Interesting News from Around The Security Community
- According to the Kremlin, a speech from Russian President Vladimir Putin had to be delayed by one hour on Friday after a cyber attack stopped entrance badges from working at the venue where he was scheduled to appear.
- A new law introduced in the U.S. Senate would ban the sale of health and location data harvested from smartphones.
- Cloudflare recently mitigated a distributed denial-of-service (DDoS) attack that peaked at 26 million requests per second. The botnet used in the attack comprised just over 5,000 devices.
  https://www.zdnet.com/article/a-tiny-botnet-launched-the-largest-ddos-attack-on-record/
- A Chinese state-sponsored actor known as Aoqin Dragon has been operating since 2013, mainly conducting espionage campaigns.
- A phishing campaign on Facebook Messenger has successfully hit more than 10 million users over the past few months, tricking targets into handing over their login credentials.
  https://threatpost.com/acebook-messenger-scam/179977/
Notable Recent Security Issues
The BlackCat ransomware group becomes one of the most widely spread families
Description: Threat actors are deploying the BlackCat ransomware-as-a-service (RaaS) family more and more widely, moving it up the ranks of the most-used RaaS offerings. Security researchers have seen several distinct threat groups deploy BlackCat; in the intrusions Microsoft describes, attackers most often gain initial access through unpatched Microsoft Exchange Server instances with widely known vulnerabilities and then use Mimikatz to dump credentials. Microsoft found that two of the most prolific ransomware affiliate groups recently switched away from other families such as Conti in favor of BlackCat. BlackCat deployments have been observed across the globe, including Africa, North America, South America, Asia and Europe.
References: https://duo.com/decipher/prolific-affiliate-threat-groups-linked-to-blackcat-ransomware
Cisco patches critical, high-severity vulnerabilities in Email Security Appliance, home routers
Description: Cisco patched several significant vulnerabilities last week and disclosed others in end-of-life routers that it will not fix. One critical vulnerability affects the Email Security Appliance and the Secure Email and Web Manager. Any virtual or hardware appliance running a vulnerable version of AsyncOS is affected, and exploitation could allow an attacker to bypass the security protections in place on the device. A fix is also out for a high-severity issue in the same products that could let an adversary obtain information from an LDAP external authentication server connected to the vulnerable appliance. Another issue, CVE-2022-20825, could allow an unauthenticated attacker to execute code remotely on several models of Cisco's RV series routers; however, those devices have reached end-of-life and the vulnerability will not be patched.
References: https://www.securityweek.com/cisco-patches-critical-vulnerability-email-security-appliance
Recent Vulnerabilities with Available Exploits
This is a list of recent vulnerabilities for which exploits are available. System administrators can use it to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2022-29797
Buffer Overflow vulnerability in Huawei CV81-WDM FW
Description: Because of improper bounds checking, the Huawei CV81-WDM FW is vulnerable to a buffer overflow. A remote attacker could overflow the buffer and gain elevated access to the system by sending a carefully crafted request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-31446
Remote code execution vulnerability in Tenda AC18 router V15.03.05.19 and V15.03.05.05
Description: Tenda AC18 router firmware versions V15.03.05.19 and V15.03.05.05 were discovered to contain a remote code execution (RCE) vulnerability via the Mac parameter of the ip/goform/WriteFacMac endpoint. Manipulating the Mac argument with a crafted value leads to privilege escalation.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
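The Tenda entry names one endpoint and one parameter, which is enough to write a detection while the routers are being located and replaced. The following is an added example, not code from the page, Tenda or Qualys: it scans common-log-format access log lines (constructed here, not real traffic) for requests to /goform/WriteFacMac and flags any Mac value that is not a well-formed MAC address. The MAC format check is an assumption about what a legitimate value looks like; the CVE text does not say which payload triggers the bug, so the rule flags anything that is not a plain MAC rather than one specific string.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the CVE description.
TARGET_PATH = "/goform/WriteFacMac"
# Assumed legitimate shape: six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# Common-log-format line: source, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one well-formed request, one with a
# non-MAC value, one POST whose body the access log cannot show, one unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jun/2022:10:01:02 +0000] "GET /goform/WriteFacMac?Mac=00:11:22:33:44:55 HTTP/1.1" 200 17
198.51.100.7 - - [23/Jun/2022:10:01:09 +0000] "GET /goform/WriteFacMac?Mac=00:11:22:33:44:55%3Bextra HTTP/1.1" 200 17
203.0.113.9 - - [23/Jun/2022:10:02:44 +0000] "POST /goform/WriteFacMac HTTP/1.1" 200 17
192.0.2.10 - - [23/Jun/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def classify_request(method: str, target: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a request to the WriteFacMac endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("Mac", [])
    if not values:
        # A POST carries the parameter in the body, which an access log does not record;
        # treat the bare hit as suspicious and pull the body from a proxy or WAF log if available.
        return ("high", f"{method} to {TARGET_PATH} with no Mac in the query (body not logged)")
    bad = [v for v in values if not MAC_RE.fullmatch(v)]
    if bad:
        return ("high", f"malformed Mac value {bad[0]!r} (length {len(bad[0])})")
    return ("info", "well-formed Mac value; confirm the source is an authorised admin")


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each line and collect alerts for hits on the vulnerable endpoint."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["target"])
        if verdict:
            severity, reason = verdict
            alerts.append({"src": m["src"], "ts": m["ts"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['src']} {a['ts']} {a['reason']}")
```

Any hit on this endpoint is worth a look, because writing a factory MAC is not something a normal user does; the well-formed case is logged at info so the source address can be checked against the admin allow-list.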
ID: CVE-2022-31479
Privilege escalation vulnerability in HID Mercury LP1501, LP1502, LP2500, LP4502 and EP4502
Description: An unauthenticated attacker can set the hostname to a specially crafted value that causes shell commands to be executed during the core collection process. This vulnerability affects products based on the HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502 and EP4502 running firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. An attacker with this level of access can monitor all communications sent to and from the device, modify onboard relays, change configuration files, or cause the device to become unstable. The injected commands only execute during startup or when unsafe calls involving the hostname are made. This gives the attacker remote access to the device, and persistence can be made permanent by modifying the filesystem.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
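The HID Mercury issue is the classic shape of a command injection: a string an unauthenticated user can set (the hostname) is later pasted into a shell command by a privileged boot-time task. The block below is an added example, not HID's firmware or anything from the page, showing that pattern beside its hardened form. The "core-collect" step is hypothetical and uses echo as a harmless stand-in for whatever the real task runs; the hostname rules (RFC 1123 labels, 253 characters total) are the validation a practitioner would apply at the trust boundary.

```python
import re
import shlex
import subprocess
from typing import List, Set

# Hostname label rules (RFC 1123 style): letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 characters per label, 253 characters overall.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters a POSIX shell interprets; a hostname never legitimately contains any of them.
SHELL_META = set(";|&$`(){}<>*?[]~\\\"'\n")


def is_valid_hostname(name: str) -> bool:
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def shell_metachars(value: str) -> Set[str]:
    """Shell metacharacters present in a value; handy for alerting on a changed hostname."""
    return {c for c in value if c in SHELL_META}


# VULNERABLE pattern (hypothetical stand-in for a boot-time collection step, not the vendor's
# code): the attacker-settable hostname is interpolated into a shell command string.
# "echo" replaces the real command so the demo is harmless to run.
def startup_cmd_vulnerable(hostname: str) -> str:
    return f"echo core-collect host={hostname}"


def run_vulnerable(hostname: str) -> str:
    # shell=True hands the whole string to /bin/sh, so "; echo INJECTED" becomes a second command.
    return subprocess.run(startup_cmd_vulnerable(hostname), shell=True,
                          capture_output=True, text=True).stdout


# HARDENED pattern: validate where the value enters, then pass it as a single argv element
# with no shell in between. shlex.quote is the fallback where a shell cannot be avoided.
def startup_argv_hardened(hostname: str) -> List[str]:
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname {hostname!r}")
    return ["echo", "core-collect", f"host={hostname}"]


def run_hardened(hostname: str) -> str:
    return subprocess.run(startup_argv_hardened(hostname),
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    crafted = "ctrl-01; echo INJECTED"
    print(run_vulnerable(crafted), end="")   # the injected echo runs as a second command
    print(shell_metachars(crafted))
    print(shlex.quote(crafted))              # one quoted word if a shell is unavoidable
    try:
        run_hardened(crafted)
    except ValueError as e:
        print(e)                             # rejected before any command is built
    print(run_hardened("door-ctrl-01"), end="")
```

Validation at the boundary matters even when argv lists are used, because the vulnerable call site is rarely the only consumer: the page notes the commands also fire "when unsafe calls regarding the hostname are used", and a stored value that is already clean protects every later consumer, including ones written with shell=True.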
Most Prevalent Malware Files June 16-23, 2022
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
MD5: f1fe671bcefd4630e5ed8b87c9283534
VirusTotal: https://www.virustotal.com/gui/file/58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681/details
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details
Typical Filename: LwssPlayer.scr
Claimed Product: ?????????
Detection Name: Auto.125E12.241442.in02
SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0
MD5: 10f1561457242973e0fed724eec92f8c
VirusTotal: https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details
Typical Filename: ntuser.vbe
Claimed Product: N/A
Detection Name: Auto.1A234656F8.211848.in07.Talos
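The five SHA-256/MD5 pairs above are only useful if they are actually swept against endpoints or file shares. The block below is an added example, not code from the page or from Talos, that hashes a directory tree in one pass and reports any file matching the listed digests. The demo fixture is constructed (a benign text file and a stand-in named after one of the typical filenames, not a real sample) and its own SHA-256 is added to a copy of the IOC set so the sweep has something to find; the page's digests are used unchanged.

```python
import hashlib
import io
import tempfile
from pathlib import Path
from typing import BinaryIO, Dict, List, Set, Tuple

# SHA-256 and MD5 values from the list above, copied from the page.
IOC_SHA256: Set[str] = {
    "e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934",
    "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0",
    "58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681",
    "125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645",
    "1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0",
}
IOC_MD5: Set[str] = {
    "93fefc3e88ffb78abb36365fa5cf857c",
    "8c69830a50fb85d8a794fa46643493b2",
    "f1fe671bcefd4630e5ed8b87c9283534",
    "2c8ea737a232fd03ab80db672d50a17a",
    "10f1561457242973e0fed724eec92f8c",
}


def hash_stream(fobj: BinaryIO, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Both digests in one pass; data is read in chunks so large binaries fit in memory."""
    sha = hashlib.sha256()
    # usedforsecurity=False lets MD5 run on FIPS-configured hosts; it is only a lookup key here.
    md5 = hashlib.md5(usedforsecurity=False)
    for block in iter(lambda: fobj.read(chunk), b""):
        sha.update(block)
        md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def hash_bytes(data: bytes) -> Tuple[str, str]:
    return hash_stream(io.BytesIO(data))


def scan_tree(root: str, sha256_iocs: Set[str] = IOC_SHA256,
              md5_iocs: Set[str] = IOC_MD5) -> List[Dict[str, str]]:
    """Walk root and report files whose digest matches an IOC. SHA-256 is the authoritative
    match; an MD5-only hit is labelled separately because MD5 collisions are practical."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            with path.open("rb") as f:
                sha, md5 = hash_stream(f)
        except OSError:
            continue  # locked or unreadable; a real sweep should log these paths
        if sha in sha256_iocs:
            hits.append({"path": str(path), "match": "sha256", "digest": sha})
        elif md5 in md5_iocs:
            hits.append({"path": str(path), "match": "md5-only", "digest": md5})
    return hits


def demo() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Constructed fixture: a benign file plus a stand-in (not real malware) whose own SHA-256
    is added to a copy of the IOC set. Returns (hits with page IOCs only, hits with fixture)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "notes.txt").write_bytes(b"hello")
        sample = Path(d, "KMSAuto Net.exe")
        sample.write_bytes(b"constructed stand-in, not a real sample")
        sample_sha, _ = hash_bytes(sample.read_bytes())
        return scan_tree(d), scan_tree(d, sha256_iocs=IOC_SHA256 | {sample_sha})


if __name__ == "__main__":
    clean, found = demo()
    print("page IOCs only:", clean)
    print("with fixture hash:", found)
```

Match on the digest, not the "Typical Filename" column: the names above are what the samples were seen as, and a renamed copy hashes identically while a recompiled one does not. Symlinks are skipped so a planted link cannot send the sweep outside the tree it was pointed at.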
The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. The original information comes from the SANS Institute.