@RISK Newsletter for June 24, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 25
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES June 24-July 1, 2021
TOP VULNERABILITY THIS WEEK: Attackers exploiting Cisco ASA vulnerability in the wild
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco warns of active exploitation of cross-site scripting vulnerability
Description: Cisco warned users this week that a vulnerability in its Adaptive Security Appliance (ASA) software is being exploited in the wild. The company first disclosed this vulnerability, identified as CVE-2020-3580, in October. However, a proof-of-concept recently became publicly available and has since been used in the wild. ASA is a perimeter defense appliance that blocks threats from entering corporate networks. An attacker could exploit this cross-site scripting (XSS) vulnerability to execute arbitrary script code in the context of the ASA interface and view sensitive browser-based information on the victim’s network. An XSS attack occurs when an adversary injects malicious scripts into otherwise trusted websites. An affected user comes under attack if they visit that compromised website.
References:
-https://threatpost.com/cisco-asa-bug-exploited-poc/167274/
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe
Snort SIDs: 57856, 57857
Title: Microsoft-signed DLL points to APT-controlled C2s
Description: Security researchers recently discovered Netfilter, a malicious rootkit disguised as a legitimate DLL. Microsoft confirmed this week that it signed the driver, which is commonly distributed among video game players, saying that the developers behind the tool managed to acquire the Microsoft signature in a legitimate manner, and the company is now investigating the matter. Once installed, Netfilter eventually connects to several China-based command and control sites, though the URLs do not appear to have any legitimate use.
Reference: https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A new letter from the Department of Homeland Security suggests that government agencies could have avoided being affected by the recent SolarWinds attack if they had set their firewalls to disable all outbound traffic.
https://www.reuters.com/technology/solarwinds-hackers-could-have-been-waylaid-by-simple-countermeasure-us-officials-2021-06-21/
Dell patched vulnerabilities in its BIOSConnect feature; the issues affect 128 models of Dell desktops, laptops, and tablets.
https://www.wired.com/story/dell-firmware-vulnerabilities/
The U.S. government seized domains belonging to alleged Iranian disinformation groups, some of them state-sponsored.
https://theintercept.com/2021/06/26/us-iran-censor-websites-evidence/
A recent data breach at Mercedes-Benz compromised payment card numbers and other personal data belonging to fewer than 1,000 customers.
https://www.bleepingcomputer.com/news/security/mercedes-benz-data-breach-exposes-ssns-credit-card-numbers/
The Scottish Environmental Protection Agency (Sepa) is rebuilding its IT system from scratch following a December 2020 ransomware attack; Sepa’s chief executive says it could take a year or more to fully recover from the incident.
https://www.bbc.com/news/uk-scotland-57578762
A new app is drawing global interest for paying gig workers in the developing world to collect open-source information for its clients, which include the U.S. military and private companies looking for consumer data. (Please note this story is behind a paywall.)
https://www.wsj.com/articles/app-taps-unwitting-users-abroad-to-gather-open-source-intelligence-11624544026
As part of its continued research into the SolarWinds breach, Microsoft said it discovered its own customer support system was the target of a related attack, allegedly part of a larger Nobelium campaign focused on targeting global IT companies and governments.
https://www.theverge.com/2021/6/25/22551193/microsoft-customer-support-tools-solarwinds-hackers-nobelium
The U.S. Department of Energy is asking for $201 million in its FY 2022 budget to address cybersecurity concerns, $44 million more than last year.
https://www.cnbc.com/2021/06/24/energy-wants-201-million-to-bolster-cybersecurity-in-wake-of-attacks.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-26829
Title: Weak Authentication Vulnerability in SAP NetWeaver
Vendor: SAP
Description: SAP NetWeaver AS JAVA (P2P Cluster Communication), versions 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, allows, because of a missing authentication check, arbitrary connections from processes that are outside the cluster and even outside the network segment dedicated to internal cluster communication. As a result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2017-5645
Title: Deserialization Vulnerability in Apache Log4j
Vendor: Apache, NetApp and Multiple Other Vendors
Description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-5413
Title: Deserialization Vulnerability in Spring Framework
Vendor: VMWare
Description: Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the “deserialization gadgets” exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown “deserialization gadgets” when configuring Kryo in code.
CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
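The entry above describes the fix in one sentence: require registration of trusted classes. The following is an added example, not code from Spring Integration or from this newsletter, that uses the plain Kryo API (Kryo 4.x defaults assumed, where registration is optional unless enabled) to show the permissive setting beside the hardened one; the Event type is a placeholder for whatever a flow actually exchanges.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import java.util.ArrayList;

public class KryoTrustedClasses {

    // Placeholder message type that a hypothetical integration flow exchanges.
    public static class Event {
        public String name;
        public Event() {}
        public Event(String name) { this.name = name; }
    }

    // Weak setting: with registration optional, any class name carried in the
    // stream is resolved on demand, which is how unknown gadget classes get loaded.
    static Kryo permissive() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);   // Kryo 4.x default
        return kryo;
    }

    // Corrected setting: only explicitly registered classes may be (de)serialized,
    // so an unknown class name in the stream fails before any instance is created.
    static Kryo restricted() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(Event.class);
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object obj) {
        Output out = new Output(256, -1);      // growable buffer
        kryo.writeClassAndObject(out, obj);
        return out.toBytes();
    }

    public static void main(String[] args) {
        // Constructed stand-in for untrusted input: an object of a class the
        // receiver never registered (harmless here; the point is the class lookup).
        byte[] untrusted = serialize(permissive(), new ArrayList<String>());

        Object o = permissive().readClassAndObject(new Input(untrusted));
        System.out.println("permissive: instantiated " + o.getClass().getName());

        try {
            restricted().readClassAndObject(new Input(untrusted));
        } catch (IllegalArgumentException e) {
            // Kryo reports "Class is not registered" and instantiates nothing.
            System.out.println("restricted: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Spring Integration's Kryo codecs accept a configured Kryo instance (or a registrar) rather than building one internally, so the same two settings apply when the codec is wired up in application code.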
ID: CVE-2021-33564
Title: Code Injection Vulnerability in Dragonfly Gem
Vendor: DragonFly Project
Description: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
CVSS v3.1 Base Score: 9.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-33790
Title: Remote Code Execution Vulnerability in RebornCore Library
Vendor: Tech Reborn
Description: The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-23017
Title: Buffer Overflow Vulnerability in Nginx Resolver
Vendor: Nginx
Description: A security issue in the nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or potentially other impact.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES June 24-July 1, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: d0c3e85195fb2782cff3de09de5003f37d9bdd351e7094a22dbf205966cc8c43
MD5: 1971fc3783aa6fa3c0efb1276dd1143c
VirusTotal: https://www.virustotal.com/gui/file/d0c3e85195fb2782cff3de09de5003f37d9bdd351e7094a22dbf205966cc8c43/details
Typical Filename: iRiNpQaAxCcNxPdKyG
Claimed Product: Segurazo Antivirus
Detection Name: PUA.Win.File.Segurazo::222360.in02
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos