[Tech-l] FW: Tech Message: Buckeye Shield
Thor Sage
sage at mveca.org
Mon Mar 7 08:48:07 EST 2022
Additional mailing from CISA below:
Thor Sage
Executive Director
Miami Valley Educational Computer Association
937-767-1468 x3101
http://www.mveca.org/ | LinkedIn: https://www.linkedin.com/company/mveca/ | Twitter: https://twitter.com/mvecarcog
Not-for-profit Technology Services for Education and Local Governments
News:
-Some CONTI information, including what has been posted on GitHub, has a stealthy backdoor, so be careful!
-On March 3, CISA added a significant number of known exploited vulnerabilities (KEV) to its catalog. As directed in Binding Operational Directive (BOD) 22-01, federal agencies are required to mitigate these vulnerabilities within a specified time frame, but we HIGHLY encourage all entities to rectify them as soon as possible. As America's cyber defense agency, this is a key part of our mission to help our critical infrastructure partners reduce their risk of exploitation by threat actors. (See attachment.) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
-If you are worried about visibility into your environment, CISA offers CYHY services (free-of-charge vulnerability scans and web app scans).
-MFA is another way to protect yourself from many attacks.
-HIVE decryption key flaw discovered that allows recovering 92% of the master key, with a decryption success rate of 72% of files: https://blog.malwarebytes.com/ransomware/2022/02/hive-ransomware-researchers-figure-out-a-method-to-decrypt-files/
-Security researchers warn of phishing attempts against officials helping refugees (https://www.zdnet.com/article/security-researchers-warn-of-phishing-attempts-against-officials-helping-refugees/)
Resources:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf
Important Vulnerabilities to address:
-Cisco Releases Security Updates for Multiple Products https://us-cert.cisa.gov/ncas/current-activity/2022/03/03/cisco-releases-security-updates-multiple-products
-NSA Releases Network Infrastructure Security Guidance https://us-cert.cisa.gov/ncas/current-activity/2022/03/03/nsa-releases-network-infrastructure-security-guidance
-Google Releases Security Updates for Chrome (https://www.cisa.gov/uscert/ncas/current-activity/2022/03/02/google-releases-security-updates-chrome)
-BD Viper LT https://us-cert.cisa.gov/ics/advisories/icsma-22-062-02
-BD Pyxis https://us-cert.cisa.gov/ics/advisories/icsma-22-062-01
ALERTS & REPORTING:
-AGAIN don't download the Conti info (some are at risk for stealthy backdoor)
CISA/MS-ISAC ALERTS:
-New Sandworm Malware Cyclops Blink Replaces VPNFilter https://us-cert.cisa.gov/ncas/current-activity/2022/02/23/new-sandworm-malware-cyclops-blink-replaces-vpnfilter
FBI-DHS-DOJ-OTHER ALERTS:
-Joint Advisory: AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf
Now to the good or interesting news:
-AMERICAN CYBERSECURITY COMPANY EXPERIENCES ITS INSIDER THREAT MOMENT
https://securityboulevard.com/2022/01/teachable-moment-an-insider-threat-in-your-own-team/
Currently the most actively exploited vulnerabilities:
CVE-2017-11882 NO CHANGE (security updates available): Microsoft Office Memory Corruption Vulnerability
CVE-2012-0158 MOVED TO 2ND (security update available): Windows Common Controls that allow Remote Code Execution
CVE-2018-11776 MOVED TO 3RD (mitigations listed at http://cwe.mitre.org/data/definitions/20.html): Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from Remote Code Execution
CVE-2017-0199 NO CHANGE (The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.) A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2017-8759 MOVED UP (The security update addresses the vulnerability by correcting how .NET validates untrusted input.) An unspecified vulnerability exists within the WSDL parser module in Microsoft .NET Framework 4.7 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code.
CVE-2014-1761 NEW! (security patch available: Microsoft MS14-017 Related Patches) An improper enforcement of a data structure vulnerability exists when handling RTF documents in Microsoft Word 2013 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. Exploit code is publicly available. Further, Microsoft reports that the vulnerability is being exploited in the wild. Mitigation options include workarounds and a vendor fix.
CVE-2018-0802 NEW! (The security update addresses the vulnerability by removing Equation Editor functionality) A stack-based buffer overflow vulnerability exists in the font name component within the eqnedt32.exe file in Microsoft Office 2016 and prior that, when exploited, allows an attacker to remotely execute arbitrary code. Proof-of-concept (PoC) code is publicly available and Microsoft reports there is exploitation in the wild. Mitigation options include a vendor fix. Exploitation Rating: Confirmed
CVE-2010-3333 DROPPED (security update available - MS10-087 patches and mitigation) Stack-based buffer overflow in older versions of Microsoft Office
Microsoft recommends the following workarounds as a technique to mitigate the possibility of exploitation:
-Read e-mails in plain text: Reading e-mail messages in plain text format can prevent the e-mail attack vector. For complete details on how to implement this workaround, visit the following website: Microsoft Security Advisory
-Use Microsoft Office File Block policy: Use Microsoft Office File Block policy to block the opening of RTF documents from untrusted sources. For complete details on how to implement this workaround, visit the following website: Microsoft Security Advisory
*If you would like to be removed from this distro, please let me know. If you have candid feedback, I welcome that as well.
________________________________________
Very respectfully,
Terin D. Williams
Cybersecurity Advisor, Region 5 (OH)
Cybersecurity and Infrastructure Security Agency
614.314.7793 | terin.williams at cisa.dhs.gov<mailto:terin.williams at cisa.dhs.gov>
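The KEV/BOD 22-01 item above boils down to a recurring check: which CVEs present in your environment are on CISA's catalog, and which of those are already past the catalog's remediation due date. The following is an added example (not part of the CISA mailing or this list's own tooling) that performs that check in Python. It parses rows in the layout of the KEV catalog's CSV export and joins them against a per-host CVE inventory; the catalog rows, the dateAdded/dueDate values and the host inventory are all constructed for the example rather than copied from the real catalog, so substitute the real CSV download and your scanner's output when running it for real.

```python
"""KEV triage: join a per-host CVE inventory against CISA's KEV catalog and
flag entries whose BOD 22-01 due date has already passed.

Added example; catalog rows and inventory below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample in the column layout of the KEV catalog CSV export
# (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
# The dateAdded/dueDate values are made up for this example and are NOT the
# catalog's real dates; download the real CSV and pass its text to parse_kev().
SAMPLE_KEV_CSV = """\
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate
CVE-2017-11882,Microsoft,Office,Microsoft Office Memory Corruption Vulnerability,2021-11-03,Memory corruption allows remote code execution.,Apply updates per vendor instructions.,2022-02-15
CVE-2017-0199,Microsoft,Office and WordPad,Microsoft Office and WordPad RCE Vulnerability,2021-11-03,Crafted file parsing allows remote code execution.,Apply updates per vendor instructions.,2022-02-15
CVE-2018-11776,Apache,Struts,Apache Struts Remote Code Execution Vulnerability,2021-11-03,Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 allow RCE.,Apply updates per vendor instructions.,2022-05-03
CVE-2014-1761,Microsoft,Word,Microsoft Word RTF Memory Corruption Vulnerability,2022-03-03,RTF handling allows remote code execution.,Apply updates per vendor instructions.,2022-03-24
"""

# Constructed inventory: hostname -> CVEs a scanner reported on that host.
SAMPLE_INVENTORY = {
    "ws-finance-07": ["CVE-2017-11882", "CVE-2014-1761"],
    "web-01": ["CVE-2018-11776"],
    "ws-hr-02": ["CVE-2010-3333"],  # not in the sample catalog: tracked elsewhere
}


def parse_kev(csv_text):
    """Return {cveID: {name, added, due, action}} from KEV-layout CSV text."""
    kev = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kev[row["cveID"].strip()] = {
            "name": row["vulnerabilityName"],
            "added": date.fromisoformat(row["dateAdded"]),
            "due": date.fromisoformat(row["dueDate"]),
            "action": row["requiredAction"],
        }
    return kev


def triage(inventory, kev, today):
    """One finding per (host, CVE) that is in the catalog, most urgent first.

    `today` may be a date or an ISO-8601 string; days_left < 0 means the
    BOD 22-01 due date has already passed.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not a KEV entry; normal patch cadence applies
            days_left = (entry["due"] - today).days
            findings.append({
                "host": host,
                "cve": cve,
                "name": entry["name"],
                "due": entry["due"],
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "DUE",
                "action": entry["action"],
            })
    # Most negative days_left (longest overdue) first, then stable host/CVE order.
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings


def not_in_catalog(inventory, kev):
    """CVEs seen in the inventory that have no KEV entry (sorted, de-duplicated)."""
    return sorted({c for cves in inventory.values() for c in cves if c not in kev})


if __name__ == "__main__":
    catalog = parse_kev(SAMPLE_KEV_CSV)
    report_date = date(2022, 3, 7)  # date of the mailing above
    for f in triage(SAMPLE_INVENTORY, catalog, report_date):
        print(f"{f['status']:8} {f['cve']:15} {f['host']:14} due {f['due']} "
              f"({f['days_left']:+d} days)  {f['name']}")
    print("Not on KEV:", ", ".join(not_in_catalog(SAMPLE_INVENTORY, catalog)))
```

Run it as-is to see the constructed report; in practice, feed `parse_kev()` the downloaded catalog CSV and `triage()` your scanner's per-host CVE list, and treat anything with status OVERDUE as the top of the patch queue, since those are vulnerabilities CISA has confirmed are being exploited and whose federal deadline has already passed.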