Top Cyber Attacks of July 2022
Our 24x7x365 security operations team closely monitors all cyber news and related cyber attacks through our own insider sources to ensure our customers Get There First™- every time. Here are our SOC's top cyber attack picks from July 2022:
Threat actors exploit recently patched critical flaw in Atlassian Confluence Server and Data Center
Atlassian released security updates for a critical hard-coded credentials vulnerability in the Questions for Confluence app for Confluence Server and Data Center. The flaw lets a remote, unauthenticated attacker who knows the password log in to any unpatched server on which the app was installed.
Three versions of the Questions for Confluence app (2.7.34, 2.7.35, and 3.0.2) are affected. Installing the app created a Confluence account with the username ‘disabledsystemuser’ and a hard-coded password, and added it to the confluence-users group. The account was intended to help administrators migrate data from the app to Confluence Cloud, but membership of confluence-users lets it view and edit every non-restricted page in the instance.
CVE code: CVE-2022-26138
CVSS score: 9.8/10🔥
Key takeaway: A remote, unauthenticated attacker with knowledge of the hard-coded password can log in as ‘disabledsystemuser’ and read or edit every page the confluence-users group can reach. In-the-wild exploitation began shortly after the password was posted publicly on Twitter. Uninstalling the app does not fix the problem, because the account is left behind. Admins of affected Confluence Server and Data Center instances should take one of the following actions, and then check the account’s last authentication time to confirm it was never used:
- Option 1: Update to a non-vulnerable version of Questions for Confluence (2.7.38 or 3.0.5)
- Option 2: Disable or delete the ‘disabledsystemuser’ account
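Beyond the last-authentication check in the user management screen, a SOC will want to know from where and how often the account was used. The script below is an added example, not Atlassian's tooling or the page's own code: it scans access-log lines for requests authenticated as ‘disabledsystemuser’ and summarises them per source IP. The line layout it parses (timestamp, authenticated user, client IP, method, path, status) is an assumption; adapt `LINE_RE` to the pattern your Confluence Tomcat access-log valve actually writes. The sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Account created by the vulnerable Questions for Confluence releases (CVE-2022-26138).
SUSPECT_USER = "disabledsystemuser"

# Assumed line layout, NOT Confluence's exact access-log format:
#   [timestamp] authenticated-user client-ip METHOD path status
# Adjust LINE_RE to what your Confluence Tomcat access-log valve writes
# (Confluence exposes the authenticated user via the X-AUSERNAME header).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})\s*$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_hardcoded_user_activity(lines, user=SUSPECT_USER):
    """Return every request made as the hard-coded account plus a per-source-IP count.

    The account is never supposed to authenticate, so a single hit is a finding;
    several source IPs usually means more than one party is using the leaked password.
    """
    hits = [rec for rec in map(parse_line, lines) if rec and rec["user"] == user]
    by_ip = Counter(rec["ip"] for rec in hits)
    return hits, by_ip


# Constructed sample log (not real traffic): two sources using the leaked account.
SAMPLE_LOG = """\
[25/Jul/2022:08:14:02 +0000] jsmith 10.0.4.17 GET /pages/viewpage.action 200
[25/Jul/2022:08:14:09 +0000] - 198.51.100.23 POST /dologin.action 302
[25/Jul/2022:08:14:10 +0000] disabledsystemuser 198.51.100.23 GET /rest/api/content 200
[25/Jul/2022:08:14:31 +0000] disabledsystemuser 198.51.100.23 GET /rest/api/content/search 200
[25/Jul/2022:09:02:55 +0000] disabledsystemuser 203.0.113.9 GET /rest/api/user/current 200
[25/Jul/2022:09:03:01 +0000] amartin 10.0.4.22 GET /display/ENG/Runbooks 200
""".splitlines()


def main():
    hits, by_ip = find_hardcoded_user_activity(SAMPLE_LOG)
    if not hits:
        print("no activity from", SUSPECT_USER)
        return
    print(f"{len(hits)} request(s) as {SUSPECT_USER} from {len(by_ip)} source IP(s):")
    for rec in hits:
        print(f"  {rec['ts'].isoformat()} {rec['ip']:>15} {rec['method']} {rec['path']}")
    for ip, n in by_ip.most_common():
        print(f"  {ip}: {n} request(s)")


if __name__ == "__main__":
    main()
```

Point the script at the full log retention window, not just the days since the advisory: the account existed from the moment the app was installed, and the password was only one tweet away.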
OpenSSL releases patch for high-severity bug that could lead to remote-code execution (RCE) attacks
A high-severity bug was discovered in OpenSSL’s cryptographic library which could lead to remote code execution under certain conditions. OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and is used to generate private keys, create certificate signing requests (CSRs), and install SSL/TLS certificates.
The flaw, tracked as CVE-2022-2274, is a bug in the RSA implementation for X86_64 CPUs that support the AVX512IFMA instructions. On such machines the RSA implementation produces incorrect results with 2048-bit private keys and corrupts memory during the computation. OpenSSL’s advisory warns that an attacker could potentially use this memory corruption to achieve remote code execution on the machine performing the computation.
CVE code: CVE-2022-2274
CVSS score: 9.8/10🔥
Key takeaway: The issue was reported to OpenSSL on June 22 by Xi Ruoyao, a PhD student at Xidian University, who also helped develop the fix. According to OpenSSL, CVE-2022-2274 affects SSL/TLS servers and other servers that use 2048-bit RSA private keys on X86_64 machines supporting the AVX512IFMA instructions. Only OpenSSL 3.0.4 is affected: the bug was introduced in that release, and OpenSSL 1.1.1 and 1.0.2 do not contain it. Users of OpenSSL 3.0.4 should update to OpenSSL 3.0.5, which fixes the issue.
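The advisory names three conditions (OpenSSL 3.0.4, a CPU with AVX512IFMA, a 2048-bit RSA key), so an asset-inventory check can test exactly those. The following is an added example, not OpenSSL project code: it parses `openssl version` output, the `flags` lines of `/proc/cpuinfo`, and optionally the key size printed by `openssl rsa -noout -text`, and returns a verdict. The constructed `cpuinfo` strings are samples for offline use; `main()` reads the real system when run directly.

```python
import re
import subprocess

AFFECTED_VERSION = (3, 0, 4)   # bug introduced in 3.0.4 ...
FIXED_VERSION = (3, 0, 5)      # ... and removed in 3.0.5

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)")
KEY_BITS_RE = re.compile(r"Private-Key: \((\d+) bit")


def parse_openssl_version(text):
    """'OpenSSL 3.0.4 21 Jun 2022' -> (3, 0, 4). Letter suffixes such as 1.1.1q are ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised `openssl version` output: {text!r}")
    return tuple(int(x) for x in m.groups())


def cpu_has_avx512ifma(cpuinfo_text):
    """True if any 'flags' line of /proc/cpuinfo advertises avx512ifma."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            if "avx512ifma" in line.split(":", 1)[1].split():
                return True
    return False


def rsa_key_bits(openssl_text_output):
    """Extract the modulus size from `openssl rsa -in key.pem -noout -text` output.
    Matches both the 3.x 'Private-Key: (2048 bit, 2 primes)' and the 1.1.1
    'RSA Private-Key: (2048 bit, 2 primes)' spellings."""
    m = KEY_BITS_RE.search(openssl_text_output)
    return int(m.group(1)) if m else None


def assess(version_text, cpuinfo_text, key_bits=None):
    """Classify exposure to CVE-2022-2274 from the facts the advisory names.

    'not-affected-version'  not running 3.0.4, nothing to do for this CVE
    'upgrade'               3.0.4 but this CPU lacks AVX512IFMA; the bad path is not
                            taken here, but upgrade anyway (a VM can be migrated)
    'key-size-unaffected'   3.0.4 on an IFMA CPU, but the key checked is not 2048-bit
    'vulnerable'            3.0.4, AVX512IFMA present, 2048-bit key (or size unknown)
    """
    if parse_openssl_version(version_text) != AFFECTED_VERSION:
        return "not-affected-version"
    if not cpu_has_avx512ifma(cpuinfo_text):
        return "upgrade"
    if key_bits is not None and key_bits != 2048:
        return "key-size-unaffected"
    return "vulnerable"


# Constructed samples (not captured from a real host).
CPUINFO_IFMA = "processor\t: 0\nflags\t\t: fpu vme avx2 avx512f avx512ifma avx512vbmi\n"
CPUINFO_NO_IFMA = "processor\t: 0\nflags\t\t: fpu vme avx2\n"
KEY_TEXT_2048 = "Private-Key: (2048 bit, 2 primes)\nmodulus:\n    00:c1:..."


def main():
    try:
        version_text = subprocess.run(["openssl", "version"], capture_output=True,
                                      text=True, check=True).stdout
        with open("/proc/cpuinfo") as f:
            cpuinfo_text = f.read()
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not inspect this host:", exc)
        return
    print(version_text.strip(), "->", assess(version_text, cpuinfo_text))


if __name__ == "__main__":
    main()
```

The 'upgrade' verdict is deliberate: AVX512IFMA support is a property of the host the process happens to run on, so a 3.0.4 build that is safe on today's hardware is not safe after a live migration.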
CISA orders agencies to patch new Windows zero-day used in attacks
Microsoft released a patch for an actively exploited, high-severity zero-day that affects both server and client platforms, including Windows 11 and Windows Server 2022. The flaw is a local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS); an attacker who already has code execution on the host can use it to gain SYSTEM privileges.
The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its list of bugs abused in the wild. It also gave federal agencies until August 2 to patch the flaw and block ongoing attacks that could target their systems.
CVE code: CVE-2022-22047
CVSS score: 7.8/10🔥
Industry: Multiple industries
Key takeaway: In total, 84 vulnerabilities were addressed in the July 2022 Patch Tuesday. This includes 52 Elevation of Privilege vulnerabilities, 4 Security Feature Bypass vulnerabilities, 12 Remote Code Execution vulnerabilities, 11 Information Disclosure vulnerabilities, and 5 Denial of Service vulnerabilities. Four of the 84 vulnerabilities have been rated critical in severity.
- CVE-2022-30221: Windows Graphics Component Remote Code Execution Vulnerability
- CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability
- CVE-2022-22039: Windows Network File System Remote Code Execution Vulnerability
- CVE-2022-22038: Remote Procedure Call Runtime Remote Code Execution Vulnerability
Critical FileWave MDM flaws open organization-managed devices to remote hackers
Two critical security flaws were found in FileWave’s mobile device management (MDM) platform that could be used to attack the MDM server remotely and seize control of every device enrolled in it.
The two vulnerabilities, tracked as CVE-2022-34906 and CVE-2022-34907, affect FileWave MDM versions prior to 14.6.3 and 14.7.x versions prior to 14.7.2. If exploited successfully, a threat actor could exfiltrate sensitive data and push malicious packages to managed devices, giving them full remote control.
- CVE-2022-34906: Hard-coded cryptographic key
- CVE-2022-34907: Authentication bypass flaw
CVSS score: 7.5/10 (CVE-2022-34906) and 9.8/10 (CVE-2022-34907)🔥
Key takeaway: Claroty uncovered more than 1,100 instances of FileWave MDM, which were vulnerable to CVE-2022-34906 and CVE-2022-34907. These internet-facing servers belonged to organizations from many different fields, including corporations, schools and educational institutions, government agencies, and small-to-medium businesses.
“Using this vulnerability, in either variety described above, we were able to gain highest privileges in all versions of the FileWave MDM. This allows us to gain the ability to attack and control every instance exposed to the Internet, and allowed us to control all of the servers’ managed devices, exfiltrate all sensitive data being held by the devices, including usernames, email addresses, IP addresses, geo-location etc.” (Claroty, 2022)
Claroty was also able to install malicious packages and software on the devices and execute remote code on all devices.
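What makes a hard-coded secret so damaging in an MDM product is that the same value exists in every installation, so extracting it once authenticates the attacker everywhere. The snippet below is an added, illustrative example and is not FileWave's code or a reproduction of Claroty's findings: it places the vulnerable pattern (a shared constant that grants administrator access) next to a hardened pattern (a per-deployment secret, generated at install time, used to sign short-lived tokens verified in constant time). The constant `STATIC_ADMIN_TOKEN` and the `TokenService` class are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- Vulnerable pattern: one secret shipped inside the product ----
# Constructed placeholder. The defect is not the value but the fact that every
# installation shares it: recovered once (from the binary, a config file or a
# public write-up) it is an admin credential for every deployment on the Internet.
STATIC_ADMIN_TOKEN = "fw-admin-d0nt-sh1p-th1s"


def vulnerable_is_admin(presented_token):
    # Anyone holding the shipped constant is an administrator; the plain `==`
    # additionally leaks timing information about the secret.
    return presented_token == STATIC_ADMIN_TOKEN


# ---- Hardened pattern: per-deployment secret, signed and expiring tokens ----
class TokenService:
    """Issues and verifies HMAC-signed bearer tokens bound to one installation."""

    def __init__(self, secret=None):
        # Generated at install time and stored outside the code (vault, OS keyring,
        # mode-0600 file); never a constant in the source tree.
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    def issue(self, subject, ttl_seconds=3600, now=None):
        now = int(time.time() if now is None else now)
        payload = json.dumps({"sub": subject, "exp": now + ttl_seconds},
                             separators=(",", ":"), sort_keys=True).encode()
        sig = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def verify(self, token, now=None):
        """Return the subject if the token is ours and unexpired, else None."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = _unb64(payload_b64)
            sig = _unb64(sig_b64)
        except ValueError:            # wrong shape or malformed base64
            return None
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return None
        claims = json.loads(payload)  # only reached for payloads we signed
        now = int(time.time() if now is None else now)
        if claims["exp"] <= now:
            return None
        return claims["sub"]


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


if __name__ == "__main__":
    site_a, site_b = TokenService(), TokenService()      # two independent deployments
    tok = site_a.issue("admin", ttl_seconds=600)
    print("site A accepts its own token:", site_a.verify(tok))
    print("site B accepts site A's token:", site_b.verify(tok))
    print("hardened service accepts the shipped constant:", site_a.verify(STATIC_ADMIN_TOKEN))
```

The useful property is the second line of output: a token minted for one installation is meaningless to every other one, which is exactly what a product-wide hard-coded key throws away.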
Microsoft warns of large-scale AiTM phishing attacks against 10,000+ organizations
Microsoft disclosed a large-scale phishing campaign that targeted over 10,000 organizations since September 2021 by hijacking Office 365’s authentication process, even on accounts secured with multi-factor authentication (MFA).
The intrusions entailed setting up adversary-in-the-middle (AiTM) phishing sites, where the adversary deployed a proxy server between a potential victim and the targeted website so that recipients of a phishing email were redirected to lookalike landing pages designed to capture credentials and MFA information.
Industry: Multiple industries
Key takeaway: To gain initial access, the threat actors sent emails with voice message-themed lures marked as high importance. The messages told recipients they had a new voice message and enticed them to open a malicious HTML attachment. Opening the attachment redirected the victim to a phishing site built with the open-source Evilginx2 AiTM kit, which proxied Microsoft’s real login page and prompted for credentials. Once the target entered their credentials and completed authentication, they were redirected to the legitimate office.com page, so nothing looked wrong from the victim's side.
“The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and the other with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords, and more importantly, session cookies.” (Microsoft, 2022)
The attackers then replayed the stolen session cookie to authenticate to Outlook on the web. Because the cookie was issued by Microsoft after the victim had already completed MFA, the attacker inherits a fully authenticated session and is never challenged for a second factor. Note that MFA itself is not broken here: the victim performs MFA against the real site through the proxy, and the attacker steals the result. Phishing-resistant methods such as FIDO2 security keys or certificate-based authentication, together with conditional access policies that require a compliant device or a trusted network, defeat this technique because the credential is bound to the legitimate origin or the session cannot be used from the attacker's infrastructure.
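The replay leaves a trace in sign-in logs: the same session identifier appears first from the victim's network, where MFA was performed interactively, and shortly afterwards from an unrelated IP and autonomous system with the MFA requirement already satisfied by the token. The detection below is an added example, not Microsoft's detection logic or the page's code; the sign-in records are constructed, and the field names (`session_id`, `asn`, `mfa`) are simplifications of what cloud identity sign-in logs actually carry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real tenant data). Real Azure AD sign-in logs
# carry the same ideas under other names: a session identifier, the client IP and
# its autonomous system, and whether MFA was done interactively or was
# "satisfied by claim in the token".
SIGN_INS = [
    {"time": "2022-07-12T09:00:12", "user": "alice@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "asn": 64500, "mfa": "interactive"},
    {"time": "2022-07-12T09:07:40", "user": "alice@example.com", "session_id": "S1",
     "ip": "198.51.100.77", "asn": 64511, "mfa": "claim_in_token"},
    {"time": "2022-07-12T09:15:03", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.25", "asn": 64500, "mfa": "interactive"},
    {"time": "2022-07-12T10:40:21", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.25", "asn": 64500, "mfa": "claim_in_token"},
]


def detect_session_replay(events, window=timedelta(hours=12)):
    """Flag sessions whose cookie is presented from a different network than the
    one that completed MFA.

    An AiTM proxy relays the victim's own MFA to the real site and then replays the
    resulting session cookie from the attacker's infrastructure, so one session id
    shows up from two unrelated IPs and ASNs within a short window. Requiring the
    ASN to differ as well as the IP suppresses noise from ordinary address churn
    inside one mobile or corporate network.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(dict(e, time=datetime.fromisoformat(e["time"])))

    findings = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        # The sign-in that actually performed MFA is the session's legitimate origin.
        origin = next((e for e in evs if e["mfa"] == "interactive"), evs[0])
        for later in evs:
            if later is origin or later["time"] < origin["time"]:
                continue
            delta = later["time"] - origin["time"]
            if (later["ip"] != origin["ip"] and later["asn"] != origin["asn"]
                    and delta <= window):
                findings.append({
                    "user": later["user"],
                    "session_id": session_id,
                    "mfa_ip": origin["ip"],
                    "replay_ip": later["ip"],
                    "minutes_after_mfa": round(delta.total_seconds() / 60, 1),
                    "replay_mfa": later["mfa"],
                })
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SIGN_INS):
        print(f"possible AiTM cookie replay: {f['user']} session {f['session_id']} "
              f"MFA from {f['mfa_ip']}, reused from {f['replay_ip']} "
              f"{f['minutes_after_mfa']} min later ({f['replay_mfa']})")
```

Treat a hit as a lead rather than a verdict: a user hopping between a corporate VPN and a mobile carrier can trip the same rule, so triage with device compliance state and user agent before revoking the session and resetting the password.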
Password recovery tool infects industrial systems with Sality malware
Dragos investigated infections of industrial control system workstations by a trojanised password “cracking” tool for programmable logic controllers (PLCs) that enrolled the victim host in a botnet.
The tool, advertised as a password recovery utility, promised to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic. In the sample Dragos analysed, which targeted an Automation Direct DirectLOGIC 06 PLC, the tool did not crack anything: it recovered the password by exploiting a vulnerability in the PLC firmware. It also installed Sality, a long-known malware family that builds a peer-to-peer botnet and uses the combined computing power of its members for tasks such as password cracking and cryptocurrency mining.
CVE code: CVE-2022-20030
CVSS score: 6.7/10🔥
Industry: Multiple industries
Key takeaway: The risk is not only the PLC password but the engineering workstation itself. Sality can open connections to remote sites, steal data from the infected host, and download additional payloads.
The malware injects itself into running processes and abuses the Windows autorun function to spread copies of itself via USB drives, network shares, and other external storage. To stay undetected, Sality terminates security products such as antivirus engines and firewalls.
In the latest campaign, Dragos researchers uncovered a sample of Sality which drops clipboard hijacking malware, designed to steal cryptocurrency. During a cryptocurrency transaction, the malware replaces the original wallet address saved in the clipboard with the attacker’s wallet address, allowing the threat actor to successfully divert the funds.
About Digital Hands
As a new kind of MSSP, Digital Hands is how organizations are getting ahead of the bad guys in a world where compliance alone is no guarantee of protection. Too many companies invest in cybersecurity solutions, follow the recommendations, achieve compliance … and then still get breached. You’ve got to get to your exposures before the bad guys do.