CSW's Threat Intelligence - October 24, 2022 - October 28, 2022

Posted on Oct 25, 2022 | Updated on October 28, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Threats

 

CISA Adds 6 More Vulnerabilities to the KEV

On Oct 24, 2022, CISA added two Cisco vulnerabilities (CVE-2020-3153, CVE-2020-3433) and four Gigabyte vulnerabilities (CVE-2018-19322, CVE-2018-19320, CVE-2018-19323, CVE-2018-19321) to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2020-3433, a vulnerability in the Cisco AnyConnect Secure Mobility Client, allows an attacker with valid credentials on Windows to execute code on the affected machine with SYSTEM privileges.

CVE-2020-3153, another AnyConnect Secure Mobility Client vulnerability, stems from incorrect handling of directory paths. An attacker with valid credentials on Windows could copy malicious files to arbitrary locations with system-level privileges, enabling DLL pre-loading, DLL hijacking, and related attacks.

These CVEs are actively exploited by the OldGremlin ransomware group.

CVE-2018-19320 is a Gigabyte vulnerability that could allow a local attacker to take complete control of the affected system. 

Our security experts have deemed this vulnerability as a critical ransomware threat. You can read more about this in the latest Ransomware Report.

CVE-2018-19322, CVE-2018-19323, and CVE-2018-19321 could be leveraged in a number of ways to ultimately run code with elevated privileges.

 

CVE Details

CVE | CVSS V3 Score | CVSS V2 Score | Exploit Type | CWE ID | Affected Product Count | Ransomware Associations | APT Groups | Link
--- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2020-3433 | 7.8 | 7.2 | RCE, PE, WebApp | CWE-427 | 1 | OldGremlin | N/A | Download
CVE-2020-3153 | 6.5 | 4.9 | RCE, PE, WebApp | CWE-427 | 1 | OldGremlin | N/A | Download
CVE-2018-19323 | 9.8 | 9 | N/A | N/A | 4 | BlackByte | N/A | 
CVE-2018-19322 | 7.8 | 4.6 | N/A | CWE-749 | 4 | BlackByte | N/A | 
CVE-2018-19321 | 7.8 | 7.2 | N/A | N/A | 4 | BlackByte | N/A | 
CVE-2018-19320 | 7.8 | 7.2 | PE | N/A | 4 | Robinhood, AvosLocker, BlackByte | N/A | 
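As an added example (not CSW's tooling), the script below shows how a defender might fold KEV membership, KEV due dates and the ransomware associations from the table above into a remediation queue. The KEV excerpt is constructed to mirror the public feed's field names; its dates and the assumed inventory are illustrative.

```python
import json
from datetime import date
# Constructed excerpt shaped like CISA's KEV JSON feed (field names follow the
# public feed; dates are illustrative, not copied from CISA).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2020-3433", "vendorProject": "Cisco", "dateAdded": "2022-10-24", "dueDate": "2022-11-14"},
  {"cveID": "CVE-2020-3153", "vendorProject": "Cisco", "dateAdded": "2022-10-24", "dueDate": "2022-11-14"},
  {"cveID": "CVE-2018-19320", "vendorProject": "Gigabyte", "dateAdded": "2022-10-24", "dueDate": "2022-11-14"},
  {"cveID": "CVE-2022-24521", "vendorProject": "Microsoft", "dateAdded": "2022-04-15", "dueDate": "2022-05-03"}
]}"""

# CVEs assumed present in an environment: CVSS v3 score and the ransomware
# groups this digest's tables associate with each.
INVENTORY = {
    "CVE-2020-3433": (7.8, ["OldGremlin"]),
    "CVE-2020-3153": (6.5, ["OldGremlin"]),
    "CVE-2018-19320": (7.8, ["Robinhood", "AvosLocker", "BlackByte"]),
    "CVE-2022-24521": (7.8, []),
    "CVE-2022-26500": (8.8, []),
}

def load_kev(raw: str) -> dict:
    """Index a KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def remediation_queue(inventory: dict, kev: dict, today: date) -> list:
    """Tier 1: in KEV and past due. Tier 2: in KEV, not yet due. Tier 3:
    ransomware-linked but not in KEV. Tier 4: the rest. Within a tier,
    ransomware-linked first, then higher CVSS v3 first."""
    rows = []
    for cve, (cvss, groups) in inventory.items():
        entry = kev.get(cve)
        days_past_due = None  # stays None when the CVE is not in KEV
        if entry:
            days_past_due = (today - date.fromisoformat(entry["dueDate"])).days
            tier = 1 if days_past_due > 0 else 2
        else:
            tier = 3 if groups else 4
        rows.append({"cve": cve, "tier": tier, "cvss": cvss,
                     "ransomware": groups, "days_past_due": days_past_due})
    rows.sort(key=lambda r: (r["tier"], not r["ransomware"], -r["cvss"], r["cve"]))
    return rows

def demo_queue() -> list:
    """Queue as of 2022-10-28, the date of this digest."""
    return remediation_queue(INVENTORY, load_kev(KEV_JSON), date(2022, 10, 28))
if __name__ == "__main__":
    for r in demo_queue():
        print(r["tier"], r["cve"], r["cvss"], r["days_past_due"], ", ".join(r["ransomware"]))
```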

 

 

 

Vice Society Uses Zeppelin Variant to Attack Schools

Vice Society, a ransomware group, has been deemed a threat to the education sector by the FBI and CISA. The group, which previously used Zeppelin, Cobalt Strike, and BlackCat to attack schools, has developed a variant of Zeppelin and used this malware in its latest attacks between July and October 2022, which heavily impacted the education sector. In these attacks ransomware was not used; instead, malware strains from Quantum Locker and Zeppelin were used to extract data. In many attacks, Vice Society stages its ransomware payloads in a hidden share on a Windows system, for example one accessed via a share name containing "$". Vice Society also abuses PowerShell scripts to conduct a variety of malicious activities and make system-related changes within compromised networks.

CVE-2022-24521 was exploited in the latest Vice Society attacks.

CVE Details

CVE: CVE-2022-24521
CVSS Score: 7.8 (v3)
Affected Product Count: 20
APT Group: Tropical Scorpius
Patch: Download
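A defender-side check for the hidden-share staging described above, added here as an example (not part of the original post or any vendor tooling): it scans Windows Security event 5142 records ("A network share object was added") for newly created "$" shares that are not Windows' default administrative shares. The event records are constructed.

```python
import re

# Windows' built-in administrative shares are hidden too; exclude them so the
# check only fires on operator-created "$" shares.
DEFAULT_HIDDEN_SHARES = {"ADMIN$", "IPC$", "PRINT$", "FAX$"}
DRIVE_ROOT_SHARE = re.compile(r"^[A-Z]\$$")  # C$, D$, ...

# Constructed records modelled on Security event 5142 ("A network share object
# was added"); field names mirror that event's XML, all values are invented.
SAMPLE_EVENTS = [
    {"EventID": 5142, "Computer": "FS01", "SubjectUserName": "Administrator",
     "ShareName": r"\\*\ADMIN$", "ShareLocalPath": r"C:\Windows"},
    {"EventID": 5142, "Computer": "FS01", "SubjectUserName": "Administrator",
     "ShareName": r"\\*\C$", "ShareLocalPath": "C:\\"},
    {"EventID": 5142, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\tmp$", "ShareLocalPath": r"C:\Users\Public\stage"},
    {"EventID": 5142, "Computer": "FS02", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\Finance", "ShareLocalPath": r"D:\Finance"},
    {"EventID": 4688, "Computer": "FS02", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

def share_basename(share_name: str) -> str:
    # ShareName is logged as \\*\<name>; keep only <name>.
    return share_name.rsplit("\\", 1)[-1]

def is_default_hidden(name: str) -> bool:
    up = name.upper()
    return up in DEFAULT_HIDDEN_SHARES or bool(DRIVE_ROOT_SHARE.match(up))

def find_suspicious_hidden_shares(events: list) -> list:
    """Return 5142 events creating a hidden share that is not a Windows
    default, with the fields an analyst needs to triage the staging host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5142:
            continue
        name = share_basename(ev["ShareName"])
        if not name.endswith("$") or is_default_hidden(name):
            continue
        hits.append({"host": ev["Computer"], "user": ev["SubjectUserName"],
                     "share": name, "path": ev["ShareLocalPath"]})
    return hits

if __name__ == "__main__":
    for h in find_suspicious_hidden_shares(SAMPLE_EVENTS):
        print(f"{h['host']}: {h['user']} created hidden share {h['share']} -> {h['path']}")
```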

 

 

New LV Ransomware Exploits ProxyShell in Attacks

 

LV ransomware has been active since 2020 and primarily aims to monetize ransomware activities. Its RaaS operations have targeted corporations around the world, in particular in North America, Europe, and Asia. It may be based on the REvil v2.03 beta version, with a modified configuration in the binary.

In their attacks, the operators abuse vulnerabilities in ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065), dropping web shell files to gain access. Next, they execute persistent malicious PowerShell code that downloads and executes another PowerShell backdoor file on the server. For the credential access and lateral movement phases, the LV ransomware group uses Mimikatz to dump credentials, while NetScan and Advanced Port Scanner are used for discovery.

After laying low from February to May this year, they have again ramped up attacks on government agencies and corporations. A Jordan-based company is the latest victim of LV ransomware.

CVE Details

CVE | CVSS V3 Score | CVSS V2 Score | Exploit Type | CWE ID | Affected Product Count | Ransomware Associations | APT Groups | Link
--- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-34473 | 9.8 | 10 | RCE, PE, DoS, WebApp, Other | CWE-918 | 5 | BianLian, BlackCat, Babuk, LockFile, LV, Conti, AvosLocker, BlackByte, Hive, Karma | TR, Witchetty, OilRig, Tropical Scorpius, ChamelGang, Bronze Starlight, DEV-0270 | Download
CVE-2021-34523 | 9.8 | 7.5 | RCE, PE, DoS, WebApp, Other | CWE-287 | 5 | BianLian, BlackCat, Babuk, LockFile, LV, Conti, AvosLocker, BlackByte, Hive, Karma | TR, Witchetty, OilRig, Tropical Scorpius, ChamelGang, Worok, DEV-0270 | Download
CVE-2021-31207 | 7.2 | 6.5 | RCE, PE, DoS, WebApp, Other | CWE-22 | 5 | BianLian, BlackCat, Babuk, LockFile, LV, Conti, AvosLocker, BlackByte, Hive, Karma | TR, Witchetty, OilRig, Tropical Scorpius, ChamelGang, DEV-0270 | Download
CVE-2021-26855 | 9.8 | 7.5 | RCE, PE, WebApp, Other | CWE-918 | 24 | DearCry, Epsilon Red, Conti, Black Kingdom, AvosLocker, Hive | TR, Winnti Group, Threat Group-3390, Tonto Team, Witchetty, FamousSparrow, DEV-0270, HAFNIUM, Calypso, Tropical Scorpius, ToddyCat, APT29, BRONZE BUTLER, Mustang Panda | Download
CVE-2021-27065 | 7.8 | 6.8 | RCE, PE, WebApp, Other | CWE-22 | 23 | DearCry, Babuk, Black Kingdom, Epsilon Red, Hive | TR, Winnti Group, Threat Group-3390, Tonto Team, Witchetty, FamousSparrow, DEV-0270, HAFNIUM, Calypso, Tropical Scorpius, ToddyCat, BRONZE BUTLER, Mustang Panda | Download

 

 

Raspberry Robin Worm Facilitates Pre-Ransomware Activity

A threat group tracked as DEV-0950 (which overlaps with FIN11 and TA505) used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm. From this infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, with a Truebot infection observed between the Raspberry Robin and Cobalt Strike stages. The Raspberry Robin infections are believed to have been distributed via malicious ads and emails. Raspberry Robin has also been reported spreading to Windows systems through infected USB drives containing a Windows shortcut (LNK) file disguised as a folder. The worm allows the threat actor to deliver payloads to existing infections and move campaigns more quickly to the ransomware stage.

Raspberry Robin is associated with another malware family known as Fauppod, which is also used to deliver the FakeUpdates JavaScript backdoor for further malicious activity. Both malware families are evolving into complex threats that could increase the severity of cyber attacks.

 


Threats to Watch Out For

 

CVE-2022-20822: Unpatched Cisco Vulnerability

CVE-2022-20822 is a path traversal vulnerability in the web-based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that they should not have access to. Cisco published a security advisory with a hot fix; there is no workaround or patch yet.


 

Apple Fixes New Zero-Day Used in Attacks against iPhones, iPads

CVE-2022-42827 is an actively exploited zero-day vulnerability affecting iPhones and iPads. It is caused by an out-of-bounds write issue in the kernel and could lead to arbitrary code execution. Apple released an update for this vulnerability.

On Oct 25, 2022, CISA added this vulnerability to the KEV.

 

 

Pre-Authenticated RCE Vulnerabilities in VMware NSX Manager

CVE-2015-3253, CVE-2021-39144, and CVE-2022-31678 are deserialization vulnerabilities: an attacker can send a specially crafted XStream marshalled payload containing a dynamic proxy and trigger remote code execution in the context of root.

Here are the CVE Details:

CVE | CVSS V3 Score | CVSS V2 Score | Exploit Type | CWE ID | Affected Product Count | Ransomware Associations | APT Groups | Link
--- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2015-3253 | 9.8 | 7.5 | N/A | CWE-74, CWE-284, CWE-502 | 120 | N/A | N/A | Download
CVE-2021-39144 | 8.5 | 6 | N/A | CWE-502, CWE-94 | 36 | N/A | N/A | Download

 

 

Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication

CVE-2022-26500, CVE-2022-26501, and CVE-2022-26504 are critical vulnerabilities in Veeam Backup & Replication, which is used to back up virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors. Recently, many threat actors have been advertising a fully weaponized remote code execution tool that exploits these Veeam vulnerabilities. The tool, named Veeamp, is used by the Monti and Yanluowang ransomware groups to dump credentials from the SQL database of the Veeam backup management software.

 

CVE Details

CVE | CVSS V3 Score | CVSS V2 Score | Exploit Type | CWE ID | Affected Product Count | Ransomware Associations | APT Groups | Link
--- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2022-26500 | 8.8 | 6.5 | N/A | CWE-22 | 12 | N/A | N/A | Download
CVE-2022-26501 | 9.8 | 10 | RCE, WebApp | CWE-863 | 10 | N/A | N/A | Download
CVE-2022-26504 | 8.8 | 9 | N/A | CWE-287 | 12 | N/A | N/A | Download

 

 

Leeloo Multipath: Authorization Bypass and Symlink Attack in multipathd

The multipathd daemon, the component affected by the Leeloo Multipath vulnerabilities, oversees checking for failed paths and runs as root in the default installation of Linux operating systems such as Ubuntu Server. Three vulnerabilities in multipathd, CVE-2022-41974, CVE-2022-41973, and an undisclosed vulnerability, can lead to root-level privilege escalation on a vulnerable host.

Qualys is working on a patch for these vulnerabilities and will soon publish a security advisory.

 

 

Multiple Critical Vulnerabilities in Aruba Products 

Aruba released a security advisory with patches for several vulnerabilities in their products.

CVE-2022-37903 - Authenticated Remote Command Execution via Arbitrary File Write (could lead to complete compromise of the host system)

CVE-2022-37904, CVE-2022-37905 - Authenticated Boot Sequence Modification in ArubaOS (could allow an attacker to achieve permanent modification of the OS)

CVE-2022-37906 - Authenticated Path Traversal in ArubaOS Command Line Interface (allows an attacker to delete arbitrary files on the OS)

CVE-2022-37907 - Denial of Service in ArubaOS Bootloader (can cause a system hang that can only be resolved via a power cycle of the impacted controller)

CVE-2022-37908 - Authenticated Compromise of Bootloader Integrity (can compromise the hardware chain of trust on the impacted controller)

CVE-2022-37909 - ArubaOS Sensitive Information Disclosure (can lead to sensitive information disclosure from the configured ESSIDs)

CVE-2022-37910 - Authenticated Buffer Overflow in ArubaOS Command Line Interface (can lead to denial of service on the affected system)

CVE-2022-37911 - Authenticated XML External Entity (can lead to denial of service on the affected system)

 

 

CVE-2022-34718: Have you patched it right?

CVE-2022-34718 is a critical vulnerability that is exploited in the wild. It allows remote code execution by an unauthenticated attacker, with no user interaction, on receipt of a specially crafted IPv6 packet, but only if the target system is running IPsec.

A patch was released first in August and again in September, but the patched code still contained a vulnerability in the TCP/IP stack that allowed code execution. Microsoft has therefore released a mitigation guide and urged users to follow it.

 

 

Jira Align Vulnerabilities Allow Super Admin Privileges to Attackers

CVE-2022-36802, an authorization control flaw, and CVE-2022-36803, a server-side request forgery (SSRF) flaw, allow low-privileged malicious actors to gain super admin privileges upon exploitation. This is very dangerous as super admin privileges allow access to the entire Jira deployment architecture. Thus far there are no signs of exploitation in the wild. There are no official patches for these vulnerabilities.

 

 

CVE-2022-3723: Google Fixes Another Zero-Day Flaw

CVE-2022-3723 is a high-severity type confusion bug in the Chrome V8 JavaScript engine. It enables an attacker to read sensitive information belonging to other apps, cause crashes, or execute arbitrary code. This is the seventh zero-day vulnerability Google has fixed this year, and it is already exploited in the wild.

Google released a patch for this bug.

 

Check out this section to track how these threats evolve!

 

We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

 

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.
