CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 12-19, 2021
TOP VULNERABILITY THIS WEEK: Attackers still exploiting PrintNightmare as part of ransomware attacks

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Vice Society group exploiting PrintNightmare in recent ransomware attacks
Description: Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows’ print spooler service to spread laterally across a victim’s network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society. Talos Incident Response’s research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. If users have not already, they should download the latest patch for PrintNightmare from Microsoft.
Reference: https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html
Snort SIDs: 57876, 57877

Title: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Description: Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505’s arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper’s activity. We investigated the activity and discovered a set of intertwined malware families and TTPs. Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installation comes as a GoLang dropper, .NET dropper or PowerShell script. Its activity is generally linked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT.
Reference: https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html
Snort SID: 57975
ClamAV signatures: Win.Downloader.Powershell-9883640, Win.Trojan.Powershell-9883642, Win.Downloader.Powershell-9883641, Win.Downloader.ServHelper-9883708, Win.Downloader.Powershell-9883847, Win.Trojan.ServHelper-9883848, Win.Trojan.ServHelper-9883866, Win.Trojan.ServHelper-9883867

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The recent ransomware attack on Colonial Pipeline also led to the theft of personal information belonging to nearly 6,000 individuals, including current and former employees and their family members.
https://us.cnn.com/2021/08/16/tech/colonial-pipeline-ransomware/index.html

Jen Easterly, the recently installed director of the Cybersecurity and Infrastructure Security Agency (CISA), called on all federal agencies to develop a collective response to election security.
https://apnews.com/article/elections-voting-iowa-local-elections-misinformation-c9878bf50e3c72c720f7928979f162d7

Security researchers discovered an unpatched vulnerability in a popular gym management platform called Wodify that could allow attackers to tamper with payment information.
https://portswigger.net/daily-swig/unpatched-vulnerabilities-in-wodify-fitness-management-platform-allow-attackers-to-steal-gym-payments-extract-member-data

T-Mobile is investigating a potential cyberattack after threat actors claimed to be selling the personal information of more than 100 million customers.
https://www.vice.com/en/article/akg8wg/tmobile-investigating-customer-data-breach-100-million

A misconfigured customer engagement system on the Ford Motor Company’s website could have allowed access to access sensitive systems.
https://www.bleepingcomputer.com/news/security/ford-bug-exposed-customer-and-employee-records-from-internal-systems/

Several hospitals in Ohio and West Virginia are having to turn away patients and cancel surgeries after a cyberattack knocked out staff access to their system’s network.
https://arstechnica.com/gadgets/2021/08/hospitals-hamstrung-by-ransomware-are-turning-away-patients/

The US withdrawal from Afghanistan poses a risk of sensitive national U.S. intelligence being left behind in the country.
https://www.washingtonpost.com/politics/2021/08/17/cybersecurity-202-sensitive-government-data-could-be-another-casualty-afghan-pullout/

Consulting firm Accenture said the company suffered no negative effects from an alleged ransomware attack last week, after a threat actor claimed to be selling stolen data from the organization.
https://www.zdnet.com/article/accenture-says-lockbit-ransomware-attack-caused-no-impact-on-operations-or-clients/

Attackers are abusing the reCAPTCHA authentication service and phony CAPTCHA-like applications to hide malware and phishing links.
https://threatpost.com/cyberattackers-captchas-phishing-malware/168684/

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-15196 |
Title: Buffer Overflow Vulnerability in Tensorflow
Vendor: Google
Description: In Tensorflow version 2.3.0, the SparseCountSparseOutput and RaggedCountSparseOutput implementations don’t validate that the weights tensor has the same shape as the data. The check exists for DenseCountSparseOutput, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the bounds of the heap buffer allocated for the weights. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-3161
Title: Remote Code Execution Vulnerability in Cisco IP Phones
Vendor: Cisco
Description: A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-21307
Title: Remote Code Execution Vulnerability in Lucee Server
Vendor: Lucee
Description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-29200
Title: Deserialization Vulnerability in Apache OFBiz
Vendor: Apache |
Description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version. An unauthenticated user can perform an RCE attack
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-22891
Title: Missing Authorization Vulnerability in Citrix ShareFile
Vendor: Citrix
Description: A missing authorization vulnerability exists in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 may allow unauthenticated remote compromise of the Storage Zones Controller.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES August 12-19, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af
MD5: 0a13d106fa3997a0c911edd5aa0e147a
VirusTotal: https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details
Typical Filename: mg20201223-1.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0
MD5: d54ade674cb0c3e6d322ed7380e8adf6
VirusTotal: https://www.virustotal.com/gui/file/5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0/details
Typical Filename: ml20201223.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::GenericRXMW:Win32-tpd