Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Cisco warns of active exploitation of cross-site scripting vulnerability

Description: Cisco warned users this week that a vulnerability in its Adaptive Security Appliance (ASA) software is being exploited in the wild. The company first disclosed this vulnerability, identified as CVE-2020-3580, in October. However, a proof-of-concept recently became publicly available and has since been used in the wild. ASA is a perimeter defense appliance that blocks threats from entering corporate networks. An attacker could exploit this cross-site scripting (XSS) vulnerability to execute arbitrary code in the context of ASA and view sensitive browser-based information on the victim’s network. An XSS attack occurs when an adversary injects malicious scripts into otherwise trusted websites. An affected user comes under attack if they visit that compromised website.

References:

- https://threatpost.com/cisco-asa-bug-exploited-poc/167274/

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe

Snort SIDs: 57856, 57857



Title: Microsoft-signed DLL points to APT-controlled C2s

Description: Security researchers recently discovered Netfilter, a malicious rootkit disguised as a legitimate DLL. Microsoft confirmed this week that it signed the driver, which is commonly distributed among video game players, saying that the developers behind the tool managed to acquire a Microsoft-signed binary through the legitimate signing process, and the company is now investigating the matter. Once installed, Netfilter eventually connects to several China-based command and control sites, though the URLs do not appear to have any legitimate use.

Reference: https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/

Internet Storm Center Entries


A new letter from the Department of Homeland Security suggests that government agencies could have avoided being affected by the recent SolarWinds attack if they had set their firewalls to disable all outbound traffic.

https://www.reuters.com/technology/solarwinds-hackers-could-have-been-waylaid-by-simple-countermeasure-us-officials-2021-06-21/

Dell patched vulnerabilities in its BIOSConnect feature; the issues affect 128 models of Dell desktops, laptops, and tablets.

https://www.wired.com/story/dell-firmware-vulnerabilities/

The U.S. government seized domains belonging to alleged Iranian disinformation groups, some of them state-sponsored.

https://theintercept.com/2021/06/26/us-iran-censor-websites-evidence/

A recent data breach at Mercedes-Benz compromised payment card numbers and other personal data belonging to fewer than 1,000 customers.

https://www.bleepingcomputer.com/news/security/mercedes-benz-data-breach-exposes-ssns-credit-card-numbers/

The Scottish Environmental Protection Agency (Sepa) is rebuilding its IT system from scratch following a December 2020 ransomware attack; Sepa’s chief executive says it could take a year or more to fully recover from the incident.

https://www.bbc.com/news/uk-scotland-57578762

A new app is drawing global interest for paying gig workers in the developing world to collect open-source information for its clients, which include the U.S. military and private companies looking for consumer data. (Please note this story is behind a paywall.)

https://www.wsj.com/articles/app-taps-unwitting-users-abroad-to-gather-open-source-intelligence-11624544026

As part of its continued research into the SolarWinds breach, Microsoft said it discovered its own customer support system was the target of a related attack, allegedly part of a larger Nobelium campaign focused on targeting global IT companies and governments.

https://www.theverge.com/2021/6/25/22551193/microsoft-customer-support-tools-solarwinds-hackers-nobelium

The U.S. Department of Energy is asking for $201 million in its FY 2022 budget to address cybersecurity concerns, $44 million more than last year.

https://www.cnbc.com/2021/06/24/energy-wants-201-million-to-bolster-cybersecurity-in-wake-of-attacks.html

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-26829

Title: Weak Authentication Vulnerability in SAP NetWeaver

Vendor: SAP

Description: SAP NetWeaver AS JAVA (P2P Cluster Communication), versions 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, allows arbitrary connections from processes that are outside the cluster, and even outside the network segment dedicated to internal cluster communication, because of a missing authentication check. As a result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2017-5645

Title: Deserialization Vulnerability in Apache Log4j

Vendor: Apache, NetApp and Multiple Other Vendors

Description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-5413

Title: Deserialization Vulnerability in Spring Framework

Vendor: VMWare

Description: The Spring Integration framework provides Kryo Codec implementations as an alternative to Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when the provided data contains malicious code for execution during deserialization. To protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should proactively block unknown "deserialization gadgets" when configuring Kryo in code.

CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
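The mitigation the advisory describes, an allowlist of registered classes, is shown below as an added example; it is not code from Spring Integration, VMware or the CVE entry. It uses the Kryo library directly rather than Spring Integration's codec wrapper, and the `Message` and `Unexpected` classes are hypothetical stand-ins: `Message` is the one type the service expects, `Unexpected` is any other class a stream might name. The permissive configuration resolves any class by name (the behaviour the advisory calls out; Kryo 5 changed the default so that registration is required); the strict configuration rejects a stream naming a class that is not on the allowlist.

```java
// Added example: weak Kryo configuration beside the hardened one.
// Kryo 5.x API (com.esotericsoftware:kryo5); class names are hypothetical.
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.KryoException;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

public class KryoAllowlistDemo {

    // The only type the service is meant to receive (hypothetical).
    public static class Message {
        public String text;
        public Message() {}
        public Message(String text) { this.text = text; }
    }

    // Stand-in for any class the service never intended to deserialize (hypothetical).
    public static class Unexpected {
        public String payload;
        public Unexpected() {}
        public Unexpected(String payload) { this.payload = payload; }
    }

    // Weak configuration: any class on the classpath is resolved by name on demand.
    static Kryo permissiveKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }

    // Hardened configuration: only explicitly registered classes can be (de)serialized.
    // Both peers must register the same classes in the same order.
    static Kryo strictKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(Message.class);
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object obj) {
        Output out = new Output(256, -1);       // grow without limit
        kryo.writeClassAndObject(out, obj);     // class identity + object fields
        out.close();
        return out.toBytes();
    }

    static Object deserialize(Kryo kryo, byte[] bytes) {
        try (Input in = new Input(bytes)) {
            return kryo.readClassAndObject(in);
        }
    }

    public static void main(String[] args) {
        // Legitimate traffic: produced by a peer sharing the same allowlist.
        byte[] expected = serialize(strictKryo(), new Message("hello"));
        // Constructed sample of a stream that names a class outside the allowlist.
        byte[] unexpected = serialize(permissiveKryo(), new Unexpected("data"));

        Kryo strict = strictKryo();
        Message m = (Message) deserialize(strict, expected);
        System.out.println("accepted registered class: " + m.text);

        try {
            deserialize(strict, unexpected);
            System.out.println("BUG: unregistered class was accepted");
        } catch (IllegalArgumentException | KryoException e) {
            // Kryo refuses to resolve a class that is not registered.
            System.out.println("rejected unregistered class: " + e.getMessage());
        }
    }
}
```

The design point is that the allowlist lives in code on both sides of the connection: a class that is not registered cannot be instantiated from the wire at all, so the question of whether a "gadget" happens to be on the classpath no longer decides the outcome.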


ID: CVE-2021-33564

Title: Code Injection Vulnerability in Dragonfly Gem

Vendor: DragonFly Project

Description: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

CVSS v3.1 Base Score: 9.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-33790

Title: Remote Code Execution Vulnerability in RebornCore Library

Vendor: Tech Reborn

Description: The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-23017

Title: Buffer Overflow Vulnerability in Nginx Resolver

Vendor: Nginx

Description: A security issue in the nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or potential other impact.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: d0c3e85195fb2782cff3de09de5003f37d9bdd351e7094a22dbf205966cc8c43

MD5: 1971fc3783aa6fa3c0efb1276dd1143c

VirusTotal: https://www.virustotal.com/gui/file/d0c3e85195fb2782cff3de09de5003f37d9bdd351e7094a22dbf205966cc8c43/details

Typical Filename: iRiNpQaAxCcNxPdKyG

Claimed Product: Segurazo Antivirus

Detection Name: PUA.Win.File.Segurazo::222360.in02


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos