April 5, 2022

Weekly Threat Digest: 28 March – 3 April 2022

For a detailed threat digest, download the pdf file here

Published VulnerabilitiesInteresting VulnerabilitiesActive Threat GroupsTargeted CountriesTargeted IndustriesATT&CK TTPs

The fourth week of March 2022 witnessed the discovery of 500 vulnerabilities out of which 7 gained the attention of Threat Actors and security researchers worldwide. Among these 10, there were 3 awaiting analysis and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 7 CVEs that require immediate action.

Furthermore, we also observed three threat actor groups being highly active in the last week. A financially motivated threat actor called TA551 primarily targeted English, German, Italian, and Japanese speakers through IcedID an email-based malware.  A new variant of the famous PlugX malware called Talisman has been discovered to be used by Chinese state-sponsored threat actor RedFoxtrot. These attacks were staged on telecommunication and defense sectors in South Asian countries to protect the Belt and Road initiative. Deep Panda aka APT 19, a Chinese APT group, exploited the infamous Log4Shell vulnerability in VMware Horizon servers to stage attack on various sectors across the globe. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below.

Detailed Report:

Interesting Vulnerabilities:
VendorCVEsPatch Link

Active Actors:

TA551 (Gold Cabin, Shathak)UnknownFinancial gain
RedFoxtrot (Nomad Panda)ChinaInformation theft and espionage
APT 19 (Deep Panda, Codoso, Sunshop Group,
TG-3551, Bronze Firestone, Pupa)
ChinaInformation theft and espionage

Targeted Location:

Targeted Sectors:

Common TTPs:

TA0043: ReconnaissanceTA0042: Resource DevelopmentTA0001: Initial AccessTA0002: ExecutionTA0003: PersistenceTA0004: Privilege EscalationTA0005: Defense EvasionTA0006: Credential AccessTA0007: DiscoveryTA0009: CollectionTA0011: Command and ControlTA0010: ExfiltrationTA0040: Impact
T1592: Gather Victim Host InformationT1588: Obtain CapabilitiesT1190: Exploit Public-Facing ApplicationT1059: Command and Scripting InterpreterT1547: Boot or Logon Autostart ExecutionT1548: Abuse Elevation Control MechanismT1140: Deobfuscate/Decode Files or InformationT1040: Network SniffingT1087: Account DiscoveryT1185: Browser Session HijackingT1071: Application Layer ProtocolT1041: Exfiltration Over C2 ChannelT1565: Data Manipulation
T1588.003: Code Signing CertificatesT1566: PhishingT1059.001: PowerShellT1547.001: Registry Run Keys / Startup FolderT1543: Create or Modify System ProcessT1574: Hijack Execution FlowT1087.002: Domain AccountT1005: Data from Local SystemT1071.001: Web ProtocolsT1499: Endpoint Denial of Service
T1588.006: VulnerabilitiesT1566.001: Spearphishing AttachmentT1059.005: Visual BasicT1574: Hijack Execution FlowT1574: Hijack Execution FlowT1574.002: DLL Side-LoadingT1083: File and Directory DiscoveryT1056: Input CaptureT1573: Encrypted ChannelT1499.001: OS Exhaustion Flood
T1059.003: Windows Command ShellT1574.002: DLL Side-LoadingT1574.002: DLL Side-LoadingT1036: MasqueradingT1135: Network Share DiscoveryT1113: Screen CaptureT1573.002: Asymmetric Cryptography
T1203: Exploitation for Client ExecutionT1053: Scheduled Task/JobT1055: Process InjectionT1112: Modify RegistryT1040: Network SniffingT1105: Ingress Tool Transfer
T1106: Native APIT1053.005: Scheduled TaskT1055.004: Asynchronous Procedure CallT1027: Obfuscated Files or InformationT1069: Permission Groups DiscoveryT1095: Non-Application Layer Protocol
T1053: Scheduled Task/JobT1053: Scheduled Task/JobT1027.002: Software PackingT1057: Process Discovery
T1053.005: Scheduled TaskT1053.005: Scheduled TaskT1027.003: SteganographyT1012: Query Registry
T1569: System ServicesT1055: Process InjectionT1082: System Information Discovery
T1569.002: Service ExecutionT1055.004: Asynchronous Procedure CallT1049: System Network Connections Discovery
T1204: User ExecutionT1620: Reflective Code Loading
T1204.002: Malicious FileT1014: Rootkit
T1047: Windows Management InstrumentationT1218: Signed Binary Proxy Execution
T1218.007: Msiexec

Threat Advisories:

Sophos Firewall RCE vulnerability actively exploited

DOS Vulnerability discovered in SonicWall Next-Generation Firewall

Prolific threat actor TA551 using new malware IcedID

New PlugX variant “Talisman” used by famous Chinese APT

RCE Spring Framework Zero-Day vulnerability “Spring4Shell”

Two Vulnerabilities affecting Apple macOS exploited-in-the-wild

Actively exploited vulnerability affects Trend Micro Apex Central

Authentication Bypass Vulnerability in Zyxel Firmware

Recent Resources

Dive into our library of resources for expert insights, guides, and in-depth analysis on maximizing Uni5 Xposure’s capabilities

Book a demo and find out more about how Hive Pro can double your operational efficiency

Book a Demo