Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Opportunistic cyber criminals take advantage of Ukraine invasion

Description: Since the beginning of the war in Ukraine, Cisco Talos has observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising. This activity has been increasing since the end of February. These emails are primarily related to scam activity but have also delivered a variety of threats, including remote access trojans (RATs). This is in addition to the malicious activity we've recently seen related to the crowd-sourced attacks in the region. This pattern is consistent with what we typically see following global events or crises, such as the COVID-19 pandemic, when opportunistic cybercriminals attempt to exploit high public interest for their own gain. Some campaigns attempt to spread malware by pointing users to malicious documents or URLs, while others are scammers pretending to be legitimate organizations or individuals looking to raise money to help residents of Ukraine.

References: https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html

Domains to blocklist:

* genautilus[.]com

* newremc22[.]ddns[.]net

IPs to blocklist:

* 136[.]144[.]41[.]109

* 142[.]93[.]227[.]231


Title: MuddyWater APT likely made up of smaller sub-groups

Description: Cisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe. In our latest findings, we discovered a new campaign targeting Turkey and the Arabian Peninsula with maldocs to deliver a Windows Script File (WSF)-based remote access trojan (RAT) we're calling "SloughRAT," an implant referred to as "canopy" in CISA's most recent alert about MuddyWater from February 2022. MuddyWater's variety of lures and payloads, along with its targeting of several different geographic regions, strengthens Talos' growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual property theft, and destructive or disruptive operations, depending on the victims they target.

References: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html

SNORT® SIDs: 59226 - 59230

Internet Storm Center Entries


A Linux exploit known as "Dirty Pipe" could allow attackers to obtain root privileges, affecting many distributions of the operating system, including those running on Android devices.

https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/


QNAP warned users that many of its network-attached storage devices (NAS) are affected by Dirty Pipe.

https://www.bleepingcomputer.com/news/security/qnap-warns-severe-linux-bug-affects-most-of-its-nas-devices/


Researchers discovered a possible new variant of the Spectre vulnerability affecting Intel chips, pushing back an expected Linux update. AMD products do not appear to be affected at this time.

https://www.techradar.com/news/spectre-returns-intel-and-arm-based-cpus-hit-by-serious-vulnerability


Video game developer and publisher Ubisoft disclosed a "cybersecurity incident" with few details last week, adding that it had forced a company-wide password reset.

https://portswigger.net/daily-swig/cybersecurity-incident-at-ubisoft-disrupts-operations-forces-company-wide-password-reset


Chinese state-sponsored actors recently breached the networks of six state governments by exploiting a vulnerability in the U.S. Animal Health Emergency Reporting Diagnostic System.

https://www.wired.com/story/china-apt41-hacking-usaherds-log4j/


A cyber attack recently crashed government-run Israeli websites.

https://www.bloomberg.com/news/articles/2022-03-14/israeli-government-websites-crash-and-emergency-declared

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-44622

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/check_reg_verify_code function, which could allow a remote malicious user to execute arbitrary code via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44623

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 via the /cloud_config/router_post/check_reset_pwd_verify_code interface. Manipulation with an unknown input can lead to memory corruption.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44625

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/cloud_device/info interface, which allows a malicious user to execute arbitrary code on the system via a crafted POST request. Manipulation with an unknown input leads to memory corruption.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44626

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reg_verify_code feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44627

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44628

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44629

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44630

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44631

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44632

Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8

Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

MD5: c578d9653b22800c3eb6b6a51219bbb8

VirusTotal: https://www.virustotal.com/gui/file/20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2/details

Typical Filename: invisible.vbs

Claimed Product: N/A

Detection Name: Win.Trojan.Pistacchietto.Talos


SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: LwssPlayer

Detection Name: Auto.125E12.241442.in02


SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1

MD5: 3e10a74a7613d1cae4b9749d7ec93515

VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::1201