Please see Security Advisories for the week ending April 22, 2022
- Spring Framework Vulnerability (CVE-2022-22965) in Veritas Products
- FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware
- Cisco Releases Security Updates for Multiple Products
- Drupal Releases Security Updates
- Oracle Releases April 2022 Critical Patch Update
- Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
- CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment
_______________________________
Spring Framework Vulnerability (CVE-2022-22965) in Veritas Products
Situation
The Spring Framework Remote Code Execution vulnerability via Data Binding on JDK 9+ (CVE-2022-22965) has been identified in multiple Veritas Appliance Products. Products affected are: Access Appliance, Flex Appliance, NetBackup Appliance, and NetBackup Flex Scale Appliance.
Problem
The Spring Framework vulnerability is a critical-severity vulnerability that affects applications running on Java JDK 9 and later.
Implication
An attacker can cause the application to load an arbitrary malicious class, resulting in remote code execution (RCE) on the server.
Need
Update the affected products to the latest version.
For more information: https://www.veritas.com/content/support/en_US/security/VTS22-006
________________________________
FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware
Situation
The Federal Bureau of Investigation (FBI) has released a flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.
Problem
BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.
Implication
An attacker could exploit a vulnerability to take control of a network and perform a ransomware attack on an organization. These detailed indicators of compromise give an organization the information it needs to prevent and mitigate such an attack.
Need
CISA and the FBI encourage users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW (linked below) and apply the recommended mitigations.
More Information can be found by following the links below:
https://www.ic3.gov/Media/News/2022/220420.pdf
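The Problem paragraph above describes a chain (compromised credentials, a scheduled task that sets up a malicious GPO, PowerShell that disables security features). The following detection sketch, added here and not part of the FBI flash or this digest, runs that logic over constructed sample events modelled loosely on Windows Security event 4698 (task created), 5136 (directory object modified) and PowerShell event 4104 (script block); the field names, the placeholder GPO GUID and the two-stage correlation threshold are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample events (JSON lines). Field names are assumed; these are
# illustrative records, not telemetry taken from the FBI flash report.
SAMPLE_EVENTS = r"""
{"event_id": 4698, "user": "CORP\\svc_backup", "task_name": "\\Microsoft\\Windows\\UpdateCheck", "task_action": "powershell.exe -File \\\\corp.local\\SYSVOL\\corp.local\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Scripts\\Startup\\deploy.ps1"}
{"event_id": 4698, "user": "CORP\\it_admin", "task_name": "\\Backup\\Nightly", "task_action": "C:\\Program Files\\Backup\\backup.exe /full"}
{"event_id": 5136, "user": "CORP\\svc_backup", "object_class": "groupPolicyContainer", "object_dn": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=local"}
{"event_id": 4104, "user": "CORP\\svc_backup", "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true"}
{"event_id": 4104, "user": "CORP\\dev01", "script_block": "Get-ChildItem C:\\src -Recurse | Measure-Object"}
"""

# One rule per stage the advisory describes: (event_id, field, pattern, label).
RULES = [
    (4698, "task_action", re.compile(r"powershell.*\\SYSVOL\\.*\\Policies\\", re.I),
     "scheduled task runs PowerShell from a GPO scripts path"),
    (5136, "object_class", re.compile(r"^groupPolicyContainer$"),
     "Group Policy object modified"),
    (4104, "script_block", re.compile(r"Set-MpPreference.*-Disable", re.I),
     "PowerShell disables an endpoint security feature"),
]


def analyze(jsonl: str) -> dict:
    """Return per-rule findings plus users whose activity matches 2+ distinct stages."""
    findings = []
    labels_by_user = defaultdict(set)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for event_id, field, pattern, label in RULES:
            if ev.get("event_id") == event_id and pattern.search(str(ev.get(field, ""))):
                findings.append({"user": ev["user"], "event_id": event_id, "label": label})
                labels_by_user[ev["user"]].add(label)
    # A single identity touching several stages (GPO change, task creation,
    # defence tampering) is a far stronger signal than any one hit on its own.
    chained = sorted(u for u, labels in labels_by_user.items() if len(labels) >= 2)
    return {"findings": findings, "chained_users": chained}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"[{f['event_id']}] {f['user']}: {f['label']}")
    print("users with multi-stage activity:", result["chained_users"])
```

In a real deployment the rules would be fed from the SIEM's normalised event stream, and the IOCs in the flash report (hashes, file names, accounts) would be added as further stages.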
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
Problem
The vulnerabilities affect the following Cisco products:
- Cisco VIM, and Cisco Umbrella Virtual Appliance for both VMware ESXi and Hyper-V running a software version earlier than 3.3.2.
- Cisco RoomOS Software in Cloud-Aware On-Premises operation, which is cloud based.
- Cisco TelePresence CE Software running a vulnerable release with H.323 Mode enabled.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates:
- Cisco Virtualized Infrastructure Manager Privilege Escalation Vulnerability
- Cisco Umbrella Virtual Appliance Static SSH Host Key Vulnerability
- Cisco TelePresence Collaboration Endpoint and RoomOS Software H.323 Denial of Service Vulnerability
More Information can be found by following the links below:
https://tools.cisco.com/security/center/publicationListing.x
________________________________
Drupal Releases Security Updates
Situation
Drupal has released security updates to address vulnerabilities affecting Drupal 9.2 and 9.3.
Problem
Drupal 9.2 – Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data.
Drupal 9.3 – Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.
Implication
An attacker could exploit these vulnerabilities to take control of an affected system.
Need
Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.12.
- If you are using Drupal 9.2, update to Drupal 9.2.18.
More Information can be found by following the links below:
https://www.cisa.gov/uscert/ncas/current-activity/2022/04/21/drupal-releases-security-updates
https://www.drupal.org/sa-core-2022-008
https://www.drupal.org/sa-core-2022-009
________________________________
Oracle Releases April 2022 Critical Patch Update
Situation
Oracle has released 520 security patches for Oracle products. These updates address critical vulnerabilities found in multiple Oracle products.
Problem
Oracle has patched a large number of critical vulnerabilities in their major products, including Oracle Financial, Oracle Communications, Oracle Database Server, Oracle Java SE, Fusion Middleware, Oracle Secure Backup, and others.
Implication
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
Oracle strongly recommends applying the patches for these critical vulnerabilities as soon as possible.
For additional information and a list of the vulnerabilities and affected products, please visit the link below.
Oracle Patch Update:
https://www.oracle.com/security-alerts/cpuapr2022.html
CISA Advisory
________________________________
Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
Situation
The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory (CSA).
Problem
Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.
Implication
Russia continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries, as compromising such infrastructure improves—and in some cases can demonstrate—its ability to damage infrastructure during a crisis. The Assessment states that “Russia almost certainly considers cyber-attacks an acceptable option to deter adversaries, control escalation, and prosecute conflicts.”
Need
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats by hardening their cyber defenses as recommended in the joint CSA.
More Information can be found by following the links below:
https://www.cisa.gov/uscert/ncas/alerts/aa22-011a – Provides an overview of Russian state-sponsored cyber operations and commonly observed tactics, techniques, and procedures.
https://www.cisa.gov/uscert/russia
https://www.cisa.gov/shields-up
https://www.cisa.gov/uscert/shields-technical-guidance
________________________________
CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment
Situation
CISA has released draft versions of two guidance documents—along with a request for comment (RFC)—that are a part of the recently launched Secure Cloud Business Applications (SCuBA) project.
Problem
Threat actors have demonstrated and continue to develop sophisticated capabilities with the intent to compromise federal government networks, whether on traditional or cloud-based environments.
Implication
CISA’s SCuBA project aims to develop consistent, effective, modern, and manageable security that will help secure agency information assets stored within cloud operations.
Need
CISA encourages interested parties to review the RFC guidance documents and provide comment.
More Information can be found by following the links below:
https://www.cisa.gov/executive-order-improving-nations-cybersecurity