Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: "Haskers Gang" Introduces New ZingoStealer

Description: Cisco Talos recently observed a new information stealer, called "ZingoStealer" that has been released for free by a threat actor known as "Haskers Gang." This information stealer, first introduced to the wild in March 2022, is currently undergoing active development and multiple releases of new versions have been observed recently. The malware leverages Telegram chat features to facilitate malware executable build delivery and data exfiltration. It can exfiltrate sensitive information such as credentials, steal cryptocurrency wallet information, and mine cryptocurrency on victims' systems. While this stealer is freely available and can be used by multiple threat actors, we have observed a focus on infecting Russian speaking victims under the guise of game cheats, key generators and pirated software, which likely indicates a current focus on home users. The threat actor "Haskers Gang" uses collaborative platforms such as Telegram and Discord to distribute updates, share tooling and otherwise coordinate activities. In many cases, ZingoStealer also delivers additional malware such as RedLine Stealer and the XMRig cryptocurrency mining malware to victims.

References: https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html

SNORT® SIDs: 59145, 59160, 59500 and 59501


Title: Cisco patches several new vulnerabilities related to Spring4Shell

Description: Cisco released fixes for multiple critical and high-severity vulnerabilities last week, some of which are related to the high-profile Spring4Shell vulnerabilities disclosed earlier this month. A management interface authentication bypass vulnerability in Cisco’s wireless LAN management software (CVE-2022-20695) is the most severe of the vulnerabilities with a severity score of 10 out of 10. An attacker could exploit this vulnerability to log into the management interface using crafted credentials, potentially the same as the admin. The company also announced in another critical advisory that it is still working on updates to some products to fix the Spring Framework vulnerability known as Spring4Shell.

References:

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-auth-bypass-JRNhV4fF

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8

SNORT® SIDs: 59564 – 59569

Internet Storm Center Entries


According to Trend aMicro Threat Research, the Spring4Shell vulnerability is being actively exploited to download and execute the Mirai botnet.

https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html


A new bipartisan bill proposed in U.S. Congress would require the federal government to develop a formal strategy for adapting to quantum computing and addressing any potential security risks from the country’s adversaries.

https://www.scmagazine.com/analysis/asset-management/congress-wants-a-plan-for-post-quantum-hacking-threats-for-federal-it-systems


CISA, DoE, the NSA, and the FBI have released a joint advisory warning of a hacking toolset that can be customized to target ICS/SCADA systems.

https://arstechnica.com/information-technology/2022/04/us-uncovers-swiss-army-knife-for-hacking-industrial-control-systems/


Google Chrome released an emergency patch to fix a vulnerability attackers are actively exploiting.

https://www.pcmag.com/news/google-patches-third-actively-exploited-chrome-zero-day-of-2022


NATO member countries are participating in a cyber exercise to prepare for possible Russian cyberattacks.

https://gizmodo.com/nato-russia-ukraine-locked-shields-cyberattack-war-game-1848807942


U.S. officials are ramping up warnings around a potential Russian cyber attacks targeting the financial and energy sectors.

https://thehill.com/policy/cybersecurity/3271898-us-officials-ramp-up-warnings-about-russian-cyber-attacks/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-26854

Title: Risky cryptographic algorithms in Dell PowerScale OneFS

Description: Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-27016

Title: Stack overflow vulnerability in the SetStaticRouteCfg() function

Description: There is a stack overflow vulnerability in the SetStaticRouteCfg() function in the httpd service of Tenda AC9 15.03.2.21_cn.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-27022

Title: Stack overflow vulnerability in the SetSysTimeCfg() function

Description: There is a stack overflow vulnerability in the SetSysTimeCfg() function in the httpd service of Tenda AC9 V15.03.2.21_cn. The attacker can obtain a stable root shell through a constructed payload.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1

MD5: 3e10a74a7613d1cae4b9749d7ec93515

VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::1201


SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0

MD5: 10f1561457242973e0fed724eec92f8c

VirusTotal: https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details

Typical Filename: ntuser.vbe

Claimed Product: N/A

Detection Name: Auto.1A234656F8.211848.in07.Talos