Vol. 22, Num. 12
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
TOP VULNERABILITY THIS WEEK: BlackCat ransomware group borrows from other APTs
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: BlackCat ransomware actor may be connected to attackers behind Colonial Pipeline shutdown
Description: BlackCat ransomware, also known as “ALPHV,” has quickly gained notoriety for being used in double-ransom attacks (encrypted files plus threatened disclosure of stolen files) against companies. It first appeared in November 2021 and, since then, several companies across the globe have been hit. There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous for attacking the Colonial Pipeline last year. According to a BlackCat representative, BlackCat is not a rebranding of BlackMatter, but its team is made up of affiliates of other RaaS groups (including BlackMatter). Cisco Talos has observed that at least one attacker who used BlackMatter was among the early adopters of BlackCat. One key aspect of these attacks is that adversaries take time exploring the environment and preparing it for a successful and broad attack before launching the ransomware, at which point every second means lost data. It is therefore key that the attack be detected in its initial stages. The two attacks described here took over 15 days to reach the encryption stage. Knowing the attackers’ tools and techniques and having monitoring and response processes in place could have prevented the successful encryption of the companies’ files.
References: https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
SNORT® SIDs: 58237, 58238
Title: CaddyWiper is latest malware to be connected to Ukraine war
Description: Security researchers discovered another Ukraine-focused wiper, dubbed “CaddyWiper,” on March 14. This wiper is smaller than previous wipers seen in Ukraine, such as “HermeticWiper” and “WhisperGate,” with a compiled size of just 9KB. The discovered sample carries a compilation timestamp from the same day (March 14), and initial reports suggest that it was deployed via GPO. The wiper is small and dynamically resolves most of the APIs it uses. Cisco Talos analysis did not show any indication of persistence, self-propagation or exploitation code.
References: https://www.zdnet.com/article/caddywiper-more-destructive-wiper-malware-strikes-ukrainian-targets/
SNORT® SIDs: 59268, 59269
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The White House is warning that Russian state-sponsored actors could be planning cyber attacks against US critical infrastructure.
https://www.npr.org/2022/03/21/1087903332/us-companies-russia-cyberattacks-ukraine-infrastructure
Deepfake videos of the Ukrainian and Russian presidents made their rounds on social media last week.
https://www.bbc.com/news/technology-60780142
In September 2021, Google researchers detected several initial access brokers connected to the Conti ransomware group.
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
Security researchers have learned a lot about Conti since a rogue member leaked documents linked to the group.
https://www.washingtonpost.com/politics/2022/03/18/11-big-takeaways-conti-ransomware-leaks/
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI warned of possible cyber attacks targeting satellite communication networks after a recent campaign targeting European SATCOM provider Viasat.
https://techcrunch.com/2022/03/18/cisa-fbi-satellite-networks/
Recent cyber attacks targeting American logistics and shipping companies are disrupting the supply chain and are expected to slow down major ports, according to a US Customs and Border Protection bulletin.
https://news.yahoo.com/exclusive-ransomware-attacks-on-us-supply-chain-are-undermining-national-security-customs-and-border-protection-bulletin-warns-191403260.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-14115
Title: Command injection vulnerability in Xiaomi Router AX3600
Description: A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection of incoming data. Attackers can exploit this vulnerability to execute code.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-4039
Title: Command injection vulnerability in Zyxel NWA-1100-NH firmware
Description: A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-4045
Title: Remote code execution vulnerability in TP-Link Tapo C200 IP camera
Description: TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-40050
Title: Out-of-bounds read vulnerability in the IFAA module
Description: Successful exploitation of this vulnerability may cause a stack overflow.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES March 17-24, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201
SHA 256: 94e50729a9ccf722ecc62bf766404e1520d5a5a9b44507c7d74dc4ff5cad991c
MD5: 376ead6e862e2957628576a77c08d1e1
VirusTotal: https://www.virustotal.com/gui/file/94e50729a9ccf722ecc62bf766404e1520d5a5a9b44507c7d74dc4ff5cad991c/details
Typical Filename: LyricsTube.exe
Claimed Product: LyricsTube
Detection Name: PUA.Win.Adware.Addlyrics::dk
SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
VirusTotal: https://www.virustotal.com/gui/file/1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6/details
Typical Filename: !!mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath