@RISK Newsletter for January 07, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 01
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 7-14, 2021
TOP VULNERABILITY THIS WEEK: First Patch Tuesday of 2021
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft disclosed 83 vulnerabilities, 10 critical, in monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across its suite of products to kick off 2021. Only 10 of the vulnerabilities in this release are rated critical, two are rated moderate, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the Microsoft Defender antivirus software, the Microsoft Remote Procedure Call tools and Bluetooth communication with Windows devices. One of the most serious vulnerabilities exists in Microsoft Defender. CVE-2021-1647 affects some versions of Windows dating back to Windows 2008. An attacker could exploit this vulnerability to execute arbitrary code on the victim machine. No action is required to install this update and protect against this vulnerability, according to Microsoft, as the fix is part of Microsoft’s regular updates to its anti-malware products.
References: https://blog.talosintelligence.com/2021/01/microsoft-patch-tuesday-for-jan-2021.html
Snort SIDs: 56849 - 56860, 56865
Title: Lokibot adds new dropper to its arsenal
Description: Lokibot is one of the most well-known information stealers on the malware landscape. The actors behind Lokibot can usually steal multiple types of credentials and other sensitive information. This new campaign uses a complex, multi-stage, multi-layered dropper to execute Lokibot on the victim machine. The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third stage, which contains Lokibot wrapped in three layers of encryption. After a privilege escalation, the third stage deploys Lokibot. The image below shows the infection chain.
Reference: https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html
Snort SIDs: 56577, 56578
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Several American intelligence agencies released a joint statement saying they believe the recent exploitation of SolarWinds products can be linked to Russia.
https://apnews.com/article/us-blames-russia-federal-hacking-3921096dfd9693a020420acc787132bd
Security researchers discovered a third, previously unknown malware strain used by the actors behind the SUNBURST campaign, with activity dating as far back as September 2019.
https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/
SolarWinds, whose products were affected by the campaign, has hired former U.S. cybersecurity chief Chris Krebs as a consultant to investigate how attackers exploited its systems.
https://www.cnet.com/news/solarwinds-hires-former-cisa-director-chris-krebs-to-consult-on-hack-aftermath/
Social media platform Parler shut down this week after Amazon Web Services and other third parties dropped the app, leading to a massive data leak of users’ information, including pictures of ID cards.
https://www.inputmag.com/culture/parlers-user-data-is-leaking-but-no-ones-really-sure-how
DDosSecrets, considered to be a successor to WikiLeaks, is sharing corporate information attackers stole as part of past ransomware attacks.
https://www.wired.com/story/ddosecrets-ransomware-leaks/
Attackers are transitioning more to SMS messages for their phishing attempts as local and national governments use text messages to provide COVID-19 information to citizens.
https://www.vice.com/en/article/m7appv/sms-phishing-is-getting-out-of-control
A new trojan known as “ElectroRAT” is infecting users’ cryptocurrency wallets and stealing their contents.
https://www.infosecurity-magazine.com/news/electrorat-drains-crypto-wallets/
Officials in Hong Kong are using a new security law passed last year to ban certain sites inside the territory and track activists.
https://www.washingtonpost.com/world/asia_pacific/hong-kong-national-security-law-internet/2021/01/12/01738064-53b6-11eb-acc5-92d2819a1ccb_story.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-17519
Title: Apache Flink Directory Traversal Vulnerability
Vendor: Apache
Description: Apache Flink allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-3452
Title: Cisco ASA Remote File Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-17096
Title: Microsoft Windows NTFS Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft Windows is exposed to an NTFS remote code execution vulnerability. A local attacker could run a specially crafted application that would elevate the attacker’s privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over the network to exploit this vulnerability and execute code on the target system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-29583
Title: Zyxel Hardcoded Credential Vulnerability
Vendor: Zyxel
Description: Zyxel USG devices contain an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used to log in to the SSH server or web interface with admin privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-16040
Title: Google Chrome Heap Corruption Vulnerability
Vendor: Google
Description: Insufficient data validation in V8 in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The exploitation doesn’t require any form of authentication. However, successful exploitation requires user interaction by the victim.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
ID: CVE-2020-0646
Title: Microsoft .NET Framework Remote Code Execution Injection Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. To exploit the vulnerability, an attacker would need to pass specific input to an application using susceptible .NET methods.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-11851
Title: Micro Focus ArcSight Logger Code Injection Vulnerability
Vendor: Micro Focus
Description: An arbitrary code execution vulnerability exists in the Micro Focus ArcSight Logger product. The vulnerability could be exploited remotely, resulting in the execution of arbitrary code.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-10148
Title: SolarWinds Orion API Authentication Bypass Vulnerability
Vendor: SolarWinds
Description: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands, which may result in a compromise of the SolarWinds instance.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES January 7-14, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6
MD5: 6902aa6dd0fbd0d1b647e8d529c7ad3f
VirusTotal: https://www.virustotal.com/gui/file/20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23nh.1201
SHA 256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0
MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835
VirusTotal: https://www.virustotal.com/gui/file/a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0/details
Typical Filename: INV1458863388-20210111852384.xlsm
Claimed Product: N/A
Detection Name: W32.A463F9A884-90.SBX.TG
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30
MD5: 0083bc511149ebc16109025b8b3714d7
VirusTotal: https://www.virustotal.com/gui/file/6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: P W32.6FDFCD0510-100.SBX.VIOC
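The hash list above is published in a fixed "Field: value" stanza format and is meant to be loaded into detection tooling rather than read by hand. As an added example that is not part of the newsletter or of Talos' tooling, here is a parser for that format and a lookup that hashes a file's bytes and reports a match. It embeds three of the five entries copied verbatim from the list above, lower-cases hashes because the list mixes cases (the third entry is published in upper case), and reports an MD5-only hit separately from a SHA-256 hit. The byte strings used in the usage and test are constructed samples, not real malware.

```python
import hashlib

# Three entries copied verbatim from the "Most prevalent malware files" list
# above (the third one is published with an upper-case SHA-256).
IOC_TEXT = """\
SHA 256: 20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6
MD5: 6902aa6dd0fbd0d1b647e8d529c7ad3f
VirusTotal: https://www.virustotal.com/gui/file/20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23nh.1201
SHA 256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0
MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835
VirusTotal: https://www.virustotal.com/gui/file/a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0/details
Typical Filename: INV1458863388-20210111852384.xlsm
Claimed Product: N/A
Detection Name: W32.A463F9A884-90.SBX.TG
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
"""

# Expected hex length of each hash field.
HASH_FIELDS = {"SHA 256": 64, "MD5": 32}


def parse_ioc_list(text):
    """Split the newsletter block into one dict per 'SHA 256:' stanza.
    Hash values are lower-cased and length-checked so a typo in the feed
    fails loudly instead of silently never matching anything."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        field, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'Field: value' line: {line!r}")
        field, value = field.strip(), value.strip()
        if field == "SHA 256":
            current = {}
            records.append(current)
        elif current is None:
            raise ValueError(f"field before the first SHA 256 stanza: {line!r}")
        if field in HASH_FIELDS:
            value = value.lower()
            if (len(value) != HASH_FIELDS[field]
                    or any(c not in "0123456789abcdef" for c in value)):
                raise ValueError(f"malformed {field} value: {value!r}")
        current[field] = value
    return records


def lookup(data, records):
    """Hash a file's bytes and return {'record': ..., 'matched_on': ...} or None.
    A SHA-256 hit is preferred; an MD5-only hit is reported separately because
    MD5 collisions are practical and such a match deserves a second look."""
    sha = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    for r in records:
        if r.get("SHA 256") == sha:
            return {"record": r, "matched_on": "sha256"}
    for r in records:
        if r.get("MD5") == md5:
            return {"record": r, "matched_on": "md5"}
    return None


if __name__ == "__main__":
    iocs = parse_ioc_list(IOC_TEXT)
    for r in iocs:
        print(r["SHA 256"][:12], r["Typical Filename"], r["Detection Name"])
    # Constructed sample bytes, not a real file: should not match anything.
    print(lookup(b"constructed benign sample", iocs))
```

In a real deployment the records would be keyed into a dict or fed to a SIEM lookup table rather than scanned linearly, and the "Typical Filename" field is worth carrying along as context only; matching on it alone is not a detection, since the same name appears on plenty of legitimate files.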