Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: F5 urges users to patch vulnerabilities that could let attackers take complete control of systems

Description: F5’s BIG-IP and BIG-IQ products contain multiple critical vulnerabilities that could allow adversaries to completely compromise systems. The company urged users to patch as soon as possible. Several of the vulnerabilities disclosed last week could allow attackers to execute malicious code, disable services, and manipulate, delete and create files, among other malicious actions. In all, F5 Networks disclosed four critical vulnerabilities, seven high-severity bugs and 10 that are considered of “medium” severity. BIG-IP and BIG-IQ are usually deployed for application delivery services, such as load balancing, application security and access control. In a worst-case scenario, F5 said, an attacker could exploit a vulnerable BIG-IP appliance to break into the broader enterprise network.

References: https://www.darkreading.com/vulnerabilities---threats/f5-networks-urges-customers-to-update-to-new-versions-of-its-app-delivery-tech/d/d-id/1340385

Snort SID: 57298


Title: New detection, information available on Microsoft Exchange Server zero-day vulnerabilities

Description: Since Microsoft's initial disclosure of multiple zero-day vulnerabilities in Microsoft Exchange Server, Cisco Talos has seen shifts in the tactics, techniques, and procedures (TTPs) associated with this malicious activity. Talos researchers have discovered other actors exploiting these vulnerabilities that appear to be separate from the initial "Hafnium" actor and include groups that are leveraging infrastructure previously attributed to cryptocurrency mining campaigns, groups creating or accessing web shells using notepad.exe or notepad++.exe and large amounts of scanning activity without successful exploitation. Talos has also identified organizations that may be involved in post-exploitation activity. The victimology shows that financial services have been disproportionately affected by exploitation, with a few other notable verticals following including health care, education and local/state governments.

Reference: https://blog.talosintelligence.com/2021/03/hafnium-update.html

Snort SIDs: 57233 - 57246, 57251 - 57253

ClamAV signatures:

Win.Trojan.MSExchangeExploit-9838898-0

Win.Trojan.MSExchangeExploit-9838899-0

Win.Trojan.MSExchangeExploit-9838900-0

Asp.Trojan.Webshell0321-9839392-0

Asp.Trojan.Webshelljs0321-9839431-0

Asp.Trojan.Webshell0321-9839771-0
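
Added example (not from Talos or the referenced post): a small hunt over constructed Sysmon-style process-create and file-create events, showing the two patterns the item describes, an Exchange IIS worker (w3wp.exe) spawning a shell or writing an .aspx file, and notepad.exe or notepad++.exe writing a web-script file under Exchange web directories. The event lines, the directory list and the process names are assumptions for illustration; map them to your own telemetry fields before using the logic.

```python
import json
import ntpath

# Constructed Sysmon-style events as JSON lines (EventID 1 = process create,
# EventID 11 = file create). Made-up samples for this example, not telemetry
# from any real incident.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\errorEE.aspx"}
{"EventID": 11, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "TargetFilename": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\help.aspx"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\logon.aspx"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\admin\\Documents\\notes.txt"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
"""

SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EDITORS = {"notepad.exe", "notepad++.exe"}
WEB_SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")
# Assumed Exchange web directories where shells get dropped (lower-case,
# backslash form); adjust to your install path.
EXCHANGE_WEB_DIRS = (
    "\\inetpub\\wwwroot\\aspnet_client",
    "\\frontend\\httpproxy\\owa\\auth",
    "\\frontend\\httpproxy\\ecp\\auth",
    "\\clientaccess\\owa\\auth",
)


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev):
    """Return a rule name if the event matches a hunt rule, else None."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    if ev.get("EventID") == 1:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent == "w3wp.exe" and image in SHELL_PROCS:
            return "iis-worker-spawned-shell"
        return None
    if ev.get("EventID") == 11:
        low = ev.get("TargetFilename", "").lower()
        if not low.endswith(WEB_SCRIPT_EXT):
            return None
        # The IIS worker itself writing server-side script is the original
        # exploitation pattern; an interactive editor doing so under the
        # Exchange web roots is the hands-on-keyboard variant.
        if image == "w3wp.exe":
            return "iis-worker-wrote-webshell"
        if image in EDITORS and any(d in low for d in EXCHANGE_WEB_DIRS):
            return "editor-wrote-webshell"
    return None


def hunt(text):
    """Run every rule over the telemetry; return (rule, detail) pairs."""
    hits = []
    for ev in parse_events(text):
        rule = classify(ev)
        if rule:
            hits.append((rule, ev.get("CommandLine") or ev.get("TargetFilename")))
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

Of the six constructed events, four fire: the shell spawned by w3wp.exe, the two editor-written .aspx files, and the .aspx written by w3wp.exe itself; the notes.txt write and the explorer-launched cmd.exe do not. Scanning without successful exploitation, which the item also mentions, leaves no such host artifacts and has to be caught at the network edge (the Snort rules above) instead.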

Internet Storm Center Entries


At least six APT groups have been exploiting the Microsoft Exchange Server zero-day vulnerabilities so far.

https://arstechnica.com/gadgets/2021/03/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts/


Other threat actors, including ransomware and botnet operators, are also targeting systems with unpatched Exchange Server vulnerabilities.

https://www.cyberscoop.com/exchange-microsoft-ransomware-botnet-criminal/


A massive fire at an OVHcloud data center in Strasbourg, France affected the IT infrastructure of some of its customers, including several government-sponsored cyber threat groups.

https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure


Law enforcement officials and tech companies in the UK are reportedly testing tools that would allow them to track the web browsing history of every person in the country.

https://www.wired.co.uk/article/internet-connection-records-ip-act


The leaders of the U.S., Australia, India, and Japan agreed to establish several new “quad” working groups, including one that will address cyber threats.

https://www.npr.org/2021/03/12/976305089/biden-and-quad-leaders-launch-vaccine-push-deepen-coordination-against-china


As of March 12, Microsoft reported that only 82,000 internet-exposed Exchange servers remained vulnerable to the recently disclosed zero-day vulnerabilities, down from an initial 400,000.

https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/


Many expired domains available to anyone on the internet pose serious risk for users who could be duped by seemingly legitimate-looking scams.

https://blog.talosintelligence.com/2021/03/domain-dumpster-diving.html


The UK’s top cybersecurity office warned nurseries and childcare centers that they have become an “appealing target” for cyber attacks.

https://www.bbc.com/news/education-56403778


American cyber officials are considering deeper partnerships with private sector computer security companies after intelligence agencies failed to detect the recent Hafnium and SolarWinds campaigns.

https://www.nytimes.com/2021/03/14/us/politics/us-hacks-china-russia.html

Recent CVEs


ID: CVE-2021-3148

Title: Command Injection Vulnerability in SaltStack

Vendor: SaltStack

Description: An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-28041

Title: Double-Free Memory Corruption Vulnerability in OpenSSH

Vendor: OpenBSD

Description: ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

CVSS v3.1 Base Score: 7.3 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2021-27886

Title: Command Injection Vulnerability in Docker Dashboard

Vendor: Docker Dashboard Project

Description: rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-27730

Title: Argument Injection Vulnerability in Accellion FTA

Vendor: Accellion

Description: Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
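
Added example covering the three injection classes in the entries above (CVE-2021-3148, CVE-2021-27886 and CVE-2021-27730). It is illustrative Python with constructed attacker inputs, not the affected projects' code. The first part splices a value into a shell command string inside single quotes and tokenizes the result the way a POSIX shell would, showing that a single quote in the input ends the protected region and the remainder becomes separate commands; the hardened form uses an argv list and an allowlist on the value. The second part shows argument injection, where even an argv list lets a value beginning with "-" be read by the child program as an option, and the fix of rejecting option-like values and placing "--" before positional arguments. The module-name and tar scenarios are assumptions chosen for the illustration.

```python
import re
import shlex
import subprocess

# ---- Case A: user data spliced into a shell command string (the shape of
# CVE-2021-3148's quote handling and CVE-2021-27886's metacharacters).


def vulnerable_command(module_name):
    """Build a shell string. The single quotes only protect the argument
    until the first single quote that appears inside module_name."""
    return "python -c 'import %s'" % module_name


def shell_tokens(cmd):
    """Tokenize cmd as a POSIX shell would, so injected operators show up as
    their own words instead of hiding inside the quoted argument."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


# Dotted Python module path only; anything else is refused.
MODULE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")


def hardened_argv(module_name):
    """No shell at all (argv list) plus an allowlist on the value; without
    the allowlist the caller could still smuggle arbitrary Python into -c."""
    if not MODULE_RE.fullmatch(module_name):
        raise ValueError("module name rejected: %r" % module_name)
    return ["python", "-c", "import %s" % module_name]


# ---- Case B: argument injection (the class of CVE-2021-27730). With no
# shell involved, a value starting with '-' is still parsed by the child
# program as an option rather than as data.


def archive_argv(archive, path, hardened=False):
    """argv for 'tar -cf archive path'. Unhardened: path may become an
    option. Hardened: refuse option-like values and add '--' so the child
    stops option parsing before the user-controlled positional argument."""
    if not hardened:
        return ["tar", "-cf", archive, path]
    if path.startswith("-"):
        raise ValueError("option-like path rejected: %r" % path)
    return ["tar", "-cf", archive, "--", path]


def is_option_like(argv):
    """True if any positional argument after the fixed prefix looks like an option."""
    return any(a.startswith("-") for a in argv[3:])


if __name__ == "__main__":
    evil = "os'; id; echo 'done"  # constructed attacker input
    cmd = vulnerable_command(evil)
    print(cmd)
    print(shell_tokens(cmd))  # 'id' and 'echo' are now separate commands
    # Running it under sh shows 'id' executing (requires /bin/sh).
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    print(out.stdout, out.stderr)
    try:
        hardened_argv(evil)
    except ValueError as e:
        print("rejected:", e)
    print(archive_argv("out.tar", "--checkpoint-action=exec=id"))
    print(archive_argv("out.tar", "notes.txt", hardened=True))
```

The tokenizer view is the useful part for review work: if the tokens of the built command change shape when the input contains a quote, semicolon or leading dash, the input is being parsed as syntax rather than as data.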


ID: CVE-2021-25283

Title: Server-Side Template Injection Vulnerability in SaltStack

Vendor: SaltStack

Description: An issue was discovered in SaltStack Salt before 3002.5. The Jinja renderer does not protect against server-side template injection attacks.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
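
Added example, not Salt's code: the standard library's str.format is used here as a stand-in for the Jinja renderer, since it has the same shape of problem, a template whose text comes from the user can use the engine's lookup syntax to walk attributes and reach data the author never exposed. SECRET_API_KEY and the Renderer class are constructed for the illustration. The vulnerable function renders user-supplied template text; the two hardened forms either render only a developer-authored template with user data as a value, or accept a restricted template that allows bare {name} placeholders only, which is the same idea as rendering untrusted templates in a sandboxed environment.

```python
import string

# Constructed stand-in for a secret held in the rendering process (for Salt,
# think of master-side configuration).
SECRET_API_KEY = "constructed-secret-do-not-leak"


class Renderer:
    """Any ordinary object will do: its __init__ carries __globals__, the
    module namespace, which is how a template walks from a harmless context
    value to everything the module can see."""

    def __init__(self, name):
        self.name = name


def render_untrusted_template(template, **ctx):
    """Vulnerable: the template text itself comes from the user, so the
    engine's attribute and index syntax is available to them."""
    return template.format_map(ctx)


def render_fixed_template(user_value):
    """Safe: the template is developer-authored; user text is only a value,
    so braces inside it are never parsed."""
    return "Hello, {name}!".format(name=user_value)


def safe_render(template, ctx):
    """Restricted renderer for templates from a less-trusted source: only
    bare {identifier} placeholders that exist in ctx are allowed. Attribute
    or index traversal, conversions and format specs are rejected."""
    for _literal, field, spec, conv in string.Formatter().parse(template):
        if field is None:
            continue
        if not field.isidentifier() or spec or conv:
            raise ValueError("disallowed placeholder: %r" % field)
        if field not in ctx:
            raise ValueError("unknown placeholder: %r" % field)
    return template.format_map(ctx)


if __name__ == "__main__":
    r = Renderer("demo")
    evil = "{r.__init__.__globals__[SECRET_API_KEY]}"  # constructed payload
    print(render_untrusted_template(evil, r=r))  # leaks the secret
    print(render_fixed_template(evil))  # braces are just text
    try:
        safe_render(evil, {"r": r})
    except ValueError as e:
        print("rejected:", e)
    print(safe_render("Hi {name}", {"name": "{r.__init__}"}))
```

The lesson carries over to Jinja directly: decide whether the template or the data is the untrusted input, and never hand the renderer a template string assembled from the latter.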


ID: CVE-2021-25281

Title: Authentication Bypass Vulnerability in SaltStack

Vendor: SaltStack

Description: An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel module on the master.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-2047

Title: Unauthenticated Access Vulnerability in Oracle WebLogic Server

Vendor: Oracle

Description: This vulnerability is in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f

MD5: b8a582da0ad22721a8f66db0a7845bed

VirusTotal: https://www.virustotal.com/gui/file/5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f/details

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:5901ce0f36.in03.Talos


SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos