Our reporting this week highlighted the destructive impact that can be caused by the provision of initial access to cybercriminals by Initial Access Brokers (IABs). In May 2022, the LockBit, Hive, and ALPHV, also known as BlackCat, ransomware-as-a-service (RaaS) gangs each individually compromised an automotive supplier. All three operations exploited a misconfigured firewall rule that exposed Remote Desktop Protocol on a management server, indicating that an IAB sold the same initial access vector to the ransomware families. The adversaries each exfiltrated data and dropped ransomware payloads, subjecting the victim to three separate double extortion operations in a period of two weeks.  

RaaS groups have previously compromised the same victim in separate operations, for instance, in May 2022 Hive affiliates compromised Costa Rica’s public health service following a compromise of six Costa Rican government departments by Conti in the previous month. Since Conti’s disbandment, its affiliates have migrated to other groups, including Hive and ALPHV, which allows the groups to leverage Conti’s resources, including its IABs.

Key Vulnerabilities

  1. CVE-2022-31656  
    A critical authentication bypass vulnerability (CVSS: 9.8|OVSS: 41) affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation. This vulnerability enables a threat actor with network access to obtain administrative privileges.   
  2. CVE-2022-27925 
    A vulnerability (CVSS: 7.2|OVSS: 33) allowing remote code execution (RCE) on Zimbra Collaboration instances through mboximport from an authenticated user. Threat actors have been widely exploiting this vulnerability since as early as June 2022, with more than 1,000 ZCS instances belonging to government departments, ministries, military branches, and high-profile private entities globally having been compromised. This vulnerability can be chained to CVE-2022-37042 which enables authentication bypass.
  3. CVE-2022-35804  
    A vulnerability (CVSS: 8.8|OVSS: 23) affecting Microsoft’s Server Message Block (SMB) client and server running on Windows 11 systems using Microsoft SMB 3.1.1 (SMBv3) which enables unauthenticated remote code execution.

Key Intelligence Reports

  1. Maui ransomware operation linked to North Korean state-unit Stonefly
    North Korean nation-state unit Stonefly (also known as Andariel and Silent Chollima) has been linked to the Maui ransomware operation which has opportunistically compromised targets in Japan, India, Russia, and Vietnam. Read full report >>
  2. LockBit, Hive, and BlackCat ransomware affiliates use common infection vector to compromise automotive supplier
    Over two weeks in May 2022, the LockBit, Hive, and ALPHV, also known as BlackCat, ransomware-as-a-service (RaaS) gangs individually compromised an automotive supplier via a single initial access vector. Read full report >>
  3. Former Twitter employee uses insider access to collect intelligence for Saudi Arabia
    Former Twitter employee Ahman Abouammo has been found guilty of using his access within Twitter’s network to target and collect sensitive personal data from Twitter users considered to be dissidents or known critics of the government of Saudi Arabia. Read full report >> 

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding additional context on the likely threat to and impact of CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerabilities Scoring System) score.

The Orpheus Vulnerability Severity Score (OVSS)