Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Exchange Server critical vulnerabilities included in Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year. Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in Tuesday’s security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. The new vulnerabilities Microsoft disclosed are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10. There are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. The remainder are all “important.” Twelve of the critical vulnerabilities exist in the remote procedure call runtime.

References: https://blog.talosintelligence.com/2021/04/microsoft-patch-tuesday-for-april-2021.html

Snort SIDs: 57403, 57404, 57411, 57414


Title: Attackers infiltrate collaboration app servers to spread spam, malware

Description: As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses. Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments. RATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.

Reference: https://blog.talosintelligence.com/2021/04/collab-app-abuse.html

ClamAV signatures: Win.Trojan.AgentTesla-9846789-0, Js.Trojan.Downloader-9846867-0, Win.Dropper.Agent-9847178-0, Win.Trojan.Vebzenpak-9847193-0, Win.Trojan.Bulz-9847194-1, Win.Malware.Predator-9850360-1, Win.Trojan.Taskun-9850631-0, Win.Packed.Trojanx-9850692-0

Internet Storm Center Entries


Iran claimed a state-sponsored actor was likely behind a recent attack that shut down its Natanz uranium enrichment facility.

https://www.nytimes.com/2021/04/11/world/middleeast/iran-nuclear-natanz.html

The U.S. has denied involvement in the attack, which caused an explosion.

https://www.axios.com/biden-administration-explosion-natanz-nuclear-site-8f2b71ae-54c4-438f-be12-68c6f3e3c676.html

A Telegram bot could be exploited to disclose the phone number attached to many Facebook pages; this is separate from the leaked database of 500 million Facebook users’ records that was in the news last week.

https://www.vice.com/en/article/qj8dj5/facebook-phone-number-data-breach-telegram-bot

A threat actor leaked information belonging to a rival hacking group after breaching a credit card fraud dark web forum.

https://www.group-ib.com/media/swarmshop-breach/

Q Link Wireless, a low-cost mobile phone carrier, exposed sensitive personal information to anyone who knew a valid phone number and could provide it through the carrier’s app.

https://arstechnica.com/information-technology/2021/04/no-password-required-mobile-carrier-exposes-data-for-millions-of-accounts/

U.S. President Joe Biden filled two key cybersecurity roles in his administration, nominating former National Security Agency officials to head the Cybersecurity and Infrastructure Security Agency and to become the country’s first national cyber director.

https://www.politico.com/news/2021/04/12/biden-nominates-former-nsa-officials-480945

Vulnerabilities in four TCP/IP stacks affect millions of Internet of Things devices and can be exploited to allow remote code execution or cause denial-of-service conditions.

https://www.zdnet.com/article/these-new-vulnerabilities-millions-of-iot-devives-at-risk-so-patch-now/

The Sysrv botnet is adding new exploits and capabilities as it steps up its targeting of Windows and Linux machines to deliver cryptocurrency miners.

https://arstechnica.com/gadgets/2021/04/windows-and-linux-devices-are-under-attack-by-a-new-cryptomining-worm/

Several ransomware actors are still exploiting unpatched Microsoft Exchange Servers a month after the company disclosed several zero-day vulnerabilities.

https://www.darkreading.com/attacks-breaches/inside-the-ransomware-campaigns-targeting-exchange-servers/d/d-id/1340582

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-30177

Title: SQL Injection Vulnerability in PHPNuke

Vendor: PHPNuke

Description: There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-28925

Title: SQL Injection Vulnerability in Nagios

Vendor: Nagios

Description: SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-24175

Title: Authentication Bypass Vulnerability in Posimyth WP Plugin

Vendor: Posimyth

Description: The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-1871

Title: Remote Code Execution Vulnerability in macOS Big Sur

Vendor: Apple

Description: A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-17523

Title: Authentication Bypass Vulnerability in Apache Shiro

Vendor: Apache

Description: In Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-22986

Title: Remote Code Execution Vulnerability in F5 BIG-IP system

Vendor: F5

Description: This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21983

Title: Privilege Escalation Vulnerability in VMware vRealize

Vendor: VMware

Description: An arbitrary file write vulnerability in the vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.

CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2

MD5: 96f8e4e2d643568cf242ff40d537cd85

VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos