Cyberwar Bulletin: Iran and Albania

CSW's Threat Intelligence - September 19, 2022 - September 23, 2022

Posted on Sep 19, 2022 | Updated on Sep 23, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

 


Trending Threats

 

Bitdefender Introduces a Decryptor Tool for the LockerGoga Ransomware

Bitdefender—in collaboration with law enforcement agencies, including Europol, the No More Ransom Project, the Zürich Public Prosecutor's Office, and the Cantonal Police of Zürich—has developed a free decryptor tool to recover files encrypted by the LockerGoga ransomware. The free tool and a user guide are available for download from Bitdefender’s servers.

LockerGoga is a ransomware group that has been operational since January 2019 and has attacked prominent organizations all over the world. It is estimated that the group has caused damages worth US$104 million with its activities. Twelve members of the group were arrested in October 2021, causing the group's operations to cease.

The free tool is intended for LockerGoga victims whose files are still encrypted.

CVE-2019-3396 is the vulnerability exploited by the LockerGoga group.

CVE: CVE-2019-3396
CVSS Score: 9.8 (v3)
Exploit Type: RCE, PE, WebApp, Other
CWE: CWE-22
Ransomware Associations: MegaCortex, GandCrab, LockerGoga
APT Associations: Winnti Group, Rocke, Volatile Cedar
Affected Products: 4
Patch: Download

 

More Information on Ragnar Locker Ransomware

Ragnar Locker has been making headlines with its attacks on Air Portugal, DESFA, and others.

There is now more information about how this ransomware group operates. The attacks are carried out on Windows and Linux systems: a compromised machine is used to gather information and then to encrypt files with the Salsa20 encryption algorithm. Once this is done, the group employs the double-extortion tactic to obtain a ransom from its victims, both to decrypt the files and to refrain from publishing the stolen information.

The Ragnar Locker ransomware also deletes volume shadow copies and terminates services such as VSS, SQL, Veeam, and LogMeIn to keep the victim from recovering the affected files.
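The recovery-inhibition behaviour described above (shadow-copy deletion followed by stopping of VSS, SQL, Veeam or LogMeIn services) is visible in ordinary process-creation telemetry. The following Python detector is an added example, not code from the CSW bulletin or from any vendor. It scans constructed Sysmon-style process-creation lines in an assumed pipe-separated layout (timestamp, host, user, image, command line); the host names, user names and rule names are illustrative, and a host that shows both behaviours is flagged as a likely pre-encryption stage.

```python
"""Detect Ragnar Locker-style recovery inhibition in process-creation telemetry.

Added example, not code from the CSW bulletin. Two behaviours the bulletin
describes are matched: deletion of volume shadow copies and stopping of
backup/database services (VSS, SQL, Veeam, LogMeIn). A host showing both
is reported as a likely pre-encryption stage (MITRE ATT&CK T1490).
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Assumed layout:
# timestamp | host | user | image | command line
SAMPLE_EVENTS = [
    "2022-09-20T01:12:03Z | host-1 | SYSTEM | C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir C:\\Users",
    "2022-09-20T01:12:09Z | host-1 | SYSTEM | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe delete shadows /all /quiet",
    "2022-09-20T01:12:11Z | host-1 | SYSTEM | C:\\Windows\\System32\\net.exe | net stop \"Veeam Backup Service\" /y",
    "2022-09-20T01:12:12Z | host-1 | SYSTEM | C:\\Windows\\System32\\net.exe | net stop MSSQLSERVER /y",
    "2022-09-20T01:12:15Z | host-1 | alice | C:\\Windows\\System32\\net.exe | net stop Spooler",
    "2022-09-20T01:13:40Z | host-2 | bob | C:\\Windows\\System32\\net.exe | net stop \"Veeam Backup Service\"",
]

# Shadow-copy deletion via vssadmin.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# "net stop <service>" with an optional quoted name and optional trailing /y.
NET_STOP = re.compile(r"\bnet(?:1|\.exe)?\s+stop\s+\"?([^\"]+?)\"?(?:\s+/y)?\s*$", re.IGNORECASE)
# Service families the bulletin names as Ragnar Locker's termination targets.
PROTECTED_SERVICES = re.compile(r"vss|sql|veeam|logmein", re.IGNORECASE)


def parse_event(line: str) -> dict[str, str]:
    """Split one pipe-separated telemetry line into its five fields."""
    ts, host, user, image, cmdline = (f.strip() for f in line.split(" | ", 4))
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(events: list[str]) -> list[tuple[str, str, str]]:
    """Return (host, rule, evidence) for every event matching a rule.

    Stopping an unrelated service (e.g. Spooler) is deliberately not alerted,
    so the rule does not fire on routine administration.
    """
    alerts: list[tuple[str, str, str]] = []
    for line in events:
        ev = parse_event(line)
        if SHADOW_DELETE.search(ev["cmdline"]):
            alerts.append((ev["host"], "shadow_copy_deletion", ev["cmdline"]))
        m = NET_STOP.search(ev["cmdline"])
        if m and PROTECTED_SERVICES.search(m.group(1)):
            alerts.append((ev["host"], "backup_service_stop", m.group(1)))
    return alerts


def hosts_at_risk(alerts: list[tuple[str, str, str]]) -> list[str]:
    """Hosts on which both behaviours were observed: the pairing is the strong signal."""
    seen: dict[str, set[str]] = defaultdict(set)
    for host, rule, _evidence in alerts:
        seen[host].add(rule)
    required = {"shadow_copy_deletion", "backup_service_stop"}
    return sorted(host for host, rules in seen.items() if required <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule, evidence in found:
        print(f"{host}: {rule}: {evidence}")
    print("hosts at risk:", hosts_at_risk(SAMPLE_EVENTS and found))
```

Run on the constructed sample, host-1 produces one shadow-copy alert and two service-stop alerts and is reported as at risk; host-2 stops a Veeam service alone and is alerted but not escalated. In a real deployment the same two rules would be fed from the EDR or Sysmon Event ID 1 stream, and the correlation window would be bounded in time rather than across the whole input.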

 

CVE-2017-0213 (Windows COM Elevation of Privilege Vulnerability) is a vulnerability that Ragnar Locker exploits. The group also compromises victim machines through RDP services exposed to the internet, using brute-forcing techniques and leaked credentials.

The FBI warned organizations about Ragnar Locker in March 2022.

CVE: CVE-2017-0213
CVSS Score: 4.7 (v3)
Exploit Type: RCE, PE
Ransomware Associations: Phobos, Mailto, WannaCry, Ragnar Locker, Petya, Nefilim
APT Associations: Winnti Group, APT29, APT33, Threat Group-3390
Patch: Download


 

CISA Adds One New CVE to its Known Exploited Vulnerabilities Catalog

CVE-2022-35405 is a critical remote code execution vulnerability in ManageEngine applications. CISA added this vulnerability to its KEV catalog on September 22, 2022. ManageEngine has published an advisory with a fix for this vulnerability.

We had advised our customers to patch this vulnerability in the first week of August 2022. CISA added the CVE to the KEV catalog 51 days later.

 

 

Threats to Watch Out For

15-Year-Old Unpatched Vulnerability in Python

CVE-2007-4559 was first discovered in 2007. It is a path traversal bug that allows attackers to overwrite arbitrary files. When it was first disclosed, Python issued a mitigation advisory, but no patch was made available. When it was rediscovered recently, Python updated its documentation to call it a dangerous bug. This vulnerability is said to have impacted approximately 350,000 projects. There is no evidence that it has been exploited.
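CVE-2007-4559 lives in the tarfile module's extract/extractall, which historically wrote members to whatever path the archive named, including paths containing "..". The mitigation Python's documentation recommends is to validate each member's destination before extracting. The following Python function is an added example, not code from the CSW bulletin or from the Python project: it extracts only members that stay under the destination directory and reports the ones it refused. The archive it processes is constructed in memory with one benign member and one traversal attempt; the member names and the helper names are illustrative.

```python
"""Safe tar extraction: mitigation for CVE-2007-4559 (tarfile path traversal).

Added example, not code from the CSW bulletin. Every member is checked
against the destination directory before anything is written to disk.
"""
import io
import os
import tarfile
import tempfile


def is_within_directory(base: str, target: str) -> bool:
    """True if `target`, after resolving '..', symlinks and absolute paths, lies inside `base`."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    return os.path.commonpath([base_real, target_real]) == base_real


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract only members that stay under `dest`; return the names that were skipped.

    Rejected before extraction:
      * members whose name climbs out of dest ('../x' or an absolute path);
      * symlinks whose target would resolve outside dest;
      * hard links that point at a path outside dest.
    """
    skipped: list[str] = []
    allowed: list[tarfile.TarInfo] = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            skipped.append(member.name)
            continue
        if member.issym():
            # Symlink targets are relative to the link's own directory.
            link_dest = os.path.join(os.path.dirname(target), member.linkname)
            if not is_within_directory(dest, link_dest):
                skipped.append(member.name)
                continue
        elif member.islnk():
            # Hard-link targets are relative to the archive root.
            if not is_within_directory(dest, os.path.join(dest, member.linkname)):
                skipped.append(member.name)
                continue
        allowed.append(member)
    if hasattr(tarfile, "data_filter"):
        # Python 3.12+ ships a built-in 'data' filter; use it as a second layer.
        tar.extractall(dest, members=allowed, filter="data")
    else:
        tar.extractall(dest, members=allowed)
    return skipped


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign file and one '../' traversal attempt."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (
            ("docs/readme.txt", b"benign content\n"),
            ("../../outside.txt", b"would land outside the extraction directory\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a temp dir; return (skipped names, written files)."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive()), mode="r") as tar:
            skipped = safe_extract(tar, dest)
        written = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _dirs, files in os.walk(dest)
            for f in files
        )
    return skipped, written


if __name__ == "__main__":
    print(demo())  # (['../../outside.txt'], ['docs/readme.txt'])
```

The check resolves both paths with os.path.realpath so that "..", absolute names and already-extracted symlinks cannot be used to step out of the destination; a plain string-prefix comparison would miss the "/dest-evil" sibling-directory case. Code that calls extractall on untrusted archives without such a check is the pattern the 350,000 affected projects share.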

CVE: CVE-2007-4559
CVSS Score: 6.8 (v2)
Affected Products: 1
CWE: CWE-22

 

 

A Vulnerability in Atlassian Bitbucket Server and Data Center

CVE-2022-36804, a command injection vulnerability in Bitbucket API endpoints, can allow an attacker to execute arbitrary code by sending malicious HTTP requests. To perform malicious operations, the attacker must have access to a public repository or read permissions on a private Bitbucket repository.

Atlassian published an advisory for Bitbucket Server and Data Center on how to patch this vulnerability. Users are recommended to patch this vulnerability immediately.


 

CVE-2022-2585: Linux Privilege Escalation Vulnerability

CVE-2022-2585 is a vulnerability caused by the way Linux handles CLOCK_THREAD_CPUTIME_ID. An attacker who abuses this flaw can escalate privileges to root. An exploit is already available for this vulnerability, and users are recommended to apply the patch published by Linux as soon as possible.

CVE: CVE-2022-2585
CVSS Score: 7.8 (v3)
CVSS Severity: Critical
CWE: CWE-416
Patch: Download

 

Raspberry Robin’s Roshtyak Backdoor

Raspberry Robin, a USB-based worm used in attacks against QNAP devices, carries a DLL (Dynamic Link Library) backdoor called Roshtyak. This backdoor is heavily protected with encryption and is used to deliver payloads, establish persistence, escalate privileges, move laterally, and exfiltrate information about the victim.

CVE-2020-1054 and CVE-2021-1732 are the two vulnerabilities associated with Raspberry Robin.


 

4 RCE Vulnerabilities in dotCMS 

CVE-2022-37431, CVE-2022-35740, CVE-2022-37033, and CVE-2022-37034 were discovered in dotCMS in June 2022. All these vulnerabilities can lead to remote code execution and were successfully exploited in a test environment. dotCMS has released updates fixing these vulnerabilities. 

 

Magento 2 Template Attacks on eCommerce Websites

CVE-2022-24086 is a critical template vulnerability in Magento 2, an open-source e-commerce platform. Cybercriminals are exploiting this vulnerability to compromise online stores. There are three exploits available for this vulnerability. Successful exploitation of CVE-2022-24086 can lead to arbitrary code execution. A patch is available for this vulnerability.

 

Check out this section to track how these threats evolve!

 

We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

 

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.

Talk to Us!



 

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!
