VERT’s Cybersecurity News for the Week of September 26, 2022


All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of September 26th, 2022. I’ve also included some comments on these stories.

Sophos Firewall Zero-Day Exploited in Attacks on South Asian Organizations

UK-based cybersecurity company Sophos has warned customers that a new zero-day vulnerability affecting some of its firewall products has been exploited in attacks, SecurityWeek reports. According to an advisory published on Friday, version 19.0 MR1 (19.0.1) and older of Sophos Firewall are affected by a critical vulnerability that can be exploited for remote code execution.

Sophos Firewall was subject to a zero day that affected versions 19.0 MR1 and prior. This vulnerability allowed attackers to execute code on vulnerable systems. The vulnerability was located in the User Portal and Webadmin components. Sophos has released a patch to fix this issue. It is also recommended to not have the User Portal and Webadmin interface exposed to the internet.

Windows 11 22H2 blocked due to blue screens on some Intel systems

Microsoft is now blocking the Windows 11 22H2 update from being offered on some systems with Intel Smart Sound Technology (SST) audio drivers. The company also put a safeguard hold in place because this known issue triggers blue screens of death (BSODs) on affected systems, BleepingComputer notes.

Be cautious when upgrading to Windows 11 22H2. This update has been known to cause the BSOD on certain systems with Intel Smart Sound Technology audio drivers. This issue exists because there is an incompatibility issue with the Intel Smart Sound Technology on 11th Gen Core processors and Windows 11. It is recommended to not force the update with the Media Creation Tool because this would cause systems to blue screen. Intel Smart Sound Technology Audio Controller with a file name of IntcAudioBus.sys with version 10.29.0.5152 or version 10.30.0.5152 contain this issue. This issue may be patched on your system if you’re running version 10.30.0.5714 or version 10.29.0.5714.

New Microsoft Exchange zero-days actively exploited in attacks

BleepingComputer reports that threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks.

Microsoft Exchange is subject to several zero-day vulnerabilities. Security researchers at GTSC noticed bugs that would allow remote code execution. Attackers have been chaining these vulnerabilities to deploy Chinese Chopper web shells. These vulnerabilities have been verified by Zero Day initiative and are being tracked as ZDI-CAN-18333 and ZDI-CAN-1880.

There are two stages to executing code on a vulnerable system:
1. Malicious requests to the ProxyShell (not possible on fully patched systems)
2. Use the previous requests to gain access to the backend to execute code

GTSC suggests that a new rule using the URL Rewrite Rule module could mitigate these vulnerabilities. They suggest blocking requests to the Autodiscover on the Frontend by adding the string “.*autodiscover.json.*@.*Powershell.*“ to the URL Path and using the condition of {REQUEST_URI}.

Keep in Touch with Tripwire VERT

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.

Previous VERT Cybersecurity News Roundups



Source link