This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
Threats to watch out for
- Three Vulnerabilities Leading to Proxy Related Attacks in Microsoft Exchange
- CVE-2022-35829 – Microsoft Azure SFX Bug
- CVE-2022-42889: Apache Commons Text RCE
- CVE-2022-35698: Highly-Critical Magento Vulnerability
- Mark of the Web (MotW) Zero-Day gets a Patch
- FLEXlm and Citrix ADM Denial of Service Vulnerability
Trending Threats
- CVE-2022-41352 and CVE-2021-3493 are Added to CISA’s KEV
- OldGremlin Ransomware Group Launches New Attack Campaigns
- CVE-2022-22954 Targeted in Multiple Malware Campaigns
- FBI Issues Warning Against Iranian Cyber Group Emennet Pasargad
Threats to Watch out for
Three Vulnerabilities Leading to Proxy Related Attacks in Microsoft Exchange
CVE-2021-33768, CVE-2022-21979 and CVE-2021-26414 are Microsoft Exchange Server bugs that enable proxy-related attacks. They have existed since 2021, and Microsoft shipped fixes in Exchange Server 2019 CU12 and Exchange Server 2016 CU23 on April 20, 2022. However, the protection those fixes rely on (Windows Extended Protection on the Exchange virtual directories) is not enabled by default, and Microsoft only published the steps to turn it on with the August 9, 2022 security update. Until it is enabled, an attacker can bypass Exchange authentication or, in the worst case, obtain code execution without user interaction. Installing the CU is therefore not enough on its own: confirm that the hardening has actually been switched on after patching.
CVE Details
| CVE | CVSS V3 Score | CVSS V2 Score | Affected Product Count | Patch |
|---|---|---|---|---|
| CVE-2021-33768 | 8 | 5.2 | 4 | |
| CVE-2022-21979 | 5.7 | N/A | 5 | |
| CVE-2021-26414 | 6.5 | 4.3 | 36 | |
CVE-2022-35829 – Microsoft Azure SFX Bug
CVE-2022-35829 is a spoofing vulnerability in Service Fabric Explorer (SFX) that could let an attacker gain full administrator permissions and hijack an Azure Service Fabric cluster. It affects only the older, unsupported SFXv1 web client; the current default web client, SFXv2, is not vulnerable. No exploitation in the wild has been reported so far.
CVE Details
CVE : CVE-2022-35829
CVSS Score : 4.8 (v3)
Affected Product Count : 1
Patch : Download
Service Fabric customers should upgrade to the latest SFX version and must not switch back to the vulnerable SFXv1 web client.
CVE-2022-42889: Apache Commons Text RCE
A proof of concept is available for a critical Apache Commons Text vulnerability (CVSS v3 9.8). The flaw allows remote code execution in web applications that pass user-controlled input through the library's string interpolation. It is only reachable where an application uses StringSubstitutor's default interpolator in Commons Text 1.5 through 1.9, in which the script, DNS and URL lookups are enabled by default, which limits the number of exploitable deployments. Apache released a security advisory together with version 1.10.0, which disables those lookups by default.
CVE Details
CVE : CVE-2022-42889
CVSS Score : 9.8 (v3)
Affected Product Count : 1
CWE ID : CWE-94, CWE-1188
Patch : Download
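As an added example (not code from this page or from the Apache project), the following Python triage helper shows what a "vulnerable configuration" looks like in practice: it flags the default-enabled lookups named in the Apache advisory in strings that are headed for StringSubstitutor, and checks a commons-text version against the affected range. The version range and lookup names come from the Apache advisory; the sample inputs are constructed for the demonstration.

```python
import re

# Scope of CVE-2022-42889: in Apache Commons Text 1.5 through 1.9 the interpolator
# returned by StringSubstitutor.createInterpolator() enables the "script", "dns" and
# "url" lookups by default, so a template string an attacker controls can run code,
# resolve DNS names or fetch URLs. Version 1.10.0 leaves them off unless configured.
DANGEROUS_LOOKUPS = frozenset({"script", "dns", "url"})
FIRST_VULNERABLE = (1, 5)   # inclusive
FIRST_FIXED = (1, 10)       # 1.10.0

# "${prefix:" with optional whitespace; lookup names are matched case-insensitively.
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z]+)\s*:", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'1.10.0' -> (1, 10, 0): compare numerically, not as strings ('1.9' > '1.10')."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when commons-text 1.5 <= version < 1.10.0."""
    major_minor = parse_version(version)[:2]
    return FIRST_VULNERABLE <= major_minor < FIRST_FIXED


def find_lookups(text: str) -> list:
    """Lookup prefixes used in text, lower-cased, in order of appearance."""
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(text)]


def classify_input(text: str) -> str:
    """Triage a string that is about to reach StringSubstitutor.replace().

    'exploit'    : a lookup that executes code or reaches the network
    'suspicious' : any ${...} interpolation at all. Commons Text resolves nested
                   lookups, so ${${lower:S}cript:...} builds the prefix at run time
                   and only the outer, harmless-looking prefix is visible here.
    'clean'      : no interpolation syntax
    """
    prefixes = find_lookups(text)
    if DANGEROUS_LOOKUPS & set(prefixes):
        return "exploit"
    if prefixes or "${" in text:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    # Constructed inputs for the demonstration; the first has the well-known
    # script-lookup shape from the public proof of concept.
    samples = [
        "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}",
        "${${lower:S}cript:javascript:1+1}",
        "${date:yyyy-MM-dd}",
        "Order #1234 shipped",
    ]
    for s in samples:
        print(f"{classify_input(s):10s} {s}")
    for v in ("1.4", "1.5", "1.9", "1.10.0"):
        state = "vulnerable" if is_vulnerable_version(v) else "not in range"
        print(f"commons-text {v}: {state}")
```

Treat "suspicious" as a reason to reject, not merely to log, wherever the template text is attacker-controlled: the nested-lookup case is why allow-listing prefixes alone is not enough. The real fix is upgrading to 1.10.0, or building the interpolator with an explicit set of lookups that omits script, dns and url.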
CVE-2022-35698: Highly-Critical Magento Vulnerability
Users of Adobe Magento should be aware of CVE-2022-35698, a cross-site scripting (XSS) vulnerability that Adobe rates as critical. If exploited, it could allow attackers to fully compromise an e-commerce platform, and more than 267,000 active e-commerce websites are built on Magento.
CVE Details
CVE : CVE-2022-35698
CVSS Score : 5.4 (v3)
Affected Product Count : 8
CWE ID : CWE-79
Patch : Download
Adobe published a security advisory with the patch for this vulnerability and recommends applying it immediately.
Mark of the Web (MotW) Zero-Day gets a Patch
Windows attaches the Mark of the Web (MotW) label to files downloaded from untrusted sources, and features such as Office Protected View and SmartScreen rely on that label to decide whether to open a file in a restricted mode or warn the user. A zero-day bypass in Windows lets an attacker craft a ZIP archive downloaded from the Internet so that the files extracted from it are not labeled, which means a malicious document inside the archive opens without those protections. Microsoft has not released a fix yet; the zero-day has received an unofficial patch from the 0patch platform (a free service that releases micropatches).
To install the micropatches on a Windows device, register a 0patch account and install its agent. Until an official fix ships, it is worth checking that files pulled out of downloaded archives still carry the Zone.Identifier stream before trusting them.
FLEXlm and Citrix ADM Denial of Service Vulnerability
Citrix ADM (Application Delivery Management) addressed two vulnerabilities, CVE-2022-27511 and CVE-2022-27512, in a security advisory released on June 27, 2022. Both can be used to cause a denial of service on affected systems. However, the patches provided in the advisory do not sufficiently prevent exploitation.
CVE Details
| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
|---|---|---|---|---|---|---|
| CVE-2022-27511 | 8.1 | 7.8 | N/A | CWE-863, CWE-284 | 2 | |
| CVE-2022-27512 | 5.3 | 5 | N/A | CWE-664, CWE-416 | 2 | |
Citrix ADM users are advised to contact Revenera (the vendor of FLEXlm) and Citrix for direct guidance on mitigating these vulnerabilities.
Trending Threats
CVE-2022-41352 and CVE-2021-3493 are Added to CISA’s KEV
On October 20, 2022, CISA added CVE-2022-41352 and CVE-2021-3493 to its Known Exploited Vulnerabilities (KEV) catalog because both are being actively exploited.
CVE-2022-41352: A Zimbra Collaboration Suite (ZCS) zero-day that was exploited before a fix existed; Zimbra released a patch recently, after the exploitation became public. CISA had already warned that threat actors exploiting other ZCS vulnerabilities might jump at this new opportunity, and the CVE has now been added to the list. The flaw gives remote code execution through Amavis, the content filter ZCS uses to scan inbound email: Amavis unpacks attachments with cpio, and a crafted archive can make cpio write files outside its extraction directory. Zimbra's interim workaround was to install pax so that Amavis uses it instead of cpio.
We had recommended that this CVE be added to the CISA KEV list two weeks ago, when it first started trending.
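The cpio weakness behind CVE-2022-41352 is an archive-extraction problem: a crafted archive persuades the extractor to write outside its working directory, via traversal components, absolute paths, or a symlink that a later member writes through. The following is an added example, not code from Zimbra, Amavis or this page, that checks an archive's member list for that whole class of entry before anything is unpacked; it generalizes beyond the cpio case to any tar-style extractor. The archive contents are constructed for the demonstration.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar: tarfile.TarFile) -> list:
    """List (member name, reason) for every entry that a naive extractor such as
    'cpio -id' would write outside its working directory.

    Checked:
      * absolute names and '..' traversal in the member path
      * symlinks / hardlinks whose target resolves outside the root
      * files whose path passes through an earlier escaping symlink, which is how a
        'symlink, then write through it' archive plants a file at the link target
    """
    escaping_links = set()
    findings = []
    for m in tar.getmembers():
        name = m.name
        norm = posixpath.normpath(name)
        if name.startswith("/") or norm == ".." or norm.startswith("../"):
            findings.append((name, "path escapes extraction root"))
            continue
        if m.issym() or m.islnk():
            target = m.linkname
            if m.issym() and not target.startswith("/"):
                # symlink targets are relative to the link's own directory
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(norm), target))
            else:
                # hardlink targets are archive-root relative; absolute targets stay as is
                resolved = posixpath.normpath(target)
            if resolved.startswith("/") or resolved == ".." or resolved.startswith("../"):
                findings.append((name, f"link target {target!r} escapes extraction root"))
                escaping_links.add(norm)
            continue
        # A regular file written 'through' a link lands wherever the link points.
        parts = norm.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in escaping_links:
                findings.append((name, f"written through escaping symlink {prefix!r}"))
                break
    return findings


def scan_archive_bytes(data: bytes) -> list:
    """Open an in-memory tar archive and return its unsafe members."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar)


def build_sample_archive() -> bytes:
    """Constructed archive for the demonstration, not a real attachment."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("attachment/report.txt")     # benign
        add_file("../outside.txt")            # classic traversal
        add_file("/tmp/absolute.txt")         # absolute path
        link = tarfile.TarInfo("pivot")       # symlink out of the extraction dir...
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp/target"
        tar.addfile(link)
        add_file("pivot/dropped.txt")         # ...then a file written through it
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive_bytes(build_sample_archive()):
        print(f"REJECT {name!r}: {reason}")
```

The check runs over the member list only, so it can gate an attachment before any extractor, cpio included, touches the data. Python 3.12 ships the same policy as tarfile.data_filter for its own extraction; it is spelled out here because the decision has to happen before a third-party tool does the unpacking.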
CVE-2021-3493: This vulnerability was exploited by the Shikitega Linux malware, reported more than a month ago. It is a local privilege escalation in the OverlayFS implementation of Ubuntu's Linux kernel: an unprivileged local user, or malware that already has a foothold, can use it to gain root.
CVE Details
| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
|---|---|---|---|---|---|---|
| CVE-2022-41352 | 9.8 | N/A | N/A | CWE-434 | 2 | |
| CVE-2021-3493 | 7.8 | 7.2 | RCE, PE, Other | CWE-269, CWE-270, CWE-552 | 3 | |
Organizations are recommended to patch both vulnerabilities immediately to avoid an untoward incident.
OldGremlin Ransomware Group Launches New Attack Campaigns
OldGremlin, a ransomware group targeting Russian businesses, has been active since 2020. Since then it has carried out 16 successful attacks, with ransom demands reaching $16.9 million. The group gains initial access with well-crafted phishing emails disguised as interview requests, commercial proposals and financial documents. While its primary targets have been Windows systems, it has also attacked Linux hosts, using Cobalt Strike and open-source frameworks such as PowerSploit along the way. OldGremlin has also exploited Cisco AnyConnect vulnerabilities for privilege escalation.
The group has attacked banks, logistics, and manufacturing companies, insurance firms, retailers, real estate developers, software companies and most recently, an arms manufacturer.
The CVEs exploited by OldGremlin Ransomware are:
| CVE | CVSS V3 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
|---|---|---|---|---|---|
| CVE-2020-3153 | 6.5 | RCE, PE, WebApp | CWE-427 | 1 (Cisco AnyConnect Secure Mobility Client for Windows) | |
| CVE-2020-3433 | 7.8 | RCE, PE, WebApp | CWE-427 | 1 (Cisco AnyConnect Secure Mobility Client for Windows) | |
CVE-2022-22954 Targeted in Multiple Malware Campaigns
CVE-2022-22954 is a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that lets an unauthenticated attacker inject a payload and achieve remote code execution. Recently it has been targeted by multiple threat actors deploying various malware strains, among them Mirai, RAR1Ransom and GuardMiner.
Mirai targets exposed Linux-based network devices. RAR1Ransom abuses the legitimate WinRAR binary to lock victims' files in password-protected archives, and GuardMiner, an XMRig variant, mines the Monero cryptocurrency.
CVE-2022-22954 was patched back in April 2022, but a number of VMware deployments are still unpatched and are being targeted.
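Because the campaigns above go after instances that are still unpatched, the useful question for defenders is whether anyone has already tried the injection against theirs. The following is an added example, not code from this page or from VMware, that runs that check over web-server access logs. The endpoint and the FreeMarker class name it looks for come from public reporting on CVE-2022-22954 exploitation, not from this page, and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access log: only the client, timestamp, request target
# and status are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the endpoint and the FreeMarker class below are taken from public
# reporting on CVE-2022-22954 exploitation (the template injection is reached
# through the deviceUdid parameter of this URL); this page does not list them.
VULN_PATH = "/catalog-portal/ui/oauth/verify"
EXEC_MARKER = "freemarker.template.utility.Execute"


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until stable: scanners often double-encode ${ as %2524%257B."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str):
    """Return a finding for one request target ('/path?query') or None."""
    parts = urlsplit(target)
    if unquote(parts.path) != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    udid = decode_fully(" ".join(params.get("deviceUdid", [])))
    if EXEC_MARKER in udid:
        return {"severity": "high", "reason": "FreeMarker Execute in deviceUdid", "payload": udid}
    if "${" in udid:
        return {"severity": "medium", "reason": "template expression in deviceUdid", "payload": udid}
    return None


def scan_log(lines) -> list:
    """Run inspect_request over access-log lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2022:10:14:01 +0000] "GET /catalog-portal/ui/oauth/verify'
    '?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D'
    ' HTTP/1.1" 400 1532',
    '198.51.100.7 - - [20/Oct/2022:10:14:03 +0000] "GET /catalog-portal/ui/oauth/verify'
    '?error=&deviceUdid=%2524%257Bx%257D HTTP/1.1" 200 311',
    '192.0.2.9 - - [20/Oct/2022:10:15:00 +0000] "GET /catalog-portal/ui/oauth/verify'
    '?error=&deviceUdid=8f2a-legit HTTP/1.1" 200 311',
    '192.0.2.9 - - [20/Oct/2022:10:15:05 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['ts']} status={f['status']} "
              f"{f['reason']}: {f['payload']}")
```

The decode-until-stable step matters more than the signature itself: most of the misses in this kind of hunt come from payloads that were double-encoded, which a single-pass match on the raw log line never sees. A "medium" hit with no Execute marker is still worth a look, since it shows someone probing the template engine.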
CVE Details
| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
|---|---|---|---|---|---|---|
| CVE-2022-22954 | 9.8 | 10 | RCE | CWE-94 | 12 | |
| CVE-2020-28188 | 9.8 | 10 | N/A | CWE-78 | 1 | |
| CVE-2018-1000533 | 9.8 | 7.5 | Other | CWE-20 | 1 | N/A |
| CVE-2017-9841 | 9.8 | 7.5 | RCE, WebApp | CWE-94 | 3 | N/A |
| CVE-2019-20224 | 8.8 | 9 | N/A | CWE-78 | 1 | N/A |
| CVE-2022-22947 | 10 | 6.8 | RCE, DoS, WebApp | CWE-94 | 16 | |
| CVE-2020-21224 | 9.8 | 10 | N/A | CWE-88 | 1 | N/A |
| CVE-2022-26134 | 9.8 | 7.5 | RCE, WebApp, Other | CWE-74 | 14 | |
| CVE-2018-7700 | 8.8 | 6.8 | N/A | CWE-352 | 1 | N/A |
| CVE-2019-15107 | 9.8 | 10 | RCE, PE, WebApp | CWE-78 | 1 | |
| CVE-2018-7600 | 9.8 | 7.5 | RCE, WebApp | CWE-20 | 7 | |
| CVE-2020-7980 | 9.8 | 10 | RCE, WebApp | CWE-78 | 1 | N/A |
| CVE-2020-35476 | 9.8 | 7.5 | N/A | CWE-78 | 1 | N/A |
| CVE-2019-12725 | 9.8 | 10 | RCE, PE | CWE-78 | 1 | |
| CVE-2021-31805 | 9.8 | 7.5 | N/A | CWE-917 | 1 | |
| CVE-2019-16920 | 9.8 | 10 | N/A | CWE-78 | 4 | N/A |
FBI Issues Warning Against Iranian Cyber Group Emennet Pasargad
Emennet Pasargad is an Iranian cyber group that has targeted various entities in Israel and the US. The group is known to steal PII and other sensitive data and publish it on public sites or on its own website. It has operated under false-flag hacktivist personas such as Hackers of Savior and Deus and has conducted 5 attacks in total. The actors show a preference for websites running PHP code or with externally accessible MySQL databases, and use open-source penetration testing tools such as SQLmap and Acunetix as well as encryption malware. Most of Emennet's targets are large companies with significant traffic and a wide customer base.
The FBI has issued a list of recommendations for fending off attacks from this group. Details of the CVEs targeted by Emennet Pasargad are given below:
CVE Details
| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
|---|---|---|---|---|---|---|
| CVE-2019-0232 | 8.1 | 9.3 | RCE | CWE-78, CWE-20 | 29 | |
| CVE-2017-5963 | 6.1 | 4.3 | N/A | CWE-79 | 22 | N/A |
| CVE-2018-7600 | 9.8 | 7.5 | RCE, WebApp | CWE-20 | 7 | |
| CVE-2018-1000001 | 7.8 | 7.2 | RCE, PE | CWE-787, CWE-122 | 12 | N/A |
| CVE-2014-0160 | 7.5 | 5 | Other | CWE-119, CWE-201, CWE-130 | 43 | |
| CVE-2019-9546 | 9.8 | 7.5 | N/A | CWE-427 | 3 | N/A |
| CVE-2016-10033 | 9.8 | 7.5 | RCE, DoS, WebApp | CWE-77 | 3 | |
| CVE-2009-1151 | N/A | 7.5 | RCE, PE, WebApp, Other | CWE-94 | 41 | |
| CVE-2017-5930 | 2.7 | 3.5 | WebApp | CWE-862 | 3 | |
| CVE-2019-0708 | 9.8 | 10 | RCE, PE, DoS, Other | CWE-416 | 10 | |
| CVE-2017-0213 | 4.7 | 1.9 | RCE, PE, Other | N/A | 12 | |
| CVE-2018-8639 | 7.8 | 7.2 | Other | CWE-404 | 18 | |
| CVE-2017-14723 | 9.8 | 7.5 | N/A | CWE-89 | 1 | |
| CVE-2017-8295 | 5.9 | 4.3 | WebApp | CWE-640 | 1 | N/A |
| CVE-2017-14726 | 6.1 | 4.3 | N/A | CWE-79 | 1 | |
| CVE-2017-5611 | 9.8 | 7.5 | N/A | CWE-89 | 6 | |
| CVE-2019-0044 | 7.5 | 5 | N/A | CWE-404 | 53 | |
| CVE-2019-9621 | 7.5 | 5 | RCE, PE, WebApp | CWE-918 | 36 | |
| CVE-2021-44228 | 10 | 9.3 | RCE, DoS, WebApp, Other | CWE-400, CWE-502, CWE-20, CWE-917 | 379 | |
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.