Review of the current news by CERT-W – March 2020

Ethical Hacking & Incident Response

Cybercrime watch

The biggest Patch Tuesday in the history of Patch Tuesday

On Tuesday, March 10th, Microsoft released updates fixing no less than security vulnerabilities affecting either the Windows operating systems or associated software. 26 of these vulnerabilities are rated "critical", the highest severity level. Exploiting some of them allows remote code execution and takeover of vulnerable assets without any user interaction.

Mukashi: the new variant of the famous Mirai botnet is targeting Zyxel NAS

The Mukashi botnet has been observed performing brute-force attacks against random hosts: it tries various credential combinations in an attempt to log in and seize control of the asset. It now targets Network Attached Storage (NAS) devices from the Zyxel brand through the recent CVE-2020-9054, which allows remote code execution on firmware version 5.21.
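Credential brute-forcing of the kind described above leaves a recognisable trace in authentication logs: many failed logins from one source in a short window, often across several usernames, sometimes followed by a success. The following added example (not code from CERT-W or from the Mukashi analysis) runs a sliding-window detector over constructed sshd-style log lines; the threshold, window, host name and IP addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog style; the host, users and
# addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Mar 20 10:00:01 nas sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 20 10:00:02 nas sshd[1202]: Failed password for admin from 203.0.113.5 port 40123 ssh2
Mar 20 10:00:03 nas sshd[1203]: Failed password for invalid user support from 203.0.113.5 port 40124 ssh2
Mar 20 10:00:04 nas sshd[1204]: Failed password for invalid user user from 203.0.113.5 port 40125 ssh2
Mar 20 10:00:05 nas sshd[1205]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar 20 10:00:06 nas sshd[1206]: Accepted password for root from 203.0.113.5 port 40127 ssh2
Mar 20 10:03:10 nas sshd[1210]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 20 10:09:10 nas sshd[1211]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2020):
    """Parse one sshd log line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it (assumed 2020 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: alert} for every source IP that produced `threshold` or more
    failed logins inside a sliding `window`. The alert records how many
    usernames were tried (spraying indicator) and whether a later login from
    the same IP succeeded (possible compromise)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...] within the window
    alerts = {}
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip].append((e["ts"], e["user"]))
            # Drop failures that fell out of the sliding window
            failures[ip] = [(t, u) for t, u in failures[ip] if e["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "failures": len(failures[ip]),
                    "usernames": sorted({u for _, u in failures[ip]}),
                    "first_seen": failures[ip][0][0],
                    "success_after": False,
                }
        elif e["result"] == "Accepted" and ip in alerts:
            # A success from an IP already flagged is the case worth escalating first
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

On the constructed input the detector flags 203.0.113.5 (five failures across four usernames in five seconds, then a successful root login) and ignores 198.51.100.7, whose single failure followed by a success six minutes later is ordinary user behaviour. In production the threshold and window should be tuned to the device's real login rate, and a flagged IP with `success_after` set should be treated as a probable compromise rather than a mere scan.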

Coronavirus is now the most used decoy of all time

During the health crisis linked to COVID-19, the coronavirus has become the most used decoy of all time in phishing attacks. The FBI Internet Crime Complaint Center (IC3) reports emails pretending to offer information on the virus itself, test kits or vaccines. Attackers even go as far as posing as charities asking for donations.

Vulnerability watch

CVE-2020-0684 – Remote code execution in Microsoft Windows

A new remote code execution vulnerability has been found in the Windows operating system. It is triggered when a .LNK file is processed (parsed or executed), and an attacker exploiting it gains the same privileges as the local user.

CVE-2020-3946 – Denial of Service in VMware Workstation

Some versions of VMware Workstation and Fusion are exposed to a "use-after-free" vulnerability in the vmnetdhcp service. Successful exploitation currently leads to denial of service, but could in theory be used to execute arbitrary code.

CVE-2020-10887 – Firewall bypass in TP-Link routers

A version of the TP-Link firmware is exposed to a firewall bypass. The vulnerability originates from insufficient filtering when handling IPv6 SSH connections. It can be exploited without authentication and can even be used for privilege escalation and code execution, up to root.

Weekly top

The top leak – A 5-million-record leak of Marriott's clients

Cybercriminals succeeded in obtaining the credentials of two employees on a third-party piece of software used in Marriott resorts to provide clients with various services. They used these credentials to access a large amount of information on Marriott's clients, including names, email addresses, phone numbers, etc.
It is the second data leak in 24 months for the brand!

The top exploit – CVE-2020-0796 – Remote code execution vulnerability in the SMB protocol

SMB is a network protocol used for file sharing, printers and other network purposes. Microsoft SMB 3.1.1 (SMBv3) is subject to a vulnerability in the way it handles certain requests. Unauthenticated attackers can use it to remotely execute code on SMB servers as well as on clients.

The top attack – One of the largest Czech hospitals hit by a cyberattack

The Brno University Hospital in the Czech Republic was hit by a major cyberattack in the midst of the COVID-19 outbreak. It was forced to shut down all IT equipment and information systems. As a consequence, surgical procedures were rescheduled and newly infected patients were transferred to other hospitals.

Software version watch

Software                  Current version
Adobe Flash Player        32.0.0.344
Adobe Acrobat Reader DC   2020.006.20042
Java                      Version 8 Update 241
Mozilla Firefox           74.0
Google Chrome             80.0.3987.163
VirtualBox                6.1.4
CCleaner                  5.65.7632
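A version watch like the one above is only useful if it is compared against what is actually installed. The following added example (not CERT-W's own tooling) turns the table into a reference list and checks a constructed software inventory against it; the `INSTALLED` inventory is made up, and the comparison treats every run of digits in a version string as one component so that "Version 8 Update 241" compares as (8, 241).

```python
import re

# Reference versions, taken from the "Software version watch" table of this bulletin.
CURRENT_VERSIONS = {
    "Adobe Flash Player": "32.0.0.344",
    "Adobe Acrobat Reader DC": "2020.006.20042",
    "Java": "Version 8 Update 241",
    "Mozilla Firefox": "74.0",
    "Google Chrome": "80.0.3987.163",
    "VirtualBox": "6.1.4",
    "CCleaner": "5.65.7632",
}

# Constructed inventory of one workstation; these values are made up for the example.
INSTALLED = {
    "Adobe Flash Player": "32.0.0.330",
    "Adobe Acrobat Reader DC": "2020.006.20042",
    "Java": "Version 8 Update 231",
    "Mozilla Firefox": "74.0",
    "Google Chrome": "80.0.3987.149",
    "VirtualBox": "6.1.4",
}


def parse_version(text):
    """Reduce a vendor version string to a tuple of integers for comparison.
    Works for dotted versions ("80.0.3987.163") and Java's prose format
    ("Version 8 Update 241" -> (8, 241)). Non-numeric text is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def outdated_software(installed, reference=CURRENT_VERSIONS):
    """Return (name, installed, current) for each product whose installed
    version is older than the reference one. Products missing from the
    inventory are skipped; products not in the reference cannot be judged."""
    findings = []
    for name, current in reference.items():
        if name not in installed:
            continue
        have = parse_version(installed[name])
        want = parse_version(current)
        # Tuple comparison is lexicographic: (8, 231) < (8, 241), (74, 0) == (74, 0)
        if have < want:
            findings.append((name, installed[name], current))
    return findings


if __name__ == "__main__":
    for name, have, want in outdated_software(INSTALLED):
        print(f"{name}: installed {have}, current {want}")
```

On the constructed inventory three products come back as outdated (Flash Player, Java and Chrome); Acrobat, Firefox and VirtualBox match the bulletin, and CCleaner is absent from the inventory so nothing is reported for it. The numeric-tuple comparison deliberately ignores any letters in a version string, so products that use pre-release suffixes would need a vendor-specific parser rather than this generic one.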