CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 21-28, 2021
TOP VULNERABILITY THIS WEEK: ElectroRAT malware tries to empty cryptocurrency wallets

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: ElectroRAT trojan makes full push to infect cryptocurrency users
Description: A recently discovered trojan known as ElectroRAT is pulling out all the stops to try and infect cryptocurrency wallets. The actors behind this campaign have so far created three cryptocurrency-related apps that are disguised as legitimate. They’ve also invested in a full-fledged marketing campaign trying to encourage users to download the apps. If a victim downloads the trojanized apps, they are infected with the malware that then takes over their cryptocurrency wallet.
References: https://cyware.com/news/electrorat-yet-another-golang-multi-platform-malware-12406d32
Snort SIDs: 56991 - 56993

Title: Cisco SD-WAN vulnerabilities could allow for remote code execution
Description: Cisco disclosed multiple vulnerabilities last week that could allow attackers to execute malicious code remotely on affected devices. Three of these vulnerabilities collectively have a severity score of 9.9 out of 10. An adversary could cause a variety of conditions on the affected products that could eventually lead to remote code execution. These issues affect several Cisco products, including SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.
Reference: https://www.zdnet.com/article/cisco-warns-on-critical-security-vulnerabilities-in-sd-wan-software-so-update-now/
Snort SIDs: 56942 - 56944, 56957 - 56963

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Google disclosed a wide-ranging campaign from North Korean state-sponsored actors looking to compromise cybersecurity researchers and organizations.
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

President Joe Biden’s administration is facing increasing pressure to disclose more information regarding the SolarWinds breach that’s affected many private companies and government agencies.
https://www.cnn.com/2021/01/23/politics/solarwinds-hack-biden-pressure/index.html

During Biden’s first full week in office, he’s tapped many cybersecurity veterans to his cabinet and advisory teams and is still working to fill a cyber-focused office reporting to a new National Cyber Director.
https://www.reuters.com/article/us-usa-biden-cyber/after-big-hack-of-u-s-government-biden-enlists-world-class-cybersecurity-team-idUSKBN29R18I

A website uploaded screenshots from the now-shutdown Parler app to try and identify individuals who participated in the riot on the U.S. Capitol earlier this month.
https://www.cnet.com/news/website-features-faces-from-parlers-capitol-riot-videos/

Vulnerabilities in Amazon’s Kindle devices could have allowed adversaries to take over a device by tricking them into opening specially crafted eBooks.
https://www.vice.com/en/article/93wgzy/bugs-allowed-hackers-to-hack-kindle-accounts-with-malicious-ebooks

As the COVID-19 vaccination effort ramps up across the globe, security experts are bracing for a new wave of attacks looking to cause economic or civil disruption.
https://www.washingtonpost.com/politics/2021/01/26/cybersecurity-202-vaccine-distribution-unleashes-new-cybersecurity-risks/

The US Defense Intelligence Agency has circumvented warrant requirements for obtaining mobile phone location data by purchasing commercially available databases of information.
https://www.nytimes.com/2021/01/22/us/politics/dia-surveillance-data.html

President Biden’s Peloton exercise bike could be a security risk, highlighting the dangers of having any internet-of-things devices connected to sensitive networks.
https://securityboulevard.com/2021/01/is-bidens-peloton-bike-an-iot-cybersecurity-risk/

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-3129
Title: Laravel in debug mode susceptible to Remote code execution vulnerability
Vendor: Beyondco
Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents() methods. This is exploitable on sites using debug mode with Laravel before 8.4.2.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-3118
Title: ECSIMAGING PACS 6.21.5 - SQL injection Vulnerability
Vendor: Medicalexpo
Description: Unsupported versions of EVOLUCARE ECSIMAGING (aka ECS Imaging) products through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form. This allows an attacker to steal data in the database and obtain access to the application.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-11651
Title: Improper method call validation allows arbitrary code execution vulnerability
Vendor: Saltstack
Description: This vulnerability exists in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-6207
Title: Missing Authentication Check in SAP Solution Manager
Vendor: SAP
Description: SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-1337
Title: Windows Print Spooler Elevation of Privilege Vulnerability
Vendor: MicroSoft
Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-17136
Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Vendor: MicroSoft
Description: , Microsoft Windows could allow a local authenticated malicious user to gain elevated privileges on the system, caused by a flaw in the Cloud Files Mini Filter Driver. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-2109
Title: Oracle WebLogic Server 14.1.1.0 Remote Code Execution Vulnerability
Vendor: Oracle
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). This vulnerability is easily exploitable and allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-1257
Title: Cisco DNA Center Cross-Site Request Forgery Vulnerability
Vendor: Cisco
Description: A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user’s session, and executing Command Runner commands.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-1472
Title: Netlogon Elevation of Privilege Vulnerability
Vendor: Multi-Vendor
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.
CVSS v3 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES January 21-28, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6
MD5: 6a7401614945f66f1c64c6c845a60325
VirusTotal: https://www.virustotal.com/gui/file/b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6/details
Typical Filename: pmropn.exe
Claimed Product: PremierOpinion
Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201