Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Ransomware families LockBit, Maze headline ransomware dominance

Description: Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape over the past quarter, according to a new report. Infections involved a wide variety of malware families, including LockBit and Maze, among others. Sixty-six percent of all ransomware attacks this quarter involved the red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. CTIR reports a rise in ransomware actors engaging in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.

References: https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html

Snort SIDs: 54910 - 54917 (Protect against the LockBit ransomware)


Title: Emotet starts using new Word lure document

Description: The Emotet botnet continues to evolve, and now uses a Microsoft Word template to spread its malware. Known as "Red Dawn," the new lure is a Word file that, once downloaded and opened, prompts the user to enable macros in order to read the document. If enabled, the macros download Emotet onto the victim's machine. Emotet spam emails try to entice users with information on COVID-19, financial documents or package tracking.

References: https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/

Snort SIDs: 54900, 54901

Internet Storm Center Entries


Tesla CEO Elon Musk appeared to confirm on Twitter that his company was the alleged target of a Russian national who tried to recruit an employee to install malware on the company's network.

https://techcrunch.com/2020/08/27/elon-musk-confirms-tesla-was-target-of-foiled-ransomware-attack/


Several private investigators say the loopholes that allow states' Departments of Motor Vehicles to sell data are too broad and could be exploited by threat actors.

https://www.vice.com/en_us/article/ep47na/dmv-dppa-drivers-privacy-protection-act-buy-data-private-investigators


Canadian police are increasingly relying on controversial algorithms to try to predict where crimes might occur, which people are at high risk of disappearing and where officers should be patrolling, according to a new report.

https://citizenlab.ca/2020/09/to-surveil-and-predict-a-human-rights-analysis-of-algorithmic-policing-in-canada/


Service problems with ISP CenturyLink over the weekend led many internet users to grow concerned that U.S. networks had been hit with denial-of-service attacks; web infrastructure company Cloudflare and CenturyLink later clarified the cause of the outages.

https://www.theverge.com/2020/8/30/21407429/cloudflare-down-websites-hulu-feedly-discord


The Norwegian parliament was the victim of a cyber attack over the past week, according to the country's chief parliamentary administrator, and several government officials had their email accounts compromised.

https://www.reuters.com/article/us-norway-parliament/norways-parliament-says-it-was-hit-by-significant-cyber-attack-idUSKBN25S587


Following a tip from the FBI, Facebook removed another set of Groups that were spreading disinformation and fake news stories.

https://www.cnet.com/news/facebook-says-its-catching-russian-linked-fake-accounts-earlier/


The latest iOS update includes a full-fledged COVID-19 alert system that utilizes Bluetooth to track whether a user has come in contact with someone else who tests positive for the disease.

https://9to5mac.com/2020/09/01/covid-19-exposure-ios-13-7-built-in/


Private companies and government agencies in New Zealand are on high alert after the country's stock exchange was the target of a series of distributed denial-of-service (DDoS) attacks.

https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12360876


Cisco disclosed two zero-day vulnerabilities in some carrier-grade routers that threat actors could use to cause a denial of service by sending crafted traffic to the device remotely.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz


The FBI says some Ring home security camera users can use their live video feeds to get early warnings of potential police raids, a change of pace for law enforcement agencies that are used to receiving crime-fighting information from Ring.

https://theintercept.com/2020/08/31/blueleaks-amazon-ring-doorbell-cameras-police/


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-1147

Title: Pulse Connect Secure Arbitrary Code Injection Vulnerability

Vendor: Pulse Secure

Description: A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI that achieves arbitrary code execution via the admin web interface.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-3566

Title: Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities

Vendor: Cisco

Description: A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.

CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)


ID: CVE-2019-17026

Title: Mozilla Firefox Type Confusion Vulnerability

Vendor: Mozilla

Description: Incorrect alias information in the IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit this flaw to cause a denial of service, conduct cross-site scripting attacks, or execute arbitrary code.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-8913

Title: Google Android Play Core Library Arbitrary Code Execution Vulnerability

Vendor: Google

Description: A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library. An attacker could create an app that targets a specific application, and if a victim were to install this app, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-2674

Title: Oracle VM VirtualBox Arbitrary Code Execution Vulnerability

Vendor: Oracle

Description: An easily exploitable vulnerability allows a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks on this vulnerability can result in takeover of Oracle VM VirtualBox.

CVSS v3 Base Score: 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-4589

Title: IBM WebSphere Application Server Remote Code Execution Vulnerability

Vendor: IBM

Description: IBM WebSphere Application Server could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects from untrusted sources.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-3398

Title: Cisco NX-OS Software Border Gateway Protocol Multicast VPN Session Denial of Service Vulnerability

Vendor: Cisco

Description: A vulnerability in the Border Gateway Protocol (BGP) Multicast VPN (MVPN) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a BGP session to repeatedly reset, causing a partial denial of service condition due to the BGP session being down. The vulnerability is due to incorrect parsing of a specific type of BGP MVPN update message. An attacker could exploit this vulnerability by sending this BGP MVPN update message to a targeted device. A successful exploit could allow the attacker to cause the BGP peer connections to reset, which could lead to BGP route instability and impact traffic.

CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36

MD5: adad179db8c67696ac24e9e11da2d075

VirusTotal: https://www.virustotal.com/gui/file/7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.7F9446709F-100.SBX.VIOC


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos