CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES February 18-25, 2021
TOP VULNERABILITY THIS WEEK: Masslogger trojan sets its sights on login credentials

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Masslogger steals users’ credentials from Outlook, Chrome
Description: Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers. The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the killchain. While most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users’ credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks.
References: https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html
Snort SID: 57141-57154
OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/win_forensics/potential_compiled_HTML_abuse.yaml

Title: Gamaredon APT spreads rapidly, looking to steal and sell information
Description: Gamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian activities in several reports throughout the years. It is extremely aggressive and is usually not associated with high-visibility campaigns, Cisco Talos sees it is incredibly active and we believe the group is on par with some of the most prolific crimeware gangs. Gamaredon has been exposed several times in multiple threat intelligence reports, without any significant effects on their operations. Their information-gathering activities can almost be classified as a second-tier APT, whose main goal is to gather information and share it with their units, who will eventually use that information to perform the end goal. Recently, Cisco Talos researchers discovered four different campaigns using different initial infection vectors and final payloads.
Reference: https://blog.talosintelligence.com/2021/02/gamaredonactivities.html
Snort SIDs: 57194 – 57196
ClamAV: Lnk.Malware.Gamaredon-7448135-3

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The U.S. is preparing to issue sanctions against Russia for its alleged involvement in the massive SolarWinds breach that affected government agencies and Fortune 500 companies.
https://www.washingtonpost.com/national-security/biden-russia-sanctions-solarwinds-hacks/2021/02/23/b77039d6-71fa-11eb-85fa-e0ccb3660358_story.html

American prosecutors charged three North Koreans for allegedly conspiring to steal more than $1.3 billion from banks, ATMs, and cryptocurrency traders.
https://www.cnn.com/2021/02/17/politics/north-korea-hackers-charged/index.html

Apple updated its Platform Security guide, outlining how its devices offer better data protection via upgrades to its FileVault service, new password protection options and more.
https://9to5mac.com/2021/02/18/2021-apple-platform-security-guide-available/

The company behind a line of cameras that allows parents to look in on their children while they’re at daycare warned customers of a data breach and has temporarily suspended service.
https://www.theregister.com/2021/02/22/nurserycam_breach/

Jamaica’s immigration website left travelers’ personal information exposed though an inadequately secured cloud storage server; the compromised information includes results of COVID-19 tests and immigration records.
https://techcrunch.com/2021/02/17/jamaica-immigration-travelers-data-exposed/

Apple says it’s already taken multiple steps to eliminate the “Silver Sparrow” malware that reportedly targeted the company’s M1 chips.
https://www.techradar.com/news/apple-says-it-has-already-beaten-new-m1-mac-malware

Grocery store chain Kroger says some of its pharmacy and clinic customers may have had their social security numbers and prescription information stolen as a result of an attack on Accellion’s FTA file transfer product.
https://abcnews.go.com/Business/wireStory/kroger-pharmacy-customer-data-impacted-vendor-hack-76031082

Ukraine blamed Russian threat actors for a series of distributed denial-of-service attacks on Ukrainian security and defense websites.
https://www.reuters.com/article/ukraine-cyber/ukraine-accuses-russian-networks-of-new-massive-cyber-attacks-idUSL1N2KS1BD

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-17095
Title: Hyper-V Remote Code Execution Vulnerability
Vendor: MicroSoft
Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-20016
Title: SQL Injection Vulnerability in SonicWall SSL VPN
Vendor: SonicWall
Description: A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build versions 10.x.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-23885
Title: Privilege Escalation Vulnerability in McAfee Web Gateway
Vendor: McAfee
Description: Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

ID: CVE-2020-13957 |
Title: Remote Code Execution Vulnerability in Apache Solr
Vendor: Apache
Description: Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that’s uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-14882
Title: Unauthenticated RCE Vulnerability in Oracle WebLogic Server
Vendor: Oracle
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-35128
Title: XSS Vulnerability in Mautic Interface
Vendor: Acquia
Description: Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.
CVSS v3.1 Base Score: 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

ID: CVE-2021-21463
Title: Improper Input Validation Vulnerability in SAP 3D VEV
Vendor: SAP
Description: SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2020-9492
Title: Privilege Escalation in Apache Hadoop
Vendor: Apache
Description: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client can send SPNEGO authorization header to remote URL without proper verification.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES February 18-25, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
MD5: f37167c1e62e78b0a222b8cc18c20ba7
VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f
MD5: 88781be104a4dcb13846189a2b1ea055
VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
Typical Filename: ActivityElement.dp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos