Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month's patch batch includes fixes for seven "critical" flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

**Microsoft** today released updates to fix at least 74 separate security problems in its **Windows** operating systems and related software. This month’s patch batch includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

By all accounts, the most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “**Local Security Authority**” process within Windows). CVE-2022-26925 was publicly disclosed prior to today, and Microsoft says it is now actively being exploited in the wild. The flaw affects Windows 7 through 10 and Windows Server 2008 through 2022.

**Greg Wiseman**, product manager for **Rapid7**, said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.

“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. “This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution. This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.”

Wiseman said the most recent time Microsoft patched a similar vulnerability — last August in CVE-2021-36942 — it was also being exploited in the wild under the name “PetitPotam.”

“CVE-2021-36942 was so bad it made CISA’s catalog of Known Exploited Vulnerabilities,” Wiseman said.

Seven of the flaws fixed today earned Microsoft’s most-dire “critical” label, which it assigns to vulnerabilities that can be exploited by malware or miscreants to remotely compromise a vulnerable Windows system without any help from the user.

Among those is CVE-2022-26937, which carries a CVSS score of 9.8, and affects services using the **Windows Network File System** (NFS). **Trend Micro’s Zero Day Initiative** notes that this bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems.

“NFS isn’t on by default, but it’s prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix,” ZDI’s **Dustin Childs** wrote. “If this describes your environment, you should definitely test and deploy this patch quickly.”

Once again, this month’s Patch Tuesday is sponsored by **Windows Print Spooler**, a core Windows service that keeps spooling out the security hits. May’s patches include four fixes for Print Spooler, including two information disclosure and two elevation of privilege flaws.

“All of the flaws are rated as important, and two of the three are considered more likely to be exploited,” said **Satnam Narang**, staff research engineer at **Tenable**. “Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation of Privilege flaws in particular should be carefully prioritized, as we’ve seen ransomware groups like Conti favor them as part of its playbook.”

Other Windows components that received patches this month include **.NET** and **Visual Studio**, **Microsoft Edge** (Chromium-based), **Microsoft Exchange Server**, **Office,** **Windows Hyper-V**, **Windows Authentication Methods**, **BitLocker**, **Remote Desktop Client**, and **Windows Point-to-Point Tunneling Protocol**.

Also today, Adobe issued five security bulletins to address at least 18 flaws in **Adobe CloudFusion**, **Framemaker**, **InCopy**, **InDesign**, and **Adobe Character Animator**. Adobe said it is not aware of any exploits in the wild for any of the issues addressed in today’s updates.

For a more granular look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the skinny on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

Microsoft Patch Tuesday, May 2022 Edition

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft squashed 74 security vulnerabilities with its May 2022 Patch Tuesday update, including an important-rated zero-day bug that's being actively exploited in the wild and several that are likely widely present across enterprises.

It also patched seven critical flaws, 65 other important-rated bugs, and one low-severity issue. The fixes run the gamut of the computing giant's portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

**3 Zero-Days, 1 Actively Exploited**  
The actively exploited bug (CVE-2022-26925) is a Windows LSA-spoofing vulnerability that rates 8.1 out of 10 on the CVSS vulnerability-severity scale – however, Microsoft notes in its advisory that it should be bumped up to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

"\[A\]n unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," Microsoft warns in its advisory – a concerning situation considering that domain controllers provide high-level access to privileges.

Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server – which they can then use to authenticate to the remote server with the compromised user's privileges.

That said, the bug is tougher to exploit than most, explains Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs in a Tuesday blog. "The threat actor would need to be in the logical network path between the target and the resource requested (e.g., man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen."

Tyler Reguly, manager of security R&D at Tripwire, tells Dark Reading that the bug could be related to a previously seen threat known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

"Based on Microsoft’s provided links, this looks to be related to the previous PetitPotam patch," he notes, adding that researchers will be guessing about that. "This is a prime example of where detailed executive summaries that explain what is happening were useful in the past. It would be great if Microsoft could return to providing those on a regular basis," he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS not available) in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver – "a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory," as ZDI's Childs explains.

He adds, "This update is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services."

The final zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial-of-service (DoS).

**Leading Lights: Critical Microsoft Security Bugs to Patch Now**  
As far as other patches for admins to prioritize this month, some of the critical-rated issues are far-reaching across organizational infrastructure and could affect millions of companies, researchers warn.

