
CSW’s Friday Threat Intelligence

Posted on Jul 8, 2022 | By Pavithra Shankar, Supriya Aluri

CSW’s weekly threat intelligence edition brings you early warnings about critical vulnerabilities that are already weaponized, or could be weaponized, and that could prove dangerous to your organization and its assets. This week, we cover eight threats that are currently trending, as well as new vulnerabilities that hackers are exploiting.


Why play catch-up when you can proactively patch these vulnerabilities now?


Check out our new Threat Intelligence Podcast featuring Top Three Threats of the Week hosted by David Rushton from the CSW Research Team.


Top Critical Cyber Threats of the Week

  1. Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit

  2. ShadowPad Targets Industrial Control Systems

  3. CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus

  4. Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers

  5. The Miracle Exploit affects Oracle Fusion Middleware and Oracle Online Systems

  6. ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks

  7. FabricScape: Escaping Service Fabric, Privilege Escalation

  8. UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit

Black Basta is a highly notorious ransomware group that has extorted over 50 organizations in recent times. This week, the group was caught deploying the QakBot banking trojan as its means of entry and movement, and then exploiting the PrintNightmare vulnerability (CVE-2021-34527). This vulnerability is caused by improper privilege management and can be used to execute code remotely. Black Basta abused the Windows Print Spooler service (spoolsv.exe) to drop its payload, spider.dll, and perform privileged file operations. It also exploited the vulnerability to execute another file on the affected system, but samples of this file were no longer available on the system. Additionally, researchers found that the ransomware actors used the Coroxy backdoor together with the networking utility Netcat to move laterally across the network. Once the attackers had gained a wide foothold in the network, they executed the Black Basta ransomware.

Check out our detailed blog on PrintNightmare and get the script to detect the vulnerability.

ShadowPad Targets Industrial Control Systems

Recently, a ShadowPad malware attack campaign was launched against unpatched Microsoft Exchange servers across Asia. According to an advisory, once the attackers gain initial access via the ProxyLogon vulnerabilities, they deploy the ShadowPad malware on the industrial control systems (ICS) of telecommunications companies in Pakistan and Afghanistan and of a logistics and transport organization in Malaysia. Although the true motive behind this campaign is not clear, the attackers seem to be interested in the operation of the ICS and may be gathering information on the larger infrastructure of various countries.

The adversary began launching intrusions around March 2021, when the ProxyLogon vulnerabilities in Exchange Servers were made public. It is also reported that some of the targets were breached by exploiting CVE-2021-26855, a server-side request forgery (SSRF) vulnerability.

Threat Associated CVEs: CVE-2021-26855 

CVSS Score: 9.8

Affected Product Count: 24

Exploit Type: RCE, PE, WebApp

CWE: NA

Ransomware Associations: AvosLocker, Conti, Black Kingdom, Cuba, Epsilon Red, DearCry

APT Groups: HAFNIUM, Tonto Team, BRONZE BUTLER, Mustang Panda, Threat Group-3390, Calypso, Winnti Group, Websiic, Mikroceen, FamousSparrow, APT29, TR

Malware: ShadowPad

CISA KEV: Yes

CISA Patch Deadline: April 16, 2021

Patch: Download

CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus

CVE-2022-28219 is an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability consists of several issues, including untrusted Java deserialization, path traversal, and blind injection of XML External Entities (XXE). It can be exploited to steal encrypted login credentials of customers’ domains. It can also be used to distribute malware on all machines on the network.

Our predictive VI had assessed this vulnerability as at risk of weaponization as early as April 2022, based on deep and dark web reconnaissance.
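The post names blind XXE as one of the issues behind CVE-2022-28219 but does not describe how ADAudit Plus parses XML, and the following is not the vendor's fix. It is an added example of the generic defender-side control for this bug class: refuse XML input that carries a DOCTYPE or ENTITY declaration before it reaches a parser, and configure the parser not to resolve external entities anyway. The two sample documents are constructed for the example; the external identifier in the hostile one points at a placeholder URI, not a real file.

```python
import re
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample inputs (not taken from the original post).
BENIGN_XML = b'<?xml version="1.0"?><report><host name="dc01"/></report>'
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///constructed/example">]>'
    b"<r>&ext;</r>"
)

# Every XXE payload needs a DTD to declare its entity. Ordinary report or API
# XML never carries one, so rejecting any DOCTYPE is a cheap, robust pre-check.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def xxe_findings(data: bytes) -> list:
    """Return a list of reasons to reject the document (empty means it passes)."""
    findings = []
    if _DOCTYPE.search(data):
        findings.append("DOCTYPE declaration present")
    if _ENTITY.search(data):
        findings.append("ENTITY declaration present")
    return findings


class _Collector(ContentHandler):
    """Minimal SAX handler that records element names and text content."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = []

    def startElement(self, name, attrs):
        self.tags.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted_xml(data: bytes):
    """Parse XML from an untrusted source; raise ValueError if the XXE guard trips."""
    findings = xxe_findings(data)
    if findings:
        raise ValueError("rejected XML input: " + "; ".join(findings))
    parser = xml.sax.make_parser()
    # Defence in depth: even if a DTD got past the pre-check, never fetch
    # external general or parameter entities.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(data))
    return handler.tags, "".join(handler.text)


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    try:
        parse_untrusted_xml(XXE_XML)
    except ValueError as exc:
        print(exc)
```

The regular-expression pre-check is deliberately strict: a `<!DOCTYPE` inside a comment or CDATA section will also be rejected, which is the right trade-off for input that should never contain a DTD in the first place. The parser features are the real control; the pre-check gives you a loggable reason for the rejection that detection engineering can key on.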

Threat Associated CVEs: CVE-2022-28219 

CVSS Score: 9.8

Affected Product Count: 14

CWE: CWE-611

Exploit Type: NA

Ransomware Associations: NA

APT Groups: NA

Malware: NA

CISA KEV: NA

CISA Patch Deadline: NA

Patch: Download

Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers

The 8220 Gang strikes again. In its most recent attack, the '8220' malware gang compromised Linux systems and installed crypto-mining malware. The gang has recently been spotted exploiting the critical bug affecting Atlassian Confluence Server and Data Center, tracked as CVE-2022-26134, and has actively updated its techniques and payloads over the last year. On June 30, 2022, researchers observed campaigns targeting i686 and x86_64 Linux systems that used RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access. The updates include the deployment of new versions of a crypto miner and an Internet Relay Chat (IRC) bot.

Learn more about the threat targeting the Confluence vulnerability (CVE-2022-26134) here.

The Miracle Exploit Affects Oracle Fusion Middleware and Oracle Online Systems

Four CVEs make up the ‘Miracle Exploit’, which affects Oracle Fusion Middleware through a deserialization bug in the ADF Faces component of the software. Oracle released a patch to fix these bugs six months after the bug was discovered. The bugs can be exploited to execute code remotely.

ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks


Since 2020, a multistage remote access trojan (RAT) known as ZuoRAT has been targeting remote workers via small office/home office (SOHO) routers across North America and Europe, undetected. These highly targeted campaigns and the attackers' tactics, techniques, and procedures (TTPs) are hallmarks of a state-sponsored threat actor, according to security researchers. In addition to passive network sniffing, the multistage ZuoRAT malware provided in-depth network reconnaissance capabilities once it was deployed on a router left unpatched against known security flaws.


CVE-2022-30137: Microsoft Azure FabricScape Bug let Hackers Hijack Linux Clusters

A new security flaw affecting Microsoft's Service Fabric, named FabricScape (CVE-2022-30137), has been discovered by Palo Alto Networks Unit 42. It could be exploited by malicious actors to gain elevated permissions and control of the cluster, but it can only be weaponized on containers that have runtime access. The issue was resolved in Service Fabric 9.0 Cumulative Update 1.0 as of June 14, 2022.

Threat Associated CVEs: CVE-2022-30137

CVSS Score: 6.7

Affected Product Count: 1

Exploit Type: N/A

CWE: N/A

Ransomware Associations: NA

APT Groups: N/A

Malware: NA

CISA KEV: No

CISA Patch Deadline: NA

Patch: Download

UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

An exploitable path traversal vulnerability in RarLab's UnRAR binary can potentially lead to remote code execution (RCE) on Zimbra and other applications. The flaw, assigned the identifier CVE-2022-30333, affects the Unix versions of UnRAR, where maliciously crafted RAR archives can trigger the path traversal. Successful exploitation of this high-severity issue on Zimbra, the open-source platform used by more than 200,000 businesses, allows attackers to access every email sent or received on compromised servers.
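The post records CVE-2022-30333 as CWE-22 (path traversal) in an archive extractor but does not give the mechanics of the UnRAR bug, so the following is not a description of that bug. It is an added example of the general guard any service that unpacks untrusted archives should apply before writing each entry: normalize the member name, reject absolute and parent-relative names, and confirm the resolved destination is still inside the extraction directory. The destination path and member names are constructed for the example; the `plan_extraction` and `is_safe_member_path` names are this example's own.

```python
import os
import posixpath


def is_safe_member_path(dest_dir: str, member_name: str) -> bool:
    """True only if writing member_name under dest_dir cannot land outside dest_dir."""
    # On Unix a backslash is an ordinary filename character, so an extractor
    # that does not normalize it can create an entry some later component
    # reads as "..\..\x". Treat it as a separator before checking.
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/"):
        return False
    # Drive-letter prefixes (C:/...) are absolute on Windows.
    if len(name) > 1 and name[1] == ":":
        return False
    normalized = posixpath.normpath(name)
    if normalized == ".." or normalized.startswith("../"):
        return False
    # Resolve symlinks that already exist under dest_dir (for example one
    # written by an earlier archive entry) so the final location is compared,
    # not just the textual path.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, normalized))
    return target == dest or target.startswith(dest + os.sep)


def plan_extraction(dest_dir: str, member_names):
    """Split archive entries into those safe to write and those to refuse."""
    accepted, rejected = [], []
    for member in member_names:
        (accepted if is_safe_member_path(dest_dir, member) else rejected).append(member)
    return accepted, rejected


# Constructed member names covering the common traversal shapes.
SAMPLE_MEMBERS = [
    "docs/readme.txt",          # plain relative path
    "docs/../notes.txt",        # '..' that stays inside the tree
    "../../tmp/escaped.sh",     # classic parent traversal
    "..\\..\\tmp\\escaped.sh",  # backslash variant
    "/tmp/absolute.txt",        # absolute path
    "docs/./sub/../file.txt",   # needs normalization, still inside
]

if __name__ == "__main__":
    ok, bad = plan_extraction("/tmp/extract", SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The name check alone is not enough for archive formats that carry symbolic or hard links as entries: a link entry whose target points outside the tree must be rejected by the same rule applied to its target, and writing should happen in the order that guarantees no later entry follows a link written earlier. The `realpath` comparison here only covers links that already exist on disk when the entry is checked.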

Threat Associated CVEs: CVE-2022-30333

CVSS Score: 7.5

Affected Product Count: 1

CWE: CWE-22

Exploit Type: NA

Ransomware Associations: NA

APT Groups: N/A

Malware: NA

CISA KEV: No

CISA Patch Deadline: NA

Patch: Download


We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that could potentially be exploited by hackers. We warn our customers continuously about their exposures and prioritize their vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help in managing your vulnerabilities and exposures from attackers.


Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.
