Cyber Threat Intel Brief for April 4, 2022

Recent Threat Highlights

Critical Google Chrome CVE-2022-1096 Emergency Patch - Not much is known about the vulnerability itself or how great the impact would be if exploited, but the unusual release of this patch, which notably addresses just one vulnerability, means that this update shouldn't be ignored.

https://www.pcmag.com/news/google-patches-this-years-second-actively-exploited-chrome-zero-day

CVE-2022-1040 - An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

https://nvd.nist.gov/vuln/detail/CVE-2022-1040

A severe vulnerability (CVE-2022-22965) in the Java Spring Framework can lead to total system compromise by a remote attacker. Organizations using the Java Spring Framework are advised to patch vulnerable systems immediately and to look for IOCs and IOAs relevant to this cyber-threat.

https://www.darkreading.com/application-security/zero-day-vulnerability-discovered-in-java-spring-framework

High CVE-2021-34484 - An unspecified vulnerability in the Microsoft Windows User Profile Service allows elevation of privilege in Windows 10, Windows 11, and Windows Server.

https://www.techradar.com/news/this-nasty-windows-10-zero-day-vulnerability-finally-has-an-unofficial-fix

CVE-2022-26871 - An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2022-26871

Cyber Intel by Industry

Cyber / MSP / MSSP - An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed. There is no action required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled. Enabled is the default setting. Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce

Healthcare - The healthcare industry suffered the highest number of cyber attacks in 2021, with ransomware the leading danger, as bad actors took advantage of the Covid-19 pandemic, a study by Cisco has found. "The main reasons adversaries are continuing to target this industry is due to healthcare providers' often underfunded cyber-security budgets and extremely low downtime tolerance, the latter of which has been exacerbated by the ongoing Covid-19 pandemic."

https://www.thenationalnews.com/business/technology/2022/03/23/gisec-2022-health-care-most-targeted-sector-for-cyber-attacks-in-2021-cisco-says/

SaaS Providers - CISOs turn to Remote Browser Isolation for zero trust - Reducing the size of the attack surface by isolating every user's internet activity from enterprise networks and systems is the goal of remote browser isolation (RBI). The most compelling aspect of RBI for CISOs is how well it integrates into their zero trust strategies and complements their existing security tech stacks. Zero trust looks to eliminate trusted relationships across an enterprise's tech stack because any trust gap is a major liability.

https://venturebeat.com/2022/03/31/why-remote-browser-isolation-is-core-to-zero-trust-security/

Financial Services - Attackers have stolen $1.4 million from the One Ring protocol via a flash loan attack, blockchain platform One Ring Finance has revealed. Losses from the attack, which unfolded on Monday (March 21), totaled $2 million after swap and flash loan fees, said One Ring, a 'multi-chain cross-stable yield optimizer platform'.

https://portswigger.net/daily-swig/flash-loan-attack-on-one-ring-protocol-nets-crypto-thief-1-4-million

Biotech / Pharma - The sensitive medical data of more than 1,200 Washington residents has been exposed after a successful phishing attack against a local public health agency. Spokane Regional Health District (SRHD) said that "files containing client protected health information" associated with 1,260 individuals and two departments may have been "previewed" by an attacker during the incident on February 24, 2022.

https://portswigger.net/daily-swig/washington-residents-medical-data-exposed-by-phishing-attack-on-spokane-regional-health-district

Government, Military, and Critical Infrastructure - Texas Power Grid and Energy Sector on High Alert - Russian hackers have been probing Texas' energy infrastructure for weak points in digital systems that would allow them to steal sensitive information or disrupt operations, according to interviews with energy companies, state officials and cybersecurity experts.

https://www.texastribune.org/2022/03/31/texas-energy-grid-russia-cyberattack-hackers/

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) have issued a joint cybersecurity advisory on Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector. US energy sector entities should be on high alert based on indicators of possible attacks being planned by Russia.

https://www.cisa.gov/uscert/ncas/alerts/aa22-083a

Cyber Threat Forecast

Cyber Attacks Targeting US Critical Infrastructure - The FBI warns that we will likely see an increase in Russian-based attacks on US energy, finance, government, and healthcare companies, with finance the most likely target in retaliation for the sanctions the US and NATO have placed on Russia.
US-Based Company Attacks - With the situation in Ukraine escalating and various Russian malware groups and APTs showing support for Russia, we expect a huge increase in cyberattacks on US-based healthcare, financial, pharma, and cloud provider companies. This will likely be the starting point of the cyber war Russia has declared on the US. We expect to see exploitation of known vulnerabilities, brute force attacks, and spear phishing attempts as the means of initial compromise.
Supply Chain Attacks - Electronic or physical attacks on suppliers, which can affect the confidentiality, integrity, or availability of goods or services, continue to be a significant threat. All entities should closely monitor, assess, and proactively address supply chain stability and security threats on an ongoing basis.