Internet Storm Center Spotlight


Title: The BlackCat ransomware group becomes one of the most widely spread families

Description: Threat actors are continually deploying the BlackCat ransomware, raising it up the ranks of the most-used ransomware-as-a-service families. Security researchers have seen different threat groups deploy BlackCat, sometimes after using Mimikatz as the initial infection vector and a credential dumper. Microsoft recently found that two of the most prolific ransomware groups switched away from other families like Conti in favor of BlackCat. BlackCat has been spotted being deployed in regions across the globe, including Africa, North America, South America, Asia and Europe. Microsoft also warned that attackers most often target unpatched Microsoft Exchange Server instances with widely known vulnerabilities.


Title: Cisco patches critical, high-severity vulnerabilities in Email Security Appliance, home routers

Description: Cisco patched several significant vulnerabilities last week, including some in end-of-life routers it will not fix. One critical vulnerability exists in the Email Security Appliance, Secure Email and Web Manager software. Any virtual or hardware appliances running a vulnerable version of AsyncOS are affected by this vulnerability, potentially allowing attackers to bypass security protections in place on the machine. There is also a fix out for a high-severity issue in the same products that could allow an adversary to obtain information from an LDAP external authentication server connected to the vulnerable appliance. Another issue, CVE-2022-20825, could allow an unauthenticated attacker to execute remote code on several models of Cisco’s RV series of routers. However, the devices have reached their end-of-life periods and the vulnerability will not be patched.


Internet Storm Center Entries

Popular cryptocurrency trading platform Coinbase laid off 18 percent of its staff last week.

According to the Kremlin, a speech from Russian President Vladimir Putin had to be delayed by one hour on Friday after a cyber attack stopped entrance badges from working at the venue where he was scheduled to appear.

A new law introduced in the U.S. Senate would ban the sale of health and location data harvested from smartphones.

Cloudflare recently mitigated a distributed-denial-of-service (DDoS) attack that peaked at 26 million requests per second. The botnet used in the attack comprised just over 5,000 devices.

A Chinese state-sponsored actor known as Aoqin Dragon has been operating since 2013, mainly conducting espionage campaigns.

A phishing campaign on Facebook Messenger has successfully hit more than 10 million users over the past few months, tricking targets into handing over their login credentials.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2022-29797

Title: Buffer Overflow vulnerability in Huawei CV81-WDM FW

Description: Because of improper bounds checking, the Huawei CV81-WDM FW is vulnerable to buffer overflow. A remote attacker might overflow a buffer and gain elevated access to the system by sending a carefully crafted request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-31446

Title: Remote code execution vulnerability in Tenda AC18 router V15.03.05.19 and V15.03.05.05

Description: Tenda AC18 router V15.03.05.19 and V15.03.05.05 were discovered to contain a remote code execution (RCE) vulnerability via the Mac parameter at ip/goform/WriteFacMac. The manipulation of the argument Mac with an unknown input led to a privilege escalation vulnerability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-31479

Title: Privilege escalation vulnerability in HID Mercury LP1501, LP1502, LP2500, LP4502 and EP4502

Description: An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable. The injected commands only get executed during startup or when unsafe calls regarding the hostname are used. This allows the attacker to gain remote access to the device and make their persistence permanent by modifying the filesystem.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name:

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
MD5: f1fe671bcefd4630e5ed8b87c9283534
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: ?????????
Detection Name: Auto.125E12.241442.in02

SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0
MD5: 10f1561457242973e0fed724eec92f8c
Typical Filename: ntuser.vbe
Claimed Product: N/A
Detection Name: Auto.1A234656F8.211848.in07.Talos