By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

New operational analytics and AI/ML platform drives contextual intelligence and prioritized actions to anticipate risky behaviors, disrupt threats and insure business resilience.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Netenrich, a leading security and operations analytics SaaS company, today announced that the company will showcase its new Resolution Intelligence platform® at the 2022 RSA Conference on June 6-9 at the Moscone Center in San Francisco. Netenrich will feature product demos and present platform details in the Google Cloud Security Booth #1943, South Expo Hall.

**Netenrich at RSA 2022  
**Netenrich invites security professionals and conference attendees to learn how they can optimize their security operations with analytics leveraging Google Chronicle. Managed service providers (MSSPs, MSPs, GSIs) benefit by plugging into the data analytics platform to quickly build innovative services and transform their business at service-provider scale.

Netenrich will share the latest advances in security operations, as well as the strategies and solutions security professionals need to secure their data against the most critical issues and behaviors. Visit booth #1943 during the times listed below:

*   Tuesday, June 7 from 10:00 AM – 12:00 PM PDT
*   Wednesday, June 8 from 4:00 PM – 6:00 PM PDT
*   Thursday, June 9 from 10:00 AM – 12:00 PM PDT

**Theater Presentation in booth**

*   Thursday, June 9 at 11:45 AM PDT

**Netenrich + Chronicle Happy Hour**

RSA attendees are invited to the Netenrich + Chronicle Happy Hour at the Monarch club on Wednesday, June 8, from 6 – 9 pm PDT. Come enjoy music, drinks, and live entertainment.

*   RSVP to secure your invite and bring your ID and RSA badge
*   **Monarch, 101 6th Street, San Francisco, CA 94114**

Follow Netenrich on Twitter , LinkedIn, and YouTube

SOURCE Netenrich

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Netenrich Debuts Resolution Intelligence Secure Digital Operations Platform at RSA 2022

Password management solution delivers proactive, seamless approach to protecting privacy and login credentials for consumers and businesses; Password Management market expected to reach $3 billion by 2026.

**SAN FRANCISCO, June 1, 2022** — Lookout, Inc., a leading provider of endpoint and cloud security solutions, today announced it has acquired SaferPass, an innovative Password Management company that provides secure online identity solutions for both consumers and businesses. By adding Password Management technology to its suite of security solutions, Lookout is expanding on its mission to deliver proactive protection and safeguard customer data for individuals and businesses.

Whether shopping online, banking, or connecting to corporate applications and email, usernames and passwords have become the standard form of authentication to validate a user’s identity and enable access to sensitive information. Passwords can be difficult to use and incredibly insecure, especially in cases where a user has many accounts. On average, people have more than 100 accounts with an associated password to remember. In addition, human-generated passwords are often algorithmically weak; according to the Verizon Data Breach Investigations Report, 81% of data breaches leveraged weak, stolen or reused employee passwords, and every time a password is reused, it opens the door to a potential data breach. Additionally, nearly 64% of people reuse the same passwords across their online accounts. If login credentials are compromised, the consequences can be serious – including personal identity theft or stolen corporate information.

SaferPass delivers a robust, innovative solution for identity and password management to both consumers and businesses, enabling users to securely manage their passwords, banking and other sensitive information across devices. The SaferPass solution provides an encrypted digital vault that stores secure login information used to access services through mobile apps and web browsers. In addition to keeping a user’s identity, credentials and sensitive data safe, the product helps create strong, unique passwords through a password generator tool that ensures the individual is not using the same password in multiple places and that their password has not been compromised in a previous breach.

According to Mordor Intelligence, the Password Management market on its own, was valued at over $1.2 billion in 2020 and is expected to reach over $3 billion by 2026.

“We are pleased to welcome the SaferPass team to Lookout, and excited to combine our respective solutions to deliver better value to consumers and businesses alike,” said Jim Dolce, Lookout CEO. “Today, every password owned by an employee is a potential access point to organizations both small and large. At the same time, large scale data breaches have leaked billions of consumer emails and passwords on the dark web, putting individuals at risk of identity theft and financial fraud. The SaferPass team shares our vision for providing seamless security solutions that address all access points and protect personal and corporate data wherever it may reside. This is an exciting next step in Lookout’s evolution.”

The acquisition of SaferPass broadens the Lookout portfolio of security solutions and expands the opportunity for its carrier ecosystem and channel partners – it also expands Lookout’s footprint in Central Europe through its new location in Bratislava, Slovakia. SaferPass will now operate under the Lookout brand and leadership and the SaferPass team will be fully integrated into the Lookout organization. The financial terms of this transaction have not been disclosed.

****Additional Resources****

*   To learn more about Lookout for SMBs and Consumers, visit: https://protection.lookout.com/
*   To learn more about the Lookout Security Platform, visit: https://www.lookout.com/products/platform
*   Sign up for a free trial of Lookout.

Follow the Lookout blog and join the conversation on LinkedIn and Twitter.

Lookout Acquires SaferPass To Address The Rising Threat Of Identity Theft

Vectra offers a free of charge security assessment for your cloud tenant.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Vectra AI, a leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises, today announced the launch of Vectra Protect, a posture management tool designed to discover and mitigate security risks in Microsoft 365 (M365). Vectra Protect combines 50,000+ hours of expert research and development with automation to analyze an organization's M365 security posture and provide customized implementation plans to remediate risk. To ensure all organizations, regardless of security staffing or resources, can have access to the solution, Vectra is extending a free sign-up for an Azure Active Directory scan until September 30, 2022.

With the accelerated use of M365 collaboration tools, which now have over 270 million users, cyber attackers are actively targeting access management tools like Azure AD to enter other SaaS tools and enterprise network assets. They then establish a foothold to launch ransomware attacks, steal intellectual property and gain unauthorized access to sensitive user data. With its scanning engine, Vectra Protect combines insights from the M365 Graph API with PowerShell module data to provide a truly holistic view into the integrity of every identity in an organization's M365 environment. As the only scan designed to uncover identity security issues in M365, Vectra Protect provides organizations with:

*   **Quick, actionable remediation insights:** With its multi-stage methodology, the scan provides organizations with actionable results within hours. Rather than hindering the security team with more alerts, the scan creates a comprehensive risk mitigation map that provides a path to implementation with clear guidance on risk and operational impact.
*   **Tailored cloud support:** Organizations can gain insight into the severity of vulnerabilities, material changes to their configuration state, the operational impact of the required solution, and the steps for remediation aligned to their applicable industry standards and regulatory requirements.
*   **Configuration correction and compliance:** Vectra Protect delves deep into the configuration complexities of M365, highlighting misconfigurations with clear context to guide companies to complete risk resolution and provide security teams with the proof they need to show their policies are effective and compliant.
*   **Confidence in collaboration:** By understanding areas where risks and configuration issues persist, organizations can fulfill the promises of cloud technology without creating unmanaged risk. Organizations can gain efficiencies in implementing and using SaaS tools like M365 by eliminating default settings and aligning operations, information technology, security, and audit teams on security priorities.

"Azure AD has become a large attack vector as cybercriminals look to exploit the lack of security controls and solutions currently available for the tool," said Aaron Turner, CTO of SaaS Protect at Vectra AI. "Organizations must understand that Microsoft's default security settings are not specifically tailored to their business operations or industry, which introduces waves of unnecessary risk. Combining this with the constant changes in M365, both internally and externally, leaves a host of potential vulnerabilities and configuration issues that organizations are responsible for correcting. Vectra Protect helps unravel this complexity to deliver the visibility and assurance organizations need to protect these essential business tools."

The free Vectra Protect for Azure AD scan, a value up to $50,000, will be readily available to any M365 customer operating in any M365 environment\*. The scan focuses on a common foothold for unauthorized access and risk: access management in the active directory. Turner will be showcasing the technology and enumerating how to protect the M365 tenant and hunt for threats during RSAC 2022 in San Francisco, CA. You can register for his session here.

For more details about Vectra Protect for Azure AD and to request a free scan, please visit: https://www.vectra.ai/azure-ad-scan

\*Exclusions apply.

