Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: More than 120 vulnerabilities patched as part of Microsoft monthly security update

Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. Twenty-three of the vulnerabilities are considered "critical" while the remainder are ranked as "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products including the Microsoft Office suite of products, the Windows Media Audio Decoder and the Hyper-V virtual machine software. One of the most severe vulnerabilities exists in Microsoft COM. CVE-2020-0922 received a CVSS severity score of 8.8 out of a possible 10. An adversary could exploit this bug to gain the ability to remotely execute code on the victim machine after a user opens an attacker-controlled web page that contains specially crafted JavaScript.

References: https://blog.talosintelligence.com/2020/09/microsoft-patch-tuesday-for-sept-2020.html

Snort SIDs: 55139 - 55146, 55161, 55162, 55187, 55188, 55206


Title: Salfram spam campaigns spread several malware families

Description: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others.

Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: the presence of a specific string value, "Salfram," makes it easy to track over time. The binaries produced by the Salfram crypter differ completely from one another, both at the byte level and in their execution flow graphs. The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools, and the crypter appears to be undergoing active development and improvement over time.

References: https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html

Snort SIDs: 54920, 54921

Security News


E-Voting company Voatz has filed an amicus brief with the US Supreme Court arguing that security researchers who do not have permission to search for vulnerabilities should not be protected under the Computer Fraud and Abuse Act.

https://www.cnet.com/news/online-voting-company-pushes-to-make-it-harder-for-researchers-to-find-security-flaws/


Apple delayed the rollout of its new anti-tracking measures for third-party apps, saying it wants to allow developers more time to build around the new rules.

https://www.bbc.com/news/technology-54033321


WhatsApp does not know how to process messages containing certain unusual characters. The "scary messages" can cause the app to crash; if users reinstall the app, they may lose their chat histories.

https://www.tomsguide.com/news/whatsapp-is-crashing-and-its-completely-wiping-chat-histories


Facebook unveiled a new site where it will publish vulnerabilities its researchers discover in third-party software, as well as a tool for researchers to report bugs they discover in WhatsApp.

https://www.darkreading.com/vulnerabilities---threats/facebook-announces-formal-vulnerability-disclosure-policy-for-third-party-bugs/d/d-id/1338844


An open-source project aiming to bring standardization to home internet-of-things devices, with the backing of Amazon, Google, Apple and other companies, hopes to launch in 2021.

https://www.theverge.com/2020/9/8/21427139/amazon-apple-google-zigbee-alliance-open-source-smart-home-standard-2021-launch


A popular texting app used by many inmates to communicate with friends and family outside the prison system mistakenly leaked users' messages and their personal information, including their relationship status, prescriptions and religious affiliations.

https://gizmodo.com/prison-phone-app-exposes-millions-of-inmate-messages-an-1844957081?


A 16-year-old high school student has admitted to launching distributed denial-of-service (DDoS) attacks against the Miami-Dade School District remote learning platform.

https://gizmodo.com/teen-hacker-charged-with-paralyzing-miami-schools-in-em-1844968182


Cyber security companies say they're facing an even greater staffing shortage due to the COVID-19 pandemic as more users work remotely and threat actors increase the volume of their attacks.

https://www.cnbc.com/2020/09/05/cyber-security-workers-in-demand.html


Adobe patched 12 critical vulnerabilities this week in InDesign, Framemaker and Experience Manager, all of which could allow an adversary to run arbitrary code on a victim machine.

https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnerabilities-in-indesign-and-framemaker/


Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-3495

Title: Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability

Vendor: Cisco

Description: A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-0986

Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-9715

Title: Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability

Vendor: Adobe

Description: Adobe Reader and Acrobat are applications for handling PDF files. Adobe Reader and Acrobat have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and/or Availability.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-17496

Title: vBulletin Remote Code Execution Vulnerability

Vendor: vBulletin

Description: vBulletin allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. vBulletin is vulnerable to a remote code execution vulnerability caused by incomplete patching of the previous "CVE-2019-16759" remote code execution vulnerability.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-8218

Title: Pulse Connect Secure Arbitrary Code Execution Vulnerability

Vendor: PulseSecure

Description: A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI that achieves arbitrary code execution via the admin web interface.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1247

Title: Microsoft Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-2040

Title: PAN-OS Management Interface Command Injection Vulnerability

Vendor: PAN-OS

Description: An OS Command Injection vulnerability exists in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. The flaw lies in the Management Interface component's handling of a crafted input; successful exploitation results in privilege escalation.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36

MD5: adad179db8c67696ac24e9e11da2d075

VirusTotal: https://www.virustotal.com/gui/file/7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.7F9446709F-100.SBX.VIOC


SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7

MD5: 73d1de319c7d61e0333471c82f2fc104

VirusTotal: https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: Win.Dropper.Segurazo::tpd


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg