This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
Trending Threats
- Joint Advisory warning about Iranian APT groups
- Lorenz Ransomware Exploiting CVE-2022-29499
- Be Warned of Play Ransomware
- CVE-2022-32917 : Apple Zero-Day Vulnerability
- Microsoft Patch Tuesday September 2022: CVE-2022-37969 Exploited in the Wild
- CVE-2022-3180 : Zero-Day Vulnerability in WPGateway
- ProxyLogon (CVE-2021-26855) and Netlogon (CVE-2020-1472) Vulnerabilities
- Vulnerabilities in Apex One
Threats to Watch Out For
- Vulnerabilities in Apache Shiro and dotCMS
- CVE-2022-34169 in Xalan-J XSLT Library
Trending Threats
Joint Advisory warning about Iranian APT groups
The FBI, CISA, the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have released a joint advisory warning of malicious cyber activity by an Iranian APT group. The group is believed to be using ProxyShell and Fortinet vulnerabilities to gain initial access into vulnerable networks of victims across critical infrastructure sectors, including healthcare, transportation, and government.
Our researchers highlight 27 vulnerabilities with previously known exploitation by Iran-based APT groups; organizations are advised to apply required mitigation measures to protect their networks from being breached. Six of these vulnerabilities are not yet part of CISA KEVs, and we urge CISA to add them to their catalog for organizations to take notice.
Lorenz Ransomware exploiting CVE-2022-29499
The Lorenz ransomware group is now using CVE-2022-29499, an improper input validation vulnerability in Mitel MiVoice Connect, to gain initial access to vulnerable networks. Lorenz ransomware was first seen in December 2020 and is best known for its attack on Hensoldt, a multinational defense contractor that develops sensor solutions for defense, aerospace, and security applications. The group is known for leaking victim data even after ransom payments and is a formidable threat to watch out for.
We had warned of the highly exploitable nature of this vulnerability back in mid-2022. The CVE has also been part of the CISA KEV catalog since June 2022, which warrants immediate patching.
CVE Details
CVE : CVE-2022-29499
CVSS Score : 9.8 (v3)
CVSS Severity : Critical
CWE : CWE-20
Patch : Download
Be warned of Play Ransomware
The Play ransomware is one of the new entrants to the ransomware scene, targeting Argentina’s Court of Cordoba last month. Recent research suggests that the group’s attack techniques and tactics are similar to that of Hive and Nokoyawa ransomware and could be an indication that the groups are operated by the same threat actor.
Play ransomware has now been associated with two vulnerabilities: CVE-2018-13379 and CVE-2020-12812. Both are FortiOS SSL VPN vulnerabilities that can allow attackers to download system files or log in without proper authentication, giving them a way into vulnerable networks through the VPN. We urge you to patch both vulnerabilities to stay safe from Play ransomware attacks.
CVE Details
| CVE | CVE-2018-13379 | CVE-2020-12812 |
|---|---|---|
| CVSS Score | 9.8 | 9.8 |
| CVSS Severity | Critical | Critical |
| CWE | CWE-22 | CWE-287, CWE-178 |
| Threat Associations | 5 ransomware groups including Conti and LockBit; 9 APT groups including Nobelium | – |
| Exploit Type | WebApp | – |
| Patch | | |
CSW has repeatedly warned about CVE-2018-13379 for more than two years now, and both vulnerabilities were part of our research into vulnerabilities in VPNs.
CVE-2022-32917 : Apple Zero-Day Vulnerability
Apple released a patch for CVE-2022-32917, which was actively exploited as a zero-day vulnerability. This is the eighth zero-day addressed by Apple in 2022. If exploited, the vulnerability could be misused to change the behavior of software applications by altering application code with elevated permissions.
Users are recommended to upgrade to iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7 to protect their devices from attacks. The vulnerability was added to CISA KEVs on September 14 2022, two days after we called them out in this blog.
Microsoft Patch Tuesday September 2022: CVE-2022-37969 Exploited in the Wild
Microsoft released its September edition of Patch Tuesday with fixes for 63 vulnerabilities. Notable amongst them are patches for zero-day vulnerabilities CVE-2022-37969 and CVE-2022-23960. Users are recommended to upgrade their Microsoft products to the latest available versions without delay.
Of these, CVE-2022-37969, a Windows Common Log File System Driver Elevation of Privilege Vulnerability, has been exploited in the wild. The vulnerability was added to CISA KEVs on September 14 2022, a day after we called them out here.
CVE Details
CVE : CVE-2022-37969
CVSS Score : 7.8 (v3)
CVSS Severity : High
CWE : NA
Patch : Download
CVE-2022-3180 : Zero-Day Vulnerability in WPGateway
Attackers are actively exploiting CVE-2022-3180, a privilege escalation bug in the WPGateway plugin for WordPress. The WPGateway plugin allows users to set up, back up, and manage WordPress sites from a central dashboard.
An attacker can exploit the vulnerability to gain admin access and completely take over connected sites. WPGateway versions <=3.5 are at risk, and users are advised to remove the plugin until a patch is made available by the vendor.
ProxyLogon (CVE-2021-26855) and Netlogon (CVE-2020-1472) Vulnerabilities
Unpatched instances of the infamous ProxyLogon (CVE-2021-26855) and Netlogon (CVE-2020-1472) vulnerabilities are being actively sought out by an unknown threat actor. The targeted attacks against government and state-owned organizations appear to aim at intelligence gathering and use the Dynamic-link library (DLL) side-loading technique. Exposed SMB services might also be at risk.
The attackers were earlier associated with the ShadowPad malware, which we warned about in a July edition of the Threat blog.
The ProxyLogon and Netlogon vulnerabilities have surfaced multiple times in the past and were associated with some of the groups that played a major role in the recent Russia-Ukraine cyber war. CVE-2021-26855 is a favorite of APT groups as well.
CVE Details
| CVE | CVE-2021-26855 | CVE-2020-1472 |
|---|---|---|
| CVSS Score | 9.8 | 10 |
| CVSS Severity | Critical | Critical |
| CWE | CWE-918 | CWE-330 |
| Threat Associations | 6 ransomware groups including Conti and AvosLocker; 12 APT groups including Nobelium and Hafnium | 7 ransomware groups including Conti, Ryuk and DarkSide; 12 APT groups including Hafnium and Wizard Spider |
| Exploit Type | RCE, PE, WebApp | WebApp, PE |
| Patch | | |
Read about how a popular SMB worm used the EternalBlue vulnerabilities in its attack here.
Vulnerabilities in Apex One
Trend Micro has alerted customers about two vulnerabilities in its endpoint security platform, Apex One. The vulnerabilities in question are CVE-2022-40139 and CVE-2022-40144. The former is an improper validation bug that can allow attackers to remotely execute custom code on systems and has begun seeing active exploitation. The latter is an authentication bypass vulnerability that attackers can use to gain unauthorized access to systems. Users are urged to upgrade to the latest version of Apex One without further ado.
Threats to Watch Out For
Vulnerabilities in Apache Shiro and dotCMS
A code audit of open source Java projects has surfaced two path filter bypass vulnerabilities that could lead to unauthorized access.
The first vulnerability is CVE-2021-41303, which arises when Apache Shiro is used with a web framework like Spring Boot. Shiro is an intuitive and easy-to-use software security framework used for authentication, authorization, cryptography, and session management. The issue stems from differences in how the two applications parse URL paths. Attackers can exploit the vulnerability to bypass Apache Shiro's authentication mechanism, leading to information loss, modification, or denial of service. Users are recommended to upgrade to Apache Shiro version 1.8.0 or above.
CVE Details
CVE : CVE-2021-41303
CVSS Score : 9.8 (v3)
CVSS Severity : Critical
CWE : CWE-287 (assigned by Apache Software Foundation)
Patch : Download
The second vulnerability is CVE-2022-35740 in the admin portal of dotCMS, a Java-based content management system used for managing content and content-driven sites and applications. It is a cross-site scripting (XSS) vulnerability caused by insufficient sanitization of inputs to the CMS. An attacker exploiting the vulnerability can remotely gain access to admin controls.
CVE Details
CVE : CVE-2022-35740
CVSS Score : 9.8 (v3)
CVSS Severity : Critical
CWE : CWE-798
Patch : Download
CVE-2022-34169 in Xalan-J XSLT Library
Xalan-J XSLT is a Java-based implementation of XSLT, a language used to transform XML documents into other formats such as HTML. CVE-2022-34169 is the result of incorrect conversion between numeric types and is vulnerable to integer truncation during processing. An attacker can use this vulnerability to corrupt generated Java files. Exploit code is publicly available as well.
The Apache Xalan Java project is in the process of being retired, and users are recommended to switch to alternative libraries that can perform the necessary functions. Java runtimes (such as OpenJDK) include repackaged copies of Xalan; patches are available for affected OpenJDK instances.
CVE Details
CVE : CVE-2022-34169
CVSS Score : 7.5 (v3)
CVSS Severity : High
CWE : CWE-681
Patch : Download (OpenJDK)
Check out this section to track how these threats evolve!
We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.