This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe InDesign. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
Daily Archives: June 15, 2022
ZDI-22-848: Adobe InDesign Font Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe InDesign. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
ZDI-22-849: Adobe InDesign Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe InDesign. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
ZDI-22-850: Adobe InDesign SVG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe InDesign. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
ZDI-22-851: Adobe InDesign Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe InDesign. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
ZDI-22-852: Adobe Animate SVG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Animate. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
Microsoft Patch Tuesday, June 2022 Edition
Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that’s seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.
Three of the bugs tackled this month earned Microsoft’s most dire “critical” label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows.
Dubbed “Follina,” the flaw became public knowledge on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using a feature in Word to retrieve a HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.
“What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack,” writes Mayuresh Dani, manager of threat research at Qualys. “Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.”
Kevin Beaumont, the researcher who gave Follina its name, penned a fairly damning account and timeline of Microsoft’s response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.
Beaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn’t a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it released recommendations on how to mitigate the threat from the vulnerability.
Microsoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. Orca Security said that back on January 4 it told Microsoft about a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.
In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.
“In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor,” wrote Orca’s Avi Shua. “Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”
Amit Yoran, CEO of Tenable and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.
“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”
Also in the critical and notable stack this month is CVE-2022-30136, which is a remote code execution flaw in the Windows Network File System (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.
“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0,” wrote Trend Micro’s Zero Day Initiative. “It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”
Beginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Syslogk: Linux Rootkit with Hidden Backdoor Payload
FortiGuard Labs is aware of a report that a new rootkit for Linux that appears to be still in development was discovered. Namaed “Syslogk”, the rootkit is based on Adore-Ng, an old open-source kernel rootkit for Linux. Syslogk is hides directories containing malicious files and does not load the hidden Rekoobe backdoor malware until specifically-crafted magic packets are received.Why is this Significant?This is significant because “Syslogk” is a Linux rootkit that is in development as such it may be used in real attacks in near future. The rootkit contains a new variant of Rekoobe backdoor that will be launched only upon receiving specifically crafted magic packets from the threat actor.What is Syslogk?Syslogk is a Linux rootkit that is reportedly based on an old open-source Linux kernel rootkit called “Adore-Ng”.Syslogk rootkit is installed as kernel modules in the affected system and intercepts legitimate Linux commands in order to hide its files, folders, or processes. It can hide directories containing the malicious files dropped on the compromised machine, hides processes and network traffic, and remotely starts or stop payloads on demand. The rootkit is also capable of inspecting all TCP traffic. The rootkit also loads hidden Rekoobe backdoor only when it receives specifically-crafted magic packets from the threat actor.What is Rekoobe?Rekoobe is a Linux backdoor that is reportedly based on TinySHell, an open-source Unix backdoor. Rekoobe refers to its Command-and Control (C2) server and performs malicious activities based on remote commands it receives.What is the Status of Coverage?FortiGuard Labs provides the following coverage against Syslogk rootkit:Linux/Rootkit_Agent.BY!trFortiGuard Labs provides the following coverage against Rekoobe backdoor:Linux/Rekoobe.BLinux/Rekoobe.B!trLinux/Rekoobe.B!tr.bdrLinux/Rekoobe.D!trLinux/Rekoobe.F!trLinux/Rekoobe.N!trLinux/Agnt.A!trLinux/Agent.B!trLinux/Agent.BX!tr.bdrLinux/Agent.DL!trLinux/Agent.JO!trLinux/Agent.LF!trW32/Rekoobe.F!trW32/Multi.MIBSUN!tr.bdrELF/Rosta.487B.fam!tr.bdrAdware/AgentAdware/RekoobePossibleThreat
Active Exploitation of Confluence vulnerability (CVE-2022-26134)
FortiGuard Labs is aware that an unauthenticated remote code execution vulnerability in Confluence (CVE-2022-26134) continues to be exploited to deploy malware in the field. Deployed malware reportedly includes Cerber2021 ransomware, Hezb, coinminers and Dark.IoT. The vulnerability was patched on June 3rd, 2022. Why is this Significant?This is significant because CVE-2022-26134 is a newly patched Confluence vulnerability that continues to be exploited in the field and various malware were deployed to the affected systems upon successful exploitation.What is CVE-2022-26134?CVE-2022-26134 is a critical vulnerability affects Confluence Server and Data Center which the latest patch has not yet been applied. The vulnerability relates to an Object-Graph Navigation Language (OGNL) injection that could allow an unauthenticated user to execute arbitrary code on the compromised system.Atlassian released a fix on June 3rd, 2022.FortiGuard Labs previously published a Threat Signal on the subject. See the Appendix for a link to “New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild”.What Malware were Deployed to the Compromised Servers?Malware such as Cerber2021 ransomware, Dark.IoT and coinminers such as Kinsing and XMRig miner are known to be deployed to the affected servers.What is the Status of Coverage?FortiGuard Labs detects the malicious samples that were known to be deployed through CVE-2022-21634 with the following AV signatures:W32/Filecoder.1104!tr.ransomELF/BitCoinMiner.HF!trELF/Mirai.A!trLinux/Agent.PZ!trLinux/CVE_2021_4034.G!trRiskware/CoinMinerAdware/MinerFortiGuard Labs released the following IPS signature against CVE-2022-26134 in version 21.331:Atlassian.Confluence.OGNL.Remote.Code.ExecutionInitially, the signature’s default action was set to “pass”, however the action was changed to “drop” from version 21.333.
McAfee’s Digital Wellness Delivers Online Protection As An Employee Benefit
The topic most top of mind today for HR professionals is keeping and acquiring great talent. One of the most important elements of doing both is providing a desirable and meaningful set of employee benefits.
Digital Wellness is a New Pillar in the Employee Benefits Space
The idea of Digital Wellness isn’t exactly brand new, but the world we’ve lived in for the past few years has cemented it into one of the main pillars of employee benefits, joining the traditional big three of Financial, Mental and Physical Wellness.
Employees Are Spending the Majority of Their Time Online
One of the main reasons Digital Wellness has become essential is that so many people have had to both live and work exclusively online for an extended period of time – spending 8+ hours a day on personal things in addition to all those hours they spend working via the web. Things like banking, telehealth and shopping to name a few.
84% claim internet banking is the most important channel while interacting with their bank1
75% have used telehealth services in the past 12 months2
49% of consumers are buying online more3 and 41% of those are shopping daily or weekly via mobile or smartphone4
There’s almost no aspect of life that isn’t touched by the internet for most people, especially when adding their work environment into the mix.
Remote Work Isn’t Going Away
In addition to all the regular life they live online, employees have become accustomed to working remotely, even if it’s just part of the time.
36.2 million workers are predicted to be working remotely by 2025 – an 87% increase
from pre-pandemic levels5
59% of respondents in a study by Owl Labs said they would be more likely to choose an employer who offered remote work5
32% said they would quit their job if they were not able to continue working remotely5
With these kinds of stats, it’s hardly surprising that 74% of employers plan to maintain some sort of remote/hybrid workforce into the foreseeable future6.
Cybercriminals are Taking Full Advantage of All the Extra Traffic
The digital world has become a veritable smorgasbord for hungry cyber criminals. In fact, there’s been a 400% increase in cybercrime just over the last couple of years7. To put it in perspective, here are a few sobering statistics that happen on a daily basis:
3 billion phishing emails are sent by scammers8
24,000 malicious mobile apps are blocked on average9
6.85 million accounts are hacked10
Unfortunately, all this means that people are in a constant battle to protect themselves from cyber risk.
When Employees are at Risk, Their Employers are at Risk
With everyone going about their daily activities and working whenever and wherever they happen to be at the time, it’s probably no surprise that more than half of employees are using their personal devices for work11. It’s just too convenient not to. However, when you also realize that 95% of breaches are caused by human error12, this intersection between personal life and work-life becomes risky for both the employees and their employers. It’s no wonder that companies with a large number of employees working remotely have seen a 24% increase in breaches since the pandemic began13.
