Cyberwar Bulletin: Iran and Albania

CSW's Threat Intelligence - September 12, 2022 - September 16, 2022

Posted on Sep 12, 2022 | Updated on Sep 16, 2022 | By Priya Ravindran

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

 

Trending Threats

Threats to Watch Out For

 

Trending Threats

 

Joint Advisory warning about Iranian APT groups

The FBI, CISA, the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have released a joint advisory warning of malicious cyber activity by an Iranian APT group. The group is believed to be exploiting the ProxyShell vulnerabilities in Microsoft Exchange and known Fortinet vulnerabilities to gain initial access to victim networks across critical infrastructure sectors, including healthcare, transportation, and government.

Our researchers have identified 27 vulnerabilities with known prior exploitation by Iran-based APT groups; organizations are advised to apply the required mitigations to keep their networks from being breached. Six of these are not yet in the CISA KEV catalog, and we urge CISA to add them so that organizations take notice.

 

Lorenz Ransomware exploiting CVE-2022-29499

The Lorenz ransomware group is now exploiting CVE-2022-29499, an improper input validation vulnerability in Mitel MiVoice Connect, to gain initial access to victim networks. Lorenz was first seen in December 2020 and is best known for its attack on Hensoldt, a multinational defense contractor that develops sensor solutions for defense, aerospace, and security applications. The group is known to leak victim data even after a ransom has been paid, and is a formidable threat to watch out for.

We warned of the highly exploitable nature of this vulnerability in mid-2022, and the CVE has been in the CISA KEV catalog since June 2022, so it warrants immediate patching.

CVE Details

CVE                   : CVE-2022-29499

CVSS Score      : 9.8 (v3)

CVSS Severity   :  Critical

CWE                  : CWE-20

Patch                 : Download

 

Be warned of Play Ransomware

Play is one of the newer entrants to the ransomware scene; last month it hit Argentina’s Court of Córdoba. Recent research suggests that its tactics and techniques resemble those of the Hive and Nokoyawa ransomware operations, which may indicate that all three are run by the same threat actor.

Play ransomware has now been associated with two vulnerabilities, CVE-2018-13379 and CVE-2020-12812. Both are FortiOS SSL VPN vulnerabilities: the first is a path traversal that lets an unauthenticated attacker read system files (including the session file that holds plaintext VPN credentials), and the second lets an attacker log in without proper authentication. Either gives attackers a foothold inside the network through the VPN. We urge you to patch both vulnerabilities to stay safe from Play ransomware attacks.

CVE Details

CVE                   : CVE-2018-13379

CVSS Score      : 9.8 (v3)

CVSS Severity   : Critical

CWE                  : CWE-22

Threat Associations : 5 ransomware groups including Conti and LockBit; 9 APT groups including Nobelium

Exploit Type       : WebApp

Patch                 : Download

CVE                   : CVE-2020-12812

CVSS Score      : 9.8 (v3)

CVSS Severity   : Critical

CWE                  : CWE-287, CWE-178

Threat Associations : -

Exploit Type       : -

Patch                 : Download

CSW has repeatedly warned about CVE-2018-13379 for more than two years now, and both vulnerabilities featured in our research into VPN vulnerabilities.

 

CVE-2022-32917 : Apple Zero-Day Vulnerability

Apple has released patches for CVE-2022-32917, a kernel vulnerability that Apple says may have been actively exploited, making it the eighth zero-day Apple has addressed in 2022. An application that exploits the bug may be able to execute arbitrary code with kernel privileges.

Users are advised to update to iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7 to protect their devices. The vulnerability was added to the CISA KEV catalog on September 14, 2022, two days after we called it out in this blog.


Microsoft Patch Tuesday September 2022: CVE-2022-37969 Exploited in the Wild

Microsoft’s September Patch Tuesday fixes 63 vulnerabilities. Two of them were public before the fix shipped: CVE-2022-37969, which is being exploited in the wild, and CVE-2022-23960, the publicly disclosed Spectre-BHB issue in Arm processors. Users are advised to update their Microsoft products to the latest available versions without delay.

CVE-2022-37969 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver; a local attacker who already has code execution on the host can use it to gain SYSTEM privileges. It was added to the CISA KEV catalog on September 14, 2022, a day after we called it out here.

CVE Details

CVE                    : CVE-2022-37969

CVSS Score       : 7.8 (v3)

CVSS Severity   : High

CWE                   : NA

Patch                  : Download

 

CVE-2022-3180 : Zero-Day Vulnerability in WPGateway

Attackers are actively exploiting CVE-2022-3180, a privilege escalation bug in the WPGateway plugin for WordPress. WPGateway lets users set up, back up, and manage WordPress sites from a central dashboard.

An attacker can exploit the vulnerability to add an administrator account and completely take over connected sites. WPGateway versions 3.5 and earlier are at risk, and users are advised to remove the plugin until the vendor releases a patch.

 

ProxyLogon (CVE-2021-26855) and Netlogon (CVE-2020-1472) Vulnerabilities

Unpatched instances of the infamous ProxyLogon (CVE-2021-26855) and Netlogon, better known as Zerologon (CVE-2020-1472), vulnerabilities are being actively hunted by an as-yet-unattributed threat actor. The targeted attacks on government and state-owned organizations appear aimed at intelligence gathering and rely on DLL side-loading to run their payloads. Exposed SMB services may also be at risk.

The attackers have previously been associated with the ShadowPad malware, which we warned about in a July edition of this blog.

ProxyLogon and Zerologon have surfaced repeatedly in the past and were used by some of the groups that played a major part in the recent Russia-Ukraine cyber war. CVE-2021-26855 in particular is a perennial favourite of APT groups.

CVE Details

CVE                   : CVE-2021-26855

CVSS Score      : 9.8 (v3)

CVSS Severity   : Critical

CWE                  : CWE-918

Threat Associations : 6 ransomware groups including Conti and AvosLocker; 12 APT groups including Nobelium and Hafnium

Exploit Type       : RCE, PE, WebApp

Patch                 : Download

CVE                   : CVE-2020-1472

CVSS Score      : 10.0 (v3)

CVSS Severity   : Critical

CWE                  : CWE-330

Threat Associations : 7 ransomware groups including Conti, Ryuk and DarkSide; 12 APT groups including Hafnium and Wizard Spider

Exploit Type       : WebApp, PE

Patch                 : Download

 

Read about how a popular SMB worm used the EternalBlue vulnerabilities in its attack here.

 

Vulnerabilities in Apex One

Trend Micro has alerted customers to two vulnerabilities in its Apex One endpoint security platform, CVE-2022-40139 and CVE-2022-40144. The former is an improper validation flaw that lets an attacker execute arbitrary code on affected installations (the attacker first needs access to the management console) and is already being exploited in the wild. The latter is a login bypass: by falsifying request parameters an attacker can get past the product’s authentication and gain unauthorized access. Chained, the second gets an attacker to the console the first one needs. Users are urged to upgrade to the latest version of Apex One without delay.

CISA added CVE-2022-40139 to the KEV catalog on September 15, 2022.

 

Hive Ransomware Group Attacks Bell Technical Solutions in Canada

 

Bell Technical Solutions (BTS), a Bell Canada subsidiary, was hit by the Hive ransomware group. Hive claims that in an attack on August 20, 2022 it encrypted BTS’s internal systems and stole information on residential and small-business customers in Ontario and Québec. BTS’s service website has been down since. Bell has stated that no sensitive information was stolen and that it is investigating the incident.

 

Hive has been actively targeting businesses and went after Damart last week.

The ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 are the ones most often exploited by the Hive ransomware group.

 

CISA Adds 6 More Vulnerabilities to the KEV

On September 15, 2022, CISA added six CVEs to its Known Exploited Vulnerabilities catalog. Among them is CVE-2022-40139, the Apex One vulnerability we warned about on Tuesday. The rest are old vulnerabilities from 2010 and 2013 for which public exploits have long been available and which remain dangerous if left unpatched.

 

New CVEs: CVE-2022-40139, CVE-2013-6282, CVE-2013-2597, CVE-2013-2596, CVE-2013-2094, CVE-2010-2568
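Several items in this bulletin come down to the same question: which of the CVEs we care about are already in the CISA KEV catalog, which were added this week, and which (like the six Iran-linked CVEs above) are not there yet? The script below is an added example, not CSW’s tooling and not code from this page. It assumes the layout of the real KEV JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, with a top-level "vulnerabilities" array whose entries carry "cveID", "vendorProject", "product", "dateAdded" and "dueDate"). KEV_SAMPLE is a constructed, abbreviated stand-in that uses those field names so the script runs offline; the dates this bulletin states are used where it gives them, and the remaining dates are placeholders, not catalog values. Swap in the downloaded feed for real use.

```python
"""Triage a CVE watch-list against the CISA Known Exploited Vulnerabilities
(KEV) catalog.

Added example, not CSW's tooling. KEV_SAMPLE is a constructed stand-in for
the real feed (same field names); replace it with the downloaded JSON.
"""
import json

# Constructed sample. Dates quoted in this bulletin are used where it gives
# them; the other dates are illustrative placeholders, not catalog values.
KEV_SAMPLE = json.dumps({
    "title": "CISA Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-29499", "vendorProject": "Mitel", "product": "MiVoice Connect",
         "dateAdded": "2022-06-08", "dueDate": "2022-06-29"},
        {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2020-12812", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2022-32917", "vendorProject": "Apple", "product": "iOS, iPadOS, macOS",
         "dateAdded": "2022-09-14", "dueDate": "2022-10-05"},
        {"cveID": "CVE-2022-37969", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-09-14", "dueDate": "2022-10-05"},
        {"cveID": "CVE-2022-40139", "vendorProject": "Trend Micro", "product": "Apex One",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2010-2568", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
    ],
})

# CVEs named in this bulletin that we want to track.
WATCHLIST = [
    "CVE-2022-29499", "CVE-2018-13379", "CVE-2020-12812", "CVE-2022-32917",
    "CVE-2022-37969", "CVE-2022-3180", "CVE-2022-40139", "CVE-2022-40144",
    "CVE-2021-41303", "CVE-2022-34721",
]


def load_kev(feed_text: str) -> dict:
    """Index a KEV JSON document by CVE ID."""
    doc = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def triage(watchlist, kev: dict) -> dict:
    """Split a watch-list into KEV-listed CVEs (with the catalog's added and
    due dates, a good 'patch now' signal) and CVEs not yet listed."""
    listed = [(cve, kev[cve]["dateAdded"], kev[cve]["dueDate"])
              for cve in sorted(watchlist) if cve in kev]
    unlisted = [cve for cve in sorted(watchlist) if cve not in kev]
    return {"in_kev": listed, "not_in_kev": unlisted}


def added_since(kev: dict, since_iso: str) -> list:
    """CVE IDs added to the catalog on or after `since_iso` (YYYY-MM-DD),
    newest first. ISO-8601 dates compare correctly as plain strings."""
    hits = [e for e in kev.values() if e["dateAdded"] >= since_iso]
    hits.sort(key=lambda e: e["dateAdded"], reverse=True)
    return [e["cveID"] for e in hits]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    result = triage(WATCHLIST, kev)
    for cve, added, due in result["in_kev"]:
        print(f"{cve}: in KEV (added {added}, federal due date {due})")
    for cve in result["not_in_kev"]:
        print(f"{cve}: not in KEV; prioritize on your own evidence")
    print("added this week:", added_since(kev, "2022-09-12"))
```

Run against the full feed, the "not in KEV" list is exactly the set a vulnerability team has to prioritize on its own evidence (vendor advisories, exploit availability, exposure), since absence from KEV never means absence of exploitation; the "added since" query is the weekly diff that drives bulletins like this one.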

 

Threats to Watch Out For

 

Vulnerabilities in Apache Shiro and dotCMS

A code audit of open source Java projects turned up two vulnerabilities that can each lead to unauthorized access.

 

The first vulnerability is CVE-2021-41303, which arises when Apache Shiro is used with a web framework such as Spring Boot. Shiro is an easy-to-use Java security framework covering authentication, authorization, cryptography, and session management. The issue arises because Shiro and Spring parse URL paths differently, so a specially crafted request path that Shiro’s filter chain does not recognize as protected can still be routed by Spring to a protected handler. An attacker can exploit this to bypass Shiro’s authentication, leading to information loss, modification, or denial of service. Users are advised to upgrade to Apache Shiro 1.8.0 or later.

CVE Details

CVE                   : CVE-2021-41303

CVSS Score      : 9.8 (v3)

CVSS Severity   :  Critical

CWE                  : CWE-287 (assigned by Apache Software Foundation)

Patch                 : Download
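The bug class behind CVE-2021-41303 is a parser differential: the security filter decides on one view of the path, the dispatcher routes on another. The script below is an added illustration of that class, not Shiro or Spring code and not from this page. canonicalize() is an assumed, simplified model of how an MVC router resolves a path (percent-decoding, dropping ";" matrix parameters, resolving dot segments), and the PROBES are made-up inputs, not the published trigger for the CVE. It contrasts a filter that matches the raw path with one that normalizes first, using the same rules as the router.

```python
"""Parser-differential demo: an auth filter that matches on the raw request
path while the router normalizes it can be bypassed.

Added, constructed illustration of the vulnerability class behind
CVE-2021-41303. Not Shiro or Spring code; canonicalize() is an assumed,
simplified model of an MVC router, and PROBES are made-up inputs.
"""
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin/"   # hypothetical protected area


def canonicalize(path: str) -> str:
    """Router-style canonicalization (assumption, modelled on typical Java
    MVC behaviour): percent-decode, drop ';'-matrix parameters from each
    segment, resolve '.' and '..', collapse empty segments and trailing '/'."""
    path = unquote(path)                     # "%61dmin" -> "admin"
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]           # "..;jsessionid=x" -> ".."
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_protected(canonical_path: str) -> bool:
    """Does the router land this (canonical) path in the protected area?"""
    return (canonical_path == PROTECTED_PREFIX.rstrip("/")
            or canonical_path.startswith(PROTECTED_PREFIX))


def naive_filter_allows(raw_path: str, authenticated: bool) -> bool:
    """Vulnerable: decides on the raw, un-normalized path, so anything the
    router later folds into /admin/... slips past."""
    if raw_path.startswith(PROTECTED_PREFIX):
        return authenticated
    return True


def hardened_filter_allows(raw_path: str, authenticated: bool) -> bool:
    """Fixed: normalize with the same rules the router uses, then match."""
    if is_protected(canonicalize(raw_path)):
        return authenticated
    return True


def find_bypasses(raw_paths, allows) -> list:
    """Raw paths an unauthenticated client can send that the filter lets
    through even though the router delivers them to a protected handler."""
    return [raw for raw in raw_paths
            if is_protected(canonicalize(raw)) and allows(raw, authenticated=False)]


# Constructed probe paths; the last three are the classic dodges:
# matrix-parameter dot-segment, percent-encoded letter, plain dot-segment.
PROBES = [
    "/admin/users",
    "/admin/users/",
    "/public/..;/admin/users",
    "/%61dmin/users",
    "/public/../admin/users",
]

if __name__ == "__main__":
    print("naive filter bypassed by:", find_bypasses(PROBES, naive_filter_allows))
    print("hardened filter bypassed by:", find_bypasses(PROBES, hardened_filter_allows))
```

Note that canonicalize() decodes before splitting, so an encoded "%2F" becomes a separator; real routers disagree with each other on exactly such details, which is the whole point: the only robust fix is for the authorization layer to see the path the dispatcher will actually use (or to run after dispatch, on the resolved handler), and for Shiro users the practical fix is the 1.8.0 upgrade the advisory prescribes.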


 

The second vulnerability is CVE-2022-35740, a cross-site scripting (XSS) vulnerability in the admin portal of dotCMS, a Java-based content management system used to manage content-driven sites and applications. It is caused by insufficient sanitization of input to the CMS; because the injected script runs in an administrator’s browser session, a remote attacker can use it to act with admin privileges.

CVE Details

CVE                    : CVE-2022-35740

CVSS Score       : 9.8 (v3)

CVSS Severity   : Critical

CWE                  : CWE-798

Patch                 : Download


 

CVE-2022-34169 in Xalan-J XSLT Library

Xalan-J is a Java implementation of XSLT, a language for transforming XML documents into other formats such as HTML. CVE-2022-34169 is an integer truncation bug in XSLTC, the component that compiles stylesheets to Java bytecode: an incorrect conversion between numeric types lets a crafted stylesheet corrupt the generated class files, which can lead to execution of arbitrary Java bytecode. Exploit code is publicly available.

The Apache Xalan Java project is being retired, and users are advised to migrate to an alternative library that provides the functions they need. Java runtimes such as OpenJDK bundle a repackaged copy of Xalan; patches for affected OpenJDK builds are available.

CVE Details

CVE                   : CVE-2022-34169

CVSS Score       : 7.5 (v3)

CVSS Severity   : High

CWE                   : CWE-681

Patch                  : Download (OpenJDK)

 

Multiple Vulnerabilities in WAPPLES firewall

 

CVE-2022-24706, CVE-2022-31322, CVE-2022-35413, CVE-2022-31324, and CVE-2022-35582 are critical vulnerabilities in the web management interface of the WAPPLES web application firewall. They can be used to take over vulnerable devices and run arbitrary commands.

CVE-2022-24706 is the most serious of the set. It stems from reliance on a vulnerable third-party component (the CVE is itself an Apache CouchDB vulnerability), and exploiting it requires access to the management interface. CVE-2022-35582 is a leftover backdoor that gives even a moderately skilled attacker uncontrolled access to the device once they obtain the credentials.

 

There are no patches for these CVEs.

 

RCE Vulnerability in Windows IKE Protocol Extensions 

CVE-2022-34721 carries a CVSS score of 9.8. It affects the Windows Internet Key Exchange (IKE) Protocol Extensions and can be exploited for unauthenticated remote code execution by sending specially crafted IP packets to a Windows machine with IPsec enabled. Only IKEv1 is affected; IKEv2 is not. However, all Windows Servers are affected because they accept both v1 and v2 packets.

 

Microsoft has already released a patch for this vulnerability.

 

 

Check out this section to track how these threats evolve!

 

We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

 

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.

Talk to Us

 

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!
