Unit 42 Threat Intel Bulletin - June
Palo Alto Networks Unit 42
Unit 42 Threat Intelligence & Incident Response. Intelligence Driven. Response Ready.
Cybersecurity Trends
“Sixty-three percent of organizations were breached in the past year …” – Forrester, The 2021 State Of Enterprise Breaches
Unit 42 Threat Intel Blogs
CVE-2022-22954 and Others: VMware Vulnerabilities Exploited in the Wild (Threat Brief, Vulnerability)
On April 6, 2022, VMware published a security advisory covering eight vulnerabilities, including CVE-2022-22954 and CVE-2022-22960, which impact its VMware Workspace ONE Access, Identity Manager and vRealize Automation products. On April 13, VMware updated the advisory to state that CVE-2022-22954 is being exploited in the wild.
Learn more about these vulnerabilities
CVE-2022-1388: Remote code execution vulnerability in the iControl REST component of F5’s BIG-IP product (Threat Brief, Vulnerability)
On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControl REST component of its BIG-IP product, tracked as CVE-2022-1388. Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems. This is a critical vulnerability that needs immediate attention, as it was given a CVSS score of 9.8. Since the release of the advisory, mass scanning for unpatched systems has started, and in-the-wild exploitation has begun.
Discover the details of CVE-2022-1388
Operation Delilah: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Actor (Law Enforcement)
INTERPOL and the Nigeria Police Force announced the arrest of a prominent business email compromise (BEC) actor who has been active since 2015. His apprehension marks the latest success for Operation Delilah, a counter-BEC operation that began in May 2021 and has involved international law enforcement and industry cooperation across four continents.
Learn more about Operation Delilah
A Look into Public Clouds from the Ransomware Actor’s Perspective (Ransomware, Cloud)
Traditional ransomware mainly targets on-premises IT infrastructure but doesn't work well in cloud environments, which is one reason we haven't heard much about ransomware in public clouds. However, ransomware actors could adapt their tactics, techniques and procedures (TTPs) to be more cloud native, and now is a good time for organizations to get ahead of this possibility.
Read about ransomware and the cloud
Emotet Summary: November 2021 Through January 2022 (Malware)
Emotet is one of the most prolific email-distributed malware families in our current threat landscape. Although a coordinated law enforcement effort shut down this malware in January 2021, Emotet resumed operations in November 2021. Since then, Emotet has returned to its status as a prominent threat.
Get more information about Emotet
Threat Rollup
- (APT) Operation RestyLink: APT campaign targeting Japanese companies. (Source: NTT Security)
- (APT) Members of the Five Eyes intelligence alliance warned MSPs and their customers that they're increasingly targeted by supply chain attacks. (Source: CISA)
- (Data Breach) U.S. manufacturing company Parker-Hannifin Corporation has announced a data breach exposing employees’ PII. (Source: Parker-Hannifin Corp.)
- (Ransomware) U.S. agricultural machinery maker AGCO hit by ransomware attack. (Source: AGCO)
- (Ransomware) U.S. State Department offers $15 million for ransomware gang info. (Source: US DoS)
More Information
- Learn More About Unit 42
- Read Unit 42 Blogs & Threat Briefs
- Actionable Threat Object & Mitigations (ATOMS)
Under Attack?
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.
If you have cyber insurance or legal counsel, you can request that Unit 42 serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.