All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of February 14, 2022. I’ve also included some comments on these stories.
Microsoft Using New Security Rule to Prevent Windows Credential Theft
On February 13, Bleeping Computer reported that Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' (ASR) security rule to prevent malicious actors from stealing Windows credentials from the Local Security Authority Subsystem Service (LSASS). The rule blocks processes from dumping the memory of LSASS, even when the requesting process has administrative privileges. It builds on earlier Microsoft security features such as Credential Guard.
Andrew Swoboda | Senior Security Researcher at Tripwire
Windows will soon be able to block the ability to dump password hashes from the Local Security Authority Server Service (LSASS). This could impact Mimikatz's ability to dump hashes. This change would put the service in its own container and prevent other applications from accessing it. This would block an attacker’s ability to use these hashes to further compromise a network.
Adobe Addresses Critical Magento Open Source Vulnerability Exploited in the Wild
On February 14, Adobe rolled out updates for CVE-2022-24086, a critical-severity vulnerability affecting Magento Open Source. The flaw enabled threat actors with administrative privileges to execute arbitrary code on vulnerable machines, noted Security Affairs. It received a CVSS score of 9.8 out of 10.
Dylan D’Silva | Security Researcher at Tripwire
Some quick research here on the Adobe Magento e-Commerce Platform has it ranging anywhere from 9% to 12% of overall market share, making it a very popular platform for e-Commerce. Adobe has confirmed there are active exploits of this vulnerability in the wild, where an "improper input validation" could be exploited by threat actors with admin privileges to gain RCE. The CVE is classified as pre-authentication, meaning it can be exploited without credentials.
Affected products include:
- Adobe Commerce 2.4.3p1 and earlier versions
- Magento Open Source 2.4.3p1 and earlier versions
It's important to note that Adobe Commerce 2.3.3 and lower are not affected by this vuln.
Recommendation: Apply the proper Adobe-approved security updates.
Of note, researchers found that a large malware framework called MageCart has been implemented in the wild, affecting 500+ stores. This framework is intended to steal credit card information from compromised eCommerce sites.
Another interesting note of this attack is that it seems to combine a SQL Injection and PHP Object Injection to take over a Magento Store.
Tens of Billions of Brute Forcing and Phishing Attacks Blocked by Microsoft in 2021
At the beginning of February, Security Affairs shared the finding that malicious actors had targeted Office 365 and Azure AD customers with billions of brute forcing and phishing attacks in 2021. Microsoft documented 25.6 billion Azure AD brute force authentication attacks over the course of the year. The volume of phishing attacks targeting Office 365 users during that same period was slightly higher at 35.7 billion.
Dylan D’Silva | Security Researcher at Tripwire
Here is another reminder to be consistently vigilant when it comes to phishing campaigns and to have strong passwords paired with MFA or passwordless solutions.
The 25.6 billion brute-force authentication attacks detected against Azure AD (which breaks down to ~70 million attacks per day) and the 35.7 billion phishing emails captured by Microsoft Defender for O365 (~97.8 million emails per day) are staggering numbers in my opinion. Remember, this is what Microsoft is reporting, not considering statistics from other companies.
What’s concerning is that Microsoft reports only 22% of their customers using Azure AD have implemented strong identity authentication measures as of December 2021.
In addition to the brute force and phishing attempts, Microsoft Defender for Endpoint blocked another 9.6 billion malware threats.
The main message here is to ensure you enable MFA and/or passwordless authentication to help shore up account protection.
Kali Linux 2022.1 Released with Plenty of New Features
Offensive Security has released Kali Linux 2022.1, the first new version of its Linux distribution for the year. The release comes with several new features, including the ability to connect to old SSH servers using legacy SSH protocols and ciphers, wrote Bleeping Computer on February 14. It also comes with tools added from Project Discovery.
Samantha Zeigler | Security Researcher at Tripwire
New tools being added to Kali Linux give cyber security professionals more versatility in their use of this operating system. Kali Linux is typically used for penetration testing, malware analysis, and other testing. The new ways to configure the OS to integrate with older SSH platforms increase the usability of the platform for security researchers, saving time and improving cybersecurity as a whole.
Hotpatching Announced for Windows Server Azure VMs
Admins now have a new way of installing Windows security updates on their Server Azure virtual machines (VMs). As Bleeping Computer reported on February 17, Microsoft is rolling out the ability for admins to use hotpatching with these servers. This practice involves updating the in-memory code of running processes instead of requiring a reboot.
Andrew Swoboda | Senior Security Researcher at Tripwire
Windows Server Azure Edition core virtual machines are gaining the ability to hot patch. This would allow systems to remain available without rebooting the system. Hot patching should maintain parity with the mainstream operating system patches received from Windows update. However, if a patch is received via Windows Update, the system will need to restart to apply patches.
Patch Rolled out for High-Severity Vulnerability Affecting Cisco Secure Email
The same day that it reported on Microsoft's hotpatching feature, Bleeping Computer wrote how Cisco had patched a high-severity vulnerability tracked as CVE-2022-20653. The flaw affected a component that Cisco Secure Email uses to check incoming messages for spam and other threats. Attackers can exploit the vulnerability to produce a denial-of-service (DoS) condition on affected devices.
Andrew Swoboda | Senior Security Researcher at Tripwire
Improper DNS error handling caused Cisco Secure Email gateways to become unresponsive. A successful exploit can cause denial of service conditions when an appliance is configured to use DNS-based Authentication of Named Entities (DANE). This feature is not enabled by default; it has to be configured by an administrator. It appears that once the vulnerability is exploited, an attacker could cause a persistent DoS condition.
Malicious Actors Spent 70 Days Inside ICRC's Network
According to SecurityWeek, malicious actors infiltrated the network of the International Committee of the Red Cross (ICRC) on November 9, 2021 by exploiting an authentication bypass flaw in Zoho’s ManageEngine ADSelfService Plus. Once inside the network, they used various tools to conceal their presence. These efforts helped the attackers remain undetected for 70 days, a dwell time that enabled them to steal some of the ICRC's data.
Dylan D’Silva | Security Researcher at Tripwire
This is another reminder that almost no entity is safe when it comes to breaches and data exposure. It's also a reminder of why strong Cybersecurity/IT policies around vulnerability and patch management are important.
In this case, the International Red Cross suffered a breach in which malicious actors exfiltrated sensitive data for 70 days before the attack was discovered, affecting 500K+ people. The attackers gained access by exploiting a critical-severity authentication bypass flaw in their deployed web-based, end-user password reset management platform (Zoho’s ManageEngine ADSelfService Plus). Exploited via a Metasploit Module, it leverages a REST API authentication bypass vulnerability to upload a JAR and execute it as the user running the program.
Digging further, the good news is that Zoho has provided guidance on how to remediate the flaw, and it provides a full exploit analysis. (See: https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html. Note that builds up to 6113 are affected).
Focusing back to the impact on the Red Cross, the attackers posed as legitimate users and hid their presence to steal sensitive data. What’s more, they discovered it was a targeted attack, as code was created and executed on specific Red Cross Servers.
One additional interesting piece to note is that while there has been no contact with the attackers and no ransom demand received, the Red Cross is willing to communicate with the attackers to highlight the need to respect humanitarian action.
Two additional thoughts:
- Any organization using the affected build versions of Zoho’s ManageEngine ADSelfService Plus needs to prioritize applying the recommended fix from Zoho.
- With Red Cross being a healthcare industry-adjacent organization, this incident highlights the need for all organizations, including those in healthcare, to prioritize protection of both PII (Personal Identifying Information) and PHI (Protected Health Information).
Top Brands Abused in Latest Wave of Trickbot Attacks
On February 16, the operators of Trickbot launched a new campaign in which they misused the brand reputations of 60 well-known organizations to target their customers. Many of the targeted brands were retailers, banks, and other financial institutions, wrote ZDNet. Cryptocurrency exchanges and tech firms featured in the attacks, as well.
Samantha Zeigler | Security Researcher at Tripwire
Trickbot aims to convince users to interact with their software in order to steal their passwords. They have code in place to steal input and saved passwords and to then send them to a remote server. Unfortunately, the prevalence of malware is not likely to decline anytime soon, so be vigilant about sites you interact with and change passwords any time you think you may have been compromised.
Microsoft Teams Chats Misused by Attackers to Spread Malware
Beginning in January, researchers observed malicious actors inserting an executable called "User Centric" into the chats of compromised Microsoft Teams accounts. If executed, the malware writes data to the system registry, installs a DLL, and establishes persistence. Bleeping Computer explained on February 17 how those responsible for the malware attacks had likely used phishing or similar techniques to access the Teams accounts.
Andrew Swoboda | Senior Security Researcher at Tripwire
Teams is being used to spread malicious files that take control of users’ systems. People tend to trust others that use the same collaboration software. This trust allows malicious files to spread and allows these malicious actors to gain access to more systems. Initial access to Teams seems to come from stolen credentials or another phishing campaign.
New Tool Can Reverse Pixelation to Reveal Original Text
A security researcher developed an open-source tool that allowed them to retrieve pixelated text in its original form. Dubbed "Unredacter," this tool potentially allows digital attackers to recover information pixelated by journalists and content creators. In response, the security researcher is urging people to "use black bars covering the whole text. Never use anything else. No pixelation, no blurring, no fuzzing, no swirling," as quoted by The Hacker News.
Andrew Swoboda | Senior Security Researcher at Tripwire
Redacting information should not use pixelation but solid-colored boxes. Pixelation leaves room for people to reconstruct the data and use the redacted information. It is best to cover sensitive information with solid colors and remove the chance of recovering sensitive information.
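To make the point above concrete, here is an added Python example (it is not part of the original post and has nothing to do with the Unredacter tool's code). It renders short strings from a constructed 3x5 toy glyph set, then "redacts" the bitmap two ways: block pixelation, which replaces each tile with its mean intensity, and a solid fill. If two different original strings still produce different redacted images, the redaction is carrying information about the text; a solid box collapses every candidate to the same image. The glyph set, strings and block size are all constructed for the demonstration.

```python
"""Added example: measuring whether a redaction method leaks information.

0.0 is black ink, 1.0 is white paper. The glyphs below are a constructed toy
font, not a real typeface; the principle does not depend on the font.
"""
from typing import Callable, List

Bitmap = List[List[float]]

# Constructed 3-wide, 5-tall 1-bit glyphs ("1" = ink).
GLYPHS = {
    "A": ["010", "101", "111", "101", "101"],
    "B": ["110", "101", "110", "101", "110"],
    "C": ["111", "100", "100", "100", "111"],
    "D": ["110", "101", "101", "101", "110"],
}


def render(text: str) -> Bitmap:
    """Render text into a grayscale bitmap with a 1-pixel gap after each glyph."""
    rows: Bitmap = []
    for r in range(5):
        row: List[float] = []
        for ch in text:
            row.extend(0.0 if bit == "1" else 1.0 for bit in GLYPHS[ch][r])
            row.append(1.0)  # gap column
        rows.append(row)
    return rows


def pixelate(img: Bitmap, block: int) -> Bitmap:
    """Replace every block x block tile with the tile's mean intensity.

    This is what image editors do when they 'mosaic' a region: the output still
    encodes the amount and rough position of ink in every tile.
    """
    h, w = len(img), len(img[0])
    out = [[0.0] * w for _ in range(h)]
    for y0 in range(0, h, block):
        for x0 in range(0, w, block):
            ys = range(y0, min(y0 + block, h))
            xs = range(x0, min(x0 + block, w))
            tile = [img[y][x] for y in ys for x in xs]
            mean = sum(tile) / len(tile)
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def solid_fill(img: Bitmap) -> Bitmap:
    """Cover the whole region with a solid black box of the same size."""
    return [[0.0] * len(row) for row in img]


def _key(img: Bitmap):
    """Hashable form of a bitmap so outputs can be compared and counted."""
    return tuple(tuple(round(v, 6) for v in row) for row in img)


def leaks(redact: Callable[[Bitmap], Bitmap], a: str, b: str) -> bool:
    """True if redacting two different same-length strings gives distinguishable output."""
    return _key(redact(render(a))) != _key(redact(render(b)))


def distinct_outputs(redact: Callable[[Bitmap], Bitmap], candidates: List[str]) -> int:
    """How many of the candidate strings remain distinguishable after redaction.

    A sound redaction returns 1 for any list of same-length candidates: the
    output no longer depends on the input. Anything larger means the redacted
    image still narrows down what was underneath.
    """
    return len({_key(redact(render(c))) for c in candidates})


if __name__ == "__main__":
    candidates = ["ABCD", "DCBA", "BADC"]
    mosaic = lambda img: pixelate(img, 2)
    print("pixelation distinguishes", distinct_outputs(mosaic, candidates), "of", len(candidates))
    print("solid fill distinguishes", distinct_outputs(solid_fill, candidates), "of", len(candidates))
```

The check to carry over to real documents is the second function: if you can produce several plausible originals and the redacted region differs between them, the region is not redacted, whatever it looks like to the eye. Larger block sizes reduce the leak but do not remove it, because each tile still records its ink density.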
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.