Internet Storm Center Spotlight


Title: New detection for wiper disguising itself as ransomware

Description: An APT with potential connections to Iran is spreading a new wiper malware that disguises itself as ransomware. The actor, known as Agrius, has been conducting cyber espionage dating back to November, and recently shifted its focus to more destructive malware. It uses a backdoor known as IPsec Helper to spread the wiper. The wiper deletes users' files outright, yet still tells victims that their data was stolen and encrypted, in the hope of collecting a ransom anyway. The adversary exploits a few different vulnerabilities, but a favorite is a long-fixed path traversal vulnerability in Fortinet's FortiOS operating system, CVE-2018-13379.


Snort SIDs: 57780 - 57782
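The FortiOS bug Agrius favours is a path traversal, so the first thing a defender wants is a way to spot traversal attempts against web-facing appliances in their own logs. The following Python is an added example written for this newsletter, not Talos, Fortinet or SentinelOne code. It parses constructed combined-format access-log lines (the request in the second line is modelled on the publicly reported CVE-2018-13379 probe; the addresses, timestamps and response sizes are made up), percent-decodes the path and every query value repeatedly so double encoding does not hide anything, and flags any value whose ".." segments climb above the directory it started in.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined-log style). Not real traffic:
# line 2 mirrors the public CVE-2018-13379 request shape, line 3 is a
# double-encoded traversal, line 4 is a benign relative path inside the root.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:12:00:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jun/2021:12:00:02 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 8831
198.51.100.9 - - [10/Jun/2021:12:00:03 +0000] "GET /static/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
198.51.100.9 - - [10/Jun/2021:12:00:04 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e-style double encoding is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(value: str) -> bool:
    """True if a path-like value climbs above its starting directory.

    Segments are walked with a depth counter, so '/a/../b' (depth never below 0)
    is benign while '/../x' or 'static/../../../etc/passwd' is flagged.
    Backslashes are treated as separators to catch Windows-style variants.
    """
    depth = 0
    for segment in value.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_request(target: str) -> list[tuple[str, str]]:
    """Return (location, decoded value) pairs that attempt a traversal.

    Both the URL path and every query-string value are checked, because the
    FortiOS case passes the traversal through a parameter, not the path.
    """
    parts = urlsplit(target)
    findings = []
    path = decode_fully(parts.path)
    if escapes_root(path):
        findings.append(("path", path))
    for name, val in parse_qsl(parts.query, keep_blank_values=True):
        val = decode_fully(val)  # parse_qsl decodes once; unwrap further layers
        if escapes_root(val):
            findings.append((f"query:{name}", val))
    return findings


def scan_log(text: str) -> list[dict]:
    """Run the traversal check over every parseable log line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for where, value in scan_request(m["target"]):
            alerts.append({"ip": m["ip"], "status": m["status"],
                           "where": where, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 with a non-trivial body on a flagged request, as in the constructed second line, is the case to escalate; a 404 is more likely an untargeted scanner. Because the detector walks segments rather than grepping for "../", it also catches backslash and double-encoded variants without alerting on benign "/a/../b" paths that stay inside the web root.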

Title: BazarLoader spreads via fake video streaming site

Description: The actors behind the BazarLoader trojan are using a new, fake video streaming site to lure victims into downloading their malware. The attackers send emails advertising a new service called "BravoMovies" from a company called UrbanCinema. The site uses legitimate movie posters to pass as a streaming service, but ultimately it only leads to a BazarLoader download. BazarLoader is commonly used to download and execute other malicious files.


Snort SIDs: 57773

Internet Storm Center Entries

NATO's Secretary General said member nations could treat a cyberattack as seriously as kinetic warfare, raising the stakes for future state-sponsored attacks on critical infrastructure.

Russia and the U.S., along with 23 other countries, reaffirmed United Nations guidelines stating that states should not hack each other's critical infrastructure during peacetime or shelter criminals who launch cyberattacks against other countries.

Thousands of internet-facing devices have yet to patch a critical vulnerability in VMware vCenter servers that researchers warn is being actively exploited.

Most of Cisco Talos Incident Response’s engagements last quarter involved the exploitation (or attempted exploitation) of zero-day vulnerabilities in Microsoft Exchange Server disclosed earlier this year.

A government contractor that sells GPS ankle bracelets to law enforcement leaked the information of people police in Chicago are monitoring.

Security researchers discovered more than a terabyte of stolen login credentials for sale online, though its exact origins are still unknown.

Video game developer and publisher EA was the victim of a recent cyberattack, and hackers are claiming some games’ source code is for sale.

Another video game company, CD Projekt Red, announced that a hack earlier this year was worse than initially thought, and information stolen in the attack is now circulating online.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-6364

Title: Code Injection Vulnerability in SAP Solution Manager

Vendor: SAP

Description: SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager, leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-32637

Title: Authentication Bypass Vulnerability in Authelia

Vendor: Authelia

Description: Authelia is a single sign-on multi-factor portal for web apps. This affects users who are using nginx ngx_http_auth_request_module with Authelia: it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back port this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version; the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contain a malformed URI in the internal location block.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-27905

Title: Server Side Request Forgery Vulnerability in Apache Solr Core

Vendor: Apache

Description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
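The Solr description names the fix: the replication target must be checked against the same kind of host:port allow-list that the "shards" parameter already used. The Python below is an added illustration of that check, written for this newsletter and not Solr's own code; the allow-list format (comma-separated host:port entries) and the function names are assumptions. It parses a candidate masterUrl/leaderUrl, refuses anything that is not plain http/https to a listed host and port, and rejects the userinfo trick ("http://allowed-host:8983@attacker/") that fools naive prefix matching.

```python
from __future__ import annotations

from urllib.parse import urlsplit


class ReplicationUrlError(ValueError):
    """Raised when a replication URL is not on the configured allow-list."""


def parse_allowlist(spec: str) -> set[tuple[str, int]]:
    """Parse 'host:port, host:port' into a set of (lowercase host, port).

    Ports are mandatory so that an entry cannot silently match every port.
    """
    entries = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"allow-list entry must be host:port, got {item!r}")
        entries.add((host.lower(), int(port)))
    return entries


def host_port(url: str) -> tuple[str, int]:
    """Extract the effective (host, port) of an http(s) URL, rejecting tricks."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ReplicationUrlError(f"unsupported scheme: {parts.scheme!r}")
    if "@" in parts.netloc:
        # 'http://solr-a.example:8983@169.254.169.254/' connects to the metadata
        # service, not to solr-a; userinfo has no business in a replication URL.
        raise ReplicationUrlError("userinfo in replication URL is not allowed")
    if not parts.hostname:
        raise ReplicationUrlError("replication URL has no host")
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname.lower(), port


def validate_leader_url(url: str, allowlist: set[tuple[str, int]]) -> str:
    """Return the URL unchanged if its host:port is allow-listed, else raise."""
    target = host_port(url)
    if target not in allowlist:
        raise ReplicationUrlError(f"{target[0]}:{target[1]} is not an allowed replication peer")
    return url


def is_allowed(url: str, allowlist: set[tuple[str, int]]) -> bool:
    """Boolean convenience wrapper around validate_leader_url."""
    try:
        validate_leader_url(url, allowlist)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed allow-list and candidate URLs for demonstration only.
    peers = parse_allowlist("solr-a.example:8983, solr-b.example:8983")
    for candidate in (
        "http://solr-a.example:8983/solr/core1/replication",
        "http://169.254.169.254/latest/meta-data/",
        "http://solr-a.example:8983@169.254.169.254/solr/core1/replication",
    ):
        print(is_allowed(candidate, peers), candidate)
```

Note that the check is on the resolved (host, port) tuple, not on a string prefix: "http://solr-a.example/" without an explicit port is port 80, which is not the listed 8983, and is rejected.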

ID: CVE-2021-33574

Title: Use-After-Free Vulnerability in the GNU C Library (glibc)

Vendor: GNU

Description: The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-30461

Title: Remote Code Execution Vulnerability in VoIPmonitor

Vendor: VoIPmonitor

Description: A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
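The VoIPmonitor issue is a general pattern worth seeing side by side: a user-supplied value written into a file that the interpreter later executes as code. The Python below is an added example for this newsletter, not VoIPmonitor's code; the exact line it generates (a define() of SPOOLDIR in a PHP file) is an assumed stand-in for whatever configuration.php really contains. It shows the unsafe interpolation, the payload that breaks out of the string literal, and a hardened writer that both validates the directory against a strict allow-list pattern and serialises it as a properly escaped PHP literal.

```python
from __future__ import annotations

import re

# Absolute path made of conservative characters; '..' segments are checked separately.
SPOOLDIR_RE = re.compile(r"^/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+/?$")


def render_vulnerable(spooldir: str) -> str:
    """Hypothetical unsafe writer: raw interpolation into PHP source.

    A value such as  /tmp'); system($_GET['c']); //  closes the literal and
    appends attacker code that runs on every later include of the file.
    """
    return f"<?php\ndefine('SPOOLDIR', '{spooldir}');\n"


def is_valid_spooldir(spooldir: str) -> bool:
    """Accept only an absolute path of plain segments with no '..' component."""
    if not SPOOLDIR_RE.match(spooldir):
        return False
    return ".." not in spooldir.split("/")


def php_single_quoted(value: str) -> str:
    """Serialise as a PHP single-quoted literal.

    Inside single quotes PHP only interprets \\ and \', so escaping exactly
    those two characters is sufficient to keep any value inside the string.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_hardened(spooldir: str) -> str:
    """Validate first, then emit an escaped literal; defence in depth."""
    if not is_valid_spooldir(spooldir):
        raise ValueError(f"rejected SPOOLDIR value: {spooldir!r}")
    return "<?php\ndefine('SPOOLDIR', " + php_single_quoted(spooldir) + ");\n"


if __name__ == "__main__":
    payload = "/tmp'); system($_GET['c']); //"   # constructed injection value
    print(render_vulnerable(payload))
    print(php_single_quoted(payload))            # escaping alone keeps it a string
    try:
        render_hardened(payload)
    except ValueError as err:
        print(err)
    print(render_hardened("/var/spool/voipmonitor"))
```

Validation and escaping are independent layers: the allow-list pattern stops the payload at the door, and the escaping guarantees that even a value that slips past a future relaxed pattern cannot terminate the literal. Either alone would have prevented this class of bug; both together survive the next refactor.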

ID: CVE-2021-25641

Title: Deserialization Vulnerability in Apache Dubbo Server

Vendor: Apache

Description: Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
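The Dubbo flaw is easiest to understand at the byte level. The Python below is an added example for this newsletter, not Apache Dubbo code: it builds a request frame with the 16-byte Dubbo header layout as published in the protocol documentation (2-byte magic 0xdabb, a flags byte whose low five bits carry the serialization id, a status byte, an 8-byte request id and a 4-byte body length; the id constants for Hessian2, Java, Kryo, FST and friends are taken from that documentation), shows the attacker's move of rewriting the flag bits, and contrasts a provider that honours the client's id with one that enforces its own configured serializer. The request body is a constructed placeholder, not a real serialised payload.

```python
from __future__ import annotations

import struct

MAGIC = 0xDABB
HEADER_FMT = ">HBBQI"        # magic, flags, status, request id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
FLAG_REQUEST = 0x80
FLAG_TWOWAY = 0x40
FLAG_EVENT = 0x20
SERIALIZATION_MASK = 0x1F

# Serialization ids as listed in the Dubbo protocol documentation.
HESSIAN2, JAVA, COMPACTED_JAVA, FASTJSON, NATIVE_JAVA, KRYO, FST = 2, 3, 4, 6, 7, 8, 9
WEAK_DESERIALIZERS = {KRYO, FST}   # the ones the advisory singles out


def build_request(serialization_id: int, request_id: int, body: bytes) -> bytes:
    """Encode a two-way request frame carrying the given serialization id."""
    flags = FLAG_REQUEST | FLAG_TWOWAY | (serialization_id & SERIALIZATION_MASK)
    return struct.pack(HEADER_FMT, MAGIC, flags, 0, request_id, len(body)) + body


def parse_header(frame: bytes) -> dict:
    """Decode the fixed header; the body is left untouched."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than Dubbo header")
    magic, flags, status, request_id, length = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}")
    return {
        "serialization_id": flags & SERIALIZATION_MASK,
        "request": bool(flags & FLAG_REQUEST),
        "twoway": bool(flags & FLAG_TWOWAY),
        "event": bool(flags & FLAG_EVENT),
        "status": status,
        "request_id": request_id,
        "length": length,
    }


def tamper_serialization_id(frame: bytes, new_id: int) -> bytes:
    """Attacker side: rewrite only the low five bits of the flags byte."""
    out = bytearray(frame)
    out[2] = (out[2] & 0xE0) | (new_id & SERIALIZATION_MASK)
    return bytes(out)


def select_deserializer_vulnerable(frame: bytes, configured_id: int) -> int:
    """Pre-fix behaviour: whatever id the client put in the header is used,
    so any deserializer present on the classpath can be reached."""
    return parse_header(frame)["serialization_id"]


def select_deserializer_fixed(frame: bytes, configured_id: int) -> int:
    """Post-fix behaviour: the header id must equal the provider's own setting."""
    got = parse_header(frame)["serialization_id"]
    if got != configured_id:
        raise ValueError(f"serialization id {got} does not match configured {configured_id}")
    return configured_id


def is_accepted(frame: bytes, configured_id: int) -> bool:
    """Boolean wrapper over the fixed selector for easy checking."""
    try:
        select_deserializer_fixed(frame, configured_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    body = b"constructed-placeholder-body"
    honest = build_request(HESSIAN2, 1, body)
    forged = tamper_serialization_id(honest, KRYO)
    print("vulnerable picks:", select_deserializer_vulnerable(forged, HESSIAN2))
    print("fixed accepts forged frame:", is_accepted(forged, HESSIAN2))
    print("fixed accepts honest frame:", is_accepted(honest, HESSIAN2))
```

The takeaway for anyone writing a binary protocol: a field that tells the server which parser to run is attacker-controlled unless the server compares it against its own configuration, and the blast radius is every parser that happens to be on the classpath, not only the one you meant to expose.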

ID: CVE-2021-33180

Title: SQL Injection Vulnerability in Synology Media Server

Vendor: Synology

Description: Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8


Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736


Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b


Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243

MD5: f2c1aa209e185ed50bf9ae8161914954


Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: