CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

Lara Seals Managing Editor, News, Dark Reading
August 24, 2022
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, with a CVSS severity score of 8.6), exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse the firewalls to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate.

Exploitation of the issue can help attackers to cover their tracks and location.

“The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target,” according to the Palo Alto Networks advisory issued earlier this month.

The bug arises thanks to a URL-filtering policy misconfiguration.

Instances that use a non-standard configuration are at risk; to be exploited, the firewall configuration “must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface,” the advisory read.
Exploited in the Wild

Two weeks since that disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it’s added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DoS floods.

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand.

“The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks,” he says. “Google’s recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification.”

Article ( https://www.darkreading.com/vulnerabilities-threats/cisa-palo-alto-firewall-bug-active-exploit)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

Apple security updates fix 2 zero-days used to hack iPhones, Macs

By Lawrence Abrams August 17, 2022 06:35 PM

Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.

Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited.

The two vulnerabilities are the same for all three operating systems, with the first tracked as CVE-2022-32894. This vulnerability is an out-of-bounds write vulnerability in the operating system’s Kernel.

The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.

An application, such as malware, can use this vulnerability to execute code with Kernel privileges. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it.

The second zero-day vulnerability is CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.

Apple says this flaw would allow an attacker to perform arbitrary code execution and, as it’s in the web engine, could likely be exploited remotely by visiting a maliciously crafted website.

The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both bugs.

The list of devices affected by both vulnerabilities are:

Macs running macOS Monterey
iPhone 6s and later
iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple disclosed active exploitation in the wild, however, it did not release any additional info regarding these attacks.

Likely, these zero-days were only used in targeted attacks, but it’s still strongly advised to install today’s security updates as soon as possible.
Seven zero-days patched by Apple this year

In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675) that could also be used to execute code with Kernel privileges.

In January, Apple patched two more actively exploited zero-days that enabled attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and the users’ identities in real-time (CVE-2022-22594).

In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs, leading to OS crashes and remote code execution on compromised devices after processing maliciously crafted web content.

 

Article (https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Windows Vulnerability Could Crack DC Server Credentials Open

Nathan Eddy Contributing Writer, Dark Reading August 16, 2022
Read the Article IMPORTANT
The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server’s certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July’s Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.
Proof of Concept Exploit for Remote Code Execution

The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.
Article (https://www.darkreading.com/remote-workforce/windows-vulnerability-could-crack-dc-server-credentials-open)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

US govt warns Americans of escalating SMS phishing attacks

By Sergiu Gatlan July 29, 2022 11:21 AM

The Federal Communications Commission (FCC) warned Americans of an increasing wave of SMS (Short Message Service) phishing attacks attempting to steal their personal information and money.

Such attacks are also known as smishing or robotexts (as the FCC calls them), and scammers behind them may use various lures to trick you into handing over confidential information.

“The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022,” the US communications watchdog’s Robocall Response Team said [PDF].

“In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June.”

False-but-believable smishing baits reported by American consumers to the FCC include claims about unpaid bills, package delivery issues, bank account problems, or law enforcement actions.

Some of the most devious and convincing lures used in text message phishing attacks are links redirecting the targets to landing pages impersonating bank websites and asking them to verify a purchase or unlock frozen credit cards.

FCC smishing signs
Phishing text messages can also be spoofed to make it appear that the sends is someone you’re more likely to trust, such as a government agency like the IRS or companies you may be familiar with.

While some attackers will attempt to steal payment details, others are not as picky and will be happy to steal any personal information they can get their hands on, use in subsequent scams, or sell to other malicious actors.

To defend against SMS phishing attacks, FCC recommends taking the following measures:

Do not respond to texts from unknown numbers or any others that appear suspicious.
Never share sensitive personal or financial information by text.
Be on the lookout for misspellings or texts that originate with an email address.
Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren’t hacked.
If a business sends you a text you weren’t expecting, look up their number online and call them back.
Remember that government agencies almost never initiate contact by phone or text.
Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or “SPAM”).
File a complaint with the FCC.

Article (https://www.bleepingcomputer.com/news/security/us-govt-warns-americans-of-escalating-sms-phishing-attacks/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Cyberspies use Google Chrome extension to steal emails undetected

Folks I have warned you stop using Chrome..Firefox with DuckDuckgo.com

By Sergiu Gatlan July 28, 2022
A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail.

The extension, dubbed SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.

The attackers install the malicious extension after compromising a target’s system using a custom VBS script by replacing the ‘Preferences’ and ‘Secure Preferences’ files with ones downloaded from the malware’s command-and-control server.

Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension.

“The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” Volexity said Thursday.

“Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system.”

As Volexity further revealed today, this latest campaign aligns with previous Kimsuky attacks as it also deploys the SHARPEXT “in targeted attacks on foreign policy, nuclear and other individuals of strategic interest” in the United States, Europe, and South Korea.

Article (https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

Microsoft 365 outage knocks down admin center in North America

By Sergiu Gatlan July 28, 2022 01:12 PM 0

Microsoft is investigating an ongoing incident impacting administrators in North America who report seeing blank pages and 404 errors when trying to access the Microsoft 365 admin center.

This outage could affect any admin in North America, as the company revealed on the Microsoft 365 Service health status page.

“The majority of affected admins report that a blank page renders when attempting to access the admin center, and no perceivable error message is presented,” Microsoft said.

“A limited number of admins report that a 404 error or ‘Loading chunk (number) failed’ is shown intermittently.”

Redmond is working on discovering the issue that triggered this incident and trying to find a potential fix to address its impact on North American admins.

“We’re reviewing networking data to determine the source of impact, as well as determining if a potential fix is available to remediate impact,” the company added.

We’ve received reports from some admins in North America that they’re unable to access the Microsoft 365 admin center. Additional information can be found at https://t.co/lbjX5hSWLp or under MO406459 in the Microsoft 365 admin center.
— Microsoft 365 Status (@MSFTExchange Online, Outlook365Status) July 28, 2022

Today’s incident follows a massive outage that hit multiple Microsoft 365 services with Teams integrations last week.

As the company revealed in a preliminary post-incident report, last week’s outage was triggered by a faulty Enterprise Configuration Service (ECS) deployment that triggered cascading failures and availability impact worldwide.

Exchange Online and Outlook were hit by a second outage that prevented customers from signing into their accounts and accessing and receiving emails.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-knocks-down-admin-center-in-north-america/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

For MspPortal Partners only

Starting August 3rd we will be  spinning up partner requests for 30 day trials of Bitdefender new additions of there XDR release.

probably the most comprehensive release ever. Security on steroids

If you wish to set up a trial please send me a email

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”

 

Microsoft Teams outage also takes down Microsoft 365 services

By Sergiu Gatlan July 21, 2022
What initially started like a minor Microsoft Teams outage has also taken down multiple Microsoft 365 services with Teams integration, including Exchange Online, Windows 365, and Office Online.

“We’ve received reports of users being unable to access Microsoft Teams or leverage any features,” the company revealed on its official Microsoft 365 Status Twitter account more than 8 hours ago.

Two hours later, Redmond said the issue causing the connection problems was a recent deployment that featured a broken connection to an internal storage service.

However, Teams was not the only product impacted by the outage since users also began reporting failures to connect to various Microsoft 365 services.

Microsoft confirmed the issues saying that the subsequent Microsoft 365 outage only affected services that came with Teams integration.

“We’ve identified downstream impact to multiple Microsoft 365 services with Teams integration, such as Microsoft Word, Office Online and SharePoint Online,” Microsoft explained.
As the company further detailed on its Microsoft 365 Service health status page, affected customers experienced issues with one or more of the following services:

Microsoft Teams (Access, chat, and meetings)
Exchange Online (Delays sending mail)
Microsoft 365 Admin center (Inability to access)
Microsoft Word within multiple services (Inability to load)
Microsoft Forms (Inability to use via Teams)
Microsoft Graph API (Any service relying on this API may be affected)
Office Online (Microsoft Word access issues)
SharePoint Online (Microsoft Word access issues)
Project Online (Inability to access)
PowerPlatform and PowerAutomate (Inability to create an environment with a database)
Autopatches within Microsoft Managed Desktop
Yammer (Impact to Yammer experiments)
Windows 365 (Unable to provision Cloud PCs)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-outage-also-takes-down-microsoft-365-services/)

Barracuda RMM 12 SP6 MR1 update to our cloud instances

Barracuda  will be releasing Barracuda RMM 12 SP6 MR1 to our cloud instances starting on July 29, 2022. This release includes several new features, including upgrading Firewall rules for users of Avast Antivirus and the ability to send an MFA code to a mobile device using SMS.

A maintenance window is required for this upgrade during which all services will be unavailable. Please plan accordingly using the schedule outlined below.
Barracuda Cloud Maintenance Window:

US07 Friday, July 29 from 0000 – 0200 UTC-0500 for MspPortal Partners

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Microsoft investigates ongoing Exchange Online, Outlook outage

By Sergiu Gatlan July 18, 2022 10:26 AM
Microsoft is investigating an ongoing outage impacting Microsoft 365 services after customers have reported experiencing issues while trying to sign into, access, and receive emails on the outlook.com portal and via Exchange Online.

“We’re investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services,” Microsoft said in a tweet via the company’s official Twitter account for updates on Microsoft 365 services.

Admins were also told that they could find more information regarding these ongoing problems in the admin center under EX401976 and OL401977.

“We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why,” the company added.

While Redmond did not reveal the scale of the issue, thousands of reports have been submitted in the past 24 hours on DownDetector by Outlook and Exchange Online users who have either been unable or experienced difficulties when trying to log in or email.
Article

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”