CyFlare System Status Page
Monitoring - Posted Date: 9/16/2022
Published Date:
Source(s): Vectra.AI
Sector: Security Vulnerability
Reported by: Vectra Protect Team
Date(s) Issued:
Subject: An attack path was discovered that would enable malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in
OVERVIEW: Malicious actors can exploit a vulnerability in the current Microsoft Teams application that could allow access to authentication tokens, and through them to accounts, even with multi-factor authentication enabled.
SYSTEMS AFFECTED:
• Windows Operating Systems (all versions)
• Linux Operating Systems (all versions)
• macOS (all versions)

RISK:
Anyone who is currently using the Microsoft Teams desktop application
THREAT SUMMARY:
In August 2022, the Vectra Protect team discovered an attack path that would give malicious actors access to authentication tokens and accounts even with multi-factor authentication enabled. Microsoft Teams is an Electron app, and the issue stems from the fact that Electron does not support encryption or protected file locations for this data. The Vectra Protect Team found that the Microsoft Teams application stores access tokens in clear text in an “ldb” file, and stores valid authentication tokens, account information, session data and marketing tags in the “Cookies” folder. While this vulnerability is severe, exploiting it requires a malicious actor to already have access to the internal network, specifically to the file system of a machine where a user is signed in.

A Microsoft spokesperson has stated that this does not meet the bar for immediate servicing, as it requires an attacker to already have access to a target network.


Mitigations:
Currently the only recommended mitigation is to use the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect against token leaks.


Indicators of Compromise:
Any process other than Teams.exe attempting to access the following file paths:
• [Windows] %AppData%\Microsoft\Teams\Cookies
• [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
• [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
• [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
• [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
• [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
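One way to check file-access telemetry against the token-store paths listed above, as an added example that is not Vectra's or CyFlare's tooling. The event layout (a dict with "os", "process" and "path") and the macOS/Linux process name of the Teams client are assumptions.

```python
"""Flag file-access events that touch the Microsoft Teams token stores.

Added example for this advisory; it is not CyFlare's or Vectra's tooling.
The event layout (a dict with "os", "process" and "path") is an assumption,
as is the macOS/Linux process name treated as the legitimate Teams client.
"""
import ntpath
import posixpath
from typing import List, Optional, Tuple

# Token-store paths from the advisory's Indicators of Compromise, keyed by OS.
TEAMS_TOKEN_PATHS = {
    "windows": [
        r"%AppData%\Microsoft\Teams\Cookies",
        r"%AppData%\Microsoft\Teams\Local Storage\leveldb",
    ],
    "macos": [
        "~/Library/Application Support/Microsoft/Teams/Cookies",
        "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb",
    ],
    "linux": [
        "~/.config/Microsoft/Microsoft Teams/Cookies",
        "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb",
    ],
}

# Process names allowed to read the stores. The advisory names Teams.exe on
# Windows; the macOS/Linux binary name "teams" is an assumption.
ALLOWED_PROCESSES = {"windows": {"teams.exe"}, "macos": {"teams"}, "linux": {"teams"}}


def _normalize(path: str, os_name: str) -> str:
    """Canonicalize separators; Windows paths compare case-insensitively."""
    if os_name == "windows":
        return ntpath.normpath(path).lower()
    return posixpath.normpath(path)


def matches_token_store(path: str, os_name: str) -> Optional[str]:
    """Return the IoC path that `path` is, or lies beneath, else None.

    The %AppData% / ~ prefix is dropped so the IoC matches as a path suffix
    regardless of which user profile the event came from.
    """
    norm = _normalize(path, os_name)
    sep = "\\" if os_name == "windows" else "/"
    prefix_len = len("%AppData%") if os_name == "windows" else len("~")
    for ioc in TEAMS_TOKEN_PATHS[os_name]:
        rel = _normalize(ioc[prefix_len:], os_name)
        if norm.endswith(rel) or (rel + sep) in norm:
            return ioc
    return None


def suspicious_events(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (process, path, ioc) for every non-Teams access to a token store."""
    hits = []
    for ev in events:
        os_name = ev["os"]
        ioc = matches_token_store(ev["path"], os_name)
        if ioc is None:
            continue
        base = ntpath.basename if os_name == "windows" else posixpath.basename
        if base(ev["process"]).lower() in ALLOWED_PROCESSES[os_name]:
            continue
        hits.append((ev["process"], ev["path"], ioc))
    return hits


# Constructed sample events: one legitimate Teams read, three foreign readers,
# and one unrelated Teams file that must not trigger.
SAMPLE_EVENTS = [
    {"os": "windows", "process": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"os": "windows", "process": r"C:\Users\alice\Downloads\sqlite3.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log"},
    {"os": "macos", "process": "/usr/bin/python3",
     "path": "/Users/alice/Library/Application Support/Microsoft/Teams/Cookies"},
    {"os": "linux", "process": "/usr/bin/vim",
     "path": "/home/bob/.config/Microsoft/Microsoft Teams/Local Storage/leveldb/MANIFEST-000001"},
    {"os": "windows", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Backgrounds\office.png"},
]

if __name__ == "__main__":
    for proc, path, ioc in suspicious_events(SAMPLE_EVENTS):
        print(f"ALERT {proc} read {path} (IoC: {ioc})")
```

Matching on the process name alone is a weak allowlist (a renamed binary passes it), so a production rule should also check the image path or code signature of the reader.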


CyFlare Actions Taken:
• Stellar Cyber – BDS: The SOC has created a global ATH rule in order to detect any access to the file paths listed in the indicators of compromise.
• SentinelOne: A custom STAR query is being implemented to detect abnormal access to the file paths listed in the indicators of compromise section.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with ‘OTX Pulses’, i.e. the information available on related indicators observed by both the vendor and the community.

Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.

Reference Links:

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
https://www.darkreading.com/vulnerabilities-threats/token-mining-weakness-microsoft-teams-perfect-phish


Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Sep 16, 2022 - 23:01 EDT
Monitoring - Posted Date: 9/6/2022

Source(s): US Cybersecurity and Infrastructure Agency (CISA)

Sector: Security Vulnerability

Reported by: CISA

Date(s) Issued: 03 September 2022

Subject: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

OVERVIEW
Threat actors can exploit a bug in the PAN-OS operating system that runs the firewalls, gaining the ability to launch DDoS attacks.

SYSTEMS AFFECTED:
PAN-OS operating systems

RISK:
Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.

THREAT SUMMARY:

A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.

To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator.

If exploited, this issue would not impact the confidentiality, integrity, or availability of the Palo Alto Networks products themselves. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack.

Mitigation:

For the newly exploited PAN-OS bug, patches are available in the following versions:
• PAN-OS 8.1.23-h1
• PAN-OS 9.0.16-h3
• PAN-OS 9.1.14-h4
• PAN-OS 10.0.11-h1
• PAN-OS 10.1.6-h6
• PAN-OS 10.2.2-h2
• And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.

To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, you can configure your Palo Alto Networks firewalls by enabling one of two zone protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile:

1. Packet-based attack protection including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open)

OR

2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
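An audit of a policy model for the two conditions above (the exploitable rule shape from the threat summary, and whether each in-scope zone carries one of the two zone-protection mitigations), as an added example. It is not Palo Alto Networks' or CyFlare's code, and the dict model is an assumption, not the PAN-OS configuration format.

```python
"""Audit a firewall policy model for the CVE-2022-0028 exposure and mitigations.

Added example; it is not Palo Alto Networks' or CyFlare's code, and the dict
model below is an assumption, not the PAN-OS configuration format. It encodes
the two conditions from the advisory: the exploitable rule shape (a URL
filtering profile with blocked categories on a rule whose source zone has an
external-facing interface) and the two zone-protection mitigations.
"""
from typing import Dict, List, Set


def exposed_rules(rules: List[dict], zones: Dict[str, dict], url_profiles: Dict[str, dict]) -> List[str]:
    """Names of rules matching the exploitable configuration."""
    found = []
    for rule in rules:
        profile = url_profiles.get(rule.get("url_filtering") or "")
        if not profile or not profile["block"]:
            continue  # no URL filtering, or alert-only: not the exploitable shape
        if any(zones[z]["external_facing"] for z in rule["from"]):
            found.append(rule["name"])
    return found


def zones_needing_protection(rules: List[dict]) -> Set[str]:
    """Source zones of every rule carrying any URL filtering profile (the advisory's scope)."""
    return {z for r in rules if r.get("url_filtering") for z in r["from"]}


def zone_mitigated(zp: dict) -> bool:
    """True if either mitigation from the advisory is fully enabled on the zone."""
    packet_based = zp["tcp_syn_with_data_drop"] and zp["strip_tcp_fast_open"]
    syn_cookie = zp["syn_cookie"] and zp["syn_activation_threshold"] == 0
    return packet_based or syn_cookie


def audit(rules, zones, url_profiles, zone_protection) -> dict:
    """Return the exposed rules and the in-scope zones still lacking a mitigation."""
    unmitigated = sorted(
        z for z in zones_needing_protection(rules) if not zone_mitigated(zone_protection[z])
    )
    return {"exposed_rules": exposed_rules(rules, zones, url_profiles), "unmitigated_zones": unmitigated}


# Constructed sample policy.
ZONES = {"untrust": {"external_facing": True}, "trust": {"external_facing": False}}
URL_PROFILES = {"block-malware": {"block": ["malware", "phishing"]}, "alert-only": {"block": []}}
RULES = [
    {"name": "inbound-web", "from": ["untrust"], "url_filtering": "block-malware"},   # exploitable
    {"name": "outbound-users", "from": ["trust"], "url_filtering": "block-malware"},  # internal source
    {"name": "inbound-alert", "from": ["untrust"], "url_filtering": "alert-only"},    # nothing blocked
    {"name": "inbound-plain", "from": ["untrust"], "url_filtering": None},
]
# Weak: no zone has a complete mitigation (trust has SYN cookies, but not at threshold 0).
WEAK_ZONE_PROTECTION = {
    "untrust": {"tcp_syn_with_data_drop": False, "strip_tcp_fast_open": False, "syn_cookie": False, "syn_activation_threshold": 1000},
    "trust": {"tcp_syn_with_data_drop": False, "strip_tcp_fast_open": False, "syn_cookie": True, "syn_activation_threshold": 100},
}
# Corrected: SYN cookies at threshold 0 on untrust, packet-based drops on trust.
FIXED_ZONE_PROTECTION = {
    "untrust": {"tcp_syn_with_data_drop": False, "strip_tcp_fast_open": False, "syn_cookie": True, "syn_activation_threshold": 0},
    "trust": {"tcp_syn_with_data_drop": True, "strip_tcp_fast_open": True, "syn_cookie": False, "syn_activation_threshold": 1000},
}

if __name__ == "__main__":
    print(audit(RULES, ZONES, URL_PROFILES, WEAK_ZONE_PROTECTION))
    print(audit(RULES, ZONES, URL_PROFILES, FIXED_ZONE_PROTECTION))
```
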
Developing Situation:

The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.

Reference Links:
https://nvd.nist.gov/vuln/detail/CVE-2022-0028
https://www.darkreading.com/vulnerabilities-threats/cisa-palo-alto-firewall-bug-active-exploit
https://security.paloaltonetworks.com/CVE-2022-0028

Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Sep 06, 2022 - 09:48 EDT
Update - Just a reminder that starting next week on 9/7/22, we will begin the migration process. Please ensure the aforementioned firewall rules are put in place if outbound communications are restricted. Of course, as always, if you have any issues or questions, please contact your customer success manager or the SOC using the methods below:

1. Create a ticket at https://login.socportal.cloud/
2. Email us at socir@cyflare.com
3. Contact your Customer Success Manager directly
4. Call us at 877-729-3527

Sep 02, 2022 - 14:24 EDT
Monitoring - Dear customer,

At CyFlare, our goal is to protect you 100% of the time. Therefore, in an ongoing effort to enhance our resilience, we will strengthen our cloud infrastructure and architecture. These infrastructure changes will go into effect on September 7, 2022. Customers will be migrated in batches between September 7 and September 30.

When Will the Changes Go Into Effect?
The infrastructure changes will go into effect on September 7, 2022

What Does It Mean For Me?
Between September 7 and September 30, CyFlare will migrate your account to our new infrastructure. Therefore, we ask that you make the following changes before September 7 on your end to ensure no loss of service:

New Firewall Rules To Be Added (do not remove old rules)

The following BDS Firewall Rules will be needed to allow your appliances and the security sensors to communicate outbound. No inbound ports or rules need to be configured.

A. Outbound From the appliance Static IP:

● To destination IP address 91.189.89.90 over TCP port 80
● To destination IP address 91.189.90.173 over TCP port 80

B. Outbound from the sensor and Linux Agent static IP:

Addresses to be added
● 6640-6648 TCP to cm-cyflare.stellarcyber.cloud, 141.148.147.188
● 8443 TCP to cm-cyflare.stellarcyber.cloud, 141.148.147.188
● 8888 TCP to receiver-cyflare.stellarcyber.cloud, 152.70.135.38
● 8472 UDP to 54.176.232.64
● 4789 UDP to 54.176.232.64

C. Outbound from any Windows Servers with SIEM agents deployed:

● TCP on port 8888 to receiver-cyflare.stellarcyber.cloud, 152.70.135.38
● TCP on port 8443 to cm-cyflare.stellarcyber.cloud, 141.148.147.188
● TCP on ports 6640-6648 to cm-cyflare.stellarcyber.cloud, 141.148.147.188

NOTE: IP addresses are provided in case your firewall will not allow an FQDN. Use FQDN where allowed.


After the migration, you will need to use this link to access the XDR Management Platform: https://cyflare.stellarcyber.cloud. Your credentials will remain the same.

What If I Have Questions or Concerns?
Please reach out to us with any questions in the following ways:

1. Create a ticket at https://login.socportal.cloud/
2. Email us at socir@cyflare.com
3. Contact your Customer Success Manager directly
4. Call us at 877-729-3527

Aug 30, 2022 - 13:04 EDT
Monitoring - Posted Date: 8/12/2022

Source(s): Palo Alto Network Unit 42

Sector: Security Vulnerability, Ransomware

Reported by: Palo Alto Network Unit 42

Date(s) Issued:

Subject: BlueSky ransomware

OVERVIEW: Identification of an emerging ransomware family known as “BlueSky” that is speculated to be connected to Conti ransomware group

SYSTEMS AFFECTED: Predominantly Windows hosts

RISK: Businesses that are hit with ransomware can face several risks, including financial loss, data loss, and reputational damage

THREAT SUMMARY:
BlueSky ransomware is an emerging family that uses multithreading to encrypt files on the host. Analysis of this ransomware shows that it may be connected to the Conti ransomware group.
The initial dropper for this ransomware is delivered by a PowerShell script from “hxxps://kmsauto[.]us/someone/start.ps1”; from there it performs local privilege escalation techniques to download the final payload. The ransomware uses a multithreaded queue for faster encryption on its host. Encryption is performed by using Curve25519 to generate a key pair, then using the hash of this key to derive a file encryption key for the ChaCha20 encryption algorithm.
As with all ransomware, once the files are encrypted a ransom note is created to demand payment to restore the encrypted files. This note is dropped in each directory where it has encrypted files, which are given the file extension “.bluesky”. However, paying the ransom in these situations is strongly discouraged: groups like the Conti ransomware group don’t always restore files once payment is received, and companies that paid a ransom are frequently hit again and for a higher price.

Known BlueSky Artifacts:
• A user ID generated by computing an MD5 hash over the combined Volume Information, Machine GUID, Product ID and Install Date values
• HKCU\Software\\completed
• HKCU\Software\\recoveryblob
• HKCU\Software\\x25519_public

Indicators of Compromise:
• BlueSky Ransomware Payloads

• Obfuscated PowerShell Downloader
o 08f491d46a9d05f1aebc83d724ca32c8063a2613250d50ce5b7e8ba469680605

• PowerShell Downloader (decoded)
o 969a4a55bb5cabc96ff003467bd8468b3079f5c95c5823985416c019eb8abe2f

• CVE-2020-0796 SMBGhost Privilege Escalation Exploit
o c4e47cba1c5fedf9ba522bc2d2de54a482e0ac29c98358390af6dadc0a7d65ce

• JuicyPotato
o cf64c08d97e6dfa5588c5fa016c25c4131ccc61b8deada7f9c8b2a41d8f5a32c

• CVE-2021-1732 Privilege Escalation Exploit
o 6c94a1bc67af21cedb0bffac03019dbf870649a182e58cc5960969adf4fbdd48

• URLs

• Ransom Note URLs
o http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion

• Registry Paths
o HKCU\Software\\completed
o HKCU\Software\\recoveryblob
o HKCU\Software\\x25519_public

CyFlare Actions Taken:
• Stellar Cyber – BDS: The SOC has implemented custom detections in order to detect any currently known indicators of compromise listed in this advisory.
• SentinelOne: A custom STAR query has been developed to detect any of the currently known hash values listed in the indicators of compromise
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with ‘OTX Pulses’, i.e. the information available on related indicators observed by both the vendor and the community.


Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.

Reference Links:
https://unit42.paloaltonetworks.com/bluesky-ransomware/
https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
https://cloudsek.com/threatintelligence/tracking-the-operators-of-the-newly-emerged-bluesky-ransomware/

Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Aug 12, 2022 - 09:36 EDT
Monitoring - Posted Date: 8/2/2022

Source(s): SentinelLabs
Sector: Security Vulnerability
Reported by: SentinelLabs
Date(s) Issued: 02 August 2022

Subject: LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool

OVERVIEW
Threat actors can abuse the command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

SYSTEMS AFFECTED:
Systems running Windows Defender

RISK:
Threat actors can use the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads

THREAT SUMMARY:

Overview
On July 28, 2022, SentinelLabs revealed that threat actors have been using the legitimate Windows Defender command line tool MpCmdRun.exe to sideload a malicious mpclient.dll. Once an actor has sufficient privileges, they download a malicious DLL, the encrypted payload, and the legitimate tool from their controlled C2 using PowerShell. MpCmdRun.exe is then used to decrypt and load the Cobalt Strike payload.
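A detection check for the sideload described above, as an added example that is not SentinelLabs' or CyFlare's content: it flags MpCmdRun.exe executing from, or loading mpclient.dll from, a directory other than the standard Windows Defender install locations. The event layout and the trusted-directory list are assumptions.

```python
"""Spot MpCmdRun.exe running from, or loading mpclient.dll from, an unexpected directory.

Added example; it is not SentinelLabs' or CyFlare's detection content. The event
layout (process image, parent image, loaded modules) is an assumption, and the
trusted Defender directories are the standard install locations, listed here as
an assumption for the check.
"""
import ntpath
from typing import List, Tuple

# Directories Windows Defender ships MpCmdRun.exe and mpclient.dll from (assumed trusted).
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def _under_trusted_dir(path: str) -> bool:
    """Case-insensitive check that `path` lives inside a trusted Defender directory."""
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(d + "\\") for d in TRUSTED_DEFENDER_DIRS)


def sideload_findings(event: dict) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one process-start event and its image loads."""
    findings = []
    image = event["image"]
    if ntpath.basename(image).lower() != "mpcmdrun.exe":
        return findings  # only the Defender command line tool is in scope here
    if not _under_trusted_dir(image):
        findings.append(("high", f"MpCmdRun.exe executed from non-Defender path {image}"))
    for dll in event.get("loaded_modules", []):
        if ntpath.basename(dll).lower() == "mpclient.dll" and not _under_trusted_dir(dll):
            findings.append(("high", f"mpclient.dll sideloaded from {dll}"))
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if findings and parent in {"powershell.exe", "pwsh.exe"}:
        # The advisory notes the files are fetched with PowerShell; a PowerShell
        # parent on an already-suspicious event is surfaced as context.
        findings.append(("info", f"parent process is {parent}"))
    return findings


# Constructed sample events.
LEGIT_EVENT = {
    "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
    "parent_image": r"C:\Windows\System32\svchost.exe",
    "loaded_modules": [r"C:\Program Files\Windows Defender\mpclient.dll"],
}
SIDELOAD_EVENT = {
    "image": r"C:\Users\Public\Music\MpCmdRun.exe",
    "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "loaded_modules": [r"C:\Users\Public\Music\mpclient.dll", r"C:\Windows\System32\kernel32.dll"],
}

if __name__ == "__main__":
    for ev in (LEGIT_EVENT, SIDELOAD_EVENT):
        for severity, reason in sideload_findings(ev):
            print(severity.upper(), reason)
```
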

CyFlare Actions Taken:
• Stellar Cyber – BDS: We have implemented a custom rule to detect command line activity related to this exploit
• SentinelOne: We have implemented a custom STAR query to detect currently known indicators of compromise regarding this vulnerability


Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.


Reference Links:
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
https://www.techworm.net/2022/07/lockbit-operator-microsoft-defender-load-cobalt-strike.html

Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Aug 02, 2022 - 18:18 EDT
Monitoring - A fix has been implemented and we are monitoring the results.
Aug 02, 2022 - 18:16 EDT
Investigating - SentinelOne released SP1 version of its 22.1 GA codebase on June 16, 2022. By policy, the CyFlare MDR service releases agent updates to customers after vendor releases have been internally reviewed for impact and have been in the field for a month.

This ensures a stable agent release for our customers.

Our Technical Operations Center will be scheduling the agent upgrades during the weekend of August 26th with a maintenance window on August 27th starting at 0000 and ending at 0500 (midnight to 5 AM Eastern). For those agents that are not connected at the time of the upgrade, they will be upgraded the next time they report into the management platform.

This process is generally non-intrusive, and there is nothing required from our partners or customers, during this time. If you experience any issues, please open a ticket so we can investigate and provide a quick resolution.

In our Trust Post on March 1, 2022 we notified you about the opportunity for you to “opt out” of this automatic upgrade process. If you have already opted out, we have your choice on file. If you haven’t opted out but wish to now, please open a ticket through our ticketing portal with the following subject line: " – Upgrade Process: Opt Out.” We will mark your account accordingly.

Please note that if you choose to do so, you will need to open a ticket to request an upgrade when you are ready.

CyFlare appreciates the opportunity to be your trusted MDR provider.

Aug 02, 2022 - 09:22 EDT
Monitoring - Emerging Threat Advisory

Posted Date: 07/12/2022

Published Date: 07/13/2022

Source: Known reputed Security Agencies/Reports/Articles

Sector: All – including Government agencies

Reported by: Ars Technica blog post and Lenovo Support
CVE: CVE-2022-1890, CVE-2022-1891 and CVE-2022-1892

DATE(S) ISSUED: 07/13/2022

SUBJECT: Vulnerabilities that could allow undetectable infections affect 70 Lenovo laptop models

OVERVIEW:

The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of platform boot, possibly allowing attackers to hijack the OS execution flow and disable important security features. They are caused by insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing a buffer overflow of the Data buffer in the second GetVariable call.
THREAT INTELLIGENCE: Per recent updates from Lenovo, the vulnerability is actively being exploited in attacks; the targets are currently unknown.

SYSTEMS AFFECTED:
Laptop model lines:
• Yoga
• ThinkBook
• IdeaPad
• ThinkPad

RISK:
Government and their entities: High Impact
Businesses and their entities: High Impact

TECHNICAL SUMMARY:

Lenovo has assigned a medium severity rating to the vulnerabilities, which are tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892 and affect the ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe drivers, respectively.
CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
RECOMMENDATIONS:

1. Search for your product by name or machine type.
2. Click Drivers & Software on the left menu panel.
3. Click on Manual Update to browse by Component type.
4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

REFERENCES:
https://arstechnica.com/information-technology/2022/07/vulnerabilities-allowing-permanent-infections-affect-70-lenovo-laptop-models/
https://support.lenovo.com/sk/en/product_security/len-91369

Jul 20, 2022 - 16:25 EDT
Monitoring - Posted Date: 7/8/2022

Source(s): Kaspersky

Sector: Security Vulnerability

Reported by: Kaspersky

Date(s) Issued: 30 June 2022

Subject: IIS Backdoor vulnerability

OVERVIEW
The SessionManager backdoor enables threat actors to maintain persistent, update-resistant and rather stealthy access to the IT infrastructure of a targeted organization.

SYSTEMS AFFECTED:
Microsoft Exchange servers vulnerable to ProxyLogon-type exploits

RISK:
The SessionManager backdoor enables threat actors to maintain persistent, update-resistant and rather stealthy access to the IT infrastructure of a targeted organization.

THREAT SUMMARY:
SessionManager IIS Backdoor
On June 30, 2022, Kaspersky researchers discovered a backdoor that was set up as a malicious module within IIS. This backdoor is deployed by threat actors who previously exploited ProxyLogon-type vulnerabilities in Microsoft Exchange servers. Once it is dropped into the victim’s system, the cybercriminals behind the backdoor can gain access to company emails and expand their malicious access by installing other types of malware.


CyFlare Actions Taken:
• Stellar Cyber – BDS: Stellar Cyber’s Machine Learning IDS engine and built-in threat intelligence are consistently updated with the latest threats identified by the open-source cyber threat intelligence community.
• SentinelOne: We have implemented a custom STAR query to detect currently known indicators of compromise regarding this vulnerability. This vulnerability is also being analyzed by the SentinelOne Analysis team.

If a malicious module is identified, we recommend the following template of actions (merely deleting the malicious module file will not be enough to get rid of it):
• Take a volatile memory snapshot on the currently running system where IIS is executed. Request assistance from forensics and incident response experts if required.
• Stop the IIS server, and ideally disconnect the underlying system from publicly reachable networks.
• Back up all files and logs from your IIS environment, to retain data for further incident response. Check that the backups can be opened or extracted successfully.
• Using IIS Manager or the appcmd command-line tool, remove every reference to the identified module from application and server configurations. Manually review the associated IIS XML configuration files to make sure every reference to the malicious module has been removed, and remove any remaining references in the XML files by hand.
• Update the IIS server and underlying operating system to make sure no known vulnerabilities remain exposed to attackers.
• Restart the IIS server and bring the system online again.
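A helper for the review step above: it parses an IIS configuration file, reports global modules whose image is loaded from outside the stock IIS and .NET directories, and lists every scope that still enables each such module by name. Added example, not Kaspersky's or CyFlare's code; the sample configuration is constructed (the "SessionManager" entry and its image path are invented), and the %windir% expansion and trusted prefixes are assumptions. It accepts applicationHost.config or a site web.config, since both carry the same system.webServer/modules section.

```python
r"""Find IIS global modules loaded from outside the trusted IIS/.NET directories and
every scope that references them, to support the module-removal steps above.

Added example; it is not Kaspersky's or CyFlare's code. The sample
applicationHost.config below is constructed (the "SessionManager" entry and its
image path are invented). Expanding %windir% to C:\Windows and the trusted
directory prefixes are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TRUSTED_IMAGE_PREFIXES = (
    "c:\\windows\\system32\\inetsrv\\",  # native IIS modules
    "c:\\windows\\microsoft.net\\",      # ASP.NET managed-engine modules
)


def _expand(image: str) -> str:
    """Lower-case the image path and expand the usual Windows directory variables."""
    low = image.lower()
    return low.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def _child(elem: Optional[ET.Element], *tags: str) -> Optional[ET.Element]:
    """Descend through direct children by exact tag name (tags here contain dots)."""
    for tag in tags:
        if elem is None:
            return None
        elem = next((c for c in elem if c.tag == tag), None)
    return elem


def untrusted_global_modules(root: ET.Element) -> Dict[str, str]:
    """Global module name -> image path, for images outside the trusted prefixes."""
    out = {}
    gm = _child(root, "system.webServer", "globalModules")
    for add in (gm.findall("add") if gm is not None else []):
        image = add.get("image", "")
        if not _expand(image).startswith(TRUSTED_IMAGE_PREFIXES):
            out[add.get("name")] = image
    return out


def _enabled_in(scope: ET.Element, name: str) -> bool:
    """True if this scope's <modules> list enables the module `name`."""
    mods = _child(scope, "system.webServer", "modules")
    return mods is not None and any(a.get("name") == name for a in mods.findall("add"))


def module_references(root: ET.Element, name: str) -> List[str]:
    """Scopes ('<server>' or a <location path>) that enable `name`; all must be cleaned."""
    refs = ["<server>"] if _enabled_in(root, name) else []
    for loc in root.findall("location"):
        if _enabled_in(loc, name):
            refs.append(loc.get("path", ""))
    return refs


def audit_iis_config(xml_text: str) -> Dict[str, dict]:
    """Audit applicationHost.config (or a site web.config) text."""
    root = ET.fromstring(xml_text)
    return {
        name: {"image": image, "references": module_references(root, name)}
        for name, image in untrusted_global_modules(root).items()
    }


# Constructed applicationHost.config excerpt: one stock module, one foreign one.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="SessionManager" image="C:\Windows\Temp\sessionmgr.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="SessionManager" />
    </modules>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="SessionManager" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    for name, info in audit_iis_config(SAMPLE_CONFIG).items():
        print(f"{name}: image={info['image']} referenced in {info['references']}")
```

Run it over a memory snapshot's copy of the file as well as the live one, since the live configuration is what the backdoor author controls.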

Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.


Reference Links:
https://www.kaspersky.com/about/press-releases/2022_kaspersky-discovers-poorly-detected-backdoor-targeting-governments-and-ngos-around-the-globe
https://securelist.com/the-sessionmanager-iis-backdoor/106868/#:~:text=Indicators%20of%20Compromise
https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/
https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html

Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Jul 08, 2022 - 11:25 EDT
Monitoring - Published Date: 7/5/2022
Source(s): Chrome Security
Sector: Security Vulnerability
Reported by: Google Chrome
Date(s) Issued: 7/4/2022
Subject CVE-2022-2294 – Google Chrome WebRTC Heap Buffer Overflow

OVERVIEW
A WebRTC heap-based buffer overflow allowing remote code execution and denial of service in the Google Chrome browser.
Buffer overflows can often be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.
Besides overwriting important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, redirecting them to the attacker's code.

SYSTEMS AFFECTED:
The vulnerability has been demonstrated in Google Chrome on Windows and Android.

RISK:

Potential for remote code execution, denial of service (DoS) just by visiting a malicious site, as well as decreased browser performance.

THREAT SUMMARY:

Little is known at this time in regards to the technical details behind the zero-day exploitation. We will continue to monitor and provide additional updates as more is known.


Recommendations:
• Go to Settings in the Chrome browser > About Chrome > Check for Updates > click RELAUNCH to apply the security fix.
• Chrome Browser should be on Version 103.0.5060.114 (Official Build) (64-bit) post update.

References:
https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/
https://chromereleases.googleblog.com/2022/07/extended-stable-channel-update-for.html?utm_source=syndication
Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise.
We have several detections in place to verify malicious connections as well as emerging threat hunting, and will continue to update IoCs as more information is released in relation to this zero-day.
Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Jul 05, 2022 - 18:51 EDT
Monitoring - Published Date: 6/3/2022
Source(s): Nao_Sec, Microsoft Security Response Center
Sector: Security Vulnerability
Reported by: Nao_sec, Microsoft Security Response Center, SentinelLabs
Date(s) Issued:
Subject CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

OVERVIEW

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.

SYSTEMS AFFECTED:

The vulnerability has been demonstrated in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.

RISK:

Remote Code execution in Office Products


THREAT SUMMARY:
Follina — a Microsoft Office code execution vulnerability

On May 27th, 2022, Nao_sec identified this zero-day vulnerability in Office products. The malicious document used the Word remote template feature to retrieve an HTML file from a remote webserver, which then used the ms-msdt MSProtocol URL handler to load and execute malicious PowerShell code. This vulnerability has been successfully tested in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.

CyFlare Actions Taken:

• Stellar Cyber – BDS: Stellar Cyber’s Machine Learning IDS engine and built-in threat intelligence are consistently updated with the latest threats identified by the open-source cyber threat intelligence community.

• SentinelOne: SentinelOne currently detects the execution of known “Follina” samples exploiting the CVE-2022-30190, they have also provided ‘Deep Visibility’ queries that the SOC will leverage to search for related indicators of compromise across customer’s SentinelOne environments.

• Rapid7: InsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability: Suspicious Process - Microsoft Office App Spawns MSDT.exe
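The shape of the Rapid7 rule named above (an Office application spawning msdt.exe) written out against process-creation events, as an added example that is not Rapid7's, SentinelOne's or CyFlare's detection logic. The event layout and the set of Office executables are assumptions.

```python
"""Flag process-creation events where a Microsoft Office application spawns
msdt.exe, the pattern behind the Rapid7 rule named in this advisory.

Added example; it is not Rapid7's, SentinelOne's or CyFlare's detection logic.
The event layout (parent image, image, command line) is an assumption, as is the
set of Office executables, chosen to cover the products the advisory lists.
"""
import ntpath
from typing import List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}


def classify(event: dict) -> Optional[str]:
    """Severity for an Office -> msdt.exe spawn, or None when the event is benign."""
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    child = ntpath.basename(event.get("image", "")).lower()
    if child != "msdt.exe" or parent not in OFFICE_APPS:
        return None
    cmd = event.get("command_line", "").lower()
    # The advisory's chain invokes msdt.exe through the ms-msdt protocol handler;
    # an Office parent without it is still abnormal and worth a lower-severity alert.
    return "high" if "ms-msdt:" in cmd else "medium"


def suspicious_spawns(events: List[dict]) -> List[Tuple[str, str]]:
    """(parent image, severity) for every event classify() does not consider benign."""
    out = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            out.append((ev["parent_image"], severity))
    return out


# Constructed sample events (the msdt.exe arguments are placeholders, not real payloads).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r'"C:\Windows\System32\msdt.exe" ms-msdt:PLACEHOLDER-ARGUMENTS'},
    {"parent_image": r"C:\Windows\explorer.exe",  # user opened a troubleshooter by hand
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r'"C:\Windows\System32\msdt.exe" -id PLACEHOLDER-TROUBLESHOOTER'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r'"C:\Windows\System32\msdt.exe"'},
]

if __name__ == "__main__":
    for parent, severity in suspicious_spawns(SAMPLE_EVENTS):
        print(severity.upper(), "msdt.exe spawned by", parent)
```

Once the workaround below is applied, the ms-msdt handler no longer launches msdt.exe, so this rule doubles as a check that the workaround is in effect on a given host.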

Workarounds:

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

1. Run Command Prompt as Administrator.
2. To restore the registry key, execute the command “reg import filename”.

Developing Situation:

The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.



Reference Links:
Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar
* https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center
* https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Staying Ahead of CVE-2022-30190 (Follina) - SentinelOne
* https://www.sentinelone.com/blog/staying-ahead-of-cve-2022-30190-follina/

CVE-2022-30190: "Follina" Microsoft Support Diagnostic Tool Vulnerability | Rapid7 Blog
* https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/

New Microsoft Office zero-day used in attacks to execute PowerShell (bleepingcomputer.com)
* https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/


Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Jun 03, 2022 - 09:51 EDT
Monitoring - Source(s): Microsoft Threat Intelligence Center, SentinelLabs, Symantec
Sector: Security Vulnerability
Reported by: Microsoft Threat Intelligence Center (MTIC), SentinelLabs

Subject: Emerging threats: WhisperGate, HermeticWiper, and PartyTicket, which were used by threat actors leading up to the recent Russia-Ukraine conflict

OVERVIEW
Leading up to the current Russia-Ukraine conflict, threat actors deployed the following malware, designed to target and destroy computer systems in Ukraine: WhisperGate, HermeticWiper, and PartyTicket.

SYSTEMS AFFECTED:
• Windows Operating System (all versions)
• Windows Server (all versions)

RISK:
Sectors targeted so far: Financial, defense, aviation, and IT services

THREAT SUMMARY:
Conti Ransomware group:
Conti, a Russian-tied ransomware-as-a-service group, pledged its support to the Russian government. The group announced that any cyberattack or war activities against Russia would result in a counterattack against the critical infrastructure of an enemy. However, after this statement an actor external or internal to the group leaked information about the organization's internal activities, including the source code of its locker software. This leaked source code could be used by less experienced criminals to create their own ransomware. This situation is ongoing, and any relevant indicators of compromise from the analysis of the source code will be added to our tools.

Mitigations:
CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks.
- Use multi-factor authentication.
• Require multi-factor authentication to remotely access networks from external sources.
- Implement network segmentation and filter traffic.
• Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
• Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
• Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.
• Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
- Scan for vulnerabilities and keep software updated.
• Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.
• Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system.
- Remove unnecessary applications and apply controls.
• Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications, such as remote monitoring and management software and remote desktop software, to aid in the malicious exploitation of an organization's enterprise.
• Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
• Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs.
• Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
• See the joint Alert, Publicly Available Tools Seen in Cyber Incidents Worldwide, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom, for guidance on detection and protection against malicious use of publicly available tools.
- Implement endpoint and detection response tools.
• Endpoint and detection response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
- Limit access to resources over the network, especially by restricting RDP.
• After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Secure user accounts.
• Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
• Regularly audit logs to ensure new accounts are legitimate users.

WhisperGate:
On January 15, 2022, the Microsoft Threat Intelligence Center announced the identification of this malware operation, which was used to target Ukrainian organizations. The malware has two stages. It overwrites the Master Boot Record (MBR) on victim systems with a ransom note containing a Bitcoin wallet and a Tox ID. The malware executes when the device is powered down, overwriting the MBR and rendering the system inoperable. Whether the ransom is paid or not, the malware executes and overwrites the MBR.

Indicators of Compromise:
Indicator #1: a196c6b8ffcb97ffb276d04f354696e2391311 db3841ae16c8c9f56f36a38e92
Indicator #1 Type: SHA-256
Indicator #1 Description: Hash of destructive malware stage1.exe

Indicator #2: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Indicator #2 Type: SHA-256
Indicator #2 Description: Hash of stage2.exe

Indicator #3: cmd.exe /Q /c start c:\stage1.exe 1 > \\ 127.0.0.1\ADMIN$\_[TIMESTAMP] 2>&1
Indicator #3 Type: Command line
Indicator #3 Description: Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.
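As an added example (not from the advisory or its sources), the following Python detection logic scans process-creation log lines for the Impacket-style "cmd.exe /Q /c ... > \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1" launch pattern shown in Indicator #3, and extracts the launched command so an analyst can see what was run. The key=value log format, host names, user names and timestamp value are constructed assumptions.

```python
import re

# Constructed sample process-creation log lines (not from the advisory). The third
# line mirrors the Impacket-style command line listed above as Indicator #3.
SAMPLE_LOGS = [
    "host=WS01 user=alice image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c dir C:\\Users",
    "host=WS02 user=bob image=C:\\Program Files\\app\\app.exe cmdline=app.exe --update",
    "host=WS03 user=SYSTEM image=C:\\Windows\\System32\\cmd.exe "
    "cmdline=cmd.exe /Q /c start c:\\stage1.exe 1 > \\\\127.0.0.1\\ADMIN$\\__1642230731.6453698 2>&1",
]

# Impacket's remote-execution modules run commands through "cmd.exe /Q /c ..." and
# redirect the output to the loopback ADMIN$ share under a "__<timestamp>" name so it
# can be read back over SMB. The redirection target is the stable part of the pattern;
# the launched command (c:\stage1.exe for WhisperGate) and working directory vary.
IMPACKET_PATTERN = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+(?P<cmd>.+?)\s*1?\s*>\s*"
    r"\\\\127\.0\.0\.1\\ADMIN\$\\__(?P<tag>\S+)\s+2>&1",
    re.IGNORECASE,
)


def parse_line(line: str) -> dict:
    """Split a 'key=value' log line. The command line is taken as everything after
    'cmdline=' so that spaces and redirection characters inside it survive."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in re.split(r"\s+(?=\w+=)", head))
    fields["cmdline"] = cmdline
    return fields


def find_impacket_executions(lines) -> list:
    """Return one record per log line whose command line matches the pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        m = IMPACKET_PATTERN.search(rec.get("cmdline", ""))
        if m:
            hits.append({
                "host": rec.get("host"),
                "user": rec.get("user"),
                "command": m.group("cmd").strip(),
                "output_tag": m.group("tag"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_impacket_executions(SAMPLE_LOGS):
        print(f"[{hit['host']}] {hit['user']} ran {hit['command']!r} via Impacket-style cmd.exe")
```

The pattern also matches the more common "1>" form with no space before the redirect, so it is not tied to the exact spacing of the indicator as printed above.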

HermeticWiper:
On February 23, 2022, researchers disclosed that this malware was being used against Ukrainian organizations. It is named after the digital certificate used to sign the sample, 'Hermetica Digital Ltd'. The malware contains 32-bit and 64-bit driver files compressed with a Lempel-Ziv algorithm. Driver file names are generated using the Process ID of the wiper. The driver is loaded into the wiper's process memory space, decompressed, and written to disk at "C:\Windows\System32\drivers\.sys". Once run, it is like the WhisperGate malware in the sense that it damages the Master Boot Record (MBR). HermeticWiper enumerates a range of physical drives multiple times, from 0 to 100. For each physical drive, the \\.\EPMNTDRV\ device is called for a device number. The malware focuses on corrupting the first 512 bytes of the Master Boot Record for every physical drive.

Indicators of Compromise:


PartyTicket:
Discovered by Symantec researchers on February 24th, this is decoy ransomware used alongside the deployment of HermeticWiper. The function naming convention and the ransom note displayed after execution show an intent to taunt the US government. File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe. It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.

Indicators of Compromise:

Indicator #1 Name: PartyTicket
Indicator #1 File Category: Win32 EXE
Indicator #1 File Hash (SHA-1): f32d'791ec9e6385a91b45942c230f52aff1 626df

CyFlare Actions Taken:
• XDRaaS: A request was submitted to the vendor to update the 'Emerging Threat' security detection by adding the provided Yara rules to the tool's IDS engine so that it triggers on the recently observed related activity, if they have not already been added or updated preemptively. The machine-learning IDS engine, as well as the built-in threat intelligence, is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community.
https://github.com/SentineLabs/yara/blob/main/APT_ZZ_Unknown_HermeticWiper.yar
• SentinelOne: SentinelLabs provided a list of Yara detection rules, as well as ‘Deep Visibility’ queries that the SOC will leverage to search for related indicators of compromise across customers’ SentinelOne environments.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with 'OTX Pulses', that is, information on related indicators observed by both vendors and the community. Any OTX indicators, such as those related to emerging Russian cyberattacks, will trigger security alarms if observed in any customer's environment. https://otx.alienvault.com/pulse/621802d015d213ff12c78818
• Sophos: Sophos released recent news articles and blog posts highlighting the emerging activity related to Russia's invasion of Ukraine, as well as general best-practice cybersecurity tips. Moreover, the Austrian IT security testing lab AV-Comparatives has tested protection against the recently emerged HermeticWiper malware across multiple vendors. Sophos was one of the enterprise endpoint security vendors tested and was identified as having full detection for HermeticWiper variants, protecting systems effectively against its multiple variants.

Developing Situation:
With a full-scale invasion now underway in Ukraine, the likelihood of further cyberattacks from Russia remains high. The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.


Reference Links:
https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
https://www.securityweek.com/conti-ransomware-source-code-leaked
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/
https://github.com/SentineLabs/yara/blob/main/APT_ZZ_Unknown_HermeticWiper.yar
https://medium.com/@andreabocchetti88/thehermeticwiper-new-data-wiping-malware-hits-ukraine-3f8383f43792
https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/
https://www.darkreading.com/threat-intelligence/7-steps-to-take-right-now-to-prepare-for-cyberattacks-by-russia
https://www.av-comparatives.org/av-comparatives-tests-anti-virus-software-protection-against-the-hermetic-wiper-malware/

Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC

Mar 08, 2022 - 21:36 EST