SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: CISA warns of active exploitation of Spring4Shell vulnerabilities
Description: The U.S. Cybersecurity and Infrastructure Security Agency recently added the Spring4Shell vulnerabilities to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." Spring4Shell affects Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later. The Kenna Risk Score for CVE-2022-22965 is currently at the maximum of 100. This is an exceptionally rare score, which only 415 out of 184,000 CVEs (or 0.22 percent) have achieved, reflecting the severity and potential effects of this vulnerability. A risk score this high means the affected technology is widely deployed, a public exploit is available, and Cisco Talos researchers have seen proof of an ongoing active internet breach using the vulnerability.
References:
- https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html
- https://blog.talosintelligence.com/2022/03/threat-advisory-spring4shell.html
SNORT® SIDs: 30790-30793, 59388 and 59416
Title: AsyncRAT campaigns feature new version of 3LOSH crypter
Description: Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These campaigns appear to be linked to a new version of the 3LOSH crypter. These malware distribution campaigns have been ongoing for the past several months, with new samples being uploaded to public repositories on a daily basis. The 3LOSH crypter continues to be actively maintained and improved by its author and will likely continue to be used by various threat actors attempting to evade detection in corporate environments.
References: https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
SNORT® SIDs: 58087 and 58773