Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: “Follina” exploit in Microsoft Office gives attackers potential backdoor to code execution

Description: Security researchers and Microsoft are warning of a zero-day vulnerability in Office that could allow an attacker to run malicious code on targeted systems. The vulnerability, tracked as CVE-2022-30190, exists in Microsoft Word’s remote templating feature, unlike traditional Office vulnerabilities that rely on macros. If successful, an attacker could load malware onto targeted machines from remote servers while bypassing Microsoft Defender’s anti-virus scanner. This issue affects every version of Microsoft Office currently receiving updates, with some affected versions dating back to 2003. Although no patch was available as of Tuesday, Microsoft did publish remediation guidelines to keep the vulnerability from being exploited.

References:

- https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/

- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

Snort 2 rules: 59889 – 59894

Snort 3 rules: 300192 – 300194

ClamAV signature: Win.Exploit.CVE_2022_30190-9951234-1


Title: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service

Description: Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating to the targeted device and causing a denial of service. The OAS Platform facilitates simplified data transfer between various proprietary devices and applications, including software and hardware. The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833), has a 9.4 severity score and could lead to unauthenticated use of the REST API.

References: https://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-platform.html

Snort SIDs: 59275 – 59279, 59732

Internet Storm Center Entries


Computer systems belonging to Costa Rica’s public health ministry were offline as of Tuesday afternoon after an attack from the Hive ransomware group, just weeks after the Conti group targeted other critical government systems.

https://www.bleepingcomputer.com/news/security/costa-rica-s-public-health-agency-hit-by-hive-ransomware/


Twitter agreed to pay a $150 million fine to the U.S. Federal Trade Commission over improper use and sale of users' personal data.

https://www.npr.org/2022/05/25/1101275323/twitter-privacy-settlement-doj-ftc


The SideWinder APT is suspected to be behind at least 1,000 cyber attacks over the past two years.

https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html


Italy’s cybersecurity agency warned of incoming cyber attacks targeting both public and private sector networks.

https://www.itpro.co.uk/security/cyber-warfare/367859/russian-killnet-cyber-attacks-begin-on-italian-linked-businesses


China recently picked up its public warnings of alleged incoming cyber attacks from the US, but these warnings are built off years-old technical details.

https://arstechnica.com/information-technology/2022/05/the-mystery-of-chinas-sudden-warnings-about-us-hackers/


The ChromeLoader malware that hijacks the Google Chrome web browser recently added new features, specifically posing a threat to business users.

https://www.darkreading.com/application-security/chromeloader-malware-hijacks-browsers-iso-files

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-23657, CVE-2022-23658, CVE-2022-23660

Title: Arbitrary code execution vulnerability in Aruba ClearPass Policy Manager

Description: Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2022-28348

Title: Improper GPU memory use in Mali GPU Kernel Driver

Description: The vulnerability affects Midgard GPU Kernel Driver: All versions from r4p0 - r31p0, Bifrost GPU Kernel Driver: All versions from r0p0 - r36p0, and Valhall GPU Kernel Driver: All versions from r19p0 - r36p0. A non-privileged user can make improper operations on GPU memory to enter a use-after-free scenario. This issue is fixed in Bifrost and Valhall GPU Kernel Driver r37p0.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-28349

Title: Mali GPU Kernel Driver allows access to already freed memory

Description: The vulnerability affects Midgard GPU Kernel Driver: All versions from r28p0 - r29p0, Bifrost GPU Kernel Driver: All versions from r17p0 - r23p0, and Valhall GPU Kernel Driver: All versions from r19p0 - r23p0. A non-privileged user can obtain access to already freed memory. This issue is fixed in Bifrost and Valhall GPU Kernel Driver version r24p0 and Midgard GPU Kernel Driver version r30p0 release.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-28349

Title: Mali GPU Kernel Driver allows access to already freed memory

Description: The vulnerability affects Valhall GPU Kernel Driver: All versions from r29p0 - r36p0. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This issue is fixed in Valhall GPU Kernel Driver r37p0.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206

MD5: 3632f27604f5a82cf73b9ade710a1656

VirusTotal: https://www.virustotal.com/gui/file/4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206/details

Typical Filename: mediaget_installer_467.exe

Claimed Product: N/A

Detection Name: FileRepPup:MediaGet-tpd


SHA 256: a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92

MD5: 8f90e544a48d75f42f9d44811320689c

VirusTotal: https://www.virustotal.com/gui/file/a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92/details

Typical Filename: tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf

Claimed Product: N/A

Detection Name: Xml.Dropper.Valyria::100.sbx.vioc


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos