Vol. 21, Num. 39
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 30-October 7, 2021
TOP VULNERABILITY THIS WEEK: Threat actors spread malware by leveraging trust in Amnesty International and fear of Pegasus
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers spread malware disguised as solution for Pegasus spyware
Description: Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. Amnesty International recently made international headlines when it released a groundbreaking report on the widespread use of Pegasus to target international journalists and activists. Adversaries have set up a phony website that looks like Amnesty International’s — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group’s Pegasus tool. However, the download actually installs the little-known Sarwent malware. Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.
Reference: https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html
Snort SIDs: 54357, 57901
Title: SonicWall patches critical vulnerability in remote connect device
Description: SonicWall released a security update for its Secure Mobile Access (SMA) 100 line of devices. The company disclosed a critical vulnerability that could allow unauthenticated attackers to remotely gain admin access on targeted devices. CVE-2021-20034 has a severity score of 9.1 out of a possible 10. The SMA 100 allows remote workers to securely connect to their office’s network and devices. The product recently came under additional scrutiny after SonicWall warned users that attackers were specifically targeting end-of-life versions of the device to spread ransomware attacks.
Reference: https://www.bleepingcomputer.com/news/security/sonicwall-fixes-critical-bug-allowing-sma-100-device-takeover/
Snort SIDs: 58224 - 58226
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A medical malpractice lawsuit alleges that a ransomware attack against an Alabama hospital in 2019 led to a patient’s death.
https://www.govinfosecurity.com/lawsuit-hospitals-ransomware-attack-led-to-babys-death-a-17663
The White House is organizing a meeting of cybersecurity officials from 30 countries to discuss how to combat the recent rise in ransomware and cybercrime.
https://www.reuters.com/world/us/white-house-plans-30-country-meeting-cyber-crime-ransomware-official-2021-10-01/
New cybersecurity protocols for critical infrastructure from the U.S. Transportation Security Administration have some industry officials and analysts concerned that they could interrupt normal operations.
https://www.washingtonpost.com/national-security/cybersecurity-energy-pipelines-ransomware/2021/10/03/6df9cab2-2157-11ec-8200-5e3fd4c49f5e_story.html
A new report shows that cyberattacks against the maritime transportation system grew by 400 percent in 2020.
https://www.atlanticcouncil.org/in-depth-research-reports/report/raising-the-colors-signaling-for-cooperation-on-maritime-cybersecurity/
Information processing company Sandhills Global is experiencing an outage after a ransomware attack.
https://www.bleepingcomputer.com/news/security/sandhills-online-machinery-markets-shut-down-by-ransomware-attack/
Russian authorities have arrested Group-IB founder Ilya Sachkov for alleged high treason.
https://www.bloomberg.com/news/articles/2021-10-02/russian-it-leader-s-treason-case-shows-cyber-impasse-with-u-s
Facebook, Instagram and WhatsApp were knocked offline earlier this week due to an issue with BGP.
https://www.theverge.com/2021/10/4/22709260/what-is-bgp-border-gateway-protocol-explainer-internet-facebook-outage
A new Senate bill would require federal government agencies to disclose any cyberattacks or breaches to Congress and the U.S. Cybersecurity and Infrastructure Security Agency.
https://thehill.com/policy/cybersecurity/575198-senators-introduce-bill-to-strengthen-federal-cybersecurity-after
Google has taken down 200 malicious apps from the Google Play store; the apps had been downloaded 10 million times. Some of the apps are still available in third-party stores.
https://arstechnica.com/gadgets/2021/10/hundreds-of-scam-apps-hit-over-10-million-android-devices/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-26301
Title: Command Injection Vulnerability in ssh2
Vendor: ssh2 project
Description: ssh2 provides SSH client and server modules written in pure JavaScript for Node.js. Versions of ssh2 before 1.4.0 contain a command injection vulnerability that only affects Windows. It may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. The issue is fixed in version 1.4.0.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-12083
Title: Privilege Escalation Vulnerability in Flexera
Vendor: Flexera
Description: An elevated privileges issue related to Spring MVC calls impacts Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).
CVSS v3.0 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-14343
Title: Arbitrary Code Execution in PyYAML
Vendor: PyYAML
Description: PyYAML versions before 5.4 are susceptible to arbitrary code execution when they process untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw, which allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. The flaw is due to an incomplete fix for CVE-2020-1747.
CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
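The mitigation this entry implies, written out as an added example (not code from PyYAML or from the newsletter): untrusted YAML is only ever handed to safe_load / SafeLoader, which does not register the python/object/new constructor, and as defence in depth the raw document is screened for any python-specific tag first, which also gives a point to log rejected input. The helper names are assumptions of this example; the tag syntax is PyYAML's own.

```python
"""Loading YAML from untrusted sources without PyYAML's python/* constructors.

Added example, not part of PyYAML or the @RISK newsletter. The real control is
yaml.safe_load (SafeLoader): it has no constructor for python/object/new, so the
tags abused in CVE-2020-14343 are rejected. The pre-parse screen below is defence
in depth and a convenient hook for logging suspicious documents.
"""
import re

try:
    import yaml  # PyYAML; the screening alone works without it
except ImportError:
    yaml = None

# Short-hand tags (!!python/...) and verbatim tags (!<tag:yaml.org,2002:python/...>).
_PYTHON_TAG = re.compile(r"!!python/\S+|!<tag:yaml\.org,2002:python/[^>]*>")


class UnsafeYamlTag(ValueError):
    """Raised when a document carries a python-specific YAML tag."""


def find_python_tags(text):
    """Return every python-specific YAML tag found in the raw document text."""
    return _PYTHON_TAG.findall(text)


def pyyaml_available():
    return yaml is not None


def load_untrusted_yaml(text):
    """Parse YAML from an untrusted source.

    Refuses documents with python/* tags outright, then parses with SafeLoader
    only. full_load / FullLoader / unsafe_load are never used on this path.
    """
    tags = find_python_tags(text)
    if tags:
        raise UnsafeYamlTag(f"refusing document with python tags: {tags}")
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(text)


if __name__ == "__main__":
    # Constructed sample documents: one plain config, one carrying a benign
    # python/object/new tag (it would only build the string 'hello').
    benign = "service: api\nports: [8080, 8443]\n"
    tagged = "obj: !!python/object/new:str ['hello']\n"
    print(load_untrusted_yaml(benign))
    try:
        load_untrusted_yaml(tagged)
    except UnsafeYamlTag as exc:
        print("rejected:", exc)
```

The regex screen is a heuristic: YAML tag handles declared with a %TAG directive can spell the same tag differently, so the screen must never be the only control. SafeLoader rejects the tag regardless of how it is written, which is why the loader choice, not the filter, is the fix.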
ID: CVE-2021-34345
Title: Buffer Overflow Vulnerability in QNAP Device
Vendor: QNAP
Description: A stack buffer overflow vulnerability has been reported to affect QNAP devices running NVR Storage Expansion. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP has fixed this vulnerability in NVR Storage Expansion 1.0.6 (2021/08/03) and later.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES September 30-October 7, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18
MD5: 830ffb393ba8cca073a1c0b66af78de5
VirusTotal: https://www.virustotal.com/gui/file/6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18/details
Typical Filename: smbscanlocal0902.exe
Claimed Product: N/A
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos
SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c
MD5: 04c1f4395f80a3890aa8b12ebc2b4855
VirusTotal: https://www.virustotal.com/gui/file/fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c/details
Typical Filename: zReXhNb
Claimed Product: N/A
Detection Name: Auto.FAD16599A8.241842.in07.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details
Typical Filename: SqlServerWorks.Runner.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG