September 20, 2022

Header image for the Red Dot Weekly Cyber Security News https://reddotsecurity.news

Hello all,

Happy Fall! Another week of lots of excitement in our world of cyber defense. The biggest news is that Apple somehow lost versions 19 – 25 of their operating system, going right to version 26. And several firewall vendors have had a bad week with vulnerabilities, zero-days, and a data breach. There were also some nice wins by Cloudflare, Google, Microsoft and the US Government.

This email and video commentary come from the RedDotSecurity.news website, which contains a plethora of links to other items not mentioned here. They are worth skimming to see whether they interest you or pertain to your particular environment or those you support. There is a lot more there than what is provided in these opening comments. So, on to the headline news.

Headline NEWS:

  • Apple made the news several times this week. First, they backported the fix for their actively exploited zero-day image processing defect to many older devices. This applies to iOS 15.8.5 / 16.7.12 and iPadOS 15.8.5 / 16.7.12. Apple iOS 26 was also unleashed onto the public, offering multiple security fixes for defects and improved security via a new Memory Integrity Enforcement (MIE) process. Apple’s newest devices, such as the iPhone 17, will also receive something named Enhanced Memory Tagging Extension (EMTE). Not everyone is happy with this new operating system version, so read the reviews prior to upgrading, because downgrades are not easy.
  • Chaos Mesh has four critical defects in its Controller Manager, collectively named Chaotic Deputy, which enable attackers to achieve Remote Code Execution (RCE), potentially resulting in takeover of the Kubernetes cluster. Patch to the latest version as soon as possible.
  • Greenshot is a stalwart screen capture utility that is loved by millions. Recently it received an updated version, and it seems that someone immediately broke it, finding a defect which can enable malware to run in the context of the Greenshot process. Upgrade to the latest version to plug this hole.
  • GoAnywhere, a file transfer utility by Fortra, has been discovered to have a “deserialization vulnerability” which could result in command injection. The fix is to update to the latest version.
  • Google Chrome’s V8 engine required another trip to the mechanic. A critical vulnerability was found which should be patched immediately, since it is already under active exploitation. Since they share the underlying codebase, watch for updates to other Chromium-based browsers, which should be coming soon.
  • SonicWall apparently had a brick or two missing in their cloud backup’s wall. An unnamed threat actor managed to exfiltrate firewall configurations, including secrets and credentials. While the threat actor apparently didn’t make off with every configuration stored in the cloud, the haul is quite extensive. SonicWall, which is still investigating, has been contacting customers that they know were affected. Meanwhile, affected organizations must go through the fire drill of resetting all of the secrets and local credentials on the affected units. Instructions are available at SonicWall’s support site. The vendor has a webinar scheduled for Monday afternoon to provide details and a question-and-answer session. I’m going to make some popcorn. This could be quite entertaining.
  • TP-Link has some routers under zero-day exploitation attack. The defect is in the Customer Premises Equipment WAN Management Protocol (CWMP), also known as TR-069. If you have TP-Link routers anywhere in your care, check for updates and apply any you find. If your device is end of life (EOL), replace it as soon as is humanly possible.
  • WatchGuard doesn’t make news too often, but when it does, it is a doozy. This past week they revealed a critical defect in Firebox firewalls. The vulnerability is in the IKEv2 VPN; however, WatchGuard has warned that even if you don’t currently use it, if you’ve ever used it you could be vulnerable. If you have any Firebox firewalls that you manage, update as soon as you can. This Remote Code Execution defect is not currently known to be exploited, but ransomware operators love firewall flaws, so it is only a matter of time.

In Ransomware, Malware, and Vulnerabilities News:

  • Jaguar Land Rover is now entering its third week of work stoppage due to a ransomware attack against it by Scattered Lapsus$ Hunters. The disruption is now having significant ripple effects on suppliers and vendors, forcing them to scale back or halt operations. This underscores the truly evil, malevolent nature of the inhuman scum that perpetrate these terroristic acts upon hundreds, if not thousands, of people who are just trying to earn a living, whose workplaces slow down or shut down as a result. In most cases, if you aren’t working you aren’t getting paid. I’m all for branding these groups as terrorists and treating them as such.

In Other News Events of Note and Interest:

  • The TikTok sale appears to be back on track. Oracle, Silver Lake and Andreessen Horowitz are part of a consortium that would purchase an 80% stake in the viral Chinese spyware firm, including the proprietary algorithms which enabled the service to achieve such rabid popularity worldwide. It is unclear at this time who would control the other 20%.

Musings:

I’ve been told by some that all I ever bring is bad news; in that vein, I present what I’m considering nominating as the theme song for cyber defenders worldwide. This musical masterpiece was a recurring bit on the show Hee-Haw.

Gloom, despair, and agony on me
Deep, dark depression, excessive misery
If it weren’t for bad luck, I’d have no luck at all
Gloom, despair, and agony on me

If you’ve been reading or watching RedDotSecurity.news for a while, you’ll know that the above isn’t true; every week we do have wins, sometimes big ones. However, it is important to always…

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News