CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES January 27-February 3, 2022
TOP VULNERABILITY THIS WEEK: Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: New insight into recently unmasked MuddyWater APT
Description: Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions. Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran’s Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command. This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise. MuddyWater’s use of script-based components such as obfuscated PowerShell-based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command. This campaign also utilizes canary tokens to track successful infection of targets, a new addition to this group’s arsenal of tactics, techniques and procedures (TTPs). This specific method of taking advantage of canary tokens in this campaign may also be a measure to evade sandbox-based detection systems.
References: https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
SNORT® SIDs: 58929 - 58938

Title: WiFi-connected security camera could be manipulated to spy on communications
Description: Cisco Talos recently discovered several vulnerabilities in the Reolink RLC-410W security camera that could allow an attacker to perform several malicious actions, including performing man-in-the-middle attacks, stealing user login credentials and more. The Reolink RLC-410W is a WiFi-connected security camera. The camera includes motion detection functionalities and multiple ways to save and view the recordings. The vulnerabilities Talos discovered exist in various functions and features of the camera. Some of these exploits could be combined, as well, to reboot the camera without authentication or run certain APIs. There are five denial-of-service vulnerabilities that could allow an adversary to make the web service unresponsive and restart the device if they send specific network requests to the target. There are two other vulnerabilities that could be combined to reformat the camera’s memory card, effectively erasing all its recordings.
References: https://blog.talosintelligence.com/2022/01/vuln-spotlight-reolink-cameras.html
SNORT® SIDs: 58691 - 58693, 58698, 58699, 58718, 58817 – 58720 and 58926 – 58928

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The UK’s The National Cyber Security Centre has warned of potential cyber attacks against the country’s critical infrastructure should Russia invade Ukraine.
https://www.theguardian.com/uk-news/2022/jan/28/uk-firms-warned-over-possible-russian-cyber-attacks-amid-ukraine-crisis

A massive oil supplier in Germany is operating at limited capacity after a cyber attack shut down all of its loading and unloading operations.
https://www.bbc.com/news/technology-60215252

Apple released updates for all its major operating systems last week, including fixes for a vulnerability in Safari that could have allowed an attacker to spy on a user’s actions in the web browser.
https://www.macworld.com/article/608772/ios-15-3-bug-fixes-security-updates-features-install.html

The FBI purchased the NSO Group’s controversial Pegasus spyware in 2019 but ultimately decided against using it.
https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html

Although the blockchain is fairly secure, a recent spate of cyber attacks against cryptocurrency exchanges and NFT thefts show that the devices that connect to the blockchain still leave it vulnerable.
https://www.vice.com/en/article/epxa57/this-is-why-theres-been-so-many-nft-and-crypto-hacks

The White House formally announced its plan for all federal agencies to move to a zero-trust model for cybersecurity, giving them until the end of fiscal year 2024 to meet new regulations.
https://www.nbcnews.com/politics/white-house/white-house-announces-strategy-boost-federal-cybersecurity-after-hacks-n1288038

The FBI warned Olympic athletes they should leave personal wireless devices at home when traveling to the Winter Olympics in Beijing over security concerns, recommending that they instead use burner cell phones.
https://www.zdnet.com/article/fbi-urges-olympic-athletes-to-keep-personal-devices-at-home-use-burners/

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-17383 |
Title: Path Traversal vulnerability in Telosalliance Z/Ip ONE Firmware
Description: Through Telos Z/IP One 4.0.0r, a directory traversal vulnerability provides unauthenticated individual root-level access to the device’s file system. This may be used to find configuration parameters, built-in account password hashes, and the cleartext password for remote device configuration via the WebUI.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-46089 |
Title: SQL Injection vulnerability in Jeecg Boot 3.0
Description: A SQL injection vulnerability is created by manipulating an unknown input. It is recognized to have an impact on secrecy, integrity, and availability. An attacker can inject and/or edit existing SQL statements, causing the database exchange to be influenced.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-46061 |
Title: SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management system (RSMS) 1.0
Description: This flaw affects an unknown code block in the /rsms/ file. A sql injection vulnerability is created by manipulating the argument code with unknown input. It is recognized to have an impact on secrecy, integrity, and availability. An attacker may be able to inject and/or edit existing SQL statements, causing the database exchange to be influenced.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES January 27-February 3, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9
MD5: 63a86932a5bad5da32ebd1689aa814b3
VirusTotal: https://www.virustotal.com/gui/file/0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9/details
Typical Filename: bashirc
Claimed Product: N/A
Detection Name: Auto.0013B35696.251462.in07.Talos

SHA 256: 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f
MD5: eb2f5e1b8f818cf6a7dafe78aea62c93
VirusTotal: https://www.virustotal.com/gui/file/2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f/details
Typical Filename: vsb2nasl7.dll
Claimed Product: N/A
Detection Name: W32.A4DE11B029.Wavesor.SSO.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34
MD5: 3f75eb823cd1a73e4c89185fca77cb38
VirusTotal: https://www.virustotal.com/gui/file/d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34/details
Typical Filename: signup.png
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::231945.in02