Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Public exploit code worsens Atlassian Confluence vulnerability scenario

Description: Threat actors continue to target unpatched versions of Atlassian Confluence with public exploits. The vulnerability, CVE-2022-26134, first surfaced as a zero-day last week and affects all versions of the popular collaboration tool. If exploited, the attacker could completely take over the host and execute remote code on the targeted machine. The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. Exploitation appears to be relatively straightforward, so the issue should be resolved immediately, either through patching or other mitigations. Although a patch is publicly available, many instances of the software remain unpatched.

References:

- https://blog.talosintelligence.com/2022/06/atlassian-confluence-0day.html

- https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/

Snort SIDs: 59925-59934


Title: ChinaChopper web shell pops up again on backs of Atlassian bugs

Description: The China Chopper web shell is being spread as part of the attacks exploiting the zero-day vulnerability in Atlassian Confluence. Attackers exploiting CVE-2022-26134 install China Chopper but rarely access it, leading researchers to believe that it is being used as a source of backup access. The nearly 11-year-old malware allows attackers to retain access to an infected system using a client-side application that contains all the logic required to control the target. Cisco Talos has documented several instances of different threat groups using China Chopper. This web shell is widely available, so almost any threat actor can use it. This also means it is nearly impossible to attribute attacks to a particular group using only the presence of China Chopper as an indicator.

References:

- https://www.itpro.co.uk/security/zero-day-exploit/368086/exploitation-of-atlassian-confluence-zero-day-surges-fifteen-fold

- https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html

Snort SIDs: 59928, 59931

Internet Storm Center Entries


Law enforcement officials are developing new ways to track and recover stolen cryptocurrency.

https://www.nbcnews.com/tech/tech-news/local-high-tech-crime-units-are-tracking-seizing-stolen-cryptocurrency-rcna30655


The AlphV ransomware group recently attacked systems belonging to the city of Alexandria, Louisiana. As of Tuesday, June 7, there was no information on how widespread the effects were.

https://therecord.media/louisiana-authorities-investigating-ransomware-attack-on-city-of-alexandria/


The U.S. enlisted the help of an unnamed European country to help secretly manage the encrypted phone company Anom.

https://www.vice.com/en/article/qjbggq/anom-third-country-europe-european-union-fbi


Security researchers from Proofpoint say a single state-sponsored actor is behind a phishing campaign that is targeting European and local US government entities.

https://www.infosecurity-magazine.com/news/statebacked-hacker-follina-attacks/


Microsoft has yet to release a patch for Follina, although security researchers say the vulnerability is relatively easy to exploit.

https://arstechnica.com/information-technology/2022/06/microsoft-wont-say-if-it-will-patch-critical-windows-vulnerability-under-exploit/


The city of Palermo, Italy, took its online services completely offline on Tuesday in response to a cyber attack.

https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-1292

Title: Command injection vulnerability in OpenSSL

Description: The c_rehash script does not properly sanitize shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. The use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command-line tool.

The vulnerability is fixed in OpenSSL 3.0.3, OpenSSL 1.1.1o, and OpenSSL 1.0.2ze.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-16209

Title: Stack-based overflow vulnerability in Fieldcomm Group HART-IP

Description: The HART-IP server component hipserver takes HART-IP messages from its clients and transports the embedded HART messages to various HART application programs. An unchecked memory transfer in the IP interface would potentially allow an internal buffer to overflow. A malicious user could exploit this interface by constructing HART-IP messages with payloads sufficiently large to overflow the internal buffer and crash the device or obtain control of the device.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-34111

Title: Command injection vulnerability in Thecus N4800Eco NAS Server Control Panel

Description: Thecus N4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049

MD5: 067f9a24d630670f543d95a98cc199df

VirusTotal: https://www.virustotal.com/gui/file/b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049/details

Typical Filename: RzxDivert32.sys

Claimed Product: WinDivert 1.4 driver

Detection Name: W32.B2EF49A10D-95.SBX.TG


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201