Microsoft has reminded customers today that Windows Server, version 20H2, will be reaching the end of service (EOS) on August 9, 2022. In a support document published today, Microsoft says that Windows Server 20H2 will reach the mainstream support end date for Datacenter Core and Standard Core users.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-20h2-reaches-end-of-service-in-august/

NVIDIA has released a security update for a wide range of graphics card models, addressing four high-severity and six medium-severity vulnerabilities in its GPU drivers. The security update fixes vulnerabilities that can lead to denial of service, information disclosure, elevation of privileges, code execution, etc. Interestingly, apart from the current and recent product lines that are actively supported, NVIDIA’s latest release also covers GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021. The GPU maker previously promised to continue providing critical security updates for these products until September 2024, and this driver update honors that promise.

Reference: https://www.bleepingcomputer.com/news/security/nvidia-fixes-ten-vulnerabilities-in-windows-gpu-display-drivers/

Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watch devices. The flaw is an out-of-bounds write issue (CVE-2022-22675) in the AppleAVD (a kernel extension for audio and video decoding) that allows apps to execute arbitrary code with kernel privileges. The bug was reported by anonymous researchers and fixed by Apple in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with improved bounds checking. The list of impacted devices includes Apple Watch Series 3 or late, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD.

Reference: https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-day-used-to-hack-macs-watches/

A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. The newly discovered Swift-based dropper masquerades as Mach-O binaries named “PDFCreator” and “ActiveDirectory” that, upon execution, establish a connection to a remote server and retrieve a bash script to be executed.

Reference: https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html

Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw in select versions of the Zyxel firewall that could enable an unauthenticated adversary to execute arbitrary commands on the underlying operating system.

Reference: https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html

SonicWall “strongly urges” customers to patch several high-risk security flaws impacting its Secure Mobile Access (SMA) 1000 Series line of products that can let attackers bypass authorization and, potentially, compromise unpatched appliances. While the first flaw (an unauthenticated access control bypass rated as high severity) is now tracked as CVE-2022-22282, the other two (a hard-coded cryptographic key and an open redirect, both rated as medium severity) are still waiting for a CVE ID to be issued. “There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible,” the company says in a security advisory published this week.

Reference: https://www.bleepingcomputer.com/news/security/sonicwall-strongly-urges-admins-to-patch-sslvpn-sma1000-bugs/

Sophos has released a fix for a known issue triggering blue screens of death (aka BSODs) on Windows 11 systems running Sophos Home antivirus software after installing the KB5013943 update. Sophos says the issue is caused by the hmpalert.sys (aka HitManPro.Alert Support) Windows driver used by Sophos Home. The fix for this known bug will apply automatically to all impacted systems, with users prompted to restart their devices as soon as the patch is applied.

Reference: https://www.bleepingcomputer.com/news/software/sophos-antivirus-driver-caused-bsods-after-windows-kb5013943-update/

The European Parliament announced a “provisional agreement” aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union. The revised directive, called “NIS2” (short for network and information systems), is expected to replace the existing legislation on cybersecurity that was established in July 2016. The revamp sets ground rules, requiring companies in energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations.

Reference: https://thehackernews.com/2022/05/europe-agrees-to-adopt-new-nis2.html

HTML files remain one of the most popular attachments used in phishing attacks for the first four months of 2022, showing that the technique remains effective against antispam engines and works well on the victims themselves. In phishing emails, HTML files are commonly used to redirect users to malicious sites, download files, or to even display phishing forms locally within the browser. As HTML is not malicious, attachments tend not to be detected by email security products, thus doing a good landing in recipients’ inboxes.

Reference: https://www.bleepingcomputer.com/news/security/html-attachments-remain-popular-among-phishing-actors-in-2022/

CVE’s of the Week

Cisco

CVE-2022-20796 – Score 4.9

CVE-2022-20794 – Score4.3

CVE-2022-20785 – Score 7.8

CVE-2022-20780 – Score 4.3

CVE-2022-20779 – Score 9.3

CVE-2022-20777 – Score 9.0

CVE-2022-20771 – Score 7.8

CVE-2022-20770 – Score 7.8

CVE-2022-20767 – Score 7.8

CVE-2022-20764 – Score 5.5

CVE-2022-20760 – Score 7.8

CVE-2022-20759 – Score 8.5

CVE-2022-20757 – Score 4.3

CVE-2022-20748 – Score 5.0

CVE-2022-20746 – Score 7.1

CVE-2022-20745 – Score 7.8

CVE-2022-20742 – Score 5.8

CVE-2022-20737 – Score 7.0

CVE-2022-20734 – Score 4.9

CVE-2022-20730  Score 5.0

CVE-2022-20729 – Score 4.6

CVE-2022-20715 – Score 7.8

Microsoft

CVE-2022-29131 – Score 9.0

CVE-2022-29130 – Score 9.3

CVE-2022-29129 – Score 9.0

CVE-2022-29128 – Score 9.0

CVE-2022-22014 –  Score 6.5

CVE-2022-22013 – Score 6.5

CVE-2022-22012 – Score 9.3

Fortinet

CVE-2022-23443 – Score 5.0

CVE-2021-43206 – Score 4.3

CVE-2021-41032 – Score 5.5

CVE-2021-41020 – Score 6.5

Today is Microsoft’s May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. Of the 75 vulnerabilities fixed in today’s update, eight are classified as ‘Critical’ as they allow remote code execution or elevation of privileges. The actively exploited zero-day vulnerability fixed today is for a new NTLM Relay Attack using an LSARPC flaw tracked as ‘CVE-2022-26925 – Windows LSA Spoofing Vulnerability.’

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tuesday-fixes-3-zero-days-75-flaws/

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution. A malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant’s Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.

Reference: https://thehackernews.com/2022/05/microsoft-mitigates-rce-vulnerability.html

A recently disclosed F5 BIG-IP vulnerability has been used in destructive attacks, attempting to erase a device’s file system and make the server unusable. Last week, F5 disclosed a vulnerability tracked as CVE-2022-1388 that allows remote attackers to execute commands on BIG-IP network devices as ‘root’ without authentication. Due to the critical nature of the bug, F5 urged admins to apply updates as soon as possible. A few days later, researchers began publicly publishing exploits on Twitter and GitHub, with threat actors soon using them in attacks across the Internet.

Reference: https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices/

Two high-severity security vulnerabilities, which went undetected for several years, have been discovered in a legitimate driver that’s part of Avast and AVG antivirus solutions. “These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded”.

Reference: https://thehackernews.com/2022/05/researchers-disclose-10-year-old.html

GitHub announced today that all users who contribute code on its platform (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts by the end of 2023. Active contributors who will have to enable 2FA include but are not limited to GitHub users who commit code, use Actions, open or merge pull requests, or publish packages. Developers can use one or more 2FA options, including physical security keys, virtual security keys built into devices like phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.

Reference: https://www.bleepingcomputer.com/news/security/github-to-require-2fa-from-active-developers-by-the-end-of-2023/

Today, GitHub has launched a new public beta to notably improve the two-factor authentication (2FA) experience for all npm user accounts. Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register “multiple second factors, such as security keys, biometric devices, and authentication applications.” It has also introduced a new 2FA configuration menu that allows users to manage registered keys and recovery codes.

Reference: https://www.bleepingcomputer.com/news/security/github-announces-enhanced-2fa-experience-for-npm-accounts/

Cisco has addressed several security flaws found in the Enterprise NFV Infrastructure Software (NFVIS), a solution that helps virtualize network services for easier management of virtual network functions (VNFs). Two of them, rated critical and high severity, can be exploited by attackers to run commands with root privileges or to escape the guest virtual machine (VM) and fully compromise NFVIS hosts. Cisco’s Product Security Incident Response Team (PSIRT) says there is no proof-of-concept exploit code and no ongoing exploitation in the wild.

Reference: https://www.bleepingcomputer.com/news/security/cisco-fixes-nfvis-bugs-that-help-gain-root-and-hijack-hosts/

QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company’s video surveillance solution hosted on a NAS device. The vulnerability is tracked as CVE-2022-27588 and has a critical severity score of 9.8. It impacts QVR versions older than 5.1.6 build 20220401.

Reference: https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-qvr-remote-command-execution-vulnerability/

Trend Micro antivirus has fixed a false positive affecting its Apex One endpoint security solution that caused Microsoft Edge updates to be tagged as malware and the Windows registry to be incorrectly modified. According to hundreds of customer reports that started streaming in earlier this week on the company’s forum and on social networks, the false positive affected update packages stored in the Microsoft Edge installation folder. As users further revealed, the Trend Micro Apex One flagged the browser updates as Virus/Malware: TROJ_FRS.VSNTE222 and Virus/Malware: TSC_GENCLEAN.

Reference: https://www.bleepingcomputer.com/news/security/trend-micro-antivirus-modified-windows-registry-by-mistake-how-to-fix/

The European Union (EU) wants to see greater standardization across European cybersecurity legislation and regulations, according to the bloc’s cybersecurity agency. The EU sees standards as vital to increasing security across the bloc, as well as ensuring that cybersecurity measures are consistent between member states. This, the European Commission argues, will make it easier for both security vendors and businesses in general to work across borders. EU-wide standards are envisaged for both product certification and legislation on computer misuse.

Reference: https://portswigger.net/daily-swig/eu-targets-standardization-as-key-to-bloc-wide-cyber-resilience

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

Reference: https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/

On April 26, 2022, a new Emotet campaign was spotted in the wild, where the usual Office delivery system was replaced with LNK files, in a clear response to the VBA protection launched by Microsoft. Researchers found 139 distinct LNK files that are part of the same campaign, delivering two distinct payloads that share the same C2 infrastructure.

Reference: https://otx.alienvault.com/pulse/627a83c015db5d4d97dc6779

In February 2022 has been observed a technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn’t limited to storing shellcodes. Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.

Reference: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

CVE’s of the Week

CISCO

CVE-2022-20744 – Score 4.0

CVE-2022-20743 – Score 9.0

CVE-2022-20740 – Score 4.3

CVE-2022-20629 – Score 3.5

CVE-2022-20628 – Score 3.5

CVE-2022-20627 – Score 3.5