Friday Squid Blogging: Strawberry Squid Video

Beautiful video shot off the California coast.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Karakurt data thieves linked to larger Conti hacking group

An analysis of the cryptocurrency wallets tied to the Karakurt hacker group, combined with their particular methodology for data theft, suggests that the group’s membership overlaps with two other prominent hacking crews, according to an analysis published by cybersecurity firm Tetra Defense.

Tetra’s report details the experience of a client company that was hit with a ransomware attack by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt group. The analysis showed that the Karakurt attack used precisely the same backdoor to compromise the client’s systems as the earlier Conti attack.

“Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure,” Tetra wrote in its report.

xen-4.14.5-1.fc34

FEDORA-2022-64b2c02d29

Packages in this update:

xen-4.14.5-1.fc34

Update description:

update to xen-4.14.5

Racy interactions between dirty vram tracking and paging log dirty hypercalls [XSA-397, CVE-2022-26356]
Race in VT-d domain ID cleanup [XSA-399, CVE-2022-26357]
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues [XSA-400, CVE-2022-26358, CVE-2022-26359, CVE-2022-26360, CVE-2022-26361]

Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809)

FortiGuard Labs is aware that Microsoft released a patch and advisory for a critical remote code execution vulnerability in the Remote Procedure Call Runtime Library as part of the April Patch Tuesday. Assigned CVE-2022-26809 and a CVSS score of 9.8, the vulnerability, when successfully exploited, allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise.

Why is this Significant?

This is significant because CVE-2022-26809 is rated by Microsoft as “critical” and “Exploitation More Likely”, both because it affects all supported Windows products and because of the trivial nature of the vulnerability. Because of the potential impact of the vulnerability, Microsoft released security updates for Windows 7, which reached end-of-life in January 2020. Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users and administrators to apply the patch or apply the recommended mitigations.

What is CVE-2022-26809?

CVE-2022-26809 is a critical remote code execution vulnerability in the Remote Procedure Call Runtime Library. The Microsoft advisory states “To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service,” which allows the attacker to take control of an affected system.

Is CVE-2022-26809 being Exploited in the Wild?

At the time of this writing, the vulnerability has not been reported or observed to be exploited in the wild.

Has Microsoft Released a Patch for CVE-2022-26809?

Yes, Microsoft released a patch on April 12th, 2022 as part of the April Patch Tuesday. Due to the potential impact of the vulnerability, Microsoft also released security updates for Windows 7, which is no longer supported.

What is the Status of Coverage?

FortiGuard Labs has released the following IPS signature in version 20.297:

MS.Windows.RPC.CVE-2022-26809.Remote.Code.Execution (default action is set to pass)

What Mitigation Steps are Available?

Microsoft has provided the following mitigation steps in the advisory:

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

1. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to secure SMB traffic

For the Microsoft guidelines on how to secure SMB traffic, see the Appendix for a link to “Secure SMB Traffic in Windows Server”.

python-ujson-5.2.0-1.fc36

FEDORA-2022-569b6b45e2

Packages in this update:

python-ujson-5.2.0-1.fc36

Update description:

Update to 5.2.0 (close RHBZ#2072241, fix CVE-2021-45958)

Added

Support parsing NaN, Infinity and -Infinity
Support dynamically linking against system double-conversion library
Add env var to control stripping debug info
Add JSONDecodeError

Fixed

Fix buffer overflows (CVE-2021-45958)
Upgrade Black to fix Click
simplify exception handling on integer overflow
Remove dead code that used to handle the separate int type in Python 2
Fix exceptions on encoding list or dict elements and non-overflow errors on int handling getting silenced

Bitdefender enters native XDR market with new offering

Cybersecurity software maker Bitdefender threw its hat into the extended detection and response (XDR) ring Thursday with a native offering it’s calling GravityZone XDR. The product is designed to get security teams up and running out of the box, with features that include:

Rapid, cross-correlation threat detection, which uses leading-edge mathematics and threat behavior models to detect advanced threats, initial attack stages, and anomalous application and identity behaviors

Automated threat identification and prioritization, which uses a built-in incident advisor for root cause and threat context analysis, allowing security teams of any size and skillset to view threat detections, understand a threat’s impact on operations, and take recommended actions to contain or eliminate threats—all from a single view

Recommended threat response actions that can be resolved across endpoints, identities, email, cloud, and applications, with a single click

Bitdefender also worked on making these features easy to use. “Security technology can seem overwhelming to a security analyst, let alone a layperson, so we built the user interface hand-in-hand with our customers through an early access program,” explains Bitdefender vice president for product and technical marketing Amy Blackshaw. “Customers partnered with us day in, day out, not just on capabilities and problems they were trying to solve, but on how they wanted to consume information from a UI and UX perspective. What that has led to is a very intuitive design.”

Why you should patch the latest critical Windows RPC vulnerability right now

Among the over 100 vulnerabilities fixed by Microsoft this week during its monthly patch cycle is one that has the security community very worried. It’s a critical remote code execution (RCE) vulnerability located in the Windows Remote Procedure Call (RPC) runtime.

The flaw, tracked as CVE-2022-26809, can be exploited over the network with no user interaction, possibly using multiple protocols as a trigger. It’s the kind of vulnerability that gave life to major botnets in the past as some Windows processes use RPC to communicate with each other over networks.

“Patching is your only real fix for this vulnerability,” Johannes Ullrich, founder of the SANS Internet Storm Center, said in an advisory. “Don’t delay it. Patch now and apply the entire April update. It fixes several other critical flaws that may have a similar impact inside your network (e.g., the NFS [Network File System] flaw). You can’t ‘turn off’ RPC on Windows if you are wondering. It will break stuff. RPC does more than SMB [Server Message Block].”

Email-Worm.Win32.Pluto.b / Insecure Permissions

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/60a7d5e2d446110d84ef65f6a37af0eb.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Email-Worm.Win32.Pluto.b
Vulnerability: Insecure Permissions
Description: The malware writes a dir and PE files with insecure
permissions to c drive granting change (C) permissions to the authenticated
user group. Standard users can rename the…