Initial Access Brokers (IAB) are still the main way cyber criminals use to get access to their next target, but in 2022, as never before, I saw an increment of exploited vulnerabilities used by threat actors as initial vector or escalation vector. This behavior highlights the rise of a new skill-set belonging with specific actors named: exposed vulnerability exploitation. If you are wondering what are such a vulnerabilities or if you want to know what are the most important exploited vulnerabilities in 2022, I had summarize them for you in this very last post of the year.

Exploited Vulnerabilities

1. The first exploited vulnerability is for sure Follina (CVE-2022-30190). Microsoft Windows Support Diagnostic Tool (ms-msdt) back in May contained a zero-click remote code execution vulnerability. The zero day appears to have been exploited in the wild since at least early April 2022 by Chinese APT groups (TA413) but later on it has been widely (ab)used by many different state sponsored groups such as APT28 (Russia) as well.

2. Microsoft Office Bug (CVE-2017-11882) looks lik to be a “never ending” story. It is a memory corruption glitch in Microsoft Office’s Equation Editor that enables remote code execution on vulnerable devices. Nowadays it’s still widely (ab)used from many cybercriminals in order to inoculate first-stage of droppers. The joint inquiry from the Department of Homeland Security, the FBI, and the US government puts CVE-2017-11882 on the list of flaws most frequently used by advanced threat actors in their malicious operations. As per the report, Chinese, North Korean, and Russian hackers are continuously leveraging the Microsoft Office bug since at least 2016.

3. Log4Shell (CVE-2021-44228) is still one of the most “incredible” vulnerabilities discovered in 2021. Unoticed until 2013, It was a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. In 2022 one of the most exploited vulnerabilities used by many knwon and unknown threat actors (rif HERE). Chinese and Iranian state threat actors were exploiting Log4Shell as well. The Iranian threat actor, DEV-0270, and Chinese threat actor, APT10, were among the first to aggressively exploit Log4Shell. Mandiant observed reconnaissance activity linked to APT10 and DEV-0270 successfully attacked multiple U.S. companies via ransomware deployments during these years.

4. ProxyNotShell (CVE-2022-41082) affects Microsoft Exchange Server 2013, 2016, and 2019 and allows attackers to escalate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution on compromised servers. This vulnerability has been mostly observed during the last half of the year and it is still mostly (ab)used by Ransomware groups

5. F5 BIG-IP (CVE-2022-1388) allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. According to CISA (HERE) exploited by multiple State sponsored APTs.

6. Chrome zero-day (CVE-2022-0609) is a fresh uses after free vulnerability. It allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. On February 10, Threat Analysis Group (Google’s TAG) discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups’ activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.

7. Spring4Shell (CVE-2022-1388) is a critical vulnerability in the Spring Framework, which emerged in late March 2022. Because 60% of developers use Spring for their Java applications, many applications are potentially affected. With a critical CVSS rating of 9.8, Spring4Shell leaves affected systems vulnerable to remote code execution (RCE). During 2022 it has been seen weaponizing Mirai botnet and spreading itself over /tmp/ folder in a very radical way.

8. Atlassian Confluence (CVE-2022-26134) allows an OGNL injection that would allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. According to Aquasec (HERE) it has been used to deploy backdoors, cryptominers and Tsunami Malware by an unknown threat actor named 8220 gang.

Conclusions

In my last post of the 2022, I had dislosed the most seen exploited vulnerabities of the year according to Yoroi Threat Intelligence and by summarizing several readings over the last twelves months. My goal is to make a more confortable knowledge for me (to better remember in the far future) and for my readers as well.