In cyber security, risk is the potential for loss, damage or destruction of assets or data. A threat is a negative event, such as the exploitation of a vulnerability. A vulnerability is a weakness that exposes you to threats and therefore increases the likelihood of a negative event.
Asset discovery involves keeping track of the active and inactive assets on a network. For many modern corporations, this now includes cloud, virtual and mobile devices in addition to the traditional on-premises workstations and servers, which makes gathering insight into devices more difficult.
Notable Recent Security Issues
BlackByte threat actor goes global with its ransomware
Description: The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. The actual TOR address of this site is frequently moved. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.
Snort SIDs: 58791 – 58794
NVIDIA fixes 10 vulnerabilities in graphics cards drivers
Description: GPU maker NVIDIA released a round of security updates for several of its graphics cards last week, including four high-severity vulnerabilities. While the updates cover all active NVIDIA units, they also cover GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021. Cisco Talos specifically discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running in a virtualization environment. We specifically tested these issues with a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host.
References:
Snort SIDs: 58880 – 58883, 58885, 58886, 58910 and 58911
Recent Vulnerabilities with Available Exploits
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2022-30525
OS command injection vulnerability in Zyxel Firewall
Description: Zyxel Communications Corp. is a manufacturer of DSL and other networking devices.
A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-22796
Improper authentication vulnerability in SysAid wmiwizard.jsp
Description: An attacker can bypass the authentication process by accessing /wmiwizard.jsp, then /ConcurrentLogin.jsp, and then clicking the login button, which redirects to /home.jsp without any authentication.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
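A defender's triage aid for the request sequence described above, written for this newsletter rather than taken from SysAid or the advisory: it parses combined-format web-server access log lines and reports any client that walks /wmiwizard.jsp, /ConcurrentLogin.jsp and /home.jsp in that order. The log lines are constructed samples, and the log format and client addresses are assumptions.

```python
"""Flag the CVE-2022-22796 request sequence in web-server access logs (defensive triage helper)."""
import re
from collections import defaultdict

# Ordered request pattern from the advisory text: wmiwizard.jsp, then ConcurrentLogin.jsp, then home.jsp.
BYPASS_SEQUENCE = ("/wmiwizard.jsp", "/ConcurrentLogin.jsp", "/home.jsp")

# Apache/nginx "combined" log format (assumed): client, timestamp, request line, status.
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status), or None if the line does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], m["ts"], m["method"], m["path"].split("?", 1)[0], int(m["status"]))

def find_bypass_sequences(lines):
    """Return [(ip, timestamp, status_of_home_jsp)] for each client that completes the sequence in order.
    Progress resets after a completed sequence, so repeated attempts from one client are each reported."""
    progress = defaultdict(int)   # ip -> index of the next expected path
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip unparseable lines rather than abort the scan
        ip, ts, _method, path, status = rec
        if path == BYPASS_SEQUENCE[progress[ip]]:
            progress[ip] += 1
            if progress[ip] == len(BYPASS_SEQUENCE):
                hits.append((ip, ts, status))
                progress[ip] = 0
    return hits

# Constructed sample log (not real traffic): 10.0.0.5 follows the bypass path; 10.0.0.9 is an ordinary user
# who only touches wmiwizard.jsp once after reaching home.jsp, so the partial sequence must not fire.
SAMPLE_LOG = """\
10.0.0.9 - - [20/May/2022:09:01:03 +0000] "GET /home.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/May/2022:09:02:10 +0000] "GET /wmiwizard.jsp HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [20/May/2022:09:15:40 +0000] "GET /wmiwizard.jsp HTTP/1.1" 200 812 "-" "curl/7.81.0"
10.0.0.5 - - [20/May/2022:09:15:41 +0000] "GET /ConcurrentLogin.jsp HTTP/1.1" 200 640 "-" "curl/7.81.0"
10.0.0.5 - - [20/May/2022:09:15:42 +0000] "GET /home.jsp?x=1 HTTP/1.1" 200 5120 "-" "curl/7.81.0"
"""

if __name__ == "__main__":
    for ip, ts, status in find_bypass_sequences(SAMPLE_LOG.splitlines()):
        print(f"possible CVE-2022-22796 bypass from {ip} at {ts} (home.jsp returned {status})")
```

Run it over the real access log of a SysAid instance; a hit on a patched version is a false positive worth confirming against the patch level before escalating.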
ID: CVE-2022-23166
SysAid index.html file inclusion vulnerability
Description: An unauthenticated attacker can access the system via the “/lib/tinymce/examples/index.html” path: in the “Insert/Edit Embedded Media” window, choose Type: iFrame and File/URL: [here is the LFI].
Solution: Update to the 22.2.20 cloud version, or to the 22.1.64 on-premise version.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2022-29303
Command injection vulnerability in SolarView Compact conf_mail.php
Description: SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Most Prevalent Malware Files May 19-26, 2022
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic:
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: ?????????
Detection Name: Auto.125E12.241442.in02
SHA 256: 1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b
MD5: f5d20b351d56605bbb51befee989fa6e
Typical Filename: lavasoft_overlay_new_setup_progress_en.exe
Claimed Product: PF001’s Installer
SHA 256: 818d2d5bdde999f70563c16bfa9c724897d3b01adc67089137ae97d8f7ab6ba3
MD5: 9b1f8a838b5c195f9cf2f11017e38175
Typical Filename: document-launch-powershell.xls
Claimed Product: N/A
Detection Name: Auto.818D2D.242455.in02
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
The information contained in this newsletter, including any external links, is provided “AS IS,” with no express or implied warranty, for informational purposes only. The original information comes from the SANS Institute.