Top Cyber Attacks of June 2022
Our 24x7x365 security operations team closely monitors cyber news and related attacks through our own insider sources to ensure our customers Get There First™, every time. Here are our SOC's top cyber attack picks from June 2022:
Ransomware circles unpatched Confluence servers
Ransomware gangs targeted a recently patched, actively exploited remote code execution (RCE) vulnerability in Atlassian Confluence Server and Data Center instances to gain initial access to corporate networks. Unauthenticated attackers could take over unpatched servers remotely, executing arbitrary code and creating new administrator accounts.
Swiss cyber threat intelligence firm Prodaft found that AvosLocker ransomware affiliates were mass-scanning for and breaking into internet-exposed Confluence servers that were still unpatched, infecting multiple organizations worldwide. Another ransomware operation, Cerber2021, also targeted and encrypted unpatched Confluence servers.
CVE Code: CVE-2022-26134
CVSS Score: 9.8/10🔥
Key takeaway: Confluence remains a prime target, as the platform has seen several critical vulnerabilities over the past few years. Atlassian released security fixes and urged customers to patch their installations to stop the ongoing attacks. Because the flaw was exploited before the fix shipped, patching alone is not enough: servers that were exposed while unpatched should also be checked for rogue administrator accounts and dropped web shells.
Mitel VoIP Zero-Day
A suspected ransomware intrusion attempt against an unnamed target used a Mitel VoIP appliance as the entry point, achieving remote code execution on the appliance to gain initial access to the environment.
Less than two weeks earlier, German penetration testing firm SySS had disclosed two further flaws, in Mitel 6800/6900 desk phones, that let attackers gain root privileges on the devices.
CVE Code: CVE-2022-29499
CVSS score: 9.8/10🔥
Key takeaway: Timely patching is essential for perimeter devices, but it cannot help against a vulnerability the vendor has not yet documented. Segment critical assets from perimeter devices such as VoIP appliances so that a compromised device does not give an attacker a path to them, and treat unexpected outbound connections from those devices as a sign of compromise.
Critical Atlassian Confluence Zero-Day actively used in attacks
Threat actors actively exploited the Atlassian Confluence zero-day tracked as CVE-2022-26134 to install web shells. As noted above, CVE-2022-26134 is a critical unauthenticated RCE vulnerability affecting both Confluence Server and Data Center, and at the time no patch was available.
Until fixes were ready, Atlassian told customers to put their servers out of attackers' reach with one of these options:
- Restricting Confluence Server and Data Center instances from the internet
- Disabling Confluence Server and Data Center instances
Cybersecurity firm Volexity discovered that the threat actors installed BEHINDER, a JSP web shell that lets them execute commands on the compromised server remotely. They then used BEHINDER to install the China Chopper web shell and a file upload tool as backups, wrote additional web shells, and altered access logs to evade detection.
CVE Code: CVE-2022-26134
CVSS score: 9.8/10🔥
Key takeaway: When no fix exists yet, the priority is to cut the attacker's path: take the service off the internet or shut it down until a patch ships. And since exploitation preceded the fix, hunt for dropped web shells and tampered access logs afterwards rather than trusting that a later patch undid the damage.
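As an added illustration of the web-shell hunting mentioned in the takeaway (example code written for this article, not Atlassian's or Volexity's), the following Python script baselines the server pages under a Confluence web application directory and reports any JSP file that is new or whose contents changed. Both cases matter: attackers drop new shells, and they also overwrite legitimate pages so a shell hides behind an expected file name. The directory layout, file names and page contents are constructed for the demo; in practice, build the baseline from a clean unpack of the same Confluence version and compare it against the live installation directory.

```python
"""Hunt for unexpected JSP server pages under a Confluence web app directory.

Added example for this article; the paths and files below are assumptions
constructed for the demo, not a real Confluence layout.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions Tomcat compiles and executes as server pages; a dropped web
# shell has to carry one of these to be reachable over HTTP.
SERVER_PAGE_EXTENSIONS = {".jsp", ".jspx"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every server page under root (relative POSIX path) to its hash.

    Take this snapshot from a known-good copy of the same Confluence version.
    """
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SERVER_PAGE_EXTENSIONS:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def find_unexpected_pages(root: Path, baseline: dict) -> list:
    """Return (kind, relative_path) for pages that are new or modified."""
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("new", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    return sorted(findings, key=lambda finding: finding[1])


def demo() -> list:
    """Constructed scenario: a tiny fake install, then two tampering events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "confluence"
        app.mkdir()
        (app / "login.jsp").write_text("<%-- legitimate page --%>\n")
        (app / "errors.jsp").write_text("<%-- legitimate page --%>\n")
        (app / "styles.css").write_text("body {}\n")  # not a server page, ignored
        baseline = build_baseline(root)

        # 1) A page that was never part of the install appears.
        (app / "z.jsp").write_text("<%-- file not present in the baseline --%>\n")
        # 2) A legitimate page is overwritten in place.
        (app / "errors.jsp").write_text("<%-- legitimate page --%><%-- appended --%>\n")
        return find_unexpected_pages(root, baseline)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:<9}{rel}")
```

Hash comparison rather than modification-time comparison is deliberate: an attacker who alters access logs will also happily reset file timestamps, but cannot make a changed file hash to its original value.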
CISA warns over software flaws in industrial control systems
The US Cybersecurity and Infrastructure Security Agency (CISA) warned organizations to check for recently disclosed vulnerabilities affecting operational technology (OT) devices, which should be, but are not always, isolated from the internet. OT covers the hardware and software that monitors and controls physical processes, including industrial control systems (ICS), and these systems are increasingly connected to corporate networks and the internet.
Researchers at Forescout found a set of ICS vulnerabilities that CISA covered in five advisories:
- ICSA-22-172-02: JTEKT TOYOPUC
- ICSA-22-172-03: Phoenix Contact Classic Line Controllers
- ICSA-22-172-04: Phoenix Contact ProConOS and MULTIPROG
- ICSA-22-172-05: Phoenix Contact Classic Line Industrial Controllers
- ICSA-22-172-06: Siemens WinCC OA
Forescout also released its report "OT:ICEFALL", which covers common security issues in OT software. The bugs affect devices from Honeywell, Motorola, Siemens, and others. Threat actors could use these vulnerable OT devices to disrupt operations or as a foothold from which to move laterally to other systems.
CVSS score: 7.2/10🔥
Industry: Multiple industries
Key takeaway: The report's common faults come with mitigations that asset owners and defenders should apply:
- Discover and inventory vulnerable devices
- Restrict external communication paths and contain vulnerable devices until they can be patched, or permanently if they cannot be
- Monitor all network traffic for suspicious activity that tries to exploit insecure-by-design functionality
- Track the patches that affected device vendors release over time and keep a remediation plan for your inventory of vulnerable assets
- Actively procure secure-by-design variants of products
- Require physical mode switches on controllers to be set before dangerous engineering operations can be performed
- Work toward consequence reduction by following Cyber-PHA (cyber process hazard analysis) and CCE (Consequence-driven Cyber-informed Engineering) methodologies
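To make the "restrict external communication paths" and "monitor all network traffic" items concrete, here is an added Python example (written for this article, not code from CISA, Forescout or any device vendor) that audits flow records for control-protocol traffic reaching a controller subnet from anywhere other than the designated engineering workstations. Because the protocols in question are insecure by design, reaching the port from an unexpected host is itself the finding; no exploit needs to be recognized. The zone subnets, the port-to-protocol table and the sample flow lines are all assumptions constructed for the demo.

```python
"""Flag control-protocol flows to OT controllers from outside the allowed path.

Added example; zone layout, ports and flow records are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone model: controllers live in OT_ZONE and only the engineering
# workstation subnet may talk to them on control ports. Anything else in
# ENTERPRISE_ZONE is ordinary corporate IT; everything outside it is external.
OT_ZONE = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_ZONE = ipaddress.ip_network("10.30.0.0/28")
ENTERPRISE_ZONE = ipaddress.ip_network("10.0.0.0/8")

# TCP ports of common unauthenticated control protocols (assumed table).
CONTROL_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def classify(flow: Flow):
    """Return (severity, detail) for a flow that violates the zone model, else None."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst not in OT_ZONE or flow.dport not in CONTROL_PORTS:
        return None  # not control traffic to a controller
    if src in ENGINEERING_ZONE:
        return None  # the one permitted communication path
    target = f"{flow.src} -> {flow.dst}:{flow.dport} ({CONTROL_PORTS[flow.dport]})"
    if src in OT_ZONE:
        # Peer traffic inside the zone may be legitimate, but it is also what
        # lateral movement from a compromised controller looks like.
        return ("medium", f"{target}: controller-to-controller traffic, review for lateral movement")
    origin = "enterprise" if src in ENTERPRISE_ZONE else "external"
    return ("high", f"{target}: control protocol reached from {origin} host")


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, int(dport), proto)


def audit(lines) -> list:
    """Run classify() over flow-log lines, skipping blanks and '#' comments."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        finding = classify(parse_flow_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed records, not a real capture.
SAMPLE_FLOWS = """\
# src          dst        proto dport
10.30.0.5      10.20.0.10 tcp   502
10.20.0.11     10.20.0.10 tcp   502
10.50.7.3      10.20.0.10 tcp   502
203.0.113.9    10.20.0.12 tcp   102
10.50.7.3      10.20.0.10 tcp   443
""".splitlines()


if __name__ == "__main__":
    for severity, detail in audit(SAMPLE_FLOWS):
        print(f"[{severity}] {detail}")
```

Run against exported NetFlow or firewall logs in the same four-column shape, the "high" findings are the external communication paths to cut, and the list of distinct destination addresses seen on control ports doubles as a first pass at the device inventory the report asks for.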
About Digital Hands
As a new kind of MSSP, Digital Hands is how organizations are getting ahead of the bad guys in a world where compliance alone is no guarantee of protection. Too many companies invest in cybersecurity solutions, follow the recommendations, achieve compliance … and then still get breached. You’ve got to get to your exposures before the bad guys do.