The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Vulnerability with 9.8 severity score under attack on VMware products

Description: VMware issued a warning Friday alerting users to protect against exploitation of a severe vulnerability in its vSphere Client’s Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to this service can exploit this vulnerability to gain remote code execution on the affected vCenter Server. The vulnerability, tracked as CVE-2021-21985, exists in the software that allows users to manage virtualization in large data centers. VMware warned users in an advisory earlier this month that vCenter machines using the default configurations contained the vulnerability. An attacker could exploit this vulnerability to execute malicious code on machines that are connected to vCenter and are exposed to the internet. The vulnerability has a CVSS severity rating of 9.8 out of 10.

Reference: https://arstechnica.com/gadgets/2021/06/under-exploit-vmware-vulnerability-with-severity-rating-of-9-8-out-of-10/

Snort SIDs: 57720

Title: Microsoft patches 49 vulnerabilities as part of monthly security update

Description: Microsoft released its monthly security update Tuesday, disclosing 49 vulnerabilities across its suite of products, breaking last month’s 16-month record of the fewest vulnerabilities disclosed in a month by the company. There are only four critical vulnerabilities patched in this month, while all the other ones are considered “important.” However, there are several vulnerabilities that Microsoft states are being actively exploited in the wild. One of the critical vulnerabilities this month exists in the Windows Defender anti-malware software. CVE-2021-31985 could allow an attacker to execute remote code on the targeted machine. However, Microsoft stated the vulnerability, along with others identified in Windows Defender this month, will be updated automatically. Users can verify the update was downloaded and installed by verifying steps Microsoft outlined in its advisory.

Reference: https://blog.talosintelligence.com/2021/06/microsoft-patch-tuesday-for-june-2021.html

Snort SIDs: 49388, 49389, 57722 - 57727, 57730 - 57733, 57735 and 57736

The U.S. Department of Justice announced it recovered $2.3 million of the $4.4 million ransom Colonial Pipeline paid following the attack in May.

https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac

Colonial Pipeline CEO Joseph Blount testified in front of Congress Tuesday to discuss the cyberattack, as the government takes a deeper look at the threat of ransomware attacks on American infrastructure and companies.

https://www.bloomberg.com/news/articles/2021-06-08/ceo-of-hacked-pipeline-company-tells-senate-he-s-deeply-sorry

A recent cyber attack against meat supplier JBS could cause meat prices to rise in the U.S. and Australia, though commodities experts say the supply chain is doing everything it can to stay on track.

https://www.cnn.com/2021/06/01/business/jbs-cyberattack-meat-shortage/index.html

American law enforcement officials seized two domains associated with a recent phishing attack targeting government agencies, think tanks, and non-government organizations.

https://www.reuters.com/technology/us-seizes-two-domains-used-cyber-attacks-that-mimicked-usaid-communications-2021-06-01/

As the debate over whether organizations should be banned from paying ransomware demands intensifies, Chris Painter, co-chair of the Ransomware Task Force, said that if there is to be such a ban, it should be rolled out gradually.

https://www.fedscoop.com/ransomware-task-force-co-chair-chris-painter-says-a-ban-on-ransomware-payments-would-need-to-be-phased/

The Director of the FBI Christopher Wray said his agency is currently investigating 100 types of ransomware and compared the challenges posed by ransomware to those faced after the 9/11 attacks.

https://www.wsj.com/articles/fbi-director-compares-ransomware-challenge-to-9-11-11622799003 (paywall)

Google plans to add a new feature in Android 12 that will allow users to opt out of tracking from apps they download from the Google Play store, following in the footsteps of Apple on its iOS platform.

https://gizmodo.com/google-will-let-you-opt-out-of-being-tracked-by-apps-in-1847029681

According to court documents, the FBI took control of a communications company called Anom and used it as a honeypot to collect suspected criminals’ communications.

https://www.vice.com/en/article/akgkwj/operation-trojan-shield-anom-fbi-secret-phone-network

The Department of Justice arrested a Latvian national, charging her with computer fraud, aggravated identity theft, and other offenses for her role in the organizations behind the Trickbot remote access trojan.

https://www.zdnet.com/article/after-doj-arrest-of-latvian-trickbot-user-experts-highlight-public-private-efforts/

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4

MD5: 52ed8d8b8f1d37b7db0319a3351f6a16

VirusTotal: https://www.virustotal.com/gui/file/583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4/details

Typical Filename: smbscanlocal2705.exe

Claimed Product: N/A

Detection Name: W32.Auto:583418f8f4.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: d8ccc7b34c875d9bbbde99de2338b76aab46a87b777e3f010f205028d7bf9156

MD5: d04b460018cf958816d35fc122a955df

VirusTotal: https://www.virustotal.com/gui/file/d8ccc7b34c875d9bbbde99de2338b76aab46a87b777e3f010f205028d7bf9156/details

Typical Filename: hd8vct.exe

Claimed Product: N/A

Detection Name: W32.Auto:d8ccc7b34c.in03.Talo

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg