Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: QNAP warns NAS users of high-severity vulnerability that could lead to code execution

Description: QNAP released a patch for a high-severity vulnerability in some of its network-attached storage devices that could allow an attacker to execute remote code on the targeted device. The vulnerability, identified as CVE-2019-11043, exists in PHP and the FastCGI Process Manager (FPM). An attacker could manipulate FPM to write data past an allocated buffer and open the door to remote code execution. This issue had been known for nearly three years, but only recently became realistic to exploit. The company recommends that users update their storage box to the latest firmware to fix this issue. QNAP devices have faced a stretch of cyber attacks, including recently being targeted by the Deadbolt ransomware gang.

References:

- https://www.tomshardware.com/news/qnap-php-vulnerability-patched

- https://www.qnap.com/en/security-advisory/QSA-22-20

Snort SIDs: 60107 - 60110


Title: Gallium APT uses new PingPull malware for espionage campaigns

Description: A China-based APT called “Gallium” is using a new trojan to target companies operating in Southeast Asia, Europe and Africa. Called “PingPull,” the backdoor uses ICMP for C2 communications and has never been seen before in the wild. PingPull is a Visual C++-based malware that provides actors with the ability to access a reverse shell and run arbitrary commands on a compromised host. The actor could then move files, enumerate storage devices and timestomp files. Gallium traditionally targets telecommunications, finance and government organizations.

References: https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html

Snort SIDs: 60059 - 60061

Internet Storm Center Entries


Russian state-sponsored actors have stepped up their cyberespionage activities since the invasion of Ukraine, according to a new report, with the U.S. being the most targeted country.

https://www.cnn.com/2022/06/22/politics/microsoft-russia-hackings/index.html


Twitter settled with the U.S. Federal Trade Commission for $150 million over a misuse of security information for targeted advertising.

https://therecord.media/twitter-apologizes-for-abusing-user-security-information-after-150-million-ftc-settlement/


A line of smart Jacuzzis mistakenly exposes users’ personal information when another user tries to set up a new device.

https://gizmodo.com/jacuzzi-smart-tubs-expose-user-data-research-1849093671


Google security researchers discovered a new mobile device malware targeting Android and iOS users in Italy, Syria and Kazakhstan.

https://www.wired.com/story/hermit-spyware-rcs-labs/


An attacker exploited a vulnerability in Harmony’s Horizon blockchain bridge to steal $100 million worth of cryptocurrency.

https://techcrunch.com/2022/06/24/harmony-blockchain-crypto-hack/


Napa Valley College in California had its website and networks completely knocked offline by a ransomware attack.

https://napavalleyregister.com/news/local/ransomware-attack-caused-ongoing-napa-valley-college-internet-and-phone-system-outage/article_8bc46c5a-f410-11ec-bca2-e35eddc616de.html

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2017-20049

Title: Improper Privilege Management vulnerability in Axis products

Description: A critical vulnerability was found in AXIS P1204, P3225, P3367, M3045, M3005, and M3007. It affects an unknown part of the CGI Script component, and manipulation of it leads to improper privilege management. The attack can be initiated remotely. The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. It impacts confidentiality, integrity, and availability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-20825

Title: Remote code execution and denial of service vulnerability in Cisco Small Business Routers

Description: A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-24562

Title: Remote code execution vulnerability in IOBit IOTransfer 4.3.1.1561

Description: In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire filesystem (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-30341

Title: Memory corruption vulnerability in Qualcomm Snapdragon Auto DSM Packet

Description: Improper buffer size validation of a received DSM packet can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, and Snapdragon Wearables. The vulnerability affects unknown functions of the DSM Packet Handler component; manipulation with an unknown input can lead to memory corruption.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-35104

Title: Buffer overflow vulnerability in Qualcomm Snapdragon Auto FLAC Audio Clip

Description: A possible buffer overflow due to improper parsing of headers while playing a FLAC audio clip in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure, and Networking. The vulnerability affects unknown code in the FLAC Audio Clip Handler component; manipulation with an unknown input can lead to memory corruption.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201


SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7

MD5: 0e4c49327e3be816022a233f844a5731

VirusTotal: https://www.virustotal.com/gui/file/8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7/details

Typical Filename: aact.exe

Claimed Product: AAct x86

Detection Name: PUA.Win.Tool.Kmsauto::in03.talos


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02