This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catchup when you can fix this now?
Check out our podcast, hosted by David Rushton, on the top critical threats of this week!
Trending Threats
- Microsoft’s Zero Days exploited in the Wild
- Witchetty Group Employs New Techniques in Latest Attacks
- ZINC Attacks Security Researchers
- TA413 Introduces New Malware ‘LOWZERO’ Against Tibetan Targets
- APT28 Comes Up With a New Stealer – CredoMap
- Chaos – The Latest Go-based Malware
- Cobalt Strike Beacon Used in Attacks Against Various Countries
- CISA Adds CVE-2022-3236 to the KEV List
- Data Breach in Australian Government Servers Using Optus
Threats to Watch out for
Trending Threats
Microsoft’s Zero Days Exploited in the Wild
Security researchers have traced back an attack in critical infrastructure in a yet-to-be-named company to two zero-day vulnerabilities in Microsoft Exchange servers. The vulnerabilities have now been assigned the following CVEs: CVE-2022-41040 and CVE-2022-41082.
CVE-2022-41040: Server-Side Request Forgery (SSRF) vulnerability
CVE-2022-41082: Microsoft Exchange Server Remote code execution (RCE) vulnerability. Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082.
There are no patches available for these vulnerabilities yet. However, Microsoft is reportedly working on an accelerated timeline to release a fix.
Here’s a guide to mitigating the vulnerabilities.
Witchetty Group Employs New Techniques in Latest Attacks
Witchetty, a cyber espionage group, has been active since April 2022. It is believed to be a subgroup of TA410. In its attacks on Middle Eastern and African organizations this year, the group used new tools such as Trojan backdoor and steganography. Steganography allows the attacker to hide the payload within an image and distribute it. The group also used a custom proxy utility, a custom port scanner, and a persistence utility.
Witchetty exploited the PowerShell Execution Policy and ProxyShell vulnerability to breach a Middle Eastern Government agency. In this attack, it also used the LookBack Backdoor.
CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, and CVE-2021-27065 are the CVEs exploited by Witchetty.
ZINC Attacks Security Researchers
A threat actor known as ZINC has been attacking security researchers after a long and carefully planned campaign. The threat actor gained the trust of more than 2,.000 followers on Twitter, many of whom were security researchers. After approaching them on Twitter, the threat actor moved the conversations to another medium (email, DISCORD, etc.) and exchanged blog posts, research materials, etc. In some cases, the threat actor sent encrypted or PGP-protected ZIP files. Some files and links contained malicious payloads downloaded to the victims’ systems. Some of the files sent by ZINC to researchers were malicious Visual Studio projects that included prebuilt binaries.
The malware the threat actor used includes Comebacker malware, Klackring malware, and an encrypted Chrome password-stealer.
The Twitter account maintained by ZINC is under the handle of Zhang Guo. The blogs are hosted on (br0vvnn[.]io).
CVE-2017-16238 is heavily exploited by ZINC. This CVE discovered in 2017 is not listed in the NVD or in MITRE. There are no official resources detailing this vulnerability. It is another example of how there are huge gaps in data in national cyber resources. In most cases, these are the only reference points for security officers in government agencies. At this rate, organizations will be completely in the dark regarding exploits and fall easy prey to attackers.
Here’s a blog detailing the gaps in MITRE techniques.
TA413 Introduces New Malware “LOWZERO” against Tibetan Targets
TA413, a Chinese APT group, has attacked Tibetan government agencies since 2020 to gather intelligence. Thus far, it has deployed malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension, dubbed FriarFox. In its latest attacks in September 2022, it deployed a new malware named LOWZERO. This malware can receive additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor. The latest attacks exploited two CVEs, CVE-2022-1040 (Sophos Firewall) and CVE-2022-30190 (Follina bug). CVE-2022-1040 is a zero-day exploit used in previous attacks by TA413 and other APT groups. The Follina bug in Microsoft Office is widely exploited by multiple APT groups. TA413 is known for using tried-and-tested methods of exploits in zero-day bugs. It also uses multiple malware samples to extract information and avoid detection.
APT28 Comes up with a New Stealer—CredoMap
A new stealer named CredoMap was developed by the Russian APT group FancyBear (APT28) to be used against Ukrainian organizations. The version used in the latest attacks in May 2022 is dubbed CredoMap_v_2. The stealer is the malware designed specifically to steal sensitive information such as OS credentials, passwords stored in browsers and cookies, etc.
APT 28 exploits the Follina bug (CVE-2022-30190) to deploy the malware samples and extract information.
