Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Vulnerabilities in line of NETGEAR switches could lead to remote code execution

Description: NETGEAR disclosed multiple vulnerabilities, some of them considered critical, in two of its ProSAFE Plus networking switches. An adversary could exploit these vulnerabilities to execute code on the affected devices without authentication. NETGEAR could not fix five high-risk vulnerabilities due to “system-on-chip CPU and memory limitations of the switches.” However, an attacker could only exploit these vulnerabilities if the switches have Plus Utility enabled — a feature that’s been disabled by default since 2019. One of the most serious vulnerabilities, CVE-2020-35231, allows an attacker to bypass NSDP authentication, potentially allowing them to execute management actions on the device or wipe its configuration via a factory reset.

References: https://kb.netgear.com/000062993/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-ProSAFE-Plus-Switches

Snort SIDs: 57332 - 57334


Title: Attacks spike against F5 BIG-IP and BIG-IQ vulnerabilities

Description: Attackers are actively exploiting a critical vulnerability in F5 devices that could lead to remote code execution. F5 disclosed and patched the flaws earlier this month, but many devices remain unpatched. The unauthenticated remote command execution vulnerability exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure. An attacker could exploit this flaw to fully take over a vulnerable system. Proof-of-concept exploit code made its way onto GitHub shortly after the vulnerability was disclosed, and security researchers say attackers are scanning for unpatched targets. The U.S. Cybersecurity and Infrastructure Security Agency also released a warning over the weekend urging users to patch as soon as possible.

Reference: https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/

Snort SIDs: 57336, 57337

Internet Storm Center Entries


A security researcher discovered multiple vulnerabilities in the TikTok app for Android that could be chained together to give an attacker remote code execution.

https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105


An attempt to poison a town’s water system in Florida in February is just the tip of the iceberg when it comes to the threats American public utilities face from potential cyber attacks.

https://www.propublica.org/article/hacking-water-systems


The CEOs of Facebook, Twitter and Google are scheduled to testify on Thursday, March 24, in front of the U.S. House subcommittees to discuss their efforts to combat disinformation.

https://news.bloomberglaw.com/tech-and-telecom-law/house-to-confront-tech-ceos-over-online-spread-of-false-info


Several tech CEOs, government officials and security experts are working on various solutions to combat ransomware gangs.

https://www.cyberscoop.com/ransomware-attacks-global-hacks-diplomacy/


A Russian man has pleaded guilty to trying to recruit a Tesla employee to place malware on the company's networks.

https://therecord.media/russian-who-tried-to-hack-tesla-last-summer-pleads-guilty/


Email giant Mimecast says attackers stole source code, certificates, and customer server connection datasets as part of the recent massive SolarWinds supply chain attack.

https://www.zdnet.com/article/mimecast-reveals-source-code-theft-in-solarwinds-hack/


Michigan’s Flagstar bank is now warning some customers that it lost their Social Security numbers and other personal information in a recent ransomware attack; Flagstar had previously revealed that employees’ information was compromised.

https://www.vice.com/en/article/xgznxw/ransomwared-bank-tells-customers-it-lost-their-ssns


Attackers are trying to infect iOS developers’ computers with malware by hiding it in a maliciously crafted Xcode project.

https://arstechnica.com/gadgets/2021/03/attackers-are-trying-awfully-hard-to-backdoor-ios-developers-macs/


The U.K.’s top cybersecurity office has issued an alert warning of an increase in ransomware attacks targeting the education sector and offering advice for protecting networks.

https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-27185

Title: Command Injection Vulnerability in Samba Client

Vendor: Samba

Description: The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-26987

Title: Remote Code Execution in SpringBoot Framework

Vendor: NetApp, Pivotal Software

Description: Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-24148

Title: Authentication Bypass Vulnerability in WP Plugin

Vendor: InspireUI

Description: A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, contained an authentication bypass in its Sign In With Apple flow that allowed unauthenticated users to obtain an authentication cookie with only an email address.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-22848

Title: SQL Injection Vulnerability in HGiga Mail

Vendor: HGiga

Description: HGiga MailSherlock contains a SQL injection vulnerability. Remote attackers can inject SQL syntax and execute SQL commands through a URL parameter of the email pages without any privileges.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-13576

Title: Remote Code Execution Vulnerability in Genivia gSOAP

Vendor: Genivia

Description: A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21150

Title: Improper Memory Read Vulnerability in Google Chrome

Vendor: Google

Description: Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVSS v3.1 Base Score: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)


ID: CVE-2021-20218

Title: Unrestricted Path Traversal Vulnerability in Kubernetes Client

Vendor: Red Hat

Description: A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2, kubernetes-client-5.0.2, kubernetes-client-4.11.2 and kubernetes-client-4.7.2.

CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)


ID: CVE-2020-27861

Title: Arbitrary Code Execution Vulnerability in Netgear Orbi Routers

Vendor: Netgear

Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root.

CVSS v3.1 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f

MD5: b8a582da0ad22721a8f66db0a7845bed

VirusTotal: https://www.virustotal.com/gui/file/5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f/details

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:5901ce0f36.in03.Talos