This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
Trending Threats
- CISA Adds CVE-2022-40684 and CVE-2022-41033 to the KEV.
- LockBit Ransomware Deployed in Microsoft Exchange Servers
- Aruba Patches 3 Critical Vulnerabilities
- Multiple Campaigns carried out by IcedID Malware Gang
- Pro-Russian APT Group KillNet Takes Down Airports’ Sites
- Microsoft Fixes 84 Vulnerabilities on October Patch Tuesday
- Alchimist: New Attack Framework Written in Go
- Magniber Ransomware Targets Windows Home Users using JavaScript Files
Threats to Watch out for:
- CVE-2022-40684: Authentication Bypass Vulnerability in Fortinet
- CVE-2022-41343: RCE Vulnerability in Dompdf
- CVE-2022-36067: Critical VM2 Sandbox Escape Vulnerability
- Two Vulnerabilities Exploited in GLPi
- CVE-2022-0030: Authentication Bypass Flaw in PAN OS Web Interface
Trending Threats
CISA Adds CVE-2022-40684 and CVE-2022-41033 to the KEV.
On Oct 11, 2022, CISA added CVE-2022-40684, an Authentication Bypass vulnerability in Fortinet to the Known Exploited Vulnerabilities list.
Following Microsoft’s Patch Tuesday update on Oct 12, 2022, CISA added CVE-2022-41033, a Windows COM+ Event System Service Elevation of Privilege vulnerability to the KEV. It could potentially allow an unauthenticated user access to the victim’s system.
LockBit Ransomware Deployed in Microsoft Exchange Servers
Attackers used compromised Microsoft Exchange Servers and an undisclosed zero-day vulnerability to hack an organization and steal 1.3 TB worth of data. The attackers likely deployed the web shells in July 2022, and then exploited new vulnerabilities to gain access to the AD admin account.
Microsoft is working to patch three associated zero-days: CVE-2022-41040, CVE-2022-41082, and CVE-2022-21969.
Check out the All About LockBit Ransomware blog to learn the group’s attack methodology and latest attacks.
CVE Details

| CVE | CVE-2022-41040 | CVE-2022-41082 | CVE-2022-21969 |
|---|---|---|---|
| CVSS Score | 9 | 9 | 8.8 |
| CWE | Not assigned yet | CWE-269 | Not assigned yet |
| Affected Product Count | 5 | 5 | 5 |
| Patch | | | |

We will be following up on this and update you in the coming weeks.
Aruba Patches 3 Critical Vulnerabilities
Aruba fixed 3 vulnerabilities – CVE-2022-37913, CVE-2022-37914, and CVE-2022-37915 in EdgeConnect Enterprise Orchestrator on October 11, 2022.
CVE-2022-37913 and CVE-2022-37914 are authentication bypass flaws. If exploited, they could allow an unauthenticated remote attacker to bypass authentication and gain administrator privileges, thereby compromising the system.
CVE-2022-37915 is a remote code execution vulnerability in the web-based management interface of EdgeConnect Orchestrator. It could also lead to system takeover by a malicious actor.
Here is the security advisory for these vulnerabilities.
Multiple Campaigns carried out by IcedID Malware Gang
Since September 2022, the threat actors behind IcedID malware have attacked multiple targets seeking out the best ways to deploy the malware. These campaigns use phishing emails to drop IcedID malware via ISO files, archives, or macro-laden document attachments. Most of the campaigns were unsuccessful. The IcedID malware was used as a modular banking trojan in 2017 but has been updated to act as a malware dropper that is commonly used to gain initial access to corporate networks. Malware droppers are used to install further malware on an infected device and also deploy other payloads.
CVE-2018-6882 and CVE-2017-8570 are the vulnerabilities exploited to drop this malware.
CVE Details

| CVE | CVE-2018-6882 | CVE-2017-8570 |
|---|---|---|
| CVSS Score | 6.1 | 7.8 |
| CWE | CWE-79 | Not Assigned |
| Patch | | |
Pro-Russian APT Group KillNet Takes Down Airports’ Sites
Multiple US airport sites experienced a DDoS attack which resulted in downtime. Customers were not able to connect and get updates about their scheduled flights or book airport services. The attack was claimed by the pro-Russian hacktivist group KillNet, which has been very active in the Russia-Ukraine war. They used custom software to generate fake requests and garbage traffic directed at the sites’ servers, with the goal of depleting their resources and making them unavailable to legitimate users. Hartsfield-Jackson Atlanta International Airport (ATL) and Los Angeles International Airport (LAX) were among the attacked airports. This DDoS attack, however, did not impact flight services.
KillNet has targeted multiple countries that backed Ukraine in the war and with new developments in the war, we will be seeing a lot more of this group.
Microsoft Fixes 84 Vulnerabilities on October Patch Tuesday
On this month’s Patch Tuesday (October 11, 2022), Microsoft released patches for 84 vulnerabilities, including two zero-days, one of which is actively exploited.
CVE-2022-41033 is a Windows COM+ Event System Service Elevation of Privilege vulnerability. It is actively exploited in the wild. This vulnerability could allow access to the victim’s system.
CVE-2022-41043 is a Microsoft Office Information Disclosure vulnerability. It is the other zero-day: it was publicly disclosed, but it is not the one reported as actively exploited.
Here are the other critical vulnerabilities for which patches are now available: CVE-2022-41038, CVE-2022-41036, CVE-2022-38053, CVE-2022-38051, CVE-2022-38050, CVE-2022-38048, CVE-2022-38028, CVE-2022-37997, CVE-2022-37989, CVE-2022-37987, CVE-2022-37974, CVE-2022-37970, CVE-2022-34689.
Alchimist: New Attack Framework Written in Go
A new attack framework with a command and control tool called Alchimist was recently discovered. This framework also uses a remote access trojan known as Insekt to infect victims’ systems. Insekt can run arbitrary commands, manipulate SSH keys, perform port and IP scans, write or unzip files to the disk, and execute shellcode on the host.
Alchimist has been actively targeting and attacking Windows, Linux, and macOS systems. It uses Simplified Chinese in its web-based interface and is very similar to Manjusaka, a recently emerged post-exploitation attack framework that is growing popular among Chinese hackers. Alchimist is suspected to have originated from China.
CVE-2021-4034 is used by Alchimist to exploit systems.
CVE : CVE-2021-4034
CVSS Score : 7.8 (v3)
Patch : Download
Magniber Ransomware Targets Windows Home Users using JavaScript Files
Recently, Windows Home users have raised concerns about ransomware attacks on their systems. The systems were infected with the Magniber ransomware when they downloaded antivirus and Windows 10 and 11 security updates from illegitimate websites. Magniber has been distributed via malicious sites since April 2022. The downloaded files contained JavaScript that initiated an intricate infection with the file-encrypting malware. Magniber operators demanded around $2500 to deliver the tool used to decrypt infected files.
CVE-2016-0189, CVE-2018-8174, CVE-2019-1367, CVE-2020-0968, CVE-2021-26411, CVE-2021-34527, and CVE-2021-40444 are the CVEs associated with Magniber ransomware.
Threats to Watch out for
CVE-2022-40684: Authentication Bypass Vulnerability in Fortinet
Users of FortiGate firewalls and FortiProxy web proxies should be aware of CVE-2022-40684 which could potentially allow administration access in vulnerable devices. According to a Shodan search, more than 100,000 FortiGate firewalls are open to the Internet, although it’s unknown if their management interfaces are also exposed. Fortinet has released an advisory for this vulnerability.
CVE-2022-41343: RCE Vulnerability in Dompdf
A recently discovered vulnerability, tracked as CVE-2022-41343, allows remote code execution via phar deserialization in a vulnerable application, even without an internet connection. In PHP, passing a phar:// path to a filesystem function makes the runtime parse the archive and deserialize its metadata, so an attacker who can control such a path gets unserialize() called on data they supplied. A patch is available for this vulnerability in the latest Dompdf release.
CVE Details
CVE : CVE-2022-41343
CVSS Score : 7.5 (v3)
CWE ID : CWE-552
Patch : Download
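To make the phar deserialization risk concrete from the defender's side, here is an added PHP example (written for this write-up, not Dompdf's own code, and not a reproduction of CVE-2022-41343) showing the generic vulnerable pattern next to a hardened loader. The function names, the `$baseDir` confinement and the http/https allow list are assumptions chosen for the illustration.

```php
<?php
// Added example, not Dompdf code: hardening a PHP resource loader against
// phar:// metadata deserialization.
//
// Background: filesystem functions that honour stream wrappers (file_exists,
// is_file, file_get_contents, getimagesize, ...) will, for a "phar://" path,
// parse the archive and unserialize() its metadata. A caller who controls the
// path and a file on disk therefore reaches unserialize() on their own bytes.

declare(strict_types=1);

/**
 * Vulnerable pattern (assumed, for contrast): a caller-supplied path goes
 * straight to filesystem functions, so a "phar://" prefix is honoured.
 */
function loadResourceVulnerable(string $path): ?string
{
    if (!file_exists($path)) {          // already triggers phar metadata unserialize()
        return null;
    }
    return file_get_contents($path) ?: null;
}

/**
 * Hardened variant: only allow-listed URL schemes for remote resources,
 * and local paths canonicalised and confined to a fixed base directory.
 */
function loadResourceHardened(string $path, string $baseDir): ?string
{
    $allowedSchemes = ['http', 'https'];   // assumption: app only fetches web resources
    $scheme = parse_url($path, PHP_URL_SCHEME);

    if (is_string($scheme)) {
        // Remote-looking path: reject anything not on the allow list
        // (this is what stops phar://, file://, data://, expect:// ...).
        if (!in_array(strtolower($scheme), $allowedSchemes, true)) {
            return null;
        }
        return @file_get_contents($path) ?: null;
    }

    // Local path: realpath() does not understand stream wrappers and resolves
    // "..", so a wrapper-prefixed or escaping path fails the containment check.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($real) ?: null;
}

// Defence in depth: if the application never legitimately opens .phar files,
// remove the wrapper so "phar://" paths fail in every code path, not just here.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

The scheme check matters more than it looks: `parse_url()` reports `phar` as the scheme of `phar://...`, so an allow list of schemes (rather than a deny list of bad ones) closes the wrapper family in one place. Unregistering the phar wrapper is the broadest mitigation, but do it only in applications that never load .phar files themselves (tools shipped as phar archives, or code that opens them through `Phar`, will break).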
CVE-2022-36067: Critical VM2 Sandbox Escape Vulnerability
CVE-2022-36067 was recently uncovered in VM2 JavaScript Sandbox, which is widely used by developers all around the world. It has a score of 10.0 on CVSS. If exploited, the vulnerability could allow an attacker to bypass the vm2 sandbox environment and run shell commands on the machine hosting it.
CVE Details
CVE : CVE-2022-36067
CVSS Score : 10 (v3)
CWE ID : CWE-552
All VM2 sandbox users are urged to patch this vulnerability immediately.
Two Vulnerabilities Exploited in GLPi
GLPi (Gestionnaire Libre de Parc Informatique), an IT asset management company disclosed 2 vulnerabilities (CVE-2022-35947 and CVE-2022-35914) to the public on October 7, 2022.
These vulnerabilities are said to have been exploited in the wild. Both the vulnerabilities allow remote code execution and bypass of security policy.
GLPi has released a security advisory for these vulnerabilities.
CVE Details

| CVE | CVE-2022-35947 | CVE-2022-35914 |
|---|---|---|
| CVSS Score | 9.8 | 9.8 |
| CWE | CWE-89 | CWE-74 |
| Affected Product Count | 1 | 1 |
| Patch | | |
CVE-2022-0030: Authentication Bypass Flaw in PAN OS Web Interface
Palo Alto Networks released a patch for CVE-2022-0030 which is found in the PAN-OS 8.1 web interface. A network-based attacker with specific knowledge of the target firewall or Panorama appliance could potentially impersonate an existing PAN-OS administrator and perform privileged actions using this vulnerability.
PAN has advised its web interface users to patch this vulnerability immediately.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.