THREAT DIGEST - Vulnerabilities & Threats that Matter 20 June - 26 June 2022

Page created by Lorraine Simpson
 
Summary
     The last week of June 2022 saw the discovery of 413 vulnerabilities, of which
     14 gained the attention of threat actors and security researchers worldwide. Among
     these 14, 9 were not yet available on NVD, and one of them remained unassigned
     to date. The Hive Pro Threat Research Team has curated a list of 14 CVEs that
     require immediate action.

     Further, we also observed 4 threat actor groups being highly active in the last week. All
     of these groups are known for information theft and espionage. One of them
     originated from Russia (APT28), two were from China (ToddyCat and
     DriftingCloud) and one was from Iran (LYCEUM). Common TTPs that could potentially
     be used by these threat actors, or exploited via the listed CVEs, can be found in the detailed section.

     Published Vulnerabilities:     413
     Interesting Vulnerabilities:    14
     Active Threat Groups:            4
     Targeted Countries:            121
     Targeted Industries:            19
     ATT&CK TTPs:                    33

THREAT DIGEST• WEEKLY                                                              2   |
Detailed Report
        Interesting Vulnerabilities

        Vendor:         WordPress plugin
        CVE:            Unassigned CVE
        Patch details:  Update to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4,
                        3.4.34.2, 3.5.8.4, 3.6.11

        Vendor:         Zimbra
        CVE:            CVE-2022-27924
        Patch details:  Zimbra patched the vulnerability by creating a SHA-256 hash
                        of all Memcache keys before sending them to the Memcache
                        server. Fixed in 9.0.0 Patch 24 and 8.8.15 Patch 31.
        Patch link:     https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31.1

        Vendor:         Sophos
        CVE:            CVE-2022-1040
        Patch details:  Update to versions v19.0 GA and v18.5 MR4 (18.5.4)

        Vendor:         Google
        CVE:            CVE-2022-2156, CVE-2022-2157, CVE-2022-2158, CVE-2022-2160,
                        CVE-2022-2161, CVE-2022-2162, CVE-2022-2163, CVE-2022-2164,
                        CVE-2022-2165
        Patch details:  Update Google Chrome to version 103.0.5060.53
        Patch link:     https://www.google.com/intl/en/chrome/?standalone=1

        Vendor:         Microsoft
        CVE:            CVE-2022-30190
        Patch link:     https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

        Vendor:         VMware
        CVE:            CVE-2021-44228
        Patch link:     https://www.vmware.com/security/advisories/VMSA-2021-0028.html
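The Zimbra fix noted for CVE-2022-27924 above, hashing every Memcache key before it reaches the server, is a general pattern for keeping untrusted input out of a line-oriented cache protocol: the hashed key is always a fixed-length string of hex characters, so whatever the upstream input contained can no longer alter the framing of the command it is embedded in. The following Python is an added example and not Zimbra's code. The key prefix `route`, the account strings and the helper names are assumptions; the key rules it checks (at most 250 bytes, no whitespace or control characters) are those of the memcached text protocol.

```python
import hashlib
import re

# memcached text-protocol key rules: at most 250 bytes, no whitespace or
# control characters. A key that breaks these rules would also break the
# framing of the command it is embedded in, which is exactly what hashing
# every user-derived key before use prevents.
MAX_KEY_LEN = 250
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")


def is_valid_memcache_key(key: bytes) -> bool:
    """True if the key can be placed in a memcached text command as-is."""
    return 0 < len(key) <= MAX_KEY_LEN and _FORBIDDEN.search(key) is None


def raw_key(prefix: str, account: str) -> bytes:
    """Direct concatenation: the key is only as well-formed as its input.
    Assumed layout; the real Zimbra key format is not on the page."""
    return f"{prefix}:{account}".encode("utf-8")


def hashed_key(prefix: str, account: str) -> bytes:
    """SHA-256 of the logical key, hex-encoded. The result is always 64
    lowercase hex characters after the prefix, whatever the account held."""
    digest = hashlib.sha256(f"{prefix}:{account}".encode("utf-8")).hexdigest()
    return f"{prefix}:{digest}".encode("ascii")


def cache_key(prefix: str, account: str) -> bytes:
    """Key builder a server would call: hash first, then re-check the
    invariant so a later change to the layout cannot quietly reintroduce
    a raw key."""
    key = hashed_key(prefix, account)
    if not is_valid_memcache_key(key):
        raise ValueError("memcache key violates protocol key rules")
    return key


def check_samples() -> dict:
    """Constructed sample inputs: one ordinary account name and two that
    contain whitespace or control characters an upstream parser let through.
    Returns which keys pass validation and whether hashing keeps them distinct."""
    samples = ["alice@example.com", "alice example.com", "alice\r\nexample"]
    return {
        "raw_valid": [is_valid_memcache_key(raw_key("route", s)) for s in samples],
        "hashed_valid": [is_valid_memcache_key(hashed_key("route", s)) for s in samples],
        "distinct": len({hashed_key("route", s) for s in samples}) == len(samples),
    }


if __name__ == "__main__":
    for name, value in check_samples().items():
        print(f"{name}: {value}")
```

Running the block shows the raw keys failing validation for the two malformed inputs while every hashed key passes, and that hashing does not collapse distinct accounts onto one cache entry. The `cache_key` wrapper keeps the validation check next to the key construction so a detection of a malformed key surfaces as an exception in the application rather than as a silently corrupted cache session.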

Active Actors

        Name:     LYCEUM (Hexane, Cobalt Lyceum, Siamesekitten, ATK 120)
        Origin:   Iran
        Motive:   Information theft and espionage

        Name:     DriftingCloud
        Origin:   China
        Motive:   Information theft and espionage

        Name:     ToddyCat
        Origin:   China (suspected)
        Motive:   Information theft and espionage

        Name:     APT28 (FANCY BEAR, STRONTIUM, Sofacy, Zebrocy, Sednit, Pawn Storm,
                  TG4127, TsarTeam, Iron Twilight, Swallowtail, SNAKEMACKEREL,
                  Frozen Lake)
        Origin:   Russia
        Motive:   Information theft and espionage

Targeted Locations

(Map legend; the world map itself is not reproduced here. Each entry is one
colour on the map and names the actor or combination of actors targeting the
countries shaded in that colour.)

        APT28
        DriftingCloud
        DriftingCloud; APT28
        DriftingCloud; ToddyCat
        DriftingCloud; ToddyCat; APT28
        LYCEUM
        LYCEUM; APT28
        LYCEUM; DriftingCloud
        LYCEUM; DriftingCloud; APT28
        LYCEUM; DriftingCloud; ToddyCat
        LYCEUM; DriftingCloud; ToddyCat; APT28
        LYCEUM; ToddyCat; APT28
        ToddyCat
        ToddyCat; APT28
Targeted Industries

Common MITRE ATT&CK TTPs

TA0042: Resource Development
        T1587: Develop Capabilities

TA0001: Initial Access
        T1190: Exploit Public-Facing Application
        T1566: Phishing
        T1566.001: Spearphishing Attachment

TA0002: Execution
        T1059: Command and Scripting Interpreter
        T1059.001: PowerShell
        T1203: Exploitation for Client Execution
        T1053: Scheduled Task/Job
        T1053.005: Scheduled Task
        T1204: User Execution
        T1204.002: Malicious File

TA0003: Persistence
        T1037: Boot or Logon Initialization Scripts
        T1574: Hijack Execution Flow
        T1574.002: DLL Side-Loading
        T1505: Server Software Component
        T1505.003: Web Shell

TA0004: Privilege Escalation
        T1037: Boot or Logon Initialization Scripts
        T1068: Exploitation for Privilege Escalation
        T1574: Hijack Execution Flow
        T1574.002: DLL Side-Loading
        T1055: Process Injection
        T1053: Scheduled Task/Job
        T1053.005: Scheduled Task

TA0005: Defense Evasion
        T1140: Deobfuscate/Decode Files or Information
        T1574: Hijack Execution Flow
        T1574.002: DLL Side-Loading
        T1562: Impair Defenses
        T1036: Masquerading
        T1036.004: Masquerade Task or Service
        T1027: Obfuscated Files or Information
        T1055: Process Injection

TA0006: Credential Access
        T1557: Adversary-in-the-Middle
        T1056: Input Capture
        T1056.001: Keylogging
        T1040: Network Sniffing

TA0007: Discovery
        T1010: Application Window Discovery
        T1040: Network Sniffing
        T1057: Process Discovery
        T1018: Remote System Discovery
        T1518: Software Discovery

TA0008: Lateral Movement
        T1021: Remote Services
        T1021.001: Remote Desktop Protocol

TA0009: Collection
        T1557: Adversary-in-the-Middle
        T1560: Archive Collected Data
        T1560.001: Archive via Utility
        T1056: Input Capture
        T1056.001: Keylogging

TA0011: Command and Control
        T1071: Application Layer Protocol
        T1071.001: Web Protocols
        T1573: Encrypted Channel
        T1573.001: Symmetric Cryptography
        T1105: Ingress Tool Transfer
        T1571: Non-Standard Port
        T1090: Proxy
        T1102: Web Service

TA0010: Exfiltration
        T1048: Exfiltration Over Alternative Protocol
        T1041: Exfiltration Over C2 Channel

Threat Advisories
     https://www.hivepro.com/iranian-apt-targets-middle-easts-energy-telecommunications-industry/
     https://www.hivepro.com/vulnerability-in-zimbra-that-steals-clear-text-credentials-from-users/
     https://www.hivepro.com/new-vulnerability-allows-attackers-to-takeover-entire-wordpress-website/
     https://www.hivepro.com/driftingcloud-exploits-zero-day-in-sophos-firewall/
     https://www.hivepro.com/toddycat-exploits-unknown-vulnerability-in-microsoft-exchange-servers-to-targets-entities-in-europe-and-asia/
     https://www.hivepro.com/google-addresses-new-vulnerabilities-in-chrome/
     https://www.hivepro.com/apt28-exploits-follina-to-deploy-credomap/

What Next?
  Book a free demo with HivePro Uni5 to check your exposure to
  this advisory. HivePro Uni5 is a Threat Exposure Management
  Solution that proactively reduces an organization’s attack surface
  before it gets exploited.

  At Hive Pro we take a long hard look at your vulnerabilities so you
  can bolster your defenses and fine-tune your offensive
  cybersecurity tactics.

REPORT GENERATED ON

June 28, 2022 • 8:00 AM

© 2022 All Rights are Reserved by HivePro
                                                            More at www.hivepro.com