Vol. 21, Num. 06
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES February 11-18, 2021
TOP VULNERABILITY THIS WEEK: LodaRAT adds new Android variant
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Long-running trojan now targeting Android devices
Description: The developers of LodaRAT have added Android as a targeted platform. The new Android variant follows the same principles as other Android-based RATs seen on the threat landscape, and an updated version of LodaRAT for Windows, with improved sound recording capabilities, has been identified in the same campaign. These new versions of Loda4Windows and Loda4Android show that the development effort is clearly carried out by the same group, which Cisco Talos calls “Kasablanca.” The operators behind LodaRAT are tied to a specific campaign targeting Bangladesh, although others have been seen.
References: https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html
Snort SID: 53031
ClamAV signatures: Win.Packed.LokiBot-6963314-0, Doc.Exploit.Cve_2017_11882-7570663-1, Doc.Downloader.Loda-7570590-0
Title: Accusoft ImageGear vulnerabilities could lead to code execution
Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document-imaging developer toolkit from Accusoft that covers the entire document imaging lifecycle and that developers can use to build their applications. An adversary could exploit either of these vulnerabilities to cause various conditions, including an out-of-bounds write, and eventually execute code. A target needs to open a specially crafted file to trigger these vulnerabilities.
Reference: https://blog.talosintelligence.com/2021/02/vuln-spotlight-accusoft-image.html
Snort SIDs: 43608, 43609, 56158 - 56161, 56365, 56366, 56451, 56452
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Hackers have been targeting monitoring software made by French IT company Centreon for at least three years in a cyber espionage campaign. France’s cybersecurity watchdog, ANSSI, notes that the attacks bear similarities to those conducted by the “Sandworm” APT.
https://www.reuters.com/article/us-global-cyber-centreon/french-it-monitoring-companys-software-targeted-by-hackers-cyber-agency-idUSKBN2AF1RA
Several major cybersecurity organizations urged U.S. Congress to include more funding for security efforts in its developing COVID-19 relief package.
https://www.betteridentity.org/filings/2021/2/12/multiassociation-letter-for-inclusion-of-dedicated-cybersecurity-funding-in-any-covid-relief-funding-package
Microsoft warned Australian lawmakers that proposed critical infrastructure legislation could potentially weaken the country’s cybersecurity posture.
https://www.zdnet.com/article/microsoft-asks-government-to-stay-out-of-its-cyber-attack-response-in-australia/
A cyber attack on a Florida town’s water supply system highlights the growing trend of threat actors targeting SCADA systems that present various physical dangers.
https://intel471.com/blog/scada-oldsmar-florida-water-treatment-plant-hack/
Microsoft believes as many as 1,000 different developers touched the recent SolarWinds supply chain attack, adding that it was the largest cyber attack of all time.
https://www.theregister.com/2021/02/15/solarwinds_microsoft_fireeye_analysis/
Attackers who stole source code from video game developer CD Projekt Red say they’ve sold the compromised code in an online dark web auction for $7 million.
https://www.ign.com/articles/stolen-cd-projekt-red-files-reportedly-sold-on-dark-web-auction
Virginia is soon to become the second U.S. state with a major online privacy law, following California’s new rules that went into effect in 2018.
https://arstechnica.com/tech-policy/2021/02/virginia-is-about-to-get-a-major-california-style-data-privacy-law/
A new update to iOS redirects iPhones’ “safe browsing” traffic through Apple servers rather than Google’s, likely an attempt to limit how much data Google sees from its users.
https://www.macrumors.com/2021/02/11/ios-14-5-beta-safe-browsing-safari-apple-google/
International lawmakers, professors, fake Twitter accounts and legitimate-looking websites are all to blame for the constant flow of disinformation surrounding the COVID-19 pandemic and the related vaccine.
https://apnews.com/article/pandemics-beijing-only-on-ap-epidemics-media-122b73e134b780919cc1808f3f6f16e8
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-21477
Title: Remote Code Execution Vulnerability in SAP Commerce Cloud
Vendor: SAP
Description: SAP Commerce Cloud, versions 1808, 1811, 1905, 2005 and 2011, allows certain users with the required privileges to edit Drools rules. An authenticated attacker with this privilege can inject malicious code into the Drools rules, which, when executed, leads to remote code execution, enabling the attacker to compromise the underlying host and impair the confidentiality, integrity and availability of the application.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-3177
Title: Remote Code Execution Vulnerability in Python
Vendor: Python and Multiple Vendors
Description: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21472
Title: Unauthorized Access to SAP Provisioning Manager Software
Vendor: SAP
Description: SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not offer an option to set a password during its installation. This allows an authenticated attacker to perform various attacks such as directory traversal, password brute force, SMB relay and security downgrade.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-22658
Title: SQL Injection Vulnerability in Advantech iView
Vendor: Advantech
Description: Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to ‘Administrator’.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-22502
Title: Remote Code Execution Vulnerability in Apache Operation Bridge
Vendor: Micro Focus
Description: Remote code execution vulnerability in the Micro Focus Operations Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow remote code execution on the OBR server.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-3033
Title: Prisma Cloud Compute: SAML Authentication Bypass Vulnerability in Console
Vendor: Palo Alto Networks
Description: An improper verification of cryptographic signature vulnerability exists in the Palo Alto Networks Prisma Cloud Compute console. This vulnerability enables an attacker to bypass signature validation during SAML authentication and log in to the Prisma Cloud Compute console as any authorized user. This issue impacts: all versions of Prisma Cloud Compute 19.11, Prisma Cloud Compute 20.04 and Prisma Cloud Compute 20.09; Prisma Cloud Compute 20.12 before update 1. The Prisma Cloud Compute SaaS version is not impacted by this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21472
Title: Weak password requirements in SAP Software Provisioning Manager
Vendor: SAP
Description: SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not offer an option to set a password during its installation. This allows an authenticated attacker to perform various attacks such as directory traversal, password brute force, SMB relay and security downgrade.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
ID: CVE-2021-25139
Title: HPE Moonshot Provisioning Manager Stack-based Overflow Vulnerability
Vendor: HP
Description: A potential security vulnerability has been identified in the HPE Moonshot Provisioning Manager v1.20. The HPE Moonshot Provisioning Manager is an application installed in a VMware or Microsoft Hyper-V environment that is used to set up and configure an HPE Moonshot 1500 chassis. This vulnerability could be remotely exploited by an unauthenticated user to cause a stack-based buffer overflow using user-supplied input to the khuploadfile.cgi CGI ELF. The stack-based buffer overflow could lead to remote code execution, denial of service and/or compromise of system integrity. HPE recommends that customers discontinue the use of the HPE Moonshot Provisioning Manager. The HPE Moonshot Provisioning Manager application is discontinued, no longer supported, is not available to download from the HPE Support Center, and no patch is available.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES February 11-18, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
MD5: f37167c1e62e78b0a222b8cc18c20ba7
VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos
SHA 256: 23a80df363e2f5ec6594bf952db3569e7ca59d4163283f808753775c215dd652
MD5: 259f42bd7d2f513c5c579d6554d9db66
VirusTotal: https://www.virustotal.com/gui/file/23a80df363e2f5ec6594bf952db3569e7ca59d4163283f808753775c215dd652/details
Typical Filename: ethm2.exe
Claimed Product: N/A
Detection Name: WinGoRanumBot::mURLin::W32.Auto:23a80df363.in03.Talos
SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f
MD5: 88781be104a4dcb13846189a2b1ea055
VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
Typical Filename: ActivityElement.dp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos
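The records above are published in a fixed five-line layout, which makes them easy to turn into a lookup table for sweeping an endpoint inventory. The script below is an added example written for this newsletter, not Talos or SANS tooling. It parses two of the records above in the page's own format, normalises hash case (note that one SHA-256 above is printed in upper case while VirusTotal and most tools emit lower case), and then matches a constructed inventory export against them. A hash match is reported as a confirmed hit; a file that only shares a "Typical Filename" is reported separately, since a name alone is a weak indicator that needs inspection rather than an alert.

```python
"""Match an endpoint file inventory against the Talos 'most prevalent malware
files' records (added example, not Talos/SANS code).

The record text is in the newsletter's own layout; the inventory lines are
constructed for this example and are not real telemetry.
"""
import re
from dataclasses import dataclass

# Two records as printed above (VirusTotal link lines omitted; they are ignored anyway).
PREVALENT_MALWARE_TEXT = """
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
"""

# Constructed inventory export, one "<sha256> <md5> <path>" line per file, the
# shape a sha256sum/md5sum sweep or an EDR export produces. Hashes other than
# the first line's are made-up placeholders.
INVENTORY_LINES = [
    r"C1D5A585FCE188423D31DF3EA806272F3DAA5EB989E18E9ECF3D94B97B965F8E 9A4B7B0849A274F6F7AC13C7577DAAD8 C:\Users\alice\AppData\Local\Temp\ww31.exe",
    r"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 00000000000000000000000000000000 /home/bob/Downloads/Eternalblue-2.2.0.exe",
    r"cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe 11111111111111111111111111111111 /usr/bin/ls",
]

FIELD_RE = re.compile(r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.+?)\s*$")


@dataclass
class MalwareRecord:
    sha256: str
    md5: str
    filename: str
    product: str
    detection: str


def parse_records(text: str) -> list:
    """Parse the newsletter record layout; a 'SHA 256:' line starts a record."""
    records, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "SHA 256":
            if current:
                records.append(MalwareRecord(**current))
            current = {"sha256": value.lower(), "md5": "", "filename": "", "product": "", "detection": ""}
        elif current is None:
            continue  # field before any record header; ignore
        elif key == "MD5":
            current["md5"] = value.lower()
        elif key == "Typical Filename":
            current["filename"] = value
        elif key == "Claimed Product":
            current["product"] = value
        elif key == "Detection Name":
            current["detection"] = value
    if current:
        records.append(MalwareRecord(**current))
    return records


def match_inventory(records: list, inventory_lines: list) -> list:
    """Return (path, detection_name, basis) tuples; basis is 'hash' or 'filename-only'."""
    by_hash = {}
    for r in records:
        by_hash[r.sha256] = r
        if r.md5:
            by_hash[r.md5] = r
    by_name = {r.filename.lower(): r for r in records if r.filename}

    hits = []
    for line in inventory_lines:
        parts = line.split(maxsplit=2)  # path may contain spaces
        if len(parts) != 3:
            continue
        sha256, md5, path = parts
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        rec = by_hash.get(sha256.lower()) or by_hash.get(md5.lower())
        if rec:
            hits.append((path, rec.detection, "hash"))
        elif basename in by_name:
            hits.append((path, by_name[basename].detection, "filename-only"))
    return hits


if __name__ == "__main__":
    for path, detection, basis in match_inventory(parse_records(PREVALENT_MALWARE_TEXT), INVENTORY_LINES):
        print(f"[{basis}] {path} -> {detection}")
```

Both hashes are indexed so a match works whether the inventory carries SHA-256, MD5 or both; the lower-casing on both sides is what makes the upper-case record above match the upper-case inventory line.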