Date: 4/25/2022
On April 20, 2022, CISA (U.S. Cybersecurity & Infrastructure Security Agency) published an international joint advisory warning that “Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity”. The advisory states that “Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks”.
Russian state-sponsored and/or state-sanctioned threat actor groups have perpetrated a great number of attacks over the last decade, ranging from attacks on Ukraine’s power grid to the copious number of ransomware attacks in 2021. A concerted effort with the intent of harming business and government operations in nations perceived by Russia to be enemies can lead to significant disruption to the lives of many people.
Get an incident response retainer with a reputable cybersecurity company. If cyber attacks result in widespread disruption, cybersecurity companies will need to serve customers with existing agreements before taking on new customers, so a retainer is the best way to ensure that your business gets help when it is needed. Incident response retainers at GreyCastle Security let our customers call experts for short conversations when a particular alert or event is causing consternation among technical staff. The GreyCastle Security Incident Response team has thwarted many attacks before they became serious issues because a customer called to discuss something unusual happening in their network. These proactive conversations are the ounce of prevention that is worth a metric ton of cure.
Sources
Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA
Industry is under pressure to keep up its guard on Russian cyber threats – The Washington Post
On 4/6/2022, VMware issued an advisory covering several vulnerabilities, including a critical remote code execution vulnerability for VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). Since that time there have been multiple observations of active exploitation attempts in the wild. Here, we discuss the critical vulnerability and report on indicators of compromise gathered from open sources.
VMware states, “VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. … A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”
The following product component versions are affected by CVE-2022-22954:
Product Affected Version
VMware has issued hotfixes for the affected versions. Information on deploying the hotfixes can be found in this knowledge base article from VMware:
https://kb.vmware.com/s/article/88099.
Note that Greynoise, Bad Packets, and Daniel Card have all reported active exploitation attempts against this vulnerability in the wild.
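Because the vulnerability is a server-side template injection and exploitation attempts are being seen in the wild, a defender's first question is usually whether any such attempts have already reached their own web tier. The following is an added example, not code from the bulletin, VMware or any of the sources cited; it scans web server access logs (Combined Log Format) for generic template-expression markers in the request target, URL-decoding up to twice so that double-encoded requests are still visible. The log lines are constructed for the example, and the markers are generic engine delimiters rather than the product-specific indicators of compromise the bulletin refers to.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2022:10:12:01 +0000] "GET /app/ui/view?msg=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [21/Apr/2022:10:12:07 +0000] "GET /app/ui/view?msg=%24%7Bexample%7D HTTP/1.1" 500 128 "-" "curl/7.68.0"
10.0.0.9 - - [21/Apr/2022:10:12:09 +0000] "GET /app/ui/view?msg=%2524%257Bexample%257D HTTP/1.1" 200 128 "-" "python-requests/2.27"
10.0.0.2 - - [21/Apr/2022:10:12:11 +0000] "POST /app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, identd, user, [timestamp], "METHOD target proto", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Expression delimiters used by common server-side template engines:
# FreeMarker/Velocity-style ${...}, #{...}, Jinja/Twig-style {{...}}, JSP/ERB-style <%...%>.
TEMPLATE_MARKERS = ("${", "#{", "{{", "<%")


def decode_target(target, rounds=2):
    """URL-decode repeatedly (default twice) so double-encoded requests are visible."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_template_markers(target):
    """Return the template delimiters present in the decoded request target."""
    decoded = decode_target(target)
    return [m for m in TEMPLATE_MARKERS if m in decoded]


def scan_access_log(text):
    """Parse each log line and report the requests carrying template markers."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        markers = find_template_markers(m.group("target"))
        if markers:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "user_agent": m.group("ua"),
                "markers": markers,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['target']} status={hit['status']} markers={hit['markers']}")
```

The markers are deliberately broad, so treat a hit as a lead to investigate (which host, which application, whether the hotfix was in place at that time) rather than as a confirmed compromise; the response status and user agent are carried along because a 500 from an unusual client is a common sign that an injected expression was actually evaluated.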
Sources
https://www.vmware.com/security/advisories/VMSA-2022-0011.html
https://kb.vmware.com/s/article/88099
https://nvd.nist.gov/vuln/detail/CVE-2022-22954
Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. The emergency updates the company issued this week impact the almost three billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi.
One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being abused by attackers. With a type-confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access.
This incompatibility can cause a browser to crash or trigger logical errors. It can potentially be exploited to execute arbitrary code. According to the Center for Internet Security, “Depending on the privileges associated with the application, an attacker could view, change, or delete data.”
“Google is aware that an exploit for CVE-2022-1364 exists in the wild,” the company wrote in the alert.
This is the third Chrome critical update for 2022 that also includes a zero-day fix. The updates to Chrome and Chromium, which address CVE-2022-1364 and CVE-2022-1096, are already available for deployment; make sure Edge, Brave and other Chromium-based browsers are also updated. This is a good time to make sure that you’re actively managing updates to all Chrome and Chromium-based browsers in your environment. Include mobile phones in your planning.
The Chrome updates will be applied in the coming days and weeks, with Chrome automatically installing them when the browser is closed and relaunched. Google should be getting used to issuing such emergency fixes. In March, both Google and Microsoft issued updates to fix a vulnerability in the Chromium V8 JavaScript engine that was being actively exploited. That vulnerability, tracked as CVE-2022-1096, was also a high-severity bug in Chrome, Edge and other browsers.
Sources
www.darkreading.com: Google Emergency Update Fixes Chrome Zero-Day
www.theregister.com: Google issues third emergency fix for Chrome this year
chromereleases.googleblog.com: Stable Channel Update for Desktop
CVE-2022-21449 is a vulnerability affecting the use of Elliptic Curve Digital Signature Algorithm (ECDSA) signatures in Java 15, Java 16, Java 17 and Java 18.
This vulnerability originates in an improper implementation of the ECDSA signature verification algorithm and could allow an attacker to intercept communications and messages that should otherwise have been protected, such as SSL communication and authentication processes. It has a CVSS score of 7.5.
Oracle released a patch for the vulnerability on Wednesday after security company ForgeRock informed the OpenJDK vulnerability team about the issue.
This is a “patch now” vulnerability: a sound cryptographic system rendered useless by an implementation error.
Elliptic Curve cryptography isn’t the problem; the problem is how it was implemented in Java.
Do not be put off by the lower CVSS score of 7.5, as this vulnerability has broad potential.
April 20, 2022: Oracle has issued a Critical Patch Update Advisory, which fixes this vulnerability.
ForgeRock offers two workarounds for this vulnerability. Please see the link under Sources below.
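Both the Chrome item above and this Java item come down to the same operational task: find the installations in your environment that sit in the affected range and get them patched. The following is an added example, not code from the bulletin, Oracle, ForgeRock or Google, that reviews a constructed fleet inventory and flags Chromium-based browsers below a per-product fixed build and Java runtimes whose major version is in the 15 to 18 range the bulletin lists for CVE-2022-21449. The Java check parses `java -version` output, including the legacy `1.8.0_x` numbering scheme. The browser baselines are placeholders (the bulletin does not state the fixed build numbers; take them from the vendor release notes), and they are kept per product because each Chromium-based browser has its own build numbering.

```python
import re

# Java major versions the bulletin names as affected by CVE-2022-21449.
JAVA_AFFECTED_MAJORS = {15, 16, 17, 18}

# Browsers built on Chromium; the bulletin notes they need the same fix as Chrome.
CHROMIUM_FAMILY = {"chrome", "chromium", "edge", "brave", "vivaldi"}

# First line of `java -version` output, e.g. openjdk version "17.0.2" 2022-01-18
JAVA_VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def version_tuple(version):
    """'100.0.4896.60' -> (100, 0, 4896, 60) so that builds compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def java_major(version_output):
    """Extract the Java major version from `java -version` output, or None."""
    m = JAVA_VERSION_RE.search(version_output)
    if not m:
        return None
    parts = version_tuple(m.group(1))
    if not parts:
        return None
    # Legacy "1.8.0_321" scheme: the major version is the second number (Java 8).
    if parts[0] == 1 and len(parts) > 1:
        return parts[1]
    return parts[0]


def java_is_affected(version_output):
    """True when the runtime's major version is one the bulletin lists as affected."""
    major = java_major(version_output)
    return major is not None and major in JAVA_AFFECTED_MAJORS


def browser_status(product, version, baselines):
    """Return None when no action is needed, otherwise a short reason string.

    `baselines` maps a lower-case product name to the lowest build considered
    fixed; it is caller-supplied because every Chromium-based browser has its
    own build numbering (Edge's differs from Chrome's).
    """
    name = product.lower()
    if name not in CHROMIUM_FAMILY:
        return None
    baseline = baselines.get(name)
    if baseline is None:
        return "Chromium-based browser without a recorded patch baseline"
    if version_tuple(version) < version_tuple(baseline):
        return f"below fixed build {baseline}"
    return None


def review_inventory(records, browser_baselines):
    """Flag hosts needing action; returns a list of (host, product, reason) tuples."""
    findings = []
    for r in records:
        product = r["product"]
        if product.lower() == "java":
            if java_is_affected(r["version_output"]):
                findings.append((r["host"], product, "Java major version in the CVE-2022-21449 affected range"))
            continue
        reason = browser_status(product, r["version"], browser_baselines)
        if reason:
            findings.append((r["host"], product, reason))
    return findings


# Constructed inventory records (not real hosts), shaped like a fleet tool's output.
INVENTORY = [
    {"host": "ws-01", "product": "Chrome", "version": "100.0.4896.60"},
    {"host": "ws-02", "product": "Edge", "version": "100.0.1185.50"},
    {"host": "ws-03", "product": "Firefox", "version": "99.0"},
    {"host": "ws-04", "product": "Brave", "version": "1.37.111"},
    {"host": "srv-01", "product": "java",
     "version_output": 'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment (build 17.0.2+8-86)'},
    {"host": "srv-02", "product": "java",
     "version_output": 'java version "1.8.0_321"\nJava(TM) SE Runtime Environment (build 1.8.0_321-b07)'},
    {"host": "srv-03", "product": "java", "version_output": 'openjdk version "11.0.14.1" 2022-02-08'},
]

# PLACEHOLDER baselines: substitute the fixed build numbers from the vendor
# release notes; the bulletin does not state them.
PLACEHOLDER_BASELINES = {"chrome": "100.0.4896.100", "edge": "100.0.1185.50"}


if __name__ == "__main__":
    for host, product, reason in review_inventory(INVENTORY, PLACEHOLDER_BASELINES):
        print(f"{host}: {product}: {reason}")
```

A browser in the Chromium family with no recorded baseline is reported rather than silently skipped, since the bulletin's point is that Edge, Brave and Vivaldi need the fix just as Chrome does; the Java check deliberately flags the whole 15 to 18 range and leaves confirming the installed update level to the patching process, because the fixed update numbers are not given here.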
Sources
https://backstage.forgerock.com/knowledge/kb/article/a90257583
The Record by Recorded Future: https://bit.ly/36Ixa3x
Cybercriminals can build specially crafted Prynt ransomware for the small price of $100 a month, which is slightly expensive compared to other malware. The ransomware is known to be stealthy and targets autofill data, including passwords and credit card information, as well as cookies and search history from Chromium-based, Edge and Firefox-based web browsers.
Prynt can also steal data from messaging apps as well as VPN credentials. Working with the autofill data and using keyword searching techniques, threat actors obtain relevant information on banking and cryptocurrency. Cryptocurrency is of greater concern, as the malware locates cryptocurrency wallet directories and leverages this information to steal the funds within them. In addition, clipper tools that monitor data copied to the clipboard detect wallet addresses and replace them with the actor’s address.
Considering that Prynt is threatening and can lead to massive financial losses and other data breaches, it is critical to enable multifactor authentication to strengthen the integrity of your accounts. It is also vital not to use autofill features and to have strong passwords.
Sources
New powerful Prynt Stealer malware sells for just $100 per month (bleepingcomputer.com)
The FBI published an alert regarding the BlackCat variant of ransomware. The FBI states that about 60 organizations worldwide have been impacted by this Ransomware-as-a-Service (RaaS) since November 2021. BlackCat ransomware has been linked to DarkSide/BlackMatter, which was responsible for the Colonial Pipeline Company ransomware attack in May 2021.
BlackCat ransomware actors have been known to exfiltrate data prior to the encryption of files. Furthermore, this variant is written in the Rust programming language, which gives it a lower detection rate against static analysis tools that do not adapt to all programming languages.
BlackCat actors have recently been observed gaining access through external-facing SonicWALL devices. Organizations should ensure public-facing devices are patched and all remote access is secured with multifactor authentication. Long-term recommendations to mitigate the impact of a ransomware attack include offline backups and strict network segmentation.
Sources
https://thehackernews.com/2022/04/fbi-warns-of-blackcat-ransomware-that.html
For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.
For non-strategic clients, please reach out to your Advisor for further discussion.
Copyright © 2023 GreyCastle Security. All Rights Reserved