Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
October 6, 2022, updates:
An updated version of the EOMTv2 PowerShell script (Exchange On-premises Mitigation Tool v2) was released to remove an extra space in the script; the space did not affect functionality. Microsoft recommends downloading and running the latest release, EOMTv2.ps1.
Patch Now: Fortinet FortiGate & FortiProxy Contain Critical Vulnerabilities
On October 3, 2022, Fortinet released a software update that addresses vulnerabilities in the current versions of its FortiOS (firewall) and FortiProxy (web proxy) software. The vulnerability has been assigned CVE-2022-40684 and is rated critical: a remote, unauthenticated attacker can bypass authentication and reach the administrative interface of these products with nothing more than a specially crafted HTTP or HTTPS request to the management interface.
Affected products:
FortiOS 7.0.0 to 7.0.6
FortiOS 7.2.0 to 7.2.1
FortiProxy 7.0.0 to 7.0.6 and 7.2.0
Remediation:
On Thursday, October 6, 2022, Fortinet released versions 7.0.7 and 7.2.2, which resolve the vulnerability. If your Fortinet products are managed by a third party, we recommend you check with them to ensure the upgrade will be performed. Until the upgrade is applied, the exposure is the administrative interface itself: keep it off the internet and restrict which source addresses are allowed to reach it.
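The following script is an added example for triaging a fleet against the affected ranges listed above; it is not Fortinet tooling and not part of the original page. It assumes the `get system status` output format on FortiGate/FortiProxy (a line such as `Version: FortiGate-100F v7.0.5,build0304,220411 (GA)`), and the sample outputs, including their build numbers and serials, are constructed. Versions outside every listed range are reported as "not in a listed affected range" rather than "safe", because the table only covers what the advisory text names.

```python
"""Firmware-version triage for CVE-2022-40684 (added example, not Fortinet tooling).

Reads the text that `get system status` prints on a FortiGate or FortiProxy,
pulls out the product and firmware version, and compares them against the
affected ranges listed in the advisory text above. The output format is an
assumption (a "Version: <model> v<major>.<minor>.<patch>,build..." line);
the sample outputs below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, exactly as listed in the advisory text above.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS":    [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
}
# First fixed release per branch, as stated above (7.0.7 and 7.2.2).
FIXED: Dict[str, Version] = {"7.0": (7, 0, 7), "7.2": (7, 2, 2)}

# Model names on the FortiOS side start with FortiGate or FortiWiFi;
# FortiProxy units identify themselves as FortiProxy (assumed naming).
VERSION_RE = re.compile(
    r"^Version:\s*(?P<model>\S+)\s+v(?P<maj>\d+)\.(?P<min>\d+)\.(?P<pat>\d+)", re.M
)


def parse_status(status_output: str) -> Optional[Tuple[str, str, Version]]:
    """Return (product, model, version) or None if no Version line is present."""
    m = VERSION_RE.search(status_output)
    if not m:
        return None
    model = m.group("model")
    product = "FortiProxy" if model.startswith("FortiProxy") else "FortiOS"
    version = (int(m.group("maj")), int(m.group("min")), int(m.group("pat")))
    return product, model, version


def is_affected(product: str, version: Version) -> bool:
    """True when the version falls inside one of the listed affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED.get(product, []))


def triage(status_output: str) -> Dict[str, object]:
    """Classify one device from its `get system status` output."""
    parsed = parse_status(status_output)
    if parsed is None:
        return {"status": "unknown", "reason": "no Version line found"}
    product, model, version = parsed
    vstr = ".".join(map(str, version))
    if is_affected(product, version):
        branch = f"{version[0]}.{version[1]}"          # always 7.0 or 7.2 here
        fix = ".".join(map(str, FIXED[branch]))
        return {"status": "affected", "product": product, "model": model,
                "version": vstr, "action": f"upgrade to {fix} or later"}
    # Not "safe": only the ranges named in the advisory text are checked.
    return {"status": "not in a listed affected range", "product": product,
            "model": model, "version": vstr}


# Constructed sample outputs (models, build numbers, dates and serials are made up).
SAMPLES: Dict[str, str] = {
    "fw-edge-1":   "Version: FortiGate-100F v7.0.5,build0000,220901 (GA)\nSerial-Number: FG100F0000000000\n",
    "fw-dc-2":     "Version: FortiGate-VM64 v7.2.2,build0000,221006 (GA)\n",
    "proxy-1":     "Version: FortiProxy-VM64 v7.2.0,build0000,220815 (GA)\n",
    "fw-branch-3": "Version: FortiWiFi-60E v6.4.9,build0000,220301 (GA)\n",
}


def triage_fleet(samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict[str, object]]:
    """Run triage() over every captured status output, keyed by device name."""
    return {name: triage(out) for name, out in samples.items()}


if __name__ == "__main__":
    for name, result in triage_fleet().items():
        print(f"{name}: {result}")
```

Feed it the captured `get system status` text from each device (collected over your normal management channel) and act on every "affected" result; a device that parses as "unknown" needs a manual look rather than being assumed clean.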
Remote Desktop Protocol (RDP) Attacks Decline 89% in Eight Months
Detections of RDP password-guessing attacks declined from 123 billion in the first four months of the year to 13 billion in the period May to August.
Research shows an 89% decline in total RDP attack detections from January to August 2022, and a 23% drop in unique clients reporting attacks over the period. Most of the attacks recorded were aimed at targets in Poland, the US, and Spain, with Russian IP addresses accounting for the largest single share (31%) of detections.
Reasons for the decline:
“The reasons for the decline remain the same from January to May 2022: less remote work, better countermeasures implemented by security and IT departments, and Russia’s war with Ukraine, which seems to have impacted portions of the attacking infrastructure,” the report explained.
Ransomware Group Bypasses a range of EDR Tools
The BlackByte ransomware group used EDR bypass techniques borrowed from the open-source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This kernel provider is the Windows feature that reports the use of API calls commonly abused by malware, such as NtReadVirtualMemory, which is used when reading from or injecting into another process’s memory, and many EDR products depend on it for that telemetry. Because the provider lives in the kernel, switching it off requires kernel-mode write access, which EDRSandblast obtains by loading a legitimately signed but vulnerable driver.
BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said.
“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate. If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous,” said Christopher Budd, senior manager for threat research at Sophos.
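One way for a defender to notice that the guard at the gate has gone down is a canary self-test, shown here as an added example; this is not Sophos's detection logic and not any EDR vendor's code. The agent design is assumed: every few minutes the endpoint agent performs a benign, tagged NtReadVirtualMemory on its own process ("canary_issued" with an id) and expects the Threat-Intelligence provider to report that read back to it (an "etw-ti" line carrying the same canary id). If canaries keep being issued but their echoes stop, the provider has most likely been disabled while the agent itself is still alive. The log lines and their key=value format are constructed.

```python
"""Canary self-test to detect a silenced ETW Threat-Intelligence provider.

Added example, not Sophos's detection logic and not an EDR vendor's code.
Assumed agent design: the agent periodically issues a tagged canary read on
itself and expects the Microsoft-Windows-Threat-Intelligence provider to echo
it back with the same id. A single dropped echo is tolerated so that one lost
event does not page anyone. The log lines and their format are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: id=(?P<id>\d+))?(?: canary=(?P<canary>\d+))?"
)

SAMPLE_LOG: List[str] = [
    # WS01: provider goes quiet after 10:10 while the agent keeps issuing canaries.
    "2022-10-06T10:00:00Z host=WS01 src=agent event=canary_issued id=1",
    "2022-10-06T10:00:00Z host=WS01 src=etw-ti event=NtReadVirtualMemory canary=1",
    "2022-10-06T10:05:00Z host=WS01 src=agent event=canary_issued id=2",
    "2022-10-06T10:05:00Z host=WS01 src=etw-ti event=NtReadVirtualMemory canary=2",
    "2022-10-06T10:10:00Z host=WS01 src=agent event=canary_issued id=3",
    "2022-10-06T10:10:00Z host=WS01 src=etw-ti event=NtReadVirtualMemory canary=3",
    "2022-10-06T10:15:00Z host=WS01 src=agent event=canary_issued id=4",
    "2022-10-06T10:20:00Z host=WS01 src=agent event=canary_issued id=5",
    "2022-10-06T10:25:00Z host=WS01 src=agent event=canary_issued id=6",
    # WS02: healthy, every canary is echoed; an unrelated TI event is mixed in.
    "2022-10-06T10:00:00Z host=WS02 src=agent event=canary_issued id=1",
    "2022-10-06T10:00:00Z host=WS02 src=etw-ti event=NtReadVirtualMemory canary=1",
    "2022-10-06T10:03:00Z host=WS02 src=etw-ti event=NtWriteVirtualMemory pid=4120 target=612",
    "2022-10-06T10:05:00Z host=WS02 src=agent event=canary_issued id=2",
    "2022-10-06T10:05:00Z host=WS02 src=etw-ti event=NtReadVirtualMemory canary=2",
    # WS03: one echo lost in transit (id=2), then normal again: no alert.
    "2022-10-06T10:00:00Z host=WS03 src=agent event=canary_issued id=1",
    "2022-10-06T10:00:00Z host=WS03 src=etw-ti event=NtReadVirtualMemory canary=1",
    "2022-10-06T10:05:00Z host=WS03 src=agent event=canary_issued id=2",
    "2022-10-06T10:10:00Z host=WS03 src=agent event=canary_issued id=3",
    "2022-10-06T10:10:00Z host=WS03 src=etw-ti event=NtReadVirtualMemory canary=3",
    "this line is not in the expected format and is skipped",
]


def parse(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Parse the key=value log lines; lines that do not match are ignored."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def find_silenced_providers(lines: List[str], min_unanswered: int = 2) -> Dict[str, Dict[str, object]]:
    """One alert per host whose last `min_unanswered` or more canaries were never
    echoed by the Threat-Intelligence provider."""
    issued: Dict[str, Dict[int, str]] = defaultdict(dict)  # host -> canary id -> issue time
    echoed: Dict[str, set] = defaultdict(set)               # host -> echoed canary ids
    for e in parse(lines):
        if e["src"] == "agent" and e["event"] == "canary_issued" and e["id"]:
            issued[e["host"]][int(e["id"])] = e["ts"]
        elif e["src"] == "etw-ti" and e["canary"]:
            echoed[e["host"]].add(int(e["canary"]))

    alerts: Dict[str, Dict[str, object]] = {}
    for host, canaries in issued.items():
        tail = 0                                   # consecutive unanswered canaries at the end
        last_echo_ts: Optional[str] = None
        first_unanswered_ts: Optional[str] = None
        for cid in sorted(canaries):
            if cid in echoed[host]:
                tail, last_echo_ts, first_unanswered_ts = 0, canaries[cid], None
            else:
                tail += 1
                first_unanswered_ts = first_unanswered_ts or canaries[cid]
        if tail >= min_unanswered:
            alerts[host] = {
                "unanswered_canaries": tail,
                "last_echo": last_echo_ts,            # provider was still working here
                "silent_since": first_unanswered_ts,  # earliest point it may have been disabled
            }
    return alerts


if __name__ == "__main__":
    for host, alert in find_silenced_providers(SAMPLE_LOG).items():
        print(f"ALERT {host}: ETW-TI silent since {alert['silent_since']} "
              f"({alert['unanswered_canaries']} unanswered canaries, last echo {alert['last_echo']})")
```

The canary only works if the operation the agent performs is one the provider actually reports, and it covers exactly one failure mode: the provider silenced while the agent lives. An agent that stops issuing canaries altogether (killed or suspended) is a different alarm and should be raised separately by the management server.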
Recommendations:
Download and run the updated EOMTv2.ps1 release; the only change from the previous version is the removal of an extra space, which did not affect functionality.
Fortinet released versions 7.0.7 and 7.2.2, which resolve CVE-2022-40684. Download from: FortiOS Release Notes | FortiGate / FortiOS 7.2.2 | Fortinet Documentation Library
If you have Fortinet products managed by a 3rd party, Kivu recommends you check with them to ensure the upgrade will be performed.
Kivu provides 24/7 endpoint monitoring services that assist our clients with protecting their systems. Contact us today for a free consultation.
For all other inquiries, such as general information on Kivu’s services, please email info@kivuconsulting.com.
Sources
Ransomware Group Bypasses “Enormous” Range of EDR Tools – Infosecurity Magazine (infosecurity-magazine.com)