Weekly Threat Digest: 21-27 February 2022


For a detailed threat digest, download the PDF file here.

Summary for the week:

Published Vulnerabilities: 350
Interesting Vulnerabilities: 2
Active Threat Groups: 2
Targeted Countries: 17
Targeted Industries: 18
ATT&CK TTPs: 79

The last week of February 2022 saw two actively exploited vulnerabilities, both published by the National Vulnerability Database (NVD) on 13 January 2022. They drew attention after the Cybersecurity and Infrastructure Security Agency (CISA) added them to its Known Exploited Vulnerabilities catalog.

The Hive Pro Threat Research team has also spotted two threat actor groups that were extremely active in the last week. APT10, a well-known Chinese threat actor group associated with information theft and espionage, has been detected targeting 28 different countries, with its latest attack aimed at Taiwanese financial institutions. In addition, a highly sophisticated ransomware group tracked as UNC2596 targeted 50+ companies in 11 different countries. The TTPs commonly used by these threat actors, and those associated with the CVEs above, are listed in the detailed section.

Detailed Report:

Interesting Vulnerabilities:

Vendor: Zabbix
CVEs: CVE-2022-23131, CVE-2022-23134
Patch links:
https://support.zabbix.com/browse/ZBX-20384
https://support.zabbix.com/browse/ZBX-20350

Active Actors:

Name: APT10 (Stone Panda, APT 10, menuPass, Red Apollo, CVNX, Potassium, Hogfish, Happyyongzi, Cicada, Bronze Riverside, CTG-5938, ATK 41, TA429, ITG01)
Origin: China
Motive: Information theft and espionage

Name: UNC2596
Origin: Unknown
Motive: eCrime

Targeted Locations:

Targeted Sectors:

Common TTPs:

TA0042: Resource Development
T1583: Acquire Infrastructure
T1583.001: Domains
T1583.003: Virtual Private Server
T1588: Obtain Capabilities
T1588.002: Tool
T1588.003: Code Signing Certificates
T1608: Stage Capabilities
T1608.001: Upload Malware
T1608.002: Upload Tool
T1608.003: Install Digital Certificate
T1608.005: Link Target
T1587: Develop Capabilities
T1587.003: Digital Certificates

TA0001: Initial Access
T1190: Exploit Public-Facing Application
T1566: Phishing
T1566.001: Spearphishing Attachment
T1199: Trusted Relationship
T1078: Valid Accounts

TA0002: Execution
T1059: Command and Scripting Interpreter
T1059.001: PowerShell
T1059.003: Windows Command Shell
T1106: Native API
T1053: Scheduled Task/Job
T1053.005: Scheduled Task
T1204: User Execution
T1204.002: Malicious File
T1047: Windows Management Instrumentation
T1129: Shared Modules
T1569: System Services
T1569.002: Service Execution

TA0003: Persistence
T1574: Hijack Execution Flow
T1574.001: DLL Search Order Hijacking
T1574.002: DLL Side-Loading
T1574.011: Services Registry Permissions Weakness
T1053: Scheduled Task/Job
T1053.005: Scheduled Task
T1078: Valid Accounts
T1098: Account Manipulation
T1136: Create Account
T1136.001: Local Account
T1543: Create or Modify System Process
T1543.003: Windows Service
T1505: Server Software Component
T1505.003: Web Shell

TA0004: Privilege Escalation
T1574: Hijack Execution Flow
T1574.001: DLL Search Order Hijacking
T1574.002: DLL Side-Loading
T1574.011: Services Registry Permissions Weakness
T1055: Process Injection
T1055.003: Thread Execution Hijacking
T1055.012: Process Hollowing
T1053: Scheduled Task/Job
T1053.005: Scheduled Task
T1078: Valid Accounts
T1068: Exploitation for Privilege Escalation
T1134: Access Token Manipulation
T1134.001: Token Impersonation/Theft

TA0005: Defense Evasion
T1140: Deobfuscate/Decode Files or Information
T1574: Hijack Execution Flow
T1574.001: DLL Search Order Hijacking
T1574.002: DLL Side-Loading
T1574.011: Services Registry Permissions Weakness
T1070: Indicator Removal on Host
T1070.003: Clear Command History
T1070.004: File Deletion
T1036: Masquerading
T1036.005: Match Legitimate Name or Location
T1036.003: Rename System Utilities
T1027: Obfuscated Files or Information
T1055: Process Injection
T1055.003: Thread Execution Hijacking
T1055.012: Process Hollowing
T1218: Signed Binary Proxy Execution
T1218.004: InstallUtil
T1553: Subvert Trust Controls
T1553.002: Code Signing
T1078: Valid Accounts
T1112: Modify Registry
T1134: Access Token Manipulation
T1134.001: Token Impersonation/Theft
T1497: Virtualization/Sandbox Evasion
T1497.001: System Checks
T1564: Hide Artifacts
T1564.003: Hidden Window
T1620: Reflective Code Loading
T1480: Execution Guardrails
T1562: Impair Defenses
T1562.001: Disable or Modify Tools

TA0006: Credential Access
T1056: Input Capture
T1056.001: Keylogging
T1003: OS Credential Dumping
T1003.004: LSA Secrets
T1003.003: NTDS
T1003.002: Security Account Manager
T1555: Credentials from Password Stores
T1555.003: Credentials from Web Browsers

TA0007: Discovery
T1087: Account Discovery
T1087.002: Domain Account
T1083: File and Directory Discovery
T1046: Network Service Scanning
T1018: Remote System Discovery
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1010: Application Window Discovery
T1012: Query Registry
T1033: System Owner/User Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1497: Virtualization/Sandbox Evasion
T1497.001: System Checks
T1518: Software Discovery
T1518.001: Security Software Discovery

TA0008: Lateral Movement
T1210: Exploitation of Remote Services
T1021: Remote Services
T1021.001: Remote Desktop Protocol
T1021.004: SSH

TA0009: Collection
T1560: Archive Collected Data
T1560.001: Archive via Utility
T1119: Automated Collection
T1005: Data from Local System
T1039: Data from Network Shared Drive
T1074: Data Staged
T1074.001: Local Data Staging
T1074.002: Remote Data Staging
T1056: Input Capture
T1056.001: Keylogging

TA0011: Command and Control
T1568: Dynamic Resolution
T1568.001: Fast Flux DNS
T1105: Ingress Tool Transfer
T1090: Proxy
T1090.002: External Proxy
T1071: Application Layer Protocol
T1071.001: Web Protocols
T1071.004: DNS
T1095: Non-Application Layer Protocol
T1573: Encrypted Channel
T1573.002: Asymmetric Cryptography

TA0040: Impact
T1486: Data Encrypted for Impact
T1489: Service Stop


Threat Advisories:

Chinese APT group targets financial institutions in the campaign “Operation Cache Panda”

Zabbix affected by two actively exploited vulnerabilities