The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: State-sponsored actors behind massive SolarWinds attacks, full breadth yet to be discovered

Description: In a sophisticated supply-chain attack, adversaries compromised updates to the widely used SolarWinds Orion IT monitoring and management software. The digitally signed updates were posted on the SolarWinds website from March to May 2020. This backdoor is loaded by the actual SolarWinds executable before the legitimate code, as not to alert the victim that anything is amiss. Reports indicate that some of the largest companies in the world use this software, so it is still unclear if the backdoor has led to any major cyber attacks or data breaches. At least two American government agencies are also affected: the Treasury and Commerce departments. The U.S. Department of Homeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to review their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion products immediately.

References: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html

https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

Snort SIDs: 56660 - 56668

Title: Red-teaming security tools stolen as part of broad attack

Description: In an attack related to the vulnerabilities in SolarWindws products, security vendor FireEye had some red-teaming tools stolen by a state-sponsored actor. Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. It has been reported that none of the tools target zero-day vulnerabilities. It's currently unknown why a state-sponsored actor would want to target these tools. Typically, these types of actors target high-value data possessed by victims. As part of this disclosure, FireEye also released a repository of signatures/rules designed to detect the use of these tools across a variety of detection technologies.

Reference: https://github.com/fireeye/red_team_tool_countermeasures

https://blog.talosintelligence.com/2020/12/fireeye-breach-guidance.html

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Snort SIDs: 8068, 8422, 38491, 38492, 48359, 49100, 49171, 49861, 50137, 50168 - 50170, 50275 - 50278, 51288 - 51289, 51368, 51370 - 51372, 51390, 51966, 52512, 52513, 52603, 52620, 53433, 53435, 53346 - 53351, 53380 - 53383, 55703, 55704, 55802, 55862, 56290, 56436, 56586

ClamAV signature: W32.FindstrSearchForKeyWords

The adversaries behind the SolarWinds attack have a history of using unique techniques to bypass multi-factor authentication based on multiple previous intrusions on a think tank's network.

https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/

SolarWinds is known for working with many high-profile companies, though its hidden this marketing list on its website after news of the hack broke.

https://www.theverge.com/2020/12/15/22176053/solarwinds-hack-client-list-russia-orion-it-compromised

The SolarWinds incident put a spotlight on supply chain attacks, a lesser-known technique adversaries used that can be far more quiet than users and victims realize.

https://www.cyberscoop.com/solarwinds-supply-chain-treasury-commerce-espionage/

Attackers reportedly accessed documents related to Moderna's COVID-19 vaccine in the European Union after a data breach at the European Medicines Agency.

https://thehill.com/policy/cybersecurity/530225-moderna-vaccine-data-accessed-in-cyberattack-on-eu-regulator

As COVID vaccines start to be distributed around the world, attackers could start using the vaccines' reliance on cold storage to carry out new types of attacks that seek to disrupt the release process.

https://www.cisa.gov/sites/default/files/publications/Insights_Cold_Storage_Cyber_Custodial%20Care_final_508.pdf

While U.S. President Donald Trump continues to try to discredit election results in states like Georgia and Michigan, there actually is a point to be made about antiquated voting technology used in many states that leaned toward Trump in the November election.

https://www.theatlantic.com/ideas/archive/2020/12/trump-looking-fraud-all-wrong-places/617366/

Ransomware known as "MountLocker" can steal users' sensitive information and share it with the malware's creators; it has added on new anti-detection functionality as of November.

https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates

Apps on the Mac and iOS stores must now carry unique labels showing what data and information the apps collect.

https://www.wired.com/story/apple-app-privacy-labels/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.

ID: CVE-2020-17049

Title: Microsoft Kerberos Security Feature Bypass Vulnerability

Vendor: Microsoft

Description: A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-17530

Title: Apache Struts OGNL Remote Code Execution Vulnerability

Vendor: Apache

Description: A vulnerability exists in the "forced OGNL evaluation on raw user input in tag attributes" of Apache Struts. Due to insufficient validation of user input in OGNL evaluation functionality, an unauthenticated user can exploit this flaw leading it to remote code execution vulnerability.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-17140

Title: Microsoft Windows SMB Information Disclosure Vulnerability

Vendor: Microsoft

Description: Microsoft Windows is exposed to SMB information disclosure vulnerability where an attacker can successfully exploit this vulnerability to access contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. In a network-based attack, an authenticated attacker would need to open a specific file with captured oplock lease, then perform repeated specific modifications to that file.

CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

ID: CVE-2020-17143

Title: Microsoft Exchange Information Disclosure Vulnerability

Vendor: Microsoft

Description: Microsoft Exchange Server is exposed to information disclosure vulnerability that could be disclosed if an attacker successfully exploited this vulnerability for sensitive information.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-4006

Title: VMware Workspace One Access Command Injection Vulnerability

Vendor: VMware

Description: VMware Workspace One Access is exposed to a command injection vulnerability in the administrative configurator that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.

CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-8554

Title: Kubernetes Man In The Middle Vulnerability

Vendor: Multi-Vendor

Description: A man in the middle vulnerability exists in Kubernetes. The vulnerability could be exploited by users with very less privileges like creating services or editing services and pods in a Kubernetes cluster.

CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

ID: CVE-2020-15257

Title: containerd Privilege Escalation Vulnerability

Vendor: Multi-Vendor

Description: The containerd-shim API is improperly exposed to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

CVSS v3 Base Score: 5.2 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

ID: CVE-2020-26258

Title: XStream Server-Side Forgery Request Vulnerability

Vendor: Multi-Vendor

Description: A Server-Side Forgery Request vulnerability exists in XStream that can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.

CVSS v3 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5

MD5: eb20ca63dc3badc1a48072d33bd6428b

VirusTotal: https://www.virustotal.com/gui/file/2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5/details

Typical Filename: 1 Total New Invoices-Monday December 14 2020.xlsm

Claimed Product: N/A

Detection Name: W32.2C36CB4E17-90.SBX.TG

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01

MD5: 7e36752d274e61b9f2b0ee43200fe36d

VirusTotal: https://www.virustotal.com/gui/file/4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01/details

Typical Filename: Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe

Claimed Product: WebNavigator Browser

Detection Name: W32.48C6324412-95.SBX.TG

SHA 256: 763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a

MD5: 552299482ffa389321df9b05740c1b92

VirusTotal: https://www.virustotal.com/gui/file/763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a/details

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigator Browser

Detection Name: W32.763D0F405C-100.SBX.VIOC