Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Predecessor to DarkSide ransomware game could make waves in coming weeks

Description: Major U.S. government agencies released a warning this week that the BlackMatter ransomware could strike major organizations or public sector targets. An advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency stated that BlackMatter is likely a predecessor to DarkSide, the ransomware group known for attacking the Colonial Pipeline earlier this year. The advisory warns businesses that they should implement multi-factor authentication and enact stronger credential rules to prepare for potential BlackMatter attacks. According to the report, the ransomware has already targeted two large food cooperatives in the U.S.

References: https://threatpost.com/feds-warn-blackmatter-ransomware-gang-is-poised-to-strike/175567/

Snort SIDs: 58237, 58238


Title: Multiple vulnerabilities in ZTE MF971R LTE router

Description: Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could exploit all these vulnerabilities by sending a specially crafted HTTP request to the targeted device. TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to execute arbitrary remote code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317. TALOS-2021-1318 and TALOS-2021-1319 are cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser. In this case, an attacker would need to trick the user into opening an attacker-controlled URL that hosts the malicious HTTP request.

Reference: https://blog.talosintelligence.com/2021/10/vuln-spotlight-.html

Snort SID: 57749 - 57752, 57798, 57799, 57802, 57803, 57829

Security News


The REvil ransomware gang claims it is shutting down again after someone breached their Tor sites. The group also took its leaks website offline.

https://techcrunch.com/2021/10/18/revil-ransomware-group-goes-dark-after-its-tor-sites-were-hijacked/


Several television stations owned by Sinclair Broadcast Group are experiencing disruptions after a ransomware attack on the media company.

https://apnews.com/article/technology-business-arts-and-entertainment-be48d7582fdd5604664fff33ed81ca80


Researchers released a free decryptor tool for the BlackByte ransomware after they discovered an error in the ransomware’s encryption algorithm.

https://grahamcluley.com/free-blackbyte-decryptor-released-after-researchers-say-they-found-flaw-in-ransomware-code/


Twitter suspended two accounts used by North Korean hackers in a campaign to lure security researchers into visiting malicious sites.

https://therecord.media/twitter-suspends-two-accounts-used-by-dprk-hackers-to-catfish-security-researchers/


The White House’s plan to prevent government employees from getting phished includes moving away from SMS and app-based authentication to hardware security keys and other phishing-resistant methods.

https://www.vice.com/en/article/93yemz/white-house-omb-phishing-plan


The U.S. convened a meeting of 30 nations to discuss combatting ransomware globally, though Russia was notably not invited.

https://www.nytimes.com/2021/10/14/us/politics/global-ransomware-meeting.html


Missouri’s governor is drawing fire from security experts for threatening to criminally charge a reporter who discovered and responsibly disclosed a vulnerability in a state education website.

https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/


The U.S. government warned critical infrastructure providers that attackers are increasingly targeting the country’s water and wastewater systems sector.

https://www.infosecurity-magazine.com/news/us-government-warns-threat-to/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-27134

Title: Arbitrary Code Execution in Cisco Jabber

Vendor: Cisco

Description: Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-21345

Title: Deserialization Vulnerability in Java xStream

Vendor: xStream, Debian, Oracle

Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3.0 Base Score: 9.9 (AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N)


ID: CVE-2021-31556

Title: Weak Cryptography Usage in Mediawiki

Vendor: Media Wiki

Description: An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-26085

Title: Arbitrary File Read Vulnerability in Atlassian Confluence Server

Vendor: Atlassian

Description Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.

CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4

MD5: 84452e3633c40030e72c9375c8a3cacb

VirusTotal: https://www.virustotal.com/gui/file/f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4/details

Typical Filename: sqhost.exe

Claimed Product: sqhost.exe

Detection Name: W32.Auto:f0a5b257f1.in03.Talos


SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details

Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 0e043149a1970990d0098bf986585bf2f224e4be7407348ff91efe89f8c5999c

MD5: 7b7e4f2878799268e9dd0a515420a88e

VirusTotal: https://www.virustotal.com/gui/file/0e043149a1970990d0098bf986585bf2f224e4be7407348ff91efe89f8c5999c/details

Typical Filename: S A Service.exe

Claimed Product: S_A_Service

Detection Name: W32.Auto:0e043149a1.in03.Talos


SHA 256: 33677846134841aa2541b5707102646aeedb1fc32a717a58e89a6ff69f0ef7bb

MD5: bdd455b064413ee7e1997bd10daa4904

VirusTotal: https://www.virustotal.com/gui/file/33677846134841aa2541b5707102646aeedb1fc32a717a58e89a6ff69f0ef7bb/details

Typical Filename: 461502.exe

Claimed Product: N/A

Detection Name: W32.3367784613-100.SBX.TG