Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft disclosed more than 80 vulnerabilities as part of Patch Tuesday, including several in PTP tunneling

Description: Microsoft released its monthly security update Tuesday, disclosing 84 vulnerabilities across the company’s hardware and software line, including seven critical issues in Windows’ Point-to-Point Tunneling Protocol. September's security update features 11 critical vulnerabilities, with the remainder rated “important.” One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. Several other SharePoint vulnerabilities are included in this month’s Patch Tuesday, though this one appears to be the most severe, as Microsoft considers it “more likely” to be exploited. To exploit this vulnerability, an attacker must be authenticated to the target site with the Manage Lists permission in SharePoint; with that access, the attacker can ultimately execute code remotely on the SharePoint server.

References: https://blog.talosintelligence.com/2022/10/microsoft-patch-tuesday-for-october.html

Snort SIDs: 60429, 60430 and 60627

Snort 3 SID: 300248


Title: Alchimist is a new attack framework, with a Chinese-language interface, for Mac, Linux and Windows

Description: Cisco Talos has discovered a new single-file command and control (C2) framework that its authors call "Alchimist [sic]." Talos researchers found this C2 on a server that had file listing enabled on its root directory, alongside a set of post-exploitation tools. Talos assesses with moderate-high confidence that this framework is being used in the wild. "Alchimist" is a 64-bit Linux executable written in Go and packed with assets, including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux. Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist's beacon implant; it is also written in Go and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server. The Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.

References: https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html

ClamAV signatures:

* Osx.Exploit.CVE_2021_4034-9951522-2

* Unix.Exploit.CVE_2021_4034-9951523-0

* Unix.Exploit.CVE_2021_4034-9951524-0

* Unix.Exploit.CVE_2021_4034-9951525-0

* Unix.Exploit.CVE_2021_4034-9951526-0

* Unix.Malware.Insekt-9955436-0

* Win.Malware.Insekt-9955440-0

* Unix.Malware.Alchimist-9955784-0

* Multios.Malware.Insekt-9961177-0

Snort SIDs: 58955 - 58956

Internet Storm Center Entries


Attacks responsible for disrupting some US airport and state government websites may have been the work of threat actors with ties to Russia.

https://www.npr.org/2022/10/10/1127902795/airport-killnet-cyberattack-hacker-russia

https://www.cnn.com/2022/10/05/politics/russian-hackers-state-government-websites/index.html


Hackers stole emails and sensitive information from the Mexican Defense Ministry.

https://www.nytimes.com/2022/10/06/world/americas/mexico-hack-government-military.html


Microsoft released updated mitigation recommendations for the “ProxyNotShell” vulnerabilities after security researchers uncovered ways to work around the company’s original guidance.

https://therecord.media/microsoft-updates-guidance-for-proxynotshell-bugs-after-researchers-get-around-mitigations/


Researchers discovered a vulnerability in an Ikea smart lighting system that could allow attackers to take control of lightbulbs and turn them all the way up while disabling the original user’s ability to control the lights through apps.

https://www.darkreading.com/application-security/ikea-smart-light-system-flaw-lets-attackers-turn-bulbs-on-full-blast


CommonSpirit Health, a US healthcare system, experienced an IT security issue and took systems offline.

https://www.nbcnews.com/tech/security/ransomware-attack-delays-patient-care-hospitals-us-rcna50919


Meta has notified more than one million Facebook users that their login information may have been stolen if they downloaded one of 400 malicious apps distributed through the iOS App Store and Google Play.

https://www.zdnet.com/article/facebook-users-warned-you-may-have-downloaded-these-password-stealing-android-and-ios-apps/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-36067

Title: Sandbox bypass vulnerability in vm2

Description: vm2 is a sandbox that can run untrusted code with a whitelist of Node.js built-in modules. In versions prior to 3.9.11, a threat actor can bypass the sandbox protections and gain remote code execution on the host running the sandbox. This vulnerability was patched in vm2 version 3.9.11. There are no known workarounds.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2022-41352

Title: Remote code execution vulnerability in Zimbra Collaboration Suite

Description: Zimbra Collaboration Suite (ZCS) has an actively exploited remote code execution vulnerability. It results from the unsafe use of the cpio utility; specifically, Zimbra's antivirus engine (Amavis) uses the vulnerable cpio application to scan inbound emails.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0

MD5: 10f1561457242973e0fed724eec92f8c

VirusTotal: https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details

Typical Filename: ntuser.vbe

Claimed Product: N/A

Detection Name: Auto.1A234656F8.211848.in07.Talos


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f

MD5: a779d230c944ef200bce074407d2b8ff

VirusTotal: https://www.virustotal.com/gui/file/63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f/details

Typical Filename: mediaget.exe

Claimed Product: MediaGet

Detection Name: W32.File.MalParent