Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Operation: ArmorPiercer hits Indian subcontinent

Description: Cisco Talos recently discovered a malicious campaign we’re calling “Operation: ArmorPiercer” targeting government employees and military personnel in the Indian subcontinent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents and archives (RARs, ZIPs) containing loaders for the RATs. This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to achieve comprehensive control over the infected systems. It is also highly likely that these malware families establish footholds into the victim's networks to deploy additional plugins and modules.

Reference: https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html

Snort SIDs: 58115 - 58119


Title: Proof-of-concept code in the wild for remote code execution vulnerability in VMWare vCenter

Description: A remote code execution vulnerability for VMWare vCenter is circulating on the internet and actively being exploited in the wild. CVE-2021-22005 can allow an attacker to open a reverse shell on a vulnerable server, allowing them to remotely execute arbitrary code. VCenter is a server virtualization management platform that allows users to manage VMs and containers. Working proof-of-concept code became available online Tuesday, Sept. 28. VMWare disclosed this vulnerability and patched it last week. This vulnerability is considered critical, with a CVSS severity score of 9.8 out of a possible 10.

Reference: https://threatpost.com/working-exploit-vmware-vcenter-cve-2021-22005/175059/

Snort SID: 58217 - 58219

Internet Storm Center Entries


This year has already set a record for the number of zero-day vulnerabilities discovered by security researchers, according to a new report.

https://www.technologyreview.com/2021/09/23/1036140/2021-record-zero-day-hacks-reasons/


Microsoft added a new feature to Exchange Server that automatically applies interim mitigations for high-risk vulnerabilities.

https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-service-mitigates-high-risk-bugs-automatically/


A security researcher published three unpatched vulnerabilities in iOS last week that attackers could use to steal personal information.

https://www.vice.com/en/article/k78dpx/researcher-publishes-source-code-for-three-unpatched-iphone-exploits


The National Security Agency and other U.S. federal agencies encourage their users to use ad blockers on their web browsers.

https://gizmodo.com/even-the-nsa-agrees-targeted-ads-are-terrifying-1847733298


US state and local governments looking to hire cybersecurity professionals are struggling to compete with salaries offered by private sector organizations.

https://apnews.com/article/business-technology-internships-0d7fc0ee18295585292b2e13b62e88f3


Chinese regulators banned all cryptocurrency transactions and mining last week.

https://www.reuters.com/world/china/china-central-bank-vows-crackdown-cryptocurrency-trading-2021-09-24/


The Port of Houston, Texas, successfully fended off a cyberattack recently.

https://www.infosecurity-magazine.com/news/port-of-houston-quells-cyberattack/


The National Institute of Standards and Technology plans to release new guidelines in 2022 to steer federal agencies toward a zero-trust approach to cybersecurity.

https://www.fedscoop.com/nist-cybersecurity-practice-guide-2022/


Leaders from Australia, Japan, India and the U.S. have “pledge[d] to work together to combat cyber threats, promote resilience and secure [their] critical infrastructure.”

https://www.cyberscoop.com/quad-china-cyber-australia-india-japan/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-39296

Title: Weak Authentication in Open BMC

Vendor: Open BMC Project

Description: In OpenBMC 2.9, crafted IPMI messages allow an attacker to bypass authentication and gain full control of the system.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-31891

Title: Command Injection Vulnerability in Simens Desigo

Vendor: Siemens

Description: A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.

CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-37181

Title: Remote Code Execution Vulnerability in Siemens Cerberus

Vendor: Siemens

Description: A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability.

CVSS v3.0 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-20790

Title: Arbitrary Code Execution Vulnerability in RevoWorks Browser

Vendor: Jscom

Description: Improper control of program execution vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to execute an arbitrary command or code via unspecified vectors.

CVSS v3.1 Base Score: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18

MD5: 830ffb393ba8cca073a1c0b66af78de5

VirusTotal: https://www.virustotal.com/gui/file/6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18/details

Typical Filename: smbscanlocal0902.exe

Claimed Product: N/A

Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID[1].dat

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c

MD5: 04c1f4395f80a3890aa8b12ebc2b4855

VirusTotal: https://www.virustotal.com/gui/file/fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c/details

Typical Filename: zReXhNb

Claimed Product: N/A

Detection Name: Auto.FAD16599A8.241842.in07.Talos