This posting is here to collect cyber security news in May 2022.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
408 Comments
Tomi Engdahl says:
Costa Rica’s public health agency hit by Hive ransomware https://www.bleepingcomputer.com/news/security/costa-rica-s-public-health-agency-hit-by-hive-ransomware/
All computer systems on the network of Costa Rica’s public health service (known as Costa Rican Social Security Fund or CCCS) are now offline following a Hive ransomware attack that hit them this morning.
Hive, a Ransomware-as-a-Service (RaaS) operation active since at least June 2021, has been behind attacks on over 30 organizations, counting only the victims who refused to pay the ransom and had their data leaked online.
Tomi Engdahl says:
Microsoft Confirms Exploitation of ‘Follina’ Zero-Day Vulnerability
https://www.securityweek.com/microsoft-confirms-exploitation-follina-zero-day-vulnerability
Microsoft has confirmed that Windows is affected by a zero-day vulnerability after researchers warned of exploitation in the wild.
The security hole, now tracked as CVE-2022-30190, came to light after a researcher who uses the online moniker “nao_sec” reported finding a malicious Word file designed to execute arbitrary PowerShell code. The file was uploaded to VirusTotal from Belarus.
Researcher Kevin Beaumont, who was among the first to analyze the exploit, decided to name it “Follina” because the malicious file references 0438, the area code for the Italian village of Follina.
It was revealed on Monday that Microsoft has known about the vulnerability since April, when it was notified by “CrazymanArmy” of the Shadow Chaser Group, a research team focusing on APT hunting and analysis.
It appears that Microsoft initially classified it as “not a security related issue,” despite the researcher informing the company in April that a sample exploiting it had been seen in the wild. The tech giant later informed the researcher that the “issue has been fixed,” but a patch does not appear to be available.
Follina was initially described as a Microsoft Office zero-day vulnerability, but Microsoft says it actually affects the Microsoft Support Diagnostic Tool (MSDT), which collects information that is sent to Microsoft support.
Tomi Engdahl says:
Kate Brumback / Associated Press:
CISA says Dominion’s voting machines used in at least 16 states have nine vulnerabilities that have not been exploited, and suggests mitigation measures — ATLANTA (AP) — Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave …
https://apnews.com/article/2022-midterm-elections-technology-georgia-election-2020-a746b253f3404dbf794349df498c9542
Tomi Engdahl says:
Cyber Agency: Voting Software Vulnerable in Some States
https://www.securityweek.com/cyber-agency-voting-software-vulnerable-some-states
Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nation’s leading cybersecurity agency says in an advisory sent to state election officials.
The U.S. Cybersecurity and Infrastructure Agency, or CISA, said there is no evidence the flaws in the Dominion Voting Systems’ equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to false allegations of a stolen election pushed by former President Donald Trump after his 2020 election loss.
The advisory, obtained by The Associated Press in advance of its expected Friday release, details nine vulnerabilities and suggests protective measures to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA seems to be trying to walk a line between not alarming the public and stressing the need for election officials to take action.
CISA Executive Director Brandon Wales said in a statement that “states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely.” Yet the advisory seems to suggest states aren’t doing enough. It urges prompt mitigation measures, including both continued and enhanced “defensive measures to reduce the risk of exploitation of these vulnerabilities.” Those measures need to be applied ahead of every election, the advisory says, and it’s clear that’s not happening in all of the states that use the machines.
Tomi Engdahl says:
Costa Rica Public Health System Targeted by Ransomware
https://www.securityweek.com/costa-rica-public-health-system-targeted-ransomware
Another attempted hacking of a Costa Rican government agency’s computer system led the country’s public health agency to shut down its systems Tuesday to protect itself, complicating the medical care of thousands of people.
At least 30 of the Social Security agency’s 1,500 servers were infected with ransomware, according to the government.
The latest breach follows an attack by the Russian-speaking Conti gang in April. That ransomware attack targeted multiple Costa Rican government agencies, especially its finance ministry, which still has not recovered control of some of its systems.
This time the attack appeared to come from another ransomware gang known as “Hive.”
Tomi Engdahl says:
Code execution 0-day in Windows has been under active exploit for 7 weeks | Ars Technica
https://arstechnica.com/information-technology/2022/05/code-execution-0day-in-windows-has-been-under-active-exploit-for-7-weeks/
A critical code execution zero-day in all supported versions of Windows has been under active exploit for seven weeks, giving attackers a reliable means for installing malware without triggering Windows Defender and a roster of other endpoint protection products.
The Microsoft Support Diagnostic Tool vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. A response dated April 21, however, informed the researchers that the Microsoft Security Response Center team didn’t consider the reported behavior a security vulnerability because, supposedly, the MSDT diagnostic tool required a password before it would execute payloads.
On Monday, Microsoft reversed course, identifying the behavior with the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constituted a critical vulnerability after all.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” the advisory stated. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
No, Protected View won’t save you
Normally, Word is set up to load content downloaded from the Internet in what’s known as protected view, a mode that disables macros and other potentially harmful functions. For reasons that aren’t clear, Beaumont said, if the document is loaded as a Rich Text Format file, it “runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”
At the time of this story’s publication, Microsoft had yet to issue a patch. Instead, it was advising customers to disable the MSDT URL Protocol by:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
Although initially missed by Microsoft, the vulnerability was again spotted when a researcher identified a Word document uploaded to VirusTotal on Friday that exploited the previously unknown attack vector.
Windows MSDT zero-day now exploited by Chinese APT hackers
https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/
Chinese-linked threat actors are now actively exploiting a Microsoft Office zero-day vulnerability (known as ‘Follina’) to execute malicious code remotely on Windows systems.
This Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution flaw (tracked as CVE-2022-30190) impacts all Windows client and server platforms still receiving security updates (Windows 7 or later and Windows Server 2008 or later).
Shadow Chaser Group’s crazyman, the researcher who first reported the zero-day in April, said Microsoft initially tagged the flaw as not a “security-related issue”; however, it later closed the vulnerability submission report with a remote code execution impact.
Actively exploited in the wild
The TA413 APT group, a hacking outfit linked to Chinese state interests, has adopted this vulnerability in attacks against their favorite target, the international Tibetan community.
As observed on May 30 by Proofpoint security researchers, they’re now using CVE-2022-30190 exploits to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives.
“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique,” enterprise security firm Proofpoint revealed today.
“Campaigns impersonate the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.”
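The three-step registry workaround quoted above (back up HKEY_CLASSES_ROOT\ms-msdt, then delete it) is easy to get wrong when rolled out by hand: the backup is skipped, or the delete is run without checking the export succeeded. The script below is an added example, not code from the Ars Technica or BleepingComputer articles nor from Microsoft, that performs the same mitigation for CVE-2022-30190 with an elevation check, a verified backup before the delete, a post-delete check, and a restore function for when the real patch lands. The function names and the backup file location are this example's own assumptions; the registry key and the reg.exe commands are the ones the article quotes.

```powershell
# Added example (not from the article or from Microsoft): apply the
# CVE-2022-30190 workaround of removing the ms-msdt URL protocol handler,
# with backup, verification and a restore path. Function names and the
# backup file location are assumptions made for this example.

function Test-IsElevated {
    # Step 1 of the workaround requires an Administrator session
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-MsdtUrlProtocol {
    param(
        # Backup location is an assumption for this example; pick one that survives reboots
        [string]$BackupPath = (Join-Path $env:ProgramData 'ms-msdt-backup.reg')
    )
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated PowerShell session (step 1 of the workaround).'
    }
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if (-not (Test-Path $key)) {
        Write-Output 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # Step 2: export the key first so it can be restored once a patch is installed
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Backup to $BackupPath failed; refusing to delete the key without it."
    }
    # Step 3: remove the handler so ms-msdt: URLs no longer launch msdt.exe
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-Path $key) {
        throw 'reg delete returned but the key still exists; mitigation not applied.'
    }
    Write-Output "ms-msdt handler removed; backup saved to $BackupPath"
}

function Restore-MsdtUrlProtocol {
    # Reverse the workaround from the saved .reg file after patching
    param([string]$BackupPath = (Join-Path $env:ProgramData 'ms-msdt-backup.reg'))
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if (-not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')) {
        throw 'reg import returned but the key did not come back.'
    }
    Write-Output 'ms-msdt handler restored.'
}

# Apply the workaround; run Restore-MsdtUrlProtocol once the fix is installed
Disable-MsdtUrlProtocol
```

This is a workaround, not a patch: it only stops the ms-msdt: URL scheme from reaching msdt.exe, so keep the backup and run Restore-MsdtUrlProtocol after the security update is applied.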
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmware-servers-with-log4shell-exploits/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/national-bank-hit-by-ransomware-trolls-hackers-with-dick-pics/