CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES MARCH 24-31, 2022
TOP VULNERABILITY THIS WEEK: Wipers continue to target Ukraine

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: DoubleZero malware is just latest wiper malware to hit Ukraine during Russian invasion
Description: The Computer Emergency Response Team of Ukraine released an advisory on March 22, 2022 disclosing another wiper dubbed “DoubleZero” targeting Ukrainian enterprises during Russia’s invasion of the country. DoubleZero is a .NET-based implant that destroys files, registry keys and trees on the infected endpoint. This is yet another wiper discovered targeting Ukraine, in addition to previously disclosed attacks we’ve seen in Ukraine over the past two months, such as “CaddyWiper” “HermeticWiper” and “WhisperGate.” The malware aims to overwrite all files in all drives, except for a specific list of the locations hardcoded in the wiper. It destroys non-system files first, then system-related files. Destroying system related files while the overwriting of other files is pending can create instability and may lead to bricking the system before the complete destruction of the user’s files is completed. In such cases, it may be possible to recover the files from the disk that haven’t been overwritten yet.
References:

• https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html
• https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html

ClamAV® signature: Win.Malware.DoubleZeroWiper-9942171-0

Title: Transparent Tribe campaign uses new bespoke malware to target Indian government officials
Description: Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using new stagers and implants. This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent tribe tactic. The group has continued to change its initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims. Notably, the adversary has moved towards deploying small, bespoke stagers and downloaders that can be easily modified, likely to enable quick and agile operations.
References: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
ClamAV® signatures:

• Vbs.Downloader.Agent-9940743-0
• Win.Downloader.TransparentTribe-9940744-0
• Win.Trojan.MargulasRAT-9940745-0
• Win.Downloader.Agent-9940746-0
• Win.Trojan.MSILAgent-9940762-1
• Win.Trojan.PythonAgent-9940791-0
• Lnk.Trojan.Agent-9940793-0
• Win.Trojan.TransparentTribe-9940795-0
• Win.Trojan.TransparentTribe-9940801-0
• Win.Downloader.TransparentTribe-9940802-0

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

London, UK, police arrested seven teens in connection to the Lapsus$ threat actor that targeted Okta and Microsoft earlier this month.
https://www.bbc.com/news/technology-60864283

Recent Lapsus$ attacks used a method similar to the one used by the threat actors behind the massive SolarWinds breach.
https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/

Newly leaked documents show that Lapsus$ breached Okta’s networks by first infecting customer service company Sitel and then pivoting to Okta’s own network in January.
https://techcrunch.com/2022/03/28/lapsus-passwords-okta-breach/

Ukrtrlecom, Ukraine’s state-owned telecommunications provider, was targeted in the largest cyber attack against the country since Russia’s invasion, briefly taking internet in the country offline Monday.
https://www.reuters.com/business/media-telecom/ukrainian-telecom-companys-internet-service-disrupted-by-powerful-cyberattack-2022-03-28/

Attackers are deploying a new “browser-in-the-browser” method to trick users into entering their login credentials to spoofed websites only to be stolen by a fake browser window.
https://arstechnica.com/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/

Some Honda cars’ remote keyless system contain a vulnerability that could allow a malicious user to conduct a replay attack and open the cars’ doors or start the engine.
https://github.com/nonamecoder/CVE-2022-27254

Google and Microsoft released updates for their Chromium and Edge browsers, respectively, to fix a zero-day vulnerability. https://therecord.media/google-releases-emergency-security-update-for-chrome-users-after-second-0-day-of-2022-discovered/

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2022-23812 |
Title: Arbitrary file overwrite vulnerability in the Node-IPC NPM package
Description: T The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files depending on the geolocation of the user’s IP address. The maintainer removed the malicious code in version 10.1.3.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-45966 |
Title: Arbitrary code execution in Pascom Cloud Phone System
Description: An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2022-27228 |
Title: Remote code execution vulnerability in Bitrix Site Manager Vote Module
Description: Insufficient validation of user input allows a remote unauthenticated attacker to execute arbitrary code on a system. It can result in gaining control of the target system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

MOST PREVALENT MALWARE FILES March 24-31, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
VirusTotal: https://www.virustotal.com/gui/file/1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6/details
Typical Filename: !!mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath

SHA 256: 5516d898970854dbab9e3a49aced96186f3e748a56ed2f7cd7809447b7dd5c1a
MD5: 814358af9c54b6eb66333cd117f38423
VirusTotal: https://www.virustotal.com/gui/file/5516d898970854dbab9e3a49aced96186f3e748a56ed2f7cd7809447b7dd5c1a/details
Typical Filename: USPSSIBDSJDSS.zip
Claimed Product: N/A
Detection Name: Win.Dropper.Upatre::hw

SHA 256: 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97
MD5: 258e7698054fc8eaf934c7e03fc96e9e
VirusTotal: https://www.virustotal.com/gui/file/7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97/details
Typical Filename: samsungfrp2021.exe
Claimed Product: N/A
Detection Name: W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

SHA 256: dc6a484441c59a75fe586ea789a9637921b33dc86e3ac5b57fdb376c9f6e5d7e
MD5: 94e1b019cc2720b7e33a94c2f643216f
VirusTotal: https://www.virustotal.com/gui/file/dc6a484441c59a75fe586ea789a9637921b33dc86e3ac5b57fdb376c9f6e5d7e/details
Typical Filename: 2012f643216f_1.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::90.tpd2.ret.sbx.tg