CYBERSECURITY NEWS V. 10.09 – Vulnerability in Cisco Jabber, New Trojan PyVil, Joker malware

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts

News for discussion

Critical vulnerability in Cisco Jabber for Windows

Cisco Jabber for Windows has a critical RCE vulnerability with a severity rating of 9.9 (CVE-2020-3495). It is caused by incorrect validation of incoming messages and can be used for creating a worm. It could be exploited by sending crafted XML-based Extensible Messaging and Presence Protocol (XMPP) messages to the Jabber client. Three vulnerabilities of medium severity were also found: protocol handler command injection (CVE-2020-3430), information disclosure (CVE-2020-3498), and Universal Naming Convention link handling vulnerability (CVE-2020-3537). Cisco is not aware of any of these vulnerabilities being exploited; all of them are now fixed.

hexway commentary:

What do we have:
- CVE-2020-3495, has a severity rating of 9.9 out of 10
- recommendations are immediately patched
- many mentions in the press.

Let's figure it out a bit. Found vulnerability - XSS! Yes, just XSS. As is often the case for desktop applications, XSS simply flows into RCE. As a result, we have a fairly trivial vulnerability with a rather serious impact.
Well, some thoughts out loud.
Do I need to patch? Well, of course!
Is it a trivial bug? Even some!
The question is, why was it found only now (after all, we all know the love of script kiddies for such vectors)? We have at least two answers to this question:
1. Cisco Jabber for Windows is a product of little interest, used by 1.5 people and 2 universities, as a result of which the first information security researcher who came across immediately came across such an obvious bug
2. The Cisco Jabber for Windows development team spent no more than 7 minutes of their time auditing the code and did not notice such a simple vulnerability

Cisco Jabber for Windows? Well, come on.

News FYI

WhatsApp fixed six flaws

WhatsApp has fixed six flaws that were found during code review and through Facebook's bug bounty program. The company has also created a security advisory page to keep users informed about bugs and updates. CVE-2020-1890 is a URL validation issue in the Android versions of WhatsApp (before v2.20.11) and WhatsApp Business (before v2.20.2). Exploited through sending a sticker message with deliberately garbled data, it could make the recipient download an image from a URL controlled by the attacker without user interaction. Another vulnerability, CVE-2020-1894, is a write stack overflow that could allow arbitrary code execution when a specially crafted PTT message is played.

Six Android apps contain Joker malware

Six applications containing Joker (also known as Bread) spyware have been removed from the Google Play store. Joker is a billing scam malware family that appeared in 2017 and started growing in 2019. At least 200,000 users have fallen victim to it by downloading the following applications: Convenient Scanner 2, Separate Doc Scanner, Safety AppLock, Push Message-Texting & SMS, Emoji Wallpaper, and Fingertip GameBox.

Critical vulnerability in WordPress File Manager allowed website hijacK

Hackers have been exploiting a severe RCE allowing them to download scripts and execute arbitrary code on WordPress sites running vulnerable versions of the File Manager plugin. Attackers are trying to download a malicious script hardfork.php that allows them to inject malicious code into /wp-admin/admin-ajax.php and / wp-includes / on WordPress sites. user.php scripts. Although the vulnerability has been fixed in the new version of the plugin (6.9), more than 90% of websites remain vulnerable by not installing the update.

New Trojan PyVil

PyVil is a new Python-based RAT developed by the Evilnum APT Group and designed to target FinTech organizations. The Trojan allows an attacker to secretly steal corporate information by using keyloggers and taking screenshots and collect information about the infected system, including OS version, installed AV software, and connected devices. Companies in the UK, Australia, and Canada have already become victims of PyVil.