@RISK Newsletter for October 21, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 42
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES October 21-28, 2021
TOP VULNERABILITY THIS WEEK: SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Could SquirrelWaffle fill the spam void left behind by Emotet?
Description: Recently, a new threat, referred to as “SQUIRRELWAFFLE”, is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that’s been spread with increasing regularity and could become the next big player in the spam space. SQUIRRELWAFFLE provides threat actors with an initial foothold onto systems and their network environments that can then be used to facilitate further compromise or additional malware infections, depending on how adversaries choose to attempt to monetize their access. In many cases, these infections are also being used to deliver and infect systems with other malware like Qakbot and the penetration-testing tool Cobalt Strike. Let’s take a look at how this new threat operates and the volume and characteristics of the malicious email campaigns associated with it. Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future.
Reference: https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html
ClamAV signatures: Doc.Downloader.SquirrelWaffle09210-9895192-0, Xls.Downloader.SquirrelWaffle20921-9895790-0, Xls.Downloader.SquirrelWaffle1021-9903731-0
Title: Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
Description: Cisco Talos has observed a new campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver a variety of commodity malware to victims. The campaign consists of two phases: a reconnaissance phase that delivers a custom file enumerator and infector to the victims, and an attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT. The threat actor registered multiple domains with political and government themes. These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts.
Reference: https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
Snort SIDs: 58356 - 58361
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Government officials and private security researchers from multiple countries worked to take down the REvil ransomware group.
https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
A first-hand account from a New York Times journalist describes his experience with his iPhone being infected with Pegasus spyware.
https://www.nytimes.com/2021/10/24/insider/hacking-nso-surveillance.html
Tesco, a large grocery store chain in the U.K., says its website and app were down for multiple days after an attempted cyber attack.
https://www.bloomberg.com/news/articles/2021-10-24/tesco-hack-attempt-disrupts-u-k-grocer-s-website-for-second-day
Employees at Sinclair Broadcast Group say many television stations are still struggling to perform normal operations a week after a ransomware attack.
https://www.vice.com/en/article/dypg4w/sinclair-workers-say-tv-channels-are-in-pandemonium-after-ransomware-attack
Many non-profits’ websites are riddled with ad trackers that gather information about users’ interactions with the site and other browsing data.
https://themarkup.org/blacklight/2021/10/21/nonprofit-websites-are-riddled-with-ad-trackers
A Dutch government-sponsored forensics lab says it has decoded Tesla’s driving data storage system.
https://www.reuters.com/business/autos-transportation/dutch-forensic-lab-says-it-has-decoded-teslas-driving-data-2021-10-21/
The largest candy corn manufacturer in the U.S. experienced production issues after a ransomware attack.
https://www.businessinsider.com/ferrara-largest-candy-corn-manufacturer-hacked-2021-10
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-2011
Title: Denial of Service Vulnerability in Juniper Junos
Vendor: Juniper
Description: An improper check for unusual or exceptional conditions in the Juniper Networks Junos OS and Junos OS Evolved Routing Protocol Daemon (RPD) service allows an attacker to send a valid BGP FlowSpec message, thereby causing an unexpected change in the route advertisements within the BGP FlowSpec domain, leading to disruptions in network traffic and a Denial of Service (DoS) condition. Continued receipt of these update messages will cause a sustained Denial of Service condition. This issue affects Juniper Networks: Junos OS: All versions prior to 17.3R3-S10 with the exceptions of 15.1X49-D240 on SRX Series and 15.1R7-S8 on EX Series; 17.3 versions prior to 17.3R3-S10; 17.4 versions prior to 17.4R2-S12, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S6; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S3; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R2-S5, 19.3R3-S1; 19.4 versions prior to 19.4R1-S3, 19.4R2-S3, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R1-S3, 20.2R2; 20.3 versions prior to 20.3R1-S1, 20.3R2. Junos OS Evolved: All versions prior to 20.3R1-S1-EVO, 20.3R2-EVO.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
ID: CVE-2021-21783
Title: Remote Code Execution Vulnerability in Genivia
Vendor: Genivia
Description: A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-22931
Title: XSS Vulnerability in Nodejs
Vendor: Nodejs
Description: Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to remote code execution, XSS and application crashes due to missing input validation of host names returned by DNS servers in the Node.js dns library, which can lead to output of wrong hostnames (leading to domain hijacking) and injection vulnerabilities in applications using the library.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
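As an added example (not code from the newsletter, the Node.js project or the CVE advisory), the following shows the kind of defensive check an application can apply to hostnames that come back from the Node.js dns module (reverse lookups, CNAME/NS/PTR answers) before interpolating them into HTML, commands, URLs or logs. It assumes the application collects resolver answers as an array of strings; the sample answers are constructed and no network lookup is performed.

```javascript
// One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
const LABEL_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Returns true only for a syntactically valid RFC 1123-style hostname:
// at most 253 characters overall, dot-separated labels matching LABEL_RE.
// A single trailing dot (FQDN form) is tolerated; empty labels are not.
function isValidHostname(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 254) return false;
  const trimmed = name.endsWith('.') ? name.slice(0, -1) : name;
  if (trimmed.length === 0 || trimmed.length > 253) return false;
  return trimmed.split('.').every((label) => LABEL_RE.test(label));
}

// Splits resolver answers into accepted and rejected names so the caller can
// use the former and log the latter instead of trusting the resolver blindly.
function filterResolvedHostnames(answers) {
  const accepted = [];
  const rejected = [];
  for (const answer of answers) {
    (isValidHostname(answer) ? accepted : rejected).push(answer);
  }
  return { accepted, rejected };
}

// Constructed sample answers (hypothetical): two ordinary names, then strings
// carrying characters that would be harmful if pasted into HTML, a shell
// command or a URL, a label with a leading hyphen, and an over-long label.
const SAMPLE_ANSWERS = [
  'mail.example.net',
  'host-1.example.org.',
  '<script>alert(1)</script>.example.net',
  'evil.example.net;id',
  '-bad.example.net',
  'a'.repeat(64) + '.example.net',
];

const sampleResult = filterResolvedHostnames(SAMPLE_ANSWERS);
console.log('accepted:', sampleResult.accepted);
console.log('rejected:', sampleResult.rejected);
```

The same check belongs on any value derived from DNS, including names pulled from `dns.lookupService()` or `dns.promises.reverse()`, since those are the call paths where resolver-supplied strings reach application code.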
ID: CVE-2021-40438
Title: SSRF Vulnerability in Apache Server
Vendor: Apache
Description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVSS v3.1 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES October 21-28, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3993aa1a1cf9ba37316db59a6ef67b15ef0f49fcd79cf2420989b9e4a19ffc2a
MD5: 3c3046f640f7825c720849aaa809c963
VirusTotal: https://www.virustotal.com/gui/file/3993aa1a1cf9ba37316db59a6ef67b15ef0f49fcd79cf2420989b9e4a19ffc2a/details
Typical Filename: app.exe
Claimed Product: N/A
Detection Name: Auto.3993AA.242356.in02
SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762
MD5: 6ea750c9d69b7db6532d90ac0960e212
VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details
Typical Filename: deps.zip
Claimed Product: N/A
Detection Name: Auto.E5044D5AC2.242358.in07.Talos
SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34
MD5: 3f75eb823cd1a73e4c89185fca77cb38
VirusTotal: https://www.virustotal.com/gui/file/d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34/details
Typical Filename: signup.png
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::231945.in02
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details
Typical Filename: SqlServerWorks.Runner.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG
SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6
MD5: ee62e8f42ed70e717b2571c372e9de9a
VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details
Typical Filename: lHe
Claimed Product: N/A
Detection Name: W32.Gen:MinerDM.24ls.1201