Everything you need to measure, manage, and reduce your cyber risk in one place
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Automate scanning in CI/CD environments with shift left DAST testing
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Everything you need to measure, manage, and reduce your cyber risk in one place
Contact us below to request a quote, or for any product-related questions
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Discover, track, and continuously secure containers – from build to runtime
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Automate scanning in CI/CD environments with shift left DAST testing
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Vol. 22, Num. 03
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 13-20, 2022
TOP VULNERABILITY THIS WEEK: Threat actor spreading group of trojans through common internet infrastructure
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers use AWS, Azure, to spread group of RATs
Description: Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting user’s information. According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States, Italy and Singapore. The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services and are actively misusing them to achieve their malicious objectives.
References: https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
Snort SIDs: 58758 – 58773
ClamAV signatures:
Title: Log4j-related Java flaw found in H2
Description: Security researchers recently discovered a critical vulnerability in the H2 open-source Java SQL database that’s like the widespread Log4shell exploit. However, the issue in H2 is considered to be less serious, as it’s harder to exploit and gives potential attackers less of an attack surface. The flaw, identified as CVE-2021-42392, could allow an adversary to execute remote code on vulnerable systems. H2 is widely used by developers in web and internet-of-things platforms. This issue specifically lies in JNDI remote class loading, making it similar to Log4Shell, in that it allows several code paths in the H2 database framework to pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function.
References: https://threatpost.com/log4j-related-flaw-h2-database/177448/
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Russian authorities arrested 14 suspected members of the REvil ransomware gang at the request of the U.S. government.
https://www.washingtonpost.com/world/2022/01/14/russia-hacker-revil/
Amazon fixed a vulnerability in AWS’ Glue managed data integration service that allowed to view other users’ sensitive information and create resources on others’ behalf.
https://www.zdnet.com/article/amazon-fixes-security-flaw-in-aws-glue-service/
U.S. Cyber Command formally linked the MuddyWater threat actor to Iranian intelligence offices, and accused the group of using multiple hacking tools against organizations across the world.
https://www.cnn.com/2022/01/12/politics/iran-cyber-command-hacking-muddywater/
North Korean state-sponsored actors stole an estimated $395 million worth of cryptocurrency last year as part of seven intrusions against virtual currency exchanges and investment firms.
https://www.wired.com/story/north-korea-cryptocurrency-theft-ethereum/
A 19-year-old discovered a way to control some Tesla car models via a vulnerability in a third-party app that could allow an attacker to unlock doors, open windows, start keyless driving, honk and flash lights.
https://www.vice.com/en/article/akv7z5/how-a-hacker-controlled-dozens-of-teslas-using-a-flaw-in-third-party-app
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-25981 |
Title: Session expiration vulnerability in Talkyard
Description: Insufficient Session Expiration affects Talkyard regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34. If an attacker can access the admin’s still-valid session token, they may be able to use it to gain admin capabilities even if they are logged out (via other, hypothetical attacks).
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-32998 |
Title: Remote code execution vulnerability in FANUC R-30iA and R-30iB
Description: The FANUC R-30iA and R-30iB series controllers are vulnerable to an out-of-bounds write, which may allow an attacker to remotely execute arbitrary code. INIT START/restore from backup required.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-37120 |
Title: Double free vulnerability in some HUAWEI devices
Description: There is a Double free vulnerability in Smartphone. Successful exploitation of this vulnerability may cause a kernel crash or privilege escalation. EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0 are the versions affected by this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-39623 |
Title: Privilege escalation vulnerability in some Android versions
Description: Due to erroneous bounds check in doRead of SimpleDecodingSource.cpp, an out of limits write is possible. This could lead to remote privilege escalation without the requirement for additional execution privileges. Exploitation does not necessitate user participation.
Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-194105348
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-39979 |
Title: Code injection vulnerability in HarmonyOS
Description: A certain HarmonyOS module has a read/write vulnerability. Successful exploitation of this vulnerability may affect certain protection functions of the system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-22704 |
Title: Privilege escalation vulnerability in zabbix-agent2
Description: The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES January 13-20, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37
MD5: a5e345518e6817f72c9b409915741689
VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details
Typical Filename: swupdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos
SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34
MD5: 3f75eb823cd1a73e4c89185fca77cb38
VirusTotal: https://www.virustotal.com/gui/file/d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34/details
Typical Filename: signup.png
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::231945.in02
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: bda6b6c45eabfad23b72c1982820202fa35a73211680c90e2e9d04e98fe91dae
MD5: 7c5eaac8c756691c422027f7b3458759
VirusTotal: https://www.virustotal.com/gui/file/bda6b6c45eabfad23b72c1982820202fa35a73211680c90e2e9d04e98fe91dae/details
Typical Filename: santivirusservice.exe
Claimed Product: SA_Service
Detection Name: W32.Auto:bda6b6c45e.in03.Talos
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details
Typical Filename: SqlServerWorks.Runner.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG