CSW's Threat Intelligence - August 08, 2022 - August 12, 2022
Posted on Aug 9, 2022 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Watch David Rushton talk about the Top Three Threats of the Week in his Threat Intelligence Podcast!
Here are this week’s threats to watch out for:
In May 2022, a threat actor named Tropical Scorpius was observed deploying Cuba ransomware using new techniques and tools. According to the latest research conducted in June 2022, it was discovered that they’ve been using a new malware variant of ROMCOM RAT, a weaponized local privilege escalation exploit, a kernel driver, and the ZeroLogan hacktool to launch attacks.
While the actual number of Tropical Scorpius’s victims is unknown, they have published stolen files from four victims on their Onion site.
CVE-2020-1472 and CVE-2022-24521 are the CVEs associated with the Cuba ransomware.
Exploit Type: ['DoS', 'WebApp','PE']
CWE ID: CWE-330, CWE-287
Ransomware Associations: Darkside, CryptoMix, Babuk, Ryuk, Conti, Epsilon Red, Thanos
APT Group Associations: Wizard Spider, Prophet Spider, MuddyWater, TA505, menuPass, Sandworm Team, FIN7
Affected Product Count: 24
Patch Link: Download
Maui ransomware, used extensively in targets against the healthcare sector is now found to be linked to the North Korean APT group, Andariel. The ransomware, first spotted in 2021, in Japan, could not be associated with any APT group at that time. CISA had also published an alert regarding it on July 7, 2022, but there was no mention of Andariel. After research, it was concluded that a variant of the well-known DTrack malware was deployed in the target system before Maui ransomware in the 2021 attack by the group. 3 months prior to this, the targeted system was infected with a suspicious 3proxy tool. As this is the modus operandi of the Andariel group, researchers have concluded that Maui ransomware is used by the Andariel group.
Maui ransomware is also confirmed to be used in a healthcare attack in 2022.
CVE-2017-10271 is the CVE associated with this ransomware.
Exploit Type: ['RCE', 'WebApp']
Ransomware Associations: GandCrab, Stop, Satan, Satan, QNAPCrypt
APT Group Associations: Rocke
Affected Product Count: 4
Patch Link: Download
CVE-2022-30333, CVE-2022-34713, CVE-2022-27925, and CVE-2022-37042 are the latest vulnerabilities added to the KEV list. The first two were added on 9th, August 2022 and the latter two were added on 11th August, 2022..
CVE-2022-30333 is a path traversal vulnerability in RarLab's UnRAR binary. It was exploited in ZIMRA devices. We had warned of this vulnerability to our users back in June when it was actively exploited and you can also find this in our threat blog.
CVE-2022-34713 is the DogWalk Zero-Day found in Windows Support Diagnostic Tool (MSDT). It is a remote code execution vulnerability wherein the attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. Although it was brought to Microsoft’s attention back in June, they did not patch it until it was actively exploited in the wild. CISA has now added it to its KEV list and has warned federal organizations to patch it.
We had warned our customers of this CVE back in June and helped them patch it.
CVE-2022-27925 and CVE-2022-37042 are unauthenticated RCE vulnerabilities that grant access to the ZCS email servers. There is evidence of mass exploitation of CVE-2022-27925, some of which have been in Government organizations. We’ve covered more details of this CVE in our threat blog.
BlueSky is the latest evolving threat in the cyber realm. So far, BlueSky has been observed to target Windows hosts and utilizes multithreading to encrypt files on the host for faster encryption. The attack methodologies bear many similarities with the Conti and Babuk ransomware families.
CVE-2020-0796 and CVE-2021-1732 are the two vulnerabilities this ransomware has exploited. Microsoft has released patches for both these vulnerabilities back in 2020 and 2021, respectively.
We had called CVE-2021-1732 out as being one of the top exploited vulnerabilities in Microsoft.
CVE-2022-20866 is a highly critical vulnerability which allows an unauthenticated attacker to retrieve a RSA private key remotely. Using the private key, the attacker can decrypt the device traffic or impersonate Cisco ASA/FTD devices. There is a possibility that the RSA private keys of Cisco ASA or FTD device administrators may have been stolen by attackers. However, there is no evidence of any exploitation in the wild.
CISCO has released a patch for this vulnerability on August 10, 2022.
Old vulnerabilities have often taken many organizations by surprise. This week make sure you patch SmokeLpader - a malware that helps distribute other malware variants has been targeting CVEs that were discovered in 2017.
A Taiwanese telecommunications company was the victim of an email-phishing campaign in which CVE-2017-0199 and CVE-2017-11882 were exploited. SmokeLoader was used to deliver zgRAT malware in the targeted systems. Both these CVEs have been on CISA’s top-10 most exploited vulnerabilities list for 2016-2019.
CSW has been warning our customers of these two CVEs since 2021.
CVE-2017-11882 is a Microsoft Office Memory Corruption Vulnerability that allows an attacker to run arbitrary code in the context of the user.
CVE-2017-0199 is a Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API" that allows an attacker to execute arbitrary code via a crafted document.
CVE-2017-0199 and CVE-2017-11882 are actively used in the cyberwar against Ukraine by Gamaredon, a Russian APT group. From CSW’s AI-based analysis, it is clear that CVE-2017-11882 is the most favored vulnerability in 2022 with 22 APT groups actively exploiting it. 18 APT groups are exploiting CVE-2017-0199.
If your organization is yet to patch these vulnerabilities, it is high-time to get it done.
On Wednesday, August, 10, CISCO announced that they had been a victim of a cyber attack in May 2022. A threat actor had gained access to an employee’s personal Google account and stole the credentials from the victim’s browser. The actor then used voice phishing to get the victim to successfully accept multi-factor authentication (MFA) push notifications initiated by the attacker.
CISCO was alerted to the threat actor’s presence and revoked their access before they could access any critical systems or information. The actor is suspected to be an initial-access broker with links to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and the Yanluowang ransomware operators.
There were multiple instances of serious breaches in the Zimbra Collaboration Suite (ZCS) email servers in July and August. The unauthenticated RCE CVE-2022-27925 was exploited during these attacks to compromise servers in several organizations including Government departments and ministries; military branches; worldwide businesses with billions of dollars of revenue, etc. This CVE does not need administrator credentials to access the victims’ ZCS email servers because of the authentication bypass bug, CVE-2022-37042.
ZIMBRA had previously released a patch for CVE-2022-27925 in March 2022 but it did not address the authentication bypass flaw. In the latest patch released in August they have fixed it.
Zimbra has advised all organizations using versions that are older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 to update to the latest patch as soon as possible.
CISA and the FBI released a joint Cybersecurity Advisory (CSA) announcement on Thursday Aug 11th, 2022 in an effort to stop ransomware attacks. The focus of Thursday’s announcement was the Zeppelin ransomware. The latest tactics and techniques undertaken by the ransomware group, indicators of compromise (IOCs), and mitigation measures were detailed in this announcement.
Zeppelin ransomware attacks are known to deploy multiple malware instances in a single victim’s systems thereby creating different IDs or file extensions. In most cases, the victims need several unique decryption keys to recover their data. Zeppelin’s last known attack had occurred as recently as June 2022.
CVE-2020-0796, CVE-2020-1210, and CVE-2020-16875 are the CVEs associated with the Zeppelin ransomware.
CVE-2022-0028, a vulnerability caused by the misconfiguration in the URL filtering policy in Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.
The attack may not cause any loss in the availability of the PAN services or compromise the confidentiality or integrity of data. However, the attacker’s identity may be undiscoverable and implicates the firewall as the source of attack.
Pal0 Alto Networks has addressed this issue and released a patch for this misconfiguration in August 2022 and urges all organizations to apply it in their PAN-OS products.
On August’s Patch Tuesday, Microsoft announced patches for 121 vulnerabilities, including two zero-day vulnerabilities: CVE-2022-34713 & CVE-2022-30134. Seventeen of the 121 vulnerabilities fixed are classified as 'Critical' as they allow remote code execution or elevation of privileges.
A new high severity vulnerability in the Django project, an open-source Python-based web framework has been discovered. It could impact 3rd party database backends using Django. Django has released a fix for it in in Django 4.0.6 and Django 3.2.14 versions.
Check out this section to track how these threats evolve!
We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!