CySec News
Today is Microsoft’s May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. Of the 75 vulnerabilities fixed in today’s update, eight are classified as ‘Critical’ as they allow remote code execution or elevation of privileges. The actively exploited zero-day vulnerability fixed today is for a new NTLM Relay Attack using an LSARPC flaw tracked as ‘CVE-2022-26925 – Windows LSA Spoofing Vulnerability.’
Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution. A malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant’s Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.
Reference: https://thehackernews.com/2022/05/microsoft-mitigates-rce-vulnerability.html
A recently disclosed F5 BIG-IP vulnerability has been used in destructive attacks, attempting to erase a device’s file system and make the server unusable. Last week, F5 disclosed a vulnerability tracked as CVE-2022-1388 that allows remote attackers to execute commands on BIG-IP network devices as ‘root’ without authentication. Due to the critical nature of the bug, F5 urged admins to apply updates as soon as possible. A few days later, researchers began publicly publishing exploits on Twitter and GitHub, with threat actors soon using them in attacks across the Internet.
Two high-severity security vulnerabilities, which went undetected for several years, have been discovered in a legitimate driver that’s part of Avast and AVG antivirus solutions. “These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded”.
Reference: https://thehackernews.com/2022/05/researchers-disclose-10-year-old.html
GitHub announced today that all users who contribute code on its platform (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts by the end of 2023. Active contributors who will have to enable 2FA include but are not limited to GitHub users who commit code, use Actions, open or merge pull requests, or publish packages. Developers can use one or more 2FA options, including physical security keys, virtual security keys built into devices like phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.
Today, GitHub has launched a new public beta to notably improve the two-factor authentication (2FA) experience for all npm user accounts. Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register “multiple second factors, such as security keys, biometric devices, and authentication applications.” It has also introduced a new 2FA configuration menu that allows users to manage registered keys and recovery codes.
Cisco has addressed several security flaws found in the Enterprise NFV Infrastructure Software (NFVIS), a solution that helps virtualize network services for easier management of virtual network functions (VNFs). Two of them, rated critical and high severity, can be exploited by attackers to run commands with root privileges or to escape the guest virtual machine (VM) and fully compromise NFVIS hosts. Cisco’s Product Security Incident Response Team (PSIRT) says there is no proof-of-concept exploit code and no ongoing exploitation in the wild.
QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company’s video surveillance solution hosted on a NAS device. The vulnerability is tracked as CVE-2022-27588 and has a critical severity score of 9.8. It impacts QVR versions older than 5.1.6 build 20220401.
Trend Micro antivirus has fixed a false positive affecting its Apex One endpoint security solution that caused Microsoft Edge updates to be tagged as malware and the Windows registry to be incorrectly modified. According to hundreds of customer reports that started streaming in earlier this week on the company’s forum and on social networks, the false positive affected update packages stored in the Microsoft Edge installation folder. As users further revealed, the Trend Micro Apex One flagged the browser updates as Virus/Malware: TROJ_FRS.VSNTE222 and Virus/Malware: TSC_GENCLEAN.
The European Union (EU) wants to see greater standardization across European cybersecurity legislation and regulations, according to the bloc’s cybersecurity agency. The EU sees standards as vital to increasing security across the bloc, as well as ensuring that cybersecurity measures are consistent between member states. This, the European Commission argues, will make it easier for both security vendors and businesses in general to work across borders. EU-wide standards are envisaged for both product certification and legislation on computer misuse.
Reference: https://portswigger.net/daily-swig/eu-targets-standardization-as-key-to-bloc-wide-cyber-resilience
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.
Reference: https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
On April 26, 2022, a new Emotet campaign was spotted in the wild, where the usual Office delivery system was replaced with LNK files, in a clear response to the VBA protection launched by Microsoft. Researchers found 139 distinct LNK files that are part of the same campaign, delivering two distinct payloads that share the same C2 infrastructure.
Reference: https://otx.alienvault.com/pulse/627a83c015db5d4d97dc6779
In February 2022 has been observed a technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn’t limited to storing shellcodes. Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.
Reference: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
CVE’s of the Week
CISCO
CVE-2022-20744 – Score 4.0
CVE-2022-20743 – Score 9.0
CVE-2022-20740 – Score 4.3
CVE-2022-20629 – Score 3.5
CVE-2022-20628 – Score 3.5
CVE-2022-20627 – Score 3.5