**About Vectra AI  
**Vectra® is a leader in cyber threat detection and response for hybrid and multi-cloud enterprises. The Vectra platform uses AI to detect threats at speed across public cloud, identity, SaaS applications, and data centers. Only Vectra optimizes AI to detect attacker methods—the TTPs at the heart of all attacks—rather than simplistically alerting on "different". The resulting high-fidelity threat signal and clear context enables cybersecurity teams to respond to threats sooner and to stop attacks in progress faster. Organizations worldwide rely on Vectra for cybersecurity resilience in the face of dangerous cyber threats and to prevent ransomware, supply chain compromise, identity takeovers, and other cyberattacks from impacting their businesses. For more information, visit vectra.ai.

Help Organizations to Mitigate Risk in Microsoft 365 with 'Vectra Protect'

Rising threat of data breaches and ransomware attacks drives need for complete and accurate real-time information about devices and their risks.

ANTA CLARA, Calif., June 1, 2022 /PRNewswire/ -- Ordr has raised an additional $40 million to meet the growing need for organizations to understand, manage, and secure the growing number of connected devices in their environment, including Internet of Medical Things (IoMT), Internet of Things (IoT), and Operation Technology (OT). The funding round was co-led by Battery Ventures and Ten Eleven Ventures, with participation from new investor Northgate Capital and continuing investors Wing Venture Capital, Unusual Ventures, Kaiser Permanente Ventures, and Mayo Clinic. Other investors in Ordr's Series C include Silicon Valley entrepreneurs René Bonvanie, former CMO of Palo Alto Networks, Dan Warmenhoven, former Chairman and CEO of NetApp, and Dominic Orr, former Chairman and CEO of Aruba Networks. With this funding, Ordr has raised more than $90 million to date.

Ordr addresses two key enterprise initiatives associated with a growing reliance on and adoption of connected devices: **digital transformation** and **Zero Trust**. Each new device connection increases an organization's attack surface, along with the potential for a breach or ransomware attack. In industries such as healthcare and manufacturing, a cyberattack impacting an IoT device can easily disrupt the entire business or become a life-threatening situation. For organizations to move quickly from "detection" to "response" requires insights into the compromised device, where it's located, and what policies can be applied.

Ordr has raised an additional $40 million in Series C funding.

Ordr offers complete and accurate asset visibility, automates and enforces Zero Trust policies, and accelerates incident response by hours with insights into devices and risks. As a result, Ordr experienced more than **140% year-over-year growth** in new customer revenue in its most recent quarter ending on March 31, 2022, is **deployed in 3 of the world's top 6 hospitals**, and has been adopted across more than **150 manufacturing sites**.

"Ordr has built a platform that not only solves an important market issue - the need to definitively understand and protect what is connecting to your organization's network - but is truly scalable to keep pace with the speed of today's businesses. We've worked with Ordr's team and seen firsthand how well they've executed against aggressive goals. This additional funding will accelerate Ordr's market leadership and success in the market," said Dharmesh Thakker, general partner at Battery Ventures.

"We believe the connected device security market needs a strong, open, and independent player that prioritizes customer success, focuses on time-to-value, and integrates with all the key components of a customer's security and network infrastructure. This funding validates our best-in-class approach and solidifies our leadership in the market," said Greg Murphy, Ordr CEO.

Ordr plans to use the Series C funding to accelerate its sales and marketing efforts, especially in vertical markets such as **healthcare**, where the company has been named a market leader in the Healthcare IoT security industry by analyst firm KLAS Research for three consecutive years. The company will also look to further capitalize on steadily increasing demand from **manufacturing and financial services**, expand its channel and partnership programs, and accelerate investments in customer success.

"In order to advance their digital transformation goals, every organization needs to enable the visibility and security of connected devices, including IoT, IoMT, and OT. Ordr is a much-needed innovator in the market, with the ability to not only deliver granular visibility into devices, risks, and behaviors, but also automate and enforce Zero Trust policies to secure these devices from attacks," said Justin Stebbins, partner, Northgate Capital.

"As an early investor in the company, I have witnessed Ordr's impressive product evolution and growing traction within critical sectors, including healthcare, manufacturing, education, and extended enterprise IoT. They have developed one of the most scalable and technically robust platforms in the market, and some of the world's leading organizations depend on it to fulfill important security needs and deliver business insights. The time is right to accelerate the company's mission to be the leader in connected device security. We believe in their success and look forward to the next chapter." said Alex Doll, Founder and Managing Partner of Ten Eleven Ventures.

