Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 2 and Dec. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 2 to December 9

Welcome to this week’s edition of the Threat Source newsletter.
As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's

Thursday, December 8, 2022 16:12

Welcome to this week’s edition of the Threat Source newsletter.

As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's right, it’s once again the time of year when no matter what your current role or area of expertise you become tech support for your entire family and anyone they’ve ever met. They will give you unsolvable tech problems and expect holiday miracles. I have no particularly stellar advice that will help you. I have no words of wisdom that will keep you from your pain. I have only this – you aren’t alone. Make sure to take copious notes so that you can regale your workplace associates with the highlights and kick off the new year by putting that pain behind you.

Stay tuned next week for our inaugural Year in Review report!

**The one big thing**

Cisco Talos Incident Response shared a white paper on the steps organizations should follow to secure any major event. Outlining ten major event preparation focus areas, for each of the ten identified areas, Talos IR provides a short checklist to ensure that different organizations and committees can ask the right questions to vendors, suppliers and other event participants. Although the checklist can serve as a useful starting point for most of our readers, the complexity of the problem and diverse security requirements will likely require an in-depth analysis to identify all risk avenues.

**Why do I care?**

Cisco Talos IR has successfully participated in a number of global events at both the forefront as well as in supporting roles, to ensure that threats are contained before causing major disruption. This white paper leverages that experience to provide the reader with insight into the challenges, critical aspects and methodologies that can be utilized to achieve a strong sense of cyber security and IR readiness at both strategic and tactical levels.

**So now what?**

Ensure that the proper teams read the white paper, follow the blueprint, and are prepared to handle several types of attacks before, during and after the event. Leverage the ten focus areas to help your organization build appropriate security strategies ahead of major events.

**Top security headlines of the week**

Many endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing any data on installed systems. Or Yair, a security researcher at SafeBreach discovered the issue, Security products, such as EDR tools have super-user rights on systems, which could allow an attacker to wipe almost any file on the system, including system files. Yair disclosed the issue at the Black Hat Europe conference on Wednesday, Dec 7 having notified the vendors between July and August. Vulnerable products included Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne. (Darkreading)

Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage. Rackspace tweeted "Since becoming aware of suspicious activity in our Hosted Exchange environment on 12/2, we’ve determined that the isolated disruption is the result of ransomware and our security team is working with a lead cyber defense firm to investigate." The cloud service provider says it will notify customers if it finds evidence that the attackers gained access to their sensitive information.(Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/vulnerability-spotlight-memory-corruption-vulnerability-discovered-in-poweriso/
*   https://blog.talosintelligence.com/vulnerability-spotlight-nvidia-driver-memory-corruption-vulnerabilities-discovered/
*   https://blog.talosintelligence.com/vulnerability-spotlight-callback-technologies-cbfs-filter-denial-of-service-vulnerabilities/
*   https://blog.talosintelligence.com/vulnerability-spotlight-lansweeper-directory-traversal-and-cross-site-scripting-vulnerabilities/

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

Threat Source newsletter (Dec. 8, 2022): Your uncle clicked every link

Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

Breaking the silence - Recent Truebot activity

Did you miss our livestream focused on the Ukraine topics presented in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Kendall McKay, Nick Randolph, and Vanja Svajcer as they discuss Talos' now-years-long critical infrastructure effort in Ukraine.

Thursday, December 8, 2022 11:12

Did you miss our livestream focused on the Ukraine topics presented in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Kendall McKay, Nick Randolph, and Vanja Svajcer as they discuss Talos' now-years-long critical infrastructure effort in Ukraine.  Their breifing gives critical insight into the topic of cyber warfare and creates useful comparisons for those defending against these same actors in different contexts.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  

You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review Livestream

TEST-2022YiR Livestream Post-TEST

TEST-2022 Talos Year in Review Report-TEST2

Piotr Bania of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a memory corruption vulnerability in PowerISO.
TALOS-2022-1644 (CVE-2022-41992) is a memory corruption vulnerability that exists in the VHD File Format parsing functionality of PowerISO 8.3. A specially crafted file can lead to an out-of-bounds write. A victim

Wednesday, December 7, 2022 13:12

_Piotr Bania_ of Cisco Talos discovered this vulnerability.

Cisco Talos recently discovered a memory corruption vulnerability in PowerISO.

TALOS-2022-1644 (CVE-2022-41992) is a memory corruption vulnerability that exists in the VHD File Format parsing functionality of PowerISO 8.3. A specially crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability. The vulnerability exists because the "Num of blocks" value from the CXSPARSE record is not validated properly. An attacker can control the loop counter leading to arbitrary memory write.

Cisco Talos worked with PowerISO to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Although PowerISO has fixed this issue, they did not change the version number on the fixed release. Users should confirm that they are running PowerISO, version 8.3 with the most recent bug fixes. Talos tested and confirmed this version of PowerISO could be exploited by this vulnerability.

The following Snort rules will detect exploitation attempts against this vulnerability: 60805-60806. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Memory corruption vulnerability discovered in PowerISO

Piotr Bania of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.
NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This

Tuesday, December 6, 2022 11:12

_Piotr Bania of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Two exploitable memory corruption vulnerabilities exist in the NVIDIA graphics driver: TALOS-2022-1603 (CVE-2022-34671) and TALOS-2022-1604 (CVE-2022-34671). An attacker can use arbitrary code execution to trigger these vulnerabilities. These vulnerabilities could also potentially be triggered from guest machines running virtualization environments (ie. VMware, qemu, VirtualBox, etc.) in order to perform guest-to-host escape.

Cisco Talos worked with NVIDIA to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: NVIDIA D3D10 Driver, Version 516.94 , 31.0.15.1694. Talos tested and confirmed this version of the NVIDIA could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60606-60607 and 60611-60612. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: NVIDIA driver memory corruption vulnerabilities discovered

Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events..

Friday, December 2, 2022 10:12

The cyber security of major events, whether they are related to sports, professional conferences, expos or other events can be a time-consuming, complex undertaking. It necessitates a multifaceted approach and the involvement of multiple entities, including but not limited to the vendors, hospitality teams and service providers to facilitate a uniform approach to cybersecurity across the event ecosystem.

Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events, including the key questions that need to be asked and associated answers.

Protecting major events: an incident response blueprint

Marcin ‘Icewall’ Noga of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several directory traversal and cross-site scripting vulnerabilities in Lansweeper.
Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and

Thursday, December 1, 2022 10:12

_Marcin ‘Icewall’ Noga of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several directory traversal and cross-site scripting vulnerabilities in Lansweeper.

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

Talos has identified two directory traversal vulnerabilities that can lead to arbitrary file upload: TALOS-2022-1528 (CVE-2022-32573) and TALOS-2022-1529 (CVE-2022-29517). Two other vulnerabilities exist where directory traversal can lead to arbitrary file read: TALOS-2022-1530 (CVE-2022-29511) and TALOS-2022-1531 (CVE-2022-27498). An attacker can send an HTTP request to trigger these vulnerabilities.

Both TALOS-2022-1532 (CVE-2022-28703) and TALOS-2022-1541 (CVE-2022-32763) are cross-site scripting sanitation bypass vulnerabilities which can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities as well.

Cisco Talos worked with Lansweeper to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Lansweeper 10.1.1.0. Talos tested and confirmed this version of Lansweeper could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 59990-59992, 59999-60000, 60001-60002, 60054-60056, 60142-60144 and 60219. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.