Weekly Threat Digest: 4 – 10 April 2022
For a detailed threat digest, download the pdf file here
Published Vulnerabilities | Interesting Vulnerabilities | Active Threat Groups | Targeted Countries | Targeted Industries | ATT&CK TTPs |
438 | 3 | 3 | 53 | 16 | 54 |
The second week of April 2022 witnessed the discovery of 438 vulnerabilities out of which 3 gained the attention of Threat Actors and security researchers worldwide. All these 3 were zero-day and require immediate action.
Further, we also observed 3 Threat Actor groups being highly active in the last week. Armageddon, a well-known Russian threat actor group popular for information theft and espionage, was observed targeting European government agencies Additionally, 2 Threat Actor groups originating from China were observed targeting organizations all around the world. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section.
Detailed Report:
Interesting Vulnerabilities:
zero-day vulnerability
Active Actors:
Icon | Name | Origin | Motive |
APT 10 (Stone Panda, menuPass, Red Apollo, CVNX, Potassium, Hogfish, Happyyongzi, Cicada, Bronze Riverside, CTG-5938, ATK 41, TA429, ITG01) | China | Information theft and espionage | |
APT 19(Deep Panda, Codoso, Sunshop, TG-3551, Bronze Firestone, Pupa) | China | Information theft and espionage | |
Armageddon(Gamaredon Group, Winterflounder, Primitive Bear, BlueAlpha, Blue Otso, Iron Tilden, SectorC08, Callisto, Shuckworm, Actinium, DEV-0157, UAC-0010) | Russia | Information theft and espionage |
Targeted Location:
Targeted Sectors:
Common TTPs:
TA0043: Reconnaissance | TA0042: Resource Development | TA0001: Initial Access | TA0002: Execution | TA0003: Persistence | TA0004: Privilege Escalation | TA0005: Defense Evasion | TA0006: Credential Access | TA0007: Discovery | TA0008: Lateral Movement | TA0009: Collection | TA0011: Command and Control | TA0010: Exfiltration |
T1592: Gather Victim Host Information | T1583: Acquire Infrastructure | T1190: Exploit Public-Facing Application | T1059: Command and Scripting Interpreter | T1574: Hijack Execution Flow | T1574: Hijack Execution Flow | T1140: Deobfuscate/Decode Files or Information | T1056: Input Capture | T1087: Account Discovery | T1210: Exploitation of Remote Services | T1560: Archive Collected Data | T1568: Dynamic Resolution | T1041: Exfiltration Over C2 Channel |
T1583.001: Domains | T1566: Phishing | T1059.001: PowerShell | T1574.001: DLL Search Order Hijacking | T1574.001: DLL Search Order Hijacking | T1564: Hide Artifacts | T1056.001: Keylogging | T1087.002: Domain Account | T1021: Remote Services | T1560.001: Archive via Utility | T1568.001: Fast Flux DNS | ||
T1588: Obtain Capabilities | T1566.001: Spearphishing Attachment | T1059.003: Windows Command Shell | T1574.002: DLL Side-Loading | T1574.002: DLL Side-Loading | T1574: Hijack Execution Flow | T1003: OS Credential Dumping | T1083: File and Directory Discovery | T1021.001: Remote Desktop Protocol | T1119: Automated Collection | T1105: Ingress Tool Transfer | ||
T1588.003: Code Signing Certificates | T1199: Trusted Relationship | T1106: Native API | T1053: Scheduled Task/Job | T1055: Process Injection | T1574.001: DLL Search Order Hijacking | T1003.004: LSA Secrets | T1046: Network Service Scanning | T1021.004: SSH | T1005: Data from Local System | |||
T1588.002: Tool | T1078: Valid Accounts | T1053: Scheduled Task/Job | T1053.005: Scheduled Task | T1055.012: Process Hollowing | T1574.002: DLL Side-Loading | T1003.003: NTDS | T1018: Remote System Discovery | T1039: Data from Network Shared Drive | ||||
T1053.005: Scheduled Task | T1078: Valid Accounts | T1053: Scheduled Task/Job | T1070: Indicator Removal on Host | T1003.002: Security Account Manager | T1082: System Information Discovery | T1074: Local Data Staged | ||||||
T1569: System Services | T1053.005: Scheduled Task | T1070.003: Clear Command History | T1016: System Network Configuration Discovery | T1074.001: Local Data Staging | ||||||||
T1569.002: Service Execution | T1078: Valid Accounts | T1070.004: File Deletion | T1049: System Network Connections Discovery | T1074.002: Remote Data Staging | ||||||||
T1204: User Execution | T1036: Masquerading | T1056: Input Capture | ||||||||||
T1204.002: Malicious File | T1036.005: Match Legitimate Name or Location | T1056.001: Keylogging | ||||||||||
T1047: Windows Management Instrumentation | T1036.003: Rename System Utilities | T1113: Screen Capture | ||||||||||
T1027: Obfuscated Files or Information | ||||||||||||
T1027.002: Software Packing | ||||||||||||
T1055: Process Injection | ||||||||||||
T1055.012: Process Hollowing | ||||||||||||
T1620: Reflective Code Loading | ||||||||||||
T1014: Rootkit | ||||||||||||
T1218: Signed Binary Proxy Execution | ||||||||||||
T1218.004: InstallUtil | ||||||||||||
T1553: Subvert Trust Controls | ||||||||||||
T1553.002: Code Signing | ||||||||||||
T1078: Valid Accounts |
Threat Advisories:
Deep Panda deploys new rootkit “Fire Chili” by exploiting Log4shell in VMware horizon
Sandworm Team using a new modular malware Cyclops Blink
APT 10, a state-sponsored Chinese threat group, conducting a global cyber espionage operation
RCE Spring Framework Zero-Day vulnerability “Spring4Shell”
Attacks on European Union and Ukrainian government entities carried out by the Armageddon group