Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Researchers find POC for wormable vulnerability in Microsoft Windows HTTP protocol stack

Description: A recently discovered wormable vulnerability in the Windows HTTP protocol stack could also be used to target unpatched Windows 10 and Server systems that publicly expose the Windows Remote Management (WinRM) service. A security researcher released POC code for the vulnerability, patched in this month’s Microsoft security update, last week. The vulnerability only affects WinRM if a user manually enables it on their Windows 10 systems, though enterprise Windows Server endpoints have it toggled on by default. This potentially increases the attack surface for any adversary that uses the vulnerability to spread a ransomware attack, as they could move quickly across the targeted environment. Microsoft has urged users to update their affected products as soon as possible.

Reference: https://www.bleepingcomputer.com/news/security/wormable-windows-http-vulnerability-also-affects-winrm-servers/

Snort SIDs: 57605


Title: Heap-based buffer overflow in Google Chrome could lead to code execution

Description: Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. CVE-2021-21160 is a buffer overflow vulnerability in Chrome’s AudioDelay function that could allow an adversary to execute remote code. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted HTML page in Chrome. Proper heap grooming can give the attacker full control of this heap overflow vulnerability, and as a result, could allow it to be turned into arbitrary code execution.

Reference: https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-heap.html

Snort SIDs: 57057, 57058

Internet Storm Center Entries


Apple released iOS 14.6 to address more than 40 security issues affecting iPhone, iPad, and iPod touch.

https://gizmodo.com/update-your-iphone-to-ios-14-6-now-for-major-security-f-1846958391


Apple also released an update for macOS that addresses several vulnerabilities that are being actively exploited.

https://techcrunch.com/2021/05/24/malware-xcsset-macos/


Ireland’s health care system is still recovering from a massive ransomware attack that has prevented access to patient records and resulted in cancellations of routine appointments.

https://abcnews.go.com/International/10-days-ransomware-attack-irish-health-system-struggling/story?id=77876092


A bill introduced in the US Senate would grant users greater control over their data online.

https://www.theverge.com/2021/5/20/22444515/amy-klobuchar-data-privacy-protection-facebook-state-laws


Air India says that personal information belonging to more than 4.5 million customers was compromised in a data breach affecting the airline’s data processor, SITA.

https://www.reuters.com/world/india/air-india-says-februarys-data-breach-affected-45-mln-passengers-2021-05-21/


Global insurance company AXA’s decision to stop writing policies that cover ransomware payments for clients in France may be an indication the insurance industry is acknowledging that paying ransomware demands fuels more attacks.

https://www.darkreading.com/risk/cyber-insurance-firms-start-tapping-out-as-ransomware-continues-to-rise/d/d-id/1341109


The SolarWinds CEO recently said the company saw evidence of a potential intrusion into its networks as early as January 2019, eight months before the previously disclosed date of September 2019.

https://www.cyberscoop.com/solarwinds-ceo-reveals-much-earlier-hack-timeline-regrets-company-blaming-intern/


Microsoft announced it will retire its Internet Explorer web browser in June 2022.

https://techcrunch.com/2021/05/20/so-long-internet-explorer-and-your-decades-of-security-bugs/


Newly detected disk-wiping malware is disguising itself as ransomware and infecting Israeli targets.

https://arstechnica.com/gadgets/2021/05/disk-wiping-malware-with-irananian-fingerprints-is-striking-israeli-targets/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-33509

Title: Privilege Escalation Vulnerability in Plone

Vendor: Plone

Description: Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2017-10818

Title: Weak Authentication Vulnerability in MaLion

Vendor: Intercom

Description: MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2018-14718

Title: Remote Code Execution Vulnerability in FasterXML Data Bind

Vendor: Oracle, Redhat, NetApp, FasterXML, Debian

Description: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-27135

Title: Denial of Service Vulnerability in xTerm

Vendor: Debian, Fedora Project, Invisible-Island

Description: xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-36326

Title: Object Injection Vulnerability in PHPMailer

Vendor: PHPmailer_project

Description: PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-26583

Title: Remote Code Execution Vulnerability in HP Amplifier Pack

Vendor: HP

Description: A potential security vulnerability was identified in HPE iLO Amplifier Pack. The vulnerability could be remotely exploited to allow remote code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-13873

Title: SQL Injection Vulnerability in Codologic

Vendor: Codologic

Description: A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the operating system.)

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7263ec6afa49dcb11ab9e3ee7e453e26b9ba91c3f8a440bcab3b92048175eb33

MD5: 29c8ba0d89a9265c270985b02572e693

VirusTotal: https://www.virustotal.com/gui/file/7263ec6afa49dcb11ab9e3ee7e453e26b9ba91c3f8a440bcab3b92048175eb33/details

Typical Filename: 29C8BA0D89A9265C270985B02572E693.mlw

Claimed Product: N/A

Detection Name: W32.7263EC6AFA.smokeloader.in11.Talos


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: d88b26b3699c3b02f8be712552185533d77d7866f1a9a723c1fbc40cdfc2287d

MD5: 4dd358e4af31fb9bf83c2078cd874ff4

VirusTotal: https://www.virustotal.com/gui/file/d88b26b3699c3b02f8be712552185533d77d7866f1a9a723c1fbc40cdfc2287d/details

Typical Filename: smbscanlocal1805.exe

Claimed Product: N/A

Detection Name: Auto.D88B26B369.241855.in07.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd