#PatchTuesday ICYMI

Microsoft wraps up 2021 with 64 patched vulnerabilities—including Windows 7 fixes...

1/11
While Log4J may have cast a very long shadow over this month, Microsoft has released fixes for 64 more vulnerabilities in its software products, including 16 Chromium-based bugs in the Edge browser that were already patched in updates pushed since last month. 2/11
Some of the remaining fixes apply to versions of Windows stretching back to the end-of-life’d Windows 7...

There are 17 bugs being patched in Windows 7 this month, including three of this month’s seven critical vulnerabilities—all of which are remote code execution bugs. 3/11
Critical fixes

🔹 Bugs in Windows’ Remote Desktop Client (CVE-2021-43233) allow attackers to target systems running the Remote Desktop Protocol client software integrated into Windows operating systems to execute code on them. This is a network-based attack, leveraging RDP. 4/11
🔹 A vulnerability in Windows’ Encrypted File System (EFS) that also extends back to Windows 7 (CVE-2021-43217)—one that can be triggered regardless of whether or not EFS is in use on the targeted system. 5/11
🔹 Windows 7 Internet Storage Name Service server (CVE-2021-43215), the software component that manages connections on a storage area network over iSCSI. Attackers on a machine connected to the SAN could send a crafted request which could result in remote code execution. 6/11
🔹 Microsoft Office app from the Windows Store (CVE-2021-43905) and the Visual Studio Code code editing tool’s Windows Subsystem for Linux (WSL) extension (CVE-2021-43907). 7/11
🔹 A critical flaw in one of Microsoft’s newest products, Defender for IoT (CVE-2021-42310). This Azure-connected software captures data from IoT devices to detect potential vulnerabilities and security issues. 8/11
🔹 Microsoft’s 4K wireless display adapter (firmware-level vulnerability) requiring a download of an update app. An unauthenticated attacker on the same wireless network as the display could send specially crafted packets to a vulnerable device to execute arbitrary code. 9/11
@Sophos protection:

Below is a list of protection released in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products. Additional protection signatures may be released after this article is published. 10/11
See all the details and other bugs of note from @thepacketrat...

news.sophos.com/en-us/2021/12/…

11/11

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with SophosLabs

SophosLabs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @SophosLabs

17 Dec
NEW on #Log4Shell...

Inside the code: How the Log4Shell exploit works

1/21
The critical vulnerability in Apache’s #Log4j Java-based logging utility (CVE-2021-44248) has been called the “most critical vulnerability of the last decade.”

The flaw has forced developers of many software products to push out updates or mitigations to customers. 2/21
And Log4j’s maintainers have published two new versions since the bug was discovered—the second completely eliminating the feature that made the exploit possible in the first place. 3/21
Read 21 tweets
13 Dec
#Log4Shell Hell: anatomy of an exploit outbreak

A vulnerability in a widely-used Java logging component is exposing untold numbers of organizations to potential remote code attacks and information exposure...

1/16
On December 9, a severe remote code vulnerability was revealed in Apache’s Log4J , a very common logging system used by developers of web and server applications based on Java and other programming languages. 2/16
The vulnerability affects a broad range of services and applications on servers, making it extremely dangerous—and the latest updates for those server applications urgent. 3/16
Read 16 tweets
18 Nov
NEW ransomware actor uses password-protected archives to bypass encryption protection

Calling themselves "Memento team", actors use Python-based ransomware that they reconfigured after setbacks...

1/13
In late October, Sophos MTR’s Rapid Response Team encountered a new ransomware group with an interesting approach to holding victims’ files hostage.

The ransomware used by this group, who identify themselves as “Memento Team,” doesn’t encrypt files. 2/13
Instead, it copies files into password-protected archives, using a renamed freeware version of the legitimate file utility WinRAR—and then encrypts the password and deletes the original files. 3/13
Read 13 tweets
4 Nov
Hey everyone. @threatresearch here with a little news about how my day's been going.

Seems a lot of people are dealing with an outbreak of #BazarBackdoor that starts with an email that sounds like it's coming from someone who is annoyed you didn't report a complaint about you.
We received a LOT of samples of the same-looking email from people who, correctly, recognized this as a phishy-looking spam. The "complaint" was purportedly linked in the email to a PDF.

Narrator: It wasn't a PDF
Rather, the link leads to one of several pages hosted in Microsoft's cloud hosting space. The pages all looked like this one, with a link to download the "Preview PDF" but if you look closer at the link, you'll see it's an "ms-appinstaller:" link. That's new!
Read 17 tweets
3 Sep
NEW: Conti affiliates use ProxyShell Exchange exploit in ransomware attacks ⚠️

In one of the ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute...

1/14
ProxyShell represents an evolution of the ProxyLogon attack method. In recent months, the exploit has become a mainstay of ransomware attacker playbooks, including those deploying the new LockFile ransomware first seen in July. 2/14
As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours. 3/14
Read 14 tweets
1 Sep
NEW: Fake pirated software sites serve up malware droppers as a service 🏴‍☠️

During our recent investigation into an ongoing Raccoon Stealer campaign, we found the malware was being distributed by a network of websites acting as a “dropper as a service,”... 1/00 Image
... serving up a variety of other malware packages—often bundling multiple unrelated malware together in a single dropper. These malware included an assortment of clickfraud bots, other information stealers, and even ransomware. 2/00 Image
While the Raccoon Stealer campaign we tracked on these sites took place between January and April, 2021, we continue to see malware and other malicious content distributed through the same network of sites. 3/00 Image
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(