The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Attackers using Zerologon vulnerability at higher rate

Description: Cisco Talos researchers report seeing a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which -- among other things -- can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials.

References: https://blog.talosintelligence.com/2020/09/netlogon-rises.html

Snort SIDs: 55703, 55704

Title: Cisco warns of vulnerabilities in IOS operating system

Description: Cisco patched several vulnerabilities -- many of them considered severe -- in its IOS operating system. The updates address denial-of-service, file overwrite and input validation attacks that affect many of Cisco's products. Two of the vulnerabilities -- CVE-2020-3421 and CVE-2020-3480 -- exist in Cisco's Zone-Based Firewall. An attacker could exploit these bugs to cause the affected device to reload or make it stop forwarding traffic through the firewall.

References: https://threatpost.com/cisco-patches-bugs/159537/

Snort SIDs: 55815 - 55819, 55830 - 55832

An Emotet outbreak brought down the email systems of Hamilton County, Texas' government, raising election security concerns just weeks before the American presidential election.

https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns

E-commerce provider Shopify says two rogue employees stole sensitive information belonging to some of its customers, affecting sites' customer databases.

https://www.bloomberg.com/news/articles/2020-09-22/shopify-says-rogue-employees-stole-data-from-merchants?sref=gni836kR

A federal judge ruled Twitter cannot reveal how many surveillance requests its received, the latest chapter in a six-year legal battle.

https://www.reuters.com/article/us-usa-twitter-lawsuit/u-s-judge-blocks-twitters-bid-to-reveal-government-surveillance-requests-idUSKBN2200CS

A new tool will scan popular websites for users and inform them of any trackers installed on the sites that may be difficult or impossible to spot.

https://themarkup.org/blacklight

A top general in the U.K. said the country's military possesses offensive cyber capabilities that could be used in future conflicts -- confirming abilities that had long been assumed.

https://www.theguardian.com/technology/2020/sep/25/britain-has-offensive-cyberwar-capability-top-general-admits

Google removed 17 apps from its Play store infected with the Joker (aka Bread) malware that silently signed users up for premium wireless services and charge payment methods on their phone.

https://www.zdnet.com/article/google-removes-17-android-apps-doing-wap-billing-fraud-from-the-play-store/

Researchers discovered a years' long campaign by Iranian state-sponsored actors to use Windows and Android information-stealers to spy on users' Telegram messages.

https://arstechnica.com/information-technology/2020/09/telegram-messages-are-a-focus-in-newly-uncovered-hack-campaign-from-iran/

Hospital chain Universal Health Services has been dealing with a cyber attack since the weekend, and the situation has since grown to be potentially the largest attack in U.S. history.

https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.

ID: CVE-2020-1472

Title: Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-1895

Title: Instagram App Heap Buffer Overflow Vulnerability

Vendor: Facebook

Description: A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-0688

Title: Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-1350

Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-4486

Title: IBM QRadar Arbitrary File Overwrite Vulnerability

Vendor: IBM

Description: IBM QRadar allows an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation.

CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

ID: CVE-2020-8437

Title: BitTorrent uTorrent Denial of Service Vulnerability

Vendor: bittorrent

Description: The bencoding parser in BitTorrent uTorrent misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

ID: CVE-2020-6506

Title: Google Chrome on Android Insufficient Bounds Check Vulnerability

Vendor: Google

Description: Insufficient policy enforcement in WebView in Google Chrome on Android allows a remote attacker to bypass site isolation via a crafted HTML page. An Android WebView instance with default configuration and JavaScript enabled allows an iframe on a different origin to bypass same-origin policies and execute arbitrary JavaScript in the top document.

CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

ID: CVE-2020-3566

Title: Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities

Vendor: Cisco

Description: A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.

CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063

MD5: 29f47c2f15d6421bdd813be27a2e3b25

VirusTotal: https://www.virustotal.com/gui/file/be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063/details

Typical Filename: FlashHelperServices.exe

Claimed Product: N/A

Detection Name: Flash Helper Service

SHA 256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5

MD5: 01a607b4d69c549629e6f0dfd3983956

VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: W32.Auto:1eef72aa56.in03.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201