Weekly Threat Digest: 11 – 17 April 2022

For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 765 14 1 2 6 25 The third week of April 2022 witnessed a huge spike on the discovery of 765 vulnerabilities out of which 14 gained the attention of Threat Actors and security researchers worldwide. Among these 14, there were 5 zero-day, 9 of them are undergoing analysis and 2 other vulnerabilities about which the National vulnerability Database (NVD) is awaiting analysis while 1 was not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. Further, we also observed a Threat Actor groups being highly active in the last week. OldGremlin, a Russian threat actor group popular for financial crime and gain, was observed targeting Russian agencies Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2022-24521* CVE-2022-26904* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 CVE-2022-1364* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2022-22954* CVE-2022-22955 CVE-2022-22956 CVE-2022-22957 CVE-2022-22958 CVE-2022-22959 CVE-2022-22960* CVE-2022-22961 https://kb.vmware.com/s/article/88099 CVE-2018-6882 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 CVE-2022-25165 CVE-2022-25166 https://aws.amazon.com/vpn/client-vpn-download/ *zero-day vulnerability Active Actors: Icon Name Origin Motive OldGremlin Russia Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0043: Reconnaissance TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0011: Command and Control T1592: Gather Victim Host Information T1583: Acquire Infrastructure T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1548: Abuse Elevation Control Mechanism T1548: Abuse Elevation Control Mechanism T1555: Credentials from Password Stores T1071: Application Layer Protocol T1592.001: Hardware T1583.002: DNS Server T1566: Phishing T1059.007: JavaScript T1068: Exploitation for Privilege Escalation T1027: Obfuscated Files or Information T1555.004: Windows Credential Manager T1071.004: DNS T1592.002: Software T1583.001: Domains T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1071.001: Web Protocols T1590: Gather Victim Network Information T1587: Develop Capabilities T1566.002: Spearphishing Link T1204: User Execution T1132: Data Encoding T1590.005: IP Addresses T1587.001: Malware T1204.002: Malicious File T1132.001: Standard Encoding T1585: Establish Accounts T1204.001: Malicious Link T1568: Dynamic Resolution T1585.002: Email Accounts T1568.002: Domain Generation Algorithms T1588: Obtain Capabilities T1573: Encrypted Channel T1588.006: Vulnerabilities T1573.001: Symmetric Cryptography T1572: Protocol Tunneling Threat Advisories: Two actively exploited vulnerabilities affect multiple VMware products Google Chrome issues an emergency update to address the third zero-day of year 2022 Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities Old Zimbra vulnerability used to target Ukrainian Government Organizations Two Vulnerabilities discovered in AWS Client VPN OldGremlin, a threat actor targeting Russian organizations with phishing emails since 2020