    Date: 7/11/2022

    Follina Exploitation Observed in the Wild

    Overview

    Malicious actors continue to target CVE-2022-30190 (“Follina”), a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). MSDT can be invoked through the ms-msdt: URL protocol from a calling application such as Microsoft Word, and a successful exploit runs arbitrary code with the privileges of that application, so the attacker needs no credentials on the target, only a user who opens the document. Microsoft addressed the flaw on June 14, 2022, as part of the monthly Windows updates. The vulnerability is now being exploited to deploy the Rozena backdoor.

    Potential Impact

    The Rozena infection chain starts with a malicious Office document delivered through social engineering campaigns; when opened, it abuses the MSDT flaw to establish a remote shell connection to an attacker-controlled system. Once that connection is established, the attacker runs PowerShell commands and delivers further-stage payloads, including batch files that establish persistence through Windows Registry modification and download a harmless Word document as a decoy.
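    The document-side indicators of this chain can be checked without opening the file in Word. The following is an added example written for this briefing, not code from the original page or from Fortinet: it unpacks a .docx (an OOXML zip), flags any oleObject relationship whose TargetMode is External and whose Target is an http, https or mhtml URL (the way a Follina document reaches the attacker-hosted HTML that in turn carries the ms-msdt: URI), and also searches every part, or the raw bytes of a non-zip carrier such as RTF, for a literal ms-msdt: scheme. The two sample documents and the RTF fragment are constructed in memory, and the example.invalid hostname is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REMOTE_TARGET = re.compile(r"^(https?|mhtml):", re.IGNORECASE)
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    # Non-OOXML input (e.g. an RTF carrier): only the raw scheme search applies.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if MSDT_SCHEME.search(data):
            findings.append("raw: contains ms-msdt: URI")
        return findings

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            part = z.read(name)
            # 1. Relationship parts: an OLE object linked to a remote URL.
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(part)
                except ET.ParseError:
                    findings.append(f"{name}: unparsable relationships part")
                    continue
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if (rel.get("Type") == OLE_REL_TYPE
                            and rel.get("TargetMode") == "External"
                            and REMOTE_TARGET.match(rel.get("Target", ""))):
                        findings.append(
                            f"{name}: external OLE link {rel.get('Id')} -> {rel.get('Target')}")
            # 2. Any part that carries the MSDT protocol scheme directly.
            if MSDT_SCHEME.search(part):
                findings.append(f"{name}: contains ms-msdt: URI")
    return findings


def build_sample(ole_target: str, external: bool) -> bytes:
    """Construct a minimal .docx in memory (constructed sample data, not a real document)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId996" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Link" ProgID="htmlfile" r:id="rId996" UpdateMode="Always"/>'
        "</w:object></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/styles.xml", '<?xml version="1.0"?><styles/>')
    return buf.getvalue()


# Constructed samples: a Follina-style document, a benign embedded object, an RTF fragment.
SUSPICIOUS_DOC = build_sample("http://example.invalid/payload.html!", external=True)
BENIGN_DOC = build_sample("embeddings/oleObject1.bin", external=False)
RTF_CARRIER = b"{\\rtf1 constructed sample ms-msdt:/id PCWDiagnostic /skip force }"

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_DOC), ("benign", BENIGN_DOC), ("rtf", RTF_CARRIER)):
        print(label, scan_docx(blob) or ["clean"])
```

    Run it over a quarantined attachment store before users ever see the files; a hit on an external OLE link is a strong signal on its own, since legitimate documents almost never link an OLE object to an HTTP URL.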

    Recommended Actions

    Awareness and user education continue to be essential to mitigating incidents that stem from malicious emails. Users and administrators should ensure Windows systems are kept up to date, in particular with the June 14, 2022 updates that address CVE-2022-30190. Systems that cannot yet be patched can use Microsoft's published workaround of disabling the ms-msdt: URL protocol handler (back up the HKEY_CLASSES_ROOT\ms-msdt registry key, then delete it), restoring the key once the update is installed. Administrators should also consider blocking zip email attachments and other attachment types that rarely have a legitimate business purpose.


      Fortinet Addressing Vulnerabilities, Including Path Traversal and Privilege Escalation

      Overview

      Fortinet addressed multiple vulnerabilities across its security products. These include path traversal vulnerabilities in the management interface of FortiDeceptor (CVE-2022-30302), the deception platform that deploys virtual machines as honeypots for network intruders, as well as a privilege escalation via directory traversal in FortiClient for Windows and an unprotected MySQL root account in FortiNAC.

      Potential Impact

      Exploiting these vulnerabilities requires authenticated access, and there have been no reports of exploitation in the wild to date. Administrators should nonetheless be aware that a successful exploit could lead to device compromise, particularly once public exploit code becomes available.

      Recommended Actions

      Review security advisories published by Fortinet and apply the latest updates and patches. A list of advisories for July 2022 can be found here: https://www.fortiguard.com/psirt-monthly-advisory/july-2022-vulnerability-advisories

      Sources

      https://www.fortiguard.com/psirt-monthly-advisory/july-2022-vulnerability-advisories
      https://portswigger.net/daily-swig/fortinet-patch-batch-remedies-multiple-path-traversal-vulnerabilities

      China Suffers Massive Billion Record Breach – Cause? Simple Human Error

      Overview

      In what may be the most significant data breach in human history, an attacker offers to sell the data of a billion Chinese citizens. According to Wired magazine, a management dashboard was publicly exposed, allowing attackers with “basic technical skills” to download information without a password.

      Potential Impact

      Considering the massive and well-known government surveillance program imposed upon Chinese citizens, this breach will likely have a high impact on the Chinese citizenry. Identity theft, phishing, and extortion will all be facilitated if this data gets into the hands of motivated attackers.

      Recommended Actions

      Securing data in the cloud is challenging. Misconfiguration of cloud services is an all-too-common source of data exposure. Applications and data storage need to be carefully planned by well-trained people and supported by rigorous change control measures. At a minimum, management dashboards should be reachable only from internal networks, should always require authentication, and should be included in routine external exposure scans so an accidental change is caught before an attacker finds it. We suggest you join GreyCastle Security’s webinar on Managing Cloud Computing Cybersecurity on Thursday, July 14, to gain insight into common cloud attack methods and security considerations. Click here to register today – https://greycastlesecurity.zoom.us/webinar/register/1116575532756/WN_f8dyR9L-Tiih63fLTwVd-Q

      Sources
      https://www.wired.com/story/chinese-police-exposed-1-billion-peoples-data/
      https://www.nytimes.com/2022/07/05/business/china-police-data-breach.html

      Data From More Than 650 Healthcare Organizations Exposed by Third-Party Business Associate

      Overview

      According to sources such as Cyware and Hipaajournal.com, a February 2022 ransomware attack on “Professional Finance Company,” a debt collection firm based in Greeley, Colorado, resulted in the exposure of patient data belonging to 657 healthcare organizations.

      Impact

      Exposed data included sensitive personal information, including names, addresses, payment information, social security numbers, and patients’ birth dates. Data such as this is more than enough to launch identity theft attacks against the victims.

      Recommended Actions

      Security programs must address all aspects of information handling for cloud services, on-premises implementations, and third-party data exchange. GreyCastle Security recommends reviewing all contracts to address cybersecurity concerns appropriately.

      Sources
      https://www.hipaajournal.com/657-healthcare-providers-affected-by-ransomware-attack-on-professional-finance-company/
      https://cyware.com/news/over-650-healthcare-organizations-affected-by-the-quantum-ransomware-attack-d0e776bb/

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

