This posting is here to collect cyber security news in May 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
408 Comments
Tomi Engdahl says:
Microsoft Azure Vulnerability Allowed Code Execution, Data Theft
https://www.securityweek.com/microsoft-azure-vulnerability-allowed-code-execution-data-theft
Microsoft on Monday shared information on patches and mitigations for a vulnerability impacting Azure Data Factory and Azure Synapse Pipelines.
Tracked as CVE-2022-29972, the security hole was identified in the third-party Open Database Connectivity (ODBC) data connector used in Integration Runtime (IR) in the affected Azure services to connect to Amazon Redshift.
A remote attacker could have exploited the flaw to execute arbitrary commands across the IR infrastructure, impacting multiple tenants, the tech giant explains.
Microsoft notes that the issue allowed a user running jobs in a Synapse pipeline to execute remote commands, potentially acquiring the Azure Data Factory service certificate and running commands in another tenant’s Data Factory IR.
“These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse,” Microsoft explains.
Tomi Engdahl says:
Adobe Warns of ‘Critical’ Security Flaws in Enterprise Products
https://www.securityweek.com/adobe-warns-critical-security-flaws-enterprise-products
Software maker Adobe on Tuesday shipped patches to cover at least 18 serious security defects in multiple enterprise-facing products and warned that unpatched systems are at risk of remote code execution attacks.
As part of its planned ‘Patch Tuesday’ release cycle, Adobe warned of critical vulnerabilities found and fixed in the FrameMaker document processor, the InCopy and InDesign suites, the Character Animator motion capture tool and the Adobe ColdFusion platform.
Tomi Engdahl says:
Politico:
Leaked proposal: the European Union plans to release a draft law this week that requires tech companies to scan for CSAM and threatens end-to-end encryption — Brussels is bracing for one of its biggest and most emotional tech fights yet as companies face stringent new rules to clamp down on sexual abuse material.
Brussels braces for tense tech fight over child sex abuse content
https://www.politico.eu/article/brussels-braces-for-tense-tech-fight-on-law-to-crack-down-on-child-porn/
The Commission is set to release a rulebook that could force digital companies to detect, remove and report illegal images of child sexual abuse.
Brussels is bracing for one of its biggest and most emotional tech fights yet as companies face stringent new rules to clamp down on sexual abuse material.
The Commission is expected to release a draft law this week that could require digital companies like Meta Platforms, Google and Apple to detect, remove and report illegal images of abuse to law enforcement under threat of fines.
According to a leak of the proposal obtained by POLITICO on Tuesday, the Commission said voluntary measures taken by some platforms have so far “proven insufficient” to address the misuse of online services for the purposes of child sexual abuse.
The rulebook comes as child protection hotlines report a record amount of disturbing content circulating online during the coronavirus pandemic. Europe is a hot spot for hosting such content, with 62 percent of the world’s illegal images located on European data servers in 2021.
The law has already been delayed by a year due to complex negotiations on a temporary bill that clarified that tech companies can voluntarily check for child abuse on their platforms. There was also internal pushback within the Commission over concerns on how legislation will affect privacy.
After months of lobbying, tech companies and children’s rights organizations are anxiously waiting to see how drastic the rules will be.
“There’s a mountain of undetected suffering underneath and if it’s voluntary, companies can change their policies whenever they like, which is why I want to make detection of child sexual abuse mandatory,” said the Swedish politician on April 25 at an event organized by a child protection group, WeProtect Global Alliance.
Digital rights activists are deeply worried that the rules could severely weaken privacy, at a time when law enforcement and national governments are pushing hard to find ways around encrypted messaging services.
Privacy fears
All eyes this week will be on the requirements for digital companies to look for illegal pictures of sexual abuse amid the vast amounts of content circulating on their platforms and in conversations on apps and messaging services.
“On the one hand, we’re excited to hear what the alternatives are that the Commission would like to suggest, but on the other hand, we’re worried about what that actually means,” said Siada El Ramly, director general of Dot Europe, a tech lobby representing tech firms like Apple, Meta Platforms, Google and TikTok.
El Ramly and her members are keen to see how the Commission plans to ensure the rules work with a prohibition on general monitoring, a practice — deemed illegal by the Court of Justice of the European Union — where tech companies would scan every single piece of user-generated content.
“The idea that all the hundreds of millions of people in the EU would have their intimate private communications, where they have a reasonable expectation that that is private, to instead be kind of indiscriminately and generally scanned 24/7 is unprecedented,” said Ella Jakubowska, policy adviser at European Digital Rights (EDRi), a network of 45 nongovernmental organizations.
Beyond the scanning of content, activists as well as tech companies, are concerned that the EU executive could seek to create backdoors to end-to-end encrypted messaging services, where secure conversations cannot be intercepted, which offers protection for journalists, lawyers and NGOs, especially in authoritarian countries.
“Abusers hide behind the end-to-end encryption; it’s easy to use but nearly impossible to crack, making it difficult for law enforcement to investigate and prosecute crimes,” said Johansson at the April 25 event.
The commissioner said technical solutions existed to keep conversations safe while finding illegal content, something that many cybersecurity experts doubt given the state of technology.
“The EU shouldn’t be proposing things that are technologically impossible,” said Jakubowska.
The stage is now set for a tough battle between privacy advocates and law enforcement hawks. Reacting to the leak of the proposal, centrist Renew Europe MEP Moritz Körner said the Commission’s proposal would mean “the privacy of digital correspondence would be dead.”
Yet, for child protection organizations, the law is strongly needed.
Tomi Engdahl says:
Windows is under attack – the fix arrived late, install it right away https://www.is.fi/digitoday/tietoturva/art-2000008809333.html
Tomi Engdahl says:
Critical F5 BIG-IP vulnerability exploited to wipe devices https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices/
A recently disclosed F5 BIG-IP vulnerability has been used in destructive attacks, attempting to erase a device’s file system and make the server unusable.
Tomi Engdahl says:
New post-exploitation threat deployed on Microsoft Exchange servers is spotted by researchers https://therecord.media/iceapple-post-exploitation-malware-microsoft-crowdstrike/
Recently discovered malware that helps attackers capture, move and delete data is aimed at organizations' Microsoft Exchange servers and has the capability to expand into other web applications, researchers at CrowdStrike reported Wednesday. The threat, dubbed IceApple, is used for post-exploitation tasks, the researchers said, meaning that it does not provide access; rather it is used to further mission objectives after access has already been achieved. See also https://www.crowdstrike.com/blog/falcon-overwatch-detects-iceapple-framework/
Tomi Engdahl says:
IT partner fumbled with a network drive: building technology giant suffered a data breach
https://www.tivi.fi/uutiset/tv/07e63bd6-be99-47b6-b509-4a2ceeaec077
The network drive was left without proper protection for months because of an error made by Are's IT service provider. See also
https://www.are.fi/media/#/news/aren-palkkahallinnon-tiedoissa-tietoturvaloukkaus-447643
Tomi Engdahl says:
Canadian fighter jet training company investigating ransomware attack https://therecord.media/top-aces-ransomware-attack-lockbit/
A Canadian company that supplies fighter jets for airborne training exercises has been hit with a ransomware attack. The Montreal-based firm, which said it is the exclusive adversary air provider to the Canadian and German armed forces, showed up on the leak site for the LockBit ransomware group.
Tomi Engdahl says:
Malicious NPM Packages Target German Companies in Supply Chain Attack https://thehackernews.com/2022/05/malicious-npm-packages-target-german.html
Cybersecurity researchers have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent media, logistics, and industrial firms based in Germany to carry out supply chain attacks.
Tomi Engdahl says:
Alleged Iranian hackers caught targeting Jordan's foreign ministry https://therecord.media/apt34-oilrig-iran-jordan-email-campaign-malwarebytes/
Cybersecurity researchers with Malwarebytes said they discovered a malicious email targeting a government official at Jordan's foreign ministry, and it appeared to originate from a prolific threat group allegedly based in Iran.
Tomi Engdahl says:
HP fixes bug letting attackers overwrite firmware in over 200 models https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attackers-overwrite-firmware-in-over-200-models/
HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with Kernel privileges.
Tomi Engdahl says:
Ransomware Deals Deathblow to 157-year-old College https://threatpost.com/ransomware-deathblow-college/179574/
Why a private college that stayed in business for 157 years had to close after the combo of COVID-19 and ransomware proved too much.
Illinois-based Lincoln College was established during the U.S. Civil War. Since then it has weathered two world wars, the Spanish Flu, the Great Depression, the Great Recession and a devastating fire. But two things it couldn’t survive?
A ransomware attack and financial pressures tied to the impact of COVID-19 on its enrollment.
It’s a warning sign for academic institutions around the country that have been disproportionately targeted by ransomware attacks. That’s why some universities are now taking new and remarkable measures to protect themselves against the threat of ransomware attacks.
The Ransomware Attack
In a March letter posted online and authored by Lincoln President David Gerlach, he explained the school’s plight.
“The institution experienced record-breaking student enrollment in Fall 2019, with residence halls at maximum capacity,” he explained. But then, of course, “the coronavirus pandemic dramatically impacted recruitment and fundraising efforts.”
Thus the 157-year-old college was in an already precarious financial state when, in Dec. 2021, it fell prey to ransomware.
The attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections. All systems required for recruitment, retention, and fundraising efforts were inoperable.” In an interview with The Chicago Tribune last month, Gerlach admitted that the college paid their ransom – under $100,000 – to their Iranian hackers. They got their data back, but it took months longer to fully restore their IT systems.
According to Emsisoft, over 1,000 U.S. schools were targeted with ransomware last year alone – more than any other sector besides healthcare.
Clearly colleges, many cash strapped like Lincoln, aren’t goldmines. So why are cyber attackers targeting the education sector so relentlessly?
Part of what makes schools attractive targets is the troves of unique and sensitive data they possess. As Edward Vasko, director at the Boise State Institute for Pervasive Cybersecurity, explained via email:
“The data captured and stored by schools includes not only personally identifiable information (PII) of students, faculty and staff, but also PII of parents, donors and other partners of the school. This treasure trove of data, if captured and held for ransom, can easily bring an institution to its knees.”
There’s also the problem of pain tolerance. As Lincoln demonstrated, recovery from ransomware attacks is a monthslong process, even after a ransom is paid.
How Schools Can Defeat Attackers
Schools face many unique cyber challenges, yet lack the resources to defend against them.
There’s no way to solve the first half of that problem without fundamentally hindering how schools operate. That’s why some academic institutions are focusing on the second half.
“One option open to schools and universities without significant endowments is to pool their resources and partner with other entities,” wrote Scott Shackelford, professor in the Kelley School of Business at Indiana University (IU), via email. IU runs a cyber response center called OmniSOC.
Tomi Engdahl says:
Intel Memory Bug Poses Risk for Hundreds of Products https://threatpost.com/intel-memory-bug-poses-risk-for-hundreds-of-products/179595/
Dell and HP were among the first to release patches and fixes for the bug.
Chipmaker Intel is reporting a memory bug impacting microprocessor firmware used in “hundreds” of products. According to an advisory issued by the company on Tuesday, the bug is firmware-based and rated as “high” risk with a Common Vulnerability Scoring System (CVSS) score of 7.
The vulnerability resides inside some of the Intel Optane SSD and Intel Optane Data Center (DC) products, the impact of which allows privilege escalation, denial of service (DoS), or information disclosure.
“Potential security vulnerabilities in some Intel Optane SSD and Intel Optane SSD Data Center products may allow escalation of privilege, denial of service or information disclosure,” reported Intel.
Tomi Engdahl says:
Novel Phishing Trick Uses Weird Links to Bypass Spam Filters https://threatpost.com/novel-phishing-trick-uses-weird-links-to-bypass-spam-filters/179587/
A novel form of phishing takes advantage of a disparity between how browsers and email inboxes read web domains.
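The comment above does not spell out which parsing disparity the article means. As an added illustration (my own code, not from the Threatpost article or the researchers it cites), the block below assumes one well-known instance of such a disparity: a simplistic filter reads the first domain-looking token after `://`, while a browser follows RFC 3986 and treats everything before an `@` as userinfo, connecting to the host that comes after it. The sample message text and hostnames are constructed; the check flags any link where the two readings disagree.

```python
"""
Detect links whose "apparent" host (as a naive filter reads it) differs from
the host a browser will actually connect to.  Added example, not code from the
original page.  The '@' userinfo trick below is an assumed instance of the
browser-vs-filter disparity; sample text and hostnames are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Crude link extractor, enough for the constructed sample below.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def naive_host(url: str) -> str:
    """How a simplistic filter might read the domain: the first run of
    host characters right after the scheme, stopping at '@', ':' or '/'."""
    m = re.match(r"https?://([A-Za-z0-9.-]+)", url)
    return m.group(1).lower() if m else ""


def browser_host(url: str) -> str:
    """How a browser reads it (RFC 3986): anything before '@' in the authority
    is userinfo, so the real host is whatever follows the last '@'."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def suspicious_links(text: str) -> List[Tuple[str, str, str]]:
    """Return (url, apparent_host, real_host) for every link whose two
    readings disagree; an empty list means no disparity was found."""
    findings = []
    for url in URL_RE.findall(text):
        apparent, real = naive_host(url), browser_host(url)
        if apparent != real:
            findings.append((url, apparent, real))
    return findings


# Constructed sample e-mail body: one deceptive link, one ordinary link.
SAMPLE_BODY = (
    "Your password expires today. Reset it at "
    "https://login.bank.example@evil.test/reset within 24 hours.\n"
    "Questions? See https://login.bank.example/help\n"
)

if __name__ == "__main__":
    for url, apparent, real in suspicious_links(SAMPLE_BODY):
        print(f"FLAG {url}\n  looks like: {apparent}\n  goes to:    {real}")
```

A filter that only compares `naive_host()` against an allow-list would wave the first link through; comparing both readings and flagging any disagreement is the check that catches the trick regardless of which legitimate brand is placed before the `@`.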
Tomi Engdahl says:
Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques
Proofpoint has analyzed a novel malware variant which utilizes significant anti-analysis and anti-reversing capabilities. The malware, called Nerbian remote access trojan (RAT), leverages COVID-19 and World Health Organization themes to spread.
Tomi Engdahl says:
SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering
https://www.securityweek.com/saas-app-vanity-urls-can-be-spoofed-phishing-social-engineering
Vanity URLs offered by SaaS applications can be spoofed by malicious actors for phishing and social engineering, according to data security and analytics company Varonis.
Varonis researchers have analyzed the vanity URLs for Zoom, Box and Google services, and found that they can all be — or could have been before fixes were implemented — abused for malicious purposes.
A vanity URL is a personalized URL that makes it easier to remember links to files, landing pages and other resources. For example, the app.example.com/s/1234 URL can be personalized to varonis.example.com/s/1234. A vanity URL could also seem more trustworthy to users.
However, Varonis researchers found that SaaS applications often only validate the URI — the “/s/1234” part in the above example — but fail to validate the vanity URL’s subdomain. An attacker can abuse this by changing the subdomain in a link generated by their own SaaS accounts.
https://www.varonis.com/blog/url-spoofing
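The weakness described above is a missing binding between the vanity subdomain and the tenant that minted the link. The block below is an added example (my own code, not Varonis's research tooling or any SaaS vendor's implementation) that models a `/s/<id>` share link on the fictional `example.com` from the comment: a weak resolver that validates only the path beside a hardened one that also requires the vanity subdomain to match the resource's owner. The tenant names, resource IDs and ownership table are constructed.

```python
"""
Vanity-URL validation: the weak check (path only) beside the hardened check
(path plus subdomain-to-owner binding).  Added example, not code from the page
or from any vendor.  Tenants, resource IDs and the ownership table are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

BASE_DOMAIN = "example.com"
APP_HOST = "app." + BASE_DOMAIN          # the generic, non-vanity host

# Constructed: which tenant (vanity subdomain) created which shared resource.
RESOURCE_OWNER = {
    "1234": "varonis",    # minted under varonis.example.com
    "9876": "attacker",   # minted under attacker.example.com
}


def resource_id_from_path(path: str) -> Optional[str]:
    """Accept only '/s/<id>' where <id> is a known resource."""
    segs = path.strip("/").split("/")
    if len(segs) != 2 or segs[0] != "s":
        return None
    return segs[1] if segs[1] in RESOURCE_OWNER else None


def resolve_weak(url: str) -> Optional[str]:
    """The behaviour the article describes: only the URI part is validated, so a
    link minted under the attacker's tenant still resolves after the subdomain
    is rewritten to a trusted-looking one."""
    return resource_id_from_path(urlsplit(url).path)


def tenant_from_host(host: str) -> Optional[str]:
    """Return the vanity subdomain label, or None for anything that is not a
    single label directly under BASE_DOMAIN (foreign domains, nested labels)."""
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if not label or "." in label:
        return None
    return label


def resolve_hardened(url: str) -> Optional[str]:
    """Validate the path AND bind the vanity subdomain to the resource owner."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    rid = resource_id_from_path(parts.path)
    if rid is None:
        return None
    host = parts.hostname.lower()
    if host == APP_HOST:
        return rid                                   # generic link, no vanity claim
    tenant = tenant_from_host(host)
    if tenant is None or RESOURCE_OWNER[rid] != tenant:
        return None                                  # spoofed or foreign subdomain
    return rid


if __name__ == "__main__":
    spoofed = "https://varonis.example.com/s/9876"   # attacker's resource, trusted subdomain
    print("weak:    ", resolve_weak(spoofed))        # resolves: the spoof works
    print("hardened:", resolve_hardened(spoofed))    # None: rejected
```

The hardened resolver still serves the generic `app.example.com` form and the owner's own vanity form; what it refuses is any link whose subdomain claims a tenant other than the one that created the resource, which is exactly the substitution the researchers describe.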
Tomi Engdahl says:
Chrome 101 Update Patches High-Severity Vulnerabilities
https://www.securityweek.com/chrome-101-update-patches-high-severity-vulnerabilities
Google this week announced the release of a Chrome browser update that resolves a total of 13 vulnerabilities, including nine that were reported by external researchers.
Of the externally reported security holes, seven are use-after-free bugs – these types of vulnerabilities could lead to arbitrary code execution.
Based on severity ratings and the currently listed bug bounties, the most important of these flaws is CVE-2022-1633, a high-severity use-after-free in Sharesheet that was reported by Khalil Zhani, who was awarded a $5,000 reward for the find.
The same researcher reported CVE-2022-1634, a high-severity use-after-free in Browser UI, for which he was awarded $3,000.
CVE-2022-1635, a high-severity use-after-free in Permission Prompts, which was reported by an anonymous researcher, also qualified for a $3,000 bug bounty payout.
As per Google’s policies, however, CVE-2022-1636, a high-severity use-after-free in Performance APIs, reported by Microsoft’s Seth Brenith, is not eligible for a reward.
Google notes in its advisory that it has yet to determine the bug bounties to be handed out for four other high-severity vulnerabilities resolved with this Chrome update.
These include CVE-2022-1637 (inappropriate implementation in Web Contents), CVE-2022-1638 (Heap buffer overflow in V8 Internationalization), CVE-2022-1639 (use-after-free in ANGLE), and CVE-2022-1640 (use-after-free in Sharing).
The ninth vulnerability resolved with this browser update and the seventh use-after-free in the batch is rated “medium severity.” Tracked as CVE-2022-1641, the bug was awarded a $5,000 bounty reward, Google says.
Tomi Engdahl says:
https://www.securityweek.com/healthcare-technology-provider-omnicell-discloses-ransomware-attack
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-43-vulnerabilities
The 15 new advisories released by Siemens and Schneider Electric this Patch Tuesday address a total of 43 vulnerabilities, including ones that have been assigned a “critical” severity rating.
Siemens has released 12 advisories covering 35 vulnerabilities. Based on CVSS scores, the most important advisory covers 11 flaws affecting the web server of SICAM P850 and P855 devices.
One of these bugs is critical and it allows an unauthenticated attacker to execute arbitrary code or launch a denial-of-service (DoS) attack. The five high-severity vulnerabilities covered by the advisory can lead to DoS attacks, code execution, traffic capturing and interfering with device functionality, cross-site scripting (XSS) attacks, or access to a device’s management interface.
Critical and high-severity vulnerabilities have also been found in Desigo PXC3, PXC4, PXC5 and DXR2 devices. These flaws can be exploited for arbitrary code execution, and password spraying or credential stuffing attacks.
High-severity code execution issues have been identified in Simcenter Femap, JT2Go and Teamcenter Visualization, and various Siemens industrial products that use the cURL library.
Tomi Engdahl says:
Russia did not break Ukraine's backbone or its internet connection – in the networks of Finland, which is preparing for NATO membership, it is "the calm before the storm"
https://yle.fi/uutiset/3-12439958
Finland has prepared for interference. If sabotage or a storm cuts the power to a Finnish base station, its batteries keep it running for at least three hours. In many European countries there are no batteries at all.
Tomi Engdahl says:
National Cyber Security Centre: Finland's situation still normal
https://etn.fi/index.php/13-news/13561-kyberturvakeskus-suomen-tilanne-vielae-normaali
Finland's upcoming NATO application is expected to raise a large wave of cyber attacks from Russia. At the moment, however, the situation is normal. Communication networks are operating normally, the National Cyber Security Centre emphasized in its morning situation report.
The number of cyber incidents has been growing steadily here too since 2019. In 2020 and 2021 the number of incidents was already growing rapidly, that is, long before Russia's attack on Ukraine. Annually we see about 20 thousand cyber incidents that end up being analyzed by experts.
The total volume is of course on a completely different scale. At the current level nearly 300 thousand cases per year come in for automated processing. Most of them are minor. Serious cases are very few. There are many more serious cases that are successfully prevented in advance.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/13562-emotet-jatkaa-haittojen-kaerjessae
Tomi Engdahl says:
Intel Patches High-Severity Vulnerabilities in BIOS, Boot Guard
https://www.securityweek.com/intel-patches-high-severity-vulnerabilities-bios-boot-guard
Intel on Tuesday announced the release of patches for multiple vulnerabilities across its product portfolio, including a series of high-severity vulnerabilities in the BIOS firmware of several processor models.
A total of nine documented high-severity issues impact multiple Intel Xeon, Pentium Silver, Rocket Lake Xeon, Core, and Core X series processors, the tech giant notes in an advisory.
The most severe of these are four bugs that could lead to elevation of privilege via local access. Tracked as CVE-2021-0154, CVE-2021-0153, CVE-2021-33123, and CVE-2021-0190, the issues have a CVSS score of 8.2.
The remaining five high-severity flaws detailed in the advisory could lead to escalation of privilege via local access as well, but have slightly lower CVSS scores. Intel’s advisory also documents two medium-severity issues.
Intel also announced the release of patches for a high-severity bug in Boot Guard and Trusted Execution Technology (TXT). Tracked as CVE-2022-0004 (CVSS score of 7.3), the bug could be exploited to elevate privileges on a vulnerable system.
“Hardware debug modes and processor INIT setting that allow override of locks for some Intel Processors in Intel Boot Guard and Intel TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access,” the company notes in an advisory.
Tomi Engdahl says:
Hundreds of Thousands of Konica Printers Vulnerable to Hacking via Physical Access
https://www.securityweek.com/konica-minolta-printers-vulnerable-hacking-physical-access
Researchers at Atos-owned cybersecurity consulting firm SEC Consult analyzed Konica Minolta printers to determine what could be achieved by an attacker who has physical access to a device. The answer: a lot!
The analysis was conducted in late 2019 and it targeted Konica Minolta bizhub C3300i and C3350i multi-function printers (MFPs).
SEC Consult said the vendor was responsive and produced firmware and operating system patches in early 2020, but details are only being disclosed now because the COVID-19 pandemic prevented the delivery of the fixes to devices. While a remote firmware update mechanism is being rolled out, the patches in many cases need to be manually installed by a service technician.
SEC Consult found that an attacker who has physical access to the targeted device’s touchscreen terminal could escape the sandbox and gain root access to the underlying operating system.
The analysis resulted in the discovery of three vulnerabilities. One of them, tracked as CVE-2022-29586, allows an attacker who can connect an external USB keyboard to the printer to escape the regular user interface displayed in the terminal. The researchers found that some sections of the interface were actually a Chromium browser running in “kiosk mode,” which could be escaped by pressing the F12 key, which opens up the developer console.
Since this Chromium instance was running with root privileges — this issue has been assigned CVE-2022-29587 — an attacker could gain elevated permissions and abuse the developer console to read and write arbitrary files to the system. The files that could be accessed included files that stored administrator passwords in clear text (CVE-2022-29588).
Someone call the patch manager
12.05.2022
How COVID-19 left hundreds of thousands of printers vulnerable
https://sec-consult.com/blog/detail/someone-call-the-patch-manager/
The SEC Consult Vulnerability Lab identified a sandbox breakout vulnerability in multiple Konica Minolta bizhub MFP printers end of 2019, that could be exploited via physical access to a printer’s touchscreen terminal. An attacker is able to get full read and write access to the printer’s operating system and stored data as root. This can be used to manipulate and compromise the printer and its users in many ways. Konica Minolta reacted in an exemplary manner and fixed the vulnerabilities immediately at the beginning of 2020. They also kept the updates coming continuously during our responsible disclosure. Due to the large number of affected devices (hundreds of thousands of devices according to the vendor) and the need to apply the firmware update manually by service technicians, the process took quite some time, especially during the COVID-19 pandemic with multiple lockdowns hindering the technicians to go on-site.
This blog post describes the vulnerabilities and patches, a practical example of the attack as well as a word about the responsible disclosure timeline. Furthermore, a technical security advisory has been published as well containing the affected models and fixed firmware versions.
Sandbox Escape with Root Access & Clear-text passwords in Konica Minolta bizhub MFP Printer Terminals
https://sec-consult.com/vulnerability-lab/advisory/sandbox-escape-with-root-access-clear-text-passwords-in-konica-minolta-bizhub-mfp-printer-terminals/
Multiple Konica Minolta MFP bizhub devices, as well as devices from other manufacturers with the same firmware, are vulnerable to a sandbox breakout via the internal browser that displays the help menus. The browser itself is started with root privileges, which allows access to the complete file system. A file in the file system contained the administrator password for the printer’s web interface in plain text.
Vendor description
“Konica Minolta is a Japanese multinational technology company headquartered in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The company manufactures business and industrial imaging products, including copiers, laser printers, multi-functional peripherals (MFPs) and digital print systems for the production printing market. Konica Minolta’s Managed Print Service (MPS) is called Optimised Print Services. The company also makes optical devices, including lenses and LCD film; medical and graphic imaging products, such as X-ray image processing systems, colour proofing systems, and X-ray film; photometers, 3-D digitizers, and other sensing products; and textile printers.”
Business recommendation
Konica Minolta provided a patch of the firmware and operating system very quickly at the start of the year 2020. For most of the devices this firmware update must be manually applied by service technicians as a remote service platform for remote firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns delayed this patching process of over hundreds of thousands of devices drastically.
In case you didn’t receive an update yet, approach your Konica Minolta contact.
Tomi Engdahl says:
Hackers are actively exploiting a flaw found in ALL versions of Windows and you need to take action now…
https://www.forbes.com/sites/gordonkelly/2022/05/11/microsoft-windows-10-windows-11-zero-day-hack-critical-threat-level-update-windows-now/?sh=733ab98e54cb
Microsoft has announced that all major versions of Windows are vulnerable to a new zero-day attack. The company confirms there has been “exploitation detected” and you need to take action now.
Microsoft disclosed the new threat as part of its May 2022 ‘Patch Tuesday’ update, which contains fixes for 75 flaws across its products and platforms, including three zero-day vulnerabilities (1,2,3). Of the three, the big news is CVE-2022-26925, which has been actively exploited and impacts Windows 7, Windows 8.1, Windows 10, Windows 11 and all Windows Server versions.
As it stands, Microsoft is limiting information about this zero-day and has only described it in general terms as well as confirming it has been exploited in the wild: “Publicly Disclosed: Yes. Exploited: Yes. Latest Software Release: Exploitation Detected.”
The big takeaway of CVE-2022-26925 is it has the potential to allow hackers to gain elevated privileges right up to the identity of a domain controller. This is the holy grail for hackers because it gives them the rights to perform any action on your PC. In isolation, Microsoft has assigned the flaw as carrying a CVSS severity rating of 8.1/10, but this can rise to 9.8/10 when used in conjunction to attack other computers and servers on a network.
Tomi Engdahl says:
This is how you can prepare for the cyber threats that possible NATO membership may bring – we list six ways
https://yle.fi/uutiset/3-12440524
An ordinary person should prepare for possible cyber attacks by keeping an adequate home emergency supply. Yle collected tips from experts on preparing for possible threats.
Tomi Engdahl says:
Police have suspended the investigation of the Savonia University of Applied Sciences data breach – personal data of about 700 students was taken in February
https://yle.fi/uutiset/3-12442864
Despite the large amount of personal data taken, the perpetrator of the breach has not been identified and probably will not be.
Tomi Engdahl says:
Microsoft: May Windows updates cause AD authentication failures https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/
Microsoft is investigating a known issue causing authentication failures for some Windows services after installing updates released during the May 2022 Patch Tuesday. This comes after Windows admins started sharing reports of some policies failing after installing this month’s security updates with “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect.” errors. The issue impacts client and server Windows platforms and systems running all Windows versions, including the latest available releases (Windows 11 and Windows Server 2022).
Tomi Engdahl says:
F5 BIG-IP vulnerability is now being used to disable servers https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/f5-big-ip-vulnerability-is-now-being-used-to-disable-servers/
As we reported a few days ago, a F5 BIG-IP vulnerability listed as CVE-2022-1388 is actively being exploited. But now researchers have noticed that attackers aren’t just taking control of the vulnerable servers but also making them unusable by destroying the device’s file system. While destroying the file system of the device may seem worse than data exfiltration or planting a backdoor at first glance, some researchers are saying it may be a blessing in disguise. The group is making the vulnerable devices unavailable for threat actors that are trying to utilize the more monetizable attack vectors.
Tomi Engdahl says:
Zyxel silently fixes critical RCE vulnerability in firewall products https://www.bleepingcomputer.com/news/security/zyxel-silently-fixes-critical-rce-vulnerability-in-firewall-products/
Threat analysts who discovered a vulnerability affecting multiple Zyxel products report that the network equipment company fixed it via a silent update pushed out two weeks ago. More specifically, security researchers at Rapid7 found the flaw, which is now tracked as CVE-2022-30525 (CVSS v3 score: 9.8 critical), and disclosed it to Zyxel on April 13, 2022. As the technical details of the vulnerability have been released and it is now supported by Metasploit, all admins should update their devices immediately before threat actors begin to actively exploit the flaw. also:
https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
Tomi Engdahl says:
Backdoor in public repository used new form of attack to target big firms https://arstechnica.com/information-technology/2022/05/backdoor-in-public-repository-used-new-form-of-attack-to-target-big-firms/
A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.
Tomi Engdahl says:
Ransomware the final nail in coffin for small university https://www.theregister.com/2022/05/12/ransomware_dangerous_enough_to_close/
Lincoln College shuttering after 157 years, ransomware attack from Iran final straw. The ransomware assault that hit in December 2021 originated in Iran, college president David Gerlach told the Chicago Tribune. According to Lincoln’s closure letter, the attack hindered access to all institutional data, interrupted admissions and took retention, fundraising and recruitment systems offline.
Tomi Engdahl says:
Malware Builder Leverages Discord Webhooks https://threatpost.com/malware-discord-webhooks/179605/
On April 23rd, 2022, a Discord user with the handle “Portu” began advertising a new password-stealing malware builder. Four days later, threat analysts from Uptycs discovered the first Portu-inspired malware sample in the wild, which researchers dubbed “KurayStealer.” According to researchers, the malware has been used to target Discord users.
Tomi Engdahl says:
Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit https://portswigger.net/daily-swig/researcher-stops-revil-ransomware-in-its-tracks-with-dll-hijacking-exploit
The REvil ransomware has a vulnerability that can be exploited to deactivate the malware before it encrypts files on an infected computer, a security researcher has found.
Tomi Engdahl says:
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC Part I https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
Fortinet’s FortiGuard Labs captured a phishing campaign that was delivering three fileless malware onto a victim’s device. Once executed, they are able to steal sensitive information from that device. In this analysis, I’ll reveal how the phishing campaign manages to transfer the fileless malware to the victim’s device, what mechanism it uses to load, deploy, and execute the fileless malware in the target process, and how it maintains persistence on the victim’s device.
Tomi Engdahl says:
DEA Investigating Breach of Law Enforcement Data Portal https://krebsonsecurity.com/2022/05/dea-investigating-breach-of-law-enforcement-data-portal/
The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level. However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.
Tomi Engdahl says:
I/O 2022: Android 13 security and privacy (and more!) https://security.googleblog.com/2022/05/io-2022-android-13-security-and-privacy.html
Every year at I/O we share the latest on privacy and security features on Android. But we know some users like to go a level deeper in understanding how we’re making the latest release safer, and more private, while continuing to offer a seamless experience. So let’s dig into the tools we’re building to better secure your data, enhance your privacy and increase trust in the apps and experiences on your devices.
Tomi Engdahl says:
Costa Rica Declares Emergency in Ongoing Cyberattack
https://www.securityweek.com/costa-rica-declares-emergency-ongoing-cyberattack
After a month of crippling ransomware attacks, Costa Rica has declared a state of emergency. In theory, the measure usually reserved to deal with natural disasters or the COVID-19 pandemic would free up the government to react more nimbly to the crisis.
President Rodrigo Chaves, who was sworn in Sunday, made the emergency declaration one of his first acts. It was published Wednesday, but Chaves has not named the members of the National Emergency Commission.
The declaration refers to the attack Costa Rica is suffering at the hands of “cybercriminals” and “cyberterrorists.”
The Russian-speaking Conti gang had claimed responsibility for the attack. Last week the U.S. State Department offered a $10 million reward for information leading to the identification or location of Conti leaders.
Tomi Engdahl says:
https://www.securityweek.com/balkanid-raises-6m-intelligent-iga-technology
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
The DEA is investigating reports that hackers gained access to its Law Enforcement Inquiry and Alerts system that taps into 16 federal law enforcement databases
DEA Investigating Breach of Law Enforcement Data Portal
https://krebsonsecurity.com/2022/05/dea-investigating-breach-of-law-enforcement-data-portal/
The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.
On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.
KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, issuing only a brief statement in response.
“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.
ANALYSIS
The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.
However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.
It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal is not the only offender here. The DEA portal esp.usdoj.gov is listed on Page 87 of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.
If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.
I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication.
I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.
But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.
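The point the Krebs analysis above makes is that offering a PIV card as one login option buys nothing if the same portal also accepts a bare username and password: the attacker simply takes the weaker path. The following is an added illustration of that argument, not code from KrebsOnSecurity or from any DOJ system. It contrasts the weak policy (password or PIV, either sufficient) with a hardened one (PIV, or password plus a second factor), and runs an audit over a few constructed login records to list who got in with a password alone. The audit-line format, the factor labels ("piv", "totp", "webauthn") and all user names are assumptions made up for the example.

```python
"""Password-only fallback beside PIV: weak vs. hardened login policy, plus an audit.

Added example; the log format, factor labels and accounts are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Factors that prove possession of something beyond a remembered secret.
# These labels are assumed for the example, not taken from any real portal.
STRONG_FACTORS = {"piv", "totp", "webauthn"}

# Constructed audit lines in a made-up format; not real portal logs.
SAMPLE_LOG = """\
2022-05-08T01:12:03Z user=alice factors=password result=success
2022-05-08T01:13:44Z user=bob factors=piv result=success
2022-05-08T01:15:10Z user=carol factors=password,totp result=success
2022-05-08T01:16:52Z user=dave factors=password result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) factors=(?P<factors>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    factors: frozenset  # factors the user actually presented
    success: bool


def parse_event(line: str) -> LoginEvent:
    """Parse one constructed audit line into a LoginEvent."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    return LoginEvent(
        ts=m["ts"],
        user=m["user"],
        factors=frozenset(m["factors"].split(",")),
        success=(m["result"] == "success"),
    )


def parse_log(text: str) -> List[LoginEvent]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def weak_policy(factors: Iterable[str]) -> bool:
    """The setting the article describes: PIV is offered, but a bare password is
    also accepted, so stolen credentials alone are enough to get in."""
    factors = set(factors)
    return "piv" in factors or "password" in factors


def hardened_policy(factors: Iterable[str]) -> bool:
    """Require proof of possession: PIV on its own, or password plus a strong factor.
    A password by itself is never sufficient."""
    factors = set(factors)
    if "piv" in factors:
        return True
    return "password" in factors and bool(factors & STRONG_FACTORS)


def password_only_successes(events: Iterable[LoginEvent]) -> List[str]:
    """Audit: users who logged in successfully with nothing but a password.
    Under the hardened policy this list is empty; under the weak one it is
    exactly the exposure to credential theft."""
    return [e.user for e in events if e.success and e.factors == frozenset({"password"})]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(f"{e.user:6} {sorted(e.factors)!s:22} weak={weak_policy(e.factors)} "
              f"hardened={hardened_policy(e.factors)}")
    print("password-only successes:", password_only_successes(events))
```

The audit helper is the part worth keeping around: run it over real authentication logs (after adapting the parser to their format) and any non-empty result is an account that a stolen password alone can unlock, regardless of what stronger options the login page advertises.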
Tomi Engdahl says:
Destructive attacks via critical F5 BIG-IP vulnerability
https://borncity.com/win/2022/05/13/zerstrerische-angriffe-ber-kritische-f5-big-ip-schwachstelle/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
Tomi Engdahl says:
https://www.techrepublic.com/article/kaspersky-fileless-malware-windows-event-logs/
Tomi Engdahl says:
https://www.forbes.com/sites/gordonkelly/2022/05/11/microsoft-windows-10-windows-11-zero-day-hack-critical-threat-level-update-windows-now/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tuesday-fixes-3-zero-days-75-flaws/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-new-ntlm-relay-zero-day-in-all-windows-versions/
Tomi Engdahl says:
https://www.foxla.com/news/key-fob-hacking-how-thieves-can-hack-into-your-car-and-tips-to-stop-it
Tomi Engdahl says:
https://www.xda-developers.com/a-couple-versions-of-windows-are-no-longer-supported-after-today/
Tomi Engdahl says:
https://www.techradar.com/news/this-dangerous-new-malware-is-attacking-windows-devices-via-infected-usb-drives