Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft discloses 64 new vulnerabilities in monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company's hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. September's security update features five critical vulnerabilities, 10 fewer than were included in last month's Patch Tuesday. There are two moderate-severity vulnerabilities in this release, as well as a low-severity issue that has already been patched as part of a recent Google Chromium update. The remainder are considered "important." The most serious vulnerability, CVE-2022-34718, exists in several versions of Windows Server and Windows 10 and could allow an attacker to achieve remote code execution (RCE) by sending a single, specially crafted IPv6 packet to a Windows node; it only affects systems that have IPsec enabled. This vulnerability has a severity score of 9.8 out of 10 and is rated "more likely" to be exploited by Microsoft. CVE-2022-34721 and CVE-2022-34722 also have severity scores of 9.8, though Microsoft rates them "less likely" to be exploited. These are remote code execution vulnerabilities in the Windows Internet Key Exchange (IKE) protocol extension that could be triggered by a specially crafted IP packet.
References: https://blog.talosintelligence.com/2022/09/microsoft-patch-tuesday-for-september.html
Snort 3 SIDs: 300266 - 300270


Title: Lazarus APT deploying three trojans in attacks against users in North America
Description: Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, which the United States government attributes to North Korea. This campaign exploited vulnerabilities in VMware Horizon to gain an initial foothold in targeted organizations. Targets include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign's goal is to infiltrate organizations, establish long-term access and subsequently exfiltrate data of interest to the adversary's nation-state. Talos has discovered two known malware families in these intrusions, VSingle and YamaBot, as well as a recently disclosed implant Talos is calling "MagicRAT."
References: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Snort SIDs: 60465, 60466

Internet Storm Center Entries


The former head of security at Twitter testified in front of Congress Tuesday, following up on reports he made public that the social media company is not doing enough to protect user data.
https://www.washingtonpost.com/technology/2022/09/13/twitter-whistleblower-peiter-zatko-testifies/

Montenegro’s government continues to grapple with a cyber attack from a suspected Russian state-sponsored actor, putting the country’s essential infrastructure at high risk.
https://www.nbcnews.com/tech/security/montenegro-wrestles-massive-cyberattack-russia-blamed-rcna47277

Recent attacks against NATO member nations have highlighted that the “attack on one is an attack on all” motto may not apply in cyberspace.
https://www.npr.org/2022/09/13/1122621461/examining-2-recent-cyberattacks-against-nato-members

The Los Angeles Unified School District is still returning to capacity after a ransomware attack during the opening week of classes. The district was reportedly warned of a potential threat in 2021, when it narrowly avoided a similar attack.
https://www.theverge.com/2022/9/9/23344349/lausd-warned-ransomware-threat-trickbot

A cyber attack on IHG Hotels & Resorts — the parent company of several popular hotel chains — briefly halted users’ ability to log into their loyalty accounts and book reservations.
https://www.cpomagazine.com/cyber-security/cyber-attack-on-ihg-impacted-hotel-booking-system-and-mobile-apps-exposes-unknown-quantity-of-data-causes-extended-system-outage/

Patreon, a popular platform for supporting content creators, laid off a portion of its security engineering team last week.
https://gizmodo.com/patreon-layoffs-1849516408

The U.S. federal government seized $30 million worth of cryptocurrency the Lazarus Group APT originally stole from the popular online game Axie Infinity.
https://www.reuters.com/technology/us-seizes-30-mln-crypto-north-korea-linked-hackers-2022-09-08/

One of Ukraine’s largest cell phone service providers continues to withstand a barrage of cyber attacks from Russian state-sponsored actors while also having to defend some of its towers from physical attacks.
https://www.politico.com/news/2022/09/07/hackers-ukraine-telecom-00055060

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-22669

Title: SQL injection bypass vulnerability in ModSecurity owasp-modsecurity-crs 3.2.0

Description: ModSecurity with owasp-modsecurity-crs 3.2.0 (at Paranoia Level 1, PL1) has a SQL injection bypass vulnerability. Attackers can use SQL comment characters and variable assignments in the SQL syntax to evade the ModSecurity WAF rules and carry out SQL injection attacks against the web applications behind it.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
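A WAF rule-set bypass like the one above is a reminder that signature filtering in front of an application is defense in depth, not the control that prevents injection. The following is an added example (not code from the CVE, ModSecurity or the CRS project) showing, against an in-memory SQLite table constructed here, how a comment-obfuscated payload slips past a toy spaced-keyword signature and still injects into a string-built query, while the same input is inert when bound as a parameter. The payload string and the naive_waf() check are illustrative assumptions; they are not the specific strings used to bypass CRS 3.2.0.

```python
import sqlite3

# Constructed payload in the style the advisory describes: SQL comment
# characters (/**/) stand in for whitespace so a pattern that expects
# "OR 1=1" with spaces does not match. Assumption: illustrative only, not
# the exact bypass reported against CRS 3.2.0.
PAYLOAD = "x'/**/OR/**/1=1--"


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def naive_waf(value: str) -> bool:
    """Toy signature that only recognises the spaced form of the tautology.
    Returns True when the request would be blocked."""
    return " or 1=1" in value.lower()


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: user input is spliced into the statement text, so comment
    characters become part of the SQL grammar and the quote is closed early."""
    sql = f"SELECT secret FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the input travels as a bound value and can never be parsed
    as syntax, regardless of what the WAF in front of the app lets through."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT secret FROM users WHERE username = ?", (username,)
        )
    ]


if __name__ == "__main__":
    db = make_db()
    print("blocked by toy signature (spaced):", naive_waf("x' OR 1=1--"))
    print("blocked by toy signature (comments):", naive_waf(PAYLOAD))
    print("concatenated query returns:", lookup_concat(db, PAYLOAD))
    print("parameterised query returns:", lookup_param(db, PAYLOAD))
```

The concatenated lookup hands back every secret in the table for the comment-laden payload, and the toy signature never fires on it; the parameterised lookup returns nothing for the same string. Fix the query construction first, then treat WAF rules as an extra layer whose bypasses you expect to read about.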


ID: CVE-2020-10735

Title: Denial-of-service vulnerability in Python int() parsing for non-binary bases

Description: A flaw was found in Python. Converting a string to an integer with int("text") in a non-power-of-two base (including the default base 10) runs in time quadratic in the number of digits: parsing a string of 100,000 digits takes about 50 ms and a string of 1,000,000 digits about 5 s. float, decimal, int.from_bytes(), and int() for the binary bases 2, 4, 8, 16 and 32 are not affected. An attacker who controls such input can tie up the interpreter; the highest threat from this vulnerability is to system availability.

CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
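The fix CPython shipped for this issue is an interpreter-wide cap on the number of digits in str-to-int and int-to-str conversions for non-power-of-two bases (sys.set_int_max_str_digits(), default 4300, present in 3.11 and in the 3.7 to 3.10 security backports). The following is an added example, not code from the CVE or from CPython, showing how an application that must run on both patched and unpatched interpreters can turn the cap on where it exists and bound untrusted input itself where it does not. The 4300 figure is CPython's default; the helper names and the choice to reuse that value are this example's own.

```python
import sys

# CPython's default cap once the fix is present. Assumption: reusing it as
# our own application-level bound; pick whatever your inputs legitimately need.
MAX_DIGITS = 4300

# Bases that CPython converts in linear time; they are not affected by the
# quadratic path and are exempt from the interpreter's limit as well.
LINEAR_BASES = (2, 4, 8, 16, 32)


def interpreter_has_limit() -> bool:
    """True when this interpreter carries the CVE-2020-10735 fix."""
    return hasattr(sys, "set_int_max_str_digits")


def enable_interpreter_limit(max_digits: int = MAX_DIGITS) -> bool:
    """Turn on the interpreter-wide cap where the fix exists. Returns False on
    an unpatched interpreter, where safe_int() below is the only protection."""
    setter = getattr(sys, "set_int_max_str_digits", None)
    if setter is None:
        return False
    setter(max_digits)
    return True


def safe_int(text: str, base: int = 10, max_digits: int = MAX_DIGITS) -> int:
    """Parse an integer string from an untrusted source, rejecting inputs long
    enough to reach the quadratic conversion before int() ever sees them."""
    if not isinstance(text, str):
        raise TypeError("expected a str")
    # Count only digit characters: int() tolerates surrounding whitespace,
    # a sign and underscores, none of which contribute to the cost.
    digits = text.strip().lstrip("+-").replace("_", "")
    if base not in LINEAR_BASES and len(digits) > max_digits:
        raise ValueError(
            f"integer string too long: {len(digits)} digits > {max_digits}"
        )
    return int(text, base)


if __name__ == "__main__":
    print("interpreter-wide limit enabled:", enable_interpreter_limit())
    print(safe_int("  -00042 "))
    print(len(str(safe_int("f" * 10_000, base=16))))
    try:
        safe_int("9" * 5_000)
    except ValueError as exc:
        print("rejected:", exc)
```

Call enable_interpreter_limit() once at start-up and route every conversion of attacker-controlled text through safe_int(); the first protects third-party code that calls int() directly, the second keeps the behaviour identical on interpreters that predate the fix.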

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details
Typical Filename: LwssPlayer.scr
Claimed Product: ?????????
Detection Name: Auto.125E12.241442.in02

SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f
MD5: a779d230c944ef200bce074407d2b8ff
VirusTotal: https://www.virustotal.com/gui/file/63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f/details
Typical Filename: mediaget.exe
Claimed Product: MediaGet
Detection Name: W32.File.MalParent

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201