The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: High-profile Russian APT develops new backdoor tool

Description: Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware. The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service "Windows Time Service", like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator.

Reference: https://blog.talosintelligence.com/2021/09/tinyturla.html

ClamAV signature: Win.Trojan.Turla-9891506-1

Cisco Secure OSQuery: https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_tinyturla_registry_persistence.yaml

Title: Microsoft releases updated protection for OMIGOD vulnerabilities

Description: Microsoft updated its patches for the so-called “OMIGOD” vulnerabilities in Open Management Infrastructure. The most severe vulnerability, CVE-2021-38647, could allow an attacker to remotely execute code. The three others (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) could allow an adversary to obtain higher-level privileges on the targeted machine. Microsoft first disclosed these vulnerabilities last week as part of its monthly Patch Tuesday. However, security researchers found that some Linux machines could still be attacked using these exploits, prompting Microsoft to release updated guidance.

Reference: https://searchsecurity.techtarget.com/news/252506937/Microsoft-details-OMIGOD-Azure-vulnerability-fixes-threats

Snort SID: 58169

COVID-19 testing information was left unprotected on the Walgreens website, exposing test results, names, addresses and emails.

https://www.vox.com/recode/22623871/walgreens-covid-test-site-data-vulnerability

Apple officially released iOS 15 this week; the newest version of the mobile operating system includes several new privacy and security features.

https://www.fastcompany.com/90673312/ios-15-iphone-privacy-security-features

Customer experience firm TTEC was hit with a ransomware attack last week, affecting major customers such as Verizon and Bank of America.

https://www.zdnet.com/article/ttec-hit-with-ransomware-attack-hampering-work-for-major-clients/

Many organizations are adopting a new “Security.txt” framework to include easy-to-access information on their website informing researchers of how they can report security issues and vulnerabilities.

https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/

The U.S. is reportedly developing new sanctions to prevent ransomware actors from collecting cryptocurrencies as a form of ransom payments.

https://www.wsj.com/articles/u-s-to-target-crypto-ransomware-payments-with-sanctions-11631885336

A ransomware attack on a farm cooperative in Iowa could impact the food supply chain.

https://www.cyberscoop.com/blackmatter-new-cooperative-ransomware-iowa/

Threat actors are using the encrypted messaging app Telegram to buy and sell stolen data and new hacking tools.

https://arstechnica.com/information-technology/2021/09/telegram-emerges-as-new-dark-web-for-cyber-criminals/

Police in Europe arrested more than 100 individuals allegedly involved in laundering millions of euros made through cybercrime.

https://www.vice.com/en/article/5dbvx3/police-announce-huge-bust-of-mafias-cyber-crime-operations

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-10683

Title: XXE Vulnerability in dom4j library

Vendor: dom4j, Oracle and multiple other vendors

Description: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33204

Title: Arbitrary Code Execution Vulnerability in PG Partition Manager

Vendor: pgxn

Description: In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-38173

Title: Command Injection Vulnerability in BTRbk

Vendor: Digint

Description: Btrbk before 0.31.2 allows command execution because of the mishandling of remote hosts filtering SSH commands using ssh_filter_btrbk.sh in authorized_keys.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-37608

Title: Unrestricted File Upload Vulnerability in Apache OFBiz

Vendor: Apache

Description: Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18

MD5: 830ffb393ba8cca073a1c0b66af78de5

VirusTotal: https://www.virustotal.com/gui/file/6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18/details

Typical Filename: smbscanlocal0902.exe

Claimed Product: N/A

Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID[1].dat

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c

MD5: 04c1f4395f80a3890aa8b12ebc2b4855

VirusTotal: https://www.virustotal.com/gui/file/fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c/details

Typical Filename: zReXhNb

Claimed Product: N/A

Detection Name: Auto.FAD16599A8.241842.in07.Talos