Cybersecurity Updates For Week 7 of 2022

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

The individual vulnerabilities documented in this VMSA have severity Important/Moderate, but combining these issues may result in a higher severity; hence the VMSA as a whole is rated Critical.

Read more:
https://www.vmware.com/security/advisories/VMSA-2022-0004.html

Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites

Patches have been issued to contain a “severe” security vulnerability in UpdraftPlus, a WordPress plugin with over three million installations.

Read more:
https://thehackernews.com/2022/02/critical-flaw-uncovered-in-wordpress.html

New Linux Privilege Escalation Flaw Uncovered in Snap Package Manager

Multiple security vulnerabilities have been disclosed in Canonical’s Snap software packaging and deployment system, the most critical of which can be exploited to escalate privileges to root.

Read More:
https://thehackernews.com/2022/02/new-linux-privilege-escalation-flaw.html

Other news worth mentioning:

Over 620 Million Ransomware Attacks Detected in 2021
Snyk Acquires Fugue, Enters Cloud Security Market
Traefik up to 2.6.0 TLS Configuration Host Certificate Validation
Microsoft Teams Targeted With Takeover Trojans

Cybersecurity Updates For Week 6 of 2022

Argo CD High Severity Vulnerability – CVE-2022-24348

Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
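The defensive counterpart to the directory traversal described above is a path check that refuses any user-supplied path resolving outside the checked-out repository root. The following Go helper is an added example written for this digest, not Argo CD's own code; the function name SafeJoin, the sample root /repo/chart and the sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// SafeJoin resolves a path taken from user-controlled input (for instance a
// values file named in a Helm chart or Application spec) against the checked-out
// repository root and refuses any result that lands outside that root.
// Hypothetical helper written for this digest; it is not Argo CD's own code.
func SafeJoin(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../b" collapses before the check below,
	// and a leading "/" in userPath is treated as relative to the root.
	joined := filepath.Join(absRoot, userPath)

	// Compute the relative path from the root to the candidate: if it is ".."
	// or starts with "../", the candidate escaped the root.
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes repository root %q", userPath, absRoot)
	}
	return joined, nil
}

// Caveat: this check is purely lexical. A symlink inside the checkout can still
// point outside the root; resolve it (filepath.EvalSymlinks) and re-check once
// the files actually exist on disk.

func main() {
	root := "/repo/chart" // constructed sample root; no filesystem access needed
	for _, p := range []string{
		"values.yaml",
		"env/../values-prod.yaml",
		"../../secrets/creds.yaml",
		"..",
	} {
		if out, err := SafeJoin(root, p); err != nil {
			fmt.Printf("REJECT %-28s %v\n", p, err)
		} else {
			fmt.Printf("ACCEPT %-28s -> %s\n", p, out)
		}
	}
}
```

Running it accepts the two in-tree paths and rejects the two that climb above the chart directory. The relative-path test is preferred over a plain string prefix comparison because a prefix check would wrongly accept a sibling directory such as /repo/chart-b when the root is /repo/chart.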

Read more:
https://www.armosec.io/blog/cve-2022-24348-argo-kubernetes/

Windows DNS Server Remote Code Execution Vulnerability – CVE-2022-21984

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network.

Read more:
https://dirteam.com/sander/2022/02/08/windows-server-2022-suffers-a-windows-dns-server-remote-code-execution-vulnerability-cve-2022-21984/

SAP: Critical Vulnerabilities in Business Applications

SAP released three patches for all impacted systems, and Onapsis provided a free open-source vulnerability scanner to help affected SAP customers address these issues immediately.

Read More:
https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/

Other news worth mentioning:

PrivateLoader: The first step in many malware schemes
Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency
Decryptor Keys Published for Maze, Egregor, Sekhmet Ransomwares
France Rules That Using Google Analytics Violates GDPR Data Protection Law

Cybersecurity Updates For Week 5 of 2022

Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution – CVE-2021-44142

All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.

Read more:
https://www.samba.org/samba/security/CVE-2021-44142.html

Libexpat CVE-2022-23852 & CVE-2022-23990

Two vulnerabilities have been found in Libexpat, a widely used XML parser embedded in devices such as load balancers.
So make sure to double check whether your vendor is affected and has released an update.

Read more:
https://github.com/libexpat/libexpat/blob/master/expat/Changes

Cisco Small Business RV Series Routers Vulnerabilities

Multiple vulnerabilities affect Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers; make sure to read the security advisory from Cisco and update as soon as possible.

Read More:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D

Other news worth mentioning:

Google Patches 27 Vulnerabilities With Release of Chrome 98
Microsoft OneDrive for macOS Local Privilege Escalation
Critical Flaw Impacts WordPress Plugin With 1 Million Installations
Linux kernel patches “performance can be harmful” bug in video driver

Cybersecurity Updates For Week 4 of 2022

Apple Fixes Zero-Day Vulnerabilities

With the latest versions of iOS / iPadOS (15.3) and macOS (11.6.3, 12.2), released on January 26, 2022, Apple patched several vulnerabilities in the OS presumed to have been exploited in the wild to compromise iPhone and Mac devices.

Apple has been working hard to keep its OS secure by fixing these vulnerabilities as soon as they are discovered and making sure that its products are not exploitable by hackers. So please make sure to update all of your devices.

Read more:
macOS: https://support.apple.com/en-us/HT213056
iOS / iPadOS: https://support.apple.com/en-us/HT213056

New local privilege escalation found in PwnKit – CVE-2021-4034

Qualys has discovered a vulnerability in Polkit (once known as PolicyKit), the component that handles privilege requests. The vulnerability has been named PwnKit (CVE-2021-4034).

Even though this is a local privilege escalation, meaning that someone would need access to your machine in order to exploit it, we still recommend updating as soon as possible. If this vulnerability is left unpatched, any other security breach gives the attackers root access by default through abuse of PwnKit.

Read more:
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

New Linux Kernel exploit – CVE-2022-0185

The vulnerability affects all Linux kernels and containers.

The Linux kernel is the heart of the operating system. It is responsible for managing resources and controlling access to hardware, such as the CPU and memory. Containers are a way to create an isolated environment that runs on top of the Linux kernel. This vulnerability in the Linux kernel can be exploited by attackers to escape from containers and get full control over the node.

It is therefore advisable to update your Linux kernel as soon as possible.

Read More:
https://sysdig.com/blog/cve-2022-0185-container-escape/

Other news worth mentioning:

105 Million Android Users Targeted by Subscription Fraud Campaign
Attackers Connect Rogue Devices to Organizations’ Networks with Stolen Office 365 Credentials
Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub
GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild

Local privilege escalation vulnerability in Linux

Published: 2021-06-11
CVE-2021-3560

“A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” The error is not handled correctly and the request is granted access.

As this vulnerability is very easy to exploit, patching should be done as soon as possible.

Internally this is being tracked in BF-VLN-2292713 with the highest priority.

Who is reeling in the phish?

…or what happens if a link in a phishing e-mail is clicked?

It is a hard question to answer because attackers usually implement filtering methods. For example:

  • If you have an Apple device you get directed to one place
  • If two hours go by before you click the link, it is sent to a different place
  • Or if the same link is clicked again from a different source, the request is sent to a legitimate site.

An example…

A few years back the payment of my Spotify account failed a few times due to switching credit cards. In a stressed situation I checked my e-mail on the phone whilst waiting for a takeaway coffee. Another (third one!) failed payment notification from Spotify had arrived. Stressed and frustrated I never thought twice about clicking the link and providing my new credit card number.

Not until a database error page was returned rather than a payment success ditto did I understand what (might) have happened.

I blocked my new credit card three days after it was activated, annoying – yes, but the alternative was not really an option.

A few scenarios…

The example above is perhaps the most likely one, where you are redirected to a location somewhere (for example a forged site) where an adversary would try to get hold of credit card details.

If it's bad, they would mimic Office 365 for example (company branding and all) to try and get hold of valid account credentials. Most often this is to access your e-mail, opening up the possibility to reset passwords in other places.

The worst-case scenario is if the attacker gets the recipient to download and click on files, for example because C++ libraries supposedly need updating to get site functionality to run properly, or a similar plausible-sounding reason to bait clicks.

Microsoft has recently published warnings about the latter scenario and provides more technical details on how it happens:
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

So, what can be done?

The most important thing to remember is that you should never be afraid to let someone know that you might have clicked on something phishy.

Like calling the credit card company or… contacting your CyberSOC or SIRT staff!

That is the only way anyone can help.

The phish should have been stopped in the mail filters. Installation of malware should have been stopped by anti-malware systems. However, a complete IT environment is sometimes like the Swiss cheese model: different holes in different places, with different owners and responsibilities, and given the right situation and the right parameters, sometimes something will get through.

Eventually someone is going to click something!

Even IT security professionals…


Supply chain attacks and Zero-days

The year 2021 has seen several high-profile vulnerabilities being actively exploited in big and popular software, including Microsoft Exchange and SolarWinds Orion. Experience shows that in some cases it is too late to patch even after a few days. Many organizations work with the guideline of patching within 30 days if the vendor states the update is of an important nature; this is an attempt to verify that the patch does not cause any adverse effects. The need for a vigilant Vulnerability Management process that continuously triages published vulnerabilities is becoming clear.

Some of the issues published lately are supply chain attacks, where an attacker manipulates products or product delivery mechanisms prior to receipt by the final consumer, or exploits previously unknown vulnerabilities (so-called zero-days). Defending against these attacks is in some cases not possible, or at least demands such a high level of security that it often is difficult to stay productive and profitable. In some cases it seems like the best an organization can do is to not be the weakest link and the easiest target.

It is important to prepare for an attack and have a plan for incident response. Perform exercises.
Deploy a security framework in order to engage in continuous improvement of the security
posture.

0-days in Microsoft Exchange Servers

Published: 2021-03-02
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858 
CVE-2021-27065 

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

As these vulnerabilities are currently being exploited in targeted attacks, patching should be done as soon as possible.
Along with attack details and information about these vulnerabilities, Microsoft also published how to scan Exchange log files for indicators of compromise, which is also recommended.

Update 2020-03-07: There are currently many published exploits for these vulnerabilities. Patching is not enough; one must also investigate for potential breaches.

Internally this is being tracked in BF-VLN-2229454.

Centreon IT monitoring software and Russian Sandworm hackers

Basefarm has become aware of published news reporting that a Russia-attributed advanced persistent threat actor, given the name Sandworm, has exploited Centreon IT monitoring software. Basefarm is aware that some news reports mention Orange on the customer list of Centreon, and while Basefarm is owned by Orange Business Services, we would like to make it very clear that Basefarm does not use Centreon software.

From an article: “The French national cyber-security agency has linked a series of attacks that resulted in the breach of multiple French IT providers over a span of four years to the Russian-backed Sandworm hacking group.” and “… it is not yet clear if the attackers exploited a vulnerability in the exposed Centreon software or the victims were compromised through a supply chain attack.”.

If Basefarm is made aware of any Centreon installations hosted within its managed hosting, Basefarm will work together with that customer.

Microsoft Windows Multiple Security Updates Affecting TCP/IP | CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

Published: 2021-02-09
MITRE CVE-2021-24074
MITRE CVE-2021-24094
MITRE CVE-2021-24086

“Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”

The CVSS Base Scores are 9.8, 9.8 and 7.5 respectively.

All have potential workarounds that should have a minimal operational impact.

Currently there is no exploit in the wild. If an exploit is published, these vulnerabilities will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2216447 with the highest priority and are currently evaluating these vulnerabilities, how best to handle them, and how to ensure operational stability for all our customers.

For further general details we point to the Microsoft Security Response Center blog post about the topic.