Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Adversaries use BumbleBee tool to target organizations in Kuwait

Description: Researchers recently discovered a webshell called "BumbleBee" being used in an espionage campaign against Microsoft Exchange servers. The affected organizations thus far are located in Kuwait. BumbleBee was observed being used to upload and download files on a targeted Exchange server back in September. The operators behind this campaign, which researchers indicate is the xHunt group, used BumbleBee to execute commands and upload and download files. This is the latest tool xHunt's added to its arsenal. The group dates back to at least 2018 and has targeted Kuwaiti organizations and government agencies in the past, specifically going after the shipping and trading sectors.

References: https://threatpost.com/bumblebee-exchange-servers-xhunt-spy/162973/

Snort SIDs: 56887 - 56890


Title: Cisco urges users to update to new routers after vulnerabilities disclosed

Description: Cisco disclosed 74 vulnerabilities in some of its RV series of wireless routers last week, urging users to purchase new hardware rather than patching them. The vulnerabilities all exist in products that have already reached their end-of-life. The affected devices include the Cisco Small Business RV110W, RV130, RV130W and RV215W systems, which could all be use as firewalls, VPNs or standard routers. All of the vulnerabilities require that an attacker has login credentials for the targeted device, and therefore are not easily exploitable. This should give users a small runway to upgrade to new gear.

Reference: https://www.zdnet.com/article/cisco-says-it-wont-patch-74-security-bugs-in-older-rv-routers-that-reached-eol/

Snort SIDs: 56839 - 56845, 56866 - 56876, 56893, 56894

Security News


Security researchers found a fourth malware strain used in the broad SolarWinds breach, though it was only deployed on a few targets' networks.

https://www.zdnet.com/article/fourth-malware-strain-discovered-in-solarwinds-incident/


Other threat actors are sure to copy many of the same tactics used in the SolarWinds incident and look to carry out supply chain attacks.

https://www.wired.com/story/solarwinds-hacker-methods-copycats/


The SolarWinds supply chain attack will likely influence cybersecurity legislation that U.S. President Joe Biden will look to pass in his first 100 days in office.

https://www.csoonline.com/article/3603519/solarwinds-hack-is-quickly-reshaping-congress-s-cybersecurity-agenda.html


The FBI released a warning that Iranian cyber threat actors are threatening US election officials and trying to spread fear and disinformation online.

https://www.ic3.gov/Media/Y2021/PSA210115


A woman accused of stealing U.S. House Speaker Nancy Pelosi's laptop was arrested. The woman allegedly wanted to send the laptop to Russia's foreign intelligence service.

https://www.washingtonpost.com/2021/01/18/pelosi-laptop-riley-june-williams/


WhatsApp is delaying enforcement of its new privacy policies after users pushed back against a new rule that would have allowed WhatsApp to share its data directly with Facebook.

https://www.welivesecurity.com/2021/01/18/whatsapp-delays-privacy-policy-update/


A security flaw in Amazon's Ring home security service's Neighbors website exposed users' precise locations and home addresses.

https://techcrunch.com/2021/01/14/ring-neighbors-exposed-locations-addresses/


Supporters of a data breach notification bill in Congress hope the SolarWinds hack will push their colleagues to take up debate on the topic, though similar efforts stalled after the 2017 Equifax breach.

https://www.washingtonpost.com/politics/2021/01/15/cybersecurity-202-sen-mark-warner-plans-breach-notification-debate-wake-solarwinds-hack/


Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID: CVE-2020-29583

Title: Zyxel Firewalls And AP Controller Hardcoded Credential Vulnerability

Vendor: Zyxel

Description: Firmware version Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-3007

Title: Zend Framework Remote Code Execution Vulnerability

Vendor: Zend

Description: Zend Framework has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the ZendHttpResponseStream class in Stream.php.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-25681

Title: DNS Forwarder dnsmasq multiple Vulnerabilities

Vendor: Multi-Vendor

Description: A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-29015

Title: FortiWeb Blind SQL Injection Vulnerability

Vendor: Fortinet

Description: A blind SQL injection in the user interface of FortiWeb that may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-10148

Title: SolarWinds Orion API Authentication Bypass Vulnerability

Vendor: SolarWinds

Description: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-3452

Title: Cisco ASA Remote File Disclosure Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID: CVE-2020-17096

Title: Microsoft Windows NTFS Remote Code Execution Vulnerability

Vendor: Microsoft

Description: Microsoft Windows is exposed to NTFS remote code execution vulnerability. A local attacker could run a specially crafted application that would elevate the attacker's privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-2109

Title: Oracle WebLogic Server Vulnerability

Vendor: Oracle

Description: A vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4

MD5: 176e303bd1072273689db542a7379ea9

VirusTotal: https://www.virustotal.com/gui/file/8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.24cl.1201


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30

MD5: 0083bc511149ebc16109025b8b3714d7

VirusTotal: https://www.virustotal.com/gui/file/6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30/details

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: P W32.6FDFCD0510-100.SBX.VIOC