{"id":7364,"date":"2022-07-01T08:26:40","date_gmt":"2022-07-01T15:26:40","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7364"},"modified":"2023-04-05T12:32:37","modified_gmt":"2023-04-05T19:32:37","slug":"securin-weekly-threat-intelligence-1","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/securin-weekly-threat-intelligence-1\/","title":{"rendered":"Securin&#8217;s Weekly Threat Intelligence"},"content":{"rendered":"<p dir=\"ltr\">CSW\u2019s weekly threat intelligence edition brings to you early warnings about critical vulnerabilities that could potentially be weaponized and prove dangerous to your organization and its assets.<\/p>\n<p dir=\"ltr\"><strong>All CVEs mentioned in this blog edition have received a maximum rating from the Threat Intelligence platform indicating high probability of exploitation. We urge organizations to prioritize these warnings and proactively patch these vulnerabilities.<\/strong><\/p>\n<h2 dir=\"ltr\" style=\"text-align: center;\"><strong>Check out our Podcast\u00a0on Top 3 Threats of the Week!<\/strong><\/h2>\n<p style=\"text-align: center;\"><iframe src=\"https:\/\/player.vimeo.com\/video\/726627775?h=b3122a1ec5\" width=\"640\" height=\"360\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<h2 dir=\"ltr\">Top Critical Cyber Threats of the Week<\/h2>\n<ol>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Russia\u2019s APT28\">Russia\u2019s APT28 Launches Follina Exploit Campaign in Ukraine\u00a0<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#QNAP\">Critical PHP Flaw Opens QNAP NAS devices to RCE attacks<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Apple\">CVE-2022-22620: Apple\u2019s Safari Zombie Zero-Day Fixed!<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Microsoft\">New ToddyCat APT Gang Hacks Microsoft Exchange Servers<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Adobe\">Adobe Illustrator Patches Multiple Zero-Day Vulnerabilities<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Avos\">Avos Ransomware Group Develops New Attack Methods<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#RIG\">RIG Exploit Kit Infects Victim\u2019s PCs With Dridex<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Vmware\">PoC Now Available for VMware Vulnerability (CVE-2022-22980)<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Simens\">Siemens&#8217; Industrial Network Management System Fixed 15 Vulnerabilities<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Linux\">Privilege Escalation Vulnerability in Linux kernel<\/a><\/p>\n<\/li>\n<\/ol>\n<h2 dir=\"ltr\"><a id=\"Russia\u2019s APT28\" name=\"Russia\u2019s APT28\"><\/a>Russia\u2019s APT28 Launches Follina Exploit Campaign in Ukraine<\/h2>\n<p dir=\"ltr\">APT28, a notorious advanced persistent threat group from Russia, is the latest attacker to attempt to exploit the Follina vulnerability in the Microsoft Support Diagnostic Tool (MSDT). The threat actor &#8211; aka Fancy Bear and Sofacy &#8211; has been observed this week sending out phishing emails to Ukrainian users that contain a malicious document containing an exploit for the now-patched vulnerability (CVE-2022-30190). The document was titled &#8220;Nuclear Terrorism A Very Real Threat.rtf&#8221; and appeared to be an attempt to exploit fears that the conflict in Ukraine would spiral into a nuclear holocaust.