CSW's Threat Intelligence - July 18, 2022 - July 22, 2022
Posted on Jul 18, 2022 | By Supriya Aluri
In this edition, we bring you early warnings and trending news about cyber threats along with accurate threat context. Check out which threat group is on the rampage, which vulnerability they could weaponize next, and more.
Why play catch up when you can fix this now!
Check out our Threat Intelligence Podcast featuring Top Three Threats of the Week!
Transparent Tribe launches cyber attacks in the Indian sub-continent
Transparent Tribe, an APT group suspected to operate out of Pakistan, has been targeting educational institutions in India with the CrimsonRAT and ObliqueRAT malware families. The malware is delivered through phishing emails, look-alike domains and weaponized documents, and the latest infection campaign is hosted on ZainHosting, a Pakistani web-hosting service. The weaponized documents rely on two long-patched Microsoft Office remote code execution vulnerabilities, CVE-2017-0199 and CVE-2012-0158, so an up-to-date Office install is not at risk from the lures themselves. The group's likely goal is to steal research material from these institutions; the student and staff data taken during the intrusions can be reused to extend the campaign to further targets.
CloudMensis spyware targets macOS cloud users
A new macOS spyware uses public cloud storage services, not Apple's iCloud, as its command-and-control channel, exfiltrating documents, screenshots, email attachments and other sensitive data. Dubbed CloudMensis, it was discovered in April 2022, although it appears to have been in use before that. How the initial compromise happens is still unknown, but once installed the malware authenticates to a cloud storage provider with an embedded access token and uses that storage both to receive commands and to upload stolen files. CloudMensis supports three providers: pCloud, Yandex Disk and Dropbox. The intended victims and the infection vector are yet to be identified, but the malware is considered a capable espionage tool.
The CVE associated with this malware is CVE-2020-9934, a macOS Transparency, Consent and Control (TCC) bypass fixed in macOS 10.15.6. On Macs still running older versions it lets the spyware take screenshots and read protected documents without the user being prompted, so keeping macOS current removes this capability.
Affected Product Count: 3
Exploit Type: Other
CVSS Score: 5.5
Elastix VoIP servers under massive attack
Two attack groups have targeted Elastix VoIP servers with more than 500,000 malware samples since December 2021. The attacks exploit CVE-2021-45461, a remote code execution vulnerability in the FreePBX restapps (Rest Phone Apps) module that Elastix ships, to plant a PHP web shell that can run arbitrary commands on the compromised communications servers. The CVE has been exploited in the wild since December 2021 and carries a critical NVD rating of 9.8. Exposed Elastix and FreePBX installs should apply the module update and then be checked for web shells, since patching alone does not remove one that has already been dropped.
CVSS Score: 9.8
Exploit Type: RCE
Affected Product Count: 4
Patch Link: Download
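As an added example (not from the original post, Unit 42, Elastix or FreePBX), the following shell script is a first-pass triage for PHP web shells on a FreePBX/Elastix box after patching. It scores recently modified PHP files under a web root by three indicator families (a command-execution primitive, a request superglobal used as input, and a decoding/obfuscation call) and lists files that hit at least two. The web root path, the 30-day window and the sample files are assumptions constructed for the demo; a hit is a lead for an analyst, not proof of compromise.

```sh
#!/bin/sh
# Added example, not code from the original post or from Unit 42/Elastix/FreePBX.
# Triage for PHP web shells: score *.php files changed in the last N days by
# indicator family, report anything that scores >= 2.

# Indicator families (ERE, used with grep -E). Names are common web shell primitives.
EXEC_RE='(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)[[:space:]]*\('
INPUT_RE='\$_(GET|POST|REQUEST|COOKIE)\['
OBFUSC_RE='(base64_decode|gzinflate|str_rot13|gzuncompress)[[:space:]]*\('

# webshell_score FILE -> prints 0..3, one point per indicator family present
webshell_score() {
    score=0
    if grep -Eq "$EXEC_RE"   "$1"; then score=$((score + 1)); fi
    if grep -Eq "$INPUT_RE"  "$1"; then score=$((score + 1)); fi
    if grep -Eq "$OBFUSC_RE" "$1"; then score=$((score + 1)); fi
    echo "$score"
}

# triage_webroot DIR DAYS -> prints "score path" for recent PHP files scoring >= 2
# find -mtime -DAYS selects files modified less than DAYS*24h ago.
triage_webroot() {
    find "$1" -type f -name '*.php' -mtime "-$2" | while IFS= read -r f; do
        s=$(webshell_score "$f")
        if [ "$s" -ge 2 ]; then
            echo "$s $f"
        fi
    done
}

# Stand-alone demo on a constructed directory (assumption: not a real Elastix
# install; the file names and contents are made up for the example).
demo_root=$(mktemp -d)
cat > "$demo_root/index.php" <<'EOF'
<?php echo "Elastix"; ?>
EOF
cat > "$demo_root/.config.php" <<'EOF'
<?php @eval(base64_decode($_POST['x'])); ?>
EOF
triage_webroot "$demo_root" 30
rm -rf "$demo_root"
```

On a real host, point `triage_webroot` at the directories where the phone-app module writes content rather than the whole FreePBX tree, because FreePBX's own PHP code legitimately uses some of these primitives; compare any hit against the package manifest (for example `rpm -V` on the FreePBX packages) and the module's files from a clean install before treating it as a web shell.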
Potential RCE exploit in Juniper’s nginx component
During an external security scan, it was discovered that several Juniper products ship an nginx affected by CVE-2021-23017, an off-by-one error in the nginx resolver. An attacker who can forge a UDP DNS response to the resolver can trigger a 1-byte memory overwrite, which can crash a worker process or potentially lead to arbitrary code execution. The bug is only reachable when the nginx configuration uses the resolver directive, so deployments without it are not exposed, though they should still be updated. Juniper has released patches for this issue. Thus far, no attacks based on this vulnerability have been reported.
CVSS Score: 9.4
Exploit Type: DoS
CWE ID: CWE-193
Affected Product Count: 25
Patch Link: Download
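As an added example (not from the original post, Juniper or nginx), the following shell script is a quick exposure check for CVE-2021-23017 that a practitioner can run against a host or a copied configuration. It encodes two facts from the nginx advisory: upstream versions 0.6.18 through 1.20.0 are affected (fixed in 1.20.1 and 1.21.0), and the bug is only reachable when a `resolver` directive is configured. The `check_live_host` wrapper assumes a standard `nginx` binary on the PATH; the sample configuration at the end is constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original post or from Juniper/nginx.
# Exposure check for CVE-2021-23017 (nginx resolver off-by-one).
#   affected upstream versions: 0.6.18 .. 1.20.0 (fixed in 1.20.1 / 1.21.0)
#   reachable only if the configuration uses the "resolver" directive

# version_to_int "1.20.0" -> 1020000  (major*1000000 + minor*1000 + patch)
version_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# nginx_version_affected VERSION -> returns 0 (true) if in the affected range
nginx_version_affected() {
    v=$(version_to_int "$1")
    lo=$(version_to_int 0.6.18)
    hi=$(version_to_int 1.20.0)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# config_uses_resolver FILE -> returns 0 if an uncommented "resolver" directive exists
# (does not match resolver_timeout, and ignores lines commented with #)
config_uses_resolver() {
    grep -Eq '^[[:space:]]*resolver[[:space:]]' "$1"
}

# check_nginx VERSION CONFIG_FILE -> prints a verdict; returns 0 only when exposed
check_nginx() {
    ver="$1"; cfg="$2"
    if ! nginx_version_affected "$ver"; then
        echo "nginx $ver: not in the affected range (0.6.18-1.20.0)"
        return 1
    fi
    if ! config_uses_resolver "$cfg"; then
        echo "nginx $ver: affected version but no resolver directive in $cfg; bug not reachable, still upgrade"
        return 1
    fi
    echo "nginx $ver: EXPOSED - affected version with resolver directive in $cfg"
    return 0
}

# check_live_host -> runs the check on this machine (assumes nginx on the PATH).
# "nginx -v" prints "nginx version: nginx/1.20.0" on stderr; "nginx -T" dumps the
# full effective configuration including files pulled in by "include".
check_live_host() {
    ver=$(nginx -v 2>&1 | sed -n 's#.*nginx/\([0-9.]*\).*#\1#p')
    tmp=$(mktemp)
    nginx -T 2>/dev/null > "$tmp"
    check_nginx "$ver" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo on a constructed configuration (not a real host's config)
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
http {
    resolver 10.0.0.53 valid=30s;
    server { listen 80; }
}
EOF
check_nginx 1.20.0 "$sample_cfg"
check_nginx 1.20.1 "$sample_cfg" || true
rm -f "$sample_cfg"
```

Two caveats when using this on real systems: distribution packages often backport the fix without changing the upstream version string, so confirm against the package changelog, and Juniper products report their own release numbers rather than the bundled nginx version, so for those use the fixed releases listed in Juniper's advisory instead of the version test.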
Candiru exploits Chrome zero-day vulnerability CVE-2022-2294
Candiru's spyware, which was last seen making the rounds in July 2021, has resurfaced after a quiet period. It is now exploiting a Chrome zero-day, CVE-2022-2294, with Lebanese journalists among the main targets.
The vulnerability is a heap buffer overflow in WebRTC, which can be exploited to run shellcode inside a renderer process; a separate sandbox escape would still be needed to reach the rest of the system, which is why a renderer bug alone is usually one link in a longer exploit chain.
Google has patched the vulnerability in Chrome 103.0.5060.114. Because WebRTC is shared code, other Chromium-based browsers and Apple's WebKit took the same fix, so those browsers should be updated as well.
We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that could potentially be exploited by hackers. We warn our customers continuously about their exposures and prioritize their vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help in managing your vulnerabilities and exposures from attackers.
Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.
Subscribe to our blogs and let us decode the CISA KEV for you.