Vol. 21, Num. 22
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES June 3-10, 2021
TOP VULNERABILITY THIS WEEK: Severe VMware vulnerability being exploited in the wild
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Vulnerability with 9.8 severity score under attack on VMware products
Description: VMware issued a warning Friday alerting users to protect against exploitation of a severe vulnerability in its vSphere Client’s Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to this service can exploit this vulnerability to gain remote code execution on the affected vCenter Server. The vulnerability, tracked as CVE-2021-21985, exists in the software that allows users to manage virtualization in large data centers. VMware warned users in an advisory earlier this month that vCenter machines using the default configurations contained the vulnerability. An attacker could exploit this vulnerability to execute malicious code on machines that are connected to vCenter and are exposed to the internet. The vulnerability has a CVSS severity rating of 9.8 out of 10.
Reference: https://arstechnica.com/gadgets/2021/06/under-exploit-vmware-vulnerability-with-severity-rating-of-9-8-out-of-10/
Snort SIDs: 57720
Title: Microsoft patches 49 vulnerabilities as part of monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 49 vulnerabilities across its suite of products, breaking last month’s 16-month record of the fewest vulnerabilities disclosed in a month by the company. Only four of the vulnerabilities patched this month are rated critical, while all the others are considered “important.” However, Microsoft states that several of the vulnerabilities are being actively exploited in the wild. One of this month’s critical vulnerabilities exists in the Windows Defender anti-malware software: CVE-2021-31985 could allow an attacker to execute remote code on the targeted machine. Microsoft stated that this vulnerability, along with the others identified in Windows Defender this month, will be fixed automatically through the engine’s own update mechanism. Users can confirm the update was downloaded and installed by following the steps Microsoft outlined in its advisory.
Reference: https://blog.talosintelligence.com/2021/06/microsoft-patch-tuesday-for-june-2021.html
Snort SIDs: 49388, 49389, 57722 - 57727, 57730 - 57733, 57735 and 57736
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. Department of Justice announced it recovered $2.3 million of the $4.4 million ransom Colonial Pipeline paid following the attack in May.
https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac
Colonial Pipeline CEO Joseph Blount testified in front of Congress Tuesday to discuss the cyberattack, as the government takes a deeper look at the threat of ransomware attacks on American infrastructure and companies.
https://www.bloomberg.com/news/articles/2021-06-08/ceo-of-hacked-pipeline-company-tells-senate-he-s-deeply-sorry
A recent cyber attack against meat supplier JBS could cause meat prices to rise in the U.S. and Australia, though commodities experts say the supply chain is doing everything it can to stay on track.
https://www.cnn.com/2021/06/01/business/jbs-cyberattack-meat-shortage/index.html
American law enforcement officials seized two domains associated with a recent phishing attack targeting government agencies, think tanks, and non-government organizations.
https://www.reuters.com/technology/us-seizes-two-domains-used-cyber-attacks-that-mimicked-usaid-communications-2021-06-01/
As the debate over whether organizations should be banned from paying ransomware demands intensifies, Chris Painter, co-chair of the Ransomware Task Force, said that if there is to be such a ban, it should be rolled out gradually.
https://www.fedscoop.com/ransomware-task-force-co-chair-chris-painter-says-a-ban-on-ransomware-payments-would-need-to-be-phased/
The Director of the FBI Christopher Wray said his agency is currently investigating 100 types of ransomware and compared the challenges posed by ransomware to those faced after the 9/11 attacks.
https://www.wsj.com/articles/fbi-director-compares-ransomware-challenge-to-9-11-11622799003 (paywall)
Google plans to add a new feature in Android 12 that will allow users to opt out of tracking from apps they download from the Google Play store, following in the footsteps of Apple on its iOS platform.
https://gizmodo.com/google-will-let-you-opt-out-of-being-tracked-by-apps-in-1847029681
According to court documents, the FBI took control of a communications company called Anom and used it as a honeypot to collect suspected criminals’ communications.
https://www.vice.com/en/article/akgkwj/operation-trojan-shield-anom-fbi-secret-phone-network
The Department of Justice arrested a Latvian national, charging her with computer fraud, aggravated identity theft, and other offenses for her role in the organizations behind the Trickbot remote access trojan.
https://www.zdnet.com/article/after-doj-arrest-of-latvian-trickbot-user-experts-highlight-public-private-efforts/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-33742
Title: Windows MSHTML Platform Remote Code Execution Vulnerability
Vendor: Microsoft
Description: This is a critical memory corruption vulnerability in the Chakra JScript scripting engine. This vulnerability impacts Windows RT, Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, Windows Server 2012 (R2) and Windows Server 2016. An adversary can exploit this vulnerability when the target user opens a specially crafted file.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2021-31955
Title: Windows Kernel Information Disclosure Vulnerability
Vendor: Microsoft
Description: This is an information disclosure vulnerability in ntoskrnl.exe. The vulnerability is associated with a Windows OS feature called SuperFetch, introduced in Windows Vista, which aims to reduce application loading times by pre-loading commonly used applications into memory. To serve SuperFetch, the function NtQuerySystemInformation implements a special system information class, SystemSuperfetchInformation, which in turn encompasses more than a dozen different SuperFetch information classes. The vulnerability lies in the fact that the data returned by NtQuerySystemInformation for the SuperFetch information class SuperfetchPrivSourceQuery contains EPROCESS kernel addresses for currently executing processes, which defeats kernel ASLR for a local attacker.
CVSS v3.1 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2021-21985
Title: Remote Code Execution Vulnerability in vSphere Client
Vendor: VMware
Description: The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21986
Title: Weak Authentication Vulnerability in vSphere Client
Vendor: VMware
Description: The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES June 3-10, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4
MD5: 52ed8d8b8f1d37b7db0319a3351f6a16
VirusTotal: https://www.virustotal.com/gui/file/583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4/details
Typical Filename: smbscanlocal2705.exe
Claimed Product: N/A
Detection Name: W32.Auto:583418f8f4.in03.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: d8ccc7b34c875d9bbbde99de2338b76aab46a87b777e3f010f205028d7bf9156
MD5: d04b460018cf958816d35fc122a955df
VirusTotal: https://www.virustotal.com/gui/file/d8ccc7b34c875d9bbbde99de2338b76aab46a87b777e3f010f205028d7bf9156/details
Typical Filename: hd8vct.exe
Claimed Product: N/A
Detection Name: W32.Auto:d8ccc7b34c.in03.Talo
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg