Our threat intelligence this week focuses on the continued trend of cryptocurrency theft operations, as October has seen the largest total sum of assets stolen from cryptocurrency platforms in 2022 so far. On 1 November, the Panama-based cryptocurrency derivatives exchange platform Deribit disclosed the theft of USD 28 million following the compromise of one of the company’s hot wallets, which are connected to the internet and therefore reachable by a remote adversary. While neither its clients’ funds nor its cold wallets were affected, Deribit has advised all users to create new wallet addresses and stated that all withdrawals will now need to be approved manually by a Deribit administrator.

This latest incident marks a continuation of multiple cryptocurrency thefts in October 2022, with recent incidents including the thefts of USD 14.5 million from the decentralised finance platform Team Finance, USD 100 million from the decentralised cryptocurrency trading platform Mango Markets, and USD 566 million from the BSC Token Hub, the cross-chain bridge of the Binance-backed BNB Chain. The large sums of currency available on these platforms, combined with their weaker cybersecurity maturity in comparison to traditional financial services entities, make them attractive targets for financially motivated adversaries.

Key Vulnerabilities

1. CVE-2022-3602
A buffer overflow vulnerability (CVSS: 7.5|OVSS: 45) affects OpenSSL, a software library used by applications to secure communications over computer networks, including many HTTPS websites. The overflow is triggered during X.509 certificate verification, specifically in name-constraint checking, and occurs after the certificate chain signature verification stage; it therefore requires a Certificate Authority (CA) to have signed the malicious certificate, or an application that continues verification despite failing to build a path to a trusted issuer. An adversary can craft a malicious email address in such a certificate to overflow four attacker-controlled bytes on the stack, resulting in a denial of service or potentially remote code execution. A TLS client is exposed when it connects to a server presenting the malicious certificate, whereas a TLS server is exposed only if it requests client authentication. The vulnerability, which was disclosed alongside a second buffer overflow tracked as CVE-2022-3786, affects versions 3.0.0 up to and including 3.0.6; OpenSSL 1.1.1 and 1.0.2 are not affected. There is no evidence of exploitation; however, users are advised to upgrade to OpenSSL 3.0.7 as soon as possible.

2. CVE-2022-43571
A remote code execution vulnerability (CVSS: 8.8|OVSS: 23) affects Splunk Enterprise (versions prior to 8.2.9, 8.1.12, and 9.0.2), software which facilitates the collection, analysis, and visualisation of data gathered from components of IT infrastructure. The vulnerability allows an authenticated user to execute arbitrary code via the dashboard PDF generation component, so any valid account on the instance, including a low-privilege one, is sufficient to exploit it. On 2 November, Splunk released security updates to address CVE-2022-43571 and eight other vulnerabilities; users are advised to upgrade to 8.1.12, 8.2.9, or 9.0.2.

3. CVE-2022-36537
A vulnerability (CVSS: 7.5|OVSS: 20) affects the ZK framework, which enables the creation of graphical user interfaces for Java web applications. A crafted POST request to the framework’s AuUploader component could allow an adversary to perform remote code execution or directly access confidential data. The framework is used in ConnectWise Recover (version 2.9.7 and earlier) and R1Soft Server Backup Manager (version 6.16.3 and earlier). On 28 October, ConnectWise released a security update to address the vulnerability. A patch has automatically been applied to ConnectWise Recover, whereas R1Soft Server Backup Manager requires a manual upgrade: users of affected versions are advised to upgrade to version 6.16.4.

Key Intelligence Reports

1. American government vulnerable to mobile malware campaigns due to outdated Android and iOS devices
A new report discloses that almost half of Android-based mobile phones used by American state and local government employees are running outdated versions of their respective operating systems (OS), exposing them to hundreds of software vulnerabilities that can be leveraged for compromise. Read full report >>

2. Two high-severity vulnerabilities found in OpenSSL software
Researchers have reported on two high-severity vulnerabilities in OpenSSL, a software library used by applications to secure communications over computer networks, including many HTTPS websites. Read full report >>

3. Deribit cryptocurrency exchange discloses theft of USD 28 million
The Panama-based cryptocurrency derivatives exchange platform Deribit has disclosed the theft of USD 28 million following the compromise of one of the company’s hot wallets on 1 November 2022. Read full report >>

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to and impact of CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerability Scoring System) score.
