By Jon Munshaw.
The one big thing
Why do I care?
This vulnerability is the only one disclosed as part of last week’s Patch Tuesday that’s been exploited in the wild. An attacker could exploit this vulnerability to execute code on the targeted machine as SYSTEM. However, they would need physical access to a machine to exploit the issue. That being said, if CISA is warning users that it’s being actively exploited in the wild, it’s as good a time as any to remember to patch.
So now what?
Our Patch Tuesday blog post contains links to Microsoft’s updates for Patch Tuesday and a rundown of other vulnerabilities you should know about. Additionally, we have multiple Snort rules that can detect attempts to exploit CVE-2022-22047.
Other news of note
The U.S. Department of Homeland Security declared the Log4shell vulnerability is “endemic” and will present a risk to organizations for at least the next decade. A new report into the major vulnerability in Log4j declared that the open-source community does not have enough resources to properly secure its code and needs the public and private sector to assist with the implementation of patches. They also warned that there are still many instances of vulnerable software that attackers could take advantage of. The DHS report also says the original vulnerable code could have been detected in 2013 had the reviewers had the time and the appropriate cybersecurity knowledge to spot the flaw. That being said, the investigating panel said there were no major cyber attacks against U.S. critical infrastructure leveraging Log4shell. (Dark Reading, Associated Press, ZDNet)
The European Union is warning that increased cyber attacks from Russian state-sponsored actors run the risk of unnecessary escalation and spillover effects to all of Europe. A formal EU declaration says that member nations “strongly condemn this unacceptable behaviour in cyberspace and express solidarity with all countries that have fallen victim.” A Lithuanian energy firm was the recent target of a distributed denial-of-service attack that the country said was the largest cyber attack in a decade. Belgian leaders also say their country was recently targeted by several Chinese state-sponsored groups. (Bleeping Computer, Council of the European Union, Infosecurity Magazine)
A relatively small botnet is suspected to be behind more than 3,000 recent distributed denial-of-service attacks. The Mantis botnet, which is suspected to be an evolution of Meris, has already targeted users in Germany, Taiwan, South Korea, Japan, the U.S. and the U.K. Most recently, it launched a malware campaign against Android users in France, using malicious SMS messages to lure victims into downloading malware that adds devices to the botnet’s growing system. Security researchers say users have already downloaded the malware about 90,000 times. (Bleeping Computer, ZDNet)
Can’t get enough Talos?
- Vulnerability Spotlight: Issue in Accusoft ImageGear could lead to memory corruption, code execution
- EMEAR Monthly Talos Update: Training the next generation of cybersecurity researchers
- Beers with Talos Ep. #123: Hunting for ransomware actors on *whispers* the dark web
- Talos Takes Ep. #104: The psychology of multi-factor authentication
- Pakistani Hackers Targeting Indian Students in Latest Malware Campaign
Upcoming events where you can find Talos
New York City
Talos Twitter, LinkedIn and YouTube pages
BlackHat U.S. (Aug. 6 - 11, 2022), Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg