Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft’s security update includes 84 vulnerabilities, one that’s exploited in the wild

Description: Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. July's security update features three critical vulnerabilities, up from one last month, still lower than Microsoft’s average in a Patch Tuesday. All the other vulnerabilities fixed are considered “important.” All three critical vulnerabilities allow remote code execution on Microsoft Windows systems. Of these, Microsoft considers the exploitation of CVE-2022-22029, CVE-2022-22038 and CVE-2022-22039 less likely to occur. CVE-2022-22029 could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS). However, according to Microsoft, it has high attack complexity and would require repeated exploitation attempts through sending constant or intermittent data. Another critical vulnerability, CVE-2022-22038, is also considered to be more difficult to exploit because it requires undisclosed additional actions by an attacker to prepare the target environment for exploitation. CVE-2022-22039 is another remote code execution flaw in Windows Network File System that requires an attacker to win a race condition to exploit it, making this vulnerability less likely to be exploited.

References: https://blog.talosintelligence.com/2022/07/microsoft-patch-tuesday-for-july-2022.html

Snort SIDs: 60191, 60192, 60198, 60199, 60201, 60202, 60206, 60207, 60213 and 60214. Additionally, Snort 3 SIDs: 300215 and 300216.


Title: Adobe discloses critical vulnerabilities in Acrobat, Reader and Photoshop

Description: Adobe released a large swath of patches for its products Tuesday, including disclosing 22 vulnerabilities in Adobe Acrobat Reader, some of which could lead to arbitrary code execution. Affected product versions include Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat 2017 and Acrobat Reader 2017. Cisco Talos discovered one of the vulnerabilities, CVE-2022-34230, a use-after-free issue that is triggered if the targeted user opens a PDF with specially crafted, malicious JavaScript. The code could give attackers control over reused memory, which can lead to arbitrary code execution.

References: https://www.securityweek.com/adobe-patch-tuesday-critical-flaws-acrobat-reader-photoshop

Snort SIDs: 59644 and 59645

Internet Storm Center Entries


The European Central Bank says its president was the target of a recent cyber attack.

https://www.bloomberg.com/news/articles/2022-07-12/ecb-says-lagarde-was-targeted-in-cyber-attack-no-data-stolen#xj4y7vzkg


Apple released a new setting for its major operating systems called Lockdown Mode that allows users to disable many major features on their device if they suspect they’re being targeted with spyware.

https://www.theverge.com/2022/7/6/23196978/apple-lockdown-mode-security-hacking-pegasus-macos-ios-ipados


Hotel chain Marriott said it was the victim of a data breach that affected customers’ credit card data.

https://techcrunch.com/2022/07/06/marriott-breach-again/


U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) selected four encryption algorithms it says can withstand threats from quantum computing.

https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms


The U.S. House Oversight Committee says it’s investigating the privacy of reproductive health data and the data collection policies of period tracking apps.

https://www.vice.com/en/article/m7geb4/congress-to-investigate-data-brokers-and-period-tracking-apps


Microsoft says it still plans to block Visual Basic macros by default after rolling out a brief, temporary reversal of the policy earlier this month.

https://techcrunch.com/2022/07/11/microsoft-office-macros-block/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-32032

Title: Stack-based overflow vulnerability in Tenda AX1806 v1.0.0.1

Description: Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow vulnerability that affects the function formAddMacfilterRule. The manipulation of the argument deviceList with an unknown input can lead to a memory corruption vulnerability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-25900

Title: Command injection vulnerability in git-clone

Description: All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git. The use of the --upload-pack feature of git is also supported for git clone and allows users to execute arbitrary commands on the OS.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-2274

Title: Heap memory corruption with RSA private key operation

Description: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048-bit private keys incorrect on such machines and memory corruption will happen during the computation. Because of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048-bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: bd517b0695921df15586f2e81f970313112d008f52955502194cdf44a227a664

MD5: aa367b2ef077ffd51bf0597237ef513e

VirusTotal: https://www.virustotal.com/gui/file/bd517b0695921df15586f2e81f970313112d008f52955502194cdf44a227a664/details

Typical Filename: 1302323352.exe

Claimed Product: N/A

Detection Name: W32.DFC.MalParent


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: 91e994229a7c8fdd899ce9b961516179da4c41be0818b5f07f07e4f4b4ebf28e

MD5: a7742a6d7d8b39f1a8cdf7f0b50f12bb

VirusTotal: https://www.virustotal.com/gui/file/91e994229a7c8fdd899ce9b961516179da4c41be0818b5f07f07e4f4b4ebf28e/details

Typical Filename: wrsanvs.exe

Claimed Product: N/A

Detection Name: W32.Auto:91e994229a.in03.Talos