Vol. 21, Num. 33
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 19-26, 2021
TOP VULNERABILITY THIS WEEK: New version of LockBit ransomware spreads internationally
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: LockBit 2.0 targets organizations across the globe
Description: The ransomware-as-a-service network behind the LockBit ransomware is launching new attacks using the 2.0 version of its malware. LockBit has recently been spotted targeting organizations in the U.K., Taiwan, Chile and Italy. This new version of LockBit includes new encryption features and an effort to recruit “insiders” at the targeted organizations. Once the malware encrypts the data on the targeted machine, it changes the wallpaper to display an advertisement, telling users that they can become a part of LockBit’s recruitment process, promising payouts in the millions of dollars. LockBit has been behind several recent high-profile attacks, including one on global consulting firm Accenture.
Reference: https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/
Snort SIDs: 58024, 58025
Title: Several RATs targeting users in Latin America, stealing high-profile credentials
Description: Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT. The campaign targets travel and hospitality organizations in Latin America. Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil. We’ve also discovered a builder/crypter known as “Crypter 3losh rat” used to generate various stages of the highly modularized infection chain used by the campaign operators. The threat actor authoring the crypter primarily aims to sell it as a service. We’ve observed the authors advertise their crypters on Facebook, YouTube and other social media. However, we’ve also discovered that the crypter’s authors have conducted their own malware campaigns abusing archive[.]org to deliver commodity RATs. The highly modular structure of the Latin American attack indicates a focus on stealth to deliver two widely popular RAT families, AsyncRAT and njRAT. These techniques, along with other indicators, are shared with the Aggah group, indicating that the crypter author might have sold it to both parties.
Reference: https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html
Cisco Secure Endpoint orbital search queries:
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. State Department was reportedly the target of a cyberattack several weeks ago.
https://www.cnbc.com/2021/08/21/us-state-department-reportedly-hit-by-a-cyberattack-in-recent-weeks.html
The FBI recently warned major tech companies that state-sponsored actors are attempting to recruit their employees to conduct economic espionage and intellectual property theft.
https://www.protocol.com/fbi-delta-protocol-economic-espionage
T-Mobile confirmed a massive data breach that potentially puts 54 million customers at risk of fraud and identity theft.
https://www.wsj.com/articles/t-mobile-data-hack-what-we-know-and-what-you-need-to-do-11629404953
macOS 11 may have several security features that Apple previously did not disclose, including endpoint security API improvements and protections against potential CPU-level attacks.
https://blog.malwarebytes.com/mac/2021/08/macos-11s-hidden-security-improvements/
Vulnerabilities in the Kalay Internet-of-Things protocol put millions of security devices at risk of complete attacker takeover.
https://duo.com/decipher/critical-bug-in-kalay-iot-protocol-threatens-millions-of-devices
Leaders from Apple, Microsoft and Amazon are slated to meet with U.S. President Joe Biden to discuss ways the private sector can help protect critical infrastructure from cyberattacks.
https://www.zdnet.com/article/apple-microsoft-and-amazon-chiefs-to-meet-biden-over-critical-infrastructure-cyber-attacks/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2017-6028
Title: Weak Authentication Vulnerability in Schneider Electric Modicon PLC
Vendor: SE Modicon
Description: An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251, all firmware versions. Log-in credentials are sent over the network with Base64 encoding leaving them susceptible to sniffing. Sniffed credentials could then be used to log into the web application.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-15373
Title: Buffer Overflow Vulnerability in Broadcom Brocade Fabric OS
Vendor: Broadcom
Description: Multiple buffer overflow vulnerabilities in REST API in Brocade Fabric OS versions v8.2.1 through v8.2.1d, and 8.2.2 versions before v8.2.2c could allow remote unauthenticated attackers to perform various attacks.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-35042
Title: SQL Injection Vulnerability in Django 3.1.0
Vendor: Django Project
Description: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
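The Django entry above describes QuerySet.order_by being fed untrusted client input. As an added example (not code from the newsletter or the Django project), the following Python shows the standard mitigation: reduce the client's sort parameter to an allowlist of field names before it ever reaches the ORM. The allowlist and the function names are constructed for this illustration.

```python
import re

# Constructed allowlist for this example: the only column names a client may sort by.
# In a real view it mirrors the model fields you are willing to expose for ordering.
ALLOWED_SORT_FIELDS = frozenset({"id", "name", "created_at", "owner__username"})

# A valid ordering token is an optional leading "-" (descending) followed by a
# Django-style field path: identifiers joined by "__". Nothing else is accepted.
_TOKEN_RE = re.compile(r"^(-?)([A-Za-z_]\w*(?:__[A-Za-z_]\w*)*)$")


def safe_order_by(raw: str, allowed=ALLOWED_SORT_FIELDS) -> list:
    """Turn an untrusted ?order_by=... value into arguments safe for QuerySet.order_by().

    Vulnerable pattern this replaces (do not do this):
        Model.objects.order_by(request.GET["order_by"])
    Hardened pattern:
        Model.objects.order_by(*safe_order_by(request.GET["order_by"]))

    Every comma-separated token must be an allowlisted field name, optionally
    prefixed with "-". Anything else (quotes, parentheses, spaces, unknown names)
    raises ValueError so the view can answer 400 instead of passing it to the ORM.
    """
    result = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        m = _TOKEN_RE.match(token)
        if not m or m.group(2) not in allowed:
            raise ValueError(f"unsupported sort field: {token!r}")
        result.append(m.group(1) + m.group(2))
    if not result:
        raise ValueError("no sort field given")
    return result


def is_safe_order_by(raw: str, allowed=ALLOWED_SORT_FIELDS) -> bool:
    """Convenience predicate: True if safe_order_by() would accept the input."""
    try:
        safe_order_by(raw, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(safe_order_by("name,-created_at"))  # ['name', '-created_at']
```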
ID: CVE-2021-20032
Title: Remote Code Execution Vulnerability in SonicWall Analytics
Vendor: SonicWall
Description: SonicWall Analytics 2.5 On-Prem contains a Java Debug Wire Protocol (JDWP) interface security misconfiguration that potentially leads to remote code execution. This vulnerability impacts Analytics On-Prem 2.5.2518 and earlier.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-20418
Title: Weak Authentication Vulnerability in IBM Security Guardium
Vendor: IBM
Description: IBM Security Guardium 11.2 does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 196279.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)
MOST PREVALENT MALWARE FILES August 19-26, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587
MD5: ec26aef08313a27cfa06bfa897972fc1
VirusTotal: https://www.virustotal.com/gui/file/cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587/details
Typical Filename: 01fd0f9a83cb940bca23fbeea3ecaffcfb4df2ef.vbs
Claimed Product: N/A
Detection Name: Win.Worm.Dunihi::tpd
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af
MD5: 0a13d106fa3997a0c911edd5aa0e147a
VirusTotal: https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details
Typical Filename: mg20201223-1.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos