Vol. 22, Num. 15
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES APRIL 7-14, 2022
TOP VULNERABILITY THIS WEEK: Microsoft releases largest Patch Tuesday in 18 months
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Remote code execution vulnerabilities in Hyper-V, NFS part of Patch Tuesday
Description: Microsoft released its latest security update Tuesday, disclosing more than 140 vulnerabilities across its array of products. This is a departure from past Patch Tuesdays this year, which have only featured a few dozen vulnerabilities, and is the largest number of issues in a single Patch Tuesday since September 2020. Ten of these vulnerabilities are considered to be “critical,” while three others are listed as being of “moderate” severity and the remainder are considered “important.” There are also nine vulnerabilities that were first found in the Chromium web browser but affect Microsoft Edge, since it’s a Chromium-based browser. Edge users do not need to take any action to patch for these issues.
References: https://blog.talosintelligence.com/2022/04/microsoft-patch-tuesday-includes-most.html
SNORT® SIDs: 59497, 59498, 59511, 59512, 59519 - 59526, 59529 and 59530 - 59535
Title: Several new information-stealers pop up in wake of Raccoon’s shutdown
Description: Threat actors are pivoting to several different, new information-stealing malware families in the wake of Raccoon Stealer shutting down. The creators of Raccoon Stealer, a malware available for purchase, announced it was ceasing operations after one of its developers died in the Russian invasion of Ukraine. Taking its place are several different “as a service” tools to which attackers can purchase access in order to infect targets and steal their personal information and login credentials. Security researchers have specifically called out FFDroider and Lightning Stealer for stealing data and launching follow-on attacks by infiltrating the Telegram messaging app. The operators behind another malware, MarsStealer, claim they’ve received an uptick in requests after Raccoon’s shutdown.
References:
SNORT® SIDs: 59421
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Ukrainian officials said the country successfully fended off a cyber attack on its power grid, pinning the blame on the infamous Sandworm APT.
https://www.reuters.com/world/europe/russian-hackers-tried-sabotage-ukrainian-power-grid-officials-researchers-2022-04-12/
The U.S. government shut down a botnet controlled by a state-sponsored Russian threat actor that supported the CyclopsBlink wireless router malware.
US law enforcement has shut down RaidForums, a popular online platform for trading and selling compromised user data.
https://www.pcmag.com/news/us-shuts-down-raidforums-a-hacking-site-trading-in-stolen-information
Google banned dozens of apps from its Play Store that quietly collected user data.
https://www.protocol.com/bulletins/google-android-apps-data-harvesting
Women are reporting an increase in stalking incidents in which Apple AirTags are being used to track their locations.
https://www.vice.com/en/article/y3vj3y/apple-airtags-police-reports-stalking-harassment
Attackers are actively exploiting the Spring4Shell vulnerabilities disclosed earlier this month to spread the Mirai botnet.
https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html
US organizations lost nearly $2.4 billion to business email compromise (BEC) scams in 2021, according to the FBI.
https://apnews.com/article/technology-travel-business-crime-cybercrime-2f050130524aae7641da7005ecc02562
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2022-28381
Title: Buffer overflow vulnerability in ALLMediaServer 1.6
Description: Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-44135
Title: SQL injection vulnerability in Pagekit
Description: Pagekit/pagekit is a modular and lightweight CMS built with Symfony components and Vue.js.
Affected versions of this package are vulnerable to SQL Injection via the configAction in SettingsController, which allows users to set the order of comments listing using ascending (ASC) and descending (DESC). That config then gets concatenated directly to the SQL query without sanitization.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
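The Pagekit entry above describes a common pattern: a sort direction is concatenated straight into an `ORDER BY` clause. Because a sort direction is SQL syntax rather than a data value, it cannot be bound as a query parameter; the correct fix is an allow-list. The following added example (written for this newsletter, not Pagekit's own code, using a constructed in-memory SQLite table of comments) shows the vulnerable builder beside its hardened form and a check that the hardened version rejects anything other than `ASC` or `DESC`.

```python
import sqlite3

# Constructed sample data for the demonstration (not from Pagekit).
SAMPLE_COMMENTS = [
    (1, "first comment", "2022-04-01"),
    (2, "second comment", "2022-04-03"),
    (3, "third comment", "2022-04-02"),
]

# The only two values the sort direction may ever take.
ALLOWED_ORDER = {"ASC": "ASC", "DESC": "DESC"}


def open_db():
    """Create an in-memory database holding the constructed comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT, created TEXT)"
    )
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", SAMPLE_COMMENTS)
    return conn


def build_query_vulnerable(order):
    """The pattern the advisory describes: user-controlled text is appended
    directly to the statement, so arbitrary SQL syntax reaches the engine."""
    return "SELECT id FROM comments ORDER BY created " + str(order)


def build_query_hardened(order):
    """Allow-list the direction; ORDER BY cannot take a bound parameter, so a
    lookup against known-good tokens is the appropriate control."""
    key = str(order).strip().upper()
    if key not in ALLOWED_ORDER:
        raise ValueError("order must be ASC or DESC")
    return "SELECT id FROM comments ORDER BY created " + ALLOWED_ORDER[key]


def list_comment_ids(builder, order):
    """Run the query produced by `builder` and return the ids in result order."""
    conn = open_db()
    try:
        return [row[0] for row in conn.execute(builder(order))]
    finally:
        conn.close()


def hardened_rejects(order):
    """True when the allow-listed builder refuses the supplied direction."""
    try:
        build_query_hardened(order)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("hardened ASC :", list_comment_ids(build_query_hardened, "asc"))
    print("hardened DESC:", list_comment_ids(build_query_hardened, "DESC"))
    # The vulnerable builder silently accepts extra SQL syntax, which changes
    # the query; the hardened builder raises instead.
    print("vulnerable   :", list_comment_ids(build_query_vulnerable, "DESC LIMIT 1"))
    print("rejected     :", hardened_rejects("DESC LIMIT 1"))
```

The demonstration input `DESC LIMIT 1` is deliberately benign: it only shows that whatever follows the direction is executed as SQL by the vulnerable builder, which is exactly what the allow-list prevents. When auditing code for this class of bug, look for every query fragment (column names, sort direction, table names) that is built from request data, since none of those can be parameterized.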
ID: CVE-2021-35117
Title: Out-of-bounds Read vulnerability in Qualcomm products
Description: An Out of Bounds read may potentially occur while processing an IBSS beacon, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IoT, Snapdragon Industrial IoT, Snapdragon Mobile, Snapdragon Voice & Music. This vulnerability affects an unknown part of the component IBSS Beacon Handler. Manipulation with an unknown input led to an information disclosure vulnerability.
CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
ID: CVE-2021-26624
Title: Elevation of privilege vulnerability in eScan Anti-Virus
Description: A local privilege escalation vulnerability exists due to a “runasroot” command in eScan Anti-Virus. The vulnerability is caused by invalid arguments and insufficient execution conditions related to the “runasroot” command, and it allows remote attackers to obtain root privileges by manipulating parameter values.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES April 7-14, 2022
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261
MD5: 3e2dbdfa5e58cb43cca56a3e077d50bf
VirusTotal: https://www.virustotal.com/gui/file/12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261/details
Typical Filename: NirCmd.exe
Claimed Product: NirCmd
Detection Name: Win.PE.SocGholish.tii.Talos
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1/details
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201
SHA 256: 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0
MD5: b46b60327c12290e13b86e75d53114ae
VirusTotal: https://www.virustotal.com/gui/file/792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0/details
Typical Filename: NAPA_HQ_SetW10config.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent