Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft discloses 89 vulnerabilities, 14 critical, as part of monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 89 vulnerabilities across its suite of products, the most in any month so far this year. Fourteen of the vulnerabilities are rated critical and one is rated "low"; the remainder are all "important." Three of the critical vulnerabilities are the Exchange Server flaws Microsoft disclosed last week, which the company said state-sponsored actors exploited in the wild to steal email. Microsoft also announced Monday that it was releasing patches for older versions of Exchange Server. Organizations running the affected software should block external access to port 443 on their Exchange servers, or place that access behind a VPN, so that only authenticated and authorized users can reach the service. This mitigation only blocks the initial, unauthenticated step of the attack chain and does nothing for a server that has already been compromised; administrators should still apply the published patches to vulnerable Exchange servers immediately and check the servers for signs of prior exploitation. Outside of Exchange Server, this month's update also patches several other products, including Azure Sphere, SharePoint and the HEVC video extensions.
Reference: https://blog.talosintelligence.com/2021/03/microsoft-patch-tuesday-for-march-2021.html
Snort SIDs: 54518, 57233, 57234, 57241 - 57246, 57252, 57253, 57259 - 57268, 57269 and 57274 - 57276

Title: Microsoft Exchange Server vulnerabilities highlight HAFNIUM threat actor
Description: Microsoft disclosed several critical vulnerabilities in Exchange Server last week, stating that a state-sponsored actor it calls "HAFNIUM" was behind the attacks. The threat actor chained four vulnerabilities to steal email, the most severe of which is a zero-day server-side request forgery (SSRF) vulnerability that lets an unauthenticated attacker authenticate to the server. HAFNIUM is a newly identified threat actor. According to Microsoft, the group usually targets industries such as military contractors, infectious disease research, legal, education and think tanks. Microsoft stated that the group is likely based out of China, but relies on leased virtual private servers in the U.S. While HAFNIUM was first known for exploiting these Exchange Server vulnerabilities, it is likely to switch tactics now that the vulnerabilities are public and other actors are also expected to exploit them.
Reference: https://duo.com/decipher/hafnium-attack-group-exploiting-four-exchange-zero-days
Snort SIDs: 57235 - 57240

Security News


More than 30,000 US organizations have been affected by the Microsoft Exchange zero-day vulnerabilities disclosed last week.
https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

The Biden administration has created a multi-agency taskforce focused specifically on addressing the Microsoft Exchange Server attacks.
https://www.theguardian.com/us-news/2021/mar/08/microsoft-cyber-attack-biden-emergency-task-force

The White House is preparing to take a “mix of actions” against Russia for its alleged involvement in the massive SolarWinds breach that affected many American companies and government agencies.
https://www.cnbc.com/2021/03/08/us-prepares-to-take-action-against-russia-after-major-cyber-attack.html

Social media platform Gab was breached twice in two weeks as a result of site administrators not revoking OAuth2 bearer tokens.
https://arstechnica.com/information-technology/2021/03/gab-a-haven-for-pro-trump-conspiracy-theories-has-been-hacked-again/

Organizations affected by the Accellion File Transfer Appliance (FTA) breaches include New Zealand's central bank and Harvard Business School.
https://apnews.com/article/donald-trump-politics-europe-eastern-europe-new-zealand-f318ba1ffc971eb17371456b015206a5

Google announced it will stop selling targeted web ads based on users' individual browsing histories and will not build replacement identifiers once its Chrome browser phases out support for third-party tracking cookies.
https://www.vox.com/recode/2021/3/3/22311460/google-cookie-ban-search-ads-tracking

Students who are learning remotely have found ways to cheat on exams administered through proctoring software.
https://www.vice.com/en/article/3an98j/students-are-easily-cheating-state-of-the-art-test-proctoring-tech

A unit of the National Guard that carries out some military drone strikes reportedly purchased location data from a third-party company that tracks mobile devices.
https://www.vice.com/en/article/y3g97x/location-data-apps-drone-strikes-iowa-national-guard

Hospital chain Universal Health Services reported a $67 million loss from a ransomware attack last year.
https://www.cyberscoop.com/universal-health-services-ransomware-cost-ryuk/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-26855
Title: Microsoft Exchange Server Remote Code Execution Vulnerability (Proxylogon)
Vendor: Microsoft
Description: This is a Server-Side Request Forgery (SSRF) vulnerability that allows an unauthenticated attacker to send arbitrary HTTP requests through the Exchange front end and authenticate to the back end of an on-premises Exchange server. On its own it yields authenticated access; chained with a post-authentication arbitrary file write such as CVE-2021-26858 below, it allows the attacker to drop a web shell and execute arbitrary commands on the server.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
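The practical check for this SSRF is the one Microsoft published for hunting CVE-2021-26855: look in the Exchange HttpProxy logs for requests that have no authenticated user but carry an AnchorMailbox of the form "ServerInfo~<host>/<path>", which is what the forged request uses to steer the front end at a backend resource. The script below is an added example (not Microsoft's Test-ProxyLogon tooling and not from the original page) that implements that query in Python over a constructed log sample; the column subset in the sample is an assumption, real HttpProxy logs carry more fields, but the parser reads the column names from the "#Fields:" directive so it works on either.

```python
import csv
import io
from collections import Counter
from typing import Iterator

# Constructed sample of an Exchange HttpProxy log (assumed column subset).
# Rows 1b and 1d are the pattern the hunting query flags: IsAuthenticated is
# false and AuthenticatedUser is empty, yet AnchorMailbox points at a backend
# resource via "ServerInfo~". Row 1c is a normal authenticated OWA request.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox
2021-03-02T10:15:01.001Z,1a,203.0.113.5,mail.example.com,/owa/auth/logon.aspx,,false,,
2021-03-02T10:15:07.512Z,1b,198.51.100.20,mail.example.com,/ecp/default.flt,,false,,ServerInfo~mail.example.com/autodiscover/autodiscover.xml?#
2021-03-02T10:16:44.120Z,1c,192.0.2.33,mail.example.com,/owa/,Basic,true,CONTOSO\\alice,Smtp~alice@example.com
2021-03-02T10:17:02.900Z,1d,198.51.100.20,mail.example.com,/ecp/y.js,,false,,ServerInfo~mail.example.com/ecp/DDI/DDIService.svc/SetObject?#
"""


def parse_httpproxy_log(text: str) -> Iterator[dict]:
    """Yield one dict per data row; the header comes from the '#Fields:' directive."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue  # other '#' directives are metadata
        if fields is None:
            raise ValueError("data row encountered before a #Fields header")
        values = next(csv.reader([line]))
        yield dict(zip(fields, values))


def find_proxylogon_ssrf(text: str) -> list[dict]:
    """Return rows matching Microsoft's CVE-2021-26855 indicator:
    empty AuthenticatedUser and AnchorMailbox like 'ServerInfo~*/*'."""
    hits = []
    for rec in parse_httpproxy_log(text):
        anchor = rec.get("AnchorMailbox", "")
        unauthenticated = rec.get("AuthenticatedUser", "") == ""
        if unauthenticated and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(rec)
    return hits


def suspicious_clients(text: str) -> dict[str, int]:
    """Count flagged requests per source IP, a quick pivot for the IR timeline."""
    return dict(Counter(h["ClientIpAddress"] for h in find_proxylogon_ssrf(text)))


if __name__ == "__main__":
    for hit in find_proxylogon_ssrf(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print(suspicious_clients(SAMPLE_HTTPPROXY_LOG))
```

On a real server, read every *.log under the Exchange install's Logging\HttpProxy directory and feed each file to find_proxylogon_ssrf; a hit means the SSRF was at least attempted, and the source IP and UrlStem of the hit are the starting point for looking for a dropped web shell under the OWA and ECP virtual directories.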

ID: CVE-2021-26857
Title: Microsoft Exchange Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: This is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2021-26858
Title: Microsoft Exchange Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: This is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who has already authenticated (for example, through the SSRF in CVE-2021-26855) can write a file to any path on the target Exchange server, which in practice is used to plant a web shell in a web-accessible directory.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2021-27101
Title: SQL Injection Vulnerability in Accellion FTA
Vendor: Accellion
Description: Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
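The detail worth taking from this entry is the injection source: the Host header. It is attacker-controlled like any other request header, but code that uses it to select a virtual host or document root often treats it as trusted. The snippet below is an added, generic illustration of that bug class beside its fix; it is not Accellion's code and the table and column names are assumptions. The vulnerable lookup splices the header into SQL text, so a crafted value returns every row (including another tenant's secret); the hardened version binds the header as a parameter and additionally rejects anything that is not syntactically a host name.

```python
import re
import sqlite3

# Constructed sample data: a table mapping virtual-host names to document roots
# plus a per-host secret, the kind of row a front end might look up per request.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vhost (hostname TEXT PRIMARY KEY, docroot TEXT, admin_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO vhost VALUES (?, ?, ?)",
        [
            ("files.example.com", "/var/www/files", "tok-files-9f1"),
            ("admin.example.com", "/var/www/admin", "tok-admin-3c7"),
        ],
    )
    return conn


def lookup_vhost_vulnerable(conn: sqlite3.Connection, host_header: str) -> list[tuple]:
    # BUG: the Host header is attacker-controlled but is concatenated into SQL.
    sql = (
        "SELECT hostname, docroot, admin_token FROM vhost WHERE hostname = '"
        + host_header
        + "'"
    )
    return conn.execute(sql).fetchall()


# RFC 1123 host name labels, optional :port. Deliberately strict: a Host header
# that is not a host name has no legitimate reason to reach the database.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*"
    r"(?::\d{1,5})?$"
)


def is_valid_host_header(value: str) -> bool:
    return len(value) <= 260 and bool(_HOST_RE.match(value))


def lookup_vhost_hardened(conn: sqlite3.Connection, host_header: str) -> list[tuple]:
    # Defence in depth: validate the shape, then bind the value as a parameter so
    # the database driver never parses it as SQL.
    if not is_valid_host_header(host_header):
        return []
    host = host_header.split(":", 1)[0].lower()  # drop port, normalise case
    sql = "SELECT hostname, docroot, admin_token FROM vhost WHERE hostname = ?"
    return conn.execute(sql, (host,)).fetchall()


if __name__ == "__main__":
    crafted = "x' OR '1'='1"
    conn = build_db()
    print("vulnerable:", lookup_vhost_vulnerable(conn, crafted))
    print("hardened:  ", lookup_vhost_hardened(conn, crafted))
    print("legit:     ", lookup_vhost_hardened(conn, "Files.Example.com:443"))
```

The same reasoning applies to every server-supplied-looking field that actually originates on the client: Host, X-Forwarded-For, Referer, and cookies all deserve the parameterised treatment.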

ID: CVE-2021-27102
Title: OS Command Injection in Accellion FTA
Vendor: Accellion
Description: Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-27103
Title: SSRF Vulnerability in Accellion FTA
Vendor: Accellion
Description: Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-27104
Title: OS Command Injection Vulnerability in Accellion FTA
Vendor: Accellion
Description: Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-3197
Title: Shell Injection Vulnerability in SaltStack
Vendor: SaltStack
Description: An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
MD5: f37167c1e62e78b0a222b8cc18c20ba7
VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos