Login
apple-1200
pipe-1200
apple-1200
ruby-1200
Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that’s seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.
Three of the bugs tackled this month earned Microsoft’s most dire “critical” label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows.
Dubbed “Follina,” the flaw became public knowledge on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using a feature in Word to retrieve a HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.
“What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack,” writes Mayuresh Dani, manager of threat research at Qualys. “Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.”
Kevin Beaumont, the researcher who gave Follina its name, penned a fairly damning account and timeline of Microsoft’s response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.
Beaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn’t a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it released recommendations on how to mitigate the threat from the vulnerability.
Microsoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. Orca Security said that back on January 4 it told Microsoft about a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.
In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.
“In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor,” wrote Orca’s Avi Shua. “Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”
Amit Yoran, CEO of Tenable and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.
“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”
Also in the critical and notable stack this month is CVE-2022-30136, which is a remote code execution flaw in the Windows Network File System (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.
“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0,” wrote Trend Micro’s Zero Day Initiative. “It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”
Beginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.
In February, security experts hailed Microsoft’s decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.
Macros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft’s plan, the new warnings provided no such way to enable the macros.
As Ars Technica veteran reporter Dan Goodin put it, “security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.”
But last week, Microsoft abruptly changed course. As first reported by BleepingComputer, Redmond said it would roll back the changes based on feedback from users.
“While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros,” Bleeping’s Sergiu Gatlan wrote.
Microsoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.
The zero-day Windows vulnerability already seeing active attacks is CVE-2022-22047, which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro’s Zero Day Initiative notes that while this bug is listed as being under active attack, there’s no information from Microsoft on where or how widely it is being exploited.
“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” ZDI’s Dustin Childs wrote. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.”
Kevin Breen, director of cyber threat research at Immersive Labs, said CVE-2022-22047 is the kind of vulnerability that is typically seen abused after a target has already been compromised.
“Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM,” he said. “With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”
After a brief reprieve from patching serious security problems in the Windows Print Spooler service, we are back to business as usual. July’s patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226. Experts at security firm Tenable note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.
Roughly a third of the patches issued today involve weaknesses in Microsoft’s Azure Site Recovery offering. Other components seeing updates this month include Microsoft Defender for Endpoint; Microsoft Edge (Chromium-based); Office; Windows BitLocker; Windows Hyper-V; Skype for Business and Microsoft Lync; and Xbox.
Four of the flaws fixed this month address vulnerabilities Microsoft rates “critical,” meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. CVE-2022-22029 and CVE-2022-22039 affect Network File System (NFS) servers, and CVE-2022-22038 affects the Remote Procedure Call (RPC) runtime.
“Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later,” said Greg Wiseman, product manager at Rapid7. “CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.”
Separately, Adobe today issued patches to address at least 27 vulnerabilities across multiple products, including Acrobat and Reader, Photoshop, RoboHelp, and Adobe Character Animator.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Microsoft today released updates to fix a record 141 security vulnerabilities in its Windows operating systems and related software. Once again, Microsoft is patching a zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows. Redmond also addressed multiple flaws in Exchange Server — including one that was disclosed publicly prior to today — and it is urging organizations that use Exchange for email to update as soon as possible and to enable additional protections.
In June, Microsoft patched a vulnerability in MSDT dubbed “Follina” that had been used in active attacks for at least three months prior. This latest MSDT bug — CVE-2022-34713 — is a remote code execution flaw that requires convincing a target to open a booby-trapped file, such as an Office document. Microsoft this month also issued a different patch for another MSDT flaw, tagged as CVE-2022-35743.
The publicly disclosed Exchange flaw is CVE-2022-30134, which is an information disclosure weakness. Microsoft also released fixes for three other Exchange flaws that rated a “critical” label, meaning they could be exploited remotely to compromise the system and with no help from users. Microsoft says addressing some of the Exchange vulnerabilities fixed this month requires administrators to enable Windows Extended protection on Exchange Servers. See Microsoft’s blog post on the Exchange Server updates for more details.
“If your organization runs local exchange servers, this trio of CVEs warrant an urgent patch,” said Kevin Breen, director of cyber threat research for Immerse Labs. “Exchanges can be treasure troves of information, making them valuable targets for attackers. With CVE-2022-24477, for example, an attacker can gain initial access to a user’s host and could take over the mailboxes for all exchange users, sending and reading emails and documents. For attackers focused on Business Email Compromise this kind of vulnerability can be extremely damaging.”
The other two critical Exchange bugs are tracked as CVE-2022-24516 and CVE-2022-21980. It’s difficult to believe it’s only been a little more than a year since malicious hackers worldwide pounced in a bevy of zero-day Exchange vulnerabilities to remotely compromise the email systems for hundreds of thousands of organizations running Exchange Server locally for email. That lingering catastrophe is reminder enough that critical Exchange bugs deserve immediate attention.
The SANS Internet Storm Center‘s rundown on Patch Tuesday warns that a critical remote code execution bug in the Windows Point-to-Point Protocol (CVE-2022-30133) could become “wormable” — a threat capable of spreading across a network without any user interaction.
“Another critical vulnerability worth mentioning is an elevation of privilege affecting Active Directory Domain Services (CVE-2022-34691),” SANS wrote. “According to the advisory, ‘An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.’ A system is vulnerable only if Active Directory Certificate Services is running on the domain. The CVSS for this vulnerability is 8.8.”
Breen highlighted a set of four vulnerabilities in Visual Studio that earned Microsoft’s less-dire “important” rating but that nevertheless could be vitally important for the security of developer systems.
“Developers are empowered with access to API keys and deployment pipelines that, if compromised, could be significantly damaging to organizations,” he said. “So it’s no surprise they are often targeted by more advanced attackers. Patches for their tools should not be overlooked. We’re seeing a continued trend of supply-chain compromise too, making it vital that we ensure developers, and their tools, are kept up-to-date with the same rigor we apply to standard updates.”
Greg Wiseman, product manager at Rapid7, pointed to an interesting bug Microsoft patched in Windows Hello, the biometric authentication mechanism for Windows 10. Microsoft notes that the successful exploitation of the weakness requires physical access to the target device, but would allow an attacker to bypass a facial recognition check.
Wiseman said despite the record number of vulnerability fixes from Redmond this month, the numbers are slightly less dire.
“20 CVEs affect their Chromium-based Edge browser and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month),” Wiseman wrote. “As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.”
As it often does on Patch Tuesday, Adobe has also released security updates for many of its products, including Acrobat and Reader, Adobe Commerce and Magento Open Source. More details here.
Please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Explore the nature of vulnerabilities in this episode of ThreatWise TV.
It’s shaping up to be another big year for vulnerability disclosure. Already the number of Common Vulnerabilities and Exposures (CVEs) disclosed has crossed 18,000 and it’s on track to make this another record-breaking year.
With new CVEs being disclosed daily, it has become increasingly difficult for security teams to stay abreast of the latest risks, let alone quickly determine which ones apply to their network environment. From those, prioritizing which CVEs to patch first adds an additional wrinkle to the process.
If this wasn’t challenging enough, a curve ball that’s often lobbed at security teams are the “breaking news” vulnerabilities— vulnerabilities picked up by the security media, often with much fanfare. The stories surrounding these high-profile vulnerabilities generally carry an implied threat that the CVE in question will throw the doors wide open to attackers if not addressed immediately. What security team hasn’t had someone from the C-suite share an article they’ve read, asking “are we protected from this?”
On the surface, CVEs that appear severe enough to garner media attention do seem like a good place to start when addressing vulnerabilities in your environment. But vulnerabilities are complicated, and what a security researcher manages to do within a controlled environment doesn’t always translate into real-world attacks. In fact, most disclosed vulnerabilities never see active exploitation. And of those that do, not every vulnerability ends up becoming a tool in an attacker’s arsenal. Bad actors generally follow the path of least resistance when they compromise a network, relying on tested exploits long before trying something new and unproven.
This begs the question: how much overlap is there between the most talked about vulnerabilities and those that are widely used in attacks? Moreover, if media attention isn’t a reliable indicator, what else might predict if a vulnerability will be used in an attack?
To answer these questions, we used intelligence tools available from Cisco’s Kenna Security risk-based vulnerability management (RBVM) software. In particular, Kenna.VI+ consolidates a variety of vulnerability intelligence, where a CVE ID lookup can pull back a wealth of information. In addition to this, Kenna.VI+ includes an API that brings in an additional layer of external threat intelligence, enabling further analysis.
We started with a direct comparison of Successful Exploitations and Chatter Count from within Kenna.VI+. The former is a full count of confirmed exploits within the dataset, while the latter is a count of mentions in the news, social media, various forums, and the dark web.
Our first pass at the data included a comparison of the top 50 CVEs in both Successful Exploitations and Chatter Count. However, there were only two CVEs that overlapped. The data showed that many of the top exploited CVEs were old and predated the data in Chatter Count. We quickly decided that this wasn’t a fair comparison.
To get a better look at more relevant CVEs, we limited the dataset to a range of 10 years. Unfortunately, this did not do much to improve things—only three CVEs showed up in both lists.
A more effective approach was to look at CVEs that we know are actively being exploited. The Cybersecurity and Infrastructure Security Agency (CISA) happens to maintain such a list. The Known Exploited Vulnerabilities (KEV) catalog is considered an authoritative compilation of vulnerabilities identified as being actively exploited in the wild.
Running the KEV catalog though Kenna.VI+ resulted in six CVEs that appeared in the top 50 for both lists, with a single overlap in the top 10. This leads us to conclude that the vulnerabilities with the most discussion are not the same as those being actively exploited in the majority of cases.
| CVE | Brief description | |
| 1 | CVE-2017-9841 | PHPUnit vulnerability (used to target popular CMSes) |
| 2 | CVE-2021-44228 | Log4j vulnerability |
| 3 | CVE-2019-0703 | Windows SMB information disclosure vulnerability |
| 4 | CVE-2014-0160 | Heartbleed vulnerability |
| 5 | CVE-2017-9805 | REST plugin in Apache Struts vulnerability |
| 6 | CVE-2017-11882 | Microsoft Office memory corruption vulnerability |
| 7 | CVE-2017-5638 | Apache Struts vulnerability (used in Equifax breach) |
| 8 | CVE-2012-1823 | 10-year-old PHP vulnerability |
| 9 | CVE-2017-0144 | EternalBlue vulnerability |
| 10 | CVE-2018-11776 | Apache Struts RCE vulnerability |
| CVE | Brief description | |
| 1 | CVE-2021-26855 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 2 | CVE-2021-40444 | Microsoft MSHTML RCE vulnerability |
| 3 | CVE-2021-26084 | Confluence Server and Data Center vulnerability |
| 4 | CVE-2021-27065 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 5 | CVE-2021-34473 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 6 | CVE-2021-26858 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 7 | CVE-2021-44228 | Log4j vulnerability |
| 8 | CVE-2021-34527 | One of the PrintNightmare vulnerabilities |
| 9 | CVE-2021-41773 | Apache HTTP Server vulnerability |
| 10 | CVE-2021-31207 | One of the ProxyShell vulnerabilities |
Despite the lack of overlap, there are many well-known vulnerabilities at the top of both lists. Heartbleed and EternalBlue appear on the top 10 exploited list, while Hafnium, PrintNightmare, and ProxyShell make the top 10 most talked about CVEs.
The Log4j vulnerability is the only CVE that appears in both lists. This isn’t surprising considering the ubiquity of Log4j in modern software. It’s the second-most exploited vulnerability—far outpacing the CVEs directly below it. This, coupled with its appearance in the chatter list, puts it in a class of its own. In a brief period, it’s managed to outpace older CVEs that are arguably just as well known.
The CVE that recorded the most successful exploitations is a five-year-old vulnerability in PHPUnit. This is a popular unit-testing framework that’s used by many CMSes, such as Drupal, WordPress, MediaWiki, and Moodle.
Since many websites are built with these tools, this exploit can be a handy vector for gaining initial access to unpatched webservers. This also lines up with research we conducted last year, where this vulnerability was one of the most common Snort detections seen by Cisco Secure Firewall.
All four of the Microsoft Exchange Server vulnerabilities used in the Hafnium attacks appear in the most talked about list of CVEs. However, even when you add all four of these CVEs together, they still don’t come anywhere close to the counts seen in the top exploited CVEs.
If media attention is not a good predictor of use for exploitation, then what are the alternatives?
The Common Vulnerability Scoring System (CVSS) is a well-known framework for gauging the severity of vulnerabilities. We looked for CVEs from the KEV catalog that were ranked as “critical”—9.0 and above in the CVSSv3 specification. Examining the entire KEV catalog, 28% of the CVEs have a score of 9.0 or higher. Of the top 50 successfully exploited, 38% had such scores.
This is an improvement, but the CVSSv3 specification was released in 2015. Many CVEs in the KEV catalog predate this—19% of the entire catalog and 28% of the top 50—and have no score.
Using the previous CVSS specification does fill this gap—36% overall and 52% of the top 50 score 9.0 or higher. However, the older CVSS specification comes with its share of issues as well.
Another indicator worth exploring is remote control execution (RCE). A vulnerability with RCE grants an attacker the ability to access and control a vulnerable system from anywhere. It turns out that 45% of the CVEs in our dataset allow for RCE, and 66% of the top 50, making it the most worthwhile indicator analyzed.
Let’s summarize how we’ve honed our approach to determine if media attention and exploitation line up:
| Data set | Exploitation and Chatter lists | Number of CVEs |
| All CVEs | Appears in both top 50 | 2 |
| Appears in both top 50 (last 10 years) | 3 | |
| KEV Catalog | Appears in both top 50 | 6 |
| Appears in both top 10 | 1 |
And here’s a summary of our look at other indicators:
| KEV Catalog | Top 50 exploited | |
| CVSSv3 (9.0+) | 28% | 38% |
| CVSS (9.0+) | 36% | 52% |
| Allows for RCE | 45% | 66% |
All of this analysis provides a clear answer to our original question—the most regularly exploited CVEs aren’t the most talked about. Additional work highlights that monitoring variables like RCE can help with prioritization.
For illustrative purposes we’ve only looked at a few indicators that could be used to prioritize CVEs. While some did better than others, we don’t recommend relying on a single variable in making decisions about vulnerability management. Creating an approach that folds in multiple indicators is a far better strategy when it comes to real-world application of this data. And while our findings here speak to the larger picture, every network is different.
Regardless of which list they appear on, be it Successful Exploitations or Chatter Count, it’s important to point out that all these vulnerabilities are serious. Just because Hafnium has more talk than Heartbleed doesn’t make it any less dangerous if you have assets that are vulnerable to it. The fact is that while CVEs with more talk didn’t make the top of the exploitation list, they still managed to rack up tens of thousands of successful exploitations.
It’s important to know how to prioritize security updates, fixing those that expose you to the most risk as soon as possible. From our perspective, here are some basic elements in the Cisco Secure portfolio that can help.
Kenna Security, a pioneer in risk-based vulnerability management, relies on threat intel and prioritization to keep security and IT teams focused on risks. Using data science, Kenna processes and analyzes 18+ threat and exploit intelligence feeds, and 12.7+ billion managed vulnerabilities to give you an accurate view of your company’s risk. With our risk scoring and remediation intelligence, you get the info you need to make truly data-driven remediation decisions.
To responsibly protect a network, it’s important to monitor all assets that connect to it and ensure they’re kept up to date. Duo Device Trust can check the patch level of devices for you before they’re granted access to connect to corporate applications or sensitive data. You can even block access and enable self-remediation for devices that are found to be non-compliant.
How about remote workers? By leveraging the Network Visibility Module in Cisco Secure Client as a telemetry source, Cisco Secure Cloud Analytics can capture endpoint-specific user and device context to supply visibility into remote worker endpoint status. This can bolster an organization’s security posture by providing visibility on remote employees that are running software versions with vulnerabilities that need patching.
Lastly, for some “lateral thinking” about vulnerability management, take a look at this short video of one of our Advisory CISOs, Wolfgang Goerlich. Especially if you’re a fan of the music of the 1920s…
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability — CVE-2022-41082 — which allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.
Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.
“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”
GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.
In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server.
Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.
Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.
Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.
In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.
If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.
Microsoft today released updates to fix at least 85 security holes in its Windows operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. However, noticeably absent from this month’s Patch Tuesday are any updates to address a pair of zero-day flaws being exploited this past month in Microsoft Exchange Server.
The new zero-day flaw– CVE-2022-41033 — is an “elevation of privilege” bug in the Windows COM+ event service, which provides system notifications when users logon or logoff. Microsoft says the flaw is being actively exploited, and that it was reported by an anonymous individual.
“Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone’s list to quickly patch,” said Kevin Breen, director of cyber threat research at Immersive Labs. “This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit. Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimkatz and move laterally across the network.
Indeed, Satnam Narang, senior staff research engineer at Tenable, notes that almost half of the security flaws Microsoft patched this week are elevation of privilege bugs.
Some privilege escalation bugs can be particularly scary. One example is CVE-2022-37968, which affects organizations running Kubernetes clusters on Azure and earned a CVSS score of 10.0 — the most severe score possible.
Microsoft says that to exploit this vulnerability an attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. But that may not be such a tall order, says Breen, who notes that a number of free and commercial DNS discovery services now make it easy to find this information on potential targets.
Late last month, Microsoft acknowledged that attackers were exploiting two previously unknown vulnerabilities in Exchange Server. Paired together, the two flaws are known as “ProxyNotShell” and they can be chained to allow remote code execution on Exchange Server systems.
Microsoft said it was expediting work on official patches for the Exchange bugs, and it urged affected customers to enable certain settings to mitigate the threat from the attacks. However, those mitigation steps were soon shown to be ineffective, and Microsoft has been adjusting them on a daily basis nearly each day since then.
The lack of Exchange patches leaves a lot of Microsoft customers exposed. Security firm Rapid7 said that as of early September 2022 the company observed more than 190,000 potentially vulnerable instances of Exchange Server exposed to the Internet.
“While Microsoft confirmed the zero-days and issued guidance faster than they have in the past, there are still no patches nearly two weeks out from initial disclosure,” said Caitlin Condon, senior manager of vulnerability research at Rapid7. “Despite high hopes that today’s Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates. Microsoft’s recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix.”
Adobe also released security updates to fix 29 vulnerabilities across a variety of products, including Acrobat and Reader, ColdFusion, Commerce and Magento. Adobe said it is not aware of active attacks against any of these flaws.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
FreshRSS 