free counter

Spyware activity particularly impactful in July

Arpad Nagy-Bagoly – stock.adobe.

Following a quiet June, vulnerability exploitation ramped up in July, with intrusions associated with spyware seeing unusually high volumes of activity, in accordance with a written report

Alex Scroxton


Published: 04 Aug 2022 11: 22

Developers of mercenary spyware appear to have already been unusually active within their weaponisation of common vulnerabilities and exposures (CVEs) during July 2022 in accordance with research published this week by Recorded Future although whether that’s simply right down to other threat actors being less busy through the summertime remains to be observed.

That is the 3rd monthly vulnerability bulletin made by the threat research team at Recorded Futures Insikt Group the initial was published in June to coincide with the introduction of Microsofts automated patching service for enterprises, which includes taken the sting out of Patch Tuesday for most.

In the years ahead, Recorded Future plans to create its CVE monthly report on the initial Tuesday of each month Patch Tuesday continues to drop on the next Tuesday.

In its latest report, the study team said it had observed exploitation of newly disclosed zero-day vulnerabilities affecting both Microsoft and Google, in both cases to distribute spyware, which it said demonstrated an often close link between top-of-the-line spyware developers and new zero-days.

On 4 July 2022, Google disclosed an actively exploited zero-day vulnerability, CVE-2022-2294, which affects Google Chrome, the team said. As the company didn’t disclose information regarding attacks involving this flaw, it had been shortly before exploitation was reported by others.

Avast threat researchers (who had originally informed Google concerning the vulnerability) released a written report on 21 July 2022, in regards to a campaign where Israeli spyware vendor Candiru exploited CVE-2022-2294 to deploy DevilsTongue spyware.

Spyware was [also] connected with another zero-day vulnerability, this time around for Microsoft. On 12 July 2022, Microsoft disclosed a zero-day vulnerability, CVE-2022-22047, that affects current versions of Windows and Windows Server. This vulnerability was exploited by the Austria-based mercenary threat group Knotweed to distribute its Subzero spyware.

Another vulnerability, CVE-2022-30216, also affects current versions of Windows and Windows Server and contains an extremely high CVSS score because of allowing remote code execution, but we’ve not yet seen exploitation attempts, the researchers said.

On the list of other more impactful vulnerabilities in July 2022 were a remote code execution (RCE) vulnerability in Apache Spark, tracked as CVE-2022-33891 discovered by Databricks researcher Kostya Kortchinsky exploitation which was seen in the wild within 48 hours of disclosure, and an SQL injection vulnerability in the Django Python web framework, tracked as CVE-2022-34265.

July also saw continued high degrees of exploitation of CVE-2022-30190, or Follina, a dangerous zero-click vulnerability in Microsoft Office which, left unchecked, allows a threat actor to execute PowerShell commands without user interaction. Follina was disclosed by the end of May and fixed in the June Patch Tuesday update, but naturally remains unpatched by many.

If we’re able to have predicted any vulnerability to see high-profile exploitation after initial disclosure, it could have already been Follina, said the Recorded Future team.

Affirmed, on 6 July 2022, Fortinet researchers released an analytic report on a phishing campaign using Follina to distribute the Rozena backdoor, a malware which allows attackers to totally dominate Windows systems. Fortinet researchers observed adversaries using Rozena to inject a remote shell connection back again to the attackers machine.

Read more on Hackers and cybercrime prevention

Read More

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button

Adblock Detected

Please consider supporting us by disabling your ad blocker