<\/p>\n<p dir=\"ltr\"><strong>Threat Associated CVEs:\u00a0<\/strong>CVE-2022-30190<\/p>\n<p dir=\"ltr\"><strong>CVSS Score: <\/strong>7.8<\/p>\n<p dir=\"ltr\"><strong>Affected Product Count:<\/strong> 18<\/p>\n<p dir=\"ltr\"><strong>Exploit Type: <\/strong>RCE<\/p>\n<p dir=\"ltr\"><strong>CWE: <\/strong>NVD-CWE-noinfo<\/p>\n<p dir=\"ltr\"><strong>Ransomware Associations: <\/strong>NA<\/p>\n<p dir=\"ltr\"><strong>APT Groups: <\/strong>TA413, APT28, and TA570<\/p>\n<p dir=\"ltr\"><strong>Malware:<\/strong> QBot, Sandworm, and AsyncRAT<\/p>\n<p dir=\"ltr\"><strong>CISA KEV: <\/strong>Yes<\/p>\n<p dir=\"ltr\"><strong>CISA Patch Deadline:\u00a0<\/strong>June 6, 2022<\/p>\n<p dir=\"ltr\"><strong>Patch:<\/strong> <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-30190\">Download<\/a><\/p>\n<h2 dir=\"ltr\"><a id=\"QNAP\" name=\"QNAP\"><\/a>Critical PHP Flaw Opens QNAP NAS devices to RCE attacks<\/h2>\n<p dir=\"ltr\">QNAP has warned customers today that some of its Network Attached Storage (NAS) devices (with non-default configurations) may be vulnerable to attacks exploiting a three-year-old critical PHP vulnerability. The vendor has already patched the security flaw (CVE-2019-11043) for the affected operating systems (QTS 5.0.1.2034 build 20220515 or later, and QuTS hero h5.0.0.2069 build 20220614 or later).<\/p>\n<p dir=\"ltr\"><strong>Threat Associated CVEs: <\/strong>CVE-2019-11043<\/p>\n<p dir=\"ltr\"><strong>CVSS Score:<\/strong> 9.8<\/p>\n<p dir=\"ltr\"><strong>Affected\u00a0Product Counts: <\/strong>11<\/p>\n<p dir=\"ltr\"><strong>Exploit Type:<\/strong> [&#8216;RCE&#8217;, &#8216;PE&#8217;, &#8216;WebApp&#8217;, &#8216;DoS&#8217;]<\/p>\n<p dir=\"ltr\"><strong>CWE:<\/strong> CWE-787|CWE-120<\/p>\n<p dir=\"ltr\"><strong>Ransomware Associations: <\/strong>NextCry<\/p>\n<p dir=\"ltr\"><strong>APT Groups:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>Malware:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>CISA KEV: <\/strong>Yes<\/p>\n<p dir=\"ltr\"><strong>CISA Patch Deadline:<\/strong> April 15, 2022<\/p>\n<p dir=\"ltr\"><strong>Patch:<\/strong> <a href=\"https:\/\/bugs.php.net\/bug.php?id=78599\">Download<\/a><\/p>\n<h2 dir=\"ltr\"><a id=\"Apple\" name=\"Apple\"><\/a>CVE-2022-22620: Apple\u2019s Safari Zombie Zero-Day Fixed!<\/h2>\n<p dir=\"ltr\">A Google project researcher described the vulnerability as a &#8220;zombie&#8221; Safari zero-day (CVE-2022-22620) which came back from the dead, was found and exploited in the wild. Originally patched in 2013, the flaw reappeared in December 2016, according to Google Project Zero. It can be exploited by processing maliciously crafted web content. Considering the exploitation, CISA added this CVE to its catalog.<\/p>\n<p dir=\"ltr\"><strong>Threat Associated CVEs: <\/strong>CVE-2022-22620<\/p>\n<p dir=\"ltr\"><strong>CVSS Score: <\/strong>8.8<\/p>\n<p dir=\"ltr\"><strong>Affected Product Counts: <\/strong>4<\/p>\n<p dir=\"ltr\"><strong>Exploit Type: <\/strong>NA<\/p>\n<p dir=\"ltr\"><strong>CWE: <\/strong>CWE-416<\/p>\n<p dir=\"ltr\"><strong>Ransomware Associations: <\/strong>NA<\/p>\n<p dir=\"ltr\"><strong>APT Groups:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>Malware:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>CISA KEV: <\/strong>Yes<\/p>\n<p dir=\"ltr\"><strong>CISA Patch Deadline: <\/strong>February 25, 2022<\/p>\n<p dir=\"ltr\"><strong>Patch:<\/strong> <a href=\"https:\/\/support.apple.com\/en-us\/HT213091\">Download<\/a><\/p>\n<h2 dir=\"ltr\"><a id=\"Microsoft\" name=\"Microsoft\"><\/a>New ToddyCat APT Gang Hacks Microsoft Exchange Servers<\/h2>\n<p dir=\"ltr\">The ToddyCat advanced persistent threat group has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year, since at least December 2020.<\/p>\n<p dir=\"ltr\">Researchers found a previously unknown passive backdoor they called Samurai, and a new trojan malware they named Ninja Trojan, while tracking the group&#8217;s activity. With both malware strains, attackers can control infected systems, and move laterally in networks.<\/p>\n<p dir=\"ltr\">The hacking group exploited Microsoft Exchange ProxyLogon vulnerabilities at the time to execute remote code on vulnerable servers in order to deploy the China Chopper web shells.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 467px; height: 263px; border-width: 1px; border-style: solid;\" src=\"https:\/\/lh6.googleusercontent.com\/V473N9ZJ5ZXmfiUX_tce-DjA_qsb-a5M8R5ro3XlaeGNskX93Yr1WbCdUvsYU6tEf9WTUJF-fLGIki7pTkETZJuhEgwL2_aHLYPSJOn91Lnn-TY3O4iQVG4GKX9DFVH6tLxGSsTFmaIzKHT5Fw\" \/><\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shr09fN746AuW1K3t?backgroundColor=gray&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p>\n<h2 dir=\"ltr\"><a id=\"Adobe\" name=\"Adobe\"><\/a>Adobe Illustrator Patches Multiple Zero-Day Vulnerabilities<\/h2>\n<p dir=\"ltr\">On June 14, 2022, Adobe released a <a href=\"https:\/\/helpx.adobe.com\/security\/products\/illustrator\/apsb22-26.html\">security patch<\/a> that fixed five vulnerabilities, identified as CVE-2022-30649, CVE-2022-30666, CVE-2022-30667, CVE-2022-30668, and CVE-2022-30669. These vulnerabilities have different root causes related to two Illustrator plugins. Users of Adobe Illustrator 2022, versions 26.0.2\u202fand\u202fearlier, and users of Adobe Illustrator 2021, versions 25.4.5,\u202fand\u202fearlier are affected.<\/p>\n<p>&nbsp;<\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrgjBA0cqSPNLsJF?backgroundColor=gray&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p>\n<h2 dir=\"ltr\"><a id=\"Avos\" name=\"Avos\"><\/a>Avos Ransomware Group Develops New Attack Methods<\/h2>\n<p dir=\"ltr\">Researchers have discovered AvosLocker&#8217;s new campaign to hunt for exposed networks. Attackers used a variety of tools, including Sliver, Cobalt Strike, and several commercially available network scanners. Initially, this incident was triggered by a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell.<\/p>\n<h2><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrY4M4lWf135voVS?backgroundColor=gray&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><br \/>\n<a id=\"RIG\" name=\"RIG\"><\/a>RIG Exploit Kit Infects Victim\u2019s PCs With Dridex<\/h2>\n<p dir=\"ltr\">A few months ago, the cybercriminals behind the RIG Exploit Kit traded out the credential-stealing Trojan Raccoon Stealer after their lead developer was killed in the Russian invasion of Ukraine. Cyberattackers behind the RIG Exploit Kit were able to quickly replace the notorious financial Trojan Dridex, which is capable of keylogging and screenshot theft, with the tried-and-true RIG Exploit Kit.<\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrp2DdlIma3EcnGl?backgroundColor=gray&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p>\n<h2 dir=\"ltr\"><a id=\"Vmware\" name=\"Vmware\"><\/a>PoC Now Available for VMware Vulnerability (CVE-2022-22980)<\/h2>\n<p dir=\"ltr\">VMware released a security bulletin revealing a high-severity SpEL Expression injection vulnerability (CVE-2022-22980) in Spring Data MongoDB. This vulnerability affects Spring Data MongoDB applications using repository query methods annotated with @Query or @Aggregate and using parameterized SpEL statements. In order to perform particular exploits, non-sanitized input must be used for repository queries.<\/p>\n<p dir=\"ltr\"><strong>Threat Associated CVEs:<\/strong> CVE-2022-22980<\/p>\n<p dir=\"ltr\"><strong>CVSS Score:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>Exploit Type:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>CWE:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>Ransomware Associations:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>APT Groups: <\/strong>NA<\/p>\n<p dir=\"ltr\"><strong>Malware:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>Patch:<\/strong> <a href=\"https:\/\/tanzu.vmware.com\/security\/cve-2022-22980\">Download<\/a><\/p>\n<h2 dir=\"ltr\"><a id=\"Simens\" name=\"Simens\"><\/a>Siemens&#8217; Industrial Network Management System Fixed 15 Vulnerabilities<\/h2>\n<p dir=\"ltr\">Siemens SINEC has disclosed details about 15 security flaws in its network management system (NMS), some of which could be exploited by an attacker to achieve remote code execution on affected systems.