Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: More than 120 vulnerabilities disclosed as part of Microsoft Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months. This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that is actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June. Two of the important vulnerabilities, CVE-2022-35743 and CVE-2022-34713, are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild, and it is the one Microsoft rates as “more likely” to be exploited.

References: https://blog.talosintelligence.com/2022/08/microsoft-patch-tuesday-for-august-2022.html

Snort SIDs: 60371 - 60380, 60382 - 60384, 60386 and 60387


Title: Attackers take advantage of new “C2-as-a-service” platform

Description: In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform. Since its initial release, Cisco Talos researchers observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.

References: https://blog.talosintelligence.com/2022/08/dark-utilities.html

Snort SIDs: 60319 - 60325

Internet Storm Center Entries


The U.S. Cybersecurity and Infrastructure Security Agency said Agent Tesla was the most prevalent malware it observed in 2021, followed by several other remote access trojans and information-stealers.

https://www.cisa.gov/uscert/ncas/alerts/aa22-216a


The U.K.’s National Health Service 111 resources were briefly disrupted after a suspected ransomware attack, leading to ambulance delays and leaving some patients unable to schedule appointments.

https://www.infosecurity-magazine.com/news/nhs-cyberattack-delays-ambulances/


A bug in Slack mistakenly exposed many users’ hashed passwords for more than five years.

https://www.wired.com/story/slack-hashed-passwords-exposed/


Many small-time, petty criminals are turning to online scams and phishing to make money, and it’s an issue that could affect everyday users at home and multi-national corporations.

https://blog.talosintelligence.com/2022/08/smalltime-cybercrime.html


Taiwan faced several cyber attacks targeting government websites and point-of-sale systems last week before, during and after U.S. House Speaker Nancy Pelosi’s visit.

https://www.reuters.com/technology/7-11s-train-stations-cyber-attacks-plague-taiwan-over-pelosi-visit-2022-08-04/


Twitter disclosed a campaign by threat actors to brute-force emails and phone numbers and try to match them up with Twitter usernames.

https://privacy.twitter.com/en/blog/2022/an-issue-affecting-some-anonymous-accounts


Industry groups are decrying a new plan from the U.S. Environmental Protection Agency to have water sanitation inspection firms also oversee cybersecurity reviews at water plants across the country.

https://www.cyberscoop.com/water-sector-epa-rules-change-misguided/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-34819
Title: Heap-based Buffer Overflow vulnerability in SINEMA Remote Connect Server (SRCS) VPN
Description: SINEMA Remote Connect allows end users to remotely access plants and machines and leverages VPN connections between the control center, service engineers and installed plants, according to Siemens. The application lacks proper validation of user-supplied data when parsing specific messages. This could result in a heap-based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the device.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2022-34820
Title: Command Injection vulnerability in Siemens products
Description: The application does not correctly escape some user provided fields during the authentication process. This could allow an attacker to inject custom commands and execute arbitrary code with elevated privileges.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-34821
Title: Code Injection vulnerability in Siemens SIMATIC CP 1242-7 V2 Open VPN
Description: By injecting code into specific configuration options for OpenVPN, an attacker could execute arbitrary code with elevated privileges.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201


SHA 256: 168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0

MD5: 311d64e4892f75019ee257b8377c723e

VirusTotal: https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0/details

Typical Filename: ultrasurf-21-32.exe

Claimed Product: N/A

Detection Name: W32.DFC.MalParent