Weekly Threat Digest: 14 – 20 March 2022

For a detailed threat digest, download the pdf file here

Published Vulnerabilities: 567
Interesting Vulnerabilities: 22
Active Threat Groups: 5
Targeted Countries: 36
Targeted Industries: 15
ATT&CK TTPs: 60

The third week of March 2022 saw the discovery of 567 vulnerabilities, 22 of which gained the attention of threat actors and security researchers worldwide. Among these 22, 2 are still awaiting analysis by the National Vulnerability Database (NVD), 2 more are undergoing reanalysis, and 14 were not present in the NVD at all. The Hive Pro Threat Research Team has curated this list of 22 CVEs that require immediate action.

We also observed five threat actor groups that were highly active in the last week. The Sandworm Team, a well-known Russian threat actor group known for sabotage and destruction, was observed using a new malware called Cyclops Blink. A new threat actor, Exotic Lily, was acting as an Initial Access Broker (IAB) for the Conti and Diavol ransomware groups and exploiting the zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). Another Russian threat actor, UAC-0056, was observed targeting Western European and North American ministries as well as the private sector. Two ransomware gangs, Pandora and Lockbit, were active against organizations around the globe. The TTPs commonly used by these threat actors, and the CVEs they may exploit, are listed in the detailed section below.

Detailed Report:

Interesting Vulnerabilities:

Vendor | CVEs | Patch Link
WordPress | CVE-2021-20083 | https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
Drupal | CVE-2022-24728, CVE-2022-24729 | https://www.drupal.org/project/drupal/releases/9.2.15 ; https://www.drupal.org/project/drupal/releases/9.3.8
Opera | CVE-2022-0337 | https://download3.operacdn.com/pub/opera/desktop/84.0.4316.42/win/Opera_84.0.4316.42_Setup_x64.exe
Microsoft Edge | CVE-2022-0337 | https://files02.tchspt.com/temp/MicrosoftEdgeSetup.exe
Google Chrome | CVE-2022-0971, CVE-2022-0972, CVE-2022-0973, CVE-2022-0974, CVE-2022-0975, CVE-2022-0976, CVE-2022-0977, CVE-2022-0978, CVE-2022-0979, CVE-2022-0980, CVE-2022-0337 | https://www.google.com/intl/en/chrome/?standalone=1
OpenSSL | CVE-2022-0778 | https://github.com/openssl/openssl/commit/a466912611aa6cbdf550cd10601390e587451246 ; https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65
Linux Kernel (Netfilter) | CVE-2022-25636 | https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/snapshot/nf-b1a5983f56e371046dcf164f90bfaf704d2b89f6.tar.gz
F5 | CVE-2021-22986 | https://support.f5.com/csp/article/K03009991
Fortinet | CVE-2018-13379 | https://www.fortiguard.com/psirt/FG-IR-18-384
ISC BIND | CVE-2021-25220, CVE-2022-0396, CVE-2022-0635, CVE-2022-0667 | https://www.isc.org/bind/

Active Actors:

Name | Origin | Motive
Exotic Lily | Unknown | Ecrime
UAC-0056 (SaintBear, UNC2589, TA471) | Russia | Information theft
Pandora Ransomware Gang | Unknown | Ecrime, Information theft, and Financial gain
Lockbit 2.0 | Unknown | Financial gain
Sandworm Team (ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR) | Russia | Sabotage and destruction

Targeted Location:

Targeted Sectors:

Common TTPs:

TA0042: Resource Development
  T1587: Develop Capabilities
  T1587.001: Malware
  T1588: Obtain Capabilities
  T1588.006: Vulnerabilities

TA0001: Initial Access
  T1190: Exploit Public-Facing Application
  T1133: External Remote Services
  T1566: Phishing
  T1566.001: Spearphishing Attachment
  T1078: Valid Accounts

TA0002: Execution
  T1059: Command and Scripting Interpreter
  T1059.007: JavaScript
  T1059.004: Unix Shell
  T1059.003: Windows Command Shell
  T1203: Exploitation for Client Execution
  T1204: User Execution
  T1204.002: Malicious File
  T1047: Windows Management Instrumentation

TA0003: Persistence
  T1547: Boot or Logon Autostart Execution
  T1547.001: Registry Run Keys / Startup Folder
  T1037: Boot or Logon Initialization Scripts
  T1037.004: RC Scripts
  T1133: External Remote Services
  T1556: Modify Authentication Process
  T1137: Office Application Startup
  T1542: Pre-OS Boot
  T1542.001: System Firmware
  T1137: Office Application Startup
  T1137.001: Office Template Macros
  T1078: Valid Accounts

TA0004: Privilege Escalation
  T1547: Boot or Logon Autostart Execution
  T1547.001: Registry Run Keys / Startup Folder
  T1037: Boot or Logon Initialization Scripts
  T1037.004: RC Scripts
  T1068: Exploitation for Privilege Escalation
  T1055: Process Injection
  T1078: Valid Accounts

TA0005: Defense Evasion
  T1562: Impair Defenses
  T1562.004: Disable or Modify System Firewall
  T1070: Indicator Removal on Host
  T1070.004: File Deletion
  T1036: Masquerading
  T1036.005: Match Legitimate Name or Location
  T1556: Modify Authentication Process
  T1112: Modify Registry
  T1027: Obfuscated Files or Information
  T1027.006: HTML Smuggling
  T1027.002: Software Packing
  T1542: Pre-OS Boot
  T1542.001: System Firmware
  T1055: Process Injection
  T1078: Valid Accounts
  T1497: Virtualization/Sandbox Evasion

TA0006: Credential Access
  T1557: Adversary-in-the-Middle
  T1110: Brute Force
  T1110.001: Password Guessing
  T1056: Input Capture
  T1056.004: Credential API Hooking
  T1556: Modify Authentication Process
  T1003: OS Credential Dumping
  T1003.003: NTDS

TA0007: Discovery
  T1087: Account Discovery
  T1083: File and Directory Discovery
  T1057: Process Discovery
  T1012: Query Registry
  T1018: Remote System Discovery
  T1518: Software Discovery
  T1082: System Information Discovery
  T1497: Virtualization/Sandbox Evasion

TA0008: Lateral Movement
  T1021: Remote Services
  T1021.001: Remote Desktop Protocol
  T1021.002: SMB/Windows Admin Shares

TA0009: Collection
  T1557: Adversary-in-the-Middle
  T1560: Archive Collected Data
  T1560.001: Archive via Utility
  T1056: Input Capture
  T1056.004: Credential API Hooking

TA0011: Command and Control
  T1071: Application Layer Protocol
  T1071.001: Web Protocols
  T1132: Data Encoding
  T1132.002: Non-Standard Encoding
  T1573: Encrypted Channel
  T1573.002: Asymmetric Cryptography
  T1008: Fallback Channels
  T1105: Ingress Tool Transfer
  T1571: Non-Standard Port
  T1090: Proxy
  T1090.003: Multi-hop Proxy

TA0010: Exfiltration
  T1041: Exfiltration Over C2 Channel
  T1567: Exfiltration Over Web Service
  T1567.002: Exfiltration to Cloud Storage

TA0040: Impact
  T1485: Data Destruction
  T1486: Data Encrypted for Impact
  T1565: Data Manipulation
  T1499: Endpoint Denial of Service
  T1499.004: Application or System Exploitation
  T1490: Inhibit System Recovery
  T1498: Network Denial of Service
  T1498.001: Direct Network Flood

Threat Advisories:

Pandora Ransomware Targets Multiple Plants around the Globe

LockBit 2.0 Ransomware affiliates targeting Renowned Organizations

Sandworm Team using a new modular malware Cyclops Blink

Environment Variables Leak affects Multiple Browsers

Major Content Management Systems affected by Multiple vulnerabilities

New Threat Actor Exotic Lily acting as Initial Access Broker for Conti and Diavol ransomware group

Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability

Russian threat actor UAC-0056 targets European countries

Multiple Google Chrome Vulnerabilities affect all Platforms

Attackers could gain root access using vulnerability in Linux Kernel Netfilter Firewall

OpenSSL exposed to Denial-of-service vulnerability causing Infinite Loop

Attackers Escape Kubernetes Containers using “cr8escape” Vulnerability in CRI-O

Russia under Attack from New RURansom Wiper