Weekly Threat Digest: 11 – 17 April 2022
| Published Vulnerabilities | Interesting Vulnerabilities | Active Threat Groups | Targeted Countries | Targeted Industries | ATT&CK TTPs |
|---|---|---|---|---|---|
| 765 | 14 | 1 | 2 | 6 | 25 |
The third week of April 2022 saw a spike of 765 newly discovered vulnerabilities, of which 14 gained the attention of threat actors and security researchers worldwide. Among these 14, 5 are zero-days, 9 are undergoing analysis, 2 are awaiting analysis by the National Vulnerability Database (NVD), and 1 was not present in the NVD at all. The Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action.
We also observed one threat actor group being highly active in the last week: OldGremlin, a Russian group known for financially motivated crime, was observed targeting Russian agencies. The common TTPs these threat actors could use, and the CVEs they could exploit, can be found in the detailed section.
Detailed Report:
Interesting Vulnerabilities:
| Vendor | CVEs | Patch Link |
|---|---|---|
| Microsoft | CVE-2022-24521*, CVE-2022-26904* | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 |
| Google | CVE-2022-1364* | https://www.google.com/intl/en/chrome/?standalone=1 |
| VMware | CVE-2022-22954*, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960*, CVE-2022-22961 | https://kb.vmware.com/s/article/88099 |
| Zimbra | CVE-2018-6882 | https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 |
| AWS | CVE-2022-25165, CVE-2022-25166 | https://aws.amazon.com/vpn/client-vpn-download/ |

*zero-day vulnerability (vendor names are taken from the patch links and advisory titles on this page)
Active Actors:
| Name | Origin | Motive |
|---|---|---|
| OldGremlin | Russia | Financial crime and gain |
Targeted Location:
Targeted Sectors:
Common TTPs:
| TA0043: Reconnaissance | TA0042: Resource Development | TA0001: Initial Access | TA0002: Execution | TA0004: Privilege Escalation | TA0005: Defense Evasion | TA0006: Credential Access | TA0011: Command and Control |
|---|---|---|---|---|---|---|---|
| T1592: Gather Victim Host Information | T1583: Acquire Infrastructure | T1190: Exploit Public-Facing Application | T1059: Command and Scripting Interpreter | T1548: Abuse Elevation Control Mechanism | T1548: Abuse Elevation Control Mechanism | T1555: Credentials from Password Stores | T1071: Application Layer Protocol |
| T1592.001: Hardware | T1583.002: DNS Server | T1566: Phishing | T1059.007: JavaScript | T1068: Exploitation for Privilege Escalation | T1027: Obfuscated Files or Information | T1555.004: Windows Credential Manager | T1071.004: DNS |
| T1592.002: Software | T1583.001: Domains | T1566.001: Spearphishing Attachment | T1059.003: Windows Command Shell | | | | T1071.001: Web Protocols |
| T1590: Gather Victim Network Information | T1587: Develop Capabilities | T1566.002: Spearphishing Link | T1204: User Execution | | | | T1132: Data Encoding |
| T1590.005: IP Addresses | T1587.001: Malware | | T1204.002: Malicious File | | | | T1132.001: Standard Encoding |
| | T1585: Establish Accounts | | T1204.001: Malicious Link | | | | T1568: Dynamic Resolution |
| | T1585.002: Email Accounts | | | | | | T1568.002: Domain Generation Algorithms |
| | T1588: Obtain Capabilities | | | | | | T1573: Encrypted Channel |
| | T1588.006: Vulnerabilities | | | | | | T1573.001: Symmetric Cryptography |
| | | | | | | | T1572: Protocol Tunneling |
Threat Advisories:
Two actively exploited vulnerabilities affect multiple VMware products
Google Chrome issues an emergency update to address the third zero-day of 2022
Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities
Old Zimbra vulnerability used to target Ukrainian Government Organizations
Two vulnerabilities discovered in AWS Client VPN
OldGremlin, a threat actor targeting Russian organizations with phishing emails since 2020