BRAINTRACE THREAT ADVISORY REPORT MAY 13, 2021 TABLE OF CONTENTS BACKGROUND ..................................................................................................................................................... 2 ADMIN ACCOUNTS AND COMMANDS EXECUTED AS ROOT BY CISCO BUG ................................................ 2 A NEW QUALCOMM VULNERABILITY ............................................................................................................... 2 CRITICAL 21NAILS EXIM BUGS ........................................................................................................................... 3 CODECOV COVERAGE TOOL HACKED .............................................................................................................. 4 NEW TSUNAME DNS BUG ................................................................................................................................. 4 FIVEHANDS RANSOMWARE ANALYZED BY CISA ............................................................................................ 5 ACTIVE DOUBLEDRAG, DOUBLEDROP, AND DOUBLEBACK MALWARE STRAINS ...................................... 6 BUER MALWARE VARIANT RE-WRITTEN IN E-Z RUST.................................................................................. 9 NEW PINGBACK MALWARE TARGETING WINDOWS ................................................................................... 10 VULNERABILITIES DISCOVERED ACROSS APPLE'S PRODUCT LINES .......................................................... 11 AUTHENTICATION BYPASS VULNERABILITY FOUND IN ASUS ROUTER .................................................... 12 PORTDOOR MALWARE TAKES DOWN RUSSIAN DEFENSE FIRM ................................................................ 12 MORIYA ROOTKIT USED TO BACKDOOR WINDOWS SYSTEMS ................................................................... 14 VPN & CRYPTOCURRENCY CREDENTIALS BEING TARGETED ..................................................................... 14 SIX VULNERABILITIES DISCOVERED WITH REMOTE MOUSE ....................................................................... 15 MILLIONS OF DELL SYSTEMS AT RISK ............................................................................................................ 16 THE LARGEST PIPELINE IN THE US ATTACKED BY DARKSIDE RANSOMWARE ........................................ 16 TWITTER TIP JAR SPARKS PRIVACY CONCERNS .......................................................................................... 17 VULNERABILITIES CURRENTLY EXPLOITED BY RUSSIAN HACKERS .......................................................... 18 POTENTIAL SECURITY THREATS IN RECYCLED PHONE NUMBERS ............................................................ 19 BRAINTRACE.COM CONFIDENTIAL 1 BACKGROUND This report was created to update our clients on up-and-coming vulnerabilities and exploits that our security experts have discovered. Our team works diligently on researching threats and vulnerabilities to provide you with a safer network. If you have any questions, do not hesitate to contact us. ADMIN ACCOUNTS AND COMMANDS EXECUTED AS ROOT BY CISCO BUG Cisco has fixed multiple security flaws that would give remote attackers the ability to execute commands or create rogue admin accounts as a root user. Other security updates have also been released that address high and medium severity vulnerabilities within different software products. Cisco's Incident Response Team has stated that it is not aware of an active exploit in the wild of these different vulnerabilities at this time. Affected Systems ◾ Cisco SD-WAN vManage Software Vulnerability Overview Analysis has found that the attackers do not need to chain them with these vulnerabilities to gain successful exploitation. These bugs can also be exploited in a low complexity attack that does not require user interaction or even authentication. The bugs, however, only affect the software operating in a cluster. Verification of the software running in cluster mode can be done by going to the Cisco SD- WANvManage web-based management interface Administration > Cluster Management view. If these vulnerabilities are left, unaddressed attackers will execute denial of service, escalate privileges, and remotely execute arbitrary code. Recommendation It is recommended that computers and running software are running the current most up-to-date operating systems. The link above will also give customers the location of the appropriate fixed software release upgrade. Patch URL https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage- 4TbynnhZ Reference https://www.bleepingcomputer.com/news/security/cisco-bugs-allow-creating-admin-accounts- executing-commands-as-root/ A NEW QUALCOMM VULNERABILITY A new vulnerability is