"The big news is the critical vulnerabilities that need to be highlighted for immediate action," Chris Hass, director of security at Automox, tells Dark Reading. "This month features vulnerabilities in a number of applications that are prevalent in most enterprise organizations, including NSF, Remote Desktop Client, and Active Directory."

For instance, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code-execution (RCE) in the context of the highly privileged NFS service, according to Microsoft's advisory. To boot, its ubiquity is Log4j-like: It "is present in every Windows Server version from 2008 forward," Hass says, "which puts most organizations at risk if action isn't taken quickly."

Further, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data, often part of a ransom attempt," Kevin Breen, director of cyber threat research at Immersive Labs, tells Dark Reading.

In terms of who should especially prioritize the patch, "NFS isn't on by default, but it's prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly," Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the also-ubiquitous Remote Desktop (RDP) Client.

"With more remote workers than ever, enterprises need to put anything affecting RDP on the radar — especially given its popularity with ransomware actors and access brokers," he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Domain Services and could allow elevation of privilege thanks to an issue with the issuance of certificates. ZDI, which reported the bug, says that an attacker can gain access to a certificate to authenticate to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain admin if Active Directory Certificate Services are running.

"This is a very common deployment," Childs says. "Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later."

Of less concern, Breen says, are a group of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These "appear particularly threatening; however, they have been marked by Microsoft as 'exploitation less likely' as they require a default configuration unlikely to exist in most environments," he notes. "It's not to say there is no need to patch these, rather a reminder that context is important when prioritizing patches."

**The Worst of the Rest**  
A handful of other vulnerabilities that also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive bull's-eye for cyberattackers.

"There were several Windows Print Spooler vulnerabilities patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132)," Satnam Narang, staff research engineer at Tenable, tells Dark Reading. "All of the flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation-of-privilege flaws in particular should be carefully prioritized, as we've seen ransomware groups like Conti favor them as part of its playbook."

Breen also highlighted two other important-rated bugs as patching priorities:

*   CVE-2022-29108, a remotely executable flaw in Sharepoint that could likely be abused by an attacker seeking to move laterally across an organization. "Requiring authenticated access to exploit, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain," Breen warns.
*   A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose an enterprise’s confidential data, according to Breen.

Virsec CTO and co-founder Satya Gupta says that overall, the broader context of Microsoft's patching trends is important to consider for defenders. Specifically, in the last year, more than a third of the patches (1,330, or 36%) are for RCE issues.

"This of course represents a massive opportunity for malicious actors to compromise nearly any customer," he says. "In total, several of May's vulnerabilities represent a Log4j level of exposure, particularly if you consider what it would take to patch millions of servers."

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

Company delivers new vulnerability management offering to help resource-constrained organizations combat increasing attacks on mission-critical SAP applications .

BOSTON, May 10, 2022 – Onapsis, the leader in business-critical application cybersecurity and compliance, today announced the release of Onapsis Assess Baseline. In a world where business-critical applications are under attack every day, this new offering accelerates organizations’ abilities to kickstart their SAP vulnerability management programs by better aligning with the SAP Security Baseline.

The exponential growth of targeted ransomware and the increased threat of cyber warfare due to global conflict means that organizations must re-evaluate how they secure their most critical systems. Amid this evolving, more aggressive threat landscape, companies struggle to keep up with patching the growing number of vulnerabilities exploited by threat actors to gain access to their business-critical applications. Onapsis Assess Baseline empowers companies of any size to accelerate time-to-value by simplifying deployment with a new SaaS-based, zero-footprint model and focusing on a core, targeted set of critical vulnerabilities as first steps on their journey to ensure cybersecurity, compliance, and availability of their SAP applications. When organizations are ready to take on more, Onapsis Assess Baseline offers easy expansion to additional scope for vulnerability management as well as capabilities for continuous threat monitoring and application security testing.

**Key Organizational Benefits with Onapsis Assess Baseline:**

Reduce Implementation Overhead with an Accelerated Deployment: Whether in their own cloud, on-premises, or through Onapsis’ SaaS platform, Assess Baseline offers quick deployment and implementation with zero footprint scanning.

