@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 15

@RISK: The Consensus Security Vulnerability Alert
April 09, 2020 – Vol. 20, Num. 15

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 2 – 9, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: Mozilla Firefox patches two use-after-free vulnerabilities exploited in the wild
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Mozilla releases fixes for two use-after-free vulnerabilities in Firefox
Description: Mozilla released patches for two use-after-free vulnerabilities in its Firefox web browser. The company said it saw attackers actively exploiting bugs in the wild, which caused them to release the emergency updates. In both cases, a race condition in the browser can cause a use-after-free condition, though Mozilla has not provided information on how, exactly, these vulnerabilities were used in attacks.
Reference: https://duo.com/decipher/mozilla-fixes-two-firefox-flaws-under-active-attack
Snort SIDs: 53580, 53581

Title: Critical CODESYS vulnerability could allow attacker to crash server, execute remote code
Description: A critical bug in 3S’ CODESYS automation software could allow an attacker to crash an affected server or execute remote code on the web server. 3S released a patch for the vulnerability, identified as CVE-2020-10245, which received a severity score of 10 out of 10. The bug is a heap-based buffer overflow in the software that could cause a denial of service.
Reference: https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/
Snort SIDs: 53557, 53558

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Marriott disclosed that hackers used login credential belonging to two employees of a franchise company to access customer data, compromising the information of more than 5 million customers.
https://www.cnet.com/news/marriott-discloses-new-data-breach-impacting-5-point-2-million-guests/

Researchers discovered potential security flaws in video conference platform Zoom’s encryption method, including sending some encryption keys through servers in China.
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

After a wave of negative headlines concerning Zoom and its security features, the Taiwanese government informed employees they should not be using the conferencing app while they work from home during the COVID-19 crisis.
https://www.bloomberg.com/news/articles/2020-04-07/taiwan-bans-government-use-of-zoom-over-cybersecurity-concerns

A critical vulnerability in a popular WordPress plugin could allow attackers to completely lock admins out of their sites, the latest in a string of bugs for plugins for the popular content management system.
https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/

A new COVID-19-themed malware family can totally wipe victim’s computers and in some cases, rewrite MBR sectors.
https://www.zdnet.com/article/theres-now-covid-19-malware-that-will-wipe-your-pc-and-rewrite-your-mbr/

Microsoft purchased controversial domain corp[.]com with the goal of keeping it out of bad actors’ hands.
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/

While the vast majority of individuals across the globe are staying home during the COVID-19 crisis, their internet usage has changed, including spending an increasing amount of time on streaming sites while seeing a reduction in mobile device usage.
https://www.nytimes.com/interactive/2020/04/07/technology/coronavirus-internet-use.html

With more college classes moving completely online for the remainder of the semester, some schools have started using online proctor services, which students and professors say is an invasion of privacy.
https://www.washingtonpost.com/technology/2020/04/01/online-proctoring-college-exams-coronavirus/

NASA says its seen an “exponential” increase in attempted cyber attacks as more of its employees began working remotely due to COVID-19 pandemic.
https://arstechnica.com/information-technology/2020/04/nasa-sees-an-exponential-jump-in-malware-attacks-as-personnel-work-from-home/

A cyber attack on Italy’s Social Security website took down its services, temporarily preventing individuals from receiving government stimulus checks connected to a COVID-19 relief package.
https://www.forbes.com/sites/daveywinder/2020/04/02/covid-19-payouts-disrupted-as-heartless-hackers-attack-italian-crisis-benefits-site/

MOST PREVALENT MALWARE FILES April 2 – 9, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: scan analysis
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: f2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysis
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos