Developers of mercenary spyware seem to have been unusually active in their weaponisation of common vulnerabilities and exposures (CVEs) during July 2022 – according to research published this week by Recorded Future – although whether or not that is simply down to other threat actors being less busy during the summer months remains to be seen.
This is the third monthly vulnerability bulletin produced by the threat research team at Recorded Future’s Insikt Group – the first was published in June to coincide with the introduction of Microsoft’s automated patching service for enterprises, which has taken the sting out of Patch Tuesday for many.
Going forward, Recorded Future plans to publish its CVE monthly report on the first Tuesday of every month – Patch Tuesday continues to drop on the second Tuesday.
In its latest report, the research team said it had observed exploitation of newly disclosed zero-day vulnerabilities affecting both Microsoft and Google, in both cases to distribute spyware, which it said demonstrated an often close link between top-of-the-line spyware developers and new zero-days.
“On 4 July 2022, Google disclosed an actively exploited zero-day vulnerability, CVE-2022-2294, which affects Google Chrome,” the team said. “While the company did not disclose details about attacks involving this flaw, it was not long before exploitation was reported by others.
“Avast threat researchers (who had originally informed Google about the vulnerability) released a report on 21 July 2022, about a campaign in which Israeli spyware vendor Candiru exploited CVE-2022-2294 to deploy DevilsTongue spyware.
“Spyware was [also] associated with another zero-day vulnerability, this time for Microsoft. On 12 July 2022, Microsoft disclosed a zero-day vulnerability, CVE-2022-22047, that affects current versions of Windows and Windows Server. This vulnerability was exploited by the Austria-based mercenary threat group Knotweed to distribute its Subzero spyware.
“A second vulnerability, CVE-2022-30216, also affects current versions of Windows and Windows Server and has a very high CVSS score due to allowing remote code execution, but we have not yet seen exploitation attempts,” the researchers said.
Among the other more impactful vulnerabilities in July 2022 were a remote code execution (RCE) vulnerability in Apache Spark, tracked as CVE-2022-33891 – discovered by Databricks researcher Kostya Kortchinsky – exploitation of which was observed in the wild within 48 hours of disclosure, and an SQL injection vulnerability in the Django Python web framework, tracked as CVE-2022-34265.
July also saw continued high levels of exploitation of CVE-2022-30190, or Follina, a dangerous zero-click vulnerability in Microsoft Office which, left unchecked, allows a threat actor to execute PowerShell commands with no user interaction. Follina was disclosed at the end of May and fixed in the June Patch Tuesday update, but naturally remains unpatched by many.
“If we could have predicted any vulnerability to see high-profile exploitation after initial disclosure, it would have been Follina,” said the Recorded Future team.
“Sure enough, on 6 July 2022, Fortinet researchers released an analytic report on a phishing campaign using Follina to distribute the Rozena backdoor, a malware that allows attackers to completely take over Windows systems. Fortinet researchers observed adversaries using Rozena to inject a remote shell connection back to the attacker’s machine.”