Sophos X-Ops
Aug 10, 6 tweets, 2 min read
The real excitement in this month’s 121-CVE #PatchTuesday collection wasn’t the size of the haul; it was the part where Microsoft took us all the way back to 2019 for a moment.

1/6
Remember Follina, the MSDT issue that rolled onstage in late May? Turns out that vulnerability (CVE-2022-30190) has a cousin. An *older* cousin. 2/6
Researcher Imre Rad reported it to the company back in December 2019. We explain in today’s blog post how it is you’re only hearing about it in August 2022. 3/6
Beyond that excitement, our coverage spotlights an interesting vuln situation among bootloaders, and reassures Azure admins that they’re not going crazy – volume really is up. Way up. 4/6
Windows takes the greatest number of patches, with 61; Azure follows with 44, and seven other product lines make up the balance. There are two Advisories this month. 5/6
Our blog provides more information on all these matters, as well as the protections @Sophos is adding to address this month’s crop. 6/6

Check out the article from @agunn_at_work here...
news.sophos.com/en-us/2022/08/…
