Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Abode Systems home security kit could allow attacker to take over cameras, remotely disable them

Description: Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users to unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors. The devices communicate with the user via a website or an app on their mobile device and can connect to smart hubs such as Google Home, Amazon Alexa and Apple HomeKit. The vulnerabilities Talos discovered could lead to a variety of conditions, including giving attackers the ability to change users’ login passwords, inject code onto the device, manipulate sensitive device configurations, and cause the system to shut down. The devices contain several format string injection vulnerabilities in various functions of their software that could lead to memory corruption, information disclosure and denial of service. An attacker could send a malicious XML payload to trigger these vulnerabilities.

References:

- https://blog.talosintelligence.com/2022/10/vuln-spotlight-abode-.html

- https://techcrunch.com/2022/10/20/abode-security-flaws/

Snort SIDs: 60096-60099, 60100-60106, 60123-60126, 60215-60217, 60287, 60288, 60309-60311 and 60329-60336
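The format string injection class described above, shown in an added C example that is not Talos's or Abode's code: a hypothetical firmware logging wrapper (`fw_log`) receives an XML field value directly as its format string, next to the hardened form, plus a check a defender can apply to field values arriving from the network. Function names and the "device name" field are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper of the kind common in embedded firmware:
 * whatever arrives as 'fmt' is interpreted by vsnprintf. */
static int fw_log(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the value pulled from an XML element (attacker-
 * controlled) becomes the format string itself. A value such as "%x%x%n"
 * makes vsnprintf read, and with %n write, through arguments that were
 * never passed: memory corruption, information disclosure or a crash.
 * Kept only for contrast; never reached with untrusted data in this file. */
int log_device_name_unsafe(char *out, size_t out_len, const char *xml_value)
{
    return fw_log(out, out_len, xml_value);
}

/* Hardened form: fixed format string, the value travels as a %s argument,
 * so any '%' sequences inside it are copied literally. */
int log_device_name_safe(char *out, size_t out_len, const char *xml_value)
{
    return fw_log(out, out_len, "device name: %s", xml_value);
}

/* Defensive check for field values parsed from an incoming payload: true if
 * the value contains a conversion directive (any '%' not part of a literal
 * "%%"). Usable as an input-validation rule or a detection condition. */
bool has_format_directive(const char *value)
{
    for (const char *p = value; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        return true;
    }
    return false;
}
```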


Title: Cisco warns of high-severity vulnerabilities in Identity Services Engine

Description: Cisco disclosed multiple vulnerabilities last week in its Identity Services Engine software. Two of the issues, CVE-2022-20822 and CVE-2022-20959, could be exploited to read and delete files on a targeted device, or to execute arbitrary code or access sensitive information. Cisco’s PSIRT team said it believes proof-of-concept code for the vulnerabilities will become available in the wild following the disclosures. However, there is no evidence of these issues being exploited in the wild.

References:

- https://www.helpnetsecurity.com/2022/10/21/cve-2022-20822-cve-2022-20959/

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM

Snort SIDs: 60751, 60752

Internet Storm Center Entries


The Biden administration is preparing to release warnings about election security threats from Russia, China and other state-sponsored actors.

https://www.politico.com/news/2022/10/24/biden-election-infrastructure-national-security-warnings-00063134


PayPal is rolling out support for passkeys on Apple devices in the US.

https://techcrunch.com/2022/10/24/paypal-rolls-out-support-for-passkeys-on-apple-devices/


Apple fixed a zero-day vulnerability being used to target iPads and iPhones, the ninth such vulnerability this year.

https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-used-in-attacks-against-iphones-ipads/


Cisco Talos Incident Response says that ransomware and pre-ransomware activities rose over the past quarter, making up 40 percent of all engagements Talos IR worked on in the third quarter of 2022.

https://blog.talosintelligence.com/2022/10/quarterly-report-incident-response.html


The Hive ransomware group began leaking employee data it says it stole during a recent cyber attack on Tata Power, a leading power supplier in India.

https://techcrunch.com/2022/10/25/tata-power-hive-ransomware/


A recent cyber attack against Australian health insurance provider Medibank began with stolen login credentials that were sold on a Russian-language dark web forum.

https://www.theguardian.com/technology/2022/oct/24/medibank-hack-started-with-theft-of-staff-members-credentials-investigation-suggests


NATO's Secretary General says the alliance is reluctant to disclose precise circumstances under which a cyberattack would trigger Article 5.

https://thehill.com/policy/cybersecurity/3699052-when-would-a-cyberattack-trigger-a-nato-response-its-a-mystery/

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201


SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

MD5: f1fe671bcefd4630e5ed8b87c9283534

VirusTotal: https://www.virustotal.com/gui/file/58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681/details

Typical Filename: KMSAuto Net.exe

Claimed Product: KMSAuto Net

Detection Name: PUA.Win.Tool.Hackkms::1201


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02