Vol. 21, Num. 02
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 14-21, 2021
TOP VULNERABILITY THIS WEEK: BumbleBee webshell opens Exchange servers to attack
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Adversaries use BumbleBee tool to target organizations in Kuwait
Description: Researchers recently discovered a webshell called “BumbleBee” being used in an espionage campaign against Microsoft Exchange servers. The affected organizations thus far are located in Kuwait. BumbleBee was observed being used to upload and download files on a targeted Exchange server back in September. The operators behind this campaign, which researchers attribute to the xHunt group, used BumbleBee to execute commands and upload and download files. This is the latest tool xHunt has added to its arsenal. The group dates back to at least 2018 and has targeted Kuwaiti organizations and government agencies in the past, specifically going after the shipping and trading sectors.
References: https://threatpost.com/bumblebee-exchange-servers-xhunt-spy/162973/
Snort SIDs: 56887 - 56890
Title: Cisco urges users to update to new routers after vulnerabilities disclosed
Description: Cisco disclosed 74 vulnerabilities in some of its RV series of wireless routers last week, urging users to purchase new hardware because the affected devices will not be patched. The vulnerabilities all exist in products that have already reached their end-of-life. The affected devices include the Cisco Small Business RV110W, RV130, RV130W and RV215W systems, which can all be used as firewalls, VPNs or standard routers. All of the vulnerabilities require that an attacker has login credentials for the targeted device, and therefore are not easily exploitable. This should give users a small runway to upgrade to new gear.
Reference: https://www.zdnet.com/article/cisco-says-it-wont-patch-74-security-bugs-in-older-rv-routers-that-reached-eol/
Snort SIDs: 56839 - 56845, 56866 - 56876, 56893, 56894
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Security researchers found a fourth malware strain used in the broad SolarWinds breach, though it was only deployed on a few targets’ networks.
https://www.zdnet.com/article/fourth-malware-strain-discovered-in-solarwinds-incident/
Other threat actors are sure to copy many of the same tactics used in the SolarWinds incident and look to carry out supply chain attacks.
https://www.wired.com/story/solarwinds-hacker-methods-copycats/
The SolarWinds supply chain attack will likely influence cybersecurity legislation that U.S. President Joe Biden will look to pass in his first 100 days in office.
https://www.csoonline.com/article/3603519/solarwinds-hack-is-quickly-reshaping-congress-s-cybersecurity-agenda.html
The FBI released a warning that Iranian cyber threat actors are threatening US election officials and trying to spread fear and disinformation online.
https://www.ic3.gov/Media/Y2021/PSA210115
A woman accused of stealing U.S. House Speaker Nancy Pelosi’s laptop was arrested. The woman allegedly wanted to send the laptop to Russia’s foreign intelligence service.
https://www.washingtonpost.com/2021/01/18/pelosi-laptop-riley-june-williams/
WhatsApp is delaying enforcement of its new privacy policies after users pushed back against a new rule that would have allowed WhatsApp to share its data directly with Facebook.
https://www.welivesecurity.com/2021/01/18/whatsapp-delays-privacy-policy-update/
A security flaw in Amazon’s Ring home security service’s Neighbors website exposed users’ precise locations and home addresses.
https://techcrunch.com/2021/01/14/ring-neighbors-exposed-locations-addresses/
Supporters of a data breach notification bill in Congress hope the SolarWinds hack will push their colleagues to take up debate on the topic, though similar efforts stalled after the 2017 Equifax breach.
https://www.washingtonpost.com/politics/2021/01/15/cybersecurity-202-sen-mark-warner-plans-breach-notification-debate-wake-solarwinds-hack/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-29583
Title: Zyxel Firewalls And AP Controller Hardcoded Credential Vulnerability
Vendor: Zyxel
Description: Affected firmware versions of Zyxel USG devices contain an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used to log in to the SSH server or web interface with admin privileges.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-3007
Title: Zend Framework Remote Code Execution Vulnerability
Vendor: Zend
Description: Zend Framework has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-25681
Title: dnsmasq DNS Forwarder Multiple Vulnerabilities
Vendor: Multi-Vendor
Description: A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network who can forge DNS replies such that they are accepted as valid could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-29015
Title: FortiWeb Blind SQL Injection Vulnerability
Vendor: Fortinet
Description: A blind SQL injection vulnerability in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-10148
Title: SolarWinds Orion API Authentication Bypass Vulnerability
Vendor: SolarWinds
Description: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands without authenticating, which may result in a compromise of the SolarWinds instance.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3452
Title: Cisco ASA Remote File Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-17096
Title: Microsoft Windows NTFS Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft Windows is exposed to an NTFS remote code execution vulnerability. A local attacker could run a specially crafted application to elevate their privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over the network to exploit this vulnerability and execute code on the target system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-2109
Title: Oracle WebLogic Server Vulnerability
Vendor: Oracle
Description: A vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware. This easily exploitable vulnerability allows a high-privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in takeover of Oracle WebLogic Server.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES January 14-21, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4
MD5: 176e303bd1072273689db542a7379ea9
VirusTotal: https://www.virustotal.com/gui/file/8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.24cl.1201
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30
MD5: 0083bc511149ebc16109025b8b3714d7
VirusTotal: https://www.virustotal.com/gui/file/6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: P W32.6FDFCD0510-100.SBX.VIOC
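Hash lists like the one above are only useful once something compares them against files on disk. The script below is an example added here; it is not part of the newsletter or of Talos tooling. It streams every file under a directory through SHA-256 and MD5 and matches the digests against the values in the list above, copied verbatim, normalizing case because the third SHA-256 is printed in upper case and a plain string comparison would miss it. The labels, the directory walk and the command-line handling are this example's own.

```python
"""Hash files on disk and match them against the prevalent-malware hashes
listed above (added example, not part of the newsletter)."""
import hashlib
import os

# (sha256, md5, label) copied from the newsletter's list; labels are the
# listed typical filename and detection name. Case is deliberately left as
# printed so the lookup has to normalize it.
_RAW_IOCS = [
    ("8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4",
     "176e303bd1072273689db542a7379ea9",
     "FlashHelperService.exe (W32.Variant.24cl.1201)"),
    ("8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9",
     "34560233e751b7e95f155b6f61e7419a",
     "SAntivirusService.exe (PUA.Win.Dropper.Segurazo::tpd)"),
    ("85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5",
     "8c80dd97c37525927c1e549cb59bcbf3",
     "Eternalblue-2.2.0.exe (Win.Exploit.Shadowbrokers::5A5226262.auto.talos)"),
    ("e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd",
     "8193b63313019b614d5be721c538486b",
     "SAService.exe (PUA.Win.Dropper.Segurazo::95.sbx.tg)"),
    ("6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30",
     "0083bc511149ebc16109025b8b3714d7",
     "webnavigatorbrowser.exe (P W32.6FDFCD0510-100.SBX.VIOC)"),
]

# Index both digests in lower case so either hash type identifies a sample.
IOC_INDEX = {}
for _sha256, _md5, _label in _RAW_IOCS:
    IOC_INDEX[_sha256.lower()] = _label
    IOC_INDEX[_md5.lower()] = _label


def hash_bytes(data):
    """Return (sha256, md5) hex digests of an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through both hashes so large binaries never sit in memory."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def lookup(digest):
    """Match a SHA-256 or MD5 hex string regardless of case; None if unlisted."""
    return IOC_INDEX.get(digest.strip().lower())


def scan_tree(root):
    """Walk a directory and return (path, sha256, label) for every listed hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256, md5 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            label = lookup(sha256) or lookup(md5)
            if label:
                hits.append((path, sha256, label))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, sha256, label in scan_tree(root):
        print("%s  %s  %s" % (sha256, label, path))
```

Run it as `python scan.py C:\Users` or `python scan.py /srv` and it prints one line per match. Matching on either digest is intentional: many sources publish only one of the two, and a rename of the file does not change its hash, so the "Typical Filename" column above is context, not a match key.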