Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: New U.S. federal warning highlights MedusaLocker group targeting health care organizations

Description: The FBI and U.S. Cybersecurity and Infrastructure Security Agency warned of an uptick in activity from the MedusaLocker ransomware group. The group, which has been around since 2019, gained notoriety during the COVID-19 pandemic for targeting health care organizations. According to the joint alert, the group operates under a ransomware-as-a-service model, as evidenced by the way it splits payments. Medusa recently switched to a new infiltration method by targeting vulnerable RDP configurations. Once inside, it can carry out a variety of actions, including killing popular anti-virus software processes, scheduling a task to run the ransomware every 15 minutes and deleting local backups.

References:

- https://www.zdnet.com/article/fbi-and-cisa-warn-this-ransomware-is-using-rdp-flaws-to-break-into-networks/

- https://www.cisa.gov/uscert/ncas/alerts/aa22-181a

Snort SIDs: 53662 - 53664


Title: Popular wireless data router vulnerable to code execution vulnerabilities

Description: Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router. The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with several advanced software features for users like the ability to connect to a VPN, cloud data management and smart reboot. There are three command injection vulnerabilities that exist in this device, as well as a data removal vulnerability that could allow an attacker to arbitrarily remove files from the device. An attacker could trigger the command injection issues — CVE-2022-32585, CVE-2022-33312 - CVE-2022-33314 and CVE-2022-33325 - CVE-2022-33329 — by sending a specific series of requests to the targeted device. If successful, the attacker could gain the ability to execute remote code.

References: https://blog.talosintelligence.com/2022/06/vuln-spotlight-robustel-cell-router.html

Snort SIDs: 60007 - 60034

Internet Storm Center Entries


Iran’s steel industry is being targeted as part of a wave of cyber attacks that started with disruptions to the country’s public transportation systems.

https://threatpost.com/cyberattack-iran-campaign/180122/


NATO created a new multi-nation program to quickly respond to cyber attacks against member nations, with the U.S. offering “robust national capabilities” to support this program.

https://www.politico.com/news/2022/06/29/nato-cyberattacks-russia-00043149


Public and private sector websites in Norway briefly went offline last week after a denial-of-service attack.

https://apnews.com/article/russia-ukraine-technology-norway-government-and-politics-b837c155fde5d9cb4215b77dff9a94f0


An attack on a Florida-based IT services company disrupted unemployment benefits and payments in multiple states.

https://www.cnn.com/2022/07/01/politics/unemployment-benefits-disrupted-apparent-cyberattack/index.html


Google released an update for its Chrome browser that fixes a zero-day vulnerability that is being actively exploited.

https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/


The FBI is warning of an increase in complaints that deepfakes and stolen personally identifiable information are being used to apply for remote employment positions.

https://www.ic3.gov/Media/Y2022/PSA220628

https://www.vice.com/en/article/akedaa/deepfakes-might-be-used-in-remote-job-interviews-fbi-warns


Canada’s national police force says it has used spyware in the past to track suspected criminals, including turning on targeted devices' microphones and cameras.

https://www.politico.com/news/2022/06/29/canada-national-police-spyware-phones-00043092

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-26638

Title: Improper authentication vulnerability in S&D Smarthome

Description: An improper authentication vulnerability in the S&D Smarthome (smartcare) application can cause authentication bypass and information exposure. Remote attackers can use this vulnerability to take control of the home environment, including indoor controls.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-2068

Title: Command injection vulnerability in OpenSSL

Description: The vulnerability exists due to improper input validation in the c_rehash script distributed by some operating systems. A remote attacker with the ability to pass data to c_rehash script can execute arbitrary OS commands with the privileges of the script.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-30308

Title: OS command injection vulnerability in Festo Controller CECC-X-M1

Description: In the Festo Controller CECC-X-M1 product family, in multiple versions, the HTTP endpoint "cecc-x-web-viewer-request-on" POST request doesn't check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control and command injection.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-30309

Title: OS command injection vulnerability in Festo Controller CECC-X-M1

Description: In the Festo Controller CECC-X-M1 product family, in multiple versions, the HTTP endpoint "cecc-x-web-viewer-request-off" POST request doesn't check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control and command injection.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-30310

Title: OS command injection vulnerability in Festo Controller CECC-X-M1

Description: In the Festo Controller CECC-X-M1 product family, in multiple versions, the HTTP endpoint "cecc-x-acknerr-request" POST request doesn't check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control and command injection.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-30311

Title: OS command injection vulnerability in Festo Controller CECC-X-M1

Description: In the Festo Controller CECC-X-M1 product family, in multiple versions, the HTTP endpoint "cecc-x-refresh-request" POST request doesn't check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control and command injection.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0

MD5: 10f1561457242973e0fed724eec92f8c

VirusTotal: https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details

Typical Filename: ntuser.vbe

Claimed Product: N/A

Detection Name: Auto.1A234656F8.211848.in07.Talos


SHA 256: 91e994229a7c8fdd899ce9b961516179da4c41be0818b5f07f07e4f4b4ebf28e

MD5: a7742a6d7d8b39f1a8cdf7f0b50f12bb

VirusTotal: https://www.virustotal.com/gui/file/91e994229a7c8fdd899ce9b961516179da4c41be0818b5f07f07e4f4b4ebf28e/details

Typical Filename: wrsanvs.exe

Claimed Product: N/A

Detection Name: W32.Auto:91e994229a.in03.Talos