Review of the current news by CERT-W – March 2020
On Tuesday, March 10th, Microsoft released updates addressing a large number of security vulnerabilities in either the Windows operating systems or associated software. 26 of these vulnerabilities are rated "critical", the highest level of severity. Exploiting some of them allows remote code execution and takeover of vulnerable assets without any user interaction.
The Mukashi botnet has been observed performing brute-force attacks against random hosts. The botnet tries various combinations of credentials in an attempt to log in and seize control of the asset. It is now targeting Network Attached Storage (NAS) devices from the Zyxel brand by using the recent CVE-2020-9054, which allows remote code execution on firmware version 5.21.
During the health crisis linked to COVID-19, the coronavirus has become the most used decoy of all time in phishing attacks. The FBI Internet Crime Complaint Center (IC3) reports that these can be emails claiming to offer information on the virus itself, test kits or vaccines. Attackers even go as far as posing as charities asking for donations.
A new remote code execution vulnerability has been found in the Windows operating system. It is triggered when a .LNK file is processed (parsed or executed). By exploiting this vulnerability, an attacker could gain the same privileges as the local user.
Some versions of VMware Workstation and Fusion are exposed to a "use-after-free" vulnerability in the vmnetdhcp service. Successful exploitation of this vulnerability currently leads to a denial of service, but could in theory be used to execute arbitrary code.
A version of the TP-Link firmware is exposed to a firewall bypass. This vulnerability originates from insufficient filtering when handling IPv6 SSH connections. It can be exploited without authentication and can even be used to perform privilege escalation and code execution, up to root.
The top leak – A 5-million record leak of Marriott’s clients
Cybercriminals succeeded in obtaining the credentials of two employees for a third-party piece of software used in Marriott resorts to provide clients with various services. They used them to access a large amount of information on Marriott’s clients, including names, email addresses, phone numbers, etc.
It is the second data leak in 24 months for the brand!
The top exploit – CVE-2020-0796 – Remote code execution vulnerability in the SMB protocol
SMB is a network protocol used for file sharing, printers and other network purposes. Microsoft’s SMB 3.1.1 (SMBv3) implementation is subject to a vulnerability in the way it handles certain requests. Unauthenticated attackers can use this vulnerability to remotely execute code on SMB servers as well as on SMB clients.
The top attack – One of the largest Czech hospitals hit by a cyberattack
The Brno University Hospital in the Czech Republic has been hit by a major cyberattack in the midst of the COVID-19 outbreak. It was forced to shut down all IT equipment and information systems. Consequently, surgical procedures were rescheduled and newly infected patients were transferred to other hospitals.
Software version watch
| Software | Version |
| --- | --- |
| Adobe Flash Player | 184.108.40.2064 |
| Adobe Acrobat Reader DC | 2020.006.20042 |
| Java | Version 8 Update 241 |