Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild.
The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges.
Successful exploitation of

Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild.

The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges.

Successful exploitation of out-of-bounds write flaws, which typically occur when a program attempts to write data to a memory location that's outside of the bounds of what it is allowed to access, can result in corruption of data, a crash, or execution of unauthorized code.

The iPhone maker said it addressed the bug with improved bounds checking, while crediting an anonymous researcher for reporting the vulnerability.

As is usually the case with actively exploited zero-day flaws, Apple refrained from sharing more specifics about the shortcoming other than acknowledging that it's "aware of a report that this issue may have been actively exploited."

CVE-2022-42827 is the third consecutive Kernel-related out-of-bounds memory vulnerability to be patched by Apple after CVE-2022-32894 and CVE-2022-32917, the latter two of which have also been previously reported to be weaponized in real-world attacks.

The security update is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

With the latest fix, Apple has closed out eight actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22594** (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32893** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-32894** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32917** (Kernel) – An application may be able to execute arbitrary code with kernel privileges

Aside from CVE-2022-42827, the update also addresses 19 other security vulnerabilities, including two in Kernel, three in Point-to-Point Protocol (PPP), two in WebKit, and one each in AppleMobileFileIntegrity, Core Bluetooth, IOKit, Sandbox, and more.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability

Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. It's time to say goodbye to on-premise Exchange.

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cybersecurity experts argue that a similar switch is due—or long overdue—for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data center, the time has come to move to a cloud service—if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by Chinese state-sponsored hackers known as Hafnium, who last year penetrated more than 30,000 targets, by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear enough message: An Exchange server is, itself, a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

Aside from the multiple vulnerabilities Orange Tsai exposed and the two actively exploited unpatched bugs revealed last month, Childs points to another 20 security flaws in Exchange that a researcher reported to ZDI, which ZDI, in turn, reported to Microsoft two weeks ago, and which remain unpatched. “Exchange right now has a very broad attack surface, and it just hasn’t had a lot of really comprehensive work done on it in years from a security perspective,” says Childs.

Childs points to two other ZDI discoveries of Exchange vulnerabilities, one in 2018 and another in 2020, that were actively exploited by hackers even after the bugs were reported to Microsoft and patched. Security podcast _Risky Business_ went so far as to title a recent episode “It’s Exchangehog Day,” in a reference to the dreary cycle of vulnerability revelations and subsequent patching the servers require.

When WIRED reached out to Microsoft for comment on its Exchange security issues, Aanchal Gupta, the corporate vice president of Microsoft Security Response Center (MSRC), responded with an exhaustive list of measures the company has taken to mitigate, patch, and harden on-premise Exchange servers. He noted that Microsoft quickly released updates in response to Tsai's findings to partially block the vulnerabilities he exposed before the company released the full fix in August. Gupta further wrote that  MSRC “worked around the clock” to help customers update their Exchange servers in the midst of last year's Hafnium attacks, released numerous security updates for Exchange over the year, and even launched an Exchange Emergency Mitigation service, which helps customers automatically apply security mitigations to block known attacks on Exchange servers even before a full patch is available.

Still, Gupta agreed that most customers should move from on-premise Exchange servers to Microsoft's cloud-based email service, Exchange Online. “We strongly recommend customers migrate to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats,” Gupta said in an emailed statement. “Our work to support on-premises customers to move to a supported and up-to-date version continues, and we strongly advise customers who cannot keep these systems up to date to migrate to the cloud.”

If email administrators are, in fact, having trouble keeping Exchange fully patched, Trend Micro's Childs says that's due largely to the complexity of actually installing Exchange updates, both because of the age of its code and the risks of breaking functionality by changing interdependent mechanisms in the software. Security researcher Kevin Beaumont, for instance, recently live-tweeted his own experience of updating an Exchange server, documenting countless bugs, crashes, and hiccups in the process, which took him nearly three hours, despite the fact the server had last been updated just a few months earlier. “It’s a difficult and arduous process, so even though there are active attacks, people just don’t patch their on-premise Exchange,” says Childs. “So there are patched bugs that are taking forever to get fixed, and also unpatched bugs that have yet to get fixed.”

Another problem compounding on-premise Exchange’s security woes arises from the fact that vulnerabilities found in its software are often particularly easy to exploit. Exchange bugs aren’t any more common than, say, vulnerabilities in Microsoft’s Remote Desktop Protocol, says Marcus Hutchins, an analyst for security firm Kryptos Logic. But they’re far more reliable to use because, despite the fact that an Exchange server hosts email locally, it’s accessed through a web service. And passing commands through an online interface to a web server is a far more reliable form of hacking than methods like so-called memory corruption vulnerabilities, which have to alter data in a lower-level and less predictable portion of a targeted machine. “It’s basically very fancy web exploitation,” says Hutchins. “It’s not something that’s going to crash the server if you do it wrong. It’s very stable and simple.”

That exploitability is compounded by what seems to be Microsoft’s increasing inattention to maintaining the security of on-premise Exchange in favor of its cloud-based email service, 365 Exchange Online. As Beaumont pointed out earlier this month, Microsoft itself recommended that customers disable “legacy” authentication for Exchange—using industry jargon for outdated and often unsupported features—without acknowledging that there was no alternative form of authentication available.

That’s a strong hint that Microsoft itself thinks of on-premise Exchange servers on the whole as de facto “legacy” products, says Jake Williams, a former National Security Agency hacker who leads threat intelligence at cybersecurity firm Scythe. Microsoft no doubt wants customers to switch to its cloud-based service he says, and seems to have shifted its security resources accordingly. “It’s clear the depth on the on-premise Exchange team is not where it was a few years ago and hasn’t kept up with the security landscape,” says Williams. “It’s pretty stark.”

Williams acknowledges that some users may prefer or even require that their email be hosted locally rather than in the cloud for legal or privacy issues. But many enterprises that rely on the security of controlling the Exchange server themselves need to reckon with the fact they’re likely introducing more risks than they’re avoiding. “I tell customers, ‘I get it, you want to run on-prem for control reasons,’” says Williams. “But you have to start evaluating this as a liability. And that’s because Microsoft is not putting effort and resources into patching.”

“The proof is in the pudding,” Williams adds. “This code base is not getting the love that it clearly and desperately needs.” And if Microsoft isn’t giving that love to your Exchange server, perhaps Exchange no longer deserves your love, either.

Your Microsoft Exchange Server Is a Security Liability

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

CVE-2022-38108: Published | Zero Day Initiative

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.

**SolarWinds Platform RC documentation** - The following content is a draft for a **SolarWinds Platform Release Candidate**. All content subject to change. Some links might not function yet.

RC date: October 19, 2022

These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2022.4. They also provide information about upgrades and describe workarounds for known issues.

Learn more

*   For information on latest hotfixes, see SolarWinds Platform Hotfixes.
*   For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
*   For information about requirements, see SolarWinds Platform 2022.4 System Requirements.
*   For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

**New features and improvements in SolarWinds Platform**

Return to top

SolarWinds Platform 2022.4 offers the following improvements compared to previous releases of SolarWinds Platform.

*   SolarWinds Platform 2022.4 provides SWIS Verbs for managing common credentials, such as Orion.Credential.CreateCredentials & Orion.Credential.UpdateCredentials for creating/editing the credentials.
    
*   SolarWinds Platform 2022.4 supports the Kerberos protocol for WMI authentication.
    

**New customer installation**

Return to top

For information about installing SolarWinds Platform, see SolarWinds Installer.

**How to upgrade**

Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2022.4. If you are on Orion Platform 2019.4 or earlier, first upgrade to 2020.2.6 and then upgrade to SolarWinds Platform 2022.4.

**Before you upgrade from 2020.2.x**

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the **db create** privilege. **Without this privilege, the upgrade will not complete.**
    
*   Legacy syslog and traps functionality has been retired and replaced with new log analysis functionality. Currently configured legacy rules and history will automatically be migrated during the upgrade.
*   Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.
    *   If you have a SQL Server older than 2016.
    *   If you have an Orion Platform product version 2019.4 or earlier.

**Fixed issues**

Return to top

SolarWinds Platform 2022.3 fixes the following issues.

 

Case Number

Description

614891, 787724, 980418, 986820

The issue where last month data was not interpreted correctly in PerfStack was addressed.

614233, 762559, 804478, 837222, 899624, 920603, 933885, 942223, 1059644, 1169810, 1171661, 1179118

The issue where report schedules with SAML accounts could not be created was addressed.

683517, 875616

The issue where Centralized Upgrade did not work with a proxy was resolved.

1067814, 1151313

The issue where the child status participation in node status was incorrect in fast polls was addressed.

936171, 946582, 1067460, 1131341

The issues with bulk assigning values on filtered rows were addressed.

802569

The issue where JobEngine Workers started slowly on computers without Internet access was addressed.

1144845, 1161775

The issue where configuration failed when installation location changed was addressed.

233154, 319006, 328477, 458287, 688246

The issues with CredentialManagerService slow methods were addressed.

778743

The issue where a Nexus switch was incorrectly recognized as Cisco was addressed.

973342, 977343

The issue where machine types for Cisco devices were only recognized as Cisco was addressed.

1102730

The issue where child status was not updated properly was addressed.

949509

The issue where collector log was flooded when processing Agent Node uptime was addressed.

761222

The unhandled exception in the Poller Checker tool was addressed.

1187140

The issue where the HA service stopped after the upgrade was addressed.

1187140

The issue where Observability templates were not delivered to the system was addressed.

636868

The issue where database maintenance failed to execute a procedure were addressed.

1144505

The issue where database maintenance job completed with errors caused by calling a legacy procedure was addressed.

928393

The issues with OIDs for Antaira Technologies, LLC and corresponding icons were addressed.

554483, 692820

The issue where main poller was used on bulk actions from Node Management for sending any requests to nodes was addressed.

893718

The issue where capacity forecast for CPU/memory was not calculated was addressed.

1184046

The issue where scalability engines installation failed because of a free tool installed in the SolarWinds folder was addressed.

**CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-36966

Insecure Direct Object Reference Vulnerability

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3.

5.9 Medium

Asim Liaquat

CVE-2022-36957

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

7.2 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-36958

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-38108

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

7.2 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

**End of life**

Return to top

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

   

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

**April 18, 2023**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

**May 18, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.6 will no longer be actively supported by SolarWinds.

**May 18, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.6

2020.2.5

**January 18, 2023**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

**February 17, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.5 will no longer be actively supported by SolarWinds.

**February 17, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.5.

2020.2.4

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.4 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.4.

2020.2.1

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.1 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.1.

2020.2

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on NSolarWinds Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**End of support**

Return to top

This version of SolarWinds Platform no longer supports the following platforms and features.

 

Type

Details

Microsoft Windows Server 2012 R2

Windows Server 2012 R2 is not supported in SolarWinds Platform 2022.4.

SolarWinds recommends that you upgrade the operating system of your SolarWinds Platform server to Windows Server 2016 or later. See SolarWinds Platform 2022.4 System Requirements.

**Legal notices**

Return to top

© 2022 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2022-36966: SolarWinds Platform 2022.4  Release Notes

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

**Security Advisory Summary**

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

**Affected Products**

*   SolarWinds Platform 2022.3 and earlier
*   Orion Platform 2020.2.6 HF5 and earlier

**Fixed Software Release**

*   SolarWinds Platform 2022.4 RC1

**Acknowledgments**

*   Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-36958: SolarWinds Trust Center Security Advisories | CVE-2022-36958

Vice Society has a superpower that’s allowed it to quietly carry out attacks on schools and hospitals around the world: mediocrity.

a ransomware attack on the Los Angeles Unified School District in the first week of September crippled digital operations across the system, which includes more than 1,000 schools and serves roughly 600,000 students. Two weeks after the initial attack, as the district worked to recover and restore its systems, the hackers said that they would leak the 500 gigabytes of data they claimed to have stolen from LAUSD if the school system didn't pay a ransom. 

After the school system refused to pony up, the hackers released the trove, which contained sensitive data of students who had attended LAUSD between 2013 and 2016, including their Social Security numbers, financial and tax information, health details, and even legal records. And as LAUSD set up a hotline for worried families and scrambled to deal with the fallout, the hacking group behind the attack moved on, seemingly without making any money off the incident. 

That's Vice Society for you.

The apparently Russian-speaking group is a prolific ransomware actor that has hit an array of educational institutions since emerging at the end of 2020. But in addition to focusing on schools, Vice Society is notorious for targeting health care facilities and hospitals—a sector long-plagued by ransomware attacks, but one that some hacking groups pledged not to target at the height of the Covid-19 pandemic. Amidst a nonetheless brutal wave of North American hospital ransomware attacks in 2020, though, Vice Society's activity has been just unremarkable enough to keep the group out of the spotlight.

“We would probably think of them as a second- or maybe third-tier group overall, compared to big names like LockBit, Hive, and Black Cat,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “But the bulk of their victims are either in the education or health care sectors, and their attacks make up a significant chunk of the total known attacks in those categories for 2021 and 2022 so far. They loom large in those two sectors.”

Vice Society is, in many ways, an unremarkable ransomware gang. The group relies on exploiting known vulnerabilities like PrintNightmare to gain access to victims' systems and may sometimes buy a foot in the door from criminal actors known as “initial access" brokers. Once inside a network, Vice Society uses automated scripts and takes advantage of an organization's own network management tools to conduct standard reconnaissance and exfiltrate data. Then the group deploys prepackaged ransomware. 

