Securin’s Threat Intelligence Sep 5, 2022 – Sep 9, 2022

APT Groups, BackupBuddy, BlackCat, Chrom, CISA KEVs, EoL Routers, EvilCorp, Hive Ransomware, Linux, Malware, Malware Shikitega, MooBot, NAS Devices, Nemesis Kitten, QNAP, ransomware, Vice Society Ransomware, Weekly Threat Intelligence, Worok Espionage Group, Zero Days

Sep 9, 2022

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Critical Threats

Nemesis Kitten: A New Iranian Ransomware Group

Nemesis Kitten, believed to be a sub-group of the Iranian APT group, Phosphorus, has been conducting vulnerability scanning for the Iran Government. In addition to this, they have been carrying out multiple ransom attacks on organizations.

Their attack methodology involves exploiting newly-discovered high severity vulnerabilities and using LOLBINs (Living Off the Land Binaries) to gain persistence or escalate privileges. After initial access, the group uses the built-in BitLocker tool to encrypt files on compromised devices.

Apart from geo-political reasons, the group also appears to be financially motivated and has ransomed private organizations as well in the past.

CVE-2018-13379, CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 are the CVEs exploited by Nemesis Kitten.

CISA Warns of Vice Society Ransomware that Targets Schools

Threat actors have been targeting schools for extorting large ransoms since before the pandemic. The education sector is an easy target due to its poor security infrastructure and insufficient resources. The CISA and FBI together released a warning against the Vice Society group who have been targeting K-12 school districts with various ransomware versions of Hello Kitty/Five Hands and Zeppelin, Cobalt Strike, etc. After initial access, they extract data and use double extortion techniques to demand ransom from victims.

CVE-2021-1675 and CVE-2021-34527 are the two CVEs commonly targeted by the Vice Society group. CVE-2021-34527 is a critical vulnerability that has been used in various attacks. We had called this out in our 2021 Q3 ransomware report.

Here is an article of how you can detect CVE-2021-34527 in your environment.

Worok Espionage Group Targets Asian Government and Private Entities

Worok, a threat actor group using techniques similar to TA428, was discovered carrying out malicious campaigns against various entities in East Asia and Africa in 2020. They have been using C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# Loader PNGLoad to deliver malicious payloads via PNG files. Worok was MIA since May 2021, and has now resurfaced. In the latest attacks, it has targeted an energy company, and a government entity in Asian countries. This is a serious threat to watch out for.

CVE-2021-34523 is one of the CVEs targeted by this threat actor group.

CVE DETAILS

CVE: CVE-2021-34523

Exploit Type: [‘RCE’, ‘PE’, ‘WebApp’]

CVSS SCORE: 9.8

CWE ID: CWE-287, CWE-269

Ransomware Associations: Conti, Hive, BianLian, AvosLocker, BlackCat, LockFile, Karma, BlackByte, Babuk

APT Associations: ChamelGang, TR, Tropical Scorpius, Worok

Affected Products: 5

Patch: Download

LINUX OS under Attack by New Malware Shikitega

A new malware in Linux systems uses an infection chain in multiple layers to exploit vulnerabilities and download a cryptominer. Dubbed as Shikitega, this malware is used on endpoints and IoT devices that run on a Linux OS. It avoids detection by anti-virus software by using a polymorphic encoder. Shikitega also abuses legitimate cloud services to store some of its command and control servers (C&C). This malware could potentially take control of webcams, processes, execute shell commands and also take over the systems completely.

CVE-2021-4034 and CVE-2021-3493 are the vulnerabilities to patch if you want to avoid falling victim to Shikitega.

EvilCorp Uses New Cyberattack Panel TeslaGun in Attacks

EvilCorp (aka TA505) has come up with a new cyber attack panel named TeslaGun that was used in campaigns against more than 80,000 organizations in the US and other countries. EvilCorp is a Russian APT group that has carried out some of the biggest attacks against organizations and Governments.

TeslaGun is mainly used to deploy backdoor attacks effectively. EvilCorp has been using ServHelper malware backdoor since 2019 and TeslaGun will now make it easier to manage the backdoor attack operations. Cyberattack panels contain multiple campaign records representing different delivery methods and attack data. They also collect lots of information from victim’s systems, enabling the threat actor to profile their victims for future exploits.

EvilCorp uses the following CVEs to attack its victims:

BlackCat Ransomware Attacks Italian Energy Agency

Italy’s energy agency Gestore dei Servizi Energetici SpA (GSE) experienced a cyberattack on September 4, 2022. The notorious BlackCat ransomware group claimed credit for the attack. The energy agency took down their websites to curb the extent of the attack, and have been offline since September 5, 2022. GSE has not revealed the extent of data loss but the ransomware group claimed that they had stolen 700 GB of data during the attack. Negotiations for ransom are underway.

BlackCat is known for targeting Europe’s energy agencies. Their last attack was on Luxembourg’s Creos, disrupting the customer portal of the energy supplier.

Here are the CVEs exploited by BlackCat:

For more information about BlackCat Ransomware check out our blog here.

