Monthly Advisory
April Threat Advisory - Top 5
by Eleanor Barlow • Apr 2022
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of April 2022.
Credit to SecurityHQ team members: Devendra Bendre, Harsh Gajbhiya, Mandeep Sheoran, Geethu Krishna G
Zero-Day Privilege Escalation Vulnerability Affecting Windows Version of 7-Zip.
Threat Reference: Global
Risks: Privilege Escalation
Advisory Type: Zero-Day Exploits
Priority: Elevated
Security researchers observed a recently published zero-day vulnerability in 7-Zip that allows an attacker to perform privilege escalation and command execution on Windows machines running 7-Zip version 21.07. It is exploitable because of a misconfiguration of 7z.dll combined with a heap overflow.
Publicly Available POCs can be found below:
https[://]github.com[/]tiktb8/CVE-2022-29072
https[://]github.com[/]kagancapar/CVE-2022-29072
Recommendations
- It is recommended to keep all devices and software updated to their latest versions.
- Monitor your IT infrastructure 24×7 for suspicious activities.
- It is recommended to keep anti-malware solutions at endpoints, and IPS signatures at the network level, always updated.
Google Released a Patch for Zero-Day Vulnerability (CVE-2022-1364) in Chrome, Exploited in the Wild.
Threat Reference: Global
Risks: Zero Days
Advisory Type: Updates/Patches
Priority: Standard
Google has released Chrome version 100.0.4896.127 for Windows, Mac, and Linux to fix a high-severity type confusion vulnerability in V8 (CVE-2022-1364) that is being exploited in the wild.
Recommendation
- It is recommended to update Google Chrome to the latest available versions/patch level.
Apache Released Update to Fix RCE Vulnerability in Struts.
Threat Reference: Global
Risks: Remote Code Execution
Advisory Type: Updates/Patches
Priority: Standard
Apache has fixed a critical remote code execution vulnerability in Struts, tracked as CVE-2021-31805 and carrying a CVSS score of 9.8. Successful exploitation allows an attacker to execute code remotely on the victim's system.
Affected versions: Struts 2 versions from 2.0.0 up to and including 2.5.29.
Recommendations
- It is recommended to update Apache Struts to the latest available version, 2.5.30 or greater.
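The Chrome and Struts advisories above both give concrete version thresholds, which is what an asset-inventory check needs. The following Python script is an added example, not part of the SecurityHQ advisory, that applies those thresholds (Struts 2 from 2.0.0 up to and including 2.5.29 is affected, fixed in 2.5.30; Chrome fixed in 100.0.4896.127) to a constructed software inventory. The host names, inventory records and the `check_inventory` helper are assumptions for illustration, and treating every Chrome build older than the fixed release as unpatched is also an assumption, since the advisory names only the fixed version. Versions are compared numerically, which matters here because a lexical string comparison would wrongly rank 2.5.9 above 2.5.30.

```python
import re

# Added example: flag inventory entries whose versions fall inside the
# affected ranges stated in the advisory. Sample data is constructed.


def parse_version(text):
    """Split a dotted version string into a tuple of ints so that comparison
    is numeric (2.5.9 < 2.5.30) rather than lexical ("2.5.9" > "2.5.30")."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version components in {text!r}")
    return tuple(int(p) for p in parts)


def _aligned(a, b):
    """Right-pad the shorter tuple with zeros so 2.5 and 2.5.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a, b):
    """True when version string a is strictly older than version string b."""
    pa, pb = _aligned(parse_version(a), parse_version(b))
    return pa < pb


def version_between(v, low, high):
    """True when low <= v <= high, inclusive at both ends."""
    return not version_lt(v, low) and not version_lt(high, v)


# (product name as it appears in the inventory, reference, affected predicate, fix)
RULES = [
    ("Apache Struts 2", "CVE-2021-31805",
     lambda v: version_between(v, "2.0.0", "2.5.29"),      # range from the advisory
     "upgrade to Struts 2.5.30 or later"),
    ("Google Chrome", "CVE-2022-1364",
     lambda v: version_lt(v, "100.0.4896.127"),            # assumption: older than fixed build
     "update Chrome to 100.0.4896.127 or later"),
]

# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("web-01", "Apache Struts 2", "2.5.29"),       # last affected release
    ("web-02", "Apache Struts 2", "2.5.30"),       # fixed release
    ("web-03", "Apache Struts 2", "2.5.9"),        # affected; lexical compare would miss it
    ("ws-07", "Google Chrome", "100.0.4896.88"),   # older than the fixed build
    ("ws-08", "Google Chrome", "100.0.4896.127"),  # fixed build
    ("ws-09", "Google Chrome", "101.0.0.0"),       # constructed newer build
]


def check_inventory(inventory, rules=RULES):
    """Return (host, product, version, reference, remediation) for every
    inventory record whose version satisfies a rule's affected predicate."""
    findings = []
    for host, product, version in inventory:
        for name, reference, is_affected, fix in rules:
            if product == name and is_affected(version):
                findings.append((host, product, version, reference, fix))
    return findings


if __name__ == "__main__":
    for host, product, version, reference, fix in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} affected by {reference}; {fix}")
```

The same rule table can be extended with any other advisory that states a version range; the point of `parse_version` is that ranges are evaluated component by component rather than as strings.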
Mirai Botnet Infecting Vulnerable Web Servers by Exploiting Spring4shell Vulnerability
Threat Reference: Global
Risks: Malware
Advisory Type: Threat
Priority: Standard
Researchers have observed that attackers are actively exploiting the Spring4Shell vulnerability on vulnerable web servers to deploy the Mirai botnet. Spring4Shell is tracked as CVE-2022-22965 and carries a CVSS score of 9.8. Successful exploitation allows an attacker to install the Mirai botnet malware on the web server.
Recommendations
- It is recommended to update Spring Framework to the latest available version.
- Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.
- Update anti-malware solutions at the endpoint and perimeter level to include the given IOCs.
- Analyze endpoint solution logs (EDR, AV, email anti-malware) for the presence of the mentioned IOCs.
Threat Actors Targeting Energy Sectors ICS/SCADA Devices
Threat Reference: Global
Risks: Potential Threat
Advisory Type: Threat
Priority: Standard
Security researchers discovered that threat actors are targeting the energy sector with custom tools built for ICS/SCADA devices. These tools can scan for, compromise and control affected devices, and gain access to the operational technology (OT) network.
Threat actors can also compromise workstations in Information Technology or OT environments, and the toolset can additionally exploit an ASRock motherboard driver with known vulnerabilities.
Recommendations
- Monitor your IT infrastructure 24/7 for suspicious activities.
- It is recommended to keep anti-malware solutions at endpoints and IPS signatures at the network level always updated.
- It is recommended to keep all devices and software updated to their latest versions.
Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here.