CSW's Threat Intelligence - November 7, 2022 - November 11, 2022
Posted on Nov 7, 2022 | Updated on November 11, 2022 | By Priya Ravindran, Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
- APT29 Abuses Windows Credential Roaming
- APT41 has a New Sub-Group - Earth Longzhi
- LockBit continues its rampage, the latest being Kearney & Company
- Research reports an uptick in hackers leveraging zero-day vulnerabilities
- Microsoft Fixes 62 vulnerabilities in November Patch Tuesday
- CISA Adds 7 Vulnerabilities to the KEV
- Malicious extension lets attackers control Google Chrome remotely
Threats to Watch Out For
- VMWare Fixes Critical RCEs
- Critical Vulnerabilities in Citrix You Should Patch Now
- Lenovo Releases Patches for BYOVD Vulnerabilities
- Apple Releases Emergency Code Execution Patches
- Patches Available for Critical and Moderate Grafana Vulnerabilities
APT29 Abuses Windows Credential Roaming
Russian espionage group APT29 successfully carried out a phishing attack on a European diplomatic entity by abusing the Windows Credential Roaming feature in early 2022. This feature enables certificates and private keys to be used on more than one domain without having to create duplicates. APT29 exploits CVE-2022-30170 which allows the attacker to write arbitrary files to the affected systems in the context of any users they can control, possibly allowing for lateral movement. This vulnerability was fixed in September 2022 by Microsoft. Other than this vulnerability, an attacker can directly exploit the current or previous cleartext password of a user.
Affected Product Count: 6
Users of Windows Credential Roaming feature are recommended to immediately patch CVE-2022-30170.
Our threat intelligence platform is tracking this vulnerability and it has been actively exploited since May, 2022 and it slowly gaining traction since then.
CSW analysts recommend that this CVE be added to the CISA KEV.
APT41 has a New Sub-Group - Earth Longzhi
In early 2020, a Taiwanese organization suffered from a cyber attack. An investigation into this attack led to the discovery of a new APT group named Earth Longzhi. This group is believed to be a subgroup of the China-based threat actor APT41 (Wicked Panda).
In the attack, the group had made use of phishing emails and fake websites to gain initial access. Post this, the group deployed samples of CroxLoader, a variant of Cobalt Striker to infiltrate and retrieve data. Till date, the group has targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine. The group also uses publicly available applications to deploy and execute a simple downloader to download a shellcode loader and the necessary hack tools for the routine. BigpipeLoader, and OutLoader malware samples were also used in other attacks. Earth Longzhi deploys customized hack tools to bypass the protection of security products and steal data.
CVE-2019-16098, an MSI Afterburner RTCore vulnerability which allows privilege escalation is favored by these attackers.
Exploit Type: PE
CWE ID: CWE-125, CWE-787
Affected Product Count: 1
Our threat intelligence platform is tracking this vulnerability and it has been actively exploited since September, 2019 and received the highest rating in July 2021.
CSW analysts recommend that this CVE be added to the CISA KEV.
LockBit continues its rampage, the latest being Kearney & Company
In last week’s Threat Intelligence blog, we had called out how the LockBit ransomware group has been continuously expanding its arsenal. It now has exploit capabilities for nine vulnerabilities, including five critical severity vulnerabilities and five capable of remote code execution.
The latest LockBit victim is the consulting and IT services provider Kearney & Company, which provides a variety of financial services to the Federal Government. The group has demanded a ransom payment of $2M by the 26th for destroying stolen data, and an additional $10K for a 24-hour timeline extension. Demanding ransoms by threatening to leak stolen data and conversation chat logs with the cybercriminals seems to be the modus operandi for the group, as seen in the case of Continental as well last week. LockBit recently demanded a record-breaking $60M ransom from car dealer group Pendragon.
Research reports an uptick in hackers leveraging zero-day vulnerabilities
CSW’s Ransomware Reports in 2021 highlighted the fact that ransomware groups are leveraging yet-to-be-disclosed and even yet-to-be-acknowledged zero-day vulnerabilities in their attacks. Microsoft’s recent research validates the fact and reports that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw.
Further, in keeping with CISA’s recent release of the top vulnerabilities weaponized by China-based actors since 2020, here are some vulnerabilities that were first exploited by Chinese groups as zero-day vulnerabilities. With high possibilities of damage if exploited, organizations are warned to patch these vulnerabilities without further delay.
The above vulnerabilities have a maximum predictive rating on our threat intelligence platform, indicating attackers are on the prowl for instances left unpatched.
Microsoft Fixes 62 vulnerabilities in November Patch Tuesday
On November 2022 Patch Tuesday, Microsoft fixed 62 vulnerabilities among which 6 vulnerabilities are actively exploited zero-days. There are 26 Privilege Escalation vulnerabilities and 15 RCE vulnerabilities.
The most notable ones are:
CVE-2022-41091 - Windows Mark of the Web vulnerability which is actively targeted by attackers. Along with this, another MoTW vulnerability (CVE not assigned) was also fixed.
CVE-2022-41040 - Windows Exchange Server vulnerability that is exploited by LockBit.
Our threat intelligence platform is tracking this vulnerability and it has been actively exploited since the 30th of September, 2022 and is rated as highly critical since then.
CVE-2022-41082 - Another Windows Exchange Server vulnerability that was exploited in the wild and also by the LockBit ransomware group. This was added to the CISA KEV catalog on September 30, 2022.
CVE-2022-41040 and CVE-2022-41082 are known as the ProxyNotShell vulnerabilities.
CVE-2022-41128 - A Windows Scripting Languages Remote Code Execution vulnerability which is used in phishing campaigns.
CISA Adds 7 Vulnerabilities to the KEV
After Microsoft released Patch Tuesday, CISA updated their KEV catalog with 4 of Microsoft’s vulnerabilities - CVE-2022-41091, CVE-2022-41073, CVE-2022-41125, and CVE-2022-41128. These vulnerabilities are currently exploited by the LocKBit ransomware gang and other threat actors. The 3 other CVEs (CVE-2021-25337, CVE-2021-25369, CVE-2021-25370) added to the KEV are Samsung mobile devices zero-days which are primarily used in phone spyware.
Malicious extension lets attackers control Google Chrome remotely
A malicious browser extension named Cloud9 that is capable of stealing cookies, clipboard data, installing malware on users’ devices, and even taking over the entire system.
Thus far, this extension has spread to many countries with impacted users from various organizations.
Threats to Watch Out For
VMWare Fixes Critical RCEs
CVE-2022-31685, CVE-2022-31686, CVE-2022-31687, CVE-2022-31688, and CVE-2022-31689 are critical vulnerabilities in Workspace ONE Assist solutionSolution. All these vulnerabilities allow bypass authentication and elevate privileges to admin. They have been rated as critical and on the CVSS scale. VMware released patches for these vulnerabilities and which they are available for Workspace ONE Assist 22.10 (89993) for Windows customers.
Critical Vulnerabilities in Citrix You Should Patch Now
Citix has announced fixes for vulnerabilities affecting Citrix Gateway, the SSL VPN provider and Citrix ADC, a load-balancing solution for cloud applications. The three vulnerabilities, CVE-2022-27510, CVE-2022-27513, and CVE-2022-27516 allow authentication bypass and remote take over of the devices. These products are used by enterprises all over the world and could critically impact services if exploited.
Lenovo Releases Patches for BYOVD Vulnerabilities
CVE-2022-3699, CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 are vulnerabilities in several Lenovo products such as the ThinkPad, Yoga laptop, etc. These vulnerabilities have the ability to disable the UEFI Secure Boot, a verification system that ensures no malicious code can be loaded and executed during the computer boot process. The vulnerabilities were caused due to the inclusion of an early development driver that could change secure boot settings from the OS in the final production versions. Lenovo has released patches for these flaws and urges users to patch them immediately as they are highly critical and can cause maximum damage.
Apple Releases Emergency Code Execution Patches
There are two vulnerabilities, CVE-2022-40303 and CVE-2022-40304 for which public exploits are not available. However, it is presumed that potential attackers are aware of these vulnerabilities and Apple has released emergency patches to avoid catastrophic attacks.
CVE-2022-40303 and CVE-2022-40304 are integer overflows addressed through improved input validation. If exploited, an attacker may be able to cause unexpected app termination or arbitrary code execution.
Patches Available for Critical and Moderate Grafana Vulnerabilities
Grafana’s latest update fixes CVE-2022-39328 (critical), CVE-2022-39307 (moderate), and CVE-2022-39306 (moderate) vulnerabilities. Ther
CVE-2022-39328 allows an unauthorized user to query arbitrary endpoints.
CVE-2022-39306 allows privilege escalation.
CVE-2022-39307 can be used to leak information to unauthenticated users and introduces a security risk.
Critical Vulnerabilities in OpenLiteSpeed Web Server
The open source web server OpenLiteSpeed has 3 vulnerabilities - CVE-2022-0072 (Directory Traversal, Medium Severity), CVE-2022-0073 (RCE, High Severity), CVE-2022-0074 (PE, High Severity).
Organizations using OpenLiteSpeed versions 1.5.11 up to 1.7.16 and LiteSpeed versions 5.4.6 up to 6.0.11 are advised to update their software to the latest matching release – v220.127.116.11 and 6.0.12.
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!