Date: 4/25/2022

US Government Warns of Potential Increase in Critical Infrastructure Cyber Attacks by Russia

Overview

On April 20, 2022, CISA (U.S. Cybersecurity & Infrastructure Security Agency) published an international joint advisory warning that “Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity”.  The advisory states that “Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks”.  

Potential Impact

Russian state-sponsored and/or state-sanctioned threat actor groups have perpetrated a great number of attacks over the last decade, ranging from attacks on Ukraine’s power grid to the copious number of ransomware attacks in 2021.  A concerted effort with the intent of harming business and government operations in nations perceived by Russia to be enemies can lead to significant disruption to the lives of many people.

Recommended Actions

Get an incident response retainer with a reputable cybersecurity company.  If cyber attacks result in widespread disruption, cybersecurity companies will need to serve customers with existing agreements before taking on new customers.  An incident response retainer is the best way to ensure that your business will get help when it is needed.  Incident response retainers at GreyCastle Security enable our customers to call experts for short conversations when a particular alert or event is causing consternation among technical staff.  The GreyCastle Security Incident Response team has thwarted many attacks before they became serious issues because a customer called to discuss something unusual that was happening in their network.  These proactive conversations are effectively the ounce of prevention that is worth a metric ton of cure.

Sources
Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA
Industry is under pressure to keep up its guard on Russian cyber threats – The Washington Post

Active Exploitation of VMware Workspace ONE and Identity Manager RCE Vulnerability

Overview

On 4/6/2022, VMware issued an advisory covering several vulnerabilities, including a critical remote code execution vulnerability for VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). Since that time there have been multiple observations of active exploitation attempts in the wild. Here, we discuss the critical vulnerability and report on indicators of compromise gathered from open sources.

Potential Impact

VMware states, “VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. … A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

The following product component versions are affected by CVE-2022-22954:

  • VMware Workspace ONE Access Appliance: 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
  • VMware Identity Manager Appliance: 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware vRealize Automation: 7.6

Recommended Actions

VMware has issued hotfixes for the affected versions. Information on deploying the hotfixes can be found in this knowledge base article from VMware:

https://kb.vmware.com/s/article/88099

Note that there have been multiple reports from Greynoise, Bad Packets, and Daniel Card of active exploitation attempts of this vulnerability in the wild.

Sources
https://www.vmware.com/security/advisories/VMSA-2022-0011.html
https://kb.vmware.com/s/article/88099
https://nvd.nist.gov/vuln/detail/CVE-2022-22954

Chrome Updates to Fix Actively Exploited Flaw

Overview

Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. The emergency updates the company issued this week impact the almost three billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi.

Potential Impact

One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being abused by attackers. With a type-confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access.

This incompatibility can cause a browser to crash or trigger logical errors. It can potentially be exploited to execute arbitrary code. According to the Center for Internet Security, “Depending on the privileges associated with the application, an attacker could view, change, or delete data.”

“Google is aware that an exploit for CVE-2022-1364 exists in the wild,” the company wrote in the alert.

General Recommended Actions

This is the third Chrome critical update for 2022 that also includes a zero-day fix. The updates to Chrome and Chromium, which address CVE-2022-1364 and CVE-2022-1096, are already available for deployment; make sure Edge, Brave and other Chromium-based browsers are also updated. This is a good time to make sure that you’re actively managing updates to all Chrome and Chromium-based browsers in your environment. Include mobile phones in your planning.

The Chrome updates will be applied in the coming days and weeks, with Chrome automatically installing them when the browser is closed and relaunched. Google should be getting used to issuing such emergency fixes. In March, both Google and Microsoft issued updates to fix a vulnerability in the Chromium V8 JavaScript engine that was being actively exploited. That vulnerability, tracked as CVE-2022-1096, was also a high-severity bug in Chrome, Edge and other browsers.

Sources
www.darkreading.com: Google Emergency Update Fixes Chrome Zero-Day
www.theregister.com: Google issues third emergency fix for Chrome this year
chromereleases.googleblog.com: Stable Channel Update for Desktop

Cryptographic Java Bug Should Immediately Be Addressed

Overview

CVE-2022-21449 is a vulnerability affecting anyone relying on Elliptic Curve Digital Signature Algorithm (ECDSA) signatures in Java 15, Java 16, Java 17, or Java 18.

This new Java vulnerability originates in an improper implementation of the ECDSA signature verification algorithm. It potentially allows an attacker to intercept communication and messages that should otherwise have been protected, such as SSL communication, authentication processes, and more. It has a CVSS score of 7.5.

Oracle released a patch for the vulnerability on Wednesday after security company ForgeRock informed the OpenJDK vulnerability team about the issue.

Potential Impact

This is a “patch now” vulnerability: a sound cryptographic system rendered useless by an implementation error.

Elliptic Curve cryptography isn’t the problem, it’s how it was implemented in Java. 

Do not be put off by the lower CVSS score of 7.5 as this vulnerability has broad potential. 

General Recommended Actions

April 20, 2022: Oracle has issued a Critical Patch Update Advisory, which fixes this vulnerability.

ForgeRock offers two workarounds for this vulnerability.  Please see the link under Sources below. 

Sources
https://backstage.forgerock.com/knowledge/kb/article/a90257583
The Record by Recorded Future:  https://bit.ly/36Ixa3x

Another Inexpensive Ransomware solution – Prynt Stealer 

Overview

Cybercriminals can build specially crafted ransomware for the small price of $100 a month, which is slightly expensive compared to other malware. The ransomware is known to be stealthy and targets autofill data including passwords, credit card information as well as cookies and search history from Chrome-based, Edge, and Firefox-based web browsers.

Potential Impact

Prynt can steal data from messaging apps as well as VPN credentials. Working with the autofill data and using keyword searching techniques, threat actors obtain relevant information on banking and cryptocurrency. Cryptocurrency is of greater concern, as the malware locates cryptocurrency wallet directories and leverages this information to steal the funds within them. In addition, clipper tools, which take data copied to the clipboard, watch for copied wallet addresses and replace them with the actor’s address.

Recommended Actions

Considering that Prynt is threatening and can lead to massive financial losses and other data breaches, it is always critical to remember to enable multifactor authentication to strengthen the integrity of your accounts. Furthermore, it is also vital not to utilize autofill features and to have strong passwords. 

Sources
New powerful Prynt Stealer malware sells for just $100 per month (bleepingcomputer.com)

FBI Issues Alert on BlackCat Ransomware

Overview

The FBI published an alert regarding the BlackCat variant of ransomware. The FBI states that about 60 organizations worldwide have been impacted by this Ransomware-as-a-Service (RaaS) since November 2021. BlackCat ransomware has been linked to DarkSide/BlackMatter, who were responsible for the Colonial Pipeline Company ransomware attack in May 2021.

Potential Impact

BlackCat ransomware actors have been known to exfiltrate data prior to the encryption of files. Furthermore, this variant is written in the Rust programming language, which allows attackers to take advantage of the lower detection rates of static analysis tools that are not tuned to all programming languages.

Recommended Actions

BlackCat actors have recently been observed gaining access through external-facing SonicWALL devices. Organizations should ensure public-facing devices are patched and all remote access is secured with multifactor authentication. Long-term recommendations to mitigate the impact of a ransomware attack include offline backups and strict network segmentation.

Sources
https://thehackernews.com/2022/04/fbi-warns-of-blackcat-ransomware-that.html

For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.
