@RISK Newsletter for April 08, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 14
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 8-15, 2021
TOP VULNERABILITY THIS WEEK: Microsoft patches more than 100 vulnerabilities as part of monthly security update
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Exchange Server critical vulnerabilities included in Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year. Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in Tuesday’s security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. The new vulnerabilities Microsoft disclosed are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10. There are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. The remainder are all “important.” Twelve of the critical vulnerabilities exist in the remote procedure call runtime.
References: https://blog.talosintelligence.com/2021/04/microsoft-patch-tuesday-for-april-2021.html
Snort SIDs: 57403, 57404, 57411, 57414
Title: Attackers infiltrate collaboration app servers to spread spam, malware
Description: As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses. Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments. RATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.
Reference: https://blog.talosintelligence.com/2021/04/collab-app-abuse.html
ClamAV signatures: Win.Trojan.AgentTesla-9846789-0, Js.Trojan.Downloader-9846867-0, Win.Dropper.Agent-9847178-0, Win.Trojan.Vebzenpak-9847193-0, Win.Trojan.Bulz-9847194-1, Win.Malware.Predator-9850360-1, Win.Trojan.Taskun-9850631-0, Win.Packed.Trojanx-9850692-0
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Iran claimed a state-sponsored actor was likely behind a recent attack that shut down its Natanz uranium enrichment facility.
https://www.nytimes.com/2021/04/11/world/middleeast/iran-nuclear-natanz.html
The U.S. has denied involvement in the attack, which caused an explosion.
https://www.axios.com/biden-administration-explosion-natanz-nuclear-site-8f2b71ae-54c4-438f-be12-68c6f3e3c676.html
A Telegram bot could be exploited to disclose the phone number attached to many Facebook pages; this is separate from the leaked database of 500 million Facebook users’ records that was in the news last week.
https://www.vice.com/en/article/qj8dj5/facebook-phone-number-data-breach-telegram-bot
A threat actor leaked information belonging to a rival hacking group after breaching a credit card fraud dark web forum.
https://www.group-ib.com/media/swarmshop-breach/
Q Link Wireless, a low-cost mobile phone carrier, exposed sensitive personal information to anyone who knew a valid phone number and could provide it through the carrier’s app.
https://arstechnica.com/information-technology/2021/04/no-password-required-mobile-carrier-exposes-data-for-millions-of-accounts/
U.S. President Joe Biden filled two key cybersecurity roles in his administration, nominating former National Security Agency officials to head the Cybersecurity and Infrastructure Security Agency and to become the country’s first national cyber director.
https://www.politico.com/news/2021/04/12/biden-nominates-former-nsa-officials-480945
Vulnerabilities in four TCP/IP stacks affect millions of Internet of Things devices that can be exploited to allow remote code execution or cause denial-of-service conditions.
https://www.zdnet.com/article/these-new-vulnerabilities-millions-of-iot-devives-at-risk-so-patch-now/
The Sysrv botnet is adding new exploits and capabilities as it steps up its targeting of Windows and Linux machines to deliver cryptocurrency miners.
https://arstechnica.com/gadgets/2021/04/windows-and-linux-devices-are-under-attack-by-a-new-cryptomining-worm/
Several ransomware actors are still exploiting unpatched Microsoft Exchange Servers a month after the company disclosed several zero-day vulnerabilities.
https://www.darkreading.com/attacks-breaches/inside-the-ransomware-campaigns-targeting-exchange-servers/d/d-id/1340582
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-30177
Title: SQL Injection Vulnerability in PHPNuke
Vendor: PHPNuke
Description: There is a SQL injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state field is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-28925
Title: SQL Injection Vulnerability in Nagios
Vendor: Nagios
Description: SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-24175
Title: Authentication Bypass Vulnerability in Posimyth WP Plugin
Vendor: Posimyth
Description: The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-1871
Title: Remote Code Execution Vulnerability in macOS Big Sur
Vendor: Apple
Description: A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-17523
Title: Authentication Bypass Vulnerability in Apache Shiro
Vendor: Apache
Description: In Apache Shiro before 1.7.1, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-22986
Title: Remote Code Execution Vulnerability in F5 Big IP system
Vendor: F5
Description: This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21983
Title: Privilege Escalation Vulnerability in VMware vRealize
Vendor: VMware
Description: An arbitrary file write vulnerability in the vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.
CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
MOST PREVALENT MALWARE FILES April 8-15, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos