Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft disclosed 83 vulnerabilities, 10 critical, in monthly security update

Description: Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across its suite of products to kick off 2021. Ten of these are rated critical, two are moderate severity, and the remainder are considered "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The updates cover several products and services, including the Microsoft Defender antivirus software, the Microsoft Remote Procedure Call tools and Bluetooth communication with Windows devices. One of the most serious vulnerabilities exists in Microsoft Defender: CVE-2021-1647 affects some versions of Windows dating back to Windows Server 2008, and an attacker could exploit it to execute arbitrary code on the victim machine. No user action is required to install the fix, according to Microsoft, because it ships through the regular automatic updates to its anti-malware engine.

References: https://blog.talosintelligence.com/2021/01/microsoft-patch-tuesday-for-jan-2021.html

Snort SIDs: 56849 - 56860, 56865


Title: Lokibot adds new dropper to its arsenal

Description: Lokibot is one of the best-known information stealers on the malware landscape; it can steal multiple types of credentials and other sensitive information. This new campaign uses a complex, multi-stage, multi-layered dropper to execute Lokibot on the victim machine. The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third stage, which carries the Lokibot payload under three layers of encryption. After a privilege escalation, the third stage deploys Lokibot. The image below shows the infection chain.

Reference: https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html

Snort SIDs: 56577, 56578
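Both Talos entries above end with a list of Snort SIDs. The script below is an added example (not Talos or Snort code) of the check a sensor owner wants before trusting that coverage: expand the SID ranges exactly as the newsletter prints them, then compare them with the SIDs actually loaded in a rules file, separating enabled, disabled (commented-out) and missing rules. The rules excerpt is constructed for illustration; its bodies are not the real Talos rules.

```python
import re

# SID lines exactly as they appear in this issue's Talos entries
NEWSLETTER_SIDS = [
    "Snort SIDs: 56849 - 56860, 56865",
    "Snort SIDs: 56577, 56578",
]

# Constructed excerpt of a snort.rules file; rule bodies are placeholders,
# not the published Talos rules for these SIDs.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed rule A"; sid:56849; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed rule B"; sid:56850; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed rule C"; sid:56577; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed rule D"; sid:56578; rev:1;)
"""

RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def expand_sids(line: str) -> set:
    """Turn 'Snort SIDs: 56849 - 56860, 56865' into the full set of integer SIDs."""
    _, _, body = line.partition(":")
    sids = set()
    for part in body.split(","):
        part = part.strip()
        if not part:
            continue
        m = RANGE_RE.fullmatch(part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"inverted SID range: {part}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


def rule_state(rules_text: str) -> dict:
    """Map each SID in a rules file to 'enabled' or 'disabled' (line commented out)."""
    state = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if not line or not m:
            continue
        state[int(m.group(1))] = "disabled" if line.startswith("#") else "enabled"
    return state


def coverage_report(newsletter_lines, rules_text: str) -> dict:
    """Compare the SIDs a newsletter issue names against what the rules file loads."""
    wanted = set().union(*(expand_sids(line) for line in newsletter_lines))
    state = rule_state(rules_text)
    return {
        "enabled": sorted(s for s in wanted if state.get(s) == "enabled"),
        "disabled": sorted(s for s in wanted if state.get(s) == "disabled"),
        "missing": sorted(s for s in wanted if s not in state),
    }


if __name__ == "__main__":
    for key, sids in coverage_report(NEWSLETTER_SIDS, SAMPLE_RULES).items():
        print(f"{key:9s} {sids}")
```

Point the second argument at your deployed rules file (for example the contents of snort.rules after pulledpork or a Talos rule update) to see which of the newsletter's SIDs are actually active; a SID that is present but disabled is the case most often missed.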


Internet Storm Center Entries


Several American intelligence agencies released a joint statement saying they believe the recent exploitation of SolarWinds products can be linked to Russia.

https://apnews.com/article/us-blames-russia-federal-hacking-3921096dfd9693a020420acc787132bd


Security researchers discovered a third, new malware strain used by the actors behind the SUNBURST campaign, with activity dating back as far as September 2019.

https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/


SolarWinds, whose products were affected by the campaign, has hired former U.S. cybersecurity chief Chris Krebs as a consultant to investigate how attackers exploited its systems.

https://www.cnet.com/news/solarwinds-hires-former-cisa-director-chris-krebs-to-consult-on-hack-aftermath/


Social media platform Parler shut down this week after Amazon Web Services and other third parties dropped the app, and a massive leak of users' information, including pictures of ID cards, followed.

https://www.inputmag.com/culture/parlers-user-data-is-leaking-but-no-ones-really-sure-how


DDoSecrets, considered by some to be a successor to WikiLeaks, is sharing corporate data that attackers stole in past ransomware attacks.

https://www.wired.com/story/ddosecrets-ransomware-leaks/


Attackers are shifting more of their phishing to SMS messages as local and national governments use text messages to provide COVID-19 information to citizens.

https://www.vice.com/en/article/m7appv/sms-phishing-is-getting-out-of-control


A new trojan known as "ElectroRAT" is infecting users' cryptocurrency wallets and stealing their contents.

https://www.infosecurity-magazine.com/news/electrorat-drains-crypto-wallets/


Officials in Hong Kong are using a new security law passed last year to ban certain sites inside the territory and track activists.

https://www.washingtonpost.com/world/asia_pacific/hong-kong-national-security-law-internet/2021/01/12/01738064-53b6-11eb-acc5-92d2819a1ccb_story.html


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-17519

Title: Apache Flink Directory Traversal Vulnerability

Vendor: Apache

Description: Apache Flink allows attackers to read any file on the local filesystem of the JobManager that the JobManager process itself can access, through the REST interface of the JobManager process.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID: CVE-2020-3452

Title: Cisco ASA Remote File Disclosure Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
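Both CVE-2020-17519 and CVE-2020-3452 are directory traversal bugs reachable over HTTP. The following Python is an added example (not code from Apache, Cisco or Qualys) showing the two checks a practitioner wants: a server-side path resolver that refuses requests escaping its base directory even when the traversal sequence is double URL-encoded or uses backslashes, and a scanner that flags such requests in web access logs. The log lines, paths and base directory are constructed for illustration and are not the published exploit requests for either CVE.

```python
import posixpath
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # strips double/triple encoding; bounded so it always terminates


def decode_path(raw: str) -> str:
    """Percent-decode repeatedly until the string stops changing (or the round
    limit is hit) and fold backslashes to slashes, so '..%252f' and '..\\'
    both end up as the literal '../' that a traversal check can see."""
    decoded = raw
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def safe_resolve(base_dir: str, user_path: str):
    """Server-side guard: map a user-supplied path onto base_dir and refuse
    anything whose normalized form lies outside it. Returns the resolved
    path, or None when the request must be rejected."""
    base = posixpath.normpath(base_dir)
    rel = decode_path(user_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(base, rel))
    if target == base or target.startswith(base + "/"):
        return target
    return None


# Constructed access-log lines (common log format); the requests are
# illustrative and are not the proof-of-concept for either CVE.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:01:02 +0000] "GET /logs/jobmanager.log HTTP/1.1" 200 5120
10.0.0.7 - - [12/Jan/2021:10:01:09 +0000] "GET /logs/..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1810
10.0.0.9 - - [12/Jan/2021:10:02:15 +0000] "GET /portal/view?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.11 - - [12/Jan/2021:10:03:40 +0000] "GET /static/app.js HTTP/1.1" 200 77012
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"\.\./")


def find_traversal_requests(log_text: str):
    """Return the raw request targets whose fully decoded form contains '../'.
    The query string is kept because traversal often rides in a parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if TRAVERSAL_RE.search(decode_path(m.group("target"))):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    print("resolved:", safe_resolve("/var/log/flink", "jobmanager.log"))
    print("rejected:", safe_resolve("/var/log/flink", "..%252f..%252f..%252fetc/passwd"))
    for target in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", target)
```

Two caveats: posixpath.normpath works on strings only and does not follow symlinks, so production code should compare os.path.realpath of both base and target; and when triaging hits, a traversal request that returned 200 with a non-trivial byte count (the second sample line) deserves attention before one that was refused.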


ID: CVE-2020-17096

Title: Microsoft Windows NTFS Remote Code Execution Vulnerability

Vendor: Microsoft

Description: Microsoft Windows is exposed to an NTFS remote code execution vulnerability. A local attacker could run a specially crafted application that would elevate the attacker's privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-29583

Title: Zyxel Hardcoded Credential Vulnerability

Vendor: Zyxel

Description: Zyxel USG devices contain an undocumented account (zyfwp) with an unchangeable password, which is stored in cleartext in the firmware. The account can be used to log in to the SSH server or web interface with admin privileges. Note that the vector below scores this as local access (AV:L) with low privileges required, while the description gives SSH and web access; if either management interface is reachable from an untrusted network, treat the device as remotely exploitable.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-16040

Title: Google Chrome Heap Corruption Vulnerability

Vendor: Google

Description: Insufficient data validation in V8 in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Exploitation does not require authentication, but it does require the victim to open the crafted page.

CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


ID: CVE-2020-0646

Title: Microsoft .NET Framework Remote Code Execution Injection Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. To exploit it, an attacker would need to pass specific input to an application that uses the susceptible .NET methods.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-11851

Title: Micro Focus ArcSight Logger Code Injection Vulnerability

Vendor: Micro Focus

Description: An arbitrary code execution vulnerability exists in the Micro Focus ArcSight Logger product and could be exploited remotely to execute arbitrary code.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-10148

Title: SolarWinds Orion API Authentication Bypass Vulnerability

Vendor: SolarWinds

Description: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands without authenticating, which may result in a compromise of the SolarWinds instance.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6

MD5: 6902aa6dd0fbd0d1b647e8d529c7ad3f

VirusTotal: https://www.virustotal.com/gui/file/20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23nh.1201


SHA 256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0

MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835

VirusTotal: https://www.virustotal.com/gui/file/a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0/details

Typical Filename: INV1458863388-20210111852384.xlsm

Claimed Product: N/A

Detection Name: W32.A463F9A884-90.SBX.TG


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30

MD5: 0083bc511149ebc16109025b8b3714d7

VirusTotal: https://www.virustotal.com/gui/file/6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30/details

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: P W32.6FDFCD0510-100.SBX.VIOC
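The hashes in this section are only useful if they get checked against something. The following Python is an added example (not Talos code) that parses the SHA 256 and MD5 lines exactly as this newsletter prints them, normalizes case (one SHA 256 above is upper-case), and walks a directory hashing every regular file against that list. The scan_demo function builds a throwaway directory with one constructed benign file so the scanner can be exercised offline; no malware sample is included.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# IOC block copied from the "Prevalent Malware Files" section of this issue
IOC_TEXT = """
SHA 256: 20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6
MD5: 6902aa6dd0fbd0d1b647e8d529c7ad3f
SHA 256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0
MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30
MD5: 0083bc511149ebc16109025b8b3714d7
"""

HASH_LINE = re.compile(r"^(SHA 256|MD5):\s*([0-9A-Fa-f]+)\s*$", re.M)


def load_iocs(text: str) -> dict:
    """Parse 'SHA 256:' and 'MD5:' lines into lower-cased hash sets."""
    iocs = {"sha256": set(), "md5": set()}
    for kind, value in HASH_LINE.findall(text):
        key = "sha256" if kind == "SHA 256" else "md5"
        iocs[key].add(value.lower())   # the page mixes upper and lower case
    return iocs


def hash_file(path: str, chunk: int = 1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def classify(md5: str, sha256: str, iocs: dict):
    """Prefer the SHA 256 match; fall back to MD5 (weaker, but the page lists both)."""
    if sha256.lower() in iocs["sha256"]:
        return "sha256"
    if md5.lower() in iocs["md5"]:
        return "md5"
    return None


def scan(root: str, iocs: dict):
    """Walk root and return [(path, hash_kind, digest)] for every IOC match."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                md5, sha = hash_file(path)
            except OSError:           # unreadable or vanished file: skip, do not abort the scan
                continue
            kind = classify(md5, sha, iocs)
            if kind:
                hits.append((path, kind, sha if kind == "sha256" else md5))
    return hits


def scan_demo():
    """Scan a temporary directory holding one constructed benign file; returns [] (no hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "benign.txt").write_text("constructed benign sample\n")
        return scan(tmp, load_iocs(IOC_TEXT))


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, kind, digest in scan(root, load_iocs(IOC_TEXT)):
        print(f"MATCH {kind} {digest} {path}")
```

Run it as `python ioc_scan.py /path/to/downloads` (the file name is an assumption). Hash matching only catches byte-identical samples; a repacked build of the same dropper will not match, so treat a hit as confirmation and a miss as no information, and prefer the SHA 256 over the MD5 when both are available.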