Our selection of key IntReps this week illustrates the impact of the CVE-2022-30190 vulnerability (also known as Follina) on the threat landscape. An unnamed nation-state actor has exploited the vulnerability in a phishing campaign against government entities in Europe and the United States. In this instance, the threat actor exploited CVE-2022-30190 to execute a PowerShell downloader and later a PowerShell script, which conducted reconnaissance and acted as an information stealer targeting local browsers, mail clients and file services. We also reported on the Qakbot malware botnet exploiting CVE-2022-30190 in a phishing campaign to execute PowerShell code and, on this occasion, deliver a Qakbot DLL payload to the compromised device. These incidents demonstrate that the vulnerability is being exploited by both cybercriminals and nation-state actors, reaffirming its popularity within the threat landscape. We advise users to follow the latest mitigation advice, which recommends that users of Microsoft Defender for Endpoint enable the rule “BlockOfficeCreateProcessRule”, which blocks Office apps from creating child processes.
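As an added example (not from the newsletter or from Microsoft), the following PowerShell checks the current state of that Defender attack surface reduction rule and enables it if it is not already enforced. It assumes the GUID below is the identifier Microsoft uses for “Block all Office applications from creating child processes” and that it is run in an elevated session on a Windows host with Microsoft Defender.

```powershell
# Added example: check and enable the Defender ASR rule that blocks Office
# applications from creating child processes (the Follina mitigation above).
# Assumption: this GUID is Microsoft's ID for that rule. Run elevated.
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays; locate this rule's index.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Enabled' }
                2       { return 'AuditMode' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

$state = Get-AsrRuleState -Id $RuleId
Write-Output "ASR rule $RuleId current state: $state"

if ($state -ne 'Enabled') {
    # Add-MpPreference updates only this rule, leaving other ASR rules untouched.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Output "Rule set to Enabled; new state: $(Get-AsrRuleState -Id $RuleId)"
}
```

Where the rule is centrally managed (Intune or Group Policy), the local change is overridden at the next policy refresh, so enforce it through that channel instead.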

Key Vulnerabilities

  1. CVE-2022-30190
    A zero-day vulnerability found in Microsoft Office can be exploited to achieve arbitrary code execution on affected systems (CVSS: 7.8 | OVSS: 93). This vulnerability was reported last week but has since been exploited by cybercriminals and nation-state actors, resulting in an updated OVSS score.
  2. CVE-2022-31481
    A vulnerability in Carrier’s LenelS2 HID Mercury access control system (CVSS: 10 | OVSS: 27) could allow an unauthenticated user to send a specially crafted update file to the device that can overflow a buffer. The overflowed data can allow the user to manipulate code execution to monitor device communications, modify onboard relays, change configuration files or cause the device to become unstable. This vulnerability was one of eight flaws disclosed that pertain to this technology.
  3. CVE-2020-14871
    An easily exploitable vulnerability in the Oracle Solaris product of Oracle Systems (CVSS: 10 | OVSS: 82) allows an unauthenticated user with network access via multiple protocols to compromise Oracle Solaris, with the flaw also capable of affecting additional products.

Key Intelligence Reports

  1. Qakbot malware botnet exploits “Follina” vulnerability.
  2. State-backed threat actor exploits CVE-2022-30190; targets government entities in Europe and the United States.
  3. VMware ESXi on Linux servers targeted with Black Basta ransomware.

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny.

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, CVEs, building upon the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.
