Cybersecurity Weekly Briefing September 12-18

ElevenPaths    18 September, 2020
Cybersecurity Weekly Briefing September 12-18

PoC for Critical Vulnerability on Netlogon

Secura researchers have published a tool to check whether a domain controller is vulnerable to the CVE-2020-1472 vulnerability on Netlogon. Last month, Microsoft patched a critical vulnerability, with CVSS 10, on Netlogon Remote Protocol (MS-NRPC) that would allow an unauthenticated attacker to elevate privileges and become the Domain Admin of a vulnerable domain controller (DC). Right then, security researchers like Kevin Beaumont raised the need for patching. A few days ago, on 11 September, a script was published which tried to evade Netlogon authentication. This script ends when it succeeds or after several failed attempts. It is recommended to install the patch that mitigates this flaw as soon as possible.

More info: https://www.secura.com/blog/zero-logon

Exploit for vulnerability on Microsoft Exchange

Last Friday, an independent researcher published in open sources a valid proof of concept for the CVE-2020-16875 vulnerability in Microsoft Exchange mail servers which would allow remote code execution. This vulnerability, whose exploitation would allow self-propagation (“worm” capabilities), was fixed by Microsoft last week in its monthly September update newsletter. At first, the manufacturer considered it to be a critical risk (CVSSv3 of 9.1, which dropped to 8.4 when the need for authentication was revealed) and unlikely to be exploited. However, the appearance of this PoC contradicts this last estimate. As a mitigating factor, in order to carry out the exploitation, the attacker would have to commit an Exchange user to the “Data Loss Prevention” role. The products affected are Microsoft Exchange Server 2016 and 2019. It is recommended to update as soon as possible.  

All the details: https://twitter.com/steventseeley/status/1304095793809371137

URSA Trojan campaign against multiple countries

Since last June, a new campaign of infections with the URSA Trojan, also known as Mispadu, is affecting users in multiple countries, including Bolivia, Chile, Mexico, Argentina, Ecuador, Colombia, Paraguay, Costa Rica, Brazil, Spain, Italy and Portugal. URSA is a relatively recent malware whose objective is the theft of banking credentials through browsers, common software such as FTP and email services. As well as through the superimposition of false bank portals in which the victim would introduce the banking credentials. This Trojan is distributed through phishing or malspam campaigns, impersonating various entities. In Portugal, for example, it has recently impersonated Vodafone, EDP (Energias de Portugal), MEO (Serviços de Comunicações e Multimédia, S.A) and Policía Judiciaria. During this activity, according to data obtained from some Command & Control servers identified in this wave of attacks, URSA would have impacted 3,379 users. And yet, it is possible that the number of infections has been much higher. The country most affected was Mexico (1,977 infections), followed by Spain (631), Portugal (514) and Chile (331).

Read more: https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/

Cerberus malware source code released

Kaspersky security researcher Dmitry Galov has reported on the leakage of the source code for version 2 of the Cerberus malware, a banking trojan, which targets mobile devices using the Android operating system. This remote access (RAT) malware includes among its functionalities the following: interception of communications, manipulation of device functionality, exfiltration of data and banking credentials and reading of text messages that may contain one-time access codes (OTP) and two-factor authentication codes (2FA) – thus avoiding this security measure. Last July, regarding the filtering of the code, it was reported that the manager of the tool had revealed that the development team was dissolving, so he was looking for a new owner by creating an auction of the source code. In the absence of buyers, the code has been leaked. According to Kaspersky, following the release of the Cerberus source code, there has been an increase in mobile application infections in Europe and Russia, a country which hadn´t previously been affected by this threat.

More information: https://www.zdnet.com/article/cerberus-banking-trojan-source-code-released-for-free-to-cyberattackers/

Vulnerabilities in the Drupal core

Five cross-site scripting (XSS),  authentication bypass and information disclosure vulnerabilities in the Drupal core have been published. One of high severity and the rest of medium severity. The most serious vulnerability is the reflected XSS flaw that could allow an attacker to take advantage of the way HTML code is represented for the affected forms. The identifier CVE-2020-13668 has been reserved for this vulnerability, and the following ones for the less critical vulnerabilities: CVE-2020-13666, CVE-2020-13667, CVE-2020-13669 and CVE-2020-13670. It should also be noted that Drupal 8 versions prior to 8.8.x are at the end of their useful life and no longer receive security coverage. Sites in versions 8.7.x or earlier must be updated to 8.8.10.

All the details: https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/vulnerabilidades-el-core-drupal-1

Leave a Reply

Your email address will not be published. Required fields are marked *