CSW's Threat Intelligence - September 05, 2022 - September 09, 2022
Posted on Sep 9, 2022 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
Trending Critical Threats
Nemesis Kitten: A New Iranian Ransomware Group
CISA Warns of Vice Society Ransomware that Targets Schools
Worok Espionage Group Targets Asian Government and Private Entities
Linux OS under Attack by New Malware Shikitega
EvilCorp Uses New Cyberattack Panel TeslaGun in Attacks
BlackCat Ransomware Attacks Italian Energy Agency
Hive Ransomware Group goes after Damart
CISA Adds 12 New Vulnerabilities to the KEV
Iranian Threat Actors Attack Albanian Government
Threats to Watch Out For
CVE-2022-3075 - High Severity Chrome Zero-Day Vulnerability
QNAP Zero-Day Vulnerability Exploited in Attacks
CVE-2022-34747: Critical RCE Vulnerability in Zyxel NAS Devices
MooBot Targets Unpatched D-Link Routers
CVE-2022-31474: Critical vulnerability in BackupBuddy
CVE-2022-31814: Root RCE in pfBlockerNG
CVE-2022-38395: High-Severity PE Bug
CVE-2022-20923: Unpatched Zero-Day Vulnerability in EoL Routers
Nemesis Kitten, believed to be a sub-group of the Iranian APT group Phosphorus, has been conducting vulnerability scanning on behalf of the Iranian Government. In addition, the group has carried out multiple ransom attacks on organizations.
Their attack methodology involves exploiting newly-discovered high severity vulnerabilities and using LOLBINs (Living Off the Land Binaries) to gain persistence or escalate privileges. After initial access, the group uses the built-in BitLocker tool to encrypt files on compromised devices.
Apart from geo-political reasons, the group also appears to be financially motivated and has ransomed private organizations as well in the past.
CVE-2018-13379, CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 are the CVEs exploited by Nemesis Kitten.
Threat actors have been targeting schools to extort large ransoms since before the pandemic. The education sector is an easy target because of its poor security infrastructure and insufficient resources. CISA and the FBI jointly released a warning about the Vice Society group, which has been targeting K-12 school districts with various ransomware variants such as Hello Kitty/Five Hands and Zeppelin, along with tools such as Cobalt Strike. After initial access, they exfiltrate data and use double extortion techniques to demand ransom from victims.
CVE-2021-1675 and CVE-2021-34527 are the two CVEs commonly targeted by the Vice Society group. CVE-2021-34527 is a critical vulnerability that has been used in various attacks; we called this out in our 2021 Q3 ransomware report.
Here is an article on how you can detect CVE-2021-34527 in your environment.
Worok, a threat actor group using techniques similar to TA428, was discovered carrying out malicious campaigns against various entities in East Asia and Africa in 2020. The group has been using a C++ loader (CLRLoad), a PowerShell backdoor (PowHeartBeat), and a C# loader (PNGLoad) to deliver malicious payloads hidden in PNG files. Worok had gone quiet since May 2021 and has now resurfaced. In its latest attacks it has targeted an energy company and a government entity in Asian countries. This is a serious threat to watch out for.
CVE-2021-34523 is one of the CVEs targeted by this threat actor group.
Exploit Type: RCE, PE, WebApp
CVSS SCORE: 9.8
CWE ID: CWE-287, CWE-269
Ransomware Associations: Conti, Hive, BianLian, AvosLocker, BlackCat, LockFile, Karma, BlackByte, Babuk
APT Associations: ChamelGang, TR, Tropical Scorpius, Worok
Affected Products: 5
A new malware targeting Linux systems uses a multi-layered infection chain to exploit vulnerabilities and download a cryptominer. Dubbed Shikitega, this malware is used against endpoints and IoT devices running a Linux OS. It evades anti-virus detection by using a polymorphic encoder. Shikitega also abuses legitimate cloud services to host some of its command and control (C&C) servers. This malware could potentially control webcams and processes, execute shell commands, and take over systems completely.
EvilCorp (aka TA505) has come up with a new cyberattack panel named TeslaGun that was used in campaigns against more than 80,000 organizations in the US and other countries. EvilCorp is a Russian APT group that has carried out some of the biggest attacks against organizations and governments.
TeslaGun is mainly used to deploy backdoor attacks effectively. EvilCorp has been using ServHelper malware backdoor since 2019 and TeslaGun will now make it easier to manage the backdoor attack operations. Cyberattack panels contain multiple campaign records representing different delivery methods and attack data. They also collect lots of information from victim’s systems, enabling the threat actor to profile their victims for future exploits.
EvilCorp uses the following CVEs to attack its victims:
Italy's energy agency Gestore dei Servizi Energetici SpA (GSE) experienced a cyberattack on September 4, 2022. The notorious BlackCat ransomware group claimed credit for the attack. The energy agency took its websites down to curb the extent of the attack, and they have been offline since September 5, 2022. GSE has not revealed the extent of data loss, but the ransomware group claimed to have stolen 700 GB of data during the attack. Negotiations for ransom are underway.
BlackCat is known for targeting Europe’s energy agencies. Their last attack was on Luxembourg’s Creos, disrupting the customer portal of the energy supplier.
Here are the CVEs exploited by BlackCat:
For more information about BlackCat Ransomware check out our blog here.
Damart is a French clothing store with more than 130 branches across the globe. On August 15, 2022, its online services were reportedly down due to an unscheduled maintenance activity. Damart later clarified that some of its systems had been encrypted, resulting in website disruptions. More than 92 stores were affected during this attack, impacting sales and customer service.
Hive ransomware group claimed responsibility for this attack. They demanded $2 million as ransom. However, there is no data pertaining to Damart published on Hive’s Onion site.
Hive ransomware uses the following CVEs to exploit systems: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
CISA maintains a catalog of Known Exploited Vulnerabilities (KEV), which are actively targeted by attackers. Each CVE in the catalog comes with a recommended patch-by date, before which all federal agencies are required to patch the vulnerability.
On September 08, 2022, CISA added 12 vulnerabilities to the KEV. Among these is the Apple vulnerability CVE-2020-9934, which was trending in July 2022. Four of the new vulnerabilities are in D-Link routers: CVE-2011-4723, CVE-2018-6530, CVE-2022-28958, and CVE-2022-26258.
Here’s more information about the CVEs:
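To put the KEV patch-by dates to work, here is an added example (not CSW's own tooling) that ranks an inventory of CVEs by KEV status and due date, and tags each one with the threat-actor associations reported in this issue. The KEV entries are constructed samples that follow the real feed's field names (cveID, vendorProject, product, dateAdded, dueDate); the product strings and due dates are placeholders.

```python
"""Rank CVEs against a KEV-style catalog plus this issue's actor associations."""
import json
from datetime import date

# Constructed sample in the field layout of the CISA KEV JSON feed. The two
# 2022-09-08 additions are named above; the PrintNightmare dates and every
# product string and dueDate here are PLACEHOLDERS, not catalog values.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-9934", "vendorProject": "Apple", "product": "placeholder",
     "dateAdded": "2022-09-08", "dueDate": "2022-09-29"},
    {"cveID": "CVE-2022-28958", "vendorProject": "D-Link", "product": "placeholder",
     "dateAdded": "2022-09-08", "dueDate": "2022-09-29"},
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "placeholder",
     "dateAdded": "2021-07-13", "dueDate": "2021-07-20"},
]})

# Actor-to-CVE associations as reported in this issue.
ACTOR_CVES = {
    "Nemesis Kitten": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26858",
                       "CVE-2021-26857", "CVE-2021-27065"],
    "Vice Society": ["CVE-2021-1675", "CVE-2021-34527"],
    "Worok": ["CVE-2021-34523"],
    "Hive": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"],
    "HomeLand Justice": ["CVE-2019-0604", "CVE-2021-26855"],
    "MooBot": ["CVE-2015-2051", "CVE-2018-6530", "CVE-2022-26258", "CVE-2022-28958"],
}

def prioritize(kev_json, actor_cves, inventory, today_iso):
    """Return inventory CVEs as dicts, ordered: KEV entries first (overdue ones
    ahead, then earliest dueDate), then non-KEV CVEs; ties favour more actors."""
    today = date.fromisoformat(today_iso)
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    actors_for = {}
    for actor, cves in actor_cves.items():
        for cve in cves:
            actors_for.setdefault(cve, []).append(actor)
    rows = []
    for cve in inventory:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({"cve": cve, "in_kev": entry is not None,
                     "overdue": bool(due and due < today),
                     "due": entry["dueDate"] if entry else None,
                     "actors": sorted(actors_for.get(cve, []))})
    # Booleans sort False first, so negate them to push KEV/overdue to the top.
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"],
                             r["due"] or "9999-12-31", -len(r["actors"]), r["cve"]))
    return rows
```

Feed the function the live KEV JSON and your own scanner output to get the same ordering over real data.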
Iranian threat actors have actively been perpetrating cyber attacks against the Albanian Government since July 2022. Sensitive information was stolen from the Government agency and leaked by threat actors in Tehran.
On July 15, several Albanian websites and digital services were shut down following an attack. Four threat actor groups/individuals are said to have worked on distinct phases of the attack: initial intrusion, data exfiltration, data encryption and destruction, and information operations. However, a ransomware group called HomeLand Justice has claimed the attack. Iran has been using ransomware gangs to carry out attacks against political enemies.
Once it was discovered that Iran was responsible for this, Albania severed ties with Iran and expelled its embassy staff from the country.
CVE-2019-0604 and CVE-2021-26855 are associated with the Iranian threat actors.
Google Chrome released a security patch for a zero-day vulnerability, CVE-2022-3075 on September 2, 2022. The vulnerability is caused by insufficient data validation in Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries. It is a critical vulnerability with active exploits in the wild.
Google has recommended that all Chrome users upgrade to version 105.0.5195.102 to fix this CVE. We also recommend that CISA add this CVE to the KEV list.
The DeadBolt ransomware group has been exploiting a zero-day vulnerability in Photo Station, a private photo storage application by QNAP. The company has released a security advisory patching this vulnerability.
DeadBolt has been targeting NAS (Network Attached Storage) devices since January 2022 using zero-day vulnerabilities in exposed NAS products. It is recommended that users have strong passwords for their NAS accounts.
Photo Station users are advised to upgrade to QTS 5.0.1: Photo Station 6.1.2 and later to fix the vulnerability.
A patch was released on September 6, 2022 for a critical vulnerability, CVE-2022-34747 in Zyxel devices. The CVE can allow unauthorized remote code execution via a crafted UDP packet.
NAS devices are vulnerable to ransomware attacks. Hence, patching this vulnerability is of high priority for NAS users.
Here’s an article on how to secure your storage devices.
CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958 are some of the CVEs that MooBot is targeting in its latest campaign against D-Link routers. The compromised routers are then used to launch DDoS attacks.
D-Link users are recommended to apply the latest firmware update released by the manufacturer.
A high severity arbitrary file download/read vulnerability is being exploited in BackupBuddy. WordPress websites running BackupBuddy are asked to patch this vulnerability immediately as it enables unauthenticated attackers to download sensitive files from vulnerable sites.
An unauthenticated remote command execution vulnerability was found in pfSense’s pfBlockerNG plugin version 2.1.4_26. This is critical and has a CVSS rating of 9.8. To patch this, users are recommended to download the latest stable version of pfSense (2.6.0), and install the latest stable version of pfBlockerNG (2.1.4_26) or higher.
A critical privilege escalation vulnerability was discovered in HP Support Assistant which comes pre-installed on all HP laptops and desktop computers. This CVE enables attackers to elevate their privileges on vulnerable systems.
Users are recommended to patch this vulnerability immediately.
Cisco has decided not to patch a zero-day vulnerability in its routers, citing that the product is at its End-of-Life. The vulnerability, CVE-2022-20923, is an authentication bypass flaw that is actively being exploited in the wild.
Cisco recommends that customers migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.
Check out this section to track how these threats evolve!
We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!