Emerging Cyber Threats of June 2022

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

The cyber threat landscape expands continuously, and June 2022 was no exception. Picus Labs added attack simulations for new APT groups, critical vulnerabilities, and ransomware campaigns of June 2022 to Picus Threat Library

This blog post lists the top cyber threats observed in June 2022. You can easily test your security controls against each threat with the Picus Complete Security Control Validation Platform.

Simulate Emerging Cyber Threats with 14-Day Free Trial of the Picus Platform

Top Cyber Threats of June 2022

1. Atlassian Confluence CVE-2022-26134 RCE Vulnerability

2. Karakurt Threat Group

3. The BlackCat (ALPHV) Ransomware

4. Aoqin Dragon APT Group

5. Symbiote Malware

1. Atlassian Confluence (CVE-2022-26134) Remote Code Execution Vulnerability

Atlassian issued a security advisory for a critical vulnerability discovered at Atlassian Confluence Server and Data Center that allows an unauthenticated adversary to execute arbitrary code remotely [1]. Active exploitation of the vulnerability by threat actors in the wild led to the discovery of CVE-2022-26134 remote code execution vulnerability. The CVSS score of CVE-2022-26134 is 9.8 Critical.

The vulnerability affected all supported versions of the Confluence Server and Data Center at the time of the discovery. Shortly after, Atlassian remedied the vulnerability with a patch. Organizations are advised to update their Confluence Server and Data Center as soon as possible.

Confluence Server and Data Center versions affected by CVE-2022-26134 RCE

7.4.0

7.13.6

7.15.0

7.18.0

7.4.16

7.14.0

7.15.1

 

7.13.0

7.14.2

7.17.3

 

The vulnerability allows unauthenticated code execution via Object-Graph Navigation Language (OGNL) injection. The malicious payload can be sent in the URI of an HTTP GET request.

GET /page890767/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

Example 1: GET request example for Atlassian Confluence (CVE-2022-26134) RCE Vulnerability Exploitation

Picus Threat Library includes the following threat for CVE-2022-26134 vulnerability: 

Threat ID

Threat Name

58423

Atlassian Confluence Web Attack Campaign

For more detailed information, you can check our blog post "Actively Exploited Atlassian Confluence Zero-Day CVE-2022-26134".

2. Karakurt Threat Group

On June 1st, 2022, Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a data extortion group called Karakurt [2]. Karakurt threat group is known for stealing their victim's sensitive data and threatening to auction it online unless the victim pays the demanded ransom. Karakurt threat group appears to operate similar to a ransomware gang. However, they do not use ransomware to encrypt the victim's files. Their extortion method only relies on data exfiltration.

Karakurt uses phishing, Initial Access Brokers (IABs), and common critical vulnerabilities to gain initial access to their target's network. After gaining access, they establish persistence, elevate privileges, conduct reconnaissance and move laterally in the victim's network. These actions allow Karakurt to gain in-depth knowledge about the victim's network and assets. Then, Karakurt steals the victim's data and demands the ransom to be paid within one week of the ransom notice sent to the victim. If the victim does not pay the ransom, Karakurt threatens to auction the stolen information or release it to the public.

TTPs used by the Karakurt Group are:

  • MITRE ATT&CK TA0043 Reconnaissance
    • T1589.001 Gather Victim Identify Information: Credentials
    • T1589.002 Gather Victim Identity Information: Email Addresses
    • T1591.002 Gather Victim Org Information: Business Relationships
  • MITRE ATT&CK TA0001 Initial Access
    • T1078 Valid Accounts
    • T1133 External Remote Services
    • T1190 Exploit Public-Facing Applications
    • T1566 Phishing
    • T1566.001 Phishing: Spearphishing Attachment
  • MITRE ATT&CK TA0004 Privilege Escalation
    • T1078 Valid Accounts
  • MITRE ATT&CK TA0007 Discovery
    • T1083 File and Directory Discovery
  • MITRE ATT&CK TA0011 Command and Control
    • T1219 Remote Access Software
  • MITRE ATT&CK TA0010 Exfiltration
    • T1048 Exfiltration over Alternative Protocol
    • T1567.002 Exfiltration over Web Service: Exfiltration to Cloud Storage

Picus Threat Library includes the following threats for Karakurt Threat Group:

Threat ID

Threat Name

41434

Karakurt Dropper Download Threat (Network Infiltration)

86137

Karakurt Dropper Email Threat (Email Infiltration (Phishing))

3. The BlackCat (ALPHV) Ransomware

As one of the most impactful players in the Ransomware-as-a-Service (RaaS) market, The BlackCat ransomware is used by various threat actors to attack organizations worldwide. Unlike other ransomware groups, the BlackCat, also known as ALPHV, uses Rust programming language. Rust allows the BlackCat ransomware to target multiple operating systems and avoid detection since many security controls are not able to analyze malicious payloads written in Rust. The ransomware group exfiltrates and encrypts their victims' confidential data and threatens to release stolen data unless the demanded ransom is paid. This method of extortion is called double extortion.

The BlackCat ransomware group was first observed back in November 2021. Since then, they have developed many ransomware variants and cooperated with multiple threat actors such as access brokers, RaaS operators, other ransomware groups, and APT actors. For example, a representative from the BlackCat confirmed that they are affiliated with REvil, BlackMatter, Maze, LockBit, and DarkSide ransomware groups [3]. Also, DEV-0237 (FIN12) and DEV-0504 are known to use the BlackCat ransomware in their attack campaigns [4]. Since the RaaS programs such as BlackMatter, Conti, and REvil are depreciated, many threat actors turned to BlackCat as an alternative.

Figure 1: Ransomware payloads used by DEV-0504 [5]

Picus Threat Library includes the following threats for the BlackCat (ALPHV) ransomware

Threat ID

Threat Name

75742

BlackCat Ransomware Campaign 2022

54213

BlackCat Ransomware Download Threat (Network Infiltration)

92332

BlackCat Ransomware Email Threat (Email Infiltration (Phishing)) 

4. Aoqin Dragon APT Group

A newly discovered APT group called Aoqin Dragon has been conducting cyber espionage campaigns against organizations in Southeast Asia and Australia for nearly ten years [6]. Aoqin Dragon targets government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. The tools, C2 servers, and targets of Aoqin Dragon strongly indicate that the APT group is affiliated with the Chinese government.

Aoqin Dragon relies on phishing and exploiting unpatched known vulnerabilities for initial access to its victim's network. After initial access, the threat actors infect their victims with two backdoor malware called Mongall and Heyoka; and exfiltrate sensitive information from the victims. In some cases, both malware are observed using the same C2 servers located in China. Aoqin Dragon APT group prioritizes staying stealthy and has been able to operate undetected since 2013. Here are the TTPs used by Aoqin Dragon:

  • MITRE ATT&CK TA0001 Initial Access
    • T1091 Replication Through Removable Media
    • T1190 Exploit Public-Facing Applications
    • T1566 Phishing
  • MITRE ATT&CK TA0002 Execution
    • T1106 Native API
    • T1204 User Execution
    • T1569 System Service
  • MITRE ATT&CK TA0003 Persistence
    • T1542.003 Bootkit
    • T1547 Boot or Logon Autostart Execution
  • MITRE ATT&CK TA0004 Privilege Escalation
    • T1055 Process Injection
    • T1055.001 Process Injection: DLL Injection
  • MITRE ATT&CK TA0005 Defense Evasion
    • T1027 Obfuscated Files or Information
    • T1027.002 Software Packing
    • T1036 Masquerading
    • T1055 Process Injection
    • T1070.004 File Deletion
    • T1112 Modify Registry
    • T1211 Exploitation for Defense Evasion
    • T1497 Virtualization/Sandbox Evasion
    • T1542.003 Bootkit
  • MITRE ATT&CK TA0007 Discovery
    • T1010 Application Window Discovery
    • T1012 Query Registry
    • T1033 System Owner/User Discovery
    • T1057 Process Discovery
    • T1082 System Information Discovery
    • T1497 Virtualization/Sandbox Evasion
    • T1518.001 Security Software Discovery
  • MITRE ATT&CK TA0008 Lateral Movement
    • T1021.001 Remote Desktop Protocol
  • MITRE ATT&CK TA0009 Collection
    • T1560 Archived Collected Data
  • MITRE ATT&CK TA0011 Command and Control
    • T1071.001 – Application Layer Protocol: Web Protocols
    • T1071.004 – Application Layer Protocol: DNS
    • T1132 – Data Encoding
    • T1571 – Non-Standard Port

Picus Threat Library includes the following threat for Aoqin Dragon APT Group attacks: 

Threat ID

Threat Name

76823

Aoqin Dragon Threat Group Campaign 2022

37572

Aoqin Dragon Threat Group Campaign Malware Download Threat (Network Infiltration)

71079

Aoqin Dragon Threat Group Campaign Malware Email Threat (Email Infiltration (Phishing)) 

5. Symbiote Malware

Researchers at Intezer Labs and Blackberry discovered a new type of Linux malware called Symbiote malware [7]. Unlike other standalone executable malware, Symbiote infects all processes running on the victim's machine by using T1574.006 Hijack Execution Flow:Dynamic Linker Hijacking technique. This behavior makes Symbiote a highly evasive malware. The threat actors use Symbiote malware to gain rootkit capabilities, harvest credentials, and gain elevated privileges. 

  • Credential collection and exfiltration
    • Symbiote malware hooks the "libc read" function and collects credentials when the ssh or scp process calls the "libc read" function.
    • Then, Symbiote encrypts the collected credentials and saves them into a file.
    • The saved credentials file is exfiltrated via DNS request sent to an adversary-controlled name server.
  • Privilege escalation
    • The threat actors use the stolen credentials to remotely access the victim's machine.
    • If threat actors do not have root-level privileges, Symbiote uses its rootkit functionality to spawn a root shell by manipulating the environment variable HTTP_SETTHIS.

Picus Threat Library includes the following threats for Symbiote malware

Threat ID

Threat Name

76746

Symbiote Malware Download Threat (Network Infiltration)

76937

Symbiote Malware Email Threat (Email Infiltration (Phishing)) 

References

[1] “Confluence Security Advisory 2022-06-02.” [Online]. Available: https://confluence.atlassian.com/

[2] “Karakurt Data Extortion Group.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-152a

[3] D. Smilyanets, “An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe,’” The Record by Recorded Future, Feb. 04, 2022. [Online]. Available: https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe/

[4] “The many lives of BlackCat ransomware,” Microsoft Security Blog, Jun. 13, 2022. [Online]. Available: https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

[5] Microsoft Threat Intelligence Center (MSTIC), “Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself,” Microsoft Security Blog, May 09, 2022. [Online]. Available: https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

[6] J. Chen, “Aoqin Dragon,” SentinelOne, Jun. 09, 2022. [Online]. Available: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

[7] J. Kennedy, “Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat,” Intezer, Jun. 09, 2022. [Online]. Available: https://www.intezer.com/blog/research/new-linux-threat-symbiote/