Spyware activity particularly impactful in July

Mercenary spyware developers appear to have been exceptionally active in their weaponization of Common Vulnerabilities and Exposures (CVEs) in July 2022 – according to research published this week by Recorded Future – although this is simply due to the fact that other actors in the threat are less busy during the summer months remains to be seen.
This is the third monthly vulnerability bulletin produced by Recorded Future’s Insikt Group Threat Research Team – the first was released in June to coincide with the introduction of Microsoft’s automated patching service for businesses, which brought relief to Patch Tuesday for many.
In the future, Recorded Future plans to release its monthly CVE report on the first Tuesday of each month – Patch Tuesday continues to drop on the second Tuesday.
In its latest report, the research team said it observed the exploitation of recently disclosed zero-day vulnerabilities affecting both Microsoft and Google, in both cases to distribute spyware, which it says demonstrates a often close connection between high-end spyware developers and new zero-days.
“On July 4, 2022, Google disclosed an actively exploited zero-day vulnerability, CVE-2022-2294, which affects Google Chrome,” the team said. “While the company did not disclose details of attacks involving this flaw, it was not long before the exploit was reported by others.
“Avast threat researchers (who originally notified Google of the vulnerability) published a report on July 21, 2022, on a campaign in which Israeli spyware vendor Candiru exploited CVE-2022-2294 to deploy the DevilsTongue spyware.
“Spyware was [also] associated with another zero-day vulnerability, this time for Microsoft. On July 12, 2022, Microsoft disclosed a zero-day vulnerability, CVE-2022-22047, which affects current versions of Windows and Windows Server. This vulnerability was exploited by Austrian mercenary threat group Knotweed to distribute its Subzero spyware.
“A second vulnerability, CVE-2022-30216, also affects current versions of Windows and Windows Server and has a very high CVSS score because it allows remote code execution, but we have not yet seen any attempts to ‘exploitation,’ the researchers said.
Among the other most impactful vulnerabilities in July 2022 was a remote code execution (RCE) vulnerability in Apache Spark, tracked as CVE-2022-33891 – discovered by Databricks researcher Kostya Kortchinsky – which was exploited. observed in the wild within 48 hours of disclosure, and a SQL injection vulnerability in the Django Python web framework, tracked as CVE-2022-34265.
July also saw high levels of exploitation of CVE-2022-30190, or Follina, a dangerous no-click vulnerability in Microsoft Office that, if left unchecked, allows a malicious actor to execute PowerShell commands without user interaction. Follina was leaked in late May and patched in the June Patch Tuesday update, but understandably remains unpatched by many.
“If we could have predicted a vulnerability to see a high profile exploit after the initial disclosure, it would have been Follina,” the Recorded Future team said.
“Indeed, on July 6, 2022, Fortinet researchers published an analytical report on a phishing campaign using Follina to distribute the Rozena backdoor, malware that allows attackers to completely take control of Windows systems. Fortinet researchers have observed adversaries using Rozena to reinject a remote shell login to the attacker’s machine.