Volume 21 – Number 23

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: New detection for wiper disguising itself as ransomware

Description: An APT with potential connections to Iran is spreading a new wiper malware that disguises itself as ransomware. The actor, known as Agrius, has been conducting cyber espionage dating back to November, and recently started focusing on the more destructive malware. It uses a backdoor known as IPsec Helper to spread wiper malware. It deletes users’ files completely, but still informs the victims that their data was stolen and encrypted in the hopes of still receiving a ransom payment. The adversary exploits a few different vulnerabilities, but a favorite is a long-fixed path traversal vulnerability in Fortinet’s FortiOS operating system — CVE-2018-13379.

References: https://beta.darkreading.com/threat-intelligence/new-iranian-threat-actor-using-ransomware-wipers-in-destructive-attacks

Snort SIDs: 57780 - 57782

Title: BazarLoader spreads via fake video streaming site

Description: The actors behind the BazarLoader trojan are using a new, fake video streaming site to lure victims into downloading their malware. The attackers are sending emails to users advertising a new service called "BravoMovies" from a company called UrbanCinema. The site uses legitimate movie posters to disguise itself as a streaming service, but the site only eventually points to BazarLoader. BazarLoader is commonly used to download and execute other malicious files.

Reference: https://www.bleepingcomputer.com/news/security/new-bazaflix-attack-pushes-bazarloader-malware-via-fake-movie-site/

Snort SIDs: 57773

Internet Storm Center Entries

NATO’s Secretary General said a cyberattack could be just as serious as kinetic warfare by its member nations, raising the stakes for future potential state-sponsored attacks on critical infrastructure.

https://www.bbc.com/news/av/world-57478561

Russia and the U.S., along with 23 other countries, reaffirmed United Nations guidelines that state that states should not hack each other’s critical infrastructure during peacetime or shelter criminals who lunch cyberattacks against other countries.

https://www.washingtonpost.com/national-security/russia-us-un-cyber-norms/2021/06/12/9b608cd4-866b-11eb-bfdf-4d36dab83a6d_story.html

Thousands of internet-facing devices have yet to patch a critical vulnerability in VMware vCenter servers that researchers warn is being actively exploited.

https://www.zdnet.com/article/critical-remote-code-execution-flaw-in-thousands-of-vmware-vcenter-servers-remains-unpatched/

Most of Cisco Talos Incident Response’s engagements last quarter involved the exploitation (or attempted exploitation) of zero-day vulnerabilities in Microsoft Exchange Server disclosed earlier this year.

https://blog.talosintelligence.com/2021/06/quarterly-report-incident-response.html

A government contractor that sells GPS ankle bracelets to law enforcement leaked the information of people police in Chicago are monitoring.

https://www.vice.com/en/article/3aqagy/contractor-exposed-the-movements-of-people-wearing-ankle-gps-bracelets

Security researchers discovered more than a terabyte of stolen login credentials for sale online, though its exact origins are still unknown.

https://arstechnica.com/gadgets/2021/06/nameless-malware-collects-1-2tb-of-sensitive-data-and-stashes-it-online/

Video game developer and publisher EA was the victim of a recent cyberattack, and hackers are claiming some games’ source code is for sale.

https://www.theverge.com/2021/6/10/22528003/ea-data-breach-frostbite-fifa-internal-tools-hack

Another video game company, CD Projekt Red, announced that a hack earlier this year was worse than initially thought, and information stolen in the attack is now circulating online.

https://kotaku.com/cd-projekt-red-confess-hack-severity-while-everyones-di-1847074826

Recent CVEs

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-6364

Title: Code Injection Vulnerability in SAP Solution Manager

Vendor: SAP

Description: SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager,leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-32637

Title: Authentication Bypass Vulnerability in Authelia

Vendor: Authelia

Description: Authelia is a a single sign-on multi-factor portal for web apps. This affects uses who are using nginx ngx_http_auth_request_module with Authelia, it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back port this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version, the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contains a malformed URI in the internal location block.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-27905

Title: Server Side Request Forgery Vulnerability in Apache Solr Core

Vendor: Apache

Description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.