Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Vulnerabilities in Trend Micro Home Network Security Station could lead to device takeover

Description: Trend Micro recently patched multiple security vulnerabilities in its Home Network Security systems. Attackers could exploit the vulnerabilities to cause a denial of service on connected devices, escalate privileges and execute code. The Home Network Security Station is an all-in-one device that protects users’ home networks by scanning connected devices for vulnerabilities and serving as an intrusion prevention system. Using these vulnerabilities, an attacker could manipulate the device in a way that allows them to execute remote code on the device or take over PCs connected to the targeted home network.

Reference: https://blog.talosintelligence.com/2021/05/vuln-spotlight-trend-i.html

Snort SIDs: 51719 - 57122


Title: Multiple vulnerabilities in Accusoft ImageGear

Description: Cisco Talos researchers recently discovered multiple vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats, including DICOM, PDF and Microsoft Office formats. The vulnerabilities Talos discovered could allow an attacker to carry out various malicious actions, including corrupting memory on the victim machine and gaining the ability to execute remote code. CVE-2021-21793, CVE-2021-21794 and CVE-2021-21824 are all out-of-bounds write vulnerabilities that exist in various functions of the software. An attacker could trigger these vulnerabilities by tricking a user into opening a specially crafted, malicious file.

Reference: https://blog.talosintelligence.com/2021/06/vuln-spotlight-accusoft-.html

Snort SIDs: 54411 - 54414, 57249 - 57252, 57270 - 57273, 57301, 57302, 57378, 57379

Security News


The Nobelium threat actor is launching spear phishing attacks against government agencies, think tanks and non-governmental organizations.

https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/


US officials believe government agencies largely fended off the Nobelium spear phishing attacks.

https://apnews.com/article/europe-phishing-government-and-politics-technology-business-6f4154aac7d90787ea85d46a3422eb0a


A recently discovered flaw in Apple’s new M1 chips could allow two malicious apps to communicate with each other.

https://m1racles.com/


A popular Russian language dark net market Hydra reportedly made $1 billion in 2020.

https://www.cyberscoop.com/hydra-cybercrime-russia-bitcoin-laundering-darkside/


New disk-wiping malware that disguises itself as ransomware is being used against Israeli targets.

https://arstechnica.com/gadgets/2021/05/disk-wiping-malware-with-irananian-fingerprints-is-striking-israeli-targets/


JBS, the largest meat-processing company in the world, shut down multiple facilities after a ransomware attack.

https://www.nytimes.com/2021/06/01/business/meat-plant-cyberattack-jbs.html


US soldiers were leaking information about US nuclear weapons in Europe through an online flashcard app.

https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/


Cisco Talos is proposing using the term “Privateer [to refer to] groups [that] are not sponsored directly by a state and are financially motivated, but … benefit from direct or indirect protection from that state.”

https://blog.talosintelligence.com/2021/05/privateer-groups.html

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM 

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-26937

Title: Denial of Service Vulnerability in GNU Screen

Vendor: Gnu, Debian, and Fedora Project

Description: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-26120

Title: Code Injection Vulnerability in Smarty

Vendor: Smarty, Debian

Description: Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-20231

Title: Memory Corruption Vulnerability in GnuTLS

Vendor: Gnu, Redhat, NetApp, and Fedora Project

Description: A flaw was found in GnuTLS. A use-after-free issue in the client when sending the key_share extension may lead to memory corruption and other consequences.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-31800

Title: Arbitrary Code Execution Vulnerability in Impacket smbserver Instance

Vendor: SecureAuth, Fedora Project

Description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-29921

Title: Weak Authentication Control in Python Version < 3.9.5

Vendor: Python

Description: In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
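The ipaddress issue above is a parser-ambiguity problem: an octet such as "010" is read as decimal 10 by some parsers and as octal 8 by others (glibc's inet_aton, for example), so an allow list checked with one interpretation can be bypassed by a client address rendered in the other. The defensive fix is to refuse ambiguous input before it reaches any parser. The following is an added example written for this digest, not code from the Python project or from Qualys; the function names parse_ipv4_strict and is_allowed and the sample allow list are assumptions. It rejects any octet with a leading zero regardless of the interpreter version, so the check fails closed even on a Python release older than 3.9.5.

```python
"""Strict IPv4 parsing that rejects leading-zero octets before access control.

Added example (not from the page or the Python project). Function names and
sample values are assumptions chosen for illustration.
"""
import ipaddress
import re
from typing import List, Optional

# An octet is either exactly "0" or a 1-3 digit number that does not start with "0".
# This rules out "010", "08" and similar forms that parsers disagree on.
_STRICT_OCTET = r"(?:0|[1-9]\d{0,2})"
_STRICT_IPV4 = re.compile(rf"^{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}$")


def parse_ipv4_strict(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return an IPv4Address only when every octet is canonical decimal.

    Returns None for leading-zero octets ("010.8.8.8"), octets above 255
    ("1.2.3.300"), and anything that is not dotted-quad IPv4.
    """
    if not _STRICT_IPV4.match(text):
        return None
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:  # regex allows 3 digits, so 256..999 land here
        return None


def is_allowed(client_ip_text: str, allow_list: List[str]) -> bool:
    """IP-based access control that fails closed on ambiguous client addresses.

    allow_list holds CIDR strings; a client address that does not parse strictly
    is denied rather than normalised, which is the behaviour CVE-2021-29921 lacked.
    """
    addr = parse_ipv4_strict(client_ip_text)
    if addr is None:
        return False
    networks = [ipaddress.ip_network(cidr, strict=False) for cidr in allow_list]
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample allow list and client addresses.
    allow = ["10.8.0.0/16", "192.0.2.10/32"]
    for candidate in ["10.8.8.8", "010.8.8.8", "192.0.2.10", "192.0.2.010", "1.2.3.300"]:
        print(f"{candidate:>12}  allowed={is_allowed(candidate, allow)}")
```

The point of rejecting rather than normalising is that the access-control layer and whatever produced the address string (a proxy header, a log, a firewall rule) may not agree on what "010" means; denying the request removes the disagreement instead of guessing which side is right.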


ID: CVE-2021-28799

Title: Weak Authorization Vulnerability in QNAP

Vendor: Qnap

Description: An improper authorization vulnerability has been reported to affect QNAP NAS devices running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect QNAP Systems Inc. HBS 2 or HBS 1.3.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-31474

Title: Arbitrary Code Execution Vulnerability in SolarWinds

Vendor: Solarwinds

Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. This was ZDI-CAN-12213.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4

MD5: 52ed8d8b8f1d37b7db0319a3351f6a16

VirusTotal: https://www.virustotal.com/gui/file/583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4/details

Typical Filename: smbscanlocal2705.exe

Claimed Product: N/A

Detection Name: W32.Auto:583418f8f4.in03.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9

MD5: d709ea22945c98782dc69e996a98d643

VirusTotal: https://www.virustotal.com/gui/file/3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:3bc24c6181.in03.Talos


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg