Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Attackers exploit critical F5 BIG-IP vulnerability to wipe systems, CISA urges patch

Description: A critical F5 BIG-IP vulnerability continues to dominate security headlines this week, as it is still being exploited in the wild. Most recently, security researchers observed attackers using the vulnerability in attempts to wipe affected devices outright. Adversaries send commands that, when executed, erase the files on the BIG-IP appliance's underlying Linux file system. Because exploitation of CVE-2022-1388 yields root on the Linux operating system that powers BIG-IP devices, an attacker can delete almost every file on the machine, including the configuration files the system needs to boot and run. The U.S. Cybersecurity and Infrastructure Security Agency also added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch the issue by May 30.

References:

- https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices/

- https://therecord.media/cisa-adds-f5-vulnerability-to-catalog-of-exploited-bugs/

Snort 2 SID: 59735

Snort 3 SID: 300131


Title: Bitter APT adds Bangladesh to their targets

Description: Cisco Talos discovered an ongoing campaign, active since August 2021, operated by what Talos believes is the Bitter APT group. The campaign is a typical example of an actor targeting South Asian government entities: it goes after an elite unit of Bangladesh's government with a themed lure document purporting to relate to the victim organization's routine operational tasks. The lure is delivered by spear-phishing emails sent to high-ranking officers of the Rapid Action Battalion (RAB) unit of the Bangladesh police. The emails carry either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. When the victim opens the maldoc, the Equation Editor application is launched automatically to process the embedded objects, whose shellcode exploits the known Microsoft Office vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802, then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and gives the actor remote code execution, opening the door to further activity by installing other tools. In this campaign the trojan is the delivered payload, but the actor has other RATs and downloaders in its arsenal.

References: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

Snort 2 SID: 59736

Snort 3 SID: 300132

ClamAV signatures: Ole2.Exploit.ZxxZDownloader-9944376-0; Win.Downloader.ZxxZ-9944378-0

Internet Storm Center Entries


Bitcoin has now lost more than half its value over the past six months, leading some to call it a risk asset rather than a hedge.

https://www.nbcnews.com/business/markets/bitcoin-whats-going-on-explainer-rcna28097


Researchers have developed malware that takes advantage of the fact that iPhones do not fully power down, even when turned off.

https://arstechnica.com/information-technology/2022/05/researchers-devise-iphone-malware-that-runs-even-when-device-is-turned-off/


White House officials say the U.S. is ahead of China in the race toward quantum computing, due in part to public-private partnerships.

https://www.cyberscoop.com/white-house-u-s-china-quantum-jonah-force-hill/


As the U.S. develops quantum computing technology and new encryption standards designed to resist it, the National Security Agency says those new encryption schemes will contain no NSA backdoor.

https://www.bloomberg.com/news/articles/2022-05-13/nsa-says-no-backdoor-in-new-encryption-scheme-for-us-tech


Italy says it thwarted attempted pro-Russian cyber attacks against the Eurovision Song Contest’s semifinals and finals.

https://www.reuters.com/world/europe/italian-police-prevents-pro-russian-hacker-attacks-during-eurovision-contest-2022-05-15/


Several U.S. federal agencies warned this week that North Korean hackers are posing as remote workers attempting to gain employment at American companies and eventually steal sensitive information.

https://home.treasury.gov/system/files/126/20220516_dprk_it_worker_advisory.pdf

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-44056

Title: Improper authentication vulnerability in QNAP video station

Description: An improper authentication vulnerability has been reported to affect the QNAP device running Video Station. Successful exploitation of this vulnerability allows attackers to compromise the security of the system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-44057

Title: Improper authentication vulnerability in QNAP Photo station

Description: An improper authentication vulnerability has been reported to affect the QNAP device running Photo Station. If exploited, this vulnerability allows attackers to compromise the security of the system.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-1292

Title: Arbitrary command execution vulnerability in OpenSSL's c_rehash script

Description: The c_rehash script shipped with OpenSSL does not properly sanitize shell metacharacters in the file names it processes, allowing command injection. Some operating systems distribute the script in a manner where it is executed automatically (for example when the certificate store is updated). On such systems an attacker who can place a file with a crafted name in the certificate directory can execute arbitrary commands with the privileges of the script. The c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command-line tool (openssl rehash), which does not spawn a shell.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
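The injection pattern behind this class of bug, shown as an added example that is not OpenSSL's own code: the vulnerable function interpolates a certificate file name into a single command string that /bin/sh parses, while the hardened one passes an argv list so no shell ever sees the name. Here `echo` stands in for the `openssl x509 -hash -noout -in FILE` invocation that c_rehash ran, so the demonstration is harmless and runs offline; the malicious file name is constructed for the example. The `has_shell_metachars` check is the kind of pre-flight test a practitioner can run over an existing certificate directory before rehashing it with a legacy script.

```python
"""Command injection via file names handed to a shell (the c_rehash pattern),
next to the fix. Added example; `echo` stands in for `openssl x509 ...`."""
import subprocess

# Characters that let a file name alter a command line parsed by /bin/sh.
SHELL_METACHARS = set(';&|`$(){}<>\\"\'*?[]#~! \t\n')


def has_shell_metachars(name: str) -> bool:
    """True if interpolating `name` into a shell command string is unsafe."""
    return any(c in SHELL_METACHARS for c in name)


def hash_cert_vulnerable(filename: str) -> str:
    """Vulnerable: one string, parsed by /bin/sh.
    A name such as 'cert.pem; echo INJECTED' runs a second command."""
    cmd = f"echo {filename}"  # c_rehash built `openssl x509 -hash -noout -in FILE` this way
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hash_cert_safe(filename: str) -> str:
    """Hardened: argv list, no shell, so the whole name is a single argument."""
    argv = ["echo", filename]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """Did the payload run as its own command? Then INJECTED is a line by itself."""
    return "INJECTED" in output.splitlines()


# Constructed file name a hostile user could drop into a certificate directory.
MALICIOUS_NAME = "cert.pem; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable output:", repr(hash_cert_vulnerable(MALICIOUS_NAME)))
    print("safe output:     ", repr(hash_cert_safe(MALICIOUS_NAME)))
    print("flagged by check:", has_shell_metachars(MALICIOUS_NAME))
```

Run as written, the vulnerable path prints `cert.pem` and then `INJECTED` on its own line, while the hardened path prints the whole file name as one argument. The same argv-list discipline is what `openssl rehash` gives you for free, which is why the advisory recommends it over the script.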

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991


SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201