EclecticIQ

Exploitation of Atlassian and Microsoft's Major Vulnerability

This issue of the Analyst Prompt looks at activity surrounding the Follina exploit, the ransomware affiliates exploiting CVE-2022-26134 and recent extortion techniques by cybercriminal groups.

EclecticIQ Threat Research Team June 17, 2022

Exploit Tools and Targets: Threat Actors Continue to Leverage the Follina Exploit

Multiple threat actors are leveraging the Microsoft Office vulnerability CVE-2022-30190, dubbed “Follina”, with the first samples identified in public repositories on April 12th, 2022 (1). Follina is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that allows an attacker to run arbitrary code with the privileges of the calling application (2). An attacker can create an Office document that uses the remote template feature to retrieve an HTML file, which in turn abuses the MSDT vulnerability to load and execute code. The vulnerability works even with macros disabled, and RTF documents leveraging it trigger without the document being opened, as soon as it is rendered in the preview pane in Windows Explorer (3). Updates are available to patch the vulnerability, and a workaround is described here (4).

Attacks leveraging the Follina vulnerability have been attributed to Russian and Chinese APT actors (5) as well as criminal actors (6). The following activity has been observed exploiting CVE-2022-30190:

  • TA413, a Chinese APT, has been observed exploiting the vulnerability to target the Tibetan government (5).
  • Malicious exploit documents dropping CrescentImp and targeting Ukraine have been attributed with medium confidence to the group Sandworm (7).
  • The exploit was leveraged in an attack targeting Ukraine that dropped Cobalt Strike Beacon (8).
  • European and US local government organizations were targeted with a phishing campaign using a malicious RTF document that eventually runs PowerShell (9).
  • The criminal group TA570 has been using the Follina exploit to deliver Qbot payloads (10).
  • An actor leveraged Follina to drop the remote access trojan (RAT) AsyncRAT (11).
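The delivery chain described above (a document whose remote-template relationship points at an external URL, and template content that invokes the MSDT handler) gives defenders two concrete things to triage. The script below is an added example, not EclecticIQ code or tooling: it lists external attached-template relationships inside a .docx and checks fetched template content for the ms-msdt: handler. It covers only the OOXML (.docx) form; the RTF variant mentioned above is not a zip container and needs a separate parser. The test fixture and URLs are constructed placeholders.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Public OOXML relationship type for an attached (remote) template. With TargetMode
# "External" and an http(s) target, Word fetches the template when the file is opened,
# which is the remote-template step of the Follina chain. Sample URLs are placeholders.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
MSDT_HANDLER = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_template_targets(docx_bytes):
    """Return (rels_part, target) pairs for every external attachedTemplate relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter():
                if (rel.tag.endswith("Relationship")
                        and rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def references_msdt(html_bytes):
    """True if fetched template content invokes the ms-msdt: protocol handler."""
    return MSDT_HANDLER.search(html_bytes) is not None


def build_sample_docx(template_target=None):
    """Constructed minimal .docx fixture; with a target it carries an external template rel."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    print(external_template_targets(build_sample_docx("http://example.invalid/t.html")))
```

An external template relationship is not malicious on its own (some corporate templates use it), so treat a hit as a reason to inspect the fetched content rather than as a verdict.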

Exploit Tools and Targets: Ransomware Affiliates Actively Exploit the Atlassian Confluence Server Vulnerability

Ransomware affiliates are actively exploiting CVE-2022-26134, an Object-Graph Navigation Language (OGNL) injection vulnerability in Atlassian Confluence Server and Data Center. It enables unauthenticated remote code execution (RCE), allowing an attacker to execute arbitrary code on a Confluence Server or Data Center instance (12). The vulnerability is triggered by a specially crafted HTTP request with the payload located in the URI, which is then executed on the vulnerable server. The patch and mitigation details for the vulnerability are available here (12).

Multiple ransomware affiliates have been observed performing mass scanning and exploitation of vulnerable servers (13). The increase in activity correlates with the release of proof-of-concept (PoC) exploits for CVE-2022-26134 (13). Affiliates linked to the cybercriminal operations Cerber2021 (14) and Avos ransomware have been observed leveraging the Confluence vulnerability to gain access to victims' networks and execute ransomware (13). EclecticIQ analysts recommend that affected organizations prioritize patching vulnerable systems.
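Because the payload for CVE-2022-26134 travels in the request URI, mass scanning of the kind described above leaves a trace in the web server's access log. The script below is an added example, not EclecticIQ code or Atlassian's guidance: it parses common-format access-log lines, percent-decodes the URI (repeatedly, so a double-encoded marker is not missed) and flags requests carrying an OGNL expression marker. The log lines are constructed samples, not real traffic, and the `${` check is a coarse retrospective indicator to be tuned alongside the vendor advisory, not a replacement for patching.

```python
import re
from urllib.parse import unquote

# Common/combined access-log request line: client IP, method, URI, HTTP status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (not real traffic). Line 1 carries a percent-encoded "${...}"
# in the path, line 3 the same marker double-encoded; line 2 is a benign "$" in a query.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:15:01 +0000] "GET /%24%7Bognl-placeholder%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [03/Jun/2022:10:15:09 +0000] "GET /display/TEAM/Budget?q=%24100+plan HTTP/1.1" 200 5120
203.0.113.5 - - [03/Jun/2022:10:16:22 +0000] "GET /%2524%257Bognl-placeholder%257D/ HTTP/1.1" 302 0
"""


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markers are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def flag_ognl_requests(log_text):
    """Return (ip, decoded_uri, status) for requests whose URI contains an OGNL marker."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        uri = fully_decode(match.group("uri"))
        if "${" in uri:
            findings.append((match.group("ip"), uri, match.group("status")))
    return findings


if __name__ == "__main__":
    for ip, uri, status in flag_ognl_requests(SAMPLE_LOG):
        print(f"{ip} {status} {uri}")
```

Aggregating hits per source IP over time separates scanner noise from a source that returned repeatedly, which is the pattern worth prioritising for incident response.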

Landscape: Extortion Techniques Continue to Evolve

The cybercriminal group Industrial Spy was observed defacing the website of a French company on June 2nd, 2022 (15). The group claimed to have compromised the organization’s data and is allegedly threatening to release it onto “the market” unless it is “contacted” (16). The claim cannot be verified, but defacing the victim's own website is an aggressive technique the group uses to extort money from the targeted victim.

Cybercriminal groups continue to use and evolve extortion techniques to exert pressure on victims for financial gain. Recently, the ransomware group ALPHV created a dedicated website that allows employees and customers of a victim to check whether their data was compromised during the ransomware attack (17). The recently formed extortion group RansomHouse took responsibility for a ransomware attack against Shoprite Holdings, Africa’s largest supermarket chain, and used a common extortion technique: threatening to sell the victim’s data and, if no buyers were found, to publish it online for free (18).

Appendix

  1. https://twitter.com/h2jazi/status/1513870903590936586
  2. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
  3. https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
  4. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
  5. https://twitter.com/threatinsight/status/1531688214993555457
  6. https://twitter.com/threatinsight/status/1534227444915482625
  7. https://cert.gov.ua/article/160530
  8. https://cert.gov.ua/article/40559
  9. https://twitter.com/threatinsight/status/1532830739208732673
  10. https://twitter.com/threatinsight/status/1534227444915482625
  11. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware
  12. https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
  13. https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-deploy-avoslocker-cerber2021-ransomware/
  14. https://twitter.com/MsftSecIntel/status/1535417779960131584
  15. https://twitter.com/malwrhunterteam/status/1532325586508587008
  16. https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/
  17. https://www.bleepingcomputer.com/news/security/ransomware-gang-creates-site-for-employees-to-search-for-their-stolen-data/
  18. https://www.bleepingcomputer.com/news/security/extortion-gang-ransoms-shoprite-largest-supermarket-chain-in-africa/

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

You may also download the content in eiq_json, stix1_2 or stix2_1 format.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

© 2014 – 2022 EclecticIQ B.V.