Severe security vulnerabilities and interesting news about cyber threats

In cyber security, risk is the potential for loss, damage or destruction of assets or data. A threat is a negative event, such as the exploitation of a vulnerability. A vulnerability is a weakness that exposes you to threats and therefore increases the likelihood of a negative event.
Asset discovery involves keeping a check on the active and inactive assets on a network. For many modern corporations, this will now include cloud, virtual, and mobile devices in addition to the traditional on-premise workstations and servers. This can start to make gathering insight into devices more difficult.

Notable Recent Security Issues

  • BlackByte threat actor goes global with its ransomware

Description: The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. The actual TOR address of this site is frequently moved. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.

Snort SIDs: 58791 – 58794

  • NVIDIA fixes 10 vulnerabilities in graphics card drivers

Description: GPU maker NVIDIA released a round of security updates for several of its graphics cards last week, including four high-severity vulnerabilities. While the updates cover all active NVIDIA units, they also cover GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021. Cisco Talos specifically discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running virtualization environments. We specifically tested these issues with a Hyper-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the Hyper-V host.

Snort SIDs: 58880 – 58883, 58885, 58886, 58910 and 58911

Recent Vulnerabilities with Available Exploits 

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2022-30525                          

  • OS command injection vulnerability in Zyxel Firewall

Description: Zyxel Communications Corp. is a manufacturer of DSL and other networking devices.

A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-22796                          

  • Improper authentication vulnerability in SysAid wmiwizard.jsp

Description: An attacker can bypass the authentication process by accessing /wmiwizard.jsp, then /ConcurrentLogin.jsp, and then clicking the login button, which redirects to /home.jsp without any authentication.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-23166                          

  • SysAid index.html file inclusion vulnerability

Description: An unauthenticated attacker can access the system through the “/lib/tinymce/examples/index.html” path. In the “Insert/Edit Embedded Media” window, choose Type: iFrame and File/URL: [here is the LFI].

Solution: Update to the 22.2.20 cloud version or the 22.1.64 on-premise version.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-29303                          

  • Command injection vulnerability in SolarView Compact conf_mail.php

Description: SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Most Prevalent Malware Files May 19-26, 2022

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic:

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645 

MD5: 2c8ea737a232fd03ab80db672d50a17a 

Typical Filename: LwssPlayer.scr 

Claimed Product: ????????? 

Detection Name: Auto.125E12.241442.in02

SHA 256: 1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b

MD5: f5d20b351d56605bbb51befee989fa6e

Typical Filename: lavasoft_overlay_new_setup_progress_en.exe

Claimed Product: PF001’s Installer

SHA 256: 818d2d5bdde999f70563c16bfa9c724897d3b01adc67089137ae97d8f7ab6ba3

MD5: 9b1f8a838b5c195f9cf2f11017e38175

Typical Filename: document-launch-powershell.xls

Claimed Product: N/A

Detection Name: Auto.818D2D.242455.in02

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3

Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

The information contained in this newsletter, including any external links, is provided “AS IS,” with no express or implied warranty, for informational purposes only. The original information comes from the SANS Institute.
