The conflict in Eastern Europe has global implications, including for cyber security. The concepts of Advanced Persistent Threat (APT) and foreign threat actors have taken on a very real and current meaning and will continue to affect the world in various ways for years to come. From a purely cyber security perspective, the most important takeaway is to stay focused on the fundamentals of Information Security: follow Change Management, patch systems, run Security Training & Awareness, maintain a solid Passphrase (Password) policy, and implement two-factor authentication. If there was ever a day to start securing your network, today is that day.
Cyber Thursday is not dedicated solely to Microsoft Patch Tuesday; it also covers emerging threats. This Cyber Thursday edition highlights the Microsoft patches along with several other topics:
- Ukraine's CERT warning
- Conti (threat actor group)
- Supply Chain vulnerabilities impacting ATM, Medical, and IoT devices
- Azure AutoWarp
- Microsoft's Patch Tuesday fixes addressing Critical vulnerabilities
- Linux OS vulnerability (Dirty Pipe)
Ukraine's Computer Emergency Response Team (CERT-UA) has warned of new phishing attacks aimed at Ukraine and its European allies amid Russia's invasion of Ukraine. Various threat actor groups are running campaigns that send messages from compromised accounts containing links to attacker-controlled credential-harvesting pages. The conflict gives threat actors of every kind an opportunity to blend into the chaos and operate under its cover.
A ransomware group known as Conti has been exposed by a security researcher in Ukraine, who leaked several years of internal chat logs and sensitive data tied to the group. The leak came after Conti issued a 'warning' message that publicly backed Russia and threatened to retaliate against the critical infrastructure of any enemy. The leaked material includes how Conti dealt with its own internal breaches, how it abused commercial security services, and its ties to known affiliates (Ryuk, Wizard Spider, Maze, and Diavol) and other threat groups associated with Russia.
Emotet is known as a 'crimeware-as-a-service' platform. Emotet operators use a range of malicious document lures in phishing campaigns that affect victims in multiple sectors. These infections are particularly risky because security researchers have observed Cobalt Strike (a commercial adversary-simulation tool) beacons from infected hosts shortly after the initial compromise. Emotet also has a known relationship with Conti operatives, and Red Canary assesses that the Emotet-to-Cobalt Strike initial chain may point to Conti. Given the nature of the observed follow-on activity and the pervasiveness of this threat, Red Canary is closely tracking changes in Emotet tactics, techniques, and procedures (TTPs). In the future, our team at Cyber Advisors will break these emerging threat insights down further and explain how they may apply to your industry. For the time being, here is the source to Red Canary's Intelligence Insights. Come back next month for a breakdown of March 2022 adversary TTPs.
A set of vulnerabilities known as "Access:7", found in PTC's Axeda remote-access agent, has been dubbed a critical supply chain issue because the agent ships inside ATM, medical, and IoT (Internet of Things) products: more than 150 device models from more than 100 manufacturers are affected. Of the 100+ impacted device vendors, 55% belong to the healthcare sector, followed by IoT (24%), IT (8%), financial services (5%), and manufacturing (4%). No less than 54% of the customers with devices running the Axeda machine cloud platform have been identified as being in the healthcare sector. To mitigate the flaws and prevent possible exploitation, users are advised to upgrade to Axeda agent version 6.9.1 build 1046, 6.9.2 build 1049, or 6.9.3 build 1051.
Further details have emerged about a critical (now addressed) vulnerability in Microsoft Azure known as 'AutoWarp'. It permitted unauthorized access to other Azure customers' accounts, putting entities such as telecommunications providers, car manufacturers, banks, and accounting firms at risk. It affected all Azure Automation accounts with the 'Managed Identity' feature enabled.
Microsoft (MS) has released its monthly Patch Tuesday (March 2022) addressing 71 flaws, including three (3) publicly disclosed zero-day vulnerabilities. By category (the Edge/Chromium fixes are counted separately from the 71):
- 29 Remote Code Execution (RCE) Vulnerabilities
- 25 Elevation of Privilege Vulnerabilities
- 6 Information Disclosure Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 4 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
- 21 Edge - Chromium Vulnerabilities
Microsoft classifies a vulnerability as a zero-day if it was publicly disclosed or actively exploited 'in the wild' before an official fix was available. The three zero-days patched this month are:
- CVE-2022-21990 - Remote Desktop (RDP) Client Remote Code Execution Vulnerability
- CVE-2022-24459 - Windows Fax and Scan Service Elevation of Privilege Vulnerability
- CVE-2022-24512 - .NET and Visual Studio Remote Code Execution Vulnerability
Microsoft stated that proof-of-concept exploits exist for the Windows Fax and Scan Service and RDP client CVEs. Microsoft also flagged a Server Message Block version 3 (SMBv3) RCE and a Microsoft Exchange RCE as more likely to be exploited:
- CVE-2022-24508 - Windows SMBv3 Client/Server Remote Code Execution Vulnerability
- CVE-2022-23277 - Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Defender for Endpoint receives a fix for a spoofing vulnerability (CVE-2022-23278) that could let an attacker spoof information exchanged between the client and the service. This vulnerability affects Defender for Endpoint on all platforms, and the updates Microsoft has released should be deployed just like any other security update.
Adversaries continue to probe software for unpatched systems and use this attack vector to gain unauthorized access. Cyber Advisors strongly recommends a Patch Management program that includes, at minimum, quarterly internal and external vulnerability scanning to gain a better understanding of risk and exposure. Ransomware attack vectors take full advantage of these unpatched weaknesses, especially in third-party applications and outdated protocols.
Windows 10 and 11 Updates (KBs)
To wrap up our spotlight, a Linux vulnerability that allows an unprivileged local user to overwrite data in arbitrary read-only files has been assigned CVE-2022-0847 (known as 'Dirty Pipe'). Operating system bugs and application-level vulnerabilities like this one can allow attackers to elevate privileges, move laterally inside a network, execute code, and take over devices. The vulnerability affects Linux kernel 5.8 and later; it was fixed in 5.16.11, 5.15.25, and 5.10.102.
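As an added check (example code written for this post, not from any advisory or vendor), the script below classifies a kernel version string against the ranges quoted above. Beyond the three stable releases the text names, it assumes that mainline 5.17 and every later release carry the fix, which is the case upstream. The caveat a practitioner needs: distribution kernels backport fixes without bumping the version string, so a result of "vulnerable" is a prompt to check the vendor's advisory, not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Linux kernel version
# against the CVE-2022-0847 "Dirty Pipe" ranges quoted in the text.
#   Affected: 5.8 and later.
#   Fixed:    5.16.11, 5.15.25, 5.10.102 (from the text) and, by the assumption
#             stated in the lead-in, every mainline release from 5.17 onward.
# Prints exactly one of: not-affected, fixed, vulnerable, unknown.
#
# Caveat: distro kernels backport fixes without changing the version string
# (an Ubuntu "5.13.0-xx-generic" may already carry the fix), so treat
# "vulnerable" as "confirm against your vendor's advisory".

dirty_pipe_status() {
    # Keep only the leading numeric triple: "5.15.25-arch1-1" -> "5.15.25"
    base=$(printf '%s' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -s -d. -f2)
    patch=$(printf '%s' "$base" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}

    # Anything that does not start with a number cannot be classified
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    # Below 5.8: the vulnerable pipe-buffer flag handling is not present
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi

    # 5.17 and later (and 6.x): fix is in mainline (assumption, see lead-in)
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo fixed; return 0
    fi

    # 5.8 .. 5.16: only three stable branches received the upstream fix
    case $minor in
        10) fix=102 ;;
        15) fix=25 ;;
        16) fix=11 ;;
        *)  echo vulnerable; return 0 ;;   # EOL branches: no upstream fix
    esac
    if [ "$patch" -ge "$fix" ]; then echo fixed; else echo vulnerable; fi
}

# Usage: check the running kernel, or a version string passed as $1.
dirty_pipe_status "${1:-$(uname -r)}"
```

Run it as `sh dirty-pipe-check.sh` on each Linux host, or pass a version string collected from inventory (`sh dirty-pipe-check.sh 5.10.101`). Because of the backport caveat, treat the output as a triage signal and confirm with the distribution's changelog for the installed kernel package.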