THREAT DIGEST - Vulnerabilities & Threats that Matter 20 June - 26 June 2022
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
THREAT DIGEST Vulnerabilities & Threats that Matter 20 June - 26 June 2022
Summary
The last week of June 2022 witnessed the discovery of 413 vulnerabilities out of which
14 gained the attention of Threat Actors and security researchers worldwide. Among
these 14,there were 9 vulnerabilities that were not available on NVD and one of them
remained unassigned till date. Hive Pro Threat Research Team has curated a list of 14
CVEs that require immediate action.
Further, we also observed 4 Threat Actor groups being highly active in the last week. All
these threat groups are popular for information theft and espionage. One of them
originated from Russia (APT28), two of them were from China(ToddyCat and
DriftingCloud) and one was from Iran(LYCEUM). Common TTPs which could potentially
be exploited by these threat actors or CVEs can be found in the detailed section.
Active
Published Interesting Targeted Targeted ATT&CK
Threat
Vulnerabilities Vulnerabilities Countries Industries TTPs
Groups
413 14 4 121 19 33
THREAT DIGEST• WEEKLY 2 |Detailed Report
Interesting Vulnerabilities
VENDOR CVE PATCH DETAILS
Update to versions 3.0.34.2, 3.1.10, 3.2.28,
3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11
Unassigned CVE
Zimbra patched the vulnerability by
creating a SHA-256 hash of all Memcache
keys before sending them to the
CVE-2022-27924 Memcache server. •9.0.0 Patch 24•8.8.15
Patch 31Patch
Linkhttps://wiki.zimbra.com/wiki/Zimbra_R
eleases/8.8.15/P31.1
Update to versions v19.0 GA and v18.5
CVE-2022-1040 MR4 (18.5.4)
CVE-2022-2156 Update Google Chrome to version
CVE-2022-2157 103.0.5060.53
CVE-2022-2158 Patch Link
CVE-2022-2160 https://www.google.com/intl/en/chrome/?
CVE-2022-2161 standalone=1
CVE-2022-2162
CVE-2022-2163
CVE-2022-2164
CVE-2022-2165
https://msrc.microsoft.com/update-
guide/en-US/vulnerability/CVE-2022-30190
CVE-2022-30190
https://www.vmware.com/security/advisor
CVE-202-44228 ies/VMSA-2021-0028.html
THREAT DIGEST• WEEKLY 3 |Active Actors
ICON NAME ORIGIN MOTIVE
LYCEUM
(Hexane, Information
Cobalt Lyceum, Iran theft and
Siamesekitten, espionage
ATK 120)
Information
China theft and
DriftingCloud
Espionage
Information
China
ToddyCat theft and
(Suspected)
espionage
APT28 (FANCY
BEAR,
STRONTIUM,
Sofacy,
Zebrocy,
Sednit, Pawn Information
Storm, TG4127, TsarTeam, Iron Russia Theft and
Twilight, Espionage
Swallowtail,
SNAKEMACKE
REL, Frozen
Lake)
THREAT DIGEST• WEEKLY 4 |Targeted Locations
Color Targeted By
APT28
DrftingCloud
DrftingCloud;APT28
DrftingCloud;Toddycat
DrftingCloud;Toddycat;AP
T28
LYCEUM
LYCEUM;APT28
LYCEUM;DrftingCloud
LYCEUM;DrftingCloud;APT
28
LYCEUM;DrftingCloud;Tod
dycat
LYCEUM;DrftingCloud;Tod
dycat;APT28
LYCEUM;Toddycat;APT28
Toddycat
Toddycat;APT28
THREAT DIGEST• WEEKLY 5 |Targeted Industries THREAT DIGEST• WEEKLY 6 |
Common MITRE ATT&CK TTPs
TA0042:
TA0001: Initial TA0002: TA0003: TA0004: Privilege TA0005: Defense
Resource
Access Execution Persistence Escalation Evasion
Development
T1037: Boot or T1037: Boot or T1140:
T1190: Exploit T1059: Command
T1587: Develop Logon Logon Deobfuscate/Dec
Public-Facing and Scripting
Capabilities Initialization Initialization ode Files or
Application Interpreter
Scripts Scripts Information
T1068:
T1059.001: T1574: Hijack Exploitation for T1574: Hijack
T1566: Phishing
PowerShell Execution Flow Privilege Execution Flow
Escalation
T1566.001: T1203:
T1574.002: DLL T1574: Hijack T1574.002: DLL
Spearphishing Exploitation for
Side-Loading Execution Flow Side-Loading
Attachment Client Execution
T1505: Server
T1053: Scheduled T1574.002: DLL T1562: Impair
Software
Task/Job Side-Loading Defenses
Component
T1053.005: T1505.003: Web T1055: Process T1036:
Scheduled Task Shell Injection Masquerading
T1036.004:
T1204: User T1053: Scheduled
Masquerade Task
Execution Task/Job
or Service
T1027:
T1204.002: T1053.005:
Obfuscated Files
Malicious File Scheduled Task
or Information
T1055: Process
Injection
TA0011:
TA0006: TA0007: TA0008: Lateral TA0009: TA0010:
Command and
Credential Access Discovery Movement Collection Exfiltration
Control
T1010: T1048:
T1557: T1557: T1071:
Application T1021: Remote Exfiltration Over
Adversary-in-the- Adversary-in-the- Application Layer
Window Services Alternative
Middle Middle Protocol
Discovery Protocol
T1021.001: T1041:
T1056: Input T1040: Network T1560: Archive T1071.001: Web
Remote Desktop Exfiltration Over
Capture Sniffing Collected Data Protocols
Protocol C2 Channel
T1056.001: T1057: Process T1560.001: T1573: Encrypted
Keylogging Discovery Archive via Utility Channel
T1573.001:
T1040: Network T1018: Remote T1056: Input
Symmetric
Sniffing System Discovery Capture
Cryptography
T1518: Software T1056.001: T1105: Ingress
Discovery Keylogging Tool Transfer
T1571: Non-
Standard Port
T1090: Proxy
T1102: Web
Service
THREAT DIGEST• WEEKLY 7 |Threat Advisories
https://www.hivepro.com/iranian-apt-targets-middle-easts-energy-
telecommunications-industry/
https://www.hivepro.com/vulnerability-in-zimbra-that-steals-clear-text-credentials-
from-users/
https://www.hivepro.com/new-vulnerability-allows-attackers-to-takeover-entire-
wordpress-website/
https://www.hivepro.com/driftingcloud-exploits-zero-day-in-sophos-firewall/
https://www.hivepro.com/toddycat-exploits-unknown-vulnerability-in-microsoft-
exchange-servers-to-targets-entities-in-europe-and-asia/
https://www.hivepro.com/google-addresses-new-vulnerabilities-in-chrome/
https://www.hivepro.com/apt28-exploits-follina-to-deploy-credomap/
THREAT DIGEST• WEEKLY 8 |What Next?
Book a free demo with HivePro Uni5 to check your exposure to
this advisory. HivePro Uni5 is a Threat Exposure Management
Solution that proactively reduces an organization’s attack surface
before it gets exploited.
At Hive Pro we take a long hard look at your vulnerabilities so you
can bolster your defenses and fine-tune your offensive
cybersecurity tactics.
REPORT GENERATED ON
June 28, 2022 • 8:00 AM
© 2022 All Rights are Reserved by HivePro
More at www.hivepro.comYou can also read
