This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Watch David Rushton elaborate on the top three critical threats of the week on our podcast!
Trending Threats
- CISA Adds 1 More Vulnerability to the KEV
- New Malware from Cranefly: Geppei
- LockBit Adds More CVEs to its Assault Arsenal
- BlackBasta Ransomware Linked to FIN7
Threats to Watch Out For
- Critical Vulnerabilities Addressed in OpenSSL
- Vulnerabilities in Apache Batik Library
- Juniper Fixes Critical Vulnerabilities in Junos OS
Trending Threats
CISA Adds 1 More Vulnerability to the KEV
On Oct 28, 2022, CISA added CVE-2022-3723 to the KEV. It is an actively exploited Google Chrome zero-day, described as a type confusion flaw in the V8 JavaScript engine. By exploiting it, an attacker can read sensitive information belonging to other applications, cause crashes, or execute arbitrary code. Google released a Chrome patch on Oct 27, 2022, after multiple exploit campaigns in the wild.
CVE Details
CVE | V2 Score | V2 Severity | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
---|---|---|---|---|---|---|---|---|---
CVE-2022-3723 | | | 8.80 | HIGH | 8.8 | HIGH | CWE-843 | 1 |
New Malware from Cranefly: Geppei
The hacking group Cranefly has been using new malware on target systems. Its latest technique reads commands from IIS (Internet Information Services) logs to communicate with a previously unknown dropper trojan, Geppei, which installs backdoors and other custom tools. The malware used to distribute and gather information are Danfuan and Regeorg. Cranefly spent at least 18 months on victim networks and, to remain undetected, used backdoors on devices that did not support security tools.
Cranefly deploys these backdoors mainly to gather intelligence from corporate organizations, gaining entry through phishing emails sent to their employees. Judging by its techniques, it is a sophisticated group of attackers whose main motive is intelligence gathering.
IIS logs have not been seen used this way in cyber attacks before, and in future this technique could be used to deliver different types of malware if leveraged by threat actors with malicious goals.
LockBit Adds More CVEs to its Assault Arsenal
LockBit has added more CVEs to its exploit list; among them, Microsoft vulnerabilities are the most widely targeted and abused. LockBit's latest attacks were on Thales, a French defence and technology group. LockBit claimed that data had been stolen from the organization and threatened to publish it if its ransom demands are not met by Nov 7, 2022.
They also claimed responsibility for a cyberattack against the German multinational automotive group Continental in which data was stolen.
CVE Details
BlackBasta Ransomware Linked to FIN7
Recent research has revealed that BlackBasta ransomware may be linked to FIN7 (AKA Carbanak), a financially motivated Russian hacking group. Analyzing attacks by both groups, researchers found that their Endpoint Detection and Response (EDR) evasion tools had the same authors. BlackBasta has been using these EDR evasion tools since June 2022. Samples of SocksBot, a backdoor used exclusively by FIN7, were also found in BlackBasta's recent attacks.
FIN7 was observed using Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks earlier this year. BlackBasta used the same TTPs and IP addresses in the following months, another indication of collaboration between the groups.
FIN7 has previously worked with multiple ransomware groups namely, Maze, Ryuk, Darkside, and BlackCat/ALPHV for initial compromise.
CVE-2022-30190, CVE-2020-1472, CVE-2021-42287, CVE-2021-42278, and CVE-2021-34527 are exploited by BlackBasta and FIN7.
CVE Details
CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Attack Classification | Ransomware Names | Threat Actor Names | Patch Link
---|---|---|---|---|---|---|---|---|---
CVE-2022-30190 | 7.80 | HIGH | 7.8 | HIGH | | RCE, WebApp, Other | Bisamware | APT29, UAC-0098, Leviathan, Sandworm Team, TA413 |
CVE-2021-34527 | 8.80 | HIGH | 8.8 | HIGH | CWE-269 | RCE, DoS, Other | Conti, Vice Society, Black Basta, Magniber | DEV-0832 |
CVE-2021-42278 | 8.80 | HIGH | 8.8 | HIGH | CWE-269 | | Black Basta | |
CVE-2021-42287 | 8.80 | HIGH | 8.8 | HIGH | CWE-269 | | Black Basta | |
CVE-2020-1472 | 10.00 | CRITICAL | 10 | CRITICAL | CWE-330, CWE-287 | PE, DoS, WebApp, Other | Darkside, Conti, Ryuk, CLOP, Thanos, Black Basta, Babuk, Epsilon Red | Wizard Spider, Prophet Spider, MuddyWater, TA505, menuPass, FIN7, Sandworm Team, Earth Lusca |
Threats to Watch Out For
Critical Vulnerabilities Addressed in OpenSSL
CVE-2022-3602 and CVE-2022-3786 are vulnerabilities in OpenSSL, the open-source cryptography library used to implement secure communications online.
CVE-2022-3602 allows a crafted email address to overflow exactly four attacker-controlled bytes on the stack, allowing access to the server.
CVE-2022-3786 can overflow an arbitrary number of bytes on the stack with the "." character, leading to denial of service on a server that requires client authentication.
Initial access through these vulnerabilities is complicated and requires pre-authenticated configurations, which limits widespread exploitation.
OpenSSL has released a security advisory to help fix these vulnerabilities.
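As an added example that is not part of this newsletter: a Python check that parses an `openssl version` banner and flags builds in the affected range, so a fleet inventory can be triaged before patching. The affected range (3.0.0 through 3.0.6, fixed in 3.0.7) is taken from the OpenSSL advisory rather than from this page, and the sample banners are constructed.

```python
import re
import subprocess

# Affected range per the OpenSSL 3.0.7 advisory (a fact not stated on this page):
# OpenSSL 3.0.0 through 3.0.6 are vulnerable to CVE-2022-3602 and CVE-2022-3786;
# 3.0.7 fixes both. The 1.1.1 and 1.0.2 branches lack the affected punycode code.
AFFECTED_CVES = ("CVE-2022-3602", "CVE-2022-3786")
FIXED_PATCH = 7  # first safe 3.0.x patch level

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(banner):
    """True if the banner describes a 3.0.x build older than 3.0.7."""
    major, minor, patch = parse_version(banner)
    return (major, minor) == (3, 0) and patch < FIXED_PATCH


def check_local_openssl():
    """Run `openssl version` on this host; returns None if openssl is absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return {"banner": out.strip(), "affected": is_affected(out)}


# Constructed sample banners covering the edge cases of the check.
SAMPLES = [
    "OpenSSL 3.0.5 5 Jul 2022",    # affected: 3.0.x below 3.0.7
    "OpenSSL 3.0.0 7 Sep 2021",    # affected: first 3.0 release
    "OpenSSL 3.0.7 1 Nov 2022",    # fixed
    "OpenSSL 1.1.1q  5 Jul 2022",  # not affected: 1.1.1 branch
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner:30s} affected={is_affected(banner)}")
    print(check_local_openssl())
```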
CVE Details
CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
---|---|---|---|---|---|---|---
CVE-2022-3602 | 9.80 | CRITICAL | 9.8 | CRITICAL | CWE-120, CWE-119, CWE-121 | 3 |
CVE-2022-3786 | 7.50 | HIGH | 7.5 | HIGH | CWE-120, CWE-193, CWE-119, CWE-121 | 3 |
Vulnerabilities in Apache Batik Library
CVE-2022-40146 is a Server-Side Request Forgery (SSRF) vulnerability that could allow remote attackers to execute arbitrary code on affected installations of Apache Batik. It is caused by the lack of proper validation of a URI before resources are accessed.
CVE-2022-38398 is also an SSRF vulnerability; it allows remote attackers to disclose sensitive information on affected installations of Apache Batik.
Users are recommended to upgrade to the latest version, Apache Batik 1.15, to resolve these vulnerabilities.
CVE Details
CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
---|---|---|---|---|---|---|---
CVE-2022-40146 | 7.50 | HIGH | 7.5 | HIGH | CWE-918 | 1 |
CVE-2022-38398 | 5.30 | MEDIUM | 5.3 | MEDIUM | CWE-918 | 1 |
Juniper Fixes Critical Vulnerabilities in Junos OS
Six high-severity vulnerabilities in Juniper Junos OS affect enterprise networking devices. They are:
- CVE-2022-22241 – a remote, pre-authenticated PHP archive file deserialization vulnerability
- CVE-2022-22242 – a pre-authenticated reflected XSS that allows a remote adversary to steal a Junos OS admin session and chain it with other flaws that require authentication
- CVE-2022-22243 and CVE-2022-22244 – two XPath injection flaws that allow a remote authenticated attacker to steal and manipulate Junos OS admin sessions
- CVE-2022-22245 – a path traversal flaw that could allow a remote authenticated attacker to upload PHP files to an arbitrary location
- CVE-2022-22246 – a local file inclusion vulnerability that could be weaponized to run untrusted PHP code
Juniper released a security advisory on how to patch these vulnerabilities.
CVE Details
CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE | Affected Product Count | Patch Link
---|---|---|---|---|---|---|---
CVE-2022-22242 | 6.10 | MEDIUM | 6.1 | MEDIUM | CWE-79 | 160 |
CVE-2022-22241 | 9.80 | CRITICAL | 9.8 | CRITICAL | CWE-502, CWE-20 | 161 |
CVE-2022-22243 | 4.30 | MEDIUM | 4.3 | MEDIUM | CWE-20, CWE-91 | 162 |
CVE-2022-22246 | 8.80 | HIGH | 8.8 | HIGH | CWE-829 | 161 |
CVE-2022-22245 | 4.30 | MEDIUM | 4.3 | MEDIUM | CWE-22, CWE-23 | 160 |
CVE-2022-22244 | 5.30 | MEDIUM | 5.3 | MEDIUM | CWE-91 | 160 |
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.