CSW's Threat Intelligence - November 21, 2022 - November 25, 2022
Posted on Nov 21, 2022 | Updated on Nov 25, 2022 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
- Energy Organizations Breached via Bugs and Discontinued Servers
- A Threatening New DDoS BotNet - RobinBot
- AirAsia Breached by Daixin Ransomware
- Emotet Makes a Comeback with Malspam Campaign
- Quantum Ransomware Group Steals PII from County of Tehama
- BlackBasta Ransomware is Running QakBot Campaigns
Threats to Watch Out For
- PoC Available for macOS Vulnerability CVE-2022-26696
- Atlassian Fixes Critical Vulnerabilities
- Samba Patches Critical Vulnerability
- Patch Gap in Android’s Mali GPU Driver
- CVE-2022-33942: Intel DCM Vulnerability
- Emergency Security Update for Chrome Vulnerability
Chinese APT groups have targeted multiple Indian electrical grid operators in a bid to compromise organizations in the energy sector. These organizations had been using the discontinued Boa web server, which contains a vulnerable component. The flaw in Boa servers enabled attackers to gain initial access through Internet-exposed cameras on the victims' networks, which were then used as command-and-control servers. In this attack, the Indian national emergency response system and the subsidiary of a multinational logistics company were compromised. Boa servers were also exploited in an attempt to breach Tata Power in a Hive ransomware attack this October.
Microsoft disclosed and fixed two critical vulnerabilities among several others: CVE-2017-9833 and CVE-2021-33558. It is reported that over 1 million internet-exposed Boa server components were detected online worldwide within a single week.
If organizations are using Boa servers, they should immediately patch the critical vulnerabilities.
RobinBot is the latest botnet being spread in malware campaigns. The attackers behind this botnet are unknown. An analysis of infected systems showed that the samples are a variant of the Mirai and Gafgyt botnets. RobinBot may spread by brute-forcing weak passwords on the Telnet service.
RobinBot is a cross-platform DDoS trojan written in Java. This botnet was first seen in May 2022 and carries conventional anti-analysis measures borrowed from the Mirai family. It can run on both Windows and Linux platforms, with additional capabilities on Windows. The botnet is targeting vulnerabilities in popular routers.
Some of the CVEs exploited by the botnet are: CVE-2018-10561, CVE-2018-10562, CVE-2014-8361, CVE-2017-17215, CVE-2016-10372, CVE-2015-2051, CVE-2016-20016, and CVE-2016-6277.
In an attack on Nov 11 and 12, 2022, the Daixin ransomware group stole sensitive passenger and employee information from AirAsia servers. About 5 million passengers and the entire staff of the airline group are said to have been impacted by this attack. The attackers claimed that the organization's security measures were very poor and that its network was too chaotic even for them to breach the systems and exfiltrate data; they halted further attacks for this reason.
The Daixin ransomware group has been active since June 2022 and has carried out many attacks in a brief period of time. The group favors the healthcare sector and is known for encrypting servers responsible for healthcare services, including electronic health records, diagnostics, imaging, and intranet services. The group reuses Babuk's ransomware code and has exploited CVE-2020-1472, CVE-2020-5135, CVE-2021-27065, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.
Emotet, a malware botnet operated by TA542, also known as Mummy Spider, went on hiatus in July 2022. Now it is back with a high-volume malspam campaign in which it drops payloads such as IcedID and BumbleBee. The malware is considered very dangerous because it acts as a primary door opener on infected devices, deploying next-stage binaries used for data theft and ransomware. The latest attacks target the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil. Emotet spreads through email thread hijacking with macro-enabled Excel attachments. The malware has reportedly reached full functionality after enhancing its techniques during the hiatus.
The County of Tehama suffered a data breach in April 2022. Files on the county's department of social services systems were accessed by an unknown entity, and personal information, including names, addresses, birth dates, Social Security numbers, and driver's license numbers, was stolen. The county did not reveal the identity of its attackers, but in June 2022 the Quantum ransomware group published 32 GB of data on its website, allegedly stolen from the county. Tehama County officials have notified the individuals impacted by this attack and offered complimentary credit monitoring and identity theft protection services.
Western nations such as the US, UK, and Canada are being targeted in an aggressive campaign by BlackBasta. The ransomware group is using QakBot (Qbot) malware and Cobalt Strike to deploy ransomware and encrypt the victims' devices. The group also locks victims out of their network by disabling DNS services, making recovery more difficult. QakBot infections are spread through spam and phishing emails.
Black Basta is known for its double-extortion technique and is notorious for targeting energy companies. Some of the vulnerabilities that the group exploits are: CVE-2022-30190, CVE-2020-1472, CVE-2021-42287, CVE-2021-42278, CVE-2021-34527, CVE-2022-41049, and CVE-2022-41091.
Threats to Watch Out For
CVE-2022-26696 is a high-severity vulnerability that was reported last year. It allows a sandboxed process to circumvent sandbox restrictions and, if exploited, enables an attacker to execute low-privileged code on the target system. Apple patched this vulnerability in macOS Monterey 12.4, released in May this year. Since a proof-of-concept exploit is now public, organizations are advised to update their devices to the latest version.
Affected Product Count: 1
CVE-2022-43781: A critical command injection vulnerability in Atlassian Bitbucket that allows an attacker to remotely execute code.
CVE-2022-43782: A misconfiguration issue in Atlassian Crowd, a framework for authentication and authorization in web-based applications. If exploited, it can lead to privilege escalation and unauthorized access.
Atlassian vulnerabilities are actively targeted by many attackers, and we recommend that users patch these vulnerabilities immediately.
Samba is an open source Server Message Block (SMB) implementation for Linux and Unix systems and can be used as an Active Directory Domain Controller (AD DC). CVE-2022-42898 is a vulnerability found in multiple Samba releases. If exploited, it can potentially lead to arbitrary code execution, denial of service, and even complete takeover of the system. The KDC server is said to be most exposed to this flaw, and Samba fixed it as a priority. The latest Samba releases, 4.15.12, 4.16.7, and 4.17.3, all contain the patch for CVE-2022-42898.
CWE ID: CWE-190
Considering the severity of this vulnerability, CISA has warned users to patch this vulnerability urgently.
Five vulnerabilities in the Arm Mali GPU driver were patched by the vendor recently. However, the fixes have not yet reached end-user devices, and this patch gap exposes millions of Android users to attacks. Two vulnerabilities need urgent attention:
CVE-2022-33917, which allows a non-privileged user to perform improper GPU processing operations and gain access to already freed memory. The vulnerability impacts Arm Mali GPU kernel drivers Valhall r29p0 to r38p0.
CVE-2022-36449, which allows a non-privileged user to gain access to freed memory, write outside of buffer bounds, and disclose details of memory mappings.
Users need to wait for the fixes to reach their devices and then update their Android devices.
A vulnerable configuration in Intel's Data Center Manager Console allows an unauthenticated user to gain full access and remotely execute code. This is achieved by spoofing Kerberos and LDAP responses. The flaw has been assigned CVE-2022-33942. Intel has patched this vulnerability and advised users to move to DCM version 5.0 or above.
Affected Product Count: 1
A high-severity vulnerability, CVE-2022-4135, was discovered in Chrome on Nov 22, 2022. An exploit for this vulnerability exists in the wild, and it allows attackers to execute arbitrary code or access information without restriction. Google patched this vulnerability with an emergency update in browser version 107.0.5304.121/.122. Interestingly, this is the 8th zero-day vulnerability that Chrome has patched this year.
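Both the Samba item (fixed in 4.15.12, 4.16.7 and 4.17.3) and the Chrome item (fixed in 107.0.5304.121/.122) come down to the same defender's question: is the installed build at or above the fixed release of its branch? The following is an added example, not CSW's tooling or anything from the Samba or Chromium projects, that answers that question for both products. The fixed version numbers are taken from the text above; the version-string parser, the branch-depth convention (two components for Samba, one for Chrome), the treatment of branches missing from the table, and the sample inventory are all assumptions of this example.

```python
"""Branch-aware patch-level check for the fixed releases named in this newsletter.

Added example (not CSW's own tooling). Only the fixed version numbers come from
the newsletter; the parsing and branch logic are assumptions of this example.
"""
from typing import Dict, List, Tuple

# Minimum fixed release per maintained branch, keyed by branch prefix.
# Samba: CVE-2022-42898 is fixed in these releases of the 4.15/4.16/4.17 branches.
SAMBA_FIXED: Dict[str, str] = {
    "4.15": "4.15.12",
    "4.16": "4.16.7",
    "4.17": "4.17.3",
}
# Chrome: the emergency update for CVE-2022-4135 is 107.0.5304.121 (.122 on some platforms),
# so .121 is the lowest build that carries the fix.
CHROME_FIXED: Dict[str, str] = {"107": "107.0.5304.121"}

# Product -> (fixed-release table, number of leading components that identify a branch).
PRODUCTS = {"samba": (SAMBA_FIXED, 2), "chrome": (CHROME_FIXED, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn strings such as '4.16.7', 'v4.17.3' or 'Version 4.15.9-Ubuntu' into an int tuple.

    Assumption: a dotted numeric core, optionally prefixed by 'v'/'Version'; any
    distro suffix after the first non-numeric character (e.g. '-Ubuntu') is dropped.
    """
    core = text.strip().lower()
    if core.startswith("version"):
        core = core[len("version"):].strip()
    core = core.lstrip("v")
    parts: List[int] = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_patched(installed: str, fixed_by_branch: Dict[str, str], depth: int) -> bool:
    """True if the installed build is at or above the fixed release of its branch.

    Branches absent from the table are handled conservatively (assumption of this
    example): anything newer than every listed fix is treated as carrying it, while an
    older, unlisted branch (e.g. Samba 4.14) has no fixed release and is reported vulnerable.
    """
    ver = parse_version(installed)
    branch = ".".join(str(x) for x in ver[:depth])
    fixed = fixed_by_branch.get(branch)
    if fixed is not None:
        return ver >= parse_version(fixed)   # tuple comparison is element-wise
    newest_fix = max(parse_version(v) for v in fixed_by_branch.values())
    return ver > newest_fix


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("dc01", "samba", "Version 4.15.9-Ubuntu"),
    ("dc02", "samba", "4.17.3"),
    ("fs01", "samba", "4.14.12"),
    ("ws17", "chrome", "107.0.5304.110"),
    ("ws18", "chrome", "107.0.5304.122"),
]


def check_inventory(inventory) -> Dict[str, str]:
    """Return {host: 'patched' | 'vulnerable'} for each (host, product, version) entry."""
    result: Dict[str, str] = {}
    for host, product, installed in inventory:
        table, depth = PRODUCTS[product]
        result[host] = "patched" if is_patched(installed, table, depth) else "vulnerable"
    return result


if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the output of `smbd --version` or the Chrome build shown under chrome://version and anything reported as vulnerable belongs on this week's remediation list; a Samba host on a branch older than 4.15 has no fixed release to move to and needs an upgrade to a supported branch rather than a point update.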
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!