Weekly Threat Digest: 28 March – 3 April 2022

2022-04-0510:11:43
Hive Pro
www.hivepro.com
CVSS3: 9.8 High
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED
  Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
  AV:N/AC:L/Au:N/C:P/I:P/A:P

For a detailed threat digest, download the pdf file here.

Summary:
  Published Vulnerabilities: 500
  Interesting Vulnerabilities: 7
  Active Threat Groups: 3
  Targeted Countries: 27
  Targeted Industries: 16
  ATT&CK TTPs: 46

The fourth week of March 2022 witnessed the discovery of 500 vulnerabilities, of which 7 gained the attention of threat actors and security researchers worldwide. Among these 10, there were 3 awaiting analysis and 2 that were not present in the NVD at all. The Hive Pro Threat Research Team has curated a list of 7 CVEs that require immediate action.

Furthermore, we also observed three threat actor groups being highly active in the last week. A financially motivated threat actor called TA551 primarily targeted English, German, Italian, and Japanese speakers through IcedID, an email-based malware. A new variant of the well-known PlugX malware, called Talisman, has been discovered in use by the Chinese state-sponsored threat actor RedFoxtrot. These attacks were staged against the telecommunication and defense sectors in South Asian countries to protect the Belt and Road initiative. Deep Panda, aka APT 19, a Chinese APT group, exploited the infamous Log4Shell vulnerability in VMware Horizon servers to stage attacks on various sectors across the globe. Common TTPs that could potentially be used by these threat actors or in exploitation of these CVEs can be found in the detailed section below.

Detailed Report:

Interesting Vulnerabilities:
  Vendor      | CVEs                             | Patch Link
  SonicWall   | CVE-2022-22274                   | https://www.hivepro.com/dos-vulnerability-discovered-in-sonicwall-next-generation-firewall/
  Sophos      | CVE-2022-1040                    | https://www.hivepro.com/sophos-firewall-rce-vulnerability-actively-exploited/
  Spring/VMware | CVE-2022-22965*                | https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
              |                                  | https://tanzu.vmware.com/security/cve-2022-22965
  Apple       | CVE-2022-22674*, CVE-2022-22675* | https://support.apple.com/en-us/HT213220
  Trend Micro | CVE-2022-26871*                  | https://files.trendmicro.com/jp/ucmodule/apexcentral/win/2019/apexcentral_2019_gm_win_ja_3945_r3.exe
              |                                  | https://appweb.trendmicro.com/supportNews/NewsDetail.aspx?id=4395
  Zyxel       | CVE-2022-0342                    | https://support.zyxel.eu/hc/en-us/articles/4672704562578-USG-FLEX-ATP-Series-Firmware-Update-5-21-Patch-1-Installation-Notes

Active Actors:
  Name                                                                          | Origin  | Motive
  TA551 (Gold Cabin, Shathak)                                                   | Unknown | Financial gain
  RedFoxtrot (Nomad Panda)                                                      | China   | Information theft and espionage
  APT 19 (Deep Panda, Codoso, Sunshop Group, TG-3551, Bronze Firestone, Pupa)   | China   | Information theft and espionage

Targeted Location: (map figure)

Targeted Sectors: (figure)

Common TTPs:
  TA0043: Reconnaissance
    T1592: Gather Victim Host Information
  TA0042: Resource Development
    T1588: Obtain Capabilities
    T1588.003: Code Signing Certificates
    T1588.006: Vulnerabilities
  TA0001: Initial Access
    T1190: Exploit Public-Facing Application
    T1566: Phishing
    T1566.001: Spearphishing Attachment
  TA0002: Execution
    T1059: Command and Scripting Interpreter
    T1059.001: PowerShell
    T1059.005: Visual Basic
    T1059.003: Windows Command Shell
    T1203: Exploitation for Client Execution
    T1106: Native API
    T1053: Scheduled Task/Job
    T1053.005: Scheduled Task
    T1569: System Services
    T1569.002: Service Execution
    T1204: User Execution
    T1204.002: Malicious File
    T1047: Windows Management Instrumentation
  TA0003: Persistence
    T1547: Boot or Logon Autostart Execution
    T1547.001: Registry Run Keys / Startup Folder
    T1574: Hijack Execution Flow
    T1574.002: DLL Side-Loading
    T1053: Scheduled Task/Job
    T1053.005: Scheduled Task
  TA0004: Privilege Escalation
    T1548: Abuse Elevation Control Mechanism
    T1543: Create or Modify System Process
    T1574: Hijack Execution Flow
    T1574.002: DLL Side-Loading
    T1055: Process Injection
    T1055.004: Asynchronous Procedure Call
    T1053: Scheduled Task/Job
    T1053.005: Scheduled Task
  TA0005: Defense Evasion
    T1140: Deobfuscate/Decode Files or Information
    T1574: Hijack Execution Flow
    T1574.002: DLL Side-Loading
    T1036: Masquerading
    T1112: Modify Registry
    T1027: Obfuscated Files or Information
    T1027.002: Software Packing
    T1027.003: Steganography
    T1055: Process Injection
    T1055.004: Asynchronous Procedure Call
    T1620: Reflective Code Loading
    T1014: Rootkit
    T1218: Signed Binary Proxy Execution
    T1218.007: Msiexec
  TA0006: Credential Access
    T1040: Network Sniffing
  TA0007: Discovery
    T1087: Account Discovery
    T1087.002: Domain Account
    T1083: File and Directory Discovery
    T1135: Network Share Discovery
    T1040: Network Sniffing
    T1069: Permission Groups Discovery
    T1057: Process Discovery
    T1012: Query Registry
    T1082: System Information Discovery
    T1049: System Network Connections Discovery
  TA0009: Collection
    T1185: Browser Session Hijacking
    T1005: Data from Local System
    T1056: Input Capture
    T1113: Screen Capture
  TA0011: Command and Control
    T1071: Application Layer Protocol
    T1071.001: Web Protocols
    T1573: Encrypted Channel
    T1573.002: Asymmetric Cryptography
    T1105: Ingress Tool Transfer
    T1095: Non-Application Layer Protocol
  TA0010: Exfiltration
    T1041: Exfiltration Over C2 Channel
  TA0040: Impact
    T1565: Data Manipulation
    T1499: Endpoint Denial of Service
    T1499.001: OS Exhaustion Flood

Threat Advisories:
  Sophos Firewall RCE vulnerability actively exploited
  DOS Vulnerability discovered in SonicWall Next-Generation Firewall
  Prolific threat actor TA551 using new malware IcedID
  New PlugX variant "Talisman" used by famous Chinese APT
  RCE Spring Framework Zero-Day vulnerability "Spring4Shell"
  Two Vulnerabilities affecting Apple macOS exploited-in-the-wild
  Actively exploited vulnerability affects Trend Micro Apex Central
  Authentication Bypass Vulnerability in Zyxel Firmware