Cyberwar Bulletin: Iran and Albania

CSW's Threat Intelligence - August 15, 2022 - August 19, 2022

Posted on Aug 16, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Critical Threats

Apple Patches Two Critical Zero-Day Bugs

Chrome Fixes Critical Zero-Day Vulnerability

Critical Realtek Vulnerability Could Potentially Affect Users

Threat Actor Evil PLC Attacks High-value PLC Targets

CISA adds 7 more CVEs to the KEV list

Threats to Watch Out For

CVE-2021-0920: Exploit Targeting Android Devices

CVE-2022-33891: Exploit Used to Deploy Spyware

Iron Tiger APT Targeting Windows, Linux, and macOS Users

Trending Critical Threats

Apple Patches Two Critical Zero-Day Bugs

CVE-2022-32893 and CVE-2022-32894 are two zero-day bugs that were reported to Apple after they were exploited in the wild. These vulnerabilities can be used to hack into iPhones, iPads, and Macs.

CVE-2022-32894 can be used to execute code with kernel privileges and take over the system completely.

CVE-2022-32893 is an out-of-bounds write vulnerability in WebKit that could allow arbitrary code execution; it is likely exploitable remotely when a victim visits a maliciously crafted website.

Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve these two zero-day vulnerabilities.

CVE: CVE-2022-32983

CVSS Score: 5.3

CWE: CWE-290

Affected Product Count: 1

Chrome Fixes Critical Zero-Day Vulnerability

A zero-day vulnerability in Google Chrome, CVE-2022-2856, was patched this week, making it the fifth Chrome zero-day patched this year. The vulnerability is caused by insufficient validation of untrusted input in Intents, the mechanism that lets a web page launch applications and web services directly. Exploiting this could potentially lead to buffer overflow, directory traversal, SQL injection, cross-site scripting, null byte injection, and more.

CVE-2022-2856 is already exploited in the wild, so it is recommended that all Chrome users move to the latest version (104.0.5112.102) to avoid falling victim to malicious activities.

According to CSW’s research analysis team, users and organizations should implement the fix immediately. CISA should also include this CVE in the DHS CISA KEV list.


Critical Realtek Vulnerability Could Potentially Affect Users

CVE-2022-27255 is a critical vulnerability found in Realtek's RTL819x system on a chip (SoC). It is reported to be a zero-click vulnerability, which means that exploitation requires no interaction from the user. There is no evidence yet of any attack in the wild using this vulnerability.

Exploiting this vulnerability, however, could grant an attacker remote access to the system and could compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.

Realtek has released a patch for this vulnerability.

CVE: CVE-2022-27255

CVSS Score: 9.8

CWE: CWE-20

Affected Product Count: 2


Threat Actor Evil PLC Attacks High-value PLC Targets

PLCs in popular operational technology (OT) networks have been attacked by a threat actor named Evil PLC. As PLCs control manufacturing processes in critical infrastructure sectors, any attack on them results in the disruption of the entire manufacturing process. PLCs also act as a bridge between the OT networks and the corporate networks, which means a complex attack could allow the attacker to gain access to an organization's internal network and hold it hostage.

Evil PLC deliberately induces a malfunction on an internet-exposed PLC, and later exploits the vulnerabilities in the software to gain control of the system.

In the past, software from Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson has been exploited. These PLC manufacturers have all released advisories for vulnerabilities in their software, recommending that users patch them immediately.

Evil PLC is actively exploiting the following vulnerabilities found in various software:

CISA adds 7 more CVEs to the KEV list

On Thursday, 18-08-2022, CISA added 7 new CVEs to the Known Exploited Vulnerabilities list. Among these are Apple’s and Google’s CVEs (discussed in this blog), Microsoft and SAP vulnerabilities. 

Given below are the details of CISA KEV latencies for the above-mentioned CVEs:

CVE              VENDOR      CISA LATENCY (days)
CVE-2022-2856    Google      1
CVE-2022-32893   Apple       1
CVE-2022-32894   Apple       1
CVE-2022-26923   Microsoft   99
CVE-2022-22536   SAP         190
CVE-2022-21971   Microsoft   171

All the CVEs have been exploited in the wild and are a target of malicious actors. From our analysis, it is clear that CISA is lagging behind in adding critical threats in the KEV list. Hence, organizations should not merely depend on the CISA KEV list to track trending threats and refer to multiple sources in order to apply critical patches at the earliest.
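The check below is an added example (not CSW's tooling) that computes the KEV latency metric used in the table above, flags listings slower than a chosen threshold, and surfaces exploited CVEs the catalog still lacks. It assumes the KEV feed's JSON field names (vulnerabilities, cveID, vendorProject, dateAdded), and the disclosure dates in the watchlist are constructed values chosen to reproduce the bulletin's figures rather than NVD publication dates.

```python
import json
from datetime import date

# Constructed excerpt of a KEV feed. Field names are assumed to follow the
# public KEV JSON feed; dateAdded is the 18-08-2022 addition date given in
# the bulletin.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-2856", "vendorProject": "Google", "dateAdded": "2022-08-18"},
    {"cveID": "CVE-2022-32893", "vendorProject": "Apple", "dateAdded": "2022-08-18"},
    {"cveID": "CVE-2022-32894", "vendorProject": "Apple", "dateAdded": "2022-08-18"},
    {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft", "dateAdded": "2022-08-18"},
    {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "dateAdded": "2022-08-18"},
    {"cveID": "CVE-2022-21971", "vendorProject": "Microsoft", "dateAdded": "2022-08-18"},
]})

# Constructed watchlist of CVEs reported exploited in the wild: CVE -> public
# disclosure date (ISO). These dates are sample values chosen to reproduce the
# bulletin's latency figures, not NVD publication dates.
WATCHLIST = {
    "CVE-2022-2856": "2022-08-17",
    "CVE-2022-32893": "2022-08-17",
    "CVE-2022-32894": "2022-08-17",
    "CVE-2022-26923": "2022-05-11",
    "CVE-2022-22536": "2022-02-09",
    "CVE-2022-21971": "2022-02-28",
    "CVE-2022-33891": "2022-07-18",  # Apache Spark; exploited but absent from the excerpt
}

def kev_report(kev_json: str, watchlist: dict, today: str) -> tuple:
    """Return (latencies, missing): days from disclosure to KEV listing for
    watchlist CVEs in the feed, and days since disclosure for those KEV lacks."""
    added = {v["cveID"]: date.fromisoformat(v["dateAdded"])
             for v in json.loads(kev_json)["vulnerabilities"]}
    latencies, missing = {}, {}
    for cve, disclosed in watchlist.items():
        anchor = added.get(cve, date.fromisoformat(today))
        delta = (anchor - date.fromisoformat(disclosed)).days
        (latencies if cve in added else missing)[cve] = delta
    return latencies, missing

def lagging(latencies: dict, max_days: int = 30) -> list:
    """CVEs whose KEV latency exceeded max_days, slowest first."""
    slow = [(d, c) for c, d in latencies.items() if d > max_days]
    return [c for d, c in sorted(slow, reverse=True)]

if __name__ == "__main__":
    lat, miss = kev_report(KEV_FEED, WATCHLIST, "2022-08-19")
    print("latency:", lat, "\nover 30 days:", lagging(lat), "\nnot in KEV:", miss)
```

Run against the live feed and a watchlist built from vendor advisories, the "missing" set is the list of patches not to wait on KEV for.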

Threats to Watch Out For

CVE-2021-0920: Exploit Targeting Android Devices

CVE-2021-0920 is a use-after-free vulnerability in Linux. This vulnerability was discovered in 2020 and can be exploited for local privilege escalation on Android devices. Linux patched it in 2021.

CVE: CVE-2021-0920

CVSS Score: 6.4

CWE: CWE-362, CWE-416

Affected Product Count: 2

CVE-2022-33891: Exploit Used to Deploy Spyware

CVE-2022-33891 is found in certain versions of Apache Spark. It could lead to arbitrary code execution by malicious actors. This vulnerability has already been exploited in the wild and is considered one of the most dangerous vulnerabilities of 2022. CVE-2022-33891 has been used to deploy spyware in these attacks. Apache recommends that Spark users upgrade to versions 3.1.3, 3.2.2, or 3.3.0 or later.

As per our Predictive VI tool, CVE-2022-33891 carries the maximum exploitability risk.

CVE: CVE-2022-33891

CVSS Score: 8.8

CWE: CWE-77

Affected Product Count: 3


Iron Tiger APT Targeting Windows, Linux, and macOS Users

The Chinese APT group Iron Tiger has been targeting Windows, Linux, and macOS users in their latest attacks using trojanized MiMi Chat app installers. These apps also contained a backdoor and could further deliver malware samples that let the attackers execute shell commands and read, write, and download files. The latest attacks targeted organizations in Taiwan and the Philippines.

Users are recommended to check the version and legitimacy of the MiMi Chat app before installing it on their devices.

As per our AI-based research, Iron Tiger is one of the most active groups, exploiting at least 17 vulnerabilities.

Check out this section to track how these threats evolve!


We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.
