CSW Weekly Threat Intelligence

Posted on Jun 27, 2022 | By Pavithra Shankar

The CSW weekly threat intelligence edition brings you early warnings about critical vulnerabilities that could be weaponized against your organization and its assets.

Top Critical Cyber Threats of the Week

Confluence Servers Hacked to Deploy AvosLocker, Cerber2021 ransomware

Ransomware groups are exploiting CVE-2022-26134, an OGNL injection flaw in Atlassian Confluence Server and Data Center that Atlassian patched on 3 June 2022, and several new Linux botnets are abusing it for initial access to target networks. Within a week of disclosure attackers were using the bug to drop web shells, giving them unauthenticated remote code execution on internet-exposed Confluence instances. Because exploitation takes a single crafted HTTP request, an unpatched instance that was reachable from the internet should be checked for web shells and suspicious requests, not just upgraded.

Threat Associated CVEs: CVE-2022-26134

CVSS Score: 9.8

Vendor & Product: Atlassian Confluence Server and Data Center, all supported versions (7.4.0 and later, including 7.18.0); fixed in 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1

Exploit Type: RCE Vulnerability

CWE: CWE-74

Ransomware Associations: Cerber (Cerber2021), AvosLocker

APT Groups: NA

Malware: Linux Botnets

Early Warning: Our AI and ML models have given a Maximum rating for this vulnerability indicating a high risk of exploitation by attackers.
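As an added example (this is not code from CSW or Atlassian), the script below hunts for the exploitation pattern in Confluence access logs: the public exploit for CVE-2022-26134 places a URL-encoded OGNL expression (${...}) in the request path, so a request whose decoded path contains an OGNL expression or a Java runtime class reference is a strong indicator. The log lines are constructed samples in combined log format; the field layout of a real Confluence or reverse-proxy log may differ, so the parsing regex is an assumption to adjust for your environment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not real traffic).
# Lines 2 and 4 carry URL-encoded OGNL expressions in the path, the CVE-2022-26134 pattern;
# line 4 is double-encoded, as seen when a payload passes through an extra encoding layer.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2022:09:14:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2022:09:14:09 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0
10.0.0.5 - - [10/Jun/2022:09:15:22 +0000] "GET /rest/api/content?spaceKey=DOC HTTP/1.1" 200 884
198.51.100.9 - - [10/Jun/2022:09:16:40 +0000] "POST /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of an OGNL expression in a decoded path. "${" catches the generic injection;
# the class references catch payloads whose braces were mangled by a proxy.
OGNL_MARKERS = ("${", "@java.lang.Runtime", "@org.apache.commons.io.IOUtils")


def decode_path(path: str) -> str:
    """URL-decode twice so double-encoded payloads are normalised as well."""
    return unquote(unquote(path))


def find_ognl_injections(log_text: str) -> list:
    """Return one dict per request whose decoded path looks like an OGNL injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the hunt
        decoded = decode_path(m.group("path"))
        if any(marker in decoded for marker in OGNL_MARKERS):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),  # exploitation attempts typically produce a 302
                "decoded_path": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_injections(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["status"]} {hit["decoded_path"]}')
```

Run it over the full retention window of access logs, not just the days after the advisory: the bug was exploited before it was public, and a hit with a 302 status from an unfamiliar source address is a reason to look for web shells in the Confluence install directory.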

BlackCat Ransomware Targets Microsoft Exchange Servers

Microsoft reports that a BlackCat/ALPHV affiliate compromised an unpatched Exchange server to deploy the ransomware inside a target organization. Microsoft's write-up does not name the Exchange vulnerability used for initial access, but it links to its March 2021 guidance on investigating and mitigating ProxyLogon attacks; separate reporting ties BlackCat affiliates to CVE-2021-31207 (part of the ProxyShell chain), which they used to gain access to the server and install a web shell for persistent remote access.

Organizations should therefore patch the BlackCat-associated CVEs listed below, starting with the ProxyLogon and ProxyShell Exchange flaws.

Threat Associated CVEs: CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, and CVE-2021-26855.

Early Warning: Unusual hacker chat discussions about these vulnerabilities have increased their exploitability rating.

 

Threat Associated CVEs

CVE-2016-0099
CVSS Score: 7.8
Vendor & Product: Microsoft Windows (Secondary Logon service, MS16-032)
Exploit Type: PE
CWE ID: CWE-264
Ransomware Associations: BlackCat
APT Groups: NA

CVE-2019-7481
CVSS Score: 7.5
Vendor & Product: SonicWall SMA100
Exploit Type: SQL injection
CWE ID: CWE-89
Ransomware Associations: BlackCat, HelloKitty
APT Groups: -

CVE-2021-31207 (ProxyShell)
CVSS Score: 7.2
Vendor & Product: Microsoft Exchange Server
Exploit Type: PE, RCE, WebApp
CWE ID: -
Ransomware Associations: BlackByte, Cuba, Babuk, LockFile, Conti, Hive, AvosLocker, Karma, BlackCat
APT Groups: ChamelGang, TR

CVE-2021-26855 (ProxyLogon)
CVSS Score: 9.8
Vendor & Product: Microsoft Exchange Server
Exploit Type: PE, RCE, WebApp
CWE ID: -
Ransomware Associations: Cuba, DearCry, EpsilonRed, Conti, AvosLocker, Black Kingdom
APT Groups: BRONZE BUTLER, HAFNIUM, FamousSparrow, Mikroceen, Threat Group-3390, Websiic, Winnti Group, Calypso, Mustang Panda, APT29, Tonto Team, TR

Hertzbleed: New Side-Channel Attack Affects Intel and AMD CPUs

Hertzbleed is a side-channel attack disclosed by researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign and the University of Washington that can extract cryptographic keys from modern Intel and AMD x86 CPUs, including over the network. It exploits dynamic voltage and frequency scaling (DVFS): under boost, the CPU's operating frequency depends on the power it draws, and the power drawn depends on the data being processed, so the execution time of even constant-time code varies with the secret it handles. In effect a classic power side channel becomes a timing channel that a remote attacker can observe. The researchers demonstrated full key recovery from implementations of the post-quantum scheme SIKE. Intel tracks the issue as CVE-2022-24436 and AMD as CVE-2022-23823. Neither vendor is issuing microcode fixes; the suggested workaround is to disable frequency boost (Intel Turbo Boost, AMD Precision Boost) at a performance cost, or to harden the cryptographic code itself against the leak.

 

Threat Associated CVEs: CVE-2022-24436 (Intel) and CVE-2022-23823 (AMD)

CVE-2022-24436
CVSS Score: 6.3
Vendor & Product: Intel processors
Exploit Type: Information Disclosure (side channel)
CWE ID: -
Ransomware Associations: -
APT Groups: -

CVE-2022-23823
CVSS Score: -
Vendor & Product: AMD processors
Exploit Type: Information Disclosure (side channel)
CWE ID: -
Ransomware Associations: -
APT Groups: -
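As an added example (not the researchers' or the vendors' code), the check below reads the Linux sysfs knobs that control frequency boost and reports whether a host is running with boost enabled, the condition Hertzbleed depends on. The paths are the ones the intel_pstate driver and the generic cpufreq interface expose; note that the two flags have opposite meanings. The sysfs root is a parameter so the logic can be exercised against a copied tree, and the 'unknown' verdict covers hosts (VMs, other drivers) where neither knob exists.

```python
from pathlib import Path

# sysfs knobs, relative to the sysfs root. The semantics are inverted between drivers:
# intel_pstate publishes "no_turbo" (1 = boost OFF), while the generic cpufreq interface
# (acpi-cpufreq and others) publishes "boost" (1 = boost ON).
INTEL_NO_TURBO = "devices/system/cpu/intel_pstate/no_turbo"
GENERIC_BOOST = "devices/system/cpu/cpufreq/boost"


def interpret_flags(no_turbo, boost):
    """Map raw flag contents (strings, or None when the file is absent) to a verdict.

    intel_pstate takes precedence because, when it is the active driver, it is the
    knob that actually governs turbo on that host.
    """
    if no_turbo is not None:
        return "disabled" if no_turbo.strip() == "1" else "enabled"
    if boost is not None:
        return "enabled" if boost.strip() == "1" else "disabled"
    return "unknown"  # neither interface present: VM, non-x86 or an unusual driver


def read_flag(root, rel):
    """Read a sysfs file if it exists, else None."""
    p = Path(root) / rel
    return p.read_text() if p.is_file() else None


def boost_status(sysfs_root="/sys"):
    """Return 'enabled', 'disabled' or 'unknown' for CPU frequency boost on a Linux host."""
    return interpret_flags(read_flag(sysfs_root, INTEL_NO_TURBO),
                           read_flag(sysfs_root, GENERIC_BOOST))


if __name__ == "__main__":
    status = boost_status()
    print(f"frequency boost: {status}")
    if status == "enabled":
        print("host is exposed to Hertzbleed-style frequency side channels; "
              "weigh disabling boost for workloads that handle long-term secrets")
```

Disabling boost removes the frequency dependence but not the underlying power dependence, and it costs throughput on every workload, so it is a decision to make per fleet role (key servers and HSM-less signing hosts first) rather than a blanket setting.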

 

Critical Citrix Bug (CVE-2022-27511) Impacts All ADM Servers, Agents

Citrix has patched a vulnerability in its Application Delivery Management (ADM) product that affects all supported versions of the ADM server and the ADM agent. Tracked as CVE-2022-27511 and classed as improper access control, it lets a remote, unauthenticated attacker corrupt the system; one consequence is that the administrator password is reset to its default at the next reboot, after which anyone with SSH access to the appliance can log in with the default administrator credentials. Citrix advises upgrading to ADM 13.1-21.53 or 13.0-85.19 (or later) and restricting network access to the ADM's IP address, for example with a firewall.

Threat Associated CVEs: CVE-2022-27511

CVSS Score: 8.1

Vendor & Product: All supported versions of Citrix ADM server and Citrix ADM agent

Exploit Type: NA

CWE: CWE-284

Ransomware Associations: NA

APT Groups: NA

Malware: NA

Early Warning: Our AI and ML models predict a high risk of exploitation by attackers.

CISA Adds Follina to its Known Exploited Vulnerabilities Catalog

CISA added the Follina zero-day, tracked as CVE-2022-30190, to its Known Exploited Vulnerabilities catalog on 14 June 2022, the same day Microsoft shipped a fix in its June Patch Tuesday updates. The flaw is in the Microsoft Support Diagnostic Tool (MSDT): a specially crafted Office document can invoke the ms-msdt: URL protocol handler and run arbitrary commands, typically PowerShell, with the privileges of the calling application when the file is opened or, for some file types, merely previewed. Before the patch, Microsoft's recommended workaround was to disable the protocol handler by deleting the HKEY_CLASSES_ROOT\ms-msdt registry key (after exporting a backup); hosts that applied it should install the June update and can then restore the key.

The vulnerability has been exploited by threat actors including TA413, APT28 and Sandworm, and by the TA570 campaign that distributes QBot; notably, multiple proof-of-concept exploits were public before the patch was available.

See CSW's separate Follina analysis for more detail.

Threat Associated CVEs: CVE-2022-30190

CVSS Score: 7.8

Vendor & Product: All currently supported Windows versions

Exploit Type: RCE Vulnerability

CWE: NVD-CWE-noinfo

Ransomware Associations: NA

APT Groups: TA413, APT28, Sandworm, and TA570

Malware: QBot

Early Warning: Our AI and ML models have given a maximum rating for this vulnerability indicating a high risk of exploitation by attackers.
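As an added example (not CSW's or Microsoft's code), the scanner below unpacks a Word document and flags the two artifacts that characterised Follina delivery: an oleObject relationship in word/_rels/document.xml.rels with TargetMode="External", which is how the lure document fetched the attacker's HTML, and any occurrence of the ms-msdt: scheme anywhere inside the package. The documents it scans are constructed in memory as fixtures; example.com is a placeholder, and the HTML snippet only carries the scheme, it is not an exploit.

```python
import io
import re
import zipfile

# Constructed fixtures (not real samples). The malicious relationship file mirrors the
# Follina delivery pattern: an oleObject relationship with TargetMode="External" pointing
# at an attacker-hosted HTML page (the trailing "!" matches observed samples).
MALICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.com/lure.html!" TargetMode="External"/>
</Relationships>"""

# Benign file with an external hyperlink: external targets are normal on their own,
# it is the combination with an OLE object that matters.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Stand-in for the HTML stage, embedded only to show that the scheme is caught wherever
# it appears in the package (some variants carry it inside the document itself).
MSDT_HTML = '<script>window.location.href = "ms-msdt:/id PCWDiagnostic";</script>'


def build_docx(rels_xml, extra_files=None):
    """Assemble a minimal in-memory OOXML package around the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        for name, data in (extra_files or {}).items():
            z.writestr(name, data)
    return buf.getvalue()


REL_TAG_RE = re.compile(r"<Relationship\b[^>]*>", re.I)   # \b excludes <Relationships>
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
MSDT_RE = re.compile(r"ms-msdt\s*:", re.I)
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data):
    """Return (indicator, part_name, detail) tuples for Follina-style content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            text = z.read(name).decode("utf-8", errors="replace")
            if name.endswith(".rels"):
                for tag in REL_TAG_RE.findall(text):
                    attrs = dict(ATTR_RE.findall(tag))
                    if attrs.get("TargetMode") == "External" and attrs.get("Type") == OLE_TYPE:
                        findings.append(("external_ole_object", name, attrs.get("Target", "")))
            m = MSDT_RE.search(text)
            if m:
                findings.append(("ms-msdt_scheme", name, text[m.start():m.start() + 40]))
    return findings


if __name__ == "__main__":
    sample = build_docx(MALICIOUS_RELS, {"word/embeddings/lure.html": MSDT_HTML})
    for indicator, part, detail in scan_docx(sample):
        print(f"{indicator:20} {part:40} {detail}")
    print("benign findings:", scan_docx(build_docx(BENIGN_RELS)))
```

The external oleObject relationship is the more durable indicator: it is present in the delivered document regardless of what the remote HTML later contains, and legitimate documents rarely link OLE objects from the internet.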

 

CSW is on a mission to fix the biggest gap in the cybersecurity industry!

Threat Intelligence will no longer be responding to security incidents. We are breaking the wheel to provide you with an early warning system based on our AI and ML capabilities, hacker chats, and attacker behavior. Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.

 
