Weekly Threat Digest: 4 – 10 April 2022


For a detailed threat digest, download the PDF file here.

Summary:

Published Vulnerabilities: 438
Interesting Vulnerabilities: 3
Active Threat Groups: 3
Targeted Countries: 53
Targeted Industries: 16
ATT&CK TTPs: 54

The second week of April 2022 witnessed the discovery of 438 vulnerabilities, of which 3 drew the attention of threat actors and security researchers worldwide. All 3 are zero-days and require immediate action.

Further, we also observed 3 threat actor groups being highly active in the last week. Armageddon, a well-known Russian threat actor group known for information theft and espionage, was observed targeting European government agencies. Additionally, 2 threat actor groups originating from China were observed targeting organizations all around the world. The common TTPs used by these threat actors, and the CVEs they could exploit, can be found in the detailed section.

Detailed Report:

Interesting Vulnerabilities:

Vendor: WatchGuard
CVE: CVE-2022-23176*
Patch Link: https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7/index.html

Vendor: Apache / VMware
CVE: CVE-2021-44228*
Patch Links: https://logging.apache.org/log4j/2.x/manual/migration.html
https://kb.vmware.com/s/article/87073

Vendor: VMware (Spring)
CVE: CVE-2022-22965*
Patch Links: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965

* zero-day vulnerability

Active Actors:

Name: APT 10 (Stone Panda, menuPass, Red Apollo, CVNX, Potassium, Hogfish, Happyyongzi, Cicada, Bronze Riverside, CTG-5938, ATK 41, TA429, ITG01)
Origin: China
Motive: Information theft and espionage

Name: APT 19 (Deep Panda, Codoso, Sunshop, TG-3551, Bronze Firestone, Pupa)
Origin: China
Motive: Information theft and espionage

Name: Armageddon (Gamaredon Group, Winterflounder, Primitive Bear, BlueAlpha, Blue Otso, Iron Tilden, SectorC08, Callisto, Shuckworm, Actinium, DEV-0157, UAC-0010)
Origin: Russia
Motive: Information theft and espionage

Targeted Location:

Targeted Sectors:

Common TTPs (grouped by ATT&CK tactic):

TA0043: Reconnaissance
  T1592: Gather Victim Host Information

TA0042: Resource Development
  T1583: Acquire Infrastructure
  T1583.001: Domains
  T1588: Obtain Capabilities
  T1588.003: Code Signing Certificates
  T1588.002: Tool

TA0001: Initial Access
  T1190: Exploit Public-Facing Application
  T1566: Phishing
  T1566.001: Spearphishing Attachment
  T1199: Trusted Relationship
  T1078: Valid Accounts

TA0002: Execution
  T1059: Command and Scripting Interpreter
  T1059.001: PowerShell
  T1059.003: Windows Command Shell
  T1106: Native API
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task
  T1569: System Services
  T1569.002: Service Execution
  T1204: User Execution
  T1204.002: Malicious File
  T1047: Windows Management Instrumentation

TA0003: Persistence
  T1574: Hijack Execution Flow
  T1574.001: DLL Search Order Hijacking
  T1574.002: DLL Side-Loading
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task
  T1078: Valid Accounts

TA0004: Privilege Escalation
  T1574: Hijack Execution Flow
  T1574.001: DLL Search Order Hijacking
  T1574.002: DLL Side-Loading
  T1055: Process Injection
  T1055.012: Process Hollowing
  T1053: Scheduled Task/Job
  T1053.005: Scheduled Task
  T1078: Valid Accounts

TA0005: Defense Evasion
  T1140: Deobfuscate/Decode Files or Information
  T1564: Hide Artifacts
  T1574: Hijack Execution Flow
  T1574.001: DLL Search Order Hijacking
  T1574.002: DLL Side-Loading
  T1070: Indicator Removal on Host
  T1070.003: Clear Command History
  T1070.004: File Deletion
  T1036: Masquerading
  T1036.005: Match Legitimate Name or Location
  T1036.003: Rename System Utilities
  T1027: Obfuscated Files or Information
  T1027.002: Software Packing
  T1055: Process Injection
  T1055.012: Process Hollowing
  T1620: Reflective Code Loading
  T1014: Rootkit
  T1218: Signed Binary Proxy Execution
  T1218.004: InstallUtil
  T1553: Subvert Trust Controls
  T1553.002: Code Signing
  T1078: Valid Accounts

TA0006: Credential Access
  T1056: Input Capture
  T1056.001: Keylogging
  T1003: OS Credential Dumping
  T1003.004: LSA Secrets
  T1003.003: NTDS
  T1003.002: Security Account Manager

TA0007: Discovery
  T1087: Account Discovery
  T1087.002: Domain Account
  T1083: File and Directory Discovery
  T1046: Network Service Scanning
  T1018: Remote System Discovery
  T1082: System Information Discovery
  T1016: System Network Configuration Discovery
  T1049: System Network Connections Discovery

TA0008: Lateral Movement
  T1210: Exploitation of Remote Services
  T1021: Remote Services
  T1021.001: Remote Desktop Protocol
  T1021.004: SSH

TA0009: Collection
  T1560: Archive Collected Data
  T1560.001: Archive via Utility
  T1119: Automated Collection
  T1005: Data from Local System
  T1039: Data from Network Shared Drive
  T1074: Local Data Staged
  T1074.001: Local Data Staging
  T1074.002: Remote Data Staging
  T1056: Input Capture
  T1056.001: Keylogging
  T1113: Screen Capture

TA0011: Command and Control
  T1568: Dynamic Resolution
  T1568.001: Fast Flux DNS
  T1105: Ingress Tool Transfer

TA0010: Exfiltration
  T1041: Exfiltration Over C2 Channel

Threat Advisories:

Deep Panda deploys new rootkit “Fire Chili” by exploiting Log4Shell in VMware Horizon

Sandworm Team using a new modular malware Cyclops Blink

APT 10, a state-sponsored Chinese threat group, conducting a global cyber espionage operation

RCE Spring Framework Zero-Day vulnerability “Spring4Shell”

Attacks on European Union and Ukrainian government entities carried out by the Armageddon group