CSW's Threat Intelligence - February 6, 2022 - February 10, 2022
Posted on Feb 6, 2023 | Updated on Feb 10, 2023 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
- VMware ESXi Servers are Under Attack from Ransomware Groups
- White Elephant APT Group Actively Exploits CVE-2017-11882
- Clop Ransomware Uses Flawed Encryption Logic in New Linux Variant
- Enigma Stealer Targets Victims in Europe with Fake Jobs
- Healthcare and Critical Infrastructure Sectors Under Attack From Korean Actors
Vulnerabilities to Watch Out For
- GoAnywhere MFT Zero-day Vulnerability
- CVE-2023-22501: Jira Service Management Authentication Vulnerability
- CVE-2023-21608: Adobe Acrobat Reader Vulnerability
- CVE-2023-25136: OpenSSH Pre-Authentication Vulnerability
VMware ESXi Servers are Under Attack from Ransomware Groups
The Royal Ransomware group and the new ESXiArgs ransomware group have launched massive campaigns targeting VMware ESXi servers worldwide. CVE-2021-21974, in VMware products is exploited to gain access to the servers. This vulnerability is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks. ESXi server versions before 7.0 U3i are primarily targeted through the OpenSLP port (427). The attackers seem to have used the Sosemanuk algorithm to encrypt files, which may have been derived from the Babuk (ESXi variant) source code.
The vulnerability, CVE-2021-21974 has already been patched and users should ensure that it is applied to their VMware servers immediately.
Our predictive analysis platform has estimated this vulnerability as a very critical threat two years ago.
White Elephant APT Group Actively Exploits CVE-2017-11882
CVE-2017-11882 is a Microsoft Office Memory Corruption vulnerability that has been widely exploited by more than 5 ransomware groups and 20+ APT groups. One of the APT groups is the suspected Indian threat actor group, White Elephant, AKA Hangover, Patchwork, Mahacao, etc. The group targets entities in China, Pakistan, Israel and other countries and uses harpoon attacks, supplemented by a small number of watering hole attacks to carry out cyber espionage activities. CVE-2017-11882 is used for Trojan horse implantation wherein a shellcode is deployed first to release the second-order sample. Using the malware sample, victims’ data is exfiltrated and accessed by the attacker.
This vulnerability was patched by Microsoft and it is important that users patch this vulnerability immediately.
Within a month of this CVE being published, our ML & AI based Predictive Analysis platform gave it the maximum rating for exploitability.
Clop Ransomware Uses Flawed Encryption Logic in New Linux Variant
A new variant of the Clop ransomware was recently used in a few of the group’s attacks. This variant is used on Linux devices. However, the encryption algorithm that the group used in this variant is flawed and allows the victims to decrypt locked files without paying a ransom. The ELF variant of Clop ransomware was used from late December 2022 and it doesn’t use a hashing algorithm, such as the Windows variant, in order to avoid encrypting specific folders and files. Researchers found that the ransomware-encryption logic contained a hardcoded RC4 “master-key” which allowed the victim to decrypt Cl0p-ELF encrypted files.
The Clop ransomware group exploits the following CVEs for initial access: CVE-2019-19781, CVE-2020-1472, CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, and CVE-2021-35211.
Enigma Stealer Targets Victims in Europe with Fake Jobs
Suspected Russian threat actors have been targeting Eastern Europeans with fake cryptocurrency jobs. They have been using a modified version of the Stealerium information stealer named Enigma stealer. This stealer is an open source C++ project that is used as a stealer, clipper, and keylogger with logging capabilities using the Telegram API. The fake employment campaign sends highly obfuscated and under-development custom loaders which then infect the victims with the Enigma stealer malware. The stealer uses two servers - one for delivering payloads, sending commands, and receiving the payload heartbeat. The other for DevOps and logging purposes.
Apart from this, the Russian threat actors also exploit CVE-2015-2291, an Intel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.
Healthcare and Critical Infrastructure Sectors Under Attack From Korean Actors
The Cybersecurity Advisory has published a warning against various ransomware actors in the Democratic People’s Republic of Korea (DPRK). There is an ongoing campaign targeting the Healthcare and Public Health Sector organizations and other critical infrastructure sector entities in the United States and South Korea. The Maui and H0lyGh0st ransomware families are the primary threat actors working against these entities. For ransom payments, they receive cryptocurrency. CVE 2021-44228, CVE-2021-20038, and CVE-2022-24990 are exploited in these attacks.
Vulnerabilities to Watch Out For
GoAnywhere MFT Zero-day Vulnerability
GoAnywhere MFT file transfer solution has reported a CVE-unassigned zero-day vulnerability which could grant access to their administrator consoles if exploited. It is a remote code execution vulnerability. There may be more than a 1000 administrative ports exposed to the public internet. An attacker should however have administrative console access for successful exploitation.
Forta has published an advisory for this vulnerability.
CVE-2023-22501: Jira Service Management Authentication Vulnerability
This authentication vulnerability allows an attacker to impersonate another user and gain access to a Jira Service Management instance when exploited. However, to carry this out, the attacker should have write access to a User Directory and outgoing email enabled on a Jira Service Management instance. CVE-2023-22501 has a CVSS score of 9.4 making it critical.
Atlassian has released a security advisory for this vulnerability.
CVE-2023-21608: Adobe Acrobat Reader Vulnerability
CVE-2023-21608 is a remote code execution vulnerability in the Adobe Acrobat Reader DC. A proof of concept for this exploit has been released. Users should take note of this vulnerability and patch it according to the advisory.
CVE-2023-25136: OpenSSH Pre-Authentication Vulnerability
This vulnerability is caused by a boundary error within the sshd(8) daemon. An unauthenticated attacker can send specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system by exploiting the vulnerability. OpenSSH has fixed this flaw in OpenSSH 9.2.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!