
CSW's Threat Intelligence - September 26, 2022 - September 30, 2022

Posted on Sep 27, 2022 | Updated on September 29, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!


Trending Threats

Microsoft Zero-Days Exploited in the Wild

Security researchers have traced an attack on critical infrastructure at a yet-to-be-named company back to two zero-day vulnerabilities in Microsoft Exchange Server. The vulnerabilities have now been assigned CVE-2022-41040 and CVE-2022-41082.

CVE-2022-41040 - Server-Side Request Forgery (SSRF) vulnerability

CVE-2022-41082 - Microsoft Exchange Server remote code execution (RCE) vulnerability. Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems are able to trigger RCE using CVE-2022-41082.

No patches are available for these vulnerabilities yet; however, Microsoft is said to be working on an accelerated timeline to release a fix.

Here’s a guide to mitigate the vulnerabilities.

Witchetty Group Employs New Techniques in Latest Attacks

Witchetty, a cyber espionage group, has been active since April 2022 and is believed to be a subgroup of TA410. In its attacks on Middle Eastern and African organizations this year, the group used new tools, including a Trojan backdoor and steganography, which lets the attacker hide the payload inside an image file and distribute it as an ordinary-looking picture. The group also used a custom proxy utility, a custom port scanner, and a persistence utility.

Witchetty exploited the PowerShell Execution Policy and the ProxyShell vulnerability to breach a Middle Eastern government agency. In this attack the group also used the LookBack backdoor.

The CVEs exploited by Witchetty are CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, and CVE-2021-27065.
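The steganography point above is worth a concrete defensive check. The script below is an added example written for this edition; it is not Witchetty tooling or code from the original report, and it makes no claim about the specific image format or encoding the group used. It builds a small constructed PNG, walks its chunk list while verifying each CRC, and flags the two crudest hiding spots a file-type scanner can catch: bytes appended after the IEND chunk (a viewer ignores them, so the file still looks like a picture) and private chunk types. The entropy of any trailing bytes is reported because compressed or encrypted payloads sit close to 8 bits per byte.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample input: a minimal valid 8-bit RGB PNG filled with red pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # every scanline starts with filter byte 0 followed by RGB triples
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(rows))
            + png_chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk list, verifying each CRC; return (chunk types, offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        stored_crc, = struct.unpack(">I", data[end - 4:end])
        if stored_crc != (zlib.crc32(ctype + data[pos + 8:end - 4]) & 0xFFFFFFFF):
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        chunks.append(ctype)
        pos = end
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain text well below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_png(data: bytes) -> dict:
    """Flag bytes appended after IEND and private (second letter lowercase) chunk types."""
    chunks, end = parse_png(data)
    trailing = data[end:]
    private = [c.decode("latin-1") for c in chunks if c[1:2].islower()]
    return {
        "chunks": [c.decode("latin-1") for c in chunks],
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "private_chunks": private,
        "suspicious": bool(trailing) or bool(private),
    }


if __name__ == "__main__":
    clean = make_png()
    # constructed "payload": high-entropy bytes glued onto an otherwise valid image
    stuffed = clean + bytes(range(256))
    for label, img in (("clean", clean), ("stuffed", stuffed)):
        print(label, inspect_png(img))
```

The check is deliberately format-aware rather than a plain string search: the parser stops exactly where the PNG specification says the file ends, so anything past that point is unaccounted for by design, and a CRC failure on any chunk is itself a reason to quarantine the file. Pixel-level hiding (modifying low-order bits) will not trip this check; that needs statistical tests on the decoded image, which this example does not attempt.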

 

ZINC Attacks Security Researchers

A threat actor known as ZINC has been attacking security researchers in a long and carefully planned campaign. The actor built trust with more than 2,000 followers on Twitter, many of them security researchers. After approaching targets on Twitter, the actor moved the conversations to other media (email, Discord, etc.) and exchanged blog posts, research, and similar material. In some cases the actor sent encrypted or PGP-protected ZIP files. Some of these files and links carried malicious payloads that were downloaded onto the victims’ systems; among the files ZINC sent to researchers were malicious Visual Studio projects that included prebuilt binaries.

Among the malware used by the threat actor are the Comebacker malware, the Klackring malware, and an encrypted Chrome password stealer.

The Twitter account maintained by ZINC uses the handle Zhang Guo. Its blogs are hosted on br0vvnn[.]io.

CVE-2017-16238 is heavily exploited by ZINC. This CVE, discovered back in 2017, is listed neither in the NVD nor in MITRE, and there are no official resources detailing the vulnerability. It is another example of the huge data gaps in national cyber resources, which in most cases are the only points of reference for security officers in government agencies. At this rate, organizations will be completely in the dark about exploits and fall easy prey to attackers.

Here’s a blog detailing the gaps in MITRE techniques.

 

TA413 Introduces New Malware ‘LOWZERO’ Against Tibetan Targets

TA413, a Chinese APT group, has been attacking Tibetan government agencies since 2020 to gather intelligence. Thus far, it has deployed malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox. In its latest attacks, in September 2022, it deployed a new malware named LOWZERO. This malware can receive additional modules from its command-and-control (C2) server, but only if the compromised machine is deemed to be of interest to the threat actor. The latest attacks exploited two CVEs: CVE-2022-1040 (Sophos Firewall) and CVE-2022-30190 (the Follina bug). CVE-2022-1040 is a zero-day exploit used in previous attacks by TA413 and other APT groups, and the Follina bug in Microsoft Office is widely exploited by multiple APT groups. TA413 is known for using tried-and-tested exploitation methods against zero-day bugs, and it uses multiple malware samples to extract information and avoid detection.

 

APT28 Comes Up With a New Stealer - CredoMap

A new stealer named CredoMap was developed by the Russian APT group Fancy Bear (APT28) for use against Ukrainian organizations. The version used in the latest attacks, in May 2022, is dubbed CredoMap_v_2. The stealer is malware designed specifically to steal sensitive information such as OS credentials, passwords stored in browsers, and cookies.

APT28 exploits the Follina bug (CVE-2022-30190) to deploy these malware samples and extract information.

CVE: CVE-2022-30190
CVSS Score: 7.8
Exploit Type: RCE, WebApp, Other
APT Group: UAC-0098, Sandworm Team, APT29, Leviathan, TA413
Affected Product Count: 18
Patch Link: Download

Chaos - The Latest Go-based Malware

There’s yet another malware developed in the Go language: Chaos. It is used in attacks on Windows and Linux devices for DDoS and cryptomining. This botnet malware has already been deployed on many small routers, and security researchers are warning everyone to look out for unpatched vulnerabilities in their systems. Chaos propagates through these security vulnerabilities as well as by SSH brute-forcing, and it also uses stolen SSH keys to hijack more devices.

Small office/home office routers are targeted in Europe, the Americas, and the Asia-Pacific region. Australia and New Zealand show no traces of Chaos bots.

CVE-2017-17215, CVE-2022-30525, and CVE-2022-1388 are the vulnerabilities most exploited by the Chaos malware.
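SSH brute-forcing is the one Chaos propagation method a defender can see directly in host logs. The detector below is an added example for this edition, not code from the original report or from any Chaos analysis; the log lines it runs over are constructed in the syslog format sshd uses on Debian-style systems, with TEST-NET addresses, and the year is assumed to be 2022 because syslog timestamps carry none. It counts failed logins per source address in a sliding window and raises a second, higher-priority alert when a successful login follows a burst of failures from the same source, which is the signal that actually matters for a router that has just been recruited.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPT_RE = re.compile(r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
LOG_YEAR = 2022  # assumption: syslog lines carry no year

# Constructed sample log: a password-guessing burst from 203.0.113.7 that ends in a
# successful root login, one stray failure from 198.51.100.9, and a normal key login.
SAMPLE_LOG = """\
Sep 28 03:14:01 gw1 sshd[2211]: Failed password for root from 203.0.113.7 port 51522 ssh2
Sep 28 03:14:03 gw1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Sep 28 03:14:05 gw1 sshd[2215]: Failed password for root from 203.0.113.7 port 51544 ssh2
Sep 28 03:14:08 gw1 sshd[2217]: Failed password for invalid user pi from 203.0.113.7 port 51551 ssh2
Sep 28 03:14:10 gw1 sshd[2219]: Failed password for root from 203.0.113.7 port 51560 ssh2
Sep 28 03:14:12 gw1 sshd[2221]: Failed password for root from 203.0.113.7 port 51573 ssh2
Sep 28 03:14:15 gw1 sshd[2223]: Accepted password for root from 203.0.113.7 port 51580 ssh2
Sep 28 03:20:40 gw1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40122 ssh2
Sep 28 03:20:49 gw1 sshd[2303]: Accepted publickey for alice from 192.0.2.5 port 40130 ssh2: RSA SHA256:constructedfingerprint
"""


def parse_line(line: str):
    """Turn one sshd syslog line into an event dict, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (LOG_YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    f = FAIL_RE.search(msg)
    if f:
        return {"ts": ts, "event": "fail", "user": f.group("user"), "ip": f.group("ip")}
    a = ACCEPT_RE.search(msg)
    if a:
        return {"ts": ts, "event": "accept", "user": a.group("user"),
                "ip": a.group("ip"), "method": a.group("method")}
    return None


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Alert once per source that reaches `threshold` failures inside `window_s` seconds,
    and again whenever that source then logs in successfully within the window."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["ts"]
        q = failures[ip]
        while q and (now - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures that fell out of the window
        if ev["event"] == "fail":
            q.append(now)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "count": len(q), "at": now})
        elif len(q) >= threshold:
            # success right after a guessing burst: treat the account as compromised
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "method": ev["method"], "at": now})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two design points: the alert for the burst fires once per source so a noisy scanner does not flood the queue, while the success-after-burst alert is never suppressed; and key-based logins are parsed too, because the report notes Chaos also reuses stolen SSH keys, so an `Accepted publickey` from an address that was just guessing passwords deserves the same attention as an accepted password.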

 

Cobalt Strike Beacon Used in Attacks Against Various Countries

The Russian APT group TrickBot has been using Cobalt Strike Beacon in phishing campaigns targeting Ukrainian officials, leveraging emails related to Azovstal. These samples have been found in cyber attacks since April 2022. As the war escalates, cyber attacks have also increased, prompting the Ukrainian CERT to officially call out APT groups and malware targeting Ukrainian organizations and entities.

The Cobalt Strike Beacon campaign is said to leverage a lure document that triggers an infection chain: the document leads to an HTML file download, followed by execution of malicious JavaScript code, which further spreads malware on the compromised systems.

Other government entities in New Zealand and the US have been breached using this same phishing technique to deploy malware.

CVE-2017-0199, a remote code execution issue in Microsoft Office, is used to deploy Cobalt Strike Beacon malware samples.

CVE: CVE-2017-0199
CVSS Score: 7.8
Exploit Type: RCE, WebApp, Other
APT Group: Silence, Mustang Panda, Cobalt Group, Winnti Group, Patchwork, MuddyWater, Molerats, TA459, Transparent Tribe, Higaisa, Kimsuky, Leviathan, OilRig, Gamaredon Group, CopyKittens, White Tur, BlackTech
Ransomware: PEC 2017, Karmen, Petya, Cerber
Affected Product Count: 9
Patch Link: Download

Data Breach in Australian Government Servers Using Optus

An exposed API endpoint at Optus was accessed by a hacker who used it to steal 11.2 million customer records containing sensitive information. The hacker released data samples of around 100 records, which include names, email addresses, physical addresses, passport numbers, and other details of Australian citizens. The ransom demanded for the stolen data is US $1 million; the hacker has warned Optus that if the demand is not met by the weekend, the data will be sold to anyone who pays $1 million. The Australian Federal Police are actively investigating the incident. This incident is a reminder to keep tabs on your application and network infrastructure. Attack surface management (ASM) can make this work easier by regularly scanning for, and alerting you to, any unguarded endpoints in your systems.
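The "unguarded endpoint" check that ASM tooling automates can be shown end to end without any external service. The script below is an added example written for this edition; it is not CSW's platform code and says nothing about Optus's actual API. It starts a throwaway HTTP API on loopback with one constructed endpoint that enforces a bearer token and one that hands out customer records to anyone, then runs an unauthenticated probe over a list of paths and reports every path that answers 200, noting whether the body looks like personal data. The paths, the token `demo-token`, and the PII field names are all assumptions for the demo.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for an API under review. /api/v1/accounts checks a bearer token;
# /api/v1/customers is the mistake: it returns records with no authentication at all.
CUSTOMERS = [{"id": 1, "name": "Example Person", "email": "person@example.invalid"}]
PII_KEYS = {"name", "email", "address", "passport", "phone", "dob"}


class DemoAPI(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/api/v1/customers":
            self._reply(200, CUSTOMERS)                        # unguarded endpoint
        elif self.path == "/api/v1/accounts":
            if self.headers.get("Authorization") == "Bearer demo-token":
                self._reply(200, {"accounts": []})
            else:
                self._reply(401, {"error": "unauthorized"})    # guarded endpoint
        else:
            self._reply(404, {"error": "not found"})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo server quiet


def start_demo_api():
    """Bind the demo API to an ephemeral loopback port and serve it on a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), DemoAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def probe_endpoint(base_url: str, path: str) -> dict:
    """Request `path` with no credentials; record the status and whether the body looks like PII."""
    try:
        with urlopen(Request(base_url + path), timeout=5) as resp:
            status, body = resp.status, resp.read()
    except HTTPError as err:
        status, body = err.code, err.read()
    looks_like_pii = False
    try:
        parsed = json.loads(body)
        records = parsed if isinstance(parsed, list) else [parsed]
        looks_like_pii = any(isinstance(r, dict) and PII_KEYS & set(r) for r in records)
    except ValueError:
        pass
    return {"path": path, "status": status,
            "unauthenticated_ok": status == 200, "pii": looks_like_pii}


def audit_endpoints(base_url: str, paths) -> tuple:
    """Probe every path; findings are the ones that served data without credentials."""
    results = [probe_endpoint(base_url, p) for p in paths]
    findings = [r for r in results if r["unauthenticated_ok"]]
    return results, findings


if __name__ == "__main__":
    srv, url = start_demo_api()
    try:
        results, findings = audit_endpoints(url, ["/api/v1/customers", "/api/v1/accounts", "/api/v1/nothing"])
        for r in results:
            print("%-20s status=%s exposed=%s pii=%s" % (r["path"], r["status"], r["unauthenticated_ok"], r["pii"]))
    finally:
        srv.shutdown()
```

The probe deliberately sends no credentials at all: an endpoint that returns 200 to an anonymous request is the finding, regardless of what it returns, and the PII heuristic only sets the priority. In a real inventory the path list comes from API gateway configuration, OpenAPI documents, or web server logs rather than being typed in, and the scan is scheduled so that a newly deployed route is caught before someone else finds it.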

 

CISA Adds CVE-2022-3236 to the KEV List

On September 23, 2022, CISA added the Sophos Firewall vulnerability CVE-2022-3236 to its Known Exploited Vulnerabilities (KEV) list. CVE-2022-3236 is a remote code execution vulnerability in the User Portal and Webadmin of Sophos Firewall, and it has been used in exploits against specific organizations in South Asia. Sophos has a hotfix for this vulnerability, which is said to be applied to firewalls automatically; however, users of older versions of Sophos Firewall have to upgrade to a supported version to receive the CVE-2022-3236 patch.

CVE: CVE-2022-3236
CNA Score: 9.8 (v3)
Exploit Type: RCE
Patch: Download

Threats to Watch Out For

 

CVE-2022-37767: Command Injection Vulnerability in Java Pebbles

A yet-to-be-patched vulnerability in the Java Pebbles application can be used to bypass Pebble’s command execution defense with carefully crafted code and template files. Check out this section to track how these threats evolve!

CVE: CVE-2022-37767
CVSS Score: 9.8
CWE: CWE-863
Affected Product Count: 1

Flaws in Ethernet VLAN Stacking

CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, and CVE-2021-27862 are vulnerabilities in Ethernet VLAN stacking that allow attackers to launch Distributed Denial of Service (DDoS) and Man-in-the-Middle (MitM) attacks. These vulnerabilities allow an attacker to route traffic to arbitrary destinations from a target device.
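The common thread in VLAN stacking problems is a device that looks at only the outermost tag and forwards whatever sits underneath. The parser below is an added example for this edition, not code from the advisories behind these CVEs and not a claim about how any particular vendor's device handles the frames; it walks every stacked 802.1Q (0x8100) and 802.1ad (0x88A8) tag in a raw Ethernet frame, and `check_frame` turns that into a policy check an inspection point can apply: more tags than the port should carry, a VLAN id the port is not provisioned for, or a reserved id. The frames are constructed with `build_frame`, and the MAC addresses and VLAN ids in the demo are made up.

```python
import struct

ETH_P_8021Q = 0x8100    # customer VLAN tag
ETH_P_8021AD = 0x88A8   # service-provider outer tag (QinQ)
ETH_P_IPV4 = 0x0800
TAG_ETHERTYPES = {ETH_P_8021Q, ETH_P_8021AD}


def parse_frame(frame: bytes) -> dict:
    """Parse destination/source MACs and every stacked VLAN tag; stop at the first non-tag ethertype."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    pos, tags = 12, []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated ethertype")
        ethertype, = struct.unpack("!H", frame[pos:pos + 2])
        if ethertype not in TAG_ETHERTYPES:
            break
        if pos + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci, = struct.unpack("!H", frame[pos + 2:pos + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        pos += 4                      # skip TPID + TCI and look at the next ethertype
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[pos + 2:]}


def build_frame(dst: str, src: str, vids, ethertype: int = ETH_P_IPV4, payload: bytes = b"") -> bytes:
    """Constructed sample frame with the given VLAN id stack (outermost first); not a capture."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vids):
        # use the 802.1ad TPID on the outer tag of a double-tagged frame, 802.1Q otherwise
        tpid = ETH_P_8021AD if (i == 0 and len(vids) > 1) else ETH_P_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP and DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def check_frame(frame: bytes, max_tags: int = 1, allowed_vids=None) -> list:
    """Policy findings for one frame: tag depth beyond `max_tags`, reserved ids, ids not in `allowed_vids`."""
    parsed = parse_frame(frame)
    findings = []
    if len(parsed["tags"]) > max_tags:
        findings.append("stacked_tags:%d" % len(parsed["tags"]))
    for tag in parsed["tags"]:
        if tag["vid"] in (0, 4095):
            findings.append("reserved_vid:%d" % tag["vid"])
        elif allowed_vids is not None and tag["vid"] not in allowed_vids:
            findings.append("unexpected_vid:%d" % tag["vid"])
    return findings


if __name__ == "__main__":
    access_port_vids = {100}
    single = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [100], payload=b"\x45" + b"\x00" * 19)
    double = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [100, 200], payload=b"\x45" + b"\x00" * 19)
    for name, frame in (("single", single), ("double", double)):
        parsed = parse_frame(frame)
        print(name, [t["vid"] for t in parsed["tags"]], hex(parsed["ethertype"]),
              check_frame(frame, allowed_vids=access_port_vids) or "ok")
```

The important design choice is that the loop keeps reading until it meets a non-tag ethertype, rather than consuming one tag and assuming the rest is payload; a filter that stops after the first tag sees the double-tagged frame above as ordinary VLAN 100 traffic, which is exactly how stacked tags let traffic escape the segment a port was provisioned for.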

 

We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures. Leverage our expertise and manage your threats continuously to stay safe from attackers.
