October 12, 2022

Fortify Security Team
Oct 12, 2022

Title: Claroty Found Hardcoded Cryptographic Keys in Siemens PLCs Using RCE
Date Published: October 12, 2022

https://www.infosecurity-magazine.com/news/claroty-found-cryptographic-keys/

Excerpt: “eam82, the research arm of New York-based industrial cybersecurity firm Claroty, revealed on October 11, 2022, that they managed to extract heavily guarded, hardcoded cryptographic keys embedded within SIMATIC S7-1200/1500s, a range of Siemens programmable logic computers (PLCs), and TIA Portal, Siemens’ automated engineering software platform. They deployed a new remote code execution (RCE) technique targeting the central processing units (CPUs) of SIMATIC S7-1200 and S7-1500 PLCs, for which they used a vulnerability uncovered in previous research on Siemens PLCs (CVE-2020-15782) that enabled them to bypass native memory protections on the PLC and gain read/write privileges. They were able not only to extract the internal, heavily guarded private key used across the Siemens product lines but also to implement the full protocol stack, encrypt and decrypt protected communications and configurations. “An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access-level protections. [They] could [also] use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way,” Team82 warned in the research paper. CVE-2022-38465 has been assigned to the new vulnerability found by Team82, and given a CVSS v3 score of 9.3.”

Title: LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware
Date Published: October 12, 2022

https://securityaffairs.co/wordpress/136968/cyber-crime/microsoft-exchange-lockbit-ransomware.html

Excerpt: “Lockbit ransomware affiliates are compromising Microsoft Exchange servers to deploy their ransomware, experts warn. South-Korean cybersecurity firm AhnLab reported that Lockbit ransomware affiliates are distributing their malware via compromised Microsoft Exchange servers. In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and stole roughly 1.3 TB of data before encrypting systems hosted in the network. According to the researchers, the attackers allegedly exploited a zero-day vulnerability in Microsoft Exchange Server. “Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021 (CVE-2022-21969), the privilege escalation vulnerability was disclosed in February 2022, and the most recent vulnerability was on June 27. Information Disclosure Vulnerability vulnerability. That is, among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation.” reads the report published by AhnLab. “Therefore, considering that WebShell was created on July 21, it is expected that the attacker used an undisclosed zero-day vulnerability. The experts argued that the attackers likely did not exploit recently disclosed CVE-2022-41040 and CVE-2022-41082 vulnerabilities.”

Title: Critical Open Source vm2 Sandbox Escape Bug Affects Millions
Date Published: October 11, 2022

https://www.darkreading.com/application-security/critical-open-source-vm2-sandbox-escape-bug-affects-millions

Excerpt: “Attackers could exploit the “Sandbreak” security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.A remote code execution (RCE) vulnerability in a widely used JavaScript sandbox has earned a top rating of 10 on the CVSS vulnerability risk scale; it allows threat actors to execute a sandbox escape and run shell commands on the hosting machine. Researchers from cloud security firm Oxeye discovered the dangerous flaw, which they dubbed “Sandbreak” in vm2, a JavaScript sandbox that has more than 16 million monthly downloads, according to its NPM package manager.”

Title: Fortinet warns that critical authentication bypass flaw has been exploited
Date Published: October 12, 2022

https://www.zdnet.com/article/fortinet-warns-that-critical-authentication-bypass-flaw-has-been-exploited/

Excerpt: “The Cybersecurity and Infrastructure Security Agency (CISA) has added a Fortinet critical flaw to its known exploited vulnerabilities catalog. CISA on Tuesday added the flaw to the KEV catalog, a day after Fortinet revealed an authentication bypass CVE-2022-40684 that it patched last week was already being exploited in the wild. “Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs,” Fortinet said. The firm has released updates for FortiOS, FortiProxy and FortiSwitchManager to address the flaw, which affects several of its security appliances. “An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.” However, for customers that can’t apply updates immediately, it has also provided workarounds to disable HTTP/HTTPS administrative interface or limit IP addresses that can reach the administrative interface.”

Title: Google Forms abused in new COVID-19 phishing wave in the U.S.
Date Published: October 12, 2022

https://www.bleepingcomputer.com/news/security/google-forms-abused-in-new-covid-19-phishing-wave-in-the-us/

Excerpt: “COVID-19-themed phishing messages are once again spiking in the U.S. following a prolonged summer hiatus that appears to be over. According to a report by email security company INKY shared with BleepingComputer before publication, the malspam volumes have doubled in September compared to the previous three months and are set to rise even more. In the latest attacks, phishing emails impersonate the U.S. Small Business Administration (SBA) and abuse Google Forms to host phishing pages that steal the personal details of business owners. The SBA ran COVID-19 financial recovery programs in the past, which adds legitimacy to the campaign, especially for previous beneficiaries. However, the organization is currently not running any similar initiatives.”

Title: Amid reports of JP Morgan cyberattack, experts call Killnet unsophisticated, ‘media hungry’
Date Published: October 11, 2022

https://www.scmagazine.com/analysis/cybercrime/amid-reports-of-jp-morgan-cyberattack-experts-call-killnet-unsophisticated-media-hungry

Excerpt: “Russian hacktivist group Killnet, well-known for its flair for publicity, made more news today when it reportedly blocked J.P. Morgan’s infrastructure, but failed to impact the bank’s operations. These reports came one day after Killnet attacked airport websites in 24 states, disrupting service, but causing no real business damage or serious data exfiltration. Security researchers said Killnet’s attacks remain relatively unsophisticated and unchanged, but the group is nonetheless persistent with its DDoS attacks. “While DDoS attacks can be classified as a nuisance, if successful, these attacks can result in websites or services being taken down for long periods of time,” said Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows. “This threat is notably higher for critical sectors, where even short downtimes can have significant consequences.” Killnet was not initially created to be a hacktivist group. Rather, the moniker stems from a tool that hackers could use to launch DDoS attacks, Righi noted. The tool was advertised on the Killnet Telegram channel in January 2022, and then Killnet transformed from a criminal service provider to a hacktivist group with the Russia-Ukraine war.”

Title: A New Wave of PayPal Invoice Scams Using Crypto Disguise
Date Published: October 11, 2022

https://www.infosecurity-magazine.com/news/paypal-invoice-scams-using-crypto/

Excerpt: “A new wave of PayPal invoice scams have been found using blockchain/cryptocurrency-related businesses as their disguise, security researchers from Japanese cybersecurity vendor Trend Micro found on October 09, 2022. While the scammers use a very common method, impersonating PayPal sellers to send random target invoices via PayPal systems saying users have been charged an amount of money and pushing them to click on malicious links, they use the names of famous companies/tokens on different blockchains to do so. Among the examples mentioned by Trend Micro are Stellar XLM, Bitcoin Exchange, Terra Luna Classic, Oasis Network and TrueUSD.”

Title: VMware has yet to fix CVE-2021-22048 flaw in vCenter Server disclosed one year ago
Date Published: October 12, 2022

https://securityaffairs.co/wordpress/136979/hacking/vmware-unpatched-cve-2021-22048.html

Excerpt: “VMware has yet to address the CVE-2021-22048 privilege escalation vulnerability in vCenter Server disclosed in November 2021. VMware warns customers that it has yet to address a high-severity privilege escalation vulnerability, tracked as CVE-2021-22048, in the vCenter Server.The flaw was disclosed in November 2021, it resides in the vCenter Server ‘s IWA (Integrated Windows Authentication) mechanism. The vulnerability can be exploited by an attacker with non-administrative access to vulnerable vCenter Server deployments to elevate privileges to a higher privileged group. “The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism.” reads the advisory published by the company. “A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.” The CVE-2021-22048 flaw was reported by CrowdStrike researchers Yaron Zinar and Sagi Sheinfeld on November 10th, 2021. In July 2022, VMware addressed the CVE-2021-22048 vulnerability for the latest available release at the time (vCenter Server 7.0 Update 3f). Unfortunately, the security patches released by the company did not fix the issue and caused the crash of the Secure Token Service triggering an exception in postInstallHook. The security patches were rolled back for the above issue.”

Title: Hospital Chain’s Patient Portals, Other IT Still Offline
Date Published: October 11, 2022

https://www.databreachtoday.com/hospital-chains-patient-portals-other-still-offline-a-20245

Excerpt: “Patient care continues to be disrupted at the U.S.’s fourth-largest hospital system as its response to a cyber incident enters a second week.Patient portals, electronic prescriptions and some other IT systems are still unavailable at an undisclosed number of locations in the CommonSpirit Health network, the largest Catholic health system and the second-largest nonprofit hospital chain in the United States. It consists of 1,500 healthcare medical clinics and hospitals across 21 states. CommonSpirit first disclosed Oct. 4 an “IT security issue” forcing it to reschedule some patient appointments. NBC news reports the issue is ransomware. Ransomware is a mounting threat for the healthcare industry, which attracts cybercriminals by having quantities of sensitive data, an often-earned reputation for poor cybersecurity and the perception that most physicians would rather pay the ransom than disrupt medical care. Cybersecurity firm Sophos reports that two-thirds of the healthcare organizations it surveyed reported a ransomware attack in 2021.”

Title: Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched
Date Published: October 11, 2022

https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-days-exchange-server-exploit-chain-remains-unpatched

Excerpt: “The computing giant didn’t fix ProxyNotLogon in October’s Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited. For its October Patch Tuesday update, Microsoft addressed a critical security vulnerability in its Azure cloud service, carrying a rare 10-out-of-10 rating on the CVSS vulnerability-severity scale. The tech giant also patched two “important”-rated zero-day bugs, one of which is being actively exploited in the wild; and further, there may be a third issue, in SharePoint, that’s also being actively exploited. Notably, however, the Microsoft didn’t issue fixes for the two unpatched Exchange Server zero-day bugs that came to light in late September.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...