
    Date: 12/20/2022

    Threat Actors Sign Malicious Drivers With Microsoft Certificates

    Overview

    In a security advisory released on December 13, 2022, Microsoft disclosed that “drivers certified by Microsoft Windows Hardware Developer Program were being used maliciously in post-exploitation activity.” The advisory attributes this activity to “abuse of several developer program accounts,” yet paradoxically goes on to state that “no compromise has been identified.”

    Potential Impact

    This abuse was discovered by Mandiant and Sophos in the course of ransomware incident response. It is common for incident responders to ignore signed drivers and software during triage efforts, as most malicious software is unsigned. The fact that these drivers were signed with Microsoft certificates makes their detection quite difficult.

    Recommended Actions

    This news, combined with findings recently published by Google (as described in Wired magazine) indicating that a number of compromised “platform certificates” had been used to sign malicious Android apps, suggests that detection of malicious activity will not get easier in 2023.

    Ensure that software patches are applied soon after release. Keep security detection and prevention technologies up-to-date and train staff on their proper usage. Augment security staff by acquiring an incident response retainer with a reputable information security company. Use this retainer when suspicious activity cannot be explained by in-house staff.


      Veeam Backup and Replication Vulnerabilities Being Exploited

      Overview

      The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two vulnerabilities impacting Veeam Backup software to the catalog of known exploited vulnerabilities. These vulnerabilities are tracked as CVE-2022-26500 and CVE-2022-26501, and both have a CVSS score of 9.8.

      Potential Impact

      These vulnerabilities reside in the Veeam Distribution Service, which listens on TCP port 9380 by default and allows unauthenticated users to access internal API functions. An unauthenticated attacker positioned on the internal network could therefore execute code remotely on the backup server. As in many ransomware attacks, threat actors look to encrypt or delete backups, and these vulnerabilities may be leveraged to achieve that goal.

      Recommended Actions

      Ensure patches have been applied. Patches are available for both vulnerabilities in 11a (build 11.0.1.1261 P20220302) and 10a (build 10.0.1.4854 P20220304). Furthermore, ensure that an offline copy of backups is maintained so that data can be restored in the event of Veeam backup corruption.  
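      As an added example (not code from the briefing or from Veeam), the following Python checks an installed Veeam build string against the fixed builds named above, so an inventory of backup servers can be triaged for CVE-2022-26500/CVE-2022-26501 exposure. It assumes that the build string has the same shape as Veeam's own "11.0.1.1261 P20220302" notation and that cumulative patches keep the build number while carrying a later P-date tag; the host inventory is constructed sample data.

```python
import re
from typing import NamedTuple, Optional

# Fixed builds named in the Veeam advisory (KB4288): major line -> (build, patch tag).
FIXED_BUILDS = {
    10: ((10, 0, 1, 4854), "P20220304"),
    11: ((11, 0, 1, 1261), "P20220302"),
}

class VeeamBuild(NamedTuple):
    numbers: tuple          # e.g. (11, 0, 1, 1261)
    patch: Optional[str]    # e.g. "P20220302", or None when no patch tag is present

# Assumption: build strings look like "11.0.1.1261" optionally followed by " P20220302".
_BUILD_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})(?:\s+(P\d{8}))?\s*$")

def parse_build(text: str) -> VeeamBuild:
    """Parse a Veeam build string; raise ValueError for anything else."""
    m = _BUILD_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Veeam build string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return VeeamBuild(numbers, m.group(2))

def is_patched(text: str) -> bool:
    """True if the build is at or past the fix for its major version line.

    Lines older than 10 receive no fix and count as unpatched; lines newer
    than 11 postdate the fixes and count as patched."""
    build = parse_build(text)
    major = build.numbers[0]
    if major < 10:
        return False
    if major > 11:
        return True
    fixed_numbers, fixed_patch = FIXED_BUILDS[major]
    if build.numbers != fixed_numbers:
        # Tuple comparison: a shorter prefix such as (11, 0, 1) sorts below the fix.
        return build.numbers > fixed_numbers
    # Same build number: the fix ships as a patch, so a tag at or after the fixed
    # one is required. Tags are 'P' + YYYYMMDD, so string order is date order.
    return build.patch is not None and build.patch >= fixed_patch

# Constructed sample inventory (hostname -> build string), not real data.
SAMPLE_INVENTORY = {
    "vbr-01": "11.0.1.1261 P20220302",
    "vbr-02": "11.0.1.1261",
    "vbr-03": "10.0.1.4854 P20220304",
    "vbr-04": "10.0.0.4461",
    "vbr-05": "9.5.4.2866",
}

def unpatched_hosts(inventory: dict) -> list:
    """Hostnames whose build is still exposed to CVE-2022-26500/26501."""
    return sorted(host for host, build in inventory.items() if not is_patched(build))
```

Hosts reported by `unpatched_hosts` should also be checked for TCP 9380 reachability from non-management networks, since the fix and the exposure are independent.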

      Sources

      https://www.veeam.com/kb4288

      https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html

      Microsoft SmartScreen Vulnerability Targeted

      Overview

      On December 13, 2022, Microsoft published CVE-2022-44698, a vulnerability in the SmartScreen application that allows for bypassing inbuilt security features in the Windows Operating System. Although this vulnerability was patched on Tuesday, threat actor groups have been seen actively exploiting this vulnerability in the wild.

      Potential Impact

      The primary attack involves threat actors using malicious JavaScript files to deliver malware such as Magniber and Qbot. These files are often sent via phishing campaigns. Bypassing the inbuilt security features gives threat actors an easy foothold in environments that lack a proper defense-in-depth approach.

      Recommended Actions

      Organizations are urged to ensure that December’s Patch Tuesday updates have been adequately deployed across the environment’s Windows footprint. Additionally, deploying security-specific software on top of the built-in Windows features can allow organizations to better control and prevent attacks like these.

      Sources

      https://cyware.com/news/hackers-exploit-bug-in-windows-security-feature-to-drop-ransomware-76479fa7

      https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44698

      Citrix and Fortinet Zero-Days Actively Targeted

      Overview

      The Chinese state actor group APT5 has been seen exploiting zero-day vulnerabilities in Citrix and Fortinet products. These vulnerabilities include Citrix’s CVE-2022-27518 and Fortinet’s CVE-2022-42475. APT5 has been actively targeting internet-exposed Citrix and Fortinet systems that are improperly patched, specifically across Southeast Asia, Europe, and the United States.

      Potential Impact

      These vulnerabilities allow threat actors to execute arbitrary code on the appliance, giving them a powerful initial access avenue. APT5 in particular relies on establishing footholds that are hard to detect and focuses on operating under the radar. Once discovered, APT5 has been seen to ‘go dark’ and halt malicious actions for an extended period of time, only to return with modified tactics and additional emphasis on evasion.

      Recommended Actions

      An organization should ensure that any internet-exposed system is adequately patched and monitored for malicious activity. This is especially true with these recent Citrix and Fortinet vulnerabilities. Additionally, an up-to-date asset inventory helps ensure that externally accessible devices are not overlooked; this includes proper decommissioning policies and procedures.

      Sources

      https://cyware.com/news/chinese-attackers-target-citrix-and-fortinet-zero-days-in-the-wild-93abff0d

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27518

      https://www.fortiguard.com/psirt/FG-IR-22-398

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

