Everything you need to measure, manage, and reduce your cyber risk in one place
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Automate scanning in CI/CD environments with shift left DAST testing
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Everything you need to measure, manage, and reduce your cyber risk in one place
Contact us below to request a quote, or for any product-related questions
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Discover, track, and continuously secure containers – from build to runtime
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Automate scanning in CI/CD environments with shift left DAST testing
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Vol. 21, Num. 13
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 1-8, 2021
TOP VULNERABILITY THIS WEEK: Adversaries use backdoored video game cheats to deliver malware
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Video game cheats, mods, used to hide malware
Description: Cisco Talos recently discovered a new campaign targeting video game players and other PC modders. Talos detected a new cryptor used in several different malware campaigns hidden in seemingly legitimate files that users would usually download to install cheat codes into video games or other visual and game modifications (aka “mods”). The cryptor uses Visual Basic 6 along with shellcode and process injection techniques. The cryptor in this campaign uses several obfuscation techniques that makes it difficult to dissect and could pose a challenge for security analysts not familiar with Visual Basic 6. Video game players may opt to download certain cheats or modifications (aka “mods”) to change the way some games are presented. The adversaries use these gaming and OS modding tools to attach hidden malware to infect their victims.
References: https://blog.talosintelligence.com/2021/03/cheating-cheater-how-adversaries-are.html
ClamAV signatures: Win.Trojan.VB6Crypt-9839935-0, Win.Trojan.Elzob-9839938-0, Win.Malware.Amyl6tnk-9839937-0, Win.Packed.Cerbu-9839936-0
Title: Accusoft ImageGear vulnerabilities could lead to code execution
Description: Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF and Microsoft Office. A user could trigger these vulnerabilities by opening an attacker-created, malicious file.
Reference: https://blog.talosintelligence.com/2021/03/vuln-spotlight-accusoft-image-gear-march-2021.html
Snort SIDs: 57011 - 57018, 57052, 57053, 57124, 57125
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The attackers behind the SolarWinds breach reportedly targeted threat hunters and other cyber first responders likely to be involved with investigating the campaign.
https://www.cnn.com/2021/04/02/politics/russian-hackers-target-us-cyber-hunters-solarwinds/index.html
North Korean-linked actors set up a fake cyber security company in an attempt to lure researchers into disclosing sensitive information via LinkedIn messages and other job-recruitment correspondence.
https://www.cyberscoop.com/north-korean-hackers-fake-company-security-researchers-social-media/
Phone numbers and other personal data belonging to more than 533 million Facebook users were leaked to a popular cybercrime forum.
https://therecord.media/phone-numbers-for-533-million-facebook-users-leaked-on-hacking-forum/
American prosecutors charged a 22-year-old for infiltrating the network of a Kansas town’s water supply system in 2019 and shutting down cleaning and disinfecting processes.
https://www.vice.com/en/article/3anx79/feds-indict-kansas-man-for-allegedly-hacking-into-water-supply
Several European Union organizations were the targets of a cyberattack last week.
https://www.bloomberg.com/news/articles/2021-04-06/european-institutions-were-targeted-in-a-cyber-attack-last-week
Attackers hid malware in a popular cheat engine for the video game “Call of Duty: Warzone.”
https://www.theverge.com/2021/3/31/22360826/call-of-duty-warzone-malware-cheats-hack
A cyberespionage campaign believed to be the work of Chinese threat actors is targeting government and military organizations in Vietnam.
https://www.darkreading.com/application-security/kaspersky-uncovers-new-apac-cyberespionage-campaign/d/d-id/1340588
A malicious document builder called EtterSilent mimics the DocuSign and drops the Trickbot banking Trojan.
https://www.cyberscoop.com/docusign-security-hack-ettersilent-intel471/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-6287 |
Title: Authentication Bypass Vulnerability in SAP NetWeaver
Vendor: SAP
Description: SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-27193 |
Title: Privilege Escalation Vulnerability in Netop Vision Pro
Vendor: Netop
Description: Incorrect default permissions vulnerability in the API of Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to read and write files on the remote machine with system privileges resulting in a privilege escalation.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-26810 |
Title: Remote Code Injection Vulnerability in D-link devices
Vendor: D-link
Description: D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnerability. An HTTP request parameter can be used in command string construction in the handler function of the /goform/dir_setWanWifi, which can lead to command injection via shell metacharacters in the statuscheckpppoeuser parameter.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-9480 |
Title: Remote Code Execution Vulnerability in Apache Spark
Vendor: Apache
Description: In Apache Spark 2.4.5 and earlier, a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21972 |
Title: Remote Code Execution Vulnerability in VMware vCenter Server Plugin
Vendor: VMware
Description: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21973 |
Title: SSRF Vulnerability in VMware vCenter Server Plugin
Vendor: VMware
Description: The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
ID: CVE-2021-21982
Title: Authentication Bypass Vulnerability in VMware Carbon Black Cloud
Vendor: VMware
Description: VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.
CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
MOST PREVALENT MALWARE FILES April 1-8, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
SHA 256: bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208
MD5: 84291afce6e5cfd615b1351178d51738
VirusTotal: https://www.virustotal.com/gui/file/bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.BFBE7022A4.5A6DF6a61.auto.Talos