Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Cobalt Strike still playing major role on threat landscape

Description: Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high-reputation domain configured, exhibiting the redirection technique used to disguise the beacon's traffic.

References: https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html

Snort SIDs: 60600

ClamAV signatures: Win.Packed.Generic-9956955-0, Win.Malware.CobaltStrike-9968593-1, Win.Dropper.AgentTesla-9969002-0, Win.Dropper.Swisyn-9969191-0, Win.Trojan.Swisyn-9969193-0, Win.Malware.RedlineStealer-9970633-0


Title: Vulnerabilities in popular library affect Unix-based devices

Description: Cisco Talos recently discovered a memory corruption vulnerability in the uClibc library that could affect any Unix-based devices that use this library. uClibc and uClibc-ng are lightweight replacements for the popular glibc library, which is the GNU Project's implementation of the C standard library. CVE-2022-29503 and CVE-2022-29504 are memory corruption vulnerabilities in uClibc and uClibc-ng that can occur if a malicious user repeatedly creates threads. Many embedded devices use this library, but Talos specifically confirmed that the Anker Eufy Homebase 2, version 2.1.8.8h, is affected by this vulnerability.

References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1517

Internet Storm Center Entries


Ukraine warned the international community that Russian state-sponsored threat actors are planning "massive cyberattacks" against critical infrastructure in Ukraine and its allies.

https://www.cyberscoop.com/ukrainians-warn-of-massive-cyberattacks/


Messaging app WhatsApp disclosed a vulnerability in older versions of the software that an attacker could exploit to execute arbitrary code on a target’s phone.

https://www.theverge.com/2022/9/27/23374468/whatsapp-bug-video-call-vulnerability-cve


A teen was arrested in the U.K. for their alleged involvement in recent data breaches against Uber and video game developer Rockstar.

https://gizmodo.com/hacker-arrest-rockstar-games-uber-lapsus-1849573312


Microsoft released an out-of-band patch for a medium-severity vulnerability in its Endpoint Configuration Manager solution that could allow attackers to move laterally across a network.

https://www.securityweek.com/microsoft-issues-out-band-patch-flaw-allowing-lateral-movement-ransomware-attacks


U.S. colleges are increasingly using third-party services to monitor and track students who are involved with protests on campus.

https://pulitzercenter.org/stories/tracked-how-colleges-use-ai-monitor-student-protests

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-21797

Title: Remote code execution vulnerability in Joblib

Description: All versions of the joblib package before 1.2.0 are vulnerable to arbitrary code execution via the pre_dispatch argument of the Parallel() class, because its value is passed to an eval() statement.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
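The root cause above is a user-supplied string reaching eval(). As an added example (not joblib's own code), the parser below accepts only the documented shapes of pre_dispatch (an integer, "all", or "<k>*n_jobs") and rejects everything else, so no expression is ever evaluated; the handling of "all" as "no limit" (returned as None) and the requirement that n_jobs already be a positive integer are this example's own conventions.

```python
import re

# Only the documented "<k>*n_jobs" form is recognised, e.g. "2*n_jobs".
# Anything outside this grammar is refused rather than handed to eval().
_PRE_DISPATCH_RE = re.compile(r"^\s*(\d+)\s*\*\s*n_jobs\s*$")


def parse_pre_dispatch(pre_dispatch, n_jobs):
    """Return the number of tasks to pre-dispatch for a resolved n_jobs.

    pre_dispatch may be a positive int, the string "all" (meaning no limit,
    returned as None in this example), or a string "<k>*n_jobs" with k >= 1.
    Any other value raises ValueError/TypeError instead of being evaluated.
    """
    if not isinstance(n_jobs, int) or isinstance(n_jobs, bool) or n_jobs < 1:
        raise ValueError("n_jobs must be a resolved positive integer")

    # bool is a subclass of int; refuse it explicitly so True/False do not
    # silently become 1/0.
    if isinstance(pre_dispatch, bool):
        raise TypeError("pre_dispatch must be an int or str, not bool")
    if isinstance(pre_dispatch, int):
        if pre_dispatch < 1:
            raise ValueError("pre_dispatch must be a positive integer")
        return pre_dispatch
    if not isinstance(pre_dispatch, str):
        raise TypeError("pre_dispatch must be an int or str")

    if pre_dispatch.strip() == "all":
        return None  # no pre-dispatch limit

    match = _PRE_DISPATCH_RE.match(pre_dispatch)
    if match is None:
        # Arbitrary expressions ("2*n_jobs+1", "2**n_jobs", ...) are rejected.
        raise ValueError("pre_dispatch must be an int, 'all' or '<k>*n_jobs'")
    factor = int(match.group(1))
    if factor < 1:
        raise ValueError("the multiplier in '<k>*n_jobs' must be at least 1")
    return factor * n_jobs


def is_valid_pre_dispatch(pre_dispatch, n_jobs):
    """True if parse_pre_dispatch() accepts the value, False otherwise."""
    try:
        parse_pre_dispatch(pre_dispatch, n_jobs)
    except (ValueError, TypeError):
        return False
    return True
```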


ID: CVE-2022-36934

Title: Heap based buffer overflow vulnerability in WhatsApp

Description: An integer overflow in WhatsApp for Android prior to v2.22.16.12, WhatsApp Business for Android prior to v2.22.16.12, WhatsApp for iOS prior to v2.22.16.12 and WhatsApp Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call. The vulnerability affects an unspecified part of the Video Call Handler component.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0

MD5: 10f1561457242973e0fed724eec92f8c

VirusTotal: https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details

Typical Filename: ntuser.vbe

Claimed Product: N/A

Detection Name: Auto.1A234656F8.211848.in07.Talos


SHA 256: c326d1c65c72eb66f5f5c0a84b1dcf3e8a79b69fffbd7a6e232b813ffbb23254

MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1

VirusTotal: https://www.virustotal.com/gui/file/c326d1c65c72eb66f5f5c0a84b1dcf3e8a79b69fffbd7a6e232b813ffbb23254/details

Typical Filename: RunFallGuys.exe

Claimed Product: N/A

Detection Name: W32.Auto:c326d1.in03.Talos


SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431

MD5: 147c7241371d840787f388e202f4fdc1

VirusTotal: https://www.virustotal.com/gui/file/36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431/details

Typical Filename: EKSPLORASI.EXE

Claimed Product: N/A

Detection Name: Win32.Generic.497796