@RISK Newsletter for December 17, 2020
The consensus security vulnerability alert.
Vol. 20, Num. 51
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES December 10 - 17, 2020
TOP VULNERABILITY THIS WEEK: SolarWinds supply chain attack hits government agencies, massive companies
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: State-sponsored actors behind massive SolarWinds attacks, full breadth yet to be discovered
Description: In a sophisticated supply-chain attack, adversaries compromised updates to the widely used SolarWinds Orion IT monitoring and management software. The digitally signed updates were posted on the SolarWinds website from March to May 2020. The backdoor is loaded by the legitimate SolarWinds executable before the legitimate code runs, so as not to alert the victim that anything is amiss. Reports indicate that some of the largest companies in the world use this software, but it is still unclear whether the backdoor has led to any major cyber attacks or data breaches. At least two American government agencies are also affected: the Treasury and Commerce departments. The U.S. Department of Homeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to review their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion products immediately.
References:
- https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
- https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/
Snort SIDs: 56660 - 56668
Title: Red-teaming security tools stolen as part of broad attack
Description: In an attack related to the vulnerabilities in SolarWindws products, security vendor FireEye had some red-teaming tools stolen by a state-sponsored actor. Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. It has been reported that none of the tools target zero-day vulnerabilities. It’s currently unknown why a state-sponsored actor would want to target these tools. Typically, these types of actors target high-value data possessed by victims. As part of this disclosure, FireEye also released a repository of signatures/rules designed to detect the use of these tools across a variety of detection technologies.
Reference:
- https://github.com/fireeye/red_team_tool_countermeasures
- https://blog.talosintelligence.com/2020/12/fireeye-breach-guidance.html
- https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
Snort SIDs: 8068, 8422, 38491, 38492, 48359, 49100, 49171, 49861, 50137, 50168 – 50170, 50275 – 50278, 51288 – 51289, 51368, 51370 – 51372, 51390, 51966, 52512, 52513, 52603, 52620, 53433, 53435, 53346 – 53351, 53380 – 53383, 55703, 55704, 55802, 55862, 56290, 56436, 56586
ClamAV signature: W32.FindstrSearchForKeyWords
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The adversaries behind the SolarWinds attack have a history of using unique techniques to bypass multi-factor authentication, as seen in multiple previous intrusions on a think tank’s network.
https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/
SolarWinds is known for working with many high-profile companies, though it has hidden this marketing list on its website since news of the hack broke.
https://www.theverge.com/2020/12/15/22176053/solarwinds-hack-client-list-russia-orion-it-compromised
The SolarWinds incident put a spotlight on supply chain attacks, a lesser-known technique that can be far quieter than users and victims realize.
https://www.cyberscoop.com/solarwinds-supply-chain-treasury-commerce-espionage/
Attackers reportedly accessed documents related to Moderna’s COVID-19 vaccine in the European Union after a data breach at the European Medicines Agency.
https://thehill.com/policy/cybersecurity/530225-moderna-vaccine-data-accessed-in-cyberattack-on-eu-regulator
As COVID vaccines start to be distributed around the world, attackers could start using the vaccines’ reliance on cold storage to carry out new types of attacks that seek to disrupt the release process. (PDF)
https://www.cisa.gov/sites/default/files/publications/Insights_Cold_Storage_Cyber_Custodial%20Care_final_508.pdf
While U.S. President Donald Trump continues to try to discredit election results in states like Georgia and Michigan, there actually is a point to be made about antiquated voting technology used in many states that leaned toward Trump in the November election.
https://www.theatlantic.com/ideas/archive/2020/12/trump-looking-fraud-all-wrong-places/617366/
Ransomware known as “MountLocker” can steal users’ sensitive information and share it with the malware’s creators; it has added new anti-detection functionality as of November.
https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
Apps on the Mac and iOS stores must now carry unique labels showing what data and information the apps collect.
https://www.wired.com/story/apple-app-privacy-labels/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-17049
Title: Microsoft Kerberos Security Feature Bypass Vulnerability
Vendor: Microsoft
Description: A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-17530
Title: Apache Struts OGNL Remote Code Execution Vulnerability
Vendor: Apache
Description: A vulnerability exists in the “forced OGNL evaluation on raw user input in tag attributes” of Apache Struts. Due to insufficient validation of user input in the OGNL evaluation functionality, an unauthenticated user can exploit this flaw, leading to remote code execution.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-17140
Title: Microsoft Windows SMB Information Disclosure Vulnerability
Vendor: Microsoft
Description: Microsoft Windows is exposed to an SMB information disclosure vulnerability; an attacker who successfully exploits it can read the contents of kernel memory from a user-mode process. In a network-based attack, an authenticated attacker would need to open a specific file with a captured oplock lease, then perform repeated specific modifications to that file.
CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
ID: CVE-2020-17143
Title: Microsoft Exchange Information Disclosure Vulnerability
Vendor: Microsoft
Description: Microsoft Exchange Server is exposed to an information disclosure vulnerability; an attacker who successfully exploited it could obtain sensitive information.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4006
Title: VMware Workspace One Access Command Injection Vulnerability
Vendor: VMware
Description: VMware Workspace One Access is exposed to a command injection vulnerability in the administrative configurator. A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account could execute commands with unrestricted privileges on the underlying operating system.
CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-8554
Title: Kubernetes Man In The Middle Vulnerability
Vendor: Multi-Vendor
Description: A man in the middle vulnerability exists in Kubernetes. The vulnerability could be exploited by users with limited privileges, such as the ability to create services or edit services and pods in a Kubernetes cluster.
CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
ID: CVE-2020-15257
Title: containerd Privilege Escalation Vulnerability
Vendor: Multi-Vendor
Description: The containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.
CVSS v3 Base Score: 5.2 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
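The containerd-shim entry above turns on one detail: the shim listens on an abstract Unix domain socket, and abstract sockets are scoped by network namespace rather than by the filesystem, so any process that shares the network namespace and runs as UID 0 can reach it. A defender can check whether such sockets are visible from a given namespace by reading /proc/net/unix, where abstract sockets are listed with a leading "@". The following is an added example (not code from containerd or from the newsletter); the socket-name pattern it matches on and the sample /proc/net/unix lines are constructed assumptions for illustration.

```python
"""Report containerd-shim abstract Unix sockets visible in this namespace.

Added example for the CVE-2020-15257 entry; not containerd's own code.
/proc/net/unix columns: Num RefCount Protocol Flags Type St Inode Path.
Abstract sockets have no filesystem path and show up with a '@' prefix.
The 'containerd-shim' name pattern below is an assumption for illustration.
"""
import os
import re
from typing import List, NamedTuple


class UnixSock(NamedTuple):
    inode: int
    path: str
    abstract: bool


# Constructed sample of /proc/net/unix (not captured from a real host).
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /run/containerd/containerd.sock
0000000000000000: 00000002 00000000 00010000 0001 01 12346 @/containerd-shim/default/abc123/shim.sock
0000000000000000: 00000002 00000000 00010000 0001 01 12347 @/tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 12348
"""

# Assumed naming convention for shim sockets (illustrative, not authoritative).
SHIM_PATTERN = re.compile(r"containerd-shim")


def parse_proc_net_unix(text: str) -> List[UnixSock]:
    """Parse the text of /proc/net/unix into UnixSock records."""
    socks: List[UnixSock] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split(None, 7)
        if len(fields) < 7:
            continue  # malformed line; skip rather than fail the whole scan
        path = fields[7] if len(fields) == 8 else ""  # unbound sockets have no path
        socks.append(UnixSock(int(fields[6]), path, path.startswith("@")))
    return socks


def find_shim_abstract_sockets(text: str) -> List[str]:
    """Return sorted, de-duplicated abstract socket names that look like shim sockets."""
    return sorted(
        {s.path for s in parse_proc_net_unix(text) if s.abstract and SHIM_PATTERN.search(s.path)}
    )


def scan_live(path: str = "/proc/net/unix") -> List[str]:
    """Scan the running system; returns [] if the file is not available (non-Linux)."""
    if not os.path.exists(path):
        return []
    with open(path, "r", encoding="utf-8") as fh:
        return find_shim_abstract_sockets(fh.read())


if __name__ == "__main__":
    hits = scan_live()
    if hits:
        print("shim abstract sockets reachable from this namespace:")
        for name in hits:
            print("  ", name)
    else:
        print("no containerd-shim abstract sockets visible from this namespace")
```

Run inside a workload to see whether shim sockets are reachable from its network namespace: a non-empty result means the container shares a namespace with the shim (typically host networking), which is the condition the advisory describes. The remediation is to update containerd to a fixed release and to avoid granting host network access to untrusted workloads; the check only tells you where that exposure exists.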
ID: CVE-2020-26258
Title: XStream Server-Side Request Forgery Vulnerability
Vendor: Multi-Vendor
Description: A Server-Side Request Forgery vulnerability exists in XStream that can be triggered during unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available merely by manipulating the processed input stream.
CVSS v3 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
MOST PREVALENT MALWARE FILES December 10 - 17, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5
MD5: eb20ca63dc3badc1a48072d33bd6428b
VirusTotal: https://www.virustotal.com/gui/file/2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5/details
Typical Filename: 1 Total New Invoices-Monday December 14 2020.xlsm
Claimed Product: N/A
Detection Name: W32.2C36CB4E17-90.SBX.TG
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01
MD5: 7e36752d274e61b9f2b0ee43200fe36d
VirusTotal: https://www.virustotal.com/gui/file/4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01/details
Typical Filename: Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe
Claimed Product: WebNavigator Browser
Detection Name: W32.48C6324412-95.SBX.TG
SHA 256: 763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a
MD5: 552299482ffa389321df9b05740c1b92
VirusTotal: https://www.virustotal.com/gui/file/763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigator Browser
Detection Name: W32.763D0F405C-100.SBX.VIOC