Securin’s Threat Intelligence – Oct 10, 2022 – Oct 14, 2022

Updated on Oct 14, 2022

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Threats

Threats to Watch out for

Trending Threats

CISA Adds CVE-2022-40684 and CVE-2022-41033 to the KEV.

On Oct 11, 2022, CISA added CVE-2022-40684, an authentication bypass vulnerability in Fortinet products, to the Known Exploited Vulnerabilities (KEV) catalog.

Following Microsoft’s Patch Tuesday update on Oct 12, 2022, CISA added CVE-2022-41033, a Windows COM+ Event System Service Elevation of Privilege vulnerability, to the KEV. It could potentially allow an unauthenticated user to gain access to the victim’s system.

LockBit Ransomware Deployed in Microsoft Exchange Servers

Attackers used compromised Microsoft Exchange Servers and an undisclosed zero-day vulnerability to breach an organization and steal 1.3 TB of data. The attackers likely deployed web shells in July 2022 and then exploited new vulnerabilities to gain access to the AD admin account.

Microsoft is working to patch three associated zero-days: CVE-2022-41040, CVE-2022-41082, and CVE-2022-21969.

Check out the All About LockBit Ransomware blog to learn the group’s attack methodology and latest attacks.

CVE Details

CVE              CVSS Score   CWE                Affected Product Count   Patch
CVE-2022-41040   9            Not assigned yet   5                        Download
CVE-2022-41082   9            CWE-269            5                        Download
CVE-2022-21969   8.8          Not assigned yet   5                        Download

We will follow up on this and update you in the coming weeks.

Aruba Patches 3 Critical Vulnerabilities

Aruba fixed 3 vulnerabilities – CVE-2022-37913, CVE-2022-37914, and CVE-2022-37915 in EdgeConnect Enterprise Orchestrator on October 11, 2022.

CVE-2022-37913 and CVE-2022-37914 are authentication bypass flaws. If exploited, they could allow an unauthenticated remote attacker to bypass authentication and gain administrator privileges, thereby compromising the system.

CVE-2022-37915 is a remote code execution vulnerability in the web-based management interface of EdgeConnect Orchestrator. It could also lead to system takeover by a malicious actor.

Here is the security advisory for these vulnerabilities.

Multiple Campaigns carried out by IcedID Malware Gang

Since September 2022, the threat actors behind the IcedID malware have attacked multiple targets while testing the most effective ways to deploy it. These campaigns use phishing emails to drop IcedID via ISO files, archives, or macro-laden document attachments. Most of the campaigns were unsuccessful. IcedID started out as a modular banking trojan in 2017 but has since been updated to act as a malware dropper that is commonly used to gain initial access to corporate networks. Malware droppers install further malware and other payloads on an infected device.

CVE-2018-6882 and CVE-2017-8570 are the vulnerabilities exploited to drop this malware.

CVE Details

CVE             CVSS Score   CWE            Patch
CVE-2018-6882   6.1          CWE-79         Download
CVE-2017-8570   7.8          Not Assigned   Download

Pro-Russian APT Group KillNet Takes Down Airports’ Sites

Multiple US airport sites experienced a DDoS attack that resulted in downtime. Customers were unable to connect to get updates about their scheduled flights or to book airport services. The attack was claimed by the pro-Russian hacktivist group KillNet, which has been very active in the Russia-Ukraine war. The group used custom software to generate fake requests and garbage traffic directed at the sites’ servers, with the goal of depleting their resources and making them unavailable to legitimate users. Hartsfield-Jackson Atlanta International Airport (ATL) and Los Angeles International Airport (LAX) were among the attacked airports. The DDoS attack, however, did not impact flight services.

KillNet has targeted multiple countries that backed Ukraine in the war, and as the war develops we expect to see a lot more of this group.

Microsoft Fixes 84 Vulnerabilities on October Patch Tuesday

On this month’s Patch Tuesday (11-10-2022), Microsoft released patches for 84 vulnerabilities, including two zero-days, one of which is actively exploited.

CVE-2022-41033 is a Windows COM+ Event System Service Elevation of Privilege vulnerability. It is actively exploited in the wild and could allow access to the victim’s system.
CVE-2022-41043 is a Microsoft Office Information Disclosure vulnerability. It is the other zero-day; it was publicly disclosed but is not reported as actively exploited.
Here are the other critical vulnerabilities for which patches are now available: CVE-2022-41038, CVE-2022-41036, CVE-2022-38053, CVE-2022-38051, CVE-2022-38050, CVE-2022-38048, CVE-2022-38028, CVE-2022-37997, CVE-2022-37989, CVE-2022-37987, CVE-2022-37974, CVE-2022-37970, CVE-2022-34689.

Alchimist: New Attack Framework Written in Go

A new attack framework with a command and control tool called Alchimist was recently discovered. This framework also uses a remote access trojan known as Insekt to infect victims’ systems. Insekt can run arbitrary commands, manipulate SSH keys, perform port and IP scans, write or unzip files to the disk, and execute shellcode on the host.

Alchimist has been actively targeting Windows, Linux, and macOS systems. Its web-based interface uses Simplified Chinese, and it closely resembles Manjusaka, a recently emerged post-exploitation attack framework that is growing in popularity among Chinese hackers. Alchimist is suspected to have originated from China.

CVE-2021-4034 is used by Alchimist to exploit systems.

CVE        : CVE-2021-4034
CVSS Score : 7.8 (v3)
Patch      : Download

Magniber Ransomware Targets Windows Home Users using JavaScript Files

Recently, Windows Home users have raised concerns about ransomware attacks on their systems. The systems were infected with the Magniber ransomware when users downloaded antivirus software and Windows 10 and 11 security updates from illegitimate websites. Magniber has been distributed via malicious sites since April 2022. The downloaded files contained JavaScript that initiated an intricate infection chain ending with the file-encrypting malware. Magniber operators demanded around $2500 for the tool used to decrypt the affected files.

CVE-2016-0189, CVE-2018-8174, CVE-2019-1367, CVE-2020-0968, CVE-2021-26411, CVE-2021-34527, and CVE-2021-40444 are the CVEs associated with Magniber ransomware.

Threats to Watch out for

CVE-2022-40684: Authentication Bypass Vulnerability in Fortinet

Users of FortiGate firewalls and FortiProxy web proxies should be aware of CVE-2022-40684, which could potentially allow administrative access to vulnerable devices. According to a Shodan search, more than 100,000 FortiGate firewalls are exposed to the Internet, although it is unknown whether their management interfaces are also exposed. Fortinet has released an advisory for this vulnerability.

CVE-2022-41343: RCE Vulnerability in Dompdf

A recently discovered vulnerability, tagged as CVE-2022-41343, allows remote code execution via phar deserialization in a vulnerable application, even without an internet connection. Phar deserialization abuse relies on the fact that the metadata of a phar archive is deserialized as soon as the archive is parsed, so a crafted archive can trigger the vulnerability at that point. A patch is available in the latest Dompdf release.

CVE Details

CVE        : CVE-2022-41343
CVSS Score : 7.5 (v3)
CWE ID     : CWE-552
Patch      : Download

CVE-2022-36067: Critical VM2 Sandbox Escape Vulnerability

CVE-2022-36067 was recently uncovered in the VM2 JavaScript sandbox, which is widely used by developers around the world. It has a CVSS score of 10.0. If exploited, the vulnerability could allow an attacker to escape the vm2 sandbox environment and run shell commands on the machine hosting it.

CVE Details

CVE        : CVE-2022-36067
CVSS Score : 10 (v3)
CWE ID     : CWE-552

All VM2 sandbox users are urged to patch this vulnerability immediately.

Two Vulnerabilities Exploited in GLPi

GLPi (Gestionnaire Libre de Parc Informatique), an IT asset management company, disclosed two vulnerabilities (CVE-2022-35947 and CVE-2022-35914) to the public on October 7, 2022.

These vulnerabilities are said to have been exploited in the wild. Both allow remote code execution and bypass of security policy.

GLPi has released a security advisory for these vulnerabilities.

CVE Details

CVE              CVSS Score   CWE      Affected Product Count   Patch
CVE-2022-35947   9.8          CWE-89   1                        Download
CVE-2022-35914   9.8          CWE-74   1                        Download

CVE-2022-0030: Authentication Bypass Flaw in PAN OS Web Interface

Palo Alto Networks released a patch for CVE-2022-0030, which is found in the PAN-OS 8.1 web interface. Using this vulnerability, a network-based attacker with specific knowledge of the target firewall or Panorama appliance could potentially impersonate an existing PAN-OS administrator and perform privileged actions.

PAN has advised its web interface users to patch this vulnerability immediately.

Check out this section to track how these threats evolve!

We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.
