SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: QNAP warns NAS users of high-severity vulnerability that could lead to code execution
Description: QNAP released a patch for a high-severity vulnerability in some of its network-attached storage devices that could allow an attacker to execute code remotely on the targeted device. The vulnerability, identified as CVE-2019-11043, exists in PHP's FastCGI Process Manager (PHP-FPM). An attacker could manipulate FPM into writing data past the end of an allocated buffer, opening the door to remote code execution. This issue had been known for nearly three years, but only recently became realistic to exploit. The company recommends users update to the latest firmware for their storage box to fix this issue. QNAP devices have faced a stretch of cyber attacks, also recently being targeted by the Deadbolt ransomware gang.
References:
- https://www.tomshardware.com/news/qnap-php-vulnerability-patched
- https://www.qnap.com/en/security-advisory/QSA-22-20
Snort SIDs: 60107 - 60110

Title: Gallium APT uses new PingPull malware for espionage campaigns
Description: A China-based APT called “Gallium” is using a new trojan to target companies operating in Southeast Asia, Europe and Africa. Called “PingPull,” the backdoor uses ICMP for C2 communications and has never been seen before in the wild. PingPull is a Visual C++-based malware that provides actors with the ability to access a reverse shell and run arbitrary commands on a compromised host. The actor could then move files, enumerate storage devices and timestomp files. Gallium traditionally targets telecommunications, finance and government organizations.
References:
- https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html
Snort SIDs: 60059 - 60061