Cisco Releases Security Updates

US-CERT All NCAS Products - Thu, 02/20/2020 - 16:55
Original release date: February 20, 2020

Cisco has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Adobe Releases Security Updates for After Effects and Media Encoder

US-CERT All NCAS Products - Thu, 02/20/2020 - 16:42
Original release date: February 20, 2020

Adobe has released security updates to address vulnerabilities in After Effects and Media Encoder. An attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletins APSB20-09 and APSB20-10 and apply the necessary updates.


VMware Releases Security Updates for vRealize Operations for Horizon Adapter

US-CERT All NCAS Products - Wed, 02/19/2020 - 19:30
Original release date: February 19, 2020

VMware has released security updates to address multiple vulnerabilities in vRealize Operations for Horizon Adapter. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0003 and apply the necessary updates.


AA20-049A: Ransomware Impacting Pipeline Operations

US-CERT Alerts - Tue, 02/18/2020 - 14:06
Original release date: February 18, 2020
Summary

Note: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework. See the MITRE ATT&CK for Enterprise and ATT&CK for Industrial Control Systems (ICS) frameworks for all referenced threat actor techniques and mitigations.

CISA encourages asset owner operators across all critical infrastructure sectors to review the below threat actor techniques and ensure the corresponding mitigations are applied.

The Cybersecurity and Infrastructure Security Agency (CISA) responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware to Encrypt Data for Impact [T1486] on both networks. Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators. The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations. This lasted approximately two days, resulting in a Loss of Productivity and Revenue [T828], after which normal operations resumed. CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks.

Technical Details

Network and Assets
  • The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.
  • The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers.
  • Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.
  • The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.
  • All OT assets directly impacted by the attack were limited to a single geographic facility.
Planning and Operations
  • At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.
  • The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.
  • Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.
  • Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
  • The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.
Mitigations

Asset owner operators across all sectors are encouraged to consider the following mitigations using a risk-based assessment strategy.

Planning and Operational Mitigations
  • Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.
  • Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications. Capture lessons learned in emergency response playbooks.
  • Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Capture lessons learned in emergency response playbooks.
  • Identify single points of failure (technical and human) for operational visibility. Develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised.
  • Implement redundant communication capabilities between geographically separated facilities responsible for the operation of a single pipeline asset. Coordinate planning activities across all such facilities.
  • Recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into the organization’s safety training program.
  • Ensure the organization’s security program and emergency response plan consider third parties with legitimate need for OT network access, including engineers and vendors.
Technical and Architectural Mitigations
  • Implement and ensure robust Network Segmentation [M1030] between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.
  • Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic [M1037] and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.
  • Require Multi-Factor Authentication [M1032] to remotely access the OT and IT networks from external sources.
  • Implement regular Data Backup [M1053] procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of ransomware.
  • Ensure user and process accounts are limited through Account Use Policies [M1036], User Account Control [M1052], and Privileged Account Management [M1026]. Organize access rights based on the principles of least privilege and separation of duties.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Implement a User Training [M1017] program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files from reaching end users.
  • Filter Network Traffic [M1037] to prohibit ingress and egress communications with known malicious Internet Protocol (IP) addresses. Prevent users from accessing malicious websites using Uniform Resource Locator (URL) blacklists and/or whitelists.
  • Update Software [M1051], including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.
  • Set Antivirus/Antimalware [M1049] programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.  
  • Implement Execution Prevention [M1038] by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • Implement Execution Prevention [M1038] via application whitelisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  • Limit Access to Resources over Network [M1035], especially by restricting Remote Desktop Protocol (RDP). If after assessing risks RDP is deemed operationally necessary, restrict the originating sources and require Multi-Factor Authentication [M1032].
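The segmentation, conduit-filtering and RDP-restriction items above describe a zone model (IT, a DMZ, and OT) with a defined set of permitted conduits between zones and a ban on ICS protocols crossing the IT network. The following added example, which is not part of the CISA alert, shows how that policy can be expressed as data and checked against flow records, so that a defender can audit firewall logs or NetFlow for traffic that bypasses the DMZ, carries ICS protocols on the IT side, or brings RDP in from outside. The zone addressing, the conduit table and the flow lines are all constructed for illustration; the ICS port numbers are the protocols' documented defaults.

```python
"""Zone and conduit policy check over flow records.

Added example, not code from the CISA alert. The zone addressing, the
permitted conduits and the sample flows are constructed; the ICS port
numbers are the protocols' documented default TCP ports.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Assumed zone addressing (hypothetical).
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.20.0.0/24")],
    "OT": [ip_network("192.168.100.0/24")],
}

# Documented default TCP ports of common ICS protocols.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Permitted conduits: (source zone, destination zone) -> destination ports.
# None means any port within the zone. A missing key is a denied conduit, so
# IT -> OT is denied outright and must pass through the DMZ (hypothetical policy).
CONDUITS: Dict[Tuple[str, str], Optional[Set[int]]] = {
    ("IT", "IT"): None,
    ("DMZ", "DMZ"): None,
    ("OT", "OT"): None,
    ("IT", "DMZ"): {443, 3389},    # web front end and jump host in the DMZ
    ("DMZ", "OT"): {3389, 4840},   # jump host RDP, OPC UA to the historian
    ("OT", "DMZ"): {4840},         # historian replication outward only
}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line: '<src>:<sport> -> <dst>:<dport> <proto>'."""
    left, right = line.split(" -> ")
    dst_part, proto = right.rsplit(" ", 1)
    src, sport = left.rsplit(":", 1)
    dst, dport = dst_part.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), proto)


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the defined zones is EXTERNAL."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "EXTERNAL"


def evaluate(flow: Flow) -> List[str]:
    """Return the policy violations for one flow; an empty list means allowed."""
    findings: List[str] = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # ICS protocols must never touch the IT network, whichever side initiates.
    if flow.dport in ICS_PORTS and "IT" in (src_zone, dst_zone):
        findings.append(f"ICS protocol {ICS_PORTS[flow.dport]} on the IT network")
    # Nothing outside the enterprise may reach a zone directly; RDP is called out
    # because the alert requires it to be source-restricted and MFA-protected.
    if "EXTERNAL" in (src_zone, dst_zone):
        findings.append(f"{src_zone} -> {dst_zone} port {flow.dport} crosses the perimeter")
        if flow.dport == 3389:
            findings.append("RDP from outside; must enter via an MFA-protected jump host")
        return findings
    if (src_zone, dst_zone) not in CONDUITS:
        findings.append(f"no conduit defined for {src_zone} -> {dst_zone}")
    else:
        allowed = CONDUITS[(src_zone, dst_zone)]
        if allowed is not None and flow.dport not in allowed:
            findings.append(f"port {flow.dport} not permitted on conduit {src_zone} -> {dst_zone}")
    return findings


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Evaluate each flow line; returns only the lines that violated policy."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        findings = evaluate(parse_flow(line))
        if findings:
            results[line] = findings
    return results


# Constructed flow records, not taken from the incident.
SAMPLE_FLOWS = [
    "10.10.5.23:51234 -> 192.168.100.10:502 tcp",    # IT workstation straight to a PLC
    "10.10.5.23:51235 -> 10.20.0.5:3389 tcp",        # IT to DMZ jump host
    "10.20.0.5:40000 -> 192.168.100.20:3389 tcp",    # jump host to OT HMI
    "10.10.7.9:40001 -> 10.10.7.10:445 tcp",         # IT internal SMB
    "203.0.113.8:5555 -> 192.168.100.20:3389 tcp",   # Internet to OT RDP
    "192.168.100.10:502 -> 10.20.0.9:20000 tcp",     # OT to DMZ on an unpermitted port
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_FLOWS).items():
        print(line)
        for finding in findings:
            print("   ", finding)
```

The conduit table is deliberately default-deny: a zone pair that is absent is a violation, which is the property the alert's "eliminate unregulated communication between the IT and OT networks" asks for. Run against real NetFlow or firewall exports, the same evaluator surfaces the IT-to-OT paths a ransomware operator would use to pivot, before an incident rather than during one.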
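The Execution Prevention item above recommends software restriction policies that deny execution from the user-writable locations commodity ransomware droppers favour (AppData, LocalAppData and the temporary folders used by browsers and archive tools). The following added example, not part of the CISA alert, turns that rule set into a detection that can be run over process-creation events to find launches the policy would have blocked, or to measure what a policy would break before it is enforced. The event format, the deny patterns, the sample events and the carve-out for a per-user installed application are all constructed.

```python
"""Flag process launches from paths an SRP/AppLocker path policy would block.

Added example, not code from the CISA alert. The Sysmon-style event lines,
the deny rules and the exception list are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Path-based deny rules in the spirit of SRP path rules (hypothetical set).
# Temp folders for browsers and archive tools live under AppData\Local\Temp,
# so the first rule covers them; C:\Windows\Temp is world-writable and separate.
DENY_RULES = [
    ("user AppData / LocalAppData", re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)),
    ("Windows Temp", re.compile(r"^[a-z]:\\windows\\temp\\", re.I)),
]

# Per-user installed software that real deployments usually have to exempt
# (hypothetical exception; each one widens the attack surface and should be
# replaced by a publisher rule where the tooling supports it).
ALLOW_EXCEPTIONS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\teams\\current\\teams\.exe$", re.I),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value Key=Value ...' where values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def classify(image: str) -> Optional[str]:
    """Return the deny rule an image path trips, or None if execution is allowed."""
    if any(p.match(image) for p in ALLOW_EXCEPTIONS):
        return None
    for name, pattern in DENY_RULES:
        if pattern.match(image):
            return name
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(user, image, rule) for every event whose image would have been blocked."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        image = event.get("Image", "")
        rule = classify(image)
        if rule:
            hits.append((event.get("User", "?"), image, rule))
    return hits


# Constructed process-creation events, not taken from the incident.
SAMPLE_EVENTS = [
    r"ProcessCreate Image=C:\Users\alice\AppData\Local\Temp\7zO1234\invoice.exe ParentImage=C:\Program Files\7-Zip\7zFM.exe User=CORP\alice",
    r"ProcessCreate Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE ParentImage=C:\Windows\explorer.exe User=CORP\alice",
    r"ProcessCreate Image=C:\Users\bob\AppData\Roaming\update.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE User=CORP\bob",
    r"ProcessCreate Image=C:\Windows\Temp\setup.exe ParentImage=C:\Windows\System32\services.exe User=NT AUTHORITY\SYSTEM",
    r"ProcessCreate Image=C:\Users\carol\AppData\Local\Microsoft\Teams\current\Teams.exe ParentImage=C:\Windows\explorer.exe User=CORP\carol",
    r"ProcessCreate Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe User=NT AUTHORITY\SYSTEM",
]

if __name__ == "__main__":
    for user, image, rule in scan(SAMPLE_EVENTS):
        print(f"{user:22} {rule:30} {image}")
```

Two of the constructed hits are the classic ransomware entry pattern the alert describes: an executable run out of an archive tool's temp folder, and an Office child process dropped into AppData\Roaming. Path rules stop only what lands in the listed folders, so any other user-writable directory is a bypass; that is why the same mitigation item also recommends application whitelisting, which inverts the model to default-deny.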
Resources

Revisions
  • February 18, 2020: Initial Version


Vulnerability Summary for the Week of February 10, 2020

US-CERT All NCAS Products - Mon, 02/17/2020 - 13:09
Original release date: February 17, 2020

The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 10 CVE-2020-3740
CONFIRM ajaxeplorer -- ajaxeplorer
  Ajaxeplorer before 5.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) archive_name parameter to the Power FS module (plugins/action.powerfs/class.PowerFSController.php), a (2) file name to the getTrustSizeOnFileSystem function in the File System (Standard) module (plugins/access.fs/class.fsAccessWrapper.php), or the (3) revision parameter to the Subversion Repository module (plugins/meta.svn/class.SvnManager.php). 2020-02-11 10 CVE-2013-4267
MISC
MISC
MISC artica -- pandora_fms
  functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224. 2020-02-12 9 CVE-2020-8947
MISC
MISC
MISC atutor -- atutor
  confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter. 2020-02-11 7.5 CVE-2014-9753
MISC
MISC
MISC
MISC
MISC belkin -- n300_router
  An Authentication Bypass vulnerability in Belkin N300 (F7D7301v1) router allows remote attackers to bypass authentication using "Javascript debugging." 2020-02-07 10 CVE-2013-3091
MISC
MISC
MISC biscom -- secure_file_transfer
  Biscom Secure File Transfer (SFT) before 5.1.1071 and 6.0.1xxx before 6.0.1005 allows Remote Code Execution on the server. 2020-02-07 7.5 CVE-2020-8796
MISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/175922 bosch -- bvms_mobile_video_service
  Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute arbitrary code on the system. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000 and DIVAR IP 7000 if a vulnerable BVMS version is installed. 2020-02-07 10 CVE-2020-6770
CONFIRM canonical -- lxc
  In LXC 2.0, many template scripts download code over cleartext HTTP, and omit a digital-signature check, before running it to bootstrap containers. 2020-02-10 9.3 CVE-2017-18641
MISC corsair -- corsair_icue
  The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE before 3.25.60 allow local non-privileged users (including low-integrity level processes) to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, via a function call such as MmMapIoSpace. 2020-02-07 7.2 CVE-2020-8808
MISC
MISC d-link -- multiple_products
  Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua. 2020-02-11 10 CVE-2013-5945
MISC
MISC
MISC
MISC
MISC dell -- multiple_products
  An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote malicious user obtain access to the root account. 2020-02-11 10 CVE-2013-1359
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC dell -- multiple_products
  An Authentication Bypass vulnerability exists in DELL SonicWALL Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0, Analyzer 7.0, Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, and 6.0 via a crafted request to the SGMS interface, which could let a remote malicious user obtain administrative access. 2020-02-11 10 CVE-2013-1360
MISC
MISC
MISC
MISC
MISC
MISC echoping_project -- echoping
  echoping through 6.0.2 has buffer overflow vulnerabilities 2020-02-11 10 CVE-2013-4448
MISC
MISC
MISC enorth -- enorth_webpublisher_cms
  SQL injection vulnerability in pub/m_pending_news/delete_pending_news.jsp in Enorth Webpublisher CMS allows remote attackers to execute arbitrary SQL commands via the cbNewsId parameter. 2020-02-12 7.5 CVE-2015-5617
MISC
MISC eyesofnetwork -- eyesofnetwork
  An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7. 2020-02-07 9.3 CVE-2020-8655
MISC
MISC eyesofnetwork -- eyesofnetwork
  An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php. 2020-02-07 7.5 CVE-2020-8656
MISC
MISC eyesofnetwork -- eyesofnetwork
  An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field. 2020-02-07 9 CVE-2020-8654
MISC
MISC golang -- go
  The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. 2020-02-08 7.5 CVE-2015-5741
MISC
MISC
MISC
MISC
MISC
MISC
MISC google -- android
  A Code Execution vulnerability exists in Android prior to 4.4.0 related to the addJavascriptInterface method and the accessibility and accessibilityTraversal objects, which could let a remote malicious user execute arbitrary code. 2020-02-07 9 CVE-2014-7224
MISC
MISC
MISC
MISC google -- chrome
  Use after free in audio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 9.3 CVE-2020-6406
SUSE
MISC
MISC hubot_scripts -- hubot_scripts scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node.js allows remote attackers to execute arbitrary commands. 2020-02-12 7.5 CVE-2013-7378
MISC
MISC
MISC
MISC ibm -- sterling_authentication_server
  A Command Execution Vulnerability exists in IBM Sterling External Authentication Server 2.2.0, 2.3.01, 2.4.0, and 2.4.1 via an unspecified OS command, which could let a local malicious user execute arbitrary code. 2020-02-11 7.2 CVE-2013-0517
MISC
MISC libnotify -- libnotify
  libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify. 2020-02-12 7.5 CVE-2013-7381
MISC
MISC
CONFIRM
MISC linux -- linux_kernel
  Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system. 2020-02-11 7.2 CVE-2009-4067
MISC
MISC lstio -- lstio
  Istio 1.3 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match. 2020-02-12 7.5 CVE-2020-8595
REDHAT
CONFIRM
MISC
MISC
MISC
CONFIRM mediawiki -- mediawiki
  MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors. 2020-02-08 9.3 CVE-2012-4381
MISC
MISC
MISC
MISC
MISC
MISC
MISC microsoft -- multiple_internet_explorer_products
  A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767. 2020-02-11 7.6 CVE-2020-0674
MISC microsoft -- multiple_internet_explorer_products
  A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767. 2020-02-11 7.6 CVE-2020-0673
MISC microsoft -- chakacore
  A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767. 2020-02-11 7.6 CVE-2020-0711
MISC microsoft -- chakacore
  A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713. 2020-02-11 7.6 CVE-2020-0767
MISC microsoft -- chakacore
  A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0713, CVE-2020-0767. 2020-02-11 7.6 CVE-2020-0712
MISC microsoft -- chakacore
  A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0674, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767. 2020-02-11 7.6 CVE-2020-0710
MISC microsoft -- chakacore
  A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0767. 2020-02-11 7.6 CVE-2020-0713
MISC microsoft -- excel
  A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. 2020-02-11 9.3 CVE-2020-0759
MISC microsoft -- multiple_microsoft_exchange_server_products
  A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. 2020-02-11 9 CVE-2020-0688
MISC microsoft -- multiple_windows_products An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0720
MISC microsoft -- multiple_windows_products An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0683. 2020-02-11 7.2 CVE-2020-0686
MISC microsoft -- multiple_windows_products A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0734. 2020-02-11 7.6 CVE-2020-0681
MISC microsoft -- multiple_windows_products
  A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'. 2020-02-11 8.5 CVE-2020-0655
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when Windows improperly handles Secure Socket Shell remote commands, aka 'Windows SSH Elevation of Privilege Vulnerability'. 2020-02-11 7.2 CVE-2020-0757
MISC microsoft -- multiple_windows_products
  A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory, aka 'Media Foundation Memory Corruption Vulnerability'. 2020-02-11 9.3 CVE-2020-0738
MISC microsoft -- multiple_windows_products
  A remote code execution vulnerability exists in the way that Windows handles objects in memory, aka 'Windows Remote Code Execution Vulnerability'. 2020-02-11 9 CVE-2020-0662
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links, aka 'Windows Error Reporting Manager Elevation of Privilege Vulnerability'. 2020-02-11 7.2 CVE-2020-0678
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726. 2020-02-11 7.2 CVE-2020-0731
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0726, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0725
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0668, CVE-2020-0669, CVE-2020-0671, CVE-2020-0672. 2020-02-11 7.2 CVE-2020-0670
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0726
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0715, CVE-2020-0792. 2020-02-11 7.2 CVE-2020-0745
MISC microsoft -- multiple_windows_products
  A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0681. 2020-02-11 9.3 CVE-2020-0734
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0723
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0719
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory, aka 'Windows Function Discovery Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0679, CVE-2020-0680. 2020-02-11 7.2 CVE-2020-0682
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0668, CVE-2020-0669, CVE-2020-0670, CVE-2020-0671. 2020-02-11 7.2 CVE-2020-0672
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0686. 2020-02-11 7.2 CVE-2020-0683
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows Wireless Network Manager improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Wireless Network Manager Elevation of Privilege Vulnerability'. 2020-02-11 7.2 CVE-2020-0704
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0722
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows IME improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows IME Elevation of Privilege Vulnerability'. 2020-02-11 7.2 CVE-2020-0707
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when Windows improperly handles COM object creation, aka 'Windows COM Server Elevation of Privilege Vulnerability'. 2020-02-11 7.2 CVE-2020-0685
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0720, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0721
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Backup Service Elevation of Privilege Vulnerability'. 2020-02-11 7.2 CVE-2020-0703
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0668, CVE-2020-0669, CVE-2020-0670, CVE-2020-0672. 2020-02-11 7.2 CVE-2020-0671
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0691, CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731. 2020-02-11 7.2 CVE-2020-0724
MISC microsoft -- office365_proplus_for_32-bit_and_64-bit_systems
  An elevation of privilege vulnerability exists in the Microsoft Office OLicenseHeartbeat task, where an attacker who successfully exploited this vulnerability could run this task as SYSTEM. To exploit the vulnerability, an authenticated attacker would need to place a specially crafted file in a specific location, thereby allowing arbitrary file corruption. The security update addresses the vulnerability by correcting how the process validates the log file, aka 'Microsoft Office Tampering Vulnerability'. 2020-02-11 7.2 CVE-2020-0697
MISC microsoft -- windows_10_and_windows_server
  An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0715, CVE-2020-0745. 2020-02-11 7.2 CVE-2020-0792
MISC microsoft -- windows_10_and_windows_server_2016
  An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0732. 2020-02-11 7.2 CVE-2020-0709
MISC microsoft -- windows_10_and_windows_server_2016
  An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0709. 2020-02-11 7.2 CVE-2020-0732
MISC microvirt -- memu
  An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters. 2020-02-11 10 CVE-2019-14514
MISC netgear -- ac1200_smart_wifi_router
  This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR AC1200 R6220 Firmware version 1.1.0.86 Smart WiFi Router. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of path strings. By inserting a null byte into the path, the user can skip most authentication checks. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-8616. 2020-02-10 7.5 CVE-2019-17137
MISC netis -- wf2419_router
  Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing. 2020-02-07 8.5 CVE-2019-19356
MISC
MISC node.js -- node.js
  HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed 2020-02-07 7.5 CVE-2019-15605
MISC
FEDORA
CONFIRM
CONFIRM
CONFIRM
CONFIRM nodejs -- nodejs
  Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons 2020-02-07 7.5 CVE-2019-15606
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM nw.js -- nw.js
  A vulnerability exists in nw.js before 0.11.3 when calling nw methods from normal frames, which has an unspecified impact. 2020-02-07 7.5 CVE-2014-9530
CONFIRM omniauth-weibo-oauth2_gem_for_ruby_rails -- omniauth-weibo-oauth2_gem_for_ruby_rails
  The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected. 2020-02-07 7.5 CVE-2019-17268
MISC
CONFIRM openpne -- opopensocialplugin
  opOpenSocialPlugin 0.8.2.1, > 0.9.9.2, 0.9.13, 1.2.6: Multiple XML External Entity Injection Vulnerabilities 2020-02-07 7.5 CVE-2013-4335
MISC
MISC
MISC openpne -- opwebapiplugin
  opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities 2020-02-07 7.5 CVE-2013-4334
MISC
MISC phxeventmanager -- phxeventmanager
  SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter. 2020-02-11 7.5 CVE-2012-1124
MISC
MISC
MISC
MISC
MISC polarbear -- polarbear_cms
  A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload.php, which could let a malicious user execute arbitrary code. 2020-02-11 7.5 CVE-2013-0803
MISC
MISC
MISC polycomm -- web_management_interface_g3/hdx_800_hd
  An issue was discovered in Polycom Web Management Interface G3/HDX 8000 HD with Durango 2.6.0 4740 software and embedded Polycom Linux Development Platform 2.14.g3. It has a blank administrative password by default, and can be successfully used without setting this password. 2020-02-10 10 CVE-2012-6611
MISC
MISC qemu -- qemu
  The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read. 2020-02-11 7.2 CVE-2013-4535
MISC
MISC
MISC
MISC
MISC
MISC qualcomm -- multiple_snapdragon_products
  Out of bound access due to access of uninitialized memory segment in an array of pointers while normal camera open close in Snapdragon Consumer IOT, Snapdragon Mobile in QCS605, SDM439, SDM630, SDM636, SDM660, SDX24 2020-02-07 7.2 CVE-2019-14044
CONFIRM qualcomm -- multiple_snapdragon_products
  APKs without proper permission may bind to CallEnhancementService and can lead to unauthorized access to call status in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6574AU, QCS605, QM215, SA6155P, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SM6150, SM8150, SM8250, SXR2130 2020-02-07 7.2 CVE-2019-14002
CONFIRM qualcomm -- multiple_snapdragon_products
  Possible use after free issue while CRM is accessing the link pointer from device private data due to lack of resource protection in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, MDM9206, MDM9207C, MDM9607, QCS605, SDM429W, SDX24, SM8150, SXR1130 2020-02-07 7.2 CVE-2019-14088
CONFIRM
MISC qualcomm -- multiple_snapdragon_products
  Out of bound access while allocating memory for an array in camera due to improper validation of elements parameters in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in QCS605, SDM439, SDX24 2020-02-07 7.2 CVE-2019-14046
CONFIRM qualcomm -- multiple_snapdragon_products
  Stage-2 fault will occur while writing to an ION system allocation which has been assigned to non-HLOS memory which is non-standard in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MSM8953, QCN7605, QCS605, SC8180X, SDA845, SDM429, SDM439, SDM450, SDM632, SDX20, SDX24, SDX55, SM8150, SXR1130 2020-02-07 7.2 CVE-2019-14049
CONFIRM qualcomm -- multiple_snapdragon_products
  Possibility of use-after-free and double free because of not marking buffer as NULL after freeing can lead to dangling pointer access in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8939, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS605, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SM8250, SXR1130, SXR2130 2020-02-07 7.2 CVE-2019-14055
CONFIRM qualcomm -- multiple_snapdragon_products
  Uninitialized stack data gets used if memory is not allocated for the blob, or if the allocated blob is smaller than the required struct size, due to a missing check of the return value of the blob read or write, in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 2020-02-07 7.2 CVE-2019-14060
CONFIRM qualcomm -- multiple_snapdragon_products
  There is a way to deceive the GPU kernel driver into thinking there is room in the GPU ringbuffer and overwriting existing commands could allow unintended GPU opcodes to be executed in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 2020-02-07 7.2 CVE-2019-10567
CONFIRM qualcomm -- multiple_snapdragon_products
  Out of bound access while parsing dts atom, which is non-standard as it does not have valid number of tracks in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 2020-02-07 10 CVE-2019-10590
CONFIRM qualcomm -- multiple_snapdragon_products
  Buffer Over read of codec private data while parsing an mkv file due to lack of check of buffer size before read in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 2020-02-07 9.4 CVE-2019-14057
CONFIRM qualcomm -- multiple_snapdragon_products
  Out of bound access due to Invalid inputs to dapm mux settings which results into kernel failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9607, Nicobar, QCS405, Rennell, SA6155P, Saipan, SC8180X, SDM630, SDM636, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 2020-02-07 9.4 CVE-2019-14063
CONFIRM qualcomm -- snapdragon_industrial_iot
  Subsequent additions performed during Module loading while allocating the memory would lead to integer overflow and then to buffer overflow in Snapdragon Industrial IOT in MDM9206, MDM9607 2020-02-07 7.2 CVE-2019-14051
CONFIRM ruby_pdfkit_gem_for_ruby_on_rails -- ruby_pdfkit_gem_for_ruby_on_rails
  Ruby PDFKit gem prior to 0.5.3 has a Code Execution Vulnerability 2020-02-11 7.5 CVE-2013-1607
MISC
MISC secom -- dr.id
  Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Management system, contains a pre-authentication SQL injection vulnerability, allowing attackers to inject a specific SQL command. 2020-02-11 7.5 CVE-2020-3934
MISC
MISC
MISC siemens -- multiple_scalance_products
  A vulnerability has been identified in SCALANCE S602 (All versions >= V3.0), SCALANCE S612 (All versions >= V3.0), SCALANCE S623 (All versions >= V3.0), SCALANCE S627-2M (All versions >= V3.0). Specially crafted packets sent to port 443/tcp of affected devices could cause a Denial-of-Service condition of the web server. A cold reboot is required to restore the functionality of the device. 2020-02-11 7.8 CVE-2019-13926
MISC simplejobscript -- simplejobscript
  An issue was discovered in Simplejobscript.com SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file is _lib/class.JobApplication.php. 2020-02-07 7.5 CVE-2020-8645
MISC sphider -- sphider_pro_and_sphider_plus
  A Command Execution vulnerability exists in Sphider Pro, and Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5086 pertains to instances of fwrite in Sphider Pro and Sphider Plus only, but don’t exist in Sphider. 2020-02-10 7.5 CVE-2014-5086
MISC sphider -- sphider_search_engine
  A vulnerability exists in Sphider Search Engine prior to 1.3.6 due to exec calls in admin/spiderfuncs.php, which could let a remote malicious user execute arbitrary code. 2020-02-07 7.5 CVE-2014-5087
MISC
MISC status2k -- server_monitoring_software
  A vulnerability exists in Status2K 2.5 Server Monitoring Software via the multies parameter to includes/functions.php, which could let a malicious user execute arbitrary PHP code. 2020-02-07 10 CVE-2014-5091
MISC
MISC
MISC
MISC ui -- edgeswitch
  A privilege escalation vulnerability exists in the EdgeSwitch prior to version 1.7.1: a CGI script does not fully sanitize user input, resulting in local command execution and allowing an operator user (Privilege-1) to escalate privileges and become administrator (Privilege-15). 2020-02-07 7.2 CVE-2020-8126
MISC wordpress -- wordpress
  WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability 2020-02-12 7.5 CVE-2013-2010
MISC
MISC
MISC
MISC wordpress -- wordpress
  NextGEN Gallery plugin before 1.9.13 for WordPress: ngggallery.php file upload 2020-02-11 10 CVE-2013-3684
MISC
MISC wordpress -- wordpress
  Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014. 2020-02-08 7.5 CVE-2014-8739
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC yabb -- yabb
  YaBB through 2.5.2: 'guestlanguage' Cookie Parameter Local File Include Vulnerability 2020-02-11 7.5 CVE-2013-2057
MISC
MISC
MISC zend_framework -- zend_framework
  Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. 2020-02-11 7.5 CVE-2014-2052
MISC
CONFIRM
MISC

Medium Vulnerabilities

Primary Vendor -- Product   Description   Published   CVSS Score   Source & Patch Info
adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3733
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3731
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3721
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3739
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3738
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3728
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3736
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3735
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have a buffer error vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3734
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3732
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3737
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3730
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3729
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3727
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3726
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3725
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3724
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3723
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3722
CONFIRM adobe -- framemaker
  Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 6.8 CVE-2020-3720
CONFIRM apple -- ios_and_os_x
  LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image. 2020-02-12 4.3 CVE-2014-8128
MISC
MISC
MISC
MISC
MISC
MISC
MISC atlassian -- jira_server_and_data_center
  The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. 2020-02-12 6.8 CVE-2019-20099
N/A
N/A atlassian -- jira_server_and_data_center
  The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. 2020-02-12 6.8 CVE-2019-20098
N/A
N/A blackberry -- playbook
  BlackBerry PlayBook before 2.1 has an Information Disclosure Vulnerability via a Web browser component error 2020-02-10 4.3 CVE-2012-5828
MISC
MISC
MISC
MISC bludit -- bludit
  ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated users to change other users' profile pictures. 2020-02-07 4 CVE-2020-8811
MISC bosch -- multiple_products
  A path traversal vulnerability in the Bosch Video Management System (BVMS) NoTouch deployment allows an unauthenticated remote attacker to read arbitrary files from the Central Server. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch BVMS Viewer versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable BVMS version is installed. 2020-02-07 5 CVE-2020-6768
CONFIRM bosch -- video_streaming_gateway_and_divar_ip
  Missing Authentication for Critical Function in the Bosch Video Streaming Gateway (VSG) allows an unauthenticated remote attacker to retrieve and set arbitrary configuration data of the Video Streaming Gateway. A successful attack can impact the confidentiality and availability of live and recorded video data of all cameras configured to be controlled by the VSG as well as the recording storage associated with the VSG. This affects Bosch Video Streaming Gateway versions 6.45 <= 6.45.08, 6.44 <= 6.44.022, 6.43 <= 6.43.0023 and 6.42.10 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable VSG version is installed with BVMS. This affects Bosch DIVAR IP 2000 <= 3.62.0019 and DIVAR IP 5000 <= 3.80.0039 if the corresponding port 8023 has been opened in the device's firewall. 2020-02-07 6.4 CVE-2020-6769
CONFIRM canonical -- ubuntu
  Kevin Backhouse discovered an integer overflow in bson_ensure_space, as used in whoopsie. 2020-02-08 4.6 CVE-2019-11484
MISC
MISC canonical -- ubuntu
  Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences. 2020-02-08 6.1 CVE-2019-11481
MISC
MISC ceph -- rgw_beast
  A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system. 2020-02-07 6.8 CVE-2020-1700
SUSE
CONFIRM chamilo -- chamilo_lms
  Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action. 2020-02-08 4.3 CVE-2012-4029
MISC
MISC
MISC cisco -- application_control_engine
  Cisco ACE A2(3.6) allows log retention DoS. 2020-02-07 5 CVE-2013-1202
MISC clearcanvas -- clearcanvas
  Synaptive Medical ClearCanvas ImageServer 3.0 Alpha allows XSS (and HTML injection) via the Default.aspx UserName parameter. NOTE: the issues/227 reference does not imply that the affected product can be downloaded from GitHub. It was simply a convenient location for a public bug report. 2020-02-07 4.3 CVE-2020-8788
MISC cypress -- psoc_4_devices
  The Bluetooth Low Energy (BLE) stack implementation on Cypress PSoC 4 through 3.62 devices does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame. 2020-02-10 6.1 CVE-2019-17061
MISC
MISC d-link -- dir865l_devices
  D-Link DIR865L v1.03 suffers from an "Unauthenticated Hardware Linking" vulnerability. 2020-02-07 4.3 CVE-2013-3096
MISC
MISC
MISC daum_communications -- potplayer
  Potplayer prior to 1.5.39659: DLL Loading Arbitrary Code Execution Vulnerability 2020-02-11 6.8 CVE-2013-3942
MISC
MISC dialog -- da14580/1/2/3_devices
  The Bluetooth Low Energy implementation on Dialog Semiconductor SDK through 5.0.4 for DA14580/1/2/3 devices does not properly restrict the L2CAP payload length, allowing attackers in radio range to cause a buffer overflow via a crafted Link Layer packet. 2020-02-10 6.1 CVE-2019-17517
MISC
MISC dialog -- da1468x_devices
  The Bluetooth Low Energy implementation on Dialog Semiconductor SDK through 1.0.14.1081 for DA1468x devices responds to link layer packets with a payload length larger than expected, allowing attackers in radio range to cause a buffer overflow via a crafted packet. This affects, for example, August Smart Lock. 2020-02-10 6.1 CVE-2019-17518
MISC
MISC docker -- docker
  A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs. 2020-02-07 4.3 CVE-2014-5278
MISC
MISC
MISC drupal -- drupal
  The Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with the "access basic_webmail" permission to read arbitrary users' email addresses. 2020-02-08 4 CVE-2012-5570
MISC
MISC
MISC
CONFIRM filemaker -- filemaker_pro_and_filemaker_advanced
  An Authentication Bypass vulnerability exists in the MatchPasswordData function in DBEngine.dll in Filemaker Pro 13.03 and Filemaker Pro Advanced 12.04, which could let a malicious user obtain elevated privileges. 2020-02-11 4.6 CVE-2014-8347
MISC
MISC
MISC
MISC
MISC flowplayer -- flowplayer_flash
  Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin. 2020-02-08 6.8 CVE-2011-3642
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC fork -- fork_cms
  Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search. 2020-02-08 4.3 CVE-2014-9470
MISC
MISC
MISC
MISC
MISC
MISC fortiguard -- forticlient_for_linux
  A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to overwrite system files as root with arbitrary content through the system backup file, via specially crafted "BackupConfig" type IPC client requests to the fctsched process. Furthermore, FortiClient for Linux 6.2.2 and below allows a low-privilege user to write the system backup file with root privilege through the GUI, which can cause root-owned system files to be overwritten. 2020-02-07 6.6 CVE-2019-16155
MISC
CONFIRM foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8773. 2020-02-08 6.8 CVE-2019-13333
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8774. 2020-02-08 6.8 CVE-2019-13334
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8775. 2020-02-08 6.8 CVE-2019-17135
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8776. 2020-02-08 6.8 CVE-2019-17136
MISC gizmo5 -- gizmo5
  The SIP implementation on the Gizmo5 software phone provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue. 2020-02-12 4.3 CVE-2009-5139
MISC
MISC google -- chrome Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6414
SUSE
MISC
MISC google -- chrome

  Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. 2020-02-11 4.3 CVE-2020-6392
SUSE
MISC
MISC google -- chrome

  Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6393
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6415
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass HTML validators via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6413
SUSE
MISC
MISC google -- chrome
  Insufficient policy enforcement in navigation in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to confuse the user via a crafted domain name. 2020-02-11 6.8 CVE-2020-6410
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker who convinced the user to enter a URI to bypass navigation restrictions via a crafted domain name. 2020-02-11 6.8 CVE-2020-6409
SUSE
MISC
MISC google -- chrome
  Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. 2020-02-11 6.8 CVE-2020-6402
SUSE
MISC
MISC google -- chrome
  Use after free in V8 in Google Chrome prior to 79.0.3945.130 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6379
MISC
MISC google -- chrome
  Type confusion in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6382
SUSE
MISC
MISC google -- chrome
  Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass site isolation via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6385
SUSE
MISC
MISC google -- chrome
  Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension. 2020-02-11 6.8 CVE-2020-6380
MISC
MISC google -- chrome
  Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6381
SUSE
MISC
MISC google -- chrome
  Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. 2020-02-11 6.8 CVE-2020-6398
SUSE
MISC
MISC google -- chrome
  Out of bounds memory access in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6390
SUSE
MISC
MISC google -- chrome
  Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted video stream. 2020-02-11 6.8 CVE-2020-6389
SUSE
MISC
MISC google -- chrome
  Out of bounds access in WebAudio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6388
SUSE
MISC
MISC google -- chrome
  Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted video stream. 2020-02-11 6.8 CVE-2020-6387
SUSE
MISC
MISC google -- chrome
  Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2020-02-11 5.8 CVE-2020-6412
SUSE
MISC
MISC google -- chrome
  Use after free in speech in Google Chrome prior to 79.0.3945.130 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6378
MISC
MISC google -- chrome
  Insufficient data validation in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-02-11 6.8 CVE-2020-6416
SUSE
MISC
MISC google -- chrome
  Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2020-02-11 5.8 CVE-2020-6411
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in installer in Google Chrome prior to 80.0.3987.87 allowed a local attacker to execute arbitrary code via a crafted registry entry. 2020-02-11 4.6 CVE-2020-6417
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to potentially exploit heap corruption via crafted clipboard content. 2020-02-11 4.6 CVE-2020-6404
SUSE
MISC
MISC google -- chrome
  Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page. 2020-02-11 5.8 CVE-2020-6394
SUSE
MISC
MISC google -- chrome
  Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to bypass content security policy via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6391
SUSE
MISC
MISC google -- chrome
  Out of bounds read in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6395
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6396
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6397
SUSE
MISC
MISC google -- chrome
  Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6400
SUSE
MISC
MISC google -- chrome
  Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2020-02-11 4.3 CVE-2020-6401
SUSE
MISC
MISC google -- chrome
  Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6403
SUSE
MISC
MISC google -- chrome
  Out of bounds read in SQLite in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6405
SUSE
MISC
MISC google -- chrome
  Insufficient policy enforcement in AppCache in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2020-02-11 4.3 CVE-2020-6399
SUSE
MISC
MISC hp -- system_event_utility
  A potential security vulnerability has been identified with certain versions of HP System Event Utility prior to version 1.4.33. This vulnerability may allow a local attacker to execute arbitrary code via an HP System Event Utility system service. 2020-02-13 4.6 CVE-2019-18915
FULLDISC
MISC htmlunit -- htmlunit
  HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application. 2020-02-11 6.8 CVE-2020-5529
CONFIRM
JVN ibm -- cloud_cli
  IBM Cloud CLI 0.6.0 through 0.16.1 windows installers are signed using SHA1 certificate. An attacker might be able to exploit the weak algorithm to generate a installer with malicious software inside. IBM X-Force ID: 162773. 2020-02-12 5 CVE-2019-4427
XF
CONFIRM ibm -- content_navigator
  IBM Content Navigator 3.0CD is vulnerable to Server Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 172815. 2020-02-12 5 CVE-2019-4741
XF
CONFIRM ibm -- infosphere_guardium InfoSphere Guardium aix_ktap module: DoS 2020-02-10 4.9 CVE-2012-2204
MISC ispconfig -- ispconfig
  ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution 2020-02-07 6.5 CVE-2013-3629
MISC
MISC
MISC
MISC jenkins -- jenkins
  A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. 2020-02-12 4 CVE-2020-2118
MLIST
CONFIRM jenkins -- jenkins
  Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. 2020-02-12 6.5 CVE-2020-2115
MLIST
CONFIRM jenkins -- jenkins
  Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. 2020-02-12 4 CVE-2020-2128
MLIST
CONFIRM jenkins -- jenkins
  Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. 2020-02-12 6.5 CVE-2020-2120
MLIST
CONFIRM jenkins -- jenkins
  A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 2020-02-12 6.8 CVE-2020-2116
MLIST
CONFIRM jenkins -- jenkins
  A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 2020-02-12 4 CVE-2020-2117
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. 2020-02-12 4 CVE-2020-2125
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. 2020-02-12 6.5 CVE-2020-2121
MLIST
CONFIRM jenkins -- jenkins
  Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system. 2020-02-12 4 CVE-2020-2126
MLIST
CONFIRM jenkins -- jenkins
  Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. 2020-02-12 4 CVE-2020-2127
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. 2020-02-12 4 CVE-2020-2133
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. 2020-02-12 4 CVE-2020-2129
MLIST
CONFIRM jenkins -- jenkins
  Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations. 2020-02-12 6.5 CVE-2020-2110
MLIST
CONFIRM jenkins -- jenkins
  Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. 2020-02-12 6.5 CVE-2020-2109
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. 2020-02-12 4 CVE-2020-2130
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. 2020-02-12 4 CVE-2020-2131
MLIST
CONFIRM jenkins -- jenkins
  Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. 2020-02-12 5 CVE-2020-2114
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. 2020-02-12 5 CVE-2020-2119
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. 2020-02-12 4 CVE-2020-2132
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. 2020-02-12 4 CVE-2020-2124
MLIST
CONFIRM jenkins -- jenkins
  Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. 2020-02-12 6.5 CVE-2020-2123
MLIST
CONFIRM kemp_technologies -- loadmaster
  A CSRF Vulnerability exists in Kemp Load Master before 7.0-18a via unspecified vectors in administrative pages. 2020-02-07 6.8 CVE-2014-5288
MISC
MISC konqueror -- konqueror The CSS parser (khtml/css/cssparser.cpp) in Konqueror in KDE 4.7.3 allows remote attackers to cause a denial of service (crash) and possibly read memory via a crafted font face source, related to "type confusion." 2020-02-08 6.8 CVE-2012-4512
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC libgd -- libgd
  gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled). 2020-02-11 5 CVE-2018-14553
MISC
MISC
MISC linksys -- spa2102_devices
  The SIP implementation on the Linksys SPA2102 phone adapter provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue. 2020-02-12 4.3 CVE-2009-5140
MISC
MISC linux -- linux_kernel
  The int3 handler in the Linux kernel before 3.3 relies on a per-CPU debug stack, which allows local users to cause a denial of service (stack corruption and panic) via a crafted application that triggers certain lock contention. 2020-02-12 4.9 CVE-2012-0810
MISC
CONFIRM
CONFIRM linuxmint -- linuxmint
  LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities in mintUpdate. 2020-02-07 5 CVE-2012-1567
MISC
MISC linuxmint -- linuxmint
  LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities in mintNanny. 2020-02-07 5 CVE-2012-1566
MISC maxum_development_corporation -- rumpus_ftp A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html. 2020-02-10 5.8 CVE-2019-19669
MISC
MISC maxum_development_corporation -- rumpus_ftp A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html. 2020-02-10 5.8 CVE-2019-19667
MISC
MISC maxum_development_corporation -- rumpus_ftp A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html. 2020-02-10 4.3 CVE-2019-19668
MISC
MISC maxum_development_corporation -- rumpus_ftp A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html. 2020-02-10 4.3 CVE-2019-19665
MISC
MISC maxum_development_corporation -- rumpus_ftp A Cookie based reflected XSS exists in the Web File Manager of Rumpus FTP Server 8.2.9.1, related to RumpusLoginUserName and snp. 2020-02-10 4.3 CVE-2019-19661
MISC
MISC maxum_development_corporation -- rumpus_ftp A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html. 2020-02-10 5.8 CVE-2019-19663
MISC
MISC maxum_development_corporation -- rumpus_ftp A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html. 2020-02-10 4.3 CVE-2019-19666
MISC
MISC maxum_development_corporation -- rumpus_ftp A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html. 2020-02-10 4.3 CVE-2019-19660
MISC
MISC maxum_development_corporation -- rumpus_ftp A HTTP Response Splitting vulnerability was identified in the Web Settings Component of Web File Manager in Rumpus FTP Server 8.2.9.1. A successful exploit can result in stored XSS, website defacement, etc. via ExtraHTTPHeader to RAPR/WebSettingsGeneralSet.html. 2020-02-10 4.3 CVE-2019-19670
MISC
MISC maxum_development_corporation -- rumpus_ftp_server A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users' details, and escalate privileges via RAPR/DefineUsersSet.html. 2020-02-10 6.8 CVE-2019-19659
MISC
MISC mfscripts -- yetishare
  MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used). 2020-02-10 5 CVE-2019-20062
MISC
MISC
MISC mfscripts -- yetishare
  MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may discover password-reset hashes, file-delete links, or other sensitive information. 2020-02-10 5 CVE-2019-20060
MISC
MISC
MISC mfscripts -- yetishare
  The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password. 2020-02-10 5 CVE-2019-20061
MISC
MISC
MISC mfscripts -- yetishare
  payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732. 2020-02-10 6.8 CVE-2019-20059
MISC
MISC
MISC
MISC microchip_technology -- atsamb11_devices The Bluetooth Low Energy implementation on Microchip Technology BluSDK Smart through 6.2 for ATSAMB11 devices does not properly restrict link-layer data length on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet. 2020-02-10 6.1 CVE-2019-19195
MISC
MISC microsoft -- edge
  An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'. 2020-02-11 4 CVE-2020-0663
MISC microsoft -- exchange_server_2013_and_2016_and_2019
  An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'. 2020-02-11 6.8 CVE-2020-0692
MISC microsoft -- internet_explorer_10_and_11_and_edge
  An information disclosure vulnerability exists in the way that affected Microsoft browsers handle cross-origin requests, aka 'Microsoft Browser Information Disclosure Vulnerability'. 2020-02-11 4.3 CVE-2020-0706
MISC microsoft -- malicious_software_removal_tool
  An elevation of privilege vulnerability exists when the Windows Malicious Software Removal Tool (MSRT) improperly handles junctions.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability'. 2020-02-11 4.6 CVE-2020-0733
MISC microsoft -- multiple_products
  A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats, aka 'Microsoft Outlook Security Feature Bypass Vulnerability'. 2020-02-11 4.3 CVE-2020-0696
MISC microsoft -- multiple_windows_products A security feature bypass vulnerability exists in secure boot, aka 'Microsoft Secure Boot Security Feature Bypass Vulnerability'. 2020-02-11 4.6 CVE-2020-0689
MISC microsoft -- multiple_windows_products An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory, aka 'Windows Function Discovery Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0679, CVE-2020-0682. 2020-02-11 4.6 CVE-2020-0680
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0666, CVE-2020-0667, CVE-2020-0752. 2020-02-11 4.6 CVE-2020-0735
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0668, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672. 2020-02-11 4.6 CVE-2020-0669
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory, aka 'Windows Client License Service Elevation of Privilege Vulnerability'. 2020-02-11 4.6 CVE-2020-0701
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0741, CVE-2020-0742, CVE-2020-0743, CVE-2020-0749, CVE-2020-0750. 2020-02-11 4.6 CVE-2020-0740
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the tapisrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0739. 2020-02-11 4.6 CVE-2020-0737
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0740, CVE-2020-0741, CVE-2020-0742, CVE-2020-0743, CVE-2020-0749. 2020-02-11 4.6 CVE-2020-0750
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the dssvc.dll handles file creation allowing for a file overwrite or creation in a secured location, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0737. 2020-02-11 4.6 CVE-2020-0739
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672. 2020-02-11 4.6 CVE-2020-0668
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0740, CVE-2020-0742, CVE-2020-0743, CVE-2020-0749, CVE-2020-0750. 2020-02-11 4.6 CVE-2020-0741
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0740, CVE-2020-0741, CVE-2020-0743, CVE-2020-0749, CVE-2020-0750. 2020-02-11 4.6 CVE-2020-0742
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0740, CVE-2020-0741, CVE-2020-0742, CVE-2020-0749, CVE-2020-0750. 2020-02-11 4.6 CVE-2020-0743
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka 'Windows Data Sharing Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0659. 2020-02-11 4.6 CVE-2020-0747
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0740, CVE-2020-0741, CVE-2020-0742, CVE-2020-0743, CVE-2020-0750. 2020-02-11 4.6 CVE-2020-0749
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0666, CVE-2020-0667, CVE-2020-0735. 2020-02-11 4.6 CVE-2020-0752
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory, aka 'Windows Function Discovery Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0680, CVE-2020-0682. 2020-02-11 4.6 CVE-2020-0679
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory, aka 'Microsoft Graphics Components Information Disclosure Vulnerability'. 2020-02-11 5 CVE-2020-0746
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'. 2020-02-11 6.8 CVE-2020-0665
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0754. 2020-02-11 4.6 CVE-2020-0753
MISC microsoft -- multiple_windows_products
  A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'. 2020-02-11 6.8 CVE-2020-0729
MISC microsoft -- multiple_windows_products
  A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability'. 2020-02-11 5 CVE-2020-0660
MISC microsoft -- multiple_windows_products
  A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'. This CVE ID is unique from CVE-2020-0751. 2020-02-11 5.5 CVE-2020-0661
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory, aka 'Windows Common Log File System Driver Elevation of Privilege Vulnerability'. 2020-02-11 4.6 CVE-2020-0657
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka 'Windows Data Sharing Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0747. 2020-02-11 4.6 CVE-2020-0659
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0667, CVE-2020-0735, CVE-2020-0752. 2020-02-11 4.6 CVE-2020-0666
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0666, CVE-2020-0735, CVE-2020-0752. 2020-02-11 4.6 CVE-2020-0667
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0753. 2020-02-11 4.6 CVE-2020-0754
MISC microsoft -- sql_server_2012_and_2014_and_2016
  A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'. 2020-02-11 6.5 CVE-2020-0618
MISC microsoft -- surface_hub
  A security feature bypass vulnerability exists in Surface Hub when prompting for credentials, aka 'Surface Hub Security Feature Bypass Vulnerability'. 2020-02-11 4.6 CVE-2020-0702
MISC misp_project -- misp
  An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests. 2020-02-12 4.3 CVE-2020-8890
MISC
MISC
MISC misp_project -- misp
  An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests. 2020-02-12 4.3 CVE-2020-8891
MISC
MISC
MISC misp_project -- misp
  An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. 2020-02-12 6.8 CVE-2020-8892
MISC
MISC
MISC misp_project -- misp
  An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. 2020-02-12 5 CVE-2020-8893
MISC
MISC misp_project -- misp
  An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. 2020-02-12 6.4 CVE-2020-8894
MISC
MISC netcracker -- netcracker_resource_management_system
  Multiple SQL injection vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) ctrl, (2) h____%2427, (3) h____%2439, (4) param0, (5) param1, (6) param2, (7) param3, (8) param4, (9) filter_INSERT_COUNT, (10) filter_MINOR_FALLOUT, (11) filter_UPDATE_COUNT, (12) sort, or (13) sessid parameter. 2020-02-08 6.5 CVE-2015-3423
MISC
MISC netsurf -- libnsbmp
  Heap-based buffer overflow in the bmp_decode_rle function in libnsbmp.c in Libnsbmp 0.1.2 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the last row of RLE data in a crafted BMP file. 2020-02-12 6.8 CVE-2015-7508
MISC
MISC node.js -- node.js
  Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate. 2020-02-07 5 CVE-2019-15604
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM nxp -- kw41z_devices
  The Bluetooth Low Energy (BLE) stack implementation on the NXP KW41Z (based on the MCUXpresso SDK with Bluetooth Low Energy Driver 2.2.1 and earlier) does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame. 2020-02-10 6.1 CVE-2019-17060
MISC
MISC oberhumer -- liblzo2_and_lzo-2
  Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run. 2020-02-12 6.8 CVE-2014-4607
MISC
CONFIRM open-school -- open-school_community_edition
  Open-School Community Edition 2.2 does not properly restrict access to the export functionality, which allows remote authenticated users to obtain sensitive information via the r parameter with the value export to index.php. 2020-02-08 4 CVE-2014-9127
MISC open-school -- open-school_community_edition
  Multiple cross-site scripting (XSS) vulnerabilities in Open-School Community Edition 2.2 allow remote attackers to inject arbitrary web script or HTML via the YII_CSRF_TOKEN HTTP cookie or the StudentDocument, StudentCategories, StudentPreviousDatas parameters to index.php. 2020-02-08 4.3 CVE-2014-9126
MISC openfiler -- openfiler
  Cross-site scripting (XSS) vulnerability in admin/system.html in Openfiler 2.3 allows remote attackers to inject arbitrary web script or HTML via the device parameter. 2020-02-07 4.3 CVE-2011-1086
MISC
MISC
MISC otrs -- otrs
  The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. 2020-02-07 5.5 CVE-2020-1768
CONFIRM perforce_software -- p4web
  Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities. 2020-02-12 4.3 CVE-2013-1410
MISC
MISC phonoerlite -- phonerlite
  The PhonerLite phone before 2.15 provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue. 2020-02-12 4.3 CVE-2014-2560
MISC php -- php
  When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash. 2020-02-10 6.4 CVE-2020-7060
MISC php -- php
  When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash. 2020-02-10 6.4 CVE-2020-7059
MISC pragmamx -- pragmamx
  Multiple cross-site scripting (XSS) vulnerabilities in pragmaMx 1.x before 1.12.2 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to modules.php or (2) img_url to includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php. 2020-02-11 4.3 CVE-2012-2452
MISC
MISC
MISC prestashop -- prestashop
  Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php. 2020-02-11 4.3 CVE-2012-2517
MISC
MISC qualcomm -- multiple_snapdragon_products
  During listener modified response processing, a buffer overrun occurs due to lack of buffer size verification when updating message buffer with physical address information in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130. 2020-02-07 4.6 CVE-2019-14041
CONFIRM qualcomm -- multiple_snapdragon_products
  Using memory after being freed in qsee due to wrong implementation can lead to unexpected behavior such as execution of unknown code in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150, SXR1130. 2020-02-07 4.6 CVE-2019-14040
CONFIRM railo_technologies -- railo
  A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code. 2020-02-07 6.8 CVE-2014-5468
MISC
MISC
MISC
MISC
MISC red_hat -- openshift_entrprise
  It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 up to and including 4.3 that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb. 2020-02-07 4.4 CVE-2020-1708
CONFIRM secom -- dr.id
  Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Management system, stores users' information in cleartext in the cookie, which divulges the password to attackers. 2020-02-11 5 CVE-2020-3935
MISC
MISC
MISC secom -- dr.id
  Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Management system, allows attackers to enumerate and examine user accounts in the system. 2020-02-11 5 CVE-2020-3933
MISC
MISC
MISC siemens -- multiple_scalance_devices
  A vulnerability has been identified in SCALANCE S602 (All versions >= V3.0), SCALANCE S612 (All versions >= V3.0), SCALANCE S623 (All versions >= V3.0), SCALANCE S627-2M (All versions >= V3.0). Specially crafted packets sent to port 443/tcp of affected devices could cause a Denial-of-Service condition of the web server. 2020-02-11 5 CVE-2019-13925
MISC siemens -- multiple_scalance_switches
  A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (all versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (all versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known. 2020-02-11 4.3 CVE-2019-13924
MISC siemens -- multiple_simatic_devices
  A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.1), SIMATIC S7-300 PN/DP CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP V6 and below CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants) (All versions). Affected devices contain a vulnerability that could cause a Denial-of-Service condition of the web server by sending specially crafted HTTP requests to ports 80/tcp and 443/tcp. The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device’s web server. Beyond the web service, no other functions or interfaces are affected by the Denial-of-Service condition. 2020-02-11 5 CVE-2019-13940
MISC
MISC siemens -- ozw672_and_772_web_servers
  A vulnerability has been identified in OZW672 (All versions < V10.00), OZW772 (All versions < V10.00). Vulnerable versions of OZW Web Server use predictable path names for project files that legitimately authenticated users have created by using the application's export function. By accessing a specific uniform resource locator on the web server, a remote attacker could be able to download a project file without prior authentication. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected system. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises the confidentiality of the targeted system. 2020-02-11 5 CVE-2019-13941
MISC simple_machines -- simple_machines_forum
  File Disclosure in SMF (SimpleMachines Forum) <= 2.0.3: Forum admin can read files such as the database config. 2020-02-07 4 CVE-2013-0192
MISC
MISC
MISC smoothwall -- smoothwall_express_3
  A cross-site scripting (XSS) vulnerability in Smoothwall Express 3. 2020-02-07 4.3 CVE-2011-1084
MISC smoothwall -- smoothwall_express_3
  CSRF vulnerability in Smoothwall Express 3. 2020-02-07 6.8 CVE-2011-1085
MISC socialengine -- socialengine
  Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4. 2020-02-11 6.8 CVE-2012-6721
MISC socialengine -- socialengine
  Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine before 4.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to music/create, (2) location parameter to events/create, or (3) search parameter to widget/index/content_id/*. 2020-02-11 4.3 CVE-2012-6720
MISC sockjs -- sockjs
  htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter. 2020-02-10 4.3 CVE-2020-8823
MISC
MISC sphider -- sphider
  A Command Execution vulnerability exists in Sphider before 1.3.6 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5083 pertains to instances of fwrite in Sphider. 2020-02-10 6.5 CVE-2014-5083
MISC sphider -- sphider_plus
  A Command Execution vulnerability exists in Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5085 pertains to instances of fwrite in Sphider Plus, but do not exist in either Sphider or Sphider Pro. 2020-02-10 6.5 CVE-2014-5085
MISC sphider -- sphider_pro
  A Command Execution vulnerability exists in Sphider Pro 3.2 due to insufficient sanitization of fwrite, which could let a remote malicious user execute arbitrary code. CVE-2014-5084 pertains to instances of fwrite in Sphider Pro only, but do not exist in either Sphider or Sphider Plus. 2020-02-10 6.5 CVE-2014-5084
MISC statusnet -- statusnet
  statusnet through 2010 allows attackers to spoof syslog messages via newline injection attacks. 2020-02-07 5 CVE-2010-4658
MISC
MISC suse -- opensuse_wicked
  An ni_dhcp4_fsm_process_dhcp4_packet memory leak in openSUSE wicked 0.6.55 and earlier allows network attackers to cause a denial of service by sending DHCP4 packets with a different client-id. 2020-02-11 5 CVE-2020-7217
SUSE
MISC
MISC
MISC symantec -- endpoint_protection_and_endpoint_protection_small_business_edition
  Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. 2020-02-11 4.6 CVE-2020-5820
MISC symantec -- endpoint_protection_and_endpoint_protection_small_business_edition
  Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. 2020-02-11 4.6 CVE-2020-5822
MISC symantec -- endpoint_protection_and_endpoint_protection_small_business_edition
  Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a DLL injection vulnerability, which is a type of issue whereby an individual attempts to execute their own code in place of legitimate code as a means to perform an exploit. 2020-02-11 4.6 CVE-2020-5821
MISC symantec -- endpoint_protection_and_endpoint_protection_small_business_edition
  Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. 2020-02-11 4.6 CVE-2020-5823
MISC teamviewer -- teamviewer_desktop
  TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protected information stored in the registry or configuration files of TeamViewer. With versions before v9.x, this allowed attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to log in to the system. 2020-02-07 4.4 CVE-2019-18988
MISC
MISC
MISC
MISC testlink -- testlink
  An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection. 2020-02-10 6.5 CVE-2020-8841
MISC
MISC texas_instruments -- cc2640r2_devices
  The Bluetooth Low Energy implementation on Texas Instruments SDK through 3.30.00.20 for CC2640R2 devices does not properly restrict the SM Public Key packet on reception, allowing attackers in radio range to cause a denial of service (crash) via crafted packets. 2020-02-10 6.1 CVE-2019-17520
MISC
MISC
MISC texas_instruments -- multiple_devices
  The Bluetooth Low Energy peripheral implementation on Texas Instruments SIMPLELINK-CC2640R2-SDK through 3.30.00.20 and BLE-STACK through 1.5.0 before Q4 2019 for CC2640R2 and CC2540/1 devices does not properly restrict the advertisement connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet. 2020-02-10 6.1 CVE-2019-19193
MISC
MISC the_bug_genie -- the_bug_genie
  The Bug Genie before 3.2.6 has Multiple XSS and HTML Injection Vulnerabilities. 2020-02-11 4.3 CVE-2013-1760
MISC
MISC
MISC ubiquiti_networks -- unifi_controller
  Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity. 2020-02-08 6.8 CVE-2014-2225
MISC
MISC vbseo -- vbseo
  vBSeo before 3.6.0PL2 allows XSS via the member.php u parameter. 2020-02-10 4.3 CVE-2012-6666
MISC
MISC vtiger -- vtiger_crm
  vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability. 2020-02-07 6.5 CVE-2013-3591
MISC
MISC
MISC
MISC watchguard -- firewire_xtm
  A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11.8.3 via the poll_name parameter in the firewall/policy script. 2020-02-07 4.3 CVE-2014-6413
MISC
MISC
MISC
MISC wordpress -- wordpress
  Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action in the sliders_huge_it_slider page to wp-admin/admin.php. 2020-02-08 6.5 CVE-2015-2062
MISC
MISC
MISC
MISC wordpress -- wordpress
  A Cross-site Scripting (XSS) vulnerability exists in the All in One SEO Pack plugin before 2.0.3.1 for WordPress via the Search parameter. 2020-02-11 4.3 CVE-2013-5988
MISC
MISC wordpress -- wordpress
  WordPress WP Super Cache Plugin 1.2 has Remote PHP Code Execution. 2020-02-07 6.8 CVE-2013-2009
MISC
MISC
MISC
MISC
MISC wordpress -- wordpress
  WordPress Super Cache Plugin 1.3 has XSS. 2020-02-07 4.3 CVE-2013-2008
MISC
MISC
MISC xiaomi -- mi6_devices
  This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Xiaomi Browser Prior to 10.4.0. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the miui.share application. The issue results from the lack of proper validation of user-supplied data, which can result in an arbitrary application download. An attacker can leverage this vulnerability to execute code in the context of the user. Was ZDI-CAN-7483. 2020-02-10 6.8 CVE-2019-13322
MISC xiaomi -- mi6_devices
  This vulnerability allows network adjacent attackers to execute arbitrary code on affected installations of Xiaomi Browser Prior to 10.4.0. User interaction is required to exploit this vulnerability in that the target must connect to a malicious access point. The specific flaw exists within the handling of HTTP responses to the Captive Portal. A crafted HTML response can cause the Captive Portal to open a browser to a specified location without user interaction. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7467. 2020-02-10 5.4 CVE-2019-13321
MISC zabbix -- zabbix
  Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability. 2020-02-07 6.5 CVE-2013-3628
MISC
MISC
MISC
MISC zenphoto -- zenphoto
  Zenphoto before 1.4.3.4 admin-news-articles.php date parameter XSS. 2020-02-11 4.3 CVE-2012-4519
MISC
MISC zoho_manageengine -- applications_manager
  The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet. 2020-02-08 5 CVE-2014-7863
MISC
MISC
MISC
MISC
MISC
MISC

Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
apport -- apport
  Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport that allowed a user to cause core files to be written in arbitrary directories. 2020-02-08 1.9 CVE-2019-11482
MISC
MISC apport -- apport
  Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. 2020-02-08 2.1 CVE-2019-11483
MISC
MISC apport -- apport
  Sander Bos discovered Apport's lock file was in a world-writable directory which allowed all users to prevent crash handling. 2020-02-08 2.1 CVE-2019-11485
MISC
MISC bludit -- bludit
  ** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert malicious JavaScript on the WYSIWYG editor. NOTE: the vendor's perspective is that this is "not a bug." 2020-02-07 3.5 CVE-2020-8812
MISC cpanel -- cpanel_and_whm
  The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability. 2020-02-10 3.5 CVE-2012-6449
MISC digi_transport -- multiple_devices
  Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices allow stored XSS in the web application. 2020-02-10 3.5 CVE-2020-8822
MISC google -- chrome
  Insufficient policy enforcement in CORS in Google Chrome prior to 80.0.3987.87 allowed a local attacker to obtain potentially sensitive information via a crafted HTML page. 2020-02-11 2.1 CVE-2020-6408
SUSE
MISC
MISC hp -- hp_systems_insight_manager
  HP Systems Insight Manager before 7.0 allows a remote user on an adjacent network to access information. 2020-02-10 2.7 CVE-2012-1994
MISC
MISC
MISC ibm -- rational_publishing_engine
  IBM Rational Publishing Engine 6.0.6 and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162888. 2020-02-12 3.5 CVE-2019-4431
XF
CONFIRM jenkins -- jenkins
  Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data. 2020-02-12 3.5 CVE-2020-2122
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability. 2020-02-12 3.5 CVE-2020-2111
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission. 2020-02-12 3.5 CVE-2020-2112
MLIST
CONFIRM jenkins -- jenkins
  Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission. 2020-02-12 3.5 CVE-2020-2113
MLIST
CONFIRM keycloak -- keycloak
  It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. 2020-02-10 3.5 CVE-2020-1697
CONFIRM linksys -- wrt310nv2ne
  Linksys WRT310Nv2 2.0.0.1 is vulnerable to XSS. 2020-02-07 3.5 CVE-2013-3067
MISC
MISC
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'. 2020-02-11 3.6 CVE-2020-0730
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory, aka 'Windows Common Log File System Driver Information Disclosure Vulnerability'. 2020-02-11 2.1 CVE-2020-0658
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory, aka 'Windows Key Isolation Service Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0675, CVE-2020-0676, CVE-2020-0677, CVE-2020-0748, CVE-2020-0756. 2020-02-11 2.1 CVE-2020-0755
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory, aka 'Windows Key Isolation Service Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0676, CVE-2020-0677, CVE-2020-0748, CVE-2020-0755, CVE-2020-0756. 2020-02-11 2.1 CVE-2020-0675
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory, aka 'Windows Key Isolation Service Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0675, CVE-2020-0676, CVE-2020-0677, CVE-2020-0755, CVE-2020-0756. 2020-02-11 2.1 CVE-2020-0748
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system, aka 'Windows GDI Information Disclosure Vulnerability'. 2020-02-11 2.1 CVE-2020-0744
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory, aka 'Windows Key Isolation Service Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0675, CVE-2020-0676, CVE-2020-0677, CVE-2020-0748, CVE-2020-0755. 2020-02-11 2.1 CVE-2020-0756
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0716. 2020-02-11 2.1 CVE-2020-0717
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0717. 2020-02-11 2.1 CVE-2020-0716
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability'. 2020-02-11 2.1 CVE-2020-0705
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists when the Telephony Service improperly discloses the contents of its memory, aka 'Windows Information Disclosure Vulnerability'. 2020-02-11 2.1 CVE-2020-0698
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory, aka 'Windows Key Isolation Service Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0675, CVE-2020-0676, CVE-2020-0748, CVE-2020-0755, CVE-2020-0756. 2020-02-11 2.1 CVE-2020-0677
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the service handles objects in memory, aka 'Windows Key Isolation Service Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0675, CVE-2020-0677, CVE-2020-0748, CVE-2020-0755, CVE-2020-0756. 2020-02-11 2.1 CVE-2020-0676
MISC microsoft -- multiple_windows_products
  An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. 2020-02-11 2.1 CVE-2020-0736
MISC microsoft -- sharepoint
  A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0693. 2020-02-11 3.5 CVE-2020-0694
MISC microsoft -- sharepoint
  A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0694. 2020-02-11 3.5 CVE-2020-0693
MISC microsoft -- windows_10_and_windows_server
  A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests, aka 'Windows Hyper-V Denial of Service Vulnerability'. This CVE ID is unique from CVE-2020-0661. 2020-02-11 2.1 CVE-2020-0751
MISC moodle -- moodle
  Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug." 2020-02-11 3.5 CVE-2019-18210
MISC
MISC mybulletinboard -- mybulletinboard
  Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module. 2020-02-11 3.5 CVE-2014-3826
MISC mybulletinboard -- mybulletinboard
  Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php. 2020-02-11 3.5 CVE-2014-3827
CONFIRM
MISC netapp -- snap_creator_framework
  NetApp Snap Creator Framework before 4.3P1 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors. 2020-02-11 3.5 CVE-2016-5710
MISC netcracker -- netcracker_resource_management_system
  Multiple cross-site scripting (XSS) vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) ctrl, (2) t90001_0_theform_selection, (3) _scroll, (4) tableName, (5) parent, (6) circuit, (7) return, (8) xname, or (9) mpTransactionId parameter. 2020-02-08 3.5 CVE-2015-2207
MISC
MISC orange_hrm -- orange_hrm
  Orange HRM 2.7.1 allows XSS via the vacancy name. 2020-02-10 3.5 CVE-2013-1353
MISC piwigo -- piwigo
  Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page. 2020-02-10 3.5 CVE-2020-8089
CONFIRM
MISC projectpier -- projectpier
  ProjectPier 0.8.8 has stored XSS. 2020-02-07 3.5 CVE-2013-3635
MISC projectpier -- projectpier
  ProjectPier 0.8.8 has a Remote Information Disclosure Weakness because of the lack of the HttpOnly cookie flag. 2020-02-07 3.5 CVE-2013-3636
MISC
MISC
MISC projectpier -- projectpier
  ProjectPier 0.8.8 does not use the Secure flag for cookies. 2020-02-07 3.5 CVE-2013-3637
MISC rakuten -- viber_for_android
  An exploitable information disclosure vulnerability exists in the 'Secret Chats' functionality of Rakuten Viber on Android 9.3.0.6. The 'Secret Chats' functionality allows a user to delete all traces of a chat either by using a time trigger or by direct request. There is a bug in this functionality which leaves behind photos taken and shared on the secret chats, even after the chats are deleted. These photos will be stored in the device and accessible to all applications installed on the Android device. 2020-02-13 2.1 CVE-2018-3987
MISC samsung -- knox
  This vulnerability allows local attackers to disclose sensitive information on affected installations of Samsung Knox 1.2.02.39 on Samsung Galaxy S9 build G9600ZHS3ARL1 Secure Folder. An attacker must first obtain physical access to the device in order to exploit this vulnerability. The specific flaw exists within the handling of the lock screen for Secure Folder. The issue results from the lack of proper validation that a user has correctly authenticated. An attacker can leverage this vulnerability to disclose the contents of the secure container. Was ZDI-CAN-7381. 2020-02-10 2.1 CVE-2019-6744
MISC
MISC symantec -- endpoint_protection_and_endpoint_protection_small_business_edition
  Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a denial of service vulnerability, which is a type of issue whereby a threat actor attempts to tie up the resources of a resident application, thereby making certain functions unavailable. 2020-02-11 2.1 CVE-2020-5824
MISC symantec -- endpoint_protection_and_endpoint_protection_small_business_edition
  Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program. 2020-02-11 2.1 CVE-2020-5826
MISC symantec -- endpoint_protection_and_endpoint_small_business_edition
  Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to an arbitrary file write vulnerability, which is a type of issue whereby an attacker is able to overwrite existing files on the resident system without proper privileges. 2020-02-11 3.6 CVE-2020-5825
MISC symantec -- endpoint_protection_manager
  Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program. 2020-02-11 2.1 CVE-2020-5827
MISC symantec -- endpoint_protection_manager
  Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program. 2020-02-11 2.1 CVE-2020-5829
MISC symantec -- endpoint_protection_manager
  Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program. 2020-02-11 2.1 CVE-2020-5830
MISC symantec -- endpoint_protection_manager
  Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program. 2020-02-11 2.1 CVE-2020-5831
MISC symantec -- symantec_endpoint_protection_manager
  Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program. 2020-02-11 2.1 CVE-2020-5828
MISC syska -- smart_bulb_devices
  Syska Smart Bulb devices through 2017-08-06 receive RGB parameters over cleartext Bluetooth Low Energy (BLE), leading to sniffing, reverse engineering, and replay attacks. 2020-02-10 3.3 CVE-2017-18642
MISC vanilla_forum -- vanilla
  index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS. 2020-02-10 3.5 CVE-2020-8825
MISC
MISC wordpress -- wordpress
  Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6) clipboard_files, (7) clipboard_src, or (8) clipboard_dest parameters in an addImages action to wp-admin/admin-ajax.php. 2020-02-08 3.5 CVE-2015-1394
MISC
MISC
MISC
MISC
MISC

Severity Not Yet Assigned

Primary Vendor -- Product   Description   Published   CVSS Score   Source & Patch Info
accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll PNG pngread parser of the Accusoft ImageGear 19.5.0 library. A specially crafted PNG file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-14 not yet calculated CVE-2020-6068
MISC accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll JPEG SOFx parser of the Accusoft ImageGear 19.5.0 library. A specially crafted JPEG file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-11 not yet calculated CVE-2020-6066
MISC accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the TIFreadstripdata function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-14 not yet calculated CVE-2019-5187
MISC accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the uncompress_scan_line function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0. A specially crafted PCX file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-11 not yet calculated CVE-2020-6063
MISC accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the bmp_parsing function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0. A specially crafted BMP file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-11 not yet calculated CVE-2020-6065
MISC accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the uncompress_scan_line function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0. A specially crafted PCX file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-11 not yet calculated CVE-2020-6064
MISC accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll JPEG jpegread precision parser of the Accusoft ImageGear 19.5.0 library. A specially crafted JPEG file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-11 not yet calculated CVE-2020-6069
MISC accusoft -- imagegear
  An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll TIFF tifread parser of the Accusoft ImageGear 19.5.0 library. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability. 2020-02-11 not yet calculated CVE-2020-6067
MISC adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a privilege escalation vulnerability. Successful exploitation could lead to arbitrary file system write. 2020-02-13 not yet calculated CVE-2020-3762
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3748
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a privilege escalation vulnerability. Successful exploitation could lead to arbitrary file system write. 2020-02-13 not yet calculated CVE-2020-3763
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3742
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3743
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. 2020-02-13 not yet calculated CVE-2020-3744
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3745
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3746
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. 2020-02-13 not yet calculated CVE-2020-3747
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3749
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3750
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a stack exhaustion vulnerability. Successful exploitation could lead to memory leak. 2020-02-13 not yet calculated CVE-2020-3753
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a buffer error vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3754
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. 2020-02-13 not yet calculated CVE-2020-3755
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a stack exhaustion vulnerability. Successful exploitation could lead to memory leak. 2020-02-13 not yet calculated CVE-2020-3756
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3751
CONFIRM adobe -- acrobat_and_reader
  Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a buffer error vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3752
CONFIRM adobe -- digital_editions
  Adobe Digital Editions versions 4.5.10 and below have a buffer error vulnerability. Successful exploitation could lead to information disclosure. 2020-02-13 not yet calculated CVE-2020-3759
CONFIRM adobe -- digital_editions
  Adobe Digital Editions versions 4.5.10 and below have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3760
CONFIRM adobe -- experience_manager
  Adobe Experience Manager versions 6.5 and 6.4 have an uncontrolled resource consumption vulnerability. Successful exploitation could lead to denial-of-service. 2020-02-13 not yet calculated CVE-2020-3741
CONFIRM adobe -- flash_player
  Adobe Flash Player versions 32.0.0.321 and earlier, 32.0.0.314 and earlier, 32.0.0.321 and earlier, and 32.0.0.255 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-02-13 not yet calculated CVE-2020-3757
CONFIRM ai -- risknet_acquirer
  RiskNet Acquirer before hotfix 6.0 b7+ADHOC-443 ApplicationServiceBean contains a service information disclosure. 2020-02-14 not yet calculated CVE-2013-5687
XF amazon -- aws-js-s3-explorer
  explorer.js in Amazon AWS JavaScript S3 Explorer (aka aws-js-s3-explorer) v2 alpha before 2019-08-02 allows XSS in certain circumstances. 2020-02-13 not yet calculated CVE-2019-14652
MISC
MISC
MISC
amd -- radeon_amd_user_experience_program_launcher
  The AUEPLauncher service in Radeon AMD User Experience Program Launcher through 1.0.0.1 on Windows allows elevation of privilege by placing a crafted file in %PROGRAMDATA%\AMD\PPC\upload and then creating a symbolic link in %PROGRAMDATA%\AMD\PPC\temp that points to an arbitrary folder with an arbitrary file name. 2020-02-12 not yet calculated CVE-2020-8950
MISC
MISC ammyy -- ammyy_admin
  Ammyy Admin 3.2 and earlier stores the client ID at a fixed memory location, which might make it easier for user-assisted remote attackers to bypass authentication by running a local program that extracts a field from the AA_v3.2.exe file. 2020-02-11 not yet calculated CVE-2013-5582
MISC apache -- nifi
  In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext. 2020-02-11 not yet calculated CVE-2020-1942
MISC ariadne -- ariadne
  Multiple cross-site scripting (XSS) vulnerabilities in Ariadne 2.7.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO parameter to (1) index.php and (2) loader.php. 2020-02-11 not yet calculated CVE-2011-4938
MISC
MISC
MISC
MISC
MISC aruba_networks -- intelligent_edge_switches
  A remotely exploitable information disclosure vulnerability is present in Aruba Intelligent Edge Switch models 5400, 3810, 2920, 2930, 2530 with GigT port, 2530 10/100 port, or 2540. The vulnerability impacts firmware 16.08.* before 16.08.0009, 16.09.* before 16.09.0007 and 16.10.* before 16.10.0003. The vulnerability allows an attacker to retrieve sensitive system information. This attack can be carried out without user authentication under very specific conditions. 2020-02-13 not yet calculated CVE-2019-5322
MISC askey -- ap400w_devices
  An issue was discovered on Askey AP4000W TDC_V1.01.003 devices. An attacker can perform Remote Code Execution (RCE) by sending a specially crafted network packet to the bd_svr service listening on TCP port 54188. 2020-02-13 not yet calculated CVE-2020-8614
MISC askpop3d -- askpop3d
  A Denial of Service vulnerability exists in askpop3d 0.7.7 in free(pszQuery). 2020-02-13 not yet calculated CVE-2014-3208
MISC
MISC atlassian -- jira_and_greenhoper
  Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code. 2020-02-13 not yet calculated CVE-2012-1500
MISC
EXPLOIT-DB atlassian -- jira_server_and_data_center
  The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. 2020-02-12 not yet calculated CVE-2019-20100
N/A
N/A
N/A avira -- antivir_engine
  A Denial of Service (infinite loop) vulnerability exists in Avira AntiVir Engine before 8.2.12.58 via an unspecified function in the PDF Scanner Engine. 2020-02-12 not yet calculated CVE-2013-4602
MISC
MISC
MISC
MISC
MISC barracuda -- web_application_firewall
  Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string. 2020-02-12 not yet calculated CVE-2014-2595
MISC
MISC
MISC
MISC
MISC
MISC
MISC bearftp -- bearftp
  Improper connection handling in the base connection handler in IKTeam BearFTP before v0.3.1 allows a remote attacker to achieve denial of service via a Slowloris approach by sending a large volume of small packets. 2020-02-12 not yet calculated CVE-2020-8815
MISC
MISC
CONFIRM
MISC
CONFIRM belkin -- n750_routers
  Belkin n750 routers have a buffer overflow. 2020-02-13 not yet calculated CVE-2013-7173
MISC
MISC boat_browser -- boat_browser_for_android
  The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636. 2020-02-12 not yet calculated CVE-2014-4968
MISC bss -- bs-client_private_client
  A Two-Factor Authentication Bypass Vulnerability exists in BS-Client Private Client 2.4 and 2.5 via an XML request that neglects the use of ADPswID and AD parameters, which could let a malicious user access privileged function. 2020-02-13 not yet calculated CVE-2014-4198
MISC chiyu_technology -- bf-430_devices
  Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter devices before 1.16.00, as demonstrated by the /if.cgi TF_submask field. 2020-02-12 not yet calculated CVE-2020-8839
MISC
MISC cisco -- internetwork_operating_system
  A memory leak vulnerability exists in Cisco IOS before 15.2(1)T due to a memory leak in the HTTP PROXY Server process (aka CSCtu52820), when configured with Cisco ISR Web Security with Cisco ScanSafe and User Authentication NTLM configured. 2020-02-12 not yet calculated CVE-2011-4661
MISC cloud_foundry -- credhub
  Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components. 2020-02-12 not yet calculated CVE-2020-5399
CONFIRM codologic -- codofurm
  Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts. 2020-02-15 not yet calculated CVE-2020-7050
CONFIRM
MISC codologic -- codofurm
  Codologic Codoforum through 4.8.4 allows stored XSS in the login area. This is relevant in conjunction with CVE-2020-5842 because session cookies lack the HttpOnly flag. The impact is account takeover. 2020-02-13 not yet calculated CVE-2020-7051
CONFIRM
MISC combodo -- itop
  In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title). 2020-02-14 not yet calculated CVE-2019-13966
MISC
MISC combodo -- itop
  iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version. 2020-02-14 not yet calculated CVE-2019-13967
MISC
MISC combodo -- itop
  Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0). The Reflective XSS can also become a stored XSS within the same account because of another vulnerability. 2020-02-14 not yet calculated CVE-2019-13965
MISC
MISC combodo -- itop
  In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community version only from 2.4.1 to 2.6.0); or editing the file in a CLI. 2020-02-14 not yet calculated CVE-2019-11215
MISC
MISC cypress -- psoc_4_devices
  The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame. 2020-02-12 not yet calculated CVE-2019-16336
MISC
MISC
MISC d-link -- dir-842_revc_devices
  A stack-based buffer overflow was found on the D-Link DIR-842 REVC with firmware v3.13B09 HOTFIX due to the use of strcpy for LOGINPASSWORD when handling a POST request to the /MTFWU endpoint. 2020-02-13 not yet calculated CVE-2020-8962
MISC digi_international -- connectport_lts_32_mei
  In Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), BIOS Version 1.2, successful exploitation of this vulnerability could allow an attacker to upload a malicious file to the application. 2020-02-12 not yet calculated CVE-2020-6975
MISC digi_international -- connectport_lts_32_mei
  In Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), BIOS Version 1.2, multiple cross-site scripting vulnerabilities exist that could allow an attacker to cause a denial-of-service condition. 2020-02-13 not yet calculated CVE-2020-6973
MISC dojo -- dojox
  dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. 2020-02-13 not yet calculated CVE-2019-10785
MISC
MISC dovecot -- dovecot
  The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages. 2020-02-12 not yet calculated CVE-2020-7957
CONFIRM
CONFIRM
MISC dovecot -- dovecot
  lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop. 2020-02-12 not yet calculated CVE-2020-7046
CONFIRM
CONFIRM
MISC drupal -- drupal
  The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field. 2020-02-11 not yet calculated CVE-2013-4225
MISC
MISC
MISC
MISC easyxdm -- easyxdm
  Cross-site Scripting (XSS) in EasyXDM before 2.4.18 allows remote attackers to inject arbitrary web script or html via the easyxdm.swf file. 2020-02-14 not yet calculated CVE-2013-5212
MISC
XF etherpad -- etherpad
  Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.2 through 1.5.4 allows remote attackers to read arbitrary files with permissions of the user running the service via a .. (dot dot) in the path parameter of HTTP API requests. NOTE: This vulnerability is due to an incomplete fix to CVE-2015-3297. 2020-02-13 not yet calculated CVE-2015-3309
MISC
MISC
MISC extrun -- ilbo
  ilbo App (ilbo App for Android prior to version 1.1.8 and ilbo App for iOS prior to version 1.2.01) allows an attacker on the same network segment to bypass authentication and to view the images which were recorded by the other ilbo user's device via unspecified vectors. 2020-02-14 not yet calculated CVE-2020-5532
MISC
MISC
MISC fasterxml -- jackson-databind
  FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. 2020-02-10 not yet calculated CVE-2020-8840
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of text field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9400. 2020-02-14 not yet calculated CVE-2020-8846
MISC
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.2947. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the fxhtml2pdf.exe module. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9560. 2020-02-14 not yet calculated CVE-2020-8855
MISC
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of watermarks in AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9358. 2020-02-14 not yet calculated CVE-2020-8845
MISC
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of HTML files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9591. 2020-02-14 not yet calculated CVE-2020-8853
MISC
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of JPEG files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9606. 2020-02-14 not yet calculated CVE-2020-8854
MISC
MISC foxit -- phantompdf
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25608. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of watermarks. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9640. 2020-02-14 not yet calculated CVE-2020-8856
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9416. 2020-02-14 not yet calculated CVE-2020-8852
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of form Annotation objects within AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9862. 2020-02-14 not yet calculated CVE-2020-8857
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9414. 2020-02-14 not yet calculated CVE-2020-8847
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9406. 2020-02-14 not yet calculated CVE-2020-8851
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9407. 2020-02-14 not yet calculated CVE-2020-8848
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9415. 2020-02-14 not yet calculated CVE-2020-8850
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9413. 2020-02-14 not yet calculated CVE-2020-8849
MISC
MISC foxit -- reader
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG files within ConvertToPDF. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9102. 2020-02-14 not yet calculated CVE-2020-8844
CONFIRM
MISC free_reprintables -- articlefr
  A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information. 2020-02-13 not yet calculated CVE-2014-4170
MISC
MISC
MISC
MISC freebsd -- bsd_libc
  regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. 2020-02-12 not yet calculated CVE-2011-3336
FULLDISC
BID
MISC
BUGTRAQ fujitsu -- multiple_products
  The Fujitsu TLS library allows a man-in-the-middle attack. This affects Interstage Application Development Cycle Manager V10 and other versions, Interstage Application Server V12 and other versions, Interstage Business Application Manager V2 and other versions, Interstage Information Integrator V11 and other versions, Interstage Job Workload Server V8, Interstage List Works V10 and other versions, Interstage Studio V12 and other versions, Interstage Web Server Express V11, Linkexpress V5, Safeauthor V3, ServerView Resource Orchestrator V3, Systemwalker Cloud Business Service Management V1, Systemwalker Desktop Keeper V15, Systemwalker Desktop Patrol V15, Systemwalker IT Change Manager V14, Systemwalker Operation Manager V16 and other versions, Systemwalker Runbook Automation V15 and other versions, Systemwalker Security Control V1, and Systemwalker Software Configuration Manager V15. 2020-02-07 not yet calculated CVE-2019-13163
CONFIRM git -- git
  Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. 2020-02-12 not yet calculated CVE-2014-9390
MISC
MISC
MISC
MISC
MISC
MISC
MISC gitlab -- gitlab
  GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline. 2020-02-14 not yet calculated CVE-2019-15592
MISC
MISC gitlab -- gitlab
  GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint. 2020-02-14 not yet calculated CVE-2019-15594
MISC
MISC global_payments -- php-sdk
  Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations. 2020-02-14 not yet calculated CVE-2019-20455
MISC
MISC gocloud -- multiple_devices
  Gocloud S2A_WL 4.2.7.16471, S2A 4.2.7.17278, S2A 4.3.0.15815, S2A 4.3.0.17193, S3A K2P MTK 4.2.7.16528, S3A 4.3.0.16572, and ISP3000 4.3.0.17190 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in a ping operation, as demonstrated by the cgi-bin/webui/admin/tools/app_ping/diag_ping/; substring. 2020-02-12 not yet calculated CVE-2020-8949
MISC google -- android
  In notifyNetworkTested and related functions of NetworkMonitor.java, there is a possible bypass of private DNS settings. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-122652057 2020-02-13 not yet calculated CVE-2020-0028
MISC google -- android
  In btm_read_remote_ext_features_complete of btm_acl.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-141552859 2020-02-13 not yet calculated CVE-2020-0005
MISC google -- android
  It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-128674520 2020-02-13 not yet calculated CVE-2020-0014
MISC google -- android
  In binder_thread_release of binder.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-145286050. References: Upstream kernel 2020-02-13 not yet calculated CVE-2020-0030
MISC google -- android
  The Bluetooth stack in Android before 2.3.6 allows a physically proximate attacker to obtain contact information via an AT phonebook transfer. 2020-02-12 not yet calculated CVE-2011-2343
CONFIRM
MISC google -- android
  In updatePermissions of PermissionManagerService.java, it may be possible for a malicious app to obtain a custom permission from another app due to a permission bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-67319274 2020-02-13 not yet calculated CVE-2019-2200
MISC google -- android
  In onCreate of CertInstaller.java, there is a possible way to overlay the Certificate Installation dialog by a malicious application. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-139017101 2020-02-13 not yet calculated CVE-2020-0015
MISC google -- android
  In Parcel::continueWrite of Parcel.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-140419401 2020-02-13 not yet calculated CVE-2020-0026
MISC google -- android
  In multiple places, it was possible for the primary user’s dictionary to be visible to and modifiable by secondary users. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-123232892 2020-02-13 not yet calculated CVE-2020-0017
MISC google -- android
  In MotionEntry::appendDescription of InputDispatcher.cpp, there is a possible log information disclosure. This could lead to local disclosure of user input with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-139945049 2020-02-13 not yet calculated CVE-2020-0018
MISC google -- android
  In HidRawSensor::batch of HidRawSensor.cpp, there is a possible out of bounds write due to an unexpected switch fallthrough. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-144040966 2020-02-13 not yet calculated CVE-2020-0027
MISC google -- android
  In getAttributeRange of ExifInterface.java, there is a possible failure to redact location information from media files due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-143118731 2020-02-13 not yet calculated CVE-2020-0020
MISC google -- android
  In removeUnusedPackagesLPw of PackageManagerService.java, there is a possible permanent denial-of-service due to a missing package dependency test. This could lead to remote denial of service with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-141413692 2020-02-13 not yet calculated CVE-2020-0021
MISC google -- android
  In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-143894715 2020-02-13 not yet calculated CVE-2020-0022
FULLDISC
MISC google -- android
  In setPhonebookAccessPermission of AdapterService.java, there is a possible disclosure of user contacts over bluetooth due to a missing permission check. This could lead to local information disclosure if a malicious app enables contacts over a bluetooth connection, with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-145130871 2020-02-13 not yet calculated CVE-2020-0023
MISC hashicorp -- sentinel
  HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in certain policy expressions. Fixed in 0.10.2. 2020-02-14 not yet calculated CVE-2019-19879
MISC hcl -- appscan_standard_edition
  HCL AppScan Standard Edition 9.0.3.13 and earlier uses hard-coded credentials which can be exploited by attackers to get unauthorized access to the system. 2020-02-14 not yet calculated CVE-2019-4392
MISC hitachi -- command_suite_and_automation_director
  A vulnerability in Hitachi Command Suite prior to 8.7.1-00 and Hitachi Automation Director prior to 8.5.0-00 allows authenticated remote users to expose technical information through error messages. Hitachi Command Suite includes Hitachi Device Manager and Hitachi Compute Systems Manager. 2020-02-14 not yet calculated CVE-2018-21032
MISC
CONFIRM hitachi -- multiple_products
  A vulnerability in Hitachi Command Suite prior to 8.6.2-00, Hitachi Automation Director prior to 8.6.2-00 and Hitachi Infrastructure Analytics Advisor prior to 4.2.0-00 allows authenticated remote users to load an arbitrary Cascading Style Sheets (CSS) token sequence. Hitachi Command Suite includes Hitachi Device Manager, Hitachi Tiered Storage Manager, Hitachi Replication Manager, Hitachi Tuning Manager, Hitachi Global Link Manager and Hitachi Compute Systems Manager. 2020-02-14 not yet calculated CVE-2018-21033
MISC
CONFIRM hp -- linuxki
  LinuxKI v6.0-1 and earlier is vulnerable to an XSS which is resolved in release 6.0-2. 2020-02-13 not yet calculated CVE-2020-7208
MISC hp -- linuxki
  LinuxKI v6.0-1 and earlier is vulnerable to a remote code execution issue which is resolved in release 6.0-2. 2020-02-13 not yet calculated CVE-2020-7209
MISC ibm -- tivoli_monitoring_service
  IBM Tivoli Monitoring Service 6.3.0.7.3 through 6.3.0.7.10 could allow an unauthorized user to access and modify operation aspects of the ITM monitoring server possibly leading to an effective denial of service or disabling of the monitoring server. IBM X-Force ID: 167647. 2020-02-13 not yet calculated CVE-2019-4592
XF
CONFIRM ibm -- urbancode_deploy_and_urbancode_build
  IBM UrbanCode Deploy (UCD) 7.0.3 and IBM UrbanCode Build 6.1.5 could allow a local user to obtain sensitive information by unmasking certain secure values in documents. IBM X-Force ID: 171248. 2020-02-13 not yet calculated CVE-2019-4666
XF
CONFIRM
CONFIRM intel -- converged_security_and_management_engine
  Improper Authentication in subsystem in Intel(R) CSME versions 12.0 through 12.0.48 (IOT only: 12.0.56), versions 13.0 through 13.0.20, versions 14.0 through 14.0.10 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access. 2020-02-13 not yet calculated CVE-2019-14598
MISC intel -- e1000e/82574l_network_controller_devices
  A denial of service vulnerability exists in some motherboard implementations of Intel e1000e/82574L network controller devices through 2013-02-06 where the device can be brought into a non-processing state when parsing 32 hex, 33 hex, or 34 hex byte values at the 0x47f offset. NOTE: A followup statement from Intel suggests that the root cause of this issue was an incorrectly configured EEPROM image. 2020-02-13 not yet calculated CVE-2013-1634
MISC
MISC
MLIST
MLIST
SECTRACK
XF intel -- manycore_platform_software_stack
  Improper permissions in the installer for Intel(R) MPSS before version 3.8.6 may allow an authenticated user to potentially enable escalation of privilege via local access. 2020-02-13 not yet calculated CVE-2020-0563
MISC intel -- renesas_electronics_usb
  Improper permissions in the installer for the Intel(R) Renesas Electronics(R) USB 3.0 Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. 2020-02-13 not yet calculated CVE-2020-0560
MISC intel -- sgx_software_development_kit
  Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may allow an authenticated user to potentially enable escalation of privilege via local access. 2020-02-13 not yet calculated CVE-2020-0561
MISC intel -- raid_web_console_2
  Improper permissions in the installer for Intel(R) RWC2, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. 2020-02-13 not yet calculated CVE-2020-0562
MISC intel -- raid_web_console_3_for_windows
  Improper permissions in the installer for Intel(R) RWC3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access. 2020-02-13 not yet calculated CVE-2020-0564
MISC invision_power_services -- invision_power_board
  Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution. 2020-02-12 not yet calculated CVE-2013-3725
MISC istio -- istio
  An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a source equal to ingress. To exploit this vulnerability, someone has to encode a source.uid in this header. This feature is disabled by default in Istio 1.3 and 1.4. 2020-02-14 not yet calculated CVE-2020-8843
MISC
MISC
CONFIRM joomla! -- joomla!
  Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution. 2020-02-12 not yet calculated CVE-2011-4906
CONFIRM
EXPLOIT-DB
MISC joomla! -- joomla!
  TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php. 2020-02-12 not yet calculated CVE-2011-4908
MISC
EXPLOIT-DB
MLIST jsreport -- jsreport
  Unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code. 2020-02-14 not yet calculated CVE-2020-8128
MISC jsreport -- script-manager
  An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. 2020-02-14 not yet calculated CVE-2020-8129
MISC juniper -- junos_os
  Multiple vulnerabilities exist in Juniper Junos J-Web error handling that may lead to cross site scripting (XSS) issues or crash the J-Web service (DoS). This affects Juniper Junos OS 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, 12.3 before 12.3R8, 12.3X48 before 12.3X48-D10, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R3, 14.1X53 before 14.1X53-D10, 14.2 before 14.2R1, and 15.1 before 15.1R1. 2020-02-11 not yet calculated CVE-2014-6447
CONFIRM
MISC kaseya -- virtual_system_administrator
  Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8.0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx. 2020-02-13 not yet calculated CVE-2015-6589
MISC
MISC
MISC
MISC kde -- paste_applet
  The %{password(...)} macro in pastemacroexpander.cpp in the KDE Paste Applet before 4.10.5 in kdeplasma-addons does not properly generate passwords, which allows context-dependent attackers to bypass authentication via a brute-force attack. 2020-02-11 not yet calculated CVE-2013-2120
MISC
MISC
MISC
MISC
MISC kde -- paste_applet
  The KRandom::random function in KDE Paste Applet after 4.10.5 in kdeplasma-addons uses the GNU C Library rand function's linear congruential generator, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the generator output. 2020-02-11 not yet calculated CVE-2013-2213
MISC
MISC
MISC kinetica -- kinetica
  The Admin web application in Kinetica 7.0.9.2.20191118151947 does not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. The logFile parameter in the getLogs function was used as a variable in a command to read log files; however, due to poor input sanitisation, it was possible to bypass a replacement and break out of the command. 2020-02-11 not yet calculated CVE-2020-8429
MISC
MISC lenovo -- ez_media_&_backup_center A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page. 2020-02-14 not yet calculated CVE-2019-19758
CONFIRM lenovo -- multiple_devices
  Lenovo was notified of a potential denial of service vulnerability, affecting various versions of BIOS for Lenovo Desktop, Desktop - All in One, and ThinkStation, that could cause PCRs to be cleared intermittently after resuming from sleep (S3) on systems with Intel TXT enabled. 2020-02-14 not yet calculated CVE-2019-6190
CONFIRM lenovo -- xclarity_administrator
  An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself. 2020-02-14 not yet calculated CVE-2019-19757
CONFIRM lenovo -- xclarity_administrator
  An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure. 2020-02-14 not yet calculated CVE-2019-6194
CONFIRM lenovo -- xclarity_administrator
  An information disclosure vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow unauthenticated access to some configuration files which may contain usernames, license keys, IP addresses, and encrypted password hashes. 2020-02-14 not yet calculated CVE-2019-6193
CONFIRM lenovo -- xclarity_controller
  An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC. 2020-02-14 not yet calculated CVE-2019-6195
CONFIRM lexmark -- multiple_devices
  Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server. The vulnerability can be exploited to expose session credentials and other information via the users web browser. 2020-02-13 not yet calculated CVE-2019-18791
MISC
CONFIRM libuv -- libuv
  The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition. 2020-02-11 not yet calculated CVE-2014-9748
MISC
MISC
MISC
MISC
MISC linux -- linux_kernel
  ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size. 2020-02-14 not yet calculated CVE-2020-8992
MISC lvm2 -- lvm2
  vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. 2020-02-14 not yet calculated CVE-2020-8991
MISC magento -- magento Zend_XmlRpc Class in Magento before 1.7.0.2 contains an information disclosure vulnerability. 2020-02-13 not yet calculated CVE-2012-6091
MLIST
BID
XF mailu -- mailu
  In Mailu before version 1.7, an authenticated user can exploit a vulnerability in Mailu fetchmail script and gain full access to a Mailu instance. Mailu servers that have open registration or untrusted users are most impacted. The master and 1.7 branches are patched on our git repository. All Docker images published on docker.io/mailu for tags 1.5, 1.6, 1.7 and master are patched. For detailed instructions about patching and securing the server afterwards, see https://github.com/Mailu/Mailu/issues/1354 2020-02-13 not yet calculated CVE-2020-5239
MISC
CONFIRM mambo -- mambo_cms Mambo CMS through 4.6.5 has multiple XSS. 2020-02-12 not yet calculated CVE-2011-2499
MLIST mantisbt -- mantisbt
  A cross-site scripting (XSS) vulnerability was discovered in the Source Integration plugin before 1.6.2 and 2.x before 2.3.1 for MantisBT. The repo_delete.php Delete Repository page allows execution of arbitrary code via a repo name (if CSP settings permit it). This is related to CVE-2018-16362. 2020-02-13 not yet calculated CVE-2020-8981
MISC
MISC matestack-ui-core_gem_for_ruby_on_rails -- matestack-ui-core_gem_for_ruby_on_rails matestack-ui-core (RubyGem) before 0.7.4 is vulnerable to XSS/Script injection. This vulnerability is patched in version 0.7.4. 2020-02-13 not yet calculated CVE-2020-5241
CONFIRM maxum_development_corporation -- rumpus_ftp
  A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html. 2020-02-10 not yet calculated CVE-2019-19664
MISC
MISC maxum_development_corporation -- rumpus_ftp_server
  A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html. 2020-02-10 not yet calculated CVE-2019-19662
MISC
MISC mcafee -- endpoint_security
  Improper access control vulnerability in the Configuration Tool in McAfee Endpoint Security (ENS) prior to the 10.6.1 February 2020 Update allows local users to disable security features via unauthorised use of the configuration tool from older versions of ENS. 2020-02-14 not yet calculated CVE-2020-7251
CONFIRM microsoft -- multiple_windows_products An information vulnerability exists when Windows Modules Installer Service improperly discloses file information, aka 'Windows Modules Installer Service Information Disclosure Vulnerability'. 2020-02-11 not yet calculated CVE-2020-0728
MISC
BUGTRAQ microsoft -- multiple_windows_products An information disclosure vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Information Disclosure Vulnerability'. 2020-02-11 not yet calculated CVE-2020-0714
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0745, CVE-2020-0792. 2020-02-11 not yet calculated CVE-2020-0715
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists when the Connected User Experiences and Telemetry Service improperly handles file operations, aka 'Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability'. 2020-02-11 not yet calculated CVE-2020-0727
MISC microsoft -- multiple_windows_products
  A remote code execution vulnerability exists when the Windows Imaging Library improperly handles memory. To exploit this vulnerability, an attacker would first have to coerce a victim to open a specially crafted file. The security update addresses the vulnerability by correcting how the Windows Imaging Library handles memory, aka 'Windows Imaging Library Remote Code Execution Vulnerability'. 2020-02-11 not yet calculated CVE-2020-0708
MISC microsoft -- multiple_windows_products
  An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731. 2020-02-11 not yet calculated CVE-2020-0691
MISC microsoft -- office_online_server
  A spoofing vulnerability exists when Office Online Server does not validate origin in cross-origin communications correctly, aka 'Microsoft Office Online Server Spoofing Vulnerability'. 2020-02-11 not yet calculated CVE-2020-0695
MISC microsys -- promotic
  Microsys PROMOTIC 8.2.13 contains an ActiveX Control Start Buffer Overflow vulnerability which can lead to denial of service. 2020-02-13 not yet calculated CVE-2014-1617
MISC
MISC mobileiron -- vsp_and_sentry
  MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme. 2020-02-13 not yet calculated CVE-2013-7287
MISC
MISC mobileiron -- vsp_and_sentry
  MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfuscation algorithm. 2020-02-12 not yet calculated CVE-2013-7286
MISC
MISC moxa -- mgate_5105-mb-eip_devices
  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1. Authentication is required to exploit this vulnerability. The specific flaw exists within the DestIP parameter within MainPing.asp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9552. 2020-02-14 not yet calculated CVE-2020-8858
MISC
MISC netgear -- cg3100_devices
  A vulnerability exists in Netgear CG3100 devices before 3.9.2421.13.mp3 V0027 via an embed malicious script in an unspecified page, which could let a malicious user obtain sensitive information. 2020-02-13 not yet calculated CVE-2014-3919
MISC netis -- wf2471_devices
  Netis WF2471 v1.2.30142 devices allow an authenticated attacker to execute arbitrary OS commands via shell metacharacters in the /cgi-bin-igd/sys_log_clean.cgi log_3g_type parameter. 2020-02-12 not yet calculated CVE-2020-8946
MISC nvidia -- graphics_drivers
  A Memory Corruption Vulnerability exists in NVIDIA Graphics Drivers 29549 due to an unknown function in the file proc/driver/nvidia/registry. 2020-02-12 not yet calculated CVE-2012-0951
MISC
MISC nxp -- kw41z_devices
  The Bluetooth Low Energy implementation on NXP SDK through 2.2.1 for KW41Z devices does not properly restrict the Link Layer payload length, allowing attackers in radio range to cause a buffer overflow via a crafted packet. 2020-02-12 not yet calculated CVE-2019-17519
MISC openconnect_project -- openconnect_vpn_client OpenConnect VPN client with GnuTLS before 5.02 contains a heap overflow if MTU is increased on reconnection. 2020-02-13 not yet calculated CVE-2013-7098
CONFIRM openvpn -- access_server OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication). 2020-02-13 not yet calculated CVE-2020-8953
CONFIRM openx -- openx_ad_server
  A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in the flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code. 2020-02-14 not yet calculated CVE-2013-4211
MISC
MISC
MISC
MISC
MISC otrs -- itsm_and_faq
  A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code. 2020-02-12 not yet calculated CVE-2013-2637
MISC
MISC
MISC
MISC palo_alto_networks -- expedition_migration_tool
  Insufficient Cross-Site Request Forgery (XSRF) protection on Expedition Migration Tool allows remote unauthenticated attackers to hijack the authentication of administrators and to perform actions on the Expedition Migration Tool. This issue affects Expedition Migration Tool 1.1.51 and earlier versions. 2020-02-12 not yet calculated CVE-2020-1977
CONFIRM palo_alto_networks -- globalprotect
  A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect software running on Mac OS allows authenticated local users to cause the Mac OS kernel to hang or crash. This issue affects GlobalProtect 5.0.5 and earlier versions of GlobalProtect 5.0 on Mac OS. 2020-02-12 not yet calculated CVE-2020-1976
CONFIRM palo_alto_networks -- pan-os
  Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions. 2020-02-12 not yet calculated CVE-2020-1975
CONFIRM pcre -- perl_compatible_regular_expressions
  An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. 2020-02-14 not yet calculated CVE-2019-20454
MISC
MISC
MISC
MISC podman -- podman
  A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume. This issue was introduced in version 1.6.0. 2020-02-11 not yet calculated CVE-2020-1726
CONFIRM prestashop -- prestashop
  PrestaShop before 1.4.11 allows logout CSRF. 2020-02-14 not yet calculated CVE-2013-4792
MISC prestashop -- prestashop
  PrestaShop before 1.4.11 allows Logistician, translators and other low level profiles/accounts to inject a persistent XSS vector on TinyMCE. 2020-02-14 not yet calculated CVE-2013-4791
MISC prismview -- prismview_system_and_prismview_player
  The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 13.09.1100 allows remote code execution by uploading RebootSystem.lnk and requesting /REBOOTSYSTEM or /RESTARTVNC. (Authentication is required but an XML file containing credentials can be downloaded.) 2020-02-10 not yet calculated CVE-2019-20451
MISC proglottis -- gpgme
  The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification. 2020-02-12 not yet calculated CVE-2020-8945
MISC
MISC
MISC
MISC progress -- moveit_transfer
  In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. 2020-02-14 not yet calculated CVE-2020-8611
MISC
CONFIRM
CONFIRM
CONFIRM progress -- moveit_transfer
  In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS. 2020-02-14 not yet calculated CVE-2020-8612
MISC
CONFIRM
CONFIRM
CONFIRM python-mode -- python-mode A Code Execution vulnerability exists in select.py when using python-mode 2012-12-19. 2020-02-12 not yet calculated CVE-2013-5106
MISC qemu -- qemu
  An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. 2020-02-11 not yet calculated CVE-2020-1711
CONFIRM
MISC
MISC qnap -- viocard-300_devices
  QNAP VioCard 300 has hardcoded RSA private keys. 2020-02-13 not yet calculated CVE-2013-6277
MISC
MISC realtek -- ndis_driver_rt640x64.sys
  Realtek NDIS driver rt640x64.sys, file version 10.1.505.2015, fails to do any size checking on an input buffer from user space, which the driver assumes has a size greater than zero bytes. To exploit this vulnerability, an attacker must send an IRP with a system buffer size of 0. 2020-02-12 not yet calculated CVE-2019-11867
MISC
MISC red_hat -- openshift_enterprise
  The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing this password, related to the openshift.sh script in Openshift Extras before 20130920. NOTE: this may overlap CVE-2013-4253 and CVE-2013-4281. 2020-02-12 not yet calculated CVE-2014-0234
MISC
MISC
MISC
MISC
MISC runc -- runc
  runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.) 2020-02-12 not yet calculated CVE-2019-19921
SUSE
MISC
MISC
MISC
MISC salesagility -- suitecrm
  SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. 2020-02-13 not yet calculated CVE-2020-8804
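The MOVEit Transfer entry (CVE-2020-8611) and the SuiteCRM entry above (CVE-2020-8804) both describe SQL injection through an API, and MOVEit's spells out the two outcomes: inferring the database structure, then reading or altering it. The following is an added example, not MOVEit or SuiteCRM code: the same lookup written with string formatting and with a bound parameter, run against a constructed in-memory SQLite database. The table names, rows, REST-style "name" filter and the two payloads are invented for illustration.

```python
# Added example, not MOVEit or SuiteCRM code. The schema, rows and the
# "name" filter are constructed for the demonstration.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user');
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
        INSERT INTO api_keys (owner, secret) VALUES ('alice', 'k-1111'), ('bob', 'k-2222');
    """)
    return conn


def vulnerable_lookup(conn, name):
    """Caller input is spliced into the statement text, so it can change the query."""
    sql = "SELECT id, name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Bound parameter: the driver sends the value out of band, never as SQL."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payloads. The first maps the schema (the "inferring structure"
# step in the MOVEit entry); the second reads another table through the same
# endpoint. The trailing "-- " comments out the closing quote of the template.
SCHEMA_PROBE = "x' UNION SELECT 0, name, sql FROM sqlite_master WHERE type = 'table' -- "
SECRET_PROBE = "x' UNION SELECT id, owner, secret FROM api_keys -- "


def table_names_leaked(conn):
    """What the attacker learns from the schema probe via the vulnerable endpoint."""
    return sorted(row[1] for row in vulnerable_lookup(conn, SCHEMA_PROBE))


def secrets_leaked(conn):
    """What the attacker reads from api_keys via the vulnerable endpoint."""
    return sorted(row[2] for row in vulnerable_lookup(conn, SECRET_PROBE))


if __name__ == "__main__":
    db = make_db()
    print("tables:", table_names_leaked(db))
    print("secrets:", secrets_leaked(db))
    print("safe lookup with the same payload:", safe_lookup(db, SCHEMA_PROBE))
```

The UNION payload works because the vulnerable template returns three columns, so the attacker supplies three; against the parameterised version the same string is just a name that matches no row. The DROP/UPDATE case the MOVEit entry mentions follows the same path wherever the driver allows stacked statements.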
MISC
MISC
MISC salesagility -- suitecrm
  SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list. 2020-02-13 not yet calculated CVE-2020-8803
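The Kaseya VSA entry (CVE-2015-6589, "insufficient restrictions in file paths to json.ashx") and the SuiteCRM entry above (CVE-2020-8803, including arbitrary .php files via add_to_prospect_list) are both the same bug: a user-supplied name joined onto a base directory without checking where the result lands. The following is an added example, not Kaseya or SuiteCRM code: the naive join beside a handler that resolves the path (symlinks and `..` included) and refuses anything outside the base directory. The sandbox layout (a logs/ directory next to a secret.txt and a symlink) is constructed for the demonstration.

```python
# Added example, not Kaseya or SuiteCRM code. The directory layout built by
# setup_sandbox() is constructed for the demonstration.
import os
import tempfile


class TraversalError(ValueError):
    pass


def naive_path(base, user_path):
    """os.path.join neither strips '..' nor keeps an absolute user_path under base."""
    return os.path.join(base, user_path)


def contained_path(base, user_path):
    """Resolve symlinks and '..' first, then require the result to sit under base.
    Comparing against base + os.sep stops /srv/logs2 from passing as /srv/logs."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        raise TraversalError("%r escapes %r" % (user_path, base))
    return candidate


def read_file(base, user_path, check=True):
    """check=False reproduces the vulnerable behaviour; check=True the hardened one."""
    path = contained_path(base, user_path) if check else naive_path(base, user_path)
    with open(path) as fh:
        return fh.read()


def is_contained(base, user_path):
    try:
        contained_path(base, user_path)
        return True
    except TraversalError:
        return False


def setup_sandbox():
    """Constructed layout: <root>/logs/app.log is servable; <root>/secret.txt is not,
    and <root>/logs/link is a symlink pointing at it."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    with open(os.path.join(logs, "app.log"), "w") as fh:
        fh.write("ok\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("s3cr3t\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(logs, "link"))
    return root, logs


if __name__ == "__main__":
    root, logs = setup_sandbox()
    print("naive:", repr(read_file(logs, "../secret.txt", check=False)))
    print("checked:", is_contained(logs, "../secret.txt"), is_contained(logs, "link"))
```

Blacklisting the string `..` is not a substitute for this check: it does nothing against an absolute path (which os.path.join silently accepts) or against a symlink already inside the directory, and both are caught here only because the comparison is made on the fully resolved path.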
MISC
MISC
MISC salesagility -- suitecrm
  SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation. 2020-02-13 not yet calculated CVE-2020-8802
MISC
MISC
MISC salesagility -- suitecrm
  SuiteCRM through 7.11.11 allows PHAR Deserialization. 2020-02-13 not yet calculated CVE-2020-8801
MISC
MISC
MISC salesagility -- suitecrm
  SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection. 2020-02-13 not yet calculated CVE-2020-8800
MISC
MISC
MISC samsung -- s6_edge_smartphone
  Multiple buffer overflows in the esa_write function in /dev/seiren in the Exynos Seiren Audio driver, as used in Samsung S6 Edge, allow local users to cause a denial of service (memory corruption) via a large (1) buffer or (2) size parameter. 2020-02-12 not yet calculated CVE-2015-7890
MISC
MISC
MISC sap -- business_objects_intelligence_platform Certain settings pages in SAP Business Objects Business Intelligence Platform (CMC), version 4.2, generate error messages that can give enterprise private-network related information which would otherwise be restricted, leading to Information Disclosure. 2020-02-12 not yet calculated CVE-2020-6189
MISC
MISC sap -- enterprise_resource_planning_and_s/4hana
  VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check. 2020-02-12 not yet calculated CVE-2020-6188
MISC
MISC sap -- host_agent SAP Host Agent, version 7.21, allows an unprivileged user to read or write the shared memory by sending a request to the main SAPOSCOL process and receiving responses that may contain data read with root privileges, e.g. the size of any directory or system hardware and OS details, leading to a Missing Authorization Check vulnerability. 2020-02-12 not yet calculated CVE-2020-6183
MISC
MISC sap -- host_agent
  SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. 2020-02-12 not yet calculated CVE-2020-6186
MISC
MISC sap -- landscape_management
  SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management. 2020-02-12 not yet calculated CVE-2020-6192
MISC
MISC sap -- landscape_management
  SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing Input Validation. 2020-02-12 not yet calculated CVE-2020-6191
MISC
MISC sap -- mobile_platform
  SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service. Since SAP Mobile Platform does not allow External-Entity resolving, there is no issue of leaking content of files on the server. 2020-02-12 not yet calculated CVE-2020-6177
MISC
MISC sap -- netweaver
  SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service. 2020-02-12 not yet calculated CVE-2020-6187
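The Lenovo XClarity Administrator XXE entry (CVE-2019-6194), the SAP Mobile Platform entry (CVE-2020-6177, XML DoS with external entities already disabled) and the SAP NetWeaver Guided Procedures entry above (CVE-2020-6187) are all consequences of accepting an untrusted document's DTD. The following is an added example, not Lenovo or SAP code: a pre-parse check that refuses any document carrying a DOCTYPE, which is the only place XML 1.0 lets entities be declared, so both the external-entity payload and the entity-expansion payload are turned away before the real parser runs. The three documents are constructed for the demonstration; the check uses Python's stdlib expat binding, whose handler names are as shown.

```python
# Added example, not Lenovo or SAP code. The three documents are constructed.
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXml(ValueError):
    pass


def reject_doctype(data):
    """Run expat over the input with a handler that aborts at the DOCTYPE.
    expat sees the declaration regardless of encoding or whitespace tricks,
    which a bytes.find(b"<!DOCTYPE") check would not."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE %r (system id %r) not allowed" % (name, sysid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_untrusted(data):
    """Hardened entry point: gate on the DTD, then parse normally."""
    reject_doctype(data)
    return ET.fromstring(data)


def is_accepted(data):
    try:
        parse_untrusted(data)
        return True
    except UnsafeXml:
        return False


# Classic XXE: the entity would read a local file into the document (the LXCA case).
XXE = (b'<?xml version="1.0"?>\n'
       b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
       b'<r>&xxe;</r>')

# Entity expansion in miniature (the SAP DoS case): needs no external entity at all,
# so disabling external-entity resolution alone does not stop it.
LAUGHS = (b'<?xml version="1.0"?>\n<!DOCTYPE r [\n'
          b'<!ENTITY a "aaaaaaaaaa">\n'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
          b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
          b']>\n<r>&c;</r>')

CLEAN = b'<r><a>1</a><a>2</a></r>'


if __name__ == "__main__":
    for label, doc in (("xxe", XXE), ("laughs", LAUGHS), ("clean", CLEAN)):
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

Rejecting the DTD outright is the right default for machine-to-machine APIs, which never need one; where a schema legitimately requires a DTD, the fallback is a parser configured with entity resolution off and an expansion limit, not a string filter on the input.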
MISC
MISC sap -- netweaver
  SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS) vulnerability. 2020-02-12 not yet calculated CVE-2020-6193
MISC
MISC sap -- netweaver_and_abap_platform
  Under some circumstances the SAML SSO implementation in SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740) and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754) allows an attacker to include unvalidated data in the HTTP response header sent to a Web user, leading to an HTTP Response Splitting vulnerability. 2020-02-12 not yet calculated CVE-2020-6181
MISC
MISC sap -- netweaver_and_s/4hana Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. 2020-02-12 not yet calculated CVE-2020-6184
MISC
MISC sap -- netweaver_and_s/4hana
  Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability. 2020-02-12 not yet calculated CVE-2020-6185
MISC
MISC sap -- netweaver_as_java
  Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure. 2020-02-12 not yet calculated CVE-2020-6190
MISC
MISC shaman -- shaman
  Shaman 1.0.9: users can add the line askforpwd=false to their shaman.conf file without entering the root password in shaman. The next time shaman is run, root privileges are granted despite the fact that the user never entered the root password. 2020-02-12 not yet calculated CVE-2011-4338
MISC
MISC siemens -- multiple_devices
  A vulnerability has been identified in Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All Versions < V4.5), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All Versions < V4.6), PROFINET Driver for Controller (All Versions < V2.1), RUGGEDCOM RM1224 (All versions < V4.3), SCALANCE M-800 / S615 (All versions < V4.3), SCALANCE W700 IEEE 802.11n (All versions <= V6.0.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All Versions < V5.3), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions), SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG (All Versions < V3.0), SCALANCE XM-400 switch family (All Versions < V6.0), SCALANCE XR-500 switch family (All Versions < V6.0), SIMATIC CP 1616 and CP 1604 (All Versions < V2.8), SIMATIC CP 343-1 (incl. SIPLUS NET variants) (All versions), SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variants) (All versions), SIMATIC CP 343-1 ERPC (All versions), SIMATIC CP 343-1 LEAN (incl. SIPLUS NET variants) (All versions), SIMATIC CP 443-1 (incl. SIPLUS NET variants) (All versions), SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variants) (All versions), SIMATIC CP 443-1 OPC UA (All versions), SIMATIC ET200AL IM 157-1 PN (All versions), SIMATIC ET200M IM153-4 PN IO HF (incl. SIPLUS variants) (All versions), SIMATIC ET200M IM153-4 PN IO ST (incl. SIPLUS variants) (All versions), SIMATIC ET200MP IM155-5 PN HF (incl. SIPLUS variants) (All Versions < V4.2.0), SIMATIC ET200MP IM155-5 PN ST (incl. SIPLUS variants) (All Versions < V4.1.0), SIMATIC ET200S (incl. SIPLUS variants) (All versions), SIMATIC ET200SP IM155-6 PN Basic (incl. SIPLUS variants) (All versions), SIMATIC ET200SP IM155-6 PN HF (incl. SIPLUS variants) (All Versions < V3.3.1), SIMATIC ET200SP IM155-6 PN ST (incl. SIPLUS variants) (All Versions < V4.1.0), SIMATIC ET200ecoPN (except 6ES7148-6JD00-0AB0 and 6ES7146-6FF00-0AB0) (All versions), SIMATIC ET200pro, IM 154-3 PN HF (All versions), SIMATIC ET200pro, IM 154-4 PN HF (All versions), SIMATIC IPC Support, Package for VxWorks (All versions), SIMATIC MV400 family (All versions), SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (incl. SIPLUS NET variant) (All Versions), SIMATIC RF180C (All versions), SIMATIC RF182C (All versions), SIMATIC RF600 family (All versions < V3), SINAMICS DCP (All Versions < V1.3). Profinet-IO (PNIO) stack versions prior to V06.00 do not properly limit internal resource allocation when multiple legitimate diagnostic package requests are sent to the DCE-RPC interface. This could lead to a denial of service condition due to lack of memory for devices that include a vulnerable version of the stack. The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device. 2020-02-11 not yet calculated CVE-2019-13946
MISC simple_machines -- simple_machines_forum
  Simple Machines Forum (SMF) through 2.0.5 has XSS. 2020-02-12 not yet calculated CVE-2013-4395
MISC
MISC
MISC simplisafe -- ss3_devices
  Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.4 allows a local, unauthenticated attacker to modify the Wi-Fi network the base station connects to. 2020-02-13 not yet calculated CVE-2019-3998
MISC skrill -- skrill
  Commerce Skrill (formerly Moneybookers) has an access bypass vulnerability in all versions prior to 7.x-1.2. 2020-02-12 not yet calculated CVE-2013-1924
MISC
MISC sprite_software -- spritebud_and_backup
  A Privilege Escalation Vulnerability exists in Sprite Software Spritebud 1.3.24 and 1.3.28 and Backup 2.5.4105 and 2.5.4108 on LG Android smartphones due to a race condition in the spritebud daemon, which could let a local malicious user obtain root privileges. 2020-02-12 not yet calculated CVE-2013-3685
MISC
MISC
MISC
MISC sqlite -- android_sqlite
  Android SQLite Journal before 4.0.1 has an information disclosure vulnerability. 2020-02-12 not yet calculated CVE-2011-3901
BID
FULLDISC squirrelmail -- squirrelmail Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords. 2020-02-13 not yet calculated CVE-2012-5623
MLIST stem_innovation -- izon_ip_camera
  IZON IP 2.0.2: hard-coded password vulnerability 2020-02-12 not yet calculated CVE-2013-6236
MISC
MISC
MISC stmicroelectronics -- stm32wb5x_series_devices
  The Bluetooth Low Energy implementation on STMicroelectronics BLE Stack through 1.3.1 for STM32WB5x devices does not properly handle consecutive Attribute Protocol (ATT) requests on reception, allowing attackers in radio range to cause an event deadlock or crash via crafted packets. 2020-02-12 not yet calculated CVE-2019-19192
MISC synergy_systems_&_solutions -- husky_rtu_devices
  The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. Specially crafted malicious packets could cause disconnection of active authentic connections or reboot of device. This is a different issue than CVE-2019-16879 and CVE-2019-20046. 2020-02-14 not yet calculated CVE-2019-20045
MISC synergy_systems_&_solutions -- husky_rtu_devices
  The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. The affected product does not require adequate authentication, which may allow an attacker to read sensitive information or execute arbitrary code. This is a different issue than CVE-2019-16879 and CVE-2019-20045. 2020-02-14 not yet calculated CVE-2019-20046
MISC telink -- tlsr8x5_and_tlsr823x_and_tlsr826x_devices
  The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices accepts a pairing request with a key size greater than 16 bytes, allowing an attacker in radio range to cause a buffer overflow and denial of service (crash) via crafted packets. 2020-02-12 not yet calculated CVE-2019-19196
MISC
MISC telink -- tlsr8x5_and_tlsr823x_and_tlsr826x_devices
  The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices installs a zero long term key (LTK) if an out-of-order link-layer encryption request is received during Secure Connections pairing. An attacker in radio range can have arbitrary read/write access to protected GATT service data, cause a device crash, or possibly control a device's function by establishing an encrypted session with the zero LTK. 2020-02-12 not yet calculated CVE-2019-19194
MISC
MISC telligent_systems -- telligent_community XSS in Telligent Community 5.6.583.20496 via a flash file and related to the allowScriptAccess parameter. 2020-02-13 not yet calculated CVE-2012-1903
MISC tiki_wiki -- cms_groupware
  A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMS Groupware 11.0 via the id parameter of ZeroClipboard.swf, which could let a remote malicious user execute arbitrary code. 2020-02-12 not yet calculated CVE-2013-6022
MISC
MISC timetools -- multiple_devices
  TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to bypass authentication by placing t3axs=TiMEtOOlsj7G3xMm52wB in a t3.cgi request, aka a "hardcoded cookie." 2020-02-13 not yet calculated CVE-2020-8964
MISC timetools -- multiple_devices
  TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the t3.cgi srmodel or srtime parameter. 2020-02-13 not yet calculated CVE-2020-8963
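Four entries in this bulletin are OS command injection through a web parameter handed to a shell: Kinetica getLogs/logFile (CVE-2020-8429, where the description notes that a character replacement could be bypassed), Moxa MGate MainPing.asp/DestIP (CVE-2020-8858), Netis sys_log_clean.cgi/log_3g_type (CVE-2020-8946) and the TimeTools t3.cgi srmodel/srtime entry above (CVE-2020-8963). The following is an added example, not code from any of those vendors: a log-reading handler whose "sanitiser" strips a couple of characters before building a shell string, beside handlers that validate the input against an allow-list and pass it to the program as a single argv element with no shell involved. The paths, parameter names and the ping wrapper are constructed for illustration; the functions build the commands and do not execute them, except `run`, which shows the no-shell call.

```python
# Added example, not Kinetica, Moxa, Netis or TimeTools code. LOG_DIR, the
# parameter names and the ping wrapper are constructed for illustration.
import ipaddress
import re
import subprocess

LOG_DIR = "/var/log/app/"
SHELL_META = set(";|&$`<>()\n")


def naive_sanitize(value):
    """Blacklist replacement: removes ';' and '&&' and nothing else, so a pipe,
    backticks or $(...) survive it (the bypass the Kinetica entry describes)."""
    return value.replace(";", "").replace("&&", "")


def vulnerable_command(log_file):
    """The string a vulnerable handler would hand to 'sh -c'."""
    return "cat " + LOG_DIR + naive_sanitize(log_file)


def has_shell_metacharacters(text):
    return any(ch in SHELL_META for ch in text)


def safe_log_argv(log_file):
    """Hardened: allow-list the file name and build argv, never a shell string."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", log_file) or ".." in log_file:
        raise ValueError("rejected log name: %r" % log_file)
    return ["cat", LOG_DIR + log_file]


def safe_ping_argv(dest_ip):
    """Hardened ping handler (the MainPing/DestIP shape): parse the destination
    as an IP literal first; ipaddress raises ValueError on anything else."""
    addr = ipaddress.ip_address(dest_ip)
    return ["ping", "-c", "1", str(addr)]


def rejects_log_name(log_file):
    try:
        safe_log_argv(log_file)
        return False
    except ValueError:
        return True


def rejects_ping_dest(dest_ip):
    try:
        safe_ping_argv(dest_ip)
        return False
    except ValueError:
        return True


def run(argv):
    """Execute an argv list without a shell: metacharacters are just bytes in one
    argument and are never re-parsed."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for payload in ("app.log; id", "app.log | id", "app.log $(id)", "app.log `id`"):
        cmd = vulnerable_command(payload)
        print("%-16r -> %r  dangerous=%s" % (payload, cmd, has_shell_metacharacters(cmd)))
    print(safe_log_argv("app.log"), rejects_log_name("app.log | id"))
    print(safe_ping_argv("192.0.2.1"), rejects_ping_dest("192.0.2.1; reboot"))
```

The replacement catches only the separator it was written for; every other way the shell has of starting a second command is untouched. Validating against what the value is supposed to be (a file name, an IP address) and never re-parsing it through a shell removes the whole class rather than one symptom.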
MISC trendnet -- ts-s402_devices
  TRENDnet TS-S402 has a backdoor to enable TELNET. 2020-02-13 not yet calculated CVE-2013-6360
MISC
MISC tri-plc -- internet_trilogi_server
  Internet TRiLOGI Server (unknown versions) could allow a local user to bypass security and create a local user account. 2020-02-13 not yet calculated CVE-2013-6927
BID
XF umplayer -- umplayer
  A Code Execution Vulnerability exists in UMPlayer 0.98 in wintab32.dll due to insufficient path restrictions when loading external libraries. which could let a malicious user execute arbitrary code. 2020-02-12 not yet calculated CVE-2013-3494
MISC varnish_software -- varnish_http_cache
  Varnish HTTP cache before 3.0.4: ACL bug 2020-02-12 not yet calculated CVE-2013-4090
MISC visual_it -- tube_map_live_underground_for_android
  Tube Map Live Underground for Android before 3.0.22 has an Information Disclosure Vulnerability 2020-02-12 not yet calculated CVE-2013-6681
MISC
MISC voatz -- voatz_for_android
  The Voatz application 2020-01-01 for Android allows only 100 million different PINs, which makes it easier for attackers (after using root access to make a copy of the local database) to discover login credentials and voting history via an offline brute-force approach. 2020-02-13 not yet calculated CVE-2020-8988
MISC
MISC voatz -- voatz_for_android
  In the Voatz application 2020-01-01 for Android, the amount of data transmitted during a single voter's vote depends on the different lengths of the metadata across the available voting choices, which makes it easier for remote attackers to discover this voter's choice by sniffing the network. For example, a small amount of sniffed data may indicate that a vote was cast for the candidate with the least metadata. An active man-in-the-middle attacker can leverage this behavior to disrupt voters' abilities to vote for a candidate opposed by the attacker. 2020-02-13 not yet calculated CVE-2020-8989
MISC
MISC weechat - weechat
  irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode). 2020-02-12 not yet calculated CVE-2020-8955
MISC
MISC wordpress -- wordpress
  participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy parameters. It is possible to exfiltrate data and potentially execute code (if certain conditions are met). 2020-02-11 not yet calculated CVE-2020-8596
MISC
MISC wordpress -- wordpress
  The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format]. 2020-02-14 not yet calculated CVE-2020-8594
MISC
CONFIRM
MISC wordpress -- wordpress
  Multiple SQL injection vulnerabilities in CWPPoll.js in WordPress Poll Plugin 34.5 for WordPress allow attackers to execute arbitrary SQL commands via the pollid or poll_id parameter in a viewPollResults or userlogs action. 2020-02-13 not yet calculated CVE-2013-1400
BID
XF
BUGTRAQ wordpress -- wordpress
  Multiple security bypass vulnerabilities in the editAnswer, deleteAnswer, addAnswer, and deletePoll functions in WordPress Poll Plugin 34.5 for WordPress allow a remote attacker to add, edit, and delete an answer and delete a poll. 2020-02-13 not yet calculated CVE-2013-1401
BID
XF
BUGTRAQ wordpress -- wordpress
  WordPress WP Cleanfix Plugin 2.4.4 has CSRF 2020-02-10 not yet calculated CVE-2013-2108
MISC
MISC
MISC
MISC wordpress -- wordpress
  WordPress plugin wp-cleanfix has Remote Code Execution 2020-02-10 not yet calculated CVE-2013-2109
MISC
MISC xerox -- colorcube_and_workcenter
  Xerox ColorCube and WorkCenter devices in 2013 had hardcoded FTP and shell user accounts. 2020-02-13 not yet calculated CVE-2013-6362
MISC
MISC xilisoft -- video_conerter_ultimate
  Xilisoft Video Converter Ultimate 7.8.1 build-20140505 has a DLL Hijacking vulnerability 2020-02-12 not yet calculated CVE-2014-3860
MISC zenoss -- zenoss_core
  Multiple format string vulnerabilities in the python module in RRDtool, as used in Zenoss Core before 4.2.5 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted third argument to the rrdtool.graph function, aka ZEN-15415, a related issue to CVE-2013-2131. 2020-02-12 not yet calculated CVE-2014-6262
MISC
MISC
MISC zimbra -- zimbra_collaboration Zimbra 2013 has XSS in aspell.php 2020-02-12 not yet calculated CVE-2013-1938
MISC
MISC
MISC zpanel_project -- zpanel
  ZPanel through 10.1.0 has Remote Command Execution 2020-02-12 not yet calculated CVE-2013-2097
MISC
MISC
MISC
MISC
MISC Back to top


Be Cautious of Romance Scams

US-CERT All NCAS Products - Fri, 02/14/2020 - 16:39
Original release date: February 14, 2020

This Valentine’s Day, the Cybersecurity and Infrastructure Security Agency (CISA) reminds users to be wary of internet romance scams. Cyber criminals partaking in this type of fraud target victims, gain their confidence, and convince them to transfer funds. When online dating, use caution and never send gifts or money to someone you have not met in person.

CISA encourages online daters to review the Federal Trade Commission’s alert It’s not true love if they ask for money and watch the FTC video Online Romance Imposter Scams. For more information review CISA’s Tip on Staying Safe on Social Networking Sites. If you believe you have been a victim of a romance scam, file a report with:


MAR-10135536-8.v3 – North Korean Trojan: HOPLIGHT

US-CERT All NCAS Products - Fri, 02/14/2020 - 14:00
Original release date: February 14, 2020
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report provides analysis of twenty malicious executable files. Sixteen of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.

For a downloadable copy of IOCs, see MAR-10135536-8.v3.stix.

Submitted Files (20)

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690...)

0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571 (34E56056E5741F33D823859E77235E...)

084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319 (170A55F7C0448F1741E60B01DCEC9C...)

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3...)

1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676 (07D2B057D2385A4CDF413E8D342305...)

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E...)

32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11 (38FC56965DCCD18F39F8A945F6EBC4...)

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463...)

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D...)

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6...)

73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33 (3EDCE4D49A2F31B8BA9BAD0B8EF549...)

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD...)

8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520 (5C0C1B4C3B1CFD455AC05ACE994AED...)

b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9 (2FF1688FE866EC2871169197F9D469...)

b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101 (2A791769AA73AC757F210F8546125B...)

c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8 (E4ED26D5E2A84CC5E48D285E4EA898...)

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2...)

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79...)

f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03 (D2DA675A8ADFEF9D0C146154084FFF...)

fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5 (F315BE41D9765D69AD60F0B4D29E43...)

Additional Files (7)

44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980 (None)

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)

823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8 (None)

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)

ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09 (None)

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)

IPs (23)

112.175.92.57

113.114.117.122

117.239.241.2

119.18.230.253

128.200.115.228

137.139.135.151

14.140.116.172

181.39.135.126

186.169.2.237

195.158.234.60

197.211.212.59

21.252.107.198

210.137.6.37

217.117.4.110

218.255.24.226

221.138.17.152

26.165.218.44

47.206.4.145

70.224.36.194

81.94.192.10

81.94.192.147

84.49.242.125

97.90.44.200
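The 23 addresses above are the network indicators the report ties to HOPLIGHT, and the per-IP sections below show the malware reaching them on TCP 443 and 7443. The following is an added example (not part of the report) of turning that list into a simple detection: it parses connection records in a constructed key=value flow format (an assumption, not a format the report describes) and flags any record whose destination is one of the report's IPs, ranking a hit higher when the port also matches.

```python
import re

# Network indicators from the "IPs (23)" list in the report (page values).
HOPLIGHT_IPS = frozenset("""
112.175.92.57 113.114.117.122 117.239.241.2 119.18.230.253 128.200.115.228
137.139.135.151 14.140.116.172 181.39.135.126 186.169.2.237 195.158.234.60
197.211.212.59 21.252.107.198 210.137.6.37 217.117.4.110 218.255.24.226
221.138.17.152 26.165.218.44 47.206.4.145 70.224.36.194 81.94.192.10
81.94.192.147 84.49.242.125 97.90.44.200
""".split())

# Destination ports the report associates with these hosts (443 and 7443 TCP).
HOPLIGHT_PORTS = frozenset({443, 7443})

# Constructed flow-record format (assumption): "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def find_hoplight_connections(lines):
    """Return one dict per record whose destination is a report IOC.

    'severity' is 'high' when the destination port is also one the report
    observed (443/7443 over TCP), otherwise 'medium'. Unparsable lines are
    skipped so one malformed record does not abort the whole scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst, dport, proto = m["dst"], int(m["dport"]), m["proto"].lower()
        if dst not in HOPLIGHT_IPS:
            continue
        port_match = proto == "tcp" and dport in HOPLIGHT_PORTS
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": dst,
            "dport": dport,
            "severity": "high" if port_match else "medium",
        })
    return hits


# Constructed sample records (not taken from the report).
SAMPLE_LOG = [
    "2020-02-14T10:01:02Z src=10.0.0.15 dst=81.94.192.147 dport=443 proto=tcp",
    "2020-02-14T10:01:05Z src=10.0.0.15 dst=8.8.8.8 dport=53 proto=udp",
    "2020-02-14T10:02:11Z src=10.0.0.22 dst=197.211.212.59 dport=7443 proto=tcp",
    "2020-02-14T10:03:00Z src=10.0.0.22 dst=112.175.92.57 dport=8080 proto=tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for hit in find_hoplight_connections(SAMPLE_LOG):
        print(hit)
```

The third constructed record hits on an unlisted port and is still reported, only at lower severity: the report only says which ports were observed during analysis, and the SetConfig command below lets the operator change the callback configuration, so matching on address alone keeps the detection from depending on a port the operator can move.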

Findings

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461

Tags

trojan

Details

Name: 23E27E5482E3F55BF828DAB885569033
Size: 242688 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 23e27e5482e3f55bf828dab885569033
SHA1: 139b25e1ae32a8768238935a8c878bfbe2f89ef4
SHA256: 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461
SHA512: 2c481ef42dfc9a7a30575293d09a6f81943e307836ec5b8a346354ab5832c15046dd4015a65201311e33f944763fc55dd44fbe390245be5be7a216026ecfb28b
ssdeep: 6144:YnDlYMzUvLFOL9wqk6+pqC8iooIBgajvQlm/Z0cp1:alYiXiooIKajvQeZ3
Entropy: 6.537337

Antivirus

Ahnlab: Trojan/Win32.Generic
Antiy: Trojan/Win32.Casdet
Avira: TR/NukeSped.uxivj
BitDefender: Trojan.GenericKD.41198265
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.LXQN-3818
ESET: a variant of Win32/NukeSped.AI trojan
Emsisoft: Trojan.GenericKD.41198265 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 005329311 )
McAfee: Trojan-Hoplight
Microsoft Security Essentials: Trojan:Win32/Hoplight
Quick Heal: Trojan.Hoplight.S5793599
Sophos: Troj/Hoplight-C
Symantec: Trojan.Hoplight
TrendMicro: Trojan.55DEE3DA
TrendMicro House Call: Trojan.55DEE3DA
VirusBlokAda: Trojan.Casdet

YARA Rules
rule crypt_constants_2
{
    meta:
        Author="NCCIC trusted 3rd party"
        Incident="10135536"
        Date = "2018/04/19"
        category = "hidden_cobra"
        family = "n/a"
        description = "n/a"
    strings:
        $ = {efcdab90}
        $ = {558426fe}
        $ = {7856b4c2}
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}

rule lsfr_constants
{
    meta:
        Author="NCCIC trusted 3rd party"
        Incident="10135536"
        Date = "2018/04/19"
        category = "hidden_cobra"
        family = "n/a"
        description = "n/a"
    strings:
        $ = {efcdab90}
        $ = {558426fe}
        $ = {7856b4c2}
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}

rule polarSSL_servernames
{
    meta:
        Author="NCCIC trusted 3rd party"
        Incident="10135536"
        Date = "2018/04/19"
        category = "hidden_cobra"
        family = "n/a"
        description = "n/a"
    strings:
        $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
        $sn1 = "www.google.com"
        $sn2 = "www.naver.com"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
}
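The three rules above share one guard, a little-endian 'MZ' at offset 0 and 'PE' at the offset stored in e_lfanew (0x3c), and then look for either the three LFSR seed words (the little-endian encodings of 0x90abcdef, 0xfe268455 and 0xc2b45678 used by the decryption script below) or the PolarSSL marker string plus a server name. The following is an added example, not part of the report, that mirrors those conditions in plain Python so the same triage check can run where YARA is not installed; the `build_test_image` helper only constructs a minimal PE-shaped buffer for testing and is not a real executable.

```python
import struct

# Byte patterns from the crypt_constants_2 / lsfr_constants rules (page values):
# the LFSR seed words 0x90abcdef, 0xfe268455 and 0xc2b45678 stored little-endian.
CRYPT_CONSTANTS = (
    bytes.fromhex("efcdab90"),
    bytes.fromhex("558426fe"),
    bytes.fromhex("7856b4c2"),
)

# Strings from the polarSSL_servernames rule (page values).
POLARSSL_MARKER = b"fjiejffndxklfsdkfjsaadiepwn"
SERVER_NAMES = (b"www.google.com", b"www.naver.com")


def is_pe(buf: bytes) -> bool:
    """Equivalent of the YARA guard: uint16(0) == 0x5A4D ('MZ') and
    uint16(uint32(0x3c)) == 0x4550 ('PE'), all read little-endian."""
    if len(buf) < 0x40:
        return False
    if struct.unpack_from("<H", buf, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 2 > len(buf):          # e_lfanew pointing past the end is not a PE
        return False
    return struct.unpack_from("<H", buf, e_lfanew)[0] == 0x4550


def match_crypt_constants(buf: bytes) -> bool:
    """crypt_constants_2 / lsfr_constants: a PE image containing all three seed words."""
    return is_pe(buf) and all(c in buf for c in CRYPT_CONSTANTS)


def match_polarssl_servernames(buf: bytes) -> bool:
    """polarSSL_servernames: a PE image with the marker string and at least one server name."""
    return is_pe(buf) and POLARSSL_MARKER in buf and any(s in buf for s in SERVER_NAMES)


def scan(buf: bytes) -> list:
    """Return the names of the report's rules that fire on buf, in report order."""
    hits = []
    if match_crypt_constants(buf):
        hits += ["crypt_constants_2", "lsfr_constants"]
    if match_polarssl_servernames(buf):
        hits.append("polarSSL_servernames")
    return hits


def build_test_image(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file (assumption, for testing only): a 64-byte
    DOS header whose e_lfanew points at a 'PE\\0\\0' signature, then the payload."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    sample = build_test_image(b"".join(CRYPT_CONSTANTS) + POLARSSL_MARKER + b"www.naver.com")
    print(scan(sample))                                   # all three rules fire
    print(scan(b"".join(CRYPT_CONSTANTS) + POLARSSL_MARKER))  # no MZ/PE header: nothing fires
```

Because the seed words are plain little-endian constants, the first two rules will also match any other binary that embeds the same LFSR; treat a hit as a triage signal to be confirmed against the hashes and network indicators in this report rather than as an attribution on its own.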
ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2017-06-05 21:57:29-04:00
Import Hash: ff390ec082b48263a3946814ea18ba46

PE Sections

MD5                               Name    Raw Size  Entropy
c06924120c87e2cb79505e4ab0c2e192  header  1024      2.542817
3368eda2d5820605a055596c7c438f0f  .text   197120    6.441545
ec1f06839fa9bc10ad8e183b6bf7c1b5  .rdata  27136     5.956914
1e62b7d9f7cc48162e0651f7de314c8a  .data   8192      4.147893
980effd28a6c674865537f313318733a  .rsrc   512       5.090362
696fd5cac6e744f336e8ab68a4708fcf  .reloc  8704      5.247502

Packers/Compilers/Cryptors: Microsoft Visual C++ ?.?

Description

This artifact is a malicious 32-bit Windows executable. When executed the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.

The malware is capable of the following functions:

---Begin Malware Capability---

Read, Write, and Move Files
Enumerate System Drives
Create and Terminate Processes
Inject into Running Processes
Create, Start and Stop Services
Modify Registry Settings
Connect to a Remote Host
Upload and Download Files

---End Malware Capability---

The malware family has 2 versions. Both are nearly identical in functionality but use slightly different command codes. So if the opcode for Keepalive in version 1 is 0xB6C1, the opcode in version 2 will be 0xB6C2.

There may be some versions of the malware that have limited/additional functionality, but most will have these command codes:

---Begin Version 1 Command Codes---

0xB6A4 GetComputerInfo
   -Gets OS Version
   -Opens and sends back multiple registry keys
       Key names are stored RC4-encrypted in the binary with the 16-byte key (af 3d 78 23 4a 79 92 81 9d 7f 20 47 ad e3 f2 b3) and are decrypted prior to calling RegOpenKey/RegQueryValue.
   -Calls GetSystemInfo, returns the contents of a SYSTEM_INFO struct
   -Calls GetSystemMetrics and returns the results
0xB6A5 GetDrivesInfo
   -Gets info about the drives/share drives on the system as well as memory available/memory used on those drives
0xB6A6 DirectoryList
   -Gives a list of all files in a directory specified by the C2
0xB6A7 SendFile
   -Sends a file specified by the C2 from the victim machine to the C2
0xB6A8 ReceiveFile
   -Victim machine receives a file from the C2
0xB6A9 CreateProcess
   -Calls CreateProcessW to run a process via the command line. The C2 specifies the path of the file to be run.
0xB6AA EnableLogging
   -Prior to the victim and C2 closing out a connection, the victim spawns a new thread that compiles a comprehensive log of system/session information. Inside this thread it opens a randomly named file in the temp directory and writes all the log results to it.
0xB6AB DeleteFile
   -Deletes the file specified by the C2.
0xB6AC RunCmdPipe
   -Runs CreateProcessW to run a process via the command line. The process is cmd.exe and the arguments are the Windows cmd command that the C2 specifies. The results of this command are written to a temporary file, read back and sent to the C2, and the file is then deleted.
0xB6AD ProcessList
   -Gets a list of processes
0xB6AE KillProcess
   -Kills the process with the PID that the C2 supplies.
0xB6AF TestEncryption
   -Tests the LFSR encryption; no real functionality
0xB6B0 Uninstall
   -Uninstalls the implant from the victim box
0xB6B2 GetConfig
   -Gets the current callback config from memory and returns the list to the C2. There are 10 IP options in this config.
0xB6B3 SetConfig
   -Gets the current callback config from memory and allows the C2 to change it. This changes the beacon IP to whatever the C2 wants.
0xB6B4 SetCurrentDirectory
   -Changes the current working directory to the path supplied by the C2
0xB6B5 GetCurrentDirectory
   -Gets the current working directory and returns it to the C2
0xB6C1 KeepAlive
   -The C2 sends this as a keep-alive to the victim; the victim responds with confirmation that it received the keep-alive and keeps the session open

---End Version 1 Command Codes---
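The GetComputerInfo (0xB6A4) entry above notes that the registry key names are RC4-encrypted in the binary with a fixed 16-byte key and decrypted only just before RegOpenKey/RegQueryValue, so they do not show up in a plain strings listing. The following is an added example, not the report's own tooling, of recovering such strings from carved blobs with that key. RC4 is the textbook algorithm; the sample registry paths are constructed here for illustration and encrypted in-script so the code runs offline, they are not strings recovered from the sample, and the blob-carving step (locating the encrypted buffers in the .data section) is left to the analyst.

```python
# RC4 key the report gives for the registry-key strings in 0xB6A4 GetComputerInfo (page value).
REGISTRY_STRING_KEY = bytes.fromhex("af3d78234a7992819d7f2047ade3f2b3")


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). RC4 is symmetric: one call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: XOR each data byte with the next keystream byte
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def decrypt_strings(blobs, key=REGISTRY_STRING_KEY):
    """Decrypt candidate blobs and keep only results that decode as printable ASCII.

    A blob that was not encrypted with this key almost always decrypts to bytes
    outside ASCII or to control characters, so it comes back as None; that lets
    the caller see which carved buffers really were RC4 strings."""
    results = []
    for blob in blobs:
        plain = rc4(key, blob)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            results.append(None)
            continue
        results.append(text if text.isprintable() else None)
    return results


# Constructed sample (assumption): registry paths a GetComputerInfo-style routine
# might read, encrypted here with the report's key so decryption can be exercised
# offline. They are illustrative, not strings recovered from the sample.
SAMPLE_PLAINTEXTS = [
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
    "SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName",
]
SAMPLE_BLOBS = [rc4(REGISTRY_STRING_KEY, p.encode("ascii")) for p in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    for text in decrypt_strings(SAMPLE_BLOBS):
        print(text)
```

Since the key is hard-coded in the binary, the same 16 bytes can also be searched for directly as a static indicator, in the same way the YARA rules above search for the LFSR seed constants.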

The malware is capable of opening and binding to a socket. The malware uses a public SSL certificate for secure communication. This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world.

The malware uses the default certificates/private keys that come with PolarSSL. These are generally used for testing purposes only. Additionally the C2 IPs that act as the server for the TLS handshake require the malware to respond back with a client key. This key is also a default key found within the PolarSSL libraries.

---Begin SSL Certificate Header---

1 0     UNL10U
PolarSSL10UPolarSSL Test CA0
110212144407Z
2102121144407Z0<1 0 UNL10U
PolarSSL10UPolarSSL Client 200

---End SSL Certificate Header---

When executed, the malware will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the malware. These IP addresses are referenced in 'udbcgiut.dat' below. The malware also contains an embedded Zlib compression library that appears to further obfuscate the communications payload.

After the TLS authentication is completed, this particular malware does NOT use the session key that is generated via TLS. It uses a custom Linear Feedback Shift Register (LFSR) encryption scheme to encrypt all communications after the completion of the handshake. A Python script to decrypt traffic is given below:

---Begin LFSR Decryption Script---

class lfsr:
    def __init__(self):
        # b[0] is the control bit; b[1], b[2], b[3] are the three register states
        self.b = [0, 0, 0, 0]
        self.data = b""
        self.L = 0

    def lfsr_init(self, data):
        self.L = len(data)
        self.data = data
        self.b[0] = 0
        self.b[1] = 0xc2b45678
        self.b[2] = 0x90abcdef
        self.b[3] = 0xfe268455

        # Mix the seed words a number of times derived from the payload length
        for i in range(self.L // 3):
            self.b[1] ^= self.b[2]
            self.b[2] ^= self.b[3]
            self.b[3] ^= self.b[1]

        for i in range(self.L % 3):
            self.b[1] |= self.b[2]
            self.b[2] |= self.b[3]
            self.b[3] |= self.b[1]

    def lfsr_1(self):
        # Set the control bit from a count of one tap bit in each register
        r = 0
        if (self.b[1] & 0x200) == 0x200:
            r += 1
        if (self.b[2] & 0x800) == 0x800:
            r += 1
        if (self.b[3] & 0x800) == 0x800:
            r += 1
        if r <= 1:
            self.b[0] = 1
        else:
            self.b[0] = 0

    def lfsr_2(self):
        # Clock register 1 (19 bits) only when its tap bit differs from the control bit
        v1 = self.b[1]
        r = (self.b[1] >> 9) & 1
        v3 = r == self.b[0]
        self.b[0] ^= r
        if not v3:
            r = (v1 ^ ((v1 ^ ((v1 ^ (v1 >> 1)) >> 1)) >> 3)) >> 13
            v4 = 2 * (v1 & 0x3ffff)
            self.b[1] = v4
            if (r & 1):
                self.b[1] = v4 ^ 1

    def lfsr_3(self):
        # Clock register 2 (22 bits) on the same condition
        v1 = self.b[2]
        r = (self.b[2] >> 11) & 1
        v3 = r == self.b[0]
        self.b[0] ^= r
        if not v3:
            r = (v1 ^ ((v1 ^ ((v1 ^ (v1 >> 1)) >> 4)) >> 4)) >> 12
            v4 = 2 * (v1 & 0x1fffff)
            self.b[2] = v4
            if (r & 1):
                self.b[2] = v4 ^ 1

    def lfsr_4(self):
        # Clock register 3 (23 bits) on the same condition
        v1 = self.b[3]
        r = (self.b[3] >> 11) & 1
        v3 = r == self.b[0]
        self.b[0] ^= r
        if not v3:
            r = (v1 ^ ((v1 ^ ((v1 ^ (v1 >> 1)) >> 3)) >> 1)) >> 17
            v4 = 2 * (v1 & 0x3fffff)
            self.b[3] = v4
            if (r & 1):
                self.b[3] = v4 ^ 1

    def lfsr_genKeyByte(self):
        # Step all registers, then fold the XOR of the three states down to one byte
        self.lfsr_1()
        self.lfsr_2()
        self.lfsr_3()
        self.lfsr_4()
        v2 = self.b[1] ^ self.b[2] ^ self.b[3]
        r = (v2 >> 0x18) ^ (v2 >> 0x10) ^ (v2 >> 0x8) ^ v2
        r &= 0xff
        return r

    def crypt(self):
        # XOR each payload byte with the next keystream byte; the same call decrypts
        r = b""
        for i in range(len(self.data)):
            k = self.lfsr_genKeyByte()
            r += bytes([self.data[i] ^ k])
        return r

---End LFSR Decryption Script---

The following notable strings have been linked to the use of the SSL certificates and can be used to identify the malware:

---Begin Notable Strings---

fjiejffndxklfsdkfjsaadiepwn
ofuierfsdkljffjoiejftyuir
reykfgkodfgkfdskgdfogpdokgsdfpg
ztretrtireotreotieroptkierert
etudjfirejer
yrty
uiyy
uiyiyj lildvucv
erfdfe poiiumwq

---End Notable Strings---

The next four artifacts have characteristics identical to those described above. Therefore, only capability that is unique will be described for the following four artifacts.

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525

Tags

trojan

Details

Name: 5C3898AC7670DA30CF0B22075F3E8ED6
Size: 221184 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5c3898ac7670da30cf0b22075f3e8ed6
SHA1: 91110c569a48b3ba92d771c5666a05781fdd6a57
SHA256: 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
SHA512: 700ec4d923cf0090f4428ac3d4d205b551c3e48368cf90d37f9831d8a57e73c73eb507d1731662321c723362c9318c3f019716991073dc9a4cc829ce01540337
ssdeep: 3072:nKBzqEHcJw0sqz7vLFOLBAqui1mqLK1VaU9BzNRyHmdMaF0QqWN0Qjpthmu:nKg0cJ19z7vLFOLSqp0q7syHeFhnhm
Entropy: 6.346504

Antivirus

Ahnlab: Trojan/Win32.Generic
Antiy: Trojan/Win32.NukeSped
Avira: TR/NukeSped.bqdkh
BitDefender: Trojan.GenericKD.41198269
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.MYIL-1461
ESET: a variant of Win32/NukeSped.AI trojan
Emsisoft: Trojan.GenericKD.41198269 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 005329311 )
McAfee: Trojan-Hoplight
Microsoft Security Essentials: Trojan:Win32/Hoplight
Quick Heal: Trojan.Hoplight.S5774771
Sophos: Troj/Hoplight-C
Symantec: Trojan.Hoplight
TACHYON: Trojan/W32.Hoplight.221184
TrendMicro: Trojan.55DEE3DA
TrendMicro House Call: Trojan.55DEE3DA
VirusBlokAda: BScope.Trojan.Casdet

YARA Rules
rule crypt_constants_2
{
    meta:
        Author="NCCIC trusted 3rd party"
        Incident="10135536"
        Date = "2018/04/19"
        category = "hidden_cobra"
        family = "n/a"
        description = "n/a"
    strings:
        $ = {efcdab90}
        $ = {558426fe}
        $ = {7856b4c2}
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}

rule lsfr_constants
{
    meta:
        Author="NCCIC trusted 3rd party"
        Incident="10135536"
        Date = "2018/04/19"
        category = "hidden_cobra"
        family = "n/a"
        description = "n/a"
    strings:
        $ = {efcdab90}
        $ = {558426fe}
        $ = {7856b4c2}
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}

rule polarSSL_servernames
{
    meta:
        Author="NCCIC trusted 3rd party"
        Incident="10135536"
        Date = "2018/04/19"
        category = "hidden_cobra"
        family = "n/a"
        description = "n/a"
    strings:
        $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
        $sn1 = "www.google.com"
        $sn2 = "www.naver.com"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
}
ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2017-05-16 02:35:55-04:00
Import Hash: 6ffc5804961e26c43256df683fea6922

PE Sections

MD5                               Name    Raw Size  Entropy
adb596d3ceae66510778e3bf5d4d9582  header  4096      0.695660
6453931a0b6192e0bbd6476e736ca63f  .text   184320    6.343388
0ba1433cc62ba7903ada2f1e57603e83  .rdata  16384     6.246206
76a08265777f68f08e5e6ed2102cb31d  .data   12288     4.050945
cb8939d6bc1cd076acd850c3850bdf78  .rsrc   4096      3.289605

Packers/Compilers/Cryptors: Microsoft Visual C++ v6.0

Relationships

2151c1977b... Connected_To 81.94.192.147
2151c1977b... Connected_To 112.175.92.57
2151c1977b... Related_To 181.39.135.126
2151c1977b... Related_To 197.211.212.59
2151c1977b... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
2151c1977b... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When this artifact is executed, it will write the file 'udbcgiut.dat' to C:\Users\<user>\AppData\Local\Temp.

The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP Port 443.
The two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59 are hard-coded into the malware. However, only connections to the first two IP addresses were attempted during analysis.

197.211.212.59

Ports
  • 7443 TCP
Whois

inetnum:        197.211.208.0 - 197.211.215.255
netname:        ZOL-16e-MOBILE-CUSTOMERS
descr:         ZOL Customers on ZTE Mobile WiMAX Platform
country:        ZW
admin-c:        BS10-AFRINIC
admin-c:        GJ1-AFRINIC
admin-c:        JHM1-AFRINIC
tech-c:         BS10-AFRINIC
tech-c:         GJ1-AFRINIC
tech-c:         JHM1-AFRINIC
status:         ASSIGNED PA
mnt-by:         LIQUID-TOL-MNT
source:         AFRINIC # Filtered
parent:         197.211.192.0 - 197.211.255.255

person:         B Siwela
address:        3rd Floor Greenbridge South
address:        Eastgate Center
address:        R. Mugabe Road
address:        Harare
address:        Zimbabwe
phone:         +263774673452
fax-no:         +2634702375
nic-hdl:        BS10-AFRINIC
mnt-by:         GENERATED-DVCNVXWBH3VN3XZXTRPHOT0OJ77GUNN3-MNT
source:         AFRINIC # Filtered

person:         G Jaya
address:        3rd Floor Greenbridge South
address:        Eastgate Center
address:        R. Mugabe Road
address:        Harare
address:        Zimbabwe
phone:         +263773373135
fax-no:         +2634702375
nic-hdl:        GJ1-AFRINIC
mnt-by:         GENERATED-QPEEUIPPW1WPRZ5HLHRXAVHDOKWLC9UC-MNT
source:         AFRINIC # Filtered

person:         John H Mwangi
address:        Liquid Telecom Kenya
address:        P.O.Box 62499 - 00200
address:        Nairobi Kenya
address:        Nairobi, Kenya
address:        Kenya
phone:         + 254 20 556 755

Relationships

197.211.212.59 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
197.211.212.59 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
197.211.212.59 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3

Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. The domain, zol-ad-bdc.zol.co.zw is associated with the IP address, however, no DNS query is made for the name.

181.39.135.126

Ports
  • 7443 TCP
Whois

inetnum:     181.39.135.120/29
status:     reallocated
owner:     Clientes Guayaquil
ownerid:     EC-CLGU1-LACNIC
responsible: Tomislav Topic
address:     Kennedy Norte Mz. 109 Solar 21, 5, Piso 2
address:     5934 - Guayaquil - GY
country:     EC
phone:     +593 4 2680555 [101]
owner-c:     SEL
tech-c:     SEL
abuse-c:     SEL
created:     20160720
changed:     20160720
inetnum-up: 181.39/16

nic-hdl:     SEL
person:     Carlos Montero
e-mail:     networking@TELCONET.EC
address:     Kennedy Norte MZ, 109, Solar 21
address:     59342 - Guayaquil -
country:     EC
phone:     +593 42680555 [4601]
created:     20021004
changed:     20170323

Relationships

181.39.135.126 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
181.39.135.126 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
181.39.135.126 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3

Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. No domain is associated with the IP address.

112.175.92.57

Ports
  • 443 TCP
Whois

inetnum:        112.160.0.0 - 112.191.255.255
netname:        KORNET
descr:         Korea Telecom
admin-c:        IM667-AP
tech-c:         IM667-AP
country:        KR
status:         ALLOCATED PORTABLE
mnt-by:         MNT-KRNIC-AP
mnt-irt:        IRT-KRNIC-KR
last-modified: 2017-02-03T02:21:58Z
source:         APNIC

irt:            IRT-KRNIC-KR
address:        Seocho-ro 398, Seocho-gu, Seoul, Korea
e-mail:         hostmaster@nic.or.kr
abuse-mailbox: hostmaster@nic.or.kr
admin-c:        IM574-AP
tech-c:         IM574-AP
auth:         # Filtered
mnt-by:         MNT-KRNIC-AP
last-modified: 2017-10-19T07:36:36Z
source:         APNIC

person:         IP Manager
address:        Gyeonggi-do Bundang-gu, Seongnam-si Buljeong-ro 90
country:        KR
phone:         +82-2-500-6630
e-mail:         kornet_ip@kt.com
nic-hdl:        IM667-AP
mnt-by:         MNT-KRNIC-AP
last-modified: 2017-03-28T06:37:04Z
source:         APNIC

Relationships

112.175.92.57 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
112.175.92.57 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
112.175.92.57 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
112.175.92.57 Connected_From 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a

Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. The domain, mail.everzone.co.kr is associated with the IP address, however, no DNS query is made for the name.

81.94.192.147

Ports
  • 443 TCP
Whois

inetnum:        81.94.192.0 - 81.94.192.255
netname:        IOMARTHOSTING
descr:         iomart Hosting Limited
country:        GB
admin-c:        RA1415-RIPE
tech-c:         RA1415-RIPE
status:         ASSIGNED PA
remarks:        ABUSE REPORTS: abuse@redstation.com
mnt-by:         REDSTATION-MNT
mnt-domains:    REDSTATION-MNT
mnt-routes:     REDSTATION-MNT
created:        2016-02-14T11:44:25Z
last-modified: 2016-02-14T11:44:25Z
source:         RIPE

role:         Redstation Admin Role
address:        Redstation Limited
address:        2 Frater Gate Business Park
address:        Aerodrome Road
address:        Gosport
address:        Hampshire
address:        PO13 0GW
address:        UNITED KINGDOM
abuse-mailbox: abuse@redstation.com
e-mail:         abuse@redstation.com
nic-hdl:        RA1415-RIPE
mnt-by:         REDSTATION-MNT
created:        2005-04-22T17:34:33Z
last-modified: 2017-05-02T09:47:13Z
source:         RIPE

% Information related to '81.94.192.0/24AS20860'

route:         81.94.192.0/24
descr:         Wayne Dalton - Redstation Ltd
origin:         AS20860
mnt-by:         GB10488-RIPE-MNT
created:        2015-11-03T12:58:00Z
last-modified: 2015-11-03T12:58:00Z
source:         RIPE

Relationships
  • 81.94.192.147 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
  • 81.94.192.147 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
  • 81.94.192.147 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3

Description

This IP address is listed in the file 'udbcgiut.dat'. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. No domain is associated with the IP address.

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 Tags

droppertrojan

Details
  • Name: udbcgiut.dat
  • Size: 1171 bytes
  • Type: data
  • MD5: ae829f55db0198a0a36b227addcdeeff
  • SHA1: 04833210fa57ea70a209520f4f2a99d049e537f2
  • SHA256: 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
  • SHA512: 1b4509102ac734ce310b6f8631b1bedd772a38582b4feda9fee09f1edd096006cf5ba528435c844effa97f95984b07bd2c111aa480bb22f4bcfbc751f069868d
  • ssdeep: 3:ElclFUl8GlFcmzkXIil23X1ll:ElcUXmQkXQ3
  • Entropy: 0.395693

Antivirus
  • Ahnlab: BinImage/Hoplight
  • Antiy: Trojan/Generic.Generic
  • ClamAV: Win.Dropper.Hoplight-7402658-0
  • Ikarus: Trojan.Win32.Hoplight
  • McAfee: Trojan-Hoplight.b
  • Microsoft Security Essentials: Trojan:Win32/Hoplight
  • TrendMicro: Trojan.22D9D34C
  • TrendMicro House Call: Trojan.22D9D34C

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
  • 70902623c9... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
  • 70902623c9... Related_To ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
  • 70902623c9... Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
  • 70902623c9... Related_To 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
  • 70902623c9... Related_To 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d

Description

'udbcgiut.dat' is dropped by three of the four PE32 executables. This file contains a 32-byte Unicode string uniquely generated for the infected system, as well as four socket pairs in hexadecimal.

---Begin Decoded Socket Pairs---

197.211.212.59:443
181.39.135.126:443
112.175.92.57:7443
81.94.192.147:7443

---End Decoded Socket Pairs---

The Unicode string generated during this analysis was '8a9b11762b96c4b6'. The socket pairs remain the same for all instances of the malware.
For the PE32 executables, 'udbcgiut.dat' was dropped in the victim's profile at %AppData%\Local\Temp. For the 64-bit executables, 'udbcgiut.dat' was dropped in C:\Windows.

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 Tags

trojan

Details
  • Name: C5DC53A540ABE95E02008A04A0D56D6C
  • Size: 241152 bytes
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5: c5dc53a540abe95e02008a04a0d56d6c
  • SHA1: 4cfe9e353b1a91a2add627873846a3ad912ea96b
  • SHA256: 4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818
  • SHA512: fc33c99facfbc98d164e63167353bdcff7c1704810e4bb64f7e56812412d84099b224086c04aea66e321cd546d8cf6f14196f5b58d5e931c68064d659c33b6a2
  • ssdeep: 6144:LA5cWD93YuzTvLFOLoqbWbnuX7ZEAV6efA/Pawzq:Xc93YbLZEAV6mX
  • Entropy: 6.534884

Antivirus
  • Ahnlab: Trojan/Win32.Hoplight
  • Antiy: Trojan/Win32.Casdet
  • Avira: TR/NukeSped.qdbcu
  • BitDefender: Trojan.GenericKD.31879714
  • ClamAV: Win.Trojan.HiddenCobra-7402602-0
  • Cyren: W32/Trojan.OTMD-4999
  • ESET: a variant of Win32/NukeSped.AS trojan
  • Emsisoft: Trojan.GenericKD.31879714 (B)
  • Ikarus: Trojan.Win32.NukeSped
  • K7: Trojan ( 0051d4f01 )
  • McAfee: Trojan-Hoplight
  • Microsoft Security Essentials: Trojan:Win32/Hoplight
  • Quick Heal: Trojan.Hoplight.S5793599
  • Sophos: Troj/Hoplight-C
  • Symantec: Trojan.Hoplight
  • TrendMicro: Trojan.55DEE3DA
  • TrendMicro House Call: Trojan.55DEE3DA
  • VirusBlokAda: Trojan.Casdet

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
       $sn1 = "www.google.com"
       $sn2 = "www.naver.com"
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
  • Compile Date: 2017-06-04 21:31:07-04:00
  • Import Hash: c76f6bb3f2ce6f4ce3e83448836f3ddd

PE Sections
  MD5                               Name    Raw Size  Entropy
  64cb3246aafa83129f7fd6b25d572a9f  header  1024      2.625229
  e8c15e136370c12020eb23545085b9f6  .text   196096    6.431942
  cf0eb4ad22ac1ca687b87a0094999ac8  .rdata  26624     5.990247
  b246681e20b3c8ff43e1fcf6c0335287  .data   8192      4.116777
  6545248a1e3449e95314cbc874837096  .rsrc   512       5.112624
  31a7ab6f707799d327b8425f6693c220  .reloc  8704      5.176231

Packers/Compilers/Cryptors
  • Microsoft Visual C++ ?.?

Description

This artifact is a malicious PE32 executable with characteristics similar to those described in 23E27E5482E3F55BF828DAB885569033 above.

This artifact appears to be named 'lamp.exe'. The malware contains the following debug pathway:

---Begin Debug Pathway---

Z:\Develop\41.LampExe\Release\LampExe.pdb

---End Debug Pathway---

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d Tags

adwaretrojan

Details
  • Name: BE588CD29B9DC6F8CFC4D0AA5E5C79AA
  • Name: ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
  • Size: 267776 bytes
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5: be588cd29b9dc6f8cfc4d0aa5e5c79aa
  • SHA1: 06be4fe1f26bc3e4bef057ec83ae81bd3199c7fc
  • SHA256: ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
  • SHA512: c074ec876350b3ee3f82208041152c0ecf25cc8600c8277eec389c253c12372e78da59182a6df8331b05e0eefb07c142172951115a582606f68b824e1d48f30d
  • ssdeep: 6144:UEFpmt3md/iA3uiyzOvLFOLYqnHGZlDwf/OYy85eqmJKRPg:/PQ3mJxeigqi/OYy+/g
  • Entropy: 6.554499

Antivirus
  • Ahnlab: Trojan/Win32.Generic
  • Antiy: Trojan/Win32.Casdet
  • Avira: TR/NukeSped.yvkuj
  • BitDefender: Trojan.GenericKD.31879713
  • ClamAV: Win.Trojan.HiddenCobra-7402602-0
  • Cyren: W32/Trojan.TBKF-4720
  • ESET: a variant of Win32/NukeSped.AI trojan
  • Emsisoft: Trojan.GenericKD.31879713 (B)
  • Filseclab: Adware.Amonetize.heur.xjym.mg
  • Ikarus: Trojan.Win32.NukeSped
  • K7: Trojan ( 005329311 )
  • McAfee: Trojan-Hoplight
  • Microsoft Security Essentials: Trojan:Win32/Nukesped.PA!MTB
  • Sophos: Troj/Hoplight-C
  • Symantec: Trojan.Hoplight
  • TACHYON: Trojan/W32.Hoplight.267776
  • TrendMicro: Trojan.55DEE3DA
  • TrendMicro House Call: Trojan.55DEE3DA
  • VirusBlokAda: BScope.Trojan.Casdet

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
       $sn1 = "www.google.com"
       $sn2 = "www.naver.com"
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
  • Compile Date: 2017-06-06 10:33:38-04:00
  • Import Hash: 8184d5d35e3a4640bb5d21698a4b6021

PE Sections
  MD5                               Name    Raw Size  Entropy
  59b5d567b9b7b9da0ca0936675fd95fe  header  1024      2.658486
  c0b6929e0f01a7b61bde3d7400a801e0  .text   218624    6.470188
  ce1e5ab830fcfaa2d7bea92f56e9026e  .rdata  27136     5.962575
  006bad003b65738ed203a576205cc546  .data   8192      4.157373
  992987e022da39fcdbeede8ddd48f226  .rsrc   3072      5.511870
  4be460324f0f4dc1f6a0983752094cce  .reloc  9728      5.303151

Packers/Compilers/Cryptors
  • Microsoft Visual C++ ?.?

Relationships
  • ddea408e17... Connected_To 81.94.192.147
  • ddea408e17... Connected_To 112.175.92.57
  • ddea408e17... Connected_To 181.39.135.126
  • ddea408e17... Connected_To 197.211.212.59
  • ddea408e17... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
  • ddea408e17... Connected_To 81.94.192.10

Description

This artifact is a malicious PE32 executable with characteristics similar to those described in 23E27E5482E3F55BF828DAB885569033 above.

This program attempts to initiate a TLS handshake with each of the four IP/port pairs listed in 'udbcgiut.dat'. If the program is unable to establish a connection, the file 'udbcgiut.dat' is deleted.

After 'udbcgiut.dat' is deleted, an outbound SSL connection is made to 81.94.192.10. This IP address is hard-coded in the malware and is not randomly generated.

This artifact also loads several APIs that are commonly associated with Pass-The-Hash (PTH) toolkits, indicating a capability to harvest user credentials and passwords.

---Begin Common PTH APIs---

SamiChangePasswordUser
SamFreeMemory
SamCloseHandle
SamOpenUser
SamLookupNamesInDomain
SamOpenDomain
SamConnect

---End Common PTH APIs---

81.94.192.10 Whois

Domain name:
       redstation.net.uk

   Registrant:
       Redstation Limited

   Registrant type:
       UK Limited Company, (Company number: 3590745)

   Registrant's address:
       2 Frater Gate Business Park
       Aerodrome Road
       Gosport
       Hampshire
       PO13 0GW
       United Kingdom

   Data validation:
       Nominet was able to match the registrant's name and address against a 3rd party data source on 21-Feb-2017

   Registrar:
       Easyspace Ltd [Tag = EASYSPACE]
       URL: https://www.easyspace.com/domain-names/extensions/uk

   Relevant dates:
       Registered on: 11-Apr-2005
       Expiry date: 11-Apr-2019
       Last updated: 12-Apr-2017

   Registration status:
       Registered until expiry date.

   Name servers:
       ns1.redstation.com
       ns2.redstation.com

Relationships
  • 81.94.192.10 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware5.dll'. No domain is associated with the IP address.

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d Tags

droppertrojan

Details
  • Name: 868036E102DF4CE414B0E6700825B319
  • Size: 453791 bytes
  • Type: PE32+ executable (GUI) x86-64, for MS Windows
  • MD5: 868036e102df4ce414b0e6700825b319
  • SHA1: 7f1e68d78e455aa14de9020abd2293c3b8ec6cf8
  • SHA256: 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
  • SHA512: 724d83493dbe86cfcee7f655272d2c733baa5470d7da986e956c789aa1b8f518ad94b575e655b4fe5f6f7d426b9aa7d8304fc879b82a385142b8924e0d454363
  • ssdeep: 12288:eb/3G8vg+Rg1cvAHtE0MLa07rt5POui6z:+/3G8vg+pvi9Sa07rt4ui6z
  • Entropy: 7.713852

Antivirus
  • Ahnlab: Trojan/Win64.Hoplight
  • Antiy: Trojan/Generic.Generic
  • Avira: TR/Dropper.ezydy
  • BitDefender: Trojan.Autoruns.GenericKDS.32698229
  • ClamAV: Win.Trojan.Hoplight-7402636-0
  • Cyren: W64/Trojan.PLQG-3049
  • ESET: a variant of Win64/NukeSped.BV trojan
  • Emsisoft: Trojan.Autoruns.GenericKDS.32698229 (B)
  • Ikarus: Trojan.Win64.Nukesped
  • K7: Riskware ( 0040eff71 )
  • McAfee: Generic Trojan.ix
  • Microsoft Security Essentials: Trojan:Win64/Hoplight
  • NANOAV: Trojan.Win64.Crypted.excqpl
  • NetGate: Trojan.Win32.Malware
  • Quick Heal: Trojan.Win64
  • Sophos: Troj/Hoplight-C
  • Symantec: Trojan.Gen.MBT
  • TACHYON: Trojan/W32.Hoplight.453791
  • TrendMicro: Trojan.D58D9624
  • TrendMicro House Call: Trojan.D58D9624
  • VirusBlokAda: Trojan.Win64.Hoplight

YARA Rules

No matches found.

ssdeep Matches
  • 90  890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c

PE Metadata
  • Compile Date: 2017-06-06 10:54:03-04:00
  • Import Hash: 947a389c3886c5fa7f3e972fd4d7740c

PE Sections
  MD5                               Name    Raw Size  Entropy
  e772c7a04c7e3d53c58fdb8a88bb0c02  header  1024      2.486400
  a6a2750e5b57470403299e0327553042  .text   34816     6.297430
  cc5d69374e9b0266a4b1119e5274d392  .rdata  12288     4.715650
  ac4ee21fcb2501656efc217d139ec804  .data   5120      1.876950
  359af12d4a14ced423d39736dfec613a  .pdata  2560      3.878158
  097e0e4be076b795a7316f1746bace8a  .rsrc   3072      5.514584
  5849f380266933d6f3c5c4740334b041  .reloc  1024      2.517963

Packers/Compilers/Cryptors
  • Microsoft Visual C++ 8.0 (DLL)

Relationships
  • 12480585e0... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
  • 12480585e0... Dropped 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

This artifact is a malicious x64 executable with characteristics similar to those described in 23E27E5482E3F55BF828DAB885569033 above.

In addition to the capabilities described above, this variant hooks the Windows Local Security Authority (lsass.exe). 'lsass.exe' checks the registry for the entry 'rdpproto' in the 'Security Packages' value under the key SYSTEM\CurrentControlSet\Control\Lsa. If the entry is not found, it is added by 'lsass.exe'.
Next, the malware drops the embedded file 'rdpproto.dll' into the %System32% directory.
The file 'udbcgiut.dat' is then written to C:\Windows. Outbound connection attempts are made to the socket pairs found within this file, as described above.
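The persistence step just described (an extra entry in the LSA 'Security Packages' value that makes lsass.exe load an attacker-supplied DLL at boot) is something a defender can audit directly. The following PowerShell script is an added example and is not part of the MAR or any CISA tooling. It reads the 'Security Packages' value, flags any entry not in a baseline list, checks whether the corresponding DLL exists in System32, and looks for the file indicators this report names ('rdpproto.dll', 'udbcgiut.dat'). The baseline list is an assumption: capture it from a known-good host of the same Windows build rather than trusting the defaults written here. The %AppData%\Local\Temp path from the report is interpreted as the local application-data Temp folder.

```powershell
# Added example (not from the MAR): audit the LSA "Security Packages" value and the file
# indicators listed in this report. Run in an elevated PowerShell session on the host under review.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed baseline of legitimate security packages. Replace with the value captured from a
# known-good machine of the same Windows build; the set varies between versions.
$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')

# SHA256 values taken from this report (rdpproto.dll and the x64 dropper that writes it).
$KnownBadSha256 = @{
    '49757CF85657757704656C079785C072BBC233CAB942418D99D1F63D43F28359' = 'rdpproto.dll (this report)'
    '12480585E08855109C5972E85D99CDA7701FE992BC1754F1A0736F1EEBCB004D' = '868036E102DF4CE414B0E6700825B319 x64 dropper (this report)'
}

function Get-LsaPackageFindings {
    $findings = @()

    # "Security Packages" is REG_MULTI_SZ, so PowerShell returns it as a string array.
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Security Packages' -ErrorAction Stop).'Security Packages'

    foreach ($pkg in $packages) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
        if ($Baseline -notcontains $pkg.ToLower()) {
            # lsass.exe resolves each entry to <name>.dll in System32 and loads it at boot.
            $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
            $hash = if (Test-Path $dll) { (Get-FileHash -Path $dll -Algorithm SHA256).Hash } else { $null }
            $findings += [pscustomobject]@{
                Finding   = 'Unexpected LSA security package'
                Value     = $pkg
                Path      = $dll
                Exists    = (Test-Path $dll)
                Sha256    = $hash
                KnownBad  = if ($hash -and $KnownBadSha256.ContainsKey($hash)) { $KnownBadSha256[$hash] } else { $null }
            }
        }
    }

    # File indicators named in this report. udbcgiut.dat embeds a per-host string, so its hash
    # will not match the report; its presence at these paths is the signal.
    $indicatorPaths = @(
        (Join-Path $env:SystemRoot 'System32\rdpproto.dll'),
        (Join-Path $env:SystemRoot 'udbcgiut.dat'),
        (Join-Path $env:LOCALAPPDATA 'Temp\udbcgiut.dat')
    )
    foreach ($p in $indicatorPaths) {
        if (Test-Path $p) {
            $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Finding   = 'Indicator file present'
                Value     = Split-Path $p -Leaf
                Path      = $p
                Exists    = $true
                Sha256    = $hash
                KnownBad  = if ($KnownBadSha256.ContainsKey($hash)) { $KnownBadSha256[$hash] } else { $null }
            }
        }
    }

    return $findings
}

$results = Get-LsaPackageFindings
if ($results.Count -eq 0) { 'No findings.' } else { $results | Format-List }
```

An 'Unexpected LSA security package' finding whose DLL does not exist is still worth attention: the registry entry survives removal of the DLL and shows that something wrote to the Lsa key. Changes to that value are also a good candidate for a registry-modification detection rule in EDR or Sysmon (Event ID 13 on the Lsa key), since legitimate software rarely touches it after installation.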

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 Tags

trojan

Details
  • Name: rdpproto.dll
  • Size: 391680 bytes
  • Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
  • MD5: dc268b166fe4c1d1c8595dccf857c476
  • SHA1: 8264556c8a6e460760dc6bb72ecc6f0f966a16b8
  • SHA256: 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
  • SHA512: b47c4caa0b5c17c982fcd040c7171d36ec962fe32e9b8bec567ee14b187507fe90e026aa05eec17d36c49a924eeaed55e66c95a111cfa9dcae0e305ab9515cac
  • ssdeep: 6144:jfsTC8amAXJeZP6BPjIDeLkigDxcvAHjVXjhtBGshMLa1Mj7rtlkiP60dwtudIye:jvg+Rg1cvAHtE0MLa07rt5POui6
  • Entropy: 7.893665

Antivirus
  • Ahnlab: Trojan/Win64.Hoplight
  • Antiy: Trojan/Win32.Casdet
  • Avira: TR/Crypt.XPACK.xuqld
  • BitDefender: Trojan.Generic.22790108
  • ClamAV: Win.Trojan.Hoplight-7402636-0
  • ESET: a variant of Win64/NukeSped.BV trojan
  • Emsisoft: Trojan.Generic.22790108 (B)
  • Ikarus: Trojan.SuspectCRC
  • K7: Trojan ( 0054bb211 )
  • McAfee: Hoplight-FDXG!DC268B166FE4
  • Microsoft Security Essentials: Trojan:Win64/Hoplight
  • NANOAV: Trojan.Win64.Crypted.excqpl
  • Quick Heal: Trojan.Win64
  • Sophos: Troj/Hoplight-C
  • Symantec: Trojan.Hoplight
  • TACHYON: Trojan/W32.Hoplight.391680
  • VirusBlokAda: Trojan.Win64.Agent

YARA Rules

No matches found.

ssdeep Matches
  • 99  890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c

PE Metadata
  • Compile Date: 2017-06-06 11:34:06-04:00
  • Import Hash: 360d26520c50825099ec61e97b01a43b

PE Sections
  MD5                               Name    Raw Size  Entropy
  3bb2a7d6aab283c82ab853f536157ce2  header  1024      2.524087
  b0bf8ec7b067fd3592c0053702e34504  .text   23552     6.180871
  6cc98c5fef3ea1b782262e355b5c5862  .rdata  10752     4.635336
  484d4698d46b3b5ad033c1a80ba83acf  .data   4096      2.145716
  a07c8f17c18c6789a3e757aec183aea6  .pdata  2048      3.729952
  fae0d0885944745d98849422bd799457  .rsrc   348672    7.997488
  0c1c23e1fb129b1b1966f70fc75cf20e  .reloc  1536      1.737829

Relationships
  • 49757cf856... Dropped_By 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
  • 49757cf856... Connected_To 21.252.107.198
  • 49757cf856... Connected_To 70.224.36.194
  • 49757cf856... Connected_To 113.114.117.122
  • 49757cf856... Connected_To 47.206.4.145
  • 49757cf856... Connected_To 84.49.242.125
  • 49757cf856... Connected_To 26.165.218.44
  • 49757cf856... Connected_To 137.139.135.151
  • 49757cf856... Connected_To 97.90.44.200
  • 49757cf856... Connected_To 128.200.115.228
  • 49757cf856... Connected_To 186.169.2.237

Description

"rdpproto.dll" is dropped into the %System32% directory by 868036E102DF4CE414B0E6700825B319. When the library is loaded, "rdpproto.dll" will attempt to send SSL Client Hello packets to any of the following embedded IP addresses:

---Begin Embedded IP Addresses---

21.252.107.198
70.224.36.194
113.114.117.122
47.206.4.145
84.49.242.125
26.165.218.44
137.139.135.151
97.90.44.200
128.200.115.228
186.169.2.237

---End Embedded IP Addresses---

This artifact contains the following notable strings:

---Begin Notable Strings---

CompanyName
Adobe System Incorporated
FileDescription
MicrosoftWindows TransFilter/FilterType : 01 WindowsNT Service
FileVersion
6.1 Build 7601
InternalName
TCP/IP Packet Filter Service
LegalCopyright
Copyright 2015 - Adobe System Incorporated
LegalTrademarks
OriginalFileName
TCP/IP - PacketFilter

---End Notable Strings---

21.252.107.198 Ports
  • 23164 TCP
Whois

NetRange:     21.0.0.0 - 21.255.255.255
CIDR:         21.0.0.0/8
NetName:        DNIC-SNET-021
NetHandle:     NET-21-0-0-0-1
Parent:         ()
NetType:        Direct Allocation
OriginAS:    
Organization: DoD Network Information Center (DNIC)
RegDate:        1991-06-30
Updated:        2009-06-19
Ref:            https://whois.arin.net/rest/net/NET-21-0-0-0-1


OrgName:        DoD Network Information Center
OrgId:         DNIC
Address:        3990 E. Broad Street
City:         Columbus
StateProv:     OH
PostalCode:     43218
Country:        US
RegDate:        
Updated:        2011-08-17
Ref:            https://whois.arin.net/rest/org/DNIC

Relationships
  • 21.252.107.198 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
  • 21.252.107.198 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

70.224.36.194 Ports
  • 59681 TCP
Whois

Domain Name: AMERITECH.NET
Registry Domain ID: 81816_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-06-09T05:27:34Z
Creation Date: 1996-06-14T04:00:00Z
Registry Expiry Date: 2018-06-13T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.ATTDNS.COM
Name Server: NS2.ATTDNS.COM
Name Server: NS3.ATTDNS.COM
Name Server: NS4.ATTDNS.COM
DNSSEC: unsigned

Domain Name: ameritech.net
Registry Domain ID: 81816_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2017-06-09T05:27:34Z
Creation Date: 1996-06-14T04:00:00Z
Registrar Registration Expiration Date: 2018-06-13T04:00:00Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: AT&T SERVICES, INC.
Registrant Street: 801 Chestnut Street
Registrant City: Saint Louis
Registrant State/Province: MO
Registrant Postal Code: 63101
Registrant Country: US
Registrant Phone: +1.3142358168
Registrant Phone Ext:
Registrant Fax: +1.3142358168
Registrant Fax Ext:
Registrant Email: att-domains@att.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: AT&T SERVICES, INC.
Admin Street: 801 Chestnut Street
Admin City: Saint Louis
Admin State/Province: MO
Admin Postal Code: 63101
Admin Country: US
Admin Phone: +1.3142358168
Admin Phone Ext:
Admin Fax: +1.3142358168
Admin Fax Ext:
Admin Email: att-domains@att.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: AT&T SERVICES, INC.
Tech Street: 801 Chestnut Street
Tech City: Saint Louis
Tech State/Province: MO
Tech Postal Code: 63101
Tech Country: US
Tech Phone: +1.3142358168
Tech Phone Ext:
Tech Fax: +1.3142358168
Tech Fax Ext:
Tech Email: att-domains@att.com
Name Server: ns3.attdns.com
Name Server: ns1.attdns.com
Name Server: ns2.attdns.com
Name Server: ns4.attdns.com
DNSSEC: unsigned

Relationships
  • 70.224.36.194 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
  • 70.224.36.194 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

113.114.117.122 Ports
  • 23397 TCP
Whois

inetnum:        113.112.0.0 - 113.119.255.255
netname:        CHINANET-GD
descr:         CHINANET Guangdong province network
descr:         Data Communication Division
descr:         China Telecom
country:        CN
admin-c:        CH93-AP
tech-c:         IC83-AP
remarks:        service provider
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-HM
mnt-lower:     MAINT-CHINANET-GD
mnt-routes:     MAINT-CHINANET-GD
last-modified: 2016-05-04T00:15:17Z
source:         APNIC
mnt-irt:        IRT-CHINANET-CN

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@ns.chinanet.cn.net
abuse-mailbox: anti-spam@ns.chinanet.cn.net
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:         # Filtered
mnt-by:         MAINT-CHINANET
last-modified: 2010-11-15T00:31:55Z
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:         +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
mnt-by:         MAINT-CHINANET
last-modified: 2014-02-27T03:37:38Z
source:         APNIC

person:         IPMASTER CHINANET-GD
nic-hdl:        IC83-AP
e-mail:         gdnoc_HLWI@189.cn
address:        NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone:         +86-20-87189274
fax-no:         +86-20-87189274
country:        CN
mnt-by:         MAINT-CHINANET-GD
remarks:        IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn
abuse-mailbox: antispam_gdnoc@189.cn
last-modified: 2014-09-22T04:41:26Z
source:         APNIC

Relationships
  • 113.114.117.122 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
  • 113.114.117.122 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

47.206.4.145 Ports
  • 59067 TCP
Whois

Domain Name: FRONTIERNET.NET
Registry Domain ID: 4305589_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: http://www.register.com
Updated Date: 2017-09-14T07:53:05Z
Creation Date: 1995-10-14T04:00:00Z
Registry Expiry Date: 2018-10-13T04:00:00Z
Registrar: Register.com, Inc.
Registrar IANA ID: 9
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: AUTH.DLLS.PA.FRONTIERNET.NET
Name Server: AUTH.FRONTIERNET.NET
Name Server: AUTH.LKVL.MN.FRONTIERNET.NET
Name Server: AUTH.ROCH.NY.FRONTIERNET.NET
DNSSEC: unsigned

Domain Name: FRONTIERNET.NET
Registry Domain ID: 4305589_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: www.register.com
Updated Date: 2017-09-14T00:53:05.00Z
Creation Date: 1995-10-14T04:00:00.00Z
Registrar Registration Expiration Date: 2018-10-13T04:00:00.00Z
Registrar: REGISTER.COM, INC.
Registrar IANA ID: 9
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: FRONTIERNET HOSTMASTER
Registrant Organization:
Registrant Street: 95 N. FITZHUGH ST.
Registrant City: ROCHESTER
Registrant State/Province: NY
Registrant Postal Code: 14614-1212
Registrant Country: US
Registrant Phone: +1.8664747662
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: HOSTMASTER@FRONTIERNET.NET
Registry Admin ID:
Admin Name: FRONTIERNET HOSTMASTER
Admin Organization:
Admin Street: 95 N. FITZHUGH ST.
Admin City: ROCHESTER
Admin State/Province: NY
Admin Postal Code: 14614-1212
Admin Country: US
Admin Phone: +1.8664747662
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: HOSTMASTER@FRONTIERNET.NET
Registry Tech ID:
Tech Name: FRONTIERNET HOSTMASTER
Tech Organization:
Tech Street: 95 N. FITZHUGH ST.
Tech City: ROCHESTER
Tech State/Province: NY
Tech Postal Code: 14614-1212
Tech Country: US
Tech Phone: +1.8664747662
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: HOSTMASTER@FRONTIERNET.NET
Name Server: AUTH.DLLS.PA.FRONTIERNET.NET
Name Server: AUTH.FRONTIERNET.NET
Name Server: AUTH.LKVL.MN.FRONTIERNET.NET
Name Server: AUTH.ROCH.NY.FRONTIERNET.NET
DNSSEC: unSigned

Relationships
  • 47.206.4.145 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
  • 47.206.4.145 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

84.49.242.125 Ports
  • 17770 TCP
Whois

Domain Name: NEXTGENTEL.COM
Registry Domain ID: 13395561_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domaininfo.com
Registrar URL: http://www.ports.domains
Updated Date: 2017-11-10T23:44:50Z
Creation Date: 1999-11-17T15:47:51Z
Registry Expiry Date: 2018-11-17T15:47:51Z
Registrar: Ports Group AB
Registrar IANA ID: 73
Registrar Abuse Contact Email: abuse@portsgroup.se
Registrar Abuse Contact Phone: +46.707260017
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ANYADNS1.NEXTGENTEL.NET
Name Server: ANYADNS2.NEXTGENTEL.NET
DNSSEC: unsigned

Domain Name: nextgentel.com
Registry Domain ID: 13395561_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domaininfo.com
Registrar URL: ports.domains
Updated Date: 2017-11-10T23:44:50Z
Creation Date: 1999-11-17T15:47:51Z
Registrar Registration Expiration Date: 2018-11-17T15:47:51Z
Registrar: PortsGroup AB
Registrar IANA ID: 73
Registrar Abuse Contact Email: abuse@portsgroup.se
Registrar Abuse Contact Phone: +46.317202000
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Hostmaster
Registrant Organization: NextGenTel AS
Registrant Street: Sandslimarka 31
Registrant City: SANDSLI
Registrant State/Province:
Registrant Postal Code: 5254
Registrant Country: NO
Registrant Phone: +47.55527900
Registrant Fax: +47.55527910
Registrant Email: hostmaster@nextgentel.com
Registry Admin ID:
Admin Name: Hostmaster
Admin Organization: NextGenTel AS
Admin Street: Sandslimarka 31
Admin City: Sandsli
Admin State/Province:
Admin Postal Code: 5254
Admin Country: NO
Admin Phone: +47.55527900
Admin Fax: +47.55527910
Admin Email: hostmaster@nextgentel.com
Registry Tech ID:
Tech Name: Hostmaster v/ Eivind Olsen
Tech Organization: NextGenTel AS
Tech Street: Postboks 3 Sandsli
Tech City: Bergen
Tech State/Province:
Tech Postal Code: 5861
Tech Country: NO
Tech Phone: +47.41649322
Tech Fax: +47.55527910
Tech Email: hostmaster@nextgentel.com
Name Server: ANYADNS1.NEXTGENTEL.NET
Name Server: ANYADNS2.NEXTGENTEL.NET
DNSSEC: unsigned

Relationships
  • 84.49.242.125 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
  • 84.49.242.125 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

26.165.218.44 Ports
  • 2248 TCP
Whois

NetRange:     26.0.0.0 - 26.255.255.255
CIDR:         26.0.0.0/8
NetName:        DISANET26
NetHandle:     NET-26-0-0-0-1
Parent:         ()
NetType:        Direct Allocation
OriginAS:    
Organization: DoD Network Information Center (DNIC)
RegDate:        1995-04-30
Updated:        2009-06-19
Ref:            https://whois.arin.net/rest/net/NET-26-0-0-0-1


OrgName:        DoD Network Information Center
OrgId:         DNIC
Address:        3990 E. Broad Street
City:         Columbus
StateProv:     OH
PostalCode:     43218
Country:        US
RegDate:        
Updated:        2011-08-17
Ref:            https://whois.arin.net/rest/org/DNIC


OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil
OrgTechRef:    https://whois.arin.net/rest/poc/MIL-HSTMST-ARIN

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-844-347-2457
OrgAbuseEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgAbuseRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgTechRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN

Relationships
  • 26.165.218.44 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
  • 26.165.218.44 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

137.139.135.151 Ports
  • 64694 TCP
Whois

NetRange:     137.139.0.0 - 137.139.255.255
CIDR:         137.139.0.0/16
NetName:        SUC-OLDWEST
NetHandle:     NET-137-139-0-0-1
Parent:         NET137 (NET-137-0-0-0-0)
NetType:        Direct Assignment
OriginAS:    
Organization: SUNY College at Old Westbury (SCAOW)
RegDate:        1989-11-29
Updated:        2014-02-18
Ref:            https://whois.arin.net/rest/net/NET-137-139-0-0-1


OrgName:        SUNY College at Old Westbury
OrgId:         SCAOW
Address:        223 Store Hill Road
City:         Old Westbury
StateProv:     NY
PostalCode:     11568
Country:        US
RegDate:        1989-11-29
Updated:        2011-09-24
Ref:            https://whois.arin.net/rest/org/SCAOW


OrgTechHandle: SUNYO-ARIN
OrgTechName: SUNYOWNOC
OrgTechPhone: +1-516-876-3379
OrgTechEmail: sunyownoc@oldwestbury.edu
OrgTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

OrgAbuseHandle: SUNYO-ARIN
OrgAbuseName: SUNYOWNOC
OrgAbusePhone: +1-516-876-3379
OrgAbuseEmail: sunyownoc@oldwestbury.edu
OrgAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

RAbuseHandle: SUNYO-ARIN
RAbuseName: SUNYOWNOC
RAbusePhone: +1-516-876-3379
RAbuseEmail: sunyownoc@oldwestbury.edu
RAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

RTechHandle: SUNYO-ARIN
RTechName: SUNYOWNOC
RTechPhone: +1-516-876-3379
RTechEmail: sunyownoc@oldwestbury.edu
RTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

RNOCHandle: SUNYO-ARIN
RNOCName: SUNYOWNOC
RNOCPhone: +1-516-876-3379
RNOCEmail: sunyownoc@oldwestbury.edu
RNOCRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

Relationships
137.139.135.151 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
137.139.135.151 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

97.90.44.200 Ports
  • 37120 TCP
Whois

Domain Name: CHARTER.COM
Registry Domain ID: 340223_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-03T04:22:18Z
Creation Date: 1994-07-30T04:00:00Z
Registry Expiry Date: 2019-07-29T04:00:00Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.CHARTER.COM
Name Server: NS2.CHARTER.COM
Name Server: NS3.CHARTER.COM
Name Server: NS4.CHARTER.COM
DNSSEC: unsigned

Domain Name: charter.com
Registry Domain ID: 340223_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-12-18T04:00:14-0800
Creation Date: 1994-07-29T21:00:00-0700
Registrar Registration Expiration Date: 2019-07-28T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Charter Communications Operating, LLC
Registrant Street: 12405 Powerscourt Drive,
Registrant City: Saint Louis
Registrant State/Province: MO
Registrant Postal Code: 63131
Registrant Country: US
Registrant Phone: +1.3149650555
Registrant Phone Ext:
Registrant Fax: +1.9064010617
Registrant Fax Ext:
Registrant Email: hostmaster@charter.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Charter Communications Operating, LLC
Admin Street: 12405 Powerscourt Drive,
Admin City: Saint Louis
Admin State/Province: MO
Admin Postal Code: 63131
Admin Country: US
Admin Phone: +1.3149650555
Admin Phone Ext:
Admin Fax: +1.9064010617
Admin Fax Ext:
Admin Email: hostmaster@charter.com
Registry Tech ID:
Tech Name: Charter Communications Internet Security and Abuse
Tech Organization: Charter Communications Operating, LLC
Tech Street: 12405 Powerscourt Drive,
Tech City: Saint Louis
Tech State/Province: MO
Tech Postal Code: 63131
Tech Country: US
Tech Phone: +1.3142883111
Tech Phone Ext:
Tech Fax: +1.3149090609
Tech Fax Ext:
Tech Email: abuse@charter.net
Name Server: ns4.charter.com
Name Server: ns3.charter.com
Name Server: ns1.charter.com
Name Server: ns2.charter.com
DNSSEC: unsigned

Relationships
97.90.44.200 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
97.90.44.200 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

128.200.115.228 Ports
  • 52884 TCP
Whois

Domain Name: UCI.EDU

Registrant:
University of California, Irvine
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES

Administrative Contact:
Con Wieland
University of California, Irvine
Office of Information Technology
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES
(949) 824-2222
oit-nsp@uci.edu

Technical Contact:
Con Wieland
University of California, Irvine
Office of Information Technology
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES
(949) 824-2222
oit-nsp@uci.edu

Name Servers:
NS4.SERVICE.UCI.EDU     128.200.59.190
NS5.SERVICE.UCI.EDU     52.26.131.47

Domain record activated:    30-Sep-1985
Domain record last updated: 07-Jul-2016
Domain expires:             31-Jul-2018

Relationships
128.200.115.228 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
128.200.115.228 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

186.169.2.237 Ports
  • 65292 TCP
Whois

inetnum:     186.168/15
status:     allocated
aut-num:     N/A
owner:     COLOMBIA TELECOMUNICACIONES S.A. ESP
ownerid:     CO-CTSE-LACNIC
responsible: Administradores Internet
address:     Transversal 60, 114, A 55
address:     N - BOGOTA - Cu
country:     CO
phone:     +57 1 5339833 []
owner-c:     CTE7
tech-c:     CTE7
abuse-c:     CTE7
inetrev:     186.169/16
nserver:     DNS5.TELECOM.COM.CO
nsstat:     20171220 AA
nslastaa:    20171220
nserver:     DNS.TELECOM.COM.CO
nsstat:     20171220 AA
nslastaa:    20171220
created:     20110404
changed:     20141111

nic-hdl:     CTE7
person:     Grupo de Administradores Internet
e-mail:     admin.internet@TELECOM.COM.CO
address:     Transversal, 60, 114 A, 55
address:     571111 - BOGOTA DC - CU
country:     CO
phone:     +57 1 7050000 [71360]
created:     20140220
changed:     20140220

Relationships
186.169.2.237 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
186.169.2.237 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Description

A high-port-to-high-port connection attempt is made to this IP address from 'Malware2.dll'. No domain is associated with the IP address.

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 Tags

trojan

Details
Name: 42682D4A78FE5C2EDA988185A344637D
Name: 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
Size: 346624 bytes
Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5: 42682d4a78fe5c2eda988185a344637d
SHA1: 4975de2be0a1f7202037f5a504d738fe512191b7
SHA256: 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
SHA512: 213e4a0afbfac0bd884ab262ac87aee7d9a175cff56ba11aa4c75a4feb6a96c5e4e2c26adbe765f637c783df7552a56e4781a3b17be5fda2cf7894e58eb873ec
ssdeep: 6144:nCgsFAkxS1rrtZQXTip12P04nTnvze6lxjWV346vze6lpjWV34Evze6lSjWV34a7:nCgsukxS1vtZ+5nvze6lxjWV346vze6N
Entropy: 6.102810

Antivirus
Ahnlab: Trojan/Win32.Generic
Antiy: Trojan/Win32.AGeneric
Avira: TR/NukeSped.tbxxd
BitDefender: Trojan.GenericKD.41198710
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W64/Trojan.NKDY-0871
ESET: a variant of Win64/NukeSped.T trojan
Emsisoft: Trojan.GenericKD.41198710 (B)
Ikarus: Trojan.Win64.Nukesped
K7: Trojan ( 0054bc321 )
McAfee: Generic Trojan.ix
Microsoft Security Essentials: Trojan:Win64/Hoplight
Quick Heal: Trojan.Hoplight.S5795935
Sophos: Troj/Hoplight-C
Symantec: Trojan.Hoplight
TACHYON: Trojan/W32.Hoplight.346624
TrendMicro: Trojan.A7CCF529
TrendMicro House Call: Trojan.A7CCF529
VirusBlokAda: Trojan.Win64.Hoplight
Zillya!: Trojan.NukeSped.Win64.56

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
       $sn1 = "www.google.com"
       $sn2 = "www.naver.com"
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-06-06 11:24:44-04:00
Import Hash: e395fbfa0104d0173b3c4fdd3debdceb
Company Name: Kamsky Co,.Ltd
File Description: Vote_Controller
Internal Name: MDL_170329_x86_V06Lv3
Legal Copyright: Copyright ⓒ 2017
Original Filename: Vote_Controller
Product Name: Kamsky ColdFear
Product Version: 17, 0, 0, 0

PE Sections
MD5                               Name    Raw Size  Entropy
40d66d1a2f846d7c3bf291c604c9fca3  header  1024      2.628651
d061ffec6721133c433386c96520bc55  .text   284160    5.999734
cbbc6550dcbdcaf012bdbf758a377779  .rdata  38912     5.789426
c83bcaab05056d5b84fc609f41eed210  .data   7680      3.105496
b9fc36206883aa1902566b5d01c27473  .pdata  8704      5.319307
1c1d46056b4cb4627a5f92112b7e09f7  .rsrc   4096      5.608168
3baedaa3d6b6d6dc9fb0ec4f5c3b007c  .reloc  2048      2.331154

Relationships
4a74a9fd40... Connected_To 21.252.107.198
4a74a9fd40... Connected_To 70.224.36.194
4a74a9fd40... Connected_To 113.114.117.122
4a74a9fd40... Connected_To 47.206.4.145
4a74a9fd40... Connected_To 84.49.242.125
4a74a9fd40... Connected_To 26.165.218.44
4a74a9fd40... Connected_To 137.139.135.151
4a74a9fd40... Connected_To 97.90.44.200
4a74a9fd40... Connected_To 128.200.115.228
4a74a9fd40... Connected_To 186.169.2.237

Description

This artifact is a malicious 64-bit Windows dynamic library called 'Vote_Controller.dll'. The file shares similar functionality with 'rdpproto.dll' above and attempts to connect to the same ten IP addresses.

42682D4A78FE5C2EDA988185A344637D also contains the same public SSL certificate as many of the artifacts above.

The file contains the following notable strings:

---Begin Notable Strings---

CompanyName
Kamsky Co, .Ltd
FileDescription
Vote_Controller
FileVersion
49, 0, 0, 0
InternalName
MDL_170329_x86_V06Lv3
LegalCopyright
Copyright
2017
LegalTrademarks
OriginalFileName
Vote_Controller
PrivateBuild
ProductName
Kamsky ColdFear
ProductVersion
17, 0, 0, 0

---End Notable Strings---

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a Tags

trojan

Details
Name: 3021B9EF74C7BDDF59656A035F94FD08
Name: 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
Size: 245760 bytes
Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5: 3021b9ef74c7bddf59656a035f94fd08
SHA1: 05ad5f346d0282e43360965373eb2a8d39735137
SHA256: 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
SHA512: f8fcc5ed34b7bf144fc708d01d9685f0cb2e678c173d014987d6ecbf4a7c3ed539452819237173a2ab14609a913cf46c3bd618cffe7b5990c63cfe805a7144ff
ssdeep: 6144:4+ZmN/ix9bd+Rvze6lxjWV346vze6lpjWV34Evze6lSjWV34avze6lkjWV34z5FT:4+ZmN/ix9b8Rvze6lxjWV346vze6lpjn
Entropy: 5.933390

Antivirus
Ahnlab: Trojan/Win64.Hoplight
Antiy: Trojan/Win32.Hoplight
Avira: TR/AD.APTLazerus.ltfzr
BitDefender: Trojan.Agent.DVDE
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W64/Trojan.KDWH-2913
ESET: a variant of Win64/NukeSped.BW trojan
Emsisoft: Trojan.Agent.DVDE (B)
Ikarus: Trojan.Agent
K7: Riskware ( 0040eff71 )
McAfee: Generic Trojan.jp
Microsoft Security Essentials: Trojan:Win64/Hoplight
Sophos: Troj/Hoplight-C
Symantec: Trojan.Hoplight
TrendMicro: Trojan.A7CCF529
TrendMicro House Call: Trojan.A7CCF529
VirusBlokAda: Trojan.Win64.Hoplight

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
       $sn1 = "www.google.com"
       $sn2 = "www.naver.com"
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-05-16 02:44:21-04:00
Import Hash: ca767ccbffbed559cbe77c923e3af1f8
Company Name: Kamsky Co,.Ltd
File Description: Vote_Controller
Internal Name: MDL_170329_x86_V06Lv3
Legal Copyright: Copyright ⓒ 2017
Original Filename: Vote_Controller
Product Name: Kamsky ColdFear
Product Version: 17, 0, 0, 0

PE Sections
MD5                               Name    Raw Size  Entropy
83ec15e3cf335f784144db4208b328c9  header  1024      2.790421
036c57e89ea3a6afa819c242c5816b70  .text   206848    5.688491
4812d2f39e9a8ae569370d423ba31344  .rdata  26112     6.000116
cb41e8f63b7c22c401a0634cb4fe1909  .data   2048      4.748331
3cc7651747904bfe94ed18f44354a706  .pdata  5120      4.962073
9e92c54604ea67e76210c3c914e9608c  .rsrc   4096      5.606351
71dcfb1ec7257ee58dcc20cafb0be691  .reloc  512       0.673424

Relationships
83228075a6... Connected_To 112.175.92.57

Description

This artifact is a 64-bit Windows dynamic library file that shares many of the same characteristics and the same name (Vote_Controller.dll) as 42682D4A78FE5C2EDA988185A344637D above.

When this library is loaded it will look for the file 'udbcgiut.dat' in C:\WINDOWS. If 'udbcgiut.dat' is not found, the file will attempt connections to the same ten IP addresses described under 'rdpproto.dll' above.

One notable difference with this variant is that it uses the Windows Management Instrumentation (WMI) process to recompile the Managed Object Format (MOF) files in the WMI repository. At runtime, the malware enumerates the drivers located in the registry at HKLM\Software\WBEM\WDM.
These files are then recompiled by invoking wmiprvse.exe through svchost.exe: "C:\Windows\system32\wbem\wmiprvse.exe -Embedding".
MOF files are written in a SQL-like language and are run (compiled) by the operating system when a predetermined event takes place. Recent malware variants have been observed modifying the MOF files within the system registry to run specific commands and establish persistence on the system.

Of note, the paravirtual SCSI driver for VMware Tools is also located in HKLM\Software\WBEM\WDM within a virtual image. When this driver is recompiled by the malware, VMware Tools no longer works. It cannot be determined whether this is an intentional characteristic of the malware to hinder analysis or simply a side effect of the method used to establish persistence.

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 Tags

trojan

Details
Name: 61E3571B8D9B2E9CCFADC3DDE10FB6E1
Size: 258052 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 61e3571b8d9b2e9ccfadc3dde10fb6e1
SHA1: 55daa1fca210ebf66b1a1d2db1aa3373b06da680
SHA256: 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
SHA512: 235f7b920f54c4d316386cbf6cc14db1929029e8053270e730be15acc8e9f333231d2d984681bea26013a1d1cf4670528ba0989337be13ad4ada3eeba33bdfe8
ssdeep: 6144:d71TKN7LBHvS+bujAfrsxwkm1Ka5l7gTtJUGx:dxKHPuj8WR0K6VgTtZx
Entropy: 7.829590

Antivirus
Ahnlab: Trojan/Win32.Hoplight
Antiy: Trojan/Win32.NukeSped
Avira: TR/NukeSped.oppme
BitDefender: Dropped:Trojan.Generic.22954895
Cyren: W32/Trojan.GZYA-1356
ESET: Win32/NukeSped.AI trojan
Emsisoft: Dropped:Trojan.Generic.22954895 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 005329311 )
McAfee: Trojan-Hoplight
Microsoft Security Essentials: Trojan:Win32/Hoplight
NANOAV: Trojan.Win32.NukeSped.fpblwf
NetGate: Trojan.Win32.Malware
Sophos: Troj/Hoplight-C
Symantec: Trojan.Gen.MBT
TACHYON: Trojan/W32.Hoplight.258052
TrendMicro: Trojan.55DEE3DA
TrendMicro House Call: Trojan.55DEE3DA

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2016-08-23 00:19:59-04:00
Import Hash: 8e253f83371d82907ff72f57257e3810

PE Sections
MD5                               Name    Raw Size  Entropy
84f39a6860555231d60a55c72d07bc5e  header  4096      0.586304
649c24790b60bda1cf2a85516bfc7fa0  .text   24576     5.983290
fbd6ca444ef8c0667aed75820cc99dce  .rdata  4096      3.520964
0ecb4bcb0a1ef1bf8ea4157fabdd7357  .data   4096      3.988157

Packers/Compilers/Cryptors
Installer VISE Custom

Relationships
70034b33f5... Dropped cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f
70034b33f5... Dropped 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
70034b33f5... Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
70034b33f5... Connected_To 81.94.192.147
70034b33f5... Connected_To 112.175.92.57
70034b33f5... Connected_To 181.39.135.126
70034b33f5... Connected_To 197.211.212.59
70034b33f5... Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289

Description

This artifact is a malicious PE32 executable. When executed, it installs a service named 'Network UDP Trace Management Service'.
To set up the service, the program drops a dynamic library, 'UDPTrcSvc.dll', into the %System32% directory.
Next, the following registry keys are added:

---Begin Registry Keys---

HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: Type Value: 20
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: Start Value: 02
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: ImagePath Value: "%SystemRoot%\System32\svchost.exe -k mdnetuse"
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: DisplayName Value: "Network UDP Trace Management Service"
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: ObjectName Value: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc\Parameters Name: ServiceDll Value: "%SystemRoot%\System32\svchost.exe -k mdnetuse"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\mdnetuse

---End Registry Keys---

The service is started by invoking svchost.exe.
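The registry keys above are the kind of artifact a defender can sweep for across a fleet: a service hosted by svchost.exe under a "-k" group that is not one of the built-in groups. The following is an added example, not part of the MAR or of CISA's tooling. It parses a registry export in the text format written by `reg export`, and reports every svchost-hosted service whose group is outside a baseline, together with the ServiceDll it would load and the members registered for that group. The sample export is constructed to mirror the UDPTrcSvc keys listed above; the ServiceDll path in it and the baseline group list are assumptions.

```python
"""Flag svchost-hosted services registered under a non-baseline service group."""
import re

# Partial baseline of built-in svchost groups (assumption: a real baseline
# should be taken from a known-clean reference build of the same OS version).
BASELINE_GROUPS = {
    "DcomLaunch", "RPCSS", "netsvcs", "NetworkService", "LocalService",
    "LocalServiceNetworkRestricted", "LocalServiceNoNetwork",
    "LocalSystemNetworkRestricted",
}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SVCHOST_GROUPS_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"

# Constructed sample export (not data captured from a host); the UDPTrcSvc
# ServiceDll path is assumed, the report lists only the service keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
"DisplayName"="DHCP Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UDPTrcSvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k mdnetuse"
"DisplayName"="Network UDP Trace Management Service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UDPTrcSvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\UDPTrcSvc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"LocalServiceNetworkRestricted"=hex(7):44,00,68,00,63,00,70,00,00,00,00,00
"mdnetuse"=hex(7):55,00,44,00,50,00,54,00,72,00,63,00,\
  53,00,76,00,63,00,00,00,00,00
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.IGNORECASE)


def _logical_lines(text):
    """Join continuation lines (trailing backslash, as reg export wraps hex data)."""
    out, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        out.append("".join(pending))
        pending = []
    return out


def _decode_value(raw):
    """Decode REG_SZ, REG_DWORD and REG_MULTI_SZ (hex(7)) literals; others stay raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: decoded_value}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = _decode_value(m.group(2))
    return keys


def find_unbaselined_svchost_services(keys, baseline=BASELINE_GROUPS):
    """Return services hosted by svchost.exe under a group outside the baseline."""
    known = {g.lower() for g in baseline}
    groups = keys.get(SVCHOST_GROUPS_KEY, {})
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        name = path[len(SERVICES_PREFIX):]
        if "\\" in name:  # Parameters and other subkeys are read via the parent
            continue
        m = _SVCHOST_RE.search(str(values.get("ImagePath", "")))
        if not m or m.group(1).lower() in known:
            continue
        params = keys.get(path + "\\Parameters", {})
        findings.append({
            "service": name,
            "group": m.group(1),
            "display_name": values.get("DisplayName"),
            "service_dll": params.get("ServiceDll", values.get("ServiceDll")),
            "group_members": groups.get(m.group(1), []),
        })
    return findings


if __name__ == "__main__":
    for finding in find_unbaselined_svchost_services(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Run against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services` and the Svchost key, concatenated), the single finding here would be the UDPTrcSvc service under the "mdnetuse" group; a group that exists in the Svchost key with exactly one member, and that member's DLL sitting in System32 with a recent timestamp, is the pattern to chase.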

After writing 'UDPTrcSvc.dll' to disk, the program drops two additional files. Similar to 5C3898AC7670DA30CF0B22075F3E8ED6 above, the program writes the file 'udbcgiut.dat' to the victim's profile at %AppData/Local/Temp%. A second file, 'MSDFMAPI.INI', is written to the victim's profile in the %AppData/Local/VirtualStore/Windows% directory. 'MSDFMAPI.INI' is also written to C:\WINDOWS. More information on the content of these files is below.

61E3571B8D9B2E9CCFADC3DDE10FB6E1 attempts the same outbound connections as 5C3898AC7670DA30CF0B22075F3E8ED6; however, the file does not contain any of the public SSL certificates referenced above.

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f Tags

backdoor
trojan

Details
Name: UDPTrcSvc.dll
Size: 221184 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 0893e206274cb98189d51a284c2a8c83
SHA1: d1f4cf4250e7ba186c1d0c6d8876f5a644f457a4
SHA256: cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f
SHA512: 8042356ff8dc69fa84f2de10a4c34685c3ffa798d5520382d4fbcdcb43ae17e403a208be9891cca6cf2bc297f767229a57f746ca834f6b79056a0ff1202941cf
ssdeep: 3072:WsyjTzEvLFOL8AqCiueLt1VFu9+zcSywy0mcj90nSJ5NatCmtWwNQLK:W/zEvLFOLdq9uebdSwHN9n5wtkwNwK
Entropy: 6.359677

Antivirus
Ahnlab: Backdoor/Win32.Akdoor
Antiy: Trojan/Win32.AGeneric
Avira: TR/NukeSped.davct
BitDefender: Trojan.Generic.22954895
ClamAV: Win.Trojan.HiddenCobra-7402602-0
ESET: Win32/NukeSped.AI trojan
Emsisoft: Trojan.Generic.22954895 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 005329311 )
McAfee: Trojan-Hoplight
Microsoft Security Essentials: Trojan:Win32/Hoplight
NANOAV: Trojan.Win32.NukeSped.fcodob
Sophos: Troj/Hoplight-C
Symantec: Trojan.Gen.MBT
Systweak: malware.gen-ra
TACHYON: Trojan/W32.Hoplight.221184.B
TrendMicro: Trojan.CCD7B260
TrendMicro House Call: Trojan.CCD7B260
VirusBlokAda: Trojan.Tiggre
Zillya!: Trojan.NukeSped.Win32.73

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
       $sn1 = "www.google.com"
       $sn2 = "www.naver.com"
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2016-08-23 00:23:04-04:00
Import Hash: 30d3466536de2b423897a3c8992ef999

PE Sections
MD5                               Name    Raw Size  Entropy
d37b95aa17fa132415b37ec777f439ff  header  4096      0.709908
badbc93c35554aec904ab0c34f05fbe0  .text   180224    6.295472
64f7a9cafdad34003aba4547bba0e25b  .rdata  16384     6.372911
c792eb0c57577f4f3649775cbf32b253  .data   12288     3.996008
8791f715ae89ffe2c7d832c1be821edc  .reloc  8192      5.154376

Relationships
cd5ff67ff7... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3

Description

This artifact is a malicious 32-bit Windows dynamic library. 'UDPTrcSvc.dll' is identified as the 'Network UDP Trace Management Service'. The following description is provided:

---Begin Service Description---

Network UDP Trace Management Service Hosts TourSvc Tracing. If this service is stopped, notifications of network trace will no longer function and there might not be access to service functions. If this service is disabled, notifications of and monitoring to network state will no longer function.

---End Service Description---

The service is invoked with the command 'C:\Windows\System32\svchost.exe -k mdnetuse'.
When the service runs, it attempts a modification to the system firewall: 'cmd.exe /c netsh firewall add portopening TCP 0 "adp"'.
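The firewall change above is a process-creation event worth alerting on: a service host spawning cmd.exe to run netsh with an "add portopening" argument. The following is an added example, not part of the MAR, that parses netsh firewall commands out of constructed process-creation records and returns the rule each one would create, so the result can be matched against change records or a firewall baseline. It goes beyond the single command in the report by also handling the newer `netsh advfirewall firewall add rule` syntax; the log format (tab-separated time, parent image, command line) and the sample records are constructed.

```python
"""Extract firewall-opening commands from process command lines."""
import re

# Constructed sample records (tab-separated: time, parent image, command line);
# not data captured from a real host.
SAMPLE_LOG = """\
2018-04-19T10:00:01Z\tsvchost.exe\tcmd.exe /c netsh firewall add portopening TCP 0 "adp"
2018-04-19T10:00:02Z\texplorer.exe\tnotepad.exe C:\\Users\\analyst\\notes.txt
2018-04-19T10:00:03Z\tpowershell.exe\tnetsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow protocol=TCP localport=8443
2018-04-19T10:00:04Z\tcmd.exe\tnetsh firewall show state
"""

# A token is a run of non-blank characters in which double-quoted spans may
# contain blanks, so name="Vendor Agent" and "adp" each stay one token.
_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline):
    return [t.replace('"', "") for t in _TOKEN_RE.findall(cmdline)]


def parse_netsh_firewall_command(cmdline):
    """Return the firewall rule a netsh command would add, or None."""
    tokens = tokenize(cmdline)
    lowered = [t.lower() for t in tokens]
    start = next((i for i, t in enumerate(lowered)
                  if t.rsplit("\\", 1)[-1] in ("netsh", "netsh.exe")), None)
    if start is None:
        return None
    args, low = tokens[start + 1:], lowered[start + 1:]
    if low[:3] == ["firewall", "add", "portopening"]:
        # Legacy syntax: [protocol=]TCP|UDP|ALL [port=]n [name=]text [mode=ENABLE|DISABLE]
        vals = [t.split("=", 1)[1] if "=" in t else t for t in args[3:]]
        enabled = "mode=disable" not in low[3:]
        return {"syntax": "legacy",
                "action": "allow" if enabled else "disabled",
                "protocol": vals[0].upper() if len(vals) > 0 else None,
                "port": vals[1] if len(vals) > 1 else None,
                "name": vals[2] if len(vals) > 2 else None}
    if low[:4] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {k.lower(): v for k, v in (t.split("=", 1) for t in args[4:] if "=" in t)}
        return {"syntax": "advfirewall",
                "action": kv.get("action", "").lower() or None,
                "protocol": kv.get("protocol", "").upper() or None,
                "port": kv.get("localport"),
                "name": kv.get("name")}
    return None


def scan_log(text):
    """Return one finding per record whose command line adds a firewall rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, parent, cmd = line.split("\t", 2)
        rule = parse_netsh_firewall_command(cmd)
        if rule:
            findings.append({"time": when, "parent": parent, "command": cmd, **rule})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The parent image is kept in each finding on purpose: netsh run interactively by an administrator is routine, while netsh launched through cmd.exe from svchost.exe, as in the report, is not.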

Unlike many of the files listed above that use a public certificate from naver.com, 'UDPTrcSvc.dll' uses a public SSL certificate from google.com.

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 Tags

trojan

Details
Name: MSDFMAPI.INI
Size: 2 bytes
Type: data
MD5: c4103f122d27677c9db144cae1394a66
SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
SHA512: 5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54
ssdeep: 3::
Entropy: 0.000000

Antivirus
NetGate: Trojan.Win32.Malware

YARA Rules

No matches found.

ssdeep Matches
100 028f5531e8593ce6faf30dd5c5131abf1400fc4deb4d322f3f39578f14348be1
100 132fde08d7f788dece120e98bf6c794bafb655959764798ead053b872d097638
100 200608c94d52d33ff86b8f4db28451752eeae7c70062488f380f112e11b4350a
100 2d07a41ae992770085117e9815300bfd0730745883e60b24aaad5e69dfc087ae
100 3d1066ae1cd00d635b2131664a7d0d5483554901ed6aae9d627b697ecb02718e
100 5309e677c79cffae49a65728c61b436d3cdc2a2bab4c81bf0038415f74a56880
100 854871db188e45e5a948fb03d293459aef6def1c9a63acb8cfdaaf7155d5699e
100 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
100 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

Relationships
96a296d224... Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
96a296d224... Dropped_By 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525

Description

'MSDFMAPI.INI' is written to C:\WINDOWS and to %UserProfile\AppData\Local\VirtualStore\Windows%. During analysis, two NULL characters were written to the file. The purpose of the file has not been determined.

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 Tags

dropper
trojan

Details
Name: F8D26F2B8DD2AC4889597E1F2FD1F248
Name: d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39
Size: 456241 bytes
Type: data
MD5: f8d26f2b8dd2ac4889597e1f2fd1f248
SHA1: dd132f76a4aff9862923d6a10e54dca26f26b1b4
SHA256: d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39
SHA512: 34f8d10ebcab6f10c5140e94cf858761e9fa2e075db971b8e49c7334e1d55237f844ed6cf8ce735e984203f58d6b5032813b55e29a59af4bfff3853b1d07bc44
ssdeep: 12288:MG31DF/ubokxmgF8JsVusikiWxdj3tIQLYe:NlI0UV0ou1kiWvm4Ye
Entropy: 7.999350

Antivirus
Ahnlab: BinImage/Agent
Antiy: Trojan/Win32.Casdet
Avira: TR/Agent.anrq
BitDefender: Trojan.Agent.DVDS
ClamAV: Win.Dropper.Hoplight-7402659-0
Cyren: Trojan.GTWY-8
Emsisoft: Trojan.Agent.DVDS (B)
Ikarus: Trojan.Agent
McAfee: Trojan-Hoplight.b

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact contains a public SSL certificate from naver.com similar to the one found in many of the files above. The payload of the file appears to be encoded with a password or key. No context was provided with the file's submission.

b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101 Tags

trojan

Details
Name: 2A791769AA73AC757F210F8546125B57
Size: 110592 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2a791769aa73ac757f210f8546125b57
SHA1: 269f1cc44f6b323118612bde998d17e5bfbf555e
SHA256: b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101
SHA512: 1e88edf97f62282323928a304762864d69e0e5a1b98c7824cf7ee8af92a5a7d17586e30165c6b6ec4b64ea64dd97d6f2b3a3ef880debc8c6eaed1e63f9ce9a97
ssdeep: 1536:BdQGY/Ni+mo06N1homALeoYbrAUD7Qum5T9Xlxgj5MX7jbthYWL3:DQGYFFzxAgoYbrAOQum5TsgjbHP
Entropy: 6.406443

Antivirus
Ahnlab: Trojan/Win32.Akdoor
Antiy: Trojan/Win32.Autophyte
Avira: TR/AD.APTLazerus.zobau
BitDefender: Gen:Variant.Graftor.487501
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.BCDT-8700
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Gen:Variant.Graftor.487501 (B)
Huorong: Trojan/NukeSped.a
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-HidCobra
Microsoft Security Essentials: Trojan:Win32/Autophyte.E!dha
NANOAV: Trojan.Win32.NukeSped.fyoobu
Quick Heal: Trojan.Generic
Sophos: Troj/NukeSpe-G
Symantec: Trojan Horse
TrendMicro: BKDR_HO.9D36C86C
TrendMicro House Call: BKDR_HO.9D36C86C
VirusBlokAda: BScope.Trojan.Autophyte
Zillya!: Trojan.NukeSped.Win32.158

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-08-11 01:03:45-04:00
Import Hash: e56949fef3294200cb30be8009694a42

PE Sections
MD5                               Name    Raw Size  Entropy
3d755df7f28ddb5a661a68637cfdf23e  header  4096      0.647583
8f28409d19efb02746f0cc7f186ac3e3  .text   86016     6.553916
03ec21be9a3702ad9b6a107a387c2be1  .rdata  16384     5.844150
cecd220a4af1182a425b07c4547fd1e6  .data   4096      2.638490

Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0

Relationships
b9a26a5692... Connected_To 117.239.241.2
b9a26a5692... Connected_To 195.158.234.60
b9a26a5692... Connected_To 218.255.24.226

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin IP List--

117.239.241.2
218.255.24.226
195.158.234.60

--End IP List--

The client uses uk.yahoo.com as the server name in the TLS Client Hello instead of naver.com.

117.239.241.2 Relationships
117.239.241.2 Connected_From ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
117.239.241.2 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

218.255.24.226 Relationships
218.255.24.226 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

195.158.234.60 Relationships
195.158.234.60 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676 Tags

trojan

Details
Name: 07D2B057D2385A4CDF413E8D342305DF
Size: 2608223 bytes
Type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 07d2b057d2385a4cdf413e8d342305df
SHA1: 1991e7797b2e97179b7604497f7f6c39eba2229b
SHA256: 1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676
SHA512: fa2535b08c43c0dae210c12c4a5445925723d50f8828e0d0b89ec70d08aaa2f1d222eea9fd4be40c46c9024b3ed9bfe33e16724496c1c4f90ea6fdc8891c5fee
ssdeep: 49152:2sn+T/ymkSsvc1vb+oNEOaPmztSWNz25hqhbR5C7kcaFZweRrjxQTgZdy:2sck5ojp+Ef25al5CyjwSJQMzy
Entropy: 7.981828

Antivirus
Ahnlab: Trojan/Win32.Akdoor
Antiy: Trojan/Win64.NukeSped
Avira: TR/NukeSped.cgnux
BitDefender: Trojan.GenericKD.41793016
Cyren: W64/Trojan.DUQO-0431
ESET: a variant of Win64/NukeSped.AH trojan
Emsisoft: Trojan.GenericKD.41793016 (B)
Ikarus: Trojan.Win64.Nukesped
K7: Trojan ( 00545d8d1 )
McAfee: Trojan-HidCobra.a
Microsoft Security Essentials: Trojan:Win32/Casdet!rfn
NANOAV: Trojan.Win64.NukeSped.gayjsq
Sophos: Troj/NukeSpe-H
Symantec: Trojan.Hoplight
TACHYON: Trojan/W64.Agent.2608223
TrendMicro: TSPY_KI.58F058EF
TrendMicro House Call: TSPY_KI.58F058EF
VirusBlokAda: Trojan.Agent
Zillya!: Trojan.Agent.Win32.1135323

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2018-02-12 15:06:28-05:00
Import Hash: 347c977c6137a340c7cc0fcd5b224aef

PE Sections
MD5                               Name    Raw Size  Entropy
28fc69ad12a0765af4cc06fbd261cb24  header  1024      2.672166
88425c71e7e293d43db9868e4693b365  .text   89088     6.415516
bb0048e4f3851ea07b365828ddf613f7  .rdata  26624     4.912250
50e3efe1a6ea325c87f8e86e2fbd40b4  .data   5632      2.093641
f56a65eb9562d6c6d607f867d1d0fd09  .pdata  4608      4.725531
6a9a84d523e53e1d43c31b2cc069930c  .rsrc   1536      4.308150
dab5e290c15de9634d93d8f592a44633  .reloc  1536      2.912599

Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)

Description

This artifact is a malicious 64-bit Windows dynamic library. When run, the malware drops a Themida-packed DLL. This DLL runs and drops another DLL that acts as the remote administration tool (RAT). This RAT is very similar to version 2 in opcodes and functionality; however, it uses real TLS instead of the LFSR encryption. Additionally, it encodes its data with XOR 0x47 and SUB 0x28 before the data is TLS-encrypted.

73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33

Tags

trojan

Details
Name: 3EDCE4D49A2F31B8BA9BAD0B8EF54963
Size: 147456 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 3edce4d49a2f31b8ba9bad0b8ef54963
SHA1: 1209582451283c46f29a5185f451aa3c989723c9
SHA256: 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33
SHA512: 0d3de1758b44597ccc4dad46a9b42626237da425a41b8833bf7549a3c809bd7432ce938cd8757b362e2268bead45a0b212c96cc881737cf0e6952097280d7277
ssdeep: 3072:bQGYFFzsaXlvJdbx9NAzDZWaNoh05WKRYW7IWwh7:bSFhLlh9N8DZWaNoG5W8VIWC
Entropy: 6.605430

Antivirus
Ahnlab: Trojan/Win32.Akdoor
Antiy: Trojan/Win32.Autophyte
Avira: TR/AD.APTLazerus.jtxjg
BitDefender: Gen:Variant.Zusy.290462
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.DXJJ-0934
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Gen:Variant.Zusy.290462 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-HidCobra
Microsoft Security Essentials: Trojan:Win32/Autophyte.E!dha
NetGate: Trojan.Win32.Malware
Sophos: Troj/NukeSpe-I
Symantec: Trojan.Hoplight
TrendMicro: BKDR_HO.9D36C86C
TrendMicro House Call: BKDR_HO.9D36C86C
VirusBlokAda: Trojan.Autophyte
Zillya!: Trojan.NukeSped.Win32.154

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-07-11 14:26:59-04:00
Import Hash: cf3e2269004b18054d77ec54601edfd1

PE Sections
MD5                               Name    Raw Size  Entropy
f31fc1b632aa011a29b506385890b3bb  header  4096      0.703326
0b401c68fa1a8f024f25189b31fd8caf  .text   118784    6.634510
78ad5231f5184af8093a2f31ef1f9952  .rdata  16384     6.126224
8c48fdefd1785500380702796882a0b6  .data   4096      3.860135
e6b0be8044e573ca9fc84de173a7ca3d  .reloc  4096      5.404736

Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0 DLL

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

This file is dropped into System32 by a different binary and then run as a service. When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin IP List--

192.168.1.2

--End IP List--

The client uses uk.yahoo.com as the server name in its TLS Client Hello instead of naver.com.

084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319

Tags

trojan

Details
Name: 170A55F7C0448F1741E60B01DCEC9CFB
Size: 197632 bytes
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5: 170a55f7c0448f1741e60b01dcec9cfb
SHA1: b6b84783816cca123adbc18e78d3b847f04f1d32
SHA256: 084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319
SHA512: a014cf5772ed993951dc62026e3acef174c424e47fd56583a1563c692ac3ed2ae5e1d51d34974ed04db11824dc9c76290297244e28e5d848cd8b3a05b509ab1e
ssdeep: 6144:XT1NVhDJSUaZcdHItR3SG88+Tlm5T7BRWj:xx9tuVSe+Tlm5Tt
Entropy: 6.262340

Antivirus
Ahnlab: Trojan/Win32.Akdoor
Antiy: Trojan/Win32.Agent
Avira: TR/AD.APTLazerus.dsenk
BitDefender: Trojan.GenericKD.32643407
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W64/Trojan3.AOLF
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Trojan.GenericKD.32643407 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 005233111 )
McAfee: Trojan-HidCobra
Microsoft Security Essentials: Trojan:Win32/Casdet!rfn
NANOAV: Trojan.Win64.NukeSped.fzpbxb
Quick Heal: Trojan.Multi
Sophos: Troj/NukeSpe-G
Symantec: Trojan.Hoplight
TrendMicro: TROJ64_.655BEC93
TrendMicro House Call: TROJ64_.655BEC93
VirusBlokAda: Trojan.Agent
Zillya!: Trojan.Agent.Win32.1134660

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-05-03 22:40:47-04:00
Import Hash: 0675d7e21ce264449360c0b797c279e7

PE Sections
MD5                               Name    Raw Size  Entropy
48a2d611f70a4718084857fa2f732b21  header  1024      2.780205
aaf67ea89d12bea95c148274c71ebac5  .text   44544     6.440744
91171a72af025ca7098ba6c94ecbb2a0  .rdata  25600     3.935800
fc2a61b6f1b29162f93fad1660c4b8af  .data   120320    6.379891
114b795f9c567e0a81a04cec6ae1a0b4  .pdata  2560      4.287495
17c80d03f2f5729407ec55eca7e1f5b2  .rsrc   2048      2.948558
c9243c94e36bc012d7d5eb0a3f588dfb  .reloc  1536      5.079827

Description

This artifact is a malicious 64-bit Windows dynamic library. The DLL can be run using the DoStart export. This export calls WriteFile to write the actual implant to the file C:\windows\msncone.exe and then calls WinExec to execute the implant.

c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8

Tags

trojan

Details
Name: E4ED26D5E2A84CC5E48D285E4EA898C0
Size: 157696 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: e4ed26d5e2a84cc5e48d285e4ea898c0
SHA1: c3d28d8e49a24a0c7082053d22597be9b58302b1
SHA256: c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8
SHA512: 0c0b8fa4e83036b9dbe88b193e93b412c47eee8c6f4b04f04082288d7dce0f0d687e7581e624145bd357e5ad70584b9ab4d9f5a950afe8389696523697940998
ssdeep: 3072:MzviXzovLFOLUAqWilvLc1V2n9+zEty7+LEfq0Mg3ewPWTc:Mzv+zovLFOLFqhlvlQz7ZqueweT
Entropy: 6.446363

Antivirus
Ahnlab: Trojan/Win32.Crypt
Antiy: Trojan/Win32.NukeSped
Avira: TR/AD.APTLazerus.tmifd
BitDefender: Trojan.GenericKD.32416111
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.GVKT-3327
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Trojan.GenericKD.32416111 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-HidCobra
Microsoft Security Essentials: Trojan:Win32/Nukesped.PA!MTB
NANOAV: Trojan.Win32.NukeSped.fzlqhl
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.Generic
Sophos: Troj/NukeSpe-E
Symantec: Trojan.Gen.MBT
TrendMicro: TROJ_FR.D1E707E2
TrendMicro House Call: TROJ_FR.D1E707E2
Vir.IT eXplorer: Trojan.Win32.Genus.BRN
VirusBlokAda: BScope.Trojan.Casdet
Zillya!: Trojan.NukeSped.Win32.153

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
       $sn1 = "www.google.com"
       $sn2 = "www.naver.com"
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-10-23 16:44:37-04:00
Import Hash: 861401f76d1251e0d08a8ade1a5ed38c

PE Sections
MD5                               Name    Raw Size  Entropy
0aa18a6525a2203ee52f6df5f9622dcb  header  1024      2.637312
33e3584e4c52c24e16fc108224a3f6a3  .text   132608    6.153434
8a43450710359fae49269f1217924cf5  .rdata  16896     6.299497
b0c95d35585e130bea58057c11e9d53b  .data   3584      5.455587
3a4fdc31bb49b29d6f19b94641d14ee8  .rsrc   512       5.112624
f74e21bd34aa3a05131ae77f0b48c2b2  .reloc  3072      5.875833

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?

Description

This artifact is a malicious PE32 executable that serves as an add-on tool for other Hoplight implants.

When the malware runs, it opens the log file C:\WINDOWS\Temp\ndb.dat, which it uses to log all activity for the remainder of execution.

The malware takes an IP address as an argument. It sends a beacon to this IP and connects to it using the same FakeTLS/PolarSSL protocol as the other samples. After a successful connection to a C2, it uses the named pipe \\.\pipe\AnonymousPipe to connect to a running implant and sends tasking to that implant. The implant returns the results of the tasking over the named pipe, and the malware sends the results back to the C2.

fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5

Tags

trojan

Details
Name: F315BE41D9765D69AD60F0B4D29E4300
Size: 147456 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: f315be41d9765d69ad60f0b4d29e4300
SHA1: f60c2bd78436a14e35a7e85feccb319d3cc040eb
SHA256: fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5
SHA512: bc8f821b4989076e441fbe5668cee0a388adcc375fac4a553f4c27423cd61c4500739820033b32f4197820ddf34decf1a043c6d34619aa18e1a932feb4e4233b
ssdeep: 3072:pQWbIWSG5bzxbT33FiDZWTNArLioB4Gwhes:pR3SGtJ33YDZWTNMLiGah
Entropy: 6.477832

Antivirus
Ahnlab: Trojan/Win32.Agent
Antiy: Trojan/Win32.Autophyte
Avira: TR/AD.APTLazerus.ifaaj
BitDefender: Gen:Variant.Graftor.487501
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.CTPG-1488
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Gen:Variant.Graftor.487501 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-HidCobra
Microsoft Security Essentials: Trojan:Win32/Autophyte.E!rfn
NetGate: Trojan.Win32.Malware
Sophos: Troj/NukeSpe-D
Symantec: Trojan Horse
TrendMicro: BKDR_HO.9D36C86C
TrendMicro House Call: BKDR_HO.9D36C86C
VirusBlokAda: BScope.Trojan.Autophyte
Zillya!: Trojan.NukeSped.Win32.161

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-08-21 12:39:06-04:00
Import Hash: 00c4520b07e61d244e7e7b942ebae39f

PE Sections
MD5                               Name    Raw Size  Entropy
7991745d0f6ed295154f066bb53ccbc2  header  4096      0.767780
cd39ffb10726106d9b85172804784b97  .text   114688    6.620841
3ab93f20dc7859f5510efbf121790dd7  .rdata  16384     5.991690
9fdf9be0cd049c58cb3718927458e69c  .data   4096      3.880827
330d3d9d2c3c1a342547cea468095f2a  .rsrc   4096      1.138029
cefd737bf48bc8375f92c8f7d9755e3a  .reloc  4096      5.221555

Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0 DLL

f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03

Tags

trojan

Details
Name: D2DA675A8ADFEF9D0C146154084FFF62
Size: 139264 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d2da675a8adfef9d0c146154084fff62
SHA1: c55d080ea24e542397bbbfa00edc6402ec1c902c
SHA256: f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03
SHA512: 06f531e49154d59f684475da95693df1fccd50b505e6d3ca028c9d84fcfc79ef287704dd0b24b022bfac6ba9ee581d19f440773dd00cfcfecf068b644ecbecb5
ssdeep: 3072:1QGYFFzYCGUXBk/hbpjYr9Lde0NPV1Y88PxbE:1SFhYaXBkjYJLde0Nd1Hqb
Entropy: 6.605300

Antivirus
Ahnlab: Trojan/Win32.Akdoor
Antiy: Trojan/Win32.Autophyte
Avira: TR/AD.APTLazerus.denpe
BitDefender: Gen:Variant.Graftor.487501
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.ATKI-5308
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Gen:Variant.Graftor.487501 (B)
Huorong: Trojan/NukeSped.a
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-FPIA!D2DA675A8ADF
Microsoft Security Essentials: Trojan:Win32/Autophyte.E!dha
NANOAV: Trojan.Win32.NukeSped.fyopnf
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.Generic
Sophos: Troj/NukeSpe-F
Symantec: Trojan Horse
TrendMicro: BKDR_HO.9D36C86C
TrendMicro House Call: BKDR_HO.9D36C86C
VirusBlokAda: BScope.Trojan.Autophyte
Zillya!: Trojan.NukeSped.Win32.146

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-07-14 18:40:25-04:00
Import Hash: 86e90e40d8e53d1e5b06a22353734ed4

PE Sections
MD5                               Name    Raw Size  Entropy
bf34ee8fcf71c0aa14531ae02d74f359  header  4096      0.647238
66e2b83909b4d47d3e3d20ad44df1acc  .text   114688    6.660284
d20ad0b8b42883ae6eb4c89cfbbd893b  .rdata  16384     6.057701
5e1b09084dfc15dda52bdac606eaed3d  .data   4096      3.824972

Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin IP List--

10.10.30.130

--End IP List--

The client uses uk.yahoo.com as the server name in its TLS Client Hello instead of naver.com.

32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11

Tags

trojan

Details
Name: 38FC56965DCCD18F39F8A945F6EBC439
Size: 122880 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 38fc56965dccd18f39f8a945f6ebc439
SHA1: 50736517491396015afdf1239017b9abd16a3ce9
SHA256: 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11
SHA512: 70a1568df0e97e8ab020f108e52ec861a0cdae936ac3340f1657565a8ac8a253179b4c451a79cb7c362fe60ff70be2694705110c67369c645e9061d3800db99e
ssdeep: 1536:kSQWbe9BzK0xGtGVyDBWikDsD3bG0aII2Tm5TPb+5MI7jcg9YL23O:fQWbIWSG61UD3bGUI2Tm5TP2Njcmn+
Entropy: 6.236928

Antivirus
Ahnlab: Trojan/Win32.Crypt
Antiy: Trojan/Win32.AGeneric
Avira: TR/AD.APTLazerus.sogzc
BitDefender: Gen:Variant.Graftor.487501
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.ACES-2943
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Gen:Variant.Graftor.487501 (B)
Huorong: Trojan/NukeSped.a
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-FPIA!38FC56965DCC
Microsoft Security Essentials: Trojan:Win32/Nukesped.PA!MTB
NANOAV: Trojan.Win32.HiddenCobra.fyqdsh
NetGate: Trojan.Win32.Malware
Sophos: Troj/NukeSpe-F
Symantec: Trojan Horse
TrendMicro: BKDR_HO.9D36C86C
TrendMicro House Call: BKDR_HO.9D36C86C
VirusBlokAda: BScope.Trojan.Autophyte
Zillya!: Trojan.NukeSped.Win32.149

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-12-12 12:58:45-05:00
Import Hash: 2054fd7bbbbcb62441ba2a21c156d403

PE Sections
MD5                               Name    Raw Size  Entropy
39af78f4af9f093c2eb4765202eab41a  header  4096      0.704943
48f0a09061c556cbde93f864f2adb2e3  .text   94208     6.479768
65fe1d182b2f7322719d142a81a901a8  .rdata  16384     5.812175
43cd1b0954c2785708b9e8da200242e9  .data   4096      2.465375
cab878079ca8c3f53ed3e0d0414e3a3a  .rsrc   4096      1.194369

Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin IP List--

218.255.24.226

--End IP List--

The client uses www.bing.com, Microsoft.com, and facebook.com as the server name in its TLS Client Hello instead of naver.com.

8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520

Tags

backdoor, trojan

Details
Name: 5C0C1B4C3B1CFD455AC05ACE994AED4B
Size: 348160 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 5c0c1b4c3b1cfd455ac05ace994aed4b
SHA1: 69cda1f1adeeed455b519f9cf188e7787b5efa07
SHA256: 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520
SHA512: 084d2223934848594e23dbedab5064f98cd3d07d0783d4a7de66800a2a823daf73b0b044aea0ff9516538e6c478c8d18018c006c713e7e63b2977f44df568718
ssdeep: 6144:aR3SGkuDrOZm5Te5EXzO7h2ZMB6zJJ+KFvmjyFdzDs0dRb83hYnOQSzS7:aVSWrOZm5TeOjVMoJFFv+mdzDs+kYnOS
Entropy: 7.540376

Antivirus
Ahnlab: Backdoor/Win32.Akdoor
Antiy: Trojan/Win32.Autophyte
Avira: TR/AD.APTLazerus.itcpp
BitDefender: Gen:Variant.Graftor.487501
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.HLGX-3930
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Gen:Variant.Graftor.487501 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-HidCobra
Microsoft Security Essentials: Trojan:Win32/Autophyte.E!rfn
NetGate: Trojan.Win32.Malware
Sophos: Troj/NukeSpe-I
Symantec: Trojan.Hoplight
TrendMicro: BKDR_HO.9D36C86C
TrendMicro House Call: BKDR_HO.9D36C86C
VirusBlokAda: Trojan.Autophyte
Zillya!: Trojan.NukeSped.Win32.163

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-08-12 05:20:38-04:00
Import Hash: 3ca68e2a005e05e2c4831de87ae091c0

PE Sections
MD5                               Name    Raw Size  Entropy
787ed8122e53d5ea17e3ece6d9fb7342  header  4096      0.782305
83b06d297acb20b05505da2d09905abd  .text   102400    6.523509
b2e739b37837f1c2b941660711daf98f  .rdata  16384     5.951907
cd8aa1387168caeb4604401aedb143eb  .data   4096      2.718596
8840ce03428c311935a20ac968c10ce7  .rsrc   217088    7.888219
2f0ede5fcdada29ec11ad8cd25c53f77  .reloc  4096      4.923777

Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0 DLL

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

This file is dropped into System32 by a different binary and then run as a service. When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin IP List--

81.94.192.147
112.175.92.57
181.39.135.126
197.211.212.59

--End IP List--

0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571

Tags

trojan

Details
Name: 34E56056E5741F33D823859E77235ED9
Size: 151552 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 34e56056e5741f33d823859e77235ed9
SHA1: fcc2dcbac7d3cbcf749f6aab2f37cc4b62d0bb64
SHA256: 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
SHA512: 93ac57f0b9bf48e39870b88f918f9b6e33404c1667d5f98d0965736e9e001b18152530f1c3a843b91929d308f63739faf3de62077bbfb155039f6847d22d3dd0
ssdeep: 3072:nQWbIWSGw0CkXbhM1Vsm5TJYwMrzPoXL8GnQj3y3:nR3SGQYM16m5TJDwPo7bUC3
Entropy: 6.652398

Antivirus
Ahnlab: Trojan/Win32.Agent
Antiy: Trojan/Win32.Autophyte
Avira: HEUR/AGEN.1023221
BitDefender: Gen:Variant.Graftor.487501
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.PGQL-0621
ESET: a variant of Win32/NukeSped.AU trojan
Emsisoft: Gen:Variant.Graftor.487501 (B)
Huorong: Trojan/NukeSped.a
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 0052cf421 )
McAfee: Trojan-FPIA!34E56056E574
Microsoft Security Essentials: Trojan:Win32/Autophyte.E!rfn
NANOAV: Trojan.Win32.NukeSped.fyqduv
Quick Heal: Trojan.Generic
Sophos: Troj/NukeSpe-F
Symantec: Trojan Horse
TrendMicro: TROJ_FR.D0256DD5
TrendMicro House Call: TROJ_FR.D0256DD5
VirusBlokAda: BScope.Trojan.Autophyte
Zillya!: Trojan.NukeSped.Win32.166

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-08-12 03:44:57-04:00
Import Hash: e93a06b89e75751a9ac2c094ca7da8b0

PE Sections
MD5                               Name    Raw Size  Entropy
a45f9a7c2174752a1472fb634ba9d8c7  header  4096      0.715236
2b9f5ce0725453a209a416ab7a13f3df  .text   98304     6.576807
03605ec3eefe3b70e118cea4b8655229  .rdata  16384     5.866137
5ac0ab0641ec076e15dd1468e11c57cd  .data   4096      2.680020
58ede934084bbe73fa7f9e0d32c4fafb  .rsrc   28672     7.045289

Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0

Relationships
0608e41134... Connected_To 14.140.116.172

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin IP List--

14.140.116.172

--End IP List--

The client uses uk.yahoo.com as the server name in its TLS Client Hello instead of naver.com.

14.140.116.172

Relationships
14.140.116.172 Connected_From 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571

Description

The file 34E56056E5741F33D823859E77235ED9 beacons to this hard-coded IP address.

b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9

Tags

trojan

Details
Name: 2FF1688FE866EC2871169197F9D46936
Size: 229500 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2ff1688fe866ec2871169197f9d46936
SHA1: 6dc37ff32ea70cbd0078f1881a351a0a4748d10e
SHA256: b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9
SHA512: 91c3a6e84ca728ecc26d63b91a09f3081288c9b9592430035b9ea50ba7cf2d4b4ddba4711933d17013d3d06fcb8d70789a37ddfa5c741445e058bc02d529cf06
ssdeep: 6144:GANjUaXCXwz+vLFOLEq3VNwO9zyPqYNkHms:bNjxXgA9uPqR
Entropy: 6.385793

Antivirus
Ahnlab: Trojan/Win32.Agent
Antiy: Trojan/Win32.NukeSped
Avira: TR/AD.APTLazerus.oytdw
BitDefender: Trojan.GenericKD.32416090
ClamAV: Win.Trojan.HiddenCobra-7402602-0
Cyren: W32/Trojan.GCCR-6631
ESET: a variant of Win32/NukeSped.AI trojan
Emsisoft: Trojan.GenericKD.32416090 (B)
Ikarus: Trojan.Win32.NukeSped
K7: Trojan ( 005329311 )
McAfee: Trojan-HidCobra
Microsoft Security Essentials: Trojan:Win32/Nukesped.PA!MTB
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.Generic
Sophos: Troj/Inject-DZV
Symantec: Trojan.Gen.MBT
TrendMicro: BKDR_HO.9D36C86C
TrendMicro House Call: BKDR_HO.9D36C86C
Zillya!: Trojan.NukeSped.Win32.160

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
       $sn1 = "www.google.com"
       $sn2 = "www.naver.com"
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-06-13 11:12:43-04:00
Import Hash: 8948765c0ef7c91beff2e97907c801d0

PE Sections
MD5                               Name    Raw Size  Entropy
eb0f947605842ea84fea9d8d8382f056  header  4096      0.684814
f9aa8191af45813b80031064403835f1  .text   192512    6.400854
bbcbbf5f54deaee51d41d404973c30e4  .rdata  16384     6.228868
8ea12cda731d50b93944d8534c11402c  .data   12288     3.927662
06d5d2729a367d565819e6867d8caea7  .rsrc   4096      3.317978

Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin IP List--

210.137.6.37
119.18.230.253
221.138.17.152

--End IP List--

The client uses naver.com as the server name in its TLS Client Hello.

119.18.230.253

Description

The file 2FF1688FE866EC2871169197F9D46936 beacons to this hard-coded IP address.

210.137.6.37

Description

The file 2FF1688FE866EC2871169197F9D46936 beacons to this hard-coded IP address.

221.138.17.152

Description

The file 2FF1688FE866EC2871169197F9D46936 beacons to this hard-coded IP address.

ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09

Tags

trojan

Details
Size: 117591 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3dbd47cc12c2b7406726154e2e95a403
SHA1: afaa88c46666e5684b89b94ef2c4bc82e4c00845
SHA256: ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
SHA512: c13e79b4c7e7dd53736e87836930d4aafe5a9c6c467c31c976253ebc0b031424eb2d92a04bbdcb7b610afc5d93f2b752b14663b2e9c015e44650b0a814dd4997
ssdeep: 1536:/sQWbe9BzK0xGtFOpVyDpWpQCnRx/bV3Q3Wgim5TjZU15MX7jbQnKVYJ3n:EQWbIWSGWjBjrbV3jgim5TjqPgjbQgA
Entropy: 6.387236

Antivirus
Ahnlab: Trojan/Win32.Generic
ClamAV: Win.Trojan.HiddenCobra-7402602-0
ESET: a variant of Win32/NukeSped.AU trojan
Huorong: Trojan/NukeSped.a
McAfee: Trojan-HidCobra!3DBD47CC12C2
Microsoft Security Essentials: Trojan:Win32/Autophyte.E!dha
Symantec: Trojan.Hoplight
VirusBlokAda: BScope.Trojan.Autophyte

YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author="NCCIC trusted 3rd party"
       Incident="10135536"
       Date = "2018/04/19"    
       category = "hidden_cobra"
       family = "n/a"
       description = "n/a"
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-09-03 11:02:30-04:00
Import Hash: 7d69af70a4430663ca427aa423f7c5ea

PE Sections
MD5                               Name    Raw Size  Entropy
8291bca724e71f42f0653dbd18357965  header  4096      0.642884
a883335516b2b5c2ff7377e5532611af  .text   94208     6.462877
63fb256f6eaf5fbd897d36dd4777ef89  .rdata  16384     5.845991
8934903570874d7e20867e8c89be5c64  .data   2903      3.458180

Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0

Relationships
ba80cb0a08... Connected_To 117.239.241.2
ba80cb0a08... Connected_To 217.117.4.110

Description

This artifact is a malicious PE32 executable with characteristics similar to those described for 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs, it checks a config file to determine where it should beacon. If the config file has not been modified, the malware beacons to the following hard-coded IP addresses:

--Begin Hardcoded IP--

117.239.241.2
217.117.4.110

--End Hardcoded IP--

217.117.4.110

Relationships
217.117.4.110 Connected_From ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09

Description

The file ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09 beacons to this hard-coded IP address.

44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980 Tags

backdoor, dropper, trojan

Details
Size: 557681 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4e595db3b612e1e9da90a0ef7d740792
SHA1: 1483720917e754d05818e64ae07b320ffbdf4d78
SHA256: 44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980
SHA512: fadd5aea13935cfc592da535c0b4b182d3b2c50cfc5122dd9bb4040a6298e5b0db788d9025b5043e216a242334fd4a08ae69597e0a130c1454e0e78aca1278a0
ssdeep: 12288:j6k9os/EpYE+DMX6GHU3ZSrLwQ+ruZdwI4TntpdK9roGOeAQ:j6Qos/EpYEWGHFrL1+iZdwVTtp09rbOi
Entropy: 7.850778

Antivirus
Ahnlab                         Backdoor/Win32.Agent
Avira                          TR/Dropper.Gen
ESET                           a variant of Win32/NukeSped.O trojan
Ikarus                         Trojan.Win32.NukeSped
Microsoft Security Essentials  Trojan:Win32/Nukesped.PA!MTB

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2018-02-12 15:04:34-05:00
Import Hash: 1e6c10653c6b505369db00e880dbfecb

PE Sections
MD5                               Name    Raw Size  Entropy
aef5c3923e5820f46533bf0b26cd7c4e  header  4096      0.626079
70a3e4024020c2792542fcb13130235f  .text   73728     6.252791
f29b61b835618a1c4a0c2cf966badbe9  .rdata  12288     4.414075
0b968078c58131b96a48ffc77413a61b  .data   4096      2.653332

Packers/Compilers/Cryptors: Microsoft Visual C++ v6.0

Description

This executable must be run with the argument 15975345682 in order to execute; it then drops C:\Windows\system32\dispark.dll (E5D1C42E5CA7A0AC3A3B31BD0F290E84), a custom-packed loader.

E5D1C42E5CA7A0AC3A3B31BD0F290E84 drops 535C879CA109DBECD336E1DE0ECCB696 that runs as a service.

823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8 Tags

trojan

Details
Size: 692274 bytes
Type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 894b81b907c23f927a3f38cfd30f32da
SHA1: 411a320c389e492bf41eb6c5708809721f28a81f
SHA256: 823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8
SHA512: ea550ce5ad8f58fdaf74476cda5255117b4dd3c64ef70ba0f5f08e3c2af62ba45fdafec56ee7d76de3e59894bddf39e26d6c787e287655268e754cee1c8f4cbc
ssdeep: 12288:yeR6alRBGA44gibT2QPAdfyGwspLvgwEq8kkAwkeJbJPCYzH:yeR6alP44JbydfyGn84KAwbxJPCYD
Entropy: 7.849516

Antivirus
Ahnlab   Trojan/Win32.Akdoor
Antiy    Trojan/Win64.NukeSped
ESET     a variant of Win64/NukeSped.AH trojan
K7       Trojan ( 00545d8d1 )
Zillya!  Trojan.Agent.Win32.1135323

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2018-02-12 15:06:28-05:00
Import Hash: 347c977c6137a340c7cc0fcd5b224aef

PE Sections
MD5                               Name    Raw Size  Entropy
28fc69ad12a0765af4cc06fbd261cb24  header  1024      2.672166
88425c71e7e293d43db9868e4693b365  .text   89088     6.415516
bb0048e4f3851ea07b365828ddf613f7  .rdata  26624     4.912250
50e3efe1a6ea325c87f8e86e2fbd40b4  .data   5632      2.093641
f56a65eb9562d6c6d607f867d1d0fd09  .pdata  4608      4.725531
6a9a84d523e53e1d43c31b2cc069930c  .rsrc   1536      4.308150
dab5e290c15de9634d93d8f592a44633  .reloc  1536      2.912599

Packers/Compilers/Cryptors: Microsoft Visual C++ 8.0 (DLL)

Description

This executable must be run with the argument 15975345682 in order to execute; it then drops C:\Windows\system32\diskpart.dll (7AFF84FB44840E4FD53CC9561172E14B), a custom-packed loader.

7AFF84FB44840E4FD53CC9561172E14B drops BD674814315892B937BC91A10783D140 that runs as a service.

Relationship Summary

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

MAR-10271944-3.v1 – North Korean Trojan: BUFFETLINE

US-CERT All NCAS Products - Fri, 02/14/2020 - 14:00
Original release date: February 14, 2020
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as BUFFETLINE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at a full-featured beaconing implant. This sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.

For a downloadable copy of IOCs, see MAR-10271944-3.v1.stix.

Submitted Files (1)

52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 (smss.exe)

IPs (2)

107.6.12.135

210.202.40.35

Findings

52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 Tags

trojan

Details
Name: smss.exe
Size: 139265 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 11cb4f1cdd9370162d67945059f70d0d
SHA1: f59c7ce763c4d5717f986e578e3bce8a43f721d2
SHA256: 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695
SHA512: 53c308aa54eed5cf2979d519fc128fcebce8ce425566426086c88e9eb5ebf69c4e40361ebb5df50f98fdf823b0ecf7f1a1736be189db67d56624d76245fb146d
ssdeep: 3072:BqrWp5J6z3fNOo7R650dB+0l2pucertVev7:4Wp5J6zP9di2Bt0J
Entropy: 6.180760

Antivirus
Ahnlab        Trojan/Win32.Akdoor
Antiy         Trojan/Win32.Agent
Avira         TR/NukeSped.dtrpn
BitDefender   Trojan.GenericKD.5884300
ClamAV        Win.Trojan.HiddenCobra-7402602-0
ESET          a variant of Win32/NukeSped.AU trojan
Emsisoft      Trojan.GenericKD.5884300 (B)
Filseclab     Trojan.Agent.ikox.sjwn
Huorong       Trojan/Generic!6B2189F3963492CB
Ikarus        Trojan.Win32.NukeSped
K7            Trojan ( 004d07bc1 )
McAfee        GenericRXDC-AJ!11CB4F1CDD93
NANOAV        Trojan.Win32.NukeSped.faxfdd
Symantec      Trojan.Hoplight
VirusBlokAda  BScope.Trojan.Tiggre
Zillya!       Trojan.Agent.Win32.817728

YARA Rules
  • rule encodedHandshakeStrings
    {
       meta:
           author = "CISA trusted 3rd party"
           incident = "10271944.r3.v1"
           date =    "2019-12-25"
           category = "Hidden_Cobra"
           family = "BUFFETLINE"
       strings:
           $e1 = { dd 91 4a 1d cb 93 52 0a d0 cb 0a 4c ca d5 08 4b ca 92 4b 1d de 92 4b 1e d2 8b 5c 14 de 92 5c }
           $e2 = { 81 8c 4d 1d d1 8a 52 1d d7 8a 4c 0d 8b c8 01 4c cd 9c 5e 0b dc 97 5e 12 95 cb 4a 48 cf 9c 53 }
       condition:
           (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
    }
  • rule polarsslClientHello
    {
       meta:
           author = "CISA trusted 3rd party"
           incident = "10271944.R3.V1"
           date =    "2019-12-25"
           category = "Hidden_Cobra"
           family = "BUFFETLINE"
       strings:
           $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
           $cliHello = "!Q@W#E$R%T^Y&U*I(O)P"
       condition:
           (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches
100 16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd

PE Metadata
Compile Date: 2016-10-03 02:34:09-04:00
Import Hash: 6a3547c38d6806b7d5a8b2638621ca32

PE Sections
MD5                               Name    Raw Size  Entropy
83eb1da0a8ab18f046922a558cb8ede6  header  4096      0.676716
b672be56b1bc345710663b196247c46c  .text   98304     6.661074
058bc0c9a6ef4120a61e2cb75b7e2825  .rdata  12288     6.220732
1b2e3c963ae327f7f74e13f15a31fa55  .data   20480     2.725473
02bb750555f1c2623effc3aa3d077a34  .rsrc   4096      0.897401

Packers/Compilers/Cryptors: Microsoft Visual C++ v6.0

Relationships
52f83cdaef... Connected_To 107.6.12.135
52f83cdaef... Connected_To 210.202.40.35

Description

The sample performs dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings in an attempt to hide its use of network functions.

The sample obfuscates the strings used for API lookups, as well as the strings used during the network handshake, with a modified RC4 algorithm. A Python 3 script to decrypt the obfuscated strings is given below. Note: the hardcoded command and control (C2) IPs are not obfuscated and appear in plaintext within the executable.

--Begin Python 3 Decode Script--

def decode_string(enc, key=0x15b3):
    """Decode one obfuscated string. `enc` is the raw encoded bytes taken
    from the binary (a str is accepted and treated as Latin-1 bytes)."""
    if isinstance(enc, str):
        enc = enc.encode('latin-1')
    dec = b''
    sbox = b''

    # Starting index into the substitution table depends on the key and length.
    tmp = ((key + len(enc)) * -0x52) & 0xff
    for i in range(0x100):
        sbox += bytes([((i + 1) * key * -0x78) & 0xff])

    # XOR each byte with a table entry; the index advances by a fixed stride.
    for b in enc:
        dec += bytes([b ^ sbox[tmp]])
        tmp = (tmp + (key + len(enc)) * 0x7c) & 0xff
    return dec

--End Python 3 Decode Script--

--Begin C2 IP and Port--

107.6.12.135:443
210.202.40.35:443

--End C2 IP and Port--

The sample attempts to perform a PolarSSL handshake to initiate a connection to each of these hardcoded C2 IPs using TLS version 1.1. It uses the PolarSSL server_name extension with the Server Name set to "!Q@W#E$R%T^Y&U*I(O)P". The PolarSSL certificate and private key are provided below.


After the TLS authentication is completed, this particular sample does NOT use the session key generated via TLS. Instead, it uses a FakeTLS scheme, in which a 'fake' TLS record header is prepended to the packet data, and the data itself is encrypted with a custom XOR scheme. The FakeTLS packet format and a Python 3 script to decrypt the network traffic are given below.

--Begin FakeTLS Packet Structure--

17 03 02 <2 Byte data length> <4 Byte Key> <data>

--End Fake TLS Packet Structure--

Note: Each "Key" is generated by the sender using rand().

--Begin Python 3 Network Communication Decode Script--

def decode_pkt(enc, key):
    """Decode the <data> portion of a FakeTLS packet using its 4-byte key
    (passed as an integer)."""
    dec = b''
    sbox = b''

    # Index stride into the substitution table depends on the length and key.
    addVal = (len(enc) * key) & 0xff
    for i in range(0x100):
        sbox += bytes([((i + 1) * key) & 0xff])

    indexVal = addVal
    for b in enc:
        dec += bytes([b ^ sbox[indexVal]])
        indexVal = (indexVal + addVal) & 0xff
    return dec

--End Python 3 Network Communication Decode Script--

After the TLS authentication, the sample performs a handshake with the C2 in which hardcoded 32-byte strings are exchanged, along with a Victim ID and the victim's internal IP. After this exchange, the implant sends its Victim Information (Figure 2) and then waits for tasking from the C2.

Screenshots

Figure 1 - Configuration Structure.

Figure 2 - Victim Information Structure.

Figure 3 - Implant Functionality.

Figure 4 - Session Structure.

107.6.12.135 Tags

command-and-control

Ports
  • 443 TCP
Relationships
107.6.12.135 Connected_From 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695

Description

Hardcoded C2 IP.

210.202.40.35 Tags

command-and-control

Ports
  • 443 TCP
Relationships
210.202.40.35 Connected_From 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695

Description

Hardcoded C2 IP.

Relationship Summary
52f83cdaef... Connected_To 107.6.12.135
52f83cdaef... Connected_To 210.202.40.35
107.6.12.135 Connected_From 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695
210.202.40.35 Connected_From 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695

Mitigation

The following Snort rule can be used to detect the FakeTLS handshake packets. It targets a logical inconsistency in the application-data record sizes: the 4-byte decode key is inserted before the data but is not counted in the data length, so the next record header appears 4 bytes later than a genuine TLS record would place it.

alert tcp any any -> any any (msg:"Malware Detected"; content:"PolarSSL"; pcre:"/\x17\x03\x02\x00\x23.{39}\x17\x03\x02/"; rev:1; sid:99999999;)
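As an added example (not code from the report), the Python 3 block below assembles and parses records in the FakeTLS layout given above, decodes the data with the same arithmetic as decode_pkt, and applies the length-inconsistency check that the Snort rule relies on to a constructed byte stream. The report does not state the endianness of the 4-byte key, so little-endian is assumed here; all sample bytes and keys are constructed.

```python
import struct
from typing import NamedTuple

# FakeTLS record layout from the report:
#   17 03 02 | 2-byte data length | 4-byte key | data
# The key's byte order is not given in the report; little-endian is an
# assumption (a 32-bit rand() value written out as a native DWORD).
FAKE_TLS_HDR = b"\x17\x03\x02"
KEY_LEN = 4


class FakeTlsRecord(NamedTuple):
    declared_len: int   # value of the 2-byte length field
    key: int            # per-packet key
    data: bytes         # still-encoded payload, declared_len bytes long


def fake_tls_sbox(key: int) -> bytes:
    """Per-key substitution table, as built by the report's decode_pkt."""
    return bytes(((i + 1) * key) & 0xFF for i in range(0x100))


def xor_pkt(buf: bytes, key: int) -> bytes:
    """Same arithmetic as decode_pkt: XOR each byte with an sbox entry whose
    index starts at, and advances by, (len * key) & 0xff. XOR is symmetric,
    so this routine both encodes and decodes."""
    sbox = fake_tls_sbox(key)
    step = (len(buf) * key) & 0xFF
    idx = step
    out = bytearray()
    for b in buf:
        out.append(b ^ sbox[idx])
        idx = (idx + step) & 0xFF
    return bytes(out)


def build_record(plain: bytes, key: int) -> bytes:
    """Assemble one FakeTLS record. The length field counts only the data,
    not the 4-byte key that sits between the header and the data."""
    return (FAKE_TLS_HDR + struct.pack(">H", len(plain))
            + struct.pack("<I", key) + xor_pkt(plain, key))


def parse_records(stream: bytes) -> list:
    """Split a TCP payload into FakeTLS records. Each record occupies
    5 + 4 + declared_len bytes because the key is not included in the
    length field."""
    records = []
    off = 0
    while off + 5 + KEY_LEN <= len(stream):
        if stream[off:off + 3] != FAKE_TLS_HDR:
            raise ValueError(f"bad record header at offset {off}")
        declared = struct.unpack(">H", stream[off + 3:off + 5])[0]
        key = struct.unpack("<I", stream[off + 5:off + 9])[0]
        start = off + 9
        end = start + declared
        if end > len(stream):
            raise ValueError("truncated record")
        records.append(FakeTlsRecord(declared, key, stream[start:end]))
        off = end
    if off != len(stream):
        raise ValueError("trailing bytes after last record")
    return records


def looks_like_fake_tls(stream: bytes) -> bool:
    """Defender's check equivalent to the rule's pcre: a record header that
    declares 0x23 data bytes is followed by 39 (= 35 + 4) bytes and then
    another record header. Genuine TLS application data carries no key
    after the length field, so its next header would sit 35 bytes on."""
    needle = FAKE_TLS_HDR + b"\x00\x23"
    i = stream.find(needle)
    while i != -1:
        nxt = i + len(needle) + 39
        if stream[nxt:nxt + 3] == FAKE_TLS_HDR:
            return True
        i = stream.find(needle, i + 1)
    return False


if __name__ == "__main__":
    # Constructed sample traffic: two records with constructed keys.
    stream = build_record(b"A" * 35, 0x1234) + build_record(bytes(range(35)), 0xDEADBEEF)
    for rec in parse_records(stream):
        print(rec.declared_len, hex(rec.key), xor_pkt(rec.data, rec.key))
    print("FakeTLS pattern present:", looks_like_fake_tls(stream))
```

The `.` in the rule's pcre does not match a 0x0a byte unless the `s` modifier is applied, so looks_like_fake_tls is slightly broader than the rule as written.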


Categories: LATEST ALERT

MAR-10271944-2.v1 – North Korean Trojan: ARTFULPIE

US-CERT All NCAS Products - Fri, 02/14/2020 - 14:00
Original release date: February 14, 2020
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as ARTFULPIE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at an implant that downloads a DLL from a hardcoded URL and loads and executes it entirely in memory.

For a downloadable copy of IOCs, see MAR-10271944-2.v1.stix.

Submitted Files (1)

606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c (mega.exe.exe)

IPs (1)

193.56.28.103

Findings

606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c Tags

downloader, trojan

Details
Name: mega.exe.exe
Size: 83968 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2d92116440edef4190279a043af6794b
SHA1: eb2eb432445b3dcf6483e7d5f670acb94a8bab70
SHA256: 606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c
SHA512: ef849cb69d785bdcef98127abed65e0acc749f9748753d04105818e68ec5e37e068f8c4a7146b5238c5a6bf75712b198935c356b0fe0bb08eeef54ca7082d32f
ssdeep: 1536:FNtzOnGK/pmGC4ISgyCOkaPeFAuf+jXQ1JsWODjgncdw1DCaAqGgo:FNqpmGC7S1rJPQAFXKqDjgWwBCaAq3o
Entropy: 6.334481

Antivirus
Avira     HEUR/AGEN.1031247
ByteHero  Trojan.Win32.Heur.098
Symantec  Heur.AdvML.B

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2019-06-14 05:41:48-04:00
Import Hash: 8079a02c54cad285e36d60589737d1e3

PE Sections
MD5                               Name    Raw Size  Entropy
33371b670b629e6e418f34546c9b5eda  header  1024      2.672349
d7c48cf554eae1f467a10903d05d84fc  .text   51712     6.635530
4b19a4f766cd6f95bd6b36fab052c916  .rdata  24064     4.908608
9ccfa1efb02e96faf15883c5d135e6f9  .data   2560      1.986341
c970c10a1e848ee974b87923ecbe6a2f  .rsrc   512       4.706155
51b1d3e64f81f0cc54f348474457a1d4  .reloc  4096      6.403055

Packers/Compilers/Cryptors: Microsoft Visual C++ ?.?

Relationships
606c6000f3... Connected_To 193.56.28.103

Description

The sample is a downloader/loader that performs the following steps:

  • Downloads the hardcoded URL hxxp[:]//193[.]56[.]28[.]103:88/xampp/thinkmeter[.]dll into memory using the user-agent string "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)".
  • Loads the .dll into its own address space manually (fully in memory).
  • Calls the .dll's entry point.

193.56.28.103 Tags

command-and-control

URLs
  • 193.56.28.103:88/xampp/thinkmeter.dll
Ports
  • 88 TCP
Relationships
193.56.28.103 Connected_From 606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c

Relationship Summary
606c6000f3... Connected_To 193.56.28.103
193.56.28.103 Connected_From 606c6000f36dc69fefc6df828e1ac9c5529a71a62b99f5df55463606c4c9689c

Recommendations


This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT

US-CERT All NCAS Products - Fri, 02/14/2020 - 14:00
Original release date: February 14, 2020
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOTCROISSANT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at a full-featured beaconing implant. This sample performs a custom XOR network encoding and is capable of many features including conducting system surveys, file upload/download, process and command execution, and performing screen captures.

For a downloadable copy of IOCs, see MAR-10271944-1.v1.stix.

Submitted Files (1)

8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085 (svchost.exe)

IPs (1)

94.177.123.138

Findings

8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085

Tags

trojan

Details

Name: svchost.exe
Size: 117760 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 062e9cd9cdcabc928fc6186c3921e945
SHA1: 566347f8bf30f66aec670d660091fb6bb03a0650
SHA256: 8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085
SHA512: e16fefb72fb466e31f982ea1d3f5e5754af289dfe7c8e7c2c6859b462b02e8715eaedf271985465931983fe0800f93e2943c715929f731368ca81deb5ddf3b54
ssdeep: 3072:kRdlGZdOwoyeCJkLURXSOpW1yIR3vbRY7a:y3wMae2W9O+NR3DR0a
Entropy: 6.282477

Antivirus
Ahnlab          Trojan/Win32.Agent
Avira           HEUR/AGEN.1039759
BitDefender     Gen:Variant.Jaiko.2546
Emsisoft        Gen:Variant.Jaiko.2546 (B)
Ikarus          Trojan.Win32.KillAV
VirusBlokAda    BScope.Trojan.Tiggre

YARA Rules
rule CryptographyFunction
{
    meta:
        author = "CISA trusted 3rd party"
        incident = "10271944.r1.v1"
        date = "2019-12-25"
        category = "Hidden_Cobra"
        family = "HOTCROISSANT"
    strings:
        $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7] 33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5] C1 [1-5] 33 [1-4] C1 [1-5] C1 }
    condition:
        uint16(0) == 0x5A4D and any of them
}
ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2019-07-25 11:38:54-04:00
Import Hash: 9e7d183f56ad974fbd6c056d20051ef8

PE Sections
MD5                               Name     Raw Size  Entropy
760c39c49aa3a2cb4ec9f6fd5d4524e6  header   1024      2.537779
8480a50e20d57bcb86fa649691ca9e0c  .text    80896     6.619532
36d3f909d39d54fd628e1d66d6acd26e  .rdata   18432     5.282847
a497350b0c256c943b59382e0a2e884a  .data    9216      2.905698
2d5b9737e8cd3def95c4fc6527741f91  .rsrc    1024      2.112640
9b5d24778302d0f050a93778c9cab3ef  .reloc   7168      4.675041

Packers/Compilers/Cryptors: Microsoft Visual C++ ?.?

Description

The sample performs dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings in an attempt to hide its use of network functions. However, only a small number of API calls are obfuscated this way, and their selection is not consistent throughout the sample.

The sample obfuscates the strings used for API lookups, as well as the strings used during the network handshake, with a simple single-byte XOR using the key 0x0f.
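As an added illustration of that obfuscation (not code from this report), the block below recovers single-byte-XOR strings from a byte buffer: XOR every byte with 0x0f, then keep runs that decode to printable ASCII. The sample buffer is constructed here; the real binary is not included. One caveat the example makes visible: plain, unobfuscated text also turns into printable bytes under XOR 0x0f, so an identifier-shaped filter is applied to separate API and DLL names from that noise. The key is a parameter, so the same routine serves for other single-byte keys.

```python
import re

XOR_KEY = 0x0F  # single-byte key the report gives for HOTCROISSANT's strings


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def recover_xor_strings(blob, key=XOR_KEY, min_len=6):
    """Return (offset, text) for every run of >= min_len bytes that becomes
    printable ASCII (0x20-0x7e) after XOR with key."""
    decoded = xor_bytes(blob, key)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, decoded)]


def api_like(text):
    """Keep only identifier-shaped hits: API names or DLL/EXE file names."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*(\.(dll|exe))?", text) is not None


def recover_api_strings(blob, key=XOR_KEY):
    """Recovered strings that look like API or module names."""
    return [(off, s) for off, s in recover_xor_strings(blob, key) if api_like(s)]


# Constructed stand-in for a slice of the binary's data section: some filler,
# one plain-text string (a decoy that also decodes to printable junk), and two
# strings obfuscated the way the report describes.
SAMPLE_BLOB = (
    b"\x90" * 4
    + b"Hello, world"                       # plain string, not obfuscated
    + b"\x00"
    + xor_bytes(b"LoadLibraryA", XOR_KEY)   # obfuscated API name
    + b"\x00"
    + xor_bytes(b"ws2_32.dll", XOR_KEY)     # obfuscated module name
    + b"\x00"
    + b"\xCC" * 4
)

if __name__ == "__main__":
    for off, s in recover_xor_strings(SAMPLE_BLOB):
        marker = "api" if api_like(s) else "   "
        print(f"{off:#06x}  {marker}  {s!r}")
```

Run over a real unpacked image, the unfiltered list is long because every ordinary ASCII string maps to another printable run; the identifier filter, or a match against a list of known Win32 export names, is what turns the output into something a reviewer can act on.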

The sample attempts to connect to a hardcoded C2 IP address and then immediately sends its victim information. It then listens for commands from the C2 and returns the results. Network communications are first compressed (zipped) and then encoded with a custom XOR algorithm. The session structure (Figure 1), victim information (Figure 2), implant functionality (Figure 3), packet format (Figure 4), and a Python 3 script to decode the network traffic are given below.

--Begin Hardcoded IP and Port--

94.177.123.138:8088

--End Hardcoded IP and Port--

--Begin Python 3 Network Communication Decode Script--

def decode(data):
    """Strip the custom XOR layer from a captured HOTCROISSANT C2 message.

    data is the raw bytes seen on the wire (each element an int). The
    return value is still compressed, since the report states traffic is
    zipped before it is XOR-encoded, so a decompression step follows.
    Each output byte is data[i] ^ key2 ^ key3 ^ key1 (low byte only);
    key2 and key3 are advanced like shift registers after every byte and
    key1 is recomputed from the previous state. Python precedence applies
    throughout (& binds tighter than ^, which binds tighter than |).
    """
    dec = []
    key1 = 0x17
    key2 = 0x00b8d68b
    key3 = 0x02497029
    for i in range(len(data)):
        temp2 = key2
        temp3 = key3
        dec.append((data[i] ^ temp2 ^ temp3 ^ key1) & 0xff)
        key2 = key2 >> 8 | ((((key2 * 8 ^ key2) & 0x7f8) << 0x14) & 0xffffffff)
        key1 = key1 & temp3 ^ (temp3 ^ key1) & temp2
        key3 = key3 >> 8 | ((((((((key3 * 2 ^ key3) << 4) & 0xffffffff) ^ key3) &
                0xffffff80 ^ key3 << 7) & 0xffffffff) << 0x11) & 0xffffffff)
    return bytes(dec)

--End Python 3 Network Communication Decode Script--

Screenshots

Figure 1 - Session Structure.

Figure 2 - Victim Information Structure.

Figure 3 - Implant Functionality. Two of the commands in the table appear to be broken:

ProcessKill - A coding error results in an access violation: the command decodes an obfuscated string ("Kernel32.dll") in place instead of first copying it to a buffer, as the sample does everywhere else.

WindowClose - The handle used to loop through all windows is never initialized.

Figure 4 - Packet Structure.

94.177.123.138

Tags

command-and-control

Ports
  • 8088 TCP
Description

8EE7DA59F68C691C9ECA1AC70FF03155ED07808C7A66DEE49886B51A59E00085 connects to this C2 IP address.


This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

MAR-10265965-3.v1 – North Korean Trojan: CROWDEDFLOUNDER

US-CERT All NCAS Products - Fri, 02/14/2020 - 14:00
Original release date: February 14, 2020
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as CROWDEDFLOUNDER. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report analyzes a Themida-packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory. The application accepts arguments during execution or can be installed as a service with command line arguments. It can listen as a proxy for incoming connections containing commands or connect to a remote server to receive commands.

For a downloadable copy of IOCs, see MAR-10265965-3.v1.stix.

Submitted Files (1)

a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442 (F2B9D1CB2C4B1CD11A8682755BCC52...)

Findings

a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442

Tags

trojan

Details

Name: F2B9D1CB2C4B1CD11A8682755BCC52FA
Size: 1658880 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: f2b9d1cb2c4b1cd11a8682755bcc52fa
SHA1: 579884fad55207b54e4c2fe2644290211baec8b5
SHA256: a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442
SHA512: b047a4275f0fa7c0025945800acbffb5be1d327160a135c6ba8ff54352be603cbb47fff71f180ab1a915229778b7a883ed19e1d6a954ab82435913ed95c40752
ssdeep: 24576:darngxIJfX2+8mGrvs5pdUIPv3eAUW/Y8w9ejjERAjYrNFtI937sTR7R5NwrzD:da7gx2B81gdVXvfAnHRFtIl7k7RPwr
Entropy: 7.958686

Antivirus
Ahnlab                          Trojan/Win32.Xpacked
Antiy                           Trojan/Win32.BlueNoroff
Avira                           TR/Crypt.TPM.Gen
BitDefender                     Trojan.GenericKD.41987817
ClamAV                          Win.Trojan.Agent-7376505-0
Cyren                           W32/Trojan.SXNN-1599
ESET                            Win32/NukeSped.CL trojan
Emsisoft                        Trojan.GenericKD.41987817 (B)
Ikarus                          Trojan.Win32.NukeSped
K7                              Trojan ( 0040f4ef1 )
McAfee                          Trojan-NukeSped.a
Microsoft Security Essentials   Trojan:Win32/Thcsim
NANOAV                          Trojan.Win32.BlueNoroff.ggbrdv
NetGate                         Trojan.Win32.Malware
Sophos                          Troj/Agent-BCXR
Symantec                        Trojan Horse
TrendMicro                      TROJ_THCSIM.A
TrendMicro House Call           TROJ_THCSIM.A
VirusBlokAda                    BScope.TrojanPSW.Predator
Zillya!                         Trojan.NukeSped.Win32.184

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2017-02-20 05:45:37-05:00
Import Hash: baa93d47220682c04d92f7797d9224ce

PE Sections
MD5                               Name       Raw Size  Entropy
a7295799f336e3a6e8b61fe4f93e2251  header     4096      0.812374
2db23f163210140d797f67ed1ec1f08e  (no name)  156160    7.983767
d41d8cd98f00b204e9800998ecf8427e  .rsrc      0         0.000000
efcb51d4d8a55d441d194e80899bb2b0  .idata     512       1.308723
d5443c2d2f51ba6c31a5fc9c35af7a2f  (no name)  512       0.240445
8eea01ecbee2f6234d68b27d4e05585a  htusmqub   1497088   7.954958
6b71d93792bb677f0a09dbe70e6df1a2  ijybpcqb   512       3.636986

Description

This application is a Themida-packed 32-bit Windows executable, which is designed to unpack and execute a RAT binary in memory. The application accepts arguments during execution or can be installed as a service with command line arguments. When executed, it modifies the Windows Firewall on the victim's machine to allow incoming and outgoing connections on the port it uses, by running a "netsh firewall add portopening" command (Figure 2). Static analysis indicates the malware can either listen as a proxy for incoming connections containing commands or connect to a remote server to receive commands. The following command line arguments control the RAT functionality:

--Begin RAT command line arguments--

-p: You can use the -p command line argument to force the malware to listen on a specific port. Example: malware.exe -p 8888

-h: You can use the -h command line argument to force the malware to connect to a remote host and port. Example: malware.exe -h <url_string>:8888

Note: <url_string> can be either a fully qualified domain name or an Internet Protocol (IP) address.

--End RAT command line arguments--

The RAT uses a rotating exclusive-or (XOR) cipher to encode its data transfers and command-and-control (C2) sessions (Figure 1). The malware accepts instructions from the remote server to perform the following functions:

--Begin functions performed by the malware--
Download and upload files
Execute secondary payloads
Execute shell commands
Terminate running processes
Delete files
Search files
Set file attributes
Collect device information from installed storage devices (disk free space and their type)
List running processes information
Collect and send information about the victim's system
Securely download malicious DLLs and inject them into remote processes
--End functions performed by the malware--

The -h argument forces the RAT to connect to a C2 server, with libcurl (version 7.49.1) used for data transfers. Note: the rotating XOR cipher described above encodes all C2 traffic sent to and received from the external C2 server. Although the malware appears to expect a numeric IP address with the -h argument, it also accepts a host name. If a domain name is provided (e.g., domain.com), the malware resolves it with the Win32 API getaddrinfo(). If that call succeeds, the malware connects to the returned IP address. If the call to getaddrinfo() fails, the malware hashes the domain string with MD5, producing a 16-byte digest, takes bytes 4 through 8 of that digest (a four-byte slice) and XORs them with a four-byte value. The resulting four bytes are treated as a numeric IP address, and the malware attempts to connect to it. Note: all of the command line executables referenced within this product generate and connect to an IP address derived from the provided host string in this way when the call to getaddrinfo() fails.
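The fallback address derivation described above, as an added worked example that is not the report's own code. The report gives neither the four-byte XOR constant nor the order in which the masked hash bytes become an IP address, so both are placeholder assumptions here (a dummy constant, and the four bytes rendered in order as the dotted quad), and "bytes 4 through 8" is read as the four bytes at offsets 4-7 of the 16-byte digest. The name resolver is injected so that the example runs offline.

```python
import hashlib
import socket

# Placeholder: the report does not disclose the implant's XOR constant.
ASSUMED_XOR_KEY = b"\x11\x22\x33\x44"


def candidate_from_digest(digest, xor_key=ASSUMED_XOR_KEY):
    """Turn a 16-byte MD5 digest into the fallback IPv4 address.

    Takes the four bytes at offsets 4..7, XORs them with the key and renders
    them in order as a dotted quad (the byte order is an assumption)."""
    if len(digest) != 16 or len(xor_key) != 4:
        raise ValueError("need a 16-byte digest and a 4-byte key")
    masked = bytes(d ^ k for d, k in zip(digest[4:8], xor_key))
    return socket.inet_ntoa(masked)


def fallback_ip(domain, xor_key=ASSUMED_XOR_KEY):
    """MD5 the host string exactly as it was given on the command line."""
    return candidate_from_digest(hashlib.md5(domain.encode()).digest(), xor_key)


def resolve_like_implant(domain, resolver, xor_key=ASSUMED_XOR_KEY):
    """Mirror the reported order: getaddrinfo first, hash-derived IP on failure.

    resolver is a callable returning an IPv4 string or raising socket.gaierror,
    injected so the behaviour can be exercised without network access."""
    try:
        return resolver(domain), "dns"
    except socket.gaierror:
        return fallback_ip(domain, xor_key), "hash-fallback"


def failing_resolver(domain):
    """Stand-in for a getaddrinfo() call that cannot resolve the name."""
    raise socket.gaierror(f"constructed failure for {domain}")


def live_resolver(domain):
    """Real lookup, for use on a connected analysis box."""
    return socket.getaddrinfo(domain, None, socket.AF_INET)[0][4][0]


if __name__ == "__main__":
    for name in ("c2.example", "update.invalid"):
        ip, how = resolve_like_implant(name, failing_resolver)
        print(f"{name:<16} -> {ip:<16} ({how})")
```

Once the real constant and byte order are recovered from the unpacked sample, the same routine lets a defender precompute the fallback address for every host string observed in process command lines or service configurations and watch for connections to it, which matters because that address never appears in DNS logs.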

Screenshots

Figure 1 - XOR based cipher utilized by RAT to secure traffic between itself and the operator/C2 server.

Figure 2 - Malware loading the command to open the firewall.

Figure 3 - This structure is utilized to parse the proxy port or remote C2 server from the command line arguments.


This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

MAR-10265965-2.v1 – North Korean Trojan: SLICKSHOES

US-CERT All NCAS Products - Fri, 02/14/2020 - 14:00
Original release date: February 14, 2020
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as SLICKSHOES. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This sample is a Themida-packed dropper that decodes and drops a file, "C:\Windows\Web\taskenc.exe", which is itself a Themida-packed beaconing implant. The dropper does not execute the dropped file, nor does it schedule any task to run it. The dropped implant uses a custom network encoding algorithm and is capable of many functions, including conducting system surveys, file upload/download, process and command execution, and screen captures.

For a downloadable copy of IOCs, see MAR-10265965-2.v1.stix.

Submitted Files (1)

fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac (CCA9FBB11C194FC53015185B741887...)

IPs (1)

188.165.37.168

Findings

fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac

Tags

emotet
trojan

Details

Name: CCA9FBB11C194FC53015185B741887A8
Size: 3133440 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: cca9fbb11c194fc53015185b741887a8
SHA1: 9e7bf03a607558dafe146907db28d77fda81be22
SHA256: fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac
SHA512: a1d1747dbc96c14b45f345679c0f7ba38186458f4992eecf382dd0af6391b4224c1b487431d681f5ffd052839f2901bc6203ea81c3235efcd82061d60eb10618
ssdeep: 49152:bbcROoCHuumCvGyQwNr6Ljvhg1J/4fxcBhmdSP8sWNRy8kLn3o1Dn:jVHaaGyQG6npcJ4xcD5d2Ry8kDo
Entropy: 7.968879

Antivirus
Ahnlab                          Trojan/Win32.Agent
Antiy                           Trojan/Win32.Casdet
Avira                           TR/Crypt.TPM.Gen
BitDefender                     Gen:Variant.Barys.1619
ClamAV                          Win.Trojan.Agent-7376504-0
Cyren                           W32/Trojan.QBAU-3559
ESET                            a variant of Win32/Packed.Themida.AOO trojan
Emsisoft                        Gen:Variant.Barys.1619 (B)
Ikarus                          Trojan.Win32.Themida
K7                              Trojan ( 0040f4ef1 )
McAfee                          Trojan-Themida
Microsoft Security Essentials   Trojan:Win32/Emotet
NANOAV                          Trojan.Win32.TPM.ggaakh
Sophos                          Troj/Agent-BCXR
Symantec                        Trojan Horse
VirusBlokAda                    Trojan.Wacatac
Zillya!                         Trojan.Themida.Win32.3185

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2018-02-26 20:08:54-05:00
Import Hash: baa93d47220682c04d92f7797d9224ce

PE Sections
MD5                               Name       Raw Size  Entropy
0de0ceb73fba415dc20a730f628429a6  header     4096      0.816628
74520bd2f6bb3211bd82b6f9547ff207  (no name)  1572864   7.979303
32762b0a8ae1347aebaba811505cadcf  .rsrc      49152     4.290489
79cf217f58f3178dafbfe532c01ef5c4  .idata     512       1.308723
f0347e7e1ac9efb817c55b3ba9e5bf2d  (no name)  512       0.264678
4fb94c6713c62a51c1b230a2bc033fac  suylcrzz   1505792   7.954736
81610ae95a418f6ef9ef042b37a26c4a  ajqluhke   512       3.110274

Relationships
fdb87add07... Connected_To 188.165.37.168

Description

This sample is a Themida-packed dropper that decodes and drops an embedded file (MD5: B57DB76CC1C0175C4F18EA059D9E2AB2 / SHA256: 7250ccf4fad4d83d087a03d0dd67d1c00bf6cb8e7fa718140507a9d5ffa50b54) to C:\Windows\Web\taskenc.exe. This dropper does not execute the dropped file or create any auto-run keys or scheduled tasks to execute it.

The dropped file (taskenc.exe) is a Themida-packed beaconing implant with RAT functionality. The implant beacons to a hardcoded IP address (188.165.37.168) over the hardcoded TCP port 80 every 60 seconds. The initial beacon contains the string "ApolloZeus" as well as victim information, including OS version, user name, and IP address. All traffic, including the beacon, is encoded with a custom encoding algorithm. Because the implant decodes the hardcoded string "ApolloZeus" in place in memory, the first beacon contains the string in plaintext, the second beacon contains it encoded, and so on, alternating. This is probably unintended and an oversight by the developers.

--Begin Packet Format--
[8-byte data length][2-byte opcode][data]
--End Packet Format--

--Begin Victim Information--
OS Version
User name
IP address
--End Victim Information--
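The framing above, as an added example that is not the report's own code: a parser that splits an already-decoded SLICKSHOES byte stream into frames and keeps an incomplete trailing frame for the next read, the case a stream reassembler has to handle. The little-endian field order, the opcode values, the NUL separator in the sample beacon and the maximum frame size are this example's assumptions; the report documents only the field widths and the "ApolloZeus" marker.

```python
import struct

HEADER_LEN = 10                      # 8-byte length + 2-byte opcode
MAX_FRAME_LEN = 64 * 1024 * 1024     # sanity bound, this example's own choice
BEACON_MARKER = b"ApolloZeus"


def build_frame(opcode, data):
    """Encode one frame; little-endian field order is an assumption."""
    return struct.pack("<QH", len(data), opcode) + data


def parse_frames(stream):
    """Split a decoded byte stream into (opcode, data) tuples.

    Returns (frames, leftover). leftover holds an incomplete trailing frame
    so the caller can append the next TCP segment and call again."""
    frames = []
    offset = 0
    while offset + HEADER_LEN <= len(stream):
        length, opcode = struct.unpack_from("<QH", stream, offset)
        if length > MAX_FRAME_LEN:
            raise ValueError(f"implausible frame length {length} at offset {offset}")
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break                      # partial frame: wait for more bytes
        frames.append((opcode, bytes(stream[offset + HEADER_LEN:end])))
        offset = end
    return frames, bytes(stream[offset:])


def is_initial_beacon(data):
    """The first beacon carries the ApolloZeus marker followed by victim info."""
    return data.startswith(BEACON_MARKER)


# Constructed sample stream: a beacon, an empty frame, and a frame cut short
# as if its last TCP segment has not arrived yet.
SAMPLE_STREAM = (
    build_frame(0x0001, BEACON_MARKER + b"\x00Windows 7\x00alice\x0010.1.2.3")
    + build_frame(0x0002, b"")
    + build_frame(0x0003, b"dir C:\\")[:-3]
)

if __name__ == "__main__":
    frames, leftover = parse_frames(SAMPLE_STREAM)
    for opcode, data in frames:
        tag = "beacon" if is_initial_beacon(data) else "frame"
        print(f"{tag:<6} opcode={opcode:#06x} len={len(data)} data={data!r}")
    print(f"{len(leftover)} bytes waiting for the rest of a frame")
```

parse_frames expects bytes that have already been run through the decoding script given in this report. Note the consequence of the in-place decode described above: on the wire, the raw first beacon carries "ApolloZeus" in plaintext and the second carries it encoded, so a network signature on the literal string alone fires only on every other beacon.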

A Python3 script for decoding the traffic is displayed below:

--Begin Python3 Script--
def decode(enc):
    """Strip the custom encoding from captured SLICKSHOES traffic.

    enc is the raw bytes seen on the wire (iterating over bytes yields
    ints). Each output byte is the input XORed with the low byte of
    key3 ^ key1; the three key words are then advanced as a rolling
    keystream. Python precedence applies (& before ^, shifts before both).
    """
    dec = bytearray()
    key1 = 0x49
    key2 = 0x1310a024
    key3 = 0xa323da32

    for e in enc:
        dec.append((e ^ key3 ^ key1) & 0xff)
        tmp1 = key3 >> 8
        key1 = (key2>>0x10) & (key2>>8) & key2 ^ (key3>>0x10) & tmp1 ^ key3 & key1 ^ (key3>>0x18)
        tmp2 = key3 * 2 ^ key3
        # State update kept exactly as published. key3 is not masked to 32
        # bits here, so it grows beyond a 32-bit register's width; if a
        # decode of captured traffic diverges after the first few bytes,
        # compare against a variant that masks key2 and key3 with 0xffffffff.
        key3 = key2 << 0x18 | key3 >> 8
        key2 = (tmp2 & 0x1fe) << 0x16 | key2 >> 8
    return bytes(dec)
--End Python3 Script--

Screenshots

Figure 1 - Implant Functionality.

188.165.37.168

Ports
  • 80 TCP

Relationships
188.165.37.168 Connected_From fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac

Description

Hardcoded C2 address used in implant.

Relationship Summary fdb87add07... Connected_To 188.165.37.168 188.165.37.168 Connected_From fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

MAR-10265965-1.v1 – North Korean Trojan: BISTROMATH

US-CERT All NCAS Products - Fri, 02/14/2020 - 14:00
Original release date: February 14, 2020
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as BISTROMATH. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at multiple versions of a full-featured RAT implant executable and multiple versions of the CAgent11 GUI implant controller/builder. These samples perform simple XOR network encoding and are capable of many features, including conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard, and the screen. The GUI controllers allow interaction with the implant as well as the option to dynamically build new implants with customized options. The implants are loaded by a trojanized executable containing a fake bitmap that decodes into shellcode, which in turn loads the embedded implant.

For a downloadable copy of IOCs, see MAR-101265965-1.v1.stix.

Submitted Files (5)

04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 (96071956D4890AEBEA14ECD8015617...)

1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 (688890DDBF532A4DE7C83A58E6AA59...)

618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 (0AE8A7B6B4D70C0884095629FC02C1...)

738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 (C51416635E529183CA5337FADE8275...)

b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32 (26520499A3FC627D335E34586E99DE...)

Additional Files (2)

133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f (a21171923ec09b9569f2baad496c9e...)

43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c (83833f8dbdd6ecf3a1212f5d1fc3d9...)

IPs (1)

159.100.250.231

Findings

1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39

Tags

backdoor, emotet, trojan

Details
Name: 688890DDBF532A4DE7C83A58E6AA594F
Name: ss.exe
Size: 1102926 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 688890ddbf532a4de7c83a58e6aa594f
SHA1: d8f6a7f32c929ce9458691447ff1cf6d180588c8
SHA256: 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
SHA512: 8484bea6adf27c2323632c3e94f91eb313e341622b5696b0d24105be1f24fa356f5fceb8fcf691e2d309fd24f7d8bb41fd7b682c29193128a0ed55e9ef3df3b1
ssdeep: 24576:kgWxnOH3vvS+7nD03glQ1J6cS2lvyip5HkRpB7T4IRMh3y:kgWZMvSKnY3DJLSoORT7ThAC
Entropy: 7.951069

Antivirus
Ahnlab: Trojan/Win32.Bmdoor
Antiy: Trojan[Backdoor]/Win32.Androm
Avira: TR/Injector.ukfuc
BitDefender: Trojan.GenericKD.41987827
ClamAV: Win.Trojan.Agent-7376538-0
Cyren: W32/Trojan.IZTF-2035
ESET: a variant of Win32/Injector.DQTY trojan
Emsisoft: Trojan.GenericKD.41987827 (B)
Ikarus: Trojan.Win32.Injector
K7: Riskware ( 0040eff71 )
McAfee: Trojan-Injector.c
Microsoft Security Essentials: Trojan:Win32/Agentesla!MTB
NANOAV: Trojan.Win32.Androm.ghyuau
Sophos: Troj/Inject-ETF
Symantec: Backdoor.Tidserv
Systweak: trojan.injector
TACHYON: Backdoor/W32.Androm.1102926
TrendMicro: TROJ_FR.7170E263
TrendMicro House Call: TROJ_FR.7170E263
VirusBlokAda: Backdoor.Androm
Zillya!: Backdoor.Androm.Win32.44606

YARA Rules
rule CryptographyFunction
{
    meta:
        author = "CISA trusted 3rd party"
        incident = "10271944.r1.v1"
        date = "2019-12-25"
        category = "Hidden_Cobra"
        family = "HOTCROISSANT"
    strings:
        $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7] 33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5] C1 [1-5] 33 [1-4] C1 [1-5] C1 }
    condition:
        uint16(0) == 0x5A4D and any of them
}

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2008-01-17 10:34:19-05:00
Import Hash: 68d3c5fd0c41042f190fa12a4eebfe1b

PE Sections
MD5                               Name    Raw Size  Entropy
0b8ab9af886c4161371944bd46af685d  header  1024      2.484025
0cc984b88cda683bad52d886fbadf22d  .text   77824     6.585222
d7200a9095f81e46d89eb2175a7d16ba  .rdata  21504     4.940483
56eae295cdc645a889cc51643c19ca1c  .data   5632      3.200450
31d4e62663767a64bd72b957df2bed2e  .rsrc   1536      4.029623
c7a9818fe1b1f64be18f67db25dbed6d  .reloc  7680      4.982554

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?

Relationships
1ea6b3e99b... Connected_To 159.100.250.231
1ea6b3e99b... Contains 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c

Description

The samples use a PlanetCPP.com ‘RichEdit example’ executable to obfuscate the call to a decryption function that decodes an embedded ‘fake’ bitmap image into the configuration and shellcode. When the malicious function is called, it deobfuscates API pointers, loads the full file into memory, calculates an offset into that memory to the ‘fake’ bitmap image, decodes the image, which yields the configuration options and the shellcode, and then executes the shellcode.

The embedded shellcode has many selectable options.

----------Begin Shellcode Options----------
- option00: Embedded vs Downloaded payload
   0 -> payload embedded within own file at offset (option27 + option28 + option22)
   1 -> Download payload from url <option30> to %temp%\<option31>\RGID3D88.tmp

- option01: True -> check for vm artifacts:
   registry checks:
       VMWARE Scsi device
       VBOX Scsi device
       QEMU Scsi device
       SOFTWARE\Vmware,Inc.\Vmware_Tools
       HARDWARE\Description\System\SystemBiosVersion == "VBOX"
       HARDWARE\Description\System\SystemBiosVersion == "QEMU"
       HARDWARE\Description\System\SystemBiosVersion == "BOCHS"
       HARDWARE\Description\System\VideoBiosVersion == "VIRTUALBOX"
       HARDWARE\Description\System\SystemBiosDate == 06/23/99
       SOFTWARE\Oracle\VirtualBox_Guest_Additions        
       HARDWARE\ACPI\DSDT\VBOX_
       HARDWARE\ACPI\FADT\VBOX__
       HARDWARE\ACPI\RSDT\VBOX__
       SYSTEM\ControlSet001\Services\VBoxGuest
       SYSTEM\ControlSet001\Services\VBoxMouse
       SYSTEM\ControlSet001\Services\VBoxService
       SYSTEM\ControlSet001\Services\VBoxSF
       SYSTEM\ControlSet001\Services\VBoxVideo
   file checks:
       C:\WINDOWS\system32\drivers\vmmouse.sys
       C:\WINDOWS\system32\drivers\vmhgfs.sys
       \\.\HGFS
       \\.\vmci
       C:\WINDOWS\system32\drivers\VBoxMouse.sys
       C:\WINDOWS\system32\drivers\VBoxGuest.sys
       C:\WINDOWS\system32\drivers\VBoxSF.sys
       C:\WINDOWS\system32\drivers\VBoxVideo.sys
       C:\WINDOWS\system32\vboxdisp.dll
       C:\WINDOWS\system32\vboxhook.dll
       C:\WINDOWS\system32\vboxmrxnp.dll
       C:\WINDOWS\system32\vboxogl.dll
       C:\WINDOWS\system32\vboxoglarrayspu.dll
       C:\WINDOWS\system32\vboxoglcrutil.dll
       C:\WINDOWS\system32\vboxoglerrorspu.dll
       C:\WINDOWS\system32\vboxoglfeedbackspu.dll
       C:\WINDOWS\system32\vboxoglpackspu.dll
       C:\WINDOWS\system32\vboxoglpassthroughspu.dll
       C:\WINDOWS\system32\vboxservice.exe
       C:\WINDOWS\system32\vboxtray.exe
       C:\WINDOWS\system32\VBoxControl.exe
       C:\program_files\oracle\virtualbox_guest_additions
       \\.\VBoxMiniRdrDN
       \\.\pipe\VBoxMiniRdDN
       \\.\VBoxTrayIPC
       \\.\pipe\VBoxTrayIPC        
   Network Adapter checks:
       Check for Vmware MAC addresses
       Check for VirtualBox MAC addresses
       Check for VMware network adapter
   Window Checks:
       VBoxTrayToolWndClass
       VBoxTrayToolWnd
   Process Checks:
       vboxservice.exe
       vboxtray.exe
   Loaded DLLs:
       vmcheck.dll

- option02: True -> check for sandbox artifacts:
   Verify spin loops aren't skipped
   Verify kernel32 doesn't contain export "wine_get_unix_file_name"
   Verify Numa api calls are not bypassed
   Loaded DLLs:
       SbieDll.dll
       api_log.dll
       dir_watch.dll
       dbghelp.dll
       wpespy.dll
   registry checks:
       SOFTWARE\Wine
   file checks:
       C:\sandbox\sandbox.exe    
       C:\sandbox\sbfwe.dll    
   username checks:
       SANDBOX
       VIRUS
       MALWARE
       SCHMIDTI
       CURRENTUSER
       ANDY
   current directory checks:
       VIRUS
       SANDBOX
       SAMPLE

- option03: True -> check for debugging artifacts:    
   API calls:
       IsDebuggerPresent
       CheckRemoteDebuggerPresent
       NtQueryInformationProcess
       GetThreadContext
       OutputDebugString

- option04: Check if certain processes are running:
   0 -> ignored
   1 -> exit if specific processes are running
   2 -> exit if specific processes are not running
   parses option31_array_+0x200 for a list of ;,: separated process names

- option05: Queries Software\Microsoft\Windows\CurrentVersion\Uninstall keys
   exits if return value is != 0

- option06: Check for specific languages
   0 -> ignored
   1 -> exit if current language is found in list
   2 -> exit if current language is not found in list
   parses option31_array_+0x4b0 for a list of ;,: separated languages

- option07: Check for specific usernames
   0 -> ignored
   1 -> exit if current username is found in list
   2 -> exit if current username is not found in list
   parses option31_array_+0x6b8 for a list of ;,: separated usernames

- option08: Check for specific computernames
   0 -> ignored
   1 -> exit if current computername is found in list
   2 -> exit if current computername is not found in list
   parses option31_array_+0x8ac for a list of ;,: separated computernames

- option09: Also queries Software\Microsoft\Windows\CurrentVersion\Uninstall keys (exact purpose not determined)
   exits if return value is < option09_value

- option10: integer value -> exits if there are fewer than this many processes running

- option11-14: Check for system/drive info
   11==0x001 -> exit if number of processors <= option12
   11==0x010 -> exit if total physical memory <= option13
   11==0x100 -> exit if total harddisk space <= option14

- option12/27/28: if True -> exploit dll hijack in cliconfg.exe (SQL Server Client Network Utility)
   dumps a number (option28) of bytes from an offset (option27) of this file into %temp%\ntwdblib.dll
   creates a Software\Claiomh registry key
   executes cliconfg.exe (which loads ntwdblib.dll)

- option16: Set EnableLUA registry key
   SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to <option16>

- option17: Create Persistence
   0 -> ignored
   1 -> Add registry key to Software\Microsoft\Windows\CurrentVersion\Run using a name from option31_array_+0x960
   2 -> Copy self into Startup folder
   3 -> Create an hourly Scheduled Task called "System Backup"

- option18/23: Process Hollowing vs Drop/Execute
   == 0 -> Do Process Hollowing
   != 0 -> Dump payload to file and execute directly:
       write to %temp%\RT5380.exe using own file offset (option27 + option28 + option22) and execute
       write to %temp%\<option30> using own file offset (option27 + option28 + option22) and execute
       check option23:
           ==0 -> ignored
           !=0 -> delete self and replace self with the dropped file

- option19: Process to create/hollow/inject/execute
   0 -> self
   1 -> svchost.exe
   2 -> conhost.exe
   3 -> explorer.exe
   4 -> value of "http\shell\open\command" registry key
   5 -> <option33>

- option20: Sleep timer
   Milliseconds to sleep before doing process hollowing

- option21/26: Kill timer
   0 -> ignored
   1 -> if timestamp of module + <option26> >= currentTime -> remove persistence, delete self, exit process

- option29/34/35: move file to desired location, delete old file, and execute from new location
   additional path is in option34
   new filename is in option35
   0 -> C:\
   1 -> %windir%
   2 -> %system%
   3 -> %programfiles%
   4 -> %programfiles%\Common Files\
   5 -> C:\ProgramData\
   6 -> %userprofile%
   7 -> %userprofile%\Documents\
   8 -> %temp%
   9 -> %userprofile%\Favorites\
   10 -> %appdata%
   11 -> %localappdata%

- option36: char[40] - Unknown - Possibly adds a mutex to the hollowed process to enforce a single execution
   Uses argument to create a named mutex
   Injects additional code into the hollowed process (from offset 0x28c0)
   Injects <option36> into the hollowed process
   Creates another remote thread in the hollowed process pointing at offset 0x465a of the newly injected memory
----------End Shellcode Options----------
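Host-side detection for the loader options above, as an added example written for this page (it is not CISA's code and was not taken from the samples). It runs a handful of checks over constructed Sysmon-style events for the artifacts the shellcode leaves behind when the corresponding options are enabled: cliconfg.exe loading ntwdblib.dll from outside System32 (the option12/27/28 DLL hijack), creation of the Software\Claiomh key, a write to the EnableLUA policy value (option16), a scheduled task named "System Backup" (option17 = 3), a dropped %temp%\RT5380.exe or ntwdblib.dll (option18 and the hijack), and a connection to the hard-coded C2 159.100.250.231 on port 80 or 8080. Field names follow Sysmon's schema (Image, ImageLoaded, TargetObject, TargetFilename, DestinationIp); the sample events are constructed, and the assumption that the scheduled task shows up as a file created under \Windows\System32\Tasks\ is mine, not the report's.

```python
"""Flag host artifacts of the BISTROMATH loader in Sysmon-style events."""
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

C2_IPS = {"159.100.250.231"}   # hard-coded C2 reported for these samples
C2_PORTS = {80, 8080}          # ports observed on the C2 in the report


def _low(ev: Event, key: str) -> str:
    """Case-insensitive view of a string field; Windows paths and keys are case-insensitive."""
    return str(ev.get(key, "")).lower()


def check_event(ev: Event) -> List[str]:
    """Return the findings for one event (empty list if nothing matched)."""
    hits: List[str] = []
    eid = ev.get("EventID")

    if eid == 7:  # image loaded
        image, loaded = _low(ev, "Image"), _low(ev, "ImageLoaded")
        # cliconfg.exe lives in System32; a copy of ntwdblib.dll loaded from
        # anywhere else (the loader uses %temp%) is the hijack in action.
        if (image.endswith("\\cliconfg.exe") and loaded.endswith("\\ntwdblib.dll")
                and "\\windows\\system32\\" not in loaded):
            hits.append("cliconfg.exe sideloaded ntwdblib.dll from " + str(ev["ImageLoaded"]))

    elif eid in (12, 13):  # registry key created / value set
        target = _low(ev, "TargetObject")
        if "\\software\\claiomh" in target:
            hits.append("Software\\Claiomh registry key touched")
        if target.endswith("\\policies\\system\\enablelua"):
            hits.append("EnableLUA policy modified: " + str(ev.get("Details", "")))

    elif eid == 11:  # file created
        name = _low(ev, "TargetFilename")
        # ASSUMPTION: the task is registered through Task Scheduler, which
        # materialises it as a file named after the task under System32\Tasks.
        if name.endswith("\\windows\\system32\\tasks\\system backup"):
            hits.append("scheduled task 'System Backup' registered")
        if name.endswith("\\rt5380.exe") or name.endswith("\\ntwdblib.dll"):
            hits.append("loader dropped " + str(ev["TargetFilename"]))

    elif eid == 3:  # network connection
        if _low(ev, "DestinationIp") in C2_IPS and int(ev.get("DestinationPort", 0)) in C2_PORTS:
            hits.append("connection to BISTROMATH C2 %s:%s"
                        % (ev["DestinationIp"], ev["DestinationPort"]))
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run check_event over a batch; returns (event index, finding) pairs."""
    return [(idx, h) for idx, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample events (not from a real incident), shaped like Sysmon output.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 11, "Image": "C:\\Users\\victim\\Downloads\\ss.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\ntwdblib.dll"},
    {"EventID": 12, "Image": "C:\\Users\\victim\\Downloads\\ss.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Claiomh"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\cliconfg.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\ntwdblib.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\cliconfg.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},          # benign load
    {"EventID": 13, "Image": "C:\\Users\\victim\\Downloads\\ss.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\Tasks\\System Backup"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "159.100.250.231", "DestinationPort": 8080},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},      # benign
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, finding))
```

Each check is deliberately tied to a concrete artifact from the option list rather than to the sample hashes, so it keeps working when the operator rebuilds the loader with the CAgent11 builder; the C2 address is the only indicator here that a rebuild would trivially change.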

Screenshots

Figure 1: Implant Functionality -

618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6

Tags

dropper, emotet, keylogger, spyware, trojan

Details
Name: 0AE8A7B6B4D70C0884095629FC02C19C
Name: CAgent11.exe
Size: 13498368 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0ae8a7b6b4d70c0884095629fc02c19c
SHA1: 9efa2d68932ff24cb18eb7e35aa5f91ce99596e8
SHA256: 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6
SHA512: 08f724812cbeff4020ac3fb07cafec5cde17f53f4644d554351cf4056907a6363d5b21ed3720976820307b43a543e81c6cc27c241f4449fd92aae6ad58b75995
ssdeep: 196608:Klq/1ui17DaLU1l4O5dm/+f99FLOyomFHKnPG:GcvlmLMg/299F
Entropy: 5.658332

Antivirus
Ahnlab: Dropper/Win32.Keylogger
Antiy: Trojan[Spy]/Win32.Agent
Avira: HEUR/AGEN.1038092
Cyren: W32/Agent.RBBJ-4429
ESET: a variant of Win32/Spy.Agent.PUH trojan
Ikarus: Trojan-Spy.Agent
K7: Spyware ( 00555d821 )
McAfee: Trojan-Injector.d
Microsoft Security Essentials: Trojan:Win32/Emotet
NANOAV: Trojan.Win32.Graftor.ggzicq
NetGate: Trojan.Win32.Malware
Sophos: Troj/Agent-BCXS
Symantec: Trojan Horse
Systweak: malware.keylogger
TACHYON: Trojan/W32.Keylogger.13498368
VirusBlokAda: TrojanSpy.Agent
Zillya!: Trojan.Agent.Win32.1169060

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-03-21 21:12:17-04:00
Import Hash: c4406c66f7ca84ffb881d843c49acbd6

PE Sections
MD5                               Name      Raw Size  Entropy
e7e02cd4a189cea5efaa8fb36509aa45  header    1024      3.530105
d41d8cd98f00b204e9800998ecf8427e  .textbss  0         0.000000
5db50cefbb12a73d10aad429548befe7  .text     7047680   5.565086
e9a63040b7f3e75b5746d8202d8594f5  .rdata    904704    4.415613
1e815bbe0c5cadf4953bbaac6259dcaa  .data     40448     4.299279
16342b710a408579ee34f3ccf9927331  .idata    28672     5.161732
c573bd7cea296a9c5d230ca6b5aee1a6  .tls      1024      0.011174
011d6c8672f924dc710a68acb6bc74f9  .00cfg    512       0.061163
867de3faa85f377519582ed29a83384c  .rsrc     5123072   4.951562
e74f13482e13eb316d544b69a046ff15  .reloc    351232    6.011950

Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0

Description

See analysis for "04D70BB249206A006F83DB39BBE49FF6E520EA329E5FBB9C758D426B1C8DEC30".

Implants built with sample "04D70BB249206A006F83DB39BBE49FF6E520EA329E5FBB9C758D426B1C8DEC30" are not compatible with this controller, and vice versa.

b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32

Tags

backdoor, emotet, trojan

Details
Name: 26520499A3FC627D335E34586E99DE7A
Name: ADManager.exe
Size: 1120318 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 26520499a3fc627d335e34586e99de7a
SHA1: df10c097e42dbe7ea4478a984c5e2ab586147519
SHA256: b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32
SHA512: 898ab1a1cd5a731e94a7b4c0a274e81092fe6de2ea888b3db2d22cf4d0bacbbb36f486152ff10f61f054091aee421f00d89a8741fce0f370cc14d80a62f77bc3
ssdeep: 24576:3gWPfTO4H59Z6PTvnh2gf2JfvoioZ74XKBpNCY+SOToKMcxGa52w:3gW3S4Z9ATcggox4wpwYq9Mcx3B
Entropy: 7.953591

Antivirus
Ahnlab: Backdoor/Win32.Androm
Antiy: Trojan[Backdoor]/Win32.Androm
Avira: TR/Injector.cskrn
BitDefender: Trojan.GenericKD.41987802
ClamAV: Win.Trojan.Agent-7376533-0
Cyren: W32/Androm.DKHG-0510
ESET: a variant of Win32/Injector.DQTY trojan
Emsisoft: Trojan.GenericKD.41987802 (B)
Ikarus: Trojan.Win32.Injector
K7: Riskware ( 0040eff71 )
McAfee: Trojan-Injector.c
Microsoft Security Essentials: Trojan:Win32/Agentesla!MTB
NANOAV: Trojan.Win32.Androm.ggadbc
Sophos: Troj/Inject-ETF
Symantec: Trojan Horse
Systweak: trojan.injector
TACHYON: Backdoor/W32.Androm.1120318
TrendMicro: TROJ_FR.7170E263
TrendMicro House Call: TROJ_FR.7170E263
VirusBlokAda: Backdoor.Androm
Zillya!: Backdoor.Androm.Win32.44606

YARA Rules
rule CryptographyFunction
{
    meta:
        author = "CISA trusted 3rd party"
        incident = "10271944.r1.v1"
        date = "2019-12-25"
        category = "Hidden_Cobra"
        family = "HOTCROISSANT"
    strings:
        $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7] 33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5] C1 [1-5] 33 [1-4] C1 [1-5] C1 }
    condition:
        uint16(0) == 0x5A4D and any of them
}

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-03-26 09:21:10-04:00
Import Hash: 68d3c5fd0c41042f190fa12a4eebfe1b

PE Sections
MD5                               Name    Raw Size  Entropy
a507172c7e89d3f88c70c4fd6827a522  header  1024      2.476553
0cc984b88cda683bad52d886fbadf22d  .text   77824     6.585222
d7200a9095f81e46d89eb2175a7d16ba  .rdata  21504     4.940483
56eae295cdc645a889cc51643c19ca1c  .data   5632      3.200450
58dbdc33cb7f42b5e3a9f0fcc94d6b1f  .rsrc   1024      4.796047
c7a9818fe1b1f64be18f67db25dbed6d  .reloc  7680      4.982554

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?

Relationships
b6811b4202... Connected_To 159.100.250.231
b6811b4202... Contains 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f

Description

See analysis for file "1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39" for additional details.

738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790

Tags

trojan

Details
Name: C51416635E529183CA5337FADE82758A
Name: server.exe
Size: 947200 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: c51416635e529183ca5337fade82758a
SHA1: 830368d88b661d09c084e484713effb8d230d328
SHA256: 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790
SHA512: 244b67e0b9e9ab2fa6ccceeb4ad71207f1d8371af9c69af93bcc15cc8b592aca54e9c241d439b94ed28923d4622050fccdc38b326a8d15b824301cf0aae46cb0
ssdeep: 24576:9oV9SPwODditnxk93QKTrCEgqAGYOEgJZ+0Mn:9o2I2du23QxErv7ESZ+7n
Entropy: 6.703705

Antivirus
Ahnlab: Malware/Win32.Generic
Antiy: Trojan/Win32.AGeneric
Avira: HEUR/AGEN.1038092
BitDefender: Trojan.GenericKD.32683846
ClamAV: Win.Trojan.Agent-7376468-0
Cyren: W32/Agent.KUBI-8127
ESET: a variant of Win32/Agent.SSC trojan
Emsisoft: Trojan.GenericKD.32683846 (B)
Ikarus: Trojan.Win32.Agent
K7: Trojan ( 0027657e1 )
McAfee: Generic Trojan.sh
NANOAV: Trojan.Win32.TrjGen.ghyubn
Sophos: Troj/Agent-BCXS
Symantec: Trojan Horse
Systweak: malware.passwordstealer
TrendMicro: TROJ_FR.7170E263
TrendMicro House Call: TROJ_FR.7170E263
VirusBlokAda: BScope.TrojanSpy.Agent
Zillya!: Trojan.Agent.Win32.1168332

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-04-13 23:44:03-04:00
Import Hash: d31e404296b957729148721e11f3bc88

PE Sections
MD5                               Name    Raw Size  Entropy
1db5d7f5d8e2fa35f4077d3c28b60ae7  header  1024      3.229935
6f6469c660281de2c72fa3685d55a8ec  .text   710656    6.655052
0847400b5430782ad644a30cd8240c73  .rdata  167424    5.776485
77ab2f92d6177b9e39430447aa595073  .data   37376     5.315603
1f354d76203061bfdd5a53dae48d5435  .tls    512       0.020393
1704ffd93e9d463dc42784bc03bbfd5d  .gfids  512       2.779799
850aa99c8c1a85dc7545811d66bb0c17  .rsrc   512       4.717679
48da542e50cc8e12bdb9cab38a8ce0cb  .reloc  29184     6.576636

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?

Relationships
738ba44188... Connected_To 159.100.250.231

Description

This sample is a full-featured RAT executable.

See analysis for file "1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39" for additional details. This sample varies slightly in the following ways.

Victim_info for this version contains Unicode strings. The RAT is controllable by an unknown variant of CAgent.exe.

04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30

Tags

dropper, emotet, keylogger, spyware, trojan

Details
Name: 96071956D4890AEBEA14ECD8015617CC
Name: CAgent11.exe
Size: 7014400 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 96071956d4890aebea14ecd8015617cc
SHA1: 49e16180795034a4888fff776968e29871f79340
SHA256: 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30
SHA512: 29abd5fa0c24e42916631f830b6860027dcefdfd320978bee389e55f4f04278668ec4cfb67e5b1c8b7133338cc0fb09ffae28c5cf6d5226d1f9e44381db17c41
ssdeep: 98304:SC6l4uHxECiYwS2BsszjfisjJiBg1pDClmMFLOAkGkzdnEVomFHKnP:P44uHi0mFi+1p+FLOyomFHKnP
Entropy: 5.907837

Antivirus
Ahnlab: Dropper/Win32.Keylogger
Avira: HEUR/AGEN.1038092
BitDefender: Trojan.GenericKD.32683845
Cyren: W32/Trojan.KVTC-7019
ESET: a variant of Win32/Spy.Agent.PUH trojan
Emsisoft: Trojan.GenericKD.32683845 (B)
Ikarus: Trojan-Spy.Agent
K7: Spyware ( 00555d821 )
McAfee: Trojan-Injector.d
Microsoft Security Essentials: Trojan:Win32/Emotet
NANOAV: Trojan.Win32.TrjGen.ghyuap
Sophos: Troj/Agent-BCXS
Symantec: Trojan Horse
Systweak: malware.keylogger
TACHYON: Trojan/W32.Keylogger.7014400
TrendMicro: TROJ_FR.7170E263
TrendMicro House Call: TROJ_FR.7170E263
VirusBlokAda: TrojanSpy.Agent
Zillya!: Trojan.Agent.Win32.1168788

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2017-03-26 00:28:24-04:00
Import Hash: 0937a296014c778f116e3990f06e314b

PE Sections
MD5                               Name    Raw Size  Entropy
a9fb26d3d4f4a80f2c2f7aeb1201325a  header  1024      3.391911
c788578d4f02ac011ffabd20db4506f3  .text   1619456   6.522579
7a1b03c4f7501d6f82d34a01fe9cf6b7  .rdata  348160    5.245418
50c4f4eab880975227b9b4d454941979  .data   24064     4.732755
b9af73df5ec7fb7a68b1c00d83e6b404  .gfids  111104    4.230152
52f93ebec3bc0c9da8e85ddf5ad812f4  .giats  512       0.155178
1f354d76203061bfdd5a53dae48d5435  .tls    512       0.020393
e0376d74c0a0f746949b4647d35ef424  .rsrc   4774400   5.470347
9011be24e5ab8066360bd7d0af07cea6  .reloc  135168    6.491093

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?

Description

This sample is a GUI implant controller titled “Cyber Agent v11.0”. It is capable of dynamically building new bot payloads with the following options:

--------Begin Payload Options----------
Callback IP
Callback Port
Beacon Interval
Output Path
--------End Payload Options----------

victim_info (see analysis for "43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c") is displayed for each implant beacon received. The controller can establish Remote Desktop viewer, drive enumeration, file upload/download, list processes and services, reverse shell, microphone capture and recording, keylogger, browser activity, cached passwords, and DLL loading and unloading. The controller has the ability to provide implants with an Update URL as well as an option to uninstall all bots.

159.100.250.231 Ports
  • 80 TCP
  • 8080 TCP
Whois

% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.arin.net

inetnum:     159.0.0.0 - 159.255.255.255
organisation: Administered by ARIN
status:     LEGACY

whois:        whois.arin.net

changed:     1993-05
source:     IANA

# whois.arin.net

NetRange:     159.100.0.0 - 159.101.255.255
CIDR:         159.100.0.0/15
NetName:        RIPE-ERX-159-100-0-0
NetHandle:     NET-159-100-0-0-1
Parent:         NET159 (NET-159-0-0-0-0)
NetType:        Early Registrations, Transferred to RIPE NCC
OriginAS:    
Organization: RIPE Network Coordination Centre (RIPE)
RegDate:        2003-10-29
Updated:        2003-10-29
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
Ref:            https://rdap.arin.net/registry/ip/159.100.0.0

ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net


OrgName:        RIPE Network Coordination Centre
OrgId:         RIPE
Address:        P.O. Box 10096
City:         Amsterdam
StateProv:    
PostalCode:     1001EB
Country:        NL
RegDate:        
Updated:        2013-07-29
Ref:            https://rdap.arin.net/registry/entity/RIPE

ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/search/query.html

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef:    https://rdap.arin.net/registry/entity/RNO29-ARIN

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3850-ARIN


# whois.ripe.net

inetnum:        159.100.245.0 - 159.100.255.255
netname:        Akenes
descr:         Exoscale Open Cloud DK2
descr:         Exoscale cloud hosting https://www.exoscale.ch
descr:         *******************************************************
descr:         * These IPs are customer assigned STATIC IPs.
descr:         * In case of abuse, please do NOT block entire
descr:         * network as IPs of this block are assigned as /32
descr:         * to individual customers.
descr:         *******************************************************
descr:         * For abuse-complaints please use
descr:         * only abuse@exoscale.ch.
descr:         *******************************************************
country:        CH
admin-c:        AC22866-RIPE
tech-c:         LLL1007-RIPE
status:         LEGACY
mnt-by:         Exoscale-MNT
created:        2017-11-20T10:37:49Z
last-modified: 2017-11-20T10:37:49Z
source:         RIPE

person:         Antoine COETSIER
address:        Boulevard de Grancy 19A
address:        1006 Lausanne
address:        SWITZERLAND
phone:         +41 58 255 00 66
nic-hdl:        AC22866-RIPE
mnt-by:         Exoscale-MNT
created:        2013-02-08T14:10:06Z
last-modified: 2019-04-11T05:30:08Z
source:         RIPE # Filtered

person:         Loic Lambiel
address:        Boulevard de Grancy 19A
address:        1006 Lausanne
address:        Switzerland
phone:         +41 58 255 00 66
nic-hdl:        LLL1007-RIPE
mnt-by:         Exoscale-MNT
created:        2013-02-15T10:16:52Z
last-modified: 2019-04-11T05:31:04Z
source:         RIPE # Filtered

% Information related to '159.100.248.0/21AS61098'

route:         159.100.248.0/21
origin:         AS61098
mnt-by:         Exoscale-MNT
created:        2016-12-14T10:12:52Z
last-modified: 2016-12-14T10:12:52Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.95.1 (WAGYU)

Relationships
159.100.250.231 Connected_From 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
159.100.250.231 Connected_From b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32
159.100.250.231 Connected_From 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790
159.100.250.231 Connected_From 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c

Description

Hard-coded C2 address used by these RATs.

43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c

Tags

keylogger, spyware, trojan

Details
Name: 83833f8dbdd6ecf3a1212f5d1fc3d9dd
Size: 905216 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 83833f8dbdd6ecf3a1212f5d1fc3d9dd
SHA1: 77a2272633eb64e4c16f8ea4466dba59ecc92292
SHA256: 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c
SHA512: cda12a75b1d6524fe8856d6ef359ab58785e2c56ca4fec613b851a6730d24b8141dfdd00fba62f2865b8cc4606e85b258c02d71ccd45fcde769514eea88b23ff
ssdeep: 24576:AECw5N98knVurfj9gbYX91XdKo1ldrtD9:AECwz9fqfj59NwuldrF
Entropy: 6.710436

Antivirus
Ahnlab: Trojan/Win32.KeyLogger
Antiy: Trojan/Win32.AGeneric
Avira: HEUR/AGEN.1038092
BitDefender: Gen:Variant.Graftor.679285
ClamAV: Win.Trojan.Agent-7376468-0
ESET: a variant of Win32/Spy.Agent.PUH trojan
Emsisoft: Gen:Variant.Graftor.679285 (B)
Ikarus: Trojan-Spy.Agent
K7: Spyware ( 00555d821 )
NANOAV: Trojan.Win32.Graftor.ggzicq
Sophos: Troj/Agent-BCXS
Symantec: Heur.AdvML.B
VirusBlokAda: BScope.TrojanSpy.Agent
Zillya!: Trojan.Agent.Win32.1170395

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2008-01-17 10:34:19-05:00
Import Hash: 3b7df90688bca84764a888c49f25e8b9

PE Sections
MD5                               Name    Raw Size  Entropy
064a795c4019629fd03c3d47c823cd49  header  1024      3.330520
ec60b9f4b78b0f79ea9d15910baf3d8d  .text   672768    6.660080
3dd902a53e33d4f6b014f6a677620252  .rdata  164864    5.832569
0c88a9a99d1c3cb1b61009a6acb2539e  .data   37376     5.304517
1f354d76203061bfdd5a53dae48d5435  .tls    512       0.020393
d5ea2a2452a9733e2cc63487e98b387d  .gfids  512       2.821174
f42c4819230ff4b40b0e52850c134b08  .rsrc   512       4.708237
a1862d52a23162d56421552f09f1ca85  .reloc  27648     6.587842

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?

Relationships
43193c4efa... Contained_Within 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
43193c4efa... Connected_To 159.100.250.231

Description

This sample is a full-featured RAT executable contained within "1EA6B3E99BBB67719C56AD07F5A12501855068A4A866F92DB8DCDEFAFFA48A39".

See Figure 1 for the full list of commands. A hard-coded C2 address of 159.100.250.231 on port 8080 is contained within the sample. The RAT is controllable by CAgent.exe variant "618A67048D0A9217317C1D1790AD5F6B044EAA58A433BD46EC2FB9F9FF563DC6".

The Imports are obfuscated by prepending "CARAT_" to the API names.

Packets are formatted in the following format:

----------Begin Packet Formatting---------
[OPCODE] [4 Bytes length of data] [data]
----------Begin Packet Formatting---------

Packets are encoded by XORing the data after the header with the single-byte key 0x07. The implant initiates a callback to the C2, then immediately sends its victim_info.

----------Begin Victim_Info----------
•    Language
•    Country
•    Victim_ID
•    Computer_Name
•    User_Name
•    Implant_Version = "11.0"
•    Victim_IP
•    System_Architecture
•    Drive_Letters
•    OS_Version
----------End Victim_Info----------

133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f

Tags

trojan

Details

Name: a21171923ec09b9569f2baad496c9e16
Size: 922624 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: a21171923ec09b9569f2baad496c9e16
SHA1: 35ba8e39e6c8234ad55baf27130bb696179b7681
SHA256: 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f
SHA512: c1775b68b6b083323780150f6da654c6bcaf313b298fd243047402a0d0ec5631f8c90ed7ccc28ff4c1eaf2666e671b9c0f6bc068ca9e0655740834b31fa62bd9
ssdeep: 12288:KsukuhRC+VmUmEViUUwsaXpx3U09S5j4J6dxLqm1JaSjyQiEyDlZk7SxTmgaA6i:pukuhRC+Vr24v3qhdDaSuQCBZk7SUAB
Entropy: 6.678910

Antivirus

Ahnlab: Malware/Win32.Generic
Antiy: Trojan/Win32.AGeneric
Avira: HEUR/AGEN.1038092
ClamAV: Win.Trojan.Agent-7376468-0
ESET: a variant of Win32/Agent.SSC trojan
Symantec: Heur.AdvML.B

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2017-03-26 09:21:10-04:00
Import Hash: 80e9b5b96cb30be08b9f46dcd40ca0b6

PE Sections

MD5                               Name    Raw Size  Entropy
480ee7622ef011b56ad9be1f520b53bb  header  1024      3.124211
e0689d923085269b1433eb46c62b9aad  .text   698880    6.634137
e1d4d4f7c07cb01481a7f937c1a399c5  .rdata  154112    5.641674
5b25e16d6a60901096dd38e8d609656f  .data   38912     5.185811
1f354d76203061bfdd5a53dae48d5435  .tls    512       0.020393
4dd9e4bd9bce353817d7013e17254399  .rsrc   512       4.717679
6c01df76342b581365053b6550340347  .reloc  28672     6.610094

Packers/Compilers/Cryptors: Microsoft Visual C++ ?.?

Relationships

133820ebac... Contained_Within b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32

Description

This sample is a full-featured RAT executable contained within "B6811B42023524E691B517D19D0321F890F91F35EBBDF1C12CBB92CDA5B6DE32".

See analysis for file "1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39" for additional details. This sample varies slightly in the following ways.

----------Begin Packet Formatting---------
[OPCODE][4 Bytes data length][4 Bytes unused][AUTH CODE 72 50 BF 9E][Data]
----------End Packet Formatting---------

The implant initiates a callback to the C2, then waits for tasking (it DOES NOT immediately send its victim_info). The victim_info for this version contains Unicode strings and additionally includes a UserGeoID field.
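Both packet framings described in this report (the first variant's [OPCODE][4-byte length][data] and this variant's header with the unused DWORD and the 72 50 BF 9E auth code) can be decoded from a captured TCP payload with the following added example. It is not code from the report or from the sample; it assumes a one-byte opcode, a little-endian length field, and that the auth code is sent in the clear with only the data XOR-encoded with 0x07, none of which the report states explicitly. The sample packets are constructed inline.

```python
import struct

# Values taken from the report: the single-byte XOR key applied to data after the
# header, and the four-byte auth code the second variant carries in its header.
XOR_KEY = 0x07
AUTH_CODE = bytes.fromhex("7250bf9e")

# Header sizes under the assumptions stated in the lead-in (1-byte opcode,
# little-endian 4-byte length, auth code not encoded).
V1_HEADER_LEN = 5    # [OPCODE][4-byte length]
V2_HEADER_LEN = 13   # [OPCODE][4-byte length][4 unused][AUTH CODE]


def xor_data(data, key=XOR_KEY):
    """Single-byte XOR; applying it twice returns the original bytes."""
    return bytes(b ^ key for b in data)


def build_packet(opcode, data, variant=1):
    """Encoder used here only to construct sample traffic for the example."""
    header = struct.pack('<BI', opcode, len(data))
    if variant == 2:
        header += b'\x00' * 4 + AUTH_CODE
    return header + xor_data(data)


def parse_packet(buf):
    """Parse one packet at the start of buf; return (record, remaining bytes).

    The framing variant is detected heuristically (assumption): if bytes 9..13
    equal the auth code the packet is treated as the second variant, otherwise
    as the first.
    """
    if len(buf) < V1_HEADER_LEN:
        raise ValueError("truncated header: %d bytes" % len(buf))
    opcode, length = struct.unpack('<BI', buf[:V1_HEADER_LEN])
    if len(buf) >= V2_HEADER_LEN and buf[9:13] == AUTH_CODE:
        variant, header_len = 2, V2_HEADER_LEN
    else:
        variant, header_len = 1, V1_HEADER_LEN
    if len(buf) < header_len + length:
        raise ValueError("declared length %d exceeds %d available bytes"
                         % (length, len(buf) - header_len))
    record = {
        "variant": variant,
        "opcode": opcode,
        "length": length,
        "data": xor_data(buf[header_len:header_len + length]),
    }
    return record, buf[header_len + length:]


def parse_stream(buf):
    """Split a captured TCP payload into its packets, in order."""
    packets = []
    while buf:
        record, buf = parse_packet(buf)
        packets.append(record)
    return packets


def is_well_formed(buf):
    """True when buf consists of complete packets and nothing else."""
    try:
        parse_stream(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: one packet of each framing, as they might appear in a capture.
    capture = (build_packet(0x10, b"en-US", variant=1)
               + build_packet(0x20, b"WORKSTATION-01", variant=2))
    for pkt in parse_stream(capture):
        print("variant=%d opcode=0x%02x length=%d data=%r"
              % (pkt["variant"], pkt["opcode"], pkt["length"], pkt["data"]))
```

The length check before slicing matters when feeding reassembled stream data: a truncated capture raises instead of silently yielding a short, mis-decoded record, and the auth-code check is what lets an analyst tell the two builds apart in traffic without the binary.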

The sample attempts to connect to 159.100.250.231:8080 4 times, with 1 minute between attempts. If it does not succeed, it then attempts to connect to www.example.com 4 times, with 1 minute between attempts. This loop continues until a connection is made.
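The retry behaviour above is a regular network pattern that can be hunted for in connection telemetry. The following added example (not from the report) runs over constructed connection-log lines in a simple space-separated format and flags a host that makes four failed, one-minute-spaced attempts to the C2 and then four attempts to the fallback host. The log format, the fallback port (8080) and the five-second timing tolerance are assumptions.

```python
from datetime import datetime, timedelta
from itertools import groupby

# From the report: primary C2 endpoint, fallback host, four attempts one minute apart.
PRIMARY_C2 = ("159.100.250.231", 8080)
FALLBACK_HOST = "www.example.com"
RETRY_COUNT = 4
RETRY_INTERVAL = timedelta(minutes=1)
# Assumption: how much timing jitter between attempts the detector tolerates.
TOLERANCE = timedelta(seconds=5)

# Constructed connection-log lines (not real telemetry) in an assumed
# "timestamp src dst dport outcome" format. 10.0.0.5 shows the retry pattern;
# 10.0.0.9 made a single failed attempt to the same IP and is otherwise benign.
SAMPLE_LOG = """\
2020-02-20T10:00:00 10.0.0.5 159.100.250.231 8080 failed
2020-02-20T10:01:00 10.0.0.5 159.100.250.231 8080 failed
2020-02-20T10:02:01 10.0.0.5 159.100.250.231 8080 failed
2020-02-20T10:03:00 10.0.0.5 159.100.250.231 8080 failed
2020-02-20T10:04:00 10.0.0.5 www.example.com 8080 failed
2020-02-20T10:05:00 10.0.0.5 www.example.com 8080 failed
2020-02-20T10:06:00 10.0.0.5 www.example.com 8080 failed
2020-02-20T10:07:01 10.0.0.5 www.example.com 8080 failed
2020-02-20T10:08:00 10.0.0.5 159.100.250.231 8080 failed
2020-02-20T10:00:30 10.0.0.9 198.51.100.7 443 ok
2020-02-20T10:00:31 10.0.0.9 159.100.250.231 8080 failed
2020-02-20T10:30:00 10.0.0.9 198.51.100.7 443 ok
"""


def parse_log(text):
    """Parse the constructed log format into dicts sorted by (source, time)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "outcome": outcome})
    events.sort(key=lambda e: (e["src"], e["ts"]))
    return events


def split_runs(events):
    """Group one host's time-ordered events into runs of consecutive attempts to the
    same (dst, port) in which every gap is RETRY_INTERVAL within TOLERANCE."""
    runs = []
    for event in events:
        key = (event["dst"], event["port"])
        if runs and runs[-1]["key"] == key:
            gap = event["ts"] - runs[-1]["events"][-1]["ts"]
            if abs(gap - RETRY_INTERVAL) <= TOLERANCE:
                runs[-1]["events"].append(event)
                continue
        runs.append({"key": key, "events": [event]})
    return runs


def detect_retry_pattern(text):
    """Return one finding per source host whose traffic shows RETRY_COUNT failed,
    one-minute-spaced attempts to PRIMARY_C2 immediately followed by RETRY_COUNT
    attempts to FALLBACK_HOST, the sequence the report describes."""
    findings = []
    for src, group in groupby(parse_log(text), key=lambda e: e["src"]):
        runs = split_runs(list(group))
        for primary, fallback in zip(runs, runs[1:]):
            if (primary["key"] == PRIMARY_C2
                    and len(primary["events"]) >= RETRY_COUNT
                    and all(e["outcome"] != "ok" for e in primary["events"])
                    and fallback["key"][0] == FALLBACK_HOST
                    and len(fallback["events"]) >= RETRY_COUNT):
                findings.append({
                    "src": src,
                    "first_seen": primary["events"][0]["ts"].isoformat(),
                    "primary_attempts": len(primary["events"]),
                    "fallback_attempts": len(fallback["events"]),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_retry_pattern(SAMPLE_LOG):
        print(finding)
```

A single hit on the C2 address is already an indicator on its own; the value of matching the full primary-then-fallback cadence is that it separates the implant's loop from a one-off scan or a proxy health check, and the same run-splitting works for a firewall or proxy log once parse_log is adapted to that format.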

Relationship Summary

1ea6b3e99b... Connected_To 159.100.250.231
1ea6b3e99b... Contains 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c
b6811b4202... Connected_To 159.100.250.231
b6811b4202... Contains 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f
738ba44188... Connected_To 159.100.250.231
159.100.250.231 Connected_From 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
159.100.250.231 Connected_From b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32
159.100.250.231 Connected_From 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790
159.100.250.231 Connected_From 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c
43193c4efa... Contained_Within 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
43193c4efa... Connected_To 159.100.250.231
133820ebac... Contained_Within b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32

Mitigation

Displayed below is a Python3 script used to decrypt and extract the embedded files:

--Begin Decryption and Extraction Python3 Script--
import argparse
import struct


def truncate_nullterm_str(data):
    """Return the string up to the first NUL byte (the whole buffer if there is none)."""
    null_index = data.find(b'\x00')
    if null_index == -1:
        null_index = len(data)
    return data[:null_index].decode('utf-8', errors='replace')


def decode(offset, buffer, length, key1, key2):
    """Decode `length` bytes of `buffer` starting at `offset` with the sample's
    two-key stream cipher. The keystream depends only on key1/key2, so the same
    routine both encodes and decodes."""
    dec = bytearray()
    k3 = key1
    key1 = key1 >> 1
    while length > 0:
        k1 = key1
        k2 = key2
        dec.append((buffer[offset] ^ k1 ^ k2 ^ k3) & 0xff)
        key1 = (key1 >> 8 | ((key1 * 8 ^ key1) & 0x7f8) << 0x14) & 0xffffffff
        k3 = (k3 & k2 ^ (k2 ^ k3) & k1)
        key2 = (key2 >> 8 | (((key2 * 2 ^ key2) << 4 ^ key2) & 0xffffff80 ^ key2 << 7) << 0x11) & 0xffffffff
        offset += 1
        length -= 1
    return bytes(dec)


# Offset of the embedded payload inside the decoded configuration; set by parse_options().
offset = 0


def parse_options(buffer):
    """Print the enabled and disabled options found in the decoded configuration block."""
    global offset
    # 30 little-endian DWORD flags/values followed by fixed-size string fields.
    options = list(struct.unpack('<' + 'I' * 30, buffer[0:120]))
    options.append(buffer[120:320])     # [30] download URL
    options.append(buffer[320:2820])    # [31] persistence data (Run key name at 0x960)
    options.append(buffer[2820:3020])   # [32]
    options.append(buffer[3020:3120])   # [33] custom process-hollowing target
    options.append(buffer[3120:3220])   # [34] relocation subdirectory
    options.append(buffer[3220:3320])   # [35] relocation file name
    options.append(buffer[3320:3360])   # [36] mutex name

    enabled_options = ''
    disabled_options = ''

    if options[0] == 0:
        offset = options[27] + options[28] + options[22]
        enabled_options += "Embedded payload at offset: %d\n" % offset
        disabled_options += "Download payload\n"
    else:
        enabled_options += "Download payload from: %s\n" % truncate_nullterm_str(options[30])
        disabled_options += "Embedded payload\n"

    # Simple on/off flags: a zero DWORD disables the feature.
    for index, label in [
            (1, "VM Detect"), (2, "Sandbox Detect"), (3, "Debugger Detect"),
            (4, "Active Processes Check"), (5, "Installed programs Check"),
            (6, "Language Check"), (7, "Username Check"), (8, "Computer name Check"),
            (9, "Installed number of programs Check")]:
        if options[index] == 0:
            disabled_options += label + "\n"
        else:
            enabled_options += label + "\n"

    if options[10] == 0:
        disabled_options += "Number running processes Check\n"
    else:
        enabled_options += "Number running processes Check: %d\n" % options[10]

    if options[11] == 0:
        disabled_options += "System processors/memory/diskspace Check\n"
    else:
        if options[11] & 0x001:
            enabled_options += "Processor count check: %d\n" % options[12]
        if options[11] & 0x010:
            enabled_options += "Physical memory check: %d\n" % options[13]
        if options[11] & 0x000:
            # Mask is 0x000 in the published script, so this line is never produced.
            enabled_options += "Disk space check: %d\n" % options[14]

    # The published script tests options[12] here, the same DWORD used as the
    # processor count above; kept as published.
    if options[12] == 0:
        disabled_options += "DLL Hijack cliconfg.exe\n"
    else:
        enabled_options += "DLL Hijack cliconfg.exe\n"

    if options[16] == 0:
        disabled_options += "EnableLUA\n"
    else:
        enabled_options += "EnableLUA\n"

    if options[17] == 0:
        disabled_options += "Create Persistence\n"
    elif options[17] == 1:
        enabled_options += "Create Persistence using Run key: %s\n" % truncate_nullterm_str(options[31][0x960:])
    elif options[17] == 2:
        enabled_options += "Create Persistence in Startup folder\n"
    elif options[17] == 3:
        enabled_options += "Create Persistence using \"System Backup\" hourly Scheduled Task\n"

    if options[18] == 0:
        disabled_options += "Direct Execution\n"
    else:
        disabled_options += "Process Hollowing\n"

    hollowing_targets = {
        0: "self", 1: "svchost.exe", 2: "conhost.exe", 3: "explorer.exe",
        4: "\"http\\shell\\open\\command\" registry key value",
    }
    if options[19] in hollowing_targets:
        enabled_options += "Process Hollowing: %s\n" % hollowing_targets[options[19]]
    elif options[19] == 5:
        enabled_options += "Process Hollowing: %s\n" % truncate_nullterm_str(options[33])

    if options[20] == 0:
        disabled_options += "Sleep Timer\n"
    else:
        enabled_options += "Sleep Timer: %d\n" % options[20]

    if options[21] == 0:
        disabled_options += "Kill Timer\n"
    else:
        enabled_options += "Kill Timer: %d\n" % options[26]

    relocation_targets = {
        0: "C:\\", 1: "%windir%\\", 2: "%system%\\", 3: "%programfiles%\\",
        4: "%programfiles%\\Common Files\\", 5: "C:\\ProgramData\\",
        6: "%userprofile%\\", 7: "%userprofile%\\Documents\\", 8: "%temp%\\",
        9: "%userprofile%\\Favorites\\", 10: "%appdata%\\", 11: "%localappdata%\\",
    }
    if options[29] in relocation_targets:
        enabled_options += "Relocate to: " + relocation_targets[options[29]]
    if len(truncate_nullterm_str(options[34])) > 0:
        enabled_options += "%s\\" % truncate_nullterm_str(options[34])
    enabled_options += "%s\n" % truncate_nullterm_str(options[35])

    if len(truncate_nullterm_str(options[36])) == 0:
        disabled_options += "Mutex\n"
    else:
        enabled_options += "Mutex: %s\n" % truncate_nullterm_str(options[36])

    print("\nDisabled Options:")
    print(disabled_options)

    print("\nEnabled Options:")
    print(enabled_options)


def main():
    parser = argparse.ArgumentParser(description="Decode the embedded configuration and extract the payload")
    parser.add_argument('filename')
    args = parser.parse_args()

    with open(args.filename, 'rb') as f:
        exe = f.read()

    # Walk the PE headers to find the end of the last section's raw data; the
    # encoded bitmap-style blob is appended after it as an overlay.
    pe_header_pos = struct.unpack('<I', exe[0x3c:0x3c + 4])[0]
    num_sections = struct.unpack('<H', exe[pe_header_pos + 0x6:pe_header_pos + 0x8])[0]
    optional_header_size = struct.unpack('<H', exe[pe_header_pos + 0x14:pe_header_pos + 0x16])[0]
    size_of_headers = struct.unpack('<I', exe[pe_header_pos + 0x54:pe_header_pos + 0x58])[0]
    section_headers_pos = pe_header_pos + 0x18 + optional_header_size
    bitmap_pos = size_of_headers
    curr_header_pos = section_headers_pos
    for _ in range(num_sections):
        raw_size = struct.unpack('<I', exe[curr_header_pos + 0x10:curr_header_pos + 0x14])[0]
        bitmap_pos += raw_size
        curr_header_pos += 0x28  # IMAGE_SECTION_HEADER is 40 bytes

    # The two cipher keys and the length of the extra header sit just past the
    # fixed 0x36-byte bitmap header.
    key2 = struct.unpack('<I', exe[bitmap_pos + 0x36:bitmap_pos + 0x3a])[0]
    key1 = struct.unpack('<I', exe[bitmap_pos + 0x3a:bitmap_pos + 0x3e])[0]
    bitmap_header_len = struct.unpack('<H', exe[bitmap_pos + 0x3e:bitmap_pos + 0x40])[0]
    bitmap_len = len(exe) - bitmap_pos - bitmap_header_len - 0x36
    print("[ ] Decoding %d Bytes with:" % bitmap_len)
    print("    Key1: %s" % hex(key1))
    print("    Key2: %s" % hex(key2))
    dec = decode(0, exe[bitmap_pos + bitmap_header_len + 0x36:], bitmap_len, key1, key2)
    print("[+] Decoding Complete!")

    # The decoded configuration block is 0xd56 - 0x36 bytes long; the payload
    # follows it at the offset parse_options() computes from the configuration.
    config_len = 0xd56 - 0x36
    parse_options(dec[0:config_len])
    payload_pos = config_len + offset
    print("[ ] Found embedded payload, extracting..")
    out_name = args.filename + "_payload.exe"
    with open(out_name, 'wb') as out:
        out.write(dec[payload_pos:])
    print("[+] Wrote %d Bytes to %s" % (len(dec[payload_pos:]), out_name))


if __name__ == '__main__':
    main()
--End Decryption and Extraction Python3 Script--
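To check the script's overlay arithmetic and cipher without a live sample, here is an added harness that is not part of the report. It builds a constructed, non-executable PE layout with one section, lays out an overlay the way the script expects (a 0x36-byte bitmap header, key2 at +0x36, key1 at +0x3a, the 16-bit extra-header length at +0x3e, then the encoded blob), encodes a constructed plaintext with a re-derived copy of the script's keystream and recovers it. It also makes the cipher's structure explicit: the keystream depends only on the two keys, never on the input, so the same XOR both encodes and decodes, and a known plaintext prefix (such as an MZ header) recovers keystream bytes directly. The constructed keys, plaintext and extra-header length are assumptions.

```python
import struct

# Overlay layout the report's script relies on: a fixed 0x36-byte bitmap header,
# then key2, key1 and a 16-bit extra-header length at these offsets from the
# start of the overlay, then the encoded blob after the extra header.
BMP_HEADER_LEN = 0x36
KEY2_OFF, KEY1_OFF, HDRLEN_OFF = 0x36, 0x3a, 0x3e


def keystream(length, key1, key2):
    """Keystream of the script's decode() routine, re-derived here. It depends only
    on the two keys, never on the input bytes, so XOR with it both encodes and decodes."""
    out = bytearray()
    k3 = key1
    key1 = key1 >> 1
    for _ in range(length):
        k1, k2 = key1, key2
        out.append((k1 ^ k2 ^ k3) & 0xff)
        key1 = (key1 >> 8 | ((key1 * 8 ^ key1) & 0x7f8) << 0x14) & 0xffffffff
        k3 = (k3 & k2 ^ (k2 ^ k3) & k1)
        key2 = (key2 >> 8 | (((key2 * 2 ^ key2) << 4 ^ key2) & 0xffffff80 ^ key2 << 7) << 0x11) & 0xffffffff
    return bytes(out)


def crypt(data, key1, key2):
    """Encode or decode (the operation is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(len(data), key1, key2)))


def overlay_offset(exe):
    """End of the last section's raw data, computed as the script does:
    SizeOfHeaders plus the SizeOfRawData of every section."""
    pe = struct.unpack_from('<I', exe, 0x3c)[0]
    num_sections = struct.unpack_from('<H', exe, pe + 0x6)[0]
    optional_header_size = struct.unpack_from('<H', exe, pe + 0x14)[0]
    size_of_headers = struct.unpack_from('<I', exe, pe + 0x18 + 0x3c)[0]
    end = size_of_headers
    section_table = pe + 0x18 + optional_header_size
    for i in range(num_sections):
        end += struct.unpack_from('<I', exe, section_table + i * 0x28 + 0x10)[0]
    return end


def build_fake_pe(overlay):
    """Constructed, non-runnable PE layout with one section: just the header fields
    overlay_offset() walks, with the overlay appended after the section data."""
    size_of_headers, raw_size, optional_header_size = 0x200, 0x200, 0xe0
    dos = b'MZ' + b'\x00' * (0x3c - 2) + struct.pack('<I', 0x40)   # e_lfanew = 0x40
    coff = b'PE\x00\x00' + struct.pack('<HHIIIHH', 0x14c, 1, 0, 0, 0, optional_header_size, 0x102)
    optional = bytearray(optional_header_size)
    struct.pack_into('<H', optional, 0, 0x10b)                     # PE32 magic
    struct.pack_into('<I', optional, 0x3c, size_of_headers)        # SizeOfHeaders
    section = bytearray(0x28)
    section[:5] = b'.text'
    struct.pack_into('<I', section, 0x10, raw_size)                 # SizeOfRawData
    struct.pack_into('<I', section, 0x14, size_of_headers)          # PointerToRawData
    headers = dos + coff + bytes(optional) + bytes(section)
    headers += b'\x00' * (size_of_headers - len(headers))
    return headers + b'\x90' * raw_size + overlay


def build_overlay(plaintext, key1, key2, extra_header_len=0x10):
    """Lay out an overlay the way the script expects and encode the plaintext."""
    header = bytearray(BMP_HEADER_LEN + extra_header_len)
    struct.pack_into('<I', header, KEY2_OFF, key2)
    struct.pack_into('<I', header, KEY1_OFF, key1)
    struct.pack_into('<H', header, HDRLEN_OFF, extra_header_len)
    return bytes(header) + crypt(plaintext, key1, key2)


def extract_overlay_payload(exe):
    """Mirror of the script's main(): locate the overlay, read both keys, decode."""
    pos = overlay_offset(exe)
    key2 = struct.unpack_from('<I', exe, pos + KEY2_OFF)[0]
    key1 = struct.unpack_from('<I', exe, pos + KEY1_OFF)[0]
    extra_header_len = struct.unpack_from('<H', exe, pos + HDRLEN_OFF)[0]
    start = pos + BMP_HEADER_LEN + extra_header_len
    return crypt(exe[start:], key1, key2)


if __name__ == "__main__":
    # Constructed keys and plaintext (a stand-in for the config block plus payload).
    key1, key2 = 0x12345678, 0x9abcdef0
    plaintext = b"\x00" * 16 + b"constructed config" + b"MZ constructed payload"
    sample = build_fake_pe(build_overlay(plaintext, key1, key2))
    print("overlay at 0x%x, recovered %d bytes, round-trip ok: %s"
          % (overlay_offset(sample), len(plaintext),
             extract_overlay_payload(sample) == plaintext))
```

Because the cipher is a pure keystream, an analyst who knows where the embedded PE starts can XOR the ciphertext at that position against an expected MZ/PE header to confirm the keys were read from the right offsets before running the full extraction.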

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

North Korean Malicious Cyber Activity

US-CERT All NCAS Products - Fri, 02/14/2020 - 13:40
Original release date: February 14, 2020

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified the following malware variants used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

CISA encourages users and administrators to review the Malware Analysis Reports for each malware variant listed above and the North Korean Malicious Cyber Activity page for more information.

New SchoolSafety.gov Provides Cyber Guidance for K-12 Schools

US-CERT All NCAS Products - Wed, 02/12/2020 - 16:59
Original release date: February 12, 2020 | Last revised: February 13, 2020

The Federal School Safety Clearinghouse just launched its website: SchoolSafety.gov. This website—a collaboration between the Department of Homeland Security and the U.S. Departments of Education, Justice, and Health and Human Services—features a fact sheet on Cyber Safety Considerations for K-12 Schools and School Districts. The fact sheet provides guidance to educators, administrators, parents, and law enforcement officials on various online threats to students, including cyberbullying, ransomware, and online predation.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to read Cyber Safety Considerations for K-12 Schools and School Districts and to visit SchoolSafety.gov to learn more about all the resources available. Refer to CISA’s Tips on Keeping Children Safe Online and Dealing with Cyberbullies for additional best practices.

FBI Releases IC3 2019 Internet Crime Report

US-CERT All NCAS Products - Wed, 02/12/2020 - 16:58
Original release date: February 12, 2020 | Last revised: February 13, 2020

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released the 2019 Internet Crime Report, which includes statistics based on data reported by the public through the IC3 website. The top three crime types reported by victims in 2019 were phishing/vishing/smishing/pharming, non-payment/non-delivery, and extortion. FBI urges users to continue reporting complaints at www.ic3.gov to help law enforcement better combat cybercrime.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the FBI press release and CISA’s Tip on Avoiding Social Engineering and Phishing Attacks for more information.

Microsoft Releases February 2020 Security Updates

US-CERT All NCAS Products - Tue, 02/11/2020 - 21:12
Original release date: February 11, 2020

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s February 2020 Security Update Summary and Deployment Information and apply the necessary updates.

Intel Releases Security Updates

US-CERT All NCAS Products - Tue, 02/11/2020 - 20:14
Original release date: February 11, 2020

Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to gain escalation of privileges.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:

Adobe Releases Security Updates for Multiple Products

US-CERT All NCAS Products - Tue, 02/11/2020 - 17:16
Original release date: February 11, 2020

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
