SANS NewsBites

VMware Software Needs Top Priority Patching; Microsoft Blocking XLLs is a Good Thing; One More Warning About Living Off the Land and Remote Access Attacks

January 27, 2023  |  Volume XXV - Issue #08

Top of the News


2023-02-25

VMware Patches vRealize Log Insight Vulnerabilities

VMware has released updates to fix four vulnerabilities in its vRealize Log Insight product. Two of the flaws are critical: a directory traversal vulnerability and a broken access control vulnerability. Both could be exploited to achieve remote code execution. The other fixed flaws are a deserialization vulnerability that could be exploited to create denial of service conditions, and an information disclosure vulnerability.

Editor's Note

There are a lot of software components to the VMware infrastructure. Kinda like SolarWinds, VMware has a high market share in data centers, and those VMware software components are installed with access at the heart of business networks. This means VMware is an obvious high leverage/high priority target for very sophisticated attackers, just as SolarWinds was. This particular log management software vulnerability by itself may not rate as top priority, but use VMware’s CVSS score of 9.8 to drive a check on patch levels on all VMware installs.

John Pescatore

The VMware vRealize issue is yet another in a string of issues plaguing VMware. While it may not be as popular as vCenter, it is considered core infrastructure in many companies. Most of these items stay unpatched for years. Patch your VMware kit. When doing Red Team assessments on internal networks, we often find ways into VMware backends as they are often unpatched.

Moses Frost

Deploy the updated version of vRealize Log Insight. Yes, there is a workaround, and it makes tasks like adding nodes to clusters more manual. Read and understand the entire workaround before moving forward, which will likely take more time than patching.

Lee Neely

2023-01-25

Microsoft Will Block Excel XLL Add-ins from the Internet

Starting in March, Microsoft will block XLL files coming from the Internet in Office Excel. In its Microsoft 365 roadmap, Microsoft writes that it is making this change "to combat the increasing number of malware attacks in recent months."

2023-01-26

Joint Warning from CISA, NSA, and MS-ISAC on Remote Monitoring and Management Software

In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) warn that threat actors used legitimate remote monitoring and management software to gain access to the networks of multiple federal civilian executive branch agencies. The advisory includes technical details, indicators of compromise, and recommended mitigations.

The Rest of the Week's News


2023-01-26

NIST Releases AI Risk Management Framework 1.0

The US National Institute of Standards and Technology (NIST) has released the first version of its risk management framework for artificial intelligence (AI). The guidance will be voluntary. The Artificial Intelligence Risk Management Framework (AI RMF 1.0) has been created to be useful to organizations of all sizes and in all sectors. NIST will accept comments through the end of February.

Editor's Note

We are not ready for a world with AI yet, but I’m very happy to see NIST working on how we can start to look at the risk around AI. One of the fallacies we have as humans can be to take a non-critical thinking approach to what the machines are outputting. Before we become super awed, we should have a skeptical look at the output to validate that what it is emitting is of good quality. Give this a look through, as you will likely see many security vendors attempting to hook things into AI-based systems to augment the work.

Moses Frost

While we all get that AI is a learning environment, changing as it goes, what we may miss is that environmental or social changes ingested by the system can cause unexpected outcomes. This guidance is intended to help govern and normalize that behavior, as well as address risks of AI systems in practice. NIST is taking feedback on the framework; email AIframework@nist.gov.

Lee Neely

Certainly timely. However, one wonders how much "govern, map, measure and manage" helps, since these require experience and skill which few organizations enjoy. Users should keep in mind that AI is a tool, neutral, not magic, but which may invite abuse and misuse. The role of users is to identify the applications, formulate the questions and tasks, evaluate and use the results.

William Hugh Murray

2023-01-26

Most Windows Data Centers Still Vulnerable to CryptoAPI Spoofing Bug

Researchers from Akamai say that most Windows data centers have not patched systems against a critical spoofing vulnerability in CryptoAPI. The US National Security Agency (NSA) and the UK National Cybersecurity Centre (NCSC) disclosed the vulnerability to Microsoft and the issue was patched in August 2022. In the update guide for the vulnerability (CVE-2022-34689), Microsoft writes, “An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate.”

