Microsoft has reminded customers today that Windows Server, version 20H2, will be reaching the end of service (EOS) on August 9, 2022. In a support document published today, Microsoft says that Windows Server 20H2 will reach the mainstream support end date for Datacenter Core and Standard Core users.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-20h2-reaches-end-of-service-in-august/

NVIDIA has released a security update for a wide range of graphics card models, addressing four high-severity and six medium-severity vulnerabilities in its GPU drivers. The security update fixes vulnerabilities that can lead to denial of service, information disclosure, elevation of privileges, code execution, etc. Interestingly, apart from the current and recent product lines that are actively supported, NVIDIA’s latest release also covers GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021. The GPU maker previously promised to continue providing critical security updates for these products until September 2024, and this driver update honors that promise.

Reference: https://www.bleepingcomputer.com/news/security/nvidia-fixes-ten-vulnerabilities-in-windows-gpu-display-drivers/

Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watch devices. The flaw is an out-of-bounds write issue (CVE-2022-22675) in the AppleAVD (a kernel extension for audio and video decoding) that allows apps to execute arbitrary code with kernel privileges. The bug was reported by anonymous researchers and fixed by Apple in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with improved bounds checking. The list of impacted devices includes Apple Watch Series 3 or late, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD.

Reference: https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-day-used-to-hack-macs-watches/

A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. The newly discovered Swift-based dropper masquerades as Mach-O binaries named “PDFCreator” and “ActiveDirectory” that, upon execution, establish a connection to a remote server and retrieve a bash script to be executed.

Reference: https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html

Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw in select versions of the Zyxel firewall that could enable an unauthenticated adversary to execute arbitrary commands on the underlying operating system.

Reference: https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html

SonicWall “strongly urges” customers to patch several high-risk security flaws impacting its Secure Mobile Access (SMA) 1000 Series line of products that can let attackers bypass authorization and, potentially, compromise unpatched appliances. While the first flaw (an unauthenticated access control bypass rated as high severity) is now tracked as CVE-2022-22282, the other two (a hard-coded cryptographic key and an open redirect, both rated as medium severity) are still waiting for a CVE ID to be issued. “There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible,” the company says in a security advisory published this week.

Reference: https://www.bleepingcomputer.com/news/security/sonicwall-strongly-urges-admins-to-patch-sslvpn-sma1000-bugs/

Sophos has released a fix for a known issue triggering blue screens of death (aka BSODs) on Windows 11 systems running Sophos Home antivirus software after installing the KB5013943 update. Sophos says the issue is caused by the hmpalert.sys (aka HitManPro.Alert Support) Windows driver used by Sophos Home. The fix for this known bug will apply automatically to all impacted systems, with users prompted to restart their devices as soon as the patch is applied.

Reference: https://www.bleepingcomputer.com/news/software/sophos-antivirus-driver-caused-bsods-after-windows-kb5013943-update/

The European Parliament announced a “provisional agreement” aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union. The revised directive, called “NIS2” (short for network and information systems), is expected to replace the existing legislation on cybersecurity that was established in July 2016. The revamp sets ground rules, requiring companies in energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations.

Reference: https://thehackernews.com/2022/05/europe-agrees-to-adopt-new-nis2.html

HTML files remain one of the most popular attachments used in phishing attacks for the first four months of 2022, showing that the technique remains effective against antispam engines and works well on the victims themselves. In phishing emails, HTML files are commonly used to redirect users to malicious sites, download files, or to even display phishing forms locally within the browser. As HTML is not malicious, attachments tend not to be detected by email security products, thus doing a good landing in recipients’ inboxes.

