Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Information disclosure vulnerability in Linux Kernel

Description: Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel. The Linux Kernel is the free and open-source core of Unix-like operating systems. This vulnerability specifically exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux. CVE-2020-28588 is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory. Talos researchers first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.

Reference: https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html


Title: Cisco discloses multiple vulnerabilities in Adaptive Security Appliance

Description: Cisco disclosed multiple vulnerabilities in its Adaptive Security Appliance software and Cisco Firepower Threat Defense. One high-severity vulnerability, CVE-2021-1493, could allow an attacker to cause a buffer overflow condition. An attacker could exploit this vulnerability by sending a malicious HTTP request. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected system, which could disclose data fragments or cause the device to reload, resulting in a denial of service (DoS) condition. Another medium-risk vulnerability could allow an adversary to inject commands that could be executed with root privileges on the underlying operating system.

References:

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-cmdinj-TKyQfDcU

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-memc-dos-fncTyYKG

Snort SIDs: 57486, 57488, 57489

Internet Storm Center Entries


The Ransomware Task Force has released “a comprehensive strategic framework for tackling the dramatically increasing and evolving threat of ransomware.”

https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf


The U.S. Cybersecurity and Infrastructure Security Agency released a warning last week alerting Codecov users of a possible supply chain attack, urging them to check for indicators of compromise, and to login to Codecov to see if there is more information relevant to their organizations and repositories.

https://us-cert.cisa.gov/ncas/current-activity/2021/04/30/codecov-releases-new-detections-supply-chain-compromise


Researchers have detected a new backdoor that is being used by a Chinese APT to target Russian defense contractors.

https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector


US Senator Angus King (I-Maine) said that the country’s nuclear command, control, and communications system needs to be upgraded to protect it from cyberattacks.

https://spacenews.com/sen-angus-king-cybersecurity-a-major-concern-in-u-s-nuclear-command-and-control-system/


Pennsylvania will not renew its contract with a contact tracing vendor after the company “disregarded security protocols established in the contract and created unauthorized documents” which were shared on an unauthorized collaboration channel.

https://statescoop.com/pennsylvania-to-cut-ties-with-contact-tracing-vendor-after-data-compromise/


In late April, law enforcement authorities activated a payload that removed Emotet malware from infected machines.

https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/


Researchers at Mandiant have detected three new malware families being used to conduct phishing campaigns. The threat actors used obfuscation and fileless malware to evade detection.

https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html


Apple has released updates for iOS, macOS, iPadOS, and watchOS to address WebKit vulnerabilities that may have been exploited in the wild.

https://www.theverge.com/2021/5/3/22417984/ios-14-5-1-ipad-iphone-apple-watch-mac-update-security-fix


Researchers discovered a variant of the Buer malware that has been rewritten in the Rust programming language, likely to try to bypass existing detection mechanisms.

https://www.darkreading.com/attacks-breaches/buer-malware-variant-rewritten-in-rust-programming-language/d/d-id/1340895

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-2248

Title: Remote Code Execution Vulnerability in Oracle Secure Product

Vendor: Oracle

Description: Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server). The supported version that is affected is 5.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via SKID to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-31572

Title: Denial of Service Vulnerability in AWS

Vendor: Amazon

Description: The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2017-3167

Title: Authentication Bypass Vulnerability in Apache httpd

Vendor: Apache and multiple other vendors

Description: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21346

Title: Deserialization Vulnerability in XStream Library

Vendor: XStream_project

Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
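The entry above points at the mitigation that makes the difference: an explicit allow-list of deserializable types instead of the default blacklist. The following is an added illustration of both configurations side by side, written for this digest; it is not code from the XStream project or from the advisory. The `Invoice` class is a hypothetical application type standing in for whatever the application really unmarshals.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application type; replace with the real classes you unmarshal.
    public static final class Invoice {
        public String customer;
        public int amount;
    }

    // Weak setting: relies only on XStream's built-in blacklist, which is the
    // configuration CVE-2021-21346 bypasses in versions before 1.4.16.
    public static XStream defaultBlacklistOnly() {
        return new XStream();
    }

    // Hardened setting: deny every type first, then re-allow only the minimal
    // set the application actually needs (null, primitives, String, Invoice).
    public static XStream allowListOnly() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Invoice.class });
        // Whole packages can be allowed with a wildcard if the model is larger:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream;
    }

    public static void main(String[] args) {
        XStream safe = allowListOnly();
        safe.alias("invoice", Invoice.class);

        // Constructed sample document for a type on the allow list.
        String xml = "<invoice><customer>acme</customer><amount>42</amount></invoice>";
        Invoice inv = (Invoice) safe.fromXML(xml);
        System.out.println("parsed: " + inv.customer + " " + inv.amount);

        // Any type outside the allow list is rejected before instantiation,
        // even a harmless one such as java.util.HashMap (default alias "map").
        try {
            safe.fromXML("<map/>");
            System.out.println("unexpected: HashMap was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of the `addPermission` calls matters: `NoTypePermission.NONE` clears the default permissions, and everything added afterwards is an explicit exception to that denial. With the allow-list in place, the gadget classes that the pre-1.4.16 blacklist failed to cover are never reachable, which is why the advisory says users who followed this recommendation are not affected.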


ID: CVE-2020-11975

Title: Privilege Escalation Vulnerability in Apache Unomi

Vendor: Apache

Description: Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-11857

Title: Authorization Bypass Vulnerability in Micro Focus Operation Bridge

Vendor: Microfocus

Description: An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-2302

Title: Remote Code Execution in Oracle Fusion

Vendor: Oracle

Description: Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587

MD5: ec26aef08313a27cfa06bfa897972fc1

VirusTotal: https://www.virustotal.com/gui/file/cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587/details

Claimed Product: N/A

Detection Name: Win.Worm.Dunihi::tpd


SHA 256: 5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243

MD5: f2c1aa209e185ed50bf9ae8161914954

VirusTotal: https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details

Typical Filename: webnavigatorbrowser_exe

Claimed Product: WebNavigatorBrowser

Detection Name: W32.5524FEE1BB.5A6DF6a61.auto.Talos


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos