{"id":7225,"date":"2022-09-09T07:17:06","date_gmt":"2022-09-09T14:17:06","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7225"},"modified":"2023-04-05T12:27:02","modified_gmt":"2023-04-05T19:27:02","slug":"securins-threat-intelligence-september-05-2022-september-09-2022","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/securins-threat-intelligence-september-05-2022-september-09-2022\/","title":{"rendered":"Securin’s Threat Intelligence Sep 5, 2022 – Sep 9, 2022"},"content":{"rendered":"
<p>This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.<\/p>\n
<p><strong>Why play catch-up when you can fix this now?<\/strong><\/p>\n
<p><strong>Check out our podcast on the top critical threats of this week, hosted by David Rushton!<\/strong><\/p>\n
<h2>Trending Critical Threats<\/h2>\n
<h3>Nemesis Kitten: A New Iranian Ransomware Group<\/h3>\n
<p>Nemesis Kitten, believed to be a sub-group of the Iranian APT group Phosphorus, has been conducting vulnerability scanning on behalf of the Iranian government. Alongside that work, it has carried out multiple ransomware attacks on organizations.<\/p>\n
<p>Its attack methodology is to exploit newly disclosed high-severity vulnerabilities for initial access and then use LOLBINs (Living Off the Land Binaries) to persist and escalate privileges. Once inside, the group turns the built-in BitLocker tool against the victim, using it to encrypt the drives of compromised devices. Because BitLocker is a signed Microsoft component that is expected to be present, this stage rarely trips antivirus; detection has to come from the context in which it is invoked: the parent process, the account, and the surrounding command line.<\/p>\n
<p>Apart from geopolitical motives, the group also appears to be financially motivated and has ransomed private organizations in the past.<\/p>\n
<p>CVE-2018-13379, CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065 are the CVEs exploited by Nemesis Kitten (the Fortinet FortiOS SSL VPN path traversal and the Microsoft Exchange ProxyLogon chain).<\/p>\n
<h3>CISA Warns of Vice Society Ransomware that Targets Schools<\/h3>\n
<p>Threat actors have been targeting schools to extort large ransoms since before the pandemic. The education sector is an easy target because of its weak security infrastructure and limited resources. CISA and the FBI jointly released a warning about the Vice Society group, which has been hitting K-12 school districts with ransomware variants including HelloKitty\/FiveHands and Zeppelin, supported by tooling such as Cobalt Strike. After initial access, the actors exfiltrate data and use double-extortion techniques to pressure victims into paying.<\/p>\n
<p>CVE-2021-1675 and CVE-2021-34527 (the PrintNightmare flaws in the Windows Print Spooler) are the two CVEs commonly targeted by Vice Society. CVE-2021-34527 is a critical vulnerability that has been used in many attacks.<\/p>\n
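The Vice Society item above leans on CVE-2021-34527, and the practical question for a defender is which hosts are still exposed. The following is an added example written for this edition, not code from the original article or from Microsoft. It scores a host from three things: whether the Print Spooler service is running, whether the August 2021 (KB5005010) or a later cumulative update is installed, and the Point and Print policy values Microsoft documents under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint. The host snapshots are constructed for the demo; the optional collector reads live values and only runs on Windows.

```python
"""Assess Windows hosts for exposure to PrintNightmare (CVE-2021-34527).

Added example for this edition; not code from the original article or from
Microsoft. The registry key and value names are the Point and Print policy
settings Microsoft documents; the host snapshots below are constructed.
"""
import subprocess
import sys

# HKLM subkey that holds the Point and Print policy (absent = no policy configured).
POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
POLICY_VALUES = (
    "NoWarningNoElevationOnInstall",               # 1 = drivers install with no elevation prompt
    "UpdatePromptSettings",                        # non-zero = driver update prompts suppressed
    "RestrictDriverInstallationToAdministrators",  # 0 = any user may install printer drivers
)


def assess_printnightmare(snapshot):
    """Score one host snapshot and return {'exposed': bool, 'findings': [str, ...]}.

    snapshot keys: spooler_running (bool), august_2021_update (bool, or None when
    unknown: is KB5005010 or a later cumulative update installed), and any of
    the POLICY_VALUES that are set on the host (int).
    """
    findings = []
    if not snapshot.get("spooler_running"):
        findings.append("Print Spooler not running: CVE-2021-34527 is unreachable on this host")
        return {"exposed": False, "findings": findings}

    exposed = False
    patched = snapshot.get("august_2021_update")
    if patched is False:
        exposed = True
        findings.append("Spooler running without KB5005010 or a later update: patch first")
    elif patched is None:
        findings.append("Patch level unknown: confirm KB5005010 or a later cumulative update is installed")

    # Microsoft's guidance: any of these policy values re-opens the hole even on a patched host.
    if snapshot.get("NoWarningNoElevationOnInstall") == 1:
        exposed = True
        findings.append("NoWarningNoElevationOnInstall=1: Point and Print installs drivers without elevation")
    if snapshot.get("UpdatePromptSettings", 0) != 0:
        exposed = True
        findings.append("UpdatePromptSettings!=0: driver update prompts are suppressed")
    if snapshot.get("RestrictDriverInstallationToAdministrators") == 0:
        exposed = True
        findings.append("RestrictDriverInstallationToAdministrators=0: non-admins may install printer drivers")

    if not exposed:
        findings.append("Spooler running with a safe Point and Print policy; still disable the "
                        "service on hosts that never print, such as domain controllers")
    return {"exposed": exposed, "findings": findings}


def assess_fleet(hosts):
    """Apply the assessment to a {hostname: snapshot} inventory."""
    return {name: assess_printnightmare(snap) for name, snap in hosts.items()}


def collect_windows_snapshot():
    """Read the live values on the local Windows host (winreg is Windows-only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows; feed a snapshot dict instead")
    import winreg
    status = subprocess.run(["sc", "query", "Spooler"], capture_output=True, text=True).stdout
    # Patch level is left to your patch-management data; the registry cannot tell us.
    snap = {"spooler_running": "RUNNING" in status, "august_2021_update": None}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY) as key:
            for name in POLICY_VALUES:
                try:
                    snap[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not set
    except FileNotFoundError:
        pass  # no Point and Print policy configured at all
    return snap


# Constructed snapshots for the demo, not real inventory data.
SAMPLE_HOSTS = {
    "DC01": {"spooler_running": True, "august_2021_update": True,
             "NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 1},
    "WS-FIN-07": {"spooler_running": True, "august_2021_update": True,
                  "RestrictDriverInstallationToAdministrators": 1},
    "FILE02": {"spooler_running": False},
    "LEGACY-PRN": {"spooler_running": True, "august_2021_update": False},
}

if __name__ == "__main__":
    for host, result in assess_fleet(SAMPLE_HOSTS).items():
        print(host, "EXPOSED" if result["exposed"] else "ok")
        for finding in result["findings"]:
            print("   -", finding)
```

The two outcomes worth acting on are the domain controller that is patched but has been made exploitable again by policy (a common state after someone "fixed" printing by setting NoWarningNoElevationOnInstall), and the host that is still missing the August 2021 update. A stopped spooler is the only configuration that takes CVE-2021-34527 off the table entirely.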
<p>We had called this out in our 2021 Q3 ransomware report.<\/p>\n
<p>Here is an article on how you can detect CVE-2021-34527 in your environment.<\/p>\n
<h3>Worok Espionage Group Targets Asian Government and Private Entities<\/h3>\n
<p>Worok, a threat actor group whose techniques resemble those of TA428, was first seen running malicious campaigns against entities in East Asia and Africa in 2020. Its toolset consists of a C++ loader (CLRLoad), a PowerShell backdoor (PowHeartBeat) and a C# loader (PNGLoad) that extracts its payload from PNG image files. Worok went quiet after May 2021 and has now resurfaced; its latest attacks targeted an energy company and a government entity in Asia. This is a serious threat to watch.<\/p>\n
<p>CVE-2021-34523 (Microsoft Exchange Server; part of the ProxyShell chain with CVE-2021-34473 and CVE-2021-31207) is one of the CVEs targeted by this threat actor group.<\/p>\n
<p><strong>CVE DETAILS<\/strong><\/p>\n
<p>CVE: CVE-2021-34523<\/p>\n
<p>Exploit Type: RCE, PE, WebApp<\/p>\n
<p>CVSS Score: 9.8<\/p>\n
<p>CWE ID: CWE-287, CWE-269<\/p>\n
<p>Ransomware Associations: Conti, Hive, BianLian, AvosLocker, BlackCat, LockFile, Karma, BlackByte, Babuk<\/p>\n
<p>APT Associations: ChamelGang, TR, Tropical Scorpius, Worok<\/p>\n
<p>Affected Products: 5<\/p>\n
<p>Patch: Download<\/p>\n
<h3>LINUX OS under Attack by New Malware Shikitega<\/h3>\n
<p>A new Linux malware, dubbed Shikitega, uses a multi-stage infection chain in which each small stage downloads and runs the next, exploits local vulnerabilities, and finishes by installing a cryptominer. It has been seen on Linux endpoints and IoT devices. It evades antivirus signatures with a polymorphic encoder that produces a different byte pattern on every build, and it hosts part of its command-and-control (C&C) infrastructure on legitimate cloud services so that callbacks blend in with normal traffic. The malware can take control of webcams and processes, execute shell commands, and ultimately take over the system completely.<\/p>\n
<p>CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3493 (the Ubuntu OverlayFS flaw) are the vulnerabilities Shikitega exploits. Note that both are local privilege-escalation bugs: patching them does not stop the initial infection, but it denies the malware the root privileges it needs for persistence and for its later stages. Patch them, and treat any pkexec or OverlayFS exploitation attempt in your logs as a sign that something is already running on the host.<\/p>\n
<h3>EvilCorp Uses New Cyberattack Panel TeslaGun in Attacks<\/h3>\n
<p>EvilCorp (aka TA505) has built a new attack panel named TeslaGun, which has been used in campaigns against more than 80,000 organizations in the US and other countries. EvilCorp is a Russian threat group behind some of the biggest attacks on organizations and governments.<\/p>\n
<p>TeslaGun is mainly used to manage backdoor deployments. EvilCorp has relied on the ServHelper backdoor since 2019, and TeslaGun makes it easier to run those backdoor operations at scale. Attack panels of this kind hold multiple campaign records, each representing a different delivery method and its attack data. They also collect large amounts of information from victims' systems, which lets the threat actor profile victims for follow-on exploitation.<\/p>\n
<p>EvilCorp uses the following CVEs to attack its victims:<\/p>\n
<h3>BlackCat Ransomware Attacks Italian Energy Agency<\/h3>\n
<p>Italy's energy agency Gestore dei Servizi Energetici SpA (GSE) suffered a cyberattack on September 4, 2022, for which the BlackCat ransomware group has claimed credit. The agency took its websites offline to contain the attack, and they have been down since September 5, 2022. GSE has not disclosed the extent of the data loss, but the ransomware group claims to have stolen 700 GB of data. Ransom negotiations are reportedly underway.<\/p>\n
<p>BlackCat has hit European energy companies before: its last such attack was on Luxembourg's Creos, where it disrupted the energy supplier's customer portal.<\/p>\n
<p>Here are the CVEs exploited by BlackCat:<\/p>\n
<p>For more information about BlackCat ransomware, check out our blog here.<\/p>\n
<h3>Hive Ransomware Group goes after Damart<\/h3>\n
<p>Damart is a French clothing retailer with more than 130 stores worldwide. On August 15, 2022, its online services went down, initially attributed to unscheduled maintenance. Damart later clarified that some of its systems had been encrypted, which caused the website disruption. More than 92 stores were affected, impacting sales and customer service.<\/p>\n
<p>The Hive ransomware group claimed responsibility and demanded a $2 million ransom. So far, however, no Damart data has been published on Hive's leak site on Tor.<\/p>\n
<p>Hive ransomware exploits the following CVEs: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 (the Microsoft Exchange ProxyShell chain).<\/p>\n
<h3>CISA Adds 12 New Vulnerabilities to the KEV<\/h3>\n
<p>CISA maintains the Known Exploited Vulnerabilities (KEV) catalog, a list of CVEs that are being actively exploited by attackers. Each entry carries a due date by which all federal civilian agencies are required to remediate the vulnerability under Binding Operational Directive 22-01; for everyone else, the catalog is a ready-made prioritization list.<\/p>\n
<p>On September 8, 2022, CISA added 12 vulnerabilities. Among them is the Apple vulnerability CVE-2020-9934, which was trending in July 2022. Four of the new entries are in D-Link routers: CVE-2011-4723, CVE-2018-6530, CVE-2022-28958 and CVE-2022-26258.<\/p>\n
<p>Here's more information about the CVEs:<\/p>\n
<h3>Iranian Threat Actors Attack Albanian Government<\/h3>\n
<p>Iranian threat actors have been attacking the Albanian government since July 2022. Sensitive information was stolen from government agencies and subsequently leaked by Iran-based threat actors.<\/p>\n
<p>On July 15, several Albanian websites and digital services were taken down following an attack. Four threat actor groups or individuals are said to have handled distinct phases of the operation: initial intrusion, data exfiltration, data encryption and destruction, and information operations. A persona calling itself HomeLand Justice claimed the attack and presented it as a ransomware operation; Iran has used ransomware fronts of this kind to strike political adversaries.<\/p>\n
<p>Once Iran was identified as responsible, Albania severed diplomatic ties and expelled the Iranian embassy staff from the country.<\/p>\n
<p>CVE-2019-0604 (Microsoft SharePoint) and CVE-2021-26855 (Microsoft Exchange ProxyLogon) are associated with the Iranian threat actors.<\/p>\n
<h2>Threats to Watch Out For<\/h2>\n
<h3>CVE-2022-3075 – High Severity Chrome Zero-Day Vulnerability<\/h3>\n
<p>Google released a Chrome security update on September 2, 2022 for a zero-day vulnerability, CVE-2022-3075. The flaw is insufficient data validation in Mojo, Chromium's collection of runtime libraries for message passing across arbitrary inter- and intra-process boundaries. Google rates it High severity and has confirmed that an exploit exists in the wild.<\/p>\n
<p><em><strong>Google recommends that all users upgrade to Chrome 105.0.5195.102 to fix this CVE; other Chromium-based browsers need their vendors' corresponding updates. We also recommend that CISA add this CVE to the KEV list.<\/strong><\/em><\/p>\n
<h3>QNAP Zero-Day Vulnerability Exploited in Attacks<\/h3>\n
<p>The DeadBolt ransomware group has been exploiting a zero-day vulnerability in Photo Station, QNAP's private photo storage application. QNAP has released a security advisory and a patch for this vulnerability.<\/p>\n
<p>DeadBolt has been targeting NAS (Network Attached Storage) devices since January 2022, using zero-day vulnerabilities in internet-exposed NAS products. Users should set strong, unique passwords for their NAS accounts and, above all, keep the NAS off the public internet.<\/p>\n
<p><em><strong>Photo Station users on QTS 5.0.1 are advised to upgrade to Photo Station 6.1.2 or later; other QTS branches have their own fixed Photo Station builds listed in QNAP's advisory.<\/strong><\/em><\/p>\n
<h3>CVE-2022-34747: Critical RCE Vulnerability in Zyxel NAS Devices<\/h3>\n
<p>A patch was released on September 6, 2022 for a critical vulnerability, CVE-2022-34747, in Zyxel NAS devices. It is a format string bug (CWE-134) that can give an attacker unauthorized, pre-authentication remote code execution via a crafted UDP packet, so the device only has to be reachable on the affected port.<\/p>\n
<p>CVE: CVE-2022-34747<\/p>\n
<p>CWE: CWE-134<\/p>\n
<p>Patch: Download<\/p>\n
<p>NAS devices are a favourite ransomware target, as the DeadBolt item above shows, so patching this vulnerability is a high priority for NAS users.<\/p>\n
<p>Here's an article on how to secure your storage devices.<\/p>\n
<h3>MooBot Targets Unpatched D-Link Routers<\/h3>\n
<p>CVE-2015-2051, CVE-2018-6530, CVE-2022-26258 and CVE-2022-28958 are among the CVEs that the MooBot botnet is exploiting in its latest campaign against D-Link routers. Compromised routers are enrolled in the botnet and used to launch DDoS attacks. Three of these four CVEs were in the September 8 KEV batch described above.<\/p>\n
<p>D-Link users should apply the latest firmware update released by the manufacturer and, if the model is end-of-life and no firmware is available, replace it.<\/p>\n
<h3>CVE-2022-31474: Critical Vulnerability in BackupBuddy<\/h3>\n
<p>A high-severity arbitrary file download\/read vulnerability, CVE-2022-31474, is being actively exploited in BackupBuddy, a WordPress backup plugin. It allows unauthenticated attackers to download sensitive files from vulnerable sites, which in practice means wp-config.php and the database credentials inside it. Sites running BackupBuddy should update the plugin immediately.<\/p>\n
<h3>CVE-2022-31814: Root RCE in pfBlockerNG<\/h3>\n
<p>An unauthenticated remote command execution vulnerability, CVE-2022-31814, was found in pfSense's pfBlockerNG package, affecting version 2.1.4_26 and earlier. It is critical, with a CVSS score of 9.8, and a successful exploit gives root on the firewall itself. To remediate, run the latest stable version of pfSense (2.6.0) and update pfBlockerNG to a release newer than 2.1.4_26.<\/p>\n
<h3>CVE-2022-38395: High-Severity Privilege Escalation Bug<\/h3>\n
<p>A high-severity privilege escalation vulnerability, CVE-2022-38395, was discovered in HP Support Assistant, which comes pre-installed on HP laptops and desktops. It lets a local attacker elevate privileges on vulnerable systems.<\/p>\n
<p>Users are recommended to patch this vulnerability immediately.<\/p>\n
<h3>CVE-2022-20923: Unpatched Zero-Day Vulnerability in EoL Routers<\/h3>\n
<p>Cisco has decided not to patch a vulnerability in several of its small-business routers because the products have reached End-of-Life. The flaw, CVE-2022-20923, is an authentication bypass that is being exploited in the wild. With no fix coming, migrating off the affected hardware is the remediation.<\/p>\n
<p>Cisco recommends that customers migrate to the Cisco Small Business RV132W, RV160 or RV160W routers.<\/p>\n
<p><em>Check out this section to track how these threats evolve!<\/em><\/p>\n
<p>We use our Threat Intelligence Platform, driven by Artificial Intelligence (AI) and Machine Learning (ML) models, to analyze the vulnerabilities that attackers could exploit. We warn our customers continuously about exposures and prioritize vulnerabilities for rapid remediation.<\/p>\n
<p>Follow our weekly blog and podcast for proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.<\/p>\n
<p>Leverage our expertise and manage your threats continuously to stay safe from attackers.<\/p>\n
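The Nemesis Kitten item at the top of this edition describes a LOLBIN play that signature-based tools will not catch: the encryption is done by BitLocker itself. What distinguishes an attacker from an IT rollout is who runs it, from what parent process, and on how many hosts in how short a time. The following is an added example for this edition, not code from the original article or from Microsoft. The events are constructed Sysmon Event ID 1 style records; the "approved deployer" pair (an assumed mdm-deploy account launching through CcmExec.exe) stands in for whatever your real MDM or imaging path is and must be replaced with it.

```python
"""Flag BitLocker being turned into a ransomware tool, as in the Nemesis Kitten item.

Added example for this edition; not code from the original article or from
Microsoft. Events are constructed Sysmon Event ID 1 style records, and the
approved-deployer tuple is an assumption standing in for your real MDM path.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# manage-bde actions that arm BitLocker or lock the victim out of a recovery path.
MANAGE_BDE_RE = re.compile(
    r'(?i)manage-bde(?:\.exe)?"?\s+(?:-on|-protectors\s+-add|-changepassword|-forcerecovery)')
# Same actions through the BitLocker PowerShell module.
POWERSHELL_RE = re.compile(r"(?i)\b(?:Enable-BitLocker|Add-BitLockerKeyProtector)\b")
# (account, parent process) pairs allowed to enable BitLocker: assumed MDM path, replace with yours.
APPROVED_DEPLOYERS = {("corp\\mdm-deploy", "ccmexec.exe")}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_bitlocker_arming(event):
    """True if the process creation turns BitLocker on or adds/changes a protector."""
    image = _basename(event["image"])
    if image == "manage-bde.exe":
        return bool(MANAGE_BDE_RE.search(event["command_line"]))
    if image in ("powershell.exe", "pwsh.exe"):
        return bool(POWERSHELL_RE.search(event["command_line"]))
    return False


def is_approved(event):
    """True if the invocation came through the sanctioned deployment path."""
    return (event["user"].lower(), _basename(event["parent_image"])) in APPROVED_DEPLOYERS


def detect(events, window=timedelta(minutes=30), min_hosts=2):
    """Return (per-event hits, campaign alerts).

    A campaign alert fires when one account arms BitLocker on at least
    `min_hosts` distinct hosts inside `window`: a legitimate rollout goes
    through the MDM path, an operator with stolen credentials does not.
    """
    hits = [e for e in events if is_bitlocker_arming(e) and not is_approved(e)]
    by_user = defaultdict(list)
    for e in hits:
        by_user[e["user"].lower()].append(e)
    campaigns = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            hosts = {e["host"] for e in evs[i:]
                     if datetime.fromisoformat(e["time"]) - t0 <= window}
            if len(hosts) >= min_hosts:
                campaigns.append({"user": user, "hosts": sorted(hosts), "first_seen": start["time"]})
                break
    return hits, campaigns


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"time": "2022-09-06T02:14:07", "host": "SRV-DB01", "user": "CORP\\svc-backup",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\manage-bde.exe",
     "command_line": "manage-bde -on D: -Password"},
    {"time": "2022-09-06T02:14:09", "host": "SRV-DB01", "user": "CORP\\svc-backup",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\manage-bde.exe",
     "command_line": "manage-bde -protectors -add C: -Password"},
    {"time": "2022-09-06T02:15:30", "host": "SRV-FS02", "user": "CORP\\svc-backup",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\manage-bde.exe",
     "command_line": "manage-bde -on C: -Password"},
    {"time": "2022-09-06T02:16:02", "host": "WS-HR-11", "user": "CORP\\svc-backup",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -nop -w hidden -c "Enable-BitLocker -MountPoint C: -PasswordProtector -Password $p"'},
    {"time": "2022-09-06T09:30:00", "host": "WS-IT-03", "user": "CORP\\mdm-deploy",
     "parent_image": r"C:\Windows\CCM\CcmExec.exe", "image": r"C:\Windows\System32\manage-bde.exe",
     "command_line": "manage-bde -on C: -RecoveryPassword"},
    {"time": "2022-09-06T09:31:00", "host": "WS-IT-03", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\manage-bde.exe",
     "command_line": "manage-bde -status"},
]

if __name__ == "__main__":
    hits, campaigns = detect(SAMPLE_EVENTS)
    for e in hits:
        print("HIT     ", e["time"], e["host"], e["user"], e["command_line"])
    for c in campaigns:
        print("CAMPAIGN", c["user"], "armed BitLocker on", ", ".join(c["hosts"]), "from", c["first_seen"])
```

The per-event rule alone would page you for every legitimate rollout, which is why the allow-list keys on the account and parent process rather than on the binary, and why the campaign rule counts distinct hosts per account in a window: a backup service account enabling BitLocker on a database server, a file server and an HR workstation within two minutes is the shape of the attack, not of an IT change. A `manage-bde -status` from a curious user is deliberately not a hit.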
<p><strong>Contents<\/strong><\/p>\n
<ul>\n
<li>Trending Critical Threats<\/li>\n
<li>Nemesis Kitten: A New Iranian Ransomware Group<\/li>\n
<li>CISA Warns of Vice Society Ransomware that Targets Schools<\/li>\n
<li>Worok Espionage Group Targets Asian Government and Private Entities<\/li>\n
<li>LINUX OS under Attack by New Malware Shikitega<\/li>\n
<li>EvilCorp Uses New Cyberattack Panel TeslaGun in Attacks<\/li>\n
<li>BlackCat Ransomware Attacks Italian Energy Agency<\/li>\n
<li>Hive Ransomware Group goes after Damart<\/li>\n
<li>CISA Adds 12 New Vulnerabilities to the KEV<\/li>\n
<li>Iranian Threat Actors Attack Albanian Government<\/li>\n
<li>Threats to Watch Out For<\/li>\n
<li>CVE-2022-3075 – High Severity Chrome Zero-Day Vulnerability<\/li>\n
<li>QNAP Zero-Day Vulnerability Exploited in Attacks<\/li>\n
<li>CVE-2022-34747: Critical RCE Vulnerability in Zyxel NAS Devices<\/li>\n
<li>MooBot Targets Unpatched D-Link Routers<\/li>\n
<li>CVE-2022-31474: Critical Vulnerability in BackupBuddy<\/li>\n
<li>CVE-2022-31814: Root RCE in pfBlockerNG<\/li>\n
<li>CVE-2022-38395: High-Severity Privilege Escalation Bug<\/li>\n
<li>CVE-2022-20923: Unpatched Zero-Day Vulnerability in EoL Routers<\/li>\n
<\/ul>\n