CSW’s weekly threat intelligence edition brings to you early warnings about critical vulnerabilities that are already weaponized or could potentially be weaponized and prove dangerous to your organization and its assets.
Why play catch-up when you can proactively patch these vulnerabilities now?
Check out our Threat Intelligence Podcast featuring Top Three Threats of the Week!
Microsoft fixes the actively exploited Windows CSRSS Elevation of Privilege zero-day vulnerability and 83 other CVEs
On Patch Tuesday, Microsoft released patches to fix 84 vulnerabilities, one of which is an actively exploited zero-day vulnerability (CVE-2022-22047). This CVE, caused by improper privilege management in the Windows Client Server Runtime Subsystem (CSRSS), can be used to execute code remotely. With this, attackers can disable local services such as Endpoint Detection and Security tools and deploy tools to recover admin and domain level accounts. CISA has added this CVE to the list of Known Exploited Vulnerabilities on 12-07-2022. Apart from this, four other critical RCE vulnerabilities (CVE-2022-30220, CVE-2022-22026, CVE-2022-22029, and CVE-2022-22039) also have available patches.
VMware patches critical CVE (CVE-2021-22048)
VMware has released a patch for a high-severity privilege escalation vulnerability, CVE-2021-22048, 8 months after it was discovered. This vulnerability is found in vCenter Server’s Integrated Windows Authentication and can only be exploited from the same physical or logical network on which the targeted server is located. The attackers can gain access using low privileges and no user interaction, making it highly dangerous. VMware has categorized this CVE to be in the Important Severity range, meaning that an exploit would result in the complete compromise of the confidentiality and the integrity of user data and processing resources.
Our Predictive VI Reconnaissance had picked out traces of discussion around the CVE on the Deep & Dark Web and prioritized it as a highly exploitable vulnerability long ago.
CVE: CVE-2021-22048
CVSS Score: 8.8
Patch Link: Download
Amazon fixes bugs in AWS Kubernetes service
In the AWS Kubernetes service, three authentication bugs—causing the vulnerability CVE-2022-2385—have been fixed in the latest version of AWS IAM Authenticator for Kubernetes. This vulnerability could be used to exploit the username through the AccessKeyID in AWS IAM Authenticator. However, no significant exploits have been detected or reported. All users of the AWS Kubernetes service who host and manage their own Kubernetes clusters have been asked to update their AWS IAM Authenticator for Kubernetes to version 0.5.9.
CVE: CVE-2022-30190
CVSS Score: 7.8
CWE ID: CWE-20
Patch Link: Download
The Rozena backdoor is the latest malware used to exploit the Follina bug
Microsoft’s Follina bug is trending and has been actively exploited by several APT and ransomware groups, especially from Russia and China. In the Follina bug exploit, social engineering tools and phishing campaigns have been deployed to bait victims. To date, the groups have used various malware—such as Qbot and AsyncRAT—to exploit the bug.
Most recently, hackers have started using the Rozena backdoor to inject a remote shell connection back to the attacker, allowing the attacker to take control of the system to access information while maintaining a backdoor to the compromised system. The vulnerability associated with this is CVE-2022-30190, and a patch has been released. If your organization relies heavily on Microsoft Word and Excel, you may want to patch this vulnerability immediately.
CVE: CVE-2022-30190
CVSS Score: 7.8
Exploit Type: [‘RCE’, ‘WebApp’]
Affected Products: 18
Patch Link: Download
APT Associations: TA413
For more information on Follina, check out our blog.
North Korean threat actor targets CVE-2022-26352 with H0lyGh0st ransomware
CVE-2022-26352, a DotCMS remote code execution vulnerability is now actively being exploited by a North Korean threat actor dubbed as DEV-0530. They have been developing and deploying ransomware in small and medium businesses across multiple countries since June 2021. They gain initial access to target networks by exploiting vulnerabilities in public-facing web applications and content management systems. The vulnerability allows directory crawl attack while downloading files using which the attacker can take control of the system. The patch is available in the latest dotCMS versions 22.03, 5.3.8.10_lts and/or 21.06.7_lts.
CSW’s predictive VI analysis tool picked up this CVE in May and warned that it was an extremely exploitable vulnerability. True to this, the CVE is trending as an active exploit now.
Interestingly, this CVE is yet to be added in the NVD or CISA KEV list.
CVE: CVE-2022-26352
Exploit Type: RCE
APT Associations: DEV-0530
Ransomware Association: H0lyGh0st
New vulnerabilities discovered in the IBM MQ Operator and queue managers
On July 8, IBM released a security bulletin stating the IBM MQ Operator catalog container images are vulnerable to an issue in the Golang Go packages. There were three CVEs named for this issue: CVE-2020-15257, CVE-2021-21334, and CVE-2021-41771. The first two allow remote code execution, while the last can be used in a DDoS attack. These vulnerabilities have a CVSS base score of 7.5 and higher and are found in the 1.8.2 version of the IBM MQ Operator CD release. IBM has released fixes in the latest version of the IBM MQ Operator (2.0.0 LTS).
CVE: CVE-2020-15257
CVSS Score: 5.2
Affected Products: 4
Patch Link: Download
New sandbox vulnerability discovered in macOS
In October 2021, an AppleApp Sandbox vulnerability was discovered and reported to Apple. The vulnerability is now named CVE-2022-26706 and Apple released a patch for it, this week. The vulnerability allows attackers to escape the App Sandbox and run unrestricted on the system using specially crafted codes.
Apple has recommended that all users install these security updates as soon as possible.
CVE: CVE-2022-26706
CVSS Score: 5.5
Affected Products: 6
Patch Link: Download
We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that could potentially be exploited by hackers. We warn our customers continuously about their exposures and prioritize their vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help in managing your vulnerabilities and exposures from attackers.
Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.