Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Transparent Tribe APT expands its Windows malware arsenal

Description: Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting. Transparent Tribe uses a two-pronged approach for registering malicious domains: Fake domains masquerading as legitimate sites belonging to government, defense, or research entities, and malicious domains that resemble file-sharing websites.

References: https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

Snort SIDs: 57551 - 57562


Title: Lemon Duck cryptocurrency miner targeting vulnerable Microsoft Exchange Servers

Description: Cisco Talos has recently observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available. Microsoft released a report on March 25 highlighting Lemon Duck's targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary malware payloads, such as information stealers. Talos also discovered that Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more effective.

Reference: https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html

Snort SIDs: 45549:4, 46237, 50795, 55926, 57469 - 57474

ClamAV signatures: Ps1.Trojan.Lemonduck-9856143, Ps1.Trojan.Lemonduck-9856144, Win.Trojan.CobaltStrike-7917400, Win.Trojan.CobaltStrike-8091534

Cisco Secure Endpoint Cloud IOCs: W32.LemonDuckCryptoMiner.ioc, Clam.Ps1.Dropper.LemonDuck-9775016-1, Win.Miner.LemonDuck.tii.Talos, Ps1.Dropper.LemonDuck, Clam.Js.Malware.LemonDuck-9775029-1

Internet Storm Center Entries


Colonial Pipeline reportedly paid a $5 million ransom after its systems became infected with ransomware.

https://www.usatoday.com/story/news/nation/2021/05/15/colonial-pipeline-cyberattack-ransomware-payouts-banned/5097768001/


As the pipeline slowly came back online last week, some gas stations were still experiencing fuel shortages.

https://www.cnbc.com/2021/05/15/colonial-pipeline-resumes-normal-operations-after-hack.html


The DarkSide ransomware group behind the attack said it was shutting down operations.

https://zetter.substack.com/p/darkside-retreats-to-the-dark


U.S. President Joe Biden released an Executive Order aimed at strengthening America’s cybersecurity posture by creating new guidelines for federal contractors and creating a new standard playbook for responding to cyber incidents.

https://www.csoonline.com/article/3618730/biden-administration-releases-ambitious-cybersecurity-executive-order.html


The Biden administration says the American Jobs Plan will bolster cybersecurity.

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/18/fact-sheet-the-american-jobs-plan-will-bolster-cybersecurity/


The Irish health system had to shut down its IT systems after a cyberattack over the weekend in what is “possibly the most significant cybercrime attack on the Irish state.”

https://www.bbc.com/news/world-europe-57111615


In the wake of the Colonial Pipeline ransomware attack, a popular Russian language online criminal forum claims it will prevent the sale of any ransomware tools.

https://www.cyberscoop.com/colonial-pipeline-ransomware-xss-criminal/


Google’s upcoming Android 12 operating system will reportedly include a new privacy dashboard for users to personalize what permissions certain apps have and what type of information they’re collecting.

https://www.xda-developers.com/android-12-privacy-dashboard-rumor/


A security researcher warned that a feature in the new Apple AirTags could allow criminals to figure out when people are away from home, making it an easier target for crime.

https://www.vice.com/en/article/jg8mvy/airtags-can-be-used-to-figure-out-when-a-house-is-empty-researcher-warns

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-31166

Title: HTTP Protocol Stack Remote Code Execution Vulnerability

Vendor: Microsoft

Description: Microsoft released patches addressing a critical RCE vulnerability in Windows. This vulnerability allows an unauthenticated attacker to remotely execute code with kernel privileges. It is wormable: an attacker only needs to send a maliciously crafted packet to an affected web server.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-28476

Title: Hyper-V Remote Code Execution Vulnerability

Vendor: Microsoft

Description: Microsoft released patches addressing a critical RCE vulnerability in Windows Server that affects Hyper-V. Although Microsoft rates exploitation as less likely, it should be prioritized for patching, since adversaries can abuse this vulnerability to cause a denial of service (DoS) in the form of a bug check.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-31181

Title: SharePoint Remote Code Execution Vulnerability

Vendor: Microsoft

Description: This is a remote code execution vulnerability in Microsoft SharePoint Server. It allows unauthenticated users to send a specially crafted request to the SharePoint server and gain unauthorized access as a SharePoint user.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-27655

Title: Improper Access Control Vulnerability in Synology Router Manager

Vendor: Synology

Description: Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2019-12725

Title: Remote Code Execution Vulnerability in Zeroshell

Vendor: Zeroshell

Description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-11854

Title: Arbitrary Code Execution Vulnerability in Operations Bridge Manager

Vendor: Micro Focus

Description: Arbitrary code execution vulnerability in the Micro Focus products Operations Bridge Manager, Operations Bridge (containerized) and Application Performance Management. The vulnerability affects: 1.) Operations Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63, 10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02 and 2017.11. 3.) Application Performance Management versions 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow arbitrary code execution.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-20987

Title: Denial of Service Vulnerability in Hilscher EtherNet

Vendor: Hilscher

Description: A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21 that may lead to code injection over the network or cause devices to crash without recovery.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243

MD5: f2c1aa209e185ed50bf9ae8161914954

VirusTotal: https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: W32.5524FEE1BB.5A6DF6a61.auto.Talos


SHA 256: 3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9

MD5: d709ea22945c98782dc69e996a98d643

VirusTotal: https://www.virustotal.com/gui/file/3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:d0442520e2.in03.Talos


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos