Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Xanthe miner goes after Docker-based targets

Description: Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats. The infection starts with the downloader module, which downloads the main installer module, which is also tasked with spreading to other systems on the local and remote networks. The main module attempts to spread to other known hosts by stealing the client-side certificates and connecting to them without the requirement for a password. Two additional bash scripts terminate security services, removing competitor's botnets and ensuring persistence by creating scheduled cron jobs and modifying one of the system startup scripts. The main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.

References: https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html

OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/packs/linux_malware.conf

ClamAV: Unix.Coinminer.Xanthe-9791859-0, Unix.Coinminer.Xanthe-9791860-0, Unix.Coinminer.Xanthe-9791861-0


Title: WebKit fixes use-after-free, code execution vulnerabilities

Description: The WebKit browser engine contains multiple vulnerabilities in various functions of the software. A malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page on a browser utilizing WebKit. WebKit is utilized mainly in Apple's Safari web browser, but is also utilized by some PlayStation consoles and all iOS web browsers.

References: https://blog.talosintelligence.com/2020/11/vuln-spotlight-webkit-use-after-free-nov-2020.html

Snort SIDs: 55844, 55845, 56126, 56127, 56379 - 56382

Security News


At least three health care providers in America have been recently targeted by ransomware attacks.

https://www.infosecurity-magazine.com/news/cyberattacks-on-three-us/


A ransomware attack against systems at the University of Vermont Health Network has disrupted chemotherapy treatments and availability of critical records.

https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html


Microsoft patched a bug in Xbox video game consoles that could have allowed anyone to expose the email address associated with any user's gamertag on the Xbox Live gaming service.

https://www.vice.com/en/article/m7ag44/bug-allowed-hackers-to-get-anyones-email-address-on-xbox-live


Some Australian intelligence agencies mistakenly collected data from the country's "COVIDSafe" contact-tracing app, though none of that information has been decrypted, accessed or used.

https://www.itnews.com.au/news/covidsafe-data-incidentally-collected-by-intelligence-agencies-in-first-six-months-558129


One of the largest fertility clinic networks in the U.S. says attackers stole patient information in a recent ransomware attack after malware sat on their network for more than a month.

https://techcrunch.com/2020/11/26/us-fertility-ransomware-attack/


Home Depot reached a $17.5 million settlement with 46 U.S. states and Washington, D.C. over a 2014 data breach, and also agreed to implement new security measures going forward.

https://duo.com/decipher/home-depot-settles-with-states-over-2014-data-breach


Schools in Baltimore County, Maryland had to cancel classes for several days after a ransomware attack, though officials say the incident does not affect students' school-issued Chromebooks.

https://www.baltimoresun.com/education/bs-md-baltimore-county-schools-ransomware-20201130-20201130-7cymrekdpfhyjccotvyzrn6amq-story.html


The FBI released a warning that email attackers are exploiting email forwarding rules to hide themselves inside legitimate email threads, hoping to trick victims.

https://www.zdnet.com/article/fbi-warns-of-email-forwarding-rules-being-abused-in-recent-hacks/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID: CVE-2018-13379

Title: Fortinet FortiOS Directory Traversal Vulnerability

Vendor: Fortinet

Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-14882

Title: Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor: Oracle

Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-15505

Title: MobileIron Core and Connector Remote Code Execution Vulnerability

Vendor: MobileIron

Description: A remote code execution vulnerability exists in MobileIron Core and Connector, and Sentry, that allows remote attackers to execute arbitrary code via unspecified vectors. The manipulation with an unknown input leads to a privilege escalation vulnerability. The UK's National Cyber Security Centre alerts that APT nation-state groups and cybercriminals are exploiting MobileIron RCE vulnerability to compromise the networks.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-5902

Title: F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to remote code execution vulnerability. The vulnerability that has been actively exploited in the wild allows attackers to read files, execute code or take complete control over vulnerable systems having network access.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-9844

Title: MacOS Catalina Memory Corruption Vulnerability

Vendor: Apple

Description: A double free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


ID: CVE-2018-12809

Title: Adobe Experience Manager Server-Side Request Forgery Vulnerability

Vendor: Adobe

Description: Adobe Experience Manager is exposed to server-side request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID: CVE-2020-1472

Title: Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: vid001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: 586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360

MD5: 7e0bc1c01f44c7a663d82e4aff71ee6c

VirusTotal: https://www.virustotal.com/gui/file/586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360/details

Typical Filename: dfsvc.exe

Claimed Product: N/A

Detection Name: Auto.586D6B.232349.in02


SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584

MD5: 920823d1c5cb5ce57a7c69c42b60959c

VirusTotal: https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23mj.1201


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos