April 21, 2022

Weekly Threat Digest: 11 – 17 April 2022

For a detailed threat digest, download the pdf file here

Published VulnerabilitiesInteresting VulnerabilitiesActive Threat GroupsTargeted CountriesTargeted IndustriesATT&CK TTPs
7651412625

The third week of April 2022 witnessed a huge spike on the discovery of  765 vulnerabilities out of which 14 gained the attention of Threat Actors and security researchers worldwide. Among these 14, there were 5 zero-day, 9 of them are undergoing analysis and 2 other vulnerabilities about which the National vulnerability Database (NVD) is awaiting analysis while 1 was not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action.

Further, we also observed a Threat Actor groups being highly active in the last week. OldGremlin, a Russian threat actor group popular for financial crime and gain, was observed targeting Russian agencies Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section.

Detailed Report:

Interesting Vulnerabilities:
VendorCVEsPatch Link
CVE-2022-24521* CVE-2022-26904*https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904


CVE-2022-1364*https://www.google.com/intl/en/chrome/?standalone=1
CVE-2022-22954*
CVE-2022-22955
CVE-2022-22956
CVE-2022-22957
CVE-2022-22958
CVE-2022-22959
CVE-2022-22960*
CVE-2022-22961
https://kb.vmware.com/s/article/88099
CVE-2018-6882https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
CVE-2022-25165
CVE-2022-25166
https://aws.amazon.com/vpn/client-vpn-download/

*zero-day vulnerability 

Active Actors:

IconNameOriginMotive
OldGremlinRussiaFinancial crime and gain

Targeted Location:

Targeted Sectors:

Common TTPs:

TA0043: ReconnaissanceTA0042: Resource DevelopmentTA0001: Initial AccessTA0002: ExecutionTA0004: Privilege EscalationTA0005: Defense EvasionTA0006: Credential AccessTA0011: Command and Control
T1592: Gather Victim Host InformationT1583: Acquire InfrastructureT1190: Exploit Public-Facing ApplicationT1059: Command and Scripting InterpreterT1548: Abuse Elevation Control MechanismT1548: Abuse Elevation Control MechanismT1555: Credentials from Password StoresT1071: Application Layer Protocol
T1592.001: HardwareT1583.002: DNS ServerT1566: PhishingT1059.007: JavaScriptT1068: Exploitation for Privilege EscalationT1027: Obfuscated Files or InformationT1555.004: Windows Credential ManagerT1071.004: DNS
T1592.002: SoftwareT1583.001: DomainsT1566.001: Spearphishing AttachmentT1059.003: Windows Command ShellT1071.001: Web Protocols
T1590: Gather Victim Network InformationT1587: Develop CapabilitiesT1566.002: Spearphishing LinkT1204: User ExecutionT1132: Data Encoding
T1590.005: IP AddressesT1587.001: MalwareT1204.002: Malicious FileT1132.001: Standard Encoding
T1585: Establish AccountsT1204.001: Malicious LinkT1568: Dynamic Resolution
T1585.002: Email AccountsT1568.002: Domain Generation Algorithms
T1588: Obtain CapabilitiesT1573: Encrypted Channel
T1588.006: VulnerabilitiesT1573.001: Symmetric Cryptography
T1572: Protocol Tunneling

Threat Advisories:

Two actively exploited vulnerabilities affect multiple VMware products

Google Chrome issues an emergency update to address the third zero-day of year 2022

Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities

Old Zimbra vulnerability used to target Ukrainian Government Organizations

Two Vulnerabilities discovered in AWS Client VPN

OldGremlin, a threat actor targeting Russian organizations with phishing emails since 2020

Recent Resources

Dive into our library of resources for expert insights, guides, and in-depth analysis on maximizing Uni5 Xposure’s capabilities

Book a demo and find out more about how Hive Pro can double your operational efficiency

Book a Demo