Cyber Security Weekly Briefing, 13–20 May

Telefónica Tech    20 May, 2022

VMware fixes critical vulnerabilities in several of its products

VMware has issued a security advisory to fix a critical authentication bypass vulnerability affecting several of its products. Tracked as CVE-2022-22972 with a CVSSv3 score of 9.8, the flaw affects local domain users and would allow an attacker with network access to the user interface to gain administrator access without authentication.

VMware has also released patches for a second serious local privilege escalation vulnerability (CVE-2022-22973 – CVSSv3 7.8) that could allow a threat actor to escalate their permissions to ‘root’. Both bugs affect VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager products.

The publication of these flaws has also prompted entities such as CISA to issue emergency advisories to multiple federal agencies this week, urging them to immediately upgrade or remove VMware products from their networks before next Monday, due to an increased risk of attacks.

For its part, VMware has provided patch download links and installation instructions on its knowledge base website, as well as workarounds in case an immediate upgrade is not possible.


* * *

New campaign against SQL servers

Microsoft’s Security Intelligence team has shared on its Twitter profile details of a recently discovered campaign that is reportedly targeting SQL servers and is known to use the LOLBin sqlps.exe. Brute-force attacks have been observed as the means of initial access to the SQL server.

In addition, they describe that once the server is compromised, the threat actor uses sqlps.exe, a Windows tool that starts PowerShell for use with SQL instances, to achieve persistence by executing reconnaissance commands and changing the server’s start-up mode to LocalSystem.

Attackers also use sqlps.exe to take control of the server by creating a new account with administrator permissions, allowing them to inject payloads into the system.
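
One way to hunt for the sequence described above, as an added example that is not from Microsoft or the original briefing: it flags sqlps.exe launches and raises the severity when the same host saw a burst of failed SQL logins shortly before. The event schema, host names, file paths, threshold and time window are assumptions; 18456 and 4688 are the SQL Server failed-login and Windows process-creation event IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SQL_LOGIN_FAILED = 18456   # SQL Server: login failed
PROCESS_CREATED = 4688     # Windows Security: a new process has been created

def _failed_logins(n, host, client, start):
    """Build n constructed failed-login events one second apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i)).isoformat(), "host": host,
             "event_id": SQL_LOGIN_FAILED, "client": client} for i in range(n)]

# Constructed sample events in a hypothetical normalized schema (not real telemetry).
EVENTS = (
    _failed_logins(6, "sql01", "203.0.113.7", "2022-05-18T02:00:00")
    + _failed_logins(6, "sql02", "203.0.113.7", "2022-05-17T01:00:00")
    + [
        {"ts": "2022-05-18T02:05:00", "host": "sql01", "event_id": PROCESS_CREATED,
         "image": r"C:\constructed\path\SQLPS.exe"},
        {"ts": "2022-05-18T09:00:00", "host": "sql02", "event_id": PROCESS_CREATED,
         "image": r"C:\constructed\path\sqlps.exe"},
        {"ts": "2022-05-18T09:01:00", "host": "sql02", "event_id": PROCESS_CREATED,
         "image": r"C:\Windows\System32\cmd.exe"},
    ]
)

def detect(events, threshold=5, window=timedelta(minutes=30)):
    """Flag sqlps.exe launches; 'high' when preceded by a failed-login burst."""
    fails = defaultdict(list)          # host -> failed SQL login timestamps
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == SQL_LOGIN_FAILED:
            fails[ev["host"]].append(ts)
        elif ev["event_id"] == PROCESS_CREATED:
            if ev["image"].rsplit("\\", 1)[-1].lower() != "sqlps.exe":
                continue
            recent = sum(1 for f in fails[ev["host"]] if ts - window <= f <= ts)
            findings.append({
                "host": ev["host"], "ts": ev["ts"], "failed_logins": recent,
                # sqlps.exe is a legitimate tool, so a lone launch is only "review".
                "severity": "high" if recent >= threshold else "review",
            })
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The failed logins on sql02 fall outside the 30-minute window, so its sqlps.exe launch is reported for review rather than as high severity.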


* * *

Increased activity of XorDDoS malware

Microsoft researchers have published an analysis of the so-called XorDDoS trojan targeting Linux systems, in which they claim to have detected an increase in activity over the last six months. XorDDoS, active since at least 2014, owes its name to the XOR encryption used for its communications with the Command & Control server, as well as to its most characteristic type of attack, namely distributed denial of service (DDoS).

To this end, XorDDoS usually focuses its activity on compromising Internet of Things (IoT) devices to build its botnet for DDoS attacks. Microsoft’s analysis details that devices infected with XorDDoS are later compromised with the Tsunami backdoor, which in turn deploys the XMRig cryptominer.

Among the TTPs employed by XorDDoS, the use of brute force against accessible SSH services stands out as the main entry vector to obtain root permissions on the compromised machine. It also has modules designed to evade security systems, hiding its activity, which makes it harder to detect. Microsoft provides recommendations to try to fight this threat.


* * *

CISA exposes commonly used entry vectors

CISA, together with authorities in the United States, Canada, New Zealand, the Netherlands and the United Kingdom, has issued a warning about security controls and practices that are commonly exploited for initial access during compromises of potential victims.

They note that cybercriminals often exploit poor security configurations (misconfigured or unprotected), weak controls and other bad practices as part of their tactics to compromise systems. Some of the most commonly used Tactics, Techniques and Procedures (TTPs) are: exploiting a publicly exposed application [T1190], external remote services [T1133], phishing [T1566], exploiting a trust relationship [T1199] or exploiting valid accounts [T1078].

In order to avoid these techniques, the advisory summarizes a series of recommended practices to protect systems from these possible attacks, highlighting access control, credential reinforcement, establishing centralized log management, the use of antivirus, detection tools, operating exposed services with secure configurations, as well as keeping software up to date.

