//Week in review - 12 Aug 2022


“Malvertising” is a term that has gained some attention this week as it grows in use to infiltrate networks and devices. (also known as a browser-in-browser (BitB) attack.

The term refers to malicious advertising, a practice that uses online advertising that appears genuine that requires very little or even no interaction from the user.

To help understand and combat such campaigns, National Cyber Security News Today provides an examination of the potential threat and, how to safeguard against it.

AusCERT wanted to remind folk that the deadline for the .au. direct domain availability, and its implications, are fast approaching.

As per the ACSC alert, Australians have until 20 September 2022 to seek priority allocation of an .au direct domain name that matches their existing domain name.

AusCERT published a blog on the changes to assist members to understand potential threats and provide our members with an analysis of the situation.

Lastly, we wanted to acknowledge World Youth Day, a UN initiative that focuses on education, employment, the environment, delinquency, girls and young women, HIV/AIDS and intergenerational relations as well as conflict resolution and social justice, to name a few, held each year on August 12 (today!).

Organizations Warned of Critical Vulnerabilities in NetModule Routers
Date: 2022-08-10
Author: Security Week

Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks.
Acquired by Belden earlier this year, NetModule provides IIoT and industrial routers, vehicle routers, and other types of wireless M2M connectivity products.
All of NetModule’s routers run the Linux-based NRSW by default, and can be managed remotely using a remote management platform.

Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen
Date: None
Author: Bleeping Computer

Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online.
The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee’s account.

Meraki firewalls blocked Office365 traffic as attempted intrusion
Date: 2022-08-11
Author: iTnews

Microsoft Office365 users behind Cisco Meraki firewalls found themselves unable to reach their services, after the security vendor inadvertently blocked legitimate traffic.
The firewalls were identifying legitimate traffic as an attempted denial-of-service attack against Windows IIS, as reported in this Reddit post.
“We use Meraki firewalls and starting this morning Meraki was blocking valid Microsoft IPs in the Security Center. The SNORT rule details were ‘Microsoft Windows IIS denial-of-service attempt” and the destination IPs were Microsoft’,” the post states.
SNORT is an open source signature-based intrusion prevention system.

Patch Wednesday fixes two-year-old Dogwalk vulnerability
Date: 2022-08-10
Author: iTnews

Microsoft has fixed a remote code execution vulnerability in its MSDT diagnostics tool for Windows, first reported to the company two years ago and rediscovered in May this year.
The fix is part of this month’s Patch Wednesday, and was named Dogwalk by security researchers.
Although researcher Imre Rad reported the bug to Microsoft in January 2020, and despite the vulnerability raising its head again this year, the software giant initially declined to fix the issue.

New GwisinLocker ransomware encrypts Windows and Linux ESXi servers
Date: 2022-08-06
Author: Bleeping Computer

A new ransomware family called ‘GwisinLocker’ targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.
The new malware is the product of a lesser-known threat actor dubbed Gwisin, which means “ghost” in Korean. The actor is of unknown origin but appears to have a good knowledge of the Korean language.

Dark web investigation uncovers ransomware marketplace
Date: 2022-08-05
Author: Cyber Security Connect

A new Venafi dark web investigation has uncovered 475 webpages of sophisticated ransomware products and services, with ransomware-as-a-service (RaaS) being the most accessible for procurement.
The research was conducted between November 2021 and March 2022 in partnership with criminal intelligence provider Forensic Pathways. Over 35 million dark web URLs were analysed, including marketplaces and forums, using the Forensic Pathways dark search engine.
The researchers found that many strains of ransomware being sold have been successfully used in high-profile attacks, with 87 per cent of the ransomware found on the dark web capable of delivering malicious macros in order to infect targeted systems. These include Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry.

Windows devices with newest CPUs are susceptible to data damage
Date: 2022-08-08
Author: Bleeping Computer

Microsoft has warned today that Windows devices with the newest supported processors are susceptible to “data damage” on Windows 11 and Windows Server 2022.
“Windows devices that support the newest Vector Advanced Encryption Standard (AES) (VAES) instruction set might be susceptible to data damage,” the company revealed today.
Devices affected by this newly acknowledged known issue use AES-XTS (AES XEX-based tweaked-codebook mode with ciphertext stealing) or AES-GCM (AES with Galois/Counter Mode) block cipher modes on new hardware.

Over 60% of Organizations Expose SSH to the Internet
Date: 2022-08-05
Author: Infosecurity Magazine

A majority of global organizations are exposing sensitive and insecure protocols to the public internet, potentially increasing their attack surface, according to ExtraHop.
The vendor analyzed a range of enterprise IT environments to benchmark cybersecurity posture based on open ports and sensitive protocol exposure.
It found that 64% of those studied have at least one device exposing SSH, which could allow attackers to probe it for remote access.

Microsoft’s big Patch Tuesday fixes exploited zero-day flaw and 120 more bugs
Date: 2022-08-10
Author: ZDNet

Microsoft has released patches for 141 flaws in its August 2022 Patch Tuesday update including two previously undisclosed (zero-day) flaws, of which one is actively being exploited.
The total patch count for the August 2022 Patch Tuesday Update actually includes 20 flaws in Edge that Microsoft had previously released fixes for, leaving 121 flaws affecting Windows, Office, Azure, .NET Core, Visual Studio and Exchange Server.
The Zero Day Initiative noted that the volume of fixes released this month is “markedly higher” than what is normally expected in an August release. “It’s almost triple the size of last year’s August release, and it’s the second largest release this year,” the bug hunting group said.

Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts
Date: 2022-08-06
Author: The Hacker News

Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said in an advisory.

Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users
Date: 2022-08-06
Author: The Hacker News

Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces.
“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the enterprise communication and collaboration platform said in an alert on 4th August.

ESB-2022.3942 – Intel Data Center Manager: CVSS (Max): 9.0

Intel reports that a vulnerability in the Intel Data Center Manager may allow escalation of privilege or denial of service.

ESB-2022.3975 – OpenShift Container Platform 4.11.0: CVSS (Max): 9.8

Security updates for Red Hat OpenShift Container Platform 4.11 contain packages and images that fix several bugs and add enhancements.

ESB-2022.3966 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1

Adobe’s most recent update for Adobe Commerce and Magento Open Source resolves critical , important and moderate vulnerabilities which , if exploited could lead to arbitrary code execution, privilege escalation and security feature bypass.

ESB-2022.3962 – ALERT Open AMT Cloud Toolkit: CVSS (Max): 9.9

Intel has released updates to mitigate a potential vulnerability in the Open AMT Cloud Toolkit software which , if exploited could allow escalation of privilege.

ASB-2022.0182 – ALERT Windows 7 and Windows Server 2008: CVSS (Max): 9.8

Microsoft’s security patch update for August 2022 resolves 29 vulnerabilities across Windows 7 and Windows Server 2008. Microsoft reports this vulnerability is publicly disclosed and actively exploited and recommends updating the software with the version made available.

ASB-2022.0181 – ALERT Microsoft Windows: CVSS (Max): 9.8*

Microsoft’s security patch update for August 2022 contain fixes for 61 vulnerabilities in Windows, Windows RT and Windows 7. Microsoft reports this vulnerability is publicly disclosed and actively exploited and recommends updating the software with the version made available.

ESB-2022.3764.2 – UPDATE ALERT VMware products: CVSS (Max): 9.8

Multiple vulnerabilities were reported in VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation. VMware recommends that these critical vulnerabilities should be patched or mitigated immediately.

Stay safe, stay patched and have a good weekend!

The AusCERT team