Top 10 Emerging Cyber Threats of 2022


Year after year, cyber threat actors come up with new techniques and malware for their malicious operations. As expected from the recent trends in the cyber threat landscape, we observed a significant rise in cyber attacks and new threats in 2022. From zero-day vulnerabilities and new ransomware variants to advanced persistent threat campaigns, cybercriminals have been continuously innovating to evade security measures. As always, Picus Labs swiftly added attack simulations to Picus Threat Library for these new threats as they were discovered.

In this article, we list the top 10 threats observed in 2022. You can simulate these threats, and validate and improve your security controls against them, with the Picus Complete Security Validation Platform.

Start your 14-day Free Trial: Validate your security controls against the top threats of 2022!

1. The LAPSUS$ Group 

LAPSUS$ (DEV-0537) is a cyber-extortion threat group tracked back to December 2021. Although the group first targeted organizations in the United Kingdom and South America, it soon started to exfiltrate data from various organizations and demand money, threatening to disclose sensitive organizational data to the public.

In March 2022, the threat group published a recruitment post looking for insiders with VPN access to telecommunication companies, gaming corporations such as Microsoft, Apple, EA, IBM, and server hosts [1]. Victim statistics show that the group was successful in targeting those companies. In mid-February 2022, the LAPSUS$ threat group targeted NVIDIA, exfiltrating one terabyte of sensitive data, including designs of NVIDIA graphics cards, the source code of an NVIDIA AI rendering system called DLSS, and valid account credentials of 71,000 employees [2].

In March 2022, Vodafone suffered a data breach in which the LAPSUS$ threat group allegedly stole 200 GB of source code contained in 5,000 GitHub repositories [3].

Although the group has carried out many successful data exfiltration campaigns, it is best known for its Rockstar Games and Uber [4] attacks. In September 2022, a few days before the Rockstar Games attack [5], an 18-year-old member of the LAPSUS$ threat group launched a multi-factor authentication (MFA) fatigue attack, overwhelming an Uber employee with text messages and tricking them into accepting an MFA prompt, which gave the attacker VPN access to Uber's internal network. Once inside, the attacker conducted internal reconnaissance and discovered a shared network folder containing PowerShell scripts that held administrative credentials for a privileged access management (PAM) tool. The attacker then used these credentials to gain access to Uber's critical systems, such as the Sentinel incident response platform, Google Cloud Platform, AWS, Duo, OneLogin, and Slack.
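The MFA fatigue pattern described above (a burst of push prompts, repeated denials, then an approval) is something an identity team can hunt for in IdP logs. The following detector is an added example, not Picus code or Uber's actual telemetry; the log format (timestamp, user, event) and the sample lines are constructed, so the parser has to be adapted to a real IdP export.

```python
"""Flag MFA push-fatigue patterns in authentication logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event>" per line.
# Real IdPs (Duo, Okta, Azure AD, ...) use different fields; adapt parse_log().
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent
2022-09-15T22:01:20Z alice push_denied
2022-09-15T22:01:41Z alice push_sent
2022-09-15T22:01:55Z alice push_denied
2022-09-15T22:02:10Z alice push_sent
2022-09-15T22:02:30Z alice push_sent
2022-09-15T22:02:45Z alice push_denied
2022-09-15T22:03:05Z alice push_sent
2022-09-15T22:03:30Z alice push_approved
2022-09-15T22:05:00Z bob push_sent
2022-09-15T22:05:15Z bob push_approved
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), max_pushes=3):
    """Return {user: finding} for users who received more than max_pushes
    push prompts inside any sliding window of length `window`.

    The finding records how many denials occurred and whether an approval
    came after a denial, the strongest signal that the user eventually gave in."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))

    findings = {}
    for user, evs in by_user.items():
        pushes = [ts for ts, ev in evs if ev == "push_sent"]
        # Sliding window over push timestamps: largest count within `window`.
        start, peak = 0, 0
        for end in range(len(pushes)):
            while pushes[end] - pushes[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak <= max_pushes:
            continue
        denials = sum(1 for _, ev in evs if ev == "push_denied")
        seen_denial = approved_after_denial = False
        for _, ev in evs:
            if ev == "push_denied":
                seen_denial = True
            elif ev == "push_approved" and seen_denial:
                approved_after_denial = True
        findings[user] = {"pushes_in_window": peak, "denials": denials,
                          "approved_after_denial": approved_after_denial}
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

A finding with approved_after_denial set is the case to escalate first: the session that followed that approval should be treated as suspect until the user confirms the prompt was theirs.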

Using the Picus Continuous Security Validation Platform, you can test your security controls against the LAPSUS$ attacks. Picus Threat Library includes the following threats to simulate attacks and malicious tools used by the LAPSUS$ group.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 45493 | Lapsus Threat Group Campaign Malware Download Threat | Network Infiltration |
| 35139 | Lapsus Threat Group Campaign Malware Email Threat | Email Infiltration |

To learn about the Tactics, Techniques and Procedures (TTPs) leveraged by LAPSUS$ threat group, visit our blog.

2. F5 BIG-IP RCE Vulnerability (CVE-2022-1388)

On May 18th, 2022, two government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC), published a joint advisory warning about a security vulnerability (CVE-2022-1388) affecting F5 BIG-IP products [6]. 

"/mgmt/tm/util/bash" is a service in F5 BIG-IP that allows users to run arbitrary commands as the root user of BIG-IP, without requiring a password or authentication. As no authentication is needed, an unauthenticated adversary with network access to affected F5 BIG-IP products can execute arbitrary code on the systems with elevated privileges, giving the adversary complete control over the affected products.

Considering that 48 of the Fortune 50 companies use F5 products, and given the vulnerability's high CVSSv3 base score (9.8), CVE-2022-1388 is expected to appear in attack campaigns as part of the attack life cycle.

We also strongly suggest simulating the CVE-2022-1388 vulnerability to test the effectiveness of your security controls, such as Web Application Firewalls (WAF), Intrusion Prevention Systems (IPS), and NGFWs, against F5 BIG-IP RCE attacks using the Picus Complete Security Validation Platform.

Picus Threat Library includes the following threats for the CVE-2022-1388 vulnerability: 

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 97569 | F5 Web Attack Campaign | Web Application |

To learn more about how adversaries exploit the CVE-2022-1388 vulnerability, visit our blog.

3. BlackByte Ransomware

On February 15th, 2022, the FBI and US Secret Service (USSS) issued a joint advisory on a Ransomware-as-a-Service (RaaS) operator, BlackByte ransomware [7]. BlackByte is not a single variant but a collective name for the ransomware variants that the BlackByte group provides as a service. The group is tracked back to July 2021 and mainly exploits vulnerabilities in public-facing servers, such as the ProxyShell vulnerabilities in Microsoft Exchange Server, to gain a foothold on the target network.

The BlackByte ransomware is known for checking whether Cyrillic is installed as a keyboard language, to avoid attacking systems that use Russian or other former Soviet republic languages. However, the keyboard layout is a configurable option, and installing an additional Cyrillic, Russian or Ukrainian keyboard may not always protect users from this ransomware. For instance, in one analysis, malware researchers came across a BlackByte variant that encrypted their Russian machine [8].

In older versions, the group used a hard-coded RSA public key that could serve as a fallback if the command and control servers were down. In newer versions, however, encryption proceeds without any communication with external IP addresses, indicating that the threat actors have moved away from keys hosted on retrievable infrastructure [9]. After the encryption phase, BlackByte leaves a ransom note, and the encrypted files are appended with the ".blackbyte" extension.

Using the Picus Continuous Security Validation Platform, you can test your security controls against the BlackByte ransomware. Picus Threat Library includes the following threats to simulate BlackByte ransomware.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 87523 | BlackByte Ransomware Campaign 2021 | Windows Endpoint |
| 65501 | BlackByte Ransomware Download Threat | Network Infiltration |
| 51353 | BlackByte Ransomware Email Threat | Email Infiltration |

To learn more about the attack life-cycle of the BlackByte ransomware, visit our blog.

4. WhisperGate Wiper Malware

On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) published a report indicating that a nation-state cyber-espionage group known as DEV-0586 had been conducting malicious operations against Ukrainian organizations using the destructive malware WhisperGate [10]. In 2022, from the very early stages of the Russo-Ukrainian war, the Russian threat group has been running attack campaigns against Ukrainian targets, paralyzing many Ukrainian organizations [11].

WhisperGate wiper is a two-stage malware that misrepresents itself as ransomware. The initial access vector for the malware is currently unknown, but it is suspected to be a supply chain attack. 

In the first stage, WhisperGate malware specifically targets the Master Boot Record (MBR) of the infected system. The malware overwrites the MBR with a phony ransom note, thereby rendering the system unbootable. As the MBR is the first sector of the hard drive and contains the boot loader, the malware bricks the target system [12].

In the final stage, WhisperGate targets specific files and directories, overwriting their contents with a sequence of 0x100000 bytes of 0xCC and renaming them [13]. This effectively destroys the files, making them impossible to open or recover.
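A forensic triage scanner for the corruption pattern just described, added here as an example (not Picus code or a WhisperGate artifact): it flags files whose leading bytes are a solid run of 0xCC, checking min(file size, 0x100000) bytes so that files smaller than the run, which end up overwritten entirely, are caught as well. The sample directory and its file names are constructed.

```python
"""Triage scan for WhisperGate-style file corruption (constructed example)."""
import os
import tempfile

CC_RUN = 0x100000      # the article's figure: 0x100000 bytes of 0xCC per file
CHUNK = 64 * 1024      # read size, so large files are not loaded whole


def looks_wiped(path, run_len=CC_RUN, min_size=16):
    """True if the first min(size, run_len) bytes of `path` are all 0xCC.

    Very small files are skipped (min_size) because a handful of 0xCC bytes
    can occur legitimately, e.g. x86 int3 padding at the start of a code stub."""
    size = os.path.getsize(path)
    if size < min_size:
        return False
    remaining = min(size, run_len)
    with open(path, "rb") as f:
        while remaining:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk or chunk != b"\xcc" * len(chunk):
                return False
            remaining -= len(chunk)
    return True


def scan_tree(root):
    """Return the sorted, root-relative paths of files that look wiped."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if looks_wiped(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a large wiped file (only its first MiB overwritten),
    a small file overwritten entirely, and one intact file."""
    root = tempfile.mkdtemp(prefix="wg_triage_")
    with open(os.path.join(root, "report.docx.ab12"), "wb") as f:
        f.write(b"\xcc" * CC_RUN + b"original bytes beyond the overwritten run")
    with open(os.path.join(root, "notes.txt.cd34"), "wb") as f:
        f.write(b"\xcc" * 4096)
    with open(os.path.join(root, "intact.txt"), "wb") as f:
        f.write(b"quarterly figures\n" * 100)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_tree(sample_root):
        print("wiped:", hit)
```

Bytes past the 0x100000 run in a large file are still the original data, which is why the scanner reports the file rather than deleting it: partial recovery of the tail may be worthwhile during incident response.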

Picus Continuous Security Validation Platform tests your security controls against WhisperGate malware variants and suggests related prevention methods. Picus Threat Library includes the following threat template for the WhisperGate wiper:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 98285 | WhisperGate MBR Wiper Download Threat | Network Infiltration |
| 79415 | WhisperGate MBR Wiper Downloader Download Threat | Network Infiltration |
| 55624 | DEV-0586 Threat Group Campaign Malware Download Threat | Network Infiltration |
| 65338 | DEV-0586 Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 57406 | WhisperGate MBR Wiper Email Threat | Email Infiltration |
| 38254 | WhisperGate MBR Wiper Downloader Email Threat | Email Infiltration |
| 24352 | DEV-0586 Threat Group Campaign Malware Email Threat | Email Infiltration |
| 89308 | DEV-0586 Threat Group Campaign Malware Downloader Email Threat | Email Infiltration |

To learn about the Tactics, Techniques and Procedures (TTPs) used by WhisperGate actors, visit our blog.

5. Microsoft Office Word Follina Vulnerability (CVE-2022-30190) 

On May 27th, 2022, a malicious Microsoft Office Word file that leverages a zero-day remote code execution vulnerability (dubbed Follina) was discovered and submitted to VirusTotal [14]. 

This vulnerability can be exploited even if macros are disabled or the malicious document is opened in Protected View. Follina was assigned the identifier of CVE-2022-30190; it has a CVSS severity rating of 7.8 out of 10. 

The malicious Word document contains an external reference to a remote HTML file. Because this file contains a script that spawns the Microsoft Support Diagnostic Tool (ms-msdt) process to execute PowerShell commands, Microsoft named this vulnerability "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability" [15].
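The external reference described above lives in the document's relationship part, so it can be found without opening the file in Word. The scanner below is an added example, not Picus or Microsoft code: it unpacks the .docx (a ZIP), reads word/_rels/document.xml.rels, and reports oleObject relationships marked TargetMode="External" that point at an HTTP(S) URL. The minimal sample document it builds is constructed; real samples may use other tricks, so treat this as triage, not a complete detection.

```python
"""Find external OLE object references in a .docx (constructed example)."""
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML package-relationships namespace and the main document's rels part.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/document.xml.rels"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_refs(docx_bytes):
    """Return (relationship type suffix, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return found
        root = ET.fromstring(z.read(RELS_PART))
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue
        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
        found.append((rtype, rel.get("Target", "")))
    return found


def suspicious_refs(docx_bytes):
    """External oleObject relationships fetched over HTTP(S): the shape of the
    remote-HTML reference the article describes."""
    return [(t, tgt) for t, tgt in external_refs(docx_bytes)
            if t == "oleObject" and tgt.lower().startswith(("http://", "https://"))]


def build_sample_docx(ole_target):
    """Constructed minimal .docx whose only notable content is one external
    oleObject relationship pointing at `ole_target`."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" Target="{ole_target}" '
        'TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a reserved placeholder domain, not a real host.
    sample = build_sample_docx("http://example.invalid/page.html")
    print(suspicious_refs(sample))
```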

We also strongly suggest simulating Microsoft Office Follina vulnerability exploitation attacks to assess the effectiveness of your security controls using the Picus Complete Security Validation Platform.

Picus Threat Library includes the following threats for the Microsoft Office Follina vulnerability:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 71494 | Microsoft Support Diagnostics Tool (MSDT) Attack Campaign (CVE-2022-30190) | Windows Endpoint |
| 23559 | MSDT Compatibility Troubleshooter Vulnerability Threat | Network Infiltration |
| 43958 | MSDT Compatibility Troubleshooter Vulnerability Threat | Email Infiltration |

To learn more about the Microsoft Office CVE-2022-30190 Follina Vulnerability, visit our blog.

6. Linux "Dirty Pipe" Vulnerability (CVE-2022-0847)

On March 7, 2022, a security vulnerability called Dirty Pipe (CVE-2022-0847) was discovered by Max Kellermann of CM4All in Linux kernel version 5.8 and newer [16]. The Dirty Pipe vulnerability allows attackers with unprivileged access to the target system to modify read-only or immutable files and escalate privileges to root [17]. It has been rated a high-severity vulnerability with a CVSS score of 7.8 [18].

In a typical exploitation chain, an adversary creates a pipe and writes arbitrary data into it, which sets the PIPE_BUF_FLAG_CAN_MERGE flag to 1 on all of its buffers. Next, the adversary drains the pipe; because of the vulnerability, the flag is not reset and remains 1. The attacker then splices a read-only file into the pipe using the splice() system call. Finally, because the flag is still set, the adversary can write through the pipe and overwrite the read-only file.

Using the Dirty Pipe vulnerability, an adversary with limited access can gain higher privileges on the target system. 

Picus Labs advises you to simulate the Dirty Pipe vulnerability exploitation attack and determine the effectiveness of your security controls against it.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 26581 | Linux Kernel Dirty Pipe Elevation of Privilege Vulnerability Threat | Network Infiltration |
| 49377 | Linux Kernel Dirty Pipe Elevation of Privilege Vulnerability Threat | Email Infiltration |

To see how Picus Continuous Security Validation Platform simulates a Dirty Pipe attack, visit our blog.

7. Atlassian Confluence Zero-Day Vulnerability (CVE-2022-26134)

On June 2, 2022, Atlassian released a security advisory for a critical vulnerability, identified as CVE-2022-26134, which affects Atlassian Confluence Server and Data Center [19]. The vulnerability has a critical CVSS score of 9.8 and allows unauthenticated attackers to remotely execute arbitrary code (RCE) on affected Confluence Server or Data Center installations [20].

Even though Atlassian advises its users to upgrade to the latest Long Term Support release to be protected against the vulnerability [21], CVE-2022-26134 is still being actively exploited in the wild. For instance, in September 2022, adversaries used this vulnerability in Atlassian Confluence servers to install and run crypto miner malware [22] called hezb [23]. In another analysis, malware researchers found a sample that exploits CVE-2022-26134 for crypto mining, specifically Monero [24]. Given the likely number of out-of-date Atlassian Confluence servers, it is probable that we will continue to see CVE-2022-26134 exploited for malicious actions such as Monero mining.

Picus Threat Library includes the following threat for the CVE-2022-26134 vulnerability. We highly recommend testing your Atlassian Confluence servers against this vulnerability.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 58423 | Atlassian Confluence Web Attack Campaign | Web Application |

To learn more about the Atlassian Confluence Server vulnerability, visit our blog.

8. HermeticWiper Destructive Malware 

On February 23rd, 2022, researchers from ESET and Symantec published their findings on a new wiper malware they named HermeticWiper.

HermeticWiper is a type of malware that disguises itself as ransomware (just like WhisperGate), but its main function is to destroy data on infected systems.

The malware gains initial access to its target by exploiting SMB and Tomcat vulnerabilities found in endpoint devices. It then downloads a malicious file using encoded PowerShell commands and sets up scheduled tasks to dump credentials [25]. 

In the second and final stage, HermeticWiper deploys a wiper that damages the Master Boot Record (MBR) and renders the system inoperable. It then drops a phony ransom note. Victims should ignore the message and not pay the ransom, as data cannot be recovered once the MBR is damaged.

Using the Picus Continuous Security Validation Platform, you can test your security controls against the HermeticWiper malware:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 64194 | HermeticWiper Wiper Malware Download Threat | Network Infiltration |
| 54190 | HermeticWiper Wiper Malware Email Threat | Email Infiltration |

To learn about the Tactics, Techniques and Procedures (TTPs) used by HermeticWiper actors, visit our blog.

9. Fortinet Authentication Bypass Vulnerability (CVE-2022-40684) 

On October 22, 2022, Fortinet published the FG-IR-22-377 advisory warning about the CVE-2022-40684 vulnerability, which affects the following products: FortiOS (7.0.0-7.0.6, 7.2.0-7.2.1), FortiProxy (7.0.0-7.0.6, 7.2.0) and FortiSwitchManager (7.0.0, 7.2.0) [26].

The CVE-2022-40684 vulnerability allows an unauthenticated attacker to bypass the authentication process and access the administrative interface. An adversary achieves this by crafting special HTTPS requests that take advantage of an alternate path or channel [27].

Picus Threat Library includes the following threat for CVE-2022-40684 vulnerability: 

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 85726 | FortiOS Web Attack Campaign (Web Application) | Web Application |

For further information and mitigation suggestions, visit our blog.

10. Zeppelin Ransomware 

On August 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory about a new strain of ransomware called Zeppelin [28], which is distributed by a group that operates on a Ransomware-as-a-Service (RaaS) business model.

The Zeppelin group has been tracked back to 2019, when it targeted Russian-speaking users through malvertising. Later, the group started avoiding hosts in Russia and ex-USSR countries. The group is known for using the "double extortion" method, exfiltrating sensitive data from victims to pressure them into paying the ransom.

Victim statistics show that the Zeppelin ransomware group has targeted various sectors, such as defense, education, manufacturing, IT, and healthcare. The group is also known for distributing different variants of ransomware, including Vega, Jamper, Storm, and Buran.

We highly recommend simulating Zeppelin ransomware attacks to evaluate the effectiveness of your security controls against ransomware using the Picus Complete Security Validation Platform.

Picus Threat Library includes the following threats for Zeppelin ransomware:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 90105 | Zeppelin Ransomware Download Threat | Network Infiltration |
| 21938 | Zeppelin Ransomware Email Threat | Email Infiltration |

To learn more about the attack life-cycle of the Zeppelin ransomware, visit our blog.

References

[1] H. C. Yuceel, "The LAPSUS$ Group - A Chaotic Start of Ransomware-free Extortion," Mar. 23, 2022. [Online]. Available: https://www.picussecurity.com/resource/the-lapsus-group-a-chaotic-start-of-ransomware-free-extortion. [Accessed: Jan. 16, 2023]

[2] L. H. Newman, "The Lapsus$ Hacking Group Is Off to a Chaotic Start," WIRED, Mar. 15, 2022. [Online]. Available: https://www.wired.com/story/lapsus-hacking-group-extortion-nvidia-samsung/. [Accessed: Jan. 16, 2023]

[3] P. Paganini, "Vodafone investigates claims of a data breach made by Lapsus$ gang," Security Affairs, Mar. 11, 2022. [Online]. Available: https://securityaffairs.com/128903/cyber-crime/vodafone-investigates-data-breach.html. [Accessed: Jan. 16, 2023]

[4] K. Alspach, "Uber's breach shows how hackers keep finding a way in," Protocol, Sep. 19, 2022. [Online]. Available: https://www.protocol.com/bulletins/uber-breach-hacker-twilio-mfa. [Accessed: Nov. 14, 2022]

[5] A. J. Hawkins, "Uber blames Lapsus$ hacking group for security breach," The Verge, Sep. 19, 2022. [Online]. Available: https://www.theverge.com/2022/9/19/23361511/uber-hack-blame-lapsus-gta-vi-rockstar. [Accessed: Jan. 16, 2023]

[6] "Threat Actors Exploiting F5 BIG-IP CVE-2022-1388." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-138a. [Accessed: Jan. 16, 2023]

[7] "[No title]." [Online]. Available: https://www.ic3.gov/Media/News/2022/220211.pdf. [Accessed: Jan. 16, 2023]

[8] M. Loman, "BlackMatter ransomware emerges from the shadow of DarkSide," Sophos News, Aug. 09, 2021. [Online]. Available: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/. [Accessed: Jan. 17, 2023]

[9] A. Elsad, "Threat Assessment: BlackByte Ransomware," Unit 42, Apr. 21, 2022. [Online]. Available: https://unit42.paloaltonetworks.com/blackbyte-ransomware/. [Accessed: Jan. 17, 2023]

[10] Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU), M. D. T. Intelligence, and M. Detection, "Destructive malware targeting Ukrainian organizations," Microsoft Security Blog, Jan. 16, 2022. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/. [Accessed: Jan. 17, 2023]

[11] C. Nocturnus, "Cybereason vs. WhisperGate and HermeticWiper." [Online]. Available: https://www.cybereason.com/blog/research/cybereason-vs.-whispergate-wiper. [Accessed: Jan. 17, 2023]

[12] H. C. Yuceel, "TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine," Jan. 17, 2022. [Online]. Available: https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine. [Accessed: Jan. 17, 2023]

[13] G. Palazolo, "Netskope Threat Coverage: WhisperGate," Netskope, Jan. 26, 2022. [Online]. Available: https://www.netskope.com/blog/netskope-threat-coverage-whispergate. [Accessed: Jan. 17, 2023]

[14] V. Díaz, "Hunting Follina." [Online]. Available: https://blog.virustotal.com/2022/08/hunting-follina.html. [Accessed: Jan. 18, 2023]

[15] H. C. Yuceel, "Microsoft Office CVE-2022-30190 Vulnerability (Follina) Exploitation," May 30, 2022. [Online]. Available: https://www.picussecurity.com/resource/follina-ms-office-zero-day-vulnerability-exploitation-and-simulation. [Accessed: Jan. 18, 2023]

[16] "The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation." [Online]. Available: https://dirtypipe.cm4all.com. [Accessed: Jan. 18, 2023]

[17] H. C. Yuceel, "Linux 'Dirty Pipe' CVE-2022-0847 Vulnerability Exploitation Explained," Mar. 24, 2022. [Online]. Available: https://www.picussecurity.com/resource/linux-dirty-pipe-cve-2022-0847-vulnerability-exploitation-explained. [Accessed: Jan. 18, 2023]

[18] "NVD - CVE-2022-0847." [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2022-0847. [Accessed: Jan. 18, 2023]

[19] "Confluence Security Advisory 2022-06-02." [Online]. Available: https://confluence.atlassian.com/. [Accessed: Jan. 18, 2023]

[20] S. Ozarslan, "Actively Exploited Atlassian Confluence Zero-Day CVE-2022-26134," Jun. 03, 2022. [Online]. Available: https://www.picussecurity.com/resource/cve-2022-26134-atlassian-confluence-zero-day-vulnerability-exploited. [Accessed: Jan. 18, 2023]

[21] "FAQ for CVE-2022-26134." [Online]. Available: https://confluence.atlassian.com/. [Accessed: Jan. 18, 2023]

[22] "Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware," Trend Micro, Sep. 21, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html. [Accessed: Jan. 18, 2023]

[23] X. T. I. SOCRadar, "Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners," SOCRadar® Cyber Intelligence Inc., Sep. 22, 2022. [Online]. Available: https://socradar.io/threat-actors-exploit-atlassian-confluence-rce-flaw-to-install-crypto-miners/. [Accessed: Jan. 18, 2023]

[24] T. Richabadas, "Threat Spotlight: Continuing attacks on Atlassian Confluence zero day," Journey Notes, Sep. 27, 2022. [Online]. Available: https://blog.barracuda.com/articles/2022/09/28/threat-spotlight-continuing-attacks-on-atlassian-confluence-zero-day/. [Accessed: Jan. 18, 2023]

[25] H. C. Yuceel, "HermeticWiper Destructive Malware Attacks Targeting Ukraine," Feb. 25, 2022. [Online]. Available: https://www.picussecurity.com/resource/hermeticwiper-destructive-malware-attacks-targeting-ukraine. [Accessed: Jan. 18, 2023]

[26] S. Ozeren, "CVE-2022-40684: Fortinet Authentication Bypass Vulnerability Explained," Oct. 18, 2022. [Online]. Available: https://www.picussecurity.com/resource/blog/cve-2022-40684-fortinet-authentication-bypass-vulnerability-explained. [Accessed: Jan. 18, 2023]

[27] "Fortinet Fortigate Authentication Bypass (FG-IR-22-377)." [Online]. Available: https://www.tenable.com/plugins/nessus/165763. [Accessed: Jan. 18, 2023]

[28] "#StopRansomware: Zeppelin Ransomware." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-223a. [Accessed: Jan. 18, 2023]