discovered in Qualcomm's Mobile Station Modem (MSM) chips. They have an ongoing series of 2G/3G/4G/5G systems based on these chips. These chips (SoCs) are used by more than 40% of mobile phone companies. Some of them include big names like Google, Samsung, OnePlus, BRAINTRACE.COM CONFIDENTIAL 2 LG, and Xiaomi. Hackers often target MSM because they are trying to find a way to remotely execute malicious actions. One of the ways how attackers can access the modem is the Qualcomm MSM Interface (QMI). QMI is a protocol that is used for communication between modem software and external subsystems. Affected Systems ◾ Android Vulnerability Overview Some of the malicious activities that a bad actor could execute are accessing text messages, call history, and listening to their conversations. Attackers could also inject malicious and invisible code on the victim's device and unlock the subscriber identification module (SIM). This is where authentication information is saved. Recommendation It is recommended to update the newest patched versions of the Android software to prevent possible future exploitations. Patch URL https://www.qualcomm.com/company/product-security/bulletins Reference https://www.bleepingcomputer.com/news/security/qualcomm-vulnerability-impacts-nearly-40- percent-of-all-mobile-phones/ CRITICAL 21NAILS EXIM BUGS The Qualys Research Team reported vulnerabilities in the Exim mail server. Exim is free software that is used on Unix-like operating systems. It is also pre-installed on Linux. Researchers published that Exim is used by 60% of internet servers, and it is also the world's most popular MTA. Mail transfers are an easy target for malicious actors. Once they gain access, they can change private email settings. Exim was last year already a victim of a cyber-attack by the sandworm team. BinaryEdge published that more than 3,564,945 Exim mail servers are using the vulnerable version. Affected Systems ◾ Exim 4.94.2 Vulnerability Overview This Exim mail transfer agent (MTA) software vulnerability allows malicious actors to execute remote attacks with arbitrary code. This will enable them high root privilege. Ten of these vulnerabilities are remotely exploitable, and eleven locally. When these vulnerabilities are combined, they allow hackers to take complete control. Some of the actions that could be executed are installing programs, data modification, and creating new accounts. BRAINTRACE.COM CONFIDENTIAL 3 Recommendation It is recommended that all Exim users upgrade to the newest Exim version. This will prevent future attacks from exploiting vulnerabilities. Patch URL http://exim.org/mirrors.html Reference https://www.bleepingcomputer.com/news/security/critical-21nails-exim-bugs-expose-millions-of- servers-to-attacks/ CODECOV COVERAGE TOOL HACKED An application can contain millions of lines of code, and if the code is not reviewed, there may be possibilities that the code can be vulnerable to exploitation. Codecov is a company that has a tool that measures the code coverage of a company's source code of an application. Code coverage is a software testing technique that stress tests the amount of code contained in an application. Codecov's tool has been hacked by modifying a Bash Uploader script. Affected Systems ◾ Codecov clients using their Codecov coverage tool. Vulnerability Overview The Bash Uploader script is used as data collection for the code coverage reports of the customers of Codecov. The researchers found that the hackers modified this code around the end of January 2021, and the modification would send the customer details to the hackers. The change to this code could have sent credentials, tokens, and even git remote information of repositories. It was possible this had to do with an error with the Docker image creation, and that the credentials to the Bash Uploader script can be extracted. Recommendation Update credentials, tokens, or keys that were present in the environment variables. Verify code at line 525 for modification, and please see the article for an example of the script. Reference https://www.bleepingcomputer.com/news/security/popular-codecov-code-coverage-tool-hacked- to-steal-dev-credentials/ NEW TSUNAME DNS BUG Domain Name System is required for every page visit. It is also an attractive target for malicious actors. Researchers from SIDN Labs, InternetNZ, the Information Science Institute at the University of Southern BRAINTRACE.COM CONFIDENTIAL 4 California discovered a new domain name server (DNS) vulnerability named TsuNAME. This vulnerability is used for DDoS distribution. Google Public DNS and Cisco OpenDNS have already updated their software. This bug does not impact unbound, BIND, and KnotDNS. Affected Systems ◾ DNS Vulnerability Overview The TsuNAME