Shortly after the LAUSD attack, the United States Cybersecurity and Infrastructure Security Agency and the FBI published an alert about Vice Society, noting that the group is “disproportionately targeting the education sector with ransomware attacks.” The agencies added that “Vice Society is an intrusion, exfiltration, and extortion hacking group … \[The\] actors do not use a ransomware variant of unique origin."

In addition to its technically unremarkable attacks, Vice Society has also hit targets around the world, spreading its victimes between North America, South America, and Europe. 

Throughout 2021, Vice Society's health care targets included Barlow Respiratory Hospital in California, Eskenazi Health in Indiana, Centre Hospitalier D'Arles in France, United Health Centers in California, and a dental company in Brazil. The group also attacked New Zealand's Waikato District Health Board that summer, which, among other impacts, resulted in the cancellation of two Air New Zealand flights; the airline couldn't obtain proof of negative Covid-19 tests for crew members because the health department's digital systems were down.

Vice Society also targeted schools and universities in 2021 and seems to have favored this sector more and more as the United States and other countries devote more resources to ransomware enforcement and hone mitigation techniques. In the wake of high-profile 2021 attacks, like the Colonial Pipeline ransomware incident, prominent Russian-speaking actors faced infrastructure takedowns, indictments, and even rare Russian arrests for their brazen crimes. 

Vice Society may view education as a quieter and less well funded category where it can fly under the radar. For example, the group hit the Austrian Medical University of Innsbruck in June and Linn-Mar Community School District in Iowa at the beginning of August—neither of which many people would flag as major, obvious targets. The Bluets maternity hospital in Paris accused the group last week of a ransomware attack on its systems. Vice Society has not taken credit so far for the hack.

“They’re a perfect example of the success of mediocrity in the ransomware ecosystem,” says Claire Tills, a researcher for the security firm Tenable who has studied Vice Society's tactics and organization. “You have the top-tier groups developing their own zero days and acting all polished and professional. But meanwhile, Vice Society is just chugging along, not really innovating, stealing tools from other folks, but they have just enough stability to launch attacks, get paid, keep moving."

Researchers view the group's attack on the Los Angeles Unified School District as significant because LAUSD is a major target, and it made more of a splash than most of Vice Society's other hacks. Tills notes that the group may not have understood the scale and prominence of the school district it was taking on or may have chosen the target deliberately as a test of whether it was ready to up its game and focus on larger victims. But the apparent failure to secure payment and scrutiny that came from the incident may have warned the group off of such visible attacks.

“They're focusing on not necessarily big targets. Not everyone is aware of how bad and how devastating these attacks are, because they are so regional and they don't necessarily break into the mainstream,” Recorded Future's Liska says. “You may not want to be Conti and take down a whole country’s health care system, because if you do, you’re going to draw the ire of these countries.”

By focusing on lesser-known schools, Tenable's Tills warns, Vice Society may be able to maintain its low profile and continue its streak if defenders and law enforcement don't make mid-tier ransomware groups a higher priority. 

“Vice Society has taken the approach of knowing that the education sector isn’t doing great emotionally or financially,” Tills says. "Schools are under so much pressure after being closed on and off for two years, and ransomware actors know that the more stressed people are, the more likely they are to make suboptimal decisions. The group's success makes them sustainable, but they're still kind of written off. So they're not getting raided or arrested that we’ve seen so far. They're a really good example of what we as an industry are not paying enough attention to.”

The Vice Society Ransomware Gang Thrives in a Crucial Blind Spot

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function.

Permalink

**1** contributor

**Users who have contributed to this file**

**Cross Site Scripting vulnerability in the OpenCats 'email' parameter of Check Email functionality**

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET /index.php?m=toolbar&callback=<script>alert`xss`</script>&a=checkEmailIsInSystem&email=<script>alert(document.domain)</script>

CVE-2022-43018: opencats_zero-days/XSS_in_checkEmail.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component.

Permalink

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

**1** contributor

**Users who have contributed to this file**

Cross Site Scripting vulnerability in the OpenCats 'indexFile'.

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET //ajax.php?f=getPipelineJobOrder&joborderID=1&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=15)"></a><script>alert`xss`</script>&isPopup=0

CVE-2022-43017: opencats_zero-days/XSS_in_indexFile.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the joborderID parameter.

Permalink

**1** contributor

**Users who have contributed to this file**

**Cross Site Scripting vulnerability in the OpenCats 'joborderID'.**

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET /ajax.php?f=getPipelineJobOrder&joborderID=1)"></a> <script>alert`xss`</script>&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0

Tag

#zero_day