Weekly Threat Digest: 28 March – 3 April 2022
Weekly Threat Digest: 28 March – 3 April 2022
For a detailed threat digest, download the pdf file here
| Published Vulnerabilities | Interesting Vulnerabilities | Active Threat Groups | Targeted Countries | Targeted Industries | ATT&CK TTPs |
| 500 | 7 | 3 | 27 | 16 | 46 |
The fourth week of March 2022 witnessed the discovery of 500 vulnerabilities out of which 7 gained the attention of Threat Actors and security researchers worldwide. Among these 10, there were 3 awaiting analysis and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 7 CVEs that require immediate action.
Furthermore, we also observed three threat actor groups being highly active in the last week. A financially motivated threat actor called TA551 primarily targeted English, German, Italian, and Japanese speakers through IcedID an email-based malware. A new variant of the famous PlugX malware called Talisman has been discovered to be used by Chinese state-sponsored threat actor RedFoxtrot. These attacks were staged on telecommunication and defense sectors in South Asian countries to protect the Belt and Road initiative. Deep Panda aka APT 19, a Chinese APT group, exploited the infamous Log4Shell vulnerability in VMware Horizon servers to stage attack on various sectors across the globe. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below.
Detailed Report:
Interesting Vulnerabilities:
| Vendor | CVEs | Patch Link |
 | CVE-2022-22274 | https://www.hivepro.com/dos-vulnerability-discovered -in-sonicwall-next-generation-firewall/ |
 | CVE-2022-1040 | https://www.hivepro.com/sophos-firewall-rce-vulnerability-actively-exploited/ |
 | CVE-2022-22965* | https://spring.io/blog/2022/03/31/spring-framework-rce-early -announcement https://tanzu.vmware.com/security/cve-2022-22965 |
 | CVE-2022-22674* CVE-2022-22675* | https://support.apple.com/en-us/HT213220 |
 | CVE-2022-26871* | https://files.trendmicro.com/jp/ucmodule/apexcentral/win/2019 /apexcentral_2019_gm_win_ja_3945_r3.exe https://appweb.trendmicro.com/supportNews/NewsDetail.aspx?id=4395 |
 | CVE-2022-0342 | https://support.zyxel.eu/hc/en-us/articles/4672704562578-USG-FLEX- ATP-Series-Firmware-Update-5-21-Patch-1-Installation-Notes |
Active Actors:
| Icon | Name | Origin | Motive |
 | TA551 (Gold Cabin, Shathak) | Unknown | Financial gain |
 | RedFoxtrot (Nomad Panda) | China | Information theft and espionage |
 | APT 19 (Deep Panda, Codoso, Sunshop Group, TG-3551, Bronze Firestone, Pupa) | China | Information theft and espionage |
Targeted Location:
Targeted Sectors:
 |  |  |  |  |
 |  |  |  |  |
 |  |  |  |  |
Common TTPs:
| TA0043: Reconnaissance | TA0042: Resource Development | TA0001: Initial Access | TA0002: Execution | TA0003: Persistence | TA0004: Privilege Escalation | TA0005: Defense Evasion | TA0006: Credential Access | TA0007: Discovery | TA0009: Collection | TA0011: Command and Control | TA0010: Exfiltration | TA0040: Impact |
| T1592: Gather Victim Host Information | T1588: Obtain Capabilities | T1190: Exploit Public-Facing Application | T1059: Command and Scripting Interpreter | T1547: Boot or Logon Autostart Execution | T1548: Abuse Elevation Control Mechanism | T1140: Deobfuscate/Decode Files or Information | T1040: Network Sniffing | T1087: Account Discovery | T1185: Browser Session Hijacking | T1071: Application Layer Protocol | T1041: Exfiltration Over C2 Channel | T1565: Data Manipulation |
| T1588.003: Code Signing Certificates | T1566: Phishing | T1059.001: PowerShell | T1547.001: Registry Run Keys / Startup Folder | T1543: Create or Modify System Process | T1574: Hijack Execution Flow | T1087.002: Domain Account | T1005: Data from Local System | T1071.001: Web Protocols | T1499: Endpoint Denial of Service | |||
| T1588.006: Vulnerabilities | T1566.001: Spearphishing Attachment | T1059.005: Visual Basic | T1574: Hijack Execution Flow | T1574: Hijack Execution Flow | T1574.002: DLL Side-Loading | T1083: File and Directory Discovery | T1056: Input Capture | T1573: Encrypted Channel | T1499.001: OS Exhaustion Flood | |||
| T1059.003: Windows Command Shell | T1574.002: DLL Side-Loading | T1574.002: DLL Side-Loading | T1036: Masquerading | T1135: Network Share Discovery | T1113: Screen Capture | T1573.002: Asymmetric Cryptography | ||||||
| T1203: Exploitation for Client Execution | T1053: Scheduled Task/Job | T1055: Process Injection | T1112: Modify Registry | T1040: Network Sniffing | T1105: Ingress Tool Transfer | |||||||
| T1106: Native API | T1053.005: Scheduled Task | T1055.004: Asynchronous Procedure Call | T1027: Obfuscated Files or Information | T1069: Permission Groups Discovery | T1095: Non-Application Layer Protocol | |||||||
| T1053: Scheduled Task/Job | T1053: Scheduled Task/Job | T1027.002: Software Packing | T1057: Process Discovery | |||||||||
| T1053.005: Scheduled Task | T1053.005: Scheduled Task | T1027.003: Steganography | T1012: Query Registry | |||||||||
| T1569: System Services | T1055: Process Injection | T1082: System Information Discovery | ||||||||||
| T1569.002: Service Execution | T1055.004: Asynchronous Procedure Call | T1049: System Network Connections Discovery | ||||||||||
| T1204: User Execution | T1620: Reflective Code Loading | |||||||||||
| T1204.002: Malicious File | T1014: Rootkit | |||||||||||
| T1047: Windows Management Instrumentation | T1218: Signed Binary Proxy Execution | |||||||||||
| T1218.007: Msiexec |
Threat Advisories:
Sophos Firewall RCE vulnerability actively exploited
DOS Vulnerability discovered in SonicWall Next-Generation Firewall
Prolific threat actor TA551 using new malware IcedID
New PlugX variant “Talisman” used by famous Chinese APT
RCE Spring Framework Zero-Day vulnerability “Spring4Shell”
Two Vulnerabilities affecting Apple macOS exploited-in-the-wild
Actively exploited vulnerability affects Trend Micro Apex Central
