Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft Patch Tuesday for Oct. 2020

Description: Microsoft released its monthly security update Tuesday, disclosing just under 100 vulnerabilities across its array of products. Fourteen of the vulnerabilities are considered "critical" while the vast remainder are ranked as "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products including the SharePoint document management system, Azure Sphere and the Windows camera codec, which allows users to view a variety of video files on their machines.

References: https://blog.talosintelligence.com/2020/10/microsoft-patch-tuesday-for-oct-2020.html

Snort SIDs: 53689 - 53691


Title: Lemon Duck brings cryptocurrency miners back into the spotlight

Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as "Lemon Duck," has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines. Some variants also support RDP brute-forcing. In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the amount of systems participating in its mining pool.

References: https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html

Snort SIDs: 55926 - 55928

Security News


U.S. Cyber Command took steps to disrupt the Trickbot botnet, hoping to prevent any disruption to the upcoming presidential election.

https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html


Microsoft, along with several security companies and the Financial Services Information Sharing and Analysis Center (FS-ISAC) also took steps to disrupt Trickbot, including a legal maneuver that will make it easier to take down botnets in the future.

https://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/


Unsealed court documents show how Google sells some of its search data to law enforcement agencies.

https://www.cnet.com/news/google-is-giving-data-to-police-based-on-search-keywords-court-docs-show/


Some users of the Robinhood investment app have reported that hackers have stolen funds from their accounts. The company does not appear to have a customer service line.

https://www.bloomberg.com/news/articles/2020-10-09/robinhood-users-had-accounts-looted-say-there-s-no-one-to-call


A security breach of a Chowbus database exposed information belonging to hundreds of thousands of customers of the food delivery service.

https://www.cyberscoop.com/chowbus-breach-personal-data-customers-linxin-wen/


Facebook created a new bug bounty program that offers premiums for researchers who regularly discover vulnerabilities in the site and ranks them in a tier list.

https://threatpost.com/facebook-bug-bounty-loyalty-program/159993/


The U.S. Cybersecurity and Infrastructure Security Agency warned that several APTs are using a combination of older vulnerabilities along with the Windows Netlogon vulnerability to target state and local government networks.

https://us-cert.cisa.gov/ncas/alerts/aa20-283a


Norway's foreign minister said that Russian cyber actors are responsible for an attack against the Norwegian Parliament's email system earlier this year.

https://www.aljazeera.com/news/2020/10/13/norway-says-russia-behind-cyber-attack-against-its-parliament


Video calling and meeting software Zoom says it is rolling out end-to-end encrypted calls to users starting next week.

https://www.zdnet.com/article/zoom-to-roll-out-end-to-end-encrypted-e2ee-calls/


Twitter and Facebook both said they will remove all Holocaust denial-related content from their sites.

https://www.theverge.com/2020/10/14/21516468/twitter-holocaust-denial-banned-facebook-policy


Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID: CVE-2020-16898

Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1472

Title: Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-6927

Title: HP Device Manager Elevation of Privilege Vulnerability

Vendor: HP

Description: HP Device Manager is enterprise-class thin client management software that allows customers to view their thin client assets remotely and to manipulate those thin clients to meet the required business need. Successful exploitation of this vulnerability may allow a malicious actor to gain SYSTEM privileges.

CVSS v3 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-3452

Title: Cisco ASA and FTD Path Traversal Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID: CVE-2020-13943

Title: Apache Tomcat Unexpected Resource Response Vulnerability

Vendor: Apache

Description: If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

CVSS v3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


ID: CVE-2020-9746

Title: Adobe Flash Player Arbitrary Code Execution Vulnerability

Vendor: Adobe

Description: Adobe Flash Player is affected by an exploitable NULL pointer dereference vulnerability that could result in a crash and arbitrary code execution. Exploitation of this issue requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL.

CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-16951

Title: Microsoft SharePoint Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201



SHA 256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5

MD5: 01a607b4d69c549629e6f0dfd3983956

VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: W32.Auto:1eef72aa56.in03.Talos


SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f

MD5: 88781be104a4dcb13846189a2b1ea055

VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details

Typical Filename: UltraSearchApp

Claimed Product: N/A

Detection Name: Win.Trojan.Generic::sso.talos