The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft patches PrintNightmare as part of Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 117 vulnerabilities across its suite of products, by far the most in a month this year. Most notably, Microsoft released the update to patch the so-called “PrintNightmare” vulnerability in its print spooler function that could allow an attacker to execute remote code. This vulnerability was first disclosed in April, though security researchers later discovered it could be exploited in a more serious way than initially thought. Microsoft attempted to fix the vulnerability with an out-of-band release earlier this month, though the vulnerability could still be exploited. Besides the print spooler vulnerability, there is one other issue attackers have exploited in the wild, according to Microsoft. CVE-2021-34448 is a memory corruption vulnerability in the Scripting Engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.

References:

- https://blog.talosintelligence.com/2021/07/printnightmare-coverage.html

- https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html

Snort SIDs: 57890, 57891, 57894 - 57897 and 57906 - 57910

Title: Kaseya rolls out patches for vulnerabilities exploited by ransomware attackers

Description: The supply chain attack on Kaseya VSA continues to dominate the security landscape as hundreds of organizations deal with the ramifications, including ransomware attacks. Kaseya released a patch for its remote monitoring software that could be exploited to bypass authentication and execute remote code. REvil, the ransomware group behind the attack, is demanding a $70 million ransom for a universal decryption key. The current patch only applies to on-premise customers. Users who have the software-as-a-service version of VSA are still advised to shut down their affected servers while Kaseya works with users to fix the issues.

References:

- https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html

- https://www.zdnet.com/article/kaseya-issues-patch-for-on-premise-customers-saas-rollout-underway/

Cisco Secure Endpoint signatures: Gen:Variant.Graftor.952042, W32.D55F983C99-100.SBX.TG, W32.File.MalParent, W32.RetroDetected

ClamAV signatures: Win.Dropper.REvil-9875493-0, Win.Ransomware.REvil-9875494-0

Cloud IOCs: W32.PingPredicatedDel.ioc, W32.DisableRealtimeMonitoring.ioc, W32.CertutilDecodedExecutableFile.ioc, W32.CertUtilCopy.ioc

Snort SID: 57879

The Kaseya supply chain attack was just the latest example of attackers looking at IT management software as a “skeleton key” to access victims’ networks.

https://www.wired.com/story/it-management-tools-hacking-jamf-kaseya/

A Dutch security group warned Kaseya of the vulnerabilities in its product that would eventually lead to the large supply chain attack in April. However, the company could not release a patch in time, and attackers beat them to the punch.

https://www.wsj.com/articles/software-firm-at-center-of-ransomware-attack-was-warned-of-cyber-flaw-in-april-11625673291

Many cybersecurity firms are struggling to keep up with customer demand as the threat of ransomware rises, forcing some to turn down would-be clientele.

https://www.nbcnews.com/tech/security/ransomware-attacks-leave-cybersecurity-experts-barely-able-keep-rcna1337

A vulnerability in chipmaker Broadcom’s firmware leaves many Cisco IP phones open to attack, potentially allowing an adversary to listen in on calls.

https://www.wired.com/story/office-phone-flaw-cant-be-fixed-by-cisco-alone/

A new open-source project aims to collect information on ransomware attacks and aggregate data, including tracking payments to bitcoin addresses associated with known ransomware groups.

https://www.cyberscoop.com/jack-cable-ransomwhere-ransomware/

The U.S. Senate confirmed Jen Easterly as the next head of the Cybersecurity and Infrastructure Security Agency; filling an eight-month leadership vacuum at the agency.

https://www.politico.com/news/2021/07/12/senate-confirms-jen-easterly-cyber-499335

Mint Mobile warned users that a small number of customers had their account information breached and some phone numbers were temporarily ported to another carrier.

https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/

U.S. President Joe Biden said he would take “any necessary action” to stop Russian state-sponsored actors from carrying out ransomware attacks, shortly after he and his Russian counterpart, Vladimir Putin, spoke on the phone Friday.

https://www.bbc.com/news/world-us-canada-57786302

Microsoft researchers discovered a zero-day vulnerability in the SolarWinds Serv-U product line that could allow attackers to run malicious code on affected machines.

https://arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-35184

Title: Weak Authentication Vulnerability in Official Docker Compose

Vendor: Docker

Description: The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-34458

Title: Windows Kernel Remote Code Execution Vulnerability

Vendor: Windows

Description: This issue allows an SR-IOV device which is assigned to a guest to potentially interfere with its PCIe siblings which are attached to other guests or to the root. In short, SR-IOV devices allow your virtual machines to share resources on a single, physical interface on your server.

CVSS v3.0 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-215131

Title: Weak Authentication Vulnerability in Dell EMC OpenManage

Vendor: Dell

Description: Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with Distributed Web Server (DWS) enabled configuration contains an authentication bypass vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain admin access on the affected system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-22911

Title: Improper Input Validation Vulnerability in Rocket Chat Server

Vendor: Rocket Chat

Description: A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-34527

Title: Windows Print Spooler Remote Code Execution Vulnerability

Vendor: Microsoft

Description: The Print Spooler remote code execution vulnerability takes advantage of the RpcAddPrinterDriver function call in the Print Spooler service that allows clients to add arbitrary dll files as printer drivers and load them as SYSTEM (the spooler service context).

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg