Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Vice Society group exploiting PrintNightmare in recent ransomware attacks

Description: Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society. Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks, which may indicate that it will see more widespread adoption by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. Users who have not already done so should apply the latest patch for PrintNightmare from Microsoft.

Reference: https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html

Snort SIDs: 57876, 57877


Title: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT

Description: Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs. Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installer comes as a Go dropper, a .NET dropper or a PowerShell script. Its activity is generally linked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT.

Reference: https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html

Snort SID: 57975

ClamAV signatures: Win.Downloader.Powershell-9883640, Win.Trojan.Powershell-9883642, Win.Downloader.Powershell-9883641, Win.Downloader.ServHelper-9883708, Win.Downloader.Powershell-9883847, Win.Trojan.ServHelper-9883848, Win.Trojan.ServHelper-9883866, Win.Trojan.ServHelper-9883867

Internet Storm Center Entries


The recent ransomware attack on Colonial Pipeline also led to the theft of personal information belonging to nearly 6,000 individuals, including current and former employees and their family members.

https://us.cnn.com/2021/08/16/tech/colonial-pipeline-ransomware/index.html


Jen Easterly, the recently installed director of the Cybersecurity and Infrastructure Security Agency (CISA), called on all federal agencies to develop a collective response to election security.

https://apnews.com/article/elections-voting-iowa-local-elections-misinformation-c9878bf50e3c72c720f7928979f162d7


Security researchers discovered an unpatched vulnerability in a popular gym management platform called Wodify that could allow attackers to tamper with payment information.

https://portswigger.net/daily-swig/unpatched-vulnerabilities-in-wodify-fitness-management-platform-allow-attackers-to-steal-gym-payments-extract-member-data


T-Mobile is investigating a potential cyberattack after threat actors claimed to be selling the personal information of more than 100 million customers.

https://www.vice.com/en/article/akg8wg/tmobile-investigating-customer-data-breach-100-million


A misconfigured customer engagement system on the Ford Motor Company's website could have allowed attackers to access sensitive internal systems.

https://www.bleepingcomputer.com/news/security/ford-bug-exposed-customer-and-employee-records-from-internal-systems/


Several hospitals in Ohio and West Virginia are having to turn away patients and cancel surgeries after a cyberattack knocked out staff access to their system’s network.

https://arstechnica.com/gadgets/2021/08/hospitals-hamstrung-by-ransomware-are-turning-away-patients/


The U.S. withdrawal from Afghanistan poses a risk that sensitive U.S. intelligence will be left behind in the country.

https://www.washingtonpost.com/politics/2021/08/17/cybersecurity-202-sensitive-government-data-could-be-another-casualty-afghan-pullout/


Consulting firm Accenture said the company suffered no negative effects from an alleged ransomware attack last week, after a threat actor claimed to be selling stolen data from the organization.

https://www.zdnet.com/article/accenture-says-lockbit-ransomware-attack-caused-no-impact-on-operations-or-clients/


Attackers are abusing the reCAPTCHA authentication service and phony CAPTCHA-like applications to hide malware and phishing links.

https://threatpost.com/cyberattackers-captchas-phishing-malware/168684/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-15196

Title: Buffer Overflow Vulnerability in TensorFlow

Vendor: Google

Description: In TensorFlow version 2.3.0, the `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations don't validate that the `weights` tensor has the same shape as the data. The check exists for `DenseCountSparseOutput`, where both tensors are fully specified. In the sparse and ragged count implementations, weights are still accessed in parallel with the data, but since there is no validation, a user passing fewer weights than values can cause a read from outside the bounds of the heap buffer allocated for the weights. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-3161

Title: Remote Code Execution Vulnerability in Cisco IP Phones

Vendor: Cisco

Description: A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21307

Title: Remote Code Execution Vulnerability in Lucee Server

Vendor: Lucee

Description: Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code execution vulnerability. This is fixed in versions 5.3.7.47, 5.3.6.68 and 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-29200

Title: Deserialization Vulnerability in Apache OFBiz

Vendor: Apache

Description: Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-22891

Title: Missing Authorization Vulnerability in Citrix ShareFile

Vendor: Citrix

Description: A missing authorization vulnerability in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 may allow unauthenticated remote compromise of the Storage Zones Controller.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

VirusTotal: https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0

MD5: d54ade674cb0c3e6d322ed7380e8adf6

VirusTotal: https://www.virustotal.com/gui/file/5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0/details

Typical Filename: ml20201223.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::GenericRXMW:Win32-tpd