Internet Storm Center Spotlight


Title: U.S. blames Russian state-sponsored actors for exploiting vulnerabilities

Description: The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures. The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched — Cisco Talos encourages everyone with the affected software update immediately. Some of these vulnerabilities also have working metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities exploit applications leveraging SSL.


Snort SIDs: 49898, 52512, 52513, 52603, 52620, 52662, 51370 – 51372, 51288 - 51390

Title: Google Chrome V8 engine exploited in the wild

Description: Google issued multiple updates to its Chrome web browser last week after researchers discovered multiple zero-day vulnerabilities in its V8 engine. The company stated in an update that exploits for vulnerabilities in V8 and Chrome's rendering engine Blink exist in the wild. According to proof-of-concept code posted by a security researcher, an attacker could use an HTML and JavaScript file to launch the calculator app on Windows 10 when loaded into a Chromium-based browser. However, it has larger wide-range implications, including other types of code execution.


Snort SIDs: 57420 - 57424

Internet Storm Center Entries

Iran has identified a suspect in a cyberattack that damaged one of its nuclear facilities last week.

Attackers stole information belonging to 21 million ParkMobile users and published data, including license plate numbers and cell phone numbers, to a dark web forum.

A member of the infamous FIN7 hacking group was sentenced to 10 years in U.S. federal prison for his role in several credit card data theft schemes.

The FBI obtained permission earlier this month to remotely remove malware installed on targeted Microsoft Exchange Servers and notify the servers’ owners after the fact.

Def Con and Black Hat will have some in-person presence this year in Las Vegas.

In testimony before the US House Subcommittee on Government Operations, Committee on Oversight and Reform, GAO Director of Information Technology and Cybersecurity Kevin Walsh spoke about “federal agencies’ efforts to address high-risk areas focused on the management of IT and cybersecurity.”

Several state government leaders from across the U.S. wrote to the U.S. Cybersecurity and Infrastructure Security Agency last week asking that it increase its counter disinformation efforts to renew confidence in elections.

Threat actors in China are capitalizing on the country’s push to collect more data on its citizens, specifically carrying out underground big data monetization campaigns.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-27112
Title: Remote Code Execution in Light CMS
Vendor: Light CMS Project
Description: LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images. This vulnerability can be exploited remotely and attackers can exploit this vulnerability to deliver malicious code to end users.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-25360
Title: Arbitrary Code Execution in Android Devices
Vendor: Google Android
Description: An improper input validation vulnerability in libswmfextractor library prior to SMR APR-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-24223
Title: Malicious File Upload Vulnerability in WP Library
Vendor: Wordpress
Description: The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5(uniqid(rand())), however, in the case of misconfigured servers with Directory listing enabled, accessing it is trivial.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-22507
Title: Authentication Bypass Vulnerability in MicroFocus Device
Vendor: Microfocus
Description: Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. The vulnerability could allow remote attackers to bypass user authentication and get unauthorized access.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-20021
Title: Privilege Escalation Vulnerability in SonicWall Email Security
Vendor: SonicWall
Description: A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-1479
Title: Remote Code Execution Vulnerability in Cisco vManage Software
Vendor: Cisco
Description: Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-27236
Title: SQL Injection Vulnerability in Openclinic
Vendor: Openclinic
Description: An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8


Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208

MD5: 84291afce6e5cfd615b1351178d51738


Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name:

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3


Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name:

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2

MD5: 96f8e4e2d643568cf242ff40d537cd85


Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: