SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: F5 urges users to patch vulnerabilities that could open the door to complete control of systems
Description: F5's BIG-IP and BIG-IQ products contain multiple critical vulnerabilities that could allow adversaries to completely compromise affected systems, and the company urged users to patch as soon as possible. Several of the vulnerabilities disclosed last week could allow attackers to execute malicious code, disable services, and create, manipulate or delete files, among other malicious actions. In all, F5 Networks disclosed four critical vulnerabilities, seven high-severity bugs and 10 rated "medium" severity. BIG-IP and BIG-IQ appliances are usually deployed for application delivery services such as load balancing, application security and access control, so they sit in the path of production traffic. In a worst-case scenario, F5 said, an attacker could exploit a vulnerable BIG-IP appliance to break into the broader enterprise network.
Snort SID: 57298
Title: New detection, information available on Microsoft Exchange Server zero-day vulnerabilities
Description: Since Microsoft's initial disclosure of multiple zero-day vulnerabilities in Microsoft Exchange Server, Cisco Talos has seen shifts in the tactics, techniques, and procedures (TTPs) associated with this malicious activity. Talos researchers have discovered other actors exploiting these vulnerabilities that appear to be separate from the initial "Hafnium" actor and include groups that are leveraging infrastructure previously attributed to cryptocurrency mining campaigns, groups creating or accessing web shells using notepad.exe or notepad++.exe and large amounts of scanning activity without successful exploitation. Talos has also identified organizations that may be involved in post-exploitation activity. The victimology shows that financial services have been disproportionately affected by exploitation, with a few other notable verticals following including health care, education and local/state governments.
Reference: https://blog.talosintelligence.com/2021/03/hafnium-update.html
Snort SIDs: 57233 - 57246, 57251 - 57253
ClamAV signatures:
Win.Trojan.MSExchangeExploit-9838898-0
Win.Trojan.MSExchangeExploit-9838899-0
Win.Trojan.MSExchangeExploit-9838900-0
Asp.Trojan.Webshell0321-9839392-0
Asp.Trojan.Webshelljs0321-9839431-0
Asp.Trojan.Webshell0321-9839771-0
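The editor-driven web-shell creation Talos describes above (notepad.exe or notepad++.exe used to create or open web shells) lends itself to a simple host-telemetry hunt alongside the network and file signatures listed. The following is an added example, not Talos code and not one of the signatures above: it scans Sysmon FileCreate (Event ID 11) records in JSON-lines form for an interactive editor writing a server-side script into a web-served Exchange directory. The event field names, the Exchange web-root paths and the sample events are assumptions constructed for the example; adjust them to your own telemetry pipeline and install path.

```python
"""Hunt for web shells written by an interactive editor on an Exchange host.

Added example (not Talos code). Field names follow Sysmon-style JSON
(EventID, Image, TargetFilename, UtcTime, User); paths are assumptions
for a default Exchange 2016/2019 install and must be adjusted locally.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Editors Talos reported being used to create or access web shells.
EDITOR_IMAGES = {"notepad.exe", "notepad++.exe"}
# Server-side script types IIS will execute if dropped under a web root.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}
# Assumed web-served directories (assumption: tune to your ExchangeInstallPath).
WEB_ROOTS = (
    r"c:\inetpub\wwwroot\aspnet_client",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
    r"c:\program files\microsoft\exchange server\v15\clientaccess",
)


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    image: str
    target: str


def _norm(path: str) -> str:
    """Lower-case and unify slashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def is_editor_webshell_write(event: dict) -> bool:
    """True for a FileCreate (EventID 11) where notepad.exe / notepad++.exe
    writes a server-side script file beneath one of the web roots."""
    if event.get("EventID") != 11:
        return False
    image = ntpath.basename(_norm(event.get("Image", "")))
    target = _norm(event.get("TargetFilename", ""))
    if image not in EDITOR_IMAGES:
        return False
    if ntpath.splitext(target)[1] not in SCRIPT_EXTS:
        return False
    # Require a path separator after the root so "aspnet_client2" does not match.
    return any(target.startswith(root + "\\") for root in WEB_ROOTS)


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines events and return the suspicious editor writes."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if is_editor_webshell_write(event):
            findings.append(Finding(event.get("UtcTime", ""), event.get("User", ""),
                                    event["Image"], event["TargetFilename"]))
    return findings


# Constructed sample telemetry (not real events); two hits, three benign/irrelevant.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 11, "UtcTime": "2021-03-10 14:02:11", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\error.aspx"},
    {"EventID": 11, "UtcTime": "2021-03-10 14:05:40", "User": "CORP\\exadmin",
     "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\"
                       "FrontEnd\\HttpProxy\\owa\\auth\\shell.aspx"},
    {"EventID": 11, "UtcTime": "2021-03-10 14:06:02", "User": "CORP\\exadmin",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\exadmin\\Desktop\\notes.txt"},
    {"EventID": 11, "UtcTime": "2021-03-10 14:07:19", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",  # different process, out of scope here
     "TargetFilename": "C:\\inetpub\\wwwroot\\aspnet_client\\x.aspx"},
    {"EventID": 11, "UtcTime": "2021-03-10 14:08:33", "User": "CORP\\exadmin",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\aspnet_client\\readme.txt"},
]]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.time} {f.user} {f.image} -> {f.target}")
```

The hunt deliberately keys on the writing process rather than file content, so it complements the content-based ClamAV signatures above: a web shell with novel content still surfaces if an interactive editor wrote it into a served directory. The fourth sample (w3wp.exe dropping an .aspx) is the other Hafnium-era pattern and needs its own rule; it is excluded here only to keep the example focused.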