CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 8 - 15, 2020
TOP VULNERABILITY THIS WEEK: Microsoft discloses fewer than 100 vulnerabilities for first time in months

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft Patch Tuesday for Oct. 2020
Description: Microsoft released its monthly security update Tuesday, disclosing just under 100 vulnerabilities across its array of products. Fourteen of the vulnerabilities are considered “critical” while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products including the SharePoint document management system, Azure Sphere and the Windows camera codec, which allows users to view a variety of video files on their machines.
References: https://blog.talosintelligence.com/2020/10/microsoft-patch-tuesday-for-oct-2020.html
Snort SIDs: 53689 - 53691

Title: Lemon Duck brings cryptocurrency miners back into the spotlight
Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as “Lemon Duck,” has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines. Some variants also support RDP brute-forcing. In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the amount of systems participating in its mining pool.
References: https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html
Snort SIDs: 55926 - 55928

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

U.S. Cyber Command took steps to disrupt the Trickbot botnet, hoping to prevent any disruption to the upcoming presidential election.
https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html

Microsoft, along with several security companies and the Financial Services Information Sharing and Analysis Center (FS-ISAC) also took steps to disrupt Trickbot, including a legal maneuver that will make it easier to take down botnets in the future.
https://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/

Unsealed court documents show how Google sells some of its search data to law enforcement agencies.
https://www.cnet.com/news/google-is-giving-data-to-police-based-on-search-keywords-court-docs-show/

Some users of the Robinhood investment app have reported that hackers have stolen funds from their accounts. The company does not appear to have a customer service line.
https://www.bloomberg.com/news/articles/2020-10-09/robinhood-users-had-accounts-looted-say-there-s-no-one-to-call

A security breach of a Chowbus database exposed information belonging to hundreds of thousands of customers of the food delivery service.
https://www.cyberscoop.com/chowbus-breach-personal-data-customers-linxin-wen/

Facebook created a new bug bounty program that offers premiums for researchers who regularly discover vulnerabilities in the site and ranks them in a tier list.
https://threatpost.com/facebook-bug-bounty-loyalty-program/159993/

The U.S. Cybersecurity and Infrastructure Security Agency warned that several APTs are using a combination of older vulnerabilities along with the Windows Netlogon vulnerability to target state and local government networks.
https://us-cert.cisa.gov/ncas/alerts/aa20-283a

Norway’s foreign minister said that Russian cyber actors are responsible for an attack against the Norwegian Parliament’s email system earlier this year.
https://www.aljazeera.com/news/2020/10/13/norway-says-russia-behind-cyber-attack-against-its-parliament

Video calling and meeting software Zoom says it is rolling out end-to-end encrypted calls to users starting next week.
https://www.zdnet.com/article/zoom-to-roll-out-end-to-end-encrypted-e2ee-calls/

Twitter and Facebook both said they will remove all Holocaust denial-related content from their sites.
https://www.theverge.com/2020/10/14/21516468/twitter-holocaust-denial-banned-facebook-policy

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-16898
Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-6927
Title: HP Device Manager Elevation of Privilege Vulnerability
Vendor: HP
Description: HP Device Manager is enterprise-class thin client management software that allows customers to view their thin client assets remotely and to manipulate those thin clients to meet the required business need. Successful exploitation of this vulnerability may allow a malicious actor to gain SYSTEM privileges.
CVSS v3 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-3452
Title: Cisco ASA and FTD Path Traversal Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

ID: CVE-2020-13943
Title: Apache Tomcat Unexpected Resource Response Vulnerability
Vendor: Apache
Description: If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
CVSS v3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

ID: CVE-2020-9746
Title: Adobe Flash Player Arbitrary Code Execution Vulnerability
Vendor: Adobe
Description: Adobe Flash Player is affected by an exploitable NULL pointer dereference vulnerability that could result in a crash and arbitrary code execution. Exploitation of this issue requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL.
CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-16951
Title: Microsoft SharePoint Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.
CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

MOST PREVALENT MALWARE FILES October 8 - 15, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5
MD5: 01a607b4d69c549629e6f0dfd3983956
VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:1eef72aa56.in03.Talos

SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f
MD5: 88781be104a4dcb13846189a2b1ea055
VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
Typical Filename: UltraSearchApp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos