By Jon Munshaw.
The one big thing
Why do I care?
Many of the critical vulnerabilities included in this month’s security release could lead to remote code execution, which is usually the worst of the worst when it comes to vulnerabilities. One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. Several other SharePoint vulnerabilities are included in this month’s Patch Tuesday, but this one appears to be the most severe, as Microsoft considers it “more likely” to be exploited.
So now what?
Patch all your Microsoft hardware and software as soon as possible in accordance with the guidance the company provides on its update page. Talos has also released several Snort rules to protect against the exploitation of many of these vulnerabilities.
Top security headlines from the week
The Killnet Russian state-sponsored threat actor took credit for several high-profile cyber attacks this week, including the disruption of websites belonging to major American airports and state governments. The group posted on Telegram that it was behind a distributed denial-of-service attack on several airports’ sites, including Los Angeles International, Chicago O'Hare and Hartsfield-Jackson International in Atlanta, some of the largest in the U.S. No flight operations were disrupted, however, since the affected sites are public-facing informational pages rather than operational systems. Prior to that, the group also carried out DDoS attacks against state government-run websites in Colorado, Connecticut, Kentucky and Mississippi, including local election committees. Killnet also took responsibility for disrupting JPMorgan’s infrastructure, though the bank denied it experienced any negative effects from the attack. (NPR, SC Magazine, StateScoop)
Microsoft updated its mitigations for the so-called “ProxyNotShell” zero-day vulnerabilities in Exchange Server after security researchers found the initial recommendations could be bypassed. However, there was no formal patch for the issues in this week’s Patch Tuesday, as some had expected. An attacker who can exploit the flaws can achieve remote code execution on the underlying server, so the interim mitigations remain a stopgap rather than a fix. Microsoft also says it is investigating a possibly separate vulnerability in Exchange Server that is being exploited in the wild, though it isn’t ruling out that the new report could be connected to ProxyNotShell. (The Hacker News, The Register, The Record)
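The mitigation bypass described above is an instance of a general failure mode: a request-filtering rule that is matched against the raw, undecoded request can be dodged by percent-encoding part of the path, while the application behind the filter decodes it and sees the original. The following is an added example, not Microsoft's URL Rewrite rule and not Talos code; the block pattern, the token list and the sample requests are illustrative assumptions chosen to show the class of problem, not the actual rule text or any real exploit traffic.

```python
import re
from urllib.parse import unquote

# Illustrative block pattern (assumption): two tokens that must both appear
# in the request path for it to be refused. This is not Microsoft's actual
# rewrite rule; it only stands in for a rule of that general shape.
NAIVE_RULE = re.compile(r".*autodiscover\.json.*powershell.*", re.IGNORECASE)
REQUIRED_TOKENS = ("autodiscover.json", "powershell")


def naive_blocks(raw_request_path: str) -> bool:
    """Weak form: match the raw request path exactly as it arrived on the wire."""
    return NAIVE_RULE.match(raw_request_path) is not None


def canonicalize(raw_request_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), then lowercase.

    Repeating the decode catches double-encoded input such as %252E, which
    becomes %2E after one pass and '.' after two.
    """
    current = raw_request_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def hardened_blocks(raw_request_path: str) -> bool:
    """Stronger form: decide on the canonical request, not the wire form."""
    canonical = canonicalize(raw_request_path)
    return all(token in canonical for token in REQUIRED_TOKENS)


# Constructed requests for the demonstration (not captured traffic).
PLAIN = "/autodiscover/autodiscover.json?x=1/powershell"
ENCODED = "/autodiscover/autodiscover%2Ejson?x=1/power%73hell"   # '.' and 's' encoded
DOUBLE = "/autodiscover/autodiscover%252Ejson?x=1/powershell"    # '.' double-encoded
BENIGN = "/owa/auth/logon.aspx"

if __name__ == "__main__":
    for label, req in (("plain", PLAIN), ("encoded", ENCODED),
                       ("double", DOUBLE), ("benign", BENIGN)):
        print(f"{label:8} naive={naive_blocks(req)!s:5} hardened={hardened_blocks(req)}")
```

The point is not the particular tokens but the parsing mismatch: a filter only holds if it canonicalizes the request the same way the protected application will (decoding, case folding, path normalization). Any step the application performs that the filter does not is a bypass waiting to be found, which is why a filter-side mitigation should be treated as a stopgap until the vendor fix ships.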
Facebook warned more than a million users that their login credentials could have been stolen if they downloaded one of 400 malicious apps on the Google Play and Apple app stores. The malicious apps disguised themselves as mobile games, photo editing or fitness tracking apps, among others, according to Facebook. Users who logged into Facebook through one of the malicious apps could have had their credentials captured. Facebook has already notified the affected users, warning them to change their passwords and enable two-factor authentication on their accounts. Forty-seven of the apps were listed in Apple’s App Store, while the remainder were Android apps. (CNET, Engadget)
Can’t get enough Talos?
- Talos Takes Ep. #116: The latest on Lockbit 3.0 drama and the rest of the ransomware landscape
- Threat Roundup for Sept. 30 to Oct. 7
- How ransomware turned into the stuff of nightmares for modern businesses
- VMware Patches Code Execution Vulnerability in vCenter Server
Upcoming events where you can find Talos
Most prevalent malware files from Talos telemetry over the past week
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
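Hashes like the one above are only useful if something actually checks for them. As an added example, not Talos tooling and not part of the original newsletter, here is a small Python sweep that hashes every regular file under a directory in chunks and reports any whose MD5 matches an IOC set seeded with the hash listed above. The directory layout and the sample files in the demonstration are constructed; the second sample's hash is added to the set at run time so the sweep has something to find offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# Hash taken from the telemetry entry above. The page lists only this one.
KNOWN_BAD_MD5: Set[str] = {
    "93fefc3e88ffb78abb36365fa5cf857c",  # Wextract, claimed product "Internet Explorer"
}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory buffer, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files are not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: Iterable[str] = KNOWN_BAD_MD5) -> List[Tuple[Path, str]]:
    """Walk root and return (path, md5) for every regular file whose MD5 is in iocs.

    Hex comparison is case-insensitive. Symlinks are skipped so a link cannot
    pull the sweep outside root, and files that cannot be read (permissions,
    files that vanish mid-walk) are skipped rather than aborting the run.
    """
    wanted = {h.lower() for h in iocs}
    hits: List[Tuple[Path, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = md5_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits.append((p, digest))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Constructed demonstration: one clean file and one 'suspect' file whose
    hash is added to the IOC set. Returns (file name, md5) for each hit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.txt").write_bytes(b"nothing to see here\n")
        sample = b"CONSTRUCTED SAMPLE - not real malware\n"  # constructed, not a real file
        (root / "suspect.bin").write_bytes(sample)
        hits = sweep(root, KNOWN_BAD_MD5 | {md5_hex(sample).upper()})
        return [(p.name, h) for p, h in hits]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"HIT {name} {digest}")
```

Match on the hash, not the filename: "Wextract" is also the name of a legitimate Windows self-extractor component, so a filename-based check would produce noise while a renamed copy of the flagged file would slip past. MD5 is adequate for matching a specific known sample against published telemetry, but it is collision-prone and should not be the only signal when deciding whether a file is safe; treat a hit as a lead for the detection name given above, not as proof on its own.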