Vol. 20, Num. 43
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 15 - 22, 2020
TOP VULNERABILITY THIS WEEK: Emotet using new Windows update-related lures
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Emotet employs Windows 10 update lures
Description: Popular malware Emotet now draws users to click with a fake Windows 10 Update. This social engineering tactic comes in emails with distracting body text such as current-events articles or bogus shipping information. Opening the email’s attachments triggers the update notification. Enabling editing on the attachment will free up Emotet to infect the system.
References: https://www.forbes.com/sites/leemathews/2020/10/19/notorious-emotet-malware-starts-using-fake-windows-update-alerts-to-deceive-victims
Snort SIDs: 56046, 56047
Title: F2FS toolset contains multiple vulnerabilities
Description: F2FS is a filesystem toolset commonly found in embedded devices that creates, verifies and/or fixes Flash-Friendly File System files. An attacker could provide a malicious file to the target to trigger these vulnerabilities, causing a variety of negative conditions for the target. The toolset contains two code execution vulnerabilities affecting multiple devices, and an information disclosure vulnerability in init_node_manager and dev_read.
References: https://blog.talosintelligence.com/2020/10/vuln-spotlight-f2fs-tools-.html
Snort SIDs: 53684, 53685, 53729 - 53732
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The US Department of Justice indicted six Russian nationals believed to be members of one of Russia’s elite hacking and cyberwar units known as Sandworm.
https://www.zdnet.com/article/us-charges-russian-hackers-behind-notpetya-killdisk-olympicdestroyer-attacks/
Fancy Bear imposters are on a hacking extortion spree, sending ransom notes pretending to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28.
https://arstechnica.com/information-technology/2020/10/fancy-bear-imposters-are-on-a-hacking-extortion-spree/
Gartner lists ‘internet of behaviors,’ automation, AI, experiences as key 2021 strategic technologies for CIOs.
https://www.zdnet.com/article/gartner-sees-internet-of-behaviors-automation-ai-experiences-key-2021-technologies/
Thousands of infected IoT devices are being used in a for-profit anonymity botnet called Interplanetary Storm.
https://arstechnica.com/information-technology/2020/10/thousands-of-infected-iot-devices-used-in-for-profit-anonymity-service/
An investigation report on the Twitter hack points to social engineering techniques and calls for cybersecurity rules for social media giants, arguing that regulation and innovation can coexist.
https://techcrunch.com/2020/10/14/twitter-hack-probe-leads-to-call-for-cybersecurity-rules-for-social-media-giants/
Ryuk ransomware operators are using the Zerologon bug to move attacks from initial phish to domain-wide encryption in five hours.
https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/
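Added example for the Zerologon activity referenced in the Ryuk item above; this is not part of the newsletter or of Qualys/SANS material. It runs detection logic over constructed Windows Security log lines and assumes two things a defender can check on a domain controller: the Netlogon events 5827 through 5831 that Microsoft's August 2020 update for CVE-2020-1472 added to report vulnerable Netlogon secure channel connections, and a computer account change (event 4742) performed by ANONYMOUS LOGON, which is what a machine password reset over an unauthenticated Netlogon channel looks like. The key="value" line format and the host and account names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Netlogon events written to the Windows Security log by the August 2020 update
# for CVE-2020-1472 (Zerologon). Meanings are summarised from Microsoft's
# guidance; the literal event text differs.
NETLOGON_EVENTS: Dict[int, str] = {
    5827: "vulnerable Netlogon secure channel DENIED for a machine account",
    5828: "vulnerable Netlogon secure channel DENIED for a trust account",
    5829: "vulnerable Netlogon secure channel ALLOWED (enforcement phase not active)",
    5830: "vulnerable Netlogon secure channel ALLOWED by group policy (machine account)",
    5831: "vulnerable Netlogon secure channel ALLOWED by group policy (trust account)",
}


@dataclass
class Finding:
    event_id: int
    computer: str
    account: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" log line into a dict (empty if unparseable)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect_zerologon_activity(lines: List[str]) -> List[Finding]:
    """Return findings for Netlogon 5827-5831 events and anonymous computer-account changes."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if "EventID" not in ev:
            continue
        event_id = int(ev["EventID"])
        computer = ev.get("Computer", "")
        if event_id in NETLOGON_EVENTS:
            findings.append(Finding(event_id, computer, ev.get("SamAccountName", ""),
                                    NETLOGON_EVENTS[event_id]))
        elif (event_id == 4742
              and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
              and ev.get("TargetUserName", "").endswith("$")):
            # Machine accounts normally rotate their own password (Subject == Target);
            # an anonymous caller changing a computer account is the Zerologon signature.
            findings.append(Finding(event_id, computer, ev["TargetUserName"],
                                    "computer account changed by ANONYMOUS LOGON"))
    return findings


def summarize(findings: List[Finding]) -> Dict[int, int]:
    """Count findings per event ID, the shape most SIEM alert rules key on."""
    counts: Dict[int, int] = {}
    for f in findings:
        counts[f.event_id] = counts.get(f.event_id, 0) + 1
    return counts


# Constructed sample log (not real telemetry): one allowed vulnerable channel,
# one benign logon, one anonymous computer-account change, one normal rotation.
SAMPLE_LOG = [
    'EventID="5829" Computer="DC01.corp.example" SamAccountName="WS17$"',
    'EventID="4624" Computer="DC01.corp.example" TargetUserName="alice" LogonType="3"',
    'EventID="4742" Computer="DC01.corp.example" SubjectUserName="ANONYMOUS LOGON" TargetUserName="DC01$"',
    'EventID="4742" Computer="DC01.corp.example" SubjectUserName="DC01$" TargetUserName="DC01$"',
]

if __name__ == "__main__":
    for f in detect_zerologon_activity(SAMPLE_LOG):
        print(f"{f.event_id} {f.computer} {f.account}: {f.reason}")
```

Event 5829 is the one to watch after patching: it means the domain controller still accepts a vulnerable connection from the named account, so that account needs to be fixed or explicitly excepted before enforcement mode is switched on.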
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-16898
Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-1034
Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-13957
Title: Apache Solr ConfigSet Remote Code Execution Vulnerability
Vendor: Apache
Description: Apache Solr allows some features to be configured in ConfigSet that’s uploaded via API without authentication/authorization, which could be used for remote code execution. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-1151
Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-14144
Title: Gitea Authenticated Remote Code Execution Vulnerability
Vendor: Gitea
Description: A vulnerability exists in Gitea, that allows an attacker with access to an administrative account or an account with special privileges to execute arbitrary code on the server.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4280
Title: IBM QRadar RemoteJavaScript Deserialization Vulnerability
Vendor: IBM
Description: A Java deserialization vulnerability exists in the IBM QRadar RemoteJavaScript Servlet. An authenticated user can call one of the vulnerable methods and cause the Servlet to deserialize arbitrary objects. An attacker can exploit this vulnerability by creating a specially crafted (serialized) object, which amongst other things can result in a denial of service, change of system settings, or execution of arbitrary code.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES October 15 - 22, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 15716598F456637A3BE3D6C5AC91266142266A9910F6F3F85CFD193EC1D6ED8B
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
SHA 256: 7F16B5E291CCBA6411C95BAFC3FE7EEB5C4A57DF8BA32CFD173E75CC8826C921
MD5: 0b422df6c3d71d2147350d11c256724e
VirusTotal: https://www.virustotal.com/gui/file/7f16b5e291ccba6411c95bafc3fe7eeb5c4a57df8ba32cfd173e75cc8826c921/details
Typical Filename: wupxarch11.exe
Claimed Product: N/A
Detection Name: W32.Auto:7f16b5.in03.Talos
SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD
MD5: dd726d5e223ca762dc2772f40cb921d3
VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection
Typical Filename: ww24.exe
Claimed Product: N/A
Detection Name: W32.TR:Attribute.23ln.1201
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
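Added example, not part of the newsletter or of Talos tooling: a small indicator matcher that loads the five file hashes listed above and checks files on disk against them. One practical detail it handles is case: the list above prints some SHA-256 values in upper case and one in lower case, so every digest is normalized before comparison. The directory scan and the temporary benign file it creates are constructed for the example; no sample contains or fetches any of the listed files.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Indicators transcribed from the newsletter's "most prevalent malware files" list.
NEWSLETTER_IOCS = [
    {"sha256": "15716598F456637A3BE3D6C5AC91266142266A9910F6F3F85CFD193EC1D6ED8B",
     "md5": "799b30f47060ca05d80ece53866e01cc",
     "filename": "mf2016341595.exe", "detection": "Win.Downloader.Generic::1201"},
    {"sha256": "7F16B5E291CCBA6411C95BAFC3FE7EEB5C4A57DF8BA32CFD173E75CC8826C921",
     "md5": "0b422df6c3d71d2147350d11c256724e",
     "filename": "wupxarch11.exe", "detection": "W32.Auto:7f16b5.in03.Talos"},
    {"sha256": "432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD",
     "md5": "dd726d5e223ca762dc2772f40cb921d3",
     "filename": "ww24.exe", "detection": "W32.TR:Attribute.23ln.1201"},
    {"sha256": "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5",
     "md5": "8c80dd97c37525927c1e549cb59bcbf3",
     "filename": "Eternalblue-2.2.0.exe",
     "detection": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos"},
    {"sha256": "C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F",
     "md5": "e2ea315d9a83e7577053f52c974f6a5a",
     "filename": "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin",
     "detection": "Win.Dropper.Agentwdcr::1201"},
]


def normalize(digest: str) -> str:
    """Hex digests compare as lower-case strings regardless of how a feed prints them."""
    return digest.strip().lower()


def build_index(records) -> Dict[str, Dict[str, str]]:
    """Index every record by both its SHA-256 and its MD5."""
    index: Dict[str, Dict[str, str]] = {}
    for rec in records:
        index[normalize(rec["sha256"])] = rec
        index[normalize(rec["md5"])] = rec
    return index


IOC_INDEX = build_index(NEWSLETTER_IOCS)


def lookup(digest: str) -> Optional[str]:
    """Return the detection name for a SHA-256 or MD5 digest, or None."""
    rec = IOC_INDEX.get(normalize(digest))
    return rec["detection"] if rec else None


def digests_of_file(path: str, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Compute SHA-256 and MD5 in one streamed pass (large files are not read into memory)."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def scan_directory(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, sha256, detection) for every file matching an indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256, md5 = digests_of_file(path)
            except OSError:
                continue            # unreadable or vanished file: skip, do not abort the scan
            detection = lookup(sha256) or lookup(md5)
            if detection:
                hits.append((path, sha256, detection))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed run: a temp directory holding one benign text file; expect no hits."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("benign content\n")
        return scan_directory(d)


if __name__ == "__main__":
    print("hits in demo directory:", demo())
```

Matching on MD5 as well as SHA-256 is there only because the newsletter publishes both; when a feed gives you a SHA-256, prefer it, since MD5 collisions are cheap to produce.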