Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Long-running trojan spotted in the wild using another campaign to target users in South Asia

Description: Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT to another campaign from December 2019 that distributed CrimsonRAT; the two malware families share similar maldocs and macros. This new campaign, however, uses completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites. This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detection. Modifications in the ObliqueRAT payloads also show the use of obfuscation techniques intended to evade traditional signature-based detection mechanisms.

References: https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html

Snort SIDs: 57168 - 57175

ClamAV signature: Doc.Downloader.ObliqueRAT-9835361-0


Title: Cisco discloses three critical vulnerabilities

Description: Cisco patched three critical vulnerabilities in some of the company's high-end software systems last week: two that affect the Application Services Engine and one that exists in the NX-OS operating system. The most severe of the vulnerabilities is rated a 10 out of 10 on the CVSS scale. Cisco's advisory states that an attacker could exploit this vulnerability to bypass authentication on a targeted device by receiving a token with administrator-level privileges. They could then authenticate to the targeted device's API.

Reference: https://www.networkworld.com/article/3609510/cisco-issues-3-critical-warnings-around-aci-ns-ox-security-holes.html

Snort SIDs: 57222, 57223

Security News


Rumors swirled last week that the SolarWinds security incident may have begun with the leak of a very basic password. However, company officials have clarified that the password incident had nothing to do with the wide-ranging breach.

https://www.zdnet.com/article/solarwinds-security-fiasco-may-have-started-with-simple-password-blunders/

Several government entities are launching their own independent investigations into the SolarWinds breach, including the Securities and Exchange Commission, the Department of Justice and several state attorneys general.

https://www.cyberscoop.com/solarwinds-sec-doj-state-attorneys-general-inquiries-breach/

Major American tech leaders, including representatives from SolarWinds, Microsoft, FireEye and CrowdStrike, spent last week answering questions from the U.S. Senate about the SolarWinds supply chain attack.

https://www.reuters.com/article/us-cyber-solarwinds/solarwinds-microsoft-fireeye-crowdstrike-defend-actions-in-major-hack-us-senate-hearing-idUSKBN2AN1Q4

US legislators and security researchers are displeased that Amazon Web Services has not been more forthcoming with information related to the SolarWinds attack. AWS declined to participate in the hearings. (Please note: this story is behind a paywall.)

https://www.wsj.com/articles/amazons-lack-of-public-disclosure-on-solarwinds-hack-angers-lawmakers-11614258004

Oxford University has confirmed that hackers breached some systems at a lab involved with COVID-19 research.

https://www.zdnet.com/article/oxford-university-biochemical-lab-involved-in-covid-19-research-targeted-by-hackers/

U.S. Immigration and Customs Enforcement (ICE) has used private databases of phone, water, electricity and other utility records while pursuing alleged immigration violations.

https://www.washingtonpost.com/technology/2021/02/26/ice-private-utility-data/

The Federal Communications Commission unveiled a new $3.2 billion plan to provide broadband access to Americans who cannot afford internet access during the COVID-19 pandemic.

https://www.vice.com/en/article/k7ajb9/fcc-unveils-dollar32-billion-plan-to-help-struggling-americans-afford-broadband

The new social media app Clubhouse has risen in popularity over the past few months, and experts are warning of privacy and security concerns.

https://www.wired.com/story/clubhouse-privacy-security-growth/

Ransomware attacks against school systems and hospitals are down during the first two months of 2021.

https://www.scmagazine.com/home/security-news/ransomware/so-far-ransomware-attacks-way-down-at-schools-hospitals-in-2021/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-21315

Title: Command Injection Vulnerability in NPM Package

Vendor: Systeminformation

Description: The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability.

CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21617

Title: CSRF Vulnerability in Jenkins Plugin

Vendor: Jenkins

Description: A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-2902

Title: Privilege Escalation Vulnerability in Oracle VM VirtualBox

Vendor: Oracle

Description: This vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 5.2.40, prior to 6.0.20 and prior to 6.1.6. This easily exploitable vulnerability allows a low-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts).

CVSS v3.1 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-20658

Title: OS Command Injection in SolarView Compact

Vendor: Contec

Description: SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to execute arbitrary OS commands with the web server privilege via unspecified vectors.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-1388

Title: Unauthorized Authentication Vulnerability in Cisco MSO

Vendor: Cisco

Description: A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-1393

Title: Cisco Application Services Engine Unauthorized Access Vulnerabilities

Vendor: Cisco

Description: Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. For more information about these vulnerabilities, see the Details section of the Cisco advisory.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-25758

Title: Deserialization Vulnerability in IntelliJ IDEA

Vendor: JetBrains

Description: In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd