Just two days after the nefarious CVE-2022-30190 aka Follina was revealed, security researchers report in-the-wild attacks leveraging the exploits to target state institutions of Ukraine. On June 2, 2022, CERT-UA issued a heads-up warning of an ongoing campaign spreading Cobalt Strike Beacon malware by exploiting Windows CVE-2021-40444 and CVE-2022-30190 zero-day vulnerabilities, which have been recently in the spotlight of the global cybersecurity community.
Cobalt Strike Beacon malware resurfaces to target Ukraine once again. This time, the nation-state actors utilize exploits for the novel Follina zero-day (CVE-2022-30190) and the notorious Microsoft MSHTML flaw (CVE-2021-40444) to proceed with attacks against the Ukrainian government and drop Cobalt Stike Beacon loaders to the systems of interest.
The Cobalt Strike Beacon malware has been frequently used by state-backed actors in campaigns against the Ukrainian government. CERT-UA experts highlighted multiple intrusions delivering this type of malware during March-June 2022.
Cyber-attacks leveraging the recently-revealed Follina zero-day tracked as CVE-2022-30190 showcase the accelerating speed the offense part incorporates into novel security gaps expanding the scope of its arsenal. It takes only hours for the new exploit to be included in the kill chain which means security performers should be swift in data exchange and addressing new challenges.
To proactively withstand the attack exploiting CVE-2021-40444 and CVE-2022-30190 zero-day vulnerabilities, tap into the power of collaborative cyber defense and download a set of dedicated Sigma rules available in the SOC Prime Platform. Detection algorithms for relevant vulnerabilities are tagged as #CVE-2021-40444 and #CVE-2022-30190 respectively. Make sure to log in or sign up for the SOC Prime Platform to access these detection rules:
Cyber defenders can also obtain a batch of curated threat hunting queries aimed at detecting the malicious activity associated with this latest campaign against the Ukrainian government. Follow the link below to take advantage of the dedicated hunting content filtered by the custom tag, which matches the relevant CERT-UA#4753 alert:
To boost threat investigation, security practitioners can run instant hunts in their environment using the above-referenced curated queries via SOC Prime’s Quick Hunt module.
To gain insights into the context of the most recent phishing cyber-attack on Ukrainian government officials spreading Cobalt Strike Beacon, the above-mentioned Sigma rules are aligned with the ATT&CK framework addressing relevant tactics and techniques:
Signed Binary Proxy Execution (T1218)
Hide Artifacts (T1564)
Obfuscated Files or Information (T1027)
Hijack Execution Flow (T1574)
Template Injection (T1221)
Modify Registry (T1112)
Process Injection (T1055)
Command and Scripting Interpreter (T1059)
User Execution (T1204)
Exploitation for Client Execution (T1203)
Exploitation of Remote Services (T1210)
Command and Control
Data Obfuscation (T1001)
Ingress Tool Transfer (T1105)