Reference: https://www.bleepingcomputer.com/news/security/html-attachments-remain-popular-among-phishing-actors-in-2022/

CVE’s of the Week

Cisco

CVE-2022-20796 – Score 4.9

CVE-2022-20794 – Score4.3

CVE-2022-20785 – Score 7.8

CVE-2022-20780 – Score 4.3

CVE-2022-20779 – Score 9.3

CVE-2022-20777 – Score 9.0

CVE-2022-20771 – Score 7.8

CVE-2022-20770 – Score 7.8

CVE-2022-20767 – Score 7.8

CVE-2022-20764 – Score 5.5

CVE-2022-20760 – Score 7.8

CVE-2022-20759 – Score 8.5

CVE-2022-20757 – Score 4.3

CVE-2022-20748 – Score 5.0

CVE-2022-20746 – Score 7.1

CVE-2022-20745 – Score 7.8

CVE-2022-20742 – Score 5.8

CVE-2022-20737 – Score 7.0

CVE-2022-20734 – Score 4.9

CVE-2022-20730  Score 5.0

CVE-2022-20729 – Score 4.6

CVE-2022-20715 – Score 7.8

Microsoft

CVE-2022-29131 – Score 9.0

CVE-2022-29130 – Score 9.3

CVE-2022-29129 – Score 9.0

CVE-2022-29128 – Score 9.0

CVE-2022-22014 –  Score 6.5

CVE-2022-22013 – Score 6.5

CVE-2022-22012 – Score 9.3

Fortinet

CVE-2022-23443 – Score 5.0

CVE-2021-43206 – Score 4.3

CVE-2021-41032 – Score 5.5

CVE-2021-41020 – Score 6.5

Today is Microsoft’s May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. Of the 75 vulnerabilities fixed in today’s update, eight are classified as ‘Critical’ as they allow remote code execution or elevation of privileges. The actively exploited zero-day vulnerability fixed today is for a new NTLM Relay Attack using an LSARPC flaw tracked as ‘CVE-2022-26925 – Windows LSA Spoofing Vulnerability.’

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tuesday-fixes-3-zero-days-75-flaws/

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution. A malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant’s Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.

Reference: https://thehackernews.com/2022/05/microsoft-mitigates-rce-vulnerability.html

A recently disclosed F5 BIG-IP vulnerability has been used in destructive attacks, attempting to erase a device’s file system and make the server unusable. Last week, F5 disclosed a vulnerability tracked as CVE-2022-1388 that allows remote attackers to execute commands on BIG-IP network devices as ‘root’ without authentication. Due to the critical nature of the bug, F5 urged admins to apply updates as soon as possible. A few days later, researchers began publicly publishing exploits on Twitter and GitHub, with threat actors soon using them in attacks across the Internet.

Reference: https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices/

Two high-severity security vulnerabilities, which went undetected for several years, have been discovered in a legitimate driver that’s part of Avast and AVG antivirus solutions. “These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded”.

Reference: https://thehackernews.com/2022/05/researchers-disclose-10-year-old.html

GitHub announced today that all users who contribute code on its platform (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts by the end of 2023. Active contributors who will have to enable 2FA include but are not limited to GitHub users who commit code, use Actions, open or merge pull requests, or publish packages. Developers can use one or more 2FA options, including physical security keys, virtual security keys built into devices like phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.

Reference: https://www.bleepingcomputer.com/news/security/github-to-require-2fa-from-active-developers-by-the-end-of-2023/

Today, GitHub has launched a new public beta to notably improve the two-factor authentication (2FA) experience for all npm user accounts. Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register “multiple second factors, such as security keys, biometric devices, and authentication applications.” It has also introduced a new 2FA configuration menu that allows users to manage registered keys and recovery codes.

Reference: https://www.bleepingcomputer.com/news/security/github-announces-enhanced-2fa-experience-for-npm-accounts/

Cisco has addressed several security flaws found in the Enterprise NFV Infrastructure Software (NFVIS), a solution that helps virtualize network services for easier management of virtual network functions (VNFs). Two of them, rated critical and high severity, can be exploited by attackers to run commands with root privileges or to escape the guest virtual machine (VM) and fully compromise NFVIS hosts. Cisco’s Product Security Incident Response Team (PSIRT) says there is no proof-of-concept exploit code and no ongoing exploitation in the wild.

Reference: https://www.bleepingcomputer.com/news/security/cisco-fixes-nfvis-bugs-that-help-gain-root-and-hijack-hosts/

QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company’s video surveillance solution hosted on a NAS device. The vulnerability is tracked as CVE-2022-27588 and has a critical severity score of 9.8. It impacts QVR versions older than 5.1.6 build 20220401.

Reference: https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-qvr-remote-command-execution-vulnerability/

Trend Micro antivirus has fixed a false positive affecting its Apex One endpoint security solution that caused Microsoft Edge updates to be tagged as malware and the Windows registry to be incorrectly modified. According to hundreds of customer reports that started streaming in earlier this week on the company’s forum and on social networks, the false positive affected update packages stored in the Microsoft Edge installation folder. As users further revealed, the Trend Micro Apex One flagged the browser updates as Virus/Malware: TROJ_FRS.VSNTE222 and Virus/Malware: TSC_GENCLEAN.

Reference: https://www.bleepingcomputer.com/news/security/trend-micro-antivirus-modified-windows-registry-by-mistake-how-to-fix/

The European Union (EU) wants to see greater standardization across European cybersecurity legislation and regulations, according to the bloc’s cybersecurity agency. The EU sees standards as vital to increasing security across the bloc, as well as ensuring that cybersecurity measures are consistent between member states. This, the European Commission argues, will make it easier for both security vendors and businesses in general to work across borders. EU-wide standards are envisaged for both product certification and legislation on computer misuse.

Reference: https://portswigger.net/daily-swig/eu-targets-standardization-as-key-to-bloc-wide-cyber-resilience

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

Reference: https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/

On April 26, 2022, a new Emotet campaign was spotted in the wild, where the usual Office delivery system was replaced with LNK files, in a clear response to the VBA protection launched by Microsoft. Researchers found 139 distinct LNK files that are part of the same campaign, delivering two distinct payloads that share the same C2 infrastructure.

Reference: https://otx.alienvault.com/pulse/627a83c015db5d4d97dc6779

In February 2022 has been observed a technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn’t limited to storing shellcodes. Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.

Reference: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

CVE’s of the Week

CISCO

CVE-2022-20744 – Score 4.0

CVE-2022-20743 – Score 9.0

CVE-2022-20740 – Score 4.3

CVE-2022-20629 – Score 3.5

CVE-2022-20628 – Score 3.5

CVE-2022-20627 – Score 3.5

CYSEC NEWS

Tracked as CVE-2021-41379 and discovered by security researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Windows Installer software component was originally resolved as part of Microsoft’s Patch Tuesday updates for November 2021 However, in what’s a case of an insufficient patch, Naceri found that it was not only possible to bypass the fix implemented by Microsoft but also achieve local privilege escalation via a newly discovered zero-day bug.

Reference: https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html

Web hosting giant GoDaddy on Monday disclosed a data breach that resulted in the unauthorized access of data belonging to a total of 1.2 million active and inactive customers, making it the third security incident to come to light since 2018.

Reference: https://thehackernews.com/2021/11/godaddy-data-breach-exposes-over-1.html

VMware has shipped updates to address two security vulnerabilities in vCenter Server and Cloud Foundation that could be abused by a remote attacker to gain access to sensitive information. The more severe of the issues concerns an arbitrary file read vulnerability in the vSphere Web Client. Tracked as CVE-2021-21980, the bug has been rated 7.5 out of a maximum of 10 on the CVSS scoring system, and impacts vCenter Server versions 6.5 and 6.7 “A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information,” the company noted in an advisory published on November 23, crediting ch0wn of Orz lab for reporting the flaw.

Reference: https://thehackernews.com/2021/11/vmware-warns-of-newly-discovered.html

At least 9.3 million Android devices have been infected by a new class of malware that disguises itself as dozens of arcade, shooter, and strategy games on Huawei’s AppGallery marketplace to steal device information and victims’ mobile phone numbers.

Reference: https://thehackernews.com/2021/11/over-9-million-android-phones-running.html

A now-patched vulnerability affecting Oracle VM VirtualBox could be potentially exploited by an adversary to compromise the hypervisor and cause a denial-of-service (DoS) condition.

