March 29, 2022

Weekly Threat Digest: 21 – 27 March 2022

For a detailed threat digest, download the pdf file here

Sections: Published Vulnerabilities | Interesting Vulnerabilities | Active Threat Groups | Targeted Countries | Targeted Industries | ATT&CK TTPs

The fourth week of March 2022 saw the disclosure of 340 vulnerabilities, 10 of which drew the attention of threat actors and security researchers worldwide. Of these 10, one is undergoing reanalysis and two are not present in the NVD at all. The Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action.

We also observed five threat actor groups being highly active last week. Lapsus$, a new extortion group that has attacked organizations such as the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Okta, and Microsoft for data theft and destruction, was observed using the RedLine info-stealer. The North Korean state-sponsored Lazarus Group was exploiting a zero-day vulnerability in Google Chrome (CVE-2022-0609). AvosLocker, an affiliate-based Ransomware-as-a-Service (RaaS) group that has targeted more than 50 organizations, is currently exploiting Microsoft Exchange Server vulnerabilities, including the ProxyShell chain (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473), CVE-2021-31206, and ProxyLogon (CVE-2021-26855). APT35, aka Magic Hound, an Iranian state-backed group, is exploiting the same ProxyShell vulnerabilities against organizations across the globe. The South Korean APT group DarkHotel was targeting the hospitality industry in China. Common TTPs that these threat actors or CVEs could exploit are listed in the detailed section below.

Detailed Report:

Interesting Vulnerabilities:
Vendor | CVEs | Patch Link
Microsoft (Exchange Server) | CVE-2021-34523, CVE-2021-34473, CVE-2021-26855 |
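
As an added, illustrative check (not part of Hive Pro's digest and not vendor tooling): a small Python script that scans IIS W3C log lines from an Exchange front end for the request shapes the ProxyShell chain leaves behind, namely Autodiscover requests whose query contains an `@` (the CVE-2021-34473 path confusion), back-end `/mapi/nspi` or `/powershell` paths reached that way, and a forged `X-Rps-CAT` token (CVE-2021-34523). The log lines, the `evil.example` domain and the field order (date, time, method, uri-stem, uri-query, status) are constructed assumptions; real IIS logs carry more fields and the `#Fields:` header says which. It does not detect ProxyLogon (CVE-2021-26855), which abuses the X-BEResource cookie that IIS does not log by default.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (fabricated sample data, not from any real
# incident). Assumed field order: date time cs-method cs-uri-stem cs-uri-query sc-status
# Line 5 is the same PowerShell request with a percent-encoded query.
SAMPLE_IIS_LOG = """\
2022-03-22 10:01:02 GET /owa/auth/logon.aspx - 200
2022-03-22 10:01:05 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 200
2022-03-22 10:01:09 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgAAAAAAAAAAAA&Email=autodiscover/autodiscover.json%3F@evil.example 200
2022-03-22 10:02:11 GET /autodiscover/autodiscover.xml - 200
2022-03-22 10:03:30 POST /Autodiscover/Autodiscover.json %40evil.example%2Fpowershell%2F%3FX-Rps-CAT%3DVgAAAA 200
2022-03-22 10:04:00 POST /owa/auth/x.js - 401
"""

# Assumed six-field layout; adjust to the #Fields: header of the real log.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Hit:
    line_no: int
    method: str
    stem: str
    reasons: list = field(default_factory=list)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded payloads don't slip past."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(stem: str, query: str) -> list:
    """Return the ProxyShell indicators present in one request, or [] if none."""
    stem_l = stem.lower()
    q = fully_decode("" if query == "-" else query).lower()
    reasons = []
    if stem_l.endswith("/autodiscover/autodiscover.json"):
        if "@" in q:
            reasons.append("Autodiscover path confusion ('@' in query, CVE-2021-34473 style)")
        if "/mapi/nspi" in q:
            reasons.append("back-end MAPI/NSPI reached through Autodiscover (SID lookup stage)")
        if "/powershell" in q:
            reasons.append("back-end PowerShell endpoint reached through Autodiscover")
    if "x-rps-cat=" in q:
        reasons.append("forged X-Rps-CAT token in query (CVE-2021-34523 style)")
    return reasons


def scan_iis_log(text: str) -> list:
    """Scan log text line by line; comment/header lines and unparsable lines are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        _date, _time, method, stem, query, _status = m.groups()
        reasons = classify_request(stem, query)
        if reasons:
            hits.append(Hit(n, method, stem, reasons))
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {h.line_no}: {h.method} {h.stem}")
        for r in h.reasons:
            print("   -", r)
```

A hit on a server that is already patched still matters: the same requests may have succeeded before the patch, so pivot to the Exchange and IIS logs around that timestamp and look for web shell drops (T1505.003) and new mailbox-export requests.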

Active Actors:

Threat Actor (aliases) | Origin | Motive
APT35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) | Iran | Information theft and espionage
AvosLocker | Unknown | E-crime, information theft, and financial gain
Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) | North Korea | Information theft and espionage, sabotage and destruction, financial crime
Lapsus$ (DEV-0537) | Unknown | Data theft and destruction
DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) | South Korea | Information theft and espionage

Targeted Location:

Targeted Sectors:

Common TTPs:

TA0042: Resource Development
  T1583: Acquire Infrastructure
  T1583.001: Domains
  T1583.006: Web Services
  T1587: Develop Capabilities
  T1587.001: Malware
  T1588: Obtain Capabilities
  T1588.004: Digital Certificates
  T1588.006: Vulnerabilities

TA0001: Initial Access
  T1189: Drive-by Compromise
  T1190: Exploit Public-Facing Application
  T1133: External Remote Services
  T1566: Phishing
  T1566.001: Spearphishing Attachment
  T1199: Trusted Relationship
  T1078: Valid Accounts

TA0002: Execution
  T1059: Command and Scripting Interpreter
  T1059.001: PowerShell
  T1059.005: Visual Basic
  T1059.004: Unix Shell
  T1059.003: Windows Command Shell
  T1203: Exploitation for Client Execution
  T1106: Native API
  T1053: Scheduled Task/Job
  T1204: User Execution
  T1204.002: Malicious File
  T1047: Windows Management Instrumentation

TA0003: Persistence
  T1098: Account Manipulation
  T1547: Boot or Logon Autostart Execution
  T1547.006: Kernel Modules and Extensions
  T1547.001: Registry Run Keys / Startup Folder
  T1547.009: Shortcut Modification
  T1543: Create or Modify System Process
  T1543.003: Windows Service
  T1133: External Remote Services
  T1137: Office Application Startup
  T1542: Pre-OS Boot
  T1542.003: Bootkit
  T1053: Scheduled Task/Job
  T1505: Server Software Component
  T1505.003: Web Shell
  T1078: Valid Accounts

TA0004: Privilege Escalation
  T1548: Abuse Elevation Control Mechanism
  T1134: Access Token Manipulation
  T1134.002: Create Process with Token
  T1547: Boot or Logon Autostart Execution
  T1547.006: Kernel Modules and Extensions
  T1547.001: Registry Run Keys / Startup Folder
  T1547.009: Shortcut Modification
  T1543: Create or Modify System Process
  T1543.003: Windows Service
  T1068: Exploitation for Privilege Escalation
  T1055: Process Injection
  T1055.001: Dynamic-link Library Injection
  T1053: Scheduled Task/Job
  T1078: Valid Accounts

TA0005: Defense Evasion
  T1548: Abuse Elevation Control Mechanism
  T1134: Access Token Manipulation
  T1134.002: Create Process with Token
  T1564: Hide Artifacts
  T1564.001: Hidden Files and Directories
  T1562: Impair Defenses
  T1562.004: Disable or Modify System Firewall
  T1562.001: Disable or Modify Tools
  T1070: Indicator Removal on Host
  T1070.004: File Deletion
  T1070.006: Timestomp
  T1036: Masquerading
  T1036.005: Match Legitimate Name or Location
  T1027: Obfuscated Files or Information
  T1027.006: HTML Smuggling
  T1027.002: Software Packing
  T1542: Pre-OS Boot
  T1542.003: Bootkit
  T1055: Process Injection
  T1055.001: Dynamic-link Library Injection
  T1218: Signed Binary Proxy Execution
  T1218.001: Compiled HTML File
  T1078: Valid Accounts
  T1497: Virtualization/Sandbox Evasion

TA0006: Credential Access
  T1110: Brute Force
  T1110.003: Password Spraying
  T1056: Input Capture
  T1056.004: Credential API Hooking
  T1056.001: Keylogging
  T1003: OS Credential Dumping
  T1111: Two-Factor Authentication Interception
  T1552: Unsecured Credentials

TA0007: Discovery
  T1010: Application Window Discovery
  T1083: File and Directory Discovery
  T1120: Peripheral Device Discovery
  T1057: Process Discovery
  T1012: Query Registry
  T1082: System Information Discovery
  T1016: System Network Configuration Discovery
  T1033: System Owner/User Discovery
  T1124: System Time Discovery

TA0008: Lateral Movement
  T1021: Remote Services
  T1021.001: Remote Desktop Protocol
  T1021.002: SMB/Windows Admin Shares
  T1021.004: SSH

TA0009: Collection
  T1560: Archive Collected Data
  T1560.003: Archive via Custom Method
  T1560.002: Archive via Library
  T1213: Data from Information Repositories
  T1005: Data from Local System
  T1074: Data Staged
  T1074.001: Local Data Staging
  T1056: Input Capture
  T1056.004: Credential API Hooking
  T1056.001: Keylogging

TA0011: Command and Control
  T1071: Application Layer Protocol
  T1071.001: Web Protocols
  T1132: Data Encoding
  T1132.001: Standard Encoding
  T1001: Data Obfuscation
  T1001.003: Protocol Impersonation
  T1573: Encrypted Channel
  T1573.001: Symmetric Cryptography
  T1008: Fallback Channels
  T1105: Ingress Tool Transfer
  T1571: Non-Standard Port
  T1090: Proxy
  T1090.002: External Proxy

TA0010: Exfiltration
  T1048: Exfiltration Over Alternative Protocol
  T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  T1041: Exfiltration Over C2 Channel
  T1537: Transfer Data to Cloud Account

TA0040: Impact
  T1485: Data Destruction
  T1486: Data Encrypted for Impact
  T1491: Defacement
  T1491.001: Internal Defacement
  T1561: Disk Wipe
  T1561.001: Disk Content Wipe
  T1561.002: Disk Structure Wipe
  T1490: Inhibit System Recovery
  T1489: Service Stop
  T1529: System Shutdown/Reboot

Threat Advisories:

Microsoft’s privilege escalation vulnerability that refuses to go away

Google Chrome’s second zero-day in 2022

Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities

AvosLocker Ransomware group has targeted 50+ Organizations Worldwide

North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability

LAPSUS$ – New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung

DarkHotel APT group targeting the Hospitality Industry in China

New Threat Actor using Serpent Backdoor attacking French Entities

Muhstik botnet adds another vulnerability exploit to its arsenal
