Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: CISA warns of active exploitation of Spring4Shell vulnerabilities

Description: The U.S. Cybersecurity and Infrastructure Security Agency recently added the Spring4Shell vulnerabilities to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." Spring4Shell affects Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later. The Kenna Risk Score for CVE-2022-22965 is currently at the maximum of 100. This is an exceptionally rare score, which only 415 out of 184,000 CVEs (0.22 percent) have achieved, reflecting the severity and potential effects of this vulnerability. A score this high indicates a widely deployed technology with a public exploit available, and Cisco Talos researchers have seen proof of an ongoing active internet breach using the vulnerability.

References:

- https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html

- https://blog.talosintelligence.com/2022/03/threat-advisory-spring4shell.html

SNORT® SIDs: 30790-30793, 59388 and 59416


Title: AsyncRAT campaigns feature new version of 3LOSH crypter

Description: Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These campaigns appear to be linked to a new version of the 3LOSH crypter. These malware distribution campaigns have been ongoing for the past several months, with new samples being uploaded to public repositories on a daily basis. The 3LOSH crypter continues to be actively maintained and improved by its author and will likely continue to be used by various threat actors attempting to evade detection in corporate environments.

References: https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html

SNORT® SIDs: 58087 and 58773

Internet Storm Center Entries


Satellite company Viasat has published an overview of the February 24 cyberattack against the KA-SAT network.

https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/


German authorities shut down the high-profile Hydra darknet market and seized $1.3 billion in virtual currency.

https://www.washingtonpost.com/business/germany-shuts-down-darknet-platform-specializing-in-drugs/2022/04/05/33818f50-b4b9-11ec-8358-20aa16355fb4_story.html


New analysis shows how the zero-click iMessage exploit FORCEDENTRY escapes the sandbox.

https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html


US Senator Ron Wyden is asking tech companies and federal agencies about how hackers are using phony emergency data requests to obtain sensitive personal information.

https://krebsonsecurity.com/2022/03/fake-emergency-search-warrants-draw-scrutiny-from-capitol-hill/


Quantum computers in development by the world’s superpowers could soon render current encryption ineffective, shortening the timeline for private organizations and governments to adopt new encryption techniques.

https://blog.talosintelligence.com/2022/03/on-radar-is-2022-year-encryption-is.html

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-22963

Title: Remote Code Execution Vulnerability in Spring Cloud Functions

Description: Spring Cloud Function is one of the features of Spring Cloud. It allows developers to write cloud-agnostic functions with Spring features. In Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL (Spring Expression Language) routing expression that may result in remote code execution and access to local resources.

CVSS v3.1 Base Score: N/A


ID: CVE-2022-22965

Title: Remote Code Execution Vulnerability in Spring Framework (Spring4Shell)

Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to this exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS v3.1 Base Score: N/A
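The two Spring entries above state their preconditions (affected versions, JDK 9+, a WAR deployed on Tomcat) without showing how an administrator would turn them into a remediation priority. The following is an added example, not part of the newsletter or of any Qualys or Spring tooling: a small Python helper that takes an inventory of dependency jar names, the runtime JDK major version and the deployment model, and reports which of the two CVEs applies and whether the public exploit's preconditions are met. The fix boundaries it encodes (Spring Framework 5.3.18 and 5.2.20 for CVE-2022-22965; Spring Cloud Function 3.1.7 and 3.2.3 for CVE-2022-22963) come from the Spring project's advisories, not from this newsletter, and the jar names in `SAMPLE_JARS` are constructed sample input.

```python
"""
Added example (not from the newsletter): prioritise remediation of the two
Spring CVEs above from a dependency inventory, the runtime JDK major version
and the deployment model. Fix boundaries are taken from the Spring project's
advisories, not from the newsletter; SAMPLE_JARS is constructed input.
"""
import re
from dataclasses import dataclass, field

# Artifact name and dotted version from a jar file name, tolerating a qualifier
# such as ".RELEASE" or "-SNAPSHOT" between the version and ".jar".
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[.-]\w+)?\.jar$"
)

# First fixed release per maintained branch (Spring Framework 5.3.18 / 5.2.20
# for CVE-2022-22965; Spring Cloud Function 3.1.7 / 3.2.3 for CVE-2022-22963).
SPRING4SHELL_FIX = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
CLOUD_FUNCTION_FIX = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}

# Constructed sample inventory, as might be listed from WEB-INF/lib of a WAR.
SAMPLE_JARS = [
    "spring-core-5.3.17.jar",
    "spring-beans-5.3.17.jar",
    "spring-webmvc-5.3.17.jar",
    "spring-cloud-function-context-3.2.2.RELEASE.jar",
    "jackson-databind-2.13.2.jar",
]


def parse_jar(name):
    """Return (artifact, version_tuple), or None if the name is not a versioned jar."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version


def is_fixed(version, fixes):
    """True when `version` carries the fix: at or above the fix for its
    major.minor branch, or on a branch newer than any listed. Older branches
    with no listed fix are unsupported lines and are treated as unfixed."""
    branch = version[:2]
    if branch in fixes:
        return version >= fixes[branch]
    return branch > max(fixes)


@dataclass
class Finding:
    cve: str
    jars: list = field(default_factory=list)
    patch_now: bool = False  # preconditions of the public exploit are met
    action: str = ""


def assess(jar_names, jdk_major, tomcat_war_deployment):
    """Map CVE id -> Finding for each Spring CVE whose unfixed jars are present."""
    hits = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact in ("spring-webmvc", "spring-webflux", "spring-beans") \
                and not is_fixed(version, SPRING4SHELL_FIX):
            hits.setdefault("CVE-2022-22965", []).append(name)
        if artifact.startswith("spring-cloud-function") \
                and not is_fixed(version, CLOUD_FUNCTION_FIX):
            hits.setdefault("CVE-2022-22963", []).append(name)

    findings = {}
    if "CVE-2022-22965" in hits:
        # The public exploit needs JDK 9+ and a WAR deployed on Tomcat; a Spring
        # Boot executable jar is not exploitable that way, but the root cause
        # remains, so the upgrade is still required.
        path = jdk_major >= 9 and tomcat_war_deployment
        findings["CVE-2022-22965"] = Finding(
            "CVE-2022-22965", hits["CVE-2022-22965"], path,
            "upgrade to Spring Framework 5.3.18+/5.2.20+; "
            + ("exploit preconditions met: patch immediately" if path
               else "known exploit path absent: patch on the normal cycle"))
    if "CVE-2022-22963" in hits:
        # Exposure depends on use of the routing functionality, which a jar
        # inventory cannot show, so the safe default is to treat it as urgent.
        findings["CVE-2022-22963"] = Finding(
            "CVE-2022-22963", hits["CVE-2022-22963"], True,
            "upgrade to Spring Cloud Function 3.1.7+/3.2.3+ "
            "(routing functionality evaluates attacker-supplied SpEL)")
    return findings


if __name__ == "__main__":
    for cve, f in assess(SAMPLE_JARS, jdk_major=11, tomcat_war_deployment=True).items():
        print(f"{cve}: {', '.join(f.jars)}")
        print(f"  patch now: {f.patch_now}\n  action: {f.action}")
```

Run against the constructed inventory on JDK 11 with a Tomcat WAR, the helper flags both CVEs and marks CVE-2022-22965 as meeting the exploit preconditions; on JDK 8 the same jars are still reported as unfixed, but the Spring4Shell finding drops to the normal patch cycle, which matches the JDK 9+ condition stated in the entry.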

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1

MD5: 3e10a74a7613d1cae4b9749d7ec93515

VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::1201


SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0

MD5: 10f1561457242973e0fed724eec92f8c

VirusTotal: https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details

Typical Filename: ntuser.vbe

Claimed Product: N/A

Detection Name: Auto.1A234656F8.211848.in07.Talos


SHA 256: 12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261

MD5: 3e2dbdfa5e58cb43cca56a3e077d50bf

VirusTotal: https://www.virustotal.com/gui/file/12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261/details

Typical Filename: NirCmd.exe

Claimed Product: NirCmd

Detection Name: Win.PE.SocGholish.tii.Talos