@RISK Newsletter for December 03, 2020
The consensus security vulnerability alert.
Vol. 20, Num. 49
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 26 - December 3, 2020
TOP VULNERABILITY THIS WEEK: Xanthe cryptocurrency miner goes after Monero
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Xanthe miner goes after Docker-based targets
Description: Cisco Talos recently discovered a cryptocurrency-mining botnet attack we’re calling “Xanthe,” which attempted to compromise one of Cisco’s security honeypots for tracking Docker-related threats. The infection starts with the downloader module, which downloads the main installer module, which is also tasked with spreading to other systems on the local and remote networks. The main module attempts to spread to other known hosts by stealing the client-side certificates and connecting to them without the requirement for a password. Two additional bash scripts terminate security services, removing competitor’s botnets and ensuring persistence by creating scheduled cron jobs and modifying one of the system startup scripts. The main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to hide the presence of the miner’s process from various tools for process enumeration.
References: https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html
OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/packs/linux_malware.conf
ClamAV: Unix.Coinminer.Xanthe-9791859-0, Unix.Coinminer.Xanthe-9791860-0, Unix.Coinminer.Xanthe-9791861-0
Title: WebKit fixes use-after-free, code execution vulnerabilities
Description: The WebKit browser engine contains multiple vulnerabilities in various functions of the software. A malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page on a browser utilizing WebKit. WebKit is utilized mainly in Apple’s Safari web browser, but is also utilized by some PlayStation consoles and all iOS web browsers.
References: https://blog.talosintelligence.com/2020/11/vuln-spotlight-webkit-use-after-free-nov-2020.html
Snort SIDs: 55844, 55845, 56126, 56127, 56379 - 56382
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
At least three health care providers in America have been recently targeted by ransomware attacks.
https://www.infosecurity-magazine.com/news/cyberattacks-on-three-us/
A ransomware attack against systems at the University of Vermont Health Network has disrupted chemotherapy treatments and availability of critical records.
https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html
Microsoft patched a bug in Xbox video game consoles that could have allowed anyone to expose the email address associated with any user’s gamertag on the Xbox Live gaming service.
https://www.vice.com/en/article/m7ag44/bug-allowed-hackers-to-get-anyones-email-address-on-xbox-live
Some Australian intelligence agencies mistakenly collected data from the country’s “COVIDSafe” contact-tracing app, though none of that information has been decrypted, accessed or used.
https://www.itnews.com.au/news/covidsafe-data-incidentally-collected-by-intelligence-agencies-in-first-six-months-558129
One of the largest fertility clinic networks in the U.S. says attackers stole patient information in a recent ransomware attack after malware sat on their network for more than a month.
https://techcrunch.com/2020/11/26/us-fertility-ransomware-attack/
Home Depot reached a $17.5 million settlement with 46 U.S. states and Washington, D.C. over a 2014 data breach, and also agreed to implement new security measures going forward.
https://duo.com/decipher/home-depot-settles-with-states-over-2014-data-breach
Schools in Baltimore County, Maryland had to cancel classes for several days after a ransomware attack, though officials say the incident does not affect students’ school-issued Chromebooks.
https://www.baltimoresun.com/education/bs-md-baltimore-county-schools-ransomware-20201130-20201130-7cymrekdpfhyjccotvyzrn6amq-story.html
The FBI released a warning that email attackers are exploiting email forwarding rules to hide themselves inside legitimate email threads, hoping to trick victims.
https://www.zdnet.com/article/fbi-warns-of-email-forwarding-rules-being-abused-in-recent-hacks/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2018-13379
Title: Fortinet FortiOS Directory Traversal Vulnerability
Vendor: Fortinet
Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-14882
Title: Oracle WebLogic Server Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-15505
Title: MobileIron Core and Connector Remote Code Execution Vulnerability
Vendor: MobileIron
Description: A remote code execution vulnerability exists in MobileIron Core and Connector, and Sentry, that allows remote attackers to execute arbitrary code via unspecified vectors. The manipulation with an unknown input leads to a privilege escalation vulnerability. The UK’s National Cyber Security Centre alerts that APT nation-state groups and cybercriminals are exploiting MobileIron RCE vulnerability to compromise the networks.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-5902
Title: F5 BIG-IP Remote Code Execution Vulnerability
Vendor: F5
Description: F5 BIG-IP is exposed to remote code execution vulnerability. The vulnerability that has been actively exploited in the wild allows attackers to read files, execute code or take complete control over vulnerable systems having network access.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-9844
Title: MacOS Catalina Memory Corruption Vulnerability
Vendor: Apple
Description: A double free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
ID: CVE-2018-12809
Title: Adobe Experience Manager Server-Side Request Forgery Vulnerability
Vendor: Adobe
Description: Adobe Experience Manager is exposed to server-side request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES November 26 - December 3, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details
Typical Filename: vid001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360
MD5: 7e0bc1c01f44c7a663d82e4aff71ee6c
VirusTotal: https://www.virustotal.com/gui/file/586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360/details
Typical Filename: dfsvc.exe
Claimed Product: N/A
Detection Name: Auto.586D6B.232349.in02
SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584
MD5: 920823d1c5cb5ce57a7c69c42b60959c
VirusTotal: https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23mj.1201
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos