Security

Security

CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

Lara Seals Managing Editor, News, Dark Reading
August 24, 2022
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, with a CVSS severity score of 8.6), exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse the firewalls to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate.

Exploitation of the issue can help attackers to cover their tracks and location.

“The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target,” according to the Palo Alto Networks advisory issued earlier this month.

The bug arises thanks to a URL-filtering policy misconfiguration.

Instances that use a non-standard configuration are at risk; to be exploited, the firewall configuration “must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface,” the advisory read.
Exploited in the Wild

Two weeks since that disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it’s added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DoS floods.

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand.

“The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks,” he says. “Google’s recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification.”

Article ( https://www.darkreading.com/vulnerabilities-threats/cisa-palo-alto-firewall-bug-active-exploit)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

Apple security updates fix 2 zero-days used to hack iPhones, Macs

By Lawrence Abrams August 17, 2022 06:35 PM

Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.

Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited.

The two vulnerabilities are the same for all three operating systems, with the first tracked as CVE-2022-32894. This vulnerability is an out-of-bounds write vulnerability in the operating system’s Kernel.

The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.

An application, such as malware, can use this vulnerability to execute code with Kernel privileges. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it.

The second zero-day vulnerability is CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.

Apple says this flaw would allow an attacker to perform arbitrary code execution and, as it’s in the web engine, could likely be exploited remotely by visiting a maliciously crafted website.

The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both bugs.

The list of devices affected by both vulnerabilities are:

Macs running macOS Monterey
iPhone 6s and later
iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple disclosed active exploitation in the wild, however, it did not release any additional info regarding these attacks.

Likely, these zero-days were only used in targeted attacks, but it’s still strongly advised to install today’s security updates as soon as possible.
Seven zero-days patched by Apple this year

In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675) that could also be used to execute code with Kernel privileges.

In January, Apple patched two more actively exploited zero-days that enabled attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and the users’ identities in real-time (CVE-2022-22594).

In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs, leading to OS crashes and remote code execution on compromised devices after processing maliciously crafted web content.

 

Article (https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Windows Vulnerability Could Crack DC Server Credentials Open

Nathan Eddy Contributing Writer, Dark Reading August 16, 2022
Read the Article IMPORTANT
The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server’s certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July’s Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.
Proof of Concept Exploit for Remote Code Execution

The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.
Article (https://www.darkreading.com/remote-workforce/windows-vulnerability-could-crack-dc-server-credentials-open)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

US govt warns Americans of escalating SMS phishing attacks

By Sergiu Gatlan July 29, 2022 11:21 AM

The Federal Communications Commission (FCC) warned Americans of an increasing wave of SMS (Short Message Service) phishing attacks attempting to steal their personal information and money.

Such attacks are also known as smishing or robotexts (as the FCC calls them), and scammers behind them may use various lures to trick you into handing over confidential information.

“The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022,” the US communications watchdog’s Robocall Response Team said [PDF].

“In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June.”

False-but-believable smishing baits reported by American consumers to the FCC include claims about unpaid bills, package delivery issues, bank account problems, or law enforcement actions.

Some of the most devious and convincing lures used in text message phishing attacks are links redirecting the targets to landing pages impersonating bank websites and asking them to verify a purchase or unlock frozen credit cards.

FCC smishing signs
Phishing text messages can also be spoofed to make it appear that the sends is someone you’re more likely to trust, such as a government agency like the IRS or companies you may be familiar with.

While some attackers will attempt to steal payment details, others are not as picky and will be happy to steal any personal information they can get their hands on, use in subsequent scams, or sell to other malicious actors.

To defend against SMS phishing attacks, FCC recommends taking the following measures:

Do not respond to texts from unknown numbers or any others that appear suspicious.
Never share sensitive personal or financial information by text.
Be on the lookout for misspellings or texts that originate with an email address.
Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren’t hacked.
If a business sends you a text you weren’t expecting, look up their number online and call them back.
Remember that government agencies almost never initiate contact by phone or text.
Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or “SPAM”).
File a complaint with the FCC.

Article (https://www.bleepingcomputer.com/news/security/us-govt-warns-americans-of-escalating-sms-phishing-attacks/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Cyberspies use Google Chrome extension to steal emails undetected

Folks I have warned you stop using Chrome..Firefox with DuckDuckgo.com

By Sergiu Gatlan July 28, 2022
A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail.

The extension, dubbed SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.

The attackers install the malicious extension after compromising a target’s system using a custom VBS script by replacing the ‘Preferences’ and ‘Secure Preferences’ files with ones downloaded from the malware’s command-and-control server.

Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension.

“The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” Volexity said Thursday.

“Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system.”

As Volexity further revealed today, this latest campaign aligns with previous Kimsuky attacks as it also deploys the SHARPEXT “in targeted attacks on foreign policy, nuclear and other individuals of strategic interest” in the United States, Europe, and South Korea.

Article (https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

Microsoft 365 outage knocks down admin center in North America

By Sergiu Gatlan July 28, 2022 01:12 PM 0

Microsoft is investigating an ongoing incident impacting administrators in North America who report seeing blank pages and 404 errors when trying to access the Microsoft 365 admin center.

This outage could affect any admin in North America, as the company revealed on the Microsoft 365 Service health status page.

“The majority of affected admins report that a blank page renders when attempting to access the admin center, and no perceivable error message is presented,” Microsoft said.

“A limited number of admins report that a 404 error or ‘Loading chunk (number) failed’ is shown intermittently.”

Redmond is working on discovering the issue that triggered this incident and trying to find a potential fix to address its impact on North American admins.

“We’re reviewing networking data to determine the source of impact, as well as determining if a potential fix is available to remediate impact,” the company added.

We’ve received reports from some admins in North America that they’re unable to access the Microsoft 365 admin center. Additional information can be found at https://t.co/lbjX5hSWLp or under MO406459 in the Microsoft 365 admin center.
— Microsoft 365 Status (@MSFTExchange Online, Outlook365Status) July 28, 2022

Today’s incident follows a massive outage that hit multiple Microsoft 365 services with Teams integrations last week.

As the company revealed in a preliminary post-incident report, last week’s outage was triggered by a faulty Enterprise Configuration Service (ECS) deployment that triggered cascading failures and availability impact worldwide.

Exchange Online and Outlook were hit by a second outage that prevented customers from signing into their accounts and accessing and receiving emails.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-knocks-down-admin-center-in-north-america/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

Microsoft Teams outage also takes down Microsoft 365 services

By Sergiu Gatlan July 21, 2022
What initially started like a minor Microsoft Teams outage has also taken down multiple Microsoft 365 services with Teams integration, including Exchange Online, Windows 365, and Office Online.

“We’ve received reports of users being unable to access Microsoft Teams or leverage any features,” the company revealed on its official Microsoft 365 Status Twitter account more than 8 hours ago.

Two hours later, Redmond said the issue causing the connection problems was a recent deployment that featured a broken connection to an internal storage service.

However, Teams was not the only product impacted by the outage since users also began reporting failures to connect to various Microsoft 365 services.

Microsoft confirmed the issues saying that the subsequent Microsoft 365 outage only affected services that came with Teams integration.

