Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Transparent Tribe adds new tools to its arsenal as it targets Indian colleges

Description: Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group. This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary's typical focus on government entities. The attacks result in the deployment of CrimsonRAT, Transparent Tribe's malware of choice for establishing long-term access into victim networks. We assess with high confidence that a Pakistani web hosting services provider "Zain Hosting" was used for deploying and operating components of Transparent Tribe's infrastructure. This is likely one of many third parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation. Transparent Tribe primarily uses three Windows-based malware families to carry out espionage activities against their targets, including CrimsonRAT and ObliqueRAT.

References: https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html

Snort SIDs: 57215, 57216, 60180 – 60183

ClamAV signature: Doc.Dropper.CrimsonRAT-9953641-4


Title: Google fixes several vulnerabilities in Chrome, including one actively exploited in the wild

Description: Google released a series of patches for its Chrome web browser, including fixes for a high-severity heap buffer overflow vulnerability (CVE-2022-2294) in WebRTC. An attacker could exploit this vulnerability to carry out a range of malicious actions, including crashing the targeted device, causing a denial of service or executing remote code. Google stated in its release that CVE-2022-2294 is actively being exploited in the wild and is withholding additional information until users can patch for the issue. Additionally, Cisco Talos discovered a vulnerability in Chrome’s WebGPU standard that causes a use-after-free condition. The WebRTC vulnerability is the fourth zero-day vulnerability in Chrome to appear in the wild this year.

References:

- https://blog.talosintelligence.com/2022/07/chrome-web-gpu-useafterfree.html

- https://www.darkreading.com/vulnerabilities-threats/google-chrome-webrtc-zero-day-active-exploitation

Snort SIDs: 59448 and 59449

Internet Storm Center Entries


More than 30 pro-democracy activists in Thailand were the targets of the NSO Group’s Pegasus spyware.

https://www.washingtonpost.com/technology/2022/07/17/pegasus-nso-thailand-apple/


The U.S. Department of Justice recently seized $500,000 worth of cryptocurrency from North Korean state-sponsored threat actors.

https://www.coindesk.com/policy/2022/07/19/us-justice-department-seizes-500k-in-ransom-payments-and-crypto-from-north-korean-hackers-report/


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged federal agencies to patch a Microsoft vulnerability (CVE-2022-22047) that’s being actively exploited, giving a deadline of Aug. 2.

https://threatpost.com/cisa-urges-patch-11-bug/180235/


A cyber attack against a debt collection service potentially exposed the data of almost 2 million patients across the US.

https://www.cybersecuritydive.com/news/healthcare-data-breach-professional-finance-company-PFC/627508/


A phishing campaign that can hijack MFA-protected accounts has targeted more than 10,000 organizations since the start of this year.

https://arstechnica.com/information-technology/2022/07/microsoft-details-phishing-campaign-that-can-hijack-mfa-protected-accounts/


CISA declared the Log4shell vulnerability “endemic” in networks but acknowledged that the likelihood of exploitation has decreased since the major issue in Log4j was first discovered.

https://www.dhs.gov/news/2022/07/14/cyber-safety-review-board-releases-report-its-review-log4j-vulnerabilities-and


An alleged password-cracking tool designed to allow network administrators to recover access to their systems is installing backdoor malware on industrial control system networks.

https://www.theregister.com/2022/07/18/password-sality-malware/


The World Health Organization recently implemented several new cybersecurity protocols following a huge increase in cyber attacks after the start of the COVID-19 pandemic.

https://www.wsj.com/articles/who-rushed-in-new-security-steps-after-2020-cyberattack-11658223001

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-20083

Title: Out-of-bounds write in Modem 2G/3G CC

Description: In Modem 2G/3G CC, there is a possible out-of-bounds write due to missing bounds check. This could lead to remote code execution when decoding combined FACILITY with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-21744

Title: Out-of-bounds write in Modem 2G RR

Description: In Modem 2G RR, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote code execution when decoding GPRS Packet Neighbour Cell Data (PNCD) with an improper neighboring cell size, with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-33936

Title: Remote code execution vulnerability in Dell EMC Storage

Description: Cloud Mobility for Dell EMC Storage, 1.3.0.XXX contains an RCE vulnerability. A non-privileged user could potentially exploit this vulnerability to obtain a root shell. This is a critical issue, so Dell recommends that customers upgrade at the earliest opportunity.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-32449

Title: Command injection vulnerability in TOTOLINK EX300_V2 V4.0.3c.7484

Description: TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-31137

Title: Remote code execution vulnerability in Roxy-WI

Description: Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers.

Roxy-WI versions older than 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function in the /app/options.py file, which does not sanitize the input it receives from the user. Attackers need not be authenticated to exploit this vulnerability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-25046

Title: Path traversal vulnerability in CWP v0.9.8.1122

Description: A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3

MD5: 5741eadfc89a1352c61f1ff0a5c01c06

VirusTotal: https://www.virustotal.com/gui/file/ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3/details

Typical Filename: 3.exe

Claimed Product: N/A

Detection Name: W32.DFC.MalParent


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02