CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES February 20 - 27, 2020
TOP VULNERABILITY THIS WEEK: New remote access tool shows connections to other RAT families

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: ObliqueRAT spreads via malicious documents
Description: Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we’re calling “ObliqueRAT.” These maldocs use malicious macros to deliver the second-stage RAT payload. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security. According to Talos researchers, ObliqueRAT has connections to the adversaries behind the CrimsonRAT discovered last year.
Reference: https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html
Snort SIDs: 53152 - 53163

Title: Multiple vulnerabilities in Cisco Data Center Network Manager
Description: Cisco Data Center Network Manager contains a privilege escalation vulnerability and a cross-site request forgery vulnerability. Cisco disclosed the high-severity vulnerabilities late last week. In the case of the privilege escalation vulnerability, an attacker could exploit the Network Manager in a way that would allow them to interact with the API with administrator-level privileges. A successful exploit could allow the attacker to interact with the API with administrative privileges.
Reference:

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-priv-esc
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-csrf

Snort SIDs: Snort Rule 53171 - 53176

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The KidsGuard surveillance app exfiltrated data from targeted devices to an unprotected cloud storage bucket.
https://techcrunch.com/2020/02/20/kidsguard-spyware-app-phones/

A vulnerability in Bluetooth software development kits leaves numerous medical devices and other internet-of-things devices open to attacks. https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/

Mexico’s economy ministry said it detected a cyber attack on its network over the weekend.
https://in.reuters.com/article/mexico-economy-cyberattack/mexicos-economy-ministry-hit-by-cyber-attack-idINKCN20J0FQ

American and British government agencies teamed up to formally blame Russia for a massive cyber attack on the country of Georgia last year; the attacks targeted web hosting providers, broadcasters, and numerous government, NGO, and business websites.
https://www.cnn.com/2020/02/20/politics/russia-georgia-hacking/index.html

Dell sold its RSA security business, including the popular RSA conference, to a private equity firm for $2 billion.
https://rcpmag.com/articles/2020/02/21/consortium-buys-rsa-from-dell.aspx?m=1

This year’s RSA Conference kicked off earlier this week. Here is a roundup of some of the major announcements made thus far.
https://www.csoonline.com/article/3527306/hottest-new-cybersecurity-products-at-rsa-conference-2020.html

French sporting goods chain Decathlon leaked the information of more than 123 million customers and employees on an unsecured Elasticsearch server.
https://www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/

Google released the latest version of its Chrome web browser, starting a rollback of third-party cookies. Chrome 80 also includes a new capability called ScrollToTextFragment, which security researchers worry could be exploited to expose sensitive information.
https://www.adweek.com/digital/new-deep-linking-feature-in-google-chrome-80-sparks-privacy-concerns/

The adversaries behind the DoppelPaymer ransomware launched a new site that they say will be used to publish the information and stolen data of victims who do not pay the requested extortion payment.
https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-1938
Title: Apache Tomcat AJP File Inclusion Vulnerability
Vendor: Apache
Description: Apache Tomcat AJP file inclusion vulnerability allows an attacker to read any webapps files. If the Tomcat instance supports file uploads, the vulnerability could also be leveraged to achieve remote code execution.
CVSS v2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2020-0618
Title: Microsoft SQL Server Reporting Services Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance.
CVSS v2 Base Score: 6.5 | (AV:N/AC:L/Au:S/C:P/I:P/A:P)

ID: CVE-2020-8813
Title: Cacti authenticated Remote Code Execution Vulnerability
Vendor: Cacti
Description: graph_realtime.php in Cacti allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege.
CVSS v2 Base Score: | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2020-8794
Title: OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability
Vendor: OpenBSD
Description: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
CVSS v2 Base Score: 6.8 | (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ID: CVE-2018-8611
Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker could then run a specially crafted application to take control of an affected system.
CVSS v2 Base Score: | 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2020-3765
Title: Adobe After Effects Out-of-Bounds Write Vulnerability (APSB20-09)
Vendor: Adobe
Description: Adobe After Effects have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
CVSS v2 Base Score: | 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

MOST PREVALENT MALWARE FILES February 20 - 27, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7
MD5: 88cbadec77cf90357f46a3629b6737e6
VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201