CSW's Threat Intelligence - July 25, 2022 - July 29, 2022
Posted on Jul 25, 2022 | By Supriya Aluri
In this edition, we bring you early warnings and trending news about cyber threats along with accurate threat context. Check out which threat group is on the rampage, which vulnerability they could weaponize soon, and more.
Why play catch up when you can fix this now!
Check out our Threat Intelligence Podcast featuring Top Three Threats of the Week!
1. KnotWeed attacks European and Central American targets using zero-day exploits
2. Atlassian vulnerabilities under active attacks
3. GoMet backdoor used to attack Ukrainian organizations
4. LockBit ransomware has an upgrade!
5. SonicWall releases a patch for a critical SQL injection bug
6. Potential RCE vulnerabilities discovered in Grails
7. Microsoft releases patches for more critical vulnerabilities
A private-sector offensive actor (PSOA) tracked by Microsoft as KnotWeed has developed a malware toolset known as Subzero, delivered with zero-day exploits for Windows and Adobe Reader, and has used it against corporations in Europe and Central America. KnotWeed markets its hacking services and the Subzero toolset to multinational corporations, presenting them as a way to improve their security. The most prominent exploit in its arsenal targets CVE-2022-22047, a zero-day privilege-escalation bug in the Windows Client/Server Runtime Subsystem (CSRSS), for which a patch was released on July's Patch Tuesday; Microsoft has since urged customers to apply it immediately to avoid serious attacks. In 2021, KnotWeed also exploited CVE-2021-31199 and CVE-2021-31201 (Windows privilege escalation, chained with the Adobe Reader bug CVE-2021-28550) and CVE-2021-36948 (Windows Update Medic Service privilege escalation). Patches are available for all of these.
KnotWeed is a PSOA to watch: although it presents itself as a legitimate vendor, it has been carrying out unauthorized attacks with its own tooling.
In our previous Cyber Threat Intelligence blog, we called out CVE-2022-22047 as a critical vulnerability, and we again urge you to patch it without delay.
Following the attacks on Atlassian Confluence servers via CVE-2022-26134, three more vulnerabilities in Atlassian products, CVE-2022-26138, CVE-2022-26136 and CVE-2022-26137, have been disclosed, and CVE-2022-26138 is already being exploited in the wild.
CVE-2022-26138 affects the Questions for Confluence app for Confluence Server and Data Center. When installed, the app creates a user account (disabledsystemuser) with a hard-coded password, and that password has been published online, so the account is being used in the wild: anyone who knows it can log in to an unpatched instance and read any page available to the confluence-users group, which is a ready-made foothold for further attacks, including ransomware. This is the most critical of the three vulnerabilities. Atlassian's advisory gives the mitigation (update the app, or disable or delete the account) and explains how to check for evidence of exploitation (review the account's last authentication time).
CVE-2022-26136 and CVE-2022-26137 affect multiple Atlassian Server and Data Center products (Bamboo, Bitbucket, Confluence, Crowd, Fisheye and Crucible, Jira, and Jira Service Management); Atlassian Cloud is not affected. Both are bugs in the way these products dispatch Java servlet filters. CVE-2022-26136 lets a remote, unauthenticated attacker bypass servlet filters used by first- and third-party apps, which, depending on the filter, can mean authentication bypass or cross-site scripting; CVE-2022-26137 lets an attacker cause an additional servlet filter to run, which can bypass cross-origin resource sharing (CORS) restrictions. Neither is a remote code execution bug on its own, but an authentication bypass in widely deployed products is serious enough that both should be patched promptly.
Atlassian has released security advisories for all three vulnerabilities and recommends they be patched urgently.
Patch Link: Download
Ukrainian government agencies and many private Ukrainian organizations have been targeted by Russian APT groups since before the Russia-Ukraine war began. In the latest round of attacks, the intruders used the GoMet backdoor to gain access to the networks of Ukrainian state agencies. GoMet was first observed in 2020, deployed after exploitation of CVE-2020-5902 (F5 BIG-IP); in the 2022 attack it was deployed on a Ukrainian software development organization after exploitation of CVE-2022-1040 (Sophos Firewall). The pattern is the same in both cases: the attackers break in through a public vulnerability in an internet-facing appliance, then install the GoMet backdoor to keep their access and move further into the network. We expect CVE-2022-1040 to see more exploitation in the coming days.
Patches are available for both these vulnerabilities.
The LockBit ransomware gang released LockBit 3.0 in June with a number of upgrades: a bug bounty program, payment in Zcash, and new extortion tactics. The gang is offering large payouts to anyone who finds flaws in its malware, and other criminals can now buy stolen victim data from it for cryptocurrency, including Zcash. The gang, active since 2019, made at least two headlines this week, claiming attacks with LockBit 3.0 on the Italian Revenue Agency and on the Town of St. Marys, Ontario. An attack on the Italian Revenue Agency would be the biggest in the agency's history and could have grave repercussions. St. Marys has been locked out of its systems, disrupting day-to-day operations. It is not known whether either victim has received a ransom demand.
The two CVEs most recently associated with LockBit are CVE-2018-13379 (a path-traversal bug in the Fortinet FortiOS SSL VPN web portal) and CVE-2021-22986 (a remote code execution bug in the F5 BIG-IP iControl REST interface).
SonicWall has disclosed a critical SQL injection vulnerability, tracked as CVE-2022-22280, in its Global Management System (GMS) and Analytics software. There are no known instances of exploitation yet, but the flaw could let an attacker read, write and modify data in the backing database and so gain full control of the system. It arises from insufficient neutralization of user-supplied input before that input is placed into an SQL command. SonicWall has released a patch and is urging all its enterprise customers worldwide to apply it immediately.
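To make the bug class concrete, here is an added example (not SonicWall's code; the schema, rows and attacker input are constructed for the demonstration) that runs the same lookup against an in-memory SQLite database twice: once with the input interpolated into the SQL text, as in the vulnerable pattern described above, and once with a bound parameter.

```python
"""Added example of the SQL-injection bug class behind CVE-2022-22280.
Not SonicWall code: the users table, its rows and PAYLOAD are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with a secret column the query
    is never supposed to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, api_token) VALUES (?, ?)",
        [("alice", "tok-alice-1111"), ("bob", "tok-bob-2222")],
    )
    conn.commit()
    return conn


def lookup_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's input becomes part of the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_name_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the same query with a bound parameter. The value travels
    separately from the statement and can never change its structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the string literal, UNIONs in a column the
# query never meant to return, and comments out the trailing quote with "--".
PAYLOAD = "x' UNION SELECT id, api_token FROM users --"


def demo() -> dict:
    """Run both variants against the same data and return what each gives back."""
    conn = make_db()
    return {
        # leaks every api_token through the 'name' column of the result
        "vulnerable": sorted(lookup_name_vulnerable(conn, PAYLOAD)),
        # no user is literally named like the payload, so nothing comes back
        "fixed": lookup_name_fixed(conn, PAYLOAD),
        # the hardened query still works for ordinary input
        "fixed_normal": lookup_name_fixed(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point to take from the output is that the hardened version is not "the same query with better escaping": no escaping happens at all, because the parameter is never part of the statement text. That is the property to look for when reviewing any code path that builds SQL from request data.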
A critical vulnerability that can lead to remote code execution was recently disclosed in Grails, an open source web application framework built on the Apache Groovy language. An attacker can execute code inside a Grails application's runtime by sending a specially crafted web request whose parameters are data-bound onto an object graph, which gives the attacker a path to the class loader. The vulnerability, tracked as CVE-2022-35912, affects Grails 3.3.10 and later running on Java 8. The Grails project has released patched versions.
CVSS Score: 9.8
Affected Product Count: 4
Patch Link: Download
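The Grails bug above belongs to a wider class: a data binder that maps dotted request-parameter names onto nested object properties lets a request climb out of the object it was meant to fill. The following is an added Python analogue, not Grails code and not a reproduction of CVE-2022-35912; the Profile class, the binder functions, ALLOWED_FIELDS and the attacker parameters are all constructed for the illustration. Where Grails reaches the class loader, the analogue reaches the Python class object through `__class__` and changes a default shared by every instance.

```python
"""Added example of the data-binding flaw class behind CVE-2022-35912, in Python.
Not Grails code: Profile, bind_unsafe, bind_safe and the parameters are constructed."""


def make_profile_class():
    """Constructed model class, built fresh per demo so the class-level damage
    done by the unsafe binder in one demo cannot leak into another."""

    class Profile:
        role = "user"  # class-level default shared by every instance

        def __init__(self, name: str = "", email: str = ""):
            self.name = name
            self.email = email

        def is_admin(self) -> bool:
            return self.role == "admin"

    return Profile


def bind_unsafe(target: object, params: dict) -> None:
    """Vulnerable binder: 'a.b.c' walks getattr() through a.b and then sets c.
    Nothing stops the path from starting at __class__, so a request can reach
    objects far outside the one the handler meant to populate."""
    for key, value in params.items():
        *path, leaf = key.split(".")
        obj = target
        for part in path:
            obj = getattr(obj, part)
        setattr(obj, leaf, value)


ALLOWED_FIELDS = {"name", "email"}  # constructed allow-list for this model


def bind_safe(target: object, params: dict) -> list:
    """Hardened binder: no path traversal at all, and only explicitly listed
    flat field names are bound. Returns the rejected keys so the caller can log them."""
    rejected = []
    for key, value in params.items():
        if key in ALLOWED_FIELDS:
            setattr(target, key, value)
        else:
            rejected.append(key)
    return rejected


# Constructed attacker request: one harmless field plus a dotted key that sets
# the class attribute 'role' through __class__, not an attribute of this instance.
ATTACKER_PARAMS = {"name": "mallory", "__class__.role": "admin"}


def demo_unsafe() -> tuple:
    """Returns (attacker is admin, unrelated victim is admin, class-level role)."""
    Profile = make_profile_class()
    victim = Profile("alice")  # exists before the request and is never bound
    attacker = Profile()
    bind_unsafe(attacker, ATTACKER_PARAMS)
    return attacker.is_admin(), victim.is_admin(), Profile.role


def demo_safe() -> tuple:
    """Returns (attacker is admin, victim is admin, bound name, rejected keys)."""
    Profile = make_profile_class()
    victim = Profile("alice")
    attacker = Profile()
    rejected = bind_safe(attacker, ATTACKER_PARAMS)
    return attacker.is_admin(), victim.is_admin(), attacker.name, rejected


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("safe:  ", demo_safe())
```

Two things generalize from this. First, the damage is not confined to the object being bound: one request changed a value every other instance inherits, which is why "a request that grants access to the class loader" is a runtime-wide problem rather than a per-object one. Second, the fix is an allow-list of bindable fields, not a deny-list of dangerous names such as `class` or `__class__`; deny-lists have to anticipate every traversal path, while an allow-list never performs traversal in the first place.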
Microsoft has issued patches for three critical vulnerabilities: CVE-2022-26925, CVE-2022-26923 and CVE-2022-26809. They are on our threat watchlist because CVE-2022-26925 has been exploited in the wild and the other two (CVE-2022-26923, CVE-2022-26809) have publicly available exploit code.
CVE-2022-26809 is a remote code execution bug in the Windows RPC runtime: an unauthenticated attacker can run arbitrary code by sending a specially crafted Remote Procedure Call. CVE-2022-26923 lets a low-privileged domain user escalate to domain administrator in a default Active Directory environment where the Active Directory Certificate Services (AD CS) server role is installed. CVE-2022-26925 is a spoofing flaw in the Windows Local Security Authority (LSA) that lets an unauthenticated attacker coerce domain controllers into authenticating to an attacker-controlled host via the Windows NT LAN Manager (NTLM) protocol, which enables NTLM relay attacks.
We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that could potentially be exploited by hackers. We warn our customers continuously about their exposures and prioritize their vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help in managing your vulnerabilities and exposures from attackers.
Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!