Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Attackers spread malware disguised as solution for Pegasus spyware

Description: Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. Amnesty International recently made international headlines when it released a groundbreaking report on the widespread use of Pegasus to target international journalists and activists. Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group's Pegasus tool. However, the download actually installs the little-known Sarwent malware. Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.

Reference: https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html

Snort SIDs: 54357, 57901


Title: SonicWall patches critical vulnerability in remote connect device

Description: SonicWall released a security update for its Secure Mobile Access (SMA) 100 line of devices. The company disclosed a critical vulnerability that could allow unauthenticated attackers to remotely gain admin access on targeted devices. CVE-2021-20034 has a severity score of 9.1 out of a possible 10. The SMA 100 allows remote workers to securely connect to their office’s network and devices. The product recently came under additional scrutiny after SonicWall warned users that attackers were specifically targeting end-of-life versions of the device to spread ransomware attacks.

Reference: https://www.bleepingcomputer.com/news/security/sonicwall-fixes-critical-bug-allowing-sma-100-device-takeover/

Snort SIDs: 58224 - 58226

Security News


A medical malpractice lawsuit alleges that a ransomware attack against an Alabama hospital in 2019 led to a patient’s death.

https://www.govinfosecurity.com/lawsuit-hospitals-ransomware-attack-led-to-babys-death-a-17663


The White House is organizing a meeting of cybersecurity officials from 30 countries to discuss how to combat the recent rise in ransomware and cybercrime.

https://www.reuters.com/world/us/white-house-plans-30-country-meeting-cyber-crime-ransomware-official-2021-10-01/


New cybersecurity protocols for critical infrastructure from the U.S. Transportation Security Administration have some industry officials and analysts concerned that they could interrupt normal operations.

https://www.washingtonpost.com/national-security/cybersecurity-energy-pipelines-ransomware/2021/10/03/6df9cab2-2157-11ec-8200-5e3fd4c49f5e_story.html


A new report shows that cyberattacks against the maritime transportation system grew by 400 percent in 2020.

https://www.atlanticcouncil.org/in-depth-research-reports/report/raising-the-colors-signaling-for-cooperation-on-maritime-cybersecurity/


Information processing company Sandhills Global is experiencing an outage after a ransomware attack.

https://www.bleepingcomputer.com/news/security/sandhills-online-machinery-markets-shut-down-by-ransomware-attack/


Russian authorities have arrested Group-IB founder Ilya Sachkov for alleged high treason.

https://www.bloomberg.com/news/articles/2021-10-02/russian-it-leader-s-treason-case-shows-cyber-impasse-with-u-s


Facebook, Instagram and WhatsApp were knocked offline earlier this week due to an issue with BGP.

https://www.theverge.com/2021/10/4/22709260/what-is-bgp-border-gateway-protocol-explainer-internet-facebook-outage


A new Senate bill would require federal government agencies to disclose any cyberattacks or breaches to Congress and the U.S. Cybersecurity and Infrastructure Security Agency.

https://thehill.com/policy/cybersecurity/575198-senators-introduce-bill-to-strengthen-federal-cybersecurity-after


Google has taken down 200 malicious apps from the Google Play store; the apps had been downloaded 10 million times. Some of the apps are still available in third-party stores.

https://arstechnica.com/gadgets/2021/10/hundreds-of-scam-apps-hit-over-10-million-android-devices/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-26301

Title: Command Injection Vulnerability in ssh2

Vendor: ssh2 project

Description: ssh2 provides client and server modules written in pure JavaScript for Node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-12083

Title: Privilege Escalation Vulnerability in Flexera

Vendor: Flexera

Description: An elevated privileges issue related to Spring MVC calls impacts Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).

CVSS v3.0 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-14343

Title: Arbitrary Code Execution in PyYAML

Vendor: PyYAML

Description: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-34345

Title: Buffer Overflow Vulnerability in QNAP Device

Vendor: QNAP

Description: A stack buffer overflow vulnerability has been reported to affect QNAP devices running NVR Storage Expansion. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP has fixed this vulnerability in NVR Storage Expansion 1.0.6 (2021/08/03) and later.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18

MD5: 830ffb393ba8cca073a1c0b66af78de5

VirusTotal: https://www.virustotal.com/gui/file/6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18/details

Typical Filename: smbscanlocal0902.exe

Claimed Product: N/A

Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos


SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c

MD5: 04c1f4395f80a3890aa8b12ebc2b4855

VirusTotal: https://www.virustotal.com/gui/file/fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c/details

Typical Filename: zReXhNb

Claimed Product: N/A

Detection Name: Auto.FAD16599A8.241842.in07.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details

Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG
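The hash list above is only useful once it is checked against real hosts. As an added example (this is not Talos tooling), the Python script below walks a directory, streams each file through SHA-256 and MD5, and reports any file whose digest matches one of the five indicators listed in this section. SHA-256 is treated as the authoritative match and MD5 only as a fallback for feeds that carry nothing else, since MD5 collisions are practical. The `demo()` self-check uses a constructed benign file, not a real sample, and the script name `ioc_sweep.py` is an assumption.

```python
"""Sweep a directory for files matching the Talos 'Prevalent Malware Files' hashes.

Added example, not part of the original newsletter. Indicators below are copied
from the list above; the demo file is constructed and contains no malware.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA-256 -> typical filename, as listed in the newsletter section above.
TALOS_SHA256 = {
    "c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e": "ww31.exe",
    "6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18": "smbscanlocal0902.exe",
    "fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c": "zReXhNb",
    "8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9": "SAntivirusService.exe",
    "8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2": "SqlServerWorks.Runner.exe",
}

# MD5 -> typical filename, same five samples (weaker indicator; see scan_directory).
TALOS_MD5 = {
    "9a4b7b0849a274f6f7ac13c7577daad8": "ww31.exe",
    "830ffb393ba8cca073a1c0b66af78de5": "smbscanlocal0902.exe",
    "04c1f4395f80a3890aa8b12ebc2b4855": "zReXhNb",
    "34560233e751b7e95f155b6f61e7419a": "SAntivirusService.exe",
    "fe3659119e683e1aa07b2346c1f215af": "SqlServerWorks.Runner.exe",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (sha256_hex, md5_hex) for a file, streaming it so large files fit in memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def scan_directory(root, sha256_iocs=TALOS_SHA256, md5_iocs=TALOS_MD5):
    """Walk `root` and return [(path, matched_digest, typical_filename), ...].

    A SHA-256 hit is reported first; MD5 is consulted only when SHA-256 did not
    match, because MD5 is collision-prone and should not override a strong miss.
    Unreadable or locked files are skipped so one error does not abort the sweep.
    """
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue
            if sha in sha256_iocs:
                matches.append((path, sha, sha256_iocs[sha]))
            elif md5 in md5_iocs:
                matches.append((path, md5, md5_iocs[md5]))
    return matches


def demo():
    """Self-check on constructed data.

    A benign temp file must produce no hit against the Talos list, but must be
    found when its own SHA-256 (or own MD5) is supplied as the indicator set.
    Returns (hits_vs_talos, names_vs_own_sha256, names_vs_own_md5).
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "constructed_sample.bin"
        sample.write_bytes(b"constructed benign sample for the demo, not malware\n")
        sha, md5 = hash_file(sample)
        vs_talos = scan_directory(tmp)
        vs_own_sha = scan_directory(tmp, {sha: "constructed_sample.bin"}, {})
        vs_own_md5 = scan_directory(tmp, {}, {md5: "constructed_sample.bin"})
        return len(vs_talos), [m[2] for m in vs_own_sha], [m[2] for m in vs_own_md5]


if __name__ == "__main__":
    # Usage (assumed script name): python ioc_sweep.py /path/to/scan
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, typical in scan_directory(target):
        print(f"MATCH {path}  digest={digest}  typical_filename={typical}")
```

Run it against a download or temp directory; a hit on any of the listed digests warrants pulling the file for triage via the VirusTotal links above rather than deleting it outright, since the hash alone does not tell you how it arrived.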