Everything you need to measure, manage, and reduce your cyber risk in one place
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Automate scanning in CI/CD environments with shift left DAST testing
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Everything you need to measure, manage, and reduce your cyber risk in one place
Contact us below to request a quote, or for any product-related questions
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Discover, track, and continuously secure containers – from build to runtime
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Automate scanning in CI/CD environments with shift left DAST testing
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Vol. 21, Num. 28
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES July 15-22, 2021
TOP VULNERABILITY THIS WEEK: Vulnerabilities in Cisco BPA, WSA could lead to complete takeover
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco patches critical issues in WSA, BPA
Description: Multiple, critical vulnerabilities in Cisco’s Web Security Appliance (WSA) and Business Process Automation (BPA) could allow an attacker to elevate their privileges to the level of an administrator. This opens the door for the attacker to access sensitive data or take over a targeted system. The issues both received a CVSS severity score of 8.8 out of 10. An adversary could exploit these vulnerabilities, identified as CVE-2021-1574 and CVE-2021-1576, by sending specially crafted HTTP messages to the targeted system.
References:
Snort SIDs: 57882 – 57887
Title: Critical vulnerabilities in ForgeRock’s Access Management actively under attack
Description: The U.S. Cybersecurity and Infrastructure Security Agency warned users that attackers are actively exploiting critical remote code execution vulnerabilities in ForgeRock’s Access Management software. Access Management serves as a front end for web apps and remote access setups in enterprise networks. CISA, along with ForgeRock, warned users that the vulnerabilities are actively under exploitation in the wild, although ForgeRock has already released a patch. An adversary could exploit these vulnerabilities to execute commands in the context of the current user.
Reference: https://threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/
Snort SIDs: 57912, 57913
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Researchers from human rights organizations say that Apple needs to collaborate with other tech companies to help prevent the ability of surveillance technology to exploit vulnerabilities in mobile devices.
https://arstechnica.com/information-technology/2021/07/apple-under-pressure-over-iphone-security-after-nso-spyware-claims/
Spyware made by Candiru, which is sold to governments, can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts and has been used to spy on human rights defenders, dissidents, journalists, activists and politicians.
https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
As part of a multi-pronged effort to combat ransomware, the US government launched a plan last week to prevent threat actors from accessing cryptocurrency.
https://www.cyberscoop.com/us-government-crypocurrency-ransomware-criminals-treasury-state-reward/
The U.S. Department of Justice says it will pay up to $10 million for information leading to the identification of state-sponsored threat actors.
https://portswigger.net/daily-swig/us-authorities-are-offering-10-million-for-information-on-nation-state-cyber-attacks
The US, along with a group of allies and partners, has accused the People’s Republic of China of being responsible for the Microsoft Exchange server attacks earlier this year.
https://www.washingtonpost.com/national-security/microsoft-hack-china-biden-nato/2021/07/19/a90ac7b4-e827-11eb-84a2-d93bc0b50294_story.html
The US Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has issued a new security directive mandating additional cybersecurity for critical pipelines.
https://www.cnn.com/2021/07/20/politics/dhs-increases-cybersecuriy-mandates-key-us-pipelines/
Many victims of the Kaseya supply chain attack are struggling to decrypt their affected files after the REvil group behind the attack virtually disappeared from the web.
https://www.zdnet.com/article/kaseya-victim-struggling-with-decryption-after-revil-goes-dark/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2017-5461 |
Title: Denial of Service Vulnerability in Mozilla NSS
Vendor: Mozilla
Description: Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2018-15686 |
Title: Privilege Escalation Vulnerability in Ubuntu
Vendor: Canonical
Description: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-27198 |
Title: Remote Code Execution Vulnerability in VisualWare
Vendor: Visualware
Description: An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21344
Title: Arbitrary Code Execution in XStream Library
Vendor: XStream_project |
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream’s security framework with a whitelist limited to the minimal required types. If you rely on XStream’s default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-18544 |
Title: SQL Injection Vulnerability in WMS
Vendor: WMS_project
Description: SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the “username” parameter in the component “chkuser.php”.
CVSS v3.1 Base Score: 9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES July 15-22, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg