Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: ModernLoader delivers multiple stealers, cryptominers and RATs

Description: Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary. The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Because of the use of off-the-shelf tools, the group improves its operational security and there are no obvious signs of who the actor behind the attacks is, except that they likely speak Russian.

References: https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

Snort SIDs: 60437 - 60440


Title: LockBit ransomware group looking to add DDoS attacks to its arsenal

Description: The LockBit ransomware group is hoping to double down on its triple extortion efforts after a recent distributed denial-of-service attack against its leaks website. The group’s public leader posted on a popular forum that it was improving its DDoS defenses after a recent hacking-back attempt from a security firm, and was also looking to add DDoS experts to its team to start triple extortion attacks. This means LockBit would steal victim’s data, threaten to leak it online, and if the target doesn’t pay the extortion payment, LockBit would target it with DDoS attacks. The group also claims to have 300GB of data stolen from software make Entrust.

References: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/

Snort SIDs: 54910 – 54917, 58023

Internet Storm Center Entries


Nobelium, the threat actor known for the infamous SolarWinds supply chain attack, has a new tool called MagicWeb that allows them to maintain access to compromised environments.

https://www.scmagazine.com/news/network-security/magicweb-gives-nobelium-threat-group-persistent-access-to-compromised-systems


New cryptocurrency mining malware disguises itself as the Google Translate desktop app and other legitimate pieces of software, waiting at least a month before starting to zap computers’ power.

https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/


Apple updates scheduled for release this fall will support the passkey standard, which requires users to have two-factor authentication (2FA) enabled on their accounts; Apple says that 95 percent of iCloud users already have 2FA enabled.

https://9to5mac.com/2022/08/27/passkeys-two-factor-apple-use/


An attack on a major service provider for the U.K.’s National Health Service is leading to a backlog of paper medical records, and it could still take up to 12 weeks to get all affected services back online.

https://www.bbc.com/news/technology-62725363


Montenegro’s government is struggling to recover from a cyber attack that disrupted online services for several ministries and agencies.

https://therecord.media/montenegro-struggles-to-recover-from-cyberattack-that-officials-blame-on-russia/


The U.S. Federal Trade Commission is suing data broker Kochava for selling sensitive geolocation information.

https://www.vice.com/en/article/z343kw/ftc-sues-data-broker-kochava-selling-location-data-abortion-clinics


Chinese state-sponsored actor TA423 is using a new Australian-focused watering hole attack to spread the ScanBox JavaScript-based reconnaissance tool.

https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/


The FBI is warning of an increase in cyber criminals exploiting vulnerabilities in decentralized finance (DeFi) platforms to steal cryptocurrency.

https://www.ic3.gov/Media/Y2022/PSA220829


The U.S. Cybersecurity and Infrastructure Security Agency announced new guidelines to help organizations prepare for the threat of quantum computing.

https://www.zdnet.com/article/quantum-computing-poses-cyber-threats-to-critical-infrastructure-action-to-secure-it-is-needed-now-warns-cisa/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-34918

Title: Type Confusion vulnerability in the Linux Kernel

Description: An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-32081

Title: Use after poison vulnerability in MariaDB

Description: MariaDB v10.4 to v10.7 was discovered to contain a use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Prevalent Malware Files



COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121

MD5: 9066dff68c1d66a6d5f9f2904359876c

VirusTotal: https://www.virustotal.com/gui/file/f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121/details

Typical Filename: dota-15_id3622928ids1s.exe

Claimed Product: N/A

Detection Name: W32.F21B040F7C.in12.Talos


SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991