Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft warns of “ProxyNotShell” vulnerabilities in Exchange Server

Description: Microsoft warned of two Exchange Server vulnerabilities, collectively referred to as “ProxyNotShell”, that have been actively exploited in the wild. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and CVE-2022-41082 enables Remote Code Execution (RCE) when the attacker can reach PowerShell; chained together, they let an attacker execute code on the targeted server. Both require authenticated access to the Exchange Server, so a valid set of mailbox credentials is the entry point. No fixes or patches are available yet, but Microsoft has provided mitigations for on-premises Microsoft Exchange users. Organizations that use Exchange Online may still be affected if they run a hybrid server. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns.

References:

- https://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html

- https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9

Snort SIDs: 27966-27968, 28323, 37245 and 42834-42838

ClamAV signatures: Asp.Backdoor.AntSword-9972727-1, Asp.Backdoor.Awen-9972728-0 and Asp.Backdoor.AntSword-9972729-0
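Because successful exploitation needs valid credentials and a request that passes through Autodiscover to the PowerShell backend, the quickest triage on an on-premises server is to hunt the IIS access logs for that request shape. The script below is an added example, not part of this advisory or of Microsoft's guidance: the log lines are constructed, the field order is the default IIS W3C layout (assumption: adjust LOG_FIELDS to your servers' `#Fields:` header), and the `autodiscover.json` / `powershell` token pair follows the shape of Microsoft's published hunting guidance for these CVEs. It also contrasts a narrow rule that insists on an incidental literal `@` and matches the raw, still percent-encoded URI with a rule that decodes first and keys only on the essential tokens; this is an illustration of the general failure mode behind the "mitigation can be bypassed" report further down the page, not a reproduction of the specific bypass the researchers found.

```python
"""Hunt IIS logs for ProxyNotShell-style requests; compare narrow vs robust matching.
Added example with constructed log data; not the advisory's or Microsoft's code."""
import re
from urllib.parse import unquote

# Default W3C field order for IIS access logs. Assumption: Exchange servers may log
# extra fields; change this list to match the #Fields: header of your own logs.
LOG_FIELDS = (
    "date time s_ip method uri_stem uri_query port username c_ip "
    "user_agent referer status substatus win32_status time_taken"
).split()

# Constructed sample log (synthetic; documentation and private address ranges only).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-03 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 contoso\\alice 198.51.100.20 Microsoft+Office/16.0 - 200 0 0 45
2022-10-03 10:00:02 10.0.0.5 POST /powershell - 443 contoso\\admin 10.0.0.50 Microsoft+WinRM+Client - 200 0 0 120
2022-10-03 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.com/powershell 443 contoso\\bob 203.0.113.9 python-requests/2.28.1 - 200 0 0 310
2022-10-03 10:00:04 10.0.0.5 POST /autodiscover/autodiscover.json %40contoso.com/PowerShell 443 contoso\\bob 203.0.113.9 python-requests/2.28.1 - 200 0 0 298
2022-10-03 10:00:05 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.21 Mozilla/5.0 - 200 0 0 12
"""

# Narrow rule: demands a literal '@' between the two tokens and is meant to be run
# against the raw URI. Any variation in that incidental character, or percent-encoding
# of it, slips past.
NARROW = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Robust rule: decode the URI first, then require only the two tokens that the
# hunting guidance ties together. Fewer assumptions about the attacker's exact string.
ROBUST = re.compile(r"autodiscover\.json.*powershell", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request line, skipping '#' directive lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(LOG_FIELDS):
            continue  # field layout mismatch: fix LOG_FIELDS rather than guess
        rec = dict(zip(LOG_FIELDS, parts))
        query = "" if rec["uri_query"] == "-" else "?" + rec["uri_query"]
        rec["raw_uri"] = rec["uri_stem"] + query
        rec["decoded_uri"] = unquote(rec["raw_uri"])
        yield rec


def hunt(text, pattern=ROBUST, decode=True):
    """Return (time, client_ip, status, raw_uri) for every request the pattern flags.

    Hits with a 200 status and a non-empty cs-username are the ones to escalate first:
    the advisory notes exploitation requires authenticated access.
    """
    hits = []
    for rec in parse_iis_log(text):
        target = rec["decoded_uri"] if decode else rec["raw_uri"]
        if pattern.search(target):
            hits.append((rec["time"], rec["c_ip"], rec["status"], rec["raw_uri"]))
    return hits


if __name__ == "__main__":
    # The narrow rule misses the percent-encoded variant; the robust rule catches both.
    print("narrow:", hunt(SAMPLE_LOG, NARROW, decode=False))
    print("robust:", hunt(SAMPLE_LOG))
```

On the server itself the same token pair can be applied with Select-String over the IIS log directory; whichever tool is used, decode the URI before matching and correlate hits against the authenticated user and client IP rather than treating a single match as proof of compromise.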


Title: New malware builder used to deliver updated version of Agent Tesla

Description: Security researchers recently discovered a malware builder being sold on the dark web known as “Quantum Builder.” Attackers are using it to deliver an updated version of the Agent Tesla trojan, which is known for spying on user activity and logging keystrokes. Quantum Builder can generate malicious Windows shortcut (.lnk) files and has previously been linked to the Lazarus Group APT. In this campaign the attackers send targets a spear-phishing email with a GZIP archive attachment; the archive contains a malicious shortcut that executes PowerShell code when opened.

References:

- https://www.csoonline.com/article/3675536/malware-builder-uses-fresh-tactics-to-hit-victims-with-agent-tesla-rat.html

Snort SIDs: 60638, 60639

Internet Storm Center Entries


Researchers say that Microsoft's suggested mitigations for vulnerabilities in Exchange Server can be easily bypassed.

https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/


A hacking group with ties to North Korea has been using Trojanized open-source apps to compromise organizations in the media, defense and aerospace, and IT industries.

https://arstechnica.com/information-technology/2022/09/north-korean-threat-actors-are-weaponizing-all-kinds-of-open-source-apps/


A new Go-based IoT malware called “Chaos” is compromising Windows and Linux devices to build a botnet for distributed denial-of-service attacks.

https://www.zdnet.com/article/chaos-iot-malware-taps-go-language-to-harvest-windows-linux-for-ddos-attacks/


The Witchetty espionage group is using a backdoor that leverages steganography.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage


Hackers have leaked more than 500 GB of data stolen during a recent ransomware attack on the Los Angeles Unified School District (LAUSD).

https://techcrunch.com/2022/10/03/los-angeles-school-district-ransomware-data/


Attackers are using the browser-in-the-browser (BitB) technique against users of the video game storefront Steam, stealing their login credentials with fake pop-up windows and tabs that imitate a legitimate sign-in prompt.

https://www.darkreading.com/attacks-breaches/steam-gaming-phish-showcases-browser-in-browser-threat

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-41040 and CVE-2022-41082

Title: Microsoft Exchange Server multiple vulnerabilities

Description: The first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. Note that authenticated access to the vulnerable Exchange Server is required to exploit either vulnerability, which is reflected in the PR:L component of the CVSS vector below.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2022-41429

Title: Heap-based overflow vulnerability in Axiomatic Bento4 mp4tag AP4_Atom::TypeFromString function

Description: The flaw is in the AP4_Atom::TypeFromString function of the mp4tag component. Processing a crafted input, the details of which have not been published, can trigger a heap-based buffer overflow and corrupt memory.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2022-41430

Title: Heap-based overflow vulnerability in Axiomatic Bento4 mp4mux ReadBit function

Description: The flaw is in the AP4_BitReader::ReadBit function of the mp4mux component. Processing a crafted input, the details of which have not been published, can trigger a heap-based buffer overflow and corrupt memory.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

MD5: f1fe671bcefd4630e5ed8b87c9283534

VirusTotal: https://www.virustotal.com/gui/file/58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681/details

Typical Filename: KMSAuto Net.exe

Claimed Product: KMSAuto Net

Detection Name: PUA.Win.Tool.Hackkms::1201


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f

MD5: a779d230c944ef200bce074407d2b8ff

VirusTotal: https://www.virustotal.com/gui/file/63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f/details

Typical Filename: mediaget.exe

Claimed Product: MediaGet

Detection Name: W32.File.MalParent