Everything you need to measure, manage, and reduce your cyber risk in one place
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Automate scanning in CI/CD environments with shift left DAST testing
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Everything you need to measure, manage, and reduce your cyber risk in one place
Contact us below to request a quote, or for any product-related questions
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Discover, track, and continuously secure containers – from build to runtime
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Automate scanning in CI/CD environments with shift left DAST testing
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Vol. 22, Num. 04
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 20-27, 2022
TOP VULNERABILITY THIS WEEK: State-sponsored actors step up cyber attacks in Ukraine
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Wiper malware disguised as ransomware targets Ukrainian users, government agencies
Description: Several cyber attacks against Ukrainian government websites — including website defacements and destructive wiper malware — have made headlines over the past few weeks as military tensions along the Russian/Ukrainian border have escalated. Cisco Talos research found that The WhisperGate malware has some strategic similarities to the notorious NotPetya wiper that attacked Ukranian entities in 2017, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage. The multi-stage infection chain downloads a payload that wipes the MBR, then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the infected machines.
References: https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
IOC hashes to blocklist:
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
Title: Vulnerability in Apple iOS, iPad OS and MacOS could lead to disclosure of sensitive memory data
Description: Cisco Talos recently discovered an out-of-bounds read vulnerability in Apple’s macOS and iOS operating systems that could lead to the disclosure of sensitive memory content. An attacker could capitalize on that information to aid in the exploitation of other vulnerabilities. This vulnerability specifically exists in the DDS image parsing functionality of Apple’s ImageIO library that exists in its desktop and mobile operating systems. The issue arises if an attacker tricks a user into opening a specially crafted, malicious file. An attacker could exploit this vulnerability to leak the target’s heap addresses and other information that could aid in further exploitation if the leaked data can be accessed in the context of a vulnerable application.
References:
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
State-sponsored actors lurked on Ukrainian networks for months before carrying out a recent spate of cyber attacks against government-controlled websites, according to Cisco Talos researchers.
https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months
World leaders are on heightened alert of a potential military invasion of Ukraine, raising concerns about the cybersecurity consequences.
https://www.technologyreview.com/2022/01/21/1043980/how-a-russian-cyberwar-in-ukraine-could-ripple-out-globally/
The U.S. released a warning to law enforcement agencies across the country to be prepared for a potential cyber attack from Russian actors if the US responds to a possible Russian invasion of Ukraine.
https://abcnews.go.com/Politics/dhs-warns-russian-cyberattack-us-responds-ukraine-invasion/story?id=82441727
Google has stopped providing security updates for its Pixel 3 phone only three years after the device was released.
https://www.vice.com/en/article/dypxpx/google-is-forcing-me-to-dump-a-perfectly-good-phone
Apple is no longer providing updates to iOS 14; users who want security updates will need to upgrade to iOS 15.
https://arstechnica.com/gadgets/2022/01/apple-ends-security-updates-for-ios-14-pushes-users-to-install-ios-15-instead/
The Cybersecurity and Infrastructure Security Agency added 17 vulnerabilities to its list of high-profile vulnerabilities that attackers often exploit in the wild, warning users to patch for them immediately if they have not already.
https://www.bleepingcomputer.com/news/security/cisa-adds-17-vulnerabilities-to-list-of-bugs-exploited-in-attacks/
The U.S. Small Business Administration announced a new $3 million program to help small businesses with cybersecurity.
https://www.infosecurity-magazine.com/news/sba-announces-3m-cybersecurity/
Russian law enforcement has arrested the alleged leader of the Infraud Organization hacker group.
https://www.bleepingcomputer.com/news/security/russia-arrests-leader-of-infraud-organization-hacker-group/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-1049 |
Title: Arbitrary code execution in Google Android versions
Description: A malicious program can use this flaw to gain elevated access to the system. A logic issue in the Unisoc slogmodem has resulted in the vulnerability. With higher privileges, a local program can run arbitrary code.
Affected Android versions: Android SoCAndroid ID: A-204256722
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-42392 |
Title: Remote code execution vulnerability in H2 database console
Description: H2 is an open-source Java SQL database offering a lightweight in-memory solution that doesn’t require data to be stored on a disk. Custom classes can be loaded from remote servers via JNDI in H2 Console versions 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21). The H2 database’s org.h2.util.JdbcUtils.get connection method takes the driver’s class name and the database’s URL as inputs. An attacker can cause remote code execution by passing a JNDI driver name and a URL to an LDAP or RMI server.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-21874 |
Title: Remote code execution vulnerability in Microsoft Windows Security Center API
Description: A remote attacker can use this flaw to execute arbitrary code on the victim system. The cause of this vulnerability is a flaw in the Windows Security Center API’s input validation. A remote attacker can send a specially crafted request to the target system and execute arbitrary code.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-21898 |
Title: Remote code execution vulnerability in Microsoft DirectX Graphics Kernel
Description: The problem exists because of incorrect input validation. An attacker can send a specially crafted request to the target system and have it executed arbitrary code. Successful exploitation will result in the entire compromise of the system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-21907 |
Title: Remote code execution vulnerability in Microsoft DirectX Graphics Kernel
Description: The problem exists because of incorrect input validation. An attacker can send a specially crafted request to the target system and have it executed arbitrary code. Successful exploitation will result in the entire compromise of the system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-22055 |
Title: SQL-injection vulnerability in Le-yan dental management system
Description: Unauthenticated remote attackers can inject SQL instructions into the login page’s input field to gain administrator privileges and perform arbitrary system operations or interrupt service.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-22056 |
Title: Hard-coded credentials vulnerability in Le-yan dental management system
Description: In the web page source code of the Le-yan dental management system, there is a hard-coded credentials vulnerability that allows an unauthenticated remote attacker to gain administrator’s privilege and manipulate the system or interrupt service.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES January 20-27, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37
MD5: a5e345518e6817f72c9b409915741689
VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details
Typical Filename: swupdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f
MD5: eb2f5e1b8f818cf6a7dafe78aea62c93
VirusTotal: https://www.virustotal.com/gui/file/2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f/details
Typical Filename: vsb2nasl7.dll
Claimed Product: N/A
Detection Name: W32.A4DE11B029.Wavesor.SSO.Talos
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details
Typical Filename: SqlServerWorks.Runner.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG