@RISK Newsletter for October 14, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 41
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 14-21, 2021
TOP VULNERABILITY THIS WEEK: U.S. government warns of potential attacks from BlackMatter ransomware
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Predecessor to DarkSide ransomware gang could make waves in coming weeks
Description: Major U.S. government agencies released a warning this week that the BlackMatter ransomware could strike major organizations or public sector targets. An advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency stated that BlackMatter is likely a predecessor to DarkSide, the ransomware group known for attacking the Colonial Pipeline earlier this year. The advisory warns businesses that they should implement multi-factor authentication and enact stronger credential rules to prepare for potential BlackMatter attacks. According to the report, the ransomware has already targeted two large food cooperatives in the U.S.
References: https://threatpost.com/feds-warn-blackmatter-ransomware-gang-is-poised-to-strike/175567/
Snort SIDs: 58237, 58238
Title: Multiple vulnerabilities in ZTE MF971R LTE router
Description: Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could exploit all these vulnerabilities by sending a specially crafted HTTP request to the targeted device. TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to execute arbitrary remote code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317. TALOS-2021-1318 and TALOS-2021-1319 are cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser. In this case, an attacker would need to trick the user into opening an attacker-controlled URL that hosts the malicious HTTP request.
Reference: https://blog.talosintelligence.com/2021/10/vuln-spotlight-.html
Snort SIDs: 57749-57752, 57798, 57799, 57802, 57803, 57829
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The REvil ransomware gang claims it is shutting down again after someone breached their Tor sites. The group also took its leaks website offline.
https://techcrunch.com/2021/10/18/revil-ransomware-group-goes-dark-after-its-tor-sites-were-hijacked/
Several television stations owned by Sinclair Broadcast Group are experiencing disruptions after a ransomware attack on the media company.
https://apnews.com/article/technology-business-arts-and-entertainment-be48d7582fdd5604664fff33ed81ca80
Researchers released a free decryptor tool for the BlackByte ransomware after they discovered an error in the ransomware’s encryption algorithm.
https://grahamcluley.com/free-blackbyte-decryptor-released-after-researchers-say-they-found-flaw-in-ransomware-code/
Twitter suspended two accounts used by North Korean hackers in a campaign to lure security researchers into visiting malicious sites.
https://therecord.media/twitter-suspends-two-accounts-used-by-dprk-hackers-to-catfish-security-researchers/
The White House’s plan to prevent government employees from getting phished includes moving away from SMS and app-based authentication to hardware security keys and other phishing-resistant methods.
https://www.vice.com/en/article/93yemz/white-house-omb-phishing-plan
The U.S. convened a meeting of 30 nations to discuss combatting ransomware globally, though Russia was notably not invited.
https://www.nytimes.com/2021/10/14/us/politics/global-ransomware-meeting.html
Missouri’s governor is drawing fire from security experts for threatening to criminally charge a reporter who discovered and responsibly disclosed a vulnerability in a state education website.
https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/
The U.S. government warned critical infrastructure providers that attackers are increasingly targeting the country’s water and wastewater systems sector.
https://www.infosecurity-magazine.com/news/us-government-warns-threat-to/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-27134
Title: Arbitrary Code Execution in Cisco Jabber
Vendor: Cisco
Description: Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-21345
Title: Deserialization Vulnerability in Java xStream
Vendor: xStream, Debian, Oracle
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS v3.0 Base Score: 9.9 (AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N)
ID: CVE-2021-31556
Title: Weak Cryptography Usage in Mediawiki
Vendor: MediaWiki
Description: An issue was discovered in the OAuth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-26085
Title: Arbitrary File Read Vulnerability in Atlassian Confluence Server
Vendor: Atlassian
Description: Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
MOST PREVALENT MALWARE FILES October 14-21, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4
MD5: 84452e3633c40030e72c9375c8a3cacb
VirusTotal: https://www.virustotal.com/gui/file/f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4/details
Typical Filename: sqhost.exe
Claimed Product: sqhost.exe
Detection Name: W32.Auto:f0a5b257f1.in03.Talos
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details
Typical Filename: SqlServerWorks.Runner.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 0e043149a1970990d0098bf986585bf2f224e4be7407348ff91efe89f8c5999c
MD5: 7b7e4f2878799268e9dd0a515420a88e
VirusTotal: https://www.virustotal.com/gui/file/0e043149a1970990d0098bf986585bf2f224e4be7407348ff91efe89f8c5999c/details
Typical Filename: S A Service.exe
Claimed Product: S_A_Service
Detection Name: W32.Auto:0e043149a1.in03.Talos
SHA 256: 33677846134841aa2541b5707102646aeedb1fc32a717a58e89a6ff69f0ef7bb
MD5: bdd455b064413ee7e1997bd10daa4904
VirusTotal: https://www.virustotal.com/gui/file/33677846134841aa2541b5707102646aeedb1fc32a717a58e89a6ff69f0ef7bb/details
Typical Filename: 461502.exe
Claimed Product: N/A
Detection Name: W32.3367784613-100.SBX.TG