Vol. 20, Num. 46
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 5 - 12, 2020
TOP VULNERABILITY THIS WEEK: More than a dozen critical vulnerabilities disclosed as part of Patch Tuesday
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing just over 110 vulnerabilities across its products. This is a slight jump from last month, when Microsoft disclosed one of their lowest vulnerability totals in months. Eighteen of the vulnerabilities are considered “critical” while the vast remainder are ranked as “important,” with two also considered of “low” importance. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products and services, including the HEVC video file extension, the Azure Sphere platform and Microsoft Exchange servers.
References: https://blog.talosintelligence.com/2020/11/microsoft-patch-tuesday-for-nov-2020.html
Snort SIDs: 56161 - 56264, 56230, 56231, 56254, 56255, 56286 - 56289, 56295, 56296, 56309, 56301 - 56305, 56310 and 56312
Title: Adobe issues security updates for Acrobat Reader
Description: Adobe recently disclosed multiple vulnerabilities in its Acrobat PDF Reader, including for both desktop and Android versions. Among them are a heap buffer overflow and use-after-free vulnerability that Cisco Talos researchers discovered. Acrobat reader integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities. There is also a bug that’s considered “important” in all Android versions of Acrobat that could allow an adversary to disclose sensitive information on an affected device.
References:
Snort SIDs: 53563, 53564, 55842, 55843
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
While election week in the U.S. seemed to drag on, the good news is that polls closed and counting finished in most states without any major signs of a cyber disruption.
https://www.nbcnews.com/tech/security/polls-close-election-day-no-apparent-cyber-interference-n1246277
The FBI released a warning that international threat actors are using misconfigured SonarQube applications to steal source code repositories from U.S. government agencies and private businesses.
https://www.zdnet.com/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/
Voters in Portland, Maine approved a ban on facial recognition technology and are now eligible for up to $1,000 in payments if they are scanned in violation of the new order.
https://www.theverge.com/2020/11/4/21536892/portland-maine-facial-recognition-ban-passed-surveillance
Storied video game production company Capcom says it was the victim of a cyber attack last week, the latest in a string of targeted attacks on video game companies.
https://www.bbc.com/news/technology-54840768
Disinformation written in Spanish largely dodged efforts by social media platforms to remove fake or misleading posts, leading to an increase in fake news in the days leading up to the U.S. election.
https://www.reuters.com/article/us-usa-election-disinformation-spanish/spanish-language-misinformation-dogged-democrats-in-u-s-election-idUSKBN27N0ED
It’s believed that President-elect Joe Biden’s future administration will come down tougher on Russia on cyber security and take greater steps to bolster American election security.
https://www.washingtonpost.com/politics/2020/11/09/cybersecurity-202-biden-will-get-tougher-russia-boost-election-security-here-what-expect/
Google Chrome will join Safari and Firefox in blocking so-called “tab-nabbing” attacks in web browsers with an upcoming security release.
https://www.zdnet.com/article/chrome-to-block-tab-nabbing-attacks/
Several key details remain unknown regarding some serious vulnerabilities Google recently disclosed and patched in its Android operating system.
https://www.vice.com/en/article/xgzxmk/google-project-zero-bugs-used-to-hack-iphones-and-android-phones
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-14882
Title: Oracle WebLogic Server Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle WebLogic Server is exposed to a critical vulnerability that can be exploited by an unauthenticated attacker with a single HTTP request. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful exploitation can result in takeover of Oracle WebLogic Server.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-5544
Title: VMware Horizon DaaS OpenSLP Remote Code Execution Vulnerability
Vendor: VMware
Description: OpenSLP as used in Horizon DaaS is exposed to a heap overwrite issue. A malicious actor with network access to port 427 on an ESXi host may be able to overwrite the heap of the OpenSLP service, resulting in remote code execution.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-14871
Title: Oracle Solaris Remote Code Execution Vulnerability
Vendor: Oracle
Description: An easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful exploitation can result in takeover of Oracle Solaris.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-27955
Title: Git for Windows Large File Storage Remote Code Execution Vulnerability
Vendor: Git
Description: On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program is executed, permitting the attacker to execute arbitrary code. Successful exploitation allows an attacker to execute code remotely and compromise the system.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-17087
Title: Microsoft Windows Kernel Privilege Escalation Vulnerability
Vendor: Microsoft
Description: Security researchers from Google’s Project Zero have disclosed a zero-day vulnerability in the Windows operating system which is currently being exploited in the wild. The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug.
CVSS v3 Base Score: 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-15999
Title: Google Chrome Freetype Heap Buffer Overflow Vulnerability
Vendor: Google
Description: Google Chrome issued an update announcement for the browser across all platforms. Google confirmed that the “stable channel” desktop Chrome browser is being updated across Windows, Mac, and Linux platforms. As per Google’s official sources, this urgent update will start rolling out over the coming few days or weeks.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-14750
Title: Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle released a critical update earlier in October to patch CVE-2020-14882. It has since been observed that attackers can bypass this patch, exposing an unauthenticated remote code execution vulnerability. Unauthorized attackers can continue to bypass the WebLogic background login restrictions and control the server even after WebLogic is patched for CVE-2020-14882.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-27930
Title: Apple iOS Memory Corruption Vulnerability
Vendor: Apple
Description: A memory corruption vulnerability exists in Apple iOS that may lead to arbitrary code execution when processing a maliciously crafted font. The vulnerability leads to memory corruption due to lack of proper input validation.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
MOST PREVALENT MALWARE FILES November 5 - 12, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0
MD5: ce4395edbbf9869a5e276781af2e0fb5
VirusTotal: https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details
Typical Filename: wupxarch635.exe
Claimed Product: N/A
Detection Name: W32.Auto:f059a5358c.in03.Talos
SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD
MD5: dd726d5e223ca762dc2772f40cb921d3
VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection
Typical Filename: ww24.exe
Claimed Product: N/A
Detection Name: W32.TR:Attribute.23ln.1201
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a
MD5: 0cd267df5b55552a6589f4e67164fd3d
VirusTotal: https://www.virustotal.com/gui/file/97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: Auto.97511B.232354.in02
SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201