Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Cisco warns of several vulnerabilities in routers aimed at small and mid-sized businesses

Description: Cisco recently disclosed 15 vulnerabilities in its RV series of routers, which are aimed at small and mid-sized business networks; five of the flaws are rated critical. Three of those carry the highest possible severity rating, including a remote code execution vulnerability and a flaw that could allow an attacker to elevate their privileges. Taken together, the vulnerabilities could allow an attacker to execute arbitrary commands and code, bypass authentication and cause a denial of service.

References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D

SNORT® SIDs: 58967 – 58972, 58984, 58987 - 58989


Title: Vulnerability in Hancom Office could lead to memory corruption, code execution

Description: Cisco Talos recently discovered a vulnerability in Hancom Office, a software suite popular in South Korea, that could allow an attacker to corrupt memory on the targeted machine or execute code remotely. Hancom Office offers functionality similar to Microsoft Office, including word processing and spreadsheet creation and management. CVE-2021-21958 exists in Hancom Office's HwordApp.dll. A malicious document created by the attacker could trigger a heap-based buffer overflow when it is opened, leading to memory corruption and, with a suitable attack vector, code execution.

References: https://blog.talosintelligence.com/2022/02/vuln-spotlight-.html

SNORT® SIDs: 58365 and 58366

Internet Storm Center Entries


CISA launched a new “Shields Up” campaign and website to inform critical infrastructure operators how to spot signs of potential intrusions from Russian state-sponsored actors.

https://www.usatoday.com/story/news/politics/2022/02/18/biden-administration-goes-shields-up-protect-u-s-russian-cyber-attack/6853643001/


British leaders issued similar warnings, stating potential attacks from Russia could have “international consequences.”

https://www.reuters.com/technology/britain-warns-cyberattacks-russia-ukraine-crisis-escalates-2022-02-22/


Research conducted by Chainalysis found that 74 percent of all ransomware extortion payments in 2021, more than $400 million, went to Russia-linked threat actors.

https://www.bbc.com/news/technology-60378009


A Seattle-based logistics company had to shut down much of its operations worldwide after a cyberattack on Tuesday; the company said it was restoring systems from backups.

https://www.zdnet.com/article/billion-dollar-logistics-giant-expeditors-struggling-to-recover-from-cyberattack/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-39675

Title: Heap buffer overflow in Google Android 12.0 gki_buffer.cc

Description: In GKI_getbuf of gki_buffer.cc, there is a possible out-of-bounds write due to a heap buffer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android

Versions: Android-12

Android ID: A-205729183

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-20699

Title: Remote code execution vulnerability in the SSL VPN module of Cisco Small Business RV340 and RV345 Series routers

Description: The vulnerability stems from insufficient boundary checks when processing specific HTTP requests. An unauthenticated, remote attacker could exploit it by sending malicious HTTP requests to an affected device that is acting as an SSL VPN gateway. A successful exploit could allow the attacker to execute arbitrary code as root on the targeted device.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-20700, CVE-2022-20701, CVE-2022-20702

Title: Privilege escalation vulnerabilities in Cisco Small Business RV Series routers

Description: Because of insufficient authorization enforcement mechanisms, the flaws can be triggered by submitting specific commands to an affected device; a successful exploit could allow the attacker to elevate privileges on the device. The vulnerabilities affect Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0

MD5: b46b60327c12290e13b86e75d53114ae

VirusTotal: https://www.virustotal.com/gui/file/792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0/details

Typical Filename: NAPA_HQ_SetW10config.exe

Claimed Product: N/A

Detection Name: W32.File.MalParent


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: 3321b8ee0cafe7d336a93913c455bebbb821622c011ce10a9198a49392a3bb66

MD5: ed249eeca5364b32391801ec5c2d9a33

VirusTotal: https://www.virustotal.com/gui/file/3321b8ee0cafe7d336a93913c455bebbb821622c011ce10a9198a49392a3bb66/details

Typical Filename: Wave Browser.exe

Claimed Product: WaveBrowser

Detection Name: W32.PUA.Wavebrowser.Hunt.Talos


SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201
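The records above are plain hash-based indicators. The Python below is an added example and not Talos tooling: it parses records in this section's own layout (SHA 256 / MD5 / Typical Filename / Claimed Product / Detection Name), hashes every file under a directory with SHA-256 and MD5 in a single read, and reports the matching detection name. DIGEST_EXCERPT is copied from the first and last records listed above; the sample file and the extra IOC record created in run_demo() are constructed for the demo so a hit can be shown offline.

```python
"""Match files against the 'Prevalent Malware Files' IOCs (added example, not Talos code)."""
import hashlib
import os
import re
import tempfile

# Excerpt of the records listed above, in the digest's own layout.
DIGEST_EXCERPT = """
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
"""

FIELDS = {"SHA 256": "sha256", "MD5": "md5", "Typical Filename": "filename",
          "Claimed Product": "product", "Detection Name": "detection"}
LINE_RE = re.compile(r"^\s*(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*?)\s*$")


def parse_digest(text):
    """Return one dict per record; a new record starts at each 'SHA 256:' line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = FIELDS[m.group(1)], m.group(2)
        if key == "sha256":
            records.append({})
        if not records:
            raise ValueError("a record must start with a SHA 256 line")
        records[-1][key] = value.lower() if key in ("sha256", "md5") else value
    return records


def hash_bytes(data):
    """Both digests as lower-case hex, the form used in the IOC records."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Feed both hashes from one pass so large files are read only once."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def build_index(records):
    """Map every known hash (SHA-256 or MD5) to its record so either one matches."""
    return {rec[k]: rec for rec in records for k in ("sha256", "md5") if rec.get(k)}


def lookup(index, sha256, md5):
    """Prefer the SHA-256 hit; fall back to MD5 because the digest lists both."""
    return index.get(sha256) or index.get(md5)


def scan_tree(root, index):
    """Return (path, record) for every file under root whose hash is in the index."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256, md5 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished mid-scan; skip rather than abort
            rec = lookup(index, sha256, md5)
            if rec:
                hits.append((path, rec))
    return hits


def run_demo():
    """Constructed demo: a fake sample plus a constructed IOC record for it."""
    records = parse_digest(DIGEST_EXCERPT)
    sample = b"constructed sample bytes, not real malware"  # constructed, not a real file
    sha256, md5 = hash_bytes(sample)
    records.append({"sha256": sha256, "md5": md5, "filename": "demo.bin",
                    "product": "N/A", "detection": "Demo.Constructed"})
    index = build_index(records)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "demo.bin"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(root, "clean.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        hits = scan_tree(root, index)
    return [(os.path.basename(p), rec["detection"]) for p, rec in hits]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # scan a real directory against the excerpted IOCs
        for path, rec in scan_tree(sys.argv[1], build_index(parse_digest(DIGEST_EXCERPT))):
            print(f"{path}: {rec['detection']} ({rec['filename']})")
    else:
        for name, detection in run_demo():
            print(f"{name}: {detection}")
```

Pass a directory as the first argument to scan it against the excerpted records, or run without arguments for the constructed demo. Hash matching is exact, so it catches only byte-identical copies of these samples; it is a cheap first pass, not a substitute for the Snort rules and detection names the digest pairs with each entry.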