homepage
Open menu

@RISK

The Consensus Security Vulnerability Alert

December 9, 2021  |  Vol. 21, Num. 47

Internet Storm Center SpotlightInternet Storm Center EntriesRecent CVEsPrevalent Malware Files

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension

Description: Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems. This campaign includes a set of malware distribution campaigns that started in late 2018 and have targeted mainly Canada, along with the U.S., Australia and some EU countries. Two undocumented malware families (a backdoor and a Google Chrome extension) are consistently delivered together in these campaigns. An unknown actor with the alias "Magnat" is the likely author of these new families and has been constantly developing and improving them. The attacker's motivations appear to be financial gain from selling stolen credentials, fraudulent transactions and Remote Desktop access to systems.

Reference: https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html

Snort IDs: 58650 and 58651

ClamAV signature: Win.Dropper.MagnatExtension-9911899-0


Title: Attackers actively exploiting vulnerability in popular patch management software

Description: Software company Zoho warned users that they should update their Desktop Central and Desktop Central MSP services as soon as possible. Attackers are actively exploiting a vulnerability in the products, tracked as CVE-2021-44515, that could allow them to bypass authentication and execute arbitrary code on affected ManageEngine Desktop Central servers. Zoho also released an exploit detection tool for organizations to see if they had been targeted by attackers using this vulnerability.

Reference: https://www.bleepingcomputer.com/news/security/zoho-patch-new-manageengine-bug-exploited-in-attacks-asap/

Internet Storm Center Entries

iPhones belonging to several U.S. State Department employees were infected with the Pegasus spyware from Israeli tech group NSO Group.
https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/

Companies across the globe, including Google, are starting to make multi-factor authentication mandatory for employees, but attackers are working just as fast to develop workarounds.
https://readme.security/big-tech-is-mandating-mfa-hackers-have-workarounds-35b64f1a4f88

Spammers are targeting verified Twitter accounts with direct messages offering the ability to keep their blue “checkmark” badges that the social media site is starting to remove.
https://www.bleepingcomputer.com/news/security/as-twitter-removes-blue-badges-for-many-phishing-targets-verified-accounts/

Some Maryland Department of Health services went offline over the weekend after a cyber attack.
https://www.baltimoresun.com/health/bs-hs-mdh-website-down-20211206-o2ky2sn5znb3pdwtnu2a7m5g6q-story.html

A network access broker named “Babam” has made waves recently for selling backdoor access to cyber criminals via stolen VPN credentials.
https://krebsonsecurity.com/2021/12/who-is-the-network-access-broker-babam/

Spar, a popular convenience store chain in the U.K., had to close some of its stores and take only cash payments as a cyber attack disrupted their payment processing system.
https://www.bbc.com/news/uk-england-lancashire-59554433

U.S. Cyber Command publicly acknowledged for the first time that it is conducting offensive operations to disrupt ransomware operators who have targeted U.S. companies.
https://edition.cnn.com/2021/12/05/politics/us-cyber-command-disrupt-ransomware-operations/index.html

Recent CVEs

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-26777
Title: Buffer overflow vulnerability in CIRCUTOR COMPACT DC-S BASIC
Description: Buffer overflow vulnerability in function SetFirewall in index.cgi in CIRCUTOR COMPACT DC-S BASIC smart metering concentrator Firwmare version CIR_CDC_v1.2.17, allows attackers to execute arbitrary code.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33266
Title: Stack buffer overflow vulnerability in the D-Link DIR-809
Description: A stack buffer overflow issue was reported in the method FUN 8004776c in /formVirtualApp on D-Link DIR-809 devices with firmware through DIR-809Ax FW1.12WWB03 20190410. A crafted POST request triggers this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33267
Title: Stack buffer overflow vulnerability in the D-Link DIR-809
Description: A stack buffer overflow issue was reported in the function FUN 80034d60 in the /formStaticDHCP of D-Link DIR-809 devices with firmware through DIR-809Ax FW1.12WWB03 20190410. A specially written POST request exploits this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33268
Title: Stack buffer overflow vulnerability in the D-Link DIR-809
Description: A stack buffer overflow issue was reported in the function sub 8003183C in the /fromLogin section of D-Link DIR-809 devices with firmware through DIR-809Ax FW1.12WWB03 20190410. A crafted POST request triggers this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33270
Title: Stack buffer overflow vulnerability in the D-Link DIR-809
Description: A stack buffer overflow issue was reported in the method FUN 800462c4 in /formAdvFirewall on D-Link DIR-809 devices with firmware through DIR-809Ax FW1.12WWB03 20190410. A crafted POST request triggers this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33271
Title: Stack buffer overflow vulnerability in the D-Link DIR-809
Description: D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_80046EB4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-33274
Title: Stack buffer overflow vulnerability in the D-Link DIR-809
Description: D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80040af8 in /formWlanSetup. This vulnerability is triggered via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-43033
Title: Unauthenticated remote code execution vulnerability in the Kaseya Unitrends Backup Appliance
Description: An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Multiple functions in the bpserverd daemon were vulnerable to arbitrary remote code execution as root. The vulnerability was caused by untrusted input (received by the server) being passed to system calls.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files

SHA 256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f
MD5: ee30d6928c9de84049aa055417cc767e VirusTotal: https://www.virustotal.com/gui/file/0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f/details
Typical Filename: app.exe
Claimed Product: N/A
Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos

SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13
MD5: a6a7eb61172f8d988e47322ebf27bf6d VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details
Typical Filename: wx.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Wingo::in07.talos

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37
MD5: a5e345518e6817f72c9b409915741689 VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details
Typical Filename: swupdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762
MD5: 6ea750c9d69b7db6532d90ac0960e212 VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details
Typical Filename: deps.zip
Claimed Product: N/A
Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6
MD5: ee62e8f42ed70e717b2571c372e9de9a VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details
Typical Filename: lHe
Claimed Product: N/A
Detection Name: W32.Gen:MinerDM.24ls.1201