Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In a coordinated disclosure with Microsoft on December 13th, 2022, security researchers with Mandiant, SentinelOne, and Sophos published evidence of a threat actor technique where malicious crafted drivers were invoked using a valid cryptographic signature. The malicious drivers were observed attempting to terminate a list of security products and evade detection.

On December 13th, 2022, Citrix disclosed a critical remote code execution vulnerability (CVE-2022-27518) affecting several versions of Citrix ADC and Citrix Gateway. Citrix strongly advises affected customers to update to a supported version as soon as possible. While no public proof-of-concept exploit code is available for this vulnerability, Citrix has observed several instances of targeted exploitation.

As part of Microsoft’s September 2022 Security Update, Microsoft released security updates to remediate CVE-2022-37958–an information disclosure vulnerability in SPNEGO NEGOEX that impacted all Windows versions 7 or newer. On December 13, Microsoft reclassified the vulnerability as Critical severity after security researchers discovered that the vulnerability could allow threat actors to remotely execute code pre-authentication.

On the 12th of December 2022, Fortinet published an advisory regarding an actively exploited remote code execution vulnerability affecting FortiOS through the SSL VPN service. Fortinet has stated that they are aware of at least one instance where this vulnerability was successfully exploited in the wild, though other undocumented cases may exist. The threat actors leveraged the vulnerability to deploy malicious files on the filesystem of affected devices.

On Friday, September 23rd, 2022, Sophos disclosed a critical code injection vulnerability impacting Sophos Firewall. This vulnerability, assigned CVE-2022-3236, affects Sophos Firewall versions v19.0 MR1 (19.0.1) and older and could lead to remote code execution. In order for a threat actor to exploit this vulnerability, WAN access would need to be enabled for the Webadmin and User Portal consoles.

In today’s world of remote work, business trips, and home offices, cybercrime doesn’t just occur within the four walls of an office. Bad actors can strike at all hours and utilize any and every vulnerability to gain access to valuable networks and assets — no matter where the device may be or what the user may be using it for. For example, look at the May Cisco breach.

Security technology is all but ubiquitous. No matter the industry or size, almost every organization employs security technology to keep their systems, assets, and data safe. But, if your industry is retail or healthcare — or you’re a small shop that sells bagels on the town square — your organization may not have the best grip on what your security stack should contain, or if your current one is meeting your security and business needs.

November has turned cold in much of the Northern Hemisphere, and there was plenty of cold comfort to go around in the world of cybersecurity. Our latest round-up looks at a massive company that can’t stop getting breached, another one scrambling to correct an unforced error, a worst-case scenario for the blending of church and state, and a depressing report on just how much money ransomware gangs are pulling in. Let’s get ready for a dip into the chilly waters of cybercrime.

As we approach the one-year anniversary of the Log4Shell vulnerability (CVE-2021-44228), Arctic Wolf Labs decided to look back on the impact that this critical vulnerability had (and continues to have) on organizations and assess the long tail of activity we’ve seen with threat actors continuing to use the exploit.