CyberArk Labs’ 2022 Threat Research in Review

January 3, 2023 Andy Thompson

Cyber defenders need timely, accurate threat intelligence to protect their organizations. This is what drives our CyberArk Labs team to produce innovative research, expose new attack methods and encourage greater industry collaboration.

While there was no shortage of material to work with last year, here’s a quick look at CyberArk Labs’ 2022 threat research highlights reel:

1. Analyzing Conti Group TTPs and Why They Matter

In 2022, the Ukraine conflict drove increased attacks against critical infrastructure – including those using destructive HermeticWiper malware – along with deeper scrutiny of certain criminal gangs. After a Conti ransomware group member leaked troves of sensitive inside information, CyberArk Labs was one of the first to analyze content on the group’s tactics, techniques and procedures (TTPs) and their significance. Within a few months of the leak, Conti disbanded, though many of its former members are still at work today.

2. Extracting Clear-Text Credentials From Chromium’s Memory

Attackers and credential-stealing malware often target browsers (which seemingly know everything about us) to compromise stored credentials and session cookies. A hijacked session cookie represents an already-authenticated session, so replaying it lets a threat actor bypass multifactor authentication (MFA) and single sign-on (SSO) and reach critical business applications. In 2022, CyberArk Labs researchers discovered a new technique for extracting this sensitive data directly from the Chromium browser’s memory and designed a credential protection plan to aid defenders.

3. Hunting for PwnKits in Linux

The PwnKit vulnerability, CVE-2021-4034 – a critical local privilege escalation flaw in Polkit’s setuid pkexec utility – continues to generate significant attention nearly a year after public disclosure. Industry researchers and government agencies urge teams to address it if they haven’t already. Security teams can use the PwnKit-Hunter tool to scan Linux-based machines for the Polkit vulnerability, and browse this library for other free threat hunting tools developed by CyberArk Labs.

4. Attacking RDP From the Inside: The Leaky Named Pipes Saga

RDP is an extremely popular protocol for remote access to Windows machines, and an ongoing focus area for CyberArk Labs. In early 2022, the team uncovered a vulnerability in how RDP handles named pipes; abusing it enabled smart card hijacking, unauthorized access to the client machine’s file system and more. Our team reported the vulnerability to Microsoft in a coordinated disclosure process and a patch was released. However, CyberArk Labs then identified an attack vector that the fix did not address, leaving the vulnerability exploitable under certain conditions. Learn more about this unconventional attack vector and the latest patch that addresses these findings.

5. Digging Into Decentralized Identity: The Good, the Bad and the Ugly

Years of problematic passwords and endemic identity fraud highlight the need for stronger, more secure authentication methods. Decentralized identity (DID) offers some exciting possibilities — but it also presents new attack surfaces. In this two-part research piece, CyberArk Labs explores key DID concepts, benefits and security considerations and a critical vulnerability uncovered in Sovrin, the most popular DID network in production.

6. Analyzing Malware: Exploring Matanbuchus and Fantastic Rootkits (and Where to Find Them)

Threat research and red teaming discoveries often lead to new detections, which prompt new bypasses, which in turn expose more detection opportunities… it’s a game that never ends. In parts one and two of CyberArk Labs’ malware analysis using hook heaps, stomps and return addresses, you’ll see why threat research is as much about the journey as it is about the destination. While you’re at it, take an inside look at the quirky Matanbuchus loader’s tricks and loading techniques. And finally, in this in-depth rootkits research, explore highly evasive malware, how rootkits are built and where to find them.

7. Abusing Terminal Emulators with ANSI Escape Characters

Speaking of threat research twists and turns, what started out as a project on terminal emulators took a sharp turn when CyberArk Labs discovered a remote denial of service (DoS) vulnerability by abusing a Windows system call indirectly. Things snowballed from there, with their research leading to nine total vulnerabilities in different terminals. Buckle up – you’re in for a wild ride.
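The underlying abuse class here is that a terminal interprets, rather than displays, escape sequences embedded in untrusted text (usernames, filenames, log lines, command output). The practitioner's counterpart is to neutralize such sequences before anything untrusted is written to a terminal, and to treat their presence as a signal. The script below is an added example, not code from the original post or from CyberArk Labs' research: the log lines are constructed, and the patterns cover CSI, OSC, nF and two-byte Fe escape sequences plus raw C0/C1 control bytes; it makes no claim about the specific terminal vulnerabilities the research found.

```python
import re

# Escape sequences that terminal-injection tricks rely on (ESC = 0x1b).
# Alternatives are ordered so that "ESC [" is consumed as a complete CSI
# sequence before the generic two-byte "ESC + Fe" rule can claim it.
_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final
    r"|\x9b[0-?]*[ -/]*[@-~]"              # 8-bit CSI (C1 byte 0x9b)
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... terminated by BEL or ST (ESC \)
    r"|\x1b[ -/]+[0-~]"                    # nF escapes: ESC intermediates final
    r"|\x1b[@-_]"                          # remaining Fe escapes: ESC + 0x40..0x5f
)

# C0 controls other than \n and \t, plus DEL and the C1 range: \r and
# backspace can rewrite a line, and C1 bytes can start 8-bit sequences.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def strip_escape_sequences(text: str) -> str:
    """Remove recognised escape sequences, keeping the visible text."""
    return _ESCAPE_RE.sub("", text)


def neutralize(text: str) -> str:
    """Make untrusted text safe to write to a terminal: strip escape
    sequences, then render any remaining control byte as a visible \\xNN
    so it cannot move the cursor or overwrite earlier output."""
    stripped = strip_escape_sequences(text)
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), stripped)


def is_terminal_injection(text: str) -> bool:
    """True when the text carries anything a terminal would interpret
    rather than display; usable as a detection signal at log ingestion."""
    return neutralize(text) != text


# Constructed sample input (not real log data).
SAMPLE_LOG_LINES = [
    "2022-11-02T10:15:01Z sshd[1042]: Accepted publickey for deploy from 10.0.0.5",
    # attacker-chosen username: clears the line, then prints a fake green "[OK]"
    "2022-11-02T10:15:07Z sshd[1043]: Failed password for invalid user "
    "x\x1b[2K\x1b[1;32m[OK] login succeeded\x1b[0m from 10.0.0.99",
    # OSC 8 hyperlink hiding a URL behind the word "docs", then a carriage
    # return so that "HIDDEN" overwrites the start of the line on screen
    "see \x1b]8;;http://attacker.example/payload\x1b\\docs\x1b]8;;\x1b\\ now\rHIDDEN",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        flag = "SUSPICIOUS" if is_terminal_injection(line) else "clean"
        print(f"{flag:10} raw={line!r}")
        print(f"{'':10} safe={neutralize(line)!r}")
```

Stripping (rather than escaping) recognised sequences keeps the visible text readable, while rendering leftover control bytes as `\xNN` keeps them visible to an analyst; an unterminated OSC is deliberately not swallowed to the end of the line, so a stray `ESC ]` is dropped as a two-byte escape and the text after it is preserved.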

8. Uncovering Weaknesses in Cloud-Native Tech Stacks

Many of CyberArk Labs’ 2022 projects focused on modern DevOps methods and their potential areas of risk. For instance, the team discovered an insufficient-permission-handling vulnerability in Docker Engine during a Linux exploration. They also created a new open-source GUI tool, “RPCMon,” based on Windows container communication research, which monitors RPC calls and shows their function names. And, most recently, the team analyzed a vulnerability in Istio to help organizations better understand service mesh concepts, Istio gateways and how to avoid potentially dangerous caching pitfalls.

9. Trusting RPA Bots With Heavily Guarded Secrets: Have We Gone too Far?

Industries from healthcare to financial services use robotic process automation (RPA) to automate repetitive tasks and free up humans to focus on more meaningful work. But when they do, credentials and secrets for enterprise applications are placed in the “hands” of robots. Can these RPA bots really be trusted? Our team dug in to find out. Here’s what they learned.

10. Researching Third-Party Linux Kernel Drivers: It’s All Fun and Games Until …

Since our CyberArk Labs team loves gaming almost as much as we love finding bugs, we recently analyzed an open-source Linux driver that supports popular gaming devices. We found a buffer overflow vulnerability that could be exploited for a denial of service and possibly elevation of privilege – a significant finding given the vast number of people using these products around the world.

11. Strengthening the Cybersecurity Community as a CVE Numbering Authority

And finally, to further enhance our ability to share accurate, timely threat intelligence with the cybersecurity community, CyberArk Labs was designated by the CVE Program as a CVE Numbering Authority (CNA). As a CNA, CyberArk Labs is now authorized to assign CVE IDs to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. And we’re in great company: According to a SecurityWeek analysis, more than 50 new CNAs were added in 2022, bringing the total to 260 CNAs across 35 countries – all united by a shared commitment to advancing global cybersecurity collaboration.

What CyberArk Labs and the broader threat research community uncovered in the last 12 months may be just the tip of the iceberg – which is why we can’t let up on efforts to support ongoing awareness and cybersecurity vigilance. With 2022 in the rear view, we’re gearing up for an eventful year ahead. Read our 2023 cybersecurity predictions and follow the CyberArk Threat Research Blog for the latest CyberArk Labs projects.
