
    Date: 7/26/2022

    Microsoft 365 Users Receiving “Unusual Sign-In Activity” Alerts With Microsoft-Owned IP Addresses As The Source

    Overview

    On Thursday, July 21, 2022, The Register reported that numerous users were questioning “unusual sign-in activity” alerts from Microsoft 365 in which the source was a Microsoft-owned IP address.

    Potential Impact

    For defenders, the impact ranges from blocking legitimate Microsoft IP addresses to allowing IP addresses that attackers operating from Microsoft Azure are actively using. According to The Register: “Following publication of this article, Microsoft sent us this statement: ‘We are working to resolve a configuration issue causing some customers to receive these notifications in error.’”

    Recommended Actions

    When investigating a potentially malicious IP address, do not assume that an address is safe simply because Microsoft owns it. Use a trusted threat intelligence feed when deciding whether to block an IP address. Mistakes made with IP blocking add significant friction between the information security department and the rest of the organization.


      CISA Urges Patching of Currently Exploited Vulnerability in July 2022 Patch Tuesday Release (CVE-2022-22047)

      Overview

      The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a published list of Known Exploited Vulnerabilities (KEV) that helps organizations prioritize patching efforts. On July 12, CVE-2022-22047 was added to this list, giving federal agencies until August 2, 2022 to patch the vulnerability. CISA strongly urges all organizations to patch items on the KEV list.

      Impact

      CVE-2022-22047 is a zero-day vulnerability, meaning it was exploited before a patch was released. Windows server and client systems are vulnerable, and according to Microsoft, exploitation can lead to an attacker gaining SYSTEM privileges, the highest level of privilege on a local computer.

      Recommended Actions

      The CISA KEV list helps prioritize patching efforts. If your organization runs systems affected by vulnerabilities on this list, apply patches or other mitigations as soon as possible.
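One way to turn the KEV list into a patch queue, as an added example that is not GreyCastle's or CISA's code: the catalog excerpt below is constructed to use the field names of CISA's published KEV JSON feed, the findings list is a hypothetical scanner export, and CVE-2099-00001 and CVE-2021-99999 are placeholder identifiers.

```python
"""Added example (not GreyCastle's or CISA's code): rank scanner findings
against a CISA KEV-style catalog so that KEV-listed CVEs are patched first,
soonest due date first, with overdue items flagged."""
import json
from datetime import date

# Constructed KEV excerpt; the CVE-2022-22047 dates match the briefing above.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2022-22047", "vendorProject": "Microsoft",
     "product": "Windows", "dateAdded": "2022-07-12", "dueDate": "2022-08-02"},
    {"cveID": "CVE-2099-00001", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2022-06-01", "dueDate": "2022-06-22"}
  ]
}"""

# Hypothetical scanner findings (host, CVE). The last CVE is not on the KEV.
FINDINGS = [
    {"host": "srv-01.example.test", "cve": "CVE-2022-22047"},
    {"host": "ws-07.example.test", "cve": "CVE-2022-22047"},
    {"host": "srv-02.example.test", "cve": "CVE-2099-00001"},
    {"host": "ws-07.example.test", "cve": "CVE-2021-99999"},
]


def load_kev(raw):
    """Index a KEV catalog document by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritise(findings, kev, today_iso):
    """Keep KEV-listed findings only, ordered by due date, flagging overdue ones.
    Findings for CVEs not in the catalog are left to the normal patch cadence."""
    today = date.fromisoformat(today_iso)
    hits = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"host": f["host"], "cve": f["cve"],
                     "product": entry["product"], "due": due.isoformat(),
                     "overdue": due < today})
    return sorted(hits, key=lambda h: (h["due"], h["host"]))


if __name__ == "__main__":
    for hit in prioritise(FINDINGS, load_kev(KEV_JSON), "2022-07-26"):
        flag = "OVERDUE" if hit["overdue"] else "due"
        print(f'{flag:8} {hit["due"]}  {hit["cve"]:16} {hit["host"]}')
```

Swap KEV_JSON for the live catalog download and FINDINGS for your scanner export to get the same ordering on real data.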

      Sources

      https://www.cisa.gov/known-exploited-vulnerabilities-catalog
      https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047

      QBot Phishing Attacks Using Windows Calculator

      Overview

      QBot malware, a popular Cobalt Strike dropper, has been a go-to attack vector for ransomware gangs. Most commonly delivered via phishing, QBot side-loads its malicious Dynamic Link Library (DLL) through native Windows binaries, giving it a high level of stealth and ‘living off the land’ capability. Recently, Twitter user ProxyLife, a well-known security researcher, observed QBot using the Windows Calculator (calc.exe) as its primary side-loading binary.

      Potential Impact

      QBot’s ability to hide from security tools by utilizing native binaries makes it an especially dangerous malware strain for organizations to defend against. Additionally, its chosen post-exploitation objective of installing Cobalt Strike can lead to Command and Control (C2) communications and further post-exploitation actions.

      Recommended Actions

      QBot’s primary attack vector is phishing email, often carrying a malicious HTML attachment that downloads a password-protected ZIP archive containing a malicious ISO file. Password-protecting the ZIP archive prevents content scanning and evades antivirus detection. Organizations can defend against QBot by focusing on this primary delivery vector. Deploy a quality email-security solution to detect and stop phishing emails before they reach end users, conduct routine security awareness training so users can identify phishing emails and know what to do when they find one, and use advanced Endpoint Detection and Response (EDR) tools to defend against malware such as QBot.
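A detection heuristic for the calc.exe side-loading described above, as an added example that is not GreyCastle's or any vendor's code: it scans image-load telemetry for a watched native binary running outside a Windows system directory, loading a DLL from a non-system path, or loading an unsigned DLL. The telemetry lines are constructed to resemble what a sensor such as Sysmon event 7 records; the field names, the D:\ mount path and helper.dll are hypothetical.

```python
"""Added example (not GreyCastle's or any vendor's code): flag DLL
side-loading through calc.exe in image-load telemetry. Events are constructed;
field names, the D:\\ ISO mount path and helper.dll are hypothetical."""
import json
from pathlib import PureWindowsPath

# Legitimate locations for Windows system binaries and the DLLs they load.
SYSTEM_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]
# Native binaries to watch; extend this set for other side-loading hosts.
WATCHED = {"calc.exe"}

# Constructed telemetry: a benign load, a load from a mounted ISO, a load from
# a user temp directory, and a process that is not on the watch list.
EVENTS = [
    r'{"process": "C:\\Windows\\System32\\calc.exe", "image_loaded": "C:\\Windows\\System32\\shell32.dll", "signed": true}',
    r'{"process": "D:\\calc.exe", "image_loaded": "D:\\helper.dll", "signed": false}',
    r'{"process": "C:\\Users\\alice\\AppData\\Local\\Temp\\calc.exe", "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", "signed": true}',
    r'{"process": "C:\\Windows\\System32\\notepad.exe", "image_loaded": "D:\\helper.dll", "signed": false}',
]


def in_system_dir(path):
    """True when the file sits under a Windows system directory (case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(d in parents for d in SYSTEM_DIRS)


def classify(event):
    """Return the reasons an image load by a watched binary looks like side-loading."""
    if PureWindowsPath(event["process"]).name.lower() not in WATCHED:
        return []
    reasons = []
    if not in_system_dir(event["process"]):
        reasons.append("watched binary executed outside a system directory")
    if not in_system_dir(event["image_loaded"]):
        reasons.append("DLL loaded from a non-system path")
    if not event.get("signed", False):
        reasons.append("loaded DLL is unsigned")
    return reasons


def scan(lines):
    """Parse JSON telemetry lines and return one alert per suspicious load."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({**event, "reasons": reasons})
    return alerts
```

Running scan(EVENTS) yields two alerts (the ISO-mounted and temp-directory loads); the benign System32 load and the unwatched process produce none.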

      Sources
      https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/?&web_view=true

      New CosmicStrand UEFI Rootkit

      Overview

      Securelist, along with Qihoo 360, has discovered a new, highly sophisticated rootkit affecting UEFI systems, named CosmicStrand. This rootkit has been observed on Gigabyte and ASUS motherboards, specifically those using the H81 chipset. Security researchers at Qihoo 360 believe the rootkit may have gained most of its foothold through second-hand motherboards from resellers and refurbishment providers. However, this has not been proven, and organizations should consider it a potential security risk for all Gigabyte and ASUS motherboards.

      Potential Impact

      Rootkits such as CosmicStrand pose a significant technical challenge to detect and defend against, as they embed themselves in the system firmware, below the operating system. This allows them to evade many modern endpoint security tools. Although rare, rootkit infection is a serious concern, and affected machines should be considered fully compromised.

      Recommended Actions

      Rootkits are most commonly installed as a post-exploitation action, which means an initial compromise has already occurred. An organization’s primary defense should therefore be centered on well-implemented anti-malware practices: advanced Endpoint Detection and Response (EDR) solutions, adequate logging and analysis, and quality security awareness training for end users. Network traffic analysis can also detect Command and Control (C2) communications effectively, identifying compromised assets when endpoint solutions have failed.

      Sources
      https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/?web_view=true

      SonicWall SQL Injection Vulnerability

      Overview

      SonicWall has published a security advisory for a SQL injection vulnerability assigned CVE-2022-22280. The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command in the SonicWall Global Management System (GMS) product. CVE-2022-22280 has been given a severity score of 9.4, categorizing it as ‘Critical’.

      Potential Impact

      This vulnerability allows SQL injection from remote systems without authentication or user interaction. Although SonicWall has stated that no active exploitation has been observed in the wild, the threat intelligence community believes malicious actors are quickly developing exploits.

      Recommended Actions

      Currently, there are no published workarounds for this vulnerability. Instead, applying the security patch GMS 9.3.1-SP2-Hotfix-2 significantly reduces the likelihood of exploitation. Guidance can be found on SonicWall’s official advisory page: https://www.sonicwall.com/support/notices/security-notice-sonicwall-gms-sql-injection-vulnerability/220613083124303/

      Sources
      https://www.digitalshadows.com/blog-and-research/ransomware-in-q2-2022-ransomware-is-back-in-business/

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
