Rewterz Informative Update – DirtyMoe Botnet Infects 100,000+ Systems in First Half of 2021

Severity

High

Analysis Summary

CVE-2021-1306

DirtyMoe (a.k.a. PurpleFox, NuggetPhantom, and Perkiler) has increased its operations by 900% since 2020. While the botnet infected only 10,000 computers in 2020, it has infected 100,000 in the first half of 2021 alone.

The botnet is a complex piece of malware designed as a modular system. The group behind it has been active since 2017, initially using it mainly for cryptocurrency mining; in 2018 the botnet was also used to cause DDoS conditions. The group uses CVE-2020-0674, a scripting engine memory corruption vulnerability, among many others to deliver the DirtyMoe rootkit.

The botnet has now evolved to spread over the internet to other Windows systems.


“Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise”

The number of infected devices may also be far greater than the reported figure. As the C2 servers involved in the attacks are located in China, this suggests that the threat actors behind DirtyMoe are sophisticated experts.

Impact

  • Distributed Denial of Service (DDoS)
  • Credential Theft
  • Data Theft
  • Unauthorized Access

Affected Vendors

Cisco

Affected Products

  • Cisco EPN Manager Earlier than 5.0.1
  • Cisco ISE Earlier than Release 2.6 Patch10
  • Cisco ISE Earlier than Release 2.7 Patch4
  • Cisco ISE Earlier than Release 3.0 Patch2
  • Cisco ISE Earlier than Release 3.1
  • Cisco Prime Infrastructure Releases 3.5 and later
  • Cisco Prime Infrastructure Earlier than Release 3.8.1 Update 2
  • Cisco Prime Infrastructure Earlier than Release 3.9.0

Remediation

  • Closely monitor Windows systems for suspicious activity.
  • Keep devices and systems patched.
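As an added example (not code from this advisory or from the Avast write-up it cites), the monitoring step above can be made concrete for the SMB password brute-force vector the advisory mentions: a check over Windows Security failed-logon events that flags a source exceeding a failure threshold within a sliding window and notes whether a successful network logon followed. The log line format, IP addresses, account names, threshold and window are all constructed for the example.

```python
# Added example (not from the Rewterz advisory or the Avast write-up): flag
# network-logon brute force, the DirtyMoe SMB vector, from Windows Security
# events. Log lines are a constructed, simplified form of Event 4625/4624 fields.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.15 hammers three accounts, then logs on successfully.
SAMPLE_EVENTS = """\
2021-06-20T10:00:01 EventID=4625 LogonType=3 IpAddress=10.0.0.15 TargetUserName=administrator
2021-06-20T10:00:02 EventID=4625 LogonType=3 IpAddress=10.0.0.15 TargetUserName=administrator
2021-06-20T10:00:03 EventID=4625 LogonType=3 IpAddress=10.0.0.15 TargetUserName=admin
2021-06-20T10:00:04 EventID=4625 LogonType=3 IpAddress=10.0.0.15 TargetUserName=guest
2021-06-20T10:00:05 EventID=4625 LogonType=3 IpAddress=10.0.0.15 TargetUserName=administrator
2021-06-20T10:00:06 EventID=4624 LogonType=3 IpAddress=10.0.0.15 TargetUserName=administrator
2021-06-20T10:00:30 EventID=4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=alice
2021-06-20T10:05:00 EventID=4625 LogonType=3 IpAddress=10.0.0.42 TargetUserName=bob
"""

def parse_event(line):
    ts, *fields = line.split()               # "ts key=value key=value ..."
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """{ip: summary} for sources with >= threshold failed network logons (4625,
    LogonType 3) inside any sliding window; events are assumed chronological."""
    failures = defaultdict(list)   # ip -> timestamps of failed logons
    users = defaultdict(set)       # ip -> distinct accounts tried
    success_after = set()          # ips with a 4624 after earlier failures
    for ev in map(parse_event, log_text.splitlines()):
        if ev["LogonType"] != "3":
            continue               # only network logons are SMB-relevant
        ip = ev["IpAddress"]
        if ev["EventID"] == "4625":
            failures[ip].append(ev["ts"])
            users[ip].add(ev["TargetUserName"].lower())
        elif ev["EventID"] == "4624" and failures[ip]:
            success_after.add(ip)  # success after failures: likely cracked
    alerts = {}
    for ip, stamps in failures.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1         # slide the window forward
            if end - start + 1 >= threshold:
                alerts[ip] = {"failures": len(stamps), "accounts": sorted(users[ip]),
                              "cracked": ip in success_after}
                break
    return alerts
```

A source flagged with `"cracked": True` (failures followed by a successful network logon) is the case that warrants immediate isolation and credential rotation rather than just a ticket.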

For more updates, visit https://decoded.avast.io/martinchlumecky/dirtymoe-1/#ref