Please see Security Advisories for the week ending May 7, 2021
- CISA Releases Analysis Reports on New FiveHands Ransomware
- Cisco Releases Security Updates for Multiple Products
- Mozilla Releases Security Updates for Firefox
- Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR Activity
- VMware Releases Security Update
- Multiple Vulnerabilities in Exim Disclosed
- Samba Releases Security Updates
- Apple Releases Security Updates
- Xen Advisory - x86 Vulnerabilities
________________________________
CISA Releases Analysis Reports on New FiveHands Ransomware
Situation
CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant, known as FiveHands.
Problem
A successful cyberattack against an organization that has not been named deployed the FiveHands ransomware alongside several tactics and tools to steal information, obfuscate files, and demand ransom. The attackers used a zero-day vulnerability as the initial access vector, SoftPerfect Network Scanner and netscan for network discovery, and SombRAT to invoke PowerShell scripts that bypassed anti-malware controls and achieved obfuscation by modifying artifacts to masquerade as system processes and security tools.
Implication
A remote attacker could use this combination of initial access vector and tooling to take control of affected systems, exfiltrate data, and extort the victim organization.
Need
CISA encourages organizations to review AR21-126A and MAR-10324784.r1.v1 for information about the tactics and tools used in this attack and steps for detection, analysis, containment, and eradication of ransomware.
For a brief overview:
For a more technical overview:
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
Problem
The security updates released by Cisco cover the following products:
- Cisco SD-WAN Software (multiple vulnerabilities)
- Cisco HyperFlex HX (command injection vulnerabilities)
- Cisco SD-WAN Software vDaemon (denial-of-service vulnerability)
- Cisco SD-WAN vEdge Software (buffer overflow vulnerabilities)
- Cisco SD-WAN vManage Software (authentication bypass vulnerability)
- Cisco Small Business 100, 300, and 500 Series Wireless Access Points
- Cisco Enterprise NFV Infrastructure Software (command injection vulnerabilities)
- Cisco Unified Communications Manager IM & Presence Service (SQL injection vulnerabilities)
- Cisco AnyConnect Secure Mobility Client for Windows (DLL and executable hijacking vulnerabilities)
Implication
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the Cisco advisories listed on the Cisco Security Advisories page and apply the necessary updates.
For a brief overview:
For a more technical overview:
https://tools.cisco.com/security/center/publicationListing.x
________________________________
Mozilla Releases Security Updates for Firefox
Situation
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox for Android.
Problem
An attacker could exploit some of the fixed vulnerabilities to take control of an affected system.
Implication
Failure to patch systems could result in loss of control of affected systems.
Need
Mozilla advises updating to Firefox 88.0.1 and Firefox for Android 88.1.3.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/05/06/mozilla-releases-security-updates-firefox
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-20/
________________________________
Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR Activity
Situation
The Cybersecurity and Infrastructure Security Agency (CISA) has joined the United Kingdom's National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) in releasing a Joint Cybersecurity Advisory on the tactics, techniques, and procedures of the Russian Foreign Intelligence Service (SVR, also tracked as APT29 and Cozy Bear).
Problem
The joint advisory details the vulnerabilities the SVR is exploiting and the techniques it uses in attempts to compromise targeted networks. It also provides mitigations, both general and tailored to each technique, to help network defenders protect against this activity.
The SVR has been targeting cloud resources, particularly e-mail, to obtain information; one example is its exploitation of Microsoft Office 365 environments after gaining network access through modified SolarWinds software. Targeting cloud resources probably reduces the likelihood of detection: by using compromised accounts or system misconfigurations, the actors blend in with normal or unmonitored traffic in an environment that the victim organization does not defend, monitor, or understand well. Because the SVR rapidly moves to exploit newly disclosed vulnerabilities, the advisory stresses that network defenders should patch systems promptly after CVE announcements for the products they manage.
Implication
SVR actors may use multiple vulnerabilities or other exploitation techniques to gain access to commercial, government, and technology services, establishing initial access and positioning themselves to execute further attacks.
Need
CISA strongly encourages users and administrators to review the joint advisory, as well as the other advisories summarized on the fact sheet, for mitigation strategies to help organizations secure their networks against Russian SVR activity.
For a brief overview:
https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors
Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise
________________________________
VMware Releases Security Update
Situation
VMware has released security updates to address a vulnerability (CVE-2021-21984) in VMware vRealize Business for Cloud.
Problem
A remote code execution vulnerability in VMware vRealize Business for Cloud was privately reported to VMware, and updates are available to remediate it. A malicious actor with network access may exploit this issue to achieve unauthorized remote code execution on the vRealize Business for Cloud Virtual Appliance.
Implication
Failure to patch could result in loss of control of affected systems and compromise of system and network integrity.
Need
VMware has released security updates for VMware vRealize Business for Cloud; upgrade to the latest version to ensure that you are protected.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/05/06/vmware-releases-security-update
For a more technical overview:
https://www.vmware.com/security/advisories/VMSA-2021-0007.html
________________________________
Multiple Vulnerabilities in Exim Disclosed
Situation
Qualys has disclosed twenty-one vulnerabilities in Exim.
Problem
While Qualys has not provided details of working exploits, it has provided proof-of-concept code. All versions of Exim released since 2004 are considered vulnerable. Among the most severe vulnerabilities, three could allow remote code execution and four could allow root privilege escalation. In total, eleven of the vulnerabilities are locally exploitable and ten are remotely exploitable.
Implication
An attacker could exploit these vulnerabilities to take control of an affected system.
Need
Qualys also notes that an updated version of Exim (4.94.2) has been released, rendering all previous versions obsolete. All deployments of Exim should be updated to version 4.94.2 or later.
For a more technical overview:
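The fixed release named above is easy to misread from a running server, because the first line of `exim -bV` carries a local build number after a `#` that is not a patch level: `Exim version 4.94 #2` is build 2 of 4.94, not 4.94.2. The following Python is an added example, not code from the Qualys advisory or the Exim project; it parses `exim -bV` output and flags hosts that are below 4.94.2. The host names and version lines are constructed samples, not captured from real systems.

```python
import re

# Minimum fixed release named in the advisory.
EXIM_FIXED = (4, 94, 2)

# Matches the first line printed by `exim -bV`, e.g.
#   "Exim version 4.94.2 #2 built 31-Mar-2021 13:16:00"
# The "#N" after the version is a local build number, not a patch level,
# so it is deliberately not captured.
_VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?\s*(?:#\d+)?")


def parse_exim_version(bv_output):
    """Return (major, minor, patch) from `exim -bV` output, or None if unparseable."""
    stripped = bv_output.strip()
    first = stripped.splitlines()[0] if stripped else ""
    m = _VERSION_RE.match(first)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def exim_is_patched(bv_output):
    """True if the reported version is at least 4.94.2."""
    v = parse_exim_version(bv_output)
    return v is not None and v >= EXIM_FIXED


# Constructed sample outputs (hypothetical host names, not captured from real hosts).
SAMPLES = {
    "web1": "Exim version 4.94.2 #2 built 31-Mar-2021 13:16:00\n"
            "Copyright (c) University of Cambridge, 1995 - 2020\n",
    "mx1":  "Exim version 4.94 #2 built 20-Jun-2020 09:42:11\n",   # build 2 of 4.94: still vulnerable
    "mx2":  "Exim version 4.92 #3 built 04-Jul-2019 12:38:23\n",
    "bad":  "exim: command not found\n",                          # unparseable: treated as unfixed
}


def audit(samples):
    """Return the sorted names of hosts that are not on a fixed release."""
    return sorted(name for name, out in samples.items() if not exim_is_patched(out))


if __name__ == "__main__":
    fixed = ".".join(map(str, EXIM_FIXED))
    for host in audit(SAMPLES):
        print(f"{host}: Exim needs upgrade to {fixed} or later")
```

Unparseable output is reported as unfixed on purpose: a host where `exim -bV` fails is one you cannot vouch for, and it is cheaper to inspect it than to silently pass it.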
________________________________
Samba Releases Security Updates
Situation
Samba has released security updates to address a vulnerability affecting multiple versions of Samba.
Need
Users and administrators should review the Samba security release notes for their version and apply the necessary updates.
________________________________
Apple Releases Security Updates
Situation
Apple has released security updates to address vulnerabilities in multiple products.
Problem
The updates are macOS Big Sur 11.3.1, iOS 14.5.1 and iPadOS 14.5.1, iOS 12.5.3, and watchOS 7.4.1. The vulnerabilities they address include integer overflow, buffer overflow, memory corruption, and use-after-free memory management issues.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected device.
Need
CISA encourages administrators and end users to review the Apple security updates page for their respective product(s) and apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/05/04/apple-releases-security-updates
________________________________
Xen Advisory - x86 Vulnerabilities
Situation
32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approach, so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems, and the availability of explicit hardware support for virtualization, fixing speculation issues in ring 1 is not a priority for processor companies.
Problem
All versions of Xen are affected. Only x86 systems are vulnerable, and only on CPUs that are potentially vulnerable to Spectre v2; consult your hardware manufacturer.
The vulnerability can only be exploited by 32-bit PV guests that are not run under PV shim.
Implication
A malicious 32-bit PV guest kernel may be able to mount a Spectre v2 attack against Xen despite hardware protections being active.
It might therefore be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Need
Running 32-bit PV guests under PV shim avoids the vulnerability when Spectre v2 protections are otherwise enabled on the system.
PV shim is available and fully security-supported in all security-supported versions of Xen; using shim is the recommended configuration.
Not running 32-bit PV guests at all also avoids the vulnerability.
For a brief overview:
https://xenbits.xen.org/xsa/advisory-370.html
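The shim recommendation above is an xl.cfg setting: `pvshim = 1` on a PV domain boots its kernel inside a PVH container. The Python below is an added example, not code from the Xen project or from the advisory; it parses a minimal subset of xl domain configuration files and lists PV guests that do not set pvshim. A configuration file does not reveal whether the guest kernel is 32-bit, so it conservatively reports every unshimmed PV guest and leaves it to the reader to exclude 64-bit ones. The domain names and configurations are constructed samples, and the parser handles only the simple `key = value` form rather than the full xl.cfg grammar.

```python
def _parse_value(raw):
    """Turn the right-hand side of an xl.cfg `key = value` line into a str or int."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        # Quoted string: take up to the matching quote so a '#' inside is kept.
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    raw = raw.split("#", 1)[0].strip()   # drop a trailing comment
    try:
        return int(raw, 0)
    except ValueError:
        return raw                        # lists and other values stay as text


def parse_xl_cfg(text):
    """Parse `key = value` lines of an xl domain config into a dict (assumption: no multi-line values)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        key = key.strip()
        if key.isidentifier():
            cfg[key] = _parse_value(raw)
    return cfg


def _is_true(value):
    """xl.cfg booleans are 0/1; also accept true/yes spellings to be lenient (assumption)."""
    if isinstance(value, int):
        return value != 0
    return str(value).strip().lower() in ("1", "true", "yes")


def is_pv_guest(cfg):
    """`type` defaults to "pv" when absent; older configs used builder = "hvm" for HVM guests."""
    if str(cfg.get("builder", "generic")).lower() == "hvm":
        return False
    return str(cfg.get("type", "pv")).lower() == "pv"


def unshimmed_pv_guests(configs):
    """Return the sorted names of PV guest configs that do not set pvshim = 1."""
    flagged = []
    for name, text in configs.items():
        cfg = parse_xl_cfg(text)
        if is_pv_guest(cfg) and not _is_true(cfg.get("pvshim", 0)):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample domain configs (hypothetical names and paths).
SAMPLE_CONFIGS = {
    "legacy32": '''
# 32-bit PV guest, implicit type = "pv", no shim: affected by XSA-370
name = "legacy32"
kernel = "/var/lib/xen/images/vmlinuz-i686"
memory = 512
vcpus = 1
disk = [ "phy:/dev/vg0/legacy32,xvda,w" ]
''',
    "legacy32-shim": '''
name = "legacy32-shim"
type = "pv"
pvshim = 1            # boots the PV kernel inside a PVH container
kernel = "/var/lib/xen/images/vmlinuz-i686"
memory = 512
''',
    "win": '''
name = "win"
type = "hvm"
memory = 4096
''',
}


if __name__ == "__main__":
    for name in unshimmed_pv_guests(SAMPLE_CONFIGS):
        print(f"{name}: PV guest without pvshim = 1; add the setting or confirm the kernel is 64-bit")
```

To use it against a real host, read each file under the directory where your xl configs live into the dict in place of SAMPLE_CONFIGS; the check is intentionally conservative, so a flagged 64-bit PV guest is a false positive to dismiss after verifying the kernel it boots.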
_____________________