CSW's Threat Intelligence - August 02, 2022 - August 05, 2022
Posted on Aug 1, 2022 | By Supriya Aluri
In this edition, we bring you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.
Watch David Rushton talk about the Top Three Threats of the Week in his Threat Intelligence Podcast!
Here are the top threats of this week:
The notorious ransomware group BlackCat attacked Creos, the energy grid operator in Luxembourg. Creos is a subsidiary of Encevo. Service delivery was not interrupted during the attack, but the customer portals were unavailable for a while. An estimated 150 GB of data, including contracts, agreements, passports, bills, and emails, was stolen. BlackCat (ALPHV) has threatened to leak this data if its ransom demands are not met. BlackCat is believed to be a rebrand of DarkSide, the group known for the attack on Colonial Pipeline.
The following CVEs are associated with BlackCat ransomware's attacks: CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523.
BlackCat has carried out attacks against public and private organizations without distinction. Check out our comprehensive blog on BlackCat's activities.
Two vulnerabilities, CVE-2022-31656 and CVE-2022-31659, were discovered in VMware Workspace ONE Access, Identity Manager, and vRealize Automation products. If exploited, these vulnerabilities could affect local domain users and enable unauthenticated attackers to gain admin privileges.
VMware released patches for these vulnerabilities at the same time their discovery was publicized.
Since the flaws affect on-premises deployments, VMware has advised that organizations using ITIL methodologies for change management treat the fix as an emergency change and apply the patches immediately.
There are no known exploits in the wild for these vulnerabilities.
DrayTek is a Taiwanese company manufacturing Small and Home Office (SOHO) routers, which are widely adopted in the UK, Taiwan, Vietnam, and elsewhere. Recently, a remote code execution vulnerability, CVE-2022-32548, was discovered in these devices. Over 200k devices have the vulnerable service exposed on the internet, and those configured to be internet facing can be exploited without user interaction. A one-click attack can also be performed from within the LAN in the default device configuration. Successful exploitation leads to full compromise of the device and may lead to a network breach and unauthorized access to internal resources.
CVE-2022-32548 has a CVSS score of 10.0, classifying it as critical.
DrayTek has released patches for this vulnerability and is urging its customers to apply them immediately.
Unauthenticated, remote attackers can exploit two security flaws, CVE-2022-20842 and CVE-2022-20827, to execute arbitrary code or commands on vulnerable devices, or to cause a denial of service (DoS) condition. These vulnerabilities are caused by insufficient input validation in the web-based management interface and the web filter database update feature of Cisco Small Business RV series routers. Exploitation requires neither authentication nor user interaction, so an attacker can take over an exposed device outright.
There is no evidence of exploitation in the wild.
Cisco has released patches for both CVEs. Organizations using Cisco Small Business VPN routers should apply these patches with the utmost urgency.
This week we've added a new section to track evolving threats.
CVE-2022-35650, identified in Moodle can lead to arbitrary file read due to insufficient path checks. A vendor advisory has been released for this CVE.
CVSS Score: 7.5
CWE: CWE-20, CWE-22
Affected Product Count: 5
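The Moodle item above describes the general bug class (CWE-22): a file-serving routine that checks the requested path before "../" segments are resolved. The following is an added illustration of that class, constructed for this newsletter; it is not Moodle's code and does not reproduce the specific Moodle fix. It contrasts an insufficient prefix check with a check that resolves the real path first and then tests containment.

```python
"""Constructed example: insufficient vs. hardened path containment check.

Not Moodle's code. The function names and the sample request strings are
assumptions made for this illustration.
"""
import os
import tempfile


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """Insufficient check: tests the string prefix of the *unresolved* path.

    os.path.join(base, "../../etc/passwd") still begins with base, so the
    ".." segments are never collapsed before the comparison runs.
    """
    candidate = os.path.join(base_dir, requested)
    if not candidate.startswith(base_dir):
        raise PermissionError(requested)
    return candidate


def safe_resolve(base_dir: str, requested: str) -> str:
    """Hardened check: resolve symlinks and ".." first, then test containment.

    commonpath is used instead of startswith so that "/srv/files2" is not
    mistaken for a child of "/srv/files".
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(requested)
    return candidate


def escapes(resolver, base_dir: str, requested: str) -> bool:
    """True if the resolver accepts `requested` and the result lies outside base_dir."""
    try:
        path = resolver(base_dir, requested)
    except PermissionError:
        return False
    real_base = os.path.realpath(base_dir)
    return os.path.commonpath([real_base, os.path.realpath(path)]) != real_base


if __name__ == "__main__":
    # Constructed input: a scratch directory standing in for the file store.
    store = tempfile.mkdtemp()
    traversal = "../../../../etc/passwd"
    print("unsafe check escapes:", escapes(unsafe_resolve, store, traversal))
    print("safe   check escapes:", escapes(safe_resolve, store, traversal))
```

The point to carry over to code review: a containment check is only meaningful after the path has been canonicalized, and a prefix comparison on strings is not a containment test on directories.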
Vulnerability in Zimbra
A vulnerability in Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0, tracked as CVE-2022-27924, allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance.
CVSS Score: 7.5
Affected Product Count: 2
This vulnerability was added to the CISA KEV list on 4th of Aug, 2 days after we called it out in this blog.
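The Zimbra item above describes command injection into memcache. The memcached text protocol is line oriented: each command ends with CRLF, so a key that carries its own "\r\n" terminates the intended command and starts a second one on the same connection. The following is an added, constructed illustration of that mechanism, not Zimbra's code; the function names and the sample key are assumptions. It pairs an unvalidated command builder with one that enforces the protocol's key rules (printable ASCII, no whitespace or control characters, at most 250 bytes).

```python
"""Constructed example: CRLF injection into the memcached text protocol.

Not Zimbra's code. Function names and the sample keys are assumptions made
for this illustration.
"""
import re

MEMCACHED_MAX_KEY = 250                    # protocol limit on key length in bytes
_KEY_RE = re.compile(rb"^[\x21-\x7e]+$")   # printable ASCII, no space or control chars


def unsafe_build_get(key: str) -> bytes:
    """Insufficient validation: the key is interpolated straight into the
    line-oriented protocol, so CR/LF inside it ends the GET early."""
    return f"get {key}\r\n".encode("utf-8")


def validate_key(key: str) -> bytes:
    """Reject anything memcached would not accept as a single key token."""
    raw = key.encode("utf-8")
    if len(raw) > MEMCACHED_MAX_KEY or not _KEY_RE.match(raw):
        raise ValueError("invalid memcached key")
    return raw


def safe_build_get(key: str) -> bytes:
    """Hardened builder: only a validated key token reaches the wire."""
    return b"get " + validate_key(key) + b"\r\n"


def commands_in(payload: bytes) -> list:
    """Split a byte stream the way the server does: one command per CRLF line."""
    return [line.decode("latin-1") for line in payload.split(b"\r\n") if line]


if __name__ == "__main__":
    # Constructed attacker-controlled key: a valid-looking key followed by a
    # CRLF and a second command.
    hostile = "session:alice\r\nflush_all"
    print("unsafe:", commands_in(unsafe_build_get(hostile)))
    try:
        safe_build_get(hostile)
    except ValueError as exc:
        print("safe  :", exc)
```

The defensive rule is the same one that applies to any line- or token-delimited wire protocol: validate against the protocol's own grammar for the field, rather than blacklisting "\r\n" after the fact.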
CVE-2022-34918, a vulnerability in the Linux kernel through 5.18.9 could be used by an attacker to escalate privileges.
CVSS Score: 7.8
CWE: CWE-843, CWE-1025
Affected Product Count: 1
Raspberry Robin worm
The Russian cybercrime group Evil Corp has been using Raspberry Robin, a USB-based worm, in its recent attacks. In July 2022, the worm was observed relying on compromised QNAP network-attached storage devices to host its infrastructure.
Woody RAT malware
Russian organizations, including a government-controlled defense corporation, were recently attacked by unknown actors using the Woody RAT malware. The CVE associated with this malware is CVE-2022-30190, the Follina bug.
CVSS Score: 7.8
Exploit Type: RCE, WebApp
APT Group Association: TA413, APT29, Sandworm Team
Affected Product Count: 18
Watch out for this section to track how these threats evolve.
We use our Threat Intelligence Platform, driven by Artificial Intelligence (AI) and Machine Learning (ML) models, to analyze the vulnerabilities that attackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!