This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
Trending Threats
- CISA Warns Against Iranian APT Groups Attacking Federal Organizations
- Magento Stores Under a Barrage of Cyberattacks
- CISA Adds the Second MoTW Vulnerability to the KEV
- Ocean Lotus APT Group carries out Several Malicious Campaigns
- The Chinese APT Group Lotus Blossom Is Attacking Several Asian Countries
- CISA Warns of Hive Ransomware
Threats to Watch Out For
- CVE-2019-8561, CVE-2022-32895: PackageKit Framework Vulnerabilities in macOS
- CVE-2022-34169: Integer Truncation Bug in JIT Compiler
- Zimbra Collaboration Suite (ZCS) Vulnerabilities Exploited
- RCE Vulnerability in Backstage Platform
- CVE-2022-41622 and CVE-2022-41800: F5 Vulnerabilities
- CVE-2022-35803 Patch Bypassed and Exploited
Trending Threats
CISA Warns Against Iranian APT Groups Attacking Federal Organizations
Iranian APT groups have recently begun targeting federal organizations, exploiting the Log4j vulnerability to gain access to their networks. In July 2022, the Federal Civilian Executive Branch (FCEB) was infiltrated after the attackers exploited a Log4j vulnerability in an unpatched VMware Horizon server. The attackers installed XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
CISA posted a warning to all organizations asking them to patch all the vulnerabilities and to assume a “server compromised” mindset while looking for signs of infection.
The Apache Log4j vulnerability CVE-2021-44228 is a critical remote code execution vulnerability, originally exploited as a zero-day, that many threat actors continue to exploit. Check out our blog to learn more about this vulnerability.
CVE Details:
CVE: CVE-2021-44228
CVSS: 10
CWE ID: CWE-400 | CWE-502 | CWE-20 | CWE-917
Exploit Type: RCE, DoS, WebApp, Other
Ransomware: MSIL/Khonsari.A | Conti | AvosLocker | TellYouThePass
APT Association: Bronze Starlight | HAFNIUM | OilRig | Earth Lusca | Winnti Group
Magento Stores Under a Barrage of Cyberattacks
In the latest round of attacks, Magento store websites were taken down by at least 7 hacking groups. The campaign is named TrojanOrders, and the Adobe vulnerability CVE-2022-24086 was exploited to gain access to the systems. CVE-2022-24086 allows unauthenticated attackers to execute code and inject RATs (remote access trojans) on unpatched websites. In the TrojanOrders attacks, the hackers create an account on the target website and place an order that contains malicious template code in the name, VAT, or other fields. They then run commands through a PHP backdoor and, once inside, inject RATs to exploit the system further.
In this case, the vulnerability was fixed 10 months ago by Adobe. Magento, which relies on Adobe for many operations, failed to patch this vulnerability even though stores are continuously under cyber attack.
Note: The available patch for CVE-2022-24086 was bypassed and a new CVE identifier was assigned to the flaw, namely CVE-2022-24087.
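Detection logic for the TrojanOrders pattern described above, as an added example that is not from the original post: it scans customer-supplied order fields for Magento template directives (`{{ ... }}`), which legitimate customer data never contains. The field names, the watch-list of directives and the sample orders are assumptions constructed for the example.

```python
import re

# Magento's template engine expands {{directive ...}} tokens. Customer-controlled
# order fields (name, VAT number, address) should never contain that syntax.
TEMPLATE_DIRECTIVE = re.compile(r"\{\{\s*(\w+)[^}]*\}\}")

# Directives that reach code or configuration when rendered (assumed watch-list;
# tune to your installation). Any directive in a customer field is still suspicious.
HIGH_RISK_DIRECTIVES = {"block", "config", "template", "widget", "var"}

# Fields a customer controls when placing an order (assumed field names).
CUSTOMER_FIELDS = ("firstname", "lastname", "vat_id", "street", "company")


def scan_order(order: dict) -> list:
    """Return (field, directive) pairs for every template directive found in customer fields."""
    hits = []
    for field in CUSTOMER_FIELDS:
        value = str(order.get(field, ""))
        for m in TEMPLATE_DIRECTIVE.finditer(value):
            hits.append((field, m.group(1).lower()))
    return hits


def classify(hits: list) -> str:
    """'critical' if a high-risk directive is present, 'suspicious' for any other template syntax."""
    if not hits:
        return "clean"
    if any(directive in HIGH_RISK_DIRECTIVES for _, directive in hits):
        return "critical"
    return "suspicious"


# Constructed sample orders (not real customer data); the directive bodies are placeholders.
SAMPLE_ORDERS = [
    {"order_id": 1001, "firstname": "Alice", "lastname": "Smith", "vat_id": "DE123456789"},
    {"order_id": 1002, "firstname": "Bob", "lastname": "{{block id='demo'}}", "vat_id": ""},
    {"order_id": 1003, "firstname": "{{unknown_thing}}", "lastname": "Lee", "vat_id": "FR1"},
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        hits = scan_order(order)
        print(order["order_id"], classify(hits), hits)
```

Run the scan over incoming orders (or replay it over historical order exports) and treat any hit as an indicator that the store should be checked for the web shell the attack leaves behind.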
CVE Details:
| CVE | V3 Score | V3 Severity | CVSS Score | CVSS Severity | CWE |
|---|---|---|---|---|---|
| CVE-2022-24807 | 5.9 | MEDIUM | 5.9 | MEDIUM | CWE-1320 |
| CVE-2022-24806 | 5.9 | MEDIUM | 5.9 | MEDIUM | CWE-20 |
CISA Adds the Second MoTW Vulnerability to the KEV
Last week, CISA added CVE-2022-41091 to the KEV. This is one of the two Microsoft Mark-of-the-Web vulnerabilities; the other, CVE-2022-41049, was added to the KEV catalog on November 14, 2022. The Mark-of-the-Web vulnerability allows files downloaded from the internet to be executed without a warning to users. Hackers can exploit this vulnerability to execute malicious files and gain access to systems.
CVE Details
CVE: CVE-2022-41049
CVSS: 5.40
Patch Link: Download
Ocean Lotus APT Group carries out Several Malicious Campaigns
Ocean Lotus is a Chinese APT group that targets countries in Asia, the Middle East, and the US. In 2021, this group carried out many attacks by exploiting zero-day and N-day vulnerabilities, notably CVE-2020-14882 (WebLogic remote command execution vulnerability), CVE-2021-22986 (F5 BIG-IP iControl REST unauthorized remote command execution vulnerability), and a JBoss deserialization vulnerability. They used an encrypted Cobalt Strike (CS) payload loader hosted on a PowerShell web server for lateral movement within the victims’ network. Ocean Lotus also used a trojan horse, busybox, and dropbear to further infiltrate the system and steal data from the victims’ systems.
The group has also started using Cobalt Strike’s C2 server for malicious activities.
The Chinese APT Group Lotus Blossom Is Attacking Several Asian Countries
Billbug (aka Lotus Blossom), a Chinese cyber espionage group, has been around for more than a decade. In its recent attacks, Billbug targeted a certificate authority, several government agencies, and defense organizations in Asia. All these attacks are believed to be state-sponsored. The group exploits public-facing applications with known vulnerabilities and deploys signed malware, making it difficult to detect or decrypt the HTTPS traffic. In one of its operations, the group used Stowaway, a rarely deployed multilevel proxy tool that helps pentesters bypass network access restrictions. Hannotog and Sagerunex are custom backdoors used to gain further access and execute commands on the victims’ systems. Billbug prefers exploiting CVE-2012-0158 and CVE-2017-11882, with over 1,000 exploits.
CISA Warns of Hive Ransomware
In its latest StopRansomware alert, CISA warned organizations to look out for attacks by the Hive ransomware gang. To date, the Hive ransomware group has claimed 1,300 victims, including Damart and Bell Canada, and has received approximately US$100 million in ransom payments. The group has favored exploiting the Microsoft Exchange Server vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. They disable anti-virus programs, Windows Defender, etc., to stay undetected in the victims’ networks for longer. To exfiltrate data, they use a combination of Rclone and the cloud storage service Mega.nz.
The Hive ransomware group is financially motivated and is very active in seeking out targets and extracting ransom. Organizations should patch the above-mentioned vulnerabilities and take a defensive approach to warding them off.
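The Rclone-to-Mega.nz exfiltration step described above is easy to hunt for in process-creation telemetry. The following detector is an added example, not from the original post or from CISA: it flags any rclone transfer verb whose destination is a configured remote (`name:path`) rather than a local drive, and marks Mega remotes as critical. The sample events are constructed, and the remote names are assumptions (Rclone remote names are user-chosen, so the Mega match is only a strong hint).

```python
import re

# Constructed sample process-creation events (not real telemetry): (host, user, command line).
SAMPLE_EVENTS = [
    ("fs01", "svc_backup", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("fs01", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe copy D:\Finance mega:backup --transfers 20 -q"),
    ("ws22", "jdoe", r"rclone.exe sync C:\Shares\HR remote1: --config C:\Users\jdoe\rclone.conf"),
    ("ws22", "jdoe", r"rclone.exe lsd localdisk --config C:\tools\rclone.conf"),
]

# The image name may be renamed by an intruder; this matches the default name only (assumption).
RCLONE_EXE = re.compile(r"(^|[\\/])rclone(\.exe)?$", re.IGNORECASE)
# Rclone verbs that move data; listing verbs (lsd, ls) are not exfiltration on their own.
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote is 'name:' or 'name:path'. Requiring two or more characters before
# the colon excludes Windows drive letters such as D:\Finance.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:")


def rclone_remote_targets(cmdline: str) -> list:
    """Return the remote destinations used by an rclone transfer command, or [] if none."""
    argv = cmdline.split()  # sample lines contain no quoted arguments (assumption)
    if len(argv) < 2 or not RCLONE_EXE.search(argv[0]):
        return []
    if argv[1].lower() not in TRANSFER_VERBS:
        return []
    return [a for a in argv[2:] if REMOTE_ARG.match(a)]


def classify_event(host: str, user: str, cmdline: str):
    """Return a finding label for one process-creation event, or None if it is benign."""
    remotes = rclone_remote_targets(cmdline)
    if not remotes:
        return None
    if any(r.lower().startswith("mega") for r in remotes):
        return f"critical: rclone transfer to Mega remote {remotes[0]} by {user}@{host}"
    return f"high: rclone transfer to cloud remote {remotes[0]} by {user}@{host}"


def scan_events(events: list) -> list:
    """Run the classifier over a batch of events and return only the findings."""
    return [finding for h, u, c in events if (finding := classify_event(h, u, c))]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```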
Threats to Watch Out For
CVE-2019-8561, CVE-2022-32895: PackageKit Framework Vulnerabilities in macOS
CVE-2019-8561 was discovered and patched by Apple in March 2019. The vulnerability is present in the PackageKit framework and could be exploited to gain privilege escalation and bypass SIP (System Integrity Protection) restrictions. Recently, researchers found that this vulnerability still affected the later versions of macOS, Monterey and Mojave. Apple re-addressed this vulnerability in macOS Ventura under a new CVE, CVE-2022-32895, on Oct. 24, 2022.
Since users who do not update their macOS may be vulnerable to root privilege escalation, signature bypass, and SIP bypass, they should update immediately.
CVE-2022-34169: Integer Truncation Bug in JIT Compiler
A bug in the Java JIT compiler allows processing of untrusted XSLT programs during XML signature verification. Using this flaw, a remote attacker can execute arbitrary code in many Java-based web applications and identity providers that support the SAML single sign-on standard. The bug is tracked as CVE-2022-34169. OpenJDK released a patch for it in September 2022.
XML signatures and SAML are prone to attacks as their default configurations are not very secure. Hence, users should manually set up the configurations to limit unnecessary functionalities.
CVE Details
CVE: CVE-2022-34169
CVSS: 7.20
CWE ID: CWE-434
Exploit Type: RCE, PE, DoS, WebApp
Patch Link: Download
Zimbra Collaboration Suite (ZCS) Vulnerabilities Exploited
Zimbra has been under continuous attack from hackers who target ZCS vulnerabilities such as CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-37042, and CVE-2022-30333. In August 2022, CVE-2022-27925 and CVE-2022-37042 were exploited in multiple breaches. In a recent attack, analysts revealed that three Java Server Pages (JSP) webshells were dropped by exploiting these vulnerabilities. The webshells allowed malicious files to be uploaded to a victim’s web server and remote code to be executed.
Zimbra has patched these vulnerabilities and continues to urge its customers to apply the patches.
RCE Vulnerability in Backstage Platform
A critical vulnerability in the open-source developer portal platform Backstage can allow attackers to execute arbitrary code. CVE-2022-36067, a VM2 sandbox escape flaw, is also called SandBreak. The Backstage platform is used by many major organizations, including Netflix, American Airlines, Doordash, Palo Alto Networks, HP, Siemens, LinkedIn, and Booz Allen Hamilton.
CVE Details:
CVE: CVE-2022-36067
CVSS: 10
CWE ID: CWE-913
Affected Product Count: 1
Here’s the patch for the vulnerability.
CVE-2022-41622 and CVE-2022-41800: F5 Vulnerabilities
CVE-2022-41622 is an unauthenticated remote code execution via cross-site request forgery (CSRF) in BIG-IP and BIG-IQ. Here’s the advisory for the vulnerability.
CVE-2022-41800 is an authenticated remote code execution via RPM spec injection affecting Appliance mode iControl REST. F5 released the security advisory for this vulnerability.
CVE-2022-35803 Patch Bypassed and Exploited
The Windows Common Log File System Driver vulnerability CVE-2022-24481 was patched by Microsoft on April Patch Tuesday (12 April 2022). In a recent attack, this patch was bypassed with an exploit that grants the attacker escalated privileges. The new vulnerability is tracked as CVE-2022-35803. Microsoft patched this type confusion flaw in September 2022.
CVE Details:
CVE: CVE-2022-35803
CVSS: 7.8
Affected Product Count: 19
Users are recommended to deploy this patch immediately.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.