The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Code execution, privilege escalations part of monthly Microsoft security update

Description: Microsoft released its monthly security update Tuesday, disclosing 51 vulnerabilities across its large collection of hardware and software. None of the vulnerabilities disclosed this month are considered “critical,” an extreme rarity for the company’s Patch Tuesdays. Additionally, none of the issues Microsoft patched have been exploited in the wild to this point, nor have they been publicly disclosed. There are still a few vulnerabilities of note, however, including CVE-2022-21997, CVE-2022-21999 and CVE-2022-22715, which are all privilege elevation vulnerabilities in the Microsoft print spooler service. In the event an exploit is developed, an adversary could use these vulnerabilities to execute code as a system user or higher-level privileges. Though considered to be of “important” severity, CVE-2022-22005 is a remote code execution vulnerability in SharePoint that received a severity score of 8.8 out of 10. An adversary would need to be authenticated and possess correct permissions for page creation to exploit this vulnerability.

References: https://blog.talosintelligence.com/2022/02/microsoft-patch-tuesday-for-feb-2022.html

SNORT® SIDs: 58993, 58994, 58999 - 59002 and 59004 - 59009

Title: Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware

Description: Cisco Talos has identified a new wave of what is believed to be an ongoing campaign using the Delphi malware since 2017. Talos believes with high confidence that this is the work of the Arid Viper threat actor. This is a group believed to be based out of Gaza that's known to target organizations all over the world. The actor uses the Micropsia implant in the most recent wave that started around October 2021. This actor uses their Delphi-based Micropsia implant to target Palestinian individuals and organizations, using politically themed file names and decoy documents. The most recent wave uses content originally published on the Turkish state-run news agency Anadolu and on the Palestinian MA'AN development center to target activists and Palestinian institutions.

References: https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html

SNORT® SIDs: 58957 and 58958

Multiple oil storage and transportation companies in Europe were targeted with ransomware attacks last week.

https://www.bbc.com/news/technology-60250956

Adversaries recently targeted the emails of News Corp. employees, including people working at the Wall Street Journal and the New York Post. (This story is behind a paywall)

https://www.wsj.com/articles/cyberattack-on-news-corp-believed-linked-to-china-targeted-emails-of-journalists-others-11643979328

Vodafone services in Portugal were disrupted after what the company called a “deliberate and malicious” cyber attack.

https://www.reuters.com/technology/vodafone-portugal-hit-by-hackers-says-no-client-data-breach-2022-02-08/

Meta warned that it would pull Facebook and Instagram from Europe if the EU and U.S. can’t come to terms on a new data transfer agreement.

https://fortune.com/2022/02/07/meta-threatens-to-pull-plug-facebook-instagram-europe-data-privacy-dispute-zuckerberg-sec/

The U.S. Cybersecurity and Infrastructure Security Agency added a Windows Win32k vulnerability to its list of known exploited vulnerabilities, giving federal agencies until Feb. 18 to patch to protect against the issue.

https://www.cisa.gov/uscert/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog

A new United Nations report found that North Korean funds much of its development of nuclear weapons through profits from cyber attacks, many of which have targeted cryptocurrency exchanges.

https://www.reuters.com/world/asia-pacific/exclusive-nkorea-grows-nuclear-missiles-programs-profits-cyberattacks-un-report-2022-02-05/

Recent law enforcement crackdowns on ransomware-as-a-service groups are forcing the attackers to narrow their targeting and develop new evasive techniques.

https://www.bleepingcomputer.com/news/security/law-enforcement-action-push-ransomware-gangs-to-surgical-attacks/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-42554

Title: Out-of-bounds Write vulnerability in Insyde Insydeh2O

Description: An unauthenticated attacker could use the SMM memory corruption issue to write fixed or predictable data to SMRAM. Exploiting this flaw could result in privileges being escalated to SMM.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-45733

Title: Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

Description: The function NTPSyncWithHost in TOTOLINK X5000R v9.1.0u.6118 B20201102 was discovered to have a command injection vulnerability. This vulnerability allows attackers to run arbitrary commands via the parameter host_time.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-45738

Title: Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

Description: The method UploadFirmwareFile in TOTOLINK X5000R v9.1.0u.6118 B20201102 was determined to have a command injection vulnerability. This vulnerability allows attackers to run arbitrary commands via the parameter FileName.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-45742

Title: Command Injection vulnerability in Totolink A720R Firmware 4.1.5Cu.470B20200911

Description: In the "Main" function of the TOTOLINK A720R v4.1.5cu.470 B20200911, a command injection vulnerability was detected. This vulnerability allows attackers to run arbitrary commands via the QUERY_STRING parameter.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0

MD5: b46b60327c12290e13b86e75d53114ae

VirusTotal: https://www.virustotal.com/gui/file/792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0/details

Typical Filename: NAPA_HQ_SetW10config.exe

Claimed Product: N/A

Detection Name: W32.File.MalParent

SHA 256: 3321b8ee0cafe7d336a93913c455bebbb821622c011ce10a9198a49392a3bb66

MD5: ed249eeca5364b32391801ec5c2d9a33

VirusTotal: https://www.virustotal.com/gui/file/3321b8ee0cafe7d336a93913c455bebbb821622c011ce10a9198a49392a3bb66/details

Typical Filename: Wave Browser.exe

Claimed Product: WaveBrowser

Detection Name: W32.PUA.Wavebrowser.Hunt.Talos

SHA 256: d8cb871ae0d704fe21b8514833f9c93e5d216fa33a95225e6dea80817a91af26

MD5: 2eafcc4d24470187151fce8e47402e7c

VirusTotal: https://www.virustotal.com/gui/file/d8cb871ae0d704fe21b8514833f9c93e5d216fa33a95225e6dea80817a91af26/details

Typical Filename: GPL2002.exe

Claimed Product: GPL2002.EXE

Detection Name: Gen:Variant.Graftor.515911

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg