Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Campaign involving SolarWinds could extend to other software

Description: U.S. officials say a suspected state-sponsored attack on U.S. government agencies and companies may have further-reaching consequences than just SolarWinds products. A new report states that the attackers linked to the SolarWinds breach may have exploited vulnerabilities other than those already disclosed in SolarWinds products to gain an initial foothold on victims' networks. The effects of this campaign are potentially staggering, and officials and security researchers are still unpacking the attack. Victims reportedly include government agencies and consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye. Several reports indicate that the U.S. Treasury and Commerce departments were also targeted in what is likely related to the same activity.

References: https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601 (paywall)

Snort SIDs: 56660-56668

AMP: Trojan.Sunburst.[A-Z], Trojan.Teardrop.[A-Z]

ClamAV: Win.Countermeasure.Sunburst-9816012-0, Win.Countermeasure.Sunburst-9809153-0, Win.Countermeasure.Sunburst-9816013-0, Win.Countermeasure.Sunburst-9809152-0, Win.Dropper.Teardrop-9808996-3, PUA.Tool.Countermeasure.DropperRaw64TEARDROP-9808998-0


Title: LockBit ransomware operator provides insight into targets, vulnerabilities exploited

Description: Cisco Talos recently spent several weeks speaking to an operator associated with the LockBit ransomware. The TTPs the actor disclosed are yet another reminder for all organizations to remain vigilant about these seemingly unsophisticated, common cybercriminals who, despite their straightforward approach to targeting and operations, continue to be highly successful in compromising companies and wreaking havoc on unsuspecting victims. Other findings include that many cybercriminals rely almost exclusively on common open-source tools that are readily available on the internet and easy to use, and that they rely solely on victims with unpatched environments.

Reference: https://blog.talosintelligence.com/2021/02/interview-with-lockbit-ransomware.html

Snort SIDs: 54910-54917


Internet Storm Center Entries


The U.S. government spent $2.2 million developing a cybersecurity tool years ago that, had it ever been implemented, might have blocked or significantly lessened the damage caused by the recent SolarWinds supply-chain attack.

https://www.propublica.org/article/solarwinds-cybersecurity-system


The FBI and other international law enforcement agencies jointly took down the Emotet botnet, disrupting infrastructure the operators used.

https://www.fbi.gov/news/stories/emotet-malware-disrupted-020121


In a separate campaign, international partners also took steps to shut down the NetWalker ransomware family, dismantling infrastructure, recovering ransom payments that victims paid, and charging one individual in connection with the operation.

https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware


Facebook has begun displaying a prompt on its mobile app for iPhone and iPad that aims to convince users that opting in to ad tracking will enhance their experience and help small businesses. Apple plans to introduce a privacy change that will require developers to obtain permission to track users across apps and websites.

https://www.theverge.com/2021/2/1/22260274/facebook-prompt-apple-ios-ad-tracking-opt-in-permission-privacy-update


Attackers are exploiting a critical zero-day vulnerability in network security company SonicWall's products.

https://arstechnica.com/information-technology/2021/02/hackers-are-exploiting-a-critical-zeroday-in-firewalls-from-sonicwall/


The average ransomware payment dropped in the last quarter of 2020.

Ransom payments requested by attackers are rising in value even as fewer victims opt to pay extortion demands after having their files locked and/or stolen.

https://www.zdnet.com/article/ransomware-payments-are-going-down-as-more-victims-decide-not-to-pay-up/


The WallStreetBets Reddit forum is being inundated with messages posted by bots.

https://www.cbsnews.com/news/wallstreetbets-reddit-bot-activity/


A publicly available website allows anyone to conduct a reverse facial image search.

https://www.vice.com/en/article/4ad5k3/how-normal-people-deployed-facial-recognition-on-capitol-hill-protesters


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-16875

Title: Microsoft Exchange Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user, aka 'Microsoft Exchange Server Remote Code Execution Vulnerability'. Recently, security researchers were able to demonstrate a bypass of the patch for this vulnerability. An updated patch is awaited from the vendor.

CVSS v3.1 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-1144

Title: Cisco Connected Mobile Experiences Privilege Escalation Vulnerability

Vendor: Cisco

Description: A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system. The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-25311

Title: HTCondor Directory Traversal Vulnerability

Vendor: HTCondor

Description: condor_credd in HTCondor before 8.9.11 allows Directory Traversal outside the SEC_CREDENTIAL_DIRECTORY_OAUTH directory, as demonstrated by creating a file under /etc that will later be executed by root.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-1647

Title: Microsoft Defender Remote Code Execution Vulnerability

Vendor: Microsoft

Description: This vulnerability exists in Microsoft's Defender antivirus software. Attackers can write specially crafted files that are executed as soon as Microsoft Defender initiates a scan of them.

Attackers can use this vulnerability not only to bypass Microsoft's anti-virus software but also to make that anti-virus software itself run malicious code to launch an attack. This means that an attacker can launch a non-interactive attack, for example by sending a specially crafted file as an email attachment, since the email client will trigger a scan after receiving it.

CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21113

Title: Heap Buffer Overflow Vulnerability in Skia

Vendor: Multiple Vendors

Description: Heap buffer overflow in Skia in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2021-1138, CVE-2021-1140, CVE-2021-1142

Title: Cisco Smart Software Manager Satellite Web UI Command Injection Vulnerabilities

Vendor: Cisco

Description: Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-4958

Title: IBM Security Identity Governance and Intelligence Missing Authentication

Vendor: IBM

Description: IBM Security Identity Governance and Intelligence 5.2.6 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-3190

Title: OS Command Injection Vulnerability in Async-Git

Vendor: Async-git_project

Description: The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-4888

Title: IBM QRadar SIEM Deserialization of Untrusted Data

Vendor: IBM

Description: IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4

MD5: 176e303bd1072273689db542a7379ea9

VirusTotal: https://www.virustotal.com/gui/file/8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.24cl.1201


SHA 256: b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6

MD5: 6a7401614945f66f1c64c6c845a60325

VirusTotal: https://www.virustotal.com/gui/file/b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6/details

Typical Filename: pmropn.exe

Claimed Product: PremierOpinion

Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd