Weekly Threat Digest: 7 – 13 March 2022

Theat Digests

Weekly Threat Digest: 7 – 13 March 2022

For a detailed threat digest, download the pdf file here

Published Vulnerabilities



Active Threat Groups

Targeted Countries

Targeted Industries








The second week of March 2022 witnessed the discovery of 538 vulnerabilities out of which 16 gained the attention of Threat Actors and security researchers worldwide. Among these 16, there were 3 zero-days and 5 other vulnerabilities about which the National vulnerability Database (NVD) is awaiting analysis, while 6 of them are undergoing analysis, and 3 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 16 CVEs that require immediate action.

Further, we also observed 3 Threat Actor groups being highly active in the last week. APT41, a well-known Chinese threat actor group popular for espionage and financial gain, was observed targeting US state government networks using the famous Log4j vulnerability (CVE-2021-44228) and the USAHerds program (CVE-2021- 44207). Additionally, a famous Initial Access Broker (IAB) was also prominent targeting organizations from the US, UK, and India. Another threat actor from China, Mustang Panda, was observed targeting European diplomats using a revised version of the PlugX backdoor. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section.

Detailed Report:

Interesting Vulnerabilities:
VendorCVEsPatch Link
CVE-2022-0847  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/

Active Actors:

APT41 (Double Dragon, TG-2633, Bronze Atlas, Red Kelpie,
Blackfly, Earth Baku, SparklingGoblin, Grayfly)
ChinaEspionage and financial gain    
Prophet SpiderUnknownCrypto mining, ransomware, and extortion.
Mustang Panda (Bronze President, TEMP.Hex, HoneyMyte, Red Lich, RedDelta, TA416)ChinaInformation theft and espionage

Targeted Location:

Targeted Sectors:

Common TTPs:

TA0042: Resource DevelopmentTA0001: Initial AccessTA0002: ExecutionTA0003: PersistenceTA0004: Privilege EscalationTA0005: Defense Evasion
T1583: Acquire InfrastructureT1190: Exploit Public-Facing ApplicationT1059: Command and Scripting InterpreterT1197: BITS JobsT1547: Boot or Logon Autostart ExecutionT1197: BITS Jobs
T1583.001: DomainsT1133: External Remote ServicesT1059.001: PowerShellT1547: Boot or Logon Autostart ExecutionT1547.001: Registry Run Keys / Startup FolderT1480: Execution Guardrails
T1588: Obtain CapabilitiesT1566: PhishingT1059.004: Unix ShellT1547.001: Registry Run Keys / Startup FolderT1543: Create or Modify System ProcessT1480.001: Environmental Keying
T1588.002: ToolT1566.001: Spearphishing AttachmentT1059.005: Visual BasicT1136: Create AccountT1543.003: Windows ServiceT1564: Hide Artifacts
 T1566.002: Spearphishing LinkT1059.003: Windows Command ShellT1136.001: Local AccountT1546: Event Triggered ExecutionT1564.001: Hidden Files and Directories
 T1091: Replication Through Removable MediaT1203: Exploitation for Client ExecutionT1543: Create or Modify System ProcessT1546.003: Windows Management Instrumentation Event SubscriptionT1564.006: Run Virtual Instance
 T1195: Supply Chain CompromiseT1053: Scheduled Task/JobT1543.003: Windows ServiceT1546.008: Accessibility FeaturesT1574: Hijack Execution Flow
 T1195.002: Compromise Software Supply ChainT1053.005: Scheduled TaskT1546: Event Triggered ExecutionT1068: Exploitation for Privilege EscalationT1574.001: DLL Search Order Hijacking
 T1078: Valid AccountsT1569: System ServicesT1546.008: Accessibility FeaturesT1574: Hijack Execution FlowT1574.002: DLL Side-Loading
  T1204: User ExecutionT1546.003: Windows Management Instrumentation Event SubscriptionT1574.001: DLL Search Order HijackingT1574.006: Dynamic Linker Hijacking
  T1204.002: Malicious FileT1133: External Remote ServicesT1574.002: DLL Side-LoadingT1562: Impair Defenses
  T1204.001: Malicious LinkT1574: Hijack Execution FlowT1574.006: Dynamic Linker HijackingT1562.001: Disable or Modify Tools
  T1047: Windows Management InstrumentationT1574.001: DLL Search Order HijackingT1055: Process InjectionT1070: Indicator Removal on Host
   T1574.002: DLL Side-LoadingT1053: Scheduled Task/JobT1070.003: Clear Command History
   T1574.006: Dynamic Linker HijackingT1053.005: Scheduled TaskT1070.001: Clear Windows Event Logs
   T1542: Pre-OS Boot T1070.004: File Deletion
   T1542.003: Bootkit T1036: Masquerading
   T1053: Scheduled Task/Job T1036.007: Double File Extension
   T1053.005: Scheduled Task T1036.004: Masquerade Task or Service
   T1505: Server Software Component T1036.005: Match Legitimate Name or Location
   T1505.003: Web Shell T1112: Modify Registry
     T1027: Obfuscated Files or Information
     T1027.001: Binary Padding
     T1542: Pre-OS Boot
     T1542.003: Bootkit
     T1014: Rootkit
     T1218: Signed Binary Proxy Execution
     T1218.001: Compiled HTML File
     T1218.004: InstallUtil
     T1218.005: Mshta
     T1218.007: Msiexec
     T1218.010: Regsvr32
     T1218.011: Rundll32
     T1553: Subvert Trust Controls
     T1553.002: Code Signing
TA0006: Credential AccessTA0007: DiscoveryTA0008: Lateral MovementTA0009: CollectionTA0011: Command and ControlTA0010: ExfiltrationTA0040: Impact
T1110: Brute ForceT1083: File and Directory DiscoveryT1021: Remote ServicesT1560: Archive Collected DataT1071: Application Layer ProtocolT1052: Exfiltration Over Physical MediumT1486: Data Encrypted for Impact
T1110.002: Password CrackingT1046: Network Service ScanningT1021.001: Remote Desktop ProtocolT1560.003: Archive via Custom MethodT1071.004: DNST1052.001: Exfiltration over USBT1490: Inhibit System Recovery
T1056: Input CaptureT1135: Network Share DiscoveryT1021.002: SMB/Windows Admin SharesT1560.001: Archive via UtilityT1071.002: File Transfer Protocols T1496: Resource Hijacking
T1056.001: KeyloggingT1120: Peripheral Device DiscoveryT1091: Replication Through Removable MediaT1119: Automated CollectionT1071.001: Web Protocols T1489: Service Stop
T1003: OS Credential DumpingT1057: Process Discovery T1005: Data from Local SystemT1568: Dynamic Resolution  
T1003.001: LSASS MemoryT1518: Software Discovery T1074: Data StagedT1568.002: Domain Generation Algorithms  
T1003.003: NTDST1082: System Information Discovery T1074.001: Local Data StagingT1573: Encrypted Channel  
 T1614: System Location Discovery T1056: Input CaptureT1573.001: Symmetric Cryptography  
 T1614.001: System Language Discovery T1056.001: KeyloggingT1105: Ingress Tool Transfer  
 T1016: System Network Configuration Discovery  T1104: Multi-Stage Channels  
 T1016.001: Internet Connection Discovery  T1090: Proxy  
 T1049: System Network Connections Discovery  T1219: Remote Access Software  
 T1033: System Owner/User Discovery  T1102: Web Service  
    T1102.001: Dead Drop Resolver  

Threat Advisories:

Dirty Pipe: A privilege escalation vulnerability in Linux Kernel

Microsoft addressed three zero-day vulnerabilities March 2022 Patch Tuesday UpdateMozilla release

Security Advisories for multiple vulnerabilities affecting Firefox and Firefox ESR

Multiple security vulnerabilities in Adobe After Effects and Illustrator

Chinese state-sponsored threat group APT41 targets U.S. critical organizations using two Zero-Days

RangnarLocker Ransomware hits Critical Infrastructure Compromising 50+ Organizations

Prophet Spider exploits Log4j and Citrix vulnerabilities to deploy webshells

Mustang Panda targets European diplomats using enhanced PlugX backdoor