Reference: https://thehackernews.com/2021/11/researchers-detail-privilege-escalation.html

Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st. “The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st,” Sansec Researchers explain.

Reference: https://www.bleepingcomputer.com/news/security/new-linux-malware-hides-in-cron-jobs-with-invalid-dates/

Threat actors have recently begun to compromise internal Microsoft Exchange servers using the ProxyShell and ProxyLogin vulnerabilities to perform phishing attacks. Once they gain access to a server, they use the internal Microsoft Exchange servers to perform reply-chain attacks against employees using stolen corporate emails.

Reference: https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/

Free unofficial patches have been released to protect Windows users from a local privilege escalation (LPE) zero-day vulnerability in the Mobile Device Management Service impacting Windows 10, version 1809 and later. The security flaw resides under the “Access work or school” settings, and it bypasses a patch released by Microsoft in February to address an information disclosure bug tracked as CVE-2021-24084.

Reference: https://www.bleepingcomputer.com/news/security/new-windows-10-zero-day-gives-admin-rights-gets-unofficial-patch/

Microsoft has confirmed a new issue impacting Windows Server devices preventing the Microsoft Defender for Endpoint security solution from launching on some systems. The enterprise endpoint security platform (previously known as Microsoft Defender Advanced Threat Protection or Defender ATP) might fail to start or run on devices with a Windows Server Core installation. The known issue only impacts devices where customers have installed KB5007206 or later updates on Windows Server 2019 and KB5007205 or later updates on Windows Server 2022.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-endpoint-fails-to-start-on-windows-server/

Microsoft describes Super Duper Secure Mode as “a browsing mode in Microsoft Edge where the security of your browser takes priority, providing you an extra layer of protection when browsing the web.” “We quietly released Super Duper Secure Mode to stable (96.0.1054.29),” said Johnathan Norman, Microsoft Edge Vulnerability Research Lead.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-adds-super-duper-secure-mode-to-stable-channel/

HAVE ANY QUESTIONS?
Do not hesitate to contact us!

Address: Mesogeion Ave. 41, 11524 Athens, Greece
Phone: (+30) 211 800 5 800
Email: info@devoq.gr
Website: www.devoq.gr

CYSEC NEWS

WordPress has taken the rare step of force-updating the UpdraftPlus plugin on all sites to fix a high-severity vulnerability allowing website subscribers to download the latest database backups, which often contain credentials and PII. The vulnerability affects UpdraftPlus versions 1.16.7 to 1.22.2, and the developers fixed it with the release of 1.22.3 or 2.22.3 for the (paid) Premium version.

Reference: https://www.bleepingcomputer.com/news/security/wordpress-force-installs-updraftplus-patch-on-3-million-sites/

Security researchers have created exploit code for CVE-2022-24086, the critical vulnerability affecting Adobe Commerce and Magento Open Source that Adobe patched in an out-of-band update last Sunday. The vulnerability, which Adobe saw being “exploited in the wild in very limited attacks,” received a severity score of 9.8 out of 10, and adversaries exploiting it can achieve remote code execution on affected systems without the need to authenticate. Earlier today, Adobe updated its security advisory for CVE-2022-24086 adding a new issue that is now tracked as CVE-2022-24087, which has the same severity score and can lead to the same result when leveraged in attacks.

Reference: https://www.bleepingcomputer.com/news/security/researchers-create-exploit-for-critical-magento-bug-adobe-updates-advisory/

Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats. While the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default. Admins can check if DANE is configured by going to the Mail Policies > Destination Controls > Add Destination web UI page and confirming whether the DANE Support option is toggled on. Cisco has also confirmed that CVE-2022-20653 does not impact Web Security Appliance (WSA) and Secure Email and Web Manager or devices without the DANE feature enabled. The company also provided a workaround requiring customers to configure bounce messages from Cisco ESA instead of from downstream dependent mail servers to block exploitation attempts.

Reference: https://www.bleepingcomputer.com/news/security/hackers-can-crash-cisco-secure-email-gateways-using-malicious-emails/

VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition.

Reference: https://thehackernews.com/2022/02/vmware-issues-security-patches-for-high.html

Microsoft announced the general availability of hotpatching for Windows Server Azure Edition core virtual machines allowing admins to install Windows security updates on supported VMs without requiring server restarts. The feature works with newly deployed Azure virtual machines running Windows Server 2022 Datacenter: Azure Edition Core Gen2 images and is available in all global Azure regions.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-hotpatching-for-windows-server-azure-vms/

Researchers at Avanan, a Check Point company that secures cloud email and collaboration platforms, found that hackers started to drop malicious executable files in conversations on Microsoft Teams communication platform. The attacks started in January and the company detected thousands of them. From the data available, most attacks were recorded at organizations in the Great Lakes region in the U.S., local media outlets in particular. In a report today, Avanan says that the threat actor inserts in a chat an executable file called “User Centric” to trick the user into running it. Once executed, the malware writes data into the system registry installs DLLs and establishes persistence on the Windows machine.

Reference: https://www.bleepingcomputer.com/news/security/hackers-slip-into-microsoft-teams-chats-to-distribute-malware/

Xenomorph, like Alien and ERMAC, is yet another example of an Android banking trojan that’s focused on circumventing Google Play Store’s security protections by masquerading as productivity apps such as “Fast Cleaner” to trick unaware victims into installing the malware.

Reference: https://thehackernews.com/2022/02/xenomorph-android-banking.html

An analysis of SMS phone-verified account (PVA) services has led to the discovery of a rogue platform built atop a botnet involving thousands of infected Android phones, once again underscoring the flaws with relying on SMS for account validation.

Reference: https://thehackernews.com/2022/02/hackers-exploit-bug-in-sms-verification.html

FortiGuard Labs has identified a campaign operated by Moses Staff, a geo-political motivated threat group believed to be sponsored by the Iranian government. After tracking this campaign for the last several months FortiGuard Labs found that the group has been using a custom multi-component toolset for the purpose of conducting espionage against its victims. This campaign exclusively targets Israeli organizations. Close examination reveals that the group has been active for over a year, much earlier than the group’s first official public exposure, managing to stay under the radar with an extremely low detection rate. FortiGuard Labs covers the Techniques, Tactics, and Procedures (TTPs) used by Moses Staff and reveal a new backdoor used by them to download files, execute payloads, and exfiltrate data from target networks, along with threat intelligence data on their activities.

Reference: https://otx.alienvault.com/pulse/620ce6762c243df4fb194d83

In the first month of 2022, the Apache Log4j2 vulnerability outbreak that began in December has also come to an end, and the number of related attack sources has decreased significantly. However, the number of cloud server attack source IPs of old vulnerabilities, such as Docker Remote API unauthorized access vulnerability and Fortinet FortiOS unauthorized arbitrary file reading vulnerability, suddenly increased significantly compared with December.

Reference: https://otx.alienvault.com/pulse/6213b203dd1fae0e1c1e389c

In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot payload, the malware established C2 connectivity and created persistence on the beachhead. Successful exploitation of the Zerologon vulnerability (CVE-2020-1472) allowed the threat actors to obtain domain admin privileges. This level of access was abused to deploy additional Cobalt Strike beacons and consequently pivot to other sensitive hosts within the network. The threat actor then exfiltrated sensitive documents from the environment before being evicted from the network.

Reference: https://otx.alienvault.com/pulse/6213b41428f6075711b0261d

As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. Emotet is high-volume malware that often changes and modifies its attack patterns. This latest modification of the Emotet attack follows suit. The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload.

Reference: https://otx.alienvault.com/pulse/620d05df6542c4412e8ff9f7

HAVE ANY QUESTIONS?
Do not hesitate to contact us!

Address: Mesogeion Ave. 41, 11524 Athens, Greece
Phone: (+30) 211 800 5 800
Email: info@devoq.gr
Website: www.devoq.gr