Security Updates

An aggregated collection of incoming security alerts, advisories, patches, and more so you’re prepared to respond to real-time threats.


Overview

On January 24, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a report titled “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats” to help K-12 institutions protect themselves against cybersecurity threats. Alongside the report, CISA shared a toolkit containing recommendations and resources for building, operating, and maintaining a safe and protected environment for staff, students, and parents.

As technology and network use have expanded in K-12 schools, malicious cyber actors and threats targeting these organizations have increased. The U.S. Congress, aware of these risks, passed the K-12 Cybersecurity Act of 2021, known as “The Act”, which directed CISA to study, develop, and report on the cyber risks facing elementary and secondary school environments. In fulfilment of that mandate, CISA released its report with insight into current threats to K-12 schools and the steps to prevent and mitigate future cyber-attacks.

The report’s findings emphasize the importance of deploying multifactor authentication (MFA), mitigating known vulnerabilities (patching), testing backups, and implementing a cybersecurity training program. Over time, these measures can form the basis of a strong cybersecurity plan that aligns with the NIST Cybersecurity Framework (CSF).

CISA released a Digital Online Toolkit to provide resources and materials for K-12 schools to implement within their environment. The toolkit is available for download and includes three recommendations for building a strong cybersecurity team.

  1. Invest in the most impactful security measures and build toward a mature cybersecurity team
  2. Recognize and actively address resource constraints
  3. Focus on collaboration and information sharing

CISA’s K-12 Report Emphasizes the Importance of the Following Security Practices:

  • Deploying multifactor authentication (MFA)
  • Mitigating any known vulnerabilities within the environment (patching)
  • Establishing and testing backups regularly
  • Developing and executing an Incident Response Plan periodically
  • Creating a strong cybersecurity training program
  • Prioritizing investments in alignment with the full list of CISA’s CPGs, and
  • Developing a unique cybersecurity plan that leverages the NIST CSF

CISA states that these small steps will quickly reduce the malicious cyber threats and vulnerabilities that can infiltrate the educational environment.

CISA also states that a strong partnership between K-12 education, FBI regional cybersecurity personnel, and CISA itself will be a valuable resource for future updates on this topic.

Sources

https://www.congress.gov/bill/117th-congress/senate-bill/1917 – “The Act”
https://www.cisa.gov/sites/default/files/publications/K-12report-24Jan23.pdf – Report PDF
https://www.cisa.gov/partnering-safeguard-k-12-toolkit – The Online Toolkit (download)
https://www.cisa.gov/protecting-our-future-partnering-safeguard-k-12-organizations-cybersecurity-threats – Partnership Announcement

Overview

On January 23, 2023, Apple released security updates addressing vulnerabilities found in various products. Any unpatched device carrying one of these vulnerabilities is at risk of an attacker gaining access.

The updated products and versions are Safari 16.3, iOS 12.5.7, macOS Monterey 12.6.3, macOS Big Sur 11.7.3, watchOS 9.3, iOS 15.7.3, iPadOS 15.7.3, iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2. If you own one or more of the affected devices, installing the update released on January 23 mitigates the vulnerabilities.

Sources

https://www.cisa.gov/uscert/ncas/current-activity/2023/01/24/apple-releases-security-updates-multiple-products

https://support.apple.com/en-us/HT201222

Overview

MedusaLocker has been observed using new ransomware tactics and techniques, targeting unpatched VPNs for initial access. The operators use a scheduled task named “svhost” to encrypt machines and inject into system processes such as spoolsv.exe and svchost.exe. Command and control traffic has been seen over ports 80, 445, and 2222. MedusaLocker has also been found using TeleLinkSoftHelper’s Employee Monitoring software, and staging malicious tools, including Nmap, Mimikatz, Netscan, Netpass, and more, in the Pictures and Videos folders on a computer.

Indicators of Compromise (IoCs) include 64.190.63[.]111 and 194.165.17[.]15.

Ways to mitigate MedusaLocker include ensuring any VPN appliances are fully patched, blocking the IoC IPs above in your firewall, implementing least privilege for local and domain users, auditing current users to confirm admin rights have not been granted to users who do not require them, blocking the listed file names in your antivirus (AV)/EDR solution, adopting MFA for users connecting through VPN, and auditing and removing legacy or unneeded users that have VPN access. (Blackpoint Cyber, Cyber Threat Notice, personal communication, January 23, 2023)
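The indicators above are published in defanged form (64.190.63[.]111) and the page names specific tool file names, a scheduled task name, and C2 ports. The following added example, written for this page and not taken from Blackpoint Cyber or any vendor, shows how a defender can turn those indicators into detection logic: it refangs the IPs, then scans key=value telemetry lines for IoC addresses, the named tools, executables staged in the Pictures or Videos folders, and the exact task name “svhost” (deliberately not matching the legitimate svchost). The log format and the sample lines are constructed for the example; adapt parse_kv() to your own SIEM or EDR export.

```python
import ipaddress
import os
import re

# Indicators named on this page, kept in their defanged form as published
DEFANGED_IOCS = ["64.190.63[.]111", "194.165.17[.]15"]
# Tool names the page says were staged on victims; compared against the file-name stem
SUSPICIOUS_TOOLS = {"nmap", "mimikatz", "netscan", "netpass"}
# Scheduled task name the page attributes to MedusaLocker (not the legitimate svchost)
SUSPICIOUS_TASK = "svhost"
# Ports the page associates with command and control
C2_PORTS = {80, 445, 2222}
# Folders the page says were used to stage tooling
STAGING_FOLDERS = {"pictures", "videos"}


def refang(ioc: str) -> str:
    """Restore a defanged indicator (1.2.3[.]4, hxxp://) to its real form."""
    out = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse a key=value log line; quoted values may contain spaces (assumed format)."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def _path_parts(path: str) -> list:
    return re.split(r"[\\/]+", path)


def classify(line: str) -> list:
    """Return the list of reasons this log line matches the page's indicators."""
    f = parse_kv(line)
    reasons = []

    # Network events: known IoC address as source or destination
    hit_ip = None
    for key in ("src", "dst"):
        if key in f:
            try:
                ip = ipaddress.ip_address(f[key])
            except ValueError:
                continue
            if ip in IOC_IPS:
                hit_ip = ip
                reasons.append(f"ioc_ip:{ip}")
    # Only escalate on the C2 ports when an IoC address is involved, to limit noise
    if hit_ip is not None and f.get("dport", "").isdigit() and int(f["dport"]) in C2_PORTS:
        reasons.append(f"c2_port:{f['dport']}")

    # Process events: named tooling, or an executable staged in a media folder
    if "image" in f:
        parts = _path_parts(f["image"])
        stem, ext = os.path.splitext(parts[-1].lower())
        if stem in SUSPICIOUS_TOOLS:
            reasons.append(f"tool:{stem}")
        if ext == ".exe" and STAGING_FOLDERS & {p.lower() for p in parts[:-1]}:
            reasons.append("exe_in_media_folder")

    # Scheduled task events: exact match on the suspicious name
    if f.get("task", "").lower() == SUSPICIOUS_TASK:
        reasons.append(f"sched_task:{SUSPICIOUS_TASK}")

    return reasons


def scan(lines) -> list:
    """Return (1-based line number, reasons) for every line that matched."""
    hits = []
    for n, line in enumerate(lines, start=1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample telemetry (key=value style), not real logs
SAMPLE_LOGS = [
    'ts=2023-01-23T10:01:02Z type=fw action=allow src=10.0.0.5 dst=64.190.63.111 dport=2222 proto=tcp',
    'ts=2023-01-23T10:02:10Z type=fw action=allow src=10.0.0.5 dst=203.0.113.9 dport=443 proto=tcp',
    'ts=2023-01-23T10:03:44Z type=proc host=ws07 user=jdoe image="C:\\Users\\jdoe\\Pictures\\mimikatz.exe"',
    'ts=2023-01-23T10:04:01Z type=proc host=ws07 user=SYSTEM image="C:\\Windows\\System32\\svchost.exe"',
    'ts=2023-01-23T10:05:30Z type=task host=ws07 action=create task=svhost command="C:\\ProgramData\\upd.exe"',
    'ts=2023-01-23T10:06:00Z type=task host=ws07 action=create task=svchost_maint command="C:\\Windows\\System32\\svchost.exe"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(reasons)}")
```

Running the script flags lines 1, 3 and 5 of the sample and leaves the legitimate svchost.exe process and the unrelated HTTPS connection alone. The C2 ports are only reported alongside an IoC address because 80 and 445 on their own would match most of a network’s normal traffic.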

Sources

https://www.cisa.gov/uscert/ncas/alerts/aa22-181a


Overview

New vulnerabilities have been discovered in Zoho ManageEngine products, tracked as CVE-2022-47966, which allow unauthenticated remote code execution (RCE). The root cause is an outdated Apache Santuario version. Affected products are at risk if SAML-based Single Sign-On is enabled, or has been enabled at some point. To mitigate this, patch all affected products to the latest version, as stated in the Zoho ManageEngine Security Advisory linked below.

Sources

https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html – ManageEngine Security Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-47966 – NIST CVE-2022-47966

https://www.csoonline.com/article/3685940/attackers-exploiting-critical-flaw-in-many-zoho-manageengine-products.html

Overview

The National Institute of Standards and Technology (NIST) has released the “Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework,” outlining considered changes to the Cybersecurity Framework (CSF).

The CSF is meant to be a living document that is developed over time. Its purpose is to guide organizations to better understand, manage, reduce, and communicate cybersecurity risks. The evolving nature of the CSF is upheld to keep pace with changing technology and threat trends, adopt lessons learned, and shift common practices to best practices. In turn, the Framework can continue to help organizations effectively manage risk in the ever-changing cybersecurity landscape.

While the framework is a voluntary guide, it is widely used by all sectors around the globe.

The development of the CSF is based heavily on private and public sector input. As such, NIST welcomes public responses to the concept paper to improve the Framework’s effectiveness and better align it with other cybersecurity resources. The organization asks the community to provide feedback by March 3, 2023.

Public involvement has already played a significant role in the process. According to NIST, the concept paper was based on feedback received so far through:

  • Responses to the February 2022 NIST Cybersecurity Request for Information (RFI);
  • A workshop held in August of 2022 attended by nearly 4,000 participants from 100 countries;
  • Feedback received from organizations who’ve used the CSF; and
  • NIST participation at events and meetings around the world.

One notable change proposed in the paper is to expand the Framework’s scope to be more inclusive to organizations beyond critical infrastructure. This means more guidance for organizations like small businesses and educational institutions.

Throughout the process, NIST will pursue stakeholder feedback in other ways through publicly held webinars and workshops.

The original CSF 2.0 timeline documented in the concept paper indicates NIST’s goal to have CSF 2.0 ready in the winter of 2024.

Sources

https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20

https://fedscoop.com/nist-working-on-potential-significant-updates-to-cybersecurity-framework/

https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf

https://www.federalregister.gov/documents/2022/02/22/2022-03642/evaluating-and-improving-nist-cybersecurity-resources-the-cybersecurity-framework-and-cybersecurity

Overview

Rhadamanthys Stealer is being distributed through a malvertising campaign that uses Google Ads to redirect users to trojanized installers for many popular software packages (examples from the alert: Zoom, AnyDesk, BlueStacks, Notepad++, and Adobe Acrobat). The malware is a “stealer”, developed to exfiltrate targeted files, system information, cookies, browsing history, autofill data, passwords, 2FA and password manager data, VPN and mail client credentials, and more. It uses AES 256-bit encryption to communicate with its command and control server. Indicators of Compromise (IoCs) are available in the sources below.


Sources

https://socprime.com/blog/rhadamanthys-malware-detection-new-infostealer-spread-via-google-ads-spam-emails-to-target-crypto-wallets-and-dump-sensitive-information/

https://www.pcrisk.com/removal-guides/25643-rhadamanthys-stealer

https://threatmon.io/rhadamanthys-stealer-analysis-threatmon

Overview

Fortinet published critical advisory FG-IR-22-398 / CVE-2022-42475 on December 12, 2022, and has updated it since. On January 11, 2023, the company issued a write-up detailing its initial investigation into the malware and additional IoCs found during its ongoing analysis. The exploit has been seen in the wild, and the CVSS score is now 9.8; the vulnerability is considered critical.

While reports indicate attackers are using this exploit against large organizations and government agencies, SMBs should take the time to fix this flaw while they can, before these attackers turn their sights on smaller organizations. The complexity of the exploit indicates the attackers have an advanced capability, possibly even state-sponsored.

Patches are available at Fortiguard.com for the following affected versions:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14
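Checking a fleet against a list of version ranges like the one above is error-prone by hand, and a naive string comparison gets it wrong (as strings, "6.4.10" sorts before "6.4.9"). The following added example, not Fortinet’s code and not from the advisory, parses FortiOS-style version strings into integer tuples and reports whether each device in a constructed inventory falls inside the listed ranges. It assumes the ranges above are the affected ranges from the advisory and that a version outside them is merely "not in the listed ranges", not necessarily fixed.

```python
import re

# Version ranges exactly as listed on this page for FG-IR-22-398 / CVE-2022-42475.
# Assumption (see lead-in): these are the affected ranges; bounds are inclusive.
LISTED_RANGES = {
    "FortiOS": [
        ("7.2.0", "7.2.2"),
        ("7.0.0", "7.0.8"),
        ("6.4.0", "6.4.10"),
        ("6.2.0", "6.2.11"),
    ],
    "FortiOS-6K7K": [
        ("7.0.0", "7.0.7"),
        ("6.4.0", "6.4.9"),
        ("6.2.0", "6.2.11"),
        ("6.0.0", "6.0.14"),
    ],
}

# Accepts "7.0.8", "v7.0.8" or "v7.0.8 build1234"; trailing build info is ignored
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse a version string into a (major, minor, patch) tuple of ints.

    Comparing ints matters: compared as strings, '6.4.10' < '6.4.9'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def in_listed_range(product: str, version: str) -> bool:
    """True if version falls inside any listed range for the product."""
    v = parse_version(version)
    for low, high in LISTED_RANGES.get(product, []):
        if parse_version(low) <= v <= parse_version(high):
            return True
    return False


def assess(product: str, version: str) -> str:
    """Verdict for one device: affected, not-in-listed-ranges, or unknown-product."""
    if product not in LISTED_RANGES:
        return "unknown-product"
    return "affected" if in_listed_range(product, version) else "not-in-listed-ranges"


def assess_inventory(inventory) -> dict:
    """Run assess() over (hostname, product, version) tuples; returns host -> verdict."""
    return {host: assess(product, ver) for host, product, ver in inventory}


# Constructed sample inventory, not real devices
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.8 build1234"),
    ("fw-edge-02", "FortiOS", "7.2.3"),
    ("fw-dc-01", "FortiOS", "6.4.10"),
    ("fw-chassis-01", "FortiOS-6K7K", "6.4.10"),
    ("fw-lab", "FortiGate-VM", "7.0.5"),
]

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Note that the same version string gives different verdicts for the two product lines (6.4.10 is inside the FortiOS range but outside the FortiOS-6K7K range), so the product column of your inventory has to be accurate before the result means anything. A product the table does not know is reported separately rather than silently treated as safe.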

Sources

https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd

https://nvd.nist.gov/vuln/detail/CVE-2022-42475

https://vulcan.io/blog/how-to-fix-cve-2022-42475/

Overview

On January 11, 2023, Cisco published a security advisory for multiple vulnerabilities in the web-based management interface of some of its small business routers. These vulnerabilities (identified as CVE-2023-20025, CVE-2023-20026, and CVE-2023-20045) could allow authentication bypass and have been assigned a critical CVSS score of 9.0. They affect the following Cisco RV Series small business routers:

  • RV016 Multi-WAN VPN Routers
  • RV042 Dual WAN VPN Routers
  • RV042G Dual Gigabit WAN VPN Routers
  • RV082 Dual WAN VPN Routers

According to Cisco, a successful exploit could allow the attacker to bypass authentication and gain root access to the underlying operating system. Cisco has not released software updates to address the vulnerabilities and has stated that it does not intend to patch these flaws. Cisco lists no workarounds that address these vulnerabilities, so security teams should be on alert and watch these devices carefully. While not a Cisco-authorized workaround, disabling remote management and blocking access to ports 443 and 60443 prevents exploitation of the flaws. Cisco ended support for the RV082 and RV016 in 2021, and software maintenance ended for the RV042 and RV042G in the same year, but the hardware will be supported until 2025.

Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5

https://siliconangle.com/2023/01/11/cisco-warns-customers-critical-vulnerabilities-small-business-routers/

https://www.theregister.com/AMP/2023/01/13/cisco_smb_critical_router_flaw_no_fix/

Overview

Flipper Zero is a portable, multi-functional electronic pen-testing tool released in 2020. It combines hardware tools for hacking with custom, open-source software that aids in hacking or intercepting numerous wireless signals. The device is capable of cloning ID and access cards, radios, keyless entry systems, Internet of Things (IoT) sensors, garage doors, near-field communication (NFC) cards, and other wireless devices that communicate using short-range signals. The tool is being used by cybersecurity professionals, hackers, and criminals to compromise networks, and it has been seen in the wild during active attacks.

Sources

https://docs.flipperzero.one/

https://www.zdnet.com/article/flipper-zero-geeky-toy-or-serious-security-tool/

https://www.bleepingcomputer.com/news/security/ongoing-flipper-zero-phishing-attacks-target-infosec-community/

https://www.infosecurity-magazine.com/news/phishing-campaign-uses-flipper-zero/

https://www.wired.com/story/what-is-flipper-zero-tiktok/

Overview

Bleeping Computer and other sources reported that a previously unidentified Linux malware has been exploiting vulnerabilities in numerous outdated WordPress plugins and themes by inserting malicious JavaScript. According to a report by antivirus vendor Dr. Web, this malware targets 32-bit and 64-bit Linux systems and grants its operator remote command capabilities. The trojan uses a set of hardcoded exploits that run continuously until one of them succeeds. To defend against this threat, WordPress website admins should update to the latest available versions of the plugins and themes active on their site and replace those that are no longer developed or supported with reputable alternatives.

Sources

https://linuxsecurity.com/news/hackscracks/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites#:~:text=A%20previously%20unknown%20Linux%20malware,its%20operator%20remote%20command%20capabilities

https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/

Overview

In September of 2022, GTSC reported a critical infrastructure attack that took place in August of 2022. The investigation revealed that the threat actor used two zero-day vulnerabilities in Microsoft Exchange Server in the attack. The vulnerabilities were later identified as CVE-2022-41040 and CVE-2022-41082. The exploitation of these two vulnerabilities was used to create a backdoor on a vulnerable server and perform lateral movement.

The discovery of CVE-2022-41040 and CVE-2022-41082, dubbed by the cybersecurity community as ProxyNotShell, led Microsoft to release two patches to cover the vulnerabilities.

Blackpoint Cyber notified its partners that it is actively monitoring the CVE-2022-41080 and CVE-2022-41082 vulnerabilities, which are exploited in tandem to bypass the previous Microsoft Exchange ProxyNotShell (CVE-2022-41040) mitigations and allow unauthorized access to internal resources. Previously, the mitigation step issued by GTSC was to apply the temporary containment measures. However, this new attack chain can bypass the recommended URL request blocking mitigations, making it critical to ensure servers are patched.

To mitigate this risk, organizations are advised to patch systems using Microsoft’s November 2022 patch releases, which cover all three vulnerabilities.

Sources

Overview

LastPass updated its security incident notice to provide new details about the data breach it has been investigating since November 2022. The update revealed that the threat actor targeted an employee using information obtained from a data breach that occurred in August 2022. Using credentials and keys obtained from the employee, the threat actor decrypted storage volumes within LastPass’s cloud-based storage service. The storage volumes contained basic customer account information and related metadata. While the threat actor was able to copy a backup of customer vault data containing both encrypted and unencrypted data, the encrypted data can only be decrypted with a unique encryption key derived from a user’s master password. It is believed to be extremely unlikely that the threat actor will successfully crack the master password due to computational limitations, provided users followed the recommended password requirements given by LastPass.

In response to the LastPass update, Arctic Wolf issued the following recommendations:

Recommendation #1: Delete Existing SAML Integration

If you received an email from LastPass stating that your organization leverages an impacted API-based integration, we strongly recommend following LastPass’ recommendation to delete existing SAML integrations. To view your existing SAML integrations and delete them, follow this support guide provided by LastPass: https://support.lastpass.com/help/how-do-i-delete-an-existing-saml-integration

Recommendation #2: Provide User Awareness Training

Provide tailored user awareness training to all employees around the LastPass data breach. Ensure users know how to identify a phishing email and where to report it. Furthermore, provide examples of what users could expect and remind users to remain vigilant when receiving an email from an unknown or external source.

Recommendation #3: Consider Resetting Master Password

If a user’s master password is reused or does not meet the minimum password requirements provided by LastPass, reset the user’s master password to prevent potential future impacts if the master password is brute forced or leaked in a credential list.


Sources

Overview

The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) amended the Protected Critical Infrastructure Information (PCII) Program regulation with non-substantive, technical edits. The goals of these changes are to improve and modernize aspects of the PCII Program and to help critical infrastructure owners/operators, state and local governments, and other important stakeholders more effectively use the PCII Program.

Sources

https://www.cisa.gov/blog/2022/12/21/cisa-publishes-technical-rule-update-protected-critical-infrastructure-information

Overview

Eufy, a security camera brand produced by Anker, has been flagged for sending footage to the cloud after claiming that recorded data is stored only on the physical device itself. In order to notify users of new footage, a thumbnail is sent through the cloud which includes images of faces, used for facial recognition, and other data. There is an option to turn off this functionality, but users still found data saved this way without their consent. Even when the option is toggled off, the thumbnail data remains accessible through the server. Eufy commented on the incident, stating that the data is never public and that viewing it requires a URL along with the correct credentials and a time-sensitive link. The only fix so far is an update to the language of the terms given to customers and owners of the cameras.

Sources

https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/

https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage

Overview

Microsoft completed its investigation regarding the Microsoft Windows Hardware Developer Program-certified drivers that were being used maliciously in post-exploitation activity. The investigation, which was launched in late October of 2022, determined that the activity was limited in nature and no compromise was identified. To protect customers from the threat, Microsoft released Windows Security Updates to revoke the certificate for impacted files, suspended the partners’ seller accounts, and deployed blocking detections (Microsoft Defender 1.377.987.0 and newer).

Source

https://msrc.microsoft.com/update-guide/vulnerability/ADV220005