Volume 22 – Number 11

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Opportunistic cyber criminals take advantage of Ukraine invasion

Description: Since the beginning of the war in Ukraine, Cisco Talos has observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising. This activity has been increasing since the end of February. These emails are primarily related to scam activity but have also delivered a variety of threats, including remote access trojans (RATs). This is in addition to the malicious activity we've recently seen related to the crowd-sourced attacks in the region. This pattern is consistent with what we typically see following global events or crises, such as the COVID-19 pandemic, when opportunistic cybercriminals attempt to exploit high public interest for their own gain. Some campaigns attempt to spread malware by pointing users to malicious documents or URLs, while others are scammers pretending to be legitimate organizations or individuals looking to raise money to help residents of Ukraine.

References: https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html

Domains to blocklist:

* genautilus[.]com

* newremc22[.]ddns[.]net

IPs to blocklist:

* 136[.]144[.]41[.]109

* 142[.]93[.]227[.]231

Title: MuddyWater APT likely made up of smaller sub-groups

Description: Cisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe. In our latest findings, we discovered a new campaign targeting Turkey and the Arabian peninsula with maldocs to deliver a Windows script file (WSF)-based remote access trojan (RAT) we're calling "SloughRAT" an implant known by "canopy" in CISA's most recent alert from February 2022 about MuddyWater. MuddyWater's variety of lures and payloads — along with the targeting of several different geographic regions — strengthens Talos’ growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target.

References: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html

SNORT® SIDs: 59226 - 59230

Internet Storm Center Entries

A Linux exploit known as “Dirty Pipe” could allow attackers to obtain root privileges, affecting many distributions of the operating systems, including those running on Android devices.

https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/

QNAP warned users that many of its network-attached storage devices (NAS) are affected by Dirty Pipe.

https://www.bleepingcomputer.com/news/security/qnap-warns-severe-linux-bug-affects-most-of-its-nas-devices/

Researchers discovered a possible variant of the Spectre malware in Intel chips, pushing back an expected update to Linux. AMD products not appear to be affected at this time.

https://www.techradar.com/news/spectre-returns-intel-and-arm-based-cpus-hit-by-serious-vulnerability

Video game developer and publisher Ubisoft disclosed a “cybersecurity incident” with few details last week, adding that it forced a company-wide password reset.

https://portswigger.net/daily-swig/cybersecurity-incident-at-ubisoft-disrupts-operations-forces-company-wide-password-reset

Chinese state-sponsored actors recently breached the networks of six state governments by exploiting a vulnerability in the U.S. Animal Health Emergency Reporting Diagnostic System.

https://www.wired.com/story/china-apt41-hacking-usaherds-log4j/

A cyber attack recently crashed government-run Israeli websites.

https://www.bloomberg.com/news/articles/2022-03-14/israeli-government-websites-crash-and-emergency-declared

Recent CVEs

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-44622

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/check_reg_verify_code function which could allow a remote malicious user to execute arbitrary code via a crafted post request.