Weekly Threat Digest: 18 – 24 April 2022

For the detailed threat digest, download the PDF file here.

Summary:

Published Vulnerabilities:    430
Interesting Vulnerabilities:  5
Active Threat Groups:         2
Targeted Countries:           Worldwide
Targeted Industries:          17
ATT&CK TTPs:                  46

The fourth week of April 2022 saw the discovery of 430 vulnerabilities, 5 of which drew the attention of threat actors and security researchers worldwide. Among these 5 were 1 zero-day and 1 vulnerability still awaiting analysis in the National Vulnerability Database (NVD). The Hive Pro Threat Research Team has curated a list of these 5 CVEs, which require immediate action.

We also observed two threat actor groups being highly active during the week. Lazarus, a North Korean group known for financially motivated crime, was seen targeting blockchain technology and the cryptocurrency industry with a new malware family, TraderTraitor. The Hive ransomware group was seen exploiting the ProxyShell vulnerabilities in Microsoft Exchange to target organizations worldwide. The common TTPs associated with these threat actors and CVEs are listed in the detailed section.

Detailed Report:

Interesting Vulnerabilities:
Vendor      CVEs              Patch Link
Microsoft   CVE-2021-34473    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473
            CVE-2021-34523    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523
            CVE-2021-31207    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
Atlassian   CVE-2022-0540     https://www.atlassian.com/software/jira/core/download
                              https://www.atlassian.com/software/jira/update
7-Zip       CVE-2022-29072*   Not Available

The three Microsoft CVEs together form the ProxyShell exploit chain against Exchange Server referenced in the Hive ransomware advisory below.
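Because the Hive ransomware activity in this digest starts with ProxyShell against Exchange, a practitioner will want a quick way to hunt for exploitation attempts in IIS logs. The following Python script is an added example, not part of this digest or of Hive Pro's tooling. It assumes the publicly documented request shape of the CVE-2021-34473 path-confusion step (a request to autodiscover.json whose Email parameter names autodiscover.json again with a `?@domain` suffix, causing the front end to forward an attacker-chosen backend path such as /mapi/nspi or /powershell), and the log lines it scans are constructed for the example, not real traffic.

```python
"""Hunt IIS W3C logs for ProxyShell (CVE-2021-34473) path-confusion requests.

Added example; assumes the public ProxyShell request shape and the default
IIS W3C field layout declared in the log's own #Fields header.
"""
import re
from urllib.parse import unquote

# Constructed sample log (not real traffic). The 203.0.113.7 lines mimic the
# public ProxyShell request shape; the other two lines are benign.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-04-20 10:01:02 GET /owa/auth/logon.aspx url=%2fowa%2f 443 10.0.0.5 200
2022-04-20 10:02:15 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 203.0.113.7 200
2022-04-20 10:02:16 POST /autodiscover/autodiscover.json @evil.test/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 203.0.113.7 200
2022-04-20 10:03:00 GET /autodiscover/autodiscover.json - 443 10.0.0.6 401
"""

# Indicator (assumption based on public ProxyShell reporting): after URL
# decoding, the query carries "autodiscover/autodiscover.json?@", which makes
# the Exchange front end drop the explicit path and proxy the attacker's one.
PATH_CONFUSION = re.compile(r"autodiscover/autodiscover\.json\?@", re.IGNORECASE)
# Leading "@host/<backend path>" tells us which backend the request was aimed at.
BACKEND_PATH = re.compile(r"^@[^/]+(/[^?&]*)")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan_iis_log(text):
    """Return ProxyShell path-confusion hits found in IIS W3C log text."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith("/autodiscover/autodiscover.json"):
            continue
        query = unquote(rec.get("cs-uri-query", ""))
        if not PATH_CONFUSION.search(query):
            continue
        backend = BACKEND_PATH.match(query)
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "method": rec["cs-method"],
            "backend": backend.group(1) if backend else None,
            "status": rec["sc-status"],
        })
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} {h['method']} -> backend "
              f"{h['backend']} (HTTP {h['status']})")
```

A hit on a patched server is an attempt, not a compromise; the finding to escalate is a hit with an HTTP 200 that reaches /powershell on a server still missing the patches linked above, since that is the point at which the chain moves on to CVE-2021-34523 and CVE-2021-31207.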

Active Actors:

Name                                                       Origin        Motive
Lazarus Group (APT38, BlueNoroff, and Stardust Chollima)   North Korea   Financial crime and gain
Hive Ransomware Group                                      Unknown       Financial crime and gain

Targeted Location: Worldwide (map not reproduced here)

Targeted Sectors: 17 industries (chart not reproduced here)

Common TTPs:

TA0042: Resource Development
  T1588: Obtain Capabilities
  T1588.005: Exploits
  T1588.006: Vulnerabilities

TA0001: Initial Access
  T1190: Exploit Public-Facing Application
  T1566: Phishing
  T1566.001: Spearphishing Attachment
  T1566.002: Spearphishing Link
  T1078: Valid Accounts
  T1078.002: Domain Accounts

TA0002: Execution
  T1059: Command and Scripting Interpreter
  T1059.007: JavaScript
  T1059.001: PowerShell
  T1059.003: Windows Command Shell
  T1106: Native API
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task
  T1204: User Execution
  T1204.002: Malicious File
  T1047: Windows Management Instrumentation

TA0003: Persistence
  T1136: Create Account
  T1136.002: Domain Account
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task
  T1078: Valid Accounts
  T1078.002: Domain Accounts

TA0004: Privilege Escalation
  T1134: Access Token Manipulation
  T1543: Create or Modify System Process
  T1068: Exploitation for Privilege Escalation
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task
  T1078: Valid Accounts
  T1078.002: Domain Accounts

TA0005: Defense Evasion
  T1134: Access Token Manipulation
  T1140: Deobfuscate/Decode Files or Information
  T1562: Impair Defenses
  T1562.001: Disable or Modify Tools
  T1070: Indicator Removal on Host
  T1553: Subvert Trust Controls
  T1078: Valid Accounts
  T1078.002: Domain Accounts

TA0006: Credential Access
  T1110: Brute Force
  T1003: OS Credential Dumping
  T1003.005: Cached Domain Credentials

TA0007: Discovery
  T1083: File and Directory Discovery
  T1135: Network Share Discovery
  T1057: Process Discovery
  T1018: Remote System Discovery
  T1518: Software Discovery
  T1518.001: Security Software Discovery
  T1049: System Network Connections Discovery

TA0008: Lateral Movement
  T1570: Lateral Tool Transfer
  T1021: Remote Services
  T1021.001: Remote Desktop Protocol
  T1021.002: SMB/Windows Admin Shares
  T1021.006: Windows Remote Management

TA0009: Collection
  T1560: Archive Collected Data
  T1560.001: Archive via Utility
  T1005: Data from Local System
  T1113: Screen Capture

TA0011: Command and Control
  T1071: Application Layer Protocol
  T1071.001: Web Protocols
  T1105: Ingress Tool Transfer

TA0010: Exfiltration
  T1567: Exfiltration Over Web Service

TA0040: Impact
  T1486: Data Encrypted for Impact
  T1496: Resource Hijacking

Threat Advisories:

Bypass Authentication vulnerability in Atlassian Jira Seraph

Hive Ransomware targets organizations with ProxyShell exploit

Lazarus is back, targeting organizations with cryptocurrency thefts via TraderTraitor malware

What will be the consequence of this disputed vulnerability in 7-ZIP?