November 9, 2022

Fortify Security Team
Nov 9, 2022

Title: Microsoft Patch Tuesday Fixes 11 Critical Security Vulnerabilities and Six Zero-Days Being Actively Exploited
Date Published: November 9, 2022

https://www.zdnet.com/article/microsoft-patch-tuesday-fixes-11-critical-security-vulnerabilities-and-six-zero-days-being-actively-exploited/

Excerpt: “Microsoft issues 64 patches to address security flaws in products including Windows, Exchange and Office – get updating now. Microsoft has released 64 patches addressing security vulnerabilities across its products including 11 flaws which are classed as critical – and six vulnerabilities which are actively being exploited by cyber attackers. The security flaws impact Microsoft products including Windows, Microsoft Azure, Microsoft Exchange Server, Microsoft Office and more, some of which have been targeted by malicious hackers for months. Two of the critical updates address security vulnerabilities in Microsoft Exchange Server, which have actively been under attack since September – CVE-2022-41028 and CVE-2022-41040. CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, an exploit that allows attackers to make server-side application requests from an unintended location – for example, allowing them to access internal services without being within the perimeter of the network. CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker. Previously, Microsoft had only released mitigations for the vulnerabilities, but now patches are available, which can prevent attackers from exploiting them to access networks – and these should be applied as soon as possible.”

Title: Lockbit Affiliate Uses Amadey Bot Malware to Deploy Ransomware
Date Published: November 8, 2022

https://www.bleepingcomputer.com/news/security/lockbit-affiliate-uses-amadey-bot-malware-to-deploy-ransomware/

Excerpt: “A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of a device and encrypt devices. According to a new AhnLab report, the threat actor targets companies using phishing emails with lures pretending to be job application offers or copyright infringement notices. The LockBit 3.0 payload used in this attack is downloaded as an obfuscated PowerShell script or executable form, running on the host to encrypt files. The Amadey Bot malware is an old strain capable of performing system reconnaissance, data exfiltration, and payload loading. Korean researchers at AhnLab have noticed increased Amadey Bot activity in 2022 and reported finding a new version of the malware in July, dropped via SmokeLoader. The latest version added antivirus detection and auto-avoidance capabilities, making intrusions and dropping payloads stealthier.”

Title: Advanced RAT AgentTesla Most Prolific Malware in October
Date Published: November 9, 2022

https://www.infosecurity-magazine.com/news/advanced-rat-agenttesla-malware/

Excerpt: “Info-stealing malware accounted for the three most widespread variants in October, comprising nearly a fifth (16%) of global detections, according to Check Point. The security vendor’s Global Threat Index for October 2022 is compiled from hundreds of millions of its own threat intelligence sensors, installed across customer networks, endpoints and mobile devices. It revealed that AgentTesla was the most widespread malware, impacting 7% of organizations. The advanced RAT malware works as a keylogger and information stealer capable of collecting the victim’s keystrokes, taking screenshots and exfiltrating credentials, according to the company. In second and third place on the top 10 were SnakeKeylogger (5%), a modular .NET keylogger and credential stealer first detected in November 2020, and info-stealer Lokibot (4%). The latter is distributed mainly by phishing emails and is used to steal data including email credentials and passwords to cryptocurrency wallets and FTP servers, the report claimed. All three moved up in the top 10 list from the previous month, while the likes of prolific Trojan Emotet and info-stealer Formbook slumped.”

Title: Citrix Adc and Citrix Gateway Are Affected by a Critical Authentication Bypass Flaw
Date Published: November 8, 2022

https://securityaffairs.co/wordpress/138264/security/citrix-gateway-adc-flaws.html

Excerpt: “Citrix released security updates to address a critical authentication bypass vulnerability in Citrix ADC and Citrix Gateway. Citrix is urging customers to install security updates to address a critical authentication bypass issue, tracked as CVE-2022-27510, in Citrix ADC and Citrix Gateway.The company addressed the following three vulnerabilities:

  • CVE-2022-27510 – The flaw is an authentication bypass using an alternate path or channel, an attacker can trigger it to gain unauthorized access to Gateway user capabilities. The company pointed out that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are impacted.
  • CVE-2022-27513 – The flaw is an insufficient Verification of Data Authenticity, an attacker can exploit the flaw to achieve a remote desktop takeover via phishing attacks. The vulnerability can be exploited only if the appliance is configured as a VPN (Gateway) and the RDP proxy functionality is configured.
  • CVE-2022-27516 – The vulnerability is a user login brute force protection functionality bypass. The flaw can be exploited only if the appliance is configured as a VPN (Gateway) or AAA virtual server with “Max Login Attempts” configuration. “Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the first issue, which is rated as a Critical severity vulnerability.” reads the security bulletin published by Citrix.”

Title: China Likely Amasses 0-Days Via Vulnerability Disclosure Law
Date Published: November 8, 2022

https://www.databreachtoday.com/china-likely-amasses-0-days-via-vulnerability-disclosure-law-a-20436

Excerpt: “The first year of a Chinese law requiring mandatory disclosure to the government of vulnerability reports correlates to a period of increased zero-day exploitation by Beijing-backed hackers. That’s the conclusion from computing giant Microsoft, which says the mandatory disclosure regulation “might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them.” The disclosure requirement took effect Sept. 1, 2021, as part of a larger Data Security Law tightening regulations around the processing of Chinese data. Vendors that discover vulnerabilities must report them to authorities within two days for inclusion in China’s National Vulnerability Database.U.S. cybersecurity company Recorded Future published research in 2017 uncovering a formal process led by lead civilian intelligence agency the Ministry of State Security that likely evaluates reports of high threat vulnerability for their operational utility before publication in the CNNVD. Even before the law went into effect, a Chinese hacking group that Microsoft dubbed Hafnium used four zero-day exploits to hack on-premises versions of Microsoft Exchange Server. A White House official said victims numbered about 140,000; they included infectious disease researchers, law firms, higher education institutions, defense contractors, think tanks and nongovernmental organizations. The United States and allies in July called the attacks part of a pattern of “irresponsible and destabilizing behavior in cyberspace.” Chinese hackers later in 2021 found yet another Exchange zero-day, Microsoft says. CVE-2021-42321 emerged during the Tianfu Cup, an international cybersecurity summit and hacking competition held Oct. 16 and 17, 2021, in Chengdu, China. Less than a week later, someone had already used it in the wild.”

Title: Experian, T-Mobile Reach Settlements With 40 States Over Past Data Breaches
Date Published: November 8, 2022

https://www.scmagazine.com/analysis/breach/experian-t-mobile-reach-settlements-with-40-states-over-past-data-breaches

Excerpt: “A coalition of 40 U.S. state attorneys general has reached separate settlements with Experian and T-Mobile totaling over $16 million following data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide. According to the terms of the settlements, Experian, one of the big-three credit reporting agencies, will bear a $13.67 million fine for security incidents in 2012 and 2015. T-Mobile will pay $2.43 million for the settlement in connection with the 2015 Experian breach. Both companies have agreed to take steps to improve their security measures. In 2012, a data breach at Experian was revealed following the U.S. Secret Service’s alert that one of the customers at Experian-owned company Court Ventures was an identity thief who posed as a private investigator and obtained consumers’ sensitive personal information. The individual has since pleaded guilty to wire fraud, identity fraud, access device, and computer fraud and abuse, among other charges. Experian did not notify affected consumers of the incident.In 2015, Experian reported another data breach. This time, the hacker compromised a part of Experian’s network where its client, T-Mobile, stored its customer information. The attack affected over 15 million T-Mobile customers who submitted credit applications with the telecommunications company between September 2013 and September 2015. In this case, T-Mobile and Experian notified customers after the breach, with Experian providing two-year credit monitoring services to consumers following the attack. Monday’s settlement resolves the allegations that Experian’s security measures violated state consumer protection laws and breach notification laws. Under terms of the Experian settlements, the company is required to improve security practices, including releasing a comprehensive data breach notification plan and developing an identity theft prevention program to spot potential red flags in customers’ accounts.”

Title: Retail Sector Prepares for Annual Holiday Cybercrime Onslaught
Date Published: November 8, 2022

https://www.darkreading.com/risk/retail-sector-prepares-for-annual-holiday-cybercrime-onslaught

Excerpt: “Retailers and hospitality companies expect to battle credential harvesting, phishing, bots, and various malware variants. For companies in the retail and hospitality sector, the holiday shopping season represents their busiest time of year, both for sales and fighting cybercrime threats. This year is no different, with companies in the sector anticipating that phishing, fraud, credential harvesting, and the ever-evolving malware landscape will cast a shadow over their security posture in the coming months, according to a report published by Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) this week. The 2022 RH-ISAC Holiday Season Threat Trends Summary report polled analysts and members of the industry group about what their security focus is this season — which is defined as the time between Oct. 1 and Dec. 31, when people tend to do their online shopping for holidays that are celebrated in much of the world — as well as what they experienced in the previous 2020 and 2021 holiday seasons. RH-ISAC associate member Flashpoint also provided research and data for the report.”

