CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES May 27-June 3, 2021
TOP VULNERABILITY THIS WEEK: Trend Micro vulnerabilities put home network devices at risk

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Vulnerabilities in Trend Micro Home Network Security Station could lead to device takeover
Description: Trend Micro recently patched multiple security vulnerabilities in its Home Network Security systems. Attackers could exploit the vulnerabilities to cause a denial of service on connected devices, privilege escalation and code execution. The Home Network Security Station is an all-in-one device that protects users’ home networks by scanning for vulnerabilities on connected devices and serves as an intrusion prevention system. An attacker could manipulate the device in a way, using these vulnerabilities, that could allow them to execute remote code on the device or takeover PCs that are connected to the targeted home network.
Reference: https://blog.talosintelligence.com/2021/05/vuln-spotlight-trend-i.html
Snort SIDs: 51719 - 57122

Title: Multiple vulnerabilities in Accusoft ImageGear
Description: Cisco Talos researchers recently discovered multiple vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats such as DICOM, PDF, Microsoft Office. These vulnerabilities Talos discovered could allow an attacker to carry out various malicious actions, including corrupting memory on the victim machine and gaining the ability to execute remote code. CVE-2021-21793, CVE-2021-21794 and CVE-2021-21824 are all out-of-bounds write vulnerabilities that exist in various functions of the software. An attacker could trigger these vulnerabilities by tricking a user into opening a specially crafted, malicious file.
Reference: https://blog.talosintelligence.com/2021/06/vuln-spotlight-accusoft-.html
Snort SIDs: 54411 - 54414, 57249 - 57252, 57270 - 57273, 57301, 57302, 57378, 57379

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The Nobelium threat actor is launching spear phishing attacks against government agencies, think tanks and non-governmental organizations.
https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/

US officials believe government agencies largely fended off the Nobelium spear phishing attacks.
https://apnews.com/article/europe-phishing-government-and-politics-technology-business-6f4154aac7d90787ea85d46a3422eb0a

A recently discovered flaw in Apple’s new M1 chips could allow two malicious apps to communicate with each other.
https://m1racles.com/

A popular Russian language dark net market Hydra reportedly made $1 billion in 2020.
https://www.cyberscoop.com/hydra-cybercrime-russia-bitcoin-laundering-darkside/

New disk-wiping malware that disguises itself as ransomware is being used against Israeli targets.
https://arstechnica.com/gadgets/2021/05/disk-wiping-malware-with-irananian-fingerprints-is-striking-israeli-targets/

JBS, the largest meat-processing company in the world, shut down multiple facilities after a ransomware attack.
https://www.nytimes.com/2021/06/01/business/meat-plant-cyberattack-jbs.html

US soldiers were leaking information about US nuclear weapons in Europe though an online flashcard app.
https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/

Cisco Talos is proposing using the term “Privateer [to refer to] groups [that] are not sponsored directly by a state and are financially motivated, but … benefit from direct or indirect protection from that state.”
https://blog.talosintelligence.com/2021/05/privateer-groups.html

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-26937 |
Title: Denial of Service Vulnerability in GNU Screen
Vendor: Gnu, Debian, and Fedora Project
Description: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-26120 |
Title: Code Injection Vulnerability in Smarty
Vendor: Smarty, Debian
Description: Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-20231 |
Title: Memory Corruption Vulnerability in Gnutls
Vendor: Gnu, Redhat, NetApp, and Fedora Project
Description A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-31800 |
Title: Arbitrary Code Execution Vulnerability in SMbserver Instance
Vendor: SecureAuth, Fedora Project
Description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-29921 |
Title: Weak Authentication Control in Python Version < 3,9,5
Vendor: Python
Description: In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-28799 |
Title: Weak Authorization Vulnerability in QNAP
Vendor: Qnap
Description: An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-31474 |
Title: Arbitrary Code Execution Vulnerability in SolarWinds
Vendor: Solarwinds
Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES May 27-June 3, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4
MD5: 52ed8d8b8f1d37b7db0319a3351f6a16
VirusTotal: https://www.virustotal.com/gui/file/583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4/details
Typical Filename: smbscanlocal2705.exe
Claimed Product: N/A
Detection Name: W32.Auto:583418f8f4.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9
MD5: d709ea22945c98782dc69e996a98d643
VirusTotal: https://www.virustotal.com/gui/file/3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:3bc24c6181.in03.Talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg