Exploit Tools and Targets: Threat Actors Continue to Leverage the Follina Exploit
Multiple threat actors are leveraging the Microsoft Office vulnerability CVE-2022-30190, dubbed “Follina”, with the first samples identified in public repositories on April 12th, 2022 (1). Follina is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that allows an attacker to run arbitrary code with the same privileges as the calling application (2). An attacker can craft an Office document that uses the remote template feature to retrieve an HTML file, which in turn uses the MSDT vulnerability to load and execute code. The exploit works with macros disabled, and RTF documents leveraging this vulnerability trigger without the document being opened, through the preview pane in Windows Explorer (3). Updates are available to patch the vulnerability, and a workaround is available here (4).
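Two triage checks a defender can apply to the delivery chain described above, as an added example that is not part of the original bulletin: does an Office document carry an external remote-template relationship, and does the HTML it fetches reference the ms-msdt: handler. The sample document is constructed inline; the OOXML relationship path and type name are the standard ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace used in word/_rels/settings.xml.rels
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "attachedTemplate"
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def remote_template_targets(docx_bytes: bytes) -> list[str]:
    """Return HTTP(S) targets of external attachedTemplate relationships.

    Remote templates are a legitimate Word feature, so a hit is a triage
    signal to follow up on, not proof of malice on its own.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        target = rel.get("Target", "")
        if (rel.get("Type", "").endswith("/" + ATTACHED_TEMPLATE)
                and rel.get("TargetMode") == "External"
                and target.lower().startswith(("http://", "https://"))):
            hits.append(target)
    return hits


def html_invokes_msdt(html: str) -> bool:
    """True if fetched template HTML references the ms-msdt: handler."""
    return MSDT_SCHEME.search(html) is not None


def build_docx(template_target: str = "") -> bytes:
    """Build a minimal OOXML container (constructed sample for testing)."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org'
                 f'/officeDocument/2006/relationships/{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A non-empty result from remote_template_targets is the cue to retrieve the target in a sandbox and run html_invokes_msdt over it.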
Attacks leveraging the Follina vulnerability have been attributed to Russian and Chinese APT actors (5) and to criminal actors (6). The following activity has been observed exploiting CVE-2022-30190:
- TA413, a Chinese APT, has been observed exploiting the vulnerability to target the Tibetan government (5).
- Malicious exploit documents dropping CrescentImp and targeting Ukraine have been attributed with medium confidence to the group Sandworm (7).
- The exploit was leveraged in an attack targeting Ukraine that dropped a Cobalt Strike Beacon (8).
- European and US local government organizations were targeted with a phishing campaign using a malicious RTF document that eventually runs PowerShell (9).
- The criminal group TA570 has been using the Follina exploit to deliver Qbot payloads (10).
- An actor leveraged Follina to drop the remote access trojan (RAT) AsyncRAT.
Exploit Tools and Targets: Ransomware Affiliates Actively Exploit the Atlassian Confluence Server Vulnerability
Ransomware affiliates are actively exploiting CVE-2022-26134, an Object-Graph Navigation Language (OGNL) vulnerability in Atlassian Confluence Server and Data Center. It enables unauthenticated remote code execution (RCE), allowing an attacker to execute arbitrary code on a Confluence Server or Data Center instance (12). The vulnerability allows an attacker to send a specially crafted HTTP request with the payload located in the URI, which is then executed on the vulnerable server. The patch and mitigation details for the vulnerability are available here (12).
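Because the payload travels in the request URI, a Confluence front end's access log is a natural place to hunt for exploitation attempts. The script below is an added example, not part of the original bulletin: it URL-decodes each request path (payloads are often double-encoded) and flags the `${` delimiter that opens an OGNL expression. The log lines are constructed samples in combined log format; the `EXPR` placeholder stands in for any expression body.

```python
"""Hunt combined-format access logs for the OGNL-in-URI pattern of CVE-2022-26134."""
import re
from urllib.parse import unquote

# client - - [timestamp] "METHOD PATH PROTOCOL" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
OGNL_MARKER = "${"


def fully_decode(path: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing, bounded to avoid runaway loops."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_ognl_probe(path: str) -> bool:
    """True if the decoded request path contains an OGNL expression opener."""
    return OGNL_MARKER in fully_decode(path)


def scan_log(lines) -> list[dict]:
    """Return one record per suspicious request: source IP, timestamp, decoded path, status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ognl_probe(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": fully_decode(m["path"]), "status": int(m["status"])})
    return hits


# Constructed sample log lines (not real captures); the second one is the probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:14:01 +0000] "GET /login.action HTTP/1.1" 200 4812',
    '203.0.113.7 - - [03/Jun/2022:10:14:03 +0000] "GET /%24%7BEXPR%7D/ HTTP/1.1" 200 0',
    '198.51.100.2 - - [03/Jun/2022:10:15:00 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9913',
]
```

Feed real log lines into scan_log and pivot on the returned source IPs; the decoded path shows what the request actually carried.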
Multiple ransomware affiliates have been observed performing mass scanning and exploitation of vulnerable servers (13). The increase in activity correlates with the release of proof-of-concept (PoC) exploits for CVE-2022-26134 (13). Affiliates linked to the cybercriminal operations Cerber2021 (14) and Avos ransomware have been observed leveraging the Confluence vulnerability to gain access to victims' networks and execute ransomware (13). EclecticIQ analysts recommend that affected organizations prioritize patching vulnerable systems.
Landscape: Extortion Techniques Continue to Evolve
The cybercriminal group Industrial Spy was observed defacing the website of a French company on June 2nd, 2022 (15). The group claimed to have compromised the organization’s data and allegedly threatened to release it onto “the market” unless they were “contacted” (16). The claim cannot be verified, but the defacement is an aggressive technique the group uses to extort money from the targeted victim.
Cybercriminal groups continue to use and evolve their extortion techniques to pressure victims for financial gain. Recently, the ransomware group ALPHV created a dedicated website that allows employees and customers of a victim to check whether their data was compromised during the ransomware attack (17). The recently formed extortion group RansomHouse took responsibility for a ransomware attack against Shoprite Holdings, Africa’s largest supermarket chain. They used a common extortion technique: threatening to sell the victim’s data and, if there were no buyers, to publish it online for free (18).
Appendix
1. https://twitter.com/h2jazi/status/1513870903590936586
2. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
3. https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
4. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
5. https://twitter.com/threatinsight/status/1531688214993555457
6. https://twitter.com/threatinsight/status/1534227444915482625
7. https://cert.gov.ua/article/160530
8. https://cert.gov.ua/article/40559
9. https://twitter.com/threatinsight/status/1532830739208732673
10. https://twitter.com/threatinsight/status/1534227444915482625
11. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware
12. https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
13. https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-deploy-avoslocker-cerber2021-ransomware/
14. https://twitter.com/MsftSecIntel/status/1535417779960131584
15. https://twitter.com/malwrhunterteam/status/1532325586508587008
16. https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/
17. https://www.bleepingcomputer.com/news/security/ransomware-gang-creates-site-for-employees-to-search-for-their-stolen-data/
18. https://www.bleepingcomputer.com/news/security/extortion-gang-ransoms-shoprite-largest-supermarket-chain-in-africa/
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing research@eclecticiq.com, or fill in the EclecticIQ Audience Interest Survey to steer our research towards your priority area.