Our threat intelligence this week highlights that cybercriminals continue to diversify their malware arsenal to gain access to target networks. A new version of the IceXLoader commodity loader has been delivered via a large-scale phishing campaign that has infected thousands of private and corporate devices globally. IceXLoader can gather system information about the infected machine and download second-stage payloads. The initial access achieved by IceXLoader operators can be sold to financially motivated third-party cybercriminals and enable follow-on operations. For instance, cybercriminals have used previous versions of IceXLoader to distribute the Dark Crystal remote access trojan and a Monero cryptocurrency miner.

We also reported that affiliates of the LockBit Ransomware-as-a-Service gang have been observed leveraging the Amadey Bot to distribute their LockBit 3.0 ransomware payload. The operators crafted malicious spear-phishing attachments and executables masquerading as Microsoft Word files that download Amadey, which, in turn, proceeds to install LockBit from its Command-and-Control server. The use of different tools is likely an attempt to stay ahead of security defence mechanisms and increase the likelihood of a successful ransomware infection.

Key Vulnerabilities

1. CVE-2022-27510
An authentication bypass vulnerability (CVSS: 9.8|OVSS: 74) affecting the Citrix Application Delivery Controller (ADC), a load-balancing solution for cloud applications, and Citrix Gateway, an SSL VPN service. If exploited, the vulnerability could allow an adversary to bypass authentication using an alternate path or channel. Citrix addressed the vulnerability with the release of ADC and Gateway versions 13.1-33.47, 13.0-88.12, and 12.1-65.21, and in ADC 12.1-FIPS 12.1-55.289 and ADC 12.1-NDcPP 12.1-55.289.
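For asset owners, the practical question behind this item is which Citrix ADC and Gateway builds in the estate still predate the fix. The following is an added example, not Citrix's code or part of the original bulletin: it parses Citrix-style version strings (release train plus build number, e.g. 13.1-33.47), compares a build against the fixed builds listed above, and sorts a constructed sample inventory into patched, vulnerable and unknown buckets. The hostnames, the sample builds other than the fixed ones quoted above, and the `variant` label used to separate the standard 12.1 train from the 12.1-FIPS and 12.1-NDcPP builds are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds exactly as listed in the advisory summary for CVE-2022-27510.
# Keys are (release train, variant); variant is "" for the standard ADC and
# Gateway builds, "FIPS" and "NDcPP" for the hardened ADC builds (labels are
# an assumption made for this example).
FIXED_BUILDS = {
    ("13.1", ""): "13.1-33.47",
    ("13.0", ""): "13.0-88.12",
    ("12.1", ""): "12.1-65.21",
    ("12.1", "FIPS"): "12.1-55.289",
    ("12.1", "NDcPP"): "12.1-55.289",
}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+(?:\.\d+)*)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, ...]]:
    """Split '13.1-33.47' into ('13.1', (33, 47)).

    The release train is kept as a string because 13.1, 13.0 and 12.1 are
    separate branches with separate fixes; the build number is compared
    numerically component by component so that 33.5 sorts below 33.47.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADC/Gateway version: {version!r}")
    train, build = m.group(1), m.group(2)
    return train, tuple(int(part) for part in build.split("."))


def is_patched(version: str, variant: str = "") -> Optional[bool]:
    """True if the build carries the fix, False if it predates it.

    Returns None when the train/variant pair is not covered by the advisory
    (for example an older, unlisted train); those hosts need manual triage
    rather than being silently counted as safe.
    """
    train, build = parse_version(version)
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        return None
    _, fixed_build = parse_version(fixed)
    return build >= fixed_build


def triage(inventory: List[Tuple[str, str, str]]) -> dict:
    """Bucket (hostname, version, variant) records by patch status."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version, variant in inventory:
        status = is_patched(version, variant)
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and non-fixed builds are illustrative.
    sample = [
        ("adc-edge-01", "13.1-33.47", ""),
        ("adc-edge-02", "13.0-85.19", ""),
        ("gw-fips-01", "12.1-55.289", "FIPS"),
        ("gw-legacy-01", "12.0-63.13", ""),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```

Note that the same build number means different things on different trains: 12.1-55.289 is the fixed build for the FIPS and NDcPP variants but predates the 12.1-65.21 fix on the standard 12.1 train, which is why the check keys on both train and variant instead of the build number alone.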

2. CVE-2022-31685
An authentication bypass vulnerability (CVSS: 9.8|OVSS: 68) in VMware Workspace ONE Assist (versions up to 22.10), software that allows users to remotely access and troubleshoot devices in real time. The vulnerability allows an adversary with network access to obtain administrative access without needing to authenticate to the application. VMware has released a security update to address this vulnerability, alongside two other privilege escalation vulnerabilities, CVE-2022-31686 and CVE-2022-31687.

3. CVE-2022-20961
A vulnerability (CVSS: 8.8|OVSS: 51) affecting the web-based management interface of Cisco Identity Services Engine, a solution for managing endpoint, user, and device access to network resources. An adversary could exploit this vulnerability by prompting a user to follow a malicious link. If successfully exploited, this vulnerability enables an unauthenticated remote adversary to conduct a cross-site request forgery attack. This may involve using social engineering to convince a user to execute the adversary’s malicious actions on a device, enabling the actor to perform arbitrary actions with the privileges of the target user.

Key Intelligence Reports

1. Updated variant of IceXLoader deployed to infect thousands of endpoints globally
Discovered in June 2022, a new version of the IceXLoader (v3.3.3) commodity loader is being used to infect thousands of private and corporate machines globally with second-stage payloads. IceXLoader is written in the Nim programming language, which has also been used by China-based adversaries to compile the Nimbda loader.

2. LockBit RaaS affiliates use Amadey Bot to distribute ransomware payload
Affiliates of the LockBit Ransomware-as-a-Service gang are using the Amadey Bot to install the LockBit 3.0 ransomware payload on target systems. First discovered in 2018, the Amadey Bot is capable of exfiltrating data and installing second-stage payloads by receiving instructions from its Command-and-Control (C2) server. It has previously been deployed by the cybercriminal group TA505, an adversary known for deploying Clop ransomware, to install the FlawedAmmyy remote access trojan.

3. Mississippi state websites briefly offline following DDoS attack
A Distributed Denial-of-Service (DDoS) campaign temporarily disrupted access to multiple Mississippi state websites on the afternoon of 8 November 2022, the day of the US midterm election. The DDoS attack targeted the office of Mississippi’s Secretary of State. Although websites were intermittently down, the disruption was brief and did not interfere with voting or the vote-counting processes. It was also noted that there is no indication that the incident is part of a wider, coordinated campaign, nor were there reports of similar issues on election result reporting websites.

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny.

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, CVEs, building upon the vulnerability information provided as part of the CVSS (Common Vulnerability Scoring System) score.
