CSW's Threat Intelligence - October 31, 2022 - November 4, 2022

Posted on Oct 31, 2022 | Updated on November 4, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Watch David Rushton elaborate on the top three critical threats of the week on our podcast!


Trending Threats


CISA Adds 1 More Vulnerability to the KEV

On Oct 28, 2022, CISA added CVE-2022-3723 to the KEV. It is an actively exploited Google Chrome zero-day vulnerability, described as a type confusion flaw in the V8 JavaScript engine. By abusing this vulnerability, an attacker can read sensitive information belonging to other apps, cause crashes, or execute arbitrary code. Google released a Chrome patch for it on Oct 27, 2022, after multiple exploit campaigns in the wild.

CVE Details

CVE | V2 Score | V2 Severity | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
CVE-2022-3723 | - | - | 8.80 | HIGH | 8.8 | HIGH | CWE-843 | 1 | Download

New Malware from Cranefly: Geppei

The hacking group Cranefly has been using new malware on target systems. Its latest technique reads commands from IIS (Internet Information Services) logs to communicate with a previously unknown dropper trojan known as Geppei, which installs backdoors and other custom tools. The malware used to distribute and gather information are Danfuan and ReGeorg. Cranefly spent at least 18 months on victim networks and used backdoors on devices that did not support security tools to remain undetected.

Cranefly deploys these backdoors mainly to gather intelligence from corporate organizations, using phishing emails sent to their employees. Judging by their techniques, they appear to be a sophisticated group of attackers whose main motive is intelligence gathering.

Using IIS logs this way has never before been seen in cyber attacks, and in future the technique could be used to deliver different types of malware if leveraged by threat actors with malicious goals.
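Added illustration, not code from CSW or from the Cranefly reporting: whatever an attacker sends in an HTTP request is written verbatim into the IIS log, so a defender can hunt for smuggled content in the logs themselves. The Python below parses IIS W3C log lines (a constructed sample, not a real capture) and flags requests whose query string carries a long, high-entropy value; the marker strings and encoding the real dropper looks for are not on this page and are not assumed here, so the entropy heuristic and thresholds are the author's own.

```python
import math
from collections import Counter

# Constructed sample in IIS W3C extended log format (not a real capture); the last
# entry mimics a request whose only purpose is to land a payload in the log file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 10:01:02 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2022-10-28 10:01:09 10.0.0.5 GET /api/items id=42&sort=name 80 - 203.0.113.7 Mozilla/5.0 200 0 0 8
2022-10-28 10:02:30 10.0.0.5 GET /nonexistent.aspx q=c29tZS1jb25zdHJ1Y3RlZC1zYW1wbGUtdG9rZW4tZm9yLWRlbW8 80 - 198.51.100.20 curl/7.85.0 404 0 2 3
"""

def shannon_entropy(s):
    """Bits per character; base64 blobs score well above plain words or numbers."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]          # IIS may emit several #Fields: headers
        elif line and not line.startswith('#') and fields:
            values = line.split()               # IIS replaces spaces in values with '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def suspicious_values(query, min_len=32, min_entropy=3.5):
    """Query-string values long and random-looking enough to be an encoded blob."""
    if query == '-':                            # IIS writes '-' for an empty field
        return []
    values = (p.split('=', 1)[-1] for p in query.split('&'))
    return [v for v in values if len(v) >= min_len and shannon_entropy(v) >= min_entropy]

def find_suspicious(log_text):
    """Return the entries that carry an encoded blob; a 404 status is a second hint,
    since the sender only needs the request logged, not served."""
    findings = []
    for e in parse_iis_w3c(log_text):
        hits = suspicious_values(e.get('cs-uri-query', '-'))
        if hits:
            findings.append({'time': f"{e['date']} {e['time']}", 'c-ip': e['c-ip'],
                             'uri': e['cs-uri-stem'], 'status': e['sc-status'],
                             'values': hits})
    return findings
```

Run it against a real IIS log directory and tune `min_len` and `min_entropy` to the site's normal traffic before alerting on hits.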


LockBit Adds More CVEs to its Assault Arsenal

LockBit has added more CVEs to its exploit list; among them, Microsoft vulnerabilities are widely targeted and abused. LockBit's latest attack was on Thales, a French defence and technology group. LockBit claimed that data had been stolen from the organization and threatened to publish it if its ransom demands are not met by Nov 7, 2022.

They also claimed responsibility for a cyberattack against the German multinational automotive group Continental, in which data was stolen.

CVE Details


BlackBasta Ransomware Linked to FIN7

Recent research has revealed that BlackBasta ransomware may be linked to FIN7 (AKA Carbanak), a financially motivated Russian hacking group. In an analysis of attacks by both groups, researchers found that their EDR (Endpoint Detection and Response) evasion tools had the same authors. BlackBasta has been using these EDR evasion tools since June 2022. Samples of SocksBot, a backdoor used exclusively by FIN7, were also found in BlackBasta's recent attacks.

FIN7 was observed using the Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks earlier this year. BlackBasta used the same TTPs and IP addresses in the following months, another indication of collaboration between the groups.

FIN7 has previously worked with multiple ransomware groups, namely Maze, Ryuk, Darkside, and BlackCat/ALPHV, for initial compromise.

CVE-2022-30190, CVE-2020-1472, CVE-2021-42287, CVE-2021-42278, and CVE-2021-34527 are exploited by BlackBasta and FIN7.

CVE Details

CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Attack Classification | Ransomware Names | Threat Actor Names | Patch Link
CVE-2022-30190 | 7.80 | HIGH | 7.8 | HIGH | - | RCE,WebApp,Other | Bisamware | APT29, UAC-0098, Leviathan, Sandworm Team, TA413 | Download
CVE-2021-34527 | 8.80 | HIGH | 8.8 | HIGH | CWE-269 | RCE,DoS,Other | Conti, Vice Society, Black Basta, Magniber | DEV-0832 | Download
CVE-2021-42278 | 8.80 | HIGH | 8.8 | HIGH | CWE-269 | - | Black Basta | - | Download
CVE-2021-42287 | 8.80 | HIGH | 8.8 | HIGH | CWE-269 | - | Black Basta | - | Download
CVE-2020-1472 | 10.00 | CRITICAL | 10 | CRITICAL | CWE-330, CWE-287 | PE,DoS,WebApp,Other | Darkside, Conti, Ryuk, CLOP, Thanos, Black Basta, Babuk, Epsilon Red | Wizard Spider, Prophet Spider, MuddyWater, TA505, menuPass, FIN7, Sandworm Team, Earth Lusca | Download

Threats to Watch Out For


Critical Vulnerabilities Addressed in OpenSSL

CVE-2022-3602 and CVE-2022-3786 are vulnerabilities in OpenSSL, the open-source cryptography library used to implement secure communications online.

CVE-2022-3602 allows a crafted email address to overflow exactly four attacker-controlled bytes on the stack, allowing access to the server.

CVE-2022-3786 can overflow an arbitrary number of bytes containing the "." character on the stack, leading to denial of service on a client-authenticated server.

Initial access through these vulnerabilities is complicated and requires pre-authenticated configurations, which limits widespread exploitation.

OpenSSL has released a security advisory to help fix these vulnerabilities.

CVE Details

CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
CVE-2022-3602 | 9.80 | CRITICAL | 9.8 | CRITICAL | CWE-120, CWE-119, CWE-121 | 3 | Download
CVE-2022-3786 | 7.50 | HIGH | 7.5 | HIGH | CWE-120, CWE-193, CWE-119, CWE-121 | 3 | Download

Vulnerabilities in Apache Batik Library

CVE-2022-40146 is a Server-Side Request Forgery (SSRF) vulnerability that could allow remote attackers to execute arbitrary code on affected installations of Apache Batik. It is caused by a lack of proper validation of a URI before resources are accessed.

CVE-2022-38398 is also an SSRF vulnerability; it allows remote attackers to disclose sensitive information on affected installations of Apache Batik.

Users are recommended to upgrade to the latest version, Apache Batik 1.15, to resolve these vulnerabilities.

CVE Details

CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
CVE-2022-40146 | 7.50 | HIGH | 7.5 | HIGH | CWE-918 | 1 | Download
CVE-2022-38398 | 5.30 | MEDIUM | 5.3 | MEDIUM | CWE-918 | 1 | Download

Juniper Fixes Critical Vulnerabilities in Junos OS

Six high-severity vulnerabilities in Juniper Junos OS affect enterprise networking devices. They are:

CVE-2022-22241 - A remote, pre-authenticated PHP archive file deserialization vulnerability.

CVE-2022-22242 - A pre-authenticated reflected XSS that allows a remote adversary to siphon a Junos OS admin session and chain it with other flaws that require authentication.

CVE-2022-22243 and CVE-2022-22244 - Two XPath injection flaws that allow a remote authenticated attacker to steal and manipulate Junos OS admin sessions.

CVE-2022-22245 - A path traversal flaw that could allow a remote authenticated attacker to upload PHP files to any arbitrary location.

CVE-2022-22246 - A local file inclusion vulnerability that could be weaponized to run untrusted PHP code.

Juniper has released a security advisory on how to patch these vulnerabilities.

CVE Details

CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
CVE-2022-22242 | 6.10 | MEDIUM | 6.1 | MEDIUM | CWE-79 | 160 | Download
CVE-2022-22241 | 9.80 | CRITICAL | 9.8 | CRITICAL | CWE-502, CWE-20 | 161 | Download
CVE-2022-22243 | 4.30 | MEDIUM | 4.3 | MEDIUM | CWE-20, CWE-91 | 162 | Download
CVE-2022-22246 | 8.80 | HIGH | 8.8 | HIGH | CWE-829 | 161 | Download
CVE-2022-22245 | 4.30 | MEDIUM | 4.3 | MEDIUM | CWE-22, CWE-23 | 160 | Download
CVE-2022-22244 | 5.30 | MEDIUM | 5.3 | MEDIUM | CWE-91 | 160 | Download

We use our threat intelligence platform, driven by Artificial Intelligence (AI) and Machine Learning (ML) models, to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.
