@RISK Newsletter for April 07, 2022
The consensus security vulnerability alert.
Vol. 22, Num. 14
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES MARCH 31-APRIL 7, 2022
TOP VULNERABILITY THIS WEEK: Attackers actively exploiting Spring4Shell vulnerabilities
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: CISA warns of active exploitation of Spring4Shell vulnerabilities
Description: The U.S. Cybersecurity and Infrastructure Security Agency recently added the Spring4Shell vulnerabilities to its Known Exploited Vulnerabilities Catalog based on “evidence of active exploitation.” Spring4Shell affects Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later. The Kenna Risk Score for CVE-2022-22965 is currently at the maximum of 100. This is an exceptionally rare score, one that only 415 out of 184,000 CVEs (or 0.22 percent) have reached, reflecting the severity and potential effects of this vulnerability. A risk score this high means the affected technology is widely deployed, a public exploit is available, and Cisco Talos researchers have seen proof of an ongoing active internet breach using the vulnerability.
References:
- https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html
- https://blog.talosintelligence.com/2022/03/threat-advisory-spring4shell.html
SNORT® SIDs: 30790-30793, 59388 and 59416
Title: AsyncRAT campaigns feature new version of 3LOSH crypter
Description: Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These campaigns appear to be linked to a new version of the 3LOSH crypter. These malware distribution campaigns have been ongoing for the past several months, with new samples being uploaded to public repositories on a daily basis. The 3LOSH crypter continues to be actively maintained and improved by its author and will likely continue to be used by various threat actors attempting to evade detection in corporate environments.
References:
- https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
SNORT® SIDs: 58087 and 58773
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Satellite company Viasat has published an overview of the February 24 cyberattack against the KA-SAT network.
https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/
German authorities shut down the high-profile Hydra darknet market and seized $1.3 billion in virtual currency.
https://www.washingtonpost.com/business/germany-shuts-down-darknet-platform-specializing-in-drugs/2022/04/05/33818f50-b4b9-11ec-8358-20aa16355fb4_story.html
New analysis shows how the zero-click iMessage exploit FORCEDENTRY escapes the sandbox.
https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html
US Senator Ron Wyden is asking tech companies and federal agencies about how hackers are using phony emergency data requests to obtain sensitive personal information.
https://krebsonsecurity.com/2022/03/fake-emergency-search-warrants-draw-scrutiny-from-capitol-hill/
Quantum computers in development by the world’s superpowers could soon render current encryption ineffective, pressing the timeline for private organizations and governments to adopt new encryption techniques.
https://blog.talosintelligence.com/2022/03/on-radar-is-2022-year-encryption-is.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2022-22963
Title: Remote Code Execution Vulnerability in Spring Cloud Functions
Description: Spring Cloud Function is one of the features of Spring Cloud. It allows developers to write cloud-agnostic functions with Spring features. In Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing expression that may result in remote code execution and access to local resources.
CVSS v3.1 Base Score: N/A
ID: CVE-2022-22965
Title: Remote Code Execution Vulnerability in Spring Framework (Spring4Shell)
Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to exploitation. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVSS v3.1 Base Score: N/A
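Because the RCE path above runs through Spring's request data binding, the interim workaround that Spring published alongside its advisory is to stop the binder from accepting request parameters that reach nested class and ClassLoader properties. The following is an added example illustrating that workaround; it is not code from this newsletter, from Talos or from Qualys. The package and class names are assumptions, and it uses the standard Spring Framework WebDataBinder and @ControllerAdvice APIs. It is a stopgap for applications that cannot immediately move to a patched Spring Framework release, not a substitute for upgrading.

```java
// Added example (not from the @RISK newsletter): request data-binding
// hardening in the shape of the workaround Spring published for
// CVE-2022-22965. Package and class names are illustrative assumptions.
package com.example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Applies to every @Controller in the application. A controller that defines
 * its own @InitBinder and calls setDisallowedFields() itself will overwrite
 * this list, so such controllers must be reviewed separately.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class DataBinderHardeningAdvice {

    /**
     * Parameter-name patterns the binder must refuse. Spring matches these
     * with simple "*" wildcards, so "class.*" blocks "class.anything" and
     * "*.class.*" blocks the same path nested under any other property.
     */
    static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder dataBinder) {
        // Keep whatever the application already disallows and append the
        // class/ClassLoader patterns rather than silently replacing them.
        List<String> disallowed = new ArrayList<>();
        String[] existing = dataBinder.getDisallowedFields();
        if (existing != null) {
            disallowed.addAll(Arrays.asList(existing));
        }
        for (String pattern : DENYLIST) {
            if (!disallowed.contains(pattern)) {
                disallowed.add(pattern);
            }
        }
        dataBinder.setDisallowedFields(disallowed.toArray(new String[0]));
    }
}
```

When verifying that the advice is in effect, confirm it on the deployed WAR rather than in a unit test of the controller alone: the description above notes that the exploit specifically targets Tomcat WAR deployments, and a @ControllerAdvice only covers controllers that Spring MVC actually dispatches to.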
MOST PREVALENT MALWARE FILES March 31-April 7, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201
SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0
MD5: 10f1561457242973e0fed724eec92f8c
VirusTotal: https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details
Typical Filename: ntuser.vbe
Claimed Product: N/A
Detection Name: Auto.1A234656F8.211848.in07.Talos
SHA 256: 12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261
MD5: 3e2dbdfa5e58cb43cca56a3e077d50bf
VirusTotal: https://www.virustotal.com/gui/file/12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261/details
Typical Filename: NirCmd.exe
Claimed Product: NirCmd
Detection Name: Win.PE.SocGholish.tii.Talos