Monthly Advisory

August Threat Advisory – Top 5

by Eleanor Barlow • Aug 2022

SecurityHQ's Monthly Threat Report, drawn from recent advisories of August 2022.

UK Water Supply Company Suffered Clop Ransomware Attack

Threat Reference: Global

Risks: Ransomware

Advisory Type: Threat Intel

Priority: Elevated

Security researchers have observed a Clop ransomware attack against a UK water supply company. The Clop ransomware group claims to have had access to every system, including the SCADA systems that control the chemicals in the water. The attackers had access to 5 terabytes of data but did not encrypt the files they accessed. As proof of the attack, they posted screenshots of sensitive information, such as a passport and water filtration flow diagrams.

TTPs Used:

1. Initially, a spear-phishing email containing a malicious binary executable attachment is sent to the victim.

2. Once executed, the malicious file drops further tools to gain an initial foothold and to perform lateral movement in the network.

3. The Tinymet tool is used for command-and-control.

4. Once connected to the command-and-control server, the attacker deploys ransomware on the affected systems to encrypt the data.

Recommendation

• Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.

• Provide phishing awareness training to your employees/contractors.

• Keep anti-malware solutions at the endpoint and network level up to date at all times.

• Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints.

• Block executables and uncommon extensions, such as HTML files, on email gateways.
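The gateway recommendation above can be enforced with a small attachment policy check. The following is an added example (not code from SecurityHQ or the advisory) that blocks executables and HTML by extension and also sniffs the leading bytes, so a dropper renamed to a harmless-looking name is still caught; the function names and the sample attachments are constructed for illustration.

```python
# Added example, not from the advisory: a minimal mail-gateway attachment check
# implementing "block executables and uncommon extensions like html". It checks
# both the filename and the leading bytes, so a renamed executable is still caught.
from dataclasses import dataclass

# Extensions the policy refuses outright: executables, scripts, and HTML.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js",
    "jse", "wsf", "hta", "msi", "lnk", "iso", "html", "htm", "shtml",
}
MZ_MAGIC = b"MZ"  # Windows PE executables (EXE/DLL/SCR) begin with "MZ"
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script")

@dataclass
class Attachment:
    filename: str
    content: bytes

def extensions(filename: str) -> list[str]:
    """Every dotted suffix, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def attachment_verdict(att: Attachment) -> tuple[str, str]:
    """Return ('block', reason) or ('allow', '') for one attachment."""
    # 1. Any blocked extension anywhere in the name (covers double extensions).
    for ext in extensions(att.filename):
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"blocked extension .{ext}"
    # 2. Content sniffing: catch a PE or HTML body under a harmless-looking name.
    if att.content.startswith(MZ_MAGIC):
        return "block", "PE executable content under non-executable name"
    head = att.content[:512].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "block", "HTML content under non-HTML name"
    return "allow", ""

if __name__ == "__main__":
    # Constructed samples: a PDF, a double-extension dropper, a renamed executable.
    samples = [
        Attachment("report.pdf", b"%PDF-1.7 ..."),
        Attachment("invoice.pdf.exe", b"MZ\x90\x00"),
        Attachment("statement.txt", b"MZ\x90\x00\x03"),
    ]
    for att in samples:
        print(att.filename, *attachment_verdict(att))
```

A production gateway would add archive inspection and sandboxing on top of this; the point here is that the filename alone is not a trustworthy signal.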

Microsoft Releases August 2022 Patch Tuesday for 121 Flaws Including 2 Zero-days

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released the August 2022 Patch Tuesday update to fix 121 vulnerabilities, 17 of which are rated Critical. Successful exploitation of these vulnerabilities could result in Remote Code Execution (RCE) and Privilege Escalation.

Notable vulnerabilities include a Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution vulnerability and a Microsoft Exchange Information Disclosure vulnerability that allows an attacker to read targeted email messages.

Affected products include .NET Core, Active Directory Domain Services, Azure Batch Node Agent, Azure Real Time Operating System, Azure Site Recovery, Azure Sphere, Microsoft ATA Port Driver, Microsoft Bluetooth Driver, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Office, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Windows Support Diagnostic Tool (MSDT), Remote Access Service Point-to-Point Tunnelling Protocol, Role: Windows Fax Service, Role: Windows Hyper-V, System Center Operations Manager, Visual Studio, Windows Bluetooth Service, Windows Canonical Display Driver, Windows Cloud Files Mini Filter Driver, Windows Defender Credential Guard, Windows Digital Media, Windows Error Reporting, Windows Hello, Windows Internet Information Services, Windows Kerberos, Windows Kernel, Windows Local Security Authority (LSA), Windows Network File System, Windows Partition Management Driver, Windows Point-to-Point Tunnelling Protocol, Windows Print Spooler Components, Windows Secure Boot, Windows Secure Socket Tunnelling Protocol (SSTP), Windows Storage Spaces Direct, Windows Unified Write Filter, Windows WebBrowser Control, and Windows Win32K.

Recommendation

• Keep applications and operating systems running at the current released patch level.

• Run software with the least privileges.

VMware Patched Multiple Vulnerabilities, Including Critical Authentication Bypass Security Flaw

Threat Reference: Global

Risks: Privilege Escalation, Remote Code Execution

Advisory Type: Updates/Patches

Priority: Standard

VMware has fixed multiple vulnerabilities, including a critical authentication bypass. This vulnerability allows an unauthenticated attacker to gain administrative privileges on multiple affected VMware products.

Affected products include VMware Workspace ONE Access (Access), VMware Workspace ONE Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Notable vulnerabilities include a URL injection vulnerability, two JDBC injection remote code execution vulnerabilities, an SQL injection remote code execution vulnerability, three local privilege escalation vulnerabilities, a path traversal vulnerability, and a cross-site scripting (XSS) vulnerability.

Recommendation

It is recommended to update all affected products to their latest available patch version.

Palo Alto Released Security Update to Fix High Severity Vulnerability in PAN-OS

Threat Reference: Global

Risks: Denial-of-Service (DoS)

Advisory Type: Updates/Patches

Priority: Standard

Palo Alto Networks released a security update to fix a high-severity vulnerability in PAN-OS. The vulnerability stems from a URL filtering policy misconfiguration in PAN-OS. Successful exploitation could allow a network-based attacker to conduct a reflected and amplified TCP denial-of-service (RDoS) attack, obfuscating their identity and implicating the firewall as the source of the attack.

Affected Versions include PAN-OS 8.1 earlier than 8.1.23-h1, PAN-OS 9.0 earlier than 9.0.16-h3, PAN-OS 9.1 earlier than 9.1.14-h4, PAN-OS 10.0 earlier than 10.0.11-h1, PAN-OS 10.1 earlier than 10.1.6-h6, and PAN-OS 10.2 earlier than 10.2.2-h2.

Recommendation

It is recommended to update the affected products to their latest available versions/patch level.
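To act on this recommendation across a fleet, each firewall's PAN-OS version has to be compared against the fixed versions listed above. The following is an added example (not the advisory's or Palo Alto Networks' code) that parses version strings with their optional hotfix suffix and reports whether a host is affected; the function names are my own, the fixed-version table is taken from the advisory text, and the inventory in the main block is constructed.

```python
# Added example, not from the advisory: decide whether a PAN-OS version string
# falls in one of the affected ranges listed above. Versions carry an optional
# hotfix suffix ("10.1.6-h6"); a release without a hotfix sorts before the same
# release with one, so "8.1.23" is affected while "8.1.23-h1" is fixed.
import re

# train -> first fixed version, as given in the advisory text above.
FIXED_VERSIONS = {
    "8.1": "8.1.23-h1",
    "9.0": "9.0.16-h3",
    "9.1": "9.1.14-h4",
    "10.0": "10.0.11-h1",
    "10.1": "10.1.6-h6",
    "10.2": "10.2.2-h2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn 'major.minor.patch[-hN]' into a comparable tuple; no hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def pan_os_status(version: str) -> str:
    """Return 'affected', 'fixed', or 'unknown' (train not listed in the advisory)."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return "unknown"
    return "affected" if parsed < parse_version(fixed) else "fixed"

if __name__ == "__main__":
    # Constructed inventory of firewall versions for illustration.
    for v in ["8.1.23", "8.1.23-h1", "10.1.6-h7", "10.2.1", "7.1.9"]:
        print(f"{v:>11}: {pan_os_status(v)}")
```

Trains the advisory does not list (for example 7.1) are reported as "unknown" rather than "fixed", so they are not silently treated as safe.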

Apple Fixed Two Zero-day Vulnerabilities Affecting macOS, iOS and iPadOS Devices

Threat Reference: Global

Risks: Arbitrary Code Execution, Privilege Escalation, Zero-day

Advisory Type: Updates/Patches

Priority: Standard

Apple released a security update to fix two zero-day vulnerabilities that were exploited in the wild. Successful exploitation of these vulnerabilities leads to arbitrary code execution with kernel privileges on compromised devices.

An out-of-bounds vulnerability allows an attacker to achieve arbitrary code execution when a victim visits a maliciously crafted website. A malicious application can use such a vulnerability to execute arbitrary code with kernel privileges.

Recommendation

It is recommended to update Apple devices to the latest available versions (iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1).
