Internet Storm Center Spotlight


Title: Log4j continues to haunt defenders even after holiday break
Description: A critical vulnerability in Log4j is still under active exploitation weeks after it was initially disclosed. Microsoft released a warning this week that its customers are still seeing state-sponsored actors and cyber criminals target the widely used library. The vulnerability could allow an attacker to completely take over an affected server. Log4Shell, the nickname given to this vulnerability, will likely take years to remediate because of how widely the software component is used in applications and services. It can be leveraged in default configurations by an unauthenticated remote attacker to target applications that make use of the Log4j library. This vulnerability, tracked as CVE-2021-44228, received a CVSS severity score of a maximum 10.0, and is widely believed to be easy to exploit. This library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, Cisco Talos believes this will be a widely exploited vulnerability among attackers moving forward, and users should patch affected products and implement mitigation solutions as soon as possible.
Snort SIDs: 58722 - 58744, 58751, 58784 - 58790, 58795, 58801 and 58811-58814
Snort 3 SIDs: 300055 - 300058
ClamAV signatures: Java.Exploit.CVE_2021_44228-9914600-1 Java.Exploit.CVE_2021_44228-9914601-1 Java.Exploit.CVE_2021_44228-9914600-2 Java.Exploit.CVE_2021_44228-9914601-4 Java.Exploit.CVE_2021_44228-9915330-0 Java.Malware.CVE_2021_44228-9915820-0 Java.Malware.CVE_2021_44228-9915819-0 Java.Malware.CVE_2021_44228-9915818-0 Java.Malware.CVE_2021_44228-9915817-0 Java.Malware.CVE_2021_44228-9915816-0 Java.Malware.CVE_2021_44228-9915813-0 Java.Malware.CVE_2021_44228-9915812-0 PUA.Java.Tool.CVE_2021_44228-9916978-0

Title: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices
Description: Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device. The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.
Snort SIDs: 58013 - 58017

Internet Storm Center Entries

Threat actors are actively scanning for and attempting to exploit the Log4j vulnerabilities.

The U.S. Federal Trade Commission warned that it will take legal action against companies that do not take appropriate steps to mitigate the Log4j vulnerability.

China is mining social media sites to gather information about foreign journalists and academics.

The U.S. Cybersecurity and Infrastructure Security Agency is setting up a network of federal cybersecurity coordinators.

A cyber attack against the U.K.’s Defence Academy in March caused significant damage.

Newly obtained documents show Anom phones collected even more information on users than initially thought.

Microsoft Exchange Servers briefly shut down to ring in 2022 after a date check failure caused on-premises devices to not recognize the proper date.

Many old Blackberry devices ceased to function reliably as of Jan. 4, when the company shut down services for BlackBerry 7.1 and BlackBerry 10 handsets.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-0889
Title: Privilege escalation vulnerability in Google Android TV
Description: Due to a lack of rate-limiting in the pairing procedure in Android TV, there is a possibility of quiet pairing. This could result in remote code execution without the need for any extra execution privileges. Exploitation does not necessitate user participation.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-0956
Title: Privilege escalation vulnerability in Google Android
Description: There is a potential out of bounds write in NfcTag::discoverTechnologies (activation) in NfcTag.cpp due to an erroneous bounds check. This could lead to remote privilege escalation without the need for additional System execution privileges. Exploitation does not necessitate user participation.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-40859
Title: Privilege escalation vulnerability in Auerswald COMpact
Description: Backdoors in Auerswald COMpact 5500R 7.8A and 8.0B devices have been identified, allowing attackers with access to the web-based management application full administrative access to the device.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-41560
Title: Arbitrary code execution vulnerability in OpenCATS 0.9.6
Description: By uploading an executable file via lib/FileUtility.php in OpenCATS 0.9.6, remote attackers can execute arbitrary code.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-42311 & CVE-2021-42313
Title: IoT Remote code execution vulnerability in Microsoft Defender
Description: This vulnerability allows remote attackers to bypass authentication on Microsoft Azure Defender for IoT installations that are vulnerable. This vulnerability can be exploited without requiring authentication.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-43907
Title: Remote code execution vulnerability in Microsoft Visual Studio
Description: A remote attacker might use the Microsoft Visual Studio Code WSL Extension to execute arbitrary code on the system. An attacker might use this vulnerability to execute arbitrary code on the system by delivering a specially crafted request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-21903
Title: Stack-based buffer overflow vulnerability in Garrett Metal Detectors
Description: The CMA check udp crc function of Garrett Metal Detectors' iC Module CMA Version 5.0 contains a stack-based buffer overflow vulnerability. During a call to strcpy, a specially constructed packet can cause a stack-based buffer overflow. An attacker can exploit this flaw by sending a malicious packet.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-44041
Title: Privilege escalation vulnerability in UiPath Assistant 21.4.4
Description: The attacker-controlled data from the file path supplied to the -dev-widget option of the URI handler for uipath-assistant:/ will be loaded and executed by UiPath Assistant 21.4.4. By submitting a networked or WebDAV file path, an attacker can execute code on a victim's workstation or collect NTLM credentials.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-44515
Title: Authentication bypass vulnerability in Zoho ManageEngine Desktop Central and Desktop Central MSP
Description: Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. An authentication bypass vulnerability has been discovered in ManageEngine Desktop Central MSP, which might allow an attacker to bypass authentication and execute arbitrary code on the Desktop Central MSP server.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37
MD5: a5e345518e6817f72c9b409915741689
Typical Filename: swupdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 0fa5cf65905b79ede6fe39e9ee8a8a8b2d04b71b859fe6e7a0ee583a7b832f43
MD5: cbd421ed5799f498e42ec6c598dc0aef
Typical Filename: N/A
Claimed Product: N/A
Detection Name: W32.Auto:0fa5cf6590.in03.Talos

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
Typical Filename: SqlServerWorks.Runner.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG

SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34
MD5: 3f75eb823cd1a73e4c89185fca77cb38
Typical Filename: signup.png
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::231945.in02