SISA Weekly Threat Watch – December 05th, 2022

SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.

Organizations can also opt-in for our free daily threat advisories by subscribing here.

SISA Weekly Threat Watch - 05 December 2022

According to recent cyber breaches and attacks, cybercriminals appear to be particularly interested in gathering data that can be sold for a high price on online marketplaces, allowing them to run profitable follow-up tactics. This week, threat actors attempted to exploit new and old vulnerabilities through thread hijacking emails, arbitrary code execution, infostealer malware, and state-sponsored ransomware attacks. Researchers believe these threat groups will continue to develop new evasion techniques to avoid detection and breach larger networks.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest and most critical threats.

1. CVE-2022-4135: New zero-day vulnerability in Google Chrome

Google has released an emergency security update for the desktop version of the Chrome web browser, addressing the eighth zero-day vulnerability exploited in attacks this year. Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the logged-on user. Depending on the privileges attached to that user, an attacker might then install software; read, modify, or delete data; or create new accounts with full user rights.

A heap buffer overflow is a memory-safety flaw that allows data to be written, unchecked, to memory locations it should not reach (usually neighboring ones). By overwriting an application's memory through a heap buffer overflow, attackers may manipulate its execution path, resulting in arbitrary code execution or unrestricted information access. Chrome users are recommended to upgrade to version 107.0.5304.121/122 for Windows and 107.0.5304.122 for Mac and Linux, which addresses CVE-2022-4135. It is also advised to confine code execution to a virtual environment, either on the endpoint system or before content reaches it.

2. Emotet delivering thread hijacking emails

When it first appeared in 2014, the malware botnet known as Emotet served as a banking trojan. Emotet spreads mostly through Office email attachments that contain a macro; if the macro is enabled, it downloads and then executes the malicious Emotet PE file. The current wave of Emotet malspam is delivered via “thread hijacking” emails. The attachments arrive either as password-protected ZIP archives or as plain attachments.

The victim is instructed to copy the file into the Microsoft Office templates folder and run it from there. When Office files are executed from this specific location, the Excel 4.0 macro is launched automatically as soon as the file is opened, bypassing the security warning. Any unsolicited attachment, even one from someone you know, should be treated with suspicion. It is recommended to install software updates promptly to prevent attackers from exploiting known issues or vulnerabilities.

3. Cybercriminals increasingly using Aurora stealer malware

A new piece of Go-based malware called Aurora Stealer is increasingly being used in a number of campaigns intended to steal confidential data from affected servers. Aurora is a multi-purpose botnet with stealing, downloading and remote access capabilities. The botnet was sold as a Malware-as-a-Service (MaaS) by a threat actor. The malware was created as a botnet in April 2022, but sometime between July and September 2022, its creators switched to only using it as an infostealer.

Initially, Aurora uses Windows Management Instrumentation Command (WMIC) to identify the system. It then attempts to gather information from Telegram, browser extensions, and browsers in general, and searches numerous user directories for files worth exfiltrating. Employing command-line logging and monitoring for unusual WMIC and PowerShell commands can help businesses identify Aurora and similar malware. Implementing canary files can also help in detecting file-grabber activity, and user behavioral analysis of NetFlow data can reveal unusual network activity such as connections to odd external ports.

4. RansomBoggs ransomware targets multiple Ukrainian organizations

Recently discovered ransomware attacks on Ukrainian organizations have been linked to the notorious Russian military threat group Sandworm. According to ESET, which was the first to notice this wave of attacks, the RansomBoggs ransomware has been identified on the networks of numerous Ukrainian enterprises. RansomBoggs is reported to be distributed through a PowerShell script that is “nearly identical” to the one employed in the April attacks known as Industroyer2.

According to the Computer Emergency Response Team of Ukraine (CERT-UA), the PowerShell script POWERGAP was used to spread the CaddyWiper data wiper malware using the ArguePatch loader (aka AprilAxe). The new ransomware encrypts files with AES-256 in CBC mode, using a randomly generated key, and appends the “.chsch” extension to the encrypted files. It is recommended to block the IOCs on your security devices wherever possible and to actively monitor PowerShell command-line executions.
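The command-line monitoring recommended for both Aurora (item 3) and RansomBoggs (item 4) can be prototyped with a small detector, shown here as an added example that is not part of the advisory or of any vendor tooling. It scans constructed process-creation records for WMIC host-fingerprinting queries and for PowerShell switches that rarely appear in routine administration, then correlates the two by parent process; the log format, the rule patterns and the sample lines are all assumptions made for this example.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple
# Constructed records in a simplified "timestamp|parent|image|command_line" format,
# written for this example; they are not real telemetry from any incident.
SAMPLE_LOG = """\
2022-11-28T09:12:01|explorer.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get Caption,Version,OSArchitecture
2022-11-28T09:12:02|update.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic csproduct get uuid
2022-11-28T09:12:05|update.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden -nop -enc <BASE64-PLACEHOLDER>
2022-11-28T10:02:11|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2022-11-28T10:30:00|cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -ExecutionPolicy Bypass -File \\\\fileshare\\deploy.ps1
2022-11-28T11:00:00|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-ChildItem C:\\Temp
"""

Finding = NamedTuple("Finding", [("timestamp", str), ("rule", str), ("command_line", str)])

# WMIC classes commonly queried to fingerprint a host (OS, hardware UUID, BIOS, CPU).
WMIC_FINGERPRINT = re.compile(r"\bwmic\b.*\b(os|csproduct|computersystem|bios|cpu)\b.*\bget\b", re.I)

# PowerShell switches and download-cradle keywords that are rare in routine admin use.
POWERSHELL_RULES = [
    ("powershell_encoded_command", re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I)),
    ("powershell_hidden_window", re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)),
    ("powershell_execution_policy_bypass", re.compile(r"\s-e(xecutionpolicy|p)\s+bypass\b", re.I)),
    ("powershell_download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", re.I)),
]

def parse(log_text: str) -> Iterator[Tuple[str, str, str, str]]:
    # Yield (timestamp, parent, image, command_line); parent and image lower-cased for matching.
    for line in filter(None, log_text.splitlines()):
        ts, parent, image, cmd = line.split("|", 3)
        yield ts, parent.lower(), image.lower(), cmd

def match_rules(image: str, cmd: str) -> List[str]:
    """Return the rule names a single process-creation record trips."""
    if image.endswith("\\wmic.exe") and WMIC_FINGERPRINT.search(cmd):
        return ["wmic_system_fingerprinting"]
    if image.endswith("\\powershell.exe"):
        return [name for name, pattern in POWERSHELL_RULES if pattern.search(cmd)]
    return []

def analyze(log_text: str) -> List[Finding]:
    return [Finding(ts, rule, cmd) for ts, _, image, cmd in parse(log_text)
            for rule in match_rules(image, cmd)]

def fingerprint_then_powershell(log_text: str) -> List[str]:
    """Parents that spawned both a WMIC fingerprinting query and a flagged PowerShell launch."""
    wmic_parents, ps_parents = set(), set()
    for _, parent, image, cmd in parse(log_text):
        for rule in match_rules(image, cmd):
            (wmic_parents if rule.startswith("wmic") else ps_parents).add(parent)
    return sorted(wmic_parents & ps_parents)
```

Running `analyze(SAMPLE_LOG)` flags both WMIC queries and three PowerShell switches while leaving the notepad and plain `Get-ChildItem` launches alone, and `fingerprint_then_powershell(SAMPLE_LOG)` singles out `update.exe` as the one parent that did both.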

5. CISA warns of actively exploited critical Oracle Fusion Middleware vulnerability

Based on evidence of active exploitation, CISA has warned of a critical flaw affecting Oracle Fusion Middleware and has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability lies in Oracle Access Manager, a product of Oracle Fusion Middleware (component: OpenSSO Agent); the affected versions are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0.

Successful exploitation of this flaw allows an unauthenticated attacker with network access via HTTP to completely compromise and take over Oracle Access Manager. This gives an attacker the ability to access the OAM server and create any user with any privileges, or simply to obtain code execution on the victim’s server. To avoid system compromise, make sure affected systems are updated and patched. It is also recommended to enable automatic software updates whenever possible.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
