Monthly Threat Digest: March 2022
This report summarizes the cybersecurity activity observed in March 2022. The month was filled with activity from threat actor groups across the globe, and this report highlights the most feared of them all: the LAPSUS$ group. This month 76 vulnerabilities were discussed, of which 11 were zero-day vulnerabilities, and a few were exploited in the wild. Among the threat actors active this month were Magic Hound, AvosLocker, Lazarus Group, Lapsus$, DarkHotel, APT41, Prophet Spider, Mustang Panda, Sandworm Team, Exotic Lily, UAC-0056, Pandora Ransomware Gang, and Lockbit 2.0. The most targeted sectors were government, technology, energy, finance, telecommunications, and media. Of all the malware launched this month, four families garnered the most attention and are discussed in this report. Last but not least, the ten most used TTPs are also listed.
Attack on the World – The LAPSUS$ Group
Lapsus$ (DEV-0537) is a threat group that first appeared on December 10th, 2021 and is known for a pure extortion and destruction approach that does not involve distributing ransomware payloads. Since then, it has breached the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Okta, and Microsoft, among others. Unlike other extortionist groups that use a combination of ransomware and data leaks to support their operations, LAPSUS$ primarily funds its activities through data dumps disclosed on Telegram. The threat actor first targeted corporations in the United Kingdom and South America, but it quickly expanded to firms in the government, technology, telecom, media, retail, and healthcare sectors. DEV-0537 is also known to hijack individual user accounts on cryptocurrency exchanges to drain cryptocurrency assets.
DEV-0537 also employs several methods that are less commonly employed by other threat actors. Phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of target employees; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding on ongoing crisis-communication calls of their targets are among their tactics.
To gain initial access to an organization, Lapsus$ employs a range of tactics, the majority of which are centered on compromising user identities, such as using the malware Redline password stealer to gain access to credentials and session tokens or purchasing session tokens and credentials from criminal underground forums. The threat actor also contacts employees at targeted organizations (or suppliers/business partners) who are then compensated for accessing credentials and MFA clearance. To gain privileges on the target network, the threat actor tries to exploit unpatched vulnerabilities on internally accessible servers, including JIRA, Gitlab, and Confluence. After gaining privileged access to cloud instances of the organization, the threat actor creates a global admin account and sets an Office 365 tenant-level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, effectively locking the organization out of all cloud resources. Lapsus$ often deletes the target’s resources and systems after exfiltration.
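The mail-forwarding and admin-lockout sequence described above leaves a trail in tenant audit logs. The following hunting script is an added example, not code from the original report or from Microsoft; the record layout (Operation, Parameters, ModifiedProperties) is an assumption modelled on Office 365 Unified Audit Log exports, and the sample records and the example.com tenant domain are constructed.

```python
"""Hunt for the Office 365 lockout pattern in audit records: a transport rule
that copies or redirects every message to one mailbox, and removal of global
administrators. Records below are constructed for this example; their field
layout is an assumption modelled on the Unified Audit Log, not the page's or
Microsoft's data."""

TENANT_DOMAINS = {"example.com"}  # placeholder: the organisation's own domains
# Parameters that scope a rule; a forwarding rule with none of them applies to
# all mail in and out of the tenant.
SCOPE_PARAMS = {"From", "SentTo", "FromScope", "SentToScope", "SenderDomainIs",
                "RecipientDomainIs", "SubjectContainsWords"}
FORWARD_PARAMS = {"BlindCopyTo", "RedirectMessageTo", "CopyTo", "AddToRecipients"}
ADMIN_ROLES = {"Company Administrator", "Global Administrator"}

SAMPLE_LOG = [  # constructed sample records
    {"Operation": "New-TransportRule", "UserId": "it-ops@example.com",
     "Parameters": [{"Name": "Name", "Value": "Legal hold"},
                    {"Name": "SentTo", "Value": "legal@example.com"},
                    {"Name": "BlindCopyTo", "Value": "archive@example.com"}]},
    {"Operation": "New-TransportRule", "UserId": "new-admin@example.com",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "BlindCopyTo", "Value": "new-admin@example.com"}]},
    {"Operation": "Remove member from role.", "UserId": "new-admin@example.com",
     "Target": "ciso@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName",
                             "OldValue": "Company Administrator"}]},
]

def flag_record(rec):
    """Return a finding for a suspicious record, or None for a benign one."""
    op = rec.get("Operation", "")
    if op in ("New-TransportRule", "Set-TransportRule"):
        p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}
        targets = sorted(p[k] for k in FORWARD_PARAMS if k in p)
        if not targets:
            return None
        unscoped = not (SCOPE_PARAMS & p.keys())          # matches every message
        external = any(t.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS
                       for t in targets)                   # leaves the tenant
        if unscoped or external:
            scope = "ALL" if unscoped else "some"
            where = " (external)" if external else ""
            return f"{op} '{p.get('Name')}' by {rec['UserId']} forwards {scope} mail to {targets}{where}"
    if op == "Remove member from role.":
        roles = {m.get("OldValue") for m in rec.get("ModifiedProperties", [])
                 if m.get("Name") == "Role.DisplayName"}
        if roles & ADMIN_ROLES:
            return f"global admin role removed from {rec.get('Target')} by {rec['UserId']}"
    return None

def hunt(records):  # findings in log order; benign records are dropped
    return [f for f in map(flag_record, records) if f]
```

The scoped legal-hold rule to an internal archive is left alone, while the unscoped BCC rule and the global-admin removal are reported; pair these findings with alerts on new global-admin creation to cover the whole sequence.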
For March 2022, 76 vulnerabilities were highlighted. Of these, 11 were zero-day vulnerabilities and a few were exploited in the wild. A few of the critical vulnerabilities are briefly described here.
Two critical zero-day vulnerabilities have been identified in Mozilla Firefox that are being exploited in the wild, tracked as CVE-2022-26485 and CVE-2022-26486. Both are use-after-free bugs, in XSLT parameter processing and in the WebGPU IPC framework, respectively.
A vulnerability in the Linux kernel that has existed since version 5.8 allows overwriting data in arbitrary read-only files. Because unprivileged processes can use it to inject code into root processes, it results in privilege escalation. The researcher who found it named it Dirty Pipe. It is a local privilege escalation vulnerability assigned CVE-2022-0847. The bug is due to a lack of proper initialization in the Linux kernel’s ‘copy_page_to_iter_pipe’ and ‘push_pipe’ functions. An attacker could use this issue to write to pages in the page cache that are backed by read-only files, escalating their privileges on the system.
Microsoft included three zero-day vulnerabilities in the March 2022 Patch Tuesday update. Two of the three are remote code execution vulnerabilities (CVE-2022-24512, CVE-2022-21990) and one is a privilege escalation (CVE-2022-24459). The zero-day CVE-2022-21990 has been labeled “Exploitation More Likely” by Microsoft because a proof-of-concept (PoC) exploit is publicly available.
The vulnerability, identified as CVE-2022-0778, arises from parsing a malformed certificate with invalid explicit elliptic-curve parameters, resulting in an “infinite loop”. The flaw is in the function BN_mod_sqrt(), which is used to compute the modular square root. Because certificate parsing occurs prior to certificate signature verification, any process that parses an externally supplied certificate may be subject to a denial-of-service attack.
A vulnerability that was addressed in the August 2021 Patch Tuesday release has remained unpatched. This locally exploitable vulnerability is tracked as CVE-2021-34484 and affects the Windows User Profile Service. Renowned researcher Naceri noted that Microsoft’s fix was incomplete soon after it was issued and presented a proof of concept (PoC) that bypassed it on all Windows versions. The 0patch team then published an unofficial security update for all Windows versions and made it available as a free download to all registered users. Microsoft patched the flaw again in its January 2022 release, tracking it as CVE-2022-21919.
A zero-day vulnerability (CVE-2022-22965) has been discovered in the Spring framework, a Java framework that provides infrastructure support for web application development. By sending a carefully crafted request to a susceptible server, an attacker could exploit this flaw, known as Spring4Shell.
Two zero-day vulnerabilities were discovered in macOS Monterey. One of them, CVE-2022-22674, is an out-of-bounds read vulnerability in the Intel Graphics Driver module that could allow a malicious actor to read kernel memory. CVE-2022-22675 is an out-of-bounds write vulnerability in AppleAVD, an audio and video decoding component, that could allow an application to execute arbitrary code with kernel privileges.
| Name | Origin | About | Target Locations | Target Sectors |
|---|---|---|---|---|
| APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) | Iran | APT35, aka Magic Hound, an Iranian-backed threat group, has begun using Microsoft Exchange ProxyShell vulnerabilities as an initial attack vector and to execute code through multiple web shells. | Afghanistan, Canada, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Morocco, Pakistan, Saudi Arabia, Spain, Syria, Turkey, UAE, UK, USA, Venezuela, Yemen | Defense, Energy, Financial, Government, Healthcare, IT, Oil and gas, Technology, Telecommunications |
| AvosLocker | Unknown | AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations in critical infrastructure sectors. The threat actors exploit ProxyShell vulnerabilities as well as CVE-2021-26855 to gain access to victims’ machines and then deploy Mimikatz to steal passwords. | United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, Taiwan, Lebanon, Poland, South Africa | Professional Services, Logistics, Construction & Engineering, Fashion, Retail, Government, Technology, Oil and Gas, Hospitality, Electrical Equipment |
| Deep Panda (APT 19, Codoso, Sunshop Group, TG3551, Bronze Firestone, Pupa) | China | Deep Panda, a Chinese APT group, took advantage of the well-known Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a rootkit and to steal sensitive data. | Australia, USA | Defense, Education, Energy, Financial, Government, High-Tech, Fashion, Manufacturing, Pharmaceutical, Telecommunications, Think Tanks, political dissidents, and Forbes |
| Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) | North Korea | North Korean state hackers known as Lazarus Group exploited a zero-day remote code execution vulnerability (CVE-2022-0609) in the Google Chrome web browser. | Australia, Bangladesh, Brazil, Canada, Chile, China, Ecuador, France, Germany, Guatemala, Hong Kong, India, Israel, Japan, Mexico, Philippines, Poland, Russia, South Africa, South Korea, Taiwan, Thailand, UK, USA, Vietnam | Aerospace, Defense, Engineering, Financial, Government, Media, Shipping and Logistics, Technology |
| Lapsus$ (DEV-0537) | Unknown | Lapsus$ (DEV-0537) is an extortion threat group that first appeared on December 10, 2021, and has since breached the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Okta, and Microsoft. Unlike other extortionist groups, which utilize a combination of ransomware and data leaks to monetize their operations, Lapsus$ funds its activities through data dumps disclosed on Telegram. | Brazil, United Kingdom, United States | Telecommunication, Technology, Higher education, gaming and government organizations |
| DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) | South Korea | DarkHotel, a South Korean advanced persistent threat (APT), has been targeting premium hotels in Macao, China, since November 2021. | Afghanistan, Armenia, Bangladesh, Belgium, China, Ethiopia, Germany, Greece, Hong Kong, India, Indonesia, Malaysia, Ireland, Israel, Italy, Japan, Kazakhstan, Kyrgyzstan, Lebanon, Mexico, Mozambique, North Korea, Pakistan, Philippines, Russia, Saudi Arabia, Serbia, Singapore, South Korea, Taiwan, Tajikistan, Thailand, Turkey, UAE, UK, USA, Vietnam | Defense, Energy, Government, Healthcare, Hospitality, NGOs, Pharmaceutical, Research, Technology |
| APT41 (Double Dragon, TG-2633, Bronze Atlas, Red Kelpie, Blackfly, Earth Baku, SparklingGoblin, Grayfly) | China | The China state-sponsored threat group APT41 was observed compromising the networks of at least six U.S. state governments in a campaign beginning in May 2021. APT41 is a well-known Chinese state-sponsored espionage outfit that targets companies in both the public and commercial sectors and also engages in financially motivated activity for personal benefit. | Australia, Bahrain, Brazil, Canada, Chile, Denmark, Finland, France, Georgia, Hong Kong, India, Indonesia, Italy, Japan, Malaysia, Mexico, Myanmar, Netherlands, Pakistan, Philippines, Poland, Qatar, Saudi Arabia, Singapore, South Korea, South Africa, Sweden, Switzerland, Taiwan, Thailand, Turkey, UAE, UK, USA, Vietnam | Construction, Defense, Education, Energy, Financial, Government, Healthcare, High-Tech, Hospitality, Manufacturing, Media, Oil and gas, Petrochemical, Pharmaceutical, Retail, Telecommunications, Transportation, Online video game companies |
| TA551 (Gold Cabin, Shathak) | Unknown | TA551 is a financially motivated threat group that has been active since at least 2018. The gang primarily targets English, German, Italian, and Japanese speakers through email-based malware distribution activities. IcedID, a modular banking trojan, is used by this threat actor to hijack existing email conversation threads and inject malicious payloads. | Worldwide | Energy, Financial, Healthcare, IT, Oil and gas, Telecommunications, Consumer Utilities |
Malware of the Month
| Malware | Description |
|---|---|
| Serpent Backdoor | Threat actors are delivering a new backdoor called Serpent through macro-enabled Microsoft Word documents, attacking French entities in sectors such as construction and government. Using this backdoor the attacker could enable remote administration, command and control (C2), and data theft, or deliver additional payloads. |
| CaddyWiper | CaddyWiper has been targeting Ukraine since the second week of March. The wiper is deployed using Group Policy Objects and avoids deleting data on domain controllers, so that the attackers keep access to the target organization while still disrupting operations. In the same way, the attackers retain access to the infiltrated networks of the businesses they target while causing significant disruption to operations by wiping other vital devices. |
| Muhstik | Muhstik is a botnet that has been active since at least 2018. It is known to exploit web application flaws to infect IoT devices. The botnet operators profit by combining XMRig mining with DDoS-for-hire businesses. For command-and-control (C2) communications, the botnet makes use of IRC servers. Muhstik has begun attacking Redis servers by exploiting CVE-2022-0543, a flaw found in several Redis Debian packages. |
| RURansom Wiper | The RURansom malware geolocates the IP address of the victim machine and executes only if it detects an IP belonging to Russia. If the malware does not have Admin privileges, it tries to relaunch itself in elevated mode using a PowerShell command. The RURansom wiper then scans the fixed, removable and network drives and encrypts the victim’s files using AES-CBC encryption. |
Most Used TTPs
| ID | Technique |
|---|---|
| T1190 | Exploit Public-Facing Application |
| T1588.006 | Obtain Capabilities: Vulnerabilities |
| T1059 | Command and Scripting Interpreter |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1082 | System Information Discovery |
| T1027 | Obfuscated Files or Information |
| T1047 | Windows Management Instrumentation |
| T1068 | Exploitation for Privilege Escalation |