Hive Ransomware Group goes after Damart

Damart is a French clothing store with more than 130 branches across the globe. On August 15, 2022, their online services were down reportedly due to an unscheduled maintenance activity. Damart then clarified that some of their systems were encrypted resulting in website disruptions. More than 92 stores were affected during this attack, impacting sales and customer service.

Hive ransomware group claimed responsibility for this attack. They demanded $2 million as ransom. However, there is no data pertaining to Damart published on Hive’s Onion site.

Hive ransomware uses the following CVEs to exploit systems: CVE-2021-34473,CVE-2021-34523,CVE-2021-31207

CISA Adds 12 New Vulnerabilities to the KEV

CISA maintains a list of Known Exploited Vulnerabilities which are actively targeted by attackers. These CVEs come with a recommended patch-by-date before which all federal agencies are required to patch the vulnerabilities.

On September 08, 2022, the CISA added 12 vulnerabilities. Among these is the Apple vulnerability, CVE-2020-9934, which was trending in July 2022. Four of the new vulnerabilities are in D-Link routers: CVE-2011-4723, CVE-2018-6530, CVE-2022-28958, CVE-2022-26258.

Here’s more information about the CVEs:

Iranian Threat Actors Attack Albanian Government

Iranian threat actors have actively been perpetrating cyber attacks against the Albanian Government since July 2022. Sensitive information was stolen from the Government agency and leaked by threat actors in Tehran.

On July 15, several Albanian websites and digital services were shut down following an attack. 4 threat actor groups/individuals are said to have worked on distinct phases of the attack: Initial intrusion, Data exfiltration, Data encryption and destruction, Information operations. However, a ransomware group called HomeLand Justice has claimed the attack. Iran has been using ransomware gangs to carry out attacks against political enemies.

Once it was discovered that Iran was responsible for this, Albania severed ties with Iran and expelled its embassy staff from the country.

CVE-2019-0604 and CVE-2021-26855 are associated with the Iranian threat actors.

Threats to Watch Out For

CVE-2022-3075 – High Severity Chrome Zero-Day Vulnerability

Google Chrome released a security patch for a zero-day vulnerability, CVE-2022-3075 on September 2, 2022. The vulnerability is caused by insufficient data validation in Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries. It is a critical vulnerability with active exploits in the wild.

Chrome has recommended that all its users upgrade to 105.0.5195.102 to fix this CVE. We also recommend that CISA adds this CVE to the KEV list.

QNAP Zero-Day Vulnerability Exploited in Attacks

Deadbolt ransomware group has been exploiting a zero-day vulnerability in Photo Station, a private photo storage application by QNAP. The company has released a security advisory patching this vulnerability.

DeadBolt has been targeting NAS (Network Attached Storage) devices since January 2022 using zero-day vulnerabilities in exposed NAS products. It is recommended that users have strong passwords for their NAS accounts.

Photo Station users are advised to upgrade to QTS 5.0.1: Photo Station 6.1.2 and later to fix the vulnerability.

CVE-2022-34747: Critical RCE Vulnerability in Zyxel NAS Devices

A patch was released on September 6, 2022 for a critical vulnerability, CVE-2022-34747 in Zyxel devices. The CVE can allow unauthorized remote code execution via a crafted UDP packet.

CVE: CVE-2022-34747

CWE: CWE-134

Patch: Download

NAS devices are vulnerable to ransomware attacks. Hence, patching this vulnerability is of high priority for NAS users.

Here’s an article on how to secure your storage devices.

MooBot Targets Unpatched D-Link Routers

CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958 are some of the CVEs that MooBot is targeting in its latest campaign against D-Link routers. The vulnerabilities are used to deploy DDoS attacks.

D-Link users are recommended to apply the latest firmware update released by their manufacturer.

CVE-2022-31474: Critical Vulnerability in BackupBuddy

A high severity arbitrary file download/read vulnerability is being exploited in BackupBuddy. WordPress websites running BackupBuddy are asked to patch this vulnerability immediately as it enables unauthenticated attackers to download sensitive files from vulnerable sites.

CVE-2022-31814: Root RCE IN pfBlocker NG

An unauthenticated remote command execution vulnerability was found in pfSense’s pfBlockerNG plugin version 2.1.4_26. This is critical and has a CVSS rating of 9.8. To patch this, users are recommended to download the latest stable version of pfSense (2.6.0), and install the latest stable version of pfBlockerNG (2.1.4_26) or higher.

CVE-2022-38395: High-Severity Privilege Escalation Bug

A critical privilege escalation vulnerability was discovered in HP Support Assistant which comes pre-installed on all HP laptops and desktop computers. This CVE enables attackers to elevate their privileges on vulnerable systems.

Users are recommended to patch this vulnerability immediately.

CVE-2022-20923: Unpatched Zero-Day Vulnerability in EoL Routers

CISCO has decided not to patch a zero-day vulnerability in its routers citing that the product is at its End-of-Life. The vulnerability, CVE-2022-20923, is an authentication bypass flaw that is actively being exploited in the wild.

CISCO recommends that customers migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.

Check out this section to track how these threats evolve!

We use our Threat Intelligence Platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.

Talk to Us

Cyber Security Works Inc. Has Rebranded as Securin Inc.

Attack Surface Management

Vulnerability Intelligence

Vulnerability Management

Penetration Testing