CSW's Threat Intelligence - October 3, 2022 - October 7, 2022

Posted on Oct 3, 2022 | Updated on October 07, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Threats

CISA Shares a List of Top CVEs Exploited by Chinese APT groups

CISA shared a list of 20 vulnerabilities that have been associated with Chinese APT groups in the past. Of the 20 vulnerabilities, 16 are of critical severity and 4 of high severity.

CSW cybersecurity experts analyzed the data and were able to identify 48 Chinese APT groups abusing the vulnerabilities. The oldest threat groups, NetTraveler and RedStar, date back to as far as 2004. 

The vulnerabilities that have the largest impact footprint from the perspective of products affected are the HikVision vulnerability (CVE-2021-36260), with a total of 512 products impacted, and the infamous Log4J vulnerability (CVE-2021-44228) which comes in second with 156 impacted products. 

CSW cyber analysts and experts have called out all the vulnerabilities shared by CISA in our immersive blogs and detailed patchwatch editions. 

We urge all organizations to implement patches to these vulnerabilities to avoid being compromised by Chinese threat groups. 

CVE-2022-41352: New Zero-day RCE Vulnerability in Zimbra Collaboration Suite

The active exploitation of a new zero-day remote code execution vulnerability, tagged as CVE-2022-41352 and affecting Zimbra Collaboration Suite, was discovered in the wild this week. Zimbra has provided a workaround for the vulnerability, which means the issue itself is still unpatched!

The vulnerability lies in the way Zimbra's antivirus engine, Amavis, uses the cpio utility to unpack inbound emails. The workaround suggested by Zimbra involves installing the pax utility and restarting the service. The affected Linux distros include Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8 and CentOS 8. Notably, Ubuntu-based Zimbra installations are not vulnerable, as pax is installed there by default.

CISA has also warned that threat actors already exploiting other Zimbra Collaboration Suite vulnerabilities may jump at this newfound opportunity.

CSW cybersecurity analysts predict that the vulnerability will gain traction amongst threat actors in the coming months, and as a result, urge CISA to add the vulnerability to the KEV catalog soon.  
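
A small audit check for the workaround described above, written as an added example for this edition (it is not Zimbra's or CSW's code). It reads /etc/os-release to decide whether the host belongs to one of the four affected Linux 8 families and whether the pax utility is on the PATH. The ID strings assumed for those distros (ol, rhel, rocky, centos) and the "8" major version are assumptions about how they populate /etc/os-release; the restart step of Zimbra's workaround is not automated here.

```python
"""Classify a Zimbra host for the CVE-2022-41352 pax workaround.

Added example, not Zimbra's or CSW's code. Reads /etc/os-release and checks
whether pax is installed; the os-release ID values are assumptions.
"""
import shutil
from typing import Dict, Optional

# os-release ID values assumed for the distros the advisory lists as affected
AFFECTED_IDS = {"ol", "rhel", "rocky", "centos"}
AFFECTED_MAJOR = "8"


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse KEY=value lines of an os-release file into a dict (quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def is_affected_distro(fields: Dict[str, str]) -> bool:
    """True when ID is an affected family and VERSION_ID has major version 8."""
    distro_id = fields.get("ID", "").lower()
    major = fields.get("VERSION_ID", "").split(".")[0]
    return distro_id in AFFECTED_IDS and major == AFFECTED_MAJOR


def workaround_status(fields: Dict[str, str], pax_path: Optional[str]) -> str:
    """Return 'not-affected', 'workaround-present' or 'needs-pax' for the host."""
    if not is_affected_distro(fields):
        return "not-affected"
    return "workaround-present" if pax_path else "needs-pax"


def check_local_host() -> str:
    """Evaluate the machine this runs on: parse /etc/os-release, look for pax."""
    try:
        with open("/etc/os-release", encoding="utf-8") as f:
            fields = parse_os_release(f.read())
    except OSError:
        fields = {}
    return workaround_status(fields, shutil.which("pax"))


if __name__ == "__main__":
    print(check_local_host())
```

Run it on each Zimbra host; "needs-pax" means the distro matches the affected list and the utility Zimbra's workaround depends on is missing, so the advisory's steps still have to be applied there.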

Patch Urgently: FortiGate Firewalls and FortiProxy Web Proxies Affected by Critical Vulnerability

A critical severity vulnerability in FortiGate firewalls and FortiProxy web proxies, tracked as CVE-2022-40684, was discovered on October 7, 2022. The vulnerability is an authentication bypass flaw on the administrative interface that could allow remote attackers to log into unpatched devices.

CSW analysts urge all organizations to patch the vulnerability immediately to avoid any untoward incidents and upgrade their versions of FortiOS and FortiProxy to v7.0.7 and v7.2.2 respectively.

CVE ID        CVE-2022-40684
CVSS Score    10 (v3)
Exploit Type  RCE
CWE           CWE-88
Patch         Download

Lazarus Hackers Exploit Dell Driver Bug using FudModule Rootkit

In the last quarter of 2021, the North Korean APT group Lazarus launched a spear phishing campaign on EU targets. Among these are an aerospace expert in the Netherlands and a political journalist in Belgium whose devices were hacked and data stolen. 

The attackers exploited CVE-2021-21551 in a legitimate Dell driver through a Bring Your Own Vulnerable Driver (BYOVD) technique: a user-mode module drives the vulnerable driver to read and write kernel memory. The malicious payload was delivered in fake job-offer emails, which the victims opened and unwittingly downloaded.

The Dell hardware driver exploited in this attack is "dbutil_2_3.sys", which had five flaws that remained exploitable for 12 years before security updates were pushed for it.

The Lazarus gang is known for trojanizing open-source tools and is becoming more dangerous every day.

CVE           CVE-2021-21551
CVSS Score    7.8 (v3)
Exploit Type  RCE, PE, DoS
CWE           CWE-285
Patch         Download

BlackByte Ransomware now Abuses Driver Vulnerability

The BlackByte ransomware has been slowly but steadily expanding its attack arsenal, with its recent new data leak site that adopts extortion techniques borrowed from LockBit. 

Like the Lazarus group, BlackByte also uses the Bring Your Own Vulnerable Driver (BYOVD) evasion technique, abusing CVE-2019-16098 in the RTCore64.sys driver used by popular graphics cards. By exploiting this vulnerability, the attackers can disable over 1000 drivers that security products depend on. On successful exploitation, attackers can gain elevated privileges, execute malicious code, and steal information.

We warn of the vulnerabilities associated with the BlackByte group. Organizations are advised to patch these vulnerabilities as a priority and block malicious actors from entering and propagating through vulnerable networks.
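
Both the Lazarus and BlackByte items above turn on the same observable: a known-vulnerable driver being loaded on a host. The following detection logic is an added example (not code from this post or from any vendor) that flags loads of the two driver file names named in these two items. The telemetry lines are constructed for the example in a simplified key=value format; in production the same check would run over Sysmon Event ID 6 (Driver loaded) or equivalent EDR data. Matching on file name alone is an assumption made to keep the example short; because a driver file can be renamed, a real rule should also match on the file hash or Authenticode signer.

```python
"""Flag loads of the vulnerable drivers named in this report (BYOVD abuse).

Added example, not part of the original post. Sample log lines are constructed;
the key=value format is an assumption standing in for Sysmon/EDR driver-load events.
"""
import re
from typing import Dict, List

# Vulnerable driver file names named in this edition, with the reason to alert
WATCHED_DRIVERS = {
    "dbutil_2_3.sys": "CVE-2021-21551 (Dell dbutil driver, Lazarus FudModule)",
    "rtcore64.sys": "CVE-2019-16098 (RTCore64 graphics card driver, BlackByte)",
}

# Constructed sample telemetry: one event per line
SAMPLE_LOG = """\
ts=2022-10-05T09:12:01Z host=WS-0417 event=DriverLoad image=C:\\Windows\\System32\\drivers\\tcpip.sys signed=true
ts=2022-10-05T09:14:33Z host=WS-0417 event=DriverLoad image=C:\\Users\\Public\\dbutil_2_3.sys signed=true
ts=2022-10-05T09:20:10Z host=SRV-DB01 event=DriverLoad image=C:\\Windows\\Temp\\RTCore64.sys signed=true
ts=2022-10-05T09:21:45Z host=SRV-DB01 event=ProcessCreate image=C:\\Windows\\System32\\cmd.exe
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value telemetry line into a dict."""
    return dict(LINE_RE.findall(line))


def driver_basename(image_path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_byovd_loads(log_text: str) -> List[Dict[str, str]]:
    """Return the DriverLoad events whose image is one of the watched drivers."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("event") != "DriverLoad":
            continue
        name = driver_basename(ev.get("image", ""))
        if name in WATCHED_DRIVERS:
            hits.append({"host": ev.get("host", "?"), "ts": ev.get("ts", "?"),
                         "driver": name, "reason": WATCHED_DRIVERS[name]})
    return hits


if __name__ == "__main__":
    for hit in find_byovd_loads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']}: loaded {hit['driver']} -> {hit['reason']}")
```

Note that the sample marks both suspicious drivers as signed: in BYOVD the driver is a genuine vendor binary, so a valid signature is not evidence of safety, and the load path (a user or temp directory rather than the system drivers folder) is a useful secondary signal.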

CISA Adds Three New Vulnerabilities

In its latest update to the Known Exploited Vulnerabilities (KEV) catalog, CISA has added three more vulnerabilities, taking the total to 837. Two of them are the latest Microsoft zero days we warned about in our previous threat intelligence blog. The third is CVE-2022-36804, a vulnerability in Atlassian Bitbucket Server and Data Center, which CSW's customers were warned about 36 days before it was added to the KEV catalog.

CVE Details:

CVE              CVSS Score   Patch
CVE-2022-41082                Download
CVE-2022-41040                Download
CVE-2022-36804   8.8          Download

Read more on our analysis of CISA vulnerabilities and why it is important to patch them. 
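
One practical way to act on KEV additions is to cross-reference the catalog against your own inventory, as in the added example below (this is not CSW's platform code). CISA publishes the catalog as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, with a top-level "vulnerabilities" list whose entries carry "cveID", "vendorProject", "product", "dateAdded" and "dueDate" fields. So that it runs offline, the snippet embeds a constructed excerpt with the three CVEs from this update; the dates in it are placeholders rather than the catalog's real values, and the inventory format is an assumption.

```python
"""Cross-reference an asset inventory against a CISA KEV catalog excerpt.

Added example, not CSW's code. KEV_JSON is a constructed excerpt in the shape
of CISA's feed (dates are placeholders); INVENTORY is a constructed input.
"""
import json
from datetime import date
from typing import Dict, List

KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
        {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
        {"cveID": "CVE-2022-36804", "vendorProject": "Atlassian",
         "product": "Bitbucket Server and Data Center",
         "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
    ]
})

# Constructed inventory: CVEs known to affect the software installed on each asset.
# CVE-2021-44228 is in the real catalog but not in this excerpt, so it is not matched here.
INVENTORY = {
    "mail-01": ["CVE-2022-41082", "CVE-2022-41040"],
    "git-01": ["CVE-2022-36804", "CVE-2021-44228"],
    "web-01": ["CVE-2022-99999"],   # placeholder id, not a real CVE
}


def load_kev(kev_json: str) -> Dict[str, dict]:
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def kev_exposures(kev_json: str, inventory: Dict[str, List[str]], today_iso: str) -> List[dict]:
    """Return one finding per (asset, CVE) pair that appears in KEV.

    'dueDate' is the remediation deadline the catalog attaches to each entry;
    findings past that date are marked overdue and sorted first.
    """
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"asset": asset, "cve": cve, "product": entry["product"],
                             "dueDate": entry["dueDate"], "overdue": today > due})
    findings.sort(key=lambda f: (not f["overdue"], f["dueDate"]))
    return findings


if __name__ == "__main__":
    for f in kev_exposures(KEV_JSON, INVENTORY, date.today().isoformat()):
        print(f"{f['asset']}: {f['cve']} ({f['product']}) due {f['dueDate']} overdue={f['overdue']}")
```

Pointing the same function at the full downloaded feed and a real inventory export gives a prioritized list; the "overdue" flag is what turns a catalog update into a concrete patching deadline.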

Water Labbu Exploits Electron-Based Applications

Water Labbu is the latest threat actor in town, known for its complex routine and infrastructure. The group piggybacks on other scammers' schemes and exploits live chat applications on pre-existing scam websites built with the ElectronJS framework. Water Labbu also exploits a Chromium vulnerability to target scammers running unpatched versions of those applications.

CVE-2021-21220 is a Chromium vulnerability that CSW has been warning about since April 20, 2021. CVE-2021-21220 is now also a CISA KEV, added to the catalog on November 3, 2021. 

CVE           CVE-2021-21220
CVSS Score    8.8 (v3)
Exploit Type  RCE
CWE           CWE-787
Patch         Download

Night Sky and Cheerscrypt Ransomware 

The Night Sky ransomware group, which gained notoriety during the Apache Log4j incident, is now back in another avatar. Techniques and tactics of the Night Sky ransomware were recently observed in a ransomware incident involving the Cheerscrypt ransomware group. Further research reveals that Cheerscrypt and Night Sky are both rebrands of a single threat group known as Emperor Dragonfly, DEV-0401, or Bronze Starlight. It is believed that both Windows and ESXi environments could be targeted.

CVE           CVE-2021-44228
CVSS Score    10 (v3)
Exploit Type  RCE, DoS, WebApp
CWE           CWE-400, CWE-502, CWE-20, CWE-917
Patch         Download

Read more to know about how the Apache Log4j vulnerability is still affecting thousands of customers. You also get a detection script to check if you are vulnerable!

Be warned of APT Group Earth Aughisky

The APT group Earth Aughisky, also known as Taidoor, first identified in 2011, has continued to stealthily launch campaigns against unsuspecting organizations. Over the last decade, the group has adopted advanced tactics to evade detection and penetrate networks by exploiting weaknesses in network design and infrastructure.

The latest weapon in its arsenal is CVE-2015-2545, which is already associated with 7 other threat groups, including Kimsuky and FIN7. Our threat intelligence platform rates this vulnerability as having the highest likelihood of exploitation, and users are warned to patch it as early as possible.

CVE           CVE-2015-2545
CVSS Score    9.3 (v2)
Exploit Type  RCE
CWE           CWE-20
Patch         Download

Exploit for CVE-2022-26809, an RCE Vulnerability in Windows RPC

Exploits for CVE-2022-26809, a vulnerability in the Remote Procedure Call (RPC) Runtime component of Windows, have been released publicly. The exploit can allow unauthorized attackers to execute custom code remotely with the elevated privileges of the RPC service. The exploit is trending in the wild, with threat actors vying to obtain the exploit code and leverage it to enter exposed networks.

According to Shodan, 1,707,532 instances of the RPC are exposed to the internet, creating a ripe opportunity for threat actors.

Users of RPC are recommended to apply the latest security updates. Users are also advised to restrict traffic on TCP port 445 to limit access by threat actors.

CVE           CVE-2022-26809
CVSS Score    9.8 (v3)
Patch         Download


Threats to Watch Out For

Cisco Fixes High-Severity Bugs in Communications and Networking Products

Cisco fixed two high-severity bugs, tracked as CVE-2022-20814 and CVE-2022-20853, affecting its Expressway series and TelePresence Video Communication Server software. 

CVE-2022-20814, an improper certificate validation vulnerability, could allow an unauthenticated remote attacker to access sensitive data through a man-in-the-middle attack. If exploited successfully, the flaw lets an attacker intercept or alter traffic.

CVE-2022-20853 is a cross-site request forgery (CSRF) vulnerability in the REST API of Cisco Expressway and TelePresence VCS that an unauthenticated remote attacker could leverage.

CVE Details

CVE              CVSS Score   CWE                Patch
CVE-2022-20814   7.4 (v2)     Not assigned yet   Download
CVE-2022-20853   7.4 (v2)     Not assigned yet   Download
CVE-2022-20929   7.8 (v2)     Not assigned yet   Download


Though no known exploitations in the wild have been observed for these three vulnerabilities, we urge all organizations and customers to upgrade their versions of TelePresence VCS, Enterprise NFVIS and Expressway to the latest versions.

New Supply Chain Attack on PHP

Recent research shows that a vulnerability in Packagist, a central component of the PHP ecosystem, could enable supply chain attacks. Packagist is the Composer repository that aggregates the public PHP packages installed with Composer; developers use it to discover and download software libraries. Organizations running PHP code and using Composer could be at risk of a supply chain attack, as related requests have been hijacked to distribute malicious dependencies instead.

We warn you of two associated vulnerabilities and urge you to patch the same at the earliest.

CVE Details:

CVE              CVSS Score   CWE               Patch
CVE-2022-24828   8.8 (v3)     CWE-20, CWE-94    Download1, Download2
CVE-2021-29472   8.8 (v3)     CWE-88, CWE-94    Download
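
Patching Composer is the fix for the two CVEs above; a complementary defensive check is to audit what Composer actually resolved. The following is an added example (not part of this post and not Composer's own tooling) that reads a composer.lock file, in which Composer records each package's "source" (VCS URL plus commit "reference") and "dist" (archive URL plus "reference" and optional "shasum"). The sample lock is constructed, and the three policy rules it enforces (a pinned 40-hex commit reference, archives only from allow-listed hosts, and matching source/dist references) are this example's assumptions, not Composer policy.

```python
"""Audit a composer.lock for dependencies that did not come from where you expect.

Added example, not part of the original post or of Composer. SAMPLE_LOCK is a
constructed excerpt; ALLOWED_DIST_HOSTS and the three rules are assumptions.
"""
import json
from typing import List
from urllib.parse import urlparse

# Hosts from which dist archives are expected (assumption for this audit)
ALLOWED_DIST_HOSTS = {"api.github.com", "github.com"}

# Constructed composer.lock excerpt: one clean package and two suspicious ones
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/clean-lib", "version": "v1.4.2",
         "source": {"type": "git", "url": "https://github.com/vendor/clean-lib.git",
                    "reference": "0123456789abcdef0123456789abcdef01234567"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/vendor/clean-lib/zipball/0123456789abcdef0123456789abcdef01234567",
                  "reference": "0123456789abcdef0123456789abcdef01234567", "shasum": ""}},
        {"name": "vendor/odd-host", "version": "v2.0.0",
         "source": {"type": "git", "url": "https://github.com/vendor/odd-host.git",
                    "reference": "89abcdef0123456789abcdef0123456789abcdef"},
         "dist": {"type": "zip", "url": "https://mirror.example.invalid/odd-host.zip",
                  "reference": "89abcdef0123456789abcdef0123456789abcdef", "shasum": ""}},
        {"name": "vendor/ref-mismatch", "version": "dev-main",
         "source": {"type": "git", "url": "https://github.com/vendor/ref-mismatch.git",
                    "reference": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/vendor/ref-mismatch/zipball/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
                  "reference": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "shasum": ""}},
    ]
})


def audit_lock(lock_json: str) -> List[str]:
    """Return one finding string per policy violation; an empty list means clean."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        name = pkg.get("name", "<unnamed>")
        source = pkg.get("source") or {}
        dist = pkg.get("dist") or {}
        src_ref = source.get("reference", "")
        dist_ref = dist.get("reference", "")
        # Rule 1: every package should be pinned to a full 40-hex git commit
        if len(src_ref) != 40 or any(c not in "0123456789abcdef" for c in src_ref):
            findings.append(f"{name}: source reference is not a pinned commit ({src_ref!r})")
        # Rule 2: archives should be fetched only from allow-listed hosts
        host = urlparse(dist.get("url", "")).hostname or ""
        if host not in ALLOWED_DIST_HOSTS:
            findings.append(f"{name}: dist host {host!r} not in allow-list")
        # Rule 3: the archive should be built from the same commit as the source
        if src_ref and dist_ref and src_ref != dist_ref:
            findings.append(f"{name}: dist reference {dist_ref[:12]} != source reference {src_ref[:12]}")
    return findings


if __name__ == "__main__":
    for line in audit_lock(SAMPLE_LOCK):
        print(line)
```

Running this in CI against the committed composer.lock makes a swapped archive host or a drifting commit reference fail the build before the dependency is installed, which is the point at which a hijacked request would otherwise succeed.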

We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.

Talk to Us!

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!
