Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New insight into recently unmasked MuddyWater APT

Description: Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions. Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran's Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command. This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise. MuddyWater's use of script-based components such as obfuscated PowerShell-based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command. This campaign also utilizes canary tokens to track successful infection of targets, a new addition to this group's arsenal of tactics, techniques and procedures (TTPs). This specific method of taking advantage of canary tokens in this campaign may also be a measure to evade sandbox-based detection systems.

References: https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html

SNORT® SIDs: 58929 - 58938


Title: WiFi-connected security camera could be manipulated to spy on communications

Description: Cisco Talos recently discovered several vulnerabilities in the Reolink RLC-410W security camera that could allow an attacker to perform several malicious actions, including performing man-in-the-middle attacks, stealing user login credentials and more. The Reolink RLC-410W is a WiFi-connected security camera. The camera includes motion detection functionalities and multiple ways to save and view the recordings. The vulnerabilities Talos discovered exist in various functions and features of the camera. Some of these exploits could be combined, as well, to reboot the camera without authentication or run certain APIs. There are five denial-of-service vulnerabilities that could allow an adversary to make the web service unresponsive and restart the device if they send specific network requests to the target. There are two other vulnerabilities that could be combined to reformat the camera’s memory card, effectively erasing all its recordings.

References: https://blog.talosintelligence.com/2022/01/vuln-spotlight-reolink-cameras.html

SNORT® SIDs: 58691 - 58693, 58698, 58699, 58718, 58817 – 58720 and 58926 – 58928

Internet Storm Center Entries


The UK's The National Cyber Security Centre has warned of potential cyber attacks against the country’s critical infrastructure should Russia invade Ukraine.

https://www.theguardian.com/uk-news/2022/jan/28/uk-firms-warned-over-possible-russian-cyber-attacks-amid-ukraine-crisis


A massive oil supplier in Germany is operating at limited capacity after a cyber attack shut down all of its loading and unloading operations.

https://www.bbc.com/news/technology-60215252


Apple released updates for all its major operating systems last week, including fixes for a vulnerability in Safari that could have allowed an attacker to spy on a user’s actions in the web browser.

https://www.macworld.com/article/608772/ios-15-3-bug-fixes-security-updates-features-install.html


The FBI purchased the NSO Group’s controversial Pegasus spyware in 2019 but ultimately decided against using it.

https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html


Although the blockchain is fairly secure, a recent spate of cyber attacks against cryptocurrency exchanges and NFT thefts show that the devices that connect to the blockchain still leave it vulnerable.

https://www.vice.com/en/article/epxa57/this-is-why-theres-been-so-many-nft-and-crypto-hacks


The White House formally announced its plan for all federal agencies to move to a zero-trust model for cybersecurity, giving them until the end of fiscal year 2024 to meet new regulations.

https://www.nbcnews.com/politics/white-house/white-house-announces-strategy-boost-federal-cybersecurity-after-hacks-n1288038


The FBI warned Olympic athletes they should leave personal wireless devices at home when traveling to the Winter Olympics in Beijing over security concerns, recommending that they instead use burner cell phones.

https://www.zdnet.com/article/fbi-urges-olympic-athletes-to-keep-personal-devices-at-home-use-burners/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-17383

Title: Path Traversal vulnerability in Telosalliance Z/Ip ONE Firmware

Description: Through Telos Z/IP One 4.0.0r, a directory traversal vulnerability provides unauthenticated individual root-level access to the device's file system. This may be used to find configuration parameters, built-in account password hashes, and the cleartext password for remote device configuration via the WebUI.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-46089

Title: SQL Injection vulnerability in Jeecg Boot 3.0

Description: A SQL injection vulnerability is created by manipulating an unknown input. It is recognized to have an impact on secrecy, integrity, and availability. An attacker can inject and/or edit existing SQL statements, causing the database exchange to be influenced.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-46061

Title: SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management system (RSMS) 1.0

Description: This flaw affects an unknown code block in the /rsms/ file. A sql injection vulnerability is created by manipulating the argument code with unknown input. It is recognized to have an impact on secrecy, integrity, and availability. An attacker may be able to inject and/or edit existing SQL statements, causing the database exchange to be influenced.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9

MD5: 63a86932a5bad5da32ebd1689aa814b3

VirusTotal: https://www.virustotal.com/gui/file/0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9/details

Typical Filename: bashirc

Claimed Product: N/A

Detection Name: Auto.0013B35696.251462.in07.Talos


SHA 256: 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f

MD5: eb2f5e1b8f818cf6a7dafe78aea62c93

VirusTotal: https://www.virustotal.com/gui/file/2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f/details

Typical Filename: vsb2nasl7.dll

Claimed Product: N/A

Detection Name: W32.A4DE11B029.Wavesor.SSO.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34

MD5: 3f75eb823cd1a73e4c89185fca77cb38

VirusTotal: https://www.virustotal.com/gui/file/d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34/details

Typical Filename: signup.png

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::231945.in02