All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of September 26th, 2022. I’ve also included some comments on these stories.
Sophos Firewall Zero-Day Exploited in Attacks on South Asian Organizations
UK-based cybersecurity company Sophos has warned customers that a new zero-day vulnerability affecting some of its firewall products has been exploited in attacks, SecurityWeek reports. A Friday advisory stated that versions 19.0 MR1 (19.0.1), and earlier of Sophos Firewall were affected by a critical flaw that could be used for remote code execution.
Sophos Firewall version 19.0MR1 and older were subject to a zero-day attack. The vulnerability enabled attackers to execute malicious code on compromised systems. This vulnerability was found in Webadmin and User Portal components. Sophos released a patch for this vulnerability. Also, it is recommended that the User Portal or Webadmin interfaces are not exposed to the Internet.
windows-11-22h2-blocked-due-to-blue-screens-on-some-intel-systems”>windows 11 22H2 blocked due to blue screens on some Intel systems
Microsoft is now blocking the windows 11 22H2 update from being offered on some systems with Intel Smart Sound Technology (SST) audio drivers. The company also put a safeguard hold in place because this known issue triggers blue screens of death (BSODs) on affected systems, windows-11-22h2-blocked-due-to-blue-screens-on-some-intel-systems/amp/” target=”_blank” rel=”noreferrer noopener”>BleepingComputer notes.
Be cautious when upgrading to windows 11 22H2. Some systems equipped with Intel Smart Sound Technology sound drivers may experience BSOD after the update. This issue exists because there is an incompatibility issue with the Intel Smart Sound Technology on 11th Gen Core processors and windows 11. The Media Creation Tool should not be used to force an update. This could cause the system to turn blue. This issue is found in Intel Smart Sound Technology Audio Controllers that have a file named IntcAudioBus.sys. These files are either version 10.29.0.5152, or 10.30.0.5152. This issue may be patched on your system if you’re running version 10.30.0.5714 or version 10.29.0.5714.
New Microsoft Exchange zero-days actively exploited in attacks
BleepingComputer reports that threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks.
Microsoft Exchange has several zero-day weaknesses. GTSC Security Researchers discovered vulnerabilities that allow remote code execution. These vulnerabilities were used by attackers to create Chinese Chopper webshells. Zero Day Initiative has verified these vulnerabilities and they are now being tracked under ZDICAN-18333 and ZDICAN-1880.
There are two stages to executing code on a vulnerable system:
1. Malicious requests to the ProxyShell (not possible on fully patched systems)
2. Use the previous requests to gain access to the backend to execute code
GTSC suggests that a new rule using the URL Rewrite Rule module could mitigate these vulnerabilities. They suggest blocking requests to the Autodiscover on the Frontend by adding the string “.*autodiscover.json.*@.*Powershell.*“ to the URL Path and using the condition of {REQUEST_URI}.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Get our newsletter.
