Our threat intelligence this week highlights the activity of a newly identified cyber espionage unit tracked as Worok. Active since 2020, Worok has been observed targeting high-profile entities in Africa, Asia, and the Middle East across multiple industry verticals, including telecommunications, financial services, maritime, energy and utilities, military, and government. The group is known to use existing tools such as Mimikatz, EarthWorm, ReGeorg, and NBTscan, as well as dropping customised malware implants. In some instances, Worok has also been observed exploiting ProxyShell vulnerabilities – a group of vulnerabilities affecting Microsoft Exchange that enable remote code execution.

Based on its activity and tools, researchers have tentatively linked Worok to the Chinese espionage unit TA428, which has previously compromised entities in Belarus, Ukraine, Russia, and Afghanistan in information theft and espionage operations. If Worok is confirmed to be a Chinese cyber espionage unit, its activity would reaffirm Beijing’s continued focus on intelligence collection operations in regions of strategic interest to the People’s Republic of China.

Key Vulnerabilities

  1. CVE-2021-34473
    A pre-authentication path confusion vulnerability (CVSS: 9.8|OVSS: 100) affecting Microsoft Exchange. This vulnerability enables an unauthenticated adversary to bypass access control and can be exploited in conjunction with other ProxyShell vulnerabilities to execute arbitrary code. The cyber espionage unit Worok has been observed exploiting ProxyShell vulnerabilities to gain initial access to target networks.
  2. CVE-2022-28958
    A remote code execution vulnerability (CVSS: 9.8|OVSS: 39) found in the Value parameter at shareport.php, affecting devices made by network and connectivity products manufacturer D-Link. This vulnerability is actively being exploited by a Mirai-based botnet named ‘Moobot’ which enlists the compromised devices to launch Distributed Denial-of-Service campaigns.
  3. CVE-2022-34747
    A format string vulnerability (CVSS: 9.8|OVSS: 26), in which attacker-supplied input is interpreted as a format string rather than as data, has been identified in Zyxel network-attached storage (NAS) devices, including NAS326, NAS540, and NAS542 models. The vulnerability allows an adversary to achieve unauthorised remote code execution via a crafted UDP packet.
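To make the format string class described above concrete, here is an added example (not Zyxel's code, and not taken from the report) of a UDP datagram logger written the hardened way, with the unsafe pattern shown only in a comment, plus a small check a defender can run over captured payloads or service logs. The function names and the sample payload are constructed for illustration.

```c
/* Added example: safe handling of an untrusted UDP payload that reaches a
 * printf-family function, and a simple directive check for log review. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Unsafe pattern (for contrast only, deliberately not compiled here):
 *     snprintf(out, n, pkt);
 * The datagram body becomes the format string, so a payload containing
 * "%x" or "%n" is interpreted as directives instead of being logged. */

/* Hardened pattern: the format string is a constant and the payload is an
 * argument, so any '%' in the payload is treated as plain text.
 * Returns the length snprintf would have produced (same contract as snprintf). */
static int log_packet_safe(char *out, size_t n, const char *pkt, size_t len)
{
    return snprintf(out, n, "udp payload: %.*s", (int)len, pkt);
}

/* Detection helper: does an untrusted buffer carry conversion directives?
 * A "%%" pair is a literal percent sign; a lone trailing '%' also counts,
 * since it is undefined behaviour when used as a format string. */
static int contains_format_directives(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (s[i] != '%')
            continue;
        if (i + 1 < len && s[i + 1] == '%') {
            i++;            /* skip the escaped percent */
            continue;
        }
        return 1;           /* '%' followed by a directive or end of data */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample payload, not a real capture */
    const char pkt[] = "status %x %x %n";
    char line[128];
    log_packet_safe(line, sizeof line, pkt, strlen(pkt));
    printf("%s (directives present: %d)\n",
           line, contains_format_directives(pkt, strlen(pkt)));
    return 0;
}
```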

Key Intelligence Reports

  1. Newly identified cyber espionage unit Worok targets high-profile public and private entities
    Active since at least 2020, the newly identified cyber espionage unit Worok has used both customised and existing malware to compromise high-profile entities in Africa, Asia, and the Middle East.
  2. DeadBolt ransomware operators compromise QNAP NAS devices via zero-day vulnerability
    DeadBolt ransomware operators have leveraged an undisclosed zero-day vulnerability in Photo Station to encrypt QNAP network-attached storage (NAS) devices that are directly connected to the Internet.
  3. New Shikitega malware targets Linux systems to deploy XMRig miner
    A new malware known as Shikitega is targeting endpoint and IoT devices running Linux operating systems. Shikitega is delivered through a multistage infection chain in which each module executes the next in sequence, which helps it avoid detection. Once the threat actor has full control of the infected system, a cryptocurrency miner is deployed and set to persist.

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to and impact of CVEs, building upon the vulnerability information provided as part of the CVSS (Common Vulnerability Scoring System) score.