The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Attackers actively target Atlassian Confluence vulnerability

Description: U.S. Cyber Command warned American organizations prior to Labor Day weekend that a vulnerability in Atlassian Confluence was under active exploitation. The popular project management software disclosed the vulnerability in August as CVE-2021-26084, which could allow an attacker to remotely execute arbitrary code. Although a patch had been available for about a week, the Cyber Command warning reminded users to patch immediately, advising them to not wait until after the holiday to update. Atlassian described the issue as “an OGNL injection vulnerability” in the Atlassian Confluence Server and Confluence Data Center products, both of which are vulnerable to unauthenticated remote attackers. CVE-2021-26084 has a severity rating of 9.8 out of a possible 10.

Reference: https://www.techradar.com/news/atlassian-confluence-is-under-heavy-attack

Snort SIDs: 58093, 58094

Title: Cisco discloses vulnerability that could allow attackers to authenticate in as admins

Description: Cisco patched a critical vulnerability in its Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) last week that could allow an attacker to gain admin privileges on an affected system. The U.S. Cybersecurity and Infrastructure Security Agency followed up with a warning to all users to patch immediately. Cisco stated in its security advisory that there is no workaround to protect against exploitation of the vulnerability outside of downloading the latest patch. "This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and login as an administrator to the affected device," the advisory reads.

Reference: https://www.zdnet.com/article/cisa-urges-it-teams-to-address-critical-vulnerability-affecting-cisco-enterprise-network-function-virtualization-infrastructure-software/

Snort SIDs: 58097 - 58099

New zero trust draft guidance documents from the US Office of Management and Budget (OMB) support the current administration’s efforts to improve the country’s cybersecurity.

https://fcw.com/articles/2021/09/07/zero-trust-cyber-guidance-released.aspx

Thailand’s Bangkok Airlines has acknowledged that customer data were compromised in a cyberattack in August.

https://www.bleepingcomputer.com/news/security/lockbit-gang-leaks-bangkok-airways-data-hits-accenture-customers/

German intelligence officials have called on Russia to stop “illegal cyber-activities” in the lead-up to Germany’s parliamentary elections later this month.

https://www.washingtonpost.com/world/germany-russia-cyber-attack/2021/09/06/7b9ca734-0f28-11ec-baca-86b144fc8a2d_story.html

The Dallas Independent School District disclosed a data breach affecting former and current students, parents, and district employees that includes information dating back to 2010.

https://www.nbcdfw.com/news/local/student-teacher-personal-information-taken-in-dallas-isd-data-theft/2733525/

Ireland’s national health service is still dealing with the aftermath of a ransomware attack that took place months ago, leading to disruptions in care.

https://www.bbc.com/news/world-europe-58413448

The U.S. Federal Trade Commission banned spyware app SpyFone from operating, ordering the company to delete all of its illegally harvested data and to inform users if the software had been downloaded on their device without their knowledge.

https://www.theverge.com/2021/9/2/22653859/ftc-bans-spyware-app-spyfone-delete-data-stalkerware

Attackers are capitalizing on the devastation from Hurricane Ida to spread scams and spam email.

https://www.zdnet.com/article/watch-out-for-digital-hurricane-ida-scams-sec/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM 

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-39199

Title: XSS Vulnerability in Remark HTML

Description: remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitrary HTML can be passed through leading to potential XSS attacks. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)

ID: CVE-2020-35575

Title: Weak Authentication in TP-Link Devices

Vendor: Tp-link

Description: A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. This affects WA901ND devices before 3.16.9(201211) beta, and Archer C5, Archer C7, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WE843N, WR1043ND, WR1045ND, WR740N, WR741ND, WR749N, WR802N, WR840N, WR841HP, WR841N, WR842N, WR842ND, WR845N, WR940N, WR941HP, WR945N, WR949N, and WRD4300 devices.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-35048

Title: SQL Injection Vulnerability in Fidelis Network

Vendor: Fidelis Security

Description: Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.

CVSS v3.0 Base Score: 9.8 (AVAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-39509

Title: Command Injection Vulnerability in D-Link Devices

Vendor: Dlink

Description: An issue was discovered in D-Link DIR-816 DIR-816A2_FWv1.10CNB05_R1B011D88210 The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18

MD5: 830ffb393ba8cca073a1c0b66af78de5

VirusTotal: https://www.virustotal.com/gui/file/6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18/details

Typical Filename: smbscanlocal0902.exe

Claimed Product: N/A

Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

VirusTotal: https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos

SHA 256: a10acc24581855565579bdf17d23989e67ef15343fdd2d9b6736c10be137c06c

MD5: de0d35c8d3f065ec997878b31a0cf365

VirusTotal: https://www.virustotal.com/gui/file/a10acc24581855565579bdf17d23989e67ef15343fdd2d9b6736c10be137c06c/details

Typical Filename: Quote request.exe

Claimed Product: N/A

Detection Name: W32.A10ACC2458-95.SBX.TG