Internet Storm Center Spotlight


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Masslogger steals users’ credentials from Outlook, Chrome

Description: Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers. The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection, but it can also be a weakness, as each stage gives defenders another opportunity to break the kill chain. While most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage on organizations by stealing users' credentials. The credentials themselves have value on the dark web, and actors sell them for money or use them in other attacks.

References: https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html

Snort SID: 57141-57154

OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/win_forensics/potential_compiled_HTML_abuse.yaml

Title: Gamaredon APT spreads rapidly, looking to steal and sell information

Description: Gamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian activities in several reports over the years. It is extremely aggressive. Although it is usually not associated with high-visibility campaigns, Cisco Talos sees it as incredibly active, and we believe the group is on par with some of the most prolific crimeware gangs. Gamaredon has been exposed several times in multiple threat intelligence reports, without any significant effect on its operations. Its information-gathering activities can almost be classified as those of a second-tier APT, whose main goal is to gather information and share it with other units, who will eventually use that information to carry out the end goal. Recently, Cisco Talos researchers discovered four different campaigns using different initial infection vectors and final payloads.

Reference: https://blog.talosintelligence.com/2021/02/gamaredonactivities.html

Snort SIDs: 57194-57196

ClamAV: Lnk.Malware.Gamaredon-7448135-3

Internet Storm Center Entries


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The U.S. is preparing to issue sanctions against Russia for its alleged involvement in the massive SolarWinds breach that affected government agencies and Fortune 500 companies.

https://www.washingtonpost.com/national-security/biden-russia-sanctions-solarwinds-hacks/2021/02/23/b77039d6-71fa-11eb-85fa-e0ccb3660358_story.html

American prosecutors charged three North Koreans for allegedly conspiring to steal more than $1.3 billion from banks, ATMs, and cryptocurrency traders.

https://www.cnn.com/2021/02/17/politics/north-korea-hackers-charged/index.html

Apple updated its Platform Security guide, outlining how its devices offer better data protection via upgrades to its FileVault service, new password protection options and more.

https://9to5mac.com/2021/02/18/2021-apple-platform-security-guide-available/

The company behind a line of cameras that allows parents to look in on their children while they’re at daycare warned customers of a data breach and has temporarily suspended service.

https://www.theregister.com/2021/02/22/nurserycam_breach/

Jamaica’s immigration website left travelers’ personal information exposed through an inadequately secured cloud storage server; the exposed information includes results of COVID-19 tests and immigration records.

https://techcrunch.com/2021/02/17/jamaica-immigration-travelers-data-exposed/

Apple says it’s already taken multiple steps to eliminate the "Silver Sparrow" malware that reportedly targeted the company’s M1 chips.

https://www.techradar.com/news/apple-says-it-has-already-beaten-new-m1-mac-malware

Grocery store chain Kroger says some of its pharmacy and clinic customers may have had their Social Security numbers and prescription information stolen as a result of an attack on Accellion’s FTA file transfer product.

https://abcnews.go.com/Business/wireStory/kroger-pharmacy-customer-data-impacted-vendor-hack-76031082

Ukraine blamed Russian threat actors for a series of distributed denial-of-service attacks on Ukrainian security and defense websites.

https://www.reuters.com/article/ukraine-cyber/ukraine-accuses-russian-networks-of-new-massive-cyber-attacks-idUSL1N2KS1BD

Recent CVEs


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-17095

Title: Hyper-V Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-20016

Title: SQL Injection Vulnerability in SonicWall SSL VPN

Vendor: SonicWall

Description: A SQL injection vulnerability in the SonicWall SSL VPN SMA100 product allows a remote, unauthenticated attacker to perform a SQL query that accesses usernames, passwords and other session-related information. This vulnerability affects SMA100 build versions 10.x.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-23885

Title: Privilege Escalation Vulnerability in McAfee Web Gateway

Vendor: McAfee

Description: A privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the user interface and execute commands on the appliance via improper neutralization of user input in the troubleshooting page.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-13957

Title: Remote Code Execution Vulnerability in Apache Solr

Vendor: Apache

Description: Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-14882

Title: Unauthenticated RCE Vulnerability in Oracle WebLogic Server

Vendor: Oracle

Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-35128

Title: XSS Vulnerability in Mautic Interface

Vendor: Acquia

Description: Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.

CVSS v3.1 Base Score: 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

ID: CVE-2021-21463

Title: Improper Input Validation Vulnerability in SAP 3D VEV

Vendor: SAP

Description: SAP 3D Visual Enterprise Viewer, version 9, allows a user to open a manipulated PCX file received from untrusted sources, which crashes the application and makes it temporarily unavailable until the user restarts it. This is caused by improper input validation.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-9492

Title: Privilege Escalation in Apache Hadoop

Vendor: Apache

Description: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client can send its SPNEGO authorization header to a remote URL without proper verification.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


MOST PREVALENT MALWARE FILES February 18-25:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f

MD5: 88781be104a4dcb13846189a2b1ea055

VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details

Typical Filename: ActivityElement.dp

Claimed Product: N/A

Detection Name: Win.Trojan.Generic::sso.talos