Monthly Advisory

September Threat Advisory – Top 5

by Eleanor Barlow • Sep 2022

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of September 2022.

Uber Reportedly Suffered Security Incident, Resulting in Leak of Critical Information

Threat Reference: Global

Risks: Threats

Advisory Type: Account Takeover, Identity Theft

Priority: Standard

On Thursday the 16th of September at 05:25am, Uber announced via Twitter that they were responding to a cyber security incident. The adversary using the alias of “Nwave” posted on the company’s corporate Slack channel to announce the hack.

Initial sources suggest that the attacker used social engineering techniques to gain access to internal systems through the VPN. The attacker has published a statement claiming access to an internal network share that contained various PowerShell scripts. One of the PowerShell scripts is believed to have contained the username and password of an admin user, which provided access to crucial cloud platforms including AWS and GSuite, where Uber stores its source code and customer data.

The attacker has shared several screenshots of Uber’s internal environment, including their GDrive, VCenter, sales metrics, Slack, and even their SentinelOne EDR portal.

Recommendations to Avoid a Breach Like This:

  1. Implement Multifactor Authentication.
  2. Enable MFA with TOTP and restrict access to cloud services to specific IPs.
  3. Monitor for anomalous logins/activities on a 24×7 basis.
  4. Ensure your internal and cloud IT infrastructure is monitored 24×7 by a dedicated SOC.
  5. Provide social engineering awareness training to your employees/contractors.
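The Uber write-up above turns on a credential left in a PowerShell script on a network share. The following is an added example (not SecurityHQ's code, and not tied to any real Uber file) of the kind of sweep a defender can run over a share to find that class of mistake before an intruder does. The script names, their contents and every credential value in them are constructed for the example; the regex patterns are my own choice and are deliberately conservative, so treat them as a starting point rather than an exhaustive detector.

```python
import re
import textwrap
from dataclasses import dataclass

# Constructed sample scripts standing in for .ps1 files found on a network share.
# Every credential value below is made up for this example.
SAMPLE_SCRIPTS = {
    "backup-aws.ps1": textwrap.dedent("""\
        $ErrorActionPreference = "Stop"
        $user = "svc-backup-admin"
        $password = "Summer2022!"
        $cred = New-Object System.Management.Automation.PSCredential($user, (ConvertTo-SecureString $password -AsPlainText -Force))
        Invoke-Command -ComputerName fileserver01 -Credential $cred -ScriptBlock { Get-ChildItem D:\\backups }
        """),
    "sync-gsuite.ps1": textwrap.dedent("""\
        # Prompts for the secret at runtime; nothing is hardcoded, so no finding is expected.
        $password = Read-Host -AsSecureString "Service account password"
        $cred = Get-Credential -UserName "sync-bot" -Message "Enter credentials"
        """),
    "deploy.ps1": textwrap.dedent("""\
        aws configure set aws_secret_access_key "EXAMPLESECRETKEYNOTREAL1234567890"
        Connect-VIServer -Server vcenter01 -User administrator@vsphere.local -Password 'Vmware1!'
        """),
}

# Each pattern captures the literal secret in group 1. Only quoted literals are
# matched, so values read from Read-Host, a vault or a variable do not fire.
CREDENTIAL_PATTERNS = [
    ("plaintext variable",
     re.compile(r'\$(?:pass(?:word|wd)?|pwd|secret|apikey|token)\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("-Password argument",
     re.compile(r'-Password\s+["\']([^"\']+)["\']', re.I)),
    ("ConvertTo-SecureString literal",
     re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\']', re.I)),
    ("aws_secret_access_key",
     re.compile(r'aws_secret_access_key\s+["\']?([A-Za-z0-9/+=]{16,})', re.I)),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    kind: str
    redacted: str  # never carry the full secret into logs or tickets


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it in the file."""
    return secret[:2] + "***"


def scan_script(name: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(line):
                findings.append(Finding(name, lineno, kind, redact(match.group(1))))
    return findings


def scan_scripts(scripts: dict[str, str]) -> list[Finding]:
    """Scan a mapping of file name -> script text; in practice the mapping
    would be built by walking the share and reading each *.ps1 file."""
    results = []
    for name, text in scripts.items():
        results.extend(scan_script(name, text))
    return results


if __name__ == "__main__":
    for f in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{f.file}:{f.line}: {f.kind} -> {f.redacted}")
```

The scanner reports only a redacted prefix of each value so that the finding itself does not become a second copy of the secret. Any hit should be followed by rotating the credential, not just deleting the line, since the share may already have been read.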

Apple Fixed Zero-day Vulnerability Affecting MacOS, iOS and iPadOS Devices

Threat Reference: Global

Risks: Arbitrary Code Execution, Zero-Day

Advisory Type: Updates/Patches

Priority: Standard

Apple released a security update to fix an arbitrary code execution vulnerability, which might allow an attacker to gain access to a vulnerable device.

Affected Devices:

• iPhone 6s and later

• iPad Pro (all models)

• iPad Air 2 and later

• iPad 5th generation and later

• iPad mini 4 and later

• iPod touch 7th generation

• Mac running macOS Big Sur 11.7

• macOS Monterey 12.6

Recommendation

• Update all the affected products to their latest available patch version.

Critical Privilege Escalation Zero-day Vulnerability in “WPGateway” WordPress Plugins Exploited in the Wild

Threat Reference: Global

Risks: Zero-Day

Advisory Type: Zero-Day Exploits

Priority: Elevated

Researchers identified a critical unauthenticated privilege escalation vulnerability in WPGateway premium plugins for WordPress. Successful exploitation of the vulnerability allows an unauthenticated attacker to add a rogue user with admin privileges to completely take over the WordPress site running the vulnerable WPGateway plugin.

The most common indicator of compromise (IOC) is a malicious administrator account with the username rangex added under the dashboard.

Recommendations

  1. Uninstall the WPGateway plugins until a patch is made available.
  2. Check for any malicious administrator users in your WordPress dashboard.
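Recommendation 2 above is easy to do by hand for one site but not for dozens. The following is an added example (not SecurityHQ's code, and not part of the WPGateway advisory) of the check run against the WordPress database itself, using an in-memory SQLite copy so it runs offline. It relies on how WordPress stores roles: serialized capabilities in the usermeta table under the key `<table prefix>capabilities`, assumed here to be the default `wp_` prefix. The user rows are constructed for the example; only the `rangex` username comes from the advisory.

```python
import sqlite3

# Published IOC from the advisory: a rogue administrator named "rangex".
IOC_ADMIN_LOGINS = {"rangex"}

# Constructed rows imitating a WordPress database with the default "wp_" prefix.
# WordPress stores roles as a PHP-serialized array in usermeta under
# "<prefix>capabilities"; these two literals are what that looks like.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
EDITOR_CAPS = 'a:1:{s:6:"editor";b:1;}'
SAMPLE_USERS = [
    (1, "siteowner",   "owner@example.invalid",   "2019-03-02 10:00:00", ADMIN_CAPS),
    (2, "editor_jane", "jane@example.invalid",    "2020-07-14 09:30:00", EDITOR_CAPS),
    (3, "rangex",      "rangex@example.invalid",  "2022-09-09 03:12:45", ADMIN_CAPS),
    (4, "wpsupport",   "support@example.invalid", "2022-09-10 02:48:10", ADMIN_CAPS),
]


def build_sample_db() -> sqlite3.Connection:
    """Stand-in for a real wp_users / wp_usermeta pair (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    for uid, login, email, registered, caps in SAMPLE_USERS:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)", (uid, login, email, registered))
        conn.execute(
            "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, 'wp_capabilities', ?)",
            (uid, caps))
    conn.commit()
    return conn


# The same query works against MySQL/MariaDB once the prefix is adjusted.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""


def list_admins(conn: sqlite3.Connection) -> list[dict]:
    cols = ("ID", "user_login", "user_email", "user_registered")
    return [dict(zip(cols, row)) for row in conn.execute(ADMIN_QUERY)]


def find_suspicious_admins(conn, approved_logins, ioc_logins=IOC_ADMIN_LOGINS) -> list[dict]:
    """Flag administrators that match a published IOC or are simply not on
    the site's approved list; the second rule catches renamed rogue accounts."""
    suspicious = []
    for admin in list_admins(conn):
        login = admin["user_login"]
        if login in ioc_logins:
            reason = "matches published IOC username"
        elif login not in approved_logins:
            reason = "administrator not in approved list"
        else:
            continue
        suspicious.append({**admin, "reason": reason})
    return suspicious


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_suspicious_admins(db, approved_logins={"siteowner"}):
        print(f"{hit['user_login']} ({hit['user_registered']}): {hit['reason']}")
```

Keying the check on the approved list rather than on the single username matters: an attacker who reads the same advisory can pick any other name, so "administrator I did not create" is the durable signal, with the registration timestamp giving the timeline for the incident response.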

Google Released a Patch to Fix High Severity Zero-Day Vulnerability in Chrome Exploited in the Wild

Threat Reference: Global

Risks: Zero-Day

Advisory Type: Zero-Day Exploits

Priority: Standard

Google has released Chrome version 105.0.5195.102 for the Windows, Mac, and Linux operating systems to fix a high-severity zero-day vulnerability exploited in the wild.

Recommendation

  • Update Google Chrome to the latest released version.
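Confirming that a fleet is at or above 105.0.5195.102 is where a common mistake hides: comparing dotted versions as strings, where "105.0.5195.99" sorts after "105.0.5195.102". The following is an added example (not SecurityHQ's code) that parses the version numerically and reports which hosts are still below the fixed build. The inventory and its version strings are constructed for the example; the only value taken from the advisory is the fixed version itself.

```python
import re

# Version that the advisory names as fixing the exploited zero-day.
FIXED_CHROME_VERSION = "105.0.5195.102"

# Chrome versions are four numeric components separated by dots.
VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the dotted version from text such as 'Google Chrome 105.0.5195.52'
    and return it as a tuple of ints so comparison is numeric per component."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


# Constructed inventory: host -> the browser's reported version string, as a
# software-inventory agent or `--version` call might collect it. Made up values.
SAMPLE_INVENTORY = {
    "ws-finance-01": "Google Chrome 105.0.5195.52",
    "ws-finance-02": "Google Chrome 105.0.5195.102",
    "ws-dev-07": "Google Chrome 104.0.5112.101",
    "ws-dev-09": "Google Chrome 105.0.5195.125",
}


def hosts_needing_update(inventory: dict[str, str], fixed: str = FIXED_CHROME_VERSION) -> list[str]:
    return sorted(host for host, reported in inventory.items() if needs_update(reported, fixed))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_CHROME_VERSION}")
```

The same tuple comparison applies to the Apple and Microsoft items in this report: any "is this host patched?" check should compare parsed components, never the raw strings.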

Microsoft Released September 2022 Patch Tuesday for 63 Flaws Including 5 Zero-Days

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released the September 2022 Patch Tuesday update to fix 63 vulnerabilities, which include 5 Critical severity vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution (RCE) and Privilege Escalation.

Notable Vulnerabilities in:

• Windows Common Log File System Driver Elevation of Privilege Vulnerability.

• Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability.

Affected Products:

• .NET and Visual Studio

• .NET Framework

• Azure Arc

• Cache Speculation

• HTTP.sys

• Microsoft Dynamics

• Microsoft Edge (Chromium-based)

• Microsoft Graphics Component

• Microsoft Office

• Microsoft Office SharePoint

• Microsoft Office Visio

• Microsoft Windows ALPC

• Microsoft Windows Codecs Library

• Network Device Enrolment Service (NDES)

• Role: DNS Server

• Role: Windows Fax Service

• SPNEGO Extended Negotiation

• Visual Studio Code

• Windows Common Log File System Driver

• Windows Credential Roaming Service

• Windows Defender

• Windows Distributed File System (DFS)

• Windows DPAPI (Data Protection Application Programming Interface)

• Windows Enterprise App Management

• Windows Event Tracing

• Windows Group Policy

• Windows IKE Extension

• Windows Kerberos

• Windows Kernel

• Windows LDAP – Lightweight Directory Access Protocol

• Windows ODBC Driver

• Windows OLE

• Windows Photo Import API

• Windows Print Spooler Components

• Windows Remote Access Connection Manager

• Windows Remote Procedure Call

• Windows TCP/IP

• Windows Transport Security Layer (TLS)

Recommendations

  1. Keep applications and operating systems running at the current released patch level.
  2. Run software with the least privileges.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here.

Or if you suspect a security incident, you can report an incident here.