Weekly Threat Digest: 14-20 February 2022

Summary dashboard (figure not extracted; panels: Published Vulnerabilities, Interesting Vulnerabilities, Active Threat Groups, Targeted Countries, Targeted Industries, ATT&CK TTPs)

The third week of February 2022 saw the discovery of 551 vulnerabilities, of which 17 gained the attention of threat actors and security researchers worldwide. Among these 17, there were 2 zero-days and 7 other vulnerabilities for which the National Vulnerability Database (NVD) is still awaiting analysis, while 9 were not present in the NVD at all. The Hive Pro Threat Research Team has curated a list of 17 CVEs that require immediate action.

Further, we observed 2 threat actor groups being highly active in the last week. APT28, a well-known Russian threat actor group known for information theft and espionage, was observed targeting US-based cleared defense contractors (CDCs). Additionally, BlackCat, a highly sophisticated and innovative ransomware family first observed in November 2021, was prominent as well, targeting 30+ organizations in 17 different countries. Common TTPs that these threat actors, or exploitation of these CVEs, could involve are listed in the detailed section.

Detailed Report:

Interesting Vulnerabilities:

Vendor | CVEs | Patch Link
VMware | CVE-2021-22043, CVE-2021-22050 | (link not extracted)
UpdraftPlus (WordPress plugin) | CVE-2022-0633 | https://downloads.wordpress.org/plugin/updraftplus.1.22.4.zip ; https://updraftplus.com/wp-content/uploads/updraftplus.zip

* Zero-day vulnerability (the per-row zero-day markers were lost in extraction)

Active Actors:

Threat Actor | Origin | Motive
APT28 (FANCY BEAR, STRONTIUM, Sofacy, Zebrocy, Sednit, Pawn Storm, TG-4127, Tsar-Team, Iron Twilight, Swallowtail, SNAKEMACKEREL, Frozen Lake) | Russia | Information theft and espionage
BlackCat (ALPHV) | Unknown | Financial gain

Targeted Locations:

Targeted Sectors:

Education, Engineering, Healthcare, Industrial, Chemical, Think Tanks, Media, Oil and Gas, Telecommunications, Retail, Automotive, Construction

Common TTPs:

TA0043: Reconnaissance
  T1589: Gather Victim Identity Information
  T1589.001: Credentials

TA0001: Initial Access
  T1189: Drive-by Compromise
  T1190: Exploit Public-Facing Application
  T1133: External Remote Services
  T1566: Phishing
  T1566.002: Spearphishing Link
  T1195: Supply Chain Compromise
  T1078: Valid Accounts
  T1078.004: Cloud Accounts
  T1078.002: Domain Accounts

TA0002: Execution
  T1059: Command and Scripting Interpreter
  T1203: Exploitation for Client Execution

TA0003: Persistence
  T1543: Create or Modify System Process
  T1543.003: Windows Service
  T1133: External Remote Services
  T1078: Valid Accounts
  T1078.004: Cloud Accounts
  T1078.002: Domain Accounts

TA0004: Privilege Escalation
  T1543: Create or Modify System Process
  T1543.003: Windows Service
  T1068: Exploitation for Privilege Escalation
  T1078: Valid Accounts
  T1078.004: Cloud Accounts
  T1078.002: Domain Accounts

TA0005: Defense Evasion
  T1140: Deobfuscate/Decode Files or Information
  T1202: Indirect Command Execution
  T1027: Obfuscated Files or Information
  T1027.002: Software Packing
  T1550: Use Alternate Authentication Material
  T1550.002: Pass the Hash
  T1078: Valid Accounts
  T1078.004: Cloud Accounts
  T1078.002: Domain Accounts
  T1497: Virtualization/Sandbox Evasion

TA0006: Credential Access
  T1110: Brute Force
  T1110.003: Password Spraying
  T1003: OS Credential Dumping
  T1003.003: NTDS

TA0007: Discovery
  T1482: Domain Trust Discovery
  T1083: File and Directory Discovery
  T1082: System Information Discovery
  T1007: System Service Discovery
  T1497: Virtualization/Sandbox Evasion

TA0008: Lateral Movement
  T1550: Use Alternate Authentication Material
  T1550.002: Pass the Hash

TA0009: Collection
  T1213: Data from Information Repositories
  T1213.002: Sharepoint

TA0011: Command and Control
  T1090: Proxy
  T1090.003: Multi-hop Proxy

TA0040: Impact
  T1485: Data Destruction
  T1486: Data Encrypted for Impact
  T1499: Endpoint Denial of Service
  T1499.004: Application or System Exploitation
  T1499.001: OS Exhaustion Flood
  T1490: Inhibit System Recovery

Threat Advisories:

Critical Magento zero-day vulnerability actively exploited against multiple e-commerce websites

BlackCat Ransomware group attacks on the rise

VMware addresses security flaws discovered during Tianfu Cup Pwn Contest

First zero-day vulnerability of Google Chrome this year actively exploited in the wild

Privilege Escalation Vulnerability in Snap Package Manager puts Linux users at risk

Russian state-sponsored cyber actors targeting U.S. critical infrastructure

Millions of WordPress site backups at risk due to a vulnerability in UpdraftPlus plugin