Cyber Risk has Placed Huge Financial Strains on Companies
When companies’ networks are breached it causes their customers to be vulnerable, risking a huge blow to their reputation and invoking serious fines and penalties due to compliance failures. And trying to get cyber insurance to protect against financial loss has become increasingly more difficult. A recent article by the Wall Street Journal reported that cyber insurance premiums rose 92% in 2021 and the hoops companies have to jump through are much more stringent to be eligible for the coverage – things like providing cyber education and ensuring they’re taking stronger steps to protect their network and customer data14.
In addition to the direct financial impact of cyber threats, there’s also the loss of human capital. It can take up to six months and up to 200 hours of a person’s time to address and correct identity theft15. If employees are focusing on digital healing, it’s a fair bet they’re not focusing as closely on their work.
To Achieve Digital Wellness, Employees – and Their Employers, Need Two Things
Preventative care is the first step toward Digital Wellness, and it consists of three, simple parts.
Knowledge is power as they say, so cyber education is key. For example, if an employee can identify those 3 billion phishing emails sent daily, they are much less likely to be wooed into clicking on dangerous links, and if they understand how important it is to create strong and unique passwords, they can help protect themselves even if they’re found in a data breach.
Ward off threats by installing device protection to safeguard people’s access points to the internet. This means protecting all devices (PCs, Macs, smartphones, tablets, and smart home devices) against digital dangers like viruses/malware, unsecured network connections (thanks but no thanks, random coffeeshop Wi-Fi!), and spoofed/unsafe websites.
Take back control of employees’ privacy and data. How? It can be done by doing things like installing a virtual private network (VPN) that encrypts unsecured Wi-Fi networks to make them safe from prying eyes, proactively monitoring the dark web for identity breaches and by identifying and cleaning up all the unneeded profiles that have been piling up over the years.
Restorative care is the second step in the Digital Wellness journey. If a digital threat sneaks through even after all the careful preventive care, it’s important to quickly remedy the situation.
Kick uninvited cyber criminals out as soon as they’ve been discovered by removing viruses, malware, ransomware, etc. from each infected device as rapidly as possible.
Identity stolen? Do a credit freeze then work on restoring your reputation by combating things like fraudulent unemployment claims, unauthorized lines of credit and unlawful home title transfers.
Leverage financial restoration options to fix your damaged credit score and make your pocketbook whole again through cyber breach insurance.
It’s Never Been More Important to Offer a Digital Wellness Solution as an Employee Benefit
Great benefits that have real meaning for employees are key to helping retain and acquire amazing talent. Providing an all-in-one and easy-to-use Digital Wellness solution designed to safeguard against compromised devices, privacy leaks, identity theft and other frustrating, time-consuming issues not only provides peace of mind for employees but also directly – and positively, impacts a company’s bottom line. Choosing a trusted cyber protection solution like McAfee for your Digital Wellness benefit will give your employees a brand they love and your company the advantage of 30+ years of experience protecting people from digital threats.
For more information on McAfee Digital Wellness, visit www.mcafee.com/employee-benefits-info or send an email to EmployeeBenefits@McAfee.com.
Footnotes –
Capgemini and Efma, World Retail Banking Report 2021
2021 McAfee Consumer Research Emerging Tech Trends Survey, December 2021
McAfee’s 2020 Holiday Season: State of Today’s Digital e-Shopper survey
PWC December 2021 Global Consumer Insights Pulse Survey
Statistics on Remote Workers that Will Surprise You – May 11, 2022
Gartner CFO Survey 2020
The Hill. “FBI seeks spike in cybercrime reports during coronavirus pandemic.” April 2020
Zdnet.com – “Three billion phishing emails are sent every day. But one change could make life much harder for scammers” March 2021
TechJury- “How Many Cyber Attacks Happen Per Day in 2022?” May 2022
4. WCNC Charlotte – “How strong is your password? A professional hacker says probably not strong enough” June 2021
IBM – Work from Home Study, 2020
The Wall Street Journal. “Human Error Often the Culprit in Cloud Data Breaches.” August 2019
Gartner. “Designing Security for Remote-Work First Enterprises”
Wall Street Journal “Cyber Daily: Cyber Insurance Became Much Pricier in 2021” May 2022
The Economist – “How to protect yourself against the theft of your identity
The post McAfee’s Digital Wellness Delivers Online Protection As An Employee Benefit appeared first on McAfee Blog.