Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Critical Apache Log4j vulnerability being exploited in the wild

Description: Defenders across the security community are pushing to address CVE-2021-44228, an actively exploited vulnerability in Apache Log4j. The vulnerability affects a widely used Java logging library that many large organizations may have in their environment. So far, major targets have included Apple and the popular video game "Minecraft." This library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, Cisco Talos believes this will be a widely exploited vulnerability among attackers moving forward, and users should patch affected products and implement mitigation solutions as soon as possible. Apache has released a new update for Log4j, version 2.16.0. While the previous release (2.15.0) removed the ability to resolve lookups and addressed issues to mitigate CVE-2021-44228, this release disables JNDI by default and removes support for message lookups. Please refer to the Mitigations section for more details.

References: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html

Snort SIDs: 58722 - 58744, 58751

Snort 3 SIDs: 300055 - 300058

ClamAV signatures: Java.Exploit.CVE_2021_44228-9914600-1, Java.Exploit.CVE_2021_44228-9914601-1, Java.Exploit.CVE_2021_44228-9914600-2, Java.Exploit.CVE_2021_44228-9914601-4 and Java.Exploit.CVE_2021_44228-9915330-0


Title: Microsoft issues patches for 80 vulnerabilities as part of December Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 80 vulnerabilities across its large collection of hardware and software. None of the vulnerabilities disclosed this month have been actively exploited in the wild, the first time that’s been the case in several months, though four have already been publicly disclosed. December’s security update features five critical vulnerabilities, with the remaining considered “important.” The most serious of the issues is CVE-2021-43215, a memory corruption vulnerability that could lead to remote code execution in iSNS Server. The iSNS protocol is used between iSNS clients and iSNS servers, and the iSNS Server service lets network users query an iSNS database. An attacker could exploit this vulnerability by sending a specially crafted request to an iSNS Server. This vulnerability was assigned a severity score of 9.8 out of 10.

References: https://msrc.microsoft.com/update-guide/en-us

Snort SIDs: 58752 - 58757, 58635 and 58636

Internet Storm Center Entries


The Log4J vulnerability could be around for years, according to security experts, who have found that attackers can exploit the code in ways that will likely go undetected by network admins and users.

https://www.wired.com/story/log4j-log4shell/


Security advisories, bulletins, and vendor responses related to Log4Shell

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592


U.S. Cybersecurity and Infrastructure Security Agency head Jen Easterly said the Log4J issue illustrates the need for vendors to maintain “software bills of materials.”

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability


Adversaries stole about $140 million worth of virtual currency from users of popular blockchain gaming company VulcanForge, the latest campaign targeting cryptocurrency investors.

https://www.vice.com/en/article/4awxep/hackers-steal-dollar140-million-from-users-of-crypto-gaming-company


A new White House policy requires some federal agencies to assess the impact of cyberattacks and report them within 24 hours.

https://www.cnn.com/2021/12/10/politics/white-house-red-line-policy-cyberattacks/index.html


An independent report found that a cyber attack targeting Ireland’s national health care system could have been much worse than it was.

https://www.bbc.com/news/technology-59612917


Telehealth app Doxy.me says it fixed a vulnerability in its site that mistakenly leaked confidential patient information to Facebook and Google.

https://www.cyberscoop.com/doxy-me-data-leak-facebook-google/


Car manufacturer Volvo says a ransomware gang infiltrated its network and stole research and development information.

https://www.bleepingcomputer.com/news/security/volvo-cars-discloses-security-breach-leading-to-randd-data-theft/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-44228

Title: Remote code execution vulnerability in Apache Log4j (Log4Shell)

Description: Log4j2 is a ubiquitous library used by millions for Java applications. In Apache Log4j2, attackers can create customized requests to execute remote code. When message lookup replacement is allowed, an attacker with control over log messages or log message parameters can run arbitrary code imported from LDAP servers.

All Log4j2 versions >= 2.0-beta9 and <= 2.14.1 are affected by this vulnerability.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
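The two Log4j entries above (Talos spotlight and this CVE record) give the affected range and the upstream fixes but not a way to find exposed copies of the library. The following is an added example, not code from the page, Talos or Apache: it inspects log4j-core jars on disk, reads the version from the Maven metadata the jar ships, and flags those inside the 2.0-beta9 to 2.14.1 range the page states. It additionally reports whether JndiLookup.class is still present, since removing that class from the jar is the Apache-documented interim workaround; the sample jars are constructed in memory, and the scanner assumes jars lie directly on the filesystem (nested jars inside wars or fat jars are not unpacked).

```python
import io
import re
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar: Maven metadata carrying the version, and the
# lookup class that implements the JNDI lookup abused by CVE-2021-44228.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
AFFECTED_MIN, AFFECTED_MAX = "2.0-beta9", "2.14.1"  # range stated in the CVE record

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, REL); '2.0-beta9' -> (2, 0, 0, 9) so betas sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", text or "")
    if not m:
        return None  # unknown scheme (e.g. rc builds): leave for manual review
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), int(beta) if beta else 10**6)

def assess_jar(data):
    """Assess one log4j-core jar (bytes): version, JndiLookup presence, affected range."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    pv = parse_version(version)
    affected = (pv is not None
                and parse_version(AFFECTED_MIN) <= pv <= parse_version(AFFECTED_MAX))
    return {"version": version, "jndi_lookup_present": JNDI_CLASS in names,
            "affected": affected}

def scan_tree(root):
    """Walk a directory and assess every log4j-core*.jar found under it."""
    return {str(p): assess_jar(p.read_bytes())
            for p in Path(root).rglob("log4j-core*.jar")}

def make_sample_jar(version, with_jndi=True):
    """Constructed sample input: a minimal in-memory jar, not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("2.0-beta8", "2.14.1", "2.15.0", "2.16.0"):
        print(v, assess_jar(make_sample_jar(v)))
```

A jar whose version falls outside the range but still ships JndiLookup.class (2.15.0, for example) is reported as not affected by this CVE while leaving the class visible, so the output can be read against the 2.15.0 and 2.16.0 changes described above.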


ID: CVE-2021-21954

Title: Command execution vulnerability in Anker Eufy Homebase 2.1.6.9h

Description: Anker Eufy Homebase 2.1.6.9h was determined to have a vulnerability. It affects the function wifi_country_code_update of the Network Packet Handler component in the home_security binary. Manipulation of an unknown input leads to privilege escalation.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-20146

Title: Key management vulnerability in the Gryphon Tower Router

Description: On the Gryphon devices, there is an unsecured SSH private key that might be exploited to gain root access to a server associated with Gryphon's development and infrastructure. At the time of discovery, the SSH key was used to log into the development server hosted on Amazon Web Services.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21950

Title: Out-of-bounds write vulnerability in Anker Eufy Homebase 2.1.6.9h

Description: The CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h contains an out-of-bounds write vulnerability in the function recv_server_device_response_msg_process. A specially crafted network packet can trigger code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21951

Title: Out-of-bounds write vulnerability in Anker Eufy Homebase 2.1.6.9h

Description: An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h in function read_udp_push_config_file. A specially-crafted network packet can lead to code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-35978

Title: Protocol privilege escalation vulnerability in Digi TransPort DR64, TransPort SR44 VC74 and TransPort WR

Description: Digi TransPort DR64, SR44 VC74, and WR contain a vulnerability. The ZING protocol allows execution of any remote command with SUPER privileges. An attacker who understands the protocol can use this flaw to run arbitrary code on the controller, such as overwriting firmware, adding or removing users, and deactivating the internal firewall.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-37045

Title: UAF vulnerability in Huawei Smartphone

Description: Successful exploitation of this vulnerability may cause the device to restart unexpectedly and allow kernel-mode code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-39065

Title: Arbitrary code execution vulnerability in IBM Spectrum Copy Data Management 2.2.13

Description: IBM Spectrum Copy Data Management 2.2.13 and older versions could allow a remote attacker to execute arbitrary commands on the system because the Admin Console login and uploadcertificate function does not properly validate user-supplied input. A remote attacker could inject arbitrary shell commands, which the system would then execute. IBM X-Force ID: 214958.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f

MD5: ee30d6928c9de84049aa055417cc767e

VirusTotal: https://www.virustotal.com/gui/file/0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f/details

Typical Filename: app.exe

Claimed Product: N/A

Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos


SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

VirusTotal: https://www.virustotal.com/gui/file/5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13/details

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos


SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos


SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details

Typical Filename: deps.zip

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos


SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201