SISA Weekly Threat Watch – August 8th, 2022
SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.
Organizations can also opt-in for our free daily threat advisories by subscribing here.
1. SonicWall warns about critical SQL injection bug
SonicWall has warned customers about a critical SQL injection flaw in its Global Management System (GMS) and Analytics On-Prem products. The vulnerability, tracked as CVE-2022-22280 and rated 9.4 on the CVSS scale, stems from improper neutralization of special elements used in a SQL command (CWE-89) and can be exploited without authentication. A successful attacker can delete data from the database or bypass authentication to gain access to the application. GMS versions earlier than 9.3.1-SP2-Hotfix-2 and Analytics versions earlier than 2.5.0.3-2520-Hotfix-1 are affected. SonicWall reports no workaround, so the hotfixes should be applied as soon as possible; where patching is delayed, a Web Application Firewall (WAF) tuned to block SQL injection reduces exposure on unpatched deployments, but it is a stopgap, not a substitute for the fix.
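The flaw class above, shown as an added example (this is generic illustration code written for this advisory, not SonicWall's code, and nothing about the real GMS query is assumed): a login check that splices user input into SQL, the same check with bound parameters, and a crude WAF-style signature of the kind a virtual patch relies on. The user table is constructed in memory.

```python
import re
import sqlite3

# Constructed demo table; nothing here is SonicWall code or data.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """CWE-89: untrusted input is spliced into the SQL text, so quotes and
    comment markers in the input change the structure of the query."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return con.execute(query).fetchone()[0] > 0

def login_fixed(con, username, password):
    """Parameterized query: the driver binds the values as data, so the same
    payloads are compared literally against the stored fields and fail."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()[0] > 0

# Crude WAF-style signature, roughly what a virtual patch does. It catches the two
# payloads used below but is bypassable (encodings, alternative syntax, case tricks)
# and will false-positive on legitimate text that contains quotes or '--'.
SQLI_SIGNATURE = re.compile(r"(--|;|/\*|'\s*(or|and)\s+['\d]|\bunion\s+select\b)", re.I)

def waf_blocks(value):
    """True if the request field matches the signature and would be dropped."""
    return bool(SQLI_SIGNATURE.search(value))

def demo():
    con = make_db()
    tautology = "' OR '1'='1"   # password field: ... AND password = '' OR '1'='1'  -> always true
    comment_out = "admin'-- "    # username field: comments out the password comparison
    return {
        "vuln_good_creds": login_vulnerable(con, "admin", "correct horse battery staple"),
        "vuln_wrong_creds": login_vulnerable(con, "admin", "wrong"),
        "vuln_tautology": login_vulnerable(con, "admin", tautology),
        "vuln_comment": login_vulnerable(con, comment_out, "wrong"),
        "fixed_tautology": login_fixed(con, "admin", tautology),
        "fixed_comment": login_fixed(con, comment_out, "wrong"),
        "waf_tautology": waf_blocks(tautology),
        "waf_comment": waf_blocks(comment_out),
        "waf_normal": waf_blocks("correct horse battery staple"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both payloads log in as `admin` against the concatenated query and fail against the parameterized one; the signature blocks them, which is the benefit a WAF offers on an unpatched GMS, and the comment in the code is the reason it cannot replace the hotfix.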
2. Russian state-sponsored threat actors abuse storage services and RCE vulnerabilities
Russian state-sponsored threat groups have recently been targeting Western diplomatic missions and foreign embassies worldwide. APT29, one of the oldest and most active groups linked to the Russian government, is running a new phishing campaign against diplomatic staff that abuses trusted cloud services such as Google Drive and Dropbox to host and deliver its payloads. The infection chain starts with HTML smuggling: the HTML lure attached to the message (Agenda[.]html), a variant of the group's EnvyScout dropper, uses script running in the browser to reassemble a malicious ISO and write it to the victim's disk; once the ISO is mounted and its contents opened, further malware is loaded onto the host. A second campaign, assessed as most likely the work of the same actors, deploys the remotely operated GoMet backdoor. GoMet supports single-command execution, file upload and download, opening a shell and job scheduling, and can install agents on several operating systems. It can also daisy-chain, using a compromised host as a pivot to reach other networks and machines. One observed action was a scheduled job, disguised as a Windows update, created by the GoMet dropper. Organizations are advised to patch remote code execution vulnerabilities such as CVE-2022-1040 (the Sophos Firewall authentication bypass), since that initial access can be used to launch further attacks or gain deeper access, with the potential to compromise the software supply chain.
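An added example of the detection side of the HTML smuggling technique described above (written for this advisory; it is not code from the campaign, from APT29's tooling or from any vendor). It extracts the script blocks from an HTML attachment and flags the chain that smuggling needs: bytes decoded in the browser, wrapped in a Blob and pushed to disk as a download. The two HTML samples are constructed for the demonstration; the base64 filler is not a real payload and the file names are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the generic HTML-smuggling shape: a base64 string decoded in
# the browser, wrapped in a Blob and forced to disk as an .iso. The payload string is
# filler; this is not the real Agenda.html or EnvyScout.
_FILLER_B64 = "QUFB" * 120  # 480 chars of base64 standing in for an ISO image
SMUGGLING_SAMPLE = """<html><body><p>Please review the attached agenda.</p>
<script>
var data = "%s";
function save(name, b64) {
  var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], {type: "application/octet-stream"});
  if (window.navigator.msSaveOrOpenBlob) {
    window.navigator.msSaveOrOpenBlob(blob, name);
  } else {
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = name;
    a.click();
  }
}
save("Agenda.iso", data);
</script></body></html>""" % _FILLER_B64

# Constructed benign page with ordinary inline script, for comparison.
BENIGN_SAMPLE = """<html><body><div id="clock"></div><script>
document.getElementById("clock").innerText = new Date().toString();
</script></body></html>"""

class ScriptExtractor(HTMLParser):
    """Collects the text of every <script> element in the document."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

# Each indicator is one stage of the smuggling chain. The verdict requires the three
# core stages together (decode -> Blob -> forced download); any one alone is common
# in legitimate pages. The last two add context for triage.
INDICATORS = {
    "decode":    re.compile(r"\batob\s*\(|Uint8Array|fromCharCode", re.I),
    "blob":      re.compile(r"new\s+Blob\s*\(", re.I),
    "download":  re.compile(r"createObjectURL|msSaveOrOpenBlob|\.download\s*=", re.I),
    "container": re.compile(r"\.(iso|img|vhd|vhdx|zip|lnk|hta|js)\b", re.I),
    "large_b64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

def analyze_html(html):
    """Returns a dict of indicator hits plus a 'suspicious' verdict for the document."""
    parser = ScriptExtractor()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    hits = {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}
    hits["suspicious"] = hits["decode"] and hits["blob"] and hits["download"]
    return hits

if __name__ == "__main__":
    print("smuggling sample:", analyze_html(SMUGGLING_SAMPLE))
    print("benign sample:   ", analyze_html(BENIGN_SAMPLE))
```

The check is deliberately structural rather than a hash or string match, because the payload, file name and variable names change from lure to lure while the decode-to-download chain does not. It runs at the mail gateway or in a sandbox on the attachment before any browser executes it; obfuscated script that builds these calls dynamically would need the attachment to be rendered in an instrumented browser instead.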
3. New ‘Lightning Framework’ Linux malware installs rootkits and backdoors
Intezer has documented previously undetected Linux malware named Lightning Framework, a modular framework that can install rootkits, open an SSH-based backdoor on infected hosts and hide the attacker's tracks. Described in the report as a "Swiss Army Knife", it also supports plugins. The Downloader module fetches and installs the other modules and plugins, while the primary module, Core (Lightning.Core), receives commands from the C2 server and executes the plugins. Lightning.Core uses several techniques to hide its artefacts: the timestamps of the files it drops are altered by time stomping, and one of the installed rootkits hides its process ID (PID) and the associated network ports. For persistence it creates a script that starts the Downloader module at every boot, so the device is reinfected each time the system restarts. Because it can fully compromise and backdoor a host, Lightning Framework is a serious threat to Linux environments. Organizations are advised to deploy a trustworthy anti-malware solution and leverage threat intelligence platforms to detect such new threats.
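An added example, written for this advisory and not taken from Intezer's report or the malware itself, of the forensic trace that the time stomping described above leaves on a POSIX filesystem. A stomper can rewrite atime and mtime with `utime()`, but it cannot set ctime (the inode change time) that way; the kernel sets ctime to the current time on that very call. The check below flags files whose ctime is far newer than their mtime. The file names, the "old" timestamp and the file contents are constructed for the demonstration.

```python
import os
import tempfile
import time

# Fake "old" timestamp the stomper copies onto its dropped file (1 Jan 2019 00:00 UTC).
OLD_TS = 1546300800.0

def stomp_timestamps(path, ts):
    """What the malware does: rewrite atime and mtime. utime() cannot rewrite ctime;
    the kernel updates ctime to 'now' as a side effect of this call."""
    os.utime(path, (ts, ts))

def ctime_mtime_gap(path):
    """Seconds by which the inode change time postdates the content modification time.
    POSIX semantics only: on Windows st_ctime is the creation time, not change time."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime

def find_timestomped(paths, slack=3600):
    """Flag files whose ctime is more than `slack` seconds newer than their mtime.
    That gap is exactly what utime-based stomping leaves behind. Treat hits as triage
    leads, not proof: package managers and archive extraction also preserve old mtimes,
    and a kernel rootkit or a stomper that changes the system clock can defeat this check."""
    return [p for p in paths if ctime_mtime_gap(p) > slack]

def demo():
    """Creates two fresh files, stomps one, and returns what the check flags."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "honest.so")
        stomped = os.path.join(d, "stomped.so")
        for p in (honest, stomped):
            with open(p, "wb") as f:
                f.write(b"\x7fELF")  # constructed placeholder content, not a real binary
        stomp_timestamps(stomped, OLD_TS)
        flagged = [os.path.basename(p) for p in find_timestomped([honest, stomped])]
        return {
            "flagged": flagged,
            "stomped_mtime": os.stat(stomped).st_mtime,
            "stomped_gap_days": ctime_mtime_gap(stomped) / 86400,
            "honest_gap_seconds": ctime_mtime_gap(honest),
        }

if __name__ == "__main__":
    result = demo()
    print(result)
    print("scan started at", time.ctime())
```

The honest file has ctime and mtime within a second of each other because the write set both; the stomped file keeps its 2019 mtime but carries a ctime of now, which is what a responder would look for across a suspect's `$PATH` directories and loaded shared objects. The PID and port hiding done by the rootkit is a different problem: it needs a cross-view comparison (for example, the process list seen by the kernel versus what `ps` reports), which this example does not cover.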
4. New ‘Redeemer’ ransomware version promoted on hacker forums
A threat actor is promoting a new version of the freely available 'Redeemer' ransomware builder on hacker forums, giving less-skilled users an easy entry into encryption-backed extortion. The latest release is written entirely in C++, supports multi-threaded encryption and has a medium anti-virus detection rate. Unlike a typical RaaS, the builder is available to anyone who wants to run their own attack, with 20% of each ransom paid to the author. Affiliates can generate the ransomware executable and the matching decryption tool from a new graphical user interface (GUI) and track multiple attacks at once with a campaign ID tracking system. They obtain the kit, establish communication, read the instructions and receive support through a page on the dark web forum Dread. To reduce the risk, users should avoid clicking suspicious links or opening email attachments without first checking their legitimacy. Organizations should maintain backups stored offline or on a separate network, and enable automatic software updates on computers, phones and other connected devices wherever feasible.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.