Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Long-running trojan now targeting Android devices

Description: The developers of LodaRAT have added Android as a targeted platform. A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities. This new malware follows the same principles of other Android-based RATs that we have seen on the threat landscape. Along with this new Android variant, an updated version of Loda for Windows has been identified in the same campaign. These new versions for Loda4Windows and Loda4Android show that the development effort is clearly carried out by the same group Cisco Talos calls "Kasablanca." The operators behind LodaRAT tied to a specific campaign targeting Bangladesh, although others have been seen.

References: https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html

Snort SID: 53031
ClamAV signatures: Win.Packed.LokiBot-6963314-0, Doc.Exploit.Cve_2017_11882-7570663-1, Doc.Downloader.Loda-7570590-0


Title: Accusoft ImageGear vulnerabilities could lead to code execution Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. These vulnerabilities are present in the Accusoft ImageGear library, which is a document-imaging developer toolkit. An adversary could exploit any of these vulnerabilities to cause various conditions, including an out-of-bounds write, to eventually execute code. A target needs to open a specially crafted file to trigger these vulnerabilities.

Reference: https://blog.talosintelligence.com/2021/02/vuln-spotlight-accusoft-image.html

Snort SIDs: 43608, 43609, 56158 - 56161, 56365, 56366, 56451, 56452

Internet Storm Center Entries


Hackers have been targeting monitoring software made by French IT company Centreon at least three years. in a cyber espionage campaign. France's cybersecurity watchdog, ANSSI, notes that the attacks have bear similarities to those conducted by the "Sandworm" APT. 

https://www.reuters.com/article/us-global-cyber-centreon/french-it-monitoring-companys-software-targeted-by-hackers-cyber-agency-idUSKBN2AF1RA

Several major cybersecurity organizations urged U.S. Congress to include more funding for security efforts in its developing COVID-19 relief package.

https://www.betteridentity.org/filings/2021/2/12/multiassociation-letter-for-inclusion-of-dedicated-cybersecurity-funding-in-any-covid-relief-funding-package

Microsoft warned Australian lawmakers that proposed critical infrastructure legislation could potentially weaken the country's cybersecurity posture.

https://www.zdnet.com/article/microsoft-asks-government-to-stay-out-of-its-cyber-attack-response-in-australia/

A cyber attack on a Florida town's water supply system highlights the growing trend of threat actors targeting SCADA systems that present various physical dangers.

https://intel471.com/blog/scada-oldsmar-florida-water-treatment-plant-hack/

Microsoft believes as many as 1,000 different developers touched the recent SolarWinds supply chain attack, adding that it was the largest cyber attack of all time.

https://www.theregister.com/2021/02/15/solarwinds_microsoft_fireeye_analysis/

Attackers who stole source code from video game developer CD Projekt Red say they've sold the compromised code in an online dark web auction for $7 million. 

https://www.ign.com/articles/stolen-cd-projekt-red-files-reportedly-sold-on-dark-web-auction

Virginia is soon to become the second U.S. state with a major online privacy law, following California's new rules that went into effect in 2018.

https://arstechnica.com/tech-policy/2021/02/virginia-is-about-to-get-a-major-california-style-data-privacy-law/

A new update to iOS redirects iPhones' "safe browsing" traffic through Apple servers rather than Google's, likely an attempt to limit how much data Google sees from its users.

https://www.macrumors.com/2021/02/11/ios-14-5-beta-safe-browsing-safari-apple-google/

International lawmakers, professors, fake Twitter accounts and legitimate-looking websites are all to blame for the constant flow of disinformation surrounding the COVID-19 pandemic and the related vaccine.

https://apnews.com/article/pandemics-beijing-only-on-ap-epidemics-media-122b73e134b780919cc1808f3f6f16e8

Recent CVEs


OMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.

ID: CVE-2021-21477

Title: Remote Code Execution Vulnerability in SAP Commerce Cloud

Vendor: SAP

Description: SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-3177

Title: Remote Code Execution Vulnerability in Python

Vendor: Python and Multiple Vendors

Description: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21472

Title: Unauthorized Access to SAP Provisioning Manager Software

Vendor: SAP

Description: SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-22658

Title: SQL Injection Vulnerability in Advantech iView

Vendor: Advantech

Description: Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to 'Administrator'.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-22502

Title: Remote Code Execution Vulnerability in Apache Operation Bridge

Vendor: Microfocus

Description: Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-3033

Title: Prisma Cloud Compute: SAML Authentication Bypass Vulnerability in Console

Vendor: Palo Alto Networks

Description: An improper verification of cryptographic signature vulnerability exists in the Palo Alto Networks Prisma Cloud Compute console. This vulnerability enables an attacker to bypass signature validation during SAML authentication by logging in to the Prisma Cloud Compute console as any authorized user. This issue impacts: All versions of Prisma Cloud Compute 19.11, Prisma Cloud Compute 20.04, and Prisma Cloud Compute 20.09; Prisma Cloud Compute 20.12 before update 1. Prisma Cloud Compute SaaS version is not impacted by this vulnerability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21472

Title: Weak password requirements in SAP Software Provisioning Manager

Vendor: SAP

Description: SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)


ID: CVE-2021-25139

Title: HPE Moonshot Provisioning Manager Stack-based Overflow Vulnerability

Vendor: HP

Description: A potential security vulnerability has been identified in the HPE Moonshot Provisioning Manager v1.20. The HPE Moonshot Provisioning Manager is an application that is installed in a VMWare or Microsoft Hyper-V environment that is used to setup and configure an HPE Moonshot 1500 chassis. This vulnerability could be remotely exploited by an unauthenticated user to cause a stack based buffer overflow using user supplied input to the `khuploadfile.cgi` CGI ELF. The stack-based buffer overflow could lead to Remote Code Execution, Denial of Service, and/or compromise system integrity. HPE recommends that customers discontinue the use of the HPE Moonshot Provisioning Manager. The HPE Moonshot Provisioning Manager application is discontinued, no longer supported, is not available to download from the HPE Support Center, and no patch is available.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos


SHA 256: 23a80df363e2f5ec6594bf952db3569e7ca59d4163283f808753775c215dd652

MD5: 259f42bd7d2f513c5c579d6554d9db66

VirusTotal: https://www.virustotal.com/gui/file/23a80df363e2f5ec6594bf952db3569e7ca59d4163283f808753775c215dd652/details

Typical Filename: ethm2.exe

Claimed Product: N/A

Detection Name: WinGoRanumBot::mURLin::W32.Auto:23a80df363.in03.Talos


SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f

MD5: 88781be104a4dcb13846189a2b1ea055

VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details

Typical Filename: ActivityElement.dp

Claimed Product: N/A

Detection Name: Win.Trojan.Generic::sso.talos