SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft discloses 64 new vulnerabilities in monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company’s hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. September's security update features five critical vulnerabilities, 10 fewer than were included in last month’s Patch Tuesday. There are two moderate-severity vulnerabilities in this release, as well as a low-security issue that’s already been patched as a part of a recent Google Chromium update. The remainder are considered “important.” The most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered “more likely” to be exploited by Microsoft. CVE-2022-34721 and CVE-2022-34722 also have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft. These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet.
References: https://blog.talosintelligence.com/2022/09/microsoft-patch-tuesday-for-september.html
Snort 3 SIDs: 300266 - 300270
Title: Lazarus APT deploying three trojans in attacks against users in North America
Description: Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold in targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state. Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.
References: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Snort SIDs: 60465, 60466
Title: Microsoft discloses 64 new vulnerabilities in monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company’s hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. September's security update features five critical vulnerabilities, 10 fewer than were included in last month’s Patch Tuesday. There are two moderate-severity vulnerabilities in this release, as well as a low-security issue that’s already been patched as a part of a recent Google Chromium update. The remainder are considered “important.” The most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered “more likely” to be exploited by Microsoft. CVE-2022-34721 and CVE-2022-34722 also have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft. These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet.
References: https://blog.talosintelligence.com/2022/09/microsoft-patch-tuesday-for-september.html
Snort 3 SIDs: 300266 - 300270
Title: Lazarus APT deploying three trojans in attacks against users in North America
Description: Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold in targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state. Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.
References: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Snort SIDs: 60465, 60466