Vulnerability exploitation tied to spyware picked up in July, with an unusually large share of observed intrusions connected to spyware, according to research by Recorded Future. Mercenary spyware vendors appear to have been unusually quick to weaponize newly disclosed vulnerabilities (CVEs). It is unclear, however, whether this reflects a real increase or simply other threat actors being less active over the summer.
The CVE report details the latest spyware activities
Spyware is malicious software installed on a device without the end user's knowledge or consent. Once on the device, it harvests sensitive information and internet usage data and sends it to advertisers, data brokers, or other third parties.
Spyware is contentious because, even when installed for seemingly innocuous reasons, it breaches the privacy of the end user and is easily abused.
It is one of the most common online threats. Once installed, it monitors internet traffic, captures login credentials, and eavesdrops on sensitive information. Commodity spyware is typically after credit card numbers, banking details, and passwords, whereas the mercenary spyware discussed below is deployed against specific targets.
This is the third monthly vulnerability bulletin from Recorded Future's Insikt Group threat research team. The first was released in June to coincide with the launch of Windows Autopatch, Microsoft's automated patching service for organizations, which has eased Patch Tuesday anxiety for many administrators.
The CVE monthly report will now be released by Recorded Future on the first Tuesday of each month, with Patch Tuesday continuing to be released on the second Tuesday.
In its most recent report, the research team said it had observed spyware being distributed with newly disclosed zero-day vulnerabilities affecting both Microsoft and Google products, which it said illustrates the close relationship between top-tier spyware developers and freshly disclosed zero-days.
“On July 4, 2022, Google disclosed an actively exploited zero-day vulnerability, CVE-2022-2294, which affects Google Chrome. While the company did not disclose details about attacks involving this flaw, it was not long before others reported exploitation,” the team explained.
On July 21, 2022, Avast threat researchers (who had reported the bug to Google) published a report detailing a campaign in which the Israeli spyware vendor Candiru used CVE-2022-2294, a heap buffer overflow in WebRTC that also affected other Chromium-based browsers, to deliver its DevilsTongue spyware.
Another zero-day, this time in Microsoft software, was also linked to spyware. On July 12, 2022, Microsoft patched CVE-2022-22047, an elevation-of-privilege flaw in the Windows Client/Server Runtime Subsystem (CSRSS) affecting current releases of Windows and Windows Server. Microsoft later attributed its exploitation to Knotweed, an Austria-based private-sector offensive actor it links to the company DSIRF, which used the bug for privilege escalation as part of the chain that deploys its Subzero malware.
“A second vulnerability, CVE-2022-30216, also affects current versions of Windows and Windows Server and has a very high CVSS score due to remote code execution, but we have not yet seen exploitation attempts,” the researchers said.
Other notable July 2022 vulnerabilities included CVE-2022-33891, a command injection in the Apache Spark UI (reachable when ACLs are enabled) that yields remote code execution (RCE). It was reported by Databricks researcher Kostya Kortchinsky, and exploitation attempts were seen in the wild within 48 hours of disclosure. Also on the list was CVE-2022-34265, a SQL injection in the Django Python web framework that is triggered when untrusted values reach the kind or lookup_name arguments of the Trunc() and Extract() database functions.
CVE-2022-30190, commonly known as Follina, is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) reachable through Office documents. It lets an attacker execute PowerShell commands with little or no user interaction (the RTF variant triggers from the Explorer preview pane), and it continued to see high levels of exploitation in July. Although Follina was made public at the end of May and fixed in the June Patch Tuesday update, many organizations still have not applied the patch.
“If we could have predicted any vulnerability to see high-profile exploitation after initial disclosure, it would have been Follina. Sure enough, on July 6, 2022, Fortinet researchers released an analytic report on a phishing campaign using Follina to distribute the Rozena backdoor. This malware allows attackers to take over Windows systems completely. Fortinet researchers observed adversaries using Rozena to inject a remote shell connection back to the attacker’s machine,” the Recorded Future team stated.
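The Follina delivery chain described above (an Office document or preview handler launching msdt.exe with an ms-msdt: URL that smuggles PowerShell into the PCWDiagnostic troubleshooter, after which sdiagnhost.exe runs the payload) maps onto a simple process-creation detection. The following is an added example, not code from Recorded Future, Fortinet, or the article: it runs three rules over constructed Sysmon-style events, assuming each event carries a parent image, an image, and a command line. The rule names and sample events are mine, and the payload strings are synthetic stand-ins for what public exploits send.

```python
import re

# Constructed Sysmon-style process-creation events (parent image, image,
# command line). Synthetic samples for illustration, not real telemetry
# from the article or from the vendors it cites.
SAMPLE_EVENTS = [
    # 0: ordinary Word launch, benign
    ("C:\\Windows\\explorer.exe",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docx"'),
    # 1: Follina via .docx: Word launches msdt.exe with an ms-msdt: URL whose
    #    IT_BrowseForFile parameter carries a PowerShell expression
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Windows\\System32\\msdt.exe",
     'C:\\WINDOWS\\system32\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force '
     '/param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu '
     'IT_BrowseForFile=$(Invoke-Expression("calc.exe"))'
     '/../../../../../../../../Windows/System32/mpsigstub.exe"'),
    # 2: user-launched network troubleshooter, benign
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\msdt.exe",
     "C:\\WINDOWS\\system32\\msdt.exe /id NetworkDiagnosticsNetworkAdapter"),
    # 3: preview-pane (.rtf) variant: same payload, but the parent is not an
    #    Office binary, so a parent-only rule would miss it (constructed)
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\msdt.exe",
     'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param '
     '"IT_BrowseForFile=$(IEX([Text.Encoding]::UTF8.GetString([Convert]::'
     'FromBase64String("Y2FsYw==")))) IT_AutoTroubleshoot=ts_AUTO"'),
    # 4: the diagnostic host executing the smuggled payload
    ("C:\\Windows\\System32\\sdiagnhost.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell.exe -c "Start-Process calc.exe"'),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# An ms-msdt: URL that carries a PowerShell expression: match the parameter
# the public exploits abuse, or the invoke-expression idioms they rely on.
MSDT_PAYLOAD = re.compile(
    r"ms-msdt:.*?(IT_BrowseForFile=\$\(|Invoke-Expression|\bIEX\b)",
    re.IGNORECASE | re.DOTALL,
)


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return the names of the detection rules that fire for one event."""
    parent, image, cmdline = event
    parent_name, name = image_name(parent), image_name(image)
    hits = []
    # Rule 1: an Office application should never need the diagnostic tool.
    if name == "msdt.exe" and parent_name in OFFICE_APPS:
        hits.append("office_spawns_msdt")
    # Rule 2: parent-agnostic; catches the preview-pane variant as well.
    if name == "msdt.exe" and MSDT_PAYLOAD.search(cmdline):
        hits.append("msdt_inline_payload")
    # Rule 3: the troubleshooting host spawning a shell is the execution stage.
    if parent_name == "sdiagnhost.exe" and name in SHELLS:
        hits.append("sdiagnhost_spawns_shell")
    return hits


def scan(events):
    """Map event index -> rule names that fired; events with no hits are omitted."""
    findings = {}
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[idx] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The parent-process rule is the high-confidence one, but on its own it misses the RTF preview-pane variant, where msdt.exe is not a child of an Office binary; that is why the command-line rule is parent-agnostic. Legitimate troubleshooters run their scripts inside sdiagnhost.exe, so a separate powershell.exe or cmd.exe child of that process is worth reviewing even when the earlier stages were not logged.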