Internet Storm Center Spotlight

Title: BlackCat ransomware actor may be connected to attackers behind Colonial Pipeline shutdown

Description: BlackCat ransomware, also known as "ALPHV," has quickly gained notoriety for its use in double-extortion attacks (file encryption plus the threat of disclosing stolen files) against companies. It first appeared in November 2021 and, since then, several companies across the globe have been hit. There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous for the attack on Colonial Pipeline last year. According to a BlackCat representative, BlackCat is not a rebranding of BlackMatter, but its team is made up of affiliates of other RaaS groups, including BlackMatter. Cisco Talos has observed that at least one attacker who used BlackMatter was among the early adopters of BlackCat. One key aspect of these attacks is that adversaries take time exploring the environment and preparing it for a successful, broad attack before launching the ransomware, at which point every second means lost data. It is therefore essential to detect the attack in its initial stages. The two attacks described here took over 15 days to reach the encryption stage. Knowing the attackers' tools and techniques, and having monitoring and response processes in place, could have prevented the successful encryption of the companies' files.

SNORT® SIDs: 58237, 58238

Title: CaddyWiper is latest malware to be connected to Ukraine war

Description: Security researchers recently discovered another Ukraine-focused wiper, dubbed "CaddyWiper," on March 14. This wiper is smaller than previous wipers seen in Ukraine such as "HermeticWiper" and "WhisperGate," with a compiled size of just 9KB. The discovered sample's compilation timestamp falls on the same day (March 14), and initial reports suggest that it was deployed via GPO. The wiper is small and dynamically resolves most of the APIs it uses. Cisco Talos analysis found no indication of persistence, self-propagation or exploitation code.

SNORT® SIDs: 59268, 59269

Internet Storm Center Entries

The White House is warning that Russian state-sponsored actors could be planning cyber attacks against US critical infrastructure.

Deepfake videos of the Ukrainian and Russian presidents made their rounds on social media last week.

In September 2021, Google researchers detected several initial access brokers connected to the Conti ransomware group.

Security researchers have learned a lot about Conti since a rogue member leaked documents linked to the group.

The U.S. Cybersecurity and Infrastructure Security Agency and the FBI warned of possible cyber attacks targeting satellite communication networks after a recent campaign targeting European SATCOM provider Viasat.

Recent cyber attacks targeting American logistics and shipping companies are disrupting the supply chain and are expected to slow down major ports, according to a US Customs and Border Protection bulletin.

Recent CVEs

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-14115

Title: Command injection vulnerability in Xiaomi Router AX3600

Description: A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by insufficient inspection of incoming data. Attackers can exploit this vulnerability to execute code.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-4039

Title: Command injection vulnerability in Zyxel NWA-1100-NH firmware

Description: A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-4045

Title: Remote code execution vulnerability in TP-Link Tapo C200 IP camera

Description: The TP-Link Tapo C200 IP camera, on firmware version 1.1.15 and below, is affected by an unauthenticated RCE vulnerability in the uhttpd binary, which runs by default as root. Exploitation of this vulnerability allows an attacker to take full control of the camera.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-40050

Title: Out-of-bounds read vulnerability in the IFAA module

Description: Successful exploitation of this vulnerability may cause stack overflow.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name:

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: 94e50729a9ccf722ecc62bf766404e1520d5a5a9b44507c7d74dc4ff5cad991c
MD5: 376ead6e862e2957628576a77c08d1e1
Typical Filename: LyricsTube.exe
Claimed Product: LyricsTube
Detection Name: PUA.Win.Adware.Addlyrics::dk

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
Typical Filename: !!mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath