SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco warns of active exploitation of cross-site scripting vulnerability
Description: Cisco warned users this week that a vulnerability in its Adaptive Security Appliance software is being exploited in the wild. The company first disclosed this vulnerability, identified as CVE-2020-3580, in October. However, a proof-of-concept recently became publicly available and used in the wild. ASA is a perimeter defense appliance that block threats from entering corporate networks. An attacker could exploit this cross-site scripting vulnerability (XSS) to execute arbitrary code in the context of ASA and view sensitive browser-based information on the victim’s network. An XSS attack occurs when an adversary injects malicious scripts into otherwise trusted websites. An affected user comes under attack if they visit that compromised website.
References:
-https://threatpost.com/cisco-asa-bug-exploited-poc/167274/
Snort SIDs: 57856, 57857
Title: Microsoft-signed DLL points to APT-controlled C2s
Description: Security researchers recently discovered Netfilter, a malicious rootkit disguised as a legitimate DLL. Microsoft confirmed this week that it signed the driver, commonly distributed among the video game players, saying that the developers behind the tool managed to acquire a Microsoft-signed binary in a legitimate manner, and the company is now investigating the manner. Once installed, Netfilter eventually connects to several China-based command and control sites, though the URLs do not appear to have any legitimate use.