Monthly Threat Digest: February 2022

Theat Digests

Monthly Threat Digest: February 2022

Overview

This was a month of cyber warfare. The cyberwar between Ukraine and Russia introduced new attacks to global cybersecurity firms. This month, 55 vulnerabilities were discussed, of which 5 were zero-day vulnerabilities and a few vulnerabilities were exploited in the wild. Some of the threat actors active this month were APT27, MuddyWater, Molerats, BlackCats, APT28, UNC2596, and APT10. Several other threat actors across the globe started taking sides in the war and started using new sophisticated malware and brought previously used techniques as well. Highly targeted sectors for this month were government, telecommunications, financial, defense, and construction & engineering. Amongst all the malware that had been launched this month, three malware garnered more attention and have been discussed in this report. Last but not the least, the top ten most used TTPs are also depicted.

Cyber Warfare

Ukraine – Russia

The war in the East European nations has forced hacker groups to take sides between Ukraine and Russia. A cyber-espionage collective known as Gamaredon (aka Shuckworm or Armageddon) became active in the run-up to Russia’s war on Ukraine. Phishing emails are commonly used in Gamaredon assaults to deceive victims into installing Pterodo, a proprietary remote access trojan. As Russian forces formally launched a full-scale military assault against Ukraine, renowned cybersecurity organizations revealed that they have detected a new data wiper malware used in fresh attacks against hundreds of workstations.

Russia, on the other hand, has been subjected to cyber-attacks on its infrastructure. The Russian National Computer Incident Response and Coordination Center have cautioned that “attacks can be aimed at disrupting the functioning of vital information resources and services, causing reputational damage, including for political purposes”. Hacking organizations have gained access to the Russian Ministry of Defense database and have exposed sensitive material.

Russia – United States

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released a combined cybersecurity alert in which they stated that Russian threat actor APT28 has targeted US defense contractors from January 2020 to February 2022. Small and big enterprises in the United States working on defense and intelligence contracts, including missile development, vehicle and aircraft development, and software development, were targeted by the threat actor. CDCs serving the US Army, US Air Force, US Navy, US Space Force, and DoD and Intelligence programs have all been compromised.

China – Taiwan

Chinese advanced persistent threat (APT) group known as Antlion has been targeting Taiwanese financial institutions for at least 18 months as part of a “persistent campaign.” The espionage-focused breaches resulted in the implementation of a backdoor known as xPack, which gave the adversary extensive control over infected workstations.

APT10, also known as Stone Panda, the MenuPass organization, and Bronze Riverside, is a Chinese threat group that has been linked to a systematic supply chain attack on Taiwan’s financial sector since at least 2009. According to a new report published by a Taiwanese cybersecurity firm, the second wave of attacks peaked between February 10 and 13, 2022, with the wide-ranging supply chain compromise specifically targeting the software systems of financial institutions, resulting in “abnormal cases of placing orders.”

Monthly Insights

Vulnerabilities

For February 2022, 55 vulnerabilities were highlighted. Out of these, there were five zero-day vulnerabilities and a few exploited in the wild. Here we provide a brief of a few critical vulnerabilities.

Zero-day vulnerability in Windows Kernel (CVE-2022-21989)

In Microsoft’s February 2022 patch Tuesday release, one zero-day vulnerability was identified. The publicly disclosed zero-day bug has been assigned CVE-2022-21989 and has not been confirmed exploited in the wild. An attacker requires to take additional actions before exploitation to prepare the target environment for the successful exploitation of this vulnerability.

Zero-day vulnerability in WebKit affects Apple macOS (CVE-2022-22620)

A third zero-day vulnerability has been identified since the latest zero-day bugs discovery in macOS Monterey in the year 2022. This flaw impacts the WebKit component, which is a cross-platform web browser engine that is predominantly used in Safari. This vulnerability tracked as CVE-2022-22620 exists due to a use-after-free error when processing HTML content in WebKit.