2023-01-26

Google Updates Chrome

Google has updated the Stable channel for Chrome to version 109.0.5414.119 for Mac and Linux and 109.0.5414.119/.120 for Windows. The newest version of the browser includes fixes for six vulnerabilities. Four of the flaws were submitted by external researchers. These include use-after-free vulnerabilities in WebTransport, WebRTC, and GuestView, and a type confusion vulnerability in the ServiceWorker API.

2023-01-26

Hive Takedown

An international law enforcement effort has disrupted the infrastructure of the Hive ransomware group. Authorities have seized US-based servers and have shut down two of the group’s data leak sites. The takedown effort was aided by FBI agents who infiltrated the Hive network and maintained a presence on their servers for seven months.

2023-01-26

CISA Publishes Cybersecurity Toolkit for K-12 Schools

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a report and a toolkit to help K-12 schools better protect their systems from cybersecurity threats. The report makes three recommendations: investing in the most impactful security measures and building toward a mature cybersecurity plan; recognizing and actively addressing resource constraints; and focusing on collaboration and information sharing. The toolkit includes suggested actions and resources to help schools adopt the recommendations.

2023-01-25

Microsoft 365 Outage Resolved

Microsoft says that network configuration issues were responsible for an outage on Wednesday, January 25, that affected multiple Microsoft 365 services, including Microsoft Teams, Exchange Online, Outlook, SharePoint Online, OneDrive for Business, Microsoft Graph, Power BI, the M365 Admin Portal, Microsoft Intune, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Microsoft said the issues were resolved after it rolled back a network change; affected services now appear to be available.

2023-01-26

German Infrastructure DDoSed

The websites of some German airports, financial institutions, and government agencies were targeted with distributed denial-of-service (DDoS) attacks earlier this week. The attacks are believed to be the work of Russian hacktivists. Germany’s Federal Office for Information Security (BSI) says that some websites were made unavailable, but there were no service disruptions.

Internet Storm Center Tech Corner

Live Linux IR with UAC

https://isc.sans.edu/diary/Live+Linux+IR+with+UAC/29480

First Malicious OneNote Document

https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470

Apple Patch Summary

https://isc.sans.edu/diary/Apple+Updates+almost+Everything+Patch+Overview/29472

Bitwarden Phishing

https://community.bitwarden.com/t/phishing-website-bitwardenlogin-com/49704

https://www.reddit.com/r/Bitwarden/comments/10k2aj5/google_search_ads_showing_fake_bitwarden_web/

BitWarden Server Side Iterations

https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/

Guidance for Securing Remote Monitoring and Management Software

https://media.defense.gov/2023/Jan/25/2003149873/-1/-1/0/JOINT_CSA_RMM.PDF

PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets

https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/

Skyhigh Security Secure Web Gateway: XSS in Single Sign On Plugin

https://www.redteam-pentesting.de/en/advisories/rt-sa-2022-002/-skyhigh-security-secure-web-gateway-cross-site-scripting-in-single-sign-on-plugin

Windows Crypto API Vuln PoC

https://github.com/akamai/akamai-security-research/tree/main/PoCs/CVE-2022-34689

ManageEngine News

https://github.com/vonahisec/CVE-2022-47966-Scan

BIND Patches

https://kb.isc.org/docs/cve-2022-3094

Microsoft Blocking XLL Files Downloaded From Internet

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=115485

Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts

https://www.darkreading.com/cloud/microsoft-azure-kerberos-attacks-open-cloud-accounts

Lexmark Vulnerabilities

https://publications.lexmark.com/publications/security-alerts/CVE-2023-23560.pdf

VMware vRealize Update

https://www.vmware.com/security/advisories/VMSA-2023-0001.html

KSMBD Vulnerability

https://sysdig.com/blog/cve-2023-0210-linux-kernel-unauthenticated-remote-heap-overflow/

Packet Tuesday: Neighbor Advertisements

https://www.youtube.com/watch?v=CoaZjuuY1do