Notable Recent Security Issues
Follina exploit in Microsoft Office gives attackers potential backdoor to code execution
Description: Security researchers and Microsoft are warning of a zero-day vulnerability in Office that could allow an attacker to run malicious code on targeted systems. The vulnerability, tracked as CVE-2022-30190, exists in Microsoft Word's remote template feature and, unlike traditional Office attacks, does not rely on macros. If successful, an attacker could load malware onto targeted machines from remote servers while bypassing Microsoft Defender's anti-virus scanner. This issue affects every version of Microsoft Office that currently receives updates, including some versions dating back to 2003. Although no patch was available as of Tuesday, Microsoft did publish remediation guidelines to keep the vulnerability from being exploited.
References:
– https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
Snort 2 rules: 59889 – 59894
Snort 3 rules: 300192 – 300194
ClamAV signature: Win.Exploit.CVE_2022_30190-9951234-1
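Because the issue lives in Word's remote template feature rather than in macros, a useful first triage step is to look at the document package itself: a .docx that pulls its template from a URL carries an external "attachedTemplate" relationship in word/_rels/settings.xml.rels. The scanner below is an added example written for this newsletter entry, not code from Microsoft or Talos; the sample documents and the template URL (template.example) are constructed here, and the check is a heuristic that flags remote-template documents for review, not a full exploit detector. Legacy binary .doc files are not OOXML and are skipped.

```python
"""Flag Word documents that load a template from a remote URL (triage heuristic)."""
import io
import os
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import List

RELS_PART = "word/_rels/settings.xml.rels"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def external_template_targets(docx_bytes: bytes) -> List[str]:
    """Return external attachedTemplate URLs found in an OOXML document.

    An empty list means there is no attached template, or the template is an
    internal package part, which is the benign case. Documents with no
    settings relationships part (or non-zip .doc files) also return [].
    """
    hits: List[str] = []
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return hits  # legacy OLE .doc or not a document at all: out of scope
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            # Internal is the default TargetMode; only External points outside the package.
            if rel.get("TargetMode", "Internal").lower() != "external":
                continue
            target = rel.get("Target", "")
            if target.lower().startswith(("http://", "https://")):
                hits.append(target)
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal in-memory .docx (constructed sample for testing, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed samples: a local template reference (benign) and a remote one (suspicious).
BENIGN_RELS = (
    f'<Relationships xmlns="{PKG_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="Normal.dotm"/>'
    "</Relationships>"
)
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{PKG_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://template.example/word.html" TargetMode="External"/>'
    "</Relationships>"
)


def scan_tree(root: str) -> List[str]:
    """Walk a directory and report documents with remote templates."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".docx", ".docm", ".dotx", ".dotm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                for url in external_template_targets(fh.read()):
                    findings.append(f"{path}: remote template {url}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(scan_tree(sys.argv[1])) or "no remote-template documents found")
    else:
        print("constructed suspicious sample:", external_template_targets(build_docx(SUSPICIOUS_RELS)))
        print("constructed benign sample:", external_template_targets(build_docx(BENIGN_RELS)))
```

Run it with a directory argument to sweep a share or mail-attachment quarantine; without arguments it exercises the two constructed samples. A hit only says the document will fetch content from a URL when opened, which is also how legitimate enterprise templates work, so the result belongs in a review queue rather than a block list.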
Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
Description: Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service. The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware. The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833) has a 9.4 severity score and could lead to the unauthenticated use of the REST API.
References:
– https://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-platform.html
Snort SIDs: 59275 – 59279, 59732
Interesting News from Around The Security Community
Computer systems belonging to Costa Rica’s public health ministry were offline as of Tuesday afternoon after an attack from the Hive ransomware group, just weeks after the Conti group targeted other critical government systems.
Twitter agreed to pay a $150 million fine to the U.S. Federal Trade Commission over improper use and sale of users’ personal data.
https://www.npr.org/2022/05/25/1101275323/twitter-privacy-settlement-doj-ftc
The SideWinder APT is suspected to be behind at least 1,000 cyber attacks over the past two years.
https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html
Italy’s cybersecurity agency warned of incoming cyber attacks targeting both public and private sector networks.
China recently stepped up its public warnings of alleged incoming cyber attacks from the US, but these warnings are built on years-old technical details.
The ChromeLoader malware that hijacks the Google Chrome web browser recently added new features, specifically posing a threat to business users.
https://www.darkreading.com/application-security/chromeloader-malware-hijacks-browsers-iso-files
Recent Vulnerabilities with Available Exploits
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2022-23657, CVE-2022-23658, CVE-2022-23660
Arbitrary code execution vulnerability in Aruba ClearPass Policy Manager
Description: Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2022-28348
Improper GPU memory use in Mali GPU Kernel Driver
Description: The vulnerability affects Midgard GPU Kernel Driver: All versions from r4p0 – r31p0, Bifrost GPU Kernel Driver: All versions from r0p0 – r36p0, and Valhall GPU Kernel Driver: All versions from r19p0 – r36p0. A non-privileged user can make improper operations on GPU memory to enter a use-after-free scenario. This issue is fixed in Bifrost and Valhall GPU Kernel Driver r37p0.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-28349
Mali GPU Kernel Driver allows access to already freed memory
Description: The vulnerability affects Midgard GPU Kernel Driver: All versions from r28p0 – r29p0, Bifrost GPU Kernel Driver: All versions from r17p0 – r23p0, and Valhall GPU Kernel Driver: All versions from r19p0 – r23p0. A non-privileged user can obtain access to already freed memory. This issue is fixed in Bifrost and Valhall GPU Kernel Driver version r24p0 and Midgard GPU Kernel Driver version r30p0 release.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-28350
Mali GPU Kernel Driver allows access to already freed memory
Description: The vulnerability affects Valhall GPU Kernel Driver: All versions from r29p0 – r36p0. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This issue is fixed in Valhall GPU Kernel Driver r37p0.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Most Prevalent Malware Files May 26-June 2, 2022
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details
Typical Filename: LwssPlayer.scr
Claimed Product: ?????????
Detection Name: Auto.125E12.241442.in02
SHA 256: 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206
MD5: 3632f27604f5a82cf73b9ade710a1656
VirusTotal: https://www.virustotal.com/gui/file/4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206/details
Typical Filename: mediaget_installer_467.exe
Claimed Product: N/A
Detection Name: FileRepPup:MediaGet-tpd
SHA 256: a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92
MD5: 8f90e544a48d75f42f9d44811320689c
VirusTotal: https://www.virustotal.com/gui/file/a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92/details
Typical Filename: tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf
Claimed Product: N/A
Detection Name: Xml.Dropper.Valyria::100.sbx.vioc
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
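The hash list above is most useful when it can be swept against a host quickly. The script below is an added example for this newsletter, not Talos or SANS tooling: it parses an indicator block in the exact layout used above (two entries copied in as constructed input), normalises hash case so the upper-case entry still matches, streams each file under a directory through SHA-256 and MD5 once, and reports the listed detection name on a hit. Matching on either digest is deliberate, because some feeds publish only one of the two.

```python
"""Sweep a directory for the file-hash indicators published in the newsletter."""
import hashlib
import io
import os
import sys
from typing import BinaryIO, Dict, Iterator, Optional, Tuple

# Two entries copied from the list above (same layout as the newsletter block).
IOC_TEXT = """
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
"""

Entry = Dict[str, str]


def parse_ioc_block(text: str) -> Dict[str, Entry]:
    """Index entries by lower-case SHA-256 and MD5; one entry starts at each 'SHA 256:' line."""
    index: Dict[str, Entry] = {}
    entry: Entry = {}

    def register(e: Entry) -> None:
        for key in ("sha256", "md5"):
            if key in e:
                index[e[key]] = e

    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "sha 256":
            if entry:
                register(entry)
            entry = {"sha256": value.lower()}
        elif key == "md5":
            entry["md5"] = value.lower()
        elif key == "typical filename":
            entry["filename"] = value
        elif key == "detection name":
            entry["detection"] = value
        # VirusTotal and Claimed Product lines are ignored.
    if entry:
        register(entry)
    return index


def hash_stream(fh: BinaryIO) -> Tuple[str, str]:
    """Return (sha256, md5) of a stream, reading it once in 1 MiB chunks."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        sha.update(chunk)
        md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def hash_bytes(data: bytes) -> Tuple[str, str]:
    return hash_stream(io.BytesIO(data))


def lookup(index: Dict[str, Entry], sha256: str, md5: str) -> Optional[Entry]:
    """Match on either digest, case-insensitively."""
    return index.get(sha256.lower()) or index.get(md5.lower())


def sweep(root: str, index: Dict[str, Entry]) -> Iterator[Tuple[str, Entry]]:
    """Yield (path, entry) for every file under root whose hash is in the index."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sha256, md5 = hash_stream(fh)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            hit = lookup(index, sha256, md5)
            if hit:
                yield path, hit


if __name__ == "__main__":
    iocs = parse_ioc_block(IOC_TEXT)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hit in sweep(root, iocs):
        print(f"{path}\t{hit.get('detection', '?')}\t(listed as {hit.get('filename', '?')})")
```

Paste the full block from the list above into IOC_TEXT to sweep against all five entries. Hash matching is exact, so a rebuilt or re-packed sample will not match; treat a miss as "not this exact file", not as a clean verdict.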
The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. The original information comes from the SANS Institute.