CSW's Threat Intelligence - October 17, 2022 - October 21, 2022

Posted on Oct 18, 2022 | Updated on Oct 21, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.

Why play catch-up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Threats to Watch out for

Three Vulnerabilities Leading to Proxy-Related Attacks in Microsoft Exchange

CVE-2021-33768, CVE-2022-21979 and CVE-2021-26414 are bugs in Microsoft Exchange that could enable proxy-related attacks. The problem has existed since 2021, and Microsoft released patches for these in Exchange Server 2019 CU 12 and Exchange Server 2016 CU 23 on April 20, 2022. However, the fix was not enabled by default, and Microsoft only released methods to activate it on August 09, 2022. The impact of these vulnerabilities is that an attacker can bypass Exchange authentication or even gain code execution without user interaction.

CVE Details

| CVE | CVSS V3 Score | CVSS V2 Score | Affected Product Count | Patch |
| --- | --- | --- | --- | --- |
| CVE-2021-33768 | 8 | 5.2 | 4 | Download |
| CVE-2022-21979 | 5.7 | N/A | 5 | Download |
| CVE-2021-26414 | 6.5 | 4.3 | 36 | Download |

CVE-2022-35829 - Microsoft Azure SFX Bug

CVE-2022-35829 is a spoofing vulnerability in Service Fabric Explorer that could enable an attacker to gain full administrator permissions and hijack Azure Service Fabric clusters. The vulnerability is found in older, unsupported versions of Service Fabric Explorer (SFXv1); the current default SFX web client (SFXv2) is not vulnerable. There is no evidence of exploitation in the wild yet.


CVE Details

| CVE | CVSS Score | Affected Product Count | Patch |
| --- | --- | --- | --- |
| CVE-2022-35829 | 4.8 (v3) | 1 | Download |


Service Fabric customers are recommended to upgrade to the latest SFX version and not to switch back to the vulnerable SFXv1 web client.

CVE-2022-42889: Apache Commons Text RCE

A proof-of-concept is available for a critical Apache Commons Text vulnerability (CVSS v3 9.8). The flaw could allow remote code execution in web applications that accept user input. Fortunately, not many applications use the Apache Commons Text library in a vulnerable configuration that lets attackers execute code. Apache released a security advisory for this vulnerability.

CVE Details

| CVE | CVSS Score | Affected Product Count | CWE ID | Patch |
| --- | --- | --- | --- | --- |
| CVE-2022-42889 | 9.8 (v3) | 1 | CWE-94, CWE-1188 | Download |

CVE-2022-35698: Highly Critical Magento Vulnerability

Users of Adobe Magento should be aware of the highly critical cross-site scripting vulnerability tracked as CVE-2022-35698. If exploited, it could allow attackers to fully compromise e-commerce platforms, and more than 267,000 active e-commerce websites are built with Magento.

CVE Details

| CVE | CVSS Score | Affected Product Count | CWE ID | Patch |
| --- | --- | --- | --- | --- |
| CVE-2022-35698 | 5.4 (v3) | 8 | CWE-79 | Download |

Adobe published a security advisory with the patch for this vulnerability and recommends that it be patched immediately.

Mark of the Web (MotW) Zero-Day gets a Patch

Windows adds the Mark of the Web (MotW) label to all files downloaded from untrusted sources. However, a zero-day bypass flaw in Windows allows an attacker to prevent files extracted from ZIP archives downloaded from the Internet from receiving the label. This zero-day received an unofficial patch from the 0patch platform (a free security platform that releases micropatches), as Microsoft has not released a patch yet.

To install the micropatches on your Windows device, you need to register a 0patch account and install its agent.
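
As an added example (not from the original post or from 0patch), the PowerShell script below audits a folder of files extracted from a downloaded archive and reports which ones carry the Zone.Identifier alternate data stream that holds the Mark of the Web; the folder path is an assumed placeholder. Files that lack the stream after extraction from an Internet-downloaded ZIP are exactly what this bypass would produce.

```powershell
# Added example: audit extracted files for the Mark of the Web.
# Windows stores MotW in the NTFS alternate data stream "Zone.Identifier";
# a ZoneId of 3 (Internet) or 4 (Restricted) marks the file as untrusted.
# $ExtractedDir is an assumed placeholder; point it at your own extraction folder.
param(
    [string]$ExtractedDir = "$env:USERPROFILE\Downloads\extracted"
)

function Get-MotWStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream errors when the named stream is absent, so the error is
    # suppressed and a missing stream is reported as "no MotW".
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($stream) {
        # The stream is an INI-style text block containing a "ZoneId=<n>" line.
        foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
            if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1]; break }
        }
    }
    [pscustomobject]@{
        File    = $Path
        HasMotW = [bool]$stream
        ZoneId  = $zoneId
    }
}

$results = @(Get-ChildItem -LiteralPath $ExtractedDir -File -Recurse |
    ForEach-Object { Get-MotWStatus -Path $_.FullName })

$results | Format-Table -AutoSize

# Files with no Zone.Identifier are the ones a bypassed MotW leaves unlabelled;
# protections that key off the label will not treat them as Internet-sourced.
$unlabelled = @($results | Where-Object { -not $_.HasMotW })
"{0} of {1} extracted files lack the Mark of the Web" -f $unlabelled.Count, $results.Count
```

Run it against the extraction folder of a ZIP you downloaded from the Internet: on an unaffected system every extracted file should report HasMotW = True with ZoneId 3.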

 

 

FLEXlm and Citrix ADM Denial of Service Vulnerability

Citrix ADM (Application Delivery Management) addressed two vulnerabilities, CVE-2022-27511 and CVE-2022-27512, in its security advisory released on June 27, 2022. These vulnerabilities enable denial-of-service attacks against exploited systems. However, the patches provided in the advisory do not sufficiently prevent exploitation.

CVE Details

| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-27511 | 8.1 | 7.8 | N/A | CWE-863, CWE-284 | 2 | Download |
| CVE-2022-27512 | 5.3 | 5 | N/A | CWE-664, CWE-416 | 2 | Download |

Citrix ADM users are advised to contact Revenera and Citrix for direct guidance on mitigating these vulnerabilities.

Trending Threats

CVE-2022-41352 and CVE-2021-3493 are Added to CISA's KEV

On October 20, 2022, CISA added CVE-2022-41352 and CVE-2021-3493 to its Known Exploited Vulnerabilities (KEV) catalog because they are being actively exploited.

CVE-2022-41352: This is a zero-day vulnerability in Zimbra Collaboration Suite. A patch was released recently, following its active exploitation. CISA had already warned that threat actors exploiting other Zimbra Collaboration Suite vulnerabilities might jump at this newfound opportunity; now the CVE has been added to the list. The vulnerability allows remote code execution due to an error in the cpio method used by Zimbra's antivirus engine, Amavis, which scans inbound emails.

We had recommended that this CVE be added to the CISA KEV list two weeks ago, when it first started trending.

CVE-2021-3493: This vulnerability was exploited by malware known as Shikitega more than a month ago. CVE-2021-3493 is a Linux vulnerability that allows remote code execution and privilege escalation.

CVE Details

| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-41352 | 9.8 | N/A | N/A | CWE-434 | 2 | Download |
| CVE-2021-3493 | 7.8 | 7.2 | RCE, PE, Other | CWE-269, CWE-270, CWE-552 | 3 | Download |

Organizations are recommended to patch both vulnerabilities immediately to avoid an untoward incident.

OldGremlin Ransomware Group Launch New Attack Campaigns

OldGremlin, a ransomware group targeting Russian businesses, has been active since 2020. In three years, they have carried out 16 successful attacks and extracted more than $16.9 million in ransom. The group gains initial access with well-crafted phishing emails posing as interview requests, commercial proposals, and financial documents. While the primary targets have been Windows systems, they have also attacked Linux devices, using tools such as Cobalt Strike and open-source frameworks (e.g. PowerSploit) while doing so. OldGremlin has also exploited Cisco AnyConnect vulnerabilities for privilege escalation.

The group has attacked banks, logistics and manufacturing companies, insurance firms, retailers, real estate developers, software companies and, most recently, an arms manufacturer.

The CVEs exploited by OldGremlin Ransomware are:

| CVE | CVSS V3 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
| --- | --- | --- | --- | --- | --- |
| CVE-2020-3153 | 6.5 | RCE, PE, WebApp | CWE-427 | 1 (Cisco AnyConnect Secure Mobility Client for Windows) | Download |
| CVE-2020-3433 | 7.8 | RCE, PE, WebApp | CWE-427 | 1 (Cisco AnyConnect Secure Mobility Client for Windows) | Download |

CVE-2022-22954 Targeted in Multiple Malware Campaigns

CVE-2022-22954 is a VMware vulnerability that allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. Recently, it has been targeted by multiple malicious actors deploying various malware strains, among them Mirai, RAR1Ransom, and GuardMiner.

Mirai is used against exposed networking devices running Linux; RAR1Ransom abuses the legitimate WinRAR utility to encrypt files; and GuardMiner, a variant of XMRig, mines the Monero cryptocurrency.

CVE-2022-22954 was patched back in April 2022, but some VMware users still run vulnerable applications and are being targeted by attackers.

CVE Details

| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-22954 | 9.8 | 10 | RCE | CWE-94 | 12 | Download |
| CVE-2020-28188 | 9.8 | 10 | N/A | CWE-78 | 1 | Download |
| CVE-2018-1000533 | 9.8 | 7.5 | Other | CWE-20 | 1 | N/A |
| CVE-2017-9841 | 9.8 | 7.5 | RCE, WebApp | CWE-94 | 3 | N/A |
| CVE-2019-20224 | 8.8 | 9 | N/A | CWE-78 | 1 | N/A |
| CVE-2022-22947 | 10 | 6.8 | RCE, DoS, WebApp | CWE-94 | 16 | Download |
| CVE-2020-21224 | 9.8 | 10 | N/A | CWE-88 | 1 | N/A |
| CVE-2022-26134 | 9.8 | 7.5 | RCE, WebApp, Other | CWE-74 | 14 | Download |
| CVE-2018-7700 | 8.8 | 6.8 | N/A | CWE-352 | 1 | N/A |
| CVE-2019-15107 | 9.8 | 10 | RCE, PE, WebApp | CWE-78 | 1 | Download |
| CVE-2018-7600 | 9.8 | 7.5 | RCE, WebApp | CWE-20 | 7 | Download |
| CVE-2020-7980 | 9.8 | 10 | RCE, WebApp | CWE-78 | 1 | N/A |
| CVE-2020-35476 | 9.8 | 7.5 | N/A | CWE-78 | 1 | N/A |
| CVE-2019-12725 | 9.8 | 10 | RCE, PE | CWE-78 | 1 | Download |
| CVE-2021-31805 | 9.8 | 7.5 | N/A | CWE-917 | 1 | Download |
| CVE-2019-16920 | 9.8 | 10 | N/A | CWE-78 | 4 | N/A |

FBI Issues Warning Against Iranian Cyber Group Emennet Pasargad

Emennet Pasargad is an Iranian cyber group that has targeted various entities in Israel and the US. The group is known to steal PII and other sensitive data and publish them on public sites or its own website. It has operated under false-flag personas such as Hackers of Savior and Deus and has conducted 5 attacks in total. The actors typically prefer websites running PHP code or those with externally accessible MySQL databases. They also use open-source penetration testing tools such as SQLmap and Acunetix, as well as encryption malware. Most of Emennet's targets are large companies with significant traffic and a wide customer base.

The FBI has issued a list of recommendations for fending off attacks from this group. Given below are details of the CVEs targeted by Emennet Pasargad:

CVE Details

| CVE | CVSS V3 | CVSS V2 | Exploit Type | CWE ID | Affected Product Count | Patch Link |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-0232 | 8.1 | 9.3 | RCE | CWE-78, CWE-20 | 29 | Download |
| CVE-2017-5963 | 6.1 | 4.3 | N/A | CWE-79 | 22 | N/A |
| CVE-2018-7600 | 9.8 | 7.5 | RCE, WebApp | CWE-20 | 7 | Download |
| CVE-2018-1000001 | 7.8 | 7.2 | RCE, PE | CWE-787, CWE-122 | 12 | N/A |
| CVE-2014-0160 | 7.5 | 5 | Other | CWE-119, CWE-201, CWE-130 | 43 | Download |
| CVE-2019-9546 | 9.8 | 7.5 | N/A | CWE-427 | 3 | N/A |
| CVE-2016-10033 | 9.8 | 7.5 | RCE, DoS, WebApp | CWE-77 | 3 | Download |
| CVE-2009-1151 | N/A | 7.5 | RCE, PE, WebApp, Other | CWE-94 | 41 | Download |
| CVE-2017-5930 | 2.7 | 3.5 | WebApp | CWE-862 | 3 | Download |
| CVE-2019-0708 | 9.8 | 10 | RCE, PE, DoS, Other | CWE-416 | 10 | Download |
| CVE-2017-0213 | 4.7 | 1.9 | RCE, PE, Other | N/A | 12 | Download |
| CVE-2018-8639 | 7.8 | 7.2 | Other | CWE-404 | 18 | Download |
| CVE-2017-14723 | 9.8 | 7.5 | N/A | CWE-89 | 1 | Download |
| CVE-2017-8295 | 5.9 | 4.3 | WebApp | CWE-640 | 1 | N/A |
| CVE-2017-14726 | 6.1 | 4.3 | N/A | CWE-79 | 1 | Download |
| CVE-2017-5611 | 9.8 | 7.5 | N/A | CWE-89 | 6 | Download |
| CVE-2019-0044 | 7.5 | 5 | N/A | CWE-404 | 53 | Download |
| CVE-2019-9621 | 7.5 | 5 | RCE, PE, WebApp | CWE-918 | 36 | Download |
| CVE-2021-44228 | 10 | 9.3 | RCE, DoS, WebApp, Other | CWE-400, CWE-502, CWE-20, CWE-917 | 379 | Download |

We use our threat intelligence platform, driven by Artificial Intelligence (AI) and Machine Learning (ML) models, to analyze the vulnerabilities that hackers could potentially exploit. We continuously warn our customers about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.