Security News
The U.S. Cybersecurity and Infrastructure Security Agency has just put out a bulletin numbered AA22-074A, with the dramatic title Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and "PrintNightmare" Vulnerability. The actors re-enrolled a dormant account into the 2FA system, as though the original user were reactivating it.
The U.S. Cybersecurity & Infrastructure Security Agency has added fifteen additional flaws to its list of actively exploited vulnerabilities known to be used in cyberattacks. Since threat actors have been observed targeting these flaws in attacks, failing to address them means risking a network compromise that can lead to a catastrophic data breach or ransomware attack.
"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default protocols at a non-governmental organization, allowing them to enroll a new device for MFA and access the victim network," the agencies said. The attack was pulled off by gaining initial access to the victim organization via compromised credentials - obtained by means of a brute-force password guessing attack - and enrolling a new device in the organization's Duo MFA. It's also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO's Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.
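As an added illustration, not code from the advisory or from any vendor, the audit below reconciles an Active Directory export against MFA enrollment to surface the exact gap this intrusion exploited: accounts still enabled in AD but no longer enrolled in MFA. The record format, field names and the 90-day inactivity threshold are assumptions; the account data is constructed.

```python
"""Find AD accounts that are enabled but not enrolled in MFA (constructed example).

The NGO intrusion described above worked because a long-inactive account had been
un-enrolled from MFA yet remained enabled in Active Directory, so anyone holding its
password could enroll a new MFA device. Field names below are assumed, not a vendor format.
"""
from datetime import datetime, timedelta

INACTIVITY_DAYS = 90  # assumed policy threshold, not taken from the advisory

AD_ACCOUNTS = [  # constructed sample export from Active Directory
    {"sam": "jdoe", "enabled": True, "last_logon": "2022-03-10"},
    {"sam": "old.contractor", "enabled": True, "last_logon": "2021-01-15"},
    {"sam": "former.staff", "enabled": False, "last_logon": "2020-11-02"},
    {"sam": "svc.backup", "enabled": True, "last_logon": "2022-03-11"},
    {"sam": "new.hire", "enabled": True, "last_logon": "2022-03-12"},
]

MFA_ENROLLED = {"jdoe", "svc.backup"}  # constructed sample from the MFA admin console


def audit_mfa_gaps(ad_accounts, mfa_enrolled, now, inactivity_days=INACTIVITY_DAYS):
    """Return (sam, reason) for every enabled AD account without MFA enrollment.

    'stale' accounts are past the inactivity threshold and should be disabled in
    AD rather than re-enrolled; 'active' accounts need enrollment enforced.
    """
    findings = []
    cutoff = now - timedelta(days=inactivity_days)
    for acct in ad_accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to enroll a device
        if acct["sam"] in mfa_enrolled:
            continue
        last = datetime.fromisoformat(acct["last_logon"])
        reason = "stale: disable in AD" if last < cutoff else "active: enforce enrollment"
        findings.append((acct["sam"], reason))
    return findings


def run_audit(now_iso):
    """Run the audit over the constructed sample data as of the given date."""
    return audit_mfa_gaps(AD_ACCOUNTS, MFA_ENROLLED, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for sam, reason in run_audit("2022-03-15"):
        print(f"{sam}: {reason}")
```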
The U.S. Cybersecurity and Infrastructure Security Agency has updated the alert on Conti ransomware with indicators of compromise consisting of close to 100 domain names used in malicious operations. Originally published on September 22, 2021, the advisory includes details observed by CISA and the Federal Bureau of Investigation in Conti ransomware attacks targeting organizations in the U.S. The updated cybersecurity advisory contains data from the U.S. Secret Service.
The Cybersecurity and Infrastructure Security Agency has ordered federal civilian agencies to patch two critical Firefox security vulnerabilities exploited in attacks within the next two weeks. According to a binding operational directive issued in November, Federal Civilian Executive Branch agencies are now required to secure their systems against these vulnerabilities, with CISA giving them until March 21st to apply patches.
The U.S. Cybersecurity and Infrastructure Security Agency this week added 95 more security flaws to its Known Exploited Vulnerabilities Catalog, taking the total number of actively exploited vulnerabilities to 478. "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," the agency said in an advisory published on March 3, 2022.
The U.S. Cybersecurity and Infrastructure Security Agency has added 95 vulnerabilities to its list of actively exploited security issues, the largest number since issuing the binding operational directive last year. As per BOD 22-01 for reducing the risk from known exploited vulnerabilities, federal agencies are given a little over three weeks to patch the newly added 95 security flaws, the due date for most of them being March 24th. For 27 of the vulnerabilities, there is a shorter patching deadline of March 17th, mainly because they are more recent and affect systems that give access to sensitive information or allow lateral movement to other devices on the network.
The U.S. Cybersecurity and Infrastructure Security Agency expanded its Known Exploited Vulnerabilities Catalog to include a recently disclosed zero-day flaw in the Zimbra email platform, citing evidence of active exploitation in the wild. Tracked as CVE-2022-24682, the issue concerns a cross-site scripting vulnerability in the Calendar feature of Zimbra Collaboration Suite that could be abused by an attacker to trick users into downloading arbitrary JavaScript code simply by clicking exploit URLs in phishing messages.
The Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation warned US organizations that data wiping attacks targeting Ukraine could spill over to targets in other countries. Although the two malware strains have only been deployed against Ukrainian networks so far, the threat actors deploying them could also accidentally hit other targets, and US organizations should be ready to prevent such devastating attacks.
The U.S. Cybersecurity and Infrastructure Security Agency last week published an industrial control system advisory related to multiple vulnerabilities impacting Schneider Electric's Easergy medium voltage protection relays. "Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay," the agency said in a bulletin on February 24, 2022.