Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Apache Commons vulnerability in the spotlight after proof-of-concept code becomes available

Description: Security researchers are warning users to patch for a recently disclosed critical vulnerability in Apache Commons Text that could allow an unauthenticated attacker to execute code remotely on servers running applications with the affected component. CVE-2022-42889 has a CVSS severity score of 9.8 out of a possible 10.0. Proof-of-concept code for the vulnerability is already available, though as of Tuesday there were no reports of the vulnerability being exploited in the wild. Apache released a patch for this vulnerability back in September, though it did not release an advisory on the issue until this week. Researchers and admins have continually focused on Apache software since last year's Log4Shell vulnerability.

References: https://www.darkreading.com/application-security/researchers-keep-a-wary-eye-on-critical-new-vulnerability-in-apache-commons-text

Snort SIDs: 60737 - 60742


Title: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service

Description: Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system commands remotely. The Robustel R1510 router is a dual-Ethernet-port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes support for open VPN tunneling, a cloud management platform to manage other devices and routers, and various safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All five of these vulnerabilities have a CVSS severity score of 9.1 out of 10.

References: https://blog.talosintelligence.com/2022/10/vuln-spotlight-robustel-router.html

Snort SIDs: 60007 - 60035, 60388 - 60391, 60393 and 60455

Internet Storm Center Entries


A massive leak of classified documents from the Colombian government mistakenly revealed the identities of undercover agents who were working in Australia to stop drug cartel activity.

https://www.smh.com.au/national/secret-agents-targeting-drug-cartels-in-australia-exposed-in-data-hack-20221004-p5bmzg.html


Microsoft Office 365 Message Encryption (OME) uses the Electronic Codebook (ECB) method for encrypting emails, which can leak information about the messages' structure.

https://labs.withsecure.com/advisories/microsoft-office-365-message-encryption-insecure-mode-of-operation


A novel ransomware campaign is targeting IT systems of organizations in the transportation and related logistics industries in Ukraine and Poland.

https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/


Microsoft had not been updating a promised blocklist of malicious drivers, opening users to potential "bring your own vulnerable driver" cyber attacks.

https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/


In the annual security lecture at the Royal United Services Institute, the director of the UK's GCHQ said that China is working to gain "strategic advantage by shaping the world's technology ecosystem."

https://www.bbc.com/news/uk-63207771

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2022-42889

Title: Remote code execution vulnerability in Apache Commons Text

Description: An arbitrary code execution vulnerability was reported in the Apache Commons Text library (Text4Shell). The vulnerability exists when StringSubstitutor is used with the default interpolators object. It could be exploited to trigger arbitrary code execution when untrusted input is passed to certain StringSubstitutor methods.

Note: This vulnerability is NOT as serious as "Log4Shell" as hyped by some articles online. We have extensively analyzed this vulnerability and it was found that very few projects make use of the vulnerable Apache Commons Text interpolation methods. Moreover, the vulnerability only affects Apache Commons Text versions starting from 1.5 to 1.9.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
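The entry above gives an affected version range (1.5 through 1.9), which is the first thing an administrator needs when prioritizing remediation. The following is an added inventory check, not code from the newsletter or from Apache: it takes jar paths and Maven coordinates (the sample list is constructed), extracts the Commons Text version, and flags copies in that range. The one point worth getting right is the comparison itself: versions must be compared numerically, because a lexical comparison would treat "1.10.0" as older than "1.9".

```python
"""
Constructed inventory check for CVE-2022-42889 (Text4Shell).

Given jar file paths or Maven coordinates, report copies of Apache
Commons Text whose major.minor version falls in the affected range
1.5 <= version <= 1.9 stated in the advisory entry above.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Affected range from the entry above, inclusive, compared on major.minor.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)

# Jar file name such as "lib/commons-text-1.9.jar" (any path separator).
_JAR_RE = re.compile(r"(?:^|[/\\])commons-text-(\d+(?:\.\d+)*)\.jar$")
# Maven coordinate such as "org.apache.commons:commons-text:1.10.0".
_COORD_RE = re.compile(r"^org\.apache\.commons:commons-text:(\d+(?:\.\d+)*)$")

# Constructed sample inventory: what a classpath listing or dependency
# report might contain. Only two of these are Commons Text in range.
SAMPLE_ARTIFACTS = [
    "lib/commons-text-1.9.jar",
    "lib/commons-lang3-3.12.0.jar",
    "org.apache.commons:commons-text:1.10.0",
    "org.apache.commons:commons-text:1.6",
    "lib/commons-text-1.4.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so that tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def commons_text_version(artifact: str) -> Optional[str]:
    """Return the Commons Text version embedded in a jar path or Maven
    coordinate, or None if the artifact is not Commons Text at all."""
    for pattern in (_JAR_RE, _COORD_RE):
        match = pattern.search(artifact.strip())
        if match:
            return match.group(1)
    return None


def is_affected(version: str) -> bool:
    """True if the version's major.minor lies within [1.5, 1.9].

    Comparing on the first two components means 1.9.0 is treated like 1.9,
    while 1.10.0 becomes (1, 10) and is correctly outside the range.
    """
    parts = parse_version(version)
    major_minor = (parts + (0, 0))[:2]  # pad a bare "1" to (1, 0)
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def scan(artifacts: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs for every affected Commons Text copy,
    in input order. Non-Commons-Text artifacts are ignored."""
    flagged = []
    for artifact in artifacts:
        version = commons_text_version(artifact)
        if version is not None and is_affected(version):
            flagged.append((artifact, version))
    return flagged


if __name__ == "__main__":
    for artifact, version in scan(SAMPLE_ARTIFACTS):
        print(f"AFFECTED (CVE-2022-42889): {artifact} -> commons-text {version}")
```

Feed the function the output of whatever produces your dependency list (a classpath dump, `mvn dependency:list`, or a jar listing); it only recognizes the two naming forms shown, so shaded or renamed jars need a different source of version information.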


ID: CVE-2022-3236

Title: Remote code execution vulnerability in Sophos Firewall

Description: A critical-severity, actively exploited remote code execution vulnerability in Sophos Firewall products. The vulnerability exists in the User Portal and Webadmin of Sophos Firewall. This code injection vulnerability can allow an attacker to execute commands remotely on the affected systems.

CISA has also added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

MD5: df0b88dafe7a65295f99e69a67db9e1b

VirusTotal: https://www.virustotal.com/gui/file/f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429/details

Typical Filename: avi.exe

Claimed Product: N/A

Detection Name: Gen:Variant.Lazy.228707


SHA 256: 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c

MD5: 3d1212389bfcdc91be084e6c093a32a1

VirusTotal: https://www.virustotal.com/gui/file/93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c/details

Typical Filename: sysrdsvms.exe

Claimed Product: N/A

Detection Name: Gen:Trojan.FWDisable.emW@a8FOMod


SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431

MD5: 147c7241371d840787f388e202f4fdc1

VirusTotal: https://www.virustotal.com/gui/file/36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431/details

Typical Filename: eksplorasi.exe

Claimed Product: N/A

Detection Name: W32.Generic:Rontokbromm.21dz.1201