Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Attackers redirect government-controlled website to spread Cobalt Strike

Description: Cisco Talos discovered a new malicious campaign using a leaked version of Cobalt Strike in September 2021. This shows that Cobalt Strike, although it was originally created as a legitimate tool, continues to be something defenders need to monitor, as attackers are using it to set up attacks. The malware is typically a loader that runs on the victim machine and decodes and executes the Cobalt Strike beacon DLL via reflective injection. It loads several libraries at runtime and generates the beacon traffic according to the embedded configuration file. The configuration file contains the command and control (C2) server information, which instructs the victim's machine to send an initial DNS request for the host of the Myanmar government-owned domain www[.]mdn[.]gov[.]mm. The site is hosted behind the Cloudflare content delivery network, and the actual C2 traffic is redirected to an attacker-controlled server, test[.]softlemon[.]net, based on the HTTP Host header specified in the beacon's configuration data.

References: https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html
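The technique described above leaves a detectable trace on the network: the TLS server name (SNI) or DNS name points at the fronted CDN-hosted domain, while the HTTP Host header inside the connection names the real C2 host. The following detection logic is an added example, not code from the Talos post. It assumes a TLS-inspecting proxy that logs both values in a key=value format; the log lines, source and destination addresses, and the cdn.example.com/static.example.com pair are constructed, and the two domains named in the post are the only real ones. The registrable-domain helper keeps only the last two labels, which is enough here because fronted and real domains differ entirely; a production rule should use the Public Suffix List instead.

```python
"""Flag HTTP requests whose Host header does not match the TLS SNI.

Added example for the domain-fronting pattern in the Talos post; it is
not the post's code. The proxy log format and sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# key=value fields separated by whitespace; values may be double-quoted.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed proxy log: one benign CDN request, and three requests from one
# host where the SNI is the fronted government domain but the Host header
# names the attacker-controlled server.
SAMPLE_LOG = """\
ts=2021-09-14T08:01:12Z src=10.0.5.23 dst=104.16.0.10 sni=www.mdn.gov.mm host=www.mdn.gov.mm method=GET uri=/
ts=2021-09-14T08:01:15Z src=10.0.5.23 dst=104.16.0.10 sni=www.mdn.gov.mm host=test.softlemon.net method=GET uri=/ca
ts=2021-09-14T08:02:40Z src=10.0.5.40 dst=93.184.216.34 sni=cdn.example.com host=static.example.com method=GET uri=/app.js
ts=2021-09-14T08:03:01Z src=10.0.5.23 dst=104.16.0.10 sni=www.mdn.gov.mm host=test.softlemon.net method=POST uri=/submit.php?id=1234
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    sni: str
    host: str
    uri: str


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def registrable_domain(name, labels=2):
    """Simplified registrable domain: the last `labels` DNS labels, lowercased.
    Assumption for this example; real deployments should consult the
    Public Suffix List (e.g. gov.mm is itself a public suffix)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def find_fronting(log_text):
    """Return a Finding for every line whose SNI and Host header belong to
    different registrable domains."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        sni, host = rec.get("sni"), rec.get("host")
        if not sni or not host:
            continue  # cleartext HTTP or missing field: nothing to compare
        if registrable_domain(sni) != registrable_domain(host):
            findings.append(Finding(rec.get("ts", ""), rec.get("src", ""),
                                    sni, host, rec.get("uri", "")))
    return findings


def summarize(findings):
    """Count mismatches per (source, fronted SNI, real Host) triple, which is
    the unit an analyst would pivot on."""
    return dict(Counter((f.src, f.sni, f.host) for f in findings))


if __name__ == "__main__":
    hits = find_fronting(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} SNI={f.sni} Host={f.host} {f.uri}")
    print(summarize(hits))
```

Without TLS inspection the Host header is invisible, but the same idea still applies one layer down: a beacon's DNS lookups and SNI for a domain the host has no business reason to contact, repeated on a fixed interval, are the residual signal.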


Title: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets

Description: Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021. Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012. This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts. The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers. These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules. This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.

Reference: https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

Security News


U.S. President Joe Biden signed a massive infrastructure bill that includes nearly $2 billion for cybersecurity improvements, including large grants for local and state governments to improve critical infrastructure security.

https://www.cyberscoop.com/cybersecurity-infrastructure-investment-jobs-act-biden-signed/


Attackers used the fbi.gov domain name to send out a blast of fake emails about a cybercrime investigation.

https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/


The U.S. and Israel announced a new joint initiative to combat ransomware and protect critical infrastructure.

https://home.treasury.gov/news/press-releases/jy0479


Epic Games is alleging that Google overstated a security flaw in its Fortnite video game to damage the company’s reputation.

https://www.newsobserver.com/news/business/article255840326.html


China is considering implementing cybersecurity reviews to assess the national security threat posed by companies that wish to be listed on the Hong Kong stock exchange.

https://www.bloomberg.com/news/articles/2021-11-14/china-may-seek-cyber-check-for-hk-listings-of-firms-holding-data


Attackers reportedly exploited then-unknown security vulnerabilities in Mac operating systems to target users in Hong Kong.

https://www.vice.com/en/article/93bw8y/google-caught-hackers-using-a-mac-zero-day-against-hong-kong-users


The research into that exploit uncovered details that indicate Apple may not be releasing security updates for older versions of some Mac operating systems at the same pace as for more current versions.

https://arstechnica.com/gadgets/2021/11/psa-apple-isnt-actually-patching-all-the-security-holes-in-older-versions-of-macos/


Microsoft released an out-of-band security update for some Windows Server systems, fixing a vulnerability that caused some servers to fail to authenticate users who relied on single sign-on tokens, as well as some Active Directory and SQL Server services.

https://searchsecurity.techtarget.com/news/252509525/Microsoft-releases-out-of-band-update-for-Windows-Server

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-40521

Title: Remote code execution vulnerability in HSMX internet gateway

Description: The HSMX Gateway is a platform designed to manage authentication and billing in your network.

The device can be tricked into downloading and running a malicious package from a remote server controlled by the attacker, allowing the attacker to execute root-level code. When these holes are combined, an attacker may be able to get root access to the device.

The vulnerability affects version 5.2.04 and before.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-42669

Title: Remote Code Execution Vulnerability in Oracle Secure Product Engineers Online Portal system

Description: The Engineers Online Portal system has an uncontrolled file upload vulnerability. An attacker can take advantage of this flaw to gain remote code execution on the vulnerable web server.

When an avatar is submitted, it goes into the /admin/uploads/ directory, which is accessible to all users. The attacker can get remote code execution on the web server by submitting a simple PHP web shell.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
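The flaw above is the combination of two missing controls: the upload is not validated as an image, and it is written under a web-served directory with its client-supplied name, so the server executes whatever was uploaded. The handler below is an added example of the hardened form, not code from the Engineers Online Portal. It assumes a storage directory outside the web root that the web server never serves directly (a temporary directory stands in for it here) and an application route that later streams approved images back by id; the sample PNG and PHP uploads are constructed.

```python
"""Hardened avatar upload handling (added example; not the portal's code).

Validates by file content, discards the client-supplied name, and writes
under a server-chosen name in a directory the web server does not serve.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Magic bytes of the only formats accepted for an avatar.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
MAX_AVATAR_BYTES = 512 * 1024

# Constructed sample uploads: a minimal PNG header and a PHP file, the kind
# of content the original flaw lets an attacker store under /admin/uploads/.
CONSTRUCTED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
CONSTRUCTED_PHP = b"<?php echo 'not an image'; ?>"


def detect_image_type(data):
    """Return 'png'/'jpg' from the leading bytes, or None for anything else."""
    for sig, ext in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return ext
    return None


def store_avatar(data, storage_root, original_name):
    """Store an avatar, or raise ValueError if it is not an acceptable image.

    original_name is only used in the error message: it never influences the
    path, so there is no attacker-chosen extension, no traversal and no
    overwriting of another user's file.
    """
    if len(data) > MAX_AVATAR_BYTES:
        raise ValueError(f"{original_name!r} exceeds {MAX_AVATAR_BYTES} bytes")
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError(f"{original_name!r} is not a PNG or JPEG")
    storage_root = Path(storage_root)
    storage_root.mkdir(parents=True, exist_ok=True)
    dest = storage_root / f"{secrets.token_hex(16)}.{ext}"
    # O_EXCL refuses to clobber an existing file; 0o600 keeps it app-only
    # (subject to the process umask).
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo():
    """Exercise the handler with the constructed uploads; returns the outcomes."""
    root = Path(tempfile.mkdtemp()) / "avatars"  # stands in for a non-web-root directory
    results = {"png": store_avatar(CONSTRUCTED_PNG, root, "avatar.png")}
    try:
        store_avatar(CONSTRUCTED_PHP, root, "avatar.php")
        results["php_rejected"] = False
    except ValueError:
        results["php_rejected"] = True
    # Renaming the PHP file to .png does not help: the check reads the bytes.
    try:
        store_avatar(CONSTRUCTED_PHP, root, "avatar.png")
        results["disguised_php_rejected"] = False
    except ValueError:
        results["disguised_php_rejected"] = True
    results["stored_files"] = sorted(p.name for p in root.iterdir())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The magic-byte check alone is not sufficient: a file can begin with a valid PNG header and still carry PHP code. That is why the other two controls matter as much, since a file with a server-assigned `.png` name in a directory the web server never executes from cannot run no matter what its body contains.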


ID: CVE-2021-42077

Title: SQL injection vulnerability in the PHP Event Calendar

Description: PHP Event Calendar is an AJAX-based, multi-user modern event calendar. It is easy to integrate and fully customizable.

The /server/ajax/user_manager.php username parameter in PHP Event Calendar prior to 2021-09-03 allows SQL injection.

This can be used to execute SQL statements directly against the database, allowing an attacker to fully compromise the database system in some situations. It can also be used to bypass the login form.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
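The login bypass mentioned above comes from one pattern: the username is concatenated into the SQL text, so a quote in it ends the string literal and the remainder is parsed as SQL. The pair of functions below shows that pattern beside its parameterized replacement. It is an added example, not the PHP Event Calendar code; the in-memory SQLite table, its column names, the two accounts and the salt are constructed for the demonstration.

```python
"""String-built vs. parameterized login query (added example; not the
PHP Event Calendar code). Table, columns, accounts and salt are constructed."""
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"  # a real system uses a random per-user salt
PBKDF2_ROUNDS = 50_000           # kept low so the example runs quickly


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS).hex()


def make_db():
    """In-memory SQLite database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password_hash TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [
            ("admin", hash_password("correct horse battery staple"), 1),
            ("alice", hash_password("alice-pass"), 0),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind the advisory: the username is pasted into the SQL
    text, so a quote in it ends the literal and the rest is parsed as SQL."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Bound parameters keep the query structure fixed: the driver passes the
    username as data, never as SQL, whatever characters it contains."""
    row = conn.execute(
        "SELECT id, username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(row[2], hash_password(password)):
        return None
    return (row[0], row[1])


if __name__ == "__main__":
    db = make_db()
    # With a username of  admin' --  the string-built query becomes
    #   ... WHERE username = 'admin' --' AND password_hash = '...'
    # and the password check is commented away; the parameterized query
    # simply looks for a user literally named "admin' --" and finds none.
    print("vulnerable:", login_vulnerable(db, "admin' --", "wrong password"))
    print("safe      :", login_safe(db, "admin' --", "wrong password"))
```

The fix is the placeholder, not escaping: escaping has to be right for every character set and every quoting context the database understands, while a bound parameter is never parsed as SQL at all. Applying this to a PHP code base means PDO or mysqli prepared statements in place of string-built queries, which is the same change shown here in Python.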


ID: CVE-2021-42237

Title: Remote code execution vulnerability in Sitecore XP 7.5

Description: Sitecore Experience Platform (XP) is a marketing automation solution that delivers personalized customer experiences.

From Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7, an unsafe deserialization vulnerability allows remote command execution on the machine.

To exploit this flaw, no authentication or specific setting is necessary.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-3064

Title: Memory corruption vulnerability in Palo Alto Networks PAN-OS GlobalProtect Portal and Gateway Interfaces

Description: PAN-OS is the software that runs all of Palo Alto Networks' next-generation firewalls.

The Palo Alto Networks GlobalProtect portal and gateway interfaces are susceptible to a memory corruption vulnerability that allows an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root capabilities.

To exploit this flaw, the attacker must have network access to the GlobalProtect interface.

This vulnerability affects PAN-OS 8.1 versions before 8.1.17 but does not affect Prisma Access customers.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-26443

Title: Remote code execution vulnerability in Microsoft Virtual Machine Bus (VMBus)

Description: Microsoft Virtual Machine Bus (VMBus) is a mechanism within the Hyper-V architecture that enables logical communication between partitions. The VMBus works as the internal communications channel that redirects requests to virtual devices, allowing, for example, files to be dragged and dropped between the virtual machine and the host.

This vulnerability is caused by insufficient input validation in VMBus. On the local network, a remote authenticated attacker can send specially crafted communication to the VMBus channel and run arbitrary code on the target system.

CVSS v3.1 Base Score: 9 (AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos


SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos


SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details

Typical Filename: deps.zip

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201