The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: LockBit 2.0 targets organizations across the globe

Description: The ransomware-as-a-service network behind the LockBit ransomware is launching new attacks using the 2.0 version of its malware. LockBit has recently been spotted targeting organizations in the U.K., Taiwan, Chile and Italy. This new version of LockBit includes new encryption features and an effort to recruit “insiders” at the targeted organizations. Once the malware encrypts the data on the targeted machine, it changes the wallpaper to display an advertisement, telling users that they can become a part of LockBit’s recruitment process, promising payouts in the millions of dollars. LockBit’s been behind several recent high-profile attacks, including one on global consulting firm Accenture.

Reference: https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/

Snort SIDs: 58024, 58025

Title: Several RATs targeting users in Latin America, stealing high-profile credential

Description: Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT. The campaign targets travel and hospitality organizations in Latin America. Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil. We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators. The threat actor authoring the crypter primarily aims to sell it as a service. We've observed the authors advertise their crypters on Facebook, YouTube and other social media. However, we've also discovered that the crypter's authors have conducted their own malware campaigns abusing archive[.]org to deliver commodity RATs. The highly modular structure of the Latin American attack indicates a focus on stealth to deliver two widely popular RAT families of AsynRAT and njRAT. These techniques along with other indicators are shared with the Aggah group indicating that the crypter author might have sold it to both parties.

Reference: https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html

Cisco Secure Endpoint orbital search queries: 

- https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_njrat_filepath.yaml

- https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_asyncrat_mutex_detected.yaml

The U.S. State Department was reportedly the target of a cyberattack several weeks ago.

https://www.cnbc.com/2021/08/21/us-state-department-reportedly-hit-by-a-cyberattack-in-recent-weeks.html

The FBI recently warned major tech companies that state-sponsored actors are attempting to recruit their employees to conduct economic espionage and intellectual property theft.

https://www.protocol.com/fbi-delta-protocol-economic-espionage

T-Mobile confirmed a massive data breach that potentially puts 54 million customers at risk of fraud and identity theft.

https://www.wsj.com/articles/t-mobile-data-hack-what-we-know-and-what-you-need-to-do-11629404953

MacOS 11 may have several security features that Apple previously did not disclose, including endpoint security API improvements and protections against potential attacks against CPUs.

https://blog.malwarebytes.com/mac/2021/08/macos-11s-hidden-security-improvements/

Vulnerabilities in the Kalay Internet-of-Things protocol puts millions of security devices at risk of complete attacker takeover.

https://duo.com/decipher/critical-bug-in-kalay-iot-protocol-threatens-millions-of-devices

Leaders from Apple, Microsoft and Amazon are slated to meet with U.S. President Joe Biden to discuss ways the private sector can help protect critical infrastructure from cyberattacks.

https://www.zdnet.com/article/apple-microsoft-and-amazon-chiefs-to-meet-biden-over-critical-infrastructure-cyber-attacks/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2017-6028

Title: Weak Authentication Vulnerability in Schneider Electric Modicon PLC

Vendor: SE Modicon

Description: An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251, all firmware versions. Log-in credentials are sent over the network with Base64 encoding leaving them susceptible to sniffing. Sniffed credentials could then be used to log into the web application.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-15373

Title: Buffer Overflow Vulnerability in Broadcom Brocade Fabric OS

Vendor: Broadcom

Description: Multiple buffer overflow vulnerabilities in REST API in Brocade Fabric OS versions v8.2.1 through v8.2.1d, and 8.2.2 versions before v8.2.2c could allow remote unauthenticated attackers to perform various attacks.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-35042

Title: SQL Injection Vulnerability in Django 3.1.0

Vendor: Django Project

Description: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-20032

Title: Remote Code Execution Vulnerability in SonicWall Analytics

Vendor: Sonicwall

Description: SonicWall Analytics 2.5 On-Prem is vulnerable to Java Debug Wire Protocol (JDWP) interface security misconfiguration vulnerability which potentially leads to Remote Code Execution. This vulnerability impacts Analytics On-Prem 2.5.2518 and earlier.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-20418

Title: Weak Authentication Vulnerability in IBM Security Guardium

Vendor: IBM

Description: IBM Security Guardium 11.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 196279.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587

MD5: ec26aef08313a27cfa06bfa897972fc1

VirusTotal: https://www.virustotal.com/gui/file/cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587/details

Typical Filename: 01fd0f9a83cb940bca23fbeea3ecaffcfb4df2ef.vbs

Claimed Product: N/A

Detection Name: Win.Worm.Dunihi::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

VirusTotal: https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos