Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Infamous Russian state-sponsored actor launches new campaign in Ukraine

Description: Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint. This campaign aligns with Gamaredon’s past motivations of targeting Ukraine since Russia’s invasion.

References: https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html

Snort SIDs: 60517 - 60539


Title: Microsoft warns of zero-day affecting all versions of Windows

Description: Microsoft is warning of a zero-day vulnerability affecting all versions of Windows that the company disclosed last week as part of Patch Tuesday. Since the initial disclosure, the U.S. Cybersecurity and Infrastructure Security Agency has warned federal agencies to patch the vulnerability in the Windows Common Log File System Driver as soon as possible. CVE-2022-37969 could allow an attacker to gain SYSTEM-level privileges, which could be used to make changes on the targeted device or to carry out follow-on attacks. Microsoft warned that users running Windows 11 and earlier, as well as Windows Server 2008 and Windows Server 2012, are affected.

References:

- https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-windows-ios-bugs-used-in-attacks/

- https://techcrunch.com/2022/09/14/microsoft-zero-day-windows/

Snort SIDs: 60555 - 60558

Internet Storm Center Entries


The U.S. Department of Justice has charged Iranian nationals with a string of cyber attacks against critical infrastructure, including power companies and local governments.

https://apnews.com/article/technology-iran-violence-new-jersey-united-states-76c970bd4f1cdac3dc6bffa7ce925961


Uber said the Lapsus$ ransomware group was behind a recent data breach on the company’s networks.

https://www.zdnet.com/article/uber-blames-security-breach-on-lapsus-says-they-bought-credentials-on-the-dark-web/


U.S. Customs and Border Protection officials are building a database of information from travelers who have had their cellphones, tablets and computers seized at U.S. airports, seaports and border crossings.

https://www.washingtonpost.com/technology/2022/09/15/government-surveillance-database-dhs/


A data leak from video game developer Rockstar revealed new details of the upcoming “Grand Theft Auto VI” game.

https://www.vice.com/en/article/n7zd4m/rockstar-confirms-gta6-hack-was-real


The police department in Suffolk County, New York is having to rely on the New York Police Department for assistance after a cyber attack disrupted its 911 call center and other services.

https://www.nbcnewyork.com/news/local/suffolk-county-hack-cripples-911-call-center-and-police-hq-as-they-turn-to-nypd-for-help/3871797/


Bosnia and Herzegovina is investigating a cyber attack that’s disrupted its parliament’s operations for nearly two weeks.

https://therecord.media/bosnia-and-herzegovina-investigating-alleged-ransomware-attack-on-parliament/


Password manager LastPass says no customer data was affected in a recent data breach.

https://www.engadget.com/lastpass-hacked-no-user-data-was-compromised-064640557.html


Former Twitter head of security Peiter “Mudge” Zatko testified before U.S. Congress last week, warning members of the Judiciary Committee that their personal data is at risk because of the social media company’s security policies.

https://www.politico.com/news/2022/09/13/whistleblower-zatko-testimony-agrawal-twitter-00056291

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-33643

Title: Out of bounds read vulnerability in libtar Tar File malloc

Description: The vulnerability affects the malloc call in the Tar File Handler. An attacker who submits a crafted tar file whose header struct has a size field of 0 may be able to trigger a call to malloc(0) for the variable gnu_longlink, causing an out-of-bounds read.

CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)


ID: CVE-2021-33644

Title: Out of bounds read vulnerability in libtar Tar File malloc gnu_longname

Description: The vulnerability affects the malloc call in the Tar File Handler. An attacker who submits a crafted tar file whose header struct has a size field of 0 may be able to trigger a call to malloc(0) for the variable gnu_longname, causing an out-of-bounds read.

CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)


ID: CVE-2021-33645

Title: Memory leak vulnerability in libtar th_read

Description: The vulnerability affects the th_read function. The th_read() function does not free the variable t->th_buf.gnu_longlink after allocating memory for it, which may cause a memory leak.

CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


ID: CVE-2021-33646

Title: Memory leak vulnerability in libtar th_read

Description: The vulnerability affects the th_read function. The th_read() function does not free the variable t->th_buf.gnu_longname after allocating memory for it, which may cause a memory leak.

CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: c326d1c65c72eb66f5f5c0a84b1dcf3e8a79b69fffbd7a6e232b813ffbb23254

MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1

VirusTotal: https://www.virustotal.com/gui/file/c326d1c65c72eb66f5f5c0a84b1dcf3e8a79b69fffbd7a6e232b813ffbb23254/details

Typical Filename: RunFallGuys.exe

Claimed Product: N/A

Detection Name: W32.Auto:c326d1.in03.Talos


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201