CSW's Threat Intelligence - November 28, 2022 - December 2, 2022
Posted on Nov 28, 2022 | Updated on Dec 2, 2022 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
- North Korean APT Groups use Dolphin Backdoor on South Korea
- A New Windows Exploit Framework is used to Deploy Spyware
- CISA Adds CVE-2022-4135 and CVE-2021-35587 to the KEV Catalog
- New Backdoor Malware Affecting Redis Servers
Threats to watch out for
- CVE-2022-40684 Critical Fortinet Vulnerability Exploited by IABs
- Windows Internet Key Exchange Vulnerability Exploited in the Wild
- Watch Out for these CISCO Vulnerabilities
- CVE-2022-3328: Linux Privilege Escalation in Snap-Confine
- CVE-2022-4116: Critical RCE Vulnerability Affecting Quarkus Java Framework
North Korean hackers are spying on South Korean targets using a new backdoor named Dolphin. This malware is capable of monitoring drives and portable devices, exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. It primarily spies on cloud storage services such as Google Drive. It is even able to change the settings on Google and Gmail accounts to lower their security. Initial access and Dolphin distribution are carried out by another malware known as Bluelight.
To gain initial access, the hackers exploited CVE-2021-26411 and CVE-2020-1380.
Dubbed the Heliconia framework, it chains former zero-day vulnerabilities to deploy exploits for Chrome, Windows Defender and Firefox. Heliconia has three parts: Heliconia Noise (a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape), Heliconia Soft (a web framework that deploys a PDF containing a Windows Defender exploit), and Files (a set of Firefox exploits for Linux and Windows). There is no evidence of exploitation in the wild using this framework. However, it is a powerful tool for spying and can be used for digital espionage.
The framework has links to Variston IT, a custom security solutions provider in Spain. The vulnerabilities that this framework exploits are CVE-2021-42298 and CVE-2022-26485.
This vulnerability has been actively exploited since November 2021.
Our analysts recommend that CVE-2021-42298 be added to the CISA KEV list, considering the dangerous consequences of its exploitation.
CVE-2022-4135 is a Google Chrome zero-day vulnerability which is being exploited in the wild. This is the 8th zero-day vulnerability that Chrome has fixed in 2022.
We warned our users about this vulnerability in last week’s threat intelligence blog.
CVE-2021-35587 is a remote code execution vulnerability in Oracle Access Manager (OAM). If exploited, it can allow an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager and use it to create users with any privileges or to execute arbitrary code on the victim’s server. Oracle fixed this vulnerability in January 2022.
The malware named Redigo is designed to target the Redis vulnerability CVE-2022-0543 and exploit it to compromise the server. CVE-2022-0543 is a Lua sandbox escape flaw that allows an attacker to execute arbitrary code on the victim’s server. The attack chain starts with scans for Redis servers exposing port 6379 to the internet; the threat actor then runs various Redis commands to connect to and exploit the server. Redigo is used to elevate the permissions of the malicious library file exp_lin.so and execute it. This malware can be used to launch DDoS attacks on target servers and compromise resources on networks.
CWE ID: CWE-94
Exploit Type: RCE, PE, WebApp
Affected Product Count: 4
Patch Link: Download
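As an added, defender-side example (not code from the original post or from CSW), the script below audits a redis.conf for the exposure the Redigo chain described above relies on: a Redis instance reachable from the internet on port 6379, no authentication, and Lua scripting (EVAL) still reachable. The sample configurations are constructed; disabling EVAL via rename-command is assumed here only as a stopgap, since upgrading Redis is the actual fix for CVE-2022-0543.

```python
"""Audit a redis.conf for the exposure the Redigo attack chain needs."""

# Addresses that keep Redis off the network (Redis allows a '-' prefix on bind entries).
LOOPBACK = {"127.0.0.1", "-127.0.0.1", "::1", "-::1", "localhost", "-localhost"}


def parse_redis_conf(text):
    """Map each directive (lowercased) to the list of argument lists it was given."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def last_value(conf, key, default):
    """Redis honours the last occurrence of a directive; return its first argument."""
    for args in reversed(conf.get(key, [])):
        if args:
            return args[0]
    return default


def audit_redis_conf(text):
    """Return (severity, message) findings; an empty list means none of the
    exposure conditions the Redigo chain relies on were found."""
    conf = parse_redis_conf(text)
    findings = []
    bind_addrs = [a for args in conf.get("bind", []) for a in args]
    # No bind directive means Redis listens on every interface.
    if not bind_addrs or any(a not in LOOPBACK for a in bind_addrs):
        port = last_value(conf, "port", "6379")
        findings.append(("high", f"bind allows non-loopback clients on port {port}"))
    if last_value(conf, "protected-mode", "yes").lower() == "no":
        findings.append(("high", "protected-mode is off"))
    users = conf.get("user", [])  # ACL users (Redis 6+)
    nopass = [u[0] for u in users if u and "nopass" in u and "on" in u]
    if ("requirepass" not in conf and not users) or nopass:
        findings.append(("high", "unauthenticated access: no requirepass or ACL password"))
    # rename-command <CMD> "" disables a command entirely.
    disabled = {a[0].upper() for a in conf.get("rename-command", [])
                if len(a) >= 2 and a[1] in ('""', "''")}
    for cmd in ("EVAL", "EVALSHA"):
        if cmd not in disabled:
            findings.append(("medium", f"{cmd} reachable: Lua sandbox (CVE-2022-0543) exposed until patched"))
    return findings


# Constructed samples: a config an exposed host might ship with, and a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = ("bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\n"
                 "requirepass PLACEHOLDER-strong-secret\n"
                 'rename-command EVAL ""\nrename-command EVALSHA ""\n')
```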
Threats to Watch Out For
A critical authentication bypass vulnerability, CVE-2022-40684, is being targeted by Initial Access Brokers (IABs) to compromise enterprise networks. The threat actors then sell access to the victims’ systems for a price. These threat actors were found on Russian cybercrime forums.
This vulnerability affects FortiGate firewalls and FortiProxy web proxies and was patched by the vendor in October 2022. CVE-2022-40684 can be exploited to allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. In October 2022, it was found that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw. Most of them are in Germany and in the US. There are more than 100,000 instances of outdated Fortinet firewalls around the world vulnerable to attacks.
CWE ID: CWE-306
Exploit Type: RCE, DoS, WebApp
Affected Product Count: 6
Patch Link: Download
CVE-2022-34721, a remote code execution vulnerability, is being exploited by Chinese threat actors in the wild. A PoC for this vulnerability was published on September 16, 2022, and Microsoft patched it during its September Patch Tuesday. However, the vulnerability continues to be exploited against unpatched Windows and Windows Server systems and the affected Windows protocols and services in a campaign called “Bleed You.”
Our MI-based analytical platform has given this vulnerability the maximum rating, indicating that it is very dangerous.
Users of Windows are highly recommended to patch this vulnerability immediately.
Five vulnerabilities in Cisco products are critical and a cause for concern.
CVE-2022-20964 and CVE-2022-20959 are XSS vulnerabilities, which when chained together can allow an attacker to easily obtain a remote root shell on the vulnerable system.
CVE-2022-20965 is an access bypass in the web-based management interface. It can expand the attack surface of the chained exploits.
CVE-2022-20966 and CVE-2022-20967, vulnerabilities in web-based management interfaces, allow malicious HTML or script code to be stored within the application interface and later used for XSS attacks.
Patches for these vulnerabilities will be available in the first quarter of 2023. Meanwhile, customers can contact Cisco for hot patches.
This vulnerability in snap-confine can be exploited to gain full root privileges on Linux. It is combined with the Leeloo Multipath vulnerabilities (CVE-2022-41974, CVE-2022-41973, CVE-2021-44731) to bypass authorization and gain access to the system. A local attacker could race against snap-confine, retain control over /tmp/snap.$SNAP_NAME, and eventually obtain full root privileges. Qualys released a security advisory for the vulnerability.
CWE ID: CWE-94
Affected Product Count: 3
Patch Link: Download
Check out this section to track how this threat evolves!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!