Title: Malicious Extension Lets Attackers Control Google Chrome Remotely
Date Published: November 8, 2022

https://www.bleepingcomputer.com/news/security/malicious-extension-lets-attackers-control-google-chrome-remotely/

Excerpt: “A new Chrome browser botnet named ‘Cloud9’ has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim’s browser in DDoS attacks. The Cloud9 browser botnet is effectively a remote access trojan (RAT) for the Chromium web browser, including Google Chrome and Microsoft Edge, allowing the threat actor to remotely execute commands. The malicious Chrome extension isn’t available on the official Chrome web store but is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates. This method appears to be working well, as researchers at Zimperium reported today that they have seen Cloud9 infections on systems across the globe. Cloud9 is a malicious browser extension that backdoors Chromium browsers to perform an extensive list of malicious functions and capabilities. The extension consists of three JavaScript files for collecting system information, mining cryptocurrency using the host’s resources, performing DDoS attacks, and injecting scripts that run browser exploits. Zimperium noticed the loading of exploits for the CVE-2019-11708 and CVE-2019-9810 vulnerabilities in Firefox, CVE-2014-6332 and CVE-2016-0189 for Internet Explorer, and CVE-2016-7200 for Edge.
These vulnerabilities are used to automatically install and execute Windows malware on the host, enabling the attackers to conduct even more significant system compromises. However, even without the Windows malware component, the Cloud9 extension can steal cookies from the compromised browser, which the threat actors can use to hijack valid user sessions and take over accounts.”

Title: Vmware Fixes Three Critical Flaws in Workspace ONE Assist
Date Published: November 9, 2022

https://securityaffairs.co/wordpress/138283/security/vmware-workspace-one-assist-critical-bugs.html

Excerpt: “VMware addresses three critical bugs in the Workspace ONE Assist solution that allow remote attackers to bypass authentication and elevate privileges. VMware has released security updates to address three critical vulnerabilities impacting the Workspace ONE Assist product. Remote attackers can exploit the vulnerabilities to bypass authentication and elevate privileges to admin. Workspace ONE Assist allows IT staff to remotely access and troubleshoot devices in real time from the Workspace ONE console. The first issue, tracked as CVE-2022-31685 (CVSSv3 9.8/10), is an authentication bypass flaw, an attacker with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. The second issue, tracked as CVE-2022-31686 (CVSSv3 9.8/10), is a broken authentication method, an attacker with network access may be able to obtain administrative access without the need to authenticate to the application. The third critical issue fixed by the virtualization giant is a broken authentication control tracked as CVE-2022-31687. An attacker with network access may be able to obtain administrative access without the need to authenticate to the application. The company addressed them with the release of Workspace ONE Assist 22.10 (89993) for Windows customers.”

Title: Conti Affiliates Black Basta, BlackByte Continue to Attack Critical Infrastructure
Date Published: November 8, 2022

https://www.infosecurity-magazine.com/news/black-basta-blackbyte-attack-eu/

Excerpt: “Between the end of February and mid-July 2022, 81 victim organizations were listed on the BlackByte and Black Basta data leak sites. Of those, 41% were based in Europe, and many are part of critical infrastructure sectors, including energy, government, transportation, pharmaceuticals, facilities, food and education. The remaining 59% were primarily located in the US and included several victims, including a manufacturer of agricultural machinery, a small regional grocery chain and several construction firms. The new data comes from the threat response unit (TRU) at eSentire, which shared the findings with Infosecurity ahead of publication. “What stands out is that the US companies that were attacked by these two ransomware gangs during this time frame, for the most part, are not part of critical infrastructure sectors,” the report reads. “And yet, the European-based victim organizations are definitely in critical infrastructure segments including transportation, energy, government facilities, pharmaceuticals, food and education.” According to Keegan Keplinger, research and reporting lead at eSentire, organizations in Europe and other parts of the globe have attracted the interest of the Conti ransomware group, which only appeared to shut down in May 2022. “In typical ransomware branding fashion, Conti did not shut down; rather, they moved their operation into other ransomware brands, including Black Basta and BlackByte,” Keplinger told Infosecurity. “As pioneers of the ransomware intrusion model, the Conti ransomware group is known for their Russian-state affiliations, corporate organizational structure, and a tendency to target critical infrastructure in western, NATO-aligned countries, especially the US.” However, the security expert added that in the summer of 2021, US President Joe Biden began applying pressure on Russian President Vladimir Putin, threatening sanctions and retaliation.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...