Tags: Breach, CVE, Malware, Phishing, TrickBot, Vulnerability

CloudSEK Daily Threat Bulletin – 11th March 2020

Round Up of Major Breaches and Scams

Iranian Coronavirus app collecting sensitive information

Over the weekend, Iranian researcher Nariman Gharib reported on Twitter that he had identified a coronavirus app collecting sensitive information from users, including real-time geolocation, well beyond what the app needed to function. According to Gharib, the app was distributed on behalf of the Iranian Ministry of Health via SMS messages that urged recipients to install it and take a test to determine whether they had coronavirus symptoms. Google has since removed the app from the Play Store for violating its terms and conditions.

Phishing attack skirts detection with YouTube

Researchers are warning of an increase in phishing emails that use YouTube redirect links to slip past traditional defences. When a malicious URL is blocked by browser or mail phishing filters, attackers commonly route victims through a redirector URL on a reputable domain: the filter and the recipient see only the trusted host, while the redirector forwards the victim to the phishing landing page. URL redirects have been used in earlier campaigns, including malicious redirect code planted on Joomla and WordPress sites and HTML redirectors used by Evil Corp. The new campaign instead abuses legitimate YouTube redirect links, so a link that appears to point at youtube.com can land the victim anywhere. The practical consequence for defenders is that reputation checks on the visible host are not enough; the destination carried in the redirect parameters has to be decoded and evaluated.
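The following is an added example (not code from the bulletin or from the researchers it cites) showing how a mail filter can unwrap such links offline and judge the real destination rather than the visible host. It assumes YouTube's redirector takes the destination in the `q` parameter of `/redirect` (the form seen in video-description links); the allowlist of trusted domains and the sample email are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Crude URL extractor for plain-text mail bodies; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>'\")\]]+")

# Redirector hosts -> (path prefix, query parameter carrying the destination).
# Assumption for this example: YouTube's redirect endpoint is /redirect?q=<destination>.
REDIRECTORS = {
    "www.youtube.com": ("/redirect", "q"),
    "youtube.com": ("/redirect", "q"),
    "m.youtube.com": ("/redirect", "q"),
}

# Hypothetical allowlist of destination domains the organisation trusts.
TRUSTED_DOMAINS = {"youtube.com", "example.org"}


def unwrap(url: str, max_hops: int = 3) -> list[str]:
    """Resolve redirector links without network access by reading the destination parameter.

    Returns the chain of URLs, starting with the one found in the email and ending
    with the first URL that is not a known redirector. max_hops bounds
    redirector-to-redirector chains so a crafted link cannot loop the filter.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlparse(chain[-1])
        # .hostname is lower-cased and excludes userinfo/port, so
        # "https://www.youtube.com@evil.example/..." is NOT treated as YouTube.
        rule = REDIRECTORS.get(parts.hostname or "")
        if rule is None or not parts.path.startswith(rule[0]):
            break
        target = parse_qs(parts.query).get(rule[1])  # parse_qs percent-decodes once, like the redirector
        if not target:
            break
        chain.append(target[0])
    return chain


def is_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


@dataclass
class Finding:
    url: str        # URL as it appeared in the email
    final_url: str  # where the victim would actually land
    verdict: str    # direct-trusted | direct-untrusted | redirector-to-trusted | redirector-to-untrusted


def classify(url: str) -> Finding:
    chain = unwrap(url)
    final_url = chain[-1]
    host = urlparse(final_url).hostname or ""
    trusted = is_trusted(host)
    if len(chain) > 1:
        verdict = "redirector-to-trusted" if trusted else "redirector-to-untrusted"
    else:
        verdict = "direct-trusted" if trusted else "direct-untrusted"
    return Finding(url, final_url, verdict)


def scan(text: str) -> list[Finding]:
    """Classify every URL in a mail body; callers would quarantine 'redirector-to-untrusted'."""
    return [classify(u) for u in URL_RE.findall(text)]


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """\
Your mailbox quota is almost full. Review your account here:
https://www.youtube.com/redirect?event=comments&redir_token=abc&q=https%3A%2F%2Flogin-verify.example.net%2Fo365
Watch the onboarding video: https://www.youtube.com/watch?v=XXXXXXXXXXX
Help centre: https://example.org/help
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        print(f"{f.verdict:24} {f.url}\n{'':24} -> {f.final_url}")
```

The first link in the sample is reported as `redirector-to-untrusted` with the decoded destination `https://login-verify.example.net/o365`, while the ordinary YouTube and example.org links pass as `direct-trusted`. The design choice worth noting is that the decision is made on the unwrapped destination, not on `www.youtube.com`, which is exactly what the campaign above relies on filters not doing.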

Whisper, an anonymous secret-sharing app, failed to keep messages or profiles private

Whisper is a secret-sharing app for posting anonymous messages, but security failures left user content and profiles viewable by anyone online. As reported by the Washington Post, the exposure was caused by an open database with no credentials or password protection. Independent researchers Matthew Porter and Dan Ehrlich came across the trove, which contained approximately 900 million records spanning from the app's launch in 2012 to the present day.

Round Up of Major Malware and Ransomware Incidents

New TrickBot variant updates anti-analysis tricks

A new TrickBot variant shows that the malware continues to swap in fresh anti-analysis and persistence tactics. Researchers found that the variant relies on new anti-analysis techniques and an updated method for downloading its payload, along with minor changes to how its components are integrated.

Beware of ‘Coronavirus Maps’ – It’s a malware infecting PCs to steal passwords

Cybercriminals will stop at nothing to exploit every chance to prey on internet users, and even the disastrous spread of SARS-CoV-2 (the virus that causes COVID-19) has become an opportunity to spread malware and launch attacks. This campaign specifically targets people searching online for maps of the spread of COVID-19 and tricks them into downloading and running a malicious application. On the front end the application shows a map loaded from a legitimate online source; in the background it compromises the computer and steals passwords.

Round Up of Major Vulnerabilities and Patches

Microsoft leaks info on wormable Windows SMBv3 CVE-2020-0796 flaw

Microsoft leaked details of a security update for a 'wormable' pre-authentication remote code execution vulnerability in the Server Message Block version 3 (SMBv3) network protocol that reportedly should have been disclosed as part of this month's Patch Tuesday. The vulnerability stems from an error in how SMBv3 handles maliciously crafted compressed data packets; a remote, unauthenticated attacker who exploits it can execute arbitrary code on the target. Because no authentication is needed and the flaw sits in the protocol handler itself, it is the kind of bug that can be chained into self-propagating malware, which is why the 'wormable' label matters.

Intel patches high severity flaws in Windows Graphics Drivers

Intel released security updates addressing 27 vulnerabilities as part of the March 2020 Patch Tuesday, ten of which are high-severity flaws affecting Intel's Graphics Drivers for Windows and the Smart Sound Technology integrated audio DSP in Intel Core and Intel Atom CPUs. The vulnerabilities may allow authenticated or privileged users with local access to obtain sensitive information, trigger denial-of-service conditions, or escalate privileges.

DDR4 memory still at Rowhammer risk, new method bypasses fixes

Academic researchers testing modern memory modules from Samsung, Micron, and Hynix found that current protections against Rowhammer attacks are insufficient. Existing mitigations are effective against the known Rowhammer access patterns, but the space of hammering patterns is not exhausted and exploitation remains possible. The new findings show that bit flips can still be induced on many devices, including popular smartphones from Google, Samsung, and OnePlus.

Avast disables JavaScript engine in its antivirus following major bug

Czech antivirus maker Avast has taken the extreme step of disabling a major component of its antivirus product after a security researcher found a dangerous vulnerability that put all of the company's users at risk. The flaw was found in Avast's JavaScript engine, an internal component that analyses JavaScript code for malware before allowing it to execute in browsers or email clients. Such engines parse untrusted input with high privileges, so a bug in one turns a protective layer into an attack surface.

Critical vulnerabilities in SAP Solution Manager expose companies to attacks

SAP on Tuesday released 16 security notes and two updates to previously released patches as part of its March 2020 Security Patch Day, with three of the new notes rated Hot News. The most important notes address critical (Hot News) missing authorization checks in Solution Manager. The first, CVE-2020-6207, carries a CVSS score of 10 and affects User-Experience Monitoring; the second, CVE-2020-6198, carries a CVSS score of 9.8 and affects the Diagnostics Agent.

Critical bugs in Rockwell, Johnson Controls ICS gear

Bugs affecting programmable logic controllers (PLCs) and physical access-control systems for facilities carry severity scores of 9.8. The vulnerabilities, which require very little skill to exploit, were discovered in industrial control systems (ICS) gear from Rockwell Automation and Johnson Controls and anchor a flurry of bug disclosures affecting critical infrastructure.

Dozens of vulnerabilities expose WAGO controllers, HMI panels to attacks

Roughly 30 vulnerabilities discovered by Cisco Talos researchers in WAGO products expose some of the company's controllers and human-machine interface (HMI) panels to remote attacks. Talos and Germany's VDE CERT this week published advisories describing the flaws in devices made by WAGO, a German company specialising in electrical connection and automation solutions. The security holes affect the PFC100 and PFC200 programmable logic controllers (PLCs) and the Touch Panel 600 HMI panels.