Volume 22 – Number 29

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Transparent Tribe adds new tools to its arsenal as it targets Indian colleges

Description: Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group. This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary's typical focus on government entities. The attacks result in the deployment of CrimsonRAT, Transparent Tribe's malware of choice for establishing long-term access into victim networks. We assess with high confidence that a Pakistani web hosting services provider "Zain Hosting" was used for deploying and operating components of Transparent Tribe's infrastructure. This is likely one of many third parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation. Transparent Tribe primarily uses three Windows-based malware families to carry out espionage activities against their targets, including CrimsonRAT and ObliqueRAT.

References: https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html

Snort SIDs: 57215, 57216, 60180 – 60183

ClamAV signature: Doc.Dropper.CrimsonRAT-9953641-4

Title: Google fixes several vulnerabilities in Chrome, including one actively exploited in the wild

Description: Google released a series of patches for its Chrome web browser, including fixes for a high-severity heap buffer overflow vulnerability (CVE-2022-2294) in WebRTC. An attacker could exploit this vulnerability to carry out a range of malicious actions, including crashing the targeted device, causing a denial of service or executing remote code. Google stated in its release that CVE-2022-2294 is actively being exploited in the wild and is withholding additional information until users can patch for the issue. Additionally, Cisco Talos discovered a vulnerability in Chrome’s WebGPU standard that causes a use-after-free condition. The WebRTC vulnerability is the fourth zero-day vulnerability in Chrome to appear in the wild this year.

References:

- https://blog.talosintelligence.com/2022/07/chrome-web-gpu-useafterfree.html

- https://www.darkreading.com/vulnerabilities-threats/google-chrome-webrtc-zero-day-active-exploitation

Snort SIDs: 59448 and 59449

Internet Storm Center Entries

More than 30 pro-democracy activists in Thailand were the targets of the NSO Group’s Pegasus spyware.

https://www.washingtonpost.com/technology/2022/07/17/pegasus-nso-thailand-apple/

The U.S. Department of Justice recently seized $500,000 worth of cryptocurrency from North Korean state-sponsored threat actors.

https://www.coindesk.com/policy/2022/07/19/us-justice-department-seizes-500k-in-ransom-payments-and-crypto-from-north-korean-hackers-report/

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged federal agencies to patch a Microsoft vulnerability (CVE-2022-22047) that’s being actively exploited, giving a deadline of Aug. 2.

https://threatpost.com/cisa-urges-patch-11-bug/180235/

A cyber attack against a debt collection service potentially exposed the data of almost 2 million patients across the US.

https://www.cybersecuritydive.com/news/healthcare-data-breach-professional-finance-company-PFC/627508/

A phishing campaign that can hijack MFA-protected accounts has targeted more than 10,000 organizations since the start of this year.

https://arstechnica.com/information-technology/2022/07/microsoft-details-phishing-campaign-that-can-hijack-mfa-protected-accounts/

CISA declared the Log4shell vulnerability “endemic” in networks but acknowledged that the likelihood of exploitation has decreased since the major issue in Log4j was first discovered.

https://www.dhs.gov/news/2022/07/14/cyber-safety-review-board-releases-report-its-review-log4j-vulnerabilities-and

An alleged password-cracking tool designed to allow network administrators to recover access to their systems is installing backdoor malware on industrial control system networks.

https://www.theregister.com/2022/07/18/password-sality-malware/

The World Health Organization recently implemented several new cybersecurity protocols after a huge increase in cyber attacks after the start of the COVID-19 pandemic.

https://www.wsj.com/articles/who-rushed-in-new-security-steps-after-2020-cyberattack-11658223001

Recent CVEs

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2022-20083

Title: Out-of-bounds write in Modem 2G/3G CC

Description: In Modem 2G/3G CC, there is a possible out-of-bounds write due to missing bounds check. This could lead to remote code execution when decoding combined FACILITY with no additional execution privileges needed. User interaction is not needed for exploitation.