Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Chinese APT using new version of PlugX malware

Description: The Chinese state-sponsored actor Bronze President (aka Mustang Panda) recently started deploying a new version of the PlugX malware in several espionage campaigns. Security researchers say the group is actively targeting the Russian military. The group sends targets a decoy document purporting to relate to the Russian military, which ultimately downloads a malicious DLL that loads an updated version of PlugX, a remote access Trojan (RAT) previously associated with Bronze President. The group has historically targeted Asian countries with its malware, so this shift is particularly surprising given that China is a military ally of Russia and has yet to strongly condemn the country’s invasion of Ukraine. Once installed, PlugX can remotely monitor and access the targeted machine.

References: https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military

Snort rules: 59622 - 59625


Title: Cisco patches vulnerabilities in ASA, FTD

Description: Cisco disclosed and patched several vulnerabilities in some of its most notable security products — Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) and Firepower Management Center (FMC). Of the 19 vulnerabilities fixed earlier this week, 11 are of high severity. CVE-2022-20746 is the most serious of the group, with a severity score of 8.8 out of 10. It is an issue in FTD that exists because the software does not properly handle TCP flows; an unauthenticated attacker could exploit it to cause a denial of service. In its advisories for these vulnerabilities, Cisco said it was not aware of any active attempts to exploit them.

References: https://www.securityweek.com/cisco-patches-11-high-severity-vulnerabilities-security-products

Snort SIDs: 59654, 59658 - 59663 and 59668

Internet Storm Center Entries


Russia may have been setting the stage for its invasion of Ukraine more than a year ago by gaining a foothold on Ukrainian critical infrastructure and government networks, according to a report from Microsoft.

https://zetter.substack.com/p/russia-began-setting-stage-for-cyberattacks?s=r


A recent sabotage of fiber optic cables in France highlights the dangers of physical attacks against Internet infrastructure.

https://www.cyberscoop.com/french-fiber-optic-cables-attack-critical-infrastructure/


The FBI may have conducted millions of searches in Americans’ electronic data in 2021 without a warrant.

https://www.cnn.com/2022/04/29/politics/intel-report-fbi-searches/index.html


Google now allows anyone to request the removal of personally identifiable information about themselves, including phone numbers and email addresses, from search results.

https://krebsonsecurity.com/2022/04/you-can-now-ask-google-to-remove-your-phone-number-email-or-address-from-search-results/


Romania says its government websites were the targets of a distributed denial-of-service attack last week.

https://therecord.media/romanian-government-says-websites-attacked-by-pro-russian-group/


Two local hospitals in Palm Beach, Florida, recently had to switch to paper record keeping for a few days after a cyber attack against their parent company.

https://www.palmbeachpost.com/story/news/healthcare/2022/04/30/west-palm-beach-hospitals-handle-cyber-attack-ransomware-hive/9575400002/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-22954

Title: Remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager

Description: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1

MD5: 3e10a74a7613d1cae4b9749d7ec93515

VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::1201


SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426

MD5: a841c3d335907ba5ec4c2e070be1df53

VirusTotal: https://www.virustotal.com/gui/file/1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426/details

Typical Filename: chip 1-click installer.exe

Claimed Product: chip 1-click installer

Detection Name: Win.Trojan.Generic::ptp.cam


SHA 256: 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97

MD5: 258e7698054fc8eaf934c7e03fc96e9e

VirusTotal: https://www.virustotal.com/gui/file/7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97/details

Typical Filename: samsungfrp2021.exe

Claimed Product: N/A

Detection Name: W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34