SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers exploit critical F5 BIG-IP vulnerability to wipe systems, CISA urges patch
Description: A critical F5 BIG-IP vulnerability continues to dominate security headlines this week, as it’s still being used in the wild. Most recently, security researchers saw attackers exploiting the vulnerability to try and completely wipe some Linux systems. Adversaries are running specific commands to erase all the files on the BIG-IP devices' Linux file system when executed. Since attackers could exploit CVE-2022-1388 to obtain root privileges in the Linux operating system powering the BIG-IP devices, they could delete almost every file on the machine, including configuration files needed to run the Linux system. The U.S. Cybersecurity and Infrastructure Security Agency also added the vulnerability to their running list of actively exploited vulnerabilities, warning federal agencies that they need to patch the issue by May 30.
Snort 2 SID: 59735
Snort 3 SID: 300131
Title: Bitter APT adds Bangladesh to their targets
Description: Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of an actor targeting South Asian government entities. This campaign targets an elite unit of Bangladesh's government with a themed lure document alleging to relate to the regular operational tasks in the victim's organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.
Snort 2 SID: 59736
Snort 3 SIDs: 300132
ClamAV signatures: Ole2.Exploit.ZxxZDownloader-9944376-0; Win.Downloader.ZxxZ-9944378-0