Everything you need to measure, manage, and reduce your cyber risk in one place
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Automate scanning in CI/CD environments with shift left DAST testing
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Everything you need to measure, manage, and reduce your cyber risk in one place
Contact us below to request a quote, or for any product-related questions
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Discover, track, and continuously secure containers – from build to runtime
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Automate scanning in CI/CD environments with shift left DAST testing
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Vol. 20, Num. 23
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES May 28 - June 4, 2020
TOP VULNERABILITY THIS WEEK: Mokes malware hidden behind fake expired certificate alerts
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Fake certificate expiration notices used to plant Mokes malware
Description: Attackers are infecting websites and displaying fake notifications that the site’s certificate is expired. The URL bar still displays the legitimate URL, but a fake image is displayed in the entire window stating that “Security Certificate is out of date.” If the user clicks on a button to download the updated certificate, they are infected with the Buerak downloader and Mokes malware.
Reference: https://www.tripwire.com/state-of-security/security-data-protection/expired-certificates-used-as-disguise-to-spread-buerak-mokes-malware/
Snort SIDs: 54097 - 54106
Title: Variant of ZeuS malware available for sale online
Description: Attackers are selling a new fork of the infamous ZeuS banking trojan. Known as “Silent Night,” security researchers discovered the malware that appears to date back to November. Silent Night is for sale currently on a Russian dark web forum. It fetches the core malicious module and injects it into other running processes, showing very similar techniques and code to ZeuS.
Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloader-zbot/
Snort SIDs: 54093, 54094
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Minneapolis’s city computer systems and websites were hit with a distributed denial-of-service attack late last week; the majority of systems were operating as usual within a few hours.
https://www.govtech.com/security/Minneapolis-Hit-with-DDoS-Attack-amid-Social-Unrest.html
Hackers claimed that email addresses and passwords posted to the web were stolen from the Minneapolis police department; closer examination of the information suggests that it came from other, unrelated breaches.
https://www.troyhunt.com/analysing-the-alleged-minneapolis-police-department-hack/
A report from the World Economic Forum describes how lessons learned from the COVID-19 pandemic can inform preparations for a global cyberattack.
https://www.weforum.org/agenda/2020/06/covid-19-pandemic-teaches-us-about-cybersecurity-cyberattack-cyber-pandemic-risk-virus/
A bipartisan bill in the US Senate would prohibit any commercial use of data collected by COVID-19 tracing apps and would allow users to request that their data be deleted.
https://www.washingtonpost.com/technology/2020/06/01/contact-tracing-congress-privacy/
As employees start to return to physical offices, some companies are turning to monitoring apps to keep track of whether employees are sick or have been in contact with other sick people.
https://www.buzzfeednews.com/article/carolinehaskins1/coronavirus-private-contact-tracing
Older versions of Android are vulnerable to a security flaw that could allow an attacker to steal private information off mobile devices.
https://www.inc.com/minda-zetlin/security-flaw-means-malware-could-steal-data-from-android-devices.html
A GitHub report details an open-source supply chain attack that affected at least 26 code repositories.
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
The American Civil Liberties Union is suing facial recognition startup Clearview AI for allegedly violating an Illinois privacy law.
https://www.theverge.com/2020/5/28/21273388/aclu-clearview-ai-lawsuit-facial-recognition-database-illinois-biometric-laws
Google patched dozens of vulnerabilities in its Android operating system, including two critical remote code execution vulnerabilities.
https://arstechnica.com/information-technology/2020/06/google-fixes-android-flaws-that-allow-code-execution-with-high-system-rights/
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-3153
Title: Cisco AnyConnect Secure Mobility Client Vulnerability
Vendor: Cisco
Description: A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges.
CVSS v3 Base Score: 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
ID: CVE-2020-0796
Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-3956
Title: VMware Cloud Director Code Injection Vulnerability
Vendor: VMware
Description: VMware Cloud Director do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-10149
Title: Exim Remote Command Execution Vulnerability
Vendor: Exim
Description: Exim is exposed to a remote command execution vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary commands as root. Exploitation of the vulnerability only requires a malicious email to be sent to a vulnerable server, and injected commands will typically run as root. There are multiple ways that Exim can be configured, and some of these will allow for faster exploitation, while others may require a week to fully exploit.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-13693
Title: WordPress BBPress Privilege Escalation Vulnerability
Vendor: WordPress
Description: An unauthenticated privilege escalation issue exists in the BBPress plugin for WordPress when New User Registration is enabled.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-13401
Title: Docker Engine IPv6 Address Spoofing Vulnerability
Vendor: Docker
Description: An issue exists in Docker Engine where an attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. A user is able to create containers with CAP_NET_RAW privileges on an affected cluster can intercept traffic from other containers on the host or from the host itself.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-0880
Title: Microsoft splwow64 Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES May 28 - June 4, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201