@RISK Newsletter for November 11, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 45
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 11-18, 2021
TOP VULNERABILITY THIS WEEK: Attackers use domain fronting technique to target Myanmar with Cobalt Strike
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers redirect government-controlled website to spread Cobalt Strike
Description: Cisco Talos discovered a new malicious campaign in September 2021 that uses a leaked version of Cobalt Strike. Although Cobalt Strike was created as a legitimate red-team tool, attackers continue to use it to stage intrusions, so defenders still need to monitor for it. The malware is a loader that runs on the victim machine, decodes the Cobalt Strike beacon DLL and executes it via reflective injection; at runtime it loads several libraries and generates beacon traffic according to its embedded configuration. That configuration carries the command and control (C2) details: the beacon first issues a DNS request for the Myanmar government-owned domain www[.]mdn[.]gov[.]mm, which is hosted behind the Cloudflare content delivery network. Because the HTTP Host header specified in the beacon configuration names the attacker-controlled server test[.]softlemon[.]net, the CDN forwards the actual C2 traffic there. This is domain fronting: to network monitoring that only sees DNS and the TLS server name, the traffic appears bound for a legitimate government site.
Reference: https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html
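The SNI/Host mismatch at the heart of this technique is something a proxy that terminates TLS can check for directly. The following is an added example, not Talos code or anything from the blog post: it reads a constructed, simplified proxy log and flags sessions whose TLS server name and HTTP Host header belong to different registrable domains. The log format, the RFC 5737 server addresses and the small multi-label suffix table are assumptions standing in for a real proxy export and the Public Suffix List.

```python
"""Flag domain-fronted HTTPS sessions: TLS SNI and HTTP Host header disagree."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of a TLS-inspecting proxy export (assumed format):
# timestamp client_ip server_ip tls_sni http_host ("-" when no Host header was seen).
SAMPLE_LOG = """\
2021-09-14T10:02:11Z 10.0.0.23 203.0.113.10 www.mdn.gov.mm test.softlemon.net
2021-09-14T10:02:15Z 10.0.0.23 203.0.113.10 www.mdn.gov.mm www.mdn.gov.mm
2021-09-14T10:03:40Z 10.0.0.51 203.0.113.22 cdn.example.com static.example.com
2021-09-14T10:04:02Z 10.0.0.51 203.0.113.22 cdn.example.com -
2021-09-14T10:05:19Z 10.0.0.77 203.0.113.10 www.mdn.gov.mm TEST.softlemon.net.
"""

# Tiny stand-in for the Public Suffix List: suffixes under which registrations
# happen one label deeper than the TLD (so www.mdn.gov.mm -> mdn.gov.mm).
MULTI_LABEL_SUFFIXES = {"gov.mm", "co.uk", "gov.uk", "com.au", "com.br"}


def registrable_domain(name: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname, lower-cased, without a trailing dot."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client_ip: str
    sni: str
    host: str


def find_fronted_sessions(log_text: str) -> List[Finding]:
    """Return sessions whose SNI and Host header resolve to different registrable domains."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client_ip, _server_ip, sni, host = line.split()
        if host == "-":
            # Host header not visible (no decryption): nothing to compare, so no verdict.
            continue
        if registrable_domain(sni) != registrable_domain(host):
            findings.append(Finding(timestamp, client_ip, sni, host.lower().rstrip(".")))
    return findings


def fronting_hosts_by_client(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group flagged Host headers per client, the view an analyst triages from."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.client_ip, set()).add(f.host)
    return grouped


if __name__ == "__main__":
    hits = find_fronted_sessions(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.timestamp} {hit.client_ip}: SNI {hit.sni} but Host {hit.host}")
    print(fronting_hosts_by_client(hits))
```

The check only works where the Host header is visible, that is, after TLS decryption; SNI-only or DNS-only filtering is exactly what domain fronting defeats. A Host header that is a sibling under the same registrable domain as the SNI (a normal CDN pattern) is deliberately not flagged, and the suffix table must be replaced by the full Public Suffix List before relying on this in production.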
Title: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
Description: Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021. Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012. This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts. The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers. These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules. This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.
Reference: https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
U.S. President Joe Biden signed a massive infrastructure bill that includes nearly $2 billion for cybersecurity improvements, including large grants for local and state governments to improve critical infrastructure security.
https://www.cyberscoop.com/cybersecurity-infrastructure-investment-jobs-act-biden-signed/
Attackers used the fbi.gov domain name to send out a blast of fake emails about a cybercrime investigation.
https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/
The U.S. and Israel announced a new joint initiative to combat ransomware and protect critical infrastructure.
https://home.treasury.gov/news/press-releases/jy0479
Epic Games is alleging that Google overstated a security flaw in its Fortnite video game to damage the company’s reputation.
https://www.newsobserver.com/news/business/article255840326.html
China is considering implementing cybersecurity reviews to assess the national security threat posed by companies that wish to be listed on the Hong Kong stock exchange.
https://www.bloomberg.com/news/articles/2021-11-14/china-may-seek-cyber-check-for-hk-listings-of-firms-holding-data
Attackers reportedly exploited then-unknown security vulnerabilities in Mac operating systems to target users in Hong Kong.
https://www.vice.com/en/article/93bw8y/google-caught-hackers-using-a-mac-zero-day-against-hong-kong-users
The research into that exploit uncovered details indicating that Apple may not be releasing security updates for older versions of some Mac operating systems at the same pace as for more current versions.
https://arstechnica.com/gadgets/2021/11/psa-apple-isnt-actually-patching-all-the-security-holes-in-older-versions-of-macos/
Microsoft released an out-of-band security update for some Windows Server systems, fixing an issue that was causing some servers to fail to authenticate users relying on single sign-on tokens and some Active Directory and SQL Server services.
https://searchsecurity.techtarget.com/news/252509525/Microsoft-releases-out-of-band-update-for-Windows-Server
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-40521 |
Title: Remote code execution vulnerability in HSMX internet gateway |
Description: HSMX Gateway is a platform for managing authentication and billing on a network.
The device can be tricked into downloading and running a malicious package from a remote server controlled by the attacker, giving the attacker code execution as root on the device.
The vulnerability affects version 5.2.04 and earlier.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-42669 |
Title: Remote code execution vulnerability in Engineers Online Portal
Description: Engineers Online Portal contains an unrestricted file upload vulnerability that an attacker can use to gain remote code execution on the web server.
A submitted avatar is written, without validation of its name or content, to the /admin/uploads/ directory, which is web-accessible to all users. Uploading a simple PHP web shell as an avatar and then requesting it from that directory gives the attacker code execution on the web server.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
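The two mistakes behind this class of bug, trusting the client-supplied filename and writing into a web-served directory, are shown side by side in this added example. It is written here for illustration and is not taken from the Engineers Online Portal code base: vulnerable_save_path mirrors the flawed pattern, while hardened_save_path checks the declared type against the file's magic bytes, rejects embedded script content and assigns a server-chosen name in a directory outside the webroot. The directory paths, function names and the constructed one-line PHP web shell are assumptions.

```python
"""Avatar upload: the flawed pattern next to a hardened handler."""
import os
import secrets

# Constructed payload: the kind of one-line PHP web shell an attacker would upload.
WEB_SHELL = b"<?php system($_GET['c']); ?>"

# Constructed minimal PNG: the 8-byte signature followed by padding, enough for the check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Allowed image types and the magic bytes each must begin with.
ALLOWED_IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def vulnerable_save_path(web_uploads_dir: str, client_filename: str) -> str:
    """Mirrors the flawed pattern: keep the client's name and extension, write under the webroot.

    With web_uploads_dir served by PHP, 'shell.php' becomes a URL that executes.
    """
    return os.path.join(web_uploads_dir, os.path.basename(client_filename))


def validate_avatar(client_filename: str, data: bytes) -> str:
    """Return the canonical extension for an acceptable image, or raise ValueError."""
    if "\x00" in client_filename:
        raise ValueError("null byte in filename")
    if "." not in client_filename:
        raise ValueError("no extension")
    ext = client_filename.rsplit(".", 1)[1].lower()  # last extension only: 'x.php.png' -> 'png'
    if ext not in ALLOWED_IMAGE_MAGIC:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED_IMAGE_MAGIC[ext]):
        raise ValueError("content does not match declared image type")
    # Heuristic guard against image/PHP polyglots; a real handler should also
    # re-encode the image so that only pixel data survives.
    if b"<?php" in data or b"<script" in data.lower():
        raise ValueError("script content inside image")
    return "jpg" if ext == "jpeg" else ext


def hardened_save_path(storage_dir: str, client_filename: str, data: bytes) -> str:
    """Validate, then store under a server-chosen random name outside the webroot."""
    ext = validate_avatar(client_filename, data)
    random_name = secrets.token_hex(16)  # the client-controlled name never reaches the filesystem
    return os.path.join(storage_dir, f"{random_name}.{ext}")


def try_upload(save, *args) -> str:
    """Demo helper: return the resulting path, or the rejection reason."""
    try:
        return save(*args)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(vulnerable_save_path("/var/www/html/admin/uploads", "shell.php"))
    print(try_upload(hardened_save_path, "/srv/avatars", "shell.php", WEB_SHELL))
    print(try_upload(hardened_save_path, "/srv/avatars", "shell.php.png", WEB_SHELL))
    print(try_upload(hardened_save_path, "/srv/avatars", "me.PNG", PNG_SAMPLE + WEB_SHELL))
    print(try_upload(hardened_save_path, "/srv/avatars", "me.PNG", PNG_SAMPLE))
```

Files stored this way should be served back through an application handler that sets a fixed image Content-Type, never by pointing the web server at the storage directory, so that even a file that slips past validation is delivered as data rather than executed.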
ID: CVE-2021-42077 |
Title: SQL injection vulnerability in the PHP Event Calendar
Description: PHP Event Calendar is an AJAX-based, multi-user event calendar that is easy to integrate and fully customizable.
In PHP Event Calendar releases prior to 2021-09-03, the username parameter of /server/ajax/user_manager.php is vulnerable to SQL injection.
An attacker can use it to execute arbitrary SQL statements against the database, which in some configurations is enough to compromise the database server entirely, or simply to bypass the login form by injecting into the authentication query.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
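Why an injectable username parameter lets an attacker skip the login form is easiest to see with a minimal login query. This added example is not the PHP Event Calendar's code; the schema, the test credentials and the function names are assumptions. It builds an in-memory SQLite database and contrasts a query assembled by string formatting with a parameterized one, sending the same admin' -- payload to both.

```python
"""Login query: string-formatted (injectable) vs parameterized, on an in-memory SQLite DB."""
import hashlib
import sqlite3
from typing import Optional


def password_hash(password: str) -> str:
    # Plain SHA-256 keeps the demo self-contained; a real application would use
    # a slow, salted scheme such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed schema and test users (assumptions, not the real application's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", password_hash("correct-horse")), ("alice", password_hash("battery-staple"))],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the query with string formatting: the username parameter is injectable."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same logic with bound parameters: the payload is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup_db()
    payload = "admin' -- "  # closes the string literal and comments out the password check
    print("vulnerable:", login_vulnerable(conn, payload, "wrong"))  # admin
    print("safe:", login_safe(conn, payload, "wrong"))  # None
    print("safe, real credentials:", login_safe(conn, "admin", "correct-horse"))  # admin
```

With the formatted query the WHERE clause becomes username = 'admin' -- ' AND password_hash = '...', so everything after the comment marker is ignored and the admin row comes back without a password. A payload such as ' OR '1'='1' -- works the same way but returns whichever row the database yields first. The parameterized version treats the whole payload as a literal username, finds no such user and returns None.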
ID: CVE-2021-42237 |
Title: Remote code execution vulnerability in Sitecore XP 7.5
Description: Sitecore Experience Platform (XP) is a content management and marketing automation platform for building personalized customer experiences.
Sitecore XP from 7.5 Initial Release through 8.2 Update-7 contains an insecure deserialization flaw that allows an attacker to execute arbitrary commands on the server.
Exploitation requires neither authentication nor any particular configuration.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-3064 |
Title: Memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Portal and Gateway Interfaces
Description: PAN-OS is the software that runs all Palo Alto Networks' next-generation firewalls.
The GlobalProtect portal and gateway interfaces are susceptible to a memory corruption vulnerability that allows an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges.
To exploit this flaw, the attacker must have network access to the GlobalProtect interface.
This vulnerability affects PAN-OS 8.1 versions before 8.1.17 but does not affect Prisma Access customers.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-26443 |
Title: Remote code execution vulnerability in Microsoft Virtual Machine Bus (VMBus)
Description: Microsoft Virtual Machine Bus (VMBus) is the Hyper-V mechanism that provides logical communication channels between partitions (the host and its guest virtual machines). It is the internal channel over which requests to virtual devices are carried, and it also backs integration features such as dragging and dropping files between a virtual machine and the host.
The vulnerability is caused by insufficient input validation in VMBus. An authenticated attacker with access to a guest virtual machine can send a specially crafted communication over the VMBus channel and run arbitrary code on the host, which is why the CVSS vector rates the attack as adjacent rather than network-reachable and marks the scope as changed.
CVSS v3.1 Base Score: 9 (AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES November 11-18, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37
MD5: a5e345518e6817f72c9b409915741689
VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details
Typical Filename: swupdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos
SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13
MD5: a6a7eb61172f8d988e47322ebf27bf6d
VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details
Typical Filename: wx.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Wingo::in07.talos
SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762
MD5: 6ea750c9d69b7db6532d90ac0960e212
VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details
Typical Filename: deps.zip
Claimed Product: N/A
Detection Name: Auto.E5044D5AC2.242358.in07.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6
MD5: ee62e8f42ed70e717b2571c372e9de9a
VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details
Typical Filename: lHe
Claimed Product: N/A
Detection Name: W32.Gen:MinerDM.24ls.1201