Internet Storm Center Spotlight


Title: Cisco patches critical issues in WSA, BPA

Description: Multiple, critical vulnerabilities in Cisco’s Web Security Appliance (WSA) and Business Process Automation (BPA) could allow an attacker to elevate their privileges to the level of an administrator. This opens the door for the attacker to access sensitive data or take over a targeted system. The issues both received a CVSS severity score of 8.8 out of 10. An adversary could exploit these vulnerabilities, identified as CVE-2021-1574 and CVE-2021-1576, by sending specially crafted HTTP messages to the targeted system.

References:

- https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bpa-priv-esc-dgubwbH4

Snort SIDs: 57882 – 57887


Title: Critical vulnerabilities in ForgeRock’s Access Management actively under attack

Description: The U.S. Cybersecurity and Infrastructure Security Agency warned users that attackers are actively exploiting critical remote code execution vulnerabilities in ForgeRock’s Access Management software. Access Management serves as a front end for web apps and remote access setups in enterprise networks. CISA, along with ForgeRock, warned users that the vulnerabilities are actively under exploitation in the wild, although ForgeRock has already released a patch. An adversary could exploit these vulnerabilities to execute commands in the context of the current user.

Reference: https://threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/

Snort SIDs: 57912, 57913

Internet Storm Center Entries


Researchers from human rights organizations say that Apple needs to collaborate with other tech companies to help prevent surveillance technology vendors from exploiting vulnerabilities in mobile devices.

https://arstechnica.com/information-technology/2021/07/apple-under-pressure-over-iphone-security-after-nso-spyware-claims/


As part of a multi-pronged effort to combat ransomware, the US government launched a plan last week to prevent threat actors from accessing cryptocurrency.

https://www.cyberscoop.com/us-government-crypocurrency-ransomware-criminals-treasury-state-reward/


The U.S. Department of Justice says it will pay up to $10 million for information leading to the identification of state-sponsored threat actors.

https://portswigger.net/daily-swig/us-authorities-are-offering-10-million-for-information-on-nation-state-cyber-attacks


Spyware made by Candiru, which is sold to governments, can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts and has been used to spy on human rights defenders, dissidents, journalists, activists and politicians.

https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/


The US, along with a group of allies and partners, has accused the People’s Republic of China of being responsible for the Microsoft Exchange server attacks earlier this year.

https://www.washingtonpost.com/national-security/microsoft-hack-china-biden-nato/2021/07/19/a90ac7b4-e827-11eb-84a2-d93bc0b50294_story.html


The US Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has issued a new security directive mandating additional cybersecurity for critical pipelines.

https://www.cnn.com/2021/07/20/politics/dhs-increases-cybersecuriy-mandates-key-us-pipelines/


Many victims of the Kaseya supply chain attack are struggling to decrypt their affected files after the REvil group behind the attack virtually disappeared from the web.

https://www.zdnet.com/article/kaseya-victim-struggling-with-decryption-after-revil-goes-dark/

Recent CVEs


ID: CVE-2017-5461

Title: Denial of Service Vulnerability in Mozilla NSS

Vendor: Mozilla

Description: Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2018-15686

Title: Privilege Escalation Vulnerability in Ubuntu

Vendor: Canonical

Description: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-27198

Title: Remote Code Execution Vulnerability in VisualWare

Vendor: Visualware

Description: An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives the attacker Administrator privileges on the target system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21344

Title: Arbitrary Code Execution in XStream Library

Vendor: XStream_project

Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-18544

Title: SQL Injection Vulnerability in WMS

Vendor: WMS_project

Description: SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the "username" parameter in the component "chkuser.php".

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg