Volume 21 – Number 20

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Researchers find POC for wormable vulnerability in Microsoft Windows HTTP protocol stack

Description: A recently discovered wormable vulnerability in the Windows HTTP protocol stack could also be used to target unpatched Windows 10 and Server systems publicly exposing the Windows Remote Management service. A security researcher released POC code for the vulnerability, patched in this month’s Microsoft security update, last week. The vulnerability only affects WinRM if a user manually enables it on their Windows 10 systems, though enterprise Windows Server endpoints have it toggled on by default. This potentially increases the attack surface for any adversaries that uses the vulnerability to spread a ransomware attack, as they could move quickly across the targeted environment. Microsoft has urged users to update their affected products as soon as possible.

Reference: https://www.bleepingcomputer.com/news/security/wormable-windows-http-vulnerability-also-affects-winrm-servers/

Snort SIDs: 57605

Title: Heap-based buffer overflow in Google Chrome could lead to code execution

Description: Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. CVE-2021-21160 is a buffer overflow vulnerability in Chrome’s AudioDelay function that could allow an adversary to execute remote code. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted HTML page in Chrome. Proper heap grooming can give the attacker full control of this heap overflow vulnerability, and as a result, could allow it to be turned into arbitrary code execution.

Reference: https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-heap.html

Snort SIDs: 57057, 57058

Internet Storm Center Entries

Apple released iOS 14.6 to address more than 40 security issues affecting iPhone, Pads, and iPod Touch.

https://gizmodo.com/update-your-iphone-to-ios-14-6-now-for-major-security-f-1846958391

Apple also released an update for macOS that addresses several vulnerabilities that are being actively exploited.

https://techcrunch.com/2021/05/24/malware-xcsset-macos/

Ireland’s health care system is still recovering from a massive ransomware attack that has prevented access to patient records and resulted in cancellations of routine appointments.

https://abcnews.go.com/International/10-days-ransomware-attack-irish-health-system-struggling/story?id=77876092

A bill introduced in the US Senate would grant users greater control over their data online.

https://www.theverge.com/2021/5/20/22444515/amy-klobuchar-data-privacy-protection-facebook-state-laws

Air India says that personal information belonging to more than 4.5 million customers was compromised in a data breach affecting the airline’s data processor, SITA.

https://www.reuters.com/world/india/air-india-says-februarys-data-breach-affected-45-mln-passengers-2021-05-21/

Global insurance company AXA’s decision to stop writing policies that cover ransomware payments for clients in France may be an indication the insurance industry is acknowledging that paying ransomware demands fuels more attacks.

https://www.darkreading.com/risk/cyber-insurance-firms-start-tapping-out-as-ransomware-continues-to-rise/d/d-id/1341109

The SolarWinds CEO recently said the company saw evidence of a potential intrusion into its networks as early as January 2019, eight months before the previously disclosed date of September 2019.

https://www.cyberscoop.com/solarwinds-ceo-reveals-much-earlier-hack-timeline-regrets-company-blaming-intern/

Microsoft announced it will retire its Internet Explorer web browser in June 2022.

https://techcrunch.com/2021/05/20/so-long-internet-explorer-and-your-decades-of-security-bugs/

Newly detected disk-wiping malware is disguising itself as ransomware and infecting Israeli targets.

https://arstechnica.com/gadgets/2021/05/disk-wiping-malware-with-irananian-fingerprints-is-striking-israeli-targets/

Recent CVEs

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-33509

Title: Privilege Escalation Vulnerability in Plone

Vendor: Plone

Description: Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2017-10818

Title: Weak Authentication Vulnerability in MaLion

Vendor: Intercom

Description: MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.