Accelerate Time-to-Value for SAP Vulnerability Management: Onapsis SaaS users can scan with Assess Baseline against the SAP-recommended security baseline requirements for an organization’s SAP systems within hours. The scans deliver powerful context around critical vulnerabilities, instructions on how to mitigate, and confidence that patches were applied, saving valuable resource time.

Technology that Scales and Grows When You’re Ready: Deploy where you want. Scan across the entire SAP landscape. Start small and target the most critical systems first, get them aligned to a baseline, and then expand the security scope across the organization on your terms.

“Securing business-critical applications has always been challenging, but there’s a larger bullseye on the backs of organizations today - more than ever before - as sophisticated threat actors increasingly target Enterprise Resource Planning (ERP) systems,” said Mariano Nunez, CEO of Onapsis. “We have successfully helped the world’s largest and most sophisticated organizations integrate their business applications into their cybersecurity and compliance programs. Now, Assess Baseline makes it easy for customers who are getting started with their SAP application security programs to quickly and effectively jumpstart protecting the applications that power their businesses.”

The Onapsis Platform secures the critical SAP applications that keep the global economy running. The platform is purpose-built to deliver impactful vulnerability management, advanced threat detection, custom code inspection, and automated compliance that enables global organizations to accelerate their business and digital transformation initiatives. The Onapsis Platform is deeply informed by the latest threat intelligence and security guidance from the Onapsis Research Labs. This market-leading team has discovered more than 800 zero-day vulnerabilities and is responsible for multiple critical global CERT alerts.

“Today’s threat landscape requires a holistic approach to securing business-critical SAP applications such as ERP software,” said Steve Biskie, national ERP risk and automation services leader with RSM US LLP.

“It is exciting to see Onapsis continuing to innovate its solutions to assist companies on their security maturity journey. The new Baseline license can help pave the way for more organizations to have an entry point into vulnerability management for SAP applications that could help keep their critical data and applications safe and compliant.”

Attending the SAP Sapphire conference? Visit the Onapsis booth to learn more: #PA219

To schedule a time to speak with an Onapsis expert while at Sapphire, please visit: https://onapsis.com/sapphire-22

**About Onapsis**

Onapsis protects the business-critical applications that run the global economy, from the core to the cloud. The company’s cybersecurity and compliance solution offering, The Onapsis Platform, uniquely delivers vulnerability management, threat detection and response, change assurance, and continuous compliance for business-critical applications from leading vendors such as SAP, Oracle, Salesforce, and other SaaS platforms.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg, Germany and Buenos Aires, Argentina, and proudly serves more than 300 of the world’s leading brands, including 20% of the Fortune 100, 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies, and 3 of the top 10 oil and gas companies.

The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in business-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM, PwC, and KPMG — making Onapsis solutions the standard in helping organizations protect their cloud, hybrid, and on-premises business-critical information and processes.

For more information, connect with us on Twitter or LinkedIn, or visit us at https://onapsis.com/.

Onapsis Announces New Offering to Jumpstart Security for SAP Customers

War in Ukraine and ransomware trends top the agenda at this year’s NCSC conference

War in Ukraine and ransomware trends top the agenda at this year’s NCSC conference

More than 2.7 million scams were removed from the internet in 2021 thanks to an expansion of the UK government’s Active Cyber Defence (ACD) program.

Led by GCHQ’s National Cyber Security Centre (NCSC), successful ACD action has increased by a factor of four over the past 12 months.

This is according to preliminary figures in the latest ACD annual report, which was released today (May 10) on the first day of the NCSC-organized CyberUK conference.

**Behind the scenes**

During a directors’ panel session at CyberUK today, Ian Levy, technical director of NCSC, said the volume of scams blocked by the agency has increased by a factor of almost four, thanks in part to the inclusion of new categories of fraud.

For example, the NCSC has started blocking extortion-based scams against individuals and parcel delivery firms, along with ‘celebrity endorsed investment scams’.

**RECOMMENDED** Russia behind cyber-attack on satellite internet network that disrupted Ukrainian infrastructure

Themes used by scammers included fake coronavirus vaccines and vaccine passports. One campaign was even discovered to be impersonating the CEO of the NCSC, Lindy Cameron.

For example, the NCSC removed more than 1,400 NHS-themed phishing campaigns last year – an 11-fold increase on 2020.

The ACD program – which works alongside the disruption of cybercrime forums such as the recent takedown of Hydra – to “increase costs and reduce opportunities for cybercriminals”, according to the NCSC.

Levy added that the agency was working with telecommunications providers to make it more difficult for criminals to spoof the phone number of reputable firms, a trick sometimes used by scammers to make frauds more credible.

**Eastern front**

The preliminary results from the annual report on the ACD program were released on the first day of CyberUK 2022. The full version is due to be published next week.

Other key topics topping the agenda at the event included Russia’s invasion of Ukraine and the ongoing threat from ransomware.

Read more of the latest cybercrime news from around the world

Western government agencies including GCHQ have blamed Russia for a series of attacks in the run up to and during its invasion of Ukraine.

These have included the deployment of destructive wiper-style malware, as well as the February 24 attack against ViaSat – an attack primarily aimed at the Ukrainian military that also hit wind farms in central Europe and internet users outside Ukraine.

“We’ve seen spill over from some of the attacks on Ukraine but nothing on the scale of NotPetya,” commented the NCSC’s Lindy Cameron.

NCSC operations director Paul Chichester added that the war in Ukraine has been accompanied by the “most offensive set of cyber operations one country has launched against another country” and the only reason they have not had a bigger effect is because of the “resilience of Ukraine”.

**Disrupting cybercrime**

The war in Ukraine has been accompanied by a raft of sanctions, including banking restrictions against Russia.

These restrictions have impeded the ability of Russian-based cybercriminals to buy or rent internet infrastructure as well as their ability to cash out the proceeds of ransomware scams, according to senior NSA advisor Rob Joyce.

UK government officials were reluctant to endorse these findings while private sector experts told _The Daily Swig_ it was too early to say definitively whether the war in Ukraine was disrupting cybercrime infrastructure.

“For the most part it’s business as usual for cybercriminals,” Zeki Turedi, CrowdStrike’s EMEA CTO, told _The Daily Swig_.

Much is written about attacks leveraging zero-day vulnerabilities, but the main modus-operandi of cybercriminals remains scanning the networks and cloud-environments of enterprises for known vulnerabilities, according to Turedi.

Turedi said: “There’s been a huge increase in attacks against low hanging fruit” such VPNs, firewalls and web apps.

This year’s CyberUK is taking place in Newport, Wales. _The Daily Swig_ will be back with more coverage throughout the week.

**YOU MIGHT ALSO LIKE** EU targets standardization as key to bloc-wide cyber-resilience

UK government blocked four times as many cyber-scams in 2021 than previous year, CyberUK delegates told

Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Photoshop | APSB22-20

**Bulletin ID**

**Date Published**

**Priority**

APSB22-20

April 12,  2022        

3

**Summary**

Adobe has released an update for Photoshop for Windows and macOS. This update resolves multiple critical vulnerabilities  Successful exploitation could lead to arbitrary code execution  
in the context of the current user.     
                   

**Affected Versions**

22.5.6 and earlier versions       

23.2.2 and earlier versions

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.    

**Product**

**Updated versions**

**Platform**

**Priority**

Photoshop 2021  

22.5.7

Windows and macOS  

3  

Photoshop 2022

23.3

Windows and macOS

3

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**   

**CVSS vector**  

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28270  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28271  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28272  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28273  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28274  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28275  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28276  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28277  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28278  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28279  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-24105  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-24098  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-23205  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2022-24099  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-28272, CVE-2022-28273, CVE-2022-28274, CVE-2022-28275, CVE-2022-28276, CVE-2022-28277, CVE-2022-28278, CVE-2022-23205, CVE-2022-28279 and CVE-2022-24099  
    
*   Francis Provencher {PRL} working with Trend Micro Zero Day Initiative - CVE-2022-28270 and CVE-2022-28271  
    
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative - CVE-2022-24105 and CVE-2022-24098

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-28279: Adobe Security Bulletin

Researcher to reveal fresh details at Black Hat Asia on a tenacious cyber-espionage group attacking specific military, law enforcement, aviation, and other entities in Central and South Asia.

It's one of the more prolific yet lesser-known nation-state hacking groups in the world, and it's not out of China or Russia. The so-called SideWinder (aka Rattlesnake or T-APT4) group has been on a tear over the past two years, launching more than 1,000 targeted attacks.

