Security Intelligence Feed Your home for the latest cyber security developments.

On 10 May 2022, Microsoft released updates to address 75 vulnerabilities; eight were classified as critical, three were publicly disclosed, and one of them is being exploited. We recommend applying the latest updates as soon as possible.

Exploited Vulnerability

Microsoft noted that threat actors are exploiting a publicly disclosed flaw tracked as CVE-2022-26925. This vulnerability affects Local Security Authority (LSA), a process in Microsoft Windows responsible for enforcing the security policy on the system. An unauthenticated threat actor could call a method on the LSA Remote Procedure Call (RPC) interface and force a domain controller to authenticate using Windows New Technology LAN Manager (NTLM).

Microsoft rated this flaw as “important” and assigned a CVSS risk score of 8.1 out f 10. However, when paired with an NTLM Relay Attack on Active Directory Certificate Services (AD CS), it could lead to Remote Code Execution (RCE); Microsoft assessed that the CVSS score would then increase to 9.8.

This vulnerability affects all servers, but domain controllers should be prioritized when applying security updates.

Critical Vulnerabilities

The most notable of the vulnerabilities that were labelled as critical include:

• CVE-2022-26937 – an RCE in Windows Network File System (NFS), a non-default Windows component. Unauthenticated threat actors could use it to execute code in the context of the service on systems running NFS versions prior to 4.1. CVSS: 9.8
• CVE-2022-22012 and CVE-2022-29130 are both RCE flaws in Windows Lightweight Directory Access Protocol (LDAP) requiring a non-default configuration. The MaxReceiveBuffer LDAP policy has to be set to a value higher than the default value in order for it to be exploitable. CVSS: 9.8
• CVE-2022-21972 and CVE-2022-23270 are both RCE vulnerabilities in a Point-to-Point Tunneling protocol affecting Windows OS and Server. Successful exploitation requires a malicious party to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS) server, which could lead to RCE on the RAS server machine. CVSS: 8.1
• CVE-2022-26923 is a privilege escalation vulnerability in the Active Directory (AD) Domain Server. An issue with certificate issuance could be exploited to authenticate to a domain controller with a high level of privilege. A domain-authenticated user able to include crafted data in a certificate request can become a domain admin if AD Certificate Services are running on the domain. CVSS: 8.8

Publicly Disclosed Vulnerabilities

Two of the vulnerabilities fixed this month have public details available, which increases the likelihood of them being leveraged by threat actors.

• CVE-2022-22713 is a Denial-of-Service vulnerability in Windows Hyper-V on Windows 10 on X64-based systems and Windows Server 2019. Hyper-V (Viridian) is a technology that allows users to create virtual computer environments. Microsoft rated the flaw as “Important” and assigned a CVSS risk score of 5.6. Exploitation requires prior authentication and manipulation with an unknown input.
• On 9 May, Microsoft released an advisory on a publicly disclosed vulnerability affecting Azure Data Factory and Azure Synapse Pipelines through a third-party Open Database Connectivity (ODBC) driver. The vulnerability, tracked as CVE-2022-29972, could allow remote commands across Integration Runtimes (IR) infrastructure – a compute infrastructure that provides data integration capabilities across network environments.
  • Threat actors could use the vulnerability to access and control other customers’ workspaces; this may include access to sensitive data, such as Azure service keys, API tokens, and passwords to other services. CVSS: 8.1.
  • Azure Data Factory or Azure Synapse pipeline customers hosted in the Azure cloud (Azure Integration Runtime) do not need to take any action. The same is true for those who host on-premises (Self-Hosted Integration Runtime) with auto-updates turned on. However, customers using Azure Data Factory with Self-hosted IRs (SHIRs) with no auto-update need to download the latest version (5.17.8154.2) from Microsoft’s Download Center.

Recommendations

We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.

Microsoft has reported authentication failures after installing the updates on servers used as domain controllers; testing should be conducted prior to patching. We recommend consulting the Known Issues and Microsoft Support Document referenced below prior to applying the updates.

In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.

References

Microsoft Updates

CVE-2022-26925

ADV210003

Known Issues

Microsoft Support Document

During March and April 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added two Windows Print Spooler vulnerabilities to its Known Exploited Vulnerabilities Catalog. We recommend applying the updates and mitigations for all affected systems immediately.

Details

Both Print Spooler vulnerabilities are high-severity and were released on 8 February 2022. The first, tracked as CVE-2022-21999 and known as “SpoolFool“, allows a threat actor to execute arbitrary code with SYSTEM privileges on a vulnerable system. The SpoolFool vulnerability can be used to trick the Print Spooler service to write an arbitrary file in a system folder by using symbolic links. This allows a threat actor to install programs; view, change, or delete data; or create new accounts with administrator rights. The vulnerability is rated with a Common Vulnerability Scoring System 3.1 (CVSS) rating of 7.8, and details on the vulnerability are

The second vulnerability, tracked as CVE-2022-22718, can be leveraged to achieve code execution as SYSTEM. It impacts all versions of Windows missing the February 2022 updates. Microsoft noted that threat actors can exploit it locally in low-complexity attacks without user interaction. The vulnerability is also rated with a CVSS rating of 7.8

Proof-of-concept (POC) exploit code has been published for both  CVE-2022-22718 and CVE-2022-21999.

Recommendations

We recommend applying Microsoft’s February security update, that addresses these vulnerabilities, as soon as possible.

To apply updates users should go to Settings > Windows Update > Check for Updates. A system restart will be required to complete the update.

