CSW’s weekly threat intelligence edition brings you early warnings about critical vulnerabilities that could be weaponized and prove dangerous to your organization and its assets.
All CVEs mentioned in this blog edition have received a maximum rating from the Threat Intelligence platform indicating high probability of exploitation. We urge organizations to prioritize these warnings and proactively patch these vulnerabilities.
Check out our Podcast on Top 3 Threats of the Week!
Top Critical Cyber Threats of the Week
Russia’s APT28 Launches Follina Exploit Campaign in Ukraine
APT28, a notorious advanced persistent threat group from Russia, is the latest attacker to attempt to exploit the Follina vulnerability in the Microsoft Support Diagnostic Tool (MSDT). The threat actor, also known as Fancy Bear and Sofacy, was observed this week sending phishing emails to Ukrainian users that carry a malicious document containing an exploit for the now-patched vulnerability (CVE-2022-30190). The document was titled “Nuclear Terrorism A Very Real Threat.rtf” and appeared to be an attempt to exploit fears that the conflict in Ukraine would spiral into a nuclear holocaust.
Threat Associated CVEs: CVE-2022-30190
CVSS Score: 7.8
Affected Product Count: 18
Exploit Type: RCE
CWE: NVD-CWE-noinfo
Ransomware Associations: NA
APT Groups: TA413, APT28, and TA570
Malware: QBot, Sandworm, and AsyncRAT
CISA KEV: Yes
CISA Patch Deadline: June 6, 2022
Patch: Download
Critical PHP Flaw Opens QNAP NAS Devices to RCE Attacks
QNAP has warned customers today that some of its Network Attached Storage (NAS) devices (with non-default configurations) may be vulnerable to attacks exploiting a three-year-old critical PHP vulnerability. The vendor has already patched the security flaw (CVE-2019-11043) for the affected operating systems (QTS 5.0.1.2034 build 20220515 or later, and QuTS hero h5.0.0.2069 build 20220614 or later).
Threat Associated CVEs: CVE-2019-11043
CVSS Score: 9.8
Affected Product Count: 11
Exploit Type: RCE, PE, WebApp, DoS
CWE: CWE-787, CWE-120
Ransomware Associations: NextCry
APT Groups: NA
Malware: NA
CISA KEV: Yes
CISA Patch Deadline: April 15, 2022
Patch: Download
CVE-2022-22620: Apple’s Safari Zombie Zero-Day Fixed!
A Google Project Zero researcher described the vulnerability as a “zombie” Safari zero-day (CVE-2022-22620): a bug that came back from the dead and was then found being exploited in the wild. Originally patched in 2013, the flaw reappeared in December 2016, according to Google Project Zero. It can be exploited by processing maliciously crafted web content. Given the active exploitation, CISA added this CVE to its catalog.
Threat Associated CVEs: CVE-2022-22620
CVSS Score: 8.8
Affected Product Count: 4
Exploit Type: NA
CWE: CWE-416
Ransomware Associations: NA
APT Groups: NA
Malware: NA
CISA KEV: Yes
CISA Patch Deadline: February 25, 2022
Patch: Download
New ToddyCat APT Gang Hacks Microsoft Exchange Servers
The ToddyCat advanced persistent threat group has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year, since at least December 2020.
Researchers found a previously unknown passive backdoor they called Samurai, and a new trojan malware they named Ninja Trojan, while tracking the group’s activity. With both malware strains, attackers can control infected systems, and move laterally in networks.
The group exploited the Microsoft Exchange ProxyLogon vulnerabilities to execute code remotely on vulnerable servers and deploy China Chopper web shells.
Adobe Illustrator Patches Multiple Zero-Day Vulnerabilities
On June 14, 2022, Adobe released a security patch that fixed five vulnerabilities, identified as CVE-2022-30649, CVE-2022-30666, CVE-2022-30667, CVE-2022-30668, and CVE-2022-30669. These vulnerabilities have different root causes related to two Illustrator plugins. Adobe Illustrator 2022 versions 26.0.2 and earlier and Adobe Illustrator 2021 versions 25.4.5 and earlier are affected.
Avos Ransomware Group Develops New Attack Methods
Researchers have discovered a new AvosLocker campaign that hunts for exposed networks. The attackers used a variety of tools, including Sliver, Cobalt Strike, and several commercially available network scanners. The initial intrusion in this incident came through a pair of VMware Horizon Unified Access Gateways that were vulnerable to Log4Shell.
RIG Exploit Kit Infects Victims’ PCs With Dridex
A few months ago, the cybercriminals behind the RIG Exploit Kit dropped the credential-stealing Trojan Raccoon Stealer after its lead developer was reportedly killed in the Russian invasion of Ukraine. The RIG operators quickly replaced it with the notorious financial Trojan Dridex, which is capable of keylogging and screenshot theft, delivered through the tried-and-true RIG Exploit Kit.
PoC Now Available for VMware Vulnerability (CVE-2022-22980)
VMware released a security bulletin revealing a high-severity SpEL expression injection vulnerability (CVE-2022-22980) in Spring Data MongoDB. The vulnerability affects Spring Data MongoDB applications that use repository query methods annotated with @Query or @Aggregate and containing parameterized SpEL statements. Exploitation requires that unsanitized input reach these repository queries.
Threat Associated CVEs: CVE-2022-22980
CVSS Score: NA
Exploit Type: NA
CWE: NA
Ransomware Associations: NA
APT Groups: NA
Malware: NA
Patch: Download
Siemens Fixes 15 Vulnerabilities in Its Industrial Network Management System
Siemens has disclosed details of 15 security flaws in its SINEC network management system (NMS), some of which could be exploited by an attacker to achieve remote code execution on affected systems.
Privilege Escalation Vulnerability in Linux Kernel
CVE-2022-0492, a new Linux kernel privilege escalation vulnerability, was disclosed on Feb 4, 2022. It affects control groups (cgroups), a Linux component that is the basis of containers. This is one of the easiest Linux privilege escalations discovered in recent history: it exposes a privileged operation to unprivileged users by mistake.
Threat Associated CVEs: CVE-2022-0492
CVSS Score: 7.8
Affected Product Count: 43
Exploit Type: NA
CWE: CWE-287
Ransomware Associations: NA
APT Groups: NA
Malware: NA
CISA KEV: Yes
Patch: Download
CSW is on a mission to fix the biggest gap in the cybersecurity industry!
Get early warning alerts from our Threat Intelligence team and proactively patch!
Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.