CVE |
CVE-2022-30190 |
---|---|
CVSS Score |
7.8 |
Exploit Type |
[‘RCE’, ‘WebApp’,’Other’] |
APT Group |
UAC-0098, Sandworm Team, APT29, Leviathan, TA413 |
Affected Product Count |
18 |
Patch Link |
Chaos—The Latest Go-Based Malware
There’s yet another malware developed using the Go language—Chaos. It is used in attacks on Windows and Linux devices for DDoS attacks and cryptomining. This botnet malware has already been deployed in many small routers, and security researchers are warning everyone to be on the lookout for any unpatched vulnerabilities in the system. The Chaos malware propagates through these security vulnerabilities and uses SSH brute-forcing. It also uses stolen SSH keys to hijack more devices.
Small or home office routers are targeted in Europe, America, and the Asia-Pacific regions. Australia and New Zealand have no traces of the Chaos bots.
CVE-2017-17215, CVE-2022-30525, and CVE-2022-1388 are the most exploited vulnerabilities by Chaos malware.
Cobalt Strike Beacon Used in Attacks against Various Countries
The Russian APT group TrickBot has been using Cobalt Strike Beacon in phishing campaigns targeting Ukrainian officials and leveraging emails related to Azovstal. These samples were found in cyberattacks since April 2022. As the war escalates, cyberattacks have also increased, prompting the Ukraine CERT to officially call out APT groups and malware targeting Ukrainian organizations and entities.
Cobalt Strike Beacon is said to leverage a lure document that triggers an infection chain and leads to an HTML file download, followed by executing malicious JavaScript code, which further spreads malware on the compromised systems.
Other government entities in New Zealand and the US have been breached using this same phishing technique to deploy malware.
CVE-2017-0199, a remote code execution issue in Microsoft Office, is used to deploy Cobalt Strike Beacon malware samples.
CVE |
CVE-2017-0199 |
---|---|
CVSS Score |
7.8 |
Exploit Type |
[‘RCE’, ‘WebApp’,’Other’] |
APT Group |
Silence, Mustang Panda, Cobalt Group, Winnti Group, Patchwork, MuddyWater, Molerats, TA459, Transparent Tribe, Higaisa, Kimsuky, Leviathan, OilRig, Gamaredon Group, CopyKittens, White Tur, BlackTech |
Ransomware |
PEC 2017, Karmen, Petya, Cerber |
Affected Product Count |
9 |
Patch Link |
Data Breach in Australian Government Servers Using Optus
An exposed API endpoint in Optus was accessed by a hacker who used it to steal 11.2 million customer records with sensitive information. The hacker released data samples containing around 100 records, including Australian citizens’ names, email addresses, physical addresses, passport numbers, etc. The ransom for the stolen data is US $1 million. The hacker has warned Optus that if the ransom demand is not met by the weekend, they would sell the data to anyone who pays them $1 million. The Australian Federal Police is actively investigating this incident. This incident is a reminder to keep tabs on your application and network infrastructure. ASM can make this work easier by regularly scanning and alerting you to any unguarded endpoints in your systems.
CISA Adds CVE-2022-3236 to the KEV List
On September 23, 2022, CISA added the Sophos Firewall Vulnerability CVE-2022-3236 to the Known Exploited Vulnerabilities list. CVE-2022-3236 is a Remote Execution Code vulnerability found in the User Portal and Webadmin of Sophos Firewall. It has been targeted in exploits against specific organizations in South Asia. Sophos has a hotfix for this vulnerability, and it is said to be automatically applied to the firewalls. However, users of older versions of Sophos Firewall would have to upgrade to a supported version to receive the CVE-2022-3236 patch.
CVE | CVE-2022-3236 |
---|---|
CNA Score | 9.8 (v3) |
Exploit Type | RCE |
Patch | Download |
Threats to Watch out for
CVE-2022-37767: Command Injection Vulnerability in Java Pebbles
A yet-to-be-patched vulnerability exists in the Java Pebbles application, which can be used to bypass Pebble’s command execution defense with carefully crafted code and template files. Check out this section to track how these threats evolve!
CVE |
CVE-2022-37767 |
---|---|
CVSS Score |
9.8 |
CWE |
CWE-863 |
Affected Product Count |
1 |
Flaws in Ethernet VLAN
CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, and CVE-2021-27862 are vulnerabilities in Ethernet VLAN stacking, allowing hackers to launch Distributed Denial-of-Service (DDoS) and Man-in-the-Middle (MiTM) attacks. These vulnerabilities allow an attacker to route traffic from a target device to arbitrary destinations.
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures. Leverage our expertise and manage your threats continuously to stay safe from attackers.