Weekly Threat Digest: 21 – 27 March 2022
For a detailed threat digest, download the pdf file here
| Published Vulnerabilities | Interesting Vulnerabilities | Active Threat Groups | Targeted Countries | Targeted Industries | ATT&CK TTPs |
| --- | --- | --- | --- | --- | --- |
| 340 | 10 | 5 | 53 | 24 | 84 |
The fourth week of March 2022 witnessed the discovery of 340 vulnerabilities, of which 10 gained the attention of threat actors and security researchers worldwide. Among these 10, one is undergoing reanalysis and two were not present in the NVD at all. The Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action.
Furthermore, we also observed five threat actor groups being highly active in the last week. Lapsus$, a new extortion threat actor group that had attacked popular organizations such as the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Okta, and Microsoft for data theft and destruction, was observed using the RedLine info-stealer. Additionally, the North Korean state hackers known as the Lazarus Group were exploiting a zero-day vulnerability in Google's Chrome web browser (CVE-2022-0609). AvosLocker, a Ransomware-as-a-Service (RaaS) affiliate-based group that has targeted 50+ organizations, is currently exploiting the ProxyShell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). The threat actor APT35, aka Magic Hound, an Iranian-backed threat group, is exploiting the ProxyShell vulnerabilities to attack organizations across the globe. Another APT group, the South Korean DarkHotel, was targeting the hospitality industry in China. Common TTPs that could potentially be used by these threat actors, or in exploitation of these CVEs, can be found in the detailed section below.
Detailed Report:
Interesting Vulnerabilities:
| Vendor | CVEs | Patch Link |
| --- | --- | --- |
| Microsoft | CVE-2021-34484, CVE-2022-21919 | https://central.0patch.com/auth/login |
| Google | CVE-2022-0609*, CVE-2022-1096* | https://www.google.com/intl/en/chrome/?standalone=1 |
| Microsoft | CVE-2021-31206 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 |
| Microsoft | CVE-2021-31207 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 |
| Microsoft | CVE-2021-34473 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 |
| Microsoft | CVE-2021-34523 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 |
| Microsoft | CVE-2021-26855 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 |
| Debian | CVE-2022-0543 | https://security-tracker.debian.org/tracker/CVE-2022-0543 |
Active Actors:
| Name | Origin | Motive |
| --- | --- | --- |
| APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) | Iran | Information theft and espionage |
| AvosLocker | Unknown | Ecrime, information theft, and financial gain |
| Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) | North Korea | Information theft and espionage, sabotage and destruction, financial crime |
| Lapsus$ (DEV-0537) | Unknown | Data theft and destruction |
| DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) | South Korea | Information theft and espionage |
Targeted Location:
Targeted Sectors:
Common TTPs:
| Tactic | Techniques |
| --- | --- |
| TA0042: Resource Development | T1583: Acquire Infrastructure; T1583.001: Domains; T1583.006: Web Services; T1587: Develop Capabilities; T1587.001: Malware; T1588: Obtain Capabilities; T1588.004: Digital Certificates; T1588.006: Vulnerabilities |
| TA0001: Initial Access | T1189: Drive-by Compromise; T1190: Exploit Public-Facing Application; T1133: External Remote Services; T1566: Phishing; T1566.001: Spearphishing Attachment; T1199: Trusted Relationship; T1078: Valid Accounts |
| TA0002: Execution | T1059: Command and Scripting Interpreter; T1059.001: PowerShell; T1059.005: Visual Basic; T1059.004: Unix Shell; T1059.003: Windows Command Shell; T1203: Exploitation for Client Execution; T1106: Native API; T1053: Scheduled Task/Job; T1204: User Execution; T1204.002: Malicious File; T1047: Windows Management Instrumentation |
| TA0003: Persistence | T1098: Account Manipulation; T1547: Boot or Logon Autostart Execution; T1547.006: Kernel Modules and Extensions; T1547.001: Registry Run Keys / Startup Folder; T1547.009: Shortcut Modification; T1543: Create or Modify System Process; T1543.003: Windows Service; T1133: External Remote Services; T1137: Office Application Startup; T1542: Pre-OS Boot; T1542.003: Bootkit; T1053: Scheduled Task/Job; T1505: Server Software Component; T1505.003: Web Shell; T1078: Valid Accounts |
| TA0004: Privilege Escalation | T1548: Abuse Elevation Control Mechanism; T1134: Access Token Manipulation; T1134.002: Create Process with Token; T1547: Boot or Logon Autostart Execution; T1547.006: Kernel Modules and Extensions; T1547.001: Registry Run Keys / Startup Folder; T1547.009: Shortcut Modification; T1543: Create or Modify System Process; T1543.003: Windows Service; T1068: Exploitation for Privilege Escalation; T1055: Process Injection; T1055.001: Dynamic-link Library Injection; T1053: Scheduled Task/Job; T1078: Valid Accounts |
| TA0005: Defense Evasion | T1548: Abuse Elevation Control Mechanism; T1134: Access Token Manipulation; T1134.002: Create Process with Token; T1564: Hide Artifacts; T1564.001: Hidden Files and Directories; T1562: Impair Defenses; T1562.004: Disable or Modify System Firewall; T1562.001: Disable or Modify Tools; T1070: Indicator Removal on Host; T1070.004: File Deletion; T1070.006: Timestomp; T1036: Masquerading; T1036.005: Match Legitimate Name or Location; T1027: Obfuscated Files or Information; T1027.006: HTML Smuggling; T1027.002: Software Packing; T1542: Pre-OS Boot; T1542.003: Bootkit; T1055: Process Injection; T1055.001: Dynamic-link Library Injection; T1218: Signed Binary Proxy Execution; T1218.001: Compiled HTML File; T1078: Valid Accounts; T1497: Virtualization/Sandbox Evasion |
| TA0006: Credential Access | T1110: Brute Force; T1110.003: Password Spraying; T1056: Input Capture; T1056.004: Credential API Hooking; T1056.001: Keylogging; T1003: OS Credential Dumping; T1111: Two-Factor Authentication Interception; T1552: Unsecured Credentials |
| TA0007: Discovery | T1010: Application Window Discovery; T1083: File and Directory Discovery; T1120: Peripheral Device Discovery; T1057: Process Discovery; T1012: Query Registry; T1082: System Information Discovery; T1016: System Network Configuration Discovery; T1033: System Owner/User Discovery; T1124: System Time Discovery |
| TA0008: Lateral Movement | T1021: Remote Services; T1021.001: Remote Desktop Protocol; T1021.002: SMB/Windows Admin Shares; T1021.004: SSH |
| TA0009: Collection | T1560: Archive Collected Data; T1560.003: Archive via Custom Method; T1560.002: Archive via Library; T1213: Data from Information Repositories; T1005: Data from Local System; T1074: Data Staged; T1074.001: Local Data Staging; T1056: Input Capture; T1056.004: Credential API Hooking; T1056.001: Keylogging |
| TA0011: Command and Control | T1071: Application Layer Protocol; T1071.001: Web Protocols; T1132: Data Encoding; T1132.001: Standard Encoding; T1001: Data Obfuscation; T1001.003: Protocol Impersonation; T1573: Encrypted Channel; T1573.001: Symmetric Cryptography; T1008: Fallback Channels; T1105: Ingress Tool Transfer; T1571: Non-Standard Port; T1090: Proxy; T1090.002: External Proxy |
| TA0010: Exfiltration | T1048: Exfiltration Over Alternative Protocol; T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; T1041: Exfiltration Over C2 Channel; T1537: Transfer Data to Cloud Account |
| TA0040: Impact | T1485: Data Destruction; T1486: Data Encrypted for Impact; T1491: Defacement; T1491.001: Internal Defacement; T1561: Disk Wipe; T1561.001: Disk Content Wipe; T1561.002: Disk Structure Wipe; T1490: Inhibit System Recovery; T1489: Service Stop; T1529: System Shutdown/Reboot |
Threat Advisories:
Microsoft’s privilege escalation vulnerability that refuses to go away
Google Chrome’s second zero-day in 2022
Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities
AvosLocker Ransomware group has targeted 50+ Organizations Worldwide
North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability
LAPSUS$ – New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung
DarkHotel APT group targeting the Hospitality Industry in China
New Threat Actor using Serpent Backdoor attacking French Entities
Muhstik botnet adds another vulnerability exploit to its arsenal