Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Apple releases patches for iPad OS, iOS

Description: Apple released security updates for iPhones, iPads and Mac desktops last week, warning of two security vulnerabilities that attackers were actively exploiting in the wild. The two security issues exist in WebKit, the browser engine for Safari and other Apple apps. Apple said one vulnerability could be exploited if a targeted device processed attacker-created content, leading to code execution, while the other could lead to arbitrary code execution with kernel privileges. The flaws affect iOS, iPadOS and macOS Monterey, including older models of the iPhone and iPad.

References: https://techcrunch.com/2022/08/17/iphone-ipad-mac-zero-days/

Snort 3 SIDs: 300244


Title: Cisco patches high-severity vulnerability in AsyncOS

Description: Cisco released patches for a high-severity vulnerability in AsyncOS for Cisco Secure Web Appliance. CVE-2022-20871 exists because the software improperly validates user input from the web interface. An attacker could exploit this vulnerability by authenticating to the targeted system and then elevating their privileges to root. However, the attacker first needs to acquire appropriate read-only credentials. Cisco stated in a security advisory that it is not aware of any exploitation attempts of this vulnerability in the wild.

References:

- https://www.securityweek.com/cisco-squashes-high-severity-bug-web-protection-solution

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-8PdRU8t8

Snort SIDs: 60424 - 60427

Internet Storm Center Entries


Google says its Cloud Armor Adaptive Protection blocked the largest attempted Layer 7 distributed denial-of-service attack in history, which maxed out at 46 million requests per second.

https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps


The newest Android operating system, 13, includes several new security features and settings, including the ability for users to more easily tweak data permissions app-by-app.

https://www.wired.com/story/android-13-privacy-security-settings/


Threat actors have already developed ways to bypass certain security settings in Android 13, potentially allowing them to deploy malware that has higher permissions by default.

https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/


The US House of Representatives passed an amendment to its military spending budget that would require the Department of Defense to disclose any purchases of smartphone or web browsing data that would otherwise require a warrant.

https://gizmodo.com/pentagon-budget-force-data-purchase-disclosure-ndaa-1849432085


The FBI warned of an increase in credential-stuffing attacks in which attackers are hijacking home IP addresses to hide their activity.

https://www.infosecurity-magazine.com/news/fbi-beware-residential-ips/


The former head of Twitter security says the company is not doing enough to crack down on spam attacks and bot accounts.

https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/


The Clop ransomware gang recently compromised a U.K. water utility manager, though it mistakenly claimed to have leaked data from the wrong water company.

https://www.darkreading.com/attacks-breaches/clop-ransomware-gang-breaches-water-utility

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-27255

Title: Buffer overflow vulnerability in the Realtek AP-Router SDK

Description: In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-36728

Title: SQL injection vulnerability in Library Management System v1.0

Description: Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the RollNo parameter at /staff/delstu.php.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201