Magento zero-day vulnerability (CVE-2022-24086)

Adobe issued an emergency advisory informing Adobe Commerce and Magento Open-Source product users of a critical zero-day vulnerability that is being actively exploited in the wild. A zero-day vulnerability that has been assigned CVE-2022-24086 affects the Adobe Commerce and Magento Open-Source products as they fail to properly validate the user input.

First zero-day vulnerability of Google Chrome (CVE-2022-0609)

Google released a stable channel update for their Chrome browser that contains a zero-day vulnerability and is actively being exploited in wild. This is the first zero-day bug reported in the Chrome browser this year. A Use-After-Free (UAF) vulnerability which has been assigned CVE-2022-0609 affects the Animation component that may allow attackers to corrupt data, crash programs, or execute arbitrary code on computers running unpatched Chrome versions or escape the browser’s security sandbox.

Zero-day vulnerability in Zimbra Servers (CVE-2022 24682)

A zero-day cross-site scripting (XSS) vulnerability has been discovered in the Zimbra email software. A threat actor is taking advantage of this issue by launching a targeted spear-phishing attack named Operation EmailThief.

Zabbix was affected by two actively exploited vulnerabilities (CVE-2022-23131, CVE-2022-23134)

Multiple security vulnerabilities have been discovered in Zabbix (open-source network traffic monitoring software) Web Frontend component while implementing client-side sessions storage and are being actively exploited as per CISA. Successful exploitation of these vulnerabilities may allow an attacker to bypass authentication, escalate privileges and execute an arbitrary code on a targeted server instance that could lead to the complete compromise of the network infrastructure.

Threat Actors
NameOriginAboutTarget LocationsTarget Sectors

APT27
(Emissary Panda, LuckyMouse, Bronze Union, TG-3390, TEMP.Hippo, Budworm, Group 35, ATK 15, Iron Tiger, Earth Smilodon, ZipToken)

ChinaThe malicious campaign targets German commercial organizations where the attackers use the HyperBro remote access trojan to inject backdoors into the victims’ network. HyperBro allows hackers to persist on victim networks by acting as an in-memory backdoor with remote administration capabilities. The threat group’s goal is to steal sensitive information as well as attempt to target their victim’s customers in supply chain attacks.Australia, Canada, China, Hong Kong, India, Iran, Israel, Japan, France Middle East, Philippines, Russia, South Korea, Taiwan, Thailand, Tibet, UK, USA, GermanyRetail, Defense, Education, Healthcare, Embassies, Government, Technology, Telecommunications, and Think Tanks
MuddyWater (Static Kitten, Seedworm, TEMP.Zagros, Mercury, TA450, Cobalt Ulster, ATK 51, T APT-14, ITG17)
IranThe Iranian-backed MuddyWater hacking group is conducting a new malicious campaign targeting private organizations and governmental institutions in Turkey. This cyber-espionage group mainly used the PowGoop DLL Loader and Mori Backdoor in the current attack campaign.Afghanistan, Armenia, Austria, Azerbaijan, Bahrain, Belarus, Egypt, Georgia, India, Iran, Iraq, Israel, Jordan, Kuwait, Laos, Lebanon, Mali, Netherlands, Oman, Pakistan, Russia, Saudi Arabia, Tajikistan, Thailand, Tunisia, Turkey, UAE,Defense, Education, Energy, Financial, Food and Agriculture, Gaming, Government, Healthcare, High-Tech, IT, Media, NGOs, Oil and Gas, Telecommunications, Transportation.
Molerats (Extreme Jackal, Gaza Cybergang, Gaza Hackers Team, TA402, Aluminum Saratoga, ATK 89, TAG-CT5)
GazaAn APT group Molerats associated with Gaza has launched a new threat campaign using a malware NimbleMamba aimed at Middle Eastern governments, foreign policy think tanks, and even a state-owned airline.Afghanistan, Algeria, Canada, China, Chile, Denmark, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Latvia, Libya, Macedonia, Morocco, New Zealand, Oman, Palestine, Qatar, Russia, Saudi Arabia, Serbia, Slovenia, Somalia, South Korea, Syria, Turkey, UAE, UK, USA, YemenAerospace, Defense, Embassies, Energy, Financial, Government, High-Tech, Media, Oil and gas, Telecommunications
BlackCats aka ALPHV
UnknownThe Blackcat Ransomware gang also known as ALPHV has targeted around 25 organizations belonging to multiple sectors globally since November 2021.United States, France, Thailand, Canada, Switzerland, Italy, Hungary, Hong Kong, China, Italian, Philippines, United Kingdom, North America, Germany, Netherlands, Argentina, SpainConstruction and engineering, Retail, Transportation, Commercial Services, Insurance, Machinery, Professional services, Telecommunication, Auto components, and Pharmaceuticals

