Good morning and welcome to today's briefing. We have a lot of updates, and none more relevant than Microsoft's, given the AD authentication issues caused by last week's Patch Tuesday. We also have updates for VMware, WordPress, QNAP, SonicWall and Apple. We then go through some security news, breaches and security-conscious articles, and finish with some security funnies!
>> Patches & Updates
Microsoft emergency updates fix Windows AD authentication issues
“Microsoft has released emergency out-of-band (OOB) updates to address Active Directory (AD) authentication issues after installing Windows Updates issued during the May 2022 Patch Tuesday on domain controllers.
The company has been working on a fix for this known issue causing authentication failures for some Windows services since May 12.
"After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP)," Microsoft explained.
"An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller."
The OOB Windows updates released today are available only via the Microsoft Update Catalog and will not be offered through Windows Update.”
Active attacks against VMware flaws prompt emergency update directive
““Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022,” an alert from the agency warns.
In a related advisory issued by VMware on Wednesday (May 18), the vendor explained that it had patched an authentication bypass vulnerability (CVE-2022-22972) and a local privilege escalation vulnerability (CVE-2022-22973) involving VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
The CVE-2022-22954 vulnerability, already under active attack, involves a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that poses a remote code execution risk. The flaw earned a CVSS score of 9.8, close to the maximum possible.”
Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover
“One of the flaws (tracked as CVE-2022-1654 and rated 9.9, or critical, on the CVSS) allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme.
Affected versions of the themes are: Jupiter Theme 6.10.1 or earlier, and JupiterX Core Plugin 2.0.7 or earlier.”
QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks
“The intrusions are said to have targeted TS-x51 series and TS-x53 series appliances running on QTS 4.3.6 and QTS 4.4.1, according to its product security incident response team.
"QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the internet," QNAP said in an advisory.
This development marks the third time QNAP devices have come under assault from DeadBolt ransomware since the start of the year.”
SonicWall Releases Patches for New Flaws Affecting SSLVPN SMA1000 Devices
“SonicWall has published an advisory warning of a trio of security flaws in its Secure Mobile Access (SMA) 1000 appliances, including a high-severity authentication bypass vulnerability.
The weaknesses in question impact SMA 6200, 6210, 7200, 7210, 8000v running firmware versions 12.4.0 and 12.4.1. The list of vulnerabilities is below -
CVE-2022-22282 (CVSS score: 8.2) - Unauthenticated Access Control Bypass
CVE-2022-1702 (CVSS score: 6.1) - URL redirection to an untrusted site (open redirection)
CVE-2022-1701 (CVSS score: 5.7) - Use of a shared and hard-coded cryptographic key
Successful exploitation of the aforementioned bugs could allow an attacker to gain unauthorized access to internal resources and even redirect potential victims to malicious websites.”
Apple patches zero-day kernel hole and much more – update now!
“Apple’s latest security updates have arrived.
All still-supported flavours of macOS (Monterey, Big Sur and Catalina), as well as all current mobile devices (iPhones, iPads, Apple TVs and Apple Watches), get patches.
Additionally, programmers using Apple’s Xcode development system get an update too.”
Netgear fixes bad Orbi firmware update that locked admin console
“Netgear is pushing out fixes for a bad Orbi firmware update released earlier this month that prevents users from accessing the device's admin console.
On April 27th, Netgear released firmware update 188.8.131.52 for the Orbi RBR750, Orbi RBS750, Orbi RBR850, and Orbi RBS850 mesh Wi-Fi systems.”
>> Security News
SharePoint RCE bug resurfaces three months after being patched by Microsoft
“A security researcher found a fresh way to exploit a recently patched deserialization bug in Microsoft SharePoint and stage remote code execution (RCE) attacks.
The flaw, a variant on an issue that was patched in February, uses the site creation features of SharePoint, Microsoft’s intranet platform, to upload and run malicious files on the server.”
Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit
“Meta has fixed a series of bugs that could have allowed a malicious actor to take over a user’s Facebook account, paying their finder a $44,625 bug bounty.
Security researcher Youssef Sammouda was able to hijack the accounts of Facebook users who signed up using a Gmail account and use a Gmail OAuth id_token/code to log in to the site.
And, he tells The Daily Swig, the same technique could have been used on any other account: “Due to the complexity of developing such an exploit to do exactly that, I only submitted the exploit for the scenario that resulted in taking over Facebook accounts that authenticated with Google,” he says.”
Firefox debuts improved process isolation to reduce browser attack surface
“Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.
On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.”
Spanish police dismantle phishing gang that emptied bank accounts
“The Spanish police have announced the arrest of 13 people and the launch of investigations on another seven for their participation in a phishing ring that stole online bank credentials.
The threat actors used phishing lures to trick their victims into believing they received an alert from their bank and proceeded to steal their account credentials.
Having access to banking accounts, the adversaries used their victims' money to make online purchases, direct transfers to "money mule" accounts, or request personal loans.”
Canada to ban Huawei and ZTE and tell telcos to rip out 5G and 4G equipment
“Following the steps of its Five Eyes partners, Canada has moved to ban Huawei and ZTE from its telco networks.
"The government of Canada is ensuring the long term safety of our telecommunications infrastructure. As part of that, the government intends to prohibit the inclusion of Huawei and ZTE products and services in Canada's telecommunications systems," Minister of Innovation, Science and Industry François-Philippe Champagne said.”
>> Security Breaches
>> Security Conscious
Closing the Gap Between Application Security and Observability
“When it’s all said and done, application security pros may come to look upon the Log4Shell vulnerability as a gift.
Potentially one of the most devastating software flaws ever found, Log4Shell has justified scrutiny of modern security methods. It also turns out too many people continue to think about security strictly in terms of fortifying network perimeters.
But in the still burgeoning age of cloud computing, Log4Shell also exposed the significant gap that exists between application security and observability. It’s still not widely known that observability makes systems safer.”
DevSecOps and cybersecurity skills are top priorities for enterprise IT – report
“Enterprise IT personnel believe cybersecurity skills are their teams’ most important technical capabilities, according to a new report from the DevOps Institute.
Ninety-two percent of respondents to the ‘Upskilling IT 2022’ survey identified security proficiencies as either ‘critical’ or ‘important’ to the execution of their team’s duties.
Next on the league table of ‘must-have technical skills’ was demonstrable knowledge of cloud computing technologies, followed by container orchestration, modern computing technology and architectures, and application technologies.”
>> Security Funnies
Stay safe. Stay cautious.
To be kept in the loop quicker, join the Spiceworks Unofficial Discord (https://discord.gg/V7ggSA2) and keep an eye on the #security-news channel. New SOC (Security Operations Center) briefings will always post in both the General IT Security and Cybersecurity groups.
Which was the most impactful for you?