Notable Recent Security Issues

  • 40 high-severity vulnerabilities included in June’s Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder are considered “moderate.” The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a near-maximum severity score of 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to the NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSv4.1 and restart the NFS server or reboot the machine. Microsoft SharePoint Server contains a remote code execution vulnerability, CVE-2022-30157, with a severity score of 8.8.

References: https://blog.talosintelligence.com/2022/06/microsoft-patch-tuesday-for-june-2022.html

Snort SIDs: 59967, 59968, 59971 and 59972

Snort 3 SIDs: 300201 and 300202

  • Symbiote malware can remain undetected on Linux machines

Description: A new Linux malware that can go undetected on infected machines is being used to target the financial sector in Latin America. Once the “Symbiote” malware infects a machine, it hides itself, making infections hard to detect. If successful, the malware provides a backdoor for the threat actor and allows them to log in as any user on the machine with a hardcoded password. They can also execute arbitrary code on the infected machine with the highest privileges. Because of its stealth, security researchers do not know how widespread the campaign currently is and are unsure whether it can even be detected by conventional security software.

References: https://therecord.media/linux-malware-symbiote-used-to-attack-latin-american-financial-sector/

Snort SIDs: 59957, 59958

Interesting News from Around The Security Community

  • A vulnerability in Tesla’s NFC cards could give an attacker their own personal key to affected cars through a Bluetooth Low Energy attack.

https://arstechnica.com/information-technology/2022/06/hackers-out-to-steal-a-tesla-can-create-their-very-own-personal-key/

  • A proposed bill in Canada would give the country’s federal government more power to compel companies in certain sectors to improve their cybersecurity capabilities.

https://www.cbc.ca/news/politics/cyberattacks-bill-1.6487826

  • iOS 16 for iPhone devices will include standalone, automatic security updates that will not require users to install a new version of the operating system.

https://www.macrumors.com/2022/06/06/ios-16-security-fixes-automatic/

  • The recent Conti ransomware attack against the Costa Rican government highlights a new phase of ransomware campaigns targeting national governments.

https://www.wired.com/story/costa-rica-ransomware-conti/

  • Attackers are actively targeting Microsoft Exchange Servers to spread the BlackCat ransomware.

https://www.techradar.com/news/microsoft-exchange-servers-are-being-hacked-to-deploy-ransomware

  • Microsoft fixed the high-profile Follina vulnerability this month as part of its cumulative Windows Updates.

https://www.bleepingcomputer.com/news/security/microsoft-patches-actively-exploited-follina-windows-zero-day/

Recent Vulnerabilities with Available Exploits

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-34079

  • OS Command injection vulnerability in Mintzo Docker-Tester

Description: docker-tester starts a testing environment from a docker-compose file and verifies that it is up before running tests.

Affected versions of this package are vulnerable to Command Injection via shell meta-characters in the ‘ports’ entry of a crafted docker-compose.yml file.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-34080

  • OS Command Injection vulnerability in es128 ssl-utils

Description: ssl-utils is a Node.js utility for SSL certificates using OpenSSL (generating, verifying, etc.).

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-34082

  • OS Command Injection vulnerability in allenhwkim proctree

Description: proctree retrieves or displays a process tree.

OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-34084

  • OS command injection vulnerability in Turistforeningen node-s3-uploader

Description: s3-uploader is a flexible and efficient tool for image resizing, renaming, and upload to Amazon S3 disk storage. It uses the official AWS Node SDK, im-resize, and im-metadata for image processing.

OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Most Prevalent Malware Files June 9-16, 2022

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049

MD5: 067f9a24d630670f543d95a98cc199df

VirusTotal: https://www.virustotal.com/gui/file/b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049/details

Typical Filename: RzxDivert32.sys

Claimed Product: WinDivert 1.4 driver

Detection Name: W32.B2EF49A10D-95.SBX.TG

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201

The information contained in this newsletter, including any external links, is provided “AS IS,” with no express or implied warranty, for informational purposes only. Original information comes from the SANS Institute.