APT28 (Sofacy Fancy Bear, Sednit, Group 74, TG-4127, Pawn Storm, Tsar Team, Strontium, Swallowtail, SIG40, Snakemackerel, Iron Twilight, ATK 5, T-APT-12, ITG05, TAG-0700, Grizzly Steppe)

RussiaThe threat actors exfiltrated sensitive data from small and large companies in the U.S. working on defense and intelligence contracts, including missile development, vehicle & aircraft, and software development.Afghanistan, Armenia, Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chile, China, Croatia, Cyprus, France, Georgia, Germany, Hungary, India, Iran, Iraq, Japan, Jordan, Kazakhstan, Latvia, Malaysia, Mexico, Mongolia, Montenegro, Netherlands, Norway, Pakistan, Poland, Romania, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Tajikistan, Thailand, Turkey, Uganda, UAE, UK, Ukraine, USA, UzbekistanAutomotive, Aviation, Chemical, Construction, Defense, Education, Embassies, Engineering, Financial, Government, Healthcare, Industrial, IT, Media, NGOs, Oil and gas, Think Tanks, and Intelligence organizations.

UNC2596

UnknownThreat actor UNC2596 popularly known for their Ecrime business has targeted more than 50 organizations in 11+ countries. The threat actors increased their initial attack vector by exploiting proxyshell and proxylogon vulnerabilities to deploy Cuba ransomware.Australia, Belgium, Canada, Germany, India, UK, USA, Austria, Colombia, Jordan, PolandConstruction & Engineering, Education, Manufacturing, Oil & Gas, Transportation, Defense, Energy, Financial, Government, Healthcare, High-Tech, IT, Media, Pharmaceutical, Telecommunications, and MSPs

APT10 (Stone Panda, APT 10, menuPass, Red Apollo, CVNX, Potassium, Hogfish, Happyyongzi, Cicada, Bronze Riverside, CTG-5938, ATK 41, TA429, ITG01)

ChinaChinese threat actor APT10 conducted a series of large-scale supply chain attacks that exclusively targeted the financial software systems of Taiwanese financial institutions from the end of November 2021 until the middle of February 2022. The actor is well-known for the attacks on Japanese automakers, British managed service providers, US-based aerospace and defense corporations, and South Korean missile defense systems.Australia, Belgium, Brazil, Canada, China, Finland, France, Germany, Hong Kong, India, Japan, Netherlands, Norway, Philippines, Singapore, South Africa, South Korea, Sweden, Switzerland, Taiwan, Thailand, Turkey, UAE, UK, USA, Vietnam.Aerospace, Defense, Energy, Financial, Government, Healthcare, High-Tech, IT, Media, Pharmaceutical, Telecommunications, and MSPs.
Targeted Sectors

Targeted Countries
Malware of the Month
MalwareDescription
DaxinDaxin malware is a sophisticated rootkit backdoor with complicated, stealthy command and control (C2) features that allowed remote actors to communicate with secured devices that were not directly connected to the internet. This malware communicates with legitimate services through network tunneling and uses daisy-chain communication that provides it the ability to move internally via hops between several linked computers. The malware appears to be designed for the use against hardened targets, allowing actors to dig deeply into targeted networks and exfiltrate data without raising suspicions.
HermeticWiperSeveral cybersecurity researchers reported from across the globe and disclosed a highly catastrophic malware known as HermeticWiper which was targeting several organizations in Ukraine. The malware targets the Windows device’s master boot record and manipulates to cause the boot failure. To infiltrate the network, lateral movement, and malware distribution, attackers used tools like Impacket and RemCom as remote access software. A worm HermeticWizard uses WMI and SMB to spread through the network and deploy a wiper to the local computer. Successful exploitation may directly impact the daily operations of any organization and cause the unavailability of critical assets and data.
IsaacwiperIsaacWiper was discovered as a Windows DLL or EXE with no Authenticode signature; the earliest PE compilation timestamp was discovered by a well-known internet security firm on October 19th, 2021, implying that the malware may have been used in previous operations months earlier without being detected. Isaacwiper is now focusing on groups that are immune to Hermeticwiper.
Most Used TTPs
T1190Exploit Public-Facing Application
T1068Exploitation for Privilege Escalation
T1059Command and Scripting Interpreter
T1140Deobfuscate/Decode Files or Information
T1105Ingress Tool Transfer
T1027Obfuscated Files or Information
T1566.002Spearphishing Link
T1204.001Malicious Link
T1083File and Directory Discovery
T1082System Information Discovery
 
Check out Detailed Threat Advisories
  1. https://www.hivepro.com/russian-state-sponsored-cyber-actors-targeting-u-s-critical-infrastructure/
  2. https://www.hivepro.com/apt27-group-uses-the-hyperbro-remote-access-trojan-to-inject-backdoors-into-victims-network/
  3. https://www.hivepro.com/unc2596-exploits-microsofts-proxyshell-and-proxylogon-vulnerabilities-to-distribute-cuba-ransomware/
  4. https://www.hivepro.com/critical-samba-vulnerability-allows-remote-code-execution-as-root/
  5. https://www.hivepro.com/iranian-state-sponsored-apt-group-muddywater-targeting-organizations-via-malicious-executables/
  6. https://www.hivepro.com/microsoft-patch-tuesday-addresses-a-zero-day-vulnerability-in-windows-kernel/
  7. https://www.hivepro.com/google-chrome-affected-by-high-severity-vulnerabilities/
  8. https://www.hivepro.com/critical-remote-code-execution-vulnerabilities-in-wordpress-php-everywhere-plugin/
  9. https://www.hivepro.com/zero-day-vulnerability-in-webkit-affects-apple-macos/
  10. https://www.hivepro.com/multiple-security-vulnerabilities-identified-in-adobe/
  11. https://www.hivepro.com/critical-magento-zero-day-vulnerability-actively-exploiting-multiple-e-commerce-websites/
  12. https://www.hivepro.com/threat-campaign-by-molerats-uses-nimblemamba-malware-to-target-middle-east/
  13. https://www.hivepro.com/first-zero-day-vulnerability-of-google-chrome-this-year-actively-exploited-in-wild/
  14. https://www.hivepro.com/vmware-addresses-security-flaws-discovered-during-tianfu-cup-pwn-contest/
  15. https://www.hivepro.com/blackcat-ransomware-group-attacks-on-the-rise/
  16. https://www.hivepro.com/russian-state-sponsored-cyber-actors-targeting-u-s-critical-infrastructure/
  17. https://www.hivepro.com/apache-cassandra-database-affected-by-easily-exploitable-remote-code-execution/
  18. https://www.hivepro.com/privilege-escalation-vulnerability-in-snap-package-manager-puts-linux-users-at-risk/
  19. https://www.hivepro.com/millions-of-wordpress-site-backups-at-risk-due-to-a-vulnerability-in-updraftplus-plugin/
  20. https://www.hivepro.com/chinese-apt-group-targets-financial-institutions-in-the-campaign-operation-cache-panda/
  21. https://www.hivepro.com/zabbix-affected-by-two-actively-exploited-vulnerabilities/
  22. https://www.hivepro.com/zero-day-vulnerability-in-zimbra-servers-being-exploited-in-the-wild/