Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: BlackByte threat actor goes global with its ransomware

Description: The BlackByte ransomware group uses its software for its own operations and offers it as ransomware-as-a-service to other criminals. The group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and can confirm the group is still active after the FBI released a joint cybersecurity advisory in February 2022. BlackByte is also considered one of the big-game ransomware groups, which go after large, high-profile organizations, exfiltrate internal data and threaten to release it publicly. Like similar groups, BlackByte runs its own leak site on the darknet; the site's TOR address changes frequently. BlackByte recently updated its leak site with a new design and new victims, and it is still actively compromising victims worldwide.

References: https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html

Snort SIDs: 58791 - 58794


Title: NVIDIA fixes 10 vulnerabilities in graphics cards drivers

Description: GPU maker NVIDIA released a round of security updates for several of its graphics cards last week, including fixes for four high-severity vulnerabilities. The updates cover all actively supported NVIDIA products and also the GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021. Cisco Talos discovered four of the vulnerabilities in the NVIDIA D3D10 driver; they could allow an attacker to corrupt memory and perform arbitrary memory writes. An attacker could trigger these vulnerabilities by getting the target to open a specially crafted executable or shader file. Because the driver code runs on the host, the same issues could allow an adversary to perform a guest-to-host escape from a virtual machine. Talos specifically tested these issues with a Hyper-V guest using the RemoteFX feature, which led to execution of the vulnerable code on the Hyper-V host.

References:

- https://blog.talosintelligence.com/2022/05/vuln-spotlight-nvidia-driver-memory.html

- https://www.bleepingcomputer.com/news/security/nvidia-fixes-ten-vulnerabilities-in-windows-gpu-display-drivers/

Snort SIDs: 58880 - 58883, 58885, 58886, 58910 and 58911

Internet Storm Center Entries


Google security researchers found at least three recent examples of attacks using the Predator spyware to target Android users.

https://www.wired.com/story/android-spyware-cytrox-predator-google-tag/


Some U.S. Senators are asking the Federal Trade Commission to investigate facial recognition company ID.me over what they say are “deceptive statements” regarding how the company collected and stored data on behalf of the Internal Revenue Service.

https://krebsonsecurity.com/2022/05/senators-urge-ftc-to-probe-id-me-over-selfie-data/


A vulnerability in Bluetooth communications could allow anyone to mount a Bluetooth Low Energy (BLE) relay attack, potentially putting all sorts of devices at risk, including Tesla cars.

https://www.techradar.com/news/hackers-can-steal-your-tesla-via-bluetooth


Wedding services site Zola has reset all account passwords after a credential stuffing attack compromised multiple accounts.

https://www.vice.com/en/article/k7wmm9/hackers-drain-wedding-cash-from-couples-zola-registry-accounts


A malicious Python package uploaded to the PyPI registry tricked users into downloading the Cobalt Strike tool on Windows, Mac and Linux systems.

https://www.darkreading.com/application-security/malicious-package-python-repository-cobalt-strike-windows-macos-linux


The UK has fined facial recognition company Clearview AI more than £7.5m and ordered the company to delete all data it holds on UK residents.

https://www.bbc.com/news/technology-61550776

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-30525

Title: OS command injection vulnerability in Zyxel Firewall

Description: Zyxel Communications Corp. is a manufacturer of DSL and other networking devices.

A command injection vulnerability in the CGI program of some firewall firmware versions could allow an unauthenticated attacker to modify specific files and then execute OS commands on a vulnerable device.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-22796

Title: Improper authentication vulnerability in SysAid wmiwizard.jsp

Description: An attacker can bypass the authentication process by accessing /wmiwizard.jsp, then /ConcurrentLogin.jsp, and clicking the login button, which redirects to /home.jsp without any authentication.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-23166

Title: SysAid index.html file inclusion vulnerability

Description: An unauthenticated attacker can access the system via the "/lib/tinymce/examples/index.html" path: in the "Insert/Edit Embedded Media" window, choose Type: iFrame and File/URL: [here is the LFI]. Solution: update to the 22.2.20 cloud version or the 22.1.64 on-premise version.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-29303

Title: Command injection vulnerability in SolarView Compact conf_mail.php

Description: SolarView Compact ver. 6.00 was discovered to contain a command injection vulnerability reachable via conf_mail.php.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: 1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b

MD5: f5d20b351d56605bbb51befee989fa6e

VirusTotal: https://www.virustotal.com/gui/file/1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b/details

Typical Filename: lavasoft_overlay_new_setup_progress_en.exe

Claimed Product: PF001's Installer

Detection Name: W32.8B439CC5BF-95.SBX.TG


SHA 256: 818d2d5bdde999f70563c16bfa9c724897d3b01adc67089137ae97d8f7ab6ba3

MD5: 9b1f8a838b5c195f9cf2f11017e38175

VirusTotal: https://www.virustotal.com/gui/file/818d2d5bdde999f70563c16bfa9c724897d3b01adc67089137ae97d8f7ab6ba3/details

Typical Filename: document-launch-powershell.xls

Claimed Product: N/A

Detection Name: Auto.818D2D.242455.in02


SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201