References

CVE-2022-21999

CVE-2022-22718

POC for CVE-2022-22718

CISA Known Exploited Vulnerabilities Catalog

 

 

 

 

 

 

In late March 2022, open-source reporting indicated that threat actors have been targeting a critical vulnerability in Spring applications. We recommend following the mitigation steps below and immediately updating all vulnerable versions of these Spring products.

Details

On 31 March 2022, Spring released an update to fix a critical vulnerability in the Spring Core Java framework. The vulnerability is tracked as CVE-2022-22965 and is known as “SpringShell” or “Spring4Shell”. It is rated with a maximum Base CVSS Score of 10 and affects Spring MVC and Spring WebFlux applications running on Java 9 or greater. The flaw is however only exploitable under specific conditions.

Spring is both a framework and a library. Depending on how it is used, exploitation may require prior authentication to the application. In some non-default configurations of the Spring applications, a threat actor could obtain Remote Code Execution (RCE) by sending a specially crafted request to a vulnerable system. According to 31 March information, for a system to be vulnerable it must be internet-facing and meet the following conditions:

• Use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
• Use Java Development Kit (JDK) version 9 or higher
• Run Apache Tomcat as the Servlet container that is packaged as a traditional Web Archive (WAR) (versus a Spring Boot executable jar)
• Have a dependency on Spring Web MVC or Spring WebFlux

Late March 2022 reporting indicates that the application is not vulnerable if it is deployed in the default configuration, such as a Spring Boot executable jar. Researchers have published proof-of-concept code for exploiting this vulnerability, and reports have emerged that threat actors are scanning the internet to locate vulnerable hosts.

Field Effect Posture

Field Effect has completed an internal review and its products are not vulnerable to this issue. As the situation evolves, Covalence will continue to alert you to the presence of potentially impacted software in your environment. Our teams are working on applying the latest indicators of compromise and detecting any exploitation attempts to ensure our clients and partners are protected from this threat.

Recommendations

We strongly advise that you review the list of conditions provided above to determine if your systems are vulnerable.
We recommend following Spring’s advice and immediately updating the affected software to the latest release.
If you are unable to apply the updates immediately, follow Spring’s Mitigation Alternative advice.
We also recommend monitoring Field Effect Security Intelligence blog updates for any developments regarding the vulnerability.

References
Spring Blog
Mitigation Alternative
CCCS Advisory
CVE-2022-22965
POC

On 25 March 2022, Google released Chrome 99.0.4844.84 for Windows, Mac, and Linux to address a flaw that is being actively exploited by threat actors. We recommend updating to the latest browser version as soon as possible.

Details

The latest Chrome version fixes a high-severity vulnerability in Chrome V8 that is being leveraged by threat actors. V8 is an open-source JavaScript engine developed by the Chromium Project for Google Chrome and other Chromium-based web browsers, including Brave, Amazon Silk, Opera, Vivaldi and Microsoft Edge. V8 is also integrated into various independent projects; such as Couchbase database server, Node.js runtime environment, and Electron desktop application framework. This flaw was also fixed in Microsoft Edge and Brave, however other V8-based browsers may remain vulnerable.

The vulnerability, noted in CVE-2022-1096, received a high-severity rating. It is known as a type confusion weakness. A threat actor could leverage this flaw to perform out-of-bounds memory access, inject and execute arbitrary code.

Browser versions vulnerable to the aforementioned flaw could be exploited, hence increasing your network’s threat surface. The latest versions of Chrome, Edge and Brave are being released worldwide and can be deployed through automatic or manual updates.

Recommendations

We recommend that Windows, Mac, and Linux desktop users of Chrome and Chromium-based browsers manually upgrade now to the latest version by going to Settings -> Help -> About.
The web browser will then automatically check for the new update and install it if available.
We recommend notifying users of this risk and requesting that they restart their browser to ensure the needed security patches are applied.
If software is managed centrally within your organization, we recommend updating this software as soon as possible.

References

Chrome Update
Microsoft Edge Update
Brave Update

On 22 March 2022, identity and access management company Okta published a blog on a security incident affecting a third party provider. The company notified customers who may have been affected and informed them that no corrective actions are needed

Details

On 22 March 2022, Okta announced that they were investigating claims of a data breach by an extortion threat group known as LAPSUS$. The threat actors shared screenshots, taken on 21 January 2022, showing access to an Okta account. Okta reported that the screenshots are related to a late-January security incident, where threat actors obtained remote access to a support engineer’s computer at Sitel, a third-party customer support provider.

Okta stated that the actors had access to SuperUser, an internal management application, for a period of five days. The application is used by Sitel support engineers to perform basic management functions on Okta tenants. The actors attempted to use the account of the Sitel engineer to add a new Multi-factor Authentication (MFA) factor to his Okta account, but did not succeed.

According to the statement from Okta, SuperUser accounts are unable to perform high-privileged functions such as:

•  to create or delete users
•  to download customer databases
• to access Okta source code repositories

Based on the information available on 23 March 2022, Okta reported that “there is no evidence of ongoing malicious activity beyond the activity detected in January”, and no impact to Auth0, HIPAA, or FedRAMP customers. Okta is continuing its investigation, including identifying and contacting those customers that may have been impacted. Okta assessed that Sitel may have accessed the Okta tenant for a maximum of 366 of its customers.

Security Impact

Field Effect has completed an internal review and confirmed that Okta is not used within our environment. Our security team continues to monitor for any event developments and other compromises attributed to this threat actor group.

References

Okta Blog