Noushin Shabab, senior security researcher with Kaspersky, has been tracking SideWinder since 2017 and will share her latest findings on this cyber-espionage team at Black Hat Europe in Singapore this month.

"They have been very persistent in their attacks in terms of targeting specific victims over and over, with new malware and newly registered domains," Shabab says. "So even if the target has suspected that a previous attempt had malicious intentions — like with spear-phishing emails and so on — the threat actor has tried to use a new infection vector and use a new domain to try their luck, over and over."

SideWinder also has upped its game when it comes to hiding its tracks and deflecting detection — as well as in thwarting researchers. The threat group now executes a more complex attack chain that uses multiple layers of malware, additional obfuscation, and memory-resident malware that leaves no evidence of its presence, she says. Although other well-oiled and advanced threat groups also continue to add new methods of camouflaging their activity, Noushin says, SideWinder stands apart for her with its dogged persistence and high volume of activity.

"I think what truly makes them stand out among other APT \[advanced persistent threat\] actors is the large toolset they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure," she says. "I haven't seen 1,000 attacks from a single APT" from another group thus far, she adds. 

Shabab has tracked SideWinder's activity since April 2020, but Kaspersky first reported on SideWinder in January 2018 and believes it's been around since at least 2012. The security firm traditionally avoids attributing threat actors to specific nation-states, but Shabab says her firm's initial research into SideWinder showed the group is tied to an India-based company that was advertising malware analysis and penetration testing services on its website. 

"We found some context between that company and that threat actor," she says. However, she notes that "over the years, \[SideWinder\] attribution became more challenging."

SideWinder mostly targets military and law enforcement entities in Central and South Asia, but it's also hit foreign affairs, defense, aviation, IT, and legal firms in Asia. Pakistan and Sri Lanka are its main focus of late, according to Kaspersky's research, and it's recently targeted government and related organizations in Afghanistan, China, and Nepal, according to previous research from Trend Micro and from Anomaly.

Kaspersky also follows another cyber-spying threat group, dubbed Sidecopy, that copies SideWinder's tactics and techniques on occasion, often pivoting to the newest infection vector SideWinder has adopted. Unlike some other security research teams, Kaspersky considers Sidecopy separate from SideWinder. It's seen Sidecopy target organizations mainly in India and Afghanistan.

**No Zero-Days Required  
**SideWinder's main initial attack vector consists of sending convincing-looking spear-phishing emails with malware-rigged document attachments to its carefully curated targets. The hacking group doesn't deploy any zero-day exploits, but instead mostly weaponizes known Windows or Android vulnerabilities, including old Microsoft Office flaws, according to Shabab.

That said, in January 2020, researchers at Trend Micro revealed that they had discovered SideWinder exploiting a zero-day local privilege-escalation vulnerability that affected hundreds of millions of Android phones when it was first published (CVE-2019-2215).

SideWinder often switches gears if its first attempts don't infect its victims. Shabab has seen the APT abuse the Windows file shortcut feature to mask the malware, for example.

"The interesting thing is we have seen them be quite careful and innovative in the way they approach victims," she says. 

On at least two occasions, she says, SideWinder sent empty document attachments with the spear-phishing emails. The document had no content, but a malicious payload was inside. "After a short while, they send a letter \[in an email\] that apologizes for the empty document they had sent earlier. But that second email had a different malicious payload inside the document," she says. "They were trying everything to make sure they get a foothold into the victim's system."

SideWinder also swaps domains regularly for its command-and-control servers as well as for its download servers. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well.

Kaspersky's research shows that SideWinder mainly targets Windows for now, but it did find some malicious mobile apps last year when the firm investigated the group's infrastructure domains and servers. 

"But looking at their large attack infrastructure and large malware family sets they have for Windows, it doesn't seem mobile is their main focus," Shabab says.  

**Black Hat Talk  
**Shabab will share technical details in her session at Black Hat Asia next week, entitled "SideWinder Uncoils to Strike." Those will include how the hacking team has evolved its obfuscation methods for hiding its malware, and folding it into multistage infection chains. She says that investigating SideWinder's attack methods required her to decrypt several layers of encryption and thousands of obfuscation scripts. And "for each one, the decryption key was different," she says.

Shabab plans to provide recommendations on how to use SideWinder indicators of compromise along with specific security defense advice on defending against this APT group. Because it mostly achieves initial infections via known vulns and legitimate features in Windows (such as Microsoft Office), patching and the usual best security practices are key. That means hardening applications with whitelisting or firewall rules, which can help halt additional malicious malware modules from SideWinder's servers, she says.

"It's not very difficult to stop the attack" initially, she says. But if SideWinder gets past that first hurdle and infects the machine in the first phase of the attack, eradicating the attack gets exponentially harder. She adds: "They have lots of techniques to stay undetected longer and stay persistent."

1,000+ Attacks in 2 Years: How the SideWinder APT Sheds Its Skin

A close look at a new type of network, known as a Cloud Area Network.

A close look at a new type of network, known as a Cloud Area Network.

In an article I wrote over a year ago called “Securing the New Normal of Network Access,” I presented four access scenarios that modern organizations needed to enable users to stay securely connected and protected in the new normal of a work-from-anywhere world.

Of course, “new” is a relative term, as is “normal.” When that article was published, in late 2020, Covid was relatively new, vaccines had not yet been introduced, and many organizations were still working out work-from-home kinks.

Today, two years into the pandemic and into the whirlwind digital transformation it helped accelerate, networking advancements may soon leapfrog over the access grid that illustrated my earlier networking model. In this grid, I showed the need to be able to connect users – from within or outside of traditional office environments – to applications and resources – located within traditional datacenters or, increasingly, in the cloud.

For my out-to-in scenario, with remote workers accessing on-site networks, for instance, Zero Trust Network Access (ZTNA) represented a vast improvement over the traditional tool many organizations were opting for, vulnerable VPNs. Too many VPNs are still in use, but more organizations are moving to secure remote access to their networks by implementing ZTNA – a positive development.

**The “Everyone/thing-to-Everyone/thing, Securely” Solution**

So-called SASE – Secure Access Service Edge – capabilities, such as ZTNA and isolation-powered Secure Web Gateways (SWGs), have been increasingly adopted over the past year to support the full range of access scenarios in a single cloud-delivered platform. This, of course, represents a great step forward.

But what if, instead of integrating many access solutions into a single platform, a new networking technology could simplify everyone-and-everything-access-to-everyone-and-everything-else even further by making connecting easier and by having Zero Trust security baked-in as part of its DNA? Such a development would be a vast and welcome upgrade to the good old reliable LAN, making it fit for the cloud age. Policies would enable every user to simply and securely, under relevant permissions, and regardless of location, access the physical servers, cloud storage and apps that they need to stay productive in our perimeter-less world, as well as securely connecting with other users and the web.

The steady move to the cloud that AWS kicked off a decade ago has turned into a flood. With available bandwidth growing by 50% every year, and networking and security professionals in short supply, forward-looking organizations are seeking simpler solutions that require minimal in-house equipment and management resources.

Yet two factors are keeping organizational networking earth-bound. The first is that on-premises corporate data centers have not disappeared, and branch offices need fast, reliable access to the data and apps in those centers. And of course, security is the second.

**Magical (Networking) History Tour**

The WAN, which has long been essential for distributed organizations, is a technology whose days are numbered. With bandwidth plentiful, QoS guarantees can no longer justify investment in costly MPLS circuits. The issue of secure internet access is equally problematic. Backhauling internet traffic to the corporate network where security appliances reside reduces quality, increases latency, and is simply inefficient.

Increasingly, organizations are turning to software-defined WANs (SD-WANs) as more efficient, less costly alternatives. SD-WANs use IPsec encryption and tunneling (or in more modern versions, WireGuard encryption) technologies to enable private communication between branch offices and corporate data centers, over the public internet. SD-WAN routers must be installed at each office.

SD-WANs represent a significant improvement over traditional WANs, since eliminating the need for dedicated leased lines yields considerable savings. In addition, local branch routers integrate security controls, enabling secure internet access directly from branches.

**Expanding the Limits of WAN**

Once we can create a network that enables secure access via the public internet, it should be able to handle any user who needs to connect to any device, user or app, anywhere – assuming, of course, permissions are in place. Authorized users should be able to securely access corporate data centers from home, a branch office or the beach. They should be able to securely reach each other, public cloud apps, websites and private clouds, too.

In short, once physical lines are no longer needed, the traditional WAN model becomes obsolete. But while SD-WANs expanded the WAN concept to internet-enabled access, they do not take full advantage of cloud capabilities, since they _still_ require on-premises security controls, at branch offices.

**Rethinking Organization Networks for the Cloud Era**

This is exactly the conceptual leap behind a new type of network, known as a Cloud Area NetworkTM (CAN). CANs replace the old hub-and-spoke model with an overlay network mesh concept that enables any-to-any communication between users, devices, data centers, and web apps.

Think of a CAN as comprising virtual ethernet cables, with secure tunneling creating a cloud security fabric that operates atop the public internet. A lightweight agent on each device enables connection to an overlay network that provides a dedicated, cloud-agnostic IP address for the device. Alternatively, a branch-level connector can integrate the full LAN into the CAN.

In addition to providing dedicated IP addresses, the overlay network integrates Zero Trust security functions that are essential for applying least-privilege access controls and keeping malicious content from reaching and infecting user devices, on-premises and cloud storage, and even SaaS apps. For instance, cloud firewall and isolation-powered SWG functionality are built into the network to prevent zero-day malware on compromised websites from penetrating devices that are part of the CAN. Anti-phishing technology prevents threats like credential theft, and integrated data sharing controls and DLP technology ensure that data remains where it belongs.

Similarly, built-in ZTNA and identity and access management (IAM) capabilities allow strict access controls to be applied in the cloud, so each user’s access is limited to resources they’re authorized to use.

The long-touted move to the cloud is in high gear. The technology is ripe, bandwidth is abundant. Now the network – both connectivity and security – just needs to catch up. And that’s exactly what the Cloud Area Network is poised to accomplish.

**David Canellos is president and CEO of Ericom Software.**

_**Enjoy additional insights from Threatpost’s InfoSec Insider community by**_ _**visiting past contributions**__**.**_

CANs Reinvent LANs for an All-Local World

Attackers could use the flaw to steal credentials with no authentication required

Attackers could use the flaw to steal credentials with no authentication required

Developers have patched a critical vulnerability in Snipe-IT that could be exploited to send users malicious password reset requests.

Grokability’s Snipe-IT is a cloud-based, open source project for user asset management.

The popular system has been designed to replace sometimes clunky and ineffective Excel spreadsheets and accounts for roughly 3.4 million users, as well as over 6.7 million managed assets.

**RECOMMENDED** Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks

Snipe-IT’s GitHub repository has over 200 contributors and over 2,100 forks at the time of writing. Adopters can choose to have their Snipe-IT builds hosted by Grokability or they can manage it themselves.

On May 2, the project disclosed CVE-2022-23064, a critical vulnerability that has been awarded a CVSS severity score of 8.8.

**Server-side woes**

The vulnerability is described as a host header injection bug. Host header issues occur when server communication is handled in an unsafe way and can lead to a variety of problems including web cache poisoning, server-side request forgery (SSRF), or SQL injection attacks.

In Snipe-IT’s case, CVE-2022-23064 allowed attackers to send crafted host headers to the reset password request functionality of the system.

Target users could be sent password reset links that would, once clicked, lead them to an attacker-controlled server rather than a trusted domain managed by Snipe-IT users.

Read more of the latest security research news from around the world

The developers say that it would then be possible to steal password reset tokens, leading to account hijacking.

According to White Source, an example attack scenario is an attacker selecting ‘I forgot my password’ and submitting the selected victim’s username.

The request would be intercepted after clicking ‘email password reset’, and the host header would then be modified. If the would-be victim clicks the email link, complete with a modified base URL, the reset token is then logged and compromised.

**Protect your targets**

While user interaction is required to trigger a cyber-attack, no authentication or privileges are required to exploit the flaw.

Snipe-IT versions 3.0-alpha to v5.3.7 are vulnerable. Users are urged to upgrade to at least version v5.3.8.

One of the latest builds available – v.5.4.3 (v.5.4.4 was released on May 4) – also includes a patch to resolve a potential cross-site scripting (XSS) vulnerability in user requestable results.

Speaking to _The Daily Swig_, Grokability CTO Brady Wetherington said there is no evidence of any in-the-wild exploits. Furthermore, “our hosted platform was never vulnerable to the exploit, due to its configuration”.

**YOU MIGHT ALSO LIKE** State Bar of Georgia reels from cyber-attack

Serious Snipe-IT bug exploitable to send password reset email traps

All active GitHub users who contribute code will be required to enable at least one form of two-factor authentication by the end of 2023.

Security experts have been banging the multifactor authentication (MFA) drum for years, encouraging users to move away from solely relying on the username/password combination to secure their most sensitive accounts. Now GitHub is done with encouraging: By the end of 2023, all users who contribute code to GitHub-hosted repositories must have one or more forms of two-factor authentication (2FA) enabled, the company says.

Zero-day attacks and sophisticated exploits are scary, but social engineering and credential theft pose bigger headaches for enterprise defenders. User credentials grant attackers full access to the application and the associated data, or in case of a code repository like GitHub, visibility into source code as well as the ability to maliciously modify the code.

"This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code," says Mike Hanley, GitHub's CSO. The downstream effects of an attacker seizing control of a popular code repository is staggering, as "it can be downloaded tens of thousands of times, or hundreds of thousands of times," he says.

Attacks against the software supply chain jumped by more than 300% in 2021, Aqua Security said in January.

GitHub’s decision increases the complexity of account takeovers, says Andrew Hay, COO at LARES Consulting. "It has been proven time and time again that multifactor authentication provides an additional layer of protection to a user's account without exponentially complicating the login process," he says.

**Raising the Bar  
**Considering the sheer number of developers and active repositories on GitHub.com, this move has the potential to significantly enhance the security of the software supply chain. The company says the shift to 2FA will impact 83 million developers.

Hanley has said in the past that GitHub’s sheer size puts the company in a strong position to boost the security of the entire software ecosystem. By implementing new security features, GitHub is raising the bar on things developers and project maintainers have to do.

"Strong password management, privileged access security, and MFA will make it difficult for attackers to be successful at gaining an initial foothold," says Joseph Carson, chief security scientist and advisory CISO at Delinea. "This will likely force them to look for an easier target elsewhere."

**Move to Mandatory Enrollment  
**GitHub has offered 2FA in some form since 2013. Recognizing that attackers are increasingly targeting JavaScript packages on the npm registry, GitHub enrolled all the maintainers of the top 100 npm packages with mandatory 2FA back in February. Even so, adoption has lagged. Currently, only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA on their accounts, the company says.

The numbers are dismal but not wholly unexpected. Back in 2018, Google noted that seven years after introducing 2FA for Gmail, less than 10% of active accounts had enabled the feature. More than three-quarters (78%) of organizations with Microsoft Active Directory (AD) currently do not employ MFA for their user accounts, Microsoft said in its quarterly Cyber Signals report earlier this year. Microsoft has said repeatedly that "99.9% of breaches would be prevented if you just implemented MFA."

GitHub has taken other steps to improve security beyond relying on just the username and password. Earlier, GitHub deprecated basic authentication for Git operations and GitHub’s REST API, and now require email-based device verification. Since March, all npm accounts require enhanced login verification. The company launched 2FA for GitHub Mobile on iOS and Android back in January.

GitHub will allow multiple methods, including hardware security keys and mobile push notifications approved directly from the GitHub app.

GitHub already gives enterprise customers the ability to require developers to use 2FA to access enterprise repositories. When enforcement takes effect, there may be some issues if GitHub winds up removing users who do not have 2FA enabled from enterprise repositories, Hay notes. "It may lead to some calls to the support desk if a user finds that they can no longer access the code repositories they once had access to," he says.

**Delayed Enforcement  
**The shift to mandatory 2FA will occur in phases. All maintainers of the top 500 packages will be enrolled in mandatory 2FA on May 31. Maintainers of high-impact npm packages — which GitHub defined as those with more than 500 dependents or one million weekly downloads — will be enrolled in mandatory 2FA in the third quarter of 2022. The long lead time — more than a year out — will help GitHub "make sure we get this right" in terms of ensuring the user experience with the command line and the web interface, Hanley says.

Carson notes that recent advancements have made MFA "far less burdensome" to users. The most common mistake in enterprise deployments is to add MFA to existing authentication schemes rather than strengthening (and potentially replacing) them. MFA should be used to make logging in more efficient, as well as more secure.

"It is important to make authentication easier and the experience positive where possible," Carson says. "Otherwise users will find ways around the security control making them much weaker."

Tag

#zero_day