3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022
Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.
Popular attacks for a trio of critical vulnerabilities kept exploitation at the top of the list of initial-access methods in 2022, while the war between Russia and Ukraine resulted in an unprecedented volume of attacks from a specific group of threat actors.
That’s according to the annual M-Trends report from Google Cloud’s Mandiant, published on April 18, which highlights that a few global incidents can dramatically affect the overall threat landscape.
The volume of attacks used in the Russia-Ukraine conflict, for example, resulted in the government sector’s rise to the top of the list of targeted industries, accounting for 25% of all attacks investigated by Mandiant, up from 9% in 2021, when government agencies ranked sixth on the list. Meanwhile, about 36% of incidents investigated by Mandiant included the use of software exploits, with four out of every nine of those attacks targeting a vulnerable version of Log4j, the open source logging library.
Significant events — such as the Log4j patch effort — can have massive, albeit temporary, effects on the threat landscape, says Luke McNamara, a principal analyst with Mandiant.
“You have this … massive spike in these methods as the initial infection vector, but a lot of it was … the impact of one singular incident,” he says, comparing the impact to the surge in supply chain attacks in 2021 due to the compromise of SolarWinds. “It’s not necessarily indicative that this is going to be a large-scale trend that we’re gonna see more and more of, but just something that impacts the threat activity for that given year.”
Similarly, Russia’s war against Ukraine had a dramatic impact on the threat landscape for more than a year, Google Cloud stated in the report. A cyber-espionage group, UNC2589, and another group linked to Russian military intelligence, APT28, conducted extensive information collection and disinformation operations prior to Russia’s February 2022 invasion of Ukraine. Now the threat groups appear to alternate information gathering and espionage campaigns with destructive attacks.
In the first four months of the war, the Mandiant group recorded more destructive attacks against Ukrainian organizations than in the previous eight years, according to the report.
“The invasion of Ukraine represents one of the first instances in which a major cyber power has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations,” the Mandiant report stated. “Mandiant has never observed threat actor activity that matches the volume of attacks, variety of threat actors, and coordination of effort as was seen during the first months following the invasion by Russia.”
A Few Good Flaws
Those attacks — and the threat landscape more generally — relied on a handful of initial access methods. Overall, 80% of the incidents investigated by Mandiant began with a software exploit, a phishing attack, stolen credentials, or a prior compromise, the report stated. The exploitation of known vulnerabilities was the most popular initial access vector, accounting for 32% of incidents where the initial compromise could be determined, while phishing accounted for 22% and stolen credentials for 14%.
Exploits accounted for about a third of initial attacks, with more than 80% enabled by three vulnerabilities. Source: M-Trends 2023
Among exploits, three vulnerabilities made up the lion’s share of the attacks. The primary vulnerability in Log4j (CVE-2021-44228) accounted for the largest portion (44%) of known exploits, but along with two other vulnerabilities — one affecting F5’s Big-IP (CVE-2022-1388) and another affecting VMware’s Workspace One Access and Identity Manager (CVE-2022-22954) — the trio accounted for nearly 90% of exploits.
Because all three vulnerabilities are often accessible remotely, attackers scan for them regularly, McNamara says.
“Targeting and exploiting perimeter devices that are accessible via the internet — things like firewalls, virtualization solutions, VPN — those are highly sought after targets for attackers,” he says. “We saw this with Ukraine because [threat groups] leverage a lot kind of ‘living on the edge,’ as we put it, where they’ve used edge and perimeter network devices to come back in when they’ve been kicked out multiple times from a given organization.”
More External Detections, Less Dwell Time
In another trend, the share of incidents discovered internally shrank in 2022, with 37% of incidents detected by the targeted company and 63% of incidents disclosed to the target by a third party. The share of incidents not detected by a company’s internal security teams has grown in every geography, slowly in the Americas, but much more quickly in the Asia-Pacific (APAC) and the Europe, Middle East, and Africa (EMEA) regions.
Yet despite the more significant role played by third parties in attack detection, dwell time has decreased to 16 days in 2022, down from 21 in 2021. The debate is whether the decrease is due to defenders detecting attacks more quickly or attackers ending an attack with a destructive — and obvious — payload, Google Cloud’s McNamara says.
“Really, the last two, three, four years, we’ve seen more and more disruptive activity, as the extortion space has become more multifaceted,” he says. “Trying to kind of tease out how much of that is due to organizational maturity — organizations are getting better at catching threat actors — and how much of it is due to … the nature of the activity itself is difficult.”
However, while the median dwell time is 16 days, ransomware investigations are only seeing a median dwell time of nine days, whereas it’s 17 days for non-ransomware investigations.
The cyber conflict between Russia and Ukraine also impacted the dwell time, according to Mandiant’s report, as external intelligence agencies and companies notified Ukrainian organizations of breaches.
“The increase in external notification observed in 2022 is likely impacted by Mandiant’s investigative support of cyber threat activity which targeted Ukraine and an increase in proactive notification efforts,” the report stated. “Proactive notifications from security partners enable organizations to launch response efforts more effectively.”