Internet Storm Center Spotlight

ElectroRAT trojan makes full push to infect cryptocurrency users

A recently discovered trojan known as ElectroRAT is pulling out all the stops to try and infect cryptocurrency wallets. The actors behind this campaign have so far created three cryptocurrency-related apps that are disguised as legitimate. They've also invested in a full-fledged marketing campaign trying to encourage users to download the apps. If a victim downloads the trojanized apps, they are infected with the malware that then takes over their cryptocurrency wallet.


Snort SIDs: 56991 - 56993

Cisco SD-WAN vulnerabilities could allow for remote code execution

Cisco disclosed multiple vulnerabilities last week that could allow attackers to execute malicious code remotely on affected devices. Three of these vulnerabilities collectively have a severity score of 9.9 out of 10. An adversary could cause a variety of conditions on the affected products that could eventually lead to remote code execution. These issues affect several Cisco products, including SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.


Snort SIDs: 56942 - 56944, 56957 - 56963

Internet Storm Center Entries

Google disclosed a wide-ranging campaign by North Korean state-sponsored actors looking to compromise cybersecurity researchers and organizations.

President Joe Biden's administration is facing increasing pressure to disclose more information regarding the SolarWinds breach that's affected many private companies and government agencies.

During Biden's first full week in office, he's tapped many cybersecurity veterans to his cabinet and advisory teams and is still working to fill a cyber-focused office reporting to a new National Cyber Director.

A website uploaded screenshots from the now-shutdown Parler app to try and identify individuals who partook in riot on the U.S. Capitol earlier this month.

Vulnerabilities in Amazon's Kindle devices could have allowed adversaries to take over a device by tricking them into opening specially crafted eBooks.

As the COVID-19 vaccination effort ramps up across the globe, security experts are bracing for a new wave of attacks looking to cause economic or civil disruption.

The US Defense Intelligence Agency has circumvented warrant requirements for obtaining mobile phone location data by purchasing commercially available databases of information.

President Biden's Peloton exercise bike could be a security risk, highlighting the dangers of having any internet-of-things devices connected to sensitive networks.

Recent CVEs

D: CVE-2021-3129

Title: Laravel in debug mode susceptible to Remote code execution vulnerability

Vendor: Beyondco

Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents() methods. This is exploitable on sites using debug mode with Laravel before 8.4.2.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-3118

Title: ECSIMAGING PACS 6.21.5 - SQL injection Vulnerability

Vendor: Medicalexpo

Description: Unsupported versions of EVOLUCARE ECSIMAGING (aka ECS Imaging) products through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form. This allows an attacker to steal data in the database and obtain access to the application.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-11651

Title: Improper method call validation allows arbitrary code execution vulnerability

Vendor: Saltstack

Description: This vulnerability exists in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-6207

Title: Missing Authentication Check in SAP Solution Manager

Vendor: SAP

Description: SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-1337

Title: Windows Print Spooler Elevation of Privilege Vulnerability

Vendor: MicroSoft

Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-17136

Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Vendor: MicroSoft

Description: , Microsoft Windows could allow a local authenticated malicious user to gain elevated privileges on the system, caused by a flaw in the Cloud Files Mini Filter Driver. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code with higher privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-2109

Title: Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor: Oracle

Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). This vulnerability is easily exploitable and allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-1257

Title: Cisco DNA Center Cross-Site Request Forgery Vulnerability

Vendor: Cisco

Description: A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-1472

Title: Netlogon Elevation of Privilege Vulnerability

Vendor: Multi-Vendor

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

CVSS v3 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Prevalent Malware Files

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b


Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6

MD5: 6a7401614945f66f1c64c6c845a60325


Typical Filename: pmropn.exe

Claimed Product: PremierOpinion

Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3


Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name:

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8


Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201