CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 11-18, 2021
TOP VULNERABILITY THIS WEEK: F5 warns of critical vulnerabilities in BIG-IP and BIG-IQ

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: F5 urges users to patch exploits that could open the door to take complete control of systems
Description: F5’s BIG-IP and BIG-IQ applications contain multiple critical vulnerabilities that could allow adversaries to completely compromise systems. The company urged users to patch as soon as possible. Several of the vulnerabilities disclosed last week could allow attackers to execute malicious code, disable services, manipulate, delete and create files, among other malicious actions. In all, F5 Networks disclosed four critical vulnerabilities, seven high-severity bugs and 10 that are considered of “medium” severity. BIG-IP and BIG-IQ users are usually deployed for application delivery services, such as load balancing, app security and access control. In a worst-case scenario, F5 said, an attacker could exploit a vulnerable BIG-IP appliance to break into the broader enterprise network.
References: https://www.darkreading.com/vulnerabilities---threats/f5-networks-urges-customers-to-update-to-new-versions-of-its-app-delivery-tech/d/d-id/1340385
Snort SID: 57298

Title: New detection, information available on Microsoft Exchange Server zero-day vulnerabilities
Description: Since Microsoft’s initial disclosure of multiple zero-day vulnerabilities in Microsoft Exchange Server, Cisco Talos has seen shifts in the tactics, techniques, and procedures (TTPs) associated with this malicious activity. Talos researchers have discovered other actors exploiting these vulnerabilities that appear to be separate from the initial “Hafnium” actor and include groups that are leveraging infrastructure previously attributed to cryptocurrency mining campaigns, groups creating or accessing web shells using notepad.exe or notepad++.exe and large amounts of scanning activity without successful exploitation. Talos has also identified organizations that may be involved in post-exploitation activity. The victimology shows that financial services have been disproportionately affected by exploitation, with a few other notable verticals following including health care, education and local/state governments.
Reference: https://blog.talosintelligence.com/2021/03/hafnium-update.html
Snort SIDs: 57233 - 57246, 57251 – 57253
ClamAV signatures:
Win.Trojan.MSExchangeExploit-9838898-0
Win.Trojan.MSExchangeExploit-9838899-0
Win.Trojan.MSExchangeExploit-9838900-0
Asp.Trojan.Webshell0321-9839392-0
Asp.Trojan.Webshelljs0321-9839431-0
Asp.Trojan.Webshell0321-9839771-0

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

At least six APT groups have been exploiting the Microsoft Exchange Server zero-day vulnerabilities so far.
https://arstechnica.com/gadgets/2021/03/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts/

Other threat actors, including ransomware and botnet operators are also targeting systems with unpatched Exchange Server vulnerabilities.
https://www.cyberscoop.com/exchange-microsoft-ransomware-botnet-criminal/

A massive fire at an OVHcloud data center in Strasbourg, France affected the IT infrastructure of some of its customers, including several government-sponsored cyber threat groups.
https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure

Law enforcement officials and tech companies in the UK are reportedly testing tools that would allow them to track the web browsing history of every person in the country.
https://www.wired.co.uk/article/internet-connection-records-ip-act

The leaders of the U.S., Australia, India, and Japan agreed to establish several new “quad” working groups, including one that will address cyber threats.
https://www.npr.org/2021/03/12/976305089/biden-and-quad-leaders-launch-vaccine-push-deepen-coordination-against-china

As of March 12, Microsoft reports that there were only 82,000 exposed versions of Server exchange still vulnerable to the zero-day vulnerabilities it recently disclosed out of an initial 400,000.
https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/

Many expired domains available to anyone on the internet pose serious risk for users who could be duped by seemingly legitimate-looking scams.
https://blog.talosintelligence.com/2021/03/domain-dumpster-diving.html

The UK’s top cybersecurity office warned nurseries and childcare centers that they have become an “appealing target” for cyber attacks.
https://www.bbc.com/news/education-56403778

American cyber officials are considering deeper partnerships with private sector computer security companies after intelligence agencies failed to detect the recent Hafnium and SolarWinds campaigns.
https://www.nytimes.com/2021/03/14/us/politics/us-hacks-china-russia.html

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-3148
Title: Command Injection Vulnerability in SaltStack
Vendor: Saltstack
Description: An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-28041
Title: Double-Free Memory Corruption Vulnerability in OpenSSH
Vendor: Openbsd
Description: ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVSS v3.1 Base Score: 7.3 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

ID: CVE-2021-27886
Title: Command Injection Vulnerability in Docker Dashboard
Vendor: Docker Dashboard Project
Description: rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-27730 |
Title: Argument Injection Vulnerability in Accellion FTA
Vendor: Accellion
Description: Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-25283
Title: Server Side Template Injection Vulnerability in Saltstack
Vendor: Saltstack
Description: An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server-side template injection attacks.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-25281
Title: Remote Unauthentication Vulnerability in Saltstack
Vendor: Saltstack
Description: An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-2047
Title: Unauthenticated Access Vulnerability in Oracle WebLogic Server
Vendor: Oracle
Description: This vulnerability is in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES March 11-18, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f
MD5: b8a582da0ad22721a8f66db0a7845bed
VirusTotal: https://www.virustotal.com/gui/file/5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:5901ce0f36.in03.Talos

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
MD5: f37167c1e62e78b0a222b8cc18c20ba7
VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos