Monthly Threat Digest: February 2022
This was a month of cyber warfare. The cyberwar between Ukraine and Russia introduced new attacks to global cybersecurity firms. This month, 55 vulnerabilities were discussed, of which 5 were zero-day vulnerabilities and a few were exploited in the wild. Some of the threat actors active this month were APT27, MuddyWater, Molerats, BlackCats, APT28, UNC2596, and APT10. Several other threat actors across the globe took sides in the war, deploying new sophisticated malware alongside previously used techniques. The most highly targeted sectors this month were government, telecommunications, financial, defense, and construction & engineering. Among all the malware launched this month, three malware families drew the most attention and are discussed in this report. Last but not least, the top ten most used TTPs are also depicted.
Ukraine – Russia
The war in the East European nations has forced hacker groups to take sides between Ukraine and Russia. A cyber-espionage collective known as Gamaredon (aka Shuckworm or Armageddon) became active in the run-up to Russia’s war on Ukraine. Phishing emails are commonly used in Gamaredon assaults to deceive victims into installing Pterodo, a proprietary remote access trojan. As Russian forces formally launched a full-scale military assault against Ukraine, renowned cybersecurity organizations revealed that they have detected a new data wiper malware used in fresh attacks against hundreds of workstations.
Russia, on the other hand, has been subjected to cyber-attacks on its own infrastructure. The Russian National Computer Incident Response and Coordination Center has cautioned that “attacks can be aimed at disrupting the functioning of vital information resources and services, causing reputational damage, including for political purposes”. Hacking organizations have gained access to a Russian Ministry of Defense database and have exposed sensitive material.
Russia – United States
The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity alert stating that the Russian threat actor APT28 targeted US defense contractors from January 2020 to February 2022. Small and large enterprises in the United States working on defense and intelligence contracts, including missile development, vehicle and aircraft development, and software development, were targeted by the threat actor. Cleared defense contractors (CDCs) serving the US Army, US Air Force, US Navy, US Space Force, and DoD and Intelligence programs have all been compromised.
China – Taiwan
A Chinese advanced persistent threat (APT) group known as Antlion has been targeting Taiwanese financial institutions for at least 18 months as part of a “persistent campaign.” The espionage-focused breaches resulted in the deployment of a backdoor known as xPack, which gave the adversary extensive control over infected workstations.
APT10, also known as Stone Panda, the MenuPass group, and Bronze Riverside, is a Chinese threat group active since at least 2009 that has been linked to a systematic supply chain attack on Taiwan’s financial sector. According to a new report published by a Taiwanese cybersecurity firm, the second wave of attacks peaked between February 10 and 13, 2022, with the wide-ranging supply chain compromise specifically targeting the software systems of financial institutions, resulting in “abnormal cases of placing orders.”
For February 2022, 55 vulnerabilities were highlighted. Of these, five were zero-day vulnerabilities and a few were exploited in the wild. Below is a brief summary of a few critical vulnerabilities.
Zero-day vulnerability in Windows Kernel (CVE-2022-21989)
In Microsoft’s February 2022 Patch Tuesday release, one zero-day vulnerability was identified. The publicly disclosed zero-day bug has been assigned CVE-2022-21989 and has not been confirmed as exploited in the wild. An attacker must take additional actions to prepare the target environment before this vulnerability can be successfully exploited.
Zero-day vulnerability in WebKit affects Apple macOS (CVE-2022-22620)
This is the third zero-day vulnerability identified in macOS Monterey in 2022. The flaw impacts the WebKit component, a cross-platform web browser engine that is predominantly used in Safari. The vulnerability, tracked as CVE-2022-22620, exists due to a use-after-free error when processing HTML content in WebKit.
Magento zero-day vulnerability (CVE-2022-24086)
Adobe issued an emergency advisory informing Adobe Commerce and Magento Open Source users of a critical zero-day vulnerability that is being actively exploited in the wild. The zero-day vulnerability, assigned CVE-2022-24086, affects the Adobe Commerce and Magento Open Source products because they fail to properly validate user input.
First zero-day vulnerability of Google Chrome (CVE-2022-0609)
Google released a stable channel update for the Chrome browser that addresses a zero-day vulnerability that is being actively exploited in the wild. This is the first zero-day bug reported in the Chrome browser this year. The Use-After-Free (UAF) vulnerability, assigned CVE-2022-0609, affects the Animation component and may allow attackers to corrupt data, crash programs, or execute arbitrary code on computers running unpatched Chrome versions, or escape the browser’s security sandbox.
Zero-day vulnerability in Zimbra Servers (CVE-2022-24682)
A zero-day cross-site scripting (XSS) vulnerability has been discovered in the Zimbra email software. A threat actor is taking advantage of this issue by launching a targeted spear-phishing attack named Operation EmailThief.
Zabbix was affected by two actively exploited vulnerabilities (CVE-2022-23131, CVE-2022-23134)
Multiple security vulnerabilities have been discovered in the Web Frontend component of Zabbix (open-source network traffic monitoring software), in its implementation of client-side session storage, and they are being actively exploited according to CISA. Successful exploitation of these vulnerabilities may allow an attacker to bypass authentication, escalate privileges, and execute arbitrary code on a targeted server instance, which could lead to the complete compromise of the network infrastructure.
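The Zabbix entry illustrates a general failure mode of client-side session storage: when the server only authenticates part of the session payload, every field outside the signature is attacker-controlled. The following is an added illustration, not Zabbix code and not from the original digest, of the weak pattern (signature over one field only) next to the hardened pattern (an HMAC over the whole canonical payload, checked with a constant-time compare). All names, the session layout, and the generated key are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed for this example; a real deployment loads the key from protected config.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(session: dict) -> bytes:
    # Fixed key order and no whitespace, so the MAC covers one unambiguous encoding.
    return json.dumps(session, sort_keys=True, separators=(",", ":")).encode()


def issue_cookie_weak(session: dict, key: bytes = SERVER_KEY) -> str:
    """Weak pattern: only 'sessionid' is signed; every other field is trusted unsigned."""
    sig = hmac.new(key, session["sessionid"].encode(), hashlib.sha256).hexdigest()
    return _b64(json.dumps(dict(session, signature=sig)).encode())


def verify_cookie_weak(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    try:
        body = json.loads(_unb64(cookie))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body.get("sessionid", "").encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, body.get("signature", "")):
        return None
    # The signature matched, but fields such as 'role' were never covered by it.
    return {k: v for k, v in body.items() if k != "signature"}


def issue_cookie_hardened(session: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened pattern: the MAC covers the entire canonical payload."""
    payload = _canonical(session)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie_hardened(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # any change to any field invalidates the tag
    return json.loads(payload)


def tamper_role(cookie: str, hardened: bool, new_role: str = "admin") -> str:
    """Constructed check: rewrite the 'role' field of an issued cookie without the key,
    to show which verifier notices. Mirrors what an unsigned field lets a client do."""
    if hardened:
        payload_b64, tag_b64 = cookie.split(".", 1)
        body = json.loads(_unb64(payload_b64))
        body["role"] = new_role
        return _b64(_canonical(body)) + "." + tag_b64
    body = json.loads(_unb64(cookie))
    body["role"] = new_role
    return _b64(json.dumps(body).encode())


def demo() -> dict:
    """Issue one session both ways, tamper with each, and report which verifier accepts it."""
    session = {"sessionid": "s-0001", "user": "alice", "role": "user"}  # constructed sample
    weak, hard = issue_cookie_weak(session), issue_cookie_hardened(session)
    return {
        "weak_accepts_tampered": verify_cookie_weak(tamper_role(weak, False)) is not None,
        "hardened_accepts_tampered": verify_cookie_hardened(tamper_role(hard, True)) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that integrity must cover the whole state the server will act on, not one identifier inside it; encoding the payload canonically before signing removes the ambiguity of signing a dict with variable key order, and `hmac.compare_digest` avoids leaking the tag through timing.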
| Name | Origin | About | Target Locations | Target Sectors |
|---|---|---|---|---|
| APT27 | China | The malicious campaign targets German commercial organizations where the attackers use the HyperBro remote access trojan to inject backdoors into the victims’ network. HyperBro allows hackers to persist on victim networks by acting as an in-memory backdoor with remote administration capabilities. The threat group’s goal is to steal sensitive information as well as attempt to target their victims’ customers in supply chain attacks. | Australia, Canada, China, Hong Kong, India, Iran, Israel, Japan, France, Middle East, Philippines, Russia, South Korea, Taiwan, Thailand, Tibet, UK, USA, Germany | Retail, Defense, Education, Healthcare, Embassies, Government, Technology, Telecommunications, and Think Tanks |
| MuddyWater (Static Kitten, Seedworm, TEMP.Zagros, Mercury, TA450, Cobalt Ulster, ATK 51, T APT-14, ITG17) | Iran | The Iranian-backed MuddyWater hacking group is conducting a new malicious campaign targeting private organizations and governmental institutions in Turkey. This cyber-espionage group mainly used the PowGoop DLL Loader and Mori Backdoor in the current attack campaign. | Afghanistan, Armenia, Austria, Azerbaijan, Bahrain, Belarus, Egypt, Georgia, India, Iran, Iraq, Israel, Jordan, Kuwait, Laos, Lebanon, Mali, Netherlands, Oman, Pakistan, Russia, Saudi Arabia, Tajikistan, Thailand, Tunisia, Turkey, UAE | Defense, Education, Energy, Financial, Food and Agriculture, Gaming, Government, Healthcare, High-Tech, IT, Media, NGOs, Oil and Gas, Telecommunications, Transportation |
| Molerats (Extreme Jackal, Gaza Cybergang, Gaza Hackers Team, TA402, Aluminum Saratoga, ATK 89, TAG-CT5) | Gaza | The APT group Molerats, associated with Gaza, has launched a new threat campaign using the NimbleMamba malware aimed at Middle Eastern governments, foreign policy think tanks, and even a state-owned airline. | Afghanistan, Algeria, Canada, China, Chile, Denmark, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Latvia, Libya, Macedonia, Morocco, New Zealand, Oman, Palestine, Qatar, Russia, Saudi Arabia, Serbia, Slovenia, Somalia, South Korea, Syria, Turkey, UAE, UK, USA, Yemen | Aerospace, Defense, Embassies, Energy, Financial, Government, High-Tech, Media, Oil and Gas, Telecommunications |
| BlackCats aka ALPHV | Unknown | The BlackCat ransomware gang, also known as ALPHV, has targeted around 25 organizations belonging to multiple sectors globally since November 2021. | United States, France, Thailand, Canada, Switzerland, Italy, Hungary, Hong Kong, China, Philippines, United Kingdom, North America, Germany, Netherlands, Argentina, Spain | Construction and Engineering, Retail, Transportation, Commercial Services, Insurance, Machinery, Professional Services, Telecommunication, Auto Components, and Pharmaceuticals |
| APT28 (Sofacy, Fancy Bear, Sednit, Group 74, TG-4127, Pawn Storm, Tsar Team, Strontium, Swallowtail, SIG40, Snakemackerel, Iron Twilight, ATK 5, T-APT-12, ITG05, TAG-0700, Grizzly Steppe) | Russia | The threat actors exfiltrated sensitive data from small and large companies in the U.S. working on defense and intelligence contracts, including missile development, vehicle and aircraft development, and software development. | Afghanistan, Armenia, Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chile, China, Croatia, Cyprus, France, Georgia, Germany, Hungary, India, Iran, Iraq, Japan, Jordan, Kazakhstan, Latvia, Malaysia, Mexico, Mongolia, Montenegro, Netherlands, Norway, Pakistan, Poland, Romania, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Tajikistan, Thailand, Turkey, Uganda, UAE, UK, Ukraine, USA, Uzbekistan | Automotive, Aviation, Chemical, Construction, Defense, Education, Embassies, Engineering, Financial, Government, Healthcare, Industrial, IT, Media, NGOs, Oil and Gas, Think Tanks, and Intelligence organizations |
| UNC2596 | Unknown | Threat actor UNC2596, known for its eCrime business, has targeted more than 50 organizations in 11+ countries. The threat actors expanded their initial attack vector by exploiting the ProxyShell and ProxyLogon vulnerabilities to deploy Cuba ransomware. | Australia, Belgium, Canada, Germany, India, UK, USA, Austria, Colombia, Jordan, Poland | Construction & Engineering, Education, Manufacturing, Oil & Gas, Transportation, Defense, Energy, Financial, Government, Healthcare, High-Tech, IT, Media, Pharmaceutical, Telecommunications, and MSPs |
| APT10 (Stone Panda, APT 10, menuPass, Red Apollo, CVNX, Potassium, Hogfish, Happyyongzi, Cicada, Bronze Riverside, CTG-5938, ATK 41, TA429, ITG01) | China | Chinese threat actor APT10 conducted a series of large-scale supply chain attacks that exclusively targeted the financial software systems of Taiwanese financial institutions from the end of November 2021 until the middle of February 2022. The actor is well known for attacks on Japanese automakers, British managed service providers, US-based aerospace and defense corporations, and South Korean missile defense systems. | Australia, Belgium, Brazil, Canada, China, Finland, France, Germany, Hong Kong, India, Japan, Netherlands, Norway, Philippines, Singapore, South Africa, South Korea, Sweden, Switzerland, Taiwan, Thailand, Turkey, UAE, UK, USA, Vietnam | Aerospace, Defense, Energy, Financial, Government, Healthcare, High-Tech, IT, Media, Pharmaceutical, Telecommunications, and MSPs |
Malware of the Month
| Malware | Description |
|---|---|
| Daxin | Daxin is a sophisticated rootkit backdoor with complex, stealthy command and control (C2) features that allow remote actors to communicate with secured devices that are not directly connected to the internet. The malware hides its traffic inside legitimate network services through tunneling and uses daisy-chained communication, which lets it move internally via hops between several linked computers. It appears to be designed for use against hardened targets, allowing actors to dig deep into targeted networks and exfiltrate data without raising suspicion. |
| HermeticWiper | Cybersecurity researchers from across the globe disclosed a highly destructive malware known as HermeticWiper that was targeting several organizations in Ukraine. The malware targets the Windows device’s master boot record and corrupts it to cause boot failure. For network infiltration, lateral movement, and malware distribution, the attackers used tools such as Impacket and RemCom as remote access software. A worm, HermeticWizard, uses WMI and SMB to spread through the network and deploy the wiper on each local computer. Successful exploitation may directly impact an organization’s daily operations and cause the unavailability of critical assets and data. |
| IsaacWiper | IsaacWiper was discovered as a Windows DLL or EXE with no Authenticode signature; the earliest PE compilation timestamp, found by a well-known internet security firm, was October 19th, 2021, implying that the malware may have been used in previous operations months earlier without being detected. IsaacWiper is now being used against organizations that were unaffected by HermeticWiper. |
Most Used TTPs
| Technique ID | Technique Name |
|---|---|
| T1190 | Exploit Public-Facing Application |
| T1068 | Exploitation for Privilege Escalation |
| T1059 | Command and Scripting Interpreter |
| T1140 | Deobfuscate/Decode Files or Information |
| T1105 | Ingress Tool Transfer |
| T1027 | Obfuscated Files or Information |
| T1083 | File and Directory Discovery |
| T1082 | System Information Discovery |