HTG Threat Report

Threat Report 1/24/25

Written by Evan Kennedy | Jan 24, 2025 4:16:10 PM
Critical Patches Issued for Microsoft Products

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

Affected Systems:

  • Many popular Microsoft products including, but not limited to, Windows, Office, and .NET 


Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all Microsoft products have the latest version(s) installed 

  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need it)

Ransomware Campaign Abuses AWS Encryption Service to Encrypt S3 Buckets

Researchers at Halcyon warn that a new ransomware campaign is abusing AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attacks do not exploit any AWS vulnerability; the threat actors simply use stolen or publicly disclosed AWS access keys that have permission to read and write S3 objects. The attacker generates an encryption key locally and rewrites the victim's objects with SSE-C, so S3 encrypts them under a key that AWS never stores. Halcyon notes, "AWS CloudTrail logs only an HMAC of the encryption key, which is insufficient for recovery or forensic analysis." In the cases observed by Halcyon, the attackers mark the encrypted files for deletion in seven days and place a ransom note with a Bitcoin address in the affected directory. 

AWS provided the following statement in response to Halcyon's findings: "AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize customer risks without disrupting their IT environment. We encourage all customers to follow security, identity, and compliance best practices. If a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post." 
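As an added example for this report (it is not Halcyon's or AWS's code), the following Python triages CloudTrail S3 data events for the pattern described above and emits a bucket policy that refuses SSE-C uploads. It assumes S3 data events are enabled for the bucket (they are off by default) and relies on the SSEApplied value CloudTrail records in additionalEventData for S3 writes; the sample records, bucket name, access key IDs and object keys are constructed for illustration. Because CloudTrail holds only an HMAC of the customer key, the code makes no attempt at key recovery; it identifies which access key did the damage and what to block.

```python
"""Triage CloudTrail S3 data events for the SSE-C ransomware pattern and
build a bucket policy that refuses SSE-C uploads.

Added example; not Halcyon's or AWS's code. Assumes S3 data events are
enabled on the bucket and that CloudTrail records SSE-C writes with
additionalEventData.SSEApplied == "SSE_C" (verify against your own trail).
"""
import json

# Constructed sample records (abridged CloudTrail S3 data events).
SAMPLE_EVENTS = [
    # legitimate upload under the bucket's default SSE-S3 encryption
    {"eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT00"},
     "requestParameters": {"bucketName": "acme-finance", "key": "ledger/2025-01.csv"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    # attacker rewrites the same object in place with a customer-provided key
    {"eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN1"},
     "requestParameters": {"bucketName": "acme-finance", "key": "ledger/2025-01.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    # ransom note dropped next to the encrypted data
    {"eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN1"},
     "requestParameters": {"bucketName": "acme-finance", "key": "ledger/warning.txt"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    # lifecycle rule that expires every object in 7 days
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN1"},
     "requestParameters": {"bucketName": "acme-finance",
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "expire", "Status": "Enabled",
                                "Filter": {"Prefix": ""},
                                "Expiration": {"Days": 7}}]}}},
]

WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}


def ssec_writes(events):
    """Return (accessKeyId, bucket, key) for every object write that used SSE-C."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        params = ev.get("requestParameters", {})
        hits.append((ev.get("userIdentity", {}).get("accessKeyId"),
                     params.get("bucketName"), params.get("key")))
    return hits


def short_expirations(events, max_days=30):
    """Return (accessKeyId, bucket, days) for enabled lifecycle rules that
    expire objects within max_days; the campaign above used 7."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "PutBucketLifecycle":
            continue
        params = ev.get("requestParameters", {})
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        if isinstance(rules, dict):  # a single rule may be serialised as a dict
            rules = [rules]
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((ev.get("userIdentity", {}).get("accessKeyId"),
                             params.get("bucketName"), days))
    return hits


def suspect_keys(events):
    """Access keys that both wrote SSE-C objects and set a short expiration:
    the ones to disable first."""
    writers = {k for k, _, _ in ssec_writes(events)}
    expirers = {k for k, _, _ in short_expirations(events)}
    return sorted(writers & expirers)


def deny_ssec_policy(bucket):
    """Bucket policy denying any PutObject that supplies a customer key.
    Null == "false" means the SSE-C algorithm condition key is present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    for hit in ssec_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
    for hit in short_expirations(SAMPLE_EVENTS):
        print("short expiration:", hit)
    print("keys to disable:", suspect_keys(SAMPLE_EVENTS))
    print(json.dumps(deny_ssec_policy("acme-finance"), indent=2))
```

Disable the flagged access key and remove the lifecycle rule before the expiration fires; the data is still recoverable only if versioning or a backup holds pre-attack copies. Apply the policy with `aws s3api put-bucket-policy` only after running `ssec_writes` over a longer window to confirm no legitimate workload uses SSE-C, because the Deny applies to every principal.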


Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution in the context of the logged-on user. 

Affected Systems:

  • Photoshop 2025 26.1 and earlier versions
  • Photoshop 2024 25.12 and earlier versions
  • Adobe Substance 3D Stager 3.0.4 and earlier versions
  • Adobe Illustrator on iPad 3.0.7 and earlier versions
  • Adobe Animate 2023 23.0.9 and earlier versions
  • Adobe Animate 2024 24.0.6 and earlier versions
  • Adobe Substance 3D Designer 14.0 and earlier versions 

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all versions of all Adobe products are updated to their latest versions  

  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need it)


Oracle Quarterly Critical Patches Issued January 21, 2025 

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution. 

Affected Systems: 

  • Most Oracle products including, but not limited to, Oracle Communications, Oracle Java SE, and MySQL 

Risk

  • Large and medium business entities: High 
  • Small business entities: High 

Remediation Recommendations 

  • Ensure all devices utilizing Oracle products have the latest version(s) installed 
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need it) 

Ransomware Actors Launch Social Engineering Attacks via Microsoft Teams


Ransomware actors are impersonating tech support in Microsoft Teams calls to trick employees into granting remote access, according to researchers at Sophos. The researchers note that two separate threat actors "operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users." 

The threat actors first send thousands of spam emails to the targeted employee, then contact the employee via Microsoft Teams posing as tech support and offering instructions to stop the barrage of spam. During the Teams call, the attacker tricks the employee into allowing a remote screen control session through Teams. The attacker then uses this access to install malware.