CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 24 - October 1, 2020
TOP VULNERABILITY THIS WEEK: Exploit for Netlogon vulnerability goes public

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Attackers using Zerologon vulnerability at higher rate
Description: Cisco Talos researchers report seeing a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which – among other things – can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials.
References: https://blog.talosintelligence.com/2020/09/netlogon-rises.html
Snort SIDs: 55703, 55704

Title: Cisco warns of vulnerabilities in IOS operating system
Description: Cisco patched several vulnerabilities – many of them considered severe – in its IOS operating system. The updates address denial-of-service, file overwrite and input validation attacks that affect many of Cisco’s products. Two of the vulnerabilities – CVE-2020-3421 and CVE-2020-3480 – exist in Cisco’s Zone-Based Firewall. An attacker could exploit these bugs to cause the affected device to reload or make it stop forwarding traffic through the firewall.
References: https://threatpost.com/cisco-patches-bugs/159537/
Snort SIDs: 55815 - 55819, 55830 - 55832

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

An Emotet outbreak brought down the email systems of Hamilton County, Texas’ government, raising election security concerns just weeks before the American presidential election.
https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns

E-commerce provider Shopify says two rogue employees stole sensitive information belonging to some of its customers, affecting sites’ customer databases.
https://www.bloomberg.com/news/articles/2020-09-22/shopify-says-rogue-employees-stole-data-from-merchants

A federal judge ruled Twitter cannot reveal how many surveillance requests its received, the latest chapter in a six-year legal battle.
https://www.reuters.com/article/us-usa-twitter-lawsuit/u-s-judge-blocks-twitters-bid-to-reveal-government-surveillance-requests-idUSKBN2200CS

A new tool will scan popular websites for users and inform them of any trackers installed on the sites that may be difficult or impossible to spot.
https://themarkup.org/blacklight

A top general in the U.K. said the country’s military possesses offensive cyber capabilities that could be used in future conflicts – confirming abilities that had long been assumed.
https://www.theguardian.com/technology/2020/sep/25/britain-has-offensive-cyberwar-capability-top-general-admits

Google removed 17 apps from its Play store infected with the Joker (aka Bread) malware that silently signed users up for premium wireless services and charge payment methods on their phone.
https://www.zdnet.com/article/google-removes-17-android-apps-doing-wap-billing-fraud-from-the-play-store/

Researchers discovered a years’ long campaign by Iranian state-sponsored actors to use Windows and Android information-stealers to spy on users’ Telegram messages.
https://arstechnica.com/information-technology/2020/09/telegram-messages-are-a-focus-in-newly-uncovered-hack-campaign-from-iran/

Hospital chain Universal Health Services has been dealing with a cyber attack since the weekend, and the situation has since grown to be potentially the largest attack in U.S. history.
https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-1895
Title: Instagram App Heap Buffer Overflow Vulnerability
Vendor: Facebook
Description: A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-0688
Title: Microsoft Exchange Validation Key Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-1350
Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-4486
Title: IBM QRadar Arbitrary File Overwrite Vulnerability
Vendor: IBM
Description: IBM QRadar allows an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation.
CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

ID: CVE-2020-8437
Title: BitTorrent uTorrent Denial of Service Vulnerability
Vendor: bittorrent
Description: The bencoding parser in BitTorrent uTorrent misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

ID: CVE-2020-6506
Title: Google Chrome on Android Insufficient Bounds Check Vulnerability
Vendor: Google
Description: Insufficient policy enforcement in WebView in Google Chrome on Android allows a remote attacker to bypass site isolation via a crafted HTML page. An Android WebView instance with default configuration and JavaScript enabled allows an iframe on a different origin to bypass same-origin policies and execute arbitrary JavaScript in the top document.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

ID: CVE-2020-3566
Title: Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities
Vendor: Cisco
Description: A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.
CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

MOST PREVALENT MALWARE FILES September 24 - October 1, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063
MD5: 29f47c2f15d6421bdd813be27a2e3b25
VirusTotal: https://www.virustotal.com/gui/file/be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063/details
Typical Filename: FlashHelperServices.exe
Claimed Product: N/A
Detection Name: Flash Helper Service

SHA 256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5
MD5: 01a607b4d69c549629e6f0dfd3983956
VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:1eef72aa56.in03.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201