Threats

Apple security updates fix 2 zero-days used to hack iPhones, Macs

By Lawrence Abrams August 17, 2022 06:35 PM

Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.

Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited.

The two vulnerabilities are the same for all three operating systems, with the first tracked as CVE-2022-32894. This vulnerability is an out-of-bounds write vulnerability in the operating system’s Kernel.

The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.

An application, such as malware, can use this vulnerability to execute code with Kernel privileges. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it.

The second zero-day vulnerability is CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.

Apple says this flaw would allow an attacker to perform arbitrary code execution and, as it’s in the web engine, could likely be exploited remotely by visiting a maliciously crafted website.

The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both bugs.

The list of devices affected by both vulnerabilities is:

Macs running macOS Monterey
iPhone 6s and later
iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple disclosed active exploitation in the wild; however, it did not release any additional information regarding these attacks.

Likely, these zero-days were only used in targeted attacks, but it’s still strongly advised to install today’s security updates as soon as possible.

Seven zero-days patched by Apple this year

In March, Apple patched two more actively exploited zero-day bugs, in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675), that could also be used to execute code with Kernel privileges.

In January, Apple patched two more actively exploited zero-days that enabled attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and to track web browsing activity and users’ identities in real time (CVE-2022-22594).

In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs, leading to OS crashes and remote code execution on compromised devices after processing maliciously crafted web content.


Article (https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender, Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Windows Vulnerability Could Crack DC Server Credentials Open

Nathan Eddy, Contributing Writer, Dark Reading, August 16, 2022

The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server’s certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July’s Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.

Proof of Concept Exploit for Remote Code Execution

The vulnerability was found in SMB over QUIC, which carries SMB over the QUIC transport-layer protocol to communicate with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on the belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.

Article (https://www.darkreading.com/remote-workforce/windows-vulnerability-could-crack-dc-server-credentials-open)


Microsoft investigates ongoing Exchange Online, Outlook outage

By Sergiu Gatlan July 18, 2022 10:26 AM

Microsoft is investigating an ongoing outage impacting Microsoft 365 services after customers have reported experiencing issues while trying to sign into, access, and receive emails on the outlook.com portal and via Exchange Online.

“We’re investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services,” Microsoft said in a tweet via the company’s official Twitter account for updates on Microsoft 365 services.

Admins were also told that they could find more information regarding these ongoing problems in the admin center under EX401976 and OL401977.

“We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why,” the company added.

While Redmond did not reveal the scale of the issue, thousands of reports have been submitted in the past 24 hours on DownDetector by Outlook and Exchange Online users who have been unable, or have had difficulties, when trying to log in or send email.


Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs

By Sergiu Gatlan July 12, 2022 01:02 PM

Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations starting in September 2021, using the gained access to victims’ mailboxes in follow-on business email compromise (BEC) attacks.

The threat actors used landing pages designed to hijack the Office 365 authentication process (even on accounts protected by multifactor authentication (MFA)) by spoofing the Office online authentication page.

In some of the observed attacks, the potential victims were redirected to the landing pages from phishing emails using HTML attachments that acted as gatekeepers, ensuring the targets reached the phishing site only through the HTML redirectors.

After stealing the targets’ credentials and their session cookies, the threat actors behind these attacks logged into the victims’ email accounts. They subsequently used their access in business email compromise (BEC) campaigns targeting other organizations.

“A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA),” the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) said.

“The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.”

Article (https://www.bleepingcomputer.com/news/security/microsoft-phishing-bypassed-mfa-in-attacks-against-10-000-orgs/)


Barracuda is the play from a security standpoint

Google patches new Chrome zero-day flaw exploited in attacks

Attack details not revealed

The zero-day bug fixed today (tracked as CVE-2022-2294) is a high-severity heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component, reported by Jan Vojtesek of the Avast Threat Intelligence team on Friday, July 1.

The impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.

Although Google says this zero-day vulnerability was exploited in the wild, the company has yet to share technical details or any information regarding these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

With this delayed release of more info on the attacks, Chrome users should have enough time to update and prevent exploitation attempts until Google provides additional details.

Fourth Chrome zero-day fixed this year


Microsoft reveals cause behind this week’s Microsoft 365 outage

By Sergiu Gatlan June 22, 2022 07:23 AM

Microsoft has revealed that this week’s Microsoft 365 worldwide outage was caused by an infrastructure power outage that led to traffic management servicing failovers in multiple regions.

Starting on Monday, June 20, at 11:00 PM UTC, customers began experiencing and reporting several issues while trying to access and use Microsoft 365 services.

According to Microsoft, problems encountered during the incident included delays and failures when accessing some Microsoft 365 services.

Customer reports also shared info on continuous re-login requests, emails not getting delivered after being stuck in queues, and the inability to access Exchange Online mailboxes despite trying all available connection methods.

The affected services included the Microsoft Teams communication platform, the Exchange Online hosted email platform, SharePoint Online, Universal Print, and the Graph API.

Microsoft’s response while investigating the root cause behind the outage also brought to light some issues related to how the company fails to share new incident-related info with customers.

Even though Microsoft told customers they could find out more about this incident from the admin center under EX394347 and MO394389, user reports suggest that those incident tickets were not showing up, effectively keeping the customers in the dark.

This is the reason we will not sell O365. We do not want to support the product. MspPortal Partners has a relationship with RackSpace hosting email; we have a 99.9 uptime. Nothing is perfect, but we/RackSpace are far superior to O365.


CISA says beware and be alert with Google and Microsoft

Google

CISA Recommends Organizations Update to the Latest Version of Google Chrome
Google last week reported seven vulnerabilities in the browser, four of which it rated as high severity.
CISA: Flaws Allow Attackers to Take Control of Affected Systems

The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.

In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as presenting a high risk for organizations. The company said it had decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115).

Microsoft Releases June 2022 Security Updates
06/14/2022 02:53 PM EDT

Original release date: June 14, 2022

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s June 2022 Security Update Summary and Deployment Information and apply the necessary updates.


Technical Advisory: CVE-2022-30190 Zero-day Vulnerability “Follina” in Microsoft Support Diagnostic Tool

Quick Overview by Bitdefender

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190, a zero-day remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). The first detections in the wild indicate that this vulnerability is triggered remotely from Microsoft Office documents. 

This is a critical issue, as cybercriminals commonly use Office documents to infect victims with malicious content. This vulnerability (referred to as “Follina”) only requires users to open a single document; no further interaction is necessary before the system is compromised. In certain situations (an RTF document with the Explorer preview pane enabled), the end user doesn’t even need to open the document.

A CVE has been assigned by Microsoft, but there is no patch available as of May 31st, 2022. This is a critical issue, as it is not mitigated by disabling macros and Protected View offers only limited protection. 

It is important to note that this vulnerability is related to the Microsoft Support Diagnostic Tool (MSDT), not necessarily to Microsoft Office. Office has been used to weaponize this vulnerability in the wild, but it is not needed to trigger this vulnerability. There are also other methods to trigger this vulnerability. There are effectively two vulnerabilities: 1) Microsoft Office template injection trusting the MS-MSDT protocol and 2) the MS-MSDT protocol allowing malicious code execution.

All MspPortal Partners receive notices ASAP on security news


New Microsoft Zero-Day Attack Underway

Microsoft Releases Workaround Guidance for MSDT “Follina” Vulnerability
Original release date: May 31, 2022
“Follina” vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.

CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround.
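The workaround Microsoft published for CVE-2022-30190 was to back up and then delete the ms-msdt URL protocol handler key so that Office documents can no longer hand a crafted ms-msdt: link to MSDT. The following is an added PowerShell example, not taken from Microsoft’s or CISA’s guidance text; it wraps those two registry steps with a check that the backup succeeded before anything is deleted, and adds a restore function for use once the vendor patch is installed. The backup directory under ProgramData is an assumed location.

```powershell
# Added example (not part of the advisory): check for, back up, and remove the
# ms-msdt protocol handler, following Microsoft's published workaround for
# CVE-2022-30190. Run from an elevated PowerShell session.
$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = Join-Path $env:ProgramData 'msdt-workaround'   # assumed backup location
$Backup    = Join-Path $BackupDir ('ms-msdt-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Test-MsdtHandlerPresent {
    # The trigger path from Office to MSDT is live only while this key exists.
    return (Test-Path -LiteralPath $KeyPath)
}

function Invoke-MsdtWorkaround {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler not present; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 1 of Microsoft's guidance: export the key so it can be restored later.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
        throw 'Backup of the ms-msdt key failed; refusing to delete it.'
    }

    # Step 2: delete the handler so ms-msdt: URIs no longer launch MSDT.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deletion of the ms-msdt key failed.' }

    Write-Output "ms-msdt handler removed; backup saved to $Backup"
}

function Undo-MsdtWorkaround {
    param([Parameter(Mandatory)][string]$BackupFile)
    # Restore the handler after the vendor patch is applied.
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restore of the ms-msdt key failed.' }
    Write-Output "ms-msdt handler restored from $BackupFile"
}

Invoke-MsdtWorkaround
```

Re-run Test-MsdtHandlerPresent afterwards to confirm the key is gone; it should return False until the backup is imported again.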


New Chaos Malware Variant Ditches Wiper for Encryption

Tara Seals
Managing Editor, News, Dark Reading


The Chaos malware-builder, which emerged as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That’s according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.

Inside the Chaos

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read_it.txt.”

“This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note,” according to BlackBerry’s analysis. “In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat.”

Over time, the malware has added more sophisticated capabilities, such as the ability to:

  • Delete shadow copies
  • Delete backup catalogs
  • Disable Windows recovery mode
  • Change the victim’s desktop wallpaper
  • Customizable file-extension lists
  • Better encryption compatibility
  • Run on startup
  • Drop the malware as a different process
  • Sleep prior to execution
  • Disrupt recovery systems
  • Propagate the malware over network connections
  • Choose a custom encryption file-extension
  • Disable the Windows Task Manager