Our reporting this week highlighted the technical sophistication of Chinese adversaries in gaining initial access and conducting post-exploitation activity. Between February and September 2022, an espionage group known as Witchetty, assessed to have links to the Chinese nation-state unit APT10, exploited the ProxyShell and ProxyLogon vulnerabilities on Microsoft Exchange servers belonging to Middle Eastern governments and an African stock exchange to deliver multiple backdoors. Witchetty operators used steganography to hide an encrypted backdoor inside an old Windows logo image, so that the payload passed antivirus scanning as an ordinary bitmap.

Other threat actors assessed to be Chinese-linked exploited two zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange servers. There is evidence that Chinese adversaries have successfully chained the vulnerabilities to deploy China Chopper web shells on compromised servers, steal data, and move laterally to other systems in the infected network.

Key Vulnerabilities

  1. CVE-2022-36804
    A command injection vulnerability (CVSS: 8.8|OVSS: 75) in Atlassian’s Bitbucket Server and Data Center. All versions released after 6.10.17 are affected, from 7.0.0 up to and including 8.3.0. An adversary with access to a public repository, or read permission on a private one, can execute arbitrary code on the server by sending a single malicious HTTP request. Proof-of-concept exploit code is publicly available, so exposed instances should be treated as actively targeted.
  2. CVE-2022-41040
    A server-side request forgery vulnerability (CVSS: 8.8|OVSS: 59) affecting Microsoft Exchange Server 2013, 2016, and 2019. An authenticated adversary can make the Exchange back-end issue crafted requests on their behalf; Microsoft classifies the result as an elevation of privilege, and in the wild the flaw has been chained with CVE-2022-41082 to achieve remote code execution. We advise all organisations running the affected versions to apply the URL Rewrite rule from the Microsoft advisory as a temporary mitigation until a patch is released. Check the advisory for the current rule string before applying it, as Microsoft has revised the pattern after bypasses were reported, and treat the rule as a stopgap rather than a fix.
  3. CVE-2022-36934
    A zero-day integer overflow vulnerability (CVSS: 9.8|OVSS: 26) affecting WhatsApp’s Video Call Handler component. An integer overflow occurs when an arithmetic result exceeds the range of the integer type that holds it and silently wraps around. When the wrapped value is then used as a buffer length, the application allocates far less memory than the data actually requires, and the subsequent copy writes past the end of the buffer into adjacent memory. An adversary who controls the values in the call data can use this to corrupt memory and ultimately execute code on the victim’s device and deploy malware. The vulnerability has been patched in WhatsApp versions v2.22.16.12 and v2.22.15.9 for Android and iOS.
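
The integer-overflow bug class described for CVE-2022-36934, shown as an added example in C; this is illustrative code written for this page, not WhatsApp’s code, and the frame_hdr layout, the field names and the malicious header values are constructed assumptions. It contrasts the vulnerable length calculation, whose 32-bit product wraps, with a checked version that rejects the frame, and computes in 64-bit arithmetic how far past the buffer a trusting copy loop would write so that the demo itself does not corrupt memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed frame header for a hypothetical media stream: the remote peer
 * declares how many samples follow and how many bytes each sample holds.
 * This illustrates the bug class only; it is not WhatsApp's code or format. */
typedef struct {
    uint32_t count;  /* samples claimed by the peer (attacker-controlled) */
    uint32_t size;   /* bytes per sample claimed by the peer (attacker-controlled) */
} frame_hdr;

/* Vulnerable pattern: the product is computed in 32-bit arithmetic and
 * silently wraps modulo 2^32. A peer claiming 0x40000001 samples of 4 bytes
 * gets a 4-byte buffer while the parser still believes there is room for
 * 0x40000001 samples. */
uint32_t vuln_buffer_len(const frame_hdr *h) {
    return h->count * h->size;           /* wraps, no error */
}

/* Hardened pattern: refuse the frame when count * size does not fit in the
 * type used for the allocation. The division check is portable C; with GCC
 * or Clang, __builtin_mul_overflow() expresses the same test in one call.
 * Returns 0 and sets *out on success, -1 when the frame must be rejected. */
int checked_buffer_len(const frame_hdr *h, uint32_t *out) {
    if (h->count == 0 || h->size == 0)
        return -1;                       /* nothing to allocate; reject */
    if (h->size > UINT32_MAX / h->count)
        return -1;                       /* product would wrap */
    *out = h->count * h->size;
    return 0;
}

/* Bytes a copy loop that trusts 'count' would write past the end of a buffer
 * sized by vuln_buffer_len(). Computed in 64 bits so this demo never touches
 * memory it does not own; a real parser would memcpy and either crash or hand
 * the attacker a heap overwrite. */
uint64_t bytes_written_past_end(const frame_hdr *h) {
    uint64_t needed = (uint64_t)h->count * h->size;
    uint64_t allocated = vuln_buffer_len(h);
    return needed > allocated ? needed - allocated : 0;
}

int main(void) {
    /* Constructed malicious header: 0x40000001 * 4 = 0x100000004, which
     * truncates to 4 in 32 bits. The benign header is a normal small frame. */
    frame_hdr evil = { 0x40000001u, 4u };
    frame_hdr benign = { 1024u, 4u };
    uint32_t len = 0;

    printf("vulnerable: allocates %u bytes, copy writes %llu bytes past end\n",
           vuln_buffer_len(&evil),
           (unsigned long long)bytes_written_past_end(&evil));
    printf("checked (evil):   %s\n",
           checked_buffer_len(&evil, &len) == 0 ? "accepted" : "rejected");
    printf("checked (benign): %s, %u bytes\n",
           checked_buffer_len(&benign, &len) == 0 ? "accepted" : "rejected",
           len);
    return 0;
}
```

The same check applies wherever an attacker-supplied count is multiplied by an element size before an allocation; the point is to validate the product in the width it will be used, not merely to check each factor against a maximum.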

Key Intelligence Reports

  1. Adversaries exploit two zero-day vulnerabilities impacting Microsoft Exchange servers
    Microsoft has reported that it is investigating two zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange Server 2013, 2016, and 2019 instances. Read full report >>
  2. Chinese-linked espionage unit Witchetty exploits ProxyShell and ProxyLogon to deliver the Stegmap backdoor
    Between February and September 2022, an espionage group known as Witchetty, assessed to have links to the Chinese nation-state unit APT10, exploited ProxyShell and ProxyLogon vulnerabilities on Microsoft Exchange instances of Middle Eastern governments and an African stock exchange to deliver multiple backdoors. Read full report >>
  3. New Royal ransomware operates closed group and uses callback phishing to gain initial access
    Launched in January 2022, the Royal ransomware operation has targeted multiple private entities, demanding ransom payments between USD 250,000 and USD 2 million. Read full report >>

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, each CVE, building on the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.
