The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Wiper malware disguised as ransomware targets Ukrainian users, government agencies

Description: Several cyber attacks against Ukrainian government websites — including website defacements and destructive wiper malware — have made headlines over the past few weeks as military tensions along the Russian/Ukrainian border have escalated. Cisco Talos research found that The WhisperGate malware has some strategic similarities to the notorious NotPetya wiper that attacked Ukranian entities in 2017, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage. The multi-stage infection chain downloads a payload that wipes the MBR, then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the infected machines.

References: https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html

IOC hashes to blocklist:

* a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

* dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

* 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6

* 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d

Title: Vulnerability in Apple iOS, iPad OS and MacOS could lead to disclosure of sensitive memory data

Description: Cisco Talos recently discovered an out-of-bounds read vulnerability in Apple’s macOS and iOS operating systems that could lead to the disclosure of sensitive memory content. An attacker could capitalize on that information to aid in the exploitation of other vulnerabilities. This vulnerability specifically exists in the DDS image parsing functionality of Apple’s ImageIO library that exists in its desktop and mobile operating systems. The issue arises if an attacker tricks a user into opening a specially crafted, malicious file. An attacker could exploit this vulnerability to leak the target’s heap addresses and other information that could aid in further exploitation if the leaked data can be accessed in the context of a vulnerable application.

References:

- https://blog.talosintelligence.com/2022/01/vuln-spotlight-apple-ios-.html

- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/14/apple-releases-security-updates-multiple-products

State-sponsored actors lurked on Ukrainian networks for months before carrying out a recent spate of cyber attacks against government-controlled websites, according to Cisco Talos researchers.

https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months

World leaders are on heightened alert of a potential military invasion of Ukraine, raising concerns about the cybersecurity consequences.

https://www.technologyreview.com/2022/01/21/1043980/how-a-russian-cyberwar-in-ukraine-could-ripple-out-globally/

The U.S. released a warning to law enforcement agencies across the country to be prepared for a potential cyber attack from Russian actors if the US responds to a possible Russian invasion of Ukraine.

https://abcnews.go.com/Politics/dhs-warns-russian-cyberattack-us-responds-ukraine-invasion/story?id=82441727

Google has stopped providing security updates for its Pixel 3 phone only three years after the device was released.

https://www.vice.com/en/article/dypxpx/google-is-forcing-me-to-dump-a-perfectly-good-phone

Apple is no longer providing updates to iOS 14; users who want security updates will need to upgrade to iOS 15.

https://arstechnica.com/gadgets/2022/01/apple-ends-security-updates-for-ios-14-pushes-users-to-install-ios-15-instead/

The Cybersecurity and Infrastructure Security Agency added 17 vulnerabilities to its list of high-profile vulnerabilities that attackers often exploit in the wild, warning users to patch for them immediately if they have not already.

https://www.bleepingcomputer.com/news/security/cisa-adds-17-vulnerabilities-to-list-of-bugs-exploited-in-attacks/

The U.S. Small Business Administration announced a new $3 million program to help small businesses with cybersecurity.

https://www.infosecurity-magazine.com/news/sba-announces-3m-cybersecurity/

Russian law enforcement has arrested the alleged leader of the Infraud Organization hacker group.

https://www.bleepingcomputer.com/news/security/russia-arrests-leader-of-infraud-organization-hacker-group/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM 

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-1049

Title: Arbitrary code execution in Google Android versions

Description: A malicious program can use this flaw to gain elevated access to the system. A logic issue in the Unisoc slogmodem has resulted in the vulnerability. With higher privileges, a local program can run arbitrary code.

Affected Android versions: Android SoCAndroid ID: A-204256722

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-42392

Title: Remote code execution vulnerability in H2 database console

Description: H2 is an open-source Java SQL database offering a lightweight in-memory solution that doesn't require data to be stored on a disk. Custom classes can be loaded from remote servers via JNDI in H2 Console versions 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21). The H2 database's org.h2.util.JdbcUtils.get connection method takes the driver's class name and the database's URL as inputs. An attacker can cause remote code execution by passing a JNDI driver name and a URL to an LDAP or RMI server.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-21874

Title: Remote code execution vulnerability in Microsoft Windows Security Center API

Description: A remote attacker can use this flaw to execute arbitrary code on the victim system. The cause of this vulnerability is a flaw in the Windows Security Center API's input validation. A remote attacker can send a specially crafted request to the target system and execute arbitrary code.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-21898

Title: Remote code execution vulnerability in Microsoft DirectX Graphics Kernel

Description: The problem exists because of incorrect input validation. An attacker can send a specially crafted request to the target system and have it executed arbitrary code. Successful exploitation will result in the entire compromise of the system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-21907

Title: Remote code execution vulnerability in Microsoft DirectX Graphics Kernel

Description: The problem exists because of incorrect input validation. An attacker can send a specially crafted request to the target system and have it executed arbitrary code. Successful exploitation will result in the entire compromise of the system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-22055

Title: SQL-injection vulnerability in Le-yan dental management system

Description: Unauthenticated remote attackers can inject SQL instructions into the login page's input field to gain administrator privileges and perform arbitrary system operations or interrupt service.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-22056

Title: Hard-coded credentials vulnerability in Le-yan dental management system

Description: In the web page source code of the Le-yan dental management system, there is a hard-coded credentials vulnerability that allows an unauthenticated remote attacker to gain administrator's privilege and manipulate the system or interrupt service.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

VirusTotal: https://www.virustotal.com/gui/file/1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37/details

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f

MD5: eb2f5e1b8f818cf6a7dafe78aea62c93

VirusTotal: https://www.virustotal.com/gui/file/2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f/details

Typical Filename: vsb2nasl7.dll

Claimed Product: N/A

Detection Name: W32.A4DE11B029.Wavesor.SSO.Talos

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details

Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG