Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Could SquirrelWaffle fill the spam void left behind by Emotet?

Description: Recently, a new threat, referred to as "SQUIRRELWAFFLE" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and could become the next big player in the spam space. SQUIRRELWAFFLE provides threat actors with an initial foothold onto systems and their network environments that can then be used to facilitate further compromise or additional malware infections depending on how adversaries choose to attempt to monetize their access. In many cases, these infections are also being used to deliver and infect systems with other malware like Qakbot and the penetration-testing tool Cobalt Strike. Let's take a look at how this new threat operates and the volume and characteristics of the malicious email campaigns associated with it. Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future.

Reference: https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html

ClamAV signatures: Doc.Downloader.SquirrelWaffle09210-9895192-0, Xls.Downloader.SquirrelWaffle20921-9895790-0, Xls.Downloader.SquirrelWaffle1021-9903731-0


Title: Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India

Description: Cisco Talos has observed a new campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver a variety of commodity malware to victims. The campaign consists of two phases: A reconnaissance phase that involves a custom file enumerator and infector to the victims and an attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT. The threat actor registered multiple domains with political and government themes. These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts.

Reference: https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html

Snort SIDs: 58356 - 58361

Internet Storm Center Entries


Government officials and private security researchers from multiple countries worked to take down the REvil ransomware group.

https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/


A first-hand account from a New York Times journalist describes his experience with his iPhone being infected with Pegasus spyware.

https://www.nytimes.com/2021/10/24/insider/hacking-nso-surveillance.html


Tesco, a large grocery store chain in the U.K., says its website and app were down for multiple days after an attempted cyber attack.

https://www.bloomberg.com/news/articles/2021-10-24/tesco-hack-attempt-disrupts-u-k-grocer-s-website-for-second-day


Employees at Sinclair Broadcast Group say many television stations are still struggling to perform normal operations a week after a ransomware attack.

https://www.vice.com/en/article/dypg4w/sinclair-workers-say-tv-channels-are-in-pandemonium-after-ransomware-attack


Many non-profit's websites are riddled with ad trackers that gather information about users' interactions with the site and other browsing data.

https://themarkup.org/blacklight/2021/10/21/nonprofit-websites-are-riddled-with-ad-trackers


A Dutch government-sponsored forensics lab says it has decoded Tesla’s driving data storage system.

https://www.reuters.com/business/autos-transportation/dutch-forensic-lab-says-it-has-decoded-teslas-driving-data-2021-10-21/


The largest candy corn manufacturer in the U.S. experienced production issues after a ransomware attack.

https://www.businessinsider.com/ferrara-largest-candy-corn-manufacturer-hacked-2021-10

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-2011

Title: Denial of Service Vulnerability in Juniper Junos

Vendor: Juniper

Description: An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protocol Daemon (RPD) service allows an attacker to send a valid BGP FlowSpec message thereby causing an unexpected change in the route advertisements within the BGP FlowSpec domain leading to disruptions in network traffic causing a Denial of Service (DoS) condition. Continued receipt of these update messages will cause a sustained Denial of Service condition. This issue affects Juniper Networks: Junos OS: All versions prior to 17.3R3-S10 with the exceptions of 15.1X49-D240 on SRX Series and 15.1R7-S8 on EX Series; 17.3 versions prior to 17.3R3-S10; 17.4 versions prior to 17.4R2-S12, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S6; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S3; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R2-S5, 19.3R3-S1; 19.4 versions prior to 19.4R1-S3, 19.4R2-S3, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R1-S3 20.2R2; 20.3 versions prior to 20.3R1-S1, 20.3R2. Junos OS Evolved: All versions prior to 20.3R1-S1-EVO, 20.3R2-EVO.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)


ID: CVE-2021-21783

Title: Remote Code Execution Vulnerability in Genivia

Vendor: Genivia

Description: A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-22931

Title: XSS Vulnerability in Nodejs

Vendor: Nodejs

Description: Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

CVSS v3.0 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-40438

Title: SSRF Vulnerability in Apache Server

Vendor: Apache

Description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVSS v3.1 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3993aa1a1cf9ba37316db59a6ef67b15ef0f49fcd79cf2420989b9e4a19ffc2a

MD5: 3c3046f640f7825c720849aaa809c963

VirusTotal: https://www.virustotal.com/gui/file/3993aa1a1cf9ba37316db59a6ef67b15ef0f49fcd79cf2420989b9e4a19ffc2a/details

Typical Filename: app.exe

Claimed Product: N/A

Detection Name: Auto.3993AA.242356.in02


SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

VirusTotal: https://www.virustotal.com/gui/file/e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762/details

Typical Filename: deps.zip

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos


SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34

MD5: 3f75eb823cd1a73e4c89185fca77cb38

VirusTotal: https://www.virustotal.com/gui/file/d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34/details

Typical Filename: signup.png

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::231945.in02


SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

VirusTotal: https://www.virustotal.com/gui/file/8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2/details

Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG


SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

VirusTotal: https://www.virustotal.com/gui/file/1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6/details

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201