Monthly Advisory • 3 MIN READ
March Threat Advisory – Top 5
by Eleanor Barlow • Mar 2022
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of March 2022.
Privileges Escalation Bug Known as Dirty Pipe, Targeting Linux Systems
Threat Reference: Global
Risks: Privilege Escalation
Advisory Type: Threats
Priority: Elevated
New Linux Privileges escalation bug known as Dirty Pipe (CVE-2022-0847) can allow a local user to access root privileges. Successful exploitation of this vulnerability permits a non-privileged user to inject their own data into sensitive read-only files, which will allow an attacker to remove restrictions or modify configurations to provide greater access. For example, the attacker can overwrite the /etc/password file and easily modify or erase root user password, which in turn will allow an attacker to gain root privileged account by simply executing the ‘sub root’ command.
Recommendation
It is recommended to update Linux kernels to the latest available versions.
Cyberattack on Ukraine Authorities Utilizing Bitdefender Update Package as Lure
Threat Reference: Global
Risks: Malware, Phishing
Advisory Type: Threats
Priority: Standard
Ukraine government authorities are receiving an email disguised as state bodies of the Ukraine with instructions on improving the level of information security. Later this file downloads multiple other files, one of them being Cobalt Strike Beacon, which compromises the victim.
Recommendations
• Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
• Provide phishing awareness training to your employees/contractors.
• Keep Anti-malware solutions at the endpoint and network-level always updated.
• Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.
Gh0stCringe RAT Targeting SQL and MySQL Servers
Threat Reference: Global
Risks: Remote Access Trojan (RAT)
Advisory Type: Threats
Priority: Standard
Gh0stCringe also known as CirenegRAT is a remote access trojan continuously exploiting misconfigured vulnerable MSSQL and MYQL servers with weak account credentials.
Once compromised RAT deploys an executable file and after successful exploitation it establishes a connection with the C2 (command and control) server to receive commands from the attacker.
Recommendations
- Deploy Endpoint Detection & Response (EDR) tools to detect latest malwares and suspicious activities on endpoints.
- Update the Anti-malware solutions at endpoint and perimeter level solutions to include the given IOCs.
- Analyze Endpoint solutions – EDR, AV, Email Anti-malware solution logs for the presence of mentioned IOCs.
LAPSUS$ Extorsion Group Claimed to Have Breached Authentication Services Company
Threat Reference: Global
Risks: Credential Compromise, Account Takeover
Advisory Type: Threats
Priority: Elevated
Extorsion group LAPSUS$ have posted the evidence of having ‘super user’ access to a company’s internal IT services. The attacker group claims to have access to multiple services as per the screen shots shared on telegram. LAPSUS$ claims that they did not breach the targets databases but targeted the customers.
Recommendation
Perform Threat Hunting for suspicious user activities.
Ragner Locker Ransomware APT Group Targeting Critical Sectors
Threat Reference: Global
Risks: Ransomware
Advisory Type: Threats
Priority: Elevated
Security researchers identified that Ragnar Locker Ransomware APT group infected critical sectors including manufacturing, energy, financial services, government, and information technology by RagnarLocker ransomware.
Recommendations
- Deploy Endpoint Detection & Response (EDR) tools to detect latest malware and suspicious activities on endpoints.
- Update the Anti-malware solutions at endpoint and perimeter level solutions to include the mentioned IOCs.
- Analyse Endpoint solutions – EDR, AV, Email Anti-malware solution logs for the presence of mentioned IOCs.
Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here.
Or if you suspect a security incident, you can report an incident here.