Monthly Threat Digest April 2022

Overview

This conclusive report for April would be brief about all cybersecurity-related activities. This month was filled with activities from several threat actor groups across the globe. This month 15 vulnerabilities were discussed, of which 7 were zero-day vulnerabilities and a few vulnerabilities were exploited in the wild. Some of the threat actors are active this month Sandworm Team, APT 10, Armageddon group, Lazarus Group, Old Gremlin, Rocket Kitten, and Hive ransomware gang. Highly targeted sectors for this month were government, defense, finance, technology, and media. Amongst all the malware that had been launched this month, four malwares garnered more attention and have been discussed in this report. Last but not the least, the top ten most used TTPs are also depicted.

Monthly Insights

Vulnerabilities

For April 2022, 15 vulnerabilities were highlighted. Out of these, there were 7 zero-day vulnerabilities and a few exploited in the wild. Here we would be briefing a few critical vulnerabilities.

Actively exploited Vulnerabilities in Mozilla Firefox

Two critical zero-day vulnerabilities have been identified in Mozilla Firefox that are being exploited in-the wild and tracked as CVE-2022-26485 and CVE-2022-26486. Both are use-after-free bugs that exist in XSLT parameter processing and the WebGPU IPC Framework, respectively.

RCE Spring Framework Zero-Day vulnerability “Spring4Shell”

A zero-day vulnerability (CVE-2022-22965) has been discovered in the Spring framework, a Java framework that provides infrastructure support for web application development. The remote code execution bug affects Spring MVC and Spring WebFlux apps running on JDK 9. An active exploitation of Spring4Shell has been observed, an attacker is able to weaponize and execute the Mirai botnet malware on vulnerable servers.

Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities

Microsoft addressed 128 vulnerabilities in there April patch Tuesday update. Two of them have been categorized as zero-day vulnerabilities (CVE-2022-24521 and CVE-2022-26904). One of the two zero-days is exploited-in-the-wild as well.

Google Chrome issues an emergency update to address the third zero-day of year 2022

A zero-day vulnerability (CVE-2022-1364) has been discovered in Google Chrome versions prior to 100.0.4896.127. A type of confusion vulnerability tracked as CVE-2022-1364, is said to be exploited in the wild. This vulnerability affects the V8 component, which is used to parse JavaScript code in Google Chrome.

Two actively exploited vulnerabilities affect multiple VMware products

Multiple vulnerabilities have been discovered in VMware products. Two of these have been exploited in the wild. The first zero-day vulnerability, CVE-2022-22954, is a server-side template injection flaw. An attacker could exploit this bug to gain network access and remotely execute code in order to deliver cryptominers. The second zero-day vulnerability, CVE-2022-22960 exists due to improper permissions in support scripts. An attacker could exploit this issue to escalate privileges to root on vulnerable servers.

What will be the consequence of this disputed vulnerability in 7-ZIP?

The zero-day vulnerability in 7- Zip software, tracked as CVE-2022-29072 is marked as disputed by the National Vulnerability Database (NVD), and sparked discussions over its consequences. This started when a researcher published a proof-of-concept (POC) for this vulnerability and stated that it allowed remote privilege escalation. However, other well-known researchers, such as those from Google’s Project Zero, have indicated that this security flaw would allow the execution of arbitrary code via 7-Zip while opening a file with the.7z extension.

Bypass Authentication vulnerability in Atlassian Jira Seraph

Atlassian has addressed a vulnerability in its Jira Seraph software, tracked as CVE-2022-0540. An unauthenticated attacker can use to bypass authentication. By submitting a specially crafted HTTP request to the affected software, a threat actor could exploit the vulnerability.

Old Zimbra vulnerability used to target Ukrainian Government Organizations

CERT-UA has released an alert about a campaign targeting Ukrainian government entities that involve an exploit for an XSS vulnerability in Zimbra Collaboration Suite. The attackers have been sending out phishing emails with the subject “Volodymyr Zelenskyy” presented the Golden Star Orders to servicemen of the Armed Forces of Ukraine and members of the families of the fallen Heroes of Ukraine” which contain JavaScript code that evokes the exploitation of the vulnerability (CVE-2018-6882) in Zimbra Collaboration Suite, an email and collaboration platform.

Two Vulnerabilities discovered in AWS Client VPN

Two flaws have been discovered in the AWS VPN Client. One of them (CVE-2022-25166) was discovered due to a time-of-check to time-of-use (TOCTOU) condition, which could lead to privilege escalation. Another vulnerability (CVE-2022-25165) could allow an attacker to obtain an end-Net-NTLMv2 user’s hash if a specially crafted configuration file is used, including a specific network file path imported into the client, and the machine’s firewall is configured to allow outbound external connections.

Threat Actors

Name	Origin	About	Target Locations	Target Sectors
Sandworm Team (ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR)	Russia	The Sandworm actor is employing a new malware known as Cyclops Blink. Cyclops Blink looks to be a replacement framework for the VPNFilter virus, which was first discovered in 2018 and targeted network equipment such as SOHO routers and network-attached storage (NAS) devices. The actor is seen exploiting CVE-2022-23176	Azerbaijan, Belarus, France, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, Russia, Ukraine	Education, Energy, Government, Telecommunications
APT 10 (Stone Panda, menuPass Team, menuPass, Red Apollo, Potassium, Hogfish, Happyyongzi, Bronze Riverside, Cicada, CTG5938, ATK 41, TA429, ITG01)	China	APT 10 group has been attacking government, legal, religious entities and non-governmental organizations (NGOs) around the world in what appears to be an espionage campaign that has been underway for several months. The actor gained initial access by exploiting unpatched Microsoft Exchange Server vulnerabilities, and the attacker then distributed a variety of tools, including a custom loader and the Sodamaster backdoor.	Australia, Belgium, Brazil, Canada, China, Finland, France, Germany, Hong Kong, India, Israel, Italy, Japan, Montenegro, Netherlands, Norway, Philippines, Singapore, South Africa, South Korea, Sweden, Switzerland, Taiwan, Thailand, Turkey, UAE, UK, USA, Vietnam	Aerospace, Defense, Energy, Financial, Government, Healthcare, High-Tech, IT, Media, NGOs, Pharmaceutical, Telecommunications, and MSPs
Armageddon (Gamaredon Group, Winterflounder, Primitive Bear, BlueAlpha, Blue Otso, Iron Tilden, SectorC08, Callisto, Shuckworm, Actinium, DEV-0157, UAC-0010)	Russia	UAC0010, also known as Armageddon, is responsible for spear-phishing attempts against Ukrainian government personnel. the Gamaredon group used simple tools written in VBScript, VBA Script, C#, C++, and other programming languages, mostly relying on open-source software, before gradually expanding their toolkit with a number of custom cyber-espionage tools, such as Pterodo/Pteranodon and EvilGnome malware.	Albania, Austria, Australia, Bangladesh, Brazil, Canada, Chile, China, Colombia, Croatia, Denmark, Georgia, Germany, Guatemala, Honduras, India, Indonesia, Iran, Israel, Italy, Japan, Kazakhstan, Latvia, Malaysia, Netherlands, Nigeria, Norway, Pakistan, Papua New Guinea, Poland, Portugal, Romania, Russia, South Africa, South Korea, Spain, Sweden, Turkey, UK, Ukraine, USA, Vietnam	Defense, Government, Law enforcement, NGOs and diplomats and journalists.
Lazarus Group (APT38, BlueNoroff, and Stardust Chollima)	North Korea	North Korean state hackers known as Lazarus group exploited a zero-day, remote code execution vulnerability (CVE-2022-0609) in Google Chrome’s web browser.	Australia, Bangladesh, Brazil, Canada, Chile, China, Ecuador, France, Germany, Guatemala, Hong Kong, India, Israel, Japan, Mexico, Philippines, Poland, Russia, South Africa, South Korea, Taiwan, Thailand, UK, USA, Vietnam	Blockchain technology and cryptocurrency industry, Financial, Critical Infrastructure, Government, Gaming, Financial Services, Technology
OldGremlin	Russia	Over the last two years, OldGremlin has carried out 13 malicious email campaigns aimed at banks, industrial enterprises, medical organizations, and software developers. OldGremlin is known to carry out multi-stage targeted attacks using sophisticated tactics and techniques via ransomwares and malwares such as TinyCryptor and TinyFluff.	Russia	Financial, Healthcare, Media, banks, industrial enterprises, and software developers
Rocket kitten (Newscaster, NewsBeef, Parastoo, Group 83)	Iran	An Iranian cyber espionage gang known as Rocket Kitten has begun delivering the Core Impact penetration testing tool on susceptible computers by exploiting a newly fixed severe vulnerability (CVE-2022-22954) in VMware Workspace ONE Access/Identity Manager program.	Algeria, Brazil, China, Germany, India, Israel, Japan, Kazakhstan, Romania, Russia, Turkey, UK, Ukraine, USA.	Construction, Defense, Education, Embassies, Entertainment, Government, Manufacturing, Media
Hive Ransomware Group	Unknown	Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) security flaws. The threat actors then conduct network reconnaissance, obtain admin account credentials, and exfiltrate valuable data before deploying the file-encrypting payload.	United States, Germany, United Kingdom, Spain, Canada, China, Italy, Portugal, Netherlands, India, Switzerland, Peru, Colombia, Australia, Brazil	Technology, Healthcare, Transportation, Construction, Media, Professional Services, Retail, Materials, Automotive, Apparel and Fashion, Nonprofits, Retailers, Energy Providers

Targeted Sectors

Targeted Countries

Malware of the Month

Malware	About
TraderTraitor	As part of Lazarus APT’s multi-channel Operation Dream Job, the TraderTraitor virus is disseminated via spear-phishing schemes. TraderTraitor operators bombarded their targets with a significant number of spear-phishing communications delivered over messaging and email systems.
Mirai botnet	Active exploitation of Spring4Shell has been observed, an attacker is able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region. The Mirai sample is downloaded to the “/tmp” folder and executed after permissions are changed to make them executable using “chmod”
TinyFluff backdoor	OldGremlin uses a backdoor, TinyFluff, that launches the Node.js interpreter and grants the attacker remote access to the target system.
TinyCryptor ransomware	OldGremlin encrypted data on computers in the network with help of TinyCryptor ransomware and the ransomware is deployed with PsExec module of Cobalt Strike.