Volume 21 – Number 17

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Information disclosure vulnerability in Linux Kernel

Description: Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel. The Linux Kernel is the free and open-source core of Unix-like operating systems. This vulnerability specifically exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux. CVE-2020-28588 is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory. Talos researchers first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.

Reference: https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html

Title: Cisco discloses multiple vulnerabilities in Adaptive Security Appliance

Description: Cisco disclosed multiple vulnerabilities in its Adaptive Security Appliance software and Cisco Firepower Threat Defense. One high-severity vulnerability, CVE-2021-1493, could allow an attacker to cause a buffer overflow condition. An attacker could exploit this vulnerability by sending a malicious HTTP request. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected system, which could disclose data fragments or cause the device to reload, resulting in a denial of service (DoS) condition. Another medium-risk vulnerability could allow an adversary to inject commands that could be executed with root privileges on the underlying operating system.

References:

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-cmdinj-TKyQfDcU

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-memc-dos-fncTyYKG

Snort SIDs: 57486, 57488, 57489

Internet Storm Center Entries

The Ransomware Task Force has released “a comprehensive strategic framework for tackling the dramatically increasing and evolving threat of ransomware.”

https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf

The U.S. Cybersecurity and Infrastructure Security Agency released a warning last week alerting Codecov users of a possible supply chain attack, urging them to check for indicators of compromise, and to login to Codecov to see if there is more information relevant to their organizations and repositories.

https://us-cert.cisa.gov/ncas/current-activity/2021/04/30/codecov-releases-new-detections-supply-chain-compromise

Researchers have detected a new backdoor that is being used by a Chinese APT ton target Russian defense contractors

https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector

US Senator Angus King (I-Maine) said that the country’s nuclear command, control, and communications system needs to be upgraded to protect it from cyberattacks.

https://spacenews.com/sen-angus-king-cybersecurity-a-major-concern-in-u-s-nuclear-command-and-control-system/

Pennsylvania will not renew its contract with a contact tracing vendor after the company “disregarded security protocols established in the contract and created unauthorized documents” which were shared on an unauthorized collaboration channel.

https://statescoop.com/pennsylvania-to-cut-ties-with-contact-tracing-vendor-after-data-compromise/

In late April, law enforcement authorities activated a payload that removed Emotet malware from infected machines.

https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/

Researchers at Mandiant have detected three new malware families are being used to conduct phishing campaigns. The threat actors used obfuscation and fileless malware to evade detection.

https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html

Apple has released updates for iOS, macOS, iPadOS, and watchOS to address WebKit vulnerabilities that may have been exploited in the wild.

https://www.theverge.com/2021/5/3/22417984/ios-14-5-1-ipad-iphone-apple-watch-mac-update-security-fix

Researchers discovered a variant of the Buer malware that has been rewritten in the Rust programming language, likely to try to bypass existing detection mechanisms.

https://www.darkreading.com/attacks-breaches/buer-malware-variant-rewritten-in-rust-programming-language/d/d-id/1340895

Recent CVEs

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-2248

Title: Remote Code Execution Vulnerability in Oracle Secure Product

Vendor: Oracle

Description: Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server). The supported version that is affected is 5.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via SKID to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-31572

Title: Denial of Service Vulnerability in AWS

Vendor: Amazon

Description: The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.