Since its last round of funding, Ordr has experienced tremendous growth, coinciding with an increased understanding of the organizational risk represented by unknown connected devices. Some additional highlights since the last funding round include:

*   Named a KLAS Research Healthcare IoT Security Market Leader for an unprecedented three years in a row.
*   Named a Representative Vendor in the 2022 Gartner Market Guide for Medical Device Security Solutions for the second year in a row.
*   Continued product innovation and market leadership in the healthcare industry with the launch of Clinical Defender, streamlining management of connected medical devices.
*   Enhanced the company's integrations with Cisco, making it even easier for Cisco customers to roll out Ordr across their network environments.
*   Launched the Ransom-Aware Rapid Assessment to help companies quickly and accurately assess their ransomware risks.
*   Successfully achieved SOC2 compliance to keep customer data secure.

"Data privacy and security are imperative IT initiatives within the healthcare industry with connected device security in particular as a critical need given the increase in connected devices in health care facilities. Kaiser Permanente Ventures is pleased to continue its investment in Ordr as a key technology leader in this space, to help protect connected devices automatically, preemptively and at scale across the enterprise," said Chris Stenzel, executive managing director, Kaiser Permanente Ventures.

Continuing the momentum of the past year, Ordr today also strengthened its executive team with the addition of Paul Davis as the company's new vice president of customer success. Paul has decades of experience in customer-facing roles at Axis Security, Splunk, Cisco, and other leading organizations. At Ordr, he will be responsible for managing customer relationships and ensuring the successful implementation and use of Ordr technology.

**About Ordr**

Ordr makes it easy to secure every connected device, from traditional IT devices to newer and more vulnerable IoT, IoMT, and OT. Ordr Systems Control Engine uses deep packet inspection and advanced machine learning to discover every device, profile its risk and behavior, map all communications and protect it with automated policies. Organizations worldwide trust Ordr to provide real-time asset inventory, address risk and compliance and accelerate IT initiatives. Ordr is backed by top investors including Battery Ventures, Wing Venture Capital, Ten Eleven Ventures, Northgate Capital, Kaiser Permanente Ventures, and Unusual Ventures.

For more information, visit www.ordr.net and follow Ordr on Twitter and LinkedIn.

SOURCE Ordr

Ordr Secures $40 Million in Series C Funding to Answer Increased Demand for Connected Device Security

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system.

Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, the full details of which are available below.

The most direct workaround is to disable the MSDT URL protocol by launching the command prompt as administrator and running the following commands:

*   To back up the existing registry values, run "reg export HKEY\_CLASSES\_ROOT\\ms-msdt filename" where filename is the name of the backup you will be creating.
*   To implement the workaround, run "reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f"
*   To undo the work around, run "reg import filename" where filename is the name assigned in the steps above.

**Ongoing exploitation**

Cisco Talos is aware of ongoing exploitation in the wild, so users are encouraged to test and implement the workaround as quickly as possible to mitigate risk.

An example of a maldoc exploiting this vulnerability consists of configuring the external references of the maldoc to point to the exploit payload, which, in this case, is written inHTML.

The HTML hosted on the remote location contains the actual exploit.

Using the ms-msdt schema and troubleshooting package "PCWDiagnostic," the attacker can launch arbitrary code on the infected endpoint.

  
**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following ClamAV signatures are available to detect malware related to this threat:

**Win.Exploit.CVE\_2022\_30190-9951234-1**

**IOCs****Hashes**

4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784  
8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd  
fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45  
710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa  
d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7

**Malicious URLs**

hxxps\[://\]www\[.\]xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l\[.\]html  
hxxps\[://\]www\[.\]sputnikradio\[.\]net/radio/news/3134\[.\]html  
hxxps\[://\]exchange\[.\]oufca\[.\]com\[.\]au/owa/auth/15\[.\]1\[.\]2375/themes/p3azx\[.\]html

Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution

Who knew you could connect Moses to threat intelligence?   By Jon Munshaw. 
When the security community usually thinks about the origins of cybersecurity and threat intelligence, the conversation may quickly center around the codebreakers in World War II or the Creeper software developed...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

When the security community usually thinks about the origins of cybersecurity and threat intelligence, the conversation may quickly center around the codebreakers in World War II or the Creeper software developed in the 1970s. 

