THREAT DIGEST - Vulnerabilities & Threats that Matter 20 June - 26 June 2022
Summary

The last week of June 2022 witnessed the discovery of 413 vulnerabilities, of which 14 gained the attention of threat actors and security researchers worldwide. Among these 14, 9 were not yet available on NVD, and one of them still has no CVE identifier assigned. The Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. Further, we also observed 4 threat actor groups being highly active in the last week. All of these groups are known for information theft and espionage. One of them originated from Russia (APT28), two from China (ToddyCat and DriftingCloud) and one from Iran (LYCEUM). Common TTPs that could potentially be used by these threat actors or in exploitation of these CVEs can be found in the detailed section.

Active Published Vulnerabilities: 413
Interesting Vulnerabilities: 14
Threat Groups: 4
Targeted Countries: 121
Targeted Industries: 19
ATT&CK TTPs: 33
Detailed Report

Interesting Vulnerabilities

Vendor: WordPress plugin (see the website-takeover advisory in Threat Advisories)
CVE: Unassigned CVE
Patch details: Update to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11

Vendor: Zimbra
CVE: CVE-2022-27924
Patch details: Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server.
  - 9.0.0 Patch 24
  - 8.8.15 Patch 31
Patch link: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31.1

Vendor: Sophos
CVE: CVE-2022-1040
Patch details: Update to versions v19.0 GA and v18.5 MR4 (18.5.4)

Vendor: Google
CVE: CVE-2022-2156, CVE-2022-2157, CVE-2022-2158, CVE-2022-2160, CVE-2022-2161, CVE-2022-2162, CVE-2022-2163, CVE-2022-2164, CVE-2022-2165
Patch details: Update Google Chrome to version 103.0.5060.53
Patch link: https://www.google.com/intl/en/chrome/?standalone=1

Vendor: Microsoft
CVE: CVE-2022-30190
Patch link: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

Vendor: VMware
CVE: CVE-202-44228 (as printed in the digest)
Patch link: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Active Actors

Name: LYCEUM (Hexane, Cobalt Lyceum, Siamesekitten, ATK 120)
Origin: Iran
Motive: Information theft and espionage

Name: DriftingCloud
Origin: China
Motive: Information theft and espionage

Name: ToddyCat
Origin: China (Suspected)
Motive: Information theft and espionage

Name: APT28 (FANCY BEAR, STRONTIUM, Sofacy, Zebrocy, Sednit, Pawn Storm, TG4127, TsarTeam, Iron Twilight, Swallowtail, SNAKEMACKEREL, Frozen Lake)
Origin: Russia
Motive: Information theft and espionage
Targeted Locations (world map; each colour marks a country targeted by the listed combination of actors)

Map legend, "Targeted By":
  APT28
  DriftingCloud
  DriftingCloud; APT28
  DriftingCloud; ToddyCat
  DriftingCloud; ToddyCat; APT28
  LYCEUM
  LYCEUM; APT28
  LYCEUM; DriftingCloud
  LYCEUM; DriftingCloud; APT28
  LYCEUM; DriftingCloud; ToddyCat
  LYCEUM; DriftingCloud; ToddyCat; APT28
  LYCEUM; ToddyCat; APT28
  ToddyCat
  ToddyCat; APT28
Targeted Industries (chart)
Common MITRE ATT&CK TTPs

TA0042: Resource Development
  T1587: Develop Capabilities

TA0001: Initial Access
  T1190: Exploit Public-Facing Application
  T1566: Phishing
  T1566.001: Spearphishing Attachment

TA0002: Execution
  T1059: Command and Scripting Interpreter
  T1059.001: PowerShell
  T1203: Exploitation for Client Execution
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task
  T1204: User Execution
  T1204.002: Malicious File

TA0003: Persistence
  T1037: Boot or Logon Initialization Scripts
  T1574: Hijack Execution Flow
  T1574.002: DLL Side-Loading
  T1505: Server Software Component
  T1505.003: Web Shell
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task

TA0004: Privilege Escalation
  T1037: Boot or Logon Initialization Scripts
  T1068: Exploitation for Privilege Escalation
  T1574: Hijack Execution Flow
  T1574.002: DLL Side-Loading
  T1055: Process Injection

TA0005: Defense Evasion
  T1140: Deobfuscate/Decode Files or Information
  T1574: Hijack Execution Flow
  T1574.002: DLL Side-Loading
  T1562: Impair Defenses
  T1036: Masquerading
  T1036.004: Masquerade Task or Service
  T1027: Obfuscated Files or Information
  T1055: Process Injection

TA0006: Credential Access
  T1557: Adversary-in-the-Middle
  T1056: Input Capture
  T1056.001: Keylogging
  T1040: Network Sniffing

TA0007: Discovery
  T1010: Application Window Discovery
  T1040: Network Sniffing
  T1057: Process Discovery
  T1018: Remote System Discovery
  T1518: Software Discovery

TA0008: Lateral Movement
  T1021: Remote Services
  T1021.001: Remote Desktop Protocol

TA0009: Collection
  T1557: Adversary-in-the-Middle
  T1560: Archive Collected Data
  T1560.001: Archive via Utility
  T1056: Input Capture
  T1056.001: Keylogging

TA0010: Exfiltration
  T1048: Exfiltration Over Alternative Protocol
  T1041: Exfiltration Over C2 Channel

TA0011: Command and Control
  T1071: Application Layer Protocol
  T1071.001: Web Protocols
  T1573: Encrypted Channel
  T1573.001: Symmetric Cryptography
  T1105: Ingress Tool Transfer
  T1571: Non-Standard Port
  T1090: Proxy
  T1102: Web Service
Threat Advisories

https://www.hivepro.com/iranian-apt-targets-middle-easts-energy-telecommunications-industry/
https://www.hivepro.com/vulnerability-in-zimbra-that-steals-clear-text-credentials-from-users/
https://www.hivepro.com/new-vulnerability-allows-attackers-to-takeover-entire-wordpress-website/
https://www.hivepro.com/driftingcloud-exploits-zero-day-in-sophos-firewall/
https://www.hivepro.com/toddycat-exploits-unknown-vulnerability-in-microsoft-exchange-servers-to-targets-entities-in-europe-and-asia/
https://www.hivepro.com/google-addresses-new-vulnerabilities-in-chrome/
https://www.hivepro.com/apt28-exploits-follina-to-deploy-credomap/
What Next?

Book a free demo with HivePro Uni5 to check your exposure to this advisory. HivePro Uni5 is a Threat Exposure Management Solution that proactively reduces an organization's attack surface before it gets exploited. At Hive Pro we take a long hard look at your vulnerabilities so you can bolster your defenses and fine-tune your offensive cybersecurity tactics.

REPORT GENERATED ON June 28, 2022 • 8:00 AM
© 2022 All Rights are Reserved by HivePro
More at www.hivepro.com