“We’ve identified downstream impact to multiple Microsoft 365 services with Teams integration, such as Microsoft Word, Office Online and SharePoint Online,” Microsoft explained.
As the company further detailed on its Microsoft 365 Service health status page, affected customers experienced issues with one or more of the following services:

Microsoft Teams (Access, chat, and meetings)
Exchange Online (Delays sending mail)
Microsoft 365 Admin center (Inability to access)
Microsoft Word within multiple services (Inability to load)
Microsoft Forms (Inability to use via Teams)
Microsoft Graph API (Any service relying on this API may be affected)
Office Online (Microsoft Word access issues)
SharePoint Online (Microsoft Word access issues)
Project Online (Inability to access)
PowerPlatform and PowerAutomate (Inability to create an environment with a database)
Autopatches within Microsoft Managed Desktop
Yammer (Impact to Yammer experiments)
Windows 365 (Unable to provision Cloud PCs)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-outage-also-takes-down-microsoft-365-services/)

Microsoft investigates ongoing Exchange Online, Outlook outage

By Sergiu Gatlan July 18, 2022 10:26 AM
Microsoft is investigating an ongoing outage impacting Microsoft 365 services after customers have reported experiencing issues while trying to sign into, access, and receive emails on the outlook.com portal and via Exchange Online.

“We’re investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services,” Microsoft said in a tweet via the company’s official Twitter account for updates on Microsoft 365 services.

Admins were also told that they could find more information regarding these ongoing problems in the admin center under EX401976 and OL401977.

“We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why,” the company added.

While Redmond did not reveal the scale of the issue, thousands of reports have been submitted in the past 24 hours on DownDetector by Outlook and Exchange Online users who have either been unable or experienced difficulties when trying to log in or email.
Article

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

UPDATE 1-Amazon.com’s Ring gave police data without user consent 11 times in 2022

WASHINGTON, July 13 (Reuters) – Amazon.com’s Ring doorbell unit, which makes videos of the outside of an owner’s home, gave footage to law enforcement without the user’s consent 11 times so far this year, the company said.

Amazon said it provided the video under emergency circumstances. Senator Edward Markey, a lawmaker interested in privacy, on Wednesday released a letter from Amazon on the topic that was a response to his inquiry to the company.

“In each instance, Ring made a good-faith determination that there was an imminent danger of death or serious physical injury to a person requiring disclosure of information without delay,” wrote Brian Huseman, vice president of public policy for Amazon.

The company also said that it had 2,161 law enforcement agencies on its Neighbors Public Safety Service, which allows police and others to ask Ring owners for footage.

“Increasing law enforcement reliance on private surveillance creates a crisis of accountability,” Markey said in a statement.

Amazon’s Ring said in a statement that it followed the law.

“The law authorizes companies like Ring to provide information to government entities if the company believes that an emergency involving danger of death or serious physical injury to any person, such as a kidnapping or an attempted murder, requires disclosure without delay,” the company said in a statement.

In the letter, Huseman declined to specify when Ring technology can capture audio and how sensitive the audio recordings are. Users can easily disable audio.

He also declined to pledge to make end-to-end encryption the default for Ring data. End-to-end encryption is available although it would disable some features.

Markey said that he was concerned that Amazon and other tech companies would begin using biometric data in their systems and noted that he and others had introduced a bill aimed at restricting law enforcement access to such information. Hold Your Breath
(Reporting by Diane Bartz; Editing by Cynthia Osterman)

In closing you might want to remove SPYING DEVICES this is one of them

Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs

Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs
By Sergiu Gatlan July 12, 2022 01:02 PM

Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations starting with September 2021, using the gained access to victims’ mailboxes in follow-on business email compromise (BEC) attacks.

The threat actors used landing pages designed to hijack the Office 365 authentication process (even on accounts protected by multifactor authentication (MFA) by spoofing the Office online authentication page.

In some of the observed attacks, the potential victims were redirected to the landing pages from phishing emails using HTML attachments that acted as gatekeepers ensuring the targets were being sent via the HTML redirectors.

After stealing the targets’ credentials and their session cookies, the threat actors behind these attacks logged into the victims’ email accounts. They subsequently used their access in business email compromise (BRC) campaigns targeting other organizations.

“A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA),” the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) said.

“The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.”

Article (https://www.bleepingcomputer.com/news/security/microsoft-phishing-bypassed-mfa-in-attacks-against-10-000-orgs/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Barracuda is the play from a security standpoint