This Week's editor is Lior Rotkovitch.
Another year has gone by with many more security challenges, and this week's news reflects the incidents of the past year and tells us that the security challenge is everywhere.
Exploitation of old and new CVEs, such as Log4Shell, which was published a year ago in December 2021 and is still being actively exploited;
open-source repositories flooded with thousands of phishing packages, ransomware that thrives on illegal markets, and even protection products being weaponized are just a few examples of the wild ride the security industry is experiencing. With the massive amount of software in use, the prediction for the new year is simply more of every possible attack, much more.
But, as always, not all is lost, as we are a force for Security Incident Mitigation.
Happy holidays, see you next year.
"Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited."
"The situation resonates with larger discussions about the software supply chain and the fact that many organizations do not have an adequate accounting of all the software they use in their systems, making it more difficult to identify and patch vulnerable code. Part of the challenge, though, is that even if an organization has a list of all the software it's bought or deployed, those programs can still contain other software components—particularly open-source libraries and utilities like Log4j—that the end customer isn't specifically aware of and didn't intentionally choose. This creates the ripple effect of a vulnerability like Log4Shell as well as the long tail of patching, in which organizations either aren't aware that they have exposure or don't recognize the urgency of investing in upgrades."
"Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild.
Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said it's "aware of an instance where this vulnerability was exploited in the wild," urging customers to move quickly to apply the updates."
All five security defects are use-after-free flaws, a type of memory safety bug that has been prevalent in Chrome over the past years, and which Google has long battled to eliminate.
According to Google’s advisory, four of these issues are high-severity bugs, impacting components such as Blink Media, Mojo IPC, Blink Frames, and Aura.
The vulnerabilities have been issued CVE identifiers CVE-2022-4436 to CVE-2022-4439 and are accompanied by CVE-2022-4440, a medium-severity use-after-free.
Google says it has paid $17,500 in bug bounties to the reporting researchers, but the final amount might be higher, as only four out of five rewards have been disclosed.
An attacker in a position to exploit a use-after-free vulnerability may be able to crash the application, corrupt data, or execute arbitrary code on the machine. In Chrome, use-after-free flaws may be used to escape the browser sandbox, which requires the exploitation of additional security defects.
"The China-linked crime gang APT5 is already attacking a flaw in Citrix's Application Delivery Controller (ADC) and Gateway products that the vendor patched today.
Citrix says the flaw, CVE-2022-27518, "could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance" if it is configured as a SAML service provider or identity provider (SAML SP, SAML IdP).
Unusually, Citrix has a policy of not revealing the Common Vulnerability Scoring System (CVSS) scores for its flaws. CVSS rates flaws on a ten point scale, with anything rated above 9.0 deemed Critical and therefore worthy of urgent attention due to the significant risk of exploitation.
The Register suggests the flaw may be closer to a 10.0 score than a 9.0 rating, because Citrix's announcement of the flaw was quickly followed by publication of a threat hunting guidance [PDF] from the United States' National Security Agency (NSA), which believes a China-linked crime gang known as APT5 (aka UNC2630 and MANGANESE) has already "demonstrated capabilities" to attack Citrix ADCs."
The latest Apple security update includes a fix for an actively exploited security vulnerability that could allow arbitrary code execution on iPhone 8 and above. The bug, fixed with the iOS 16.1.2 update, is a type confusion issue in the WebKit browser engine. Type confusion occurs when a piece of code doesn't verify the type of object that is passed to it; in this case, it can be triggered when processing specially crafted content, Apple noted in its advisory.
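The Chrome item above says a use-after-free can be used to corrupt data or run code, and the Apple item describes type confusion as code that does not verify the type of the object handed to it. The two are closely related: once a slot is freed and reused, a stale pointer reads whatever object now lives there through the wrong type. The C program below is an added example written for this page (it is not code from the article, Google, or Apple); the `media` and `frame` structs, the toy slab allocator and the `media_get_duration` accessor are all assumptions made for the illustration. The vulnerable path keeps a pointer after freeing it and observes an attacker-chosen frame width where it expects a media duration; the hardened path nulls the freed pointer and checks the object's type tag before interpreting it. Real engines do not harden this way (their allocators, object layouts and mitigations differ), but the tag check is the concrete form of the "verify the type" step the advisory refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object kinds standing in for engine objects. These names are
 * assumptions for this example, not Chrome's or WebKit's real types. */
enum obj_type { T_FREE = 0, T_MEDIA = 1, T_FRAME = 2 };

struct media { uint32_t type; uint32_t duration_ms; };
struct frame { uint32_t type; uint32_t width; uint32_t height; };

/* Toy slab allocator: fixed-size slots and a LIFO free list, so the slot
 * freed most recently is handed out by the very next allocation, just as
 * the fast paths of real allocators do. */
#define SLOT_SIZE 16
#define NSLOTS 4
static _Alignas(8) unsigned char slab[NSLOTS][SLOT_SIZE];
static int free_list[NSLOTS];
static int free_top;

static void slab_init(void) {
    memset(slab, 0, sizeof slab);
    for (int i = 0; i < NSLOTS; i++) free_list[i] = NSLOTS - 1 - i;
    free_top = NSLOTS;
}

static void *slab_alloc(void) {
    if (free_top == 0) return NULL;
    return slab[free_list[--free_top]];
}

static void slab_free(void *p) {
    int idx = (int)(((unsigned char *)p - &slab[0][0]) / SLOT_SIZE);
    *(uint32_t *)p = T_FREE;              /* mark the slot's tag as free */
    free_list[free_top++] = idx;
}

/* Vulnerable: keeps using `m` after freeing it. A frame allocated into the
 * same slot puts the attacker-controlled width at the offset the media code
 * reads as duration_ms, so a frame is now read through the media type (the
 * type confusion). Returns the value the media code observes. */
uint32_t vulnerable_read_after_free(uint32_t attacker_width) {
    slab_init();
    struct media *m = slab_alloc();
    m->type = T_MEDIA;
    m->duration_ms = 3000;
    slab_free(m);                         /* m is dangling from here on */
    struct frame *f = slab_alloc();       /* reuses m's slot */
    f->type = T_FRAME;
    f->width = attacker_width;
    f->height = 1;
    return m->duration_ms;                /* use-after-free: this is f->width */
}

/* Hardened accessor: refuses to interpret memory whose tag is not T_MEDIA
 * (the "verify the type of the object" step). */
int media_get_duration(const struct media *m, uint32_t *out) {
    if (m == NULL || m->type != T_MEDIA) return -1;
    *out = m->duration_ms;
    return 0;
}

/* Free that also kills the caller's reference, so it cannot be reused. */
static void slab_free_and_null(void **pp) {
    slab_free(*pp);
    *pp = NULL;
}

/* Same sequence with both mitigations. Returns -1 when every stale
 * reference is rejected, 0 if one of them was wrongly accepted. */
int hardened_read_after_free(uint32_t attacker_width, uint32_t *out) {
    slab_init();
    struct media *m = slab_alloc();
    m->type = T_MEDIA;
    m->duration_ms = 3000;
    struct media *stale = m;              /* a second reference someone kept */
    slab_free_and_null((void **)&m);      /* m == NULL; stale still dangles */
    struct frame *f = slab_alloc();       /* the slot is reused again */
    f->type = T_FRAME;
    f->width = attacker_width;
    f->height = 1;
    int rc_nulled = media_get_duration(m, out);     /* -1: pointer was nulled */
    int rc_stale  = media_get_duration(stale, out); /* -1: tag is T_FRAME */
    return (rc_nulled == -1 && rc_stale == -1) ? -1 : 0;
}

int main(void) {
    uint32_t seen = vulnerable_read_after_free(0xDEADBEEFu);
    printf("vulnerable: media code read duration_ms = 0x%08x\n", seen);
    uint32_t d = 0;
    int rc = hardened_read_after_free(0xDEADBEEFu, &d);
    printf("hardened: rc=%d (-1 means stale references were rejected)\n", rc);
    return 0;
}
```

The attacker in a real exploit does the slot reuse deliberately (allocating objects of a chosen type and size until one lands in the freed slot), which is why a stale pointer's "wrong" fields end up under attacker control rather than holding garbage.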
"High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers. "This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs researcher Or Yair said. "It does all that without implementing code that touches the target files, making it fully undetectable."
"The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running ‘Booter’ or ‘Stresser’ platforms that allow anyone to easily conduct distributed denial of service attacks. Booters are online platforms allowing threat actors to pay for distributed denial-of-service attacks on websites and Internet-connected devices. Essentially, they are "booting" the target off of the Internet."
The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets
In April 2022, the U.S. Treasury sanctioned the Russia-based Hydra Market. Hydra, the world’s largest dark web market, provided malicious cybercrime and cryptocurrency exchange services to global threat actors. The U.S. and Germany shut Hydra down around the same time.
How the sale and purchase of RaaS works
Costs for joining a RaaS are low, considering the damage the malware does and the large payments it draws from victims.
For example, Venafi reported that a customized version of DarkSide, the same ransomware that criminal hackers used to shut down Colonial Pipeline, sold for $1,262 on the dark web.
RaaS solutions, related source code, and custom-built RaaS services sell directly on the dark web, using cryptocurrencies like bitcoin to transact the sales. For such a niche enterprise, these RaaS offerings are getting more and more legitimized—some include subscription packages, user instructions, and tech support.
Threat actors involved with these types of operations often purchase access to a network from Initial Access Brokers (IABs). Initial access typically comes as stolen credentials for remote access tools such as Citrix, Microsoft RDP, and Pulse Secure VPN.
It’s easier for criminals to buy compromised credentials than to collect the passwords themselves through phishing or brute-force attacks.
"NuGet, PyPI, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors." "The packages were part of a new attack vector, with attackers spamming the open source ecosystem with packages containing links to phishing campaigns," researchers from Checkmarx and Illustria said in a report published Wednesday.
Google last year launched an open source vulnerability database, and is now providing a front-end for that database, in the form of the OSV-Scanner.
“The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases,” Google says.
“Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool—something that will also minimize the burden of remediating known vulnerabilities,”
"Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads."
The VMware ESXi heap out-of-bounds write vulnerability is tracked as CVE-2022-31705 and has received a CVSS v3 severity rating of 9.3.
"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," mentions the security advisory.
VMware released security updates to address a critical-severity vulnerability impacting ESXi, Workstation, Fusion, and Cloud Foundation, and a critical-severity command injection flaw affecting vRealize Network Insight. "On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed." Because CVE-2022-31705 is in the USB 2.0 controller (EHCI), the recommended workaround for those who can't apply the security update is to remove the USB controller from their instances.