CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES May 13-20, 2021
TOP VULNERABILITY THIS WEEK: Transparent Tribe adds a new RAT to its toolkit

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Transparent Tribe APT expands its Windows malware arsenal
Description: Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting. Transparent Tribe uses a two-pronged approach for registering malicious domains: Fake domains masquerading as legitimate sites belonging to government, defense, or research entities, and malicious domains that resemble file-sharing websites.
Reference: https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html
Snort SIDs: 57551 - 57562

Title: Lemon Duck cryptocurrency miner targeting vulnerable Microsoft Exchange Servers
Description: Cisco Talos has recently observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available. Microsoft released a report on March 25 highlighting Lemon Duck’s targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary malware payloads, such as information stealers. Talos also discovered that Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more effective.
Reference: https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html
Snort SIDs: 45549:4, 46237, 50795, 55926, 57469 – 57474
ClamAV signatures: Ps1.Trojan.Lemonduck-9856143, Ps1.Trojan.Lemonduck-9856144, Win.Trojan.CobaltStrike-7917400, Win.Trojan.CobaltStrike-8091534
Cisco Secure Endpoint Cloud IOCs: W32.LemonDuckCryptoMiner.ioc, Clam.Ps1.Dropper.LemonDuck-9775016-1, Win.Miner.LemonDuck.tii.Talos, Ps1.Dropper.LemonDuck, Clam.Js.Malware.LemonDuck-9775029-1

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Colonial Pipeline reportedly paid a $5 million ransom after its systems became infected with ransomware.
https://www.usatoday.com/story/news/nation/2021/05/15/colonial-pipeline-cyberattack-ransomware-payouts-banned/5097768001/

As the pipeline slowly came back online last week, some gas stations were still experiencing fuel shortages.
https://www.cnbc.com/2021/05/15/colonial-pipeline-resumes-normal-operations-after-hack.html

The DarkSide ransomware group behind the attack said it was shutting down operations.
https://zetter.substack.com/p/darkside-retreats-to-the-dark

U.S. President Joe Biden released an Executive Order aimed at strengthening America’s cybersecurity posture by creating new guidelines for federal contractors and creating a new standard playbook for responding to cyber incidents.
https://www.csoonline.com/article/3618730/biden-administration-releases-ambitious-cybersecurity-executive-order.html

The Biden administration says the American Jobs Plan with bolster cybersecurity.
https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/18/fact-sheet-the-american-jobs-plan-will-bolster-cybersecurity/

The Irish health system had to shut down its IT systems after a cyberattack over the weekend in what is “possibly the most significant cybercrime attack on the Irish state.”
https://www.bbc.com/news/world-europe-57111615

In the wake of the Colonial Pipeline ransomware attack, a popular Russian language online criminal forum claims it will prevent the sale of any ransomware tools.
https://www.cyberscoop.com/colonial-pipeline-ransomware-xss-criminal/

Google’s upcoming Android 12 operating system will reportedly include a new privacy dashboard for users to personalize what permissions certain apps have and what type of information they’re collecting.
https://www.xda-developers.com/android-12-privacy-dashboard-rumor/

A security researcher warned that a feature in the new Apple AirTags could allow criminals to figure out when people are away from home, making it an easier target for crime.
https://www.vice.com/en/article/jg8mvy/airtags-can-be-used-to-figure-out-when-a-house-is-empty-researcher-warns

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-31166 |
Title: HTTP Protocol Stack Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft released patches addressing a critical RCE vulnerability in Windows. This vulnerability allows an unauthenticated attacker to remotely execute code as kernel. This is a wormable vulnerability where an attacker can simply send a malicious crafted packet to the target impacted webserver.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-28476 |
Title: Hyper-V Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft released patches addressing a critical RCE in Windows Server that impacts Hyper-V. Though the exploitation of this vulnerability is less likely (according to Microsoft), this should be prioritized for patching since adversaries can abuse this vulnerability and cause Denial of Service (DoS) in the form of a bug check.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-31181 |
Title: SharePoint Remote Code Execution Vulnerability
Vendor: Microsoft
Description This is a remote code execution vulnerability in Microsoft SharePoint server. This server allows unauthenticated users to send specially crafted request to SharePoint server and again unauthorized access as a SharePoint user.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-27655 |
Title: Improper Access Control Vulnerability in Synology Router Manager
Vendor: Synology
Description: Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2019-12725 |
Title: Remote Code Execution Vulnerability in Zeroshell
Vendor: Zeroshell
Description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-11854 |
Title: Arbitrary Code Execution Vulnerability in Operations Bridge Manager
Vendor: Microfocus
Description: Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravility affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.) Application Performance Management versions 9,51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow Arbitrary code execution.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-20987 |
Title: Denial of Service Vulnerability in Hilscher EtherNet
Vendor: Hilcher
Description: A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21that may lead to code injection through network or make devices crash without recovery.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES May 13-20, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243
MD5: f2c1aa209e185ed50bf9ae8161914954
VirusTotal: https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.5524FEE1BB.5A6DF6a61.auto.Talos

SHA 256: 3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9
MD5: d709ea22945c98782dc69e996a98d643
VirusTotal: https://www.virustotal.com/gui/file/3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:d0442520e2.in03.Talos

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos