Ransomware Q2 & Q3 Report is live now!

CSW's Weekly Threat Intelligence - July 11, 2022 - July 15, 2022

Posted on Jul 13, 2022 | By Supriya Aluri

CSW’s weekly threat intelligence edition brings to you early warnings about critical vulnerabilities that are already weaponized or could potentially be weaponized and prove dangerous to your organization and its assets.

 

Why play catch-up when you can proactively patch these vulnerabilities now?

 

Check out our Threat Intelligence Podcast featuring Top Three Threats of the Week!

 

Microsoft fixes the actively exploited Windows CSRSS Elevation of Privilege zero-day vulnerability and 83 other CVEs

On Patch Tuesday, Microsoft released patches to fix 84 vulnerabilities, one of which is an actively exploited zero-day vulnerability (CVE-2022-22047). This CVE, caused by improper privilege management in the Windows Client Server Runtime Subsystem (CSRSS), can be used to execute code remotely. With this, attackers can disable local services such as Endpoint Detection and Security tools and deploy tools to recover admin and domain level accounts. CISA has added this CVE to the list of Known Exploited Vulnerabilities on 12-07-2022.  Apart from this, four other critical RCE vulnerabilities (CVE-2022-30220, CVE-2022-22026, CVE-2022-22029, and CVE-2022-22039) also have available patches. 

 

VMware patches critical CVE (CVE-2021-22048)

VMware has released a patch for a high-severity privilege escalation vulnerability, CVE-2021-22048, 8 months after it was discovered. This vulnerability is found in vCenter Server's Integrated Windows Authentication and can only be exploited from the same physical or logical network on which the targeted server is located. The attackers can gain access using low privileges and no user interaction, making it highly dangerous. VMware has categorized this CVE to be in the Important Severity range, meaning that an exploit would result in the complete compromise of the confidentiality and the integrity of user data and processing resources. 

Our Predictive VI Reconnaissance had picked out traces of discussion around the CVE on the Deep & Dark Web and prioritized it as a highly exploitable vulnerability long ago.

 

CVE: CVE-2021-22048

CVSS Score: 8.8

Patch Link: Download

Amazon fixes bugs in AWS Kubernetes service

In the AWS Kubernetes service, three authentication bugs—causing the vulnerability CVE-2022-2385—have been fixed in the latest version of AWS IAM Authenticator for Kubernetes. This vulnerability could be used to exploit the username through the AccessKeyID in AWS IAM Authenticator. However, no significant exploits have been detected or reported. All users of the AWS Kubernetes service who host and manage their own Kubernetes clusters have been asked to update their AWS IAM Authenticator for Kubernetes to version 0.5.9.

 

CVE: CVE-2022-30190

CVSS Score: 7.8

CWE ID: CWE-20

Patch Link: Download

 

The Rozena backdoor is the latest malware used to exploit the Follina bug

Microsoft’s Follina bug is trending and has been actively exploited by several APT and ransomware groups, especially from Russia and China. In the Follina bug exploit, social engineering tools and phishing campaigns have been deployed to bait victims. To date, the groups have used various malware—such as Qbot and AsyncRAT—to exploit the bug. 

Most recently, hackers have started using the Rozena backdoor to inject a remote shell connection back to the attacker, allowing the attacker to take control of the system to access information while maintaining a backdoor to the compromised system. The vulnerability associated with this is CVE-2022-30190, and a patch has been released. If your organization relies heavily on Microsoft Word and Excel, you may want to patch this vulnerability immediately.

 

CVE: CVE-2022-30190

CVSS Score: 7.8

Exploit Type: ['RCE', 'WebApp']

Affected Products: 18 

Patch Link: Download

APT Associations: TA413

 

For more information on Follina, check out our blog.

 

North Korean threat actor targets CVE-2022-26352 with H0lyGh0st ransomware

CVE-2022-26352, a DotCMS remote code execution vulnerability is now actively being exploited by a North Korean threat actor dubbed as DEV-0530. They have been developing and deploying ransomware in small and medium businesses across multiple countries since June 2021. They gain initial access to target networks by exploiting vulnerabilities in public-facing web applications and content management systems. The vulnerability allows directory crawl attack while downloading files using which the attacker can take control of the system. The patch is available in the latest dotCMS versions 22.03, 5.3.8.10_lts and/or 21.06.7_lts.

CSW's predictive VI analysis tool picked up this CVE in May and warned that it was an extremely  exploitable vulnerability. True to this, the CVE is trending as an active exploit now.

Interestingly, this CVE is yet to be added in the NVD or CISA KEV list.

 

CVE:  CVE-2022-26352 

Exploit Type: RCE

APT Associations: DEV-0530

Ransomware Association: H0lyGh0st

 

New vulnerabilities discovered in the IBM MQ Operator and queue managers

On July 8, IBM released a security bulletin stating the IBM MQ Operator catalog container images are vulnerable to an issue in the Golang Go packages. There were three CVEs named for this issue: CVE-2020-15257, CVE-2021-21334, and CVE-2021-41771. The first two allow remote code execution, while the last can be used in a DDoS attack. These vulnerabilities have a CVSS base score of 7.5 and higher and are found in the 1.8.2 version of the IBM MQ Operator CD release. IBM has released fixes in the latest version of the IBM MQ Operator (2.0.0 LTS).

 

CVE: CVE-2020-15257

CVSS Score: 5.2

Affected Products:

Patch Link: Download

 

New sandbox vulnerability discovered in macOS

In October 2021, an AppleApp Sandbox vulnerability was discovered and reported to Apple. The vulnerability is now named CVE-2022-26706 and Apple released a patch for it, this week. The vulnerability allows attackers to escape the App Sandbox and run unrestricted on the system using specially crafted codes. 

Apple has recommended that all users install these security updates as soon as possible.

 

CVE: CVE-2022-26706

CVSS Score: 5.5

Affected Products: 6 

Patch Link: Download


 

We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that could potentially be exploited by hackers. We warn our customers continuously about their exposures and prioritize their vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help in managing your vulnerabilities and exposures from attackers.

 

Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.

Talk to Us 

 

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!

csw

Secure your environment from cyber-attacks!

Know How

incognito