SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cobalt Strike still playing major role on threat landscape
Description: Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic.
Snort SIDs: 60600
ClamAV signatures: Win.Packed.Generic-9956955-0, Win.Malware.CobaltStrike-9968593-1, Win.Dropper.AgentTesla-9969002-0, Win.Dropper.Swisyn-9969191-0, Win.Trojan.Swisyn-9969193-0, Win.Malware.RedlineStealer-9970633-0
Title: Vulnerabilities in popular library affect Unix-based devices
Description: Cisco Talos recently discovered a memory corruption vulnerability in the uClibC library that could affect any Unix-based devices that use this library. uClibC and uClibC-ng are lightweight replacements for the popular gLibc library, which is the GNU Project's implementation of the C standard library. CVE-2022-29503 and CVE-2022-29504 are memory corruption vulnerabilities in uClibC and uClibc-ng that can occur if a malicious user repeatedly creates threads. Many embedded devices utilize this library, but Talos specifically confirmed that the Anker Eufy Homebase 2, version 126.96.36.199h, is affected by this vulnerability.