Our selection of key intelligence reports this week illustrates the continued threat from ransomware groups, as both Conti and Hive targeted the Attica Group. We assess that either an access broker sold entry into Attica's network to both Conti and Hive, or that an affiliate working with the two groups deployed both strains to maximise ransom payments. This latest compromise adds to Conti's growing list of victims, which includes the Costa Rican and Peruvian governments. The ransomware campaign against Costa Rica led the country to declare a national emergency after Conti published 672 GB of data belonging to government agencies, and the United States has offered a $10 million reward for information on Conti group members. We assess that the shift from targeting private sector companies to foreign governments (albeit those with a weaker cyber security posture) shows that Conti is emboldened by recent successes and has calculated that these campaigns are worth the increased law enforcement attention that is highly likely to follow.

Key Vulnerabilities

  1. CVE-2021-40539
    A critical REST API authentication bypass vulnerability (CVSS 9.8 | OVS: 89) affecting Zoho ManageEngine ADSelfService Plus (ADSS) that allows an unauthenticated attacker to achieve remote code execution. The AvosLocker ransomware group recently exploited this vulnerability to gain a foothold in the network of an unnamed US company, before using a legitimate driver file to disable endpoint security solutions.
  2. CVE-2022-0543 
    A Debian-specific packaging issue in the in-memory data store Redis (CVSS 10.0 | OVS: 39) leaves the Lua scripting engine's sandbox open to escape: an adversary who can reach the Redis instance can run arbitrary Lua scripts remotely, break out of the sandbox and execute arbitrary code on the host. Upstream Redis builds are not affected by this packaging defect. We observed the China-linked Muhstik gang exploiting this vulnerability to expand its botnet and launch Distributed Denial of Service (DDoS) attacks.
  3. CVE-2020-6287
    A critical vulnerability (CVSS 9.8 | OVS: 70) affecting SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50. A missing authentication check allows an unauthenticated attacker to execute critical commands against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.
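For the Redis item above, the remediation is the vendor's fixed Debian/Ubuntu package. Where patching has to be scheduled, the following redis.conf excerpt shows the weak settings that typically make an instance reachable and scriptable by an attacker, beside the hardened equivalents. This is an added example written for this page, not configuration from the Orpheus report or the Redis project; it assumes a Redis 6.x instance installed from the Debian package, and the password value is a placeholder.

```conf
# redis.conf hardening excerpt (added example, not from the original report).
# Assumes Redis 6.x from the Debian/Ubuntu package. Updating that package is
# the actual fix for CVE-2022-0543; these settings only reduce exposure.

# Weak (seen on self-built or older installs; all three are needed for an
# unauthenticated remote client to reach EVAL):
#   bind 0.0.0.0
#   protected-mode no
#   (no requirepass set)

# Hardened: listen on loopback only and refuse unauthenticated clients.
# Redis does not accept trailing comments on a directive line, so each
# explanation sits on its own line.
bind 127.0.0.1 ::1
protected-mode yes
# Placeholder value; generate a long random secret and keep it out of VCS.
requirepass CHANGE-ME-TO-A-LONG-RANDOM-SECRET

# Remove the Lua entry points the sandbox escape relies on. Renaming a
# command to the empty string disables it entirely.
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""

# Commands commonly abused after initial access (rewriting config, dumping
# memory) are disabled for the same reason.
rename-command CONFIG ""
rename-command DEBUG ""
```

Disabling EVAL and EVALSHA breaks any client library that depends on server-side scripting (rate limiters and job queues frequently do), so check application behaviour in a staging instance before rolling this out; on Redis 6 and later the same effect can be scoped to individual users with ACLs (`-@scripting`) instead of a global rename. None of this removes the vulnerable Lua runtime from the host, which is why the package update remains the required action.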

Key Intelligence Reports

  1. Attica Group targeted by Conti and Hive ransomware groups. Read full report >>
  2. Killnet launches DDoS attacks on Romanian government sites using the BrownFlood JavaScript implant and vulnerable WordPress websites. Read full report >>
  3. Newly identified threat group UNC3524 uses IP cameras to deploy backdoors and steal emails. Read full report >>

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny.

What is OVS?

The Orpheus Vulnerability Score (OVS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, each CVE, building on the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.