Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Emotet employs Windows 10 update lures


Description: The widely distributed Emotet malware is now luring users with a fake Windows 10 update notice. The phishing emails carry distracting body text such as current-events articles or bogus shipping information, with a malicious document attached. Opening the attachment displays the bogus update notification, which instructs the recipient to enable editing on the document; doing so allows the document's embedded macros to run, and those macros download and install Emotet.


References: https://www.forbes.com/sites/leemathews/2020/10/19/notorious-emotet-malware-starts-using-fake-windows-update-alerts-to-deceive-victims/#4ad66d5661ab


Snort SIDs: 56046, 56047



Title: F2FS toolset contains multiple vulnerabilities


Description: F2FS-tools is a filesystem toolset, commonly found in embedded devices, that creates, verifies and/or fixes Flash-Friendly File System (F2FS) images. An attacker could supply a malicious filesystem image to the target to trigger these vulnerabilities, causing a variety of negative conditions. The toolset contains two code execution vulnerabilities affecting multiple devices and an information disclosure vulnerability in init_node_manager and dev_read.


References: https://blog.talosintelligence.com/2020/10/vuln-spotlight-f2fs-tools-.html


Snort SIDs: 53684, 53685, 53729 - 53732

Internet Storm Center Entries


The US Department of Justice indicted six Russian GRU officers believed to be members of Sandworm, one of Russia's elite hacking and cyberwar units, for attacks including NotPetya, KillDisk and Olympic Destroyer.


https://www.zdnet.com/article/us-charges-russian-hackers-behind-notpetya-killdisk-olympicdestroyer-attacks/



Extortionists impersonating state-sponsored groups are on a DDoS extortion spree, sending ransom notes that claim to come from North Korea's Lazarus Group (APT38) and Russia's Fancy Bear (APT28) and threatening attacks unless the victim pays.


https://arstechnica.com/information-technology/2020/10/fancy-bear-imposters-are-on-a-hacking-extortion-spree/



Gartner lists 'internet of behaviors,' automation, AI, experiences as key 2021 strategic technologies for CIOs.


https://www.zdnet.com/article/gartner-sees-internet-of-behaviors-automation-ai-experiences-key-2021-technologies/



Thousands of infected IoT devices are being used in a for-profit anonymity botnet called Interplanetary Storm.


https://arstechnica.com/information-technology/2020/10/thousands-of-infected-iot-devices-used-in-for-profit-anonymity-service/



An investigation report on the Twitter hack points to social engineering techniques and calls for cybersecurity rules for social media giants, arguing that regulation and innovation can coexist.


https://techcrunch.com/2020/10/14/twitter-hack-probe-leads-to-call-for-cybersecurity-rules-for-social-media-giants/



Ryuk ransomware operators are using the Zerologon bug to move attacks from initial phish to domain-wide encryption in five hours.


https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-16898

Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
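The malformed Router Advertisement behind CVE-2020-16898 ("Bad Neighbor") carries a Recursive DNS Server (RDNSS, RFC 8106) option whose Length field is even, which a standards-conforming option can never have (Length is 1 + 2 per IPv6 address, so always odd and at least 3). The parser below is an added example, not code from the page or from Microsoft: it walks the option TLVs of an ICMPv6 RA with strict bounds checks and flags any RDNSS option with an invalid Length. The sample packets are constructed inline (the MAC, the 2001:db8:: address and a zero checksum are placeholders), and the checksum is deliberately not validated since that needs the IPv6 pseudo-header.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861
RA_HEADER_LEN = 16                  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPT_SOURCE_LLADDR = 1
OPT_RDNSS = 25                      # RFC 8106 Recursive DNS Server option


@dataclass
class RAOption:
    type: int
    length_units: int   # raw Length field, in units of 8 octets, type/length bytes included
    body: bytes


@dataclass
class RAVerdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    options: List[RAOption] = field(default_factory=list)


def parse_ra_options(icmpv6: bytes) -> List[RAOption]:
    """Walk the option TLVs after the 16-byte RA header, trusting nothing but the bounds."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    options, off = [], RA_HEADER_LEN
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise ValueError("truncated option header")
        opt_type, length_units = icmpv6[off], icmpv6[off + 1]
        if length_units == 0:
            raise ValueError("option with Length=0 (forbidden by RFC 4861)")
        total = length_units * 8
        if off + total > len(icmpv6):
            raise ValueError(f"option type {opt_type} declares {total} bytes but only {len(icmpv6) - off} remain")
        options.append(RAOption(opt_type, length_units, icmpv6[off + 2:off + total]))
        off += total
    return options


def check_router_advertisement(icmpv6: bytes) -> RAVerdict:
    """Flag RAs that are malformed or carry an RDNSS option with an invalid (even or < 3) Length."""
    try:
        options = parse_ra_options(icmpv6)
    except ValueError as err:
        return RAVerdict(True, [str(err)])
    reasons = []
    for opt in options:
        if opt.type == OPT_RDNSS and (opt.length_units < 3 or opt.length_units % 2 == 0):
            reasons.append(f"RDNSS option with Length={opt.length_units}; RFC 8106 requires an odd value >= 3 "
                           "(1 + 2 per address), the malformed shape that triggers CVE-2020-16898")
    return RAVerdict(bool(reasons), reasons, options)


# --- constructed sample packets (not captures) -------------------------------

def build_ra(options: bytes) -> bytes:
    # checksum left as 0: it covers the IPv6 pseudo-header, which is not modelled here
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(addresses: List[str], length_units: int = None, lifetime: int = 3600) -> bytes:
    """Build an RDNSS option; pass length_units to forge a Length field that does not fit the content."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    if length_units is None:
        length_units = 1 + 2 * len(addresses)          # the RFC-mandated value
    option = bytes([OPT_RDNSS, length_units]) + struct.pack("!HI", 0, lifetime) + packed
    return option.ljust(length_units * 8, b"\x00")[:length_units * 8]


SLLA_OPTION = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("02005e100001")   # placeholder MAC

BENIGN_RA = build_ra(SLLA_OPTION + rdnss_option(["2001:db8::53"]))
EVEN_LENGTH_RA = build_ra(SLLA_OPTION + rdnss_option(["2001:db8::53"], length_units=4))
TRUNCATED_RA = build_ra(rdnss_option(["2001:db8::53"])[:-8])

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_RA), ("even-length RDNSS", EVEN_LENGTH_RA), ("truncated", TRUNCATED_RA)]:
        verdict = check_router_advertisement(pkt)
        print(f"{name:18s} suspicious={verdict.suspicious} {'; '.join(verdict.reasons)}")
```

The same Length rule is what network-side signatures for this bug key on. On hosts that cannot be patched immediately, Microsoft's documented workaround is to stop Windows from consuming RDNSS options at all (`netsh int ipv6 set int <interface index> rabaseddnsconfig=disable`), which removes the vulnerable parsing path but also removes DNS configuration via RA on that interface.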


ID: CVE-2020-1472

Title: Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
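Both the Ryuk item above and this entry turn on the same cryptographic flaw: MS-NRPC's AES variant of ComputeNetlogonCredential runs AES in CFB8 mode with an initialization vector hard-coded to sixteen zero bytes. With a zero IV, an all-zero client challenge encrypts to an all-zero credential whenever the first byte of E_k(0^16) happens to be 0x00, which holds for one session key in 256, and every Zerologon attempt gets a fresh server challenge and hence a fresh session key, so an attacker simply retries (about 256 attempts on average) until the all-zero credential is accepted. The code below is an added example, not from the page, Microsoft or the original Zerologon research: it implements CFB8 over a stand-in block function (SHA-256 used as a keyed PRF, labelled as such; it is not AES and the property shown is a property of the mode, not of the block cipher) and measures how often the all-zero credential occurs.

```python
import hashlib
import random

ZERO_IV = b"\x00" * 16           # the IV MS-NRPC fixes for the AES credential computation
ZERO_CHALLENGE = b"\x00" * 8     # the client challenge a Zerologon attempt sends


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES-128 block function (assumption: any keyed PRF exhibits the
    mode-level flaw). This is NOT AES and must never be used for real traffic."""
    assert len(key) == 16 and len(block) == 16
    return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, block_encrypt=toy_block_encrypt) -> bytes:
    """CFB8 mode: each plaintext byte is XORed with the first byte of E_k(register); the
    register then shifts left one byte and the ciphertext byte is appended on the right."""
    register, out = iv, bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, register)[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes, block_encrypt=toy_block_encrypt) -> bytes:
    """Models the AES flavour of ComputeNetlogonCredential: CFB8 over the 8-byte
    challenge with the IV hard-coded to sixteen zero bytes (the Zerologon flaw)."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge, block_encrypt)


def key_yields_zero_credential(session_key: bytes, block_encrypt=toy_block_encrypt) -> bool:
    """Why 1 in 256: with IV = 0 and plaintext = 0 the first ciphertext byte is E_k(0^16)[0].
    If that byte is 0x00 the register never changes, so every following byte is 0x00 too."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def zero_credential_rate(trials: int, seed: int = 2020) -> float:
    """Each attempt sees a fresh server challenge and therefore a fresh session key; model
    that as independent random keys and return the fraction yielding an all-zero credential."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        if compute_netlogon_credential(key, ZERO_CHALLENGE) == b"\x00" * 8:
            hits += 1
    return hits / trials


def zero_credential_rate_random_iv(trials: int, seed: int = 2020) -> float:
    """Control: the same mode with a per-call random IV. The all-zero credential now needs
    all eight keystream bytes to be zero, so hits should be essentially never observed."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        iv = rng.getrandbits(128).to_bytes(16, "big")
        if cfb8_encrypt(key, iv, ZERO_CHALLENGE) == b"\x00" * 8:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"zero IV:    all-zero credential for {zero_credential_rate(20000):.4%} of keys (expected ~0.39%)")
    print(f"random IV:  all-zero credential for {zero_credential_rate_random_iv(20000):.4%} of keys")
```

The random-IV control shows what the mode needs to be safe, but that is not how the bug was fixed: the real remediation is Microsoft's August 2020 Netlogon update on every domain controller followed by the enforcement phase (secure RPC required for all Netlogon channels), and a five-hour phish-to-domain-encryption timeline like the Ryuk case above is exactly the consequence of leaving it unpatched.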


ID: CVE-2020-1034

Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-13957

Title: Apache Solr ConfigSet Remote Code Execution Vulnerability

Vendor: Apache

Description: Apache Solr blocks certain features (those that could lead to code execution) in ConfigSets uploaded through the ConfigSets API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of the UPLOAD and CREATE actions, which could be used for remote code execution.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
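The bypass is a two-request sequence against the ConfigSets API: an anonymous `action=UPLOAD` lands a configset that Solr marks untrusted, and a following `action=CREATE&baseConfigSet=<that name>` produces a copy that did not carry the untrusted marking, so the copy could use the blocked features. The detection below is an added example, not code from the page or from the Solr project: it correlates those two calls in request logs. The log lines and their `epoch client user method url` layout are constructed for the example, so the regex on the first line has to be adapted to whatever your reverse proxy or Solr's own request logging actually emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Request:
    ts: int        # seconds since epoch
    client: str
    user: str      # "-" means no authenticated principal
    url: str


# Constructed layout for this example; adapt to the real log format.
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def parse_log(lines: List[str]) -> List[Request]:
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            out.append(Request(int(m["ts"]), m["client"], m["user"], m["url"]))
    return out


def configset_action(url: str):
    """Return (ACTION, params) for a ConfigSets API call, or (None, {}) for anything else."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/admin/configs"):
        return None, {}
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return params.get("action", "").upper(), params


def find_upload_then_create(requests: List[Request], window_s: int = 3600) -> List[dict]:
    """Flag a CREATE whose baseConfigSet was UPLOADed anonymously within the window."""
    anonymous_uploads: Dict[str, Request] = {}
    findings = []
    for req in sorted(requests, key=lambda r: r.ts):
        action, params = configset_action(req.url)
        if action == "UPLOAD" and req.user == "-" and "name" in params:
            anonymous_uploads[params["name"]] = req
        elif action == "CREATE" and "baseConfigSet" in params:
            upload = anonymous_uploads.get(params["baseConfigSet"])
            if upload is not None and req.ts - upload.ts <= window_s:
                findings.append({
                    "uploaded": params["baseConfigSet"],
                    "created": params.get("name"),
                    "upload_client": upload.client,
                    "create_client": req.client,
                    "seconds_between": req.ts - upload.ts,
                })
    return findings


SAMPLE_LOG = [  # constructed lines, not real Solr output; RFC 5737 test addresses
    "1603188000 198.51.100.7 - POST /solr/admin/configs?action=UPLOAD&name=site_v2",
    "1603188010 198.51.100.7 - GET /solr/admin/collections?action=CREATE&name=site&collection.configName=site_v2",
    "1603191200 203.0.113.9 - POST /solr/admin/configs?action=UPLOAD&name=tmp_cfg",
    "1603191215 203.0.113.9 - GET /solr/admin/configs?action=CREATE&name=cfg_trusted&baseConfigSet=tmp_cfg",
    "1603191230 203.0.113.9 - GET /solr/admin/collections?action=CREATE&name=pwn&collection.configName=cfg_trusted",
    "1603192000 192.0.2.4 admin GET /solr/admin/configs?action=CREATE&name=copy&baseConfigSet=_default",
]

if __name__ == "__main__":
    for finding in find_upload_then_create(parse_log(SAMPLE_LOG)):
        print(finding)
```

An anonymous UPLOAD on its own (the first line) is not flagged, because it is exactly the case Solr's untrusted-configset check was designed to contain; the pairing with a CREATE that copies it is what the advisory describes. Beyond detection, the advisory's mitigations are to upgrade to Solr 8.6.3, to require authentication/authorization so unknown requests are not anonymously allowed, and, if uploads are not needed, to set the `configset.upload.enabled` system property to `false`.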


ID: CVE-2019-1151

Title: Microsoft Font Subsetting DLL ReadAllocFormat12CharGlyphMapList Heap Corruption

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-14144

Title: Gitea Authenticated Remote Code Execution Vulnerability

Vendor: Gitea

Description: A vulnerability exists in Gitea that allows an attacker with access to an administrative account, or to an account with special privileges, to execute arbitrary code on the server.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-4280

Title: IBM QRadar RemoteJavaScript Deserialization Vulnerability

Vendor: IBM

Description: A Java deserialization vulnerability exists in the IBM QRadar RemoteJavaScript Servlet. An authenticated user can call one of the vulnerable methods and cause the Servlet to deserialize arbitrary objects. An attacker can exploit this vulnerability by creating a specially crafted (serialized) object, which amongst other things can result in a denial of service, change of system settings, or execution of arbitrary code.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 15716598F456637A3BE3D6C5AC91266142266A9910F6F3F85CFD193EC1D6ED8B


MD5: 799b30f47060ca05d80ece53866e01cc


VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection


Typical Filename: mf2016341595.exe


Claimed Product: N/A


Detection Name: Win.Downloader.Generic::1201




SHA 256: 7F16B5E291CCBA6411C95BAFC3FE7EEB5C4A57DF8BA32CFD173E75CC8826C921


MD5: 0b422df6c3d71d2147350d11c256724e


VirusTotal: https://www.virustotal.com/gui/file/7f16b5e291ccba6411c95bafc3fe7eeb5c4a57df8ba32cfd173e75cc8826c921/details


Typical Filename: wupxarch11.exe


Claimed Product: N/A


Detection Name: W32.Auto:7f16b5.in03.Talos




SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD


MD5: dd726d5e223ca762dc2772f40cb921d3


VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection


Typical Filename: ww24.exe


Claimed Product: N/A


Detection Name: W32.TR:Attribute.23ln.1201




SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5


MD5: 8c80dd97c37525927c1e549cb59bcbf3


VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection


Typical Filename: Eternalblue-2.2.0.exe


Claimed Product: N/A


Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos




SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F


MD5: e2ea315d9a83e7577053f52c974f6a5a


VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection


Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin


Claimed Product: N/A


Detection Name: Win.Dropper.Agentwdcr::1201