Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Attackers exploiting multiple critical vulnerabilities in Pulse Secure VPN service

Description: Pulse Secure announced that a critical vulnerability (CVE-2021-22893) was discovered in their VPN service "Pulse Secure Connect" in a recent security advisory. The advisory states that, "a vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment." The company released a blog post alongside this advisory disclosing that the vulnerability has been exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency also released an alert warning of these vulnerabilities. In the alert, CISA notes that networks belonging to multiple government agencies, critical infrastructure entities and private sector organizations have been compromised going as far back as June 2020.

References: https://blog.talosintelligence.com/2021/04/pulse-vpn-coverage.html

Snort SIDs: 51288, 51289, 51390, 57452 – 57459 and 57461 - 57468


Title: Targets still seeing a rise in COVID-19-themed malware campaigns

Description: A new report indicates that the amount of malware campaigns using COVID-19-themed lures continue to rise, even more than a year after the pandemic took hold in the U.S. New data shows that COVID-related cyber attack detections rose by 240 percent in the third quarter of 2020 and 114 percent in Q4. Many attackers relied on privilege escalation techniques to spread ransomware and other threats off the backs of these campaigns. Some used PowerShell, while others relied on remote access trojans like Remcos. Several state-sponsored actors have also been involved in these attacks.

Reference: https://www.helpnetsecurity.com/2021/04/19/covid-19-themed-cyberattack/

Snort SIDs: 57431

Internet Storm Center Entries


Experts are concerned that the Biden administration’s $2 trillion infrastructure plan currently lacks language and funding for cybersecurity measures to protect the new and upgraded infrastructure.

https://www.politico.com/news/2021/04/26/cybersecurity-hole-biden-infrastructure-plan-484640


The Biden administration has launched a 100-day initiative to strengthen the security posture of America’s power grid.

https://www.cnn.com/2021/04/20/politics/biden-electricity-grid-cybersecurity/index.html


A vulnerability in Apple’s AirDrop feature that could allow scammers to view users’ email and phone number can be fixed by disabling AirDrop and not opening the share menu.

https://www.usatoday.com/story/tech/2021/04/24/apple-iphone-macbook-airdrop-security-flaw-change-privacy-setting/7366475002/


The Electronic Frontier Foundation and the American Civil Liberties Union have petitioned the Supreme Court to overturn an appeals court ruling that allows the Department of Homeland Security to search travelers’ electronic devices at ports of entry and airports without a warrant.

https://www.cyberscoop.com/homeland-security-eff-aclu-supreme-court-device-searches/


A supply chain attack compromised the upgrade mechanism of the Passwordstate password manager to include a file that exfiltrates sensitive data from users’ systems.

https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/


Apple has released iOS 14.5, which includes a new feature that lets users choose whether or not to allow apps to track their activity across other apps and websites owned by other companies.

https://www.computerweekly.com/news/252499853/Apple-OS-updates-patch-multiple-security-holes


Attackers leaked data from the Washington, D.C. police department — the third law enforcement agency in the U.S. to be hit by a cyber attack in six weeks.

https://www.nytimes.com/2021/04/27/us/dc-police-hack.html


An Australian hospital operator was hit with a cyber attack this week, and as of Tuesday afternoon, could not access its digital and technology systems.

https://www.abc.net.au/news/2021-04-26/uniting-care-queensland-hospitals-cyber-attack/100096772


The Linux kernel team has rejected the apology of University of Minnesota researchers who deliberately submitted “hypocrite commits” and has submitted a letter describing actions that the researchers and the university need to take to regain the project’s trust.

https://arstechnica.com/gadgets/2021/04/linux-kernel-team-rejects-university-of-minnesota-researchers-apology/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-0248

Title: Authentication Bypass Vulnerability in Juniper

Vendor: Juniper

Description: This issue is not applicable to NFX NextGen Software. On NFX Series devices the use of Hard-coded Credentials in Juniper Networks Junos OS allows an attacker to take over any instance of an NFX deployment. This issue is only exploitable through administrative interfaces. This issue affects: Juniper Networks Junos OS versions prior to 19.1R1 on NFX Series. No other platforms besides NFX Series devices are affected.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-2177

Title: Remote Code Execution in Oracle Global Desktop

Vendor: Oracle

Description: Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Gateway). The supported version that is affected is 5.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-2256

Title: Remote Code Execution in Oracle Storage Cloud

Vendor: Oracle

Description: Vulnerability in the Oracle Storage Cloud Software Appliance product of Oracle Storage Gateway (component: Management Console). The supported version that is affected is Prior to 16.3.1.4.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Storage Cloud Software Appliance. While the vulnerability is in Oracle Storage Cloud Software Appliance, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Storage Cloud Software Appliance. Note: Updating the Oracle Storage Cloud Software Appliance to version 16.3.1.4.2 or later will address these vulnerabilities.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-22893

Title: Authentication Bypass Vulnerability in Pulse Connect Secure

Vendor: PulseSecure

Description: Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-27602

Title: Remote Code Execution Vulnerability in SAP Commerce

Vendor: SAP

Description: SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2019-17571

Title: Remote Arbitrary Code Execution Vulnerability in Log4j

Vendor: Apache and Multiple Vendors

Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVSS v3.1 Base Score: 9.8 (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-2135

Title: Remote Code Execution in Oracle Weblogic Server

Vendor: Oracle

Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Coherence Container). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9

MD5: d709ea22945c98782dc69e996a98d643

VirusTotal: https://www.virustotal.com/gui/file/3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:3bc24c6181.in03.Talos


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2

MD5: 96f8e4e2d643568cf242ff40d537cd85

VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg