@RISK Newsletter for June 17, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 24
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES June 17-24, 2021
TOP VULNERABILITY THIS WEEK: Agent Tesla using COVID-19-themed lures to target Windows users
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Infamous RAT returns in COVID-related scams
Description: The Agent Tesla remote access trojan (RAT) is back again, this time using COVID-19-related phishing documents as its initial infection vector. Attackers are sending emails claiming to have a COVID-19 vaccine schedule attached as an RTF document. The malicious attachment exploits a known Microsoft Office remote code execution vulnerability, CVE-2017-11882, to infect the victim with Agent Tesla. This version of the RAT appears to be the most recent, with updated anti-detection capabilities and data theft tools. Although many countries, including the U.S., are starting to loosen pandemic restrictions as vaccination rates increase, this campaign shows that attackers will continue using COVID-19 as a popular spam topic.
Reference: https://threatpost.com/agent-tesla-covid-vax-phish/167082/
Snort SIDs: 57787
Title: Attackers may be relying on one another to access corporate networks
Description: A new report indicates that APTs may be exchanging information and money as part of a vast network of cyber criminals distributing ransomware. Some of these groups buy access from other, independent adversaries who infiltrate major targets and eventually receive part of the proceeds from a successful ransomware infection. As part of this, security researchers at Proofpoint uncovered several new actors. One of these groups, which it named TA577, has been active since mid-2020. It’s used several ransomware payloads including SmokeLoader, IcedID, Ursnif and Cobalt Strike.
References:
- https://www.itpro.co.uk/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
Snort SIDs: 57786, 57791
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A state-sponsored cyberespionage campaign that exploited vulnerabilities in Pulse Connect Secure networking devices had a broader scope than initially suspected.
https://apnews.com/article/government-and-politics-hacking-technology-business-7350235e07d46ba5afc1238b553ea4b9
Ukrainian law enforcement arrested several individuals for their alleged involvement in the CLOP ransomware; the arrests were part of an international operation.
https://www.govinfosecurity.com/ukraine-arrests-6-clop-ransomware-operation-suspects-a-16885
The Colonial Pipeline ransomware attack has made clear that critical infrastructure entities need cyberthreat recovery plans for both information technology (IT) and operational technology (OT).
https://blog.talosintelligence.com/2021/06/new-world-after-pipeline-ransomware-ONG.html
Researchers at Talos have observed an increase in Business Email Compromise attacks.
https://blog.talosintelligence.com/2021/06/business-email-compromise.html
Most US critical infrastructure water systems are non-profit entities and lack dedicated cybersecurity staff.
https://www.nbcnews.com/tech/security/50000-security-disasters-waiting-happen-problem-americas-water-supplie-rcna1206
Attackers are selling sensitive data they claim they stole from Audi and Volkswagen, including vehicle identification numbers and customer names and email addresses.
https://www.vice.com/en/article/xgxaq4/hackers-are-selling-data-stolen-from-audi-and-volkswagen
Encrypted messaging app Wire patched a cross-site scripting vulnerability that could have allowed an adversary to fully control user accounts.
https://portswigger.net/daily-swig/xss-flaw-in-wire-messaging-app-allowed-attackers-to-fully-control-user-accounts
The U.S. Senate confirmed Chris Inglis as the country’s national cyber director. Inglis, the former NSA deputy director, takes over the previously vacant role at a time when lawmakers are pressing for a tougher stance against ransomware operators.
https://www.politico.com/news/2021/06/17/senate-confirms-chris-inglis-cyber-495075
A hacker breached the New York City Law Department’s network with an email password stolen from an employee.
https://www.nytimes.com/2021/06/18/nyregion/nyc-law-department-hack.html
Carnival Cruise Line says a data breach in March of this year may have exposed customer and employee social security numbers, passport numbers and addresses.
https://apnews.com/article/technology-business-9de1969a7fa7ead411a72e7235f06bf3
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-14871
Title: Remote Code Execution Vulnerability in Oracle Solaris
Vendor: Oracle
Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-14871
Title: Buffer Overflow Vulnerability in Oracle Solaris
Vendor: Oracle
Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-31950
Title: Remote Code Execution Vulnerability in Microsoft Sharepoint
Vendor: Microsoft
Description: Microsoft SharePoint Server Spoofing Vulnerability. This CVE ID is unique from CVE-2021-31948 and CVE-2021-31964.
CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
ID: CVE-2013-4988
Title: Buffer Overflow Vulnerability in IcoFX
Vendor: Icofx
Description: Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote attackers to execute arbitrary code via a long idCount value in an ICONDIR structure in an ICO file. NOTE: some of these details are obtained from third party information.
CVSS v2.0 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
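The IcoFX bug above is a trust-the-count problem: idCount is read from the ICONDIR header and used before anyone checks whether the file can actually hold that many directory entries. The parser below is an added illustration written for this newsletter, not IcoFX code, showing how a reader of the ICO format validates idCount against the file length before iterating; the sample ICO bytes are constructed inline.

```python
import struct

ICONDIR_SIZE = 6        # idReserved(2) + idType(2) + idCount(2), little-endian
ICONDIRENTRY_SIZE = 16  # width, height, colors, reserved, planes, bpp, size, offset


def parse_icondir(data):
    """Parse an ICO/CUR directory without trusting idCount.

    Returns a list of (width, height, image_size, image_offset) tuples, or
    raises ValueError when the header claims more entries than the file holds
    or an entry points outside the file.
    """
    if len(data) < ICONDIR_SIZE:
        raise ValueError("truncated ICONDIR header")
    reserved, id_type, id_count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or id_type not in (1, 2):
        raise ValueError("not an ICO (type 1) or CUR (type 2) header")

    # Bound idCount by the bytes actually present before reading any entry;
    # this is the check whose absence lets a large idCount overrun a buffer.
    max_entries = (len(data) - ICONDIR_SIZE) // ICONDIRENTRY_SIZE
    if id_count == 0 or id_count > max_entries:
        raise ValueError(f"idCount {id_count} exceeds the {max_entries} entries the file can hold")

    directory_end = ICONDIR_SIZE + id_count * ICONDIRENTRY_SIZE
    entries = []
    for i in range(id_count):
        off = ICONDIR_SIZE + i * ICONDIRENTRY_SIZE
        w, h, _colors, _rsv, _planes, _bpp, size, img_off = struct.unpack_from("<BBBBHHII", data, off)
        # Each image blob must lie after the directory and inside the file.
        if img_off < directory_end or img_off + size > len(data):
            raise ValueError(f"entry {i}: image data lies outside the file")
        entries.append((w, h, size, img_off))
    return entries


# Constructed sample: one 16x16 entry whose 8-byte image sits right after the directory.
GOOD_ICO = struct.pack("<HHH", 0, 1, 1) + struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 8, 22) + b"\x00" * 8
# Constructed sample: same file with idCount patched to 0xFFFF.
BAD_ICO = struct.pack("<HHH", 0, 1, 0xFFFF) + GOOD_ICO[ICONDIR_SIZE:]


def is_well_formed(data):
    """Convenience wrapper: True if parse_icondir accepts the bytes."""
    try:
        parse_icondir(data)
        return True
    except ValueError:
        return False
```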
ID: CVE-2020-13927
Title: Weak Authentication Vulnerability in Apache Airflow
Vendor: Apache
Description: The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/apache-airflow/1.10.11/security.html#api-authentication. Note: this change fixes it for new installs, but existing users need to change their config to [api] auth_backend = airflow.api.auth.backend.deny_all, as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-11978
Title: Code Injection Vulnerability in Apache Airflow
Vendor: Apache
Description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
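Both Airflow entries above come down to two settings in airflow.cfg: the Experimental API auth backend (CVE-2020-13927) and load_examples (CVE-2020-11978). The audit function below is an added example, not Airflow code, that reads an airflow.cfg and reports when either setting is left in the state the advisories describe as exposed; the sample configs are constructed, and treating a missing load_examples as True is an assumption based on the shipped default.

```python
import configparser

# The hardened backend named in the CVE-2020-13927 advisory.
SAFE_AUTH_BACKEND = "airflow.api.auth.backend.deny_all"


def audit_airflow_cfg(cfg_text):
    """Return a list of findings for an airflow.cfg; an empty list means both settings are hardened."""
    # airflow.cfg values contain '%' (log formats), so disable interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []

    # CVE-2020-13927: before 1.10.11 the default backend accepted every
    # Experimental API request without authentication, and upgrading does
    # not rewrite an existing config, so only an explicit deny_all is safe.
    backend = cfg.get("api", "auth_backend", fallback=None)
    if backend is None:
        findings.append("api.auth_backend unset: pre-1.10.11 installs allow unauthenticated API requests")
    elif backend.strip() != SAFE_AUTH_BACKEND:
        findings.append(f"api.auth_backend={backend.strip()}: expected {SAFE_AUTH_BACKEND}")

    # CVE-2020-11978: the advisory states installs with load_examples=False are
    # not vulnerable, so anything else means the example DAGs are loaded.
    # Assumption: an absent key behaves like the shipped default (True).
    load_examples = cfg.get("core", "load_examples", fallback="True")
    if load_examples.strip().lower() != "false":
        findings.append(f"core.load_examples={load_examples.strip()}: example DAGs are loaded")
    return findings


# Constructed sample: an older install that was never reconfigured.
WEAK_CFG = """
[core]
load_examples = True
[api]
auth_backend = airflow.api.auth.backend.default
"""

# Constructed sample: both settings as the advisories recommend.
HARDENED_CFG = """
[core]
load_examples = False
[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_airflow_cfg(text) or ["ok"])
```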
MOST PREVALENT MALWARE FILES June 17-24, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details
Typical Filename: VID.dat
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg