Search for your darkweb exposure
Cyble-CRIL
Main Menu
Cyble-Vulnerability

Exposed Assets – A major threat to organizations

Organizations racing against time as active exploitation of vulnerabilities continues

Introduction

The COVID-19 outbreak has accelerated digital transformation and the exponential increase of remote work, resulting in organizations having an expanded digital footprint and attack surface, with new assets regularly being connected to the company network(s).

The existing processes, technologies, and tools organizations place for asset discovery and vulnerability management cannot defend against the barrage of new vulnerabilities arising almost daily.

Organizations might be overwhelmed trying to keep track of all existing assets within the organization as they add new internet-connected devices, domains, plugins, or other potentially external-facing applications, further complicating the threat landscape for organizations. 

Threat Actors (TAs), Advanced Persistence Threat (APT) groups, and other cyber criminals continuously scan the internet to find vulnerabilities that will be further exploited to achieve the desired objective. It should be noted that there are thousands of vulnerabilities arising every year. Still, not all vulnerabilities can be exploited, and not all vulnerabilities pose the same level of risk to an organization’s assets.

Analysis

To understand the vulnerability exploitation trend, Cyble Research & Intelligence Labs (CRIL) picked up a few vulnerabilities being actively exploited by TAs.

Active exploitation of Atlassian Confluence

On June 2, 2022, Atlassian released an advisory for CVE-2022-26134 (RCE), and within a matter of two days, the Proof-Of-Concept (POC) was being distributed via social media platforms. As the vulnerability targeted the internet-exposed Confluence servers, researchers noticed that vulnerability exploitation started within two days.

On July 20, 2022, the vendor released a security advisory for the Atlassian Confluence app consisting of vulnerability details for CVE-2022-26138, CVE-2022-26136, and CVE-2022-26137. Out of all the three vulnerabilities, CVE-2022-26138 is frequently exploited even at the time of writing this analysis.

We noticed that TAs are selling Confluence Server access by exploiting CVE-2022-26134 on various cybercrime forums. One such example is shown below.

Figure 1 – TA selling Confluence access on a cybercrime forum

Active exploitation of Zimbra Vulnerability

Zimbra released a patch on August 10, 2022, for Zimbra Vulnerability CVE-2022-37042. As expected, the active exploitation of this vulnerability started within a few days. Cyble Research and Intelligence Labs published a detailed blog on the vulnerability after its exploitation.


Cyble recently investigated a claim made by a TA selling nearly 2,700 email servers on a cybercrime forum by exploiting CVE-2022-37042, as shown below.

Figure 2 – TA selling Zimbra servers on a cybercrime forum

Active exploitation of Zyxel firewall and VPN

On September 7, 2022, the Twitter account “@1ZRR4H” tweeted about the mass exploitation of CVE-2022-30525. An Operating System command injection vulnerability in the CGI program of the affected product of Zyxel makes this a critical vulnerability.

Cyble researchers investigated the exposure of Zyxel-affected products that might be vulnerable to CVE-2022-30525 and found over 14,000 instances of exposure, as shown below.                                      

Figure 3 – Exposed Zyxel products exposure (Source: online scanner)

The top 5 countries with the highest number of exposures are:

Figure 4 – Top 5 countries with exposure

VMware Workspace ONE

On April 06, 2022, VMWare released a security advisory for vulnerabilities affecting VMware Workspace One, including CVE-2022-22954.

An advisory released by Cybersecurity and Infrastructure Security Agency (CISA) stated:

According to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively.”

Cyble researchers investigated claims made by the TA in a cybercrime forum. This led us to conclude that TAs leverage this VMware vulnerability to deploy web shells on various global organizations.

Our research into the matter indicated that all of the compromised access points hosted virtual applications via the enterprise application management platform – VMware Workspace ONE.

A screenshot from one of the compromised accesses demonstrated that the JSP-based web shell was downloaded by the TAs in the directory shown below.

Figure 5 – Web Shell access uploaded in the VMWare directory

WS02 Active Exploitation

In early April 2022, a vendor released a security advisory for CVE-2022-29464. This vulnerability’s severity is tagged “Critical,” as TAs could upload an arbitrary file to a user-controlled server location due to insufficient validation of user input. It is also possible to gain remote code execution capabilities on the server by exploiting this arbitrary file upload vulnerability.

Researchers came up with the Proof of Concepts (POC) within a few days, which were distributed across social media platforms within no time. Later in the same month, CISA added the vulnerability in the Known Exploited Vulnerabilities Catalog, indicating active exploitation.

Figure – 6 Screenshot from CISA known Known exploited Vulnerability catalog

Cyble researchers observed a few instances of TAs selling web shells on several public and private organizations. One of these instances is shown below.

Figure 7 – TA selling webshells by exploiting WSO2 vulnerability

What is common in these Active Exploitation vulnerabilities?

  • Type of Exploit – Remote Code Execution.
  • Vulnerable instances exposed over the internet that can be searched via various online scanners.
  • Usage of automation scripts and tools used by TAs.
  • Active exploitation of vulnerabilities is seen within a few days of the release of advisory by the vendor or the PoC distributed over social media.
  • TAs actively use automation scripts and vulnerability scanning tools to exploit vulnerable instances from state and private organizations.
  • TAs were observed selling web shells and other accesses on cybercrime forums as soon as vulnerability details were out.
  • Organizations dealing in Critical Infrastructure sectors are disproportionately targeted via actively exploiting new vulnerabilities.
  • TAs have a wide scope for attacks as organizations fail to patch critical vulnerabilities in time, leading to their active exploitation.

Conclusion

With the active exploitation of various vulnerabilities occurring almost every month, organizations have difficulty managing patches and updates. TAs are leveraging online scanners, automation scripts, and vulnerability scanning tools to exploit vulnerabilities in no time. Most TAs are further selling web shells and accesses on cybercrime forums to botnet operators or people looking to target a particular organization.

Keeping these factors in mind, we highly recommend that organizations leveraging traditional Vulnerability Management processes should shift toward Risk-Based Vulnerability Management. With the immense number of attacks being carried out against organizations regularly, it has become crucial to monitor the dark web for accesses and any shells being sold.

Recommendations

  • Keep systems updated with the latest patches released by the official vendor.
  • Prioritize patching with a Risk-based vulnerability management process.
  • Limit exposure of critical assets over the internet with proper network segmentation.
  • Place critical assets behind an updated and well-configured firewall.
  • Regular audits and VAPT exercises can help the organization find security loopholes that attackers might exploit.
  • Follow the Zero Trust approach.

Recent Blogs

Anonymous Sudan Launches Fresh Wave of DDoS Attacks on American Organizations Including Microsoft

June 7, 2023

 LockBit 2.0 Ransomware Resurfaces

June 6, 2023

HelloTeacher: New Android Malware Targeting Banking Users In Vietnam

June 5, 2023
Cyble-Blogs-Anonymous-Sudan
June 7, 2023

Cyble analyzes recent hacktivism claims by Anonymous Sudan impacting US entities including Microsoft Corporation.

Read More »
Cyble-Blogs-LockBit-Ransomware
June 6, 2023

Cyble analyzes LockBit Ransomware, which is distributed via malicious documents, specifically targeting users in Korea.

Read More »
Cyble-Blogs-HelloTeacher-Malware
June 5, 2023

Cyble analyzes a new malware “HelloTeacher” masquerading as popular messaging app to target banking users from Vietnam and steals sensitive data.

Read More »

About Us 


Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint.

Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020.

Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, Dubai and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  

Scroll to Top