Microsoft Office RCE Follina MSDT Attack Detection and Workaround

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on addressing the zero-day remote code execution (RCE) vulnerability CVE-2022-30190, known as "Follina", affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows.

Log4j Vulnerabilities

On Dec. 9, 2021, a remote code execution (RCE) vulnerability, CVE-2021-44228, in Apache log4j 2 was identified, and attackers are already actively exploiting it. On Dec. 14, 2021, a second vulnerability, CVE-2021-45046, was announced and fixed in log4j 2 v2.16.0.

LockBit Ransomware Encrypts Windows Domains

A new version of the LockBit 2.0 ransomware has been identified that automates the encryption of a Windows domain using Active Directory group policies. LockBit threat actors are actively exploiting an existing vulnerability in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks.

Recommended Hardening for On-Premises-Self-Hosted EventTracker Customers

This advisory is intended for organizations that self-host the EventTracker Console. Attackers have recently been very active in targeting on-premises hosted software. Accordingly, organizations that host Netsurion's EventTracker on their own premises are urged to review the EventTracker Hardening Guide and implement its recommendations to reduce their attack surface.

Windows Elevation of Privilege Vulnerability (HiveNightmare | SeriousSAM)

On July 20, 2021, Microsoft issued an alert about CVE-2021-36934, a Windows Elevation of Privilege vulnerability that gives non-privileged users access to system files on affected versions.

Ongoing Potential Attack Against Kaseya VSA Components

Kaseya has issued a notification about a potential attack against the VSA that has been limited to a small number of on-premises customers.

NOBELIUM Email-Based Attack Prevention & Detection Solution

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation.

Hafnium Detection and Monitoring Solution

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

Advisory & Monitoring Solution for Active Exploitation of SolarWinds Software

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on active exploitation of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020. Read Our Official Statement on the Active SolarWinds Exploit.

ADV200006 | Windows Remote Code Execution Vulnerability Advisory

Microsoft has released an out-of-band security advisory to address two critical remote code execution vulnerabilities in Adobe Type Manager Library. Microsoft is also aware of limited, targeted attacks that attempt to leverage this vulnerability.