@RISK Newsletter for March 17, 2022
The consensus security vulnerability alert.
Vol. 22, Num. 11
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES MARCH 10-17, 2022
TOP VULNERABILITY THIS WEEK: Scammers, spammers capitalize on Ukraine headlines to spread malware
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Opportunistic cyber criminals take advantage of Ukraine invasion
Description: Since the beginning of the war in Ukraine, Cisco Talos has observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising. This activity has been increasing since the end of February. These emails are primarily related to scam activity but have also delivered a variety of threats, including remote access trojans (RATs). This is in addition to the malicious activity we’ve recently seen related to the crowd-sourced attacks in the region. This pattern is consistent with what we typically see following global events or crises, such as the COVID-19 pandemic, when opportunistic cybercriminals attempt to exploit high public interest for their own gain. Some campaigns attempt to spread malware by pointing users to malicious documents or URLs, while others are scammers pretending to be legitimate organizations or individuals looking to raise money to help residents of Ukraine.
References: https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html
Domains to blocklist:
- genautilus[.]com
- newremc22[.]ddns[.]net
IPs to blocklist:
- 136[.]144[.]41[.]109
- 142[.]93[.]227[.]231
Title: MuddyWater APT likely made up of smaller sub-groups
Description: Cisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe. In our latest findings, we discovered a new campaign targeting Turkey and the Arabian peninsula with maldocs to deliver a Windows script file (WSF)-based remote access trojan (RAT) we’re calling “SloughRAT,” an implant known as “canopy” in CISA’s most recent alert from February 2022 about MuddyWater. MuddyWater’s variety of lures and payloads — along with the targeting of several different geographic regions — strengthens Talos’ growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual property theft, and destructive or disruptive operations, depending on the victims they target.
References: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html
SNORT® SIDs: 59226 - 59230
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A Linux kernel vulnerability known as “Dirty Pipe” could allow attackers to obtain root privileges, affecting many distributions of the operating system, including those running on Android devices.
https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/
QNAP warned users that many of its network-attached storage (NAS) devices are affected by Dirty Pipe.
https://www.bleepingcomputer.com/news/security/qnap-warns-severe-linux-bug-affects-most-of-its-nas-devices/
Researchers discovered a possible new variant of the Spectre vulnerability in Intel chips, pushing back an expected update to Linux. AMD products do not appear to be affected at this time.
https://www.techradar.com/news/spectre-returns-intel-and-arm-based-cpus-hit-by-serious-vulnerability
Video game developer and publisher Ubisoft disclosed a “cybersecurity incident” with few details last week, adding that it forced a company-wide password reset.
https://portswigger.net/daily-swig/cybersecurity-incident-at-ubisoft-disrupts-operations-forces-company-wide-password-reset
Chinese state-sponsored actors recently breached the networks of six state governments by exploiting a vulnerability in the U.S. Animal Health Emergency Reporting Diagnostic System.
https://www.wired.com/story/china-apt41-hacking-usaherds-log4j/
A cyber attack recently crashed government-run Israeli websites.
https://www.bloomberg.com/news/articles/2022-03-14/israeli-government-websites-crash-and-emergency-declared
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-44622
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/check_reg_verify_code function, which could allow a remote malicious user to execute arbitrary code via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44623
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 via the /cloud_config/router_post/check_reset_pwd_verify_code interface. Manipulation with an unknown input can lead to memory corruption.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44625
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/cloud_device/info interface, which allows a malicious user to execute arbitrary code on the system via a crafted POST request. Manipulation with an unknown input leads to memory corruption.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44626
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reg_verify_code feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44627
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44628
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44629
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44630
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44631
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44632
Title: Buffer overflow vulnerability in TP-LINK WR-886N 20190826 2.3.8
Description: A buffer overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via a crafted POST request.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES MARCH 10-17, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
MD5: c578d9653b22800c3eb6b6a51219bbb8
VirusTotal: https://www.virustotal.com/gui/file/20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2/details
Typical Filename: invisible.vbs
Claimed Product: N/A
Detection Name: Win.Trojan.Pistacchietto.Talos
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details
Typical Filename: LwssPlayer.scr
Claimed Product: LwssPlayer
Detection Name: Auto.125E12.241442.in02
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201