CSW's Threat Intelligence - December 5, 2022 - December 9, 2022
Posted on Dec 5, 2022 | Updated on Dec 9, 2022 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
- Internet Explorer 0-day Exploited by North Korean Actor APT37 AKA ScarCruft
- Another Go-Based Botnet - Zerobot
- Agrius APT Group Utilizes a New Wiper in Supply Chain Attacks
- Telecommunications and BPO Companies Targeted in Intrusion Campaigns
Vulnerabilities to Watch Out For
- Google Patches 9th Chrome Zero-Day
- CVE-2022-23093: Critical Vulnerability in FreeBSD
- CVE-2022-20968: High-Severity CISCO IP Phone Bug
In last week’s blog, we discussed the Dolphin malware. It is now revealed that the North Korean APT group, APT37 or ScarCruft, is behind the deployment of this malware campaign. The group has been using this campaign for cyber espionage aligning with North Korean interests since 2012. Dolphin and BLUELIGHT malware have the potential to infect any phone connected to the compromised host using the Windows Portable Device API.
The latest Go language-based malware is a botnet termed as Zerobot. It has been used in campaigns exploiting multiple vulnerabilities. The botnet contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. Linux devices are targeted by this malware and the actors behind these attacks seem to be financially motivated. The malware is used to add compromised devices to a distributed denial-of-service (DDoS) botnet to launch powerful attacks against specified targets. Two versions of Zerobot have been released. The first version containing the basic functions was used before November 24, 2022. The second version is currently being used and is able to reproduce itself and infect more endpoints with different protocols or vulnerabilities.
Agrius is an attack group that is targeting Israeli organizations to steal sensitive data. They have been using a wiper known as Fantasy, since February 2022, in their attack campaign. A wiper malware infects and deletes all the data and programs on the compromised device. Agriius uses webshells to tunnel traffic into the network in order to leverage compromised credentials to move laterally using Remote Desktop Protocol. Along with Fantasy, a secondary malware known as Deadwood (also known as, Detbosit) is also used by the group. Deadwood may be linked to an Iranian threat group.
After initial access, and infection, Agrius deploys fake ransomware to mask their espionage activities and pretends to be financially motivated. The encrypted data cannot be retrieved even after ransom is paid as the wiper malware deletes everything.
CVE-2018-13379 is a FortiOS vulnerability that has been targeted in Agrius’ attacks. In July 2021 too, Agrius went after old Fortinet vulnerabilities. Here’s a blog where you can read more about the attacks.
A new threat actor group known as Scattered Spider is targeting telecommunication and BPO organizations in financially-motivated intrusion campaigns. They gain access to the victims’ mobile carrier networks using social engineering tactics. Once inside, the group re-enables disabled accounts and uses that to deploy malware and perform other malicious activities. The group also used VPN access and/or multiple RMM tools for persistence. In two of their attacks, they attempted to leverage access to mobile carrier networks from a Telco or BPO environment, and swapped SIMs. In another attack, CVE-2021-35464 (an exploit in ForgeRock OpenAM application server) was used to gain initial access.
CWE ID: CWE-502
Exploit Type: RCE,WebApp,Other
Affected Product Count: 2
Vulnerabilities to Watch Out For
A heap buffer overflow bug in GPU was already exploited in the wild before Google took notice of it. Within two weeks of urgently fixing CVE-2022-4135, Google patched the next vulnerability, CVE-2022-4262. It’s the 9th zero-day vulnerability in Chrome this year. The vulnerability can be exploited to remotely execute code and crash the browser as well. Chrome’s latest security advisory contains mitigation and patch for the vulnerability.
CWE ID: CWE-843
Exploit Type: Other
Affected Product Count: 1
On 5th December, 2022, CISA added CVE-2022-4262 to the KEV catalog, with the patching deadline on December 26, 2022.
CVE-2022-23093 is a stack-based buffer overflow bug in the ping service of FreeBSD systems. It can be remotely triggered causing the ping program to crash and potentially lead to remote code execution in ping. If the attacker has enough privileges, this exploit can even allow complete takeover of the FreeBSD system.
FreeBSD released a security advisory with instructions on how to tackle the problem.
This vulnerability is caused by insufficient input validation of received Cisco Discovery Protocol packets. An unauthenticated adjacent attacker can exploit it to trigger a stack overflow resulting in Denial-of-Service attacks. The vulnerability can also be exploited for remote code execution.
CVE-2022-20968 is found in Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.
A proof of concept for this exploit is publicly available. CISCO does not have a patch for CVE-2022-20968. However, there are steps for mitigation.
Check out this section to track how this threat evolves!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!