AtRisk March 31, 2022 Vol. XXII – Num. 13

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: DoubleZero malware is just latest wiper malware to hit Ukraine during Russian invasion

Description: The Computer Emergency Response Team of Ukraine released an advisory on March 22, 2022 disclosing another wiper dubbed "DoubleZero" targeting Ukrainian enterprises during Russia's invasion of the country. DoubleZero is a .NET-based implant that destroys files, registry keys and trees on the infected endpoint. This is yet another wiper discovered targeting Ukraine, in addition to previously disclosed attacks we've seen in Ukraine over the past two months, such as "CaddyWiper" "HermeticWiper" and "WhisperGate." The malware aims to overwrite all files in all drives, except for a specific list of the locations hardcoded in the wiper. It destroys non-system files first, then system-related files. Destroying system related files while the overwriting of other files is pending can create instability and may lead to bricking the system before the complete destruction of the user's files is completed. In such cases, it may be possible to recover the files from the disk that haven't been overwritten yet.

References:

- https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html

- https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html

ClamAV® signature: Win.Malware.DoubleZeroWiper-9942171-0

Title: Transparent Tribe campaign uses new bespoke malware to target Indian government officials

Description: Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using new stagers and implants. This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent tribe tactic. The group has continued to change its initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims. Notably, the adversary has moved towards deploying small, bespoke stagers and downloaders that can be easily modified, likely to enable quick and agile operations.

References: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html

ClamAV® signatures:

* Vbs.Downloader.Agent-9940743-0

* Win.Downloader.TransparentTribe-9940744-0

* Win.Trojan.MargulasRAT-9940745-0

* Win.Downloader.Agent-9940746-0

* Win.Trojan.MSILAgent-9940762-1

* Win.Trojan.PythonAgent-9940791-0

* Lnk.Trojan.Agent-9940793-0

* Win.Trojan.TransparentTribe-9940795-0

* Win.Trojan.TransparentTribe-9940801-0

* Win.Downloader.TransparentTribe-9940802-0

London, UK, police arrested seven teens in connection to the Lapsus$ threat actor that targeted Okta and Microsoft earlier this month.

https://www.bbc.com/news/technology-60864283

Recent Lapsus$ attacks used a method similar to the one used by the threat actors behind the massive SolarWinds breach.

https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/

Newly leaked documents show that Lapsus$ breached Okta’s networks by first infecting customer service company Sitel and then pivoting to Okta's own network in January.

https://techcrunch.com/2022/03/28/lapsus-passwords-okta-breach/

Ukrtrlecom, Ukraine’s state-owned telecommunications provider, was targeted in the largest cyber attack against the country since Russia’s invasion, briefly taking internet in the country offline Monday.

https://www.reuters.com/business/media-telecom/ukrainian-telecom-companys-internet-service-disrupted-by-powerful-cyberattack-2022-03-28/

Attackers are deploying a new “browser-in-the-browser" method to trick users into entering their login credentials to spoofed websites only to be stolen by a fake browser window.

https://arstechnica.com/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/

Some Honda cars’ remote keyless system contain a vulnerability that could allow a malicious user to conduct a replay attack and open the cars’ doors or start the engine.

https://github.com/nonamecoder/CVE-2022-27254

Google and Microsoft released updates for their Chromium and Edge browsers, respectively, to fix a zero-day vulnerability.

https://therecord.media/google-releases-emergency-security-update-for-chrome-users-after-second-0-day-of-2022-discovered/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2022-23812

Title: Arbitrary file overwrite vulnerability in the Node-IPC NPM package

Description: T The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files depending on the geolocation of the user's IP address. The maintainer removed the malicious code in version 10.1.3.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-45966

Title: Arbitrary code execution in Pascom Cloud Phone System

Description: An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-27228

Title: Remote code execution vulnerability in Bitrix Site Manager Vote Module

Description: Insufficient validation of user input allows a remote unauthenticated attacker to execute arbitrary code on a system. It can result in gaining control of the target system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6

MD5: 4c9a8e82a41a41323d941391767f63f7

VirusTotal: https://www.virustotal.com/gui/file/1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6/details

Typical Filename: !!mreader.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::sheath

SHA 256: 5516d898970854dbab9e3a49aced96186f3e748a56ed2f7cd7809447b7dd5c1a

MD5: 814358af9c54b6eb66333cd117f38423

VirusTotal: https://www.virustotal.com/gui/file/5516d898970854dbab9e3a49aced96186f3e748a56ed2f7cd7809447b7dd5c1a/details

Typical Filename: USPSSIBDSJDSS.zip

Claimed Product: N/A

Detection Name: Win.Dropper.Upatre::hw

SHA 256: 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97

MD5: 258e7698054fc8eaf934c7e03fc96e9e

VirusTotal: https://www.virustotal.com/gui/file/7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97/details

Typical Filename: samsungfrp2021.exe

Claimed Product: N/A

Detection Name: W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

SHA 256: dc6a484441c59a75fe586ea789a9637921b33dc86e3ac5b57fdb376c9f6e5d7e

MD5: 94e1b019cc2720b7e33a94c2f643216f

VirusTotal: https://www.virustotal.com/gui/file/dc6a484441c59a75fe586ea789a9637921b33dc86e3ac5b57fdb376c9f6e5d7e/details

Typical Filename: 2012f643216f_1.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::90.tpd2.ret.sbx.tg