Martin Lee likes to go all the way back to Biblical times and Moses. 

“The Book of Numbers is the first account of threat intelligence,” Lee, Talos’ Strategic Communications EMEAR lead, said in a recent interview.  

The Book of Numbers, one of the books of the Old Testament, tells the story of Moses sending scouts out to spy for potential dangers that await the group he’s leading. In this story, Moses is trying to collect as much information as possible to learn about what threats, and opportunities, his group will face along their travels. 

Lee also likes to reference Julius Caesar, who wrote his personal correspondence in cipher. Even the most powerful man on Earth feared the interception of his messages by enemies. It's remarkable how little has changed in 2,000 years, he says. These are the types of stories and examples Lee likes to bring into his customer engagements in his role at Talos. As a strategic communications lead, he spends much of his time talking about Talos and the work our researchers do for Cisco customers, government agencies and other high-profile organizations. Often, this information must be distilled down in a way that makes sense for everyone from the security frontlines up to the C-Suite. 

That’s why he likes leaning on the history of threat intelligence when talking about the current state of cybersecurity. He also writes about the lessons from thousands of years ago in a textbook he’s currently working on covering the history of threat intelligence through to current intelligence-gathering methods used in cyber security. 

Lee is no stranger to writing, he often writes blog posts for Talos, too, like his recent overview of quantum computing and what it could mean for the future of cybersecurity. He can even dip into the recent past to influence his security opinions, having worked in security since 2003. 

Prior to that, though, he was planning to spend his career in biomedicine research. Lee went to college to become a human viral geneticist, studying for a doctorate program in Paris, France and accepting a post-doctoral position at the University of Oxford in England. But before he could progress in that role, he decided to pivot to computer science. 

“I discovered the early internet, and I thought, ‘This is going to be the biggest invention of my life, and either I’ll jump now, or I’ll regret it for the rest of my life,’” he said. 

At first in the mid-1990s, he started writing websites as part of the dot com boom, eventually taking a job writing spam filters. It wasn’t too big of a change, Lee said, because when defending against spam, it’s all about looking for patterns, which is something he was familiar with studying genetics in college.  

“To me, having a background in life science and biomedicine, cybersecurity to me looks like a public health problem,” he said. “Inside of security, we’re a lot like how medicine was in the 19th century.  There’s a willingness to improve outcomes, but we’ve yet to find out how to cure the disease. There’s no lack of tools or large-scale data, but we need to better understand exactly what the problem is and how to fix it.” 

While working on detection content, Lee noticed there was a disconnect between the malware research team and the sales team at his company. While the sales team understood the importance of the burgeoning cybersecurity industry at the time, there was little awareness of the work of the detection writers and why their work was important to the company’s clients.  

“I started getting involved with briefing the sales team and explaining why our product was different and why it was better,” he said, the exact skillset he brings into each of his executive briefings. 

Lee joined Cisco in 2013, eventually making his way to Talos. He mainly works remotely from his home in the U.K., but he enjoys traveling to conferences and talking in person and looks forward to restarting a regular travel schedule. With Talos, he can keep his schedule flexible, which allows him to travel to other countries and events. 

It also gives him the flexibility to embrace some of his other loves: running and photography. Unlike the many hours Lee spends with computers every day, he prefers combining modern digital photography with hand-making prints using a traditional Victorian chemical process — he has a darkroom set up in his home to create his own photographic paper and has even showcased his work at various art shows. 

Lee started taking running seriously about seven years ago when a former colleague invited him to a running club. He had always enjoyed running and jogging for exercise, but he soon started taking it in a more serious way, training for marathons and other long distances. 

His biggest test came earlier this year when he ran the Chester Ultra 50, an extreme race in Northwestern England that can take even the most seasoned runners more than 10 hours to finish. Unfortunately, Lee had to drop out after 36.5 miles (that’s almost a marathon-and-a-half for those of you keeping score at home). He chronicled the journey over on his personal YouTube page, which you can watch below. 

“I ran up until, basically, my legs fell off. I discovered how far I could run, which is great. I don’t view it as a failure whatsoever,” he said. “I dared, I tried. And I found my limits. Next time I’m going to train harder, and I’m going to run further.” 

