Monthly Advisory • 10 MIN READ
July Threat Advisory – Top 5
by Eleanor Barlow • Jul 2022
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of July 2022.
New Ransomware APT group dubbed “RedAlert” targeting Windows and Linux VMware ESXi Servers.
Threat Reference: Global
Risks: Ransomware
Advisory Type: Threats
Priority: Standard
Security researchers observed a new ransomware attack known as RedAlert or “N13V” encrypting Windows and Linux VMWare servers in corporate networks.
Initially, a Linux encryptor is created to target VMware ESXi servers with command-line options that allow the actors to shut down any running virtual machines before encrypting files. Then, the threat actors utilize NTRUEncrypt public-key encryption algorithm for encryption and encrypts log files, swap files, virtual disks and memory files appending a .crypt658 extension.
The ransomware drops a custom ransom note named HOW_TO_RESTORE, containing details of stolen data, with a link to a ransom payment site for the victim.
Recommendation
1. Deploy Endpoint Detection & Response (EDR) tools to detect latest malware and suspicious activities on endpoints.
2. Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans so that your operating systems operate efficiently.
3. Use robust access management to restrict unwarranted access and reduce the number of access points through which malware can enter your organization/Network.
4. Train your employees on how to identify and avoid ransomware pitfalls. Watch this video for tips and tricks to protect employees.
Newly Discovered Malware Used by APT Groups to Backdoor Microsoft Exchange Servers.
Threat Reference: Global
Risks: Malware/Backdoor
Advisory Type: Threats
Priority: Standard
The malware known as SessionManager is a newly discovered malware used by APT groups to backdoor Microsoft Exchange Servers. SessionManager can drop and manage arbitrary files, conduct remote code execution and gain connection to the endpoints of victim’s systems and manipulate network traffic.
Recommendation
1. Deploy Endpoint Detection & Response (EDR) tools to detect latest malware and suspicious activities on endpoints.
2. Update the Anti-malware solutions at endpoint and perimeter level solutions to include the mentioned IOCs.
3. Analyse Endpoint solutions – EDR, AV, Email Anti-malware solution logs for the presence of mentioned IOCs.
4. Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
5. Provide phishing awareness training to your employees/contractors.
Adobe Patches Multiple Critical Vulnerabilities in X4 Adobe Products.
Threat Reference: Global
Risks: Arbitrary Code Execution
Advisory Type: Updates/Patches
Priority: Standard
Adobe released security updates to patch Multiple critical vulnerabilities in 4 of their products.
Affected Products include Adobe Acrobat and Reader, Adobe Photoshop, Adobe After Effects, and Adobe Commerce.
Successful exploitation of these vulnerabilities could result in Arbitrary Code Execution.
Recommendation
- Update concerned products with the latest available versions/Patch level.
Cisco has Released Patch to Fix Critical and High Vulnerabilities in Multiple Cisco Products.
Threat Reference: Global
Risks: Arbitrary Code Execution, Denial of Service and Null Byte Poisoning.
Advisory Type: Updates/Patches
Priority: Standard
Cisco has released patches for critical and high vulnerabilities that can allow an attacker to overwrite arbitrary files or conduct null byte poisoning attacks on the affected device.
The following list provides some important vulnerabilities and their level of criticality.
- Critical – Cisco Expressway Series and Cisco TelePresence VCS Arbitrary File Overwrite Vulnerability.
- Critical – Cisco Expressway Series and Cisco TelePresence VCS Null Byte Poisoning Vulnerability.
- High – Cisco Smart Software Manager On-Prem Denial of Service Vulnerability.
- Medium – Cisco Unified Communications Products Timing Attack Vulnerability.
Recommendation
- Update the affected products to their latest available versions/patch level.
Microsoft Released July 2022 Patch Tuesday for 84 Vulnerabilities Including x1 Zero Day.
Threat Reference: Global
Risks: Remote Code Execution, Privilege Escalation, Denial of Service, Security Feature Bypass
Advisory Type: Updates/Patches
Priority: Standard
Microsoft released their July 2022 Patch Tuesday, to fix 84 vulnerabilities. This includes x4 Critical vulnerabilities, 80 Important vulnerabilities, including one Zero-day vulnerability. Successful exploitation of these vulnerabilities could result in Remote Code Execution (RCE), Denial of Service (DoS) and Privilege Escalation, as well as Security Feature Bypass.
Affected Products include AMD CPU Branch, Azure Site Recovery, Azure Storage Library, Microsoft Defender for Endpoint, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office, Open-Source Software, Role: DNS Server, Role: Windows Fax Service, Role: Windows Hyper-V, Skype for Business and Microsoft Lync, Windows Active Directory, Windows Advanced Local Procedure Call, Windows BitLocker, Windows Boot Manager, Windows Client/Server Runtime Subsystem, Windows Connected Devices Platform Service, Windows Credential Guard, Windows Fast FAT Driver, Windows Fax and Scan Service, Windows Group Policy, Windows IIS, Windows Kernel, Windows Media, Windows Network File System, Windows Performance Counters, Windows Point-to-Point Tunnelling Protocol, Windows Portable Device Enumerator Service, Windows Print Spooler Components, Windows Remote Procedure Call Runtime, Windows Security Account Manager, Windows Server Service, Windows Shell, Windows Storage, Xbox .
Notable Vulnerabilities and their level of criticality:
- Critical – Windows Graphics Component Remote Code Execution Vulnerability.
- Critical – Windows Network File System Remote Code Execution Vulnerability.
- Critical -Windows Network File System Remote Code Execution Vulnerability.
- Critical – Remote Procedure Call Runtime Remote Code Execution Vulnerability.
- Important – Azure Site Recovery Elevation of Privilege Vulnerability.
- Important -Windows Security Account Manager (SAM) Denial of Service Vulnerability.
Recommendation for Permanent Fix
• Keep applications and operating systems running at the current released patch level.
• Run software with the least privileges.
Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here.
Or if you suspect a security incident, you can report an incident here.