@RISK Newsletter for February 25, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 08
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES February 25-March 4, 2021
TOP VULNERABILITY THIS WEEK: ObliqueRAT returns with new campaign using hijacked websites
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Long-running trojan spotted in the wild using another campaign to target users in South Asia
Description: Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however, utilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites. This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections. Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.
References: https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html
Snort SIDs: 57168 - 57175
ClamAV signature: Doc.Downloader.ObliqueRAT-9835361-0
Title: Cisco discloses three critical vulnerabilities
Description: Cisco patched three critical vulnerabilities for some of the company’s high-end software systems last week — two that affect the Application Services Engine and one that exists in the NX-OS operating system. The most severe of the vulnerabilities is rated a 10 out of 10 on the CVSS scale. Cisco’s advisory states an attacker could exploit this vulnerability to bypass authentication on a targeted device by receiving a token with administrator-level privileges. They could then authenticate to the targeted device’s API.
Reference: https://www.networkworld.com/article/3609510/cisco-issues-3-critical-warnings-around-aci-ns-ox-security-holes.html
Snort SIDs: 57222, 57223
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Rumors swirled last week that the SolarWinds security incident may have begun with the leak of a very basic password; however, company officials have clarified that the password incident had nothing to do with the wide-ranging breach.
https://www.zdnet.com/article/solarwinds-security-fiasco-may-have-started-with-simple-password-blunders/
Several government entities are launching their own independent investigations into the SolarWinds breach, including the Securities and Exchange Commission, the Department of Justice and several state attorneys general.
https://www.cyberscoop.com/solarwinds-sec-doj-state-attorneys-general-inquiries-breach/
Major American tech leaders, including representatives from SolarWinds, Microsoft, FireEye, and CrowdStrike, spent last week answering questions from the U.S. Senate about the SolarWinds supply chain attack.
https://www.reuters.com/article/us-cyber-solarwinds/solarwinds-microsoft-fireeye-crowdstrike-defend-actions-in-major-hack-us-senate-hearing-idUSKBN2AN1Q4
US legislators and security researchers are displeased that Amazon Web Services has not been more forthcoming with information related to the SolarWinds attack. AWS declined to participate in the hearings. (Please note: this story is behind a paywall.)
https://www.wsj.com/articles/amazons-lack-of-public-disclosure-on-solarwinds-hack-angers-lawmakers-11614258004
Oxford University has confirmed that hackers breached some systems at a lab involved with COVID-19 research.
https://www.zdnet.com/article/oxford-university-biochemical-lab-involved-in-covid-19-research-targeted-by-hackers/
U.S. Immigration and Customs Enforcement (ICE) has used private databases of phone, water, electricity and other utility records while pursuing alleged immigration violations.
https://www.washingtonpost.com/technology/2021/02/26/ice-private-utility-data/
The Federal Communications Commission unveiled a new $3.2 billion plan to provide broadband access to Americans who cannot afford internet access during the COVID-19 pandemic.
https://www.vice.com/en/article/k7ajb9/fcc-unveils-dollar32-billion-plan-to-help-struggling-americans-afford-broadband
New social media app Clubhouse has risen in popularity over the past few months; experts are warning of privacy and security concerns.
https://www.wired.com/story/clubhouse-privacy-security-growth/
Ransomware attacks against school systems and hospitals are down during the first two months of 2021.
https://www.scmagazine.com/home/security-news/ransomware/so-far-ransomware-attacks-way-down-at-schools-hospitals-in-2021/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-21315
Title: Command Injection Vulnerability in NPM Package
Vendor: Systeminformation
Description: The System Information Library for Node.js (npm package “systeminformation”) is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21617
Title: CSRF Vulnerability in Jenkins Plugin
Vendor: Jenkins
Description: A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-2902
Title: Privilege Escalation Vulnerability in Oracle VM VirtualBox
Vendor: Oracle
Description: This vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 5.2.40, prior to 6.0.20 and prior to 6.1.6. This easily exploitable vulnerability allows a low-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts).
CVSS v3.1 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-20658
Title: OS Command Injection in SolarView Compact
Vendor: Contec
Description: SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to execute arbitrary OS commands with the web server privilege via unspecified vectors.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-1388
Title: Unauthorized Authentication Vulnerability in Cisco MSO
Vendor: Cisco
Description: A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-1393
Title: Cisco Application Services Engine Unauthorized Access Vulnerabilities
Vendor: Cisco
Description: Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. For more information about these vulnerabilities, see the Details section of Cisco’s advisory.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-25758
Title: Deserialization Vulnerability in IntelliJ IDEA
Vendor: JetBrains
Description: In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES February 25-March 4, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
MD5: f37167c1e62e78b0a222b8cc18c20ba7
VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd