@RISK Newsletter for July 29, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 30
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES July 29-August 5, 2021
TOP VULNERABILITY THIS WEEK: Solarmarker campaign adds new modules to steal sensitive information
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: SolarMarker tries to take victims around the galaxy
Description: Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger. A previous staging module, “d.m,” used with this malware has been replaced by a new module dubbed “Mars.” Another previously unreported module named “Uranus” has been identified. Organizations should be particularly concerned about the modular nature and information-stealing capabilities of this malware family. Using its staging DLL, the attackers can execute whichever payload module they choose, some of which may be previously undiscovered. The modules already observed leave potential victims vulnerable to having sensitive information stolen, including employees’ browser usage, such as entering a credit card number or other personal information. These attackers may also look to steal login credentials, which could then be used for lateral movement into other systems or to access and steal even more enticing data, such as a customer or patient medical information database.
Reference: https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html
Title: Microsoft warns of NTLM relay attacks
Description: Microsoft released an advisory last week with a workaround for recently discovered NTLM relay attacks. A tool, called PetitPotam, works against servers that enable NTLM authentication and Active Directory Certificate Services. An attacker could use this tool to abuse the Microsoft Encrypting File System Remote Protocol to authenticate to another server. An adversary could carry out this attack without any prior authentication. Microsoft and other security researchers advise disabling NTLM authentication on domain controllers. Users could also disable NTLM on any AD CS servers and disable NTLM for IIS on AD CS servers.
References:
- https://duo.com/decipher/microsoft-issue-guidance-for-mitigating-petitpotam-ntlm-relay-attack
- https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
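The advice above boils down to "stop accepting NTLM on domain controllers and AD CS hosts". The following PowerShell, added here as an example and not taken from the newsletter or from Microsoft's KB, reads the registry values behind the "Network security: Restrict NTLM" policies on the server it runs on and flags any that still allow incoming NTLM. The "hardened" thresholds are this example's own assumption (deny-all settings); the registry paths and value names are the documented policy backing stores.

```powershell
# Added example: audit the local "Restrict NTLM" policy values that KB5005413-style
# hardening relies on. Run elevated on the DC or AD CS server being checked.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictReceivingNTLMTraffic'; Hardened = 2
       Note = 'Incoming NTLM traffic (2 = deny all accounts)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'AuditReceivingNTLMTraffic'; Hardened = 2
       Note = 'Audit incoming NTLM (2 = audit all accounts); use before denying' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RestrictNTLMInDomain'; Hardened = 7
       Note = 'NTLM authentication in this domain, DCs only (7 = deny all)' }
)

foreach ($c in $checks) {
    # A missing value means the policy is "Not Defined", which Windows treats as allow.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 'not set (default: allow)' } else { $item.($c.Name) }
    $state = if ($item -and $item.($c.Name) -ge $c.Hardened) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1,-28} = {2}  [{3}]' -f $state, $c.Name, $value, $c.Note
}
```

Any line marked REVIEW is a host that still accepts NTLM from some population of accounts; the audit value lets you log NTLM use (Event ID 8004 in the NTLM operational log) before switching to deny, so legacy clients are found rather than broken.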
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. Department of Justice says the threat actors behind the SolarWinds supply chain attack broke into federal prosecutors’ email accounts.
https://www.npr.org/2021/07/31/1023162095/russians-hacked-federal-prosecutors-doj-solarwinds
Attackers blocked an Italian booking site for the COVID-19 vaccine.
https://www.cnn.com/2021/08/02/business/italy-hackers-covid-vaccine-intl/index.html
The U.S. government has hired a company to help it store seized bitcoin.
https://www.vox.com/recode/2021/7/30/22600574/cryptocurrency-bitcoin-ethereum-asset-seizure-crimes-bank-storage-password-department-of-justice
The U.S. Cybersecurity and Infrastructure Security Agency launched a new internal vulnerability reporting platform for federal agencies.
https://www.cisa.gov/blog/2021/07/29/cisa-announces-new-vulnerability-disclosure-policy-vdp-platform
An updated version of PunkSpider will be introduced at the Defcon conference next week. The tool crawls the web to catalog vulnerabilities in websites.
https://www.wired.com/story/punkspider-web-site-vulnerabilities/
Apple released patches for iOS, iPadOS, and macOS last week to fix a zero-day vulnerability.
https://therecord.media/apple-releases-fix-for-ios-and-macos-zero-day-13th-this-year/
A week after releasing iOS 14.7.1, Apple stopped signing iOS version 14.7, preventing users from downgrading to that version.
https://9to5mac.com/2021/08/02/apple-stops-signing-ios-14-7-blocking-downgrades-from-ios-14-7-1/
In September, Google will add a resource key to the end of shared Google Drive links to prevent people from guessing secret URLs.
https://arstechnica.com/gadgets/2021/07/heres-what-that-google-drive-security-update-message-means/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-0796
Title: Remote Code Execution Vulnerability in Microsoft SMB
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-1953
Title: Malicious File Upload Vulnerability in Apache Commons
Vendor: Apache
Description: Apache Commons Configuration uses a third-party library to parse YAML files which, by default, allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library, so if a YAML file was loaded from an untrusted source, it could load and execute code outside the control of the host application.
CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-26821
Title: Weak Authentication Vulnerability in SAP Solution Manager
Vendor: SAP
Description: SAP Solution Manager (JAVA stack), version 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service; this has an impact on the integrity and availability of the service.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
ID: CVE-2021-35211
Title: Remote Code Execution Vulnerability in SolarWinds Serv-U
Vendor: SolarWinds
Description: Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-6102
Title: Code Execution Vulnerability in Shader Functionality – AMD Radeon DirectX Driver
Vendor: AMD
Description: An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). Theoretically this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES July 29-August 5, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 7820c5e3fbad356d9a8333ff731b04a4a3dd6e41cfc37be90b4e638fa1a6551e
MD5: 4891c7b054453b3e1b0950bb8e645b9c
VirusTotal: https://www.virustotal.com/gui/file/7820c5e3fbad356d9a8333ff731b04a4a3dd6e41cfc37be90b4e638fa1a6551e/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd