Cyberwar Bulletin: Iran and Albania

CSW's Threat Intelligence - August 22, 2022 - August 26, 2022

Posted on Aug 22, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Critical Threats

Quantum Ransomware Attack on Dominican Republic Government Agency

RansomEXX Ransomware Attack on Bombardier Recreational Products

TA558 Targeting Travel and Hospitality Sectors

CISA adds CVE-2022-0028 to the KEV

Royal Road Weaponizer Used by South-Asian APT Groups

HikVision Cameras Exposed Online

8-Year-Old Linux Kernel Vulnerability Uncovered

CISA Adds 10 More Vulnerabilities to the KEV

Threats to Watch Out For

CVE-2022-2587: ChromeOS remote memory corruption vulnerability

Useless Path Traversals in Zyxel Admin Interface

CVE-2022-36804 - Command Injection Vulnerability

Users Need to Patch Critical GitLab Vulnerability

 

Trending Critical Threats

 

Quantum Ransomware Attack on Dominican Republic Government Agency

 

The Instituto Agrario Dominicano (Ministry of Agriculture) in the Dominican Republic suffered an attack by a threat actor using Quantum ransomware. Four physical servers and eight virtual servers were held to ransom for more than 600 thousand dollars. The attack occurred on August 18, 2022, and the threat actors claimed to have stolen over 1TB of data.

Quantum ransomware is believed to be a derivative of the Conti ransomware, which has now shut down all its operations. Quantum has been active since August 2021 and appends the .quantum extension to the names of encrypted files. It has also been linked to an attack on PFC that impacted over 650 healthcare organizations.

 

CVE-2018-6882 and CVE-2017-8570 are the CVEs exploited by Quantum ransomware.

CVE-2017-8570, a Microsoft RCE vulnerability, is also targeted by the TA558 APT group.

 

RansomEXX Ransomware Attack on Bombardier Recreational Products

Canadian motor vehicle manufacturer Bombardier Recreational Products (BRP) had to halt its operations following a cyber attack by the RansomEXX gang. The initial point of entry is believed to be a third-party service provider used by BRP. Through it, the attackers stole employee information and sensitive company documentation such as non-disclosure agreements, passports and IDs, material supply agreements, contract renewals, and more.

 

The RansomEXX gang alleged that 29.9GB worth of files were stolen in the attack and has published some of the stolen data on its leak site. The gang has maintained a low profile in 2022 but has ransomed high-end organizations in the past.

CVE-2019-5544 and CVE-2020-3992 are the two CVEs favored by the RansomEXX gang.

 

TA558 Targeting Travel and Hospitality Sectors


Operational since the pandemic, threat group TA558 has been targeting European, Latin American, and North American organizations. The group employs a variety of tools, including Loda RAT, Vjw0rm, and Revenge RAT, to ransom organizations and extort money from them. Its latest targets are small and medium travel organizers and hospitality providers in Latin America.

In 2022, TA558 conducted at least 22 campaigns in which it deployed Loda RAT, Revenge RAT, and AsyncRAT on target systems.

TA558's methods allow the group to steal data, including hotel customer user data and credit card data, to move laterally, and to deliver follow-on payloads. The languages most used in its attacks are Portuguese and Spanish, with English used less often.
 

CVEs Most Exploited by TA558

CVE ID | Vulnerability Description | Patch Details
CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
CVE-2017-8570 | Microsoft Office Remote Code Execution Vulnerability | https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2017-8570

 

Travel organizations in Latin America and Europe are advised to be on the lookout for TA558’s attacks.

 

CISA adds CVE-2022-0028 to the KEV


The actively exploited PAN-OS vulnerability was added to the CISA KEV list on August 22, 2022.

CVE-2022-0028 is caused by a misconfiguration in the URL filtering policy of Palo Alto Networks PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls. It could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (DoS) attacks.

 

There is a patch available for this vulnerability.

 

We had warned of this vulnerability in our Cyber Threat Intelligence blog for Aug 08 - Aug 12, 2022. CISA added the CVE to the Known Exploited Vulnerabilities list after a 10-day latency.

 

Royal Road Weaponizer Used by South-Asian APT Groups

A new phishing weaponizer named Royal Road is being used by several Asia-based APT threat actors. Royal Road allows the creation of RTF files with embedded objects that can be used to exploit vulnerabilities in Microsoft Word to infect targets. Once the malware is in the target system, the attacker can control the victim's machine and collect sensitive information.

 

CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798 are the three Microsoft vulnerabilities most targeted by these APT groups.

 

The Asian threat actors are believed to have been active since mid-2016 and may have been part of Operation NightScout in 2021. They are also suspected of having the Chinoxy and PivNoxy puppeteer tools in their arsenal.

 

HikVision Cameras Exposed Online

A security flaw in HikVision cameras allows attackers to bypass the protected shell, which restricts the owner's use of the system to a specific set of commands. HikVision released a patch for it in September 2021. However, it has now come to light that over 2,300 organizations across 100 countries have still not applied the security update.

The vulnerability, tracked as CVE-2021-36260, has already been exploited multiple times. In January 2022, CISA warned that it was among the most actively exploited bugs.


CSW experts strongly recommend that all organizations using HikVision should apply the security update immediately to avoid serious damage.

 

8-Year-Old Linux Kernel Vulnerability Uncovered

Security researchers have discovered an eight-year-old vulnerability in the Linux kernel that swaps unprivileged kernel credentials with privileged ones to escalate privileges. The vulnerability, CVE-2022-2588, dubbed DirtyCred, is capable of bypassing all kernel protections. It is similar to the DirtyPipe vulnerability (CVE-2022-0847) but more powerful, as it can actively escape a container, something DirtyPipe was not capable of.

There is no patch for this vulnerability as of August 24, 2022.

 

CISA Adds 10 More Vulnerabilities to the KEV

On August 25, 2022, CISA added 10 more vulnerabilities to the KEV list, four of which are rated critical. The details of the CVEs are given below:

 

CVE | Vendor | Product | CVSS Score | CVSS Severity
CVE-2021-39226 | Grafana Labs | Grafana | 5.82 | Medium
CVE-2020-28949 | PEAR | Archive_Tar | 7.6 | High
CVE-2022-24706 | Apache | CouchDB | 9.29 | Critical
CVE-2021-31010 | Apple | iOS, macOS, watchOS | 6.01 | Medium
CVE-2022-22963 | VMware Tanzu | Spring Cloud | 9.29 | Critical
CVE-2022-24112 | Apache | APISIX | 9.29 | Critical
CVE-2022-2294 | WebRTC | WebRTC | 6.53 | Medium
CVE-2021-38406 | Delta Electronics | DOPSoft 2 | 5.59 | Medium
CVE-2020-36193 | PEAR | Archive_Tar | 6.15 | Medium
CVE-2022-26352 | dotCMS | dotCMS | 9.96 | Critical
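The bulletin repeatedly notes when CISA lists a CVE in the KEV and how long after a first warning that listing arrives. The script below is an added illustration of how a defender can turn that into a triage step: it parses a document in the layout of the public KEV JSON feed (the real feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the same field names), cross-checks it against an asset inventory, computes the latency between the inventory's first sighting and the KEV listing, and orders findings for remediation. This is not CSW's platform code or CISA tooling. The CVE ids, vendors, products and dateAdded values are taken from this bulletin; the inventory, the dueDate values and the "today" date are constructed for the example.

```python
"""Cross-check an asset inventory against a KEV-format feed and order findings.

Added example. KEV_SAMPLE_JSON mimics the public CISA KEV JSON layout; its
dueDate values and the INVENTORY below are constructed for illustration.
"""
import json
from datetime import date

# Constructed sample feed in the KEV JSON layout (CVE ids and dateAdded from the bulletin;
# dueDate values are made up here).
KEV_SAMPLE_JSON = json.dumps({
    "title": "Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "dateReleased": "2022-08-25T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2022-0028", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2022-08-22", "dueDate": "2022-09-12"},
        {"cveID": "CVE-2022-24706", "vendorProject": "Apache",
         "product": "CouchDB", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
        {"cveID": "CVE-2022-26352", "vendorProject": "dotCMS",
         "product": "dotCMS", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
        {"cveID": "CVE-2021-39226", "vendorProject": "Grafana Labs",
         "product": "Grafana", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    ],
})

# Constructed inventory: CVE -> (asset name, ISO date our own scanning first flagged it).
# CVE-2022-0028 first flagged on the last day of the Aug 08 - Aug 12 warning window.
INVENTORY = {
    "CVE-2022-0028": ("fw-edge-01", "2022-08-12"),
    "CVE-2022-24706": ("couchdb-prod", "2022-08-20"),
    "CVE-2022-2884": ("gitlab-ci", "2022-08-23"),   # GitLab RCE from the bulletin; not in sample feed
    "CVE-2021-39226": ("grafana-ops", "2022-07-01"),
}

# CVSS scores as printed in the bulletin (the KEV feed itself carries no score).
CVSS = {"CVE-2022-24706": 9.29, "CVE-2022-26352": 9.96,
        "CVE-2021-39226": 5.82, "CVE-2022-2884": 9.9}


def load_kev(text):
    """Parse a KEV-format JSON document into a {cveID: record} map."""
    catalog = json.loads(text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def kev_latency_days(first_seen, date_added):
    """Days between our first sighting and the KEV listing (negative if KEV listed it first)."""
    return (date.fromisoformat(date_added) - date.fromisoformat(first_seen)).days


def prioritize(inventory, kev, cvss, today_iso):
    """Order findings: KEV-listed first (overdue ones before the rest), then by CVSS descending."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve, (asset, first_seen) in inventory.items():
        rec = kev.get(cve)
        in_kev = rec is not None
        overdue = in_kev and date.fromisoformat(rec["dueDate"]) < today
        latency = kev_latency_days(first_seen, rec["dateAdded"]) if in_kev else None
        rows.append({"cve": cve, "asset": asset, "in_kev": in_kev, "overdue": overdue,
                     "kev_latency_days": latency, "cvss": cvss.get(cve)})
    # False sorts before True, so KEV-listed and overdue entries float to the top.
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"], -(r["cvss"] or 0.0)))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_SAMPLE_JSON), CVSS, "2022-09-14"):
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["in_kev"] else "-")
        print(f"{flag:8}{r['cve']:16}{r['asset']:14}cvss={r['cvss']}  "
              f"latency={r['kev_latency_days']}")
```

A CVE that is not (yet) in the KEV still carries its CVSS score into the ordering, so a 9.9 RCE such as the GitLab entry is not buried below listed medium-severity items; the latency column makes visible how long an organization that waits for the KEV would have left a known-exploited flaw unaddressed.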

 

Threats to Watch Out For

 

CVE-2022-2587: ChromeOS remote memory corruption vulnerability

CVE-2022-2587 is a memory corruption vulnerability in ChromeOS that can be used to cause a denial of service (DoS) or, in extreme cases, achieve remote code execution (RCE). It was discovered in April 2022 and has a CVSS score of 9.8. Chrome released a patch for this vulnerability in June.

All ChromeOS users are advised to apply this patch immediately.

 

Useless Path Traversals in Zyxel Admin Interface

Zyxel's device management web interface contains a vulnerability, CVE-2022-2030, that can grant an attacker read access to all files on the file system. It is caused by improper limitation of a pathname to a restricted directory ('Path Traversal').

A patch is available for this CVE.
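The weakness named above (improper limitation of a pathname to a restricted directory) is what a file-serving handler gets wrong when it joins a user-supplied path onto a document root without checking where the result lands. The snippet below is an added, generic illustration of that defect beside its hardened form; it is not Zyxel's code and says nothing about how CVE-2022-2030 itself is triggered. The document root `/var/www/admin` is an assumed value, and posixpath is used so the check behaves the same on any platform.

```python
"""Path containment: the buggy join-and-serve pattern beside a checked version.

Added example; WEB_ROOT is an assumed document root, not a real product path.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/admin"  # assumed document root for the illustration


def naive_path(root, requested):
    """The defective pattern: normalise after joining and serve whatever results.

    '..' segments walk out of root, and an absolute request makes join() discard
    root entirely, so both resolve to locations outside the intended directory.
    """
    return posixpath.normpath(posixpath.join(root, requested))


def contained_path(root, requested):
    """Hardened variant: decode, normalise, then verify the result stays under root."""
    # Decode percent-encoding first so an encoded '..' is checked in its real form.
    decoded = unquote(requested)
    # Drop any leading separator so an absolute request cannot replace the root.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # The only acceptable common prefix of root and candidate is root itself.
    if posixpath.commonpath([root, candidate]) != root:
        raise PermissionError(f"request escapes document root: {requested!r}")
    return candidate


def is_contained(root, requested):
    """Boolean form of the same check, convenient for filtering or testing."""
    try:
        contained_path(root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed requests: one benign, the rest attempting to leave the root.
    for req in ["css/site.css", "../../../etc/passwd", "/etc/passwd", "css/..%2F..%2Fsecret"]:
        print(f"{req!r:28} naive -> {naive_path(WEB_ROOT, req):28} "
              f"contained? {is_contained(WEB_ROOT, req)}")
```

The decisive difference is the order of operations: the hardened version decodes and normalises before comparing, and compares against the root as a path prefix rather than a string prefix (so `/var/www/admin-old` would not pass as being under `/var/www/admin`). On a real server the check should run on the resolved path after symlinks are followed as well, which posixpath alone cannot do.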

 

CVE-2022-36804 - Command Injection Vulnerability

CVE-2022-36804 is a command injection vulnerability in Bitbucket Server and Bitbucket Data Center (Atlassian Confluence servers). If exploited, it could allow an attacker who has access to a public repository, or read permission on a private Bitbucket repository, to execute arbitrary code by sending a malicious HTTP request.

A patch is available for this CVE.

 

Users Need to Patch Critical GitLab Vulnerability

CVE-2022-2884 is a critical vulnerability in GitLab that users should take note of and fix at the earliest. It is a remote code execution vulnerability rated 9.9 on the CVSS scale. GitLab has fixed this vulnerability in its latest security update.

 

 

Check out this section to track how these threats evolve!

 

We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

 

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.


Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!
