SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Operation: ArmorPiercer hits Indian subcontinent
Description: Cisco Talos recently discovered a malicious campaign we’re calling “Operation: ArmorPiercer” targeting government employees and military personnel in the Indian subcontinent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents and archives (RARs, ZIPs) containing loaders for the RATs. This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to achieve comprehensive control over the infected systems. It is also highly likely that these malware families establish footholds into the victim's networks to deploy additional plugins and modules.
Reference: https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html
Snort SIDs: 58115 - 58119
Title: Proof-of-concept code in the wild for remote code execution vulnerability in VMWare vCenter
Description: A remote code execution vulnerability for VMWare vCenter is circulating on the internet and actively being exploited in the wild. CVE-2021-22005 can allow an attacker to open a reverse shell on a vulnerable server, allowing them to remotely execute arbitrary code. VCenter is a server virtualization management platform that allows users to manage VMs and containers. Working proof-of-concept code became available online Tuesday, Sept. 28. VMWare disclosed this vulnerability and patched it last week. This vulnerability is considered critical, with a CVSS severity score of 9.8 out of a possible 10.
Reference: https://threatpost.com/working-exploit-vmware-vcenter-cve-2021-22005/175059/
Snort SID: 58217 - 58219