Cyber Month in Review

OpenSSL Vulnerabilities, Azov Ransomware, Citrix ADC & Gateway Auth Bypass, CISA guidance on MFA and .NET Core 3.1 End of Life

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

    • NCSC Scanning UK Vulnerabilities

    • OpenSSL Vulnerabilities

    • Azov Ransomware

    • Citrix ADC & Gateway Auth Bypass

    • CISA guidance on MFA

    • .NET Core 3.1 End of Life next month!

    • Patch Tuesday (MoTW Bypass fixed)

The security world is constantly moving and evolving, with vulnerabilities, breaches and new guidance released daily. The volume and complexity can sometimes be overwhelming and challenging to keep track of, so let’s use this article to help summarise some of this month’s highlights so that we can be more cyber-aware.

NCSC Scanning UK Vulnerabilities

The UK’s National Cyber Security Centre (NCSC) has launched its new internet scanning capability this month in an attempt to create a ‘vulnerability view of the UK’ and identify vulnerabilities on all internet-exposed devices hosted in the UK.

The NCSC have stated, “These activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact” with the collected data further being used to “create an overview of the UK’s exposure to vulnerabilities and track their remediation over time”.
All activity is performed using freely available networking tools, with all connections being made from one of two IP addresses:

    • 18.171.7.246

    • 35.177.10.231

Both IP addresses are assigned to scanner.scanning.service.ncsc.gov.uk.

What Should I Do?

Whilst the scanning activities are conducted safely with senior technical professionals involved, users can opt out of having their servers scanned by contacting scanning@ncsc.gov.uk with a list of the IP addresses they want excluded.

OpenSSL Vulnerabilities

This month, two high-severity stack buffer overflow vulnerabilities were discovered and patched in OpenSSL. Identified as CVE-2022-3602 and CVE-2022-3786, both affect OpenSSL versions 3.0.0 through 3.0.6 and were patched in 3.0.7.

Exploiting these vulnerabilities, via a maliciously crafted email address that triggers the buffer overflow, can cause a denial of service or potentially lead to remote code execution. Whilst CVE-2022-3602 in particular was originally disclosed as ‘CRITICAL’, post-advisory feedback revealed other factors that restrict exploitation, such as the stack overflow protections implemented in many modern platforms, which mitigate the risk of RCE.

Because these factors make the vulnerability less exploitable in practice, its severity has been revised to ‘HIGH’, in line with its counterpart.

What Should I Do?

Despite the downgrade, the severity is still serious enough that CISA (the US Cybersecurity & Infrastructure Security Agency) have released an advisory encouraging all users and administrators to review their networks for any instances of OpenSSL 3.0.0 to 3.0.6 and upgrade to 3.0.7 as soon as possible to mitigate the threat.
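As an added example (not from the article or from the OpenSSL project), this is the version check the CISA advice implies: parse captured `openssl version` banners from an inventory and flag any build in the 3.0.0 to 3.0.6 range. The host names and banners are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range from the OpenSSL advisory: 3.0.0 through 3.0.6, fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# First line of `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022"; the optional
# letter suffix covers the 1.1.1 series ("OpenSSL 1.1.1q  5 Jul 2022").
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify(banner: str) -> str:
    """AFFECTED for 3.0.0-3.0.6, OK for any other parseable version, else UNKNOWN."""
    v = parse_version(banner)
    if v is None:
        return "UNKNOWN"  # e.g. command missing on the host; needs a manual look
    return "AFFECTED" if AFFECTED_MIN <= v <= AFFECTED_MAX else "OK"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a host -> banner inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: host name -> captured `openssl version` output.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
    "appliance-09": "sh: openssl: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:<14}{status}")
```

The banner only reports the system-installed library; software that bundles its own OpenSSL copy (containers, vendor appliances, statically linked binaries) has to be checked separately.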

You can find more information on these vulnerabilities on the OpenSSL vulnerabilities page (/news/vulnerabilities.html at openssl.org), with the post-advisory review details in the OpenSSL blog post: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows – OpenSSL Blog.

Azov Ransomware

A new data wiper named ‘Azov Ransomware’ has been seen being heavily distributed this month. Unlike ransomware, which encrypts a victim’s data intending to deny access until a ransom is paid, a data wiper aims to cause permanent loss or destruction of the data instead, with no provided means of recovery.

Distributed using the ‘SmokeLoader’ malware botnet, the wiper scans all drives and encrypts every file that does not have an .exe, .dll or .ini extension, appending the .azov extension to the encrypted filenames. Instead of contact information or a means to recover the data, a note is left that attempts to frame several known cyber security researchers by falsely claiming users should contact them for instructions on how to recover the files.

What Should I Do?

The attack is most commonly distributed via pirated/cracked software that pretends to encrypt the victim’s files. It’s important to ensure your users understand the importance of installing only trusted software, and to implement application control where possible so that all installed software goes through a ‘vetting’ process.

Further guidance on mitigating against malware and ransomware attacks can be found here: 

Mitigating malware and ransomware attacks – NCSC.GOV.UK

With more information about Azov located here: 

Azov Ransomware – Decryption, removal, and lost files recovery (updated) (pcrisk.com)

Citrix ADC & Gateway Auth Bypass

Citrix released an advisory urging its customers to install security updates for a critical authentication bypass vulnerability. The update, which applies to Citrix ADC and Citrix Gateway, also remediates two further vulnerabilities: one allowing remote desktop takeover via phishing and the other allowing a bypass of the user login brute-force protection functionality.

With Rapid7 (a well-known provider of security data and analytics solutions) repeatedly observing attacker interest in high-value targets such as Citrix, these appliances tend to be exploited very quickly once a flaw is public. This makes it all the more important for users to review whether they are affected and, if so, patch right away.

What Should I Do?

The bulletin only applies to customer-managed Citrix ADC and Gateway appliances, so there’s no action for customers using Citrix-managed cloud services. To read more about the vulnerabilities and the affected versions, please visit the Citrix advisory located here: Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510 CVE-2022-27513 and CVE-2022-27516.

CISA guidance on MFA

The Cybersecurity and Infrastructure Security Agency in the US (CISA) has published additional guidance for organisations on multi-factor authentication (MFA). Recent breaches have been attributed to MFA fatigue and other MFA bypass techniques, such as Uber’s breach detailed in our September review. It is strongly recommended that IT admins review their current methodology and implement phishing-resistant MFA to protect themselves against phishing and other known threats, which will only increase.

What Should I Do?

The first of the two factsheets in the CISA notice below lists the different MFA types from strongest to weakest, and the second discusses the risks around ‘push fatigue’ and how measures such as number matching can help reduce this risk. The guidance linking to these two factsheets can be found here: CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication | CISA

.NET Core 3.1 End of Life next month!

Microsoft have warned users that the long-term support (LTS) release of .NET Core 3.1 will reach end of support on December 13, 2022. Customers are therefore urged to upgrade as soon as possible so that their apps continue to receive security patches: either to .NET 7, which will be supported for 18 months, or to .NET 6 (LTS).

What Should I Do?

You can find details on finding and upgrading your .NET installations in the Microsoft article here: .NET Core 3.1 will reach End of Support on December 13, 2022 – .NET Blog (microsoft.com).

It is also important to note that the upgrade may include breaking changes that affect you. The .NET 6 compatibility guide should be consulted beforehand here: Breaking changes in .NET 6 – .NET | Microsoft Learn, with .NET 7’s compatibility guide here: Breaking changes in .NET 7 – .NET | Microsoft Learn.
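Finding the projects that still need this upgrade is mostly a matter of reading project files. As an added example (not from the article or from Microsoft), the check below pulls every target framework out of a .csproj, whether single- or multi-targeted and whether SDK-style or old-style with the MSBuild namespace, and flags any that still declare netcoreapp3.1. The sample project files are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List

# Target Framework Moniker (TFM) of .NET Core 3.1, out of support on 13 December 2022.
EOL_TFM = "netcoreapp3.1"


def _local(tag: str) -> str:
    # Strip any XML namespace: old-style projects use the MSBuild 2003 namespace,
    # SDK-style projects use none, and both must be matched.
    return tag.rsplit("}", 1)[-1]


def target_frameworks(csproj_xml: str) -> List[str]:
    """Return every TFM a .csproj declares, covering single and multi-targeting."""
    tfms: List[str] = []
    for elem in ET.fromstring(csproj_xml).iter():
        name = _local(elem.tag)
        text = (elem.text or "").strip()
        if name == "TargetFramework" and text:
            tfms.append(text)
        elif name == "TargetFrameworks" and text:
            # Multi-targeted projects list TFMs separated by semicolons.
            tfms.extend(t.strip() for t in text.split(";") if t.strip())
    return tfms


def needs_upgrade(csproj_xml: str) -> bool:
    """True when the project still targets .NET Core 3.1 and must move to .NET 6 or 7."""
    return EOL_TFM in target_frameworks(csproj_xml)


# Constructed sample project files (not taken from any real repository).
SDK_STYLE_31 = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
</Project>"""

MULTI_TARGET = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>netcoreapp3.1;net6.0</TargetFrameworks>
  </PropertyGroup>
</Project>"""

UPGRADED = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for label, xml in (("sdk_31", SDK_STYLE_31), ("multi", MULTI_TARGET), ("upgraded", UPGRADED)):
        print(f"{label:<10}{'needs upgrade' if needs_upgrade(xml) else 'ok'}")
```

A multi-targeted project is flagged as well, since dropping the netcoreapp3.1 entry is part of the upgrade; the runtime installed on hosts that run the apps needs the same review.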

Patch Tuesday (MoTW Bypass fixed)

This month’s Patch Tuesday released patches for 62 vulnerabilities, nine of them rated critical. Whilst not among the critical ones, one vulnerability fixed was a bug that prevented Mark of the Web (MoTW) flags from propagating to files, allowing attackers to bypass MoTW, “resulting in a limited loss of integrity and availability of security features such as Protected View”.

For those who don’t know, Mark of the Web is a security feature that flags files originating from the internet, ensuring that such files are opened in Protected View in Microsoft Office and that the user is prompted with a warning to confirm the document is trusted. This final step is a helpful last resort that saves many users from phishing/malware attacks.

What Should I Do?

With the vulnerability being exploited in the wild, this update has likely proven to be a damaging blow against attackers, but only so far as businesses install the patch! Patch Tuesday is an essential date for any security-minded IT admin. You should establish a process for installing patches as soon as possible, and no later than 14 days after release, to maintain your network security.

You can find more details on the MoTW vulnerability in particular here: Microsoft fixes Windows zero-day bug exploited to push malware (bleepingcomputer.com), with the higher-level Patch Tuesday details here: Microsoft patches 62 vulnerabilities, including Kerberos, and Mark of the Web, and Exchange…sort of – Sophos News.

Conclusion

With .NET Core 3.1’s end of life and the OpenSSL vulnerabilities being patched, there are some important actions required from IT admins this month. Thankfully, the NCSC’s scanning project and CISA’s new MFA guidance show that security professionals are not alone, but we should ensure such guidance is acted on to protect our networks and ensure continual improvement. As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. You should be aware of and research VMware’s critical auth bypass in Workspace ONE, F5’s RCE flaws in BIG-IP and BIG-IQ, Kaspersky’s VPN withdrawal from Russia, and Atlassian’s critical command injection bug.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts, which helps protect your business and keep you cyber-aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture. Book your consultation today.
