SANS NewsBites

Patch All Apple Software; Only Update MSI Products from MSI Site; Have You Tested Switchover Back to All Work at Home; Put Adoption of RPKI in Your Plans

April 11, 2023  |  Volume XXV - Issue #29

Top of the News


2023-04-10

Apple Releases Patches for Two Zero-Days

On Friday, April 7, Apple released updates to address two actively exploited vulnerabilities in iOS, iPadOS, macOS, and Safari. The IOSurfaceAccelerator out-of-bounds write vulnerability (CVE-2023-28206) could be exploited by a local app to execute arbitrary code with kernel privileges; the WebKit use-after-free vulnerability (CVE-2023-28205) could lead to arbitrary code execution when processing maliciously crafted web content. On Monday, April 10, Apple released updates that backport the fixes to older versions of the affected operating systems. The US Cybersecurity and Infrastructure Security Agency (CISA) has added both Apple issues to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies have until May 1 to update.

Editor's Note

You probably saw the update Friday with the innocuous looking CVEs, impacting macOS 13, Safari, iOS and iPadOS. Since then, Apple released macOS 12.6.5 & 11.7.6 as well as iOS 15.5.7, which should be hitting your "this is a big deal" alert before you even heard about this being a Zero-Day or the addition to the KEV catalog. Hopefully you can just push the update to your ADE devices and turn your attention to your macOS updates.

Lee Neely

Given that both these vulnerabilities lead to remote code execution, the best defense is to patch. The good news is that Apple provides new versions of their operating system for free. This has the effect of Apple users updating their devices more frequently. As we look to envision ‘secure by design,’ one component will have to be an automated patch management process for users.

Curtis Dukes

2023-04-10

Micro-Star International Discloses Cyberattack

Micro-Star International (MSI) has acknowledged that it “recently suffered a cyberattack on part of its information systems.” MSI, which manufactures laptops, graphics cards, motherboards, and other products, is urging users to obtain firmware/BIOS updates only from the official MSI website.


2023-04-10

Rochester, Minnesota Public Schools Cancelled Classes After Cyberattack

The public school system in Rochester, Minnesota cancelled classes on Monday, April 10 due to a cyberattack. Rochester Public Schools detected anomalous activity on its network late last week. Students and staff could not access their Google accounts and phone systems were not operating. A school system in Minneapolis was hit with a ransomware attack in February.


2023-04-10

Netherlands Government Adopting Resource Public Key Infrastructure

All government organizations in the Netherlands will be required to implement Resource Public Key Infrastructure (RPKI) to protect their networks from Border Gateway Protocol (BGP) route hijacking. RPKI lets an address holder publish signed Route Origin Authorizations (ROAs) stating which autonomous system may originate its prefixes, so that other networks can detect and drop announcements from an unauthorized origin. The Netherlands’ Government-wide Policy Consultation on Digital Government (OBDO) is requiring all government-owned information and communications technology to adopt RPKI by the end of 2024.
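
What the mandate buys in practice is Route Origin Validation (ROV, RFC 6811): a network that validates RPKI compares each received BGP route against the published ROAs and marks it Valid, Invalid or NotFound. The following is an added example written for this item, not code from the NewsBites article, OBDO or any Dutch government project. It implements the RFC 6811 decision for one announcement, then lists which of an operator's own prefixes still have no ROA at all, which is the gap an adoption deadline asks you to close. The ROAs, prefixes (documentation ranges) and AS numbers (private range) are constructed, not real routing data.

```python
# Added example (not from the NewsBites item or any government tooling):
# RFC 6811 Route Origin Validation against a constructed set of ROAs.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` authorises
    `origin_as` to originate it, and more-specifics down to `max_length` bits."""
    prefix: str
    max_length: int
    origin_as: int

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def covering_roas(roas: Iterable[ROA], announced) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix (same address family;
    subnet_of() raises if IPv4 and IPv6 are mixed, so check the version first)."""
    return [r for r in roas
            if r.network().version == announced.version
            and announced.subnet_of(r.network())]


def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify one (prefix, origin AS) announcement per RFC 6811.

    NotFound: no ROA covers the prefix (RPKI not yet deployed for it).
    Valid:    at least one covering ROA names this origin AS and the announced
              prefix is no longer than that ROA's maxLength.
    Invalid:  covered, but nothing matches: wrong origin AS (hijack or
              misconfiguration) or a more-specific beyond maxLength.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, announced)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def uncovered(announcements: Iterable[Tuple[str, int]], roas: Iterable[ROA]) -> List[str]:
    """Prefixes an operator announces for which no ROA exists at all."""
    roas = list(roas)
    return [p for p, asn in announcements if validate(p, asn, roas) == "NotFound"]


# Constructed sample data: documentation prefixes and private ASNs, not real routes.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # Valid
    ("192.0.2.0/24", 64511),      # Invalid: wrong origin AS (a hijack)
    ("198.51.100.0/24", 64497),   # Valid: more-specific within maxLength
    ("198.51.100.0/25", 64497),   # Invalid: more specific than maxLength allows
    ("203.0.113.0/24", 64496),    # NotFound: no ROA published yet
    ("2001:db8:1::/48", 64496),   # Valid
    ("2001:db8::/32", 64497),     # Invalid: wrong origin AS
]


def classify_all(announcements=ANNOUNCEMENTS, roas=ROAS) -> Dict[Tuple[str, int], str]:
    """Validation state for every announcement, keyed by (prefix, origin AS)."""
    return {(p, asn): validate(p, asn, roas) for p, asn in announcements}


if __name__ == "__main__":
    for (p, asn), state in classify_all().items():
        print(f"{p:<20} AS{asn:<6} {state}")
    print("No ROA yet:", uncovered(ANNOUNCEMENTS, ROAS))
```

Two points the code makes that the announcement does not: a ROA protects only against a wrong origin AS, not against a hijacker who prepends the legitimate origin (that needs path validation, which RPKI alone does not provide), and the NotFound state is what every prefix sits in until its holder publishes a ROA, which is why a deadline for "adopting RPKI" is largely a deadline for creating ROAs and turning on ROV at the edge.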

The Rest of the Week's News


2023-04-10

CISA Adds Veritas Backup Exec Vulnerabilities to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three Veritas Backup Exec vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities – a file access vulnerability (CVE-2021-27876), an improper authentication vulnerability (CVE-2021-27877), and a command execution vulnerability (CVE-2021-27878) – have been used in ransomware attacks. Federal Civilian Executive Branch Agencies (FCEB) have until April 28 to update.

Editor's Note

These vulnerabilities have been abused by attackers for a while now to deploy ransomware. A patch has been available for about two years, so about time to get it applied.

Johannes Ullrich

While the patch for this was released in March of 2021, and a Metasploit module exploiting these vulnerabilities was released in September 2022, Mandiant is just now seeing active exploits of the flaws. If you're using Backup Exec, make sure that you're at version 21.2 or later. Don't assume.

Lee Neely

With these vulnerabilities and the two by Apple, the KEV catalog now has 913 entries. That’s 913 entries over the last 18 months. Maybe that’s a small number, maybe it’s a large number. One does wonder though, about the effectiveness of the catalog given no linkage to FCEB Agency compliance, other than periodic GAO or IG cybersecurity audits.

Curtis Dukes

2023-04-07

Amazon Bans Sale of Flipper Zero After Tagging it as a “Restricted Product”

Amazon has banned the sale of the Flipper Zero pen-testing device on its platform because it has been identified as a card-skimmer. Amazon is not the only entity with concerns about Flipper Zero: Brazil’s National Telecommunications Agency has been seizing shipments of the devices to that country.


2023-04-10

FBI: Don’t Use Public Device Charging Stations

The US Federal Bureau of Investigation (FBI) tweeted a reminder urging people not to use public charging stations for their mobile devices because “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.” The technique is known as “juice jacking”; the Federal Communications Commission (FCC) published a consumer warning about it in October 2021.


2023-04-07

CISA Publishes Seven Industrial Control System Vulnerability Advisories

The US Cybersecurity and Infrastructure Security Agency (CISA) has published seven advisories about vulnerabilities in various Industrial Control System (ICS) products, including Industrial Control Links ScadaFlex II SCADA Controllers; JTEKT Screen Creator Advance 2 and JTEKT Kostac PLC; Korenix Jetwave; Hitachi Energy MicroSCADA System Data Manager SDM600; mySCADA myPRO; and Rockwell Automation FactoryTalk Diagnostics. CISA has also released an advisory about vulnerabilities in Nexx Smart Home devices (see story below).


2023-04-07

Nexx’s Solution to Vulnerability in Smart Home Devices: Disable Internet Access

Nexx’s response to reports that its smart home devices are vulnerable to hacking is to disable Internet access to those devices, requiring customers to use Bluetooth to communicate with their Nexx Garage, Nexx Gate, and Nexx Plug products. Instead of being able to control these devices remotely from wherever they are, users will now, at least temporarily, need to be within 30-50 feet of them.


2023-04-10

SD Worx Suffers Cyberattack

SD Worx, an Antwerp, Belgium-based HR and payroll services company, has shut down IT systems serving its customers in Ireland and the UK following a cyberattack. SD Worx is investigating the incident, and says that it was not a ransomware attack.

Internet Storm Center Tech Corner

Apple Patching Two 0-Day Vulnerabilities in iOS and macOS

https://isc.sans.edu/diary/Apple+Patching+Two+0Day+Vulnerabilities+in+iOS+and+macOS/29726

Apple Updates for Older Operating Systems

https://support.apple.com/en-us/HT201222

Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023

https://isc.sans.edu/diary/Microsoft+Netlogon+Potential+Upcoming+Impacts+of+CVE202238023/29728

KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023

https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25

Another Malicious HTA File Analysis - Part 2

https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676

Detecting Suspicious API Usage with YARA Rules

https://isc.sans.edu/diary/Detecting+Suspicious+API+Usage+with+YARA+Rules/29724

MSI Attack May Affect BIOS Updates

https://www.msi.com/news/detail/MSI-Statement-141688

VM2 Sandbox Escape

https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv

https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d