Security News

May 2022 Patch Tuesday is here, and Microsoft has marked it by releasing fixes for 74 CVE-numbered vulnerabilities, including one zero-day under active attack and two publicly known vulnerabilities. First and foremost, we have CVE-2022-26925, an "Important" spoofing vulnerability in Windows Local Security Authority that may turn into a "Critical" one if combined with NTLM relay attacks.

Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that unauthenticated attackers can exploit remotely to force domain controllers to authenticate them via the Windows NT LAN Manager security protocol. The vulnerability, tracked as CVE-2022-26925 and reported by Bertelsmann Printing Group's Raphael John, has been exploited in the wild and seems to be a new vector for the PetitPotam NTLM relay attack.

Microsoft has released the Windows 11 KB5013943 cumulative update with security updates, improvements, and fixes for screen flickers in Safe Mode and a bug causing some NET 3.5 apps not to open. KB5013943 is a mandatory cumulative update as it contains the May 2022 Patch Tuesday security updates for vulnerabilities discovered in previous months.

Microsoft has released Windows 10 KB5013945 and KB5013942 cumulative updates for versions 21H2, version 21H1, version 20H2, and 1909 to fix security vulnerabilities and resolve bugs. This update is not available for May 2020 Update if you use the consumer edition, but the same update will be offered on devices using enterprise or education SKUs.

Kaspersky uncovers fileless malware inside Windows event logs. The cybersecurity company published a blog on May 4 detailing that, for the first time ever, hackers have placed shellcode into Windows event logs, hiding Trojans as fileless malware.

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

A new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode for the first time in the wild. The adversary simulation software modules are then used as a launchpad to inject code into Windows system processes or trusted applications.

Trend Micro antivirus has fixed a false positive affecting its Apex One endpoint security solution that caused Microsoft Edge updates to be tagged as malware and the Windows registry to be incorrectly modified. As users further revealed, the Trend Micro Apex One flagged the browser updates as Virus/Malware: TROJ FRS.VSNTE222 and Virus/Malware: TSC GENCLEAN. Fix and workaround available.

Trend Micro has fixed a false positive issue affecting its Apex One endpoint security solution leading to Microsoft Edge updates being tagged as malware and Windows registry changes. As users further revealed, the Trend Micro Apex One flagged the browser updates as Virus/Malware: TROJ FRS.VSNTE222 and Virus/Malware: TSC GENCLEAN. Fix and workaround available.

Wormable malware dubbed Raspberry Robin has been active since last September and is wriggling its way through USB drives onto Windows machines to use Microsoft Standard Installer and other legitimate processes to install malicious files, researchers have found. Eventually the worm installs malicious dynamic link library files found on the infected USB. While researchers first noticed Raspberry Robin as early as September 2021, most of the activity observed by Red Canary occurred during January of this year, researchers said.