ngCERT Malware Security Tip On Malicious Code
6 months ago
ngCERT VMware Tools vulnerability
A vulnerability in VMware Tools is a functionality that was removed from VMware Tools 11.0.0 and it has been determined to affect VMware Tools for Windows version 10.x.y.
The Remote Desktop Protocol (RDP) and a vulnerability in the implementation of the Server Message Block SMB protocol of Microsoft Windows Operating System is currently being exploited by a ransomware called WannaCry worm. The worm encrypts all files on an infected computer’s hard drive.
Multiple Security Vulnerabilities on D-LINK Home Routers
Researchers discovered six new vulnerabilities in D-Link wireless cloud routers running their latest firmware. The reported vulnerabilities were found in the DIR-865L model of D-Link routers, which is meant for home network use. There are also likelihood that some of these vulnerabilities are present in newer models of the router because of the similiarities in codebase.
Local Privilege Escalation Vulnerability for VMware
VMware Fusion, VMRC, and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOC/TOU) issue in the service opener. Furthermore, another local privilege escalation was discovered, which allows the application to blindly executes files from an untrusted location. Both vulnerabilities result in arbitrary code execution as root.
Multiple Security Vulnerabilities for Adobe Products
Adobe has released an update for multiple adobe products in Windows, MacOS, and Linux. The updates resolves critical out-of-bounds Read and Write vulnerabilities that could lead to arbitrary code execution and information disclosure.
SaltStack FrameWork Vulnerabilities in Cisco Products
Researchers discovered numerous critical security vulnerabilities in SaltStack Salt framework – a configuration tool for cloud servers and data centers. Salt is used to monitor and update the state of servers. Each server runs an agent called a "minion" which connects to a "master", a Salt installation that collects state reports from minions and publishes update messages that minions can act on. The vulnerabilities allows attackers to bypass authentication and authorization for arbitrary code execution.
Webex Desktop App Vulnerability
A critical vulnerability was discovered in Cisco Webex Meetings Desktop App which might allow a malicious remote attacker to execute programs on affected end-user system. This vulnerability is caused by improper validation of input that is supplied to application URLs. Also, the attacker could exploit this vulnerability by persuading a user to follow a malicious URL.
New EvilQuest Ransomware for macOS Systems
A new ransomware known as EvilQuest has been discovered by security researchers. This ransomware was first spotted to be impersonating the Google Software Update program, and on torrent sites, injected in installers wrapping pirated versions of popular macOS software such as Little Snitch, Ableton Live, and Mixed in key. EvilQuest ransomware is discovered to encrypt macOS systems, installs a keylogger and a reverse shell for full control over infected host, and exfiltrates files that contain valuable information (keys to cryptocurrency wallets, code-signing certificates, and many more) with a variety of extensions (eg .pdf, .doc, .jpg, .txt, .pages, .wallet, .zip, etc).
Cisco Small Business Routers Vulnerabilities
According to Cisco, different categories of vulnerabilities were discovered from different Cisco routers. This vulnerabilities ranges from static default credential, Management interface remote command execution, authentication bypass, arbitrary code execution, and privilege escalation.
Researchers discovered that attackers can access organizations ‘networks through remote access systems to carry out ransomware attack. This is performed through the remote desktop protocol (RDP) and virtual private networks (VPN). The impact of these attacks can be severe on business operations because data are stolen and sold. Also, the recovery from this attacks is very costly to investigate and remediate the compromised network, and restore encrypted files from backup.
RV Series Routers Command Injection Vulnerabilities
Researchers discovered multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers. This vulnerabilities could allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands on an affected device.
Local Privilege Escalation Vulnerability for VMware
VMware Fusion, VMRC, and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOC/TOU) issue in the service opener. Furthermore, another local privilege escalation was discovered, which allows the application to blindly executes files from an untrusted location. Both vulnerabilities result in arbitrary code execution as root.
Multiple Security Vulnerabilities for Adobe Products
Adobe has released an update for multiple adobe products in Windows, MacOS, and Linux. The updates resolves critical out-of-bounds Read and Write vulnerabilities that could lead to arbitrary code execution and information disclosure.
SaltStack FrameWork Vulnerabilities in Cisco Products
Researchers discovered numerous critical security vulnerabilities in SaltStack Salt framework – a configuration tool for cloud servers and data centers. Salt is used to monitor and update the state of servers. Each server runs an agent called a "minion" which connects to a "master", a Salt installation that collects state reports from minions and publishes update messages that minions can act on. The vulnerabilities allows attackers to bypass authentication and authorization for arbitrary code execution.
Webex Desktop App Vulnerability
A critical vulnerability was discovered in Cisco Webex Meetings Desktop App which might allow a malicious remote attacker to execute programs on affected end-user system. This vulnerability is caused by improper validation of input that is supplied to application URLs. Also, the attacker could exploit this vulnerability by persuading a user to follow a malicious URL.
New EvilQuest Ransomware for macOS Systems
A new ransomware known as EvilQuest has been discovered by security researchers. This ransomware was first spotted to be impersonating the Google Software Update program, and on torrent sites, injected in installers wrapping pirated versions of popular macOS software such as Little Snitch, Ableton Live, and Mixed in key. EvilQuest ransomware is discovered to encrypt macOS systems, installs a keylogger and a reverse shell for full control over infected host, and exfiltrates files that contain valuable information (keys to cryptocurrency wallets, code-signing certificates, and many more) with a variety of extensions (eg .pdf, .doc, .jpg, .txt, .pages, .wallet, .zip, etc).
Cisco Small Business Routers Vulnerabilities
According to Cisco, different categories of vulnerabilities were discovered from different Cisco routers. This vulnerabilities ranges from static default credential, Management interface remote command execution, authentication bypass, arbitrary code execution, and privilege escalation.
Researchers discovered that attackers can access organizations ‘networks through remote access systems to carry out ransomware attack. This is performed through the remote desktop protocol (RDP) and virtual private networks (VPN). The impact of these attacks can be severe on business operations because data are stolen and sold. Also, the recovery from this attacks is very costly to investigate and remediate the compromised network, and restore encrypted files from backup.
RV Series Routers Command Injection Vulnerabilities
Researchers discovered multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers. This vulnerabilities could allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands on an affected device.
