Vol. 21, Num. 37
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 16-23, 2021
TOP VULNERABILITY THIS WEEK: Turla deploys new malware to keep a secret backdoor on victim machines
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: High-profile Russian APT develops new backdoor tool
Description: Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware. The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service “Windows Time Service”, like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator.
Reference: https://blog.talosintelligence.com/2021/09/tinyturla.html
ClamAV signature: Win.Trojan.Turla-9891506-1
Cisco Secure OSQuery: https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_tinyturla_registry_persistence.yaml
Title: Microsoft releases updated protection for OMIGOD vulnerabilities
Description: Microsoft updated its patches for the so-called “OMIGOD” vulnerabilities in Open Management Infrastructure. The most severe vulnerability, CVE-2021-38647, could allow an attacker to remotely execute code. The three others (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) could allow an adversary to obtain higher-level privileges on the targeted machine. Microsoft first disclosed these vulnerabilities last week as part of its monthly Patch Tuesday. However, security researchers found that some Linux machines could still be attacked using these exploits, prompting Microsoft to release updated guidance.
Reference: https://searchsecurity.techtarget.com/news/252506937/Microsoft-details-OMIGOD-Azure-vulnerability-fixes-threats
Snort SID: 58169
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
COVID-19 testing information was left unprotected on the Walgreens website, exposing test results, names, addresses and emails.
https://www.vox.com/recode/22623871/walgreens-covid-test-site-data-vulnerability
Apple officially released iOS 15 this week; the newest version of the mobile operating system includes several new privacy and security features.
https://www.fastcompany.com/90673312/ios-15-iphone-privacy-security-features
Customer experience firm TTEC was hit with a ransomware attack last week, affecting major customers such as Verizon and Bank of America.
https://www.zdnet.com/article/ttec-hit-with-ransomware-attack-hampering-work-for-major-clients/
Many organizations are adopting a new “Security.txt” framework to include easy-to-access information on their website informing researchers of how they can report security issues and vulnerabilities.
https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/
The U.S. is reportedly developing new sanctions to prevent ransomware actors from collecting cryptocurrencies as a form of ransom payments.
https://www.wsj.com/articles/u-s-to-target-crypto-ransomware-payments-with-sanctions-11631885336
A ransomware attack on a farm cooperative in Iowa could impact the food supply chain.
https://www.cyberscoop.com/blackmatter-new-cooperative-ransomware-iowa/
Threat actors are using the encrypted messaging app Telegram to buy and sell stolen data and new hacking tools.
https://arstechnica.com/information-technology/2021/09/telegram-emerges-as-new-dark-web-for-cyber-criminals/
Police in Europe arrested more than 100 individuals allegedly involved in laundering millions of euros made through cybercrime.
https://www.vice.com/en/article/5dbvx3/police-announce-huge-bust-of-mafias-cyber-crime-operations
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-10683
Title: XXE Vulnerability in dom4j library
Vendor: dom4j, Oracle and multiple other vendors
Description: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-33204
Title: Arbitrary Code Execution Vulnerability in PG Partition Manager
Vendor: pgxn
Description: In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-38173
Title: Command Injection Vulnerability in BTRbk
Vendor: Digint
Description: Btrbk before 0.31.2 allows command execution because the ssh_filter_btrbk.sh script, used in authorized_keys to filter the SSH commands that remote hosts may run, mishandles those commands.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-37608
Title: Unrestricted File Upload Vulnerability in Apache OFBiz
Vendor: Apache
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES September 16-23, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18
MD5: 830ffb393ba8cca073a1c0b66af78de5
VirusTotal: https://www.virustotal.com/gui/file/6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18/details
Typical Filename: smbscanlocal0902.exe
Claimed Product: N/A
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details
Typical Filename: VID[1].dat
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c
MD5: 04c1f4395f80a3890aa8b12ebc2b4855
VirusTotal: https://www.virustotal.com/gui/file/fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c/details
Typical Filename: zReXhNb
Claimed Product: N/A
Detection Name: Auto.FAD16599A8.241842.in07.Talos