This Week in Cyber 14th October 2022

Microsoft Releases October 2022 Updates – 84 flaws fixed

Microsoft has released updates to address 39 privilege escalation, 2 security bypass, 20 RCE, 11 information disclosure, 8 DoS, and 4 spoofing vulnerabilities, 13 of which are rated as critical. Fixes include two publicly disclosed zero days, one of which is being actively exploited with no previous official fix available (CVE-2022-41033) which allows escalation to SYSTEM level privileges if successfully exploited. It’s worth noting that patches for the two actively exploited Exchange vulnerabilities we discussed last week (CVE-2022-41040 and CVE-2022-41082) have not yet been released. Latest mitigations released by Microsoft are available here.

Critical Vulnerability Discovered in vm2 Sandbox

Vm2 is an incredibly popular JavaScript based sandbox application with around 17 million downloads per month. Sandboxes are generally used to test software or forms of malware in a safe environment, as to not damage a key system or possibly a network. This vulnerability, tracked as CVE-2022-36067, is a critical flaw with the highest score of 10/10 on the National Vulnerability Database and allows for ‘vm escape’, an exploit that allows an attacker to break out of the virtual environment and execute code on the main system. This can lead to lateral movement across the rest of the network. This vulnerability was patched in August 2022, with GitHub releasing an advisory at the end of September for users to patch it as soon as possible. With 17 million new downloads a month, it’s very important that the latest version (3.9.11 or higher) is immediately installed as this removes the vulnerability.

Caffeine – The phishing-as-a-service platform

Researchers at Mandiant have been investigating a phishing-as-a-service platform called Caffeine, which provides malicious actors with all the tools necessary for a phishing campaign. The uniqueness of this platform is that just about anyone with an email can sign up to this service which is very uncommon for this type of service. Caffeine is generally low cost and provides potential threat actors with self-service mechanisms to craft customised phishing kits, dynamically generate URLs for malicious payloads, manage intermediary redirect pages, and track campaign email activity. This service has made it even easier for unskilled threat actors to harvest data, cause denial of services and penetrate secure networks without needing to know that much about phishing at all. Phishing is routinely the most common threat vector for businesses year on year and it is crucial to have phishing awareness training as part of an effective cyber security strategy.  

Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys

Claroty have released a report in which they detail multiple vulnerabilities found in Siemens SIMATIC programmable logical controller (PLC). This vulnerability has the ability to allow the attacker read and write privileges as well as stealing cryptographical keys. There are multiple versions that have been affected that can be found in the documentation for CVE-2022-38465. PLC’s can largely be found in industrial settings and power the vast majority of assembly lines, machines and robotic devices. If the PLC is compromised, then this can cause costly denial of service attacks and possibly affect the health and safety for employees.  Siemens is recommending customers to use legacy PG/PC and HMI communications only in trusted network environments and secure access to TIA Portal and CPU to prevent unauthorized connections.