
Archive for October 13th, 2020

More TA551 (Shathak) Word docs push IcedID (Bokbot), (Wed, Oct 14th)

Introduction

The TA551 (Shathak) campaign has continued to push IcedID (Bokbot) malware since I last wrote a diary about it in August 2020.  The template for its Word documents has been updated, but otherwise, not much has changed.  This campaign has also pushed other types of malware at non-English-speaking targets, but I’ve only seen English-speaking victims with IcedID since mid-July 2020.


Shown above:  Flow chart for TA551 activity since mid-July 2020.

Today’s diary reviews an infection from the TA551 campaign on Tuesday 2020-10-13.

Delivery method

TA551 still uses password-protected zip archives attached to emails.  These zip archives contain a Word document with macros designed to infect vulnerable Windows hosts with IcedID.  Malspam from TA551 uses legitimate email chains stolen from mail clients on previously-infected Windows hosts.  These emails attempt to spoof the sender by using a name from the email chain as an alias for the sending address.  Examples from this malspam campaign submitted to VirusTotal usually have some, if not all, of the email chain removed or redacted.


Shown above:  Screenshot from a recent example of TA551 malspam from Tuesday, 2020-10-13.

Passwords for the attached zip archives are different for each email.  Victims use the password from the message text to extract a Word document from the zip attachment.
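As an added example that is not part of the original diary, the Python script below shows how a mail gateway or an analyst can triage a zip attachment without knowing its password.  The zip central directory (entry names, sizes and the per-entry encryption flag) is never encrypted, so an archive that is password-protected and contains a macro-capable Office document can be quarantined on that basis alone, before any content scan is possible.  The build_zip helper, the policy in verdict and both sample archives are constructed for this example; the file name bid_010.20.doc is borrowed from the IOC list further down, the content bytes are fake.

```python
import io
import os
import struct
import zipfile
import zlib

# Office formats that can carry VBA macros; a .doc inside a password-protected
# zip is the TA551 delivery pattern described above.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt",
                            ".xlsm", ".xlsb", ".ppt", ".pptm", ".rtf"}
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 of the zip headers


def build_zip(entries):
    """Build a minimal stored (method 0) zip in memory for testing.

    entries: iterable of (name, payload, encrypted). For "encrypted" entries
    only the general-purpose flag bit is set; the payload is not really
    enciphered, which is all the listing-based triage below needs.
    Constructed sample data, not a real attachment.
    """
    entries = list(entries)
    local, central = io.BytesIO(), io.BytesIO()
    for name, payload, encrypted in entries:
        fname = name.encode("utf-8")
        flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = local.tell()
        # Local file header: signature, version needed, flags, method,
        # mod time, mod date, crc32, compressed size, uncompressed size,
        # name length, extra length.
        local.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0,
                                0x21, crc, len(payload), len(payload),
                                len(fname), 0))
        local.write(fname + payload)
        # Central directory entry for the same file (46 bytes + name).
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                                  flags, 0, 0, 0x21, crc, len(payload),
                                  len(payload), len(fname), 0, 0, 0, 0, 0,
                                  offset))
        central.write(fname)
    n = len(entries)
    # End of central directory record.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, n, n,
                       central.tell(), local.tell(), 0)
    return local.getvalue() + central.getvalue() + eocd


def triage_zip_attachment(data):
    """List what a zip attachment contains without needing its password.

    Returns a list of (finding, entry name) tuples.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
            ext = os.path.splitext(info.filename)[1].lower()
            if encrypted and ext in MACRO_CAPABLE_EXTENSIONS:
                findings.append(("encrypted_office_document", info.filename))
            elif encrypted:
                findings.append(("encrypted_entry", info.filename))
            elif ext in MACRO_CAPABLE_EXTENSIONS:
                findings.append(("office_document", info.filename))
    return findings


def verdict(findings):
    """Map findings to a gateway action (hypothetical policy for this example)."""
    kinds = {kind for kind, _ in findings}
    if "encrypted_office_document" in kinds:
        return "quarantine"  # cannot be scanned and matches the malspam pattern
    if "encrypted_entry" in kinds or "office_document" in kinds:
        return "sandbox"     # scannable Office file, or encrypted non-Office file
    return "deliver"


# Constructed samples: the file name is from the IOC list, the content is fake.
MALSPAM_ZIP = build_zip([("bid_010.20.doc", b"fake document body", True)])
BENIGN_ZIP = build_zip([("invoice.pdf", b"%PDF-1.4 fake", False)])

if __name__ == "__main__":
    for label, blob in (("malspam", MALSPAM_ZIP), ("benign", BENIGN_ZIP)):
        found = triage_zip_attachment(blob)
        print(label, found, "->", verdict(found))
```

The point of the check is that the decision does not depend on the password at all: the gateway never has to read the message text the way the victim does, it only reads the archive listing.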


Shown above:  Using password from the message text to open the zip archive and get to the Word document.

Infection activity

An infection starts when a victim enables macros on a vulnerable Windows host while ignoring any security warnings.


Shown above:  Screenshot of a Word document extracted from one of the password-protected zip archives.

Enabling macros causes a vulnerable Windows host to retrieve a Windows DLL file from a URL ending with .cab.  This DLL is saved to the host and run using regsvr32.exe.  The DLL is an installer for IcedID.


Shown above:  HTTP GET request to URL ending with .cab returned a Windows DLL file.


Shown above:  The DLL is saved to a victim’s C:\ProgramData directory with a .txt file extension.


Shown above:  Traffic from the infection filtered in Wireshark.

Forensics on an infected Windows host

After the DLL is run using regsvr32.exe, the victim’s Windows host retrieves a PNG image over HTTPS traffic.  This initial PNG is saved to the victim’s AppData\Local\Temp directory with a .tmp file extension.  The PNG image has encoded data that the DLL installer uses to create an EXE for IcedID.  This EXE is also saved to the AppData\Local\Temp directory.


Shown above:  PNG and initial IcedID EXE saved to the victim’s AppData\Local\Temp directory.

During the infection process, the initial EXE for IcedID generates more HTTPS traffic, and we find another PNG image saved somewhere under the victim’s AppData\Local or AppData\Roaming directories.  This second PNG also contains encoded data.

Shown above:  Another PNG image with encoded data created during the infection process.

Finally, we see another EXE for IcedID saved to a new directory and made persistent through a scheduled task.  This persistent EXE is the same size as the first EXE, but it has a different file hash.


Shown above:  EXE for IcedID persistent on the infected Windows host.
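As an added example that is not part of the original diary, the Python below turns the behaviours described in the infection activity and forensics sections into detection checks and runs them over constructed telemetry: a download whose URL ends in .cab but whose body is a PE rather than a cabinet (real CAB files start with the bytes MSCF), a file written with a .txt or .tmp extension whose content is actually a PE or a PNG, regsvr32.exe loading a module from a user-writable directory with an extension other than .dll/.ocx, and a scheduled task whose action lives under ProgramData or AppData.  The event format, the field names, the list of "user-writable" directories and the sample events are assumptions made for this example; the URL path and the C:\ProgramData\*.txt file name shape come from the IOC list below, while the content bytes and the AppData paths are made up.

```python
import shlex

# Magic bytes for the file formats that appear in this infection chain.
PE_MAGIC = b"MZ"                 # Windows executables and DLLs
CAB_MAGIC = b"MSCF"              # Microsoft cabinet archives
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Extensions that are normal for each format; anything else is a mismatch.
MAGIC_TYPES = [
    (PE_MAGIC, "pe", (".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl")),
    (PNG_MAGIC, "png", (".png",)),
]
# regsvr32.exe normally registers COM servers with these extensions.
REGSVR32_EXPECTED_EXTS = (".dll", ".ocx", ".ax")
# Directories a standard user can write to (assumption: the locations we treat
# as suspicious for a loaded module or a persisted binary).
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\local\\",
                      "\\appdata\\roaming\\", "\\temp\\")


def check_download(url, body):
    """URL promises a .cab, but the response body is a PE, not a cabinet."""
    if url.lower().endswith(".cab") and body.startswith(PE_MAGIC):
        return "pe_served_as_cab"
    return None


def check_file_write(path, head):
    """File content (first bytes) does not match the extension it was given."""
    lowered = path.lower()
    for magic, fmt, expected_exts in MAGIC_TYPES:
        if head.startswith(magic) and not lowered.endswith(expected_exts):
            return f"{fmt}_with_misleading_extension"
    return None


def check_process(image, command_line):
    """regsvr32.exe loading a non-.dll module from a user-writable directory."""
    if not image.lower().endswith("\\regsvr32.exe"):
        return None
    # posix=False keeps Windows backslashes literal and respects quoted paths.
    for arg in shlex.split(command_line, posix=False)[1:]:
        module = arg.strip('"').lower()
        if module.startswith(("/", "-")):
            continue  # regsvr32 switches such as /s or /i
        in_user_dir = any(d in module for d in USER_WRITABLE_DIRS)
        if in_user_dir and not module.endswith(REGSVR32_EXPECTED_EXTS):
            return "regsvr32_unusual_module"
    return None


def check_scheduled_task(action_path):
    """Persistence via a task whose binary sits in a user-writable directory."""
    if any(d in action_path.lower() for d in USER_WRITABLE_DIRS):
        return "task_persists_user_writable_binary"
    return None


def run_detections(events):
    """Apply the matching check to each event; return (event id, rule) hits."""
    checks = {
        "http": lambda ev: check_download(ev["url"], ev["body"]),
        "file": lambda ev: check_file_write(ev["path"], ev["head"]),
        "process": lambda ev: check_process(ev["image"], ev["cmdline"]),
        "task": lambda ev: check_scheduled_task(ev["action"]),
    }
    hits = []
    for ev in events:
        rule = checks.get(ev["type"], lambda ev: None)(ev)
        if rule:
            hits.append((ev["id"], rule))
    return hits


# Constructed telemetry for this example (not captured from the real infection).
SAMPLE_EVENTS = [
    {"id": 1, "type": "http", "url": "http://aqdcyy[.]com/ryfu/bary.php?l=konu1.cab",
     "body": b"MZ\x90\x00" + b"\x00" * 60},
    {"id": 2, "type": "http", "url": "http://download.example/updates/pkg.cab",
     "body": b"MSCF" + b"\x00" * 60},
    {"id": 3, "type": "file", "path": r"C:\ProgramData\adSDv.txt", "head": b"MZ\x90\x00"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\ProgramData\adSDv.txt"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"id": 6, "type": "file", "path": r"C:\Users\victim\AppData\Local\Temp\a1b2.tmp",
     "head": PNG_MAGIC + b"\x00\x00\x00\rIHDR"},
    {"id": 7, "type": "task", "action": r"C:\Users\victim\AppData\Roaming\Xvfq\persist.exe"},
]

if __name__ == "__main__":
    for event_id, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 2 and 5 are the benign controls (a genuine cabinet download and a vendor DLL registered from Program Files) and produce no hit.  The regsvr32 and scheduled-task rules are heuristics that will need allow-listing for legitimate software in a real environment; the format-versus-extension mismatches are the higher-confidence signals.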

Indicators of Compromise (IOCs)

22 examples of SHA256 hashes for TA551 Word docs with macros for IcedID (read: SHA256 hash, file name):

  • d90cac341ea9f377a9a20b2cc2f098956a2b09c1a423a82de9af0fa91f6d777c  bid_010.20.doc
  • f6fcd5702a73bba11f71216e18e452c0a926c61b51a4321314e4cdbebf651bf4  certificate-010.13.20.doc
  • a0224c5fd2cfd0030f9223cc84aef311f7cc320789ca59d4f846dbc383310dce  charge.010.13.20.doc
  • 121451c0538037e6e775f63aa57cd5c071c8e2bf1bda902ab5acbefd99337ebb  command.010.20.doc
  • d220e39e4cfac20fcffdecafc1ccfd321fecd971e51f0df9a4df267c3a662cbe  command_010.20.doc
  • 4cdbcfdd9deec0cd61152f2e9e1ba690640dc0bf3c201a42894abcf37c961546  commerce -010.20.doc
  • 9fa50c60e8dda3f9207e6f5d156df5f9bedd9e1b8a2837861b39245052f27482  decree,010.13.2020.doc
  • 4d0defd5dc6f7691c9b3f06ec2b79694c58f9835e5dec65ad7185957fae44081  details.010.13.2020.doc
  • b81b017a518c71ecc83835f31c3bc9dd9f0fac2bc0fa4f07bd0abff75f507d91  direct-010.20.doc
  • d7eb2833615397fd9c7538c1f31c408e3548d50baaca109f5136b14a424aa1ba  enjoin,010.13.20.doc
  • cf6b55d6cdeee06d03c197eebcdb5e7c9fe8277e5e626426610305192dcf0b00  enjoin_010.13.2020.doc
  • 4dadeaa387616bfc80eb61f521d7a4cb03f6055a64811eaab9c2429723d62823  file 010.13.2020.doc
  • 67e502cc48b587f78ee637cd7f522f2ea6026bbe87921ecd43e0fae11c64f775  instruct-010.20.doc
  • 35fe201a9da94441c3375106dd75c09de9c281b5a1de705448f76ed5a83978ad  instrument indenture-010.13.2020.doc
  • 0d6f7dbd45829aa73f0258440816fdb259599a64df328664ca4714cde5dd4968  intelligence 010.13.2020.doc
  • 6dc7a98930d5541fc9a01f8f71a2c487c51bb8391627a1e16a81d1162c179e80  legal agreement-010.13.2020.doc
  • 2cdbd4ac39b64abd42931d7c23dd5800ca0be0bcd0e871cf0c5e065786437619  official paper-010.20.doc
  • 2d934205d70f10534bb62e059bab4eb2e8732514f7e6874cb9588b2627210594  prescribe .010.20.doc
  • 96f991df625e19fb3957dafe0475035dd5e6d04c7ff7dad819cc33a69bcde1c9  question-010.13.2020.doc
  • 5e3c9cd19c33b048736ccaecf0ebbbab51960cdc5c618970daa6234236c0db01  question.010.20.doc
  • 64567431faf0e14dacab56c8b3d7867e7d6037f1345dc72d67cd1aff208b6ca7  report 010.13.2020.doc
  • 34b84e76d97cf18bb2d69916ee61dbd60481c45c9ac5c7e358e7f428b880859f  rule_010.13.2020.doc

At least 12 domains hosting installer DLL files retrieved by Word macros:

  • aqdcyy[.]com – 185.66.14[.]66
  • akfumi[.]com – 193.187.175[.]114
  • ar99xc[.]com – 194.31.237[.]158
  • bn50bmx[.]com – 45.153.75[.]33
  • h4dv4c1w[.]com – 94.250.255[.]189
  • krwrf1[.]com – 78.155.205[.]102
  • mbc8xtc[.]com – 193.201.126[.]251
  • osohc6[.]com – 45.150.64[.]70
  • pdtcgw[.]com – 45.89.67[.]166
  • qczpij[.]com – 194.120.24[.]6
  • t72876p[.]com – 178.250.156[.]128
  • vwofdq[.]com – 80.85.157[.]227

HTTP GET requests for the installer DLL:

  • GET /ryfu/bary.php?l=konu1.cab
  • GET /ryfu/bary.php?l=konu2.cab
  • GET /ryfu/bary.php?l=konu3.cab
  • GET /ryfu/bary.php?l=konu4.cab
  • GET /ryfu/bary.php?l=konu5.cab
  • GET /ryfu/bary.php?l=konu6.cab
  • GET /ryfu/bary.php?l=konu7.cab
  • GET /ryfu/bary.php?l=konu8.cab
  • GET /ryfu/bary.php?l=konu9.cab
  • GET /ryfu/bary.php?l=konu10.cab
  • GET /ryfu/bary.php?l=konu11.cab
  • GET /ryfu/bary.php?l=konu12.cab
  • GET /ryfu/bary.php?l=konu13.cab
  • GET /ryfu/bary.php?l=konu14.cab
  • GET /ryfu/bary.php?l=konu15.cab
  • GET /ryfu/bary.php?l=konu16.cab
  • GET /ryfu/bary.php?l=konu17.cab
  • GET /ryfu/bary.php?l=konu18.cab

25 examples of TA551 installer DLL files for IcedID:

  • aee6295dab6fd012e5bd1ee352317e56bef5789e2e83e7d5cc743161cedd957b
  • 121494579fe7d4be119875fa31aa8b573911a797d528e1819d42373e5380bf18
  • 23e672e1c94cc4dc6af971fc62c0ec84c3bcf38e997acd9bea1bea72d707e46a
  • 2ec72eeec8a8187faae32a8e8ba14bb6b17634f172fe834ccdf5b1f0b5ecda6f
  • 2f5e079f3548f68e0b597b439ac37cfde4d05d2c151a402c4953a777e4c3a5d4
  • 3957edd82568c0a36a640bcf97ac6c2c8a594007702641c9879799ca6173247e
  • 3d34785f2f6c2f6e58e7372104e74ceac405f58427785f654d39136182d7cb5d
  • 435fb59379dcbbc4831926f93196705de81fa9ee6c7e106fe99d4ffd58f8fd28
  • 463a0a1424b898c1965fb52a4a5fa8082014fb39bcdaab4c661989fffcaa0109
  • 53f94437c76cb9b5b4153fc36e38c34cf067cc8bce091505729a3ba507199c74
  • 63d55128088857806534c494ecb3f451354b1601a09ee3485300881c286351b7
  • 75ecd5d9f78fbcc887e9ee5559c4a470eacdbffb248f63a2008ad91dd1d5947f
  • 7bbfd3cdb378e8b5b966dcd76b83f1c4ed9004db4843d4ea4aef3cece3e04a67
  • 8e0aa02ea34b646cef7bd9c2f5092b1bc0c6e287c846c0874bb4332dd210a323
  • 8e342676ea2bb2cee9720ee731351bf380e109b773899ad8bdcdea965885b97d
  • c3c2fc97f5cbcdbf6940294d29d7b20fa587731e0ed34a3df9ffc60c6983cdad
  • c89b21e536599a0cbc96605fd8300c9d4797f67addcc4699f808cb07085c8725
  • cfdf1496a343c26a1d779cef6adf80f716b1334f01d48dfaef9ce4a6dc484020
  • d4da7382398a212b943aa7c18543e2c43d5867171371598e328cc0c3a2c27232
  • dba569d0cd4f2290c6fe272d7320ed5d88c99bf8a9eb5e393fc9063320b7b1de
  • dc3423e1039424f90a5c43e578fbf2761b22dc844d5b00864842d813874b51ec
  • e5294c852f5c8e914f3113446c90860b6273ca8f170652ca999fed8e8f856fa8
  • ecaca9ae95e94dbc976c80721085e6fc8ae36d47e905d784fcc3d178275d9de0
  • f46e785f0c2f4def40c95368853599d405294f52371d11998ab229193353c123
  • f58d50deb7d8017efa4d9a4c772b1c400f1d8f2ad31b7bd8efdaaf6d11d70233

Names/locations of the installer DLL files:

  • C:\ProgramData\adSDv.txt
  • C:\ProgramData\BNogX.txt
  • C:\ProgramData\CCbhU.txt
  • C:\ProgramData\Cxvdv.txt
  • C:\ProgramData\gJUdx.txt
  • C:\ProgramData\kkDXV.txt
  • C:\ProgramData\MNpGJ.txt
  • C:\ProgramData\MrUJO.txt
  • C:\ProgramData\pxNfw.txt
  • C:\ProgramData\qteNy.txt
  • C:\ProgramData\VPPOy.txt
  • C:\ProgramData\VUccN.txt
  • C:\ProgramData\WLOTG.txt
  • C:\ProgramData\xJGCG.txt
  • C:\ProgramData\yPWvE.txt

Run method for installer DLL files:

  • regsvr32.exe [filename]

HTTPS traffic to legitimate domains caused by the installer DLL files:

  • port 443 – www.intel.com
  • port 443 – support.oracle.com
  • port 443 – www.oracle.com
  • port 443 – support.apple.com
  • port 443 – support.microsoft.com
  • port 443 – help.twitter.com

At least 2 different URLs for HTTPS traffic generated by the installer DLL files:

  • 134.209.25[.]122 port 443 – jazzcity[.]top – GET /background.png
  • 161.35.111[.]71 port 443 – ldrpeset[.]casa – GET /background.png

2 examples of SHA256 hashes of IcedID EXEs created by installer DLLs:

  • afd16577794eab427980d06631ccb30b157600b938376cc13cd79afd92b77d0e  (initial)
  • 48c44bfd12f93fdd1c971da0c38fc7ca50d41ca383406290f587c73c27d26f76  (persistent)

HTTPS traffic to malicious domains caused by the above IcedID EXE files:

  • 143.110.176[.]28 – port 443 – minishtab[.]cyou
  • 143.110.176[.]28 – port 443 – novemberdejudge[.]cyou
  • 143.110.176[.]28 – port 443 – xoxofuck[.]cyou
  • 143.110.176[.]28 – port 443 – suddekaster[.]best
  • 143.110.176[.]28 – port 443 – sryvplanrespublican[.]cyou

Final words

A zip archive containing a pcap from today’s infection is available here.  All DLL and EXE files from the IOCs have been submitted to the MalwareBazaar Database.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Posted in: SANS


Microsoft October 2020 Patch Tuesday, (Tue, Oct 13th)

This month we got patches for 87 vulnerabilities. Of these, 12 are critical, 6 were previously disclosed and none of them are being exploited according to Microsoft.

Amongst the critical vulnerabilities, there is a CVSSv3 9.8 remote code execution in the Windows TCP/IP stack (CVE-2020-16898) due to the way it improperly handles ICMPv6 Router Advertisement packets. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows host (client or server). Several Windows 10 versions, Windows Server (Server Core installation), and Windows Server 2019 are affected by this vulnerability. There is a workaround for Windows 1709 and above that consists of disabling ICMPv6 RDNSS. For more details, check the vulnerability advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

There is also a remote code execution in the Windows Graphics Device Interface (GDI+) (CVE-2020-16911). An attacker could exploit this vulnerability by convincing users to view a specially crafted website or by sending them an e-mail with a malicious attachment. The CVSSv3 score for this vulnerability is 8.8.

A third vulnerability worth mentioning is an elevation of privilege affecting Windows Hyper-V (CVE-2020-1080). If successfully exploited, this vulnerability could give an attacker elevated privileges on the target system. The CVSSv3 score for this vulnerability is 8.8 as well.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Columns for each CVE row: CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)

.NET Framework Information Disclosure Vulnerability
  • CVE-2020-16937 | Yes | No | Less Likely | Less Likely | Important | 4.7 | 4.2
Azure Functions Elevation of Privilege Vulnerability
  • CVE-2020-16904 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Base3D Remote Code Execution Vulnerability
  • CVE-2020-16918 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-17003 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
Dynamics 365 Commerce Elevation of Privilege Vulnerability
  • CVE-2020-16943 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9
GDI+ Remote Code Execution Vulnerability
  • CVE-2020-16911 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Group Policy Elevation of Privilege Vulnerability
  • CVE-2020-16939 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability
  • CVE-2020-16924 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Media Foundation Memory Corruption Vulnerability
  • CVE-2020-16915 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
  • CVE-2020-16956 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.9
  • CVE-2020-16978 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.9
Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2020-16929 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16930 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16931 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16932 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Microsoft Exchange Information Disclosure Vulnerability
  • CVE-2020-16969 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4
Microsoft Graphics Components Remote Code Execution Vulnerability
  • CVE-2020-16923 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
  • CVE-2020-1167 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
  • CVE-2020-16957 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
  • CVE-2020-16928 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16934 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
  • CVE-2020-16955 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Microsoft Office Remote Code Execution Vulnerability
  • CVE-2020-16954 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Microsoft Office SharePoint XSS Vulnerability
  • CVE-2020-16945 | No | No | Less Likely | Less Likely | Important | 8.7 | 7.8
  • CVE-2020-16946 | No | No | Less Likely | Less Likely | Important | 8.7 | 7.8
Microsoft Outlook Denial of Service Vulnerability
  • CVE-2020-16949 | No | No | Less Likely | Less Likely | Moderate | 4.7 | 4.2
Microsoft Outlook Remote Code Execution Vulnerability
  • CVE-2020-16947 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3
Microsoft SharePoint Information Disclosure Vulnerability
  • CVE-2020-16941 | No | No | Less Likely | Less Likely | Important | 4.1 | 3.7
  • CVE-2020-16942 | No | No | Less Likely | Less Likely | Important | 4.1 | 3.7
  • CVE-2020-16948 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9
  • CVE-2020-16953 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9
  • CVE-2020-16950 | No | No | Less Likely | Less Likely | Important | 5.0 | 4.5
Microsoft SharePoint Reflective XSS Vulnerability
  • CVE-2020-16944 | No | No | Less Likely | Less Likely | Important | 8.7 | 7.8
Microsoft SharePoint Remote Code Execution Vulnerability
  • CVE-2020-16951 | No | No | Less Likely | Less Likely | Critical | 8.6 | 7.7
  • CVE-2020-16952 | No | No | Less Likely | Less Likely | Critical | 8.6 | 7.7
Microsoft Word Security Feature Bypass Vulnerability
  • CVE-2020-16933 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
NetBT Information Disclosure Vulnerability
  • CVE-2020-16897 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Network Watcher Agent Virtual Machine Extension for Linux Elevation of Privilege Vulnerability
  • CVE-2020-16995 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
October 2020 Adobe Flash Security Update
  • ADV200012 | No | No | Less Likely | Less Likely | Critical | – | –
PowerShellGet Module WDAC Security Feature Bypass Vulnerability
  • CVE-2020-16886 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Visual Studio Code Python Extension Remote Code Execution Vulnerability
  • CVE-2020-16977 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Win32k Elevation of Privilege Vulnerability
  • CVE-2020-16907 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
  • CVE-2020-16913 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows – User Profile Service Elevation of Privilege Vulnerability
  • CVE-2020-16940 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Application Compatibility Client Library Elevation of Privilege Vulnerability
  • CVE-2020-16876 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4
  • CVE-2020-16920 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Backup Service Elevation of Privilege Vulnerability
  • CVE-2020-16976 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16912 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16936 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16972 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16973 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16974 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16975 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows COM Server Elevation of Privilege Vulnerability
  • CVE-2020-16935 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-16916 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Camera Codec Pack Remote Code Execution Vulnerability
  • CVE-2020-16967 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
  • CVE-2020-16968 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
Windows Elevation of Privilege Vulnerability
  • CVE-2020-16877 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4
Windows Enterprise App Management Service Information Disclosure Vulnerability
  • CVE-2020-16919 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Error Reporting Elevation of Privilege Vulnerability
  • CVE-2020-16905 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
  • CVE-2020-16909 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Error Reporting Manager Elevation of Privilege Vulnerability
  • CVE-2020-16895 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Event System Elevation of Privilege Vulnerability
  • CVE-2020-16900 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows GDI+ Information Disclosure Vulnerability
  • CVE-2020-16914 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Hyper-V Denial of Service Vulnerability
  • CVE-2020-1243 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2020-1047 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
  • CVE-2020-1080 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9
Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2020-16891 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Windows Image Elevation of Privilege Vulnerability
  • CVE-2020-16892 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Installer Elevation of Privilege Vulnerability
  • CVE-2020-16902 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2020-16890 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Kernel Information Disclosure Vulnerability
  • CVE-2020-16938 | Yes | No | Less Likely | Less Likely | Important | 5.5 | 5.0
  • CVE-2020-16901 | Yes | No | Less Likely | Less Likely | Important | 5.0 | 4.5
Windows KernelStream Information Disclosure Vulnerability
  • CVE-2020-16889 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows NAT Remote Code Execution Vulnerability
  • CVE-2020-16894 | No | No | Less Likely | Less Likely | Important | 7.7 | 6.9
Windows Network Connections Service Elevation of Privilege Vulnerability
  • CVE-2020-16887 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
  • CVE-2020-16927 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
  • CVE-2020-16896 | No | No | More Likely | More Likely | Important | 7.5 | 6.7
Windows Remote Desktop Service Denial of Service Vulnerability
  • CVE-2020-16863 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows Security Feature Bypass Vulnerability
  • CVE-2020-16910 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.6
Windows Setup Elevation of Privilege Vulnerability
  • CVE-2020-16908 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Spoofing Vulnerability
  • CVE-2020-16922 | No | No | More Likely | More Likely | Important | 5.3 | 4.8
Windows Storage Services Elevation of Privilege Vulnerability
  • CVE-2020-0764 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Storage VSP Driver Elevation of Privilege Vulnerability
  • CVE-2020-16885 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.2
Windows TCP/IP Denial of Service Vulnerability
  • CVE-2020-16899 | No | No | More Likely | More Likely | Important | 7.5 | 6.7
Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2020-16898 | No | No | More Likely | More Likely | Critical | 9.8 | 8.8
Windows Text Services Framework Information Disclosure Vulnerability
  • CVE-2020-16921 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows iSCSI Target Service Elevation of Privilege Vulnerability
  • CVE-2020-16980 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0


Renato Marinho
Morphus Labs | LinkedIn | Twitter


Reposted from SANS.

Posted in: SANS


17th Annual CSAM – Week 2

As the 17th annual Cyber Security Awareness Month (CSAM) continues, it’s time to look at the impact of COVID-19 on the way we work.  Since the start of the pandemic, cybersecurity teams around the world have seen a drastic increase in attacks on both corporate and private computer systems.  More employees than ever are working from home using a combination of corporate and personal devices.  Companies are taking a variety of steps to protect their assets, and it’s just as important that you take a few steps to protect your home network and the personal computing devices you use to work from home from the bad guys that want to exploit them.

  1. Install the latest software updates and security patches from your device’s manufacturer.  In many cases, you can simply turn on automatic updates and let the system handle the rest.
  2. Set up and use multi-factor authentication, sometimes called two-factor authentication, when it’s offered by your financial institutions, email provider, or any other organization you interact with online.  With multi-factor authentication, you’ll have to enter a code sent via text message to your phone or respond to a push notification from an app when attempting to log in, ensuring that you are in fact the one trying to access your account.
  3. Ensure that your home router password is not easily guessed and does not include your address or personal names.  The Federal Trade Commission has more tips for securing your wireless home network at https://www.consumer.ftc.gov/articles/0013-securing-your-wireless-network.
  4. Limit the amount of personal data you share on social media.  The less the bad guys know about you, the less info they have to manipulate you into doing what they want.
  5. As always, remember to stop and think before you click a link, or provide confidential data over the phone.  Malicious actors are constantly developing new strategies and building websites designed to manipulate people into clicking on malicious links or giving up personal information.

For more information about ways to keep you and your family safe online visit https://www.cybersafenv.org.  Stay #CyberSafeNV!

Posted in: Uncategorized
