Industrial Control Systems Cyber Emergency Response TeamAA23-250AMultiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
Actions to take today to mitigate malicious cyber activity:
- Patch all systems for known exploited vulnerabilities (KEVs), including firewall security appliances.
- Monitor for unauthorized use of remote access software using endpoint detection tools.
- Remove unnecessary (disabled) accounts and groups from the enterprise that are no longer needed, especially privileged accounts.
References
attack.mitre.org/versions/v11/software/S0508/
attack.mitre.org/versions/v11/software/S0508/
attack.mitre.org/versions/v13/datasources/DS0002/
attack.mitre.org/versions/v13/datasources/DS0003/
attack.mitre.org/versions/v13/datasources/DS0009/
attack.mitre.org/versions/v13/datasources/DS0017/
attack.mitre.org/versions/v13/datasources/DS0017/
attack.mitre.org/versions/v13/datasources/DS0028/
attack.mitre.org/versions/v13/datasources/DS0029/
attack.mitre.org/versions/v13/matrices/enterprise/
attack.mitre.org/versions/v13/matrices/enterprise/
attack.mitre.org/versions/v13/mitigations/M1016/
attack.mitre.org/versions/v13/mitigations/M1032/
attack.mitre.org/versions/v13/mitigations/M1042/
attack.mitre.org/versions/v13/mitigations/M1050/
attack.mitre.org/versions/v13/mitigations/M1051/
attack.mitre.org/versions/v13/software/S0002/
attack.mitre.org/versions/v13/software/S0002/
attack.mitre.org/versions/v13/tactics/TA0009/
attack.mitre.org/versions/v13/tactics/TA0010/
attack.mitre.org/versions/v13/techniques/T1003/
attack.mitre.org/versions/v13/techniques/T1003/
attack.mitre.org/versions/v13/techniques/T1003/001/
attack.mitre.org/versions/v13/techniques/T1003/001/
attack.mitre.org/versions/v13/techniques/T1003/002/
attack.mitre.org/versions/v13/techniques/T1003/002/
attack.mitre.org/versions/v13/techniques/T1012/
attack.mitre.org/versions/v13/techniques/T1012/
attack.mitre.org/versions/v13/techniques/T1018/
attack.mitre.org/versions/v13/techniques/T1018/
attack.mitre.org/versions/v13/techniques/T1021/001/
attack.mitre.org/versions/v13/techniques/T1021/001/
attack.mitre.org/versions/v13/techniques/T1027/009/
attack.mitre.org/versions/v13/techniques/T1027/009/
attack.mitre.org/versions/v13/techniques/T1036/004/
attack.mitre.org/versions/v13/techniques/T1036/004/
attack.mitre.org/versions/v13/techniques/T1036/008/
attack.mitre.org/versions/v13/techniques/T1036/008/
attack.mitre.org/versions/v13/techniques/T1040/
attack.mitre.org/versions/v13/techniques/T1040/
attack.mitre.org/versions/v13/techniques/T1046/
attack.mitre.org/versions/v13/techniques/T1046/
attack.mitre.org/versions/v13/techniques/T1049/
attack.mitre.org/versions/v13/techniques/T1049/
attack.mitre.org/versions/v13/techniques/T1053/005/
attack.mitre.org/versions/v13/techniques/T1053/005/
attack.mitre.org/versions/v13/techniques/T1057/
attack.mitre.org/versions/v13/techniques/T1057/
attack.mitre.org/versions/v13/techniques/T1059/001/
attack.mitre.org/versions/v13/techniques/T1059/001/
attack.mitre.org/versions/v13/techniques/T1059/007/
attack.mitre.org/versions/v13/techniques/T1059/007/
attack.mitre.org/versions/v13/techniques/T1068/
attack.mitre.org/versions/v13/techniques/T1068/
attack.mitre.org/versions/v13/techniques/T1070/001/
attack.mitre.org/versions/v13/techniques/T1070/001/
attack.mitre.org/versions/v13/techniques/T1071/001/
attack.mitre.org/versions/v13/techniques/T1071/001/
attack.mitre.org/versions/v13/techniques/T1074/
attack.mitre.org/versions/v13/techniques/T1074/
attack.mitre.org/versions/v13/techniques/T1078/003/
attack.mitre.org/versions/v13/techniques/T1078/003/
attack.mitre.org/versions/v13/techniques/T1133/
attack.mitre.org/versions/v13/techniques/T1133/
attack.mitre.org/versions/v13/techniques/T1136/001/
attack.mitre.org/versions/v13/techniques/T1136/001/
attack.mitre.org/versions/v13/techniques/T1190/
attack.mitre.org/versions/v13/techniques/T1190/
attack.mitre.org/versions/v13/techniques/T1219/
attack.mitre.org/versions/v13/techniques/T1219/
attack.mitre.org/versions/v13/techniques/T1505/003/
attack.mitre.org/versions/v13/techniques/T1505/003/
attack.mitre.org/versions/v13/techniques/T1543/003/
attack.mitre.org/versions/v13/techniques/T1543/003/
attack.mitre.org/versions/v13/techniques/T1553/002/
attack.mitre.org/versions/v13/techniques/T1553/002/
attack.mitre.org/versions/v13/techniques/T1564/001/
attack.mitre.org/versions/v13/techniques/T1564/001/
attack.mitre.org/versions/v13/techniques/T1564/003/
attack.mitre.org/versions/v13/techniques/T1564/003/
attack.mitre.org/versions/v13/techniques/T1570/
attack.mitre.org/versions/v13/techniques/T1570/
attack.mitre.org/versions/v13/techniques/T1571/
attack.mitre.org/versions/v13/techniques/T1571/
attack.mitre.org/versions/v13/techniques/T1572/
attack.mitre.org/versions/v13/techniques/T1573/002/
attack.mitre.org/versions/v13/techniques/T1573/002/
attack.mitre.org/versions/v13/techniques/T1583/005/
attack.mitre.org/versions/v13/techniques/T1583/005/
attack.mitre.org/versions/v13/techniques/T1587/001/
attack.mitre.org/versions/v13/techniques/T1587/001/
attack.mitre.org/versions/v13/techniques/T1588/002/
attack.mitre.org/versions/v13/techniques/T1588/002/
datatracker.ietf.org/doc/rfc9116/
datatracker.ietf.org/doc/rfc9116/
github.com/cisagov/Decider/
github.com/cisagov/Decider/
github.com/projectdiscovery/interactsh
github.com/projectdiscovery/interactsh
learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser
learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser
learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
nvd.nist.gov/vuln/detail/CVE-2022-42475
nvd.nist.gov/vuln/detail/CVE-2022-42475
nvd.nist.gov/vuln/detail/CVE-2022-47966
nvd.nist.gov/vuln/detail/CVE-2022-47966
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
snort.org/rule_docs/1-58992
snort.org/rule_docs/1-58992
twitter.com/CISAgov
twitter.com/intent/tweet?text=Multiple%20Nation-State%20Threat%20Actors%20Exploit%20CVE-2022-47966%20and%20CVE-2022-42475+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/MFA
www.cisa.gov/MFA
www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a
www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a
www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software
www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software
www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf
www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-RemediateVulnerabilitiesforInternetAccessibleSystems_S508C.pdf
www.cisa.gov/sites/default/files/publications/layering-network-security-segmentation_infographic_508_0.pdf
www.cisa.gov/topics/cyber-threats-and-advisories/cyber-hygiene-services
www.cisa.gov/topics/cyber-threats-and-advisories/cyber-hygiene-services
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a&title=Multiple%20Nation-State%20Threat%20Actors%20Exploit%20CVE-2022-47966%20and%20CVE-2022-42475
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
www.nsa.gov/Press-Room/News-Highlights/Article/Article/2949885/nsa-details-network-infrastructure-best-practices/
www.nsa.gov/Press-Room/News-Highlights/Article/Article/2949885/nsa-details-network-infrastructure-best-practices/
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Multiple%20Nation-State%20Threat%20Actors%20Exploit%20CVE-2022-47966%20and%20CVE-2022-42475&body=www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%