<\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrI60S3qKaa0r7JV?backgroundColor=gray&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p>\n<h2 dir=\"ltr\"><a id=\"Linux\" name=\"Linux\"><\/a>Privilege Escalation Vulnerability in Linux Kernel<\/h2>\n<p dir=\"ltr\">Linux disclosed CVE-2022-0492, a new kernel privilege escalation vulnerability on Feb 4, 2022. The CVE-2022-0492 vulnerability affects control groups, a Linux component that is the basis of containers. This is one of the easiest Linux privilege escalations discovered in recent history that exposes a privileged operation to non-privileged users by mistake.<\/p>\n<p dir=\"ltr\"><strong>Threat Associated CVEs:<\/strong> CVE-2022-0492<\/p>\n<p dir=\"ltr\"><strong>CVSS Score:<\/strong> 7.8<\/p>\n<p dir=\"ltr\"><strong>Affected\u00a0Product Count:<\/strong> 43<\/p>\n<p dir=\"ltr\"><strong>Exploit Type: <\/strong>NA<\/p>\n<p dir=\"ltr\"><strong>CWE: <\/strong>CWE-287<\/p>\n<p dir=\"ltr\"><strong>Ransomware Associations:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>APT Groups: <\/strong>NA<\/p>\n<p dir=\"ltr\"><strong>Malware:<\/strong> NA<\/p>\n<p dir=\"ltr\"><strong>CISA KEV:<\/strong> Yes<\/p>\n<p dir=\"ltr\"><strong>Patch:<\/strong> <a href=\"https:\/\/access.redhat.com\/security\/cve\/cve-2022-0492\">Download<\/a><\/p>\n<h2 dir=\"ltr\" style=\"text-align: center;\"><\/h2>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong><span style=\"text-align: center;\">CSW is on a mission to fix the biggest gap in the cybersecurity industry!\u00a0<\/span><\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Get early warning alerts from our Threat Intelligence team and proactively patch!<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Leverage our expertise and manage your threats on a continuous basis to stay safe from attackers.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/cybersecurityworks.com\/contact-us.php\">Talk to Us<\/a> | <a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\">Schedule a Consultation<\/a><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\">\u00a0<a href=\"https:\/\/cybersecurityworks.com\/services\">Our Services<\/a><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/cybersecurityworks.com\/services\/vulnerability-management-as-a-service\">Vulnerability Management<\/a> | <a href=\"https:\/\/cybersecurityworks.com\/services\/pentesting-service\">Penetration Testing\u00a0<\/a><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\">\u00a0<a href=\"https:\/\/cybersecurityworks.com\/services\">Attack Surface Management<\/a> | <a href=\"https:\/\/cybersecurityworks.com\/services\/aws-cloud-security\">Cloud Security<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CSW weekly threat intelligence edition brings to you early warnings about critical vulnerabilities that could potentially be weaponized and prove dangerous to your organization and its assets.<\/p>\n","protected":false},"author":1,"featured_media":13471,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,146],"tags":[268,172,107,264,269,89,272,116,150,178,266,153,182,91,270,206,271,267,265,218,103,149],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7364"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7364"}],"version-history":[{"count":4,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7364\/revisions"}],"predecessor-version":[{"id":13389,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7364\/revisions\/13389"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/13471"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}