This is a mindset he and his Talos colleagues must bring to cybersecurity every day. There could be times when you fall short of your goal, or you go until you simply can’t anymore. But the importance is to have resiliency, to continue to learn and improve from every experience. 

“There’s a gulf of understanding between the people who are full-on in the issues and the people who need to understand what the problem and solutions are,” he said. “A lot of my career has been trying to bridge that gap.” 

If you’d like to hear from Martin or anyone else on our strategic communications team, please reach out to your Cisco sales representative and request an executive briefing. Or look for Martin on any future episodes of the EMEAR Talos Threat Update with Hazel Burton.

Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications 

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft's update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update, Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities including an issue already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it’s taken a while to reach devices.

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

The most serious flaw gives attackers a way to remotely execute code on systems that many organizations use to move data in critical ICS environments, security vendor says.

A pair of critical flaws in industrial Internet of Things data platform vendor Open Automation Software (OAS) are threatening industrial control systems (ICS), according to Cisco Talos.

They're part of a group of eight vulnerabilities in OAS software that the vendor patched this week.  

Among the flaws is one (CVE-2022-26082) that gives attackers the ability to remotely execute malicious code on a targeted machine to disrupt or alter its functioning; another (CVE-2022-26833) enables unauthenticated use of a REST application programming interface (API) for configuration and viewing data on systems. 

In its advisory, Cisco Talos described the remote code execution (RCE) vulnerability as having a severity score of 9.1 on a 10-point scale and the API-related flaw as having a score of 9.4.

The remaining flaws exist in different components of OAS Platform V16.00.0112. They were assessed as being less severe (with vulnerability-severity ratings that range from 4.9 to 7.5), and included information disclosure issues, a denial-of-service flaw, and vulnerabilities that allow attackers to make unauthorized configuration changes and other modifications on vulnerable systems.   

"Cisco Talos worked with Open Automation Software to ensure that these issues are resolved, and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy," its advisory noted. The company recommended that organizations using the vulnerable software ensure that proper network segmentation is in place to minimize the access that an attacker, who exploited the vulnerabilities, would have on the compromised network.

OAS's Open Automation Software Platform is primarily designed to let organizations in industrial IoT environments move data between different platforms — for instance, from an Allen Bradley programmable logic controller (PLC) to a Siemens PLC. Central to the platform is a technology the company calls Universal Data Connect that enables data to flow from and between IoT devices, PLCs, applications, and databases. OAS describes its technology as also being useful for logging data in ICS environments and putting then in open formats, and for aggregating data from disparate sources. OAS has customers from across multiple industry verticals including power and utilities, chemical, construction, transportation, and oil and gas.

**Critical Flaws**

The RCE execution vulnerability (CVE-2022-26082) that Cisco Talos discovered exists in a secure file transfer functionality in the OAS Platform V16.00.0112. An attacker can exploit the vulnerability by sending a sequence of properly formatted configuration messages to the OAS Platform to upload an arbitrary file. Cisco said the issue had to do with missing authentication for a critical function. 

"The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform," Cisco Talos said.

The REST API-related vulnerability (CVE-2022-26833) that Cisco discovered and reported to OAS also stems from improper authentication. The flaw exists in OAS Platform V16.00.0121 and gives unauthenticated attackers a way to use the REST API to make malicious changes to the platform. Attackers can trigger the flaw by sending a series of specially crafted HTTP requests to the software. 

To mitigate the risk from this flaw, Cisco recommended that organizations create custom security groups and user accounts with only the needed permissions and then restrict access to these accounts.   

Researchers have been discovering a steadily growing number of vulnerabilities in ICS and operational technology (OT) environments in recent years. A study that industrial cybersecurity vendor Claroty released earlier this year showed vulnerabilities impacting these environments increased 52% in 2021 to 1,439, compared to 942 in 2020. About 63% of the flaws were remotely exploitable. 

The number of vulnerabilities reported last year was some 110% more than the 683 flaws reported in ICS technologies in 2018. Vulnerabilities were reported for the first time in products from 21 of the 82 ICS vendors that were affected by flaws last year.

Tag

#cisco