Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Transparent Tribe adds new tools to its arsenal as it targets Indian colleges

Description: Cisco Talos discovered an uncommon piece of malware targeting Ukraine, aimed at a large software development company whose software is used by various state organizations within Ukraine. Talos believes this campaign was likely conducted by Russian state-sponsored actors or those acting in their interests. Because the firm develops software, we cannot rule out that the threat actor's intent was to gain access in order to mount a supply chain-style attack, though at this time we have no evidence that they were successful. Cisco Talos confirmed that the malware is a slightly modified version of the open-source backdoor named "GoMet." The malware was first observed on March 28, 2022.

References: https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html

Snort SIDs: 60247 - 60253


Title: Users urged to patch Atlassian Confluence vulnerability immediately

Description: Atlassian disclosed three critical vulnerabilities in its Confluence software last week, including one involving a hardcoded password that was subsequently leaked on Twitter. The company urged users to update to the latest version of the software immediately or to apply a mitigation. An attacker could use this hardcoded password to view all non-restricted pages within the Confluence users group by default. Atlassian said in its advisory that the issue is likely to be exploited in the wild now that the password has been leaked online. The two other critical vulnerabilities affect almost all other Atlassian products.

References:

- https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html

- https://www.darkreading.com/vulnerabilities-threats/critical-bugs-atlassian-confluence-workspaces-open

Snort SIDs: 60280, 60281

Internet Storm Center Entries


The proxy cyberwar between Israel and Iran continues to escalate with attacks on critical infrastructure and public utilities.

https://www.washingtonpost.com/politics/2022/07/25/iran-israel-cyber-war/


T-Mobile agreed to pay $350 million to settle multiple class action lawsuits stemming from an August 2021 data breach that affected nearly 76 million U.S. customers.

https://www.cnn.com/2022/07/25/tech/tmobile-data-breach-settlement/index.html


A new report details how the Conti ransomware group infiltrated Costa Rica’s government using multiple Cobalt Strike beacons, the last major attack from Conti before its rebranding.

https://www.bleepingcomputer.com/news/security/how-conti-ransomware-hacked-and-encrypted-the-costa-rican-government/


Experts are concerned that electric vehicle charging station management systems are "vulnerable in numerous ways."

https://arstechnica.com/cars/2022/07/ev-charging-networks-create-a-tempting-target-for-cyberattacks/


Experts say that the Biden administration's May 2021 Executive Order on Improving the Nation's Cybersecurity does not adequately address operational technology (OT) security.

https://www.utilitydive.com/news/biden-executive-order-on-power-system-cybersecurity-leaves-critical-operati/626058/


The Transportation Security Agency revised its cybersecurity guidelines for gas pipeline owners and operators in response to requests for more flexibility in meeting the requirements.

https://www.fedscoop.com/tsa-revises-cybersecurity-reqs-to-be-more-flexible-and-performance-based-for-gas-pipeline-owners-and-operators/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-20216

Title: Google Android permission vulnerability

Description: The vulnerability exists due to improperly imposed security restrictions in the Unisoc telephony component. A local application can execute arbitrary code with elevated privileges. The vulnerability affects the following Google Android versions: 10 up to 10 (2022-07-01 patch level), 11 up to 11 (2022-07-01 patch level), and 12 up to 12L (2022-07-01 patch level).

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-20222

Title: Google Android out-of-bounds vulnerability

Description: In read_attr_value of gatt_db.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Android versions: Android-12, Android-12L

Android ID: A-228078096

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-31209

Title: Buffer overflow vulnerability in Infiray IRAY-A8Z3 1.0.957 strcpy

Description: An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The firmware calls strcpy() without checking the length of the source string first, leaving a potential buffer overflow. Manipulation with an unknown input can lead to memory corruption.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
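The defect class behind CVE-2022-31209 is an unbounded strcpy() into a fixed-size buffer. The following is an added illustration written for this digest; it is not Infiray firmware code, and the buffer size, field name and helper functions are hypothetical. It places the unchecked pattern beside a hardened form that measures the input within the buffer bound, rejects anything that would not fit, and always leaves the destination terminated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field, e.g. a device label parsed from a request. */
#define NAME_BUF 16

/* The defect class named in the advisory: strcpy() into a fixed buffer with
 * no prior length check. Shown for contrast only and never called below,
 * because a source of NAME_BUF bytes or more writes past the end of dst. */
void copy_name_unchecked(char dst[NAME_BUF], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: look for the terminator within at most NAME_BUF bytes,
 * reject input that would not fit, then copy exactly len + 1 bytes so the
 * destination is always terminated. Returns false when input is rejected. */
bool copy_name_checked(char dst[NAME_BUF], const char *src)
{
    const char *nul = memchr(src, '\0', NAME_BUF); /* reads at most NAME_BUF bytes */
    if (nul == NULL) {                  /* no terminator inside the bound: too long */
        dst[0] = '\0';
        return false;
    }
    size_t len = (size_t)(nul - src);   /* len < NAME_BUF, so len + 1 fits */
    memcpy(dst, src, len + 1);          /* copies the terminator too */
    return true;
}

/* Small wrappers so the check can be exercised without exposing a buffer. */
bool name_accepted(const char *src)
{
    char buf[NAME_BUF];
    return copy_name_checked(buf, src);
}

size_t name_copied_len(const char *src)
{
    char buf[NAME_BUF];
    return copy_name_checked(buf, src) ? strlen(buf) : 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed. */
    const char *ok  = "thermal-cam-01";                 /* 14 chars + NUL */
    const char *bad = "thermal-cam-01-overlong-label";  /* 29 chars */
    printf("%-32s accepted=%d\n", ok, name_accepted(ok));
    printf("%-32s accepted=%d\n", bad, name_accepted(bad));
    return 0;
}
```

The boundary matters: a 15-character label is the longest that fits with its terminator, and a 16-character one is refused rather than silently truncated, which is the behaviour a parser of network-supplied fields should have so that rejected input can be logged and dropped.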


ID: CVE-2022-31211

Title: Missing authentication vulnerability in Infiray IRAY-A8Z3 1.0.957 TELNET service

Description: An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The TELNET service has a blank root password by default.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-2302

Title: Password authentication flaw in multiple Lenze products

Description: Multiple Lenze products of the cabinet series skip password verification on the second login. After a user has logged on to the device once, a remote attacker can gain full access without knowledge of the password.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3

MD5: 5741eadfc89a1352c61f1ff0a5c01c06

VirusTotal: https://www.virustotal.com/gui/file/ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3/details

Typical Filename: 3.exe

Claimed Product: N/A

Detection Name: W32.DFC.MalParent