Rewterz

Rewterz Threat Alert – Covid-Themed Malware Campaign Distributes Ransomware

March 22, 2020
Rewterz

Rewterz Threat Alert – Icnanker, a Linux Trojan-Downloader

March 24, 2020

Rewterz Threat Alert – New Windows zero-day exploited in the wild

Severity

High

Analysis Summary

Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library(atmfd.dll) improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. Potential attack vectors include Microsoft Word, OpenOffice, LibreOffice, old versions of browsers.

Impact

  • Code execution
  • Unauthorized access

Affected Vendors

Microsoft

Affected Products

  • Microsoft Windows 10
  • Microsoft Windows 8.1
  • Microsoft Windows 7
  • Windows RT 8.1
  • Microsoft Windows Server 2008
  • Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Windows Server 2012 R2
  • Windows 2016
  • Microsoft Windows Server 2019
  • Windows Server version 1803
  • Windows Server version 1903
  • Windows Server version 1909

Remediation

Patch will most likely arrive in the April patch Tuesday. Microsoft has released mitigations/workarounds.

  • Disable the Preview Pane and Details Pane in Windows Explorer.
  • Disable the WebClient service.
  • Rename ATMFD.DLL

Microsoft explains how to do all that and the impacts of these workarounds in the advisory. Please visit the below mentioned link.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.