Security Intelligence Feed
Your home for the latest cyber security developments.
Discover recent security findings from our team of expert analysts to better understand and stay ahead of the ever-changing threat landscape.
On 10 May 2022, Microsoft released updates to address 75 vulnerabilities; eight were classified as critical, three were publicly disclosed, and one is being actively exploited. We recommend applying the latest updates as soon as possible.
Exploited Vulnerability
Microsoft noted that threat actors are exploiting a publicly disclosed flaw tracked as CVE-2022-26925. This vulnerability affects the Local Security Authority (LSA), the Windows process responsible for enforcing the security policy on the system. An unauthenticated threat actor could call a method on the LSA Remote Procedure Call (LSARPC) interface and coerce a domain controller into authenticating to an attacker-controlled host using Windows New Technology LAN Manager (NTLM).
Microsoft rated this flaw as “important” and assigned it a CVSS score of 8.1 out of 10. However, when the coerced authentication is paired with an NTLM relay attack against Active Directory Certificate Services (AD CS), it can lead to Remote Code Execution (RCE); Microsoft assessed that the CVSS score would then increase to 9.8.
This vulnerability affects all supported Windows servers, but domain controllers should be prioritized when applying the security updates, since their machine accounts are the credentials being coerced and relayed.
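The attack chain above leaves a recognisable trace on the relay target: the domain controller's machine account performs an NTLM network logon from an address that is not the domain controller's own, because the credential arrives via the attacker's relay. The following detection logic is an added example and is not part of the original advisory or of Microsoft's guidance. The DC inventory and the Security event 4624 records are constructed, and the heuristic itself is an assumption that should be tuned per domain (for example, if some DCs legitimately use NTLM from secondary addresses).

```python
"""Flag NTLM network logons by a domain controller's machine account that do
not originate from that DC's own address. A coerced authentication
(CVE-2022-26925: LSARPC call -> DC authenticates with NTLM -> relay to AD CS)
leaves this trace on the relay target, because the DC's credential arrives
from the attacker's host rather than from the DC.

Added example, not from the advisory. The DC inventory and the 4624 records
below are constructed; the heuristic is an assumption to tune per domain."""

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional

# Assumed inventory of DC hostnames to their addresses (constructed). In a real
# deployment this would be pulled from AD rather than hard-coded.
DOMAIN_CONTROLLERS = {
    "DC01": {"10.0.0.10"},
    "DC02": {"10.0.0.11"},
}


@dataclass(frozen=True)
class LogonEvent:
    """The Security 4624 fields the check needs (others omitted)."""
    event_id: int
    logon_type: int       # 3 = network logon
    auth_package: str     # Authentication Package: Kerberos / NTLM / Negotiate
    lm_package: str       # Package Name (NTLM only): NTLM V1 / NTLM V2 / -
    account_name: str     # e.g. "DC01$"
    source_ip: str        # Source Network Address ("-" if not recorded)
    target_host: str      # host that wrote the event (e.g. the AD CS server)


def dc_name_of(account: str) -> Optional[str]:
    """Return the DC name for a machine account like 'DC01$', else None."""
    if not account.endswith("$"):
        return None
    name = account[:-1].upper()
    return name if name in DOMAIN_CONTROLLERS else None


def used_ntlm(ev: LogonEvent) -> bool:
    """NTLM logons show either an NTLM auth package or an NTLM package name."""
    return (ev.auth_package.upper() == "NTLM"
            or ev.lm_package.upper().startswith("NTLM"))


def is_coerced_dc_logon(ev: LogonEvent) -> bool:
    """Network logon, NTLM, DC machine account, and the source is not that DC.
    A missing or unparsable source address is treated as suspicious because
    the DC origin cannot be confirmed."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    dc = dc_name_of(ev.account_name)
    if dc is None or not used_ntlm(ev):
        return False
    try:
        src = str(ip_address(ev.source_ip))
    except ValueError:
        return True
    return src not in DOMAIN_CONTROLLERS[dc]


def find_coerced_dc_logons(events: Iterable[LogonEvent]) -> List[LogonEvent]:
    return [ev for ev in events if is_coerced_dc_logon(ev)]


# Constructed sample: one relay onto CA01 from 10.0.5.77, one with no source.
SAMPLE_EVENTS = [
    # DC01 itself talking to a member server over Kerberos: normal.
    LogonEvent(4624, 3, "Kerberos", "-", "DC01$", "10.0.0.10", "FS01"),
    # DC01's account over NTLM but from DC01's own address: not coerced.
    LogonEvent(4624, 3, "NTLM", "NTLM V2", "DC01$", "10.0.0.10", "FS01"),
    # DC01's account over NTLM arriving at the CA from a workstation subnet:
    # the shape of a relayed coerced authentication.
    LogonEvent(4624, 3, "NTLM", "NTLM V2", "DC01$", "10.0.5.77", "CA01"),
    # An ordinary workstation account over NTLM: not a DC, ignored.
    LogonEvent(4624, 3, "NTLM", "NTLM V2", "WS17$", "10.0.5.77", "CA01"),
    # DC02's account over NTLM with no source address recorded: cannot be
    # attributed to DC02, so flagged for review.
    LogonEvent(4624, 3, "Negotiate", "NTLM V1", "DC02$", "-", "CA01"),
    # Interactive logon type: out of scope for this check.
    LogonEvent(4624, 2, "NTLM", "NTLM V2", "DC01$", "10.0.5.77", "CA01"),
]

if __name__ == "__main__":
    for ev in find_coerced_dc_logons(SAMPLE_EVENTS):
        print(f"{ev.target_host}: {ev.account_name} via NTLM from {ev.source_ip}")
```

Run against the constructed events, the check flags the DC01$ logon arriving at CA01 from 10.0.5.77 and the DC02$ logon with no recorded source, and ignores the Kerberos logon, the NTLM logon from the DC's own address, the workstation account and the interactive logon. In production the same logic applies to 4624 events collected from AD CS servers and other likely relay targets, with the DC inventory fed from Active Directory rather than a literal.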
Critical Vulnerabilities
The most notable of the vulnerabilities that were labelled as critical include:
Publicly Disclosed Vulnerabilities
In addition to CVE-2022-26925, two of the vulnerabilities fixed this month have public details available, which increases the likelihood of them being leveraged by threat actors.
Recommendations
We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.
Microsoft has reported authentication failures after installing the updates on servers used as domain controllers; testing should be conducted prior to patching. We recommend consulting the Known Issues and Microsoft Support Document referenced below prior to applying the updates.
In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.
References
During March and April 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added two Windows Print Spooler vulnerabilities to its Known Exploited Vulnerabilities Catalog. We recommend applying the updates and mitigations for all affected systems immediately.
Details
Both Print Spooler vulnerabilities are high-severity and were addressed in the updates released on 8 February 2022. The first, tracked as CVE-2022-21999 and known as “SpoolFool”, allows a threat actor to execute arbitrary code with SYSTEM privileges on a vulnerable system. The SpoolFool vulnerability tricks the Print Spooler service into writing an arbitrary file to a system folder by using symbolic links. This allows a threat actor to install programs; view, change, or delete data; or create new accounts with administrator rights. The vulnerability is rated 7.8 under the Common Vulnerability Scoring System 3.1 (CVSS), and details on the vulnerability are
The second vulnerability, tracked as CVE-2022-22718, can also be leveraged to achieve code execution as SYSTEM. It impacts all versions of Windows missing the February 2022 updates. Microsoft noted that threat actors can exploit it locally in low-complexity attacks without user interaction. The vulnerability is likewise rated with a CVSS score of 7.8.
Proof-of-concept (POC) exploit code has been published for both CVE-2022-22718 and CVE-2022-21999.
Recommendations
We recommend applying Microsoft’s February security update, which addresses these vulnerabilities, as soon as possible.
To apply updates users should go to Settings > Windows Update > Check for Updates. A system restart will be required to complete the update.
References
CISA Known Exploited Vulnerabilities Catalog
In late March 2022, open-source reporting indicated that threat actors have been targeting a critical vulnerability in Spring applications. We recommend following the mitigation steps below and immediately updating all vulnerable versions of these Spring products.
Details
On 31 March 2022, Spring released an update to fix a critical vulnerability in the Spring Core Java framework. The vulnerability is tracked as CVE-2022-22965 and is known as “SpringShell” or “Spring4Shell”. It is rated with a maximum Base CVSS Score of 10 and affects Spring MVC and Spring WebFlux applications running on Java 9 or greater. The flaw is, however, only exploitable under specific conditions.
Spring is both a framework and a library. Depending on how it is used, exploitation may require prior authentication to the application. In some non-default configurations of Spring applications, a threat actor could obtain Remote Code Execution (RCE) by sending a specially crafted request to a vulnerable system. According to information available on 31 March, a system is exposed if it is internet-facing and meets the following conditions:
Late March 2022 reporting indicates that an application is not vulnerable if it is deployed in the default configuration, such as a Spring Boot executable JAR with embedded Tomcat. Researchers have published proof-of-concept code for exploiting this vulnerability, and reports have emerged that threat actors are scanning the internet to locate vulnerable hosts.
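The published proof-of-concept reaches the class loader through Spring's request-parameter data binding, using parameter names that start with the property path class.module.classLoader (the same path Spring's published workaround blocks with disallowed fields). Scanning for that pattern in web-server access logs is one way to spot the internet-wide probing mentioned above. The following scanner is an added example and is not part of the original advisory or of Spring's own code; the log lines are constructed, and the combined-log-format regular expression is an assumption about what the server writes.

```python
"""Scan web-server access-log lines for request parameters whose names walk
from a bound object to its ClassLoader ("class.module.classLoader..."), the
property path the public CVE-2022-22965 proof-of-concept abuses. Requests
that only mention the word in a parameter value are left alone.

Added example, not from the advisory. The log lines are constructed; the
combined-log-format regex is an assumption about what the server writes."""

import re
from typing import Dict, Iterable, List
from urllib.parse import unquote_plus

# Combined log format: client, identd, user, [time], "METHOD target HTTP/x", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter-name fragments that reach the ClassLoader through data binding.
# "class.module.classloader" is the JDK 9+ path used by the public PoC; the
# older "class.classloader" path (blocked since the CVE-2010-1622 fix) is
# included because scanners still try it.
SUSPICIOUS = ("class.module.classloader", "class.classloader")


def param_names(target: str) -> List[str]:
    """Decoded, lower-cased parameter names from 'path?query'. Decoding runs
    twice so a double-encoded probe (%252E for '.') is still recognised."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    names = []
    for pair in query.split("&"):
        raw = pair.split("=", 1)[0]
        names.append(unquote_plus(unquote_plus(raw)).lower())
    return names


def is_classloader_probe(target: str) -> bool:
    """True when any parameter name contains a ClassLoader traversal path."""
    return any(frag in name for name in param_names(target) for frag in SUSPICIOUS)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose request names the ClassLoader."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        if is_classloader_probe(m["target"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "target": m["target"], "status": m["status"]})
    return hits


# Constructed sample lines (not from a real server).
SAMPLE_LOG_LINES = [
    # Ordinary request.
    '10.0.5.77 - - [31/Mar/2022:14:02:11 +0000] "GET /app/greet?name=bob HTTP/1.1" 200 512',
    # PoC-style parameter that retargets the Tomcat access-log pattern.
    '10.0.5.77 - - [31/Mar/2022:14:02:13 +0000] "GET /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 512',
    # Same path with the dots percent-encoded.
    '203.0.113.9 - - [31/Mar/2022:14:03:40 +0000] "POST /app/greet?class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 512',
    # Double-encoded variant.
    '203.0.113.9 - - [31/Mar/2022:14:03:41 +0000] "GET /app/greet?class%252Emodule%252EclassLoader%252Eresources%252Econtext%252Eparent%252Epipeline%252Efirst%252Edirectory=webapps/ROOT HTTP/1.1" 400 0',
    # The word appears only in a value: not a binding probe.
    '198.51.100.4 - - [31/Mar/2022:14:04:02 +0000] "GET /app/search?q=classLoader HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG_LINES):
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
```

On the constructed lines the scanner reports the three probes (plain, percent-encoded and double-encoded) and ignores the request whose parameter value merely contains the word classLoader. Two caveats for real use: parameters sent in a POST body do not appear in access logs, so the same name check should also run over WAF or request-body logs, and a hit shows an attempt, not a successful exploit; the conditions listed above still determine whether the target was vulnerable.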
Field Effect Posture
Field Effect has completed an internal review and its products are not vulnerable to this issue. As the situation evolves, Covalence will continue to alert you to the presence of potentially impacted software in your environment. Our teams are working on applying the latest indicators of compromise and detecting any exploitation attempts to ensure our clients and partners are protected from this threat.
Recommendations
We strongly advise that you review the list of conditions provided above to determine if your systems are vulnerable.
We recommend following Spring’s advice and immediately updating the affected software to the latest release.
If you are unable to apply the updates immediately, follow Spring’s Mitigation Alternative advice.
We also recommend monitoring Field Effect Security Intelligence blog updates for any developments regarding the vulnerability.
References
Spring Blog
Mitigation Alternative
CCCS Advisory
CVE-2022-22965
POC
On 25 March 2022, Google released Chrome 99.0.4844.84 for Windows, Mac, and Linux to address a flaw that is being actively exploited by threat actors. We recommend updating to the latest browser version as soon as possible.
Details
The latest Chrome version fixes a high-severity vulnerability in V8 that is being leveraged by threat actors. V8 is an open-source JavaScript engine developed by the Chromium Project for Google Chrome and other Chromium-based web browsers, including Brave, Amazon Silk, Opera, Vivaldi and Microsoft Edge. V8 is also integrated into various independent projects, such as the Couchbase database server, the Node.js runtime environment, and the Electron desktop application framework. This flaw has also been fixed in Microsoft Edge and Brave; however, other V8-based browsers and applications may remain vulnerable until they ship a corresponding update.
The vulnerability, tracked as CVE-2022-1096, received a high-severity rating. It is a type confusion weakness in V8. A threat actor could leverage this flaw to perform out-of-bounds memory access and inject and execute arbitrary code in the context of the browser.
Browser versions vulnerable to this flaw can be exploited simply by visiting a malicious or compromised web page, increasing your network’s attack surface. The latest versions of Chrome, Edge and Brave are being released worldwide and can be deployed through automatic or manual updates.
Recommendations
We recommend that Windows, Mac, and Linux desktop users of Chrome and Chromium-based browsers manually upgrade now to the latest version by going to Settings -> Help -> About.
The web browser will then automatically check for the new update and install it if available.
We recommend notifying users of this risk and requesting that they restart their browser to ensure the needed security patches are applied.
If software is managed centrally within your organization, we recommend updating this software as soon as possible.
References
On 22 March 2022, identity and access management company Okta published a blog on a security incident affecting a third-party provider. The company notified customers who may have been affected and informed them that no corrective actions are needed.
Details
On 22 March 2022, Okta announced that they were investigating claims of a data breach by an extortion threat group known as LAPSUS$. The threat actors shared screenshots, taken on 21 January 2022, showing access to an Okta account. Okta reported that the screenshots are related to a late-January security incident, where threat actors obtained remote access to a support engineer’s computer at Sitel, a third-party customer support provider.
Okta stated that the actors had access to SuperUser, an internal management application, for a period of five days. The application is used by Sitel support engineers to perform basic management functions on Okta tenants. The actors attempted to use the account of the Sitel engineer to add a new Multi-factor Authentication (MFA) factor to the engineer’s Okta account, but did not succeed.
According to the statement from Okta, SuperUser accounts are unable to perform high-privileged functions such as:
Based on the information available on 23 March 2022, Okta reported that “there is no evidence of ongoing malicious activity beyond the activity detected in January”, and no impact to Auth0, HIPAA, or FedRAMP customers. Okta is continuing its investigation, including identifying and contacting those customers that may have been impacted. Okta assessed that Sitel may have accessed the Okta tenant for a maximum of 366 of its customers.
Security Impact
Field Effect has completed an internal review and confirmed that Okta is not used within our environment. Our security team continues to monitor for any event developments and other compromises attributed to this threat actor group.
References