CSW's Threat Intelligence - December 12, 2022 - December 16, 2022
Posted on Dec 12, 2022 | Updated on Dec 16, 2022 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by Sandeep Challa!
- Apple Fixes New Webkit Zero-Day Used in Attacks against iPhones
- Clop Ransomware Uses TrueBot Malware Variant to Access Networks
- CISA Adds 5 New CVEs to the KEV Catalog
- Multiple 0-Day Vulnerabilities in Leading EDR and AV Solutions Exploited to Create Data Wipers
- Drokbk Malware Uses GitHub as Dead Drop Resolver
- New Python Backdoor Targeting VMware ESXi Servers
- Cloud Atlas goes after Russia and Belarus in the Cyber War
- Microsoft December 2022 Patch Tuesday: 2 zero-days Fixed, 49 Flaws Enumerated
- BlackCat and LockBit 3.0 Target Healthcare Sector
- New Spear Phishing Campaign Targeting Japanese Politicians
Vulnerabilities to Watch Out For
- CVE-2022-21225: RCE Vulnerability in Intel DCM
- CVE-2022-42475: Critical Vulnerability in FortiOS
- CVE-2022-27518: Citrix Zero-Day Vulnerability Exploited by APT5
Apple has fixed its tenth zero-day vulnerability, CVE-2022-42856, a type confusion issue in Apple’s Webkit web browser engine, which has been actively used in attacks against iPhones.
A successful exploitation can allow maliciously crafted web content to perform arbitrary code execution on a vulnerable device, which in turn could allow the malicious site to execute commands in the operating system, deploy additional malware or spyware, and perform other malicious activities.
Disclosed in a security bulletin released on December 13, it appears the vulnerability affects iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1, with a high possibility that previous versions may also have been actively exploited.
We therefore urge customers to patch their iPhones, iPads and macOS as soon as possible.
CISA added this CVE to the KEV catalog on Dec 14, 2022, with a patch due date of Jan 4, 2023.
The Silence threat actor group is infecting devices with a new variant of the TrueBot malware downloader. This was done by exploiting a critical vulnerability in Netwrix Auditor servers tracked as CVE-2022-31199. The group is also using a new custom data exfiltration tool called Teleport. It can steal files from OneDrive folders, collect the victim’s Outlook emails, or target specific file extensions. The attackers deployed Grace malware and Clop ransomware to steal data from and encrypt the victims’ systems. In most of the attacks, Windows servers exposing SMB, RDP, and WinRM services on the public internet were targeted. US organizations accounted for 75% of the infected victims, while entities from Mexico, Brazil, and Pakistan accounted for the rest.
CWE ID: CWE-502
APT Group: Silence
Affected Product Count: 1
There is no official patch for CVE-2022-31199 yet.
CVE-2022-42475 is a heap-based buffer overflow vulnerability (CWE-122) in FortiOS SSL-VPN. The vulnerability may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
We warned our users about this vulnerability in last week’s threat intelligence blog.
CVE-2022-44698 is a security feature bypass vulnerability in Windows SmartScreen, a feature built into Windows that works with its Mark of the Web (MOTW) functionality, which flags files downloaded from the internet. SmartScreen also performs a reputation check, depending on how MOTW has flagged the file.
Microsoft confirmed that the vulnerability has been exploited in the wild. It can be exploited through malicious websites, and through malicious attachments delivered over email or messaging services. However, the attacker needs the potential victim to visit the malicious website or open the malicious attachment in order to bypass SmartScreen.
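The MOTW that SmartScreen relies on is stored in an NTFS alternate data stream named Zone.Identifier. The following parser is an added example (not code from the original post) that reads such a stream and reports whether the file still carries a mark that will make SmartScreen run its reputation check; this is a useful check when verifying that a downloaded file or an archive extraction tool has not silently dropped the mark. The sample stream contents are constructed inline; on a Windows host the stream itself would be read with `open(r"C:\path\file.exe:Zone.Identifier")`.

```python
"""Parse the NTFS Zone.Identifier stream that carries the Mark of the Web.

Added example, not from the original post. The stream contents below are
constructed; on Windows they would be read from "<file>:Zone.Identifier".
"""
from dataclasses import dataclass
from typing import Optional

# URLZONE values used by Windows; 3 (Internet) is the zone that makes
# SmartScreen perform a reputation check on the file.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def triggers_smartscreen(self) -> bool:
        # Windows treats the Internet and Restricted sites zones as untrusted
        # origins, which is what SmartScreen's reputation check keys on.
        return self.zone_id in (3, 4)


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Return the MOTW carried by a Zone.Identifier stream.

    Returns None when the stream is empty/missing or has no [ZoneTransfer]
    section with a numeric ZoneId, i.e. when no usable mark is present.
    """
    if not stream or not stream.strip():
        return None
    section = None
    values = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or INI-style comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue  # only keys under [ZoneTransfer] matter
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if "zoneid" not in values:
        return None
    try:
        zone_id = int(values["zoneid"])
    except ValueError:
        return None
    return MarkOfTheWeb(zone_id, values.get("referrerurl"), values.get("hosturl"))


def classify(stream: Optional[str]) -> str:
    """Defender-side summary of what SmartScreen will do with this file."""
    motw = parse_zone_identifier(stream or "")
    if motw is None:
        return "no MOTW: SmartScreen reputation check will not run"
    if motw.triggers_smartscreen:
        return f"MOTW present ({motw.zone_name}): SmartScreen check applies"
    return f"MOTW present ({motw.zone_name}): treated as trusted"


# Constructed sample streams (not taken from real files).
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://downloads.example.test/report.exe\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
SAMPLE_STRIPPED = ""  # what a tool that drops the stream leaves behind

if __name__ == "__main__":
    for name, s in [("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET), ("stripped", SAMPLE_STRIPPED)]:
        print(f"{name}: {classify(s)}")
```

A file that arrives with an empty or missing stream is the case to watch for: SmartScreen never sees it as "from the internet", which is exactly the outcome a MOTW bypass produces.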
CVE-2022-27518 is a critical remote code execution zero-day vulnerability discovered in Citrix Application Delivery Controller (ADC) and Gateway products. It impacts the products mentioned only when configured as a Security Assertion Markup Language (SAML) service provider (SP) or a SAML identity provider (IdP). Targeted attacks by APT5 have been observed in the wild, making it critical for customers to patch this vulnerability. The vulnerability allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take control over them.
The vulnerability impacts the following versions of Citrix ADC and Citrix Gateway:
Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
Citrix ADC 12.1-FIPS before 12.1-55.291
Citrix ADC 12.1-NDcPP before 12.1-55.291
We urge all Citrix ADC and Gateway customers to patch this vulnerability immediately.
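To turn the affected-version list above into something an inventory can be checked against, here is an added example (not from the original post or from Citrix) that parses Citrix ADC/Gateway version strings, compares the build against the fixed build for its release family, and folds in the SAML caveat from the advisory. The fixed builds are the ones quoted above; the accepted version formats ("13.0-58.31" and the "NSxx.y: Build a.b.nc" form printed by `show version`) and the sample inventory are assumptions for the example.

```python
"""Triage Citrix ADC / Gateway hosts against the CVE-2022-27518 ranges.

Added example, not code from the original post or from Citrix. The fixed
builds come from the affected-version list in the post; the version-string
formats accepted and the inventory below are assumptions for illustration.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# First fixed build per (release family, flavor), from the post's list.
# Anything below these is affected; builds at or above are fixed.
FIXED_BUILDS = {
    ("13.0", "standard"): (58, 32),
    ("12.1", "standard"): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Accepts "13.0-58.31" as well as "NetScaler NS13.0: Build 58.31.nc".
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<rel>\d+\.\d+)(?:-|:\s*Build\s+)(?P<major>\d+)\.(?P<minor>\d+)",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release family, (build major, build minor)) or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group("rel"), (int(m.group("major")), int(m.group("minor")))


def is_affected(text: str, flavor: str = "standard") -> Optional[bool]:
    """True if the build is before the fixed build for its family, False if
    at or after it, None if the string does not parse or the family/flavor
    is not one the post lists (so it cannot be judged from this table)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    rel, build = parsed
    fixed = FIXED_BUILDS.get((rel, flavor))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (55, 290) < (55, 291)


def triage(inventory: Iterable[Tuple[str, str, str, bool]]) -> Dict[str, str]:
    """inventory rows: (host, version text, flavor, SAML SP/IdP configured).

    The vulnerability only applies when the appliance acts as a SAML SP or
    IdP, but a vulnerable build should still be patched before SAML is
    ever enabled, so both cases are reported as needing action."""
    report = {}
    for host, version_text, flavor, saml in inventory:
        affected = is_affected(version_text, flavor)
        if affected is None:
            status = "unknown: version not parsed or not in listed ranges"
        elif affected and saml:
            status = "EXPOSED: vulnerable build and SAML SP/IdP configured, patch now"
        elif affected:
            status = "vulnerable build, SAML not configured, patch before enabling SAML"
        else:
            status = "fixed build"
        report[host] = status
    return report


# Constructed inventory; hostnames and the 13.1 build number are made up.
SAMPLE_INVENTORY = [
    ("adc-edge-01", "NetScaler NS13.0: Build 58.31.nc", "standard", True),
    ("adc-edge-02", "13.0-58.32", "standard", True),
    ("gw-legacy-01", "12.1-65.21", "standard", False),
    ("adc-fips-01", "NetScaler NS12.1: Build 55.290.nc", "FIPS", True),
    ("adc-new-01", "13.1-99.99", "standard", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Note that a release family missing from the table is reported as unknown rather than as safe; the post's list covers only the 13.0 and 12.1 lines, so other lines have to be checked against the vendor advisory.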
CVE-2022-26500 and CVE-2022-26501 are improper limitation of a pathname to a restricted directory (CWE-22) vulnerabilities affecting Veeam Backup and Replication versions 9.5U3, 9.5U4, 10.x, and 11.x. The vulnerabilities give remote authenticated users access to internal API functions, which in turn can allow unauthenticated attackers to remotely upload and execute arbitrary code.
Veeam Software has also patched the two critical vulnerabilities.
We warned our users about this vulnerability in our threat intelligence blog in October 2022.
Endpoint Detection and Response (EDR) and Anti-Virus (AV) software can be manipulated to act as wipers. Wipers erase the data files on a system with no possibility of recovery. What’s worse is that threat actors using these wipers need not have any user privileges to carry out this activity. The threat actor can create a special path with the malicious file and stop the EDR or AV from deleting it until the system is rebooted. Once the system is forced to reboot, the EDR or AV wipes all the files, treating them all as malicious. Some of the popular security solutions that can be manipulated to create wipers are Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus. The wiper tool is named Aikido Wiper after the security researcher who came up with it. It is completely undetectable. The vulnerable vendors have been notified and have released fixes for this issue. The vulnerability IDs assigned by the vendors for this issue are CVE-2022-37971 (Microsoft), CVE-2022-45797 (Trend Micro), and CVE-2022-4173 (Avast and AVG).
Cluster B is a sub-group of the Iranian APT group Cobalt Mirage. Since February 2022, this group has been observed using Drokbk, a dropper and payload written in .NET. It can execute additional commands or code from the command and control (C2) server. The group uses GitHub as a "dead-drop resolver", meaning that content the group hosts on GitHub embeds the malicious domains or IP addresses that the malware uses. Thus far, the group has targeted entities in the US and Israel by exploiting the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046) to gain initial access. CISA has warned all federal organizations to patch the Log4j vulnerabilities.
VMware ESXi servers can be exploited using a new Python backdoor. The unnamed malware can also be used on Linux and Unix systems. Initial access to the ESXi servers is gained via the CVE-2019-5544 and CVE-2020-3992 vulnerabilities. A malicious script that launches a web server is then run, which bypasses the firewall and provides remote code execution.
The malicious Python script is saved as "/store/packages/vmtools.py", in a directory that stores VM disk images, logs, and more.
CVE-2019-5544 and CVE-2020-3992 were also exploited by the RansomEXX gang to attack Bombardier Recreational Products (BRP).
Cloud Atlas, a cyber espionage group, has been attacking entities in Russia and Belarus recently. The group uses spear phishing emails with malicious files to infect victims with malware. The files are usually RTF documents with remote templates that exploit five-year-old vulnerabilities in Microsoft Equation Editor, such as CVE-2017-11882 and CVE-2018-0802. The group then uses a PowerShell-based backdoor called PowerShower to execute code remotely.
Microsoft released their December 2022 Patch Tuesday list of security flaws, which comes with fixes for two zero-day vulnerabilities, CVE-2022-44698 and CVE-2022-44710. The Windows SmartScreen Security Feature Bypass Vulnerability, CVE-2022-44698, was also added to the CISA KEV catalog on December 13.
Of the 49 vulnerabilities fixed by Microsoft, six are classified as ‘Critical’ since they all allow remote code execution.
Some of the other notable vulnerabilities that CSW experts would like to call out are:
CVE-2022-44671, CVE-2022-41121, CVE-2022-41076, CVE-2022-44704, CVE-2022-44683, CVE-2022-44675, CVE-2022-44673, CVE-2022-37967, CVE-2022-41079, CVE-2022-44710, CVE-2022-44713, CVE-2022-44690, CVE-2022-44693, CVE-2022-37958.
Healthcare organizations around the world continue to fall victim to ransomware attacks. In recent campaigns, the BlackCat and LockBit 3.0 ransomware groups in particular have developed tactics to attack the healthcare sector. The Department of Health and Human Services Cybersecurity Coordination Center issued warnings against these groups on Dec 12, 2022.
BlackCat has a highly adaptable malware that can be configured with domain credentials to distribute the ransomware payload, while terminating processes and Windows services that are meant to protect against encryption.
After adopting the triple extortion method, LockBit 3.0 has launched multiple attacks on the healthcare industry. New tactics include purchasing access to networks, phishing, brute-forcing Remote Desktop Protocol (RDP) accounts, and exploiting known vulnerabilities.
Healthcare organizations need to have a solid action plan when it comes to defending themselves against such attacks.
In June 2022, a Chinese APT group known as MirrorFace launched a spear phishing attack on politicians in the Japanese House of Councillors election. In these attacks, they used a new credential stealer malware known as MirrorStealer. Malicious emails containing the LODEINFO backdoor were sent to the targets. The backdoor was used to deliver additional malware, exfiltrate the victim’s credentials, and steal the victim’s documents and emails. MirrorFace is a cyber-espionage group with a special interest in Japanese entities. They have favored exploiting the CVE-2017-0143, CVE-2017-8759, and CVE-2020-1472 vulnerabilities in the past.
Vulnerabilities to Watch Out For
In Intel’s DCM console, a low-privileged user can exploit the SQL injection to escalate privileges and remotely execute code. However, at least one server must be configured in the console for an attacker to perform this exploit. The vulnerability is assigned CVE-2022-21225. Intel has already patched this vulnerability and released a security advisory.
This is a zero-day vulnerability that is already exploited in the wild. It is present in Fortinet's SSL-VPN and is caused by a heap-based buffer overflow flaw. Exploitation of this vulnerability even by an unauthenticated attacker can lead to remote code execution.
Fortinet released an emergency patch to fix this flaw.
This is a zero-day vulnerability affecting Citrix Application Delivery Controller (ADC) and Gateway products that is already exploited in the wild by a Chinese threat actor tagged as APT5 (also known as UNC2630).
Since there are no workarounds for this vulnerability, the only way to defend against this vulnerability is by installing the updates. The NSA’s advisory on APT5 activity mentions that APT5 has been modifying legitimate binaries after exploitation in order to maintain persistence.
On December 13, 2022, the Department of Homeland Security CISA added CVE-2022-27518 to the CISA KEV catalog, urging users to take action as soon as possible.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!