December 2022

LastPass Data Breach

On Thursday, December 22, 2022, LastPass updated their security incident notice to include additional details around the data breach they began investigating in November 2022. According to their notice, the threat actor used information obtained in the earlier August 2022 data breach to target an employee and obtain credentials and keys used to decrypt storage volumes within their cloud-based storage service.

Challenge Accepted: An Appointment with Dr. Zero Trust

Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey. Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.

New Microsoft Exchange Exploit Chain via "OWASSRF" Leads to RCE

On Wednesday, December 21, 2022, security researchers shared that they observed ransomware threat actors using a new exploit chain that bypasses the ProxyNotShell URL rewrite mitigations that were shared by Microsoft in September and October. This new exploit chain works by abusing CVE-2022-41080 & CVE-2022-41082 and leads to remote code execution on affected Exchange servers through Outlook Web Access (OWA).

Arctic Wolf Labs Named Open-Source Tool Creator of the Year by SANS Institute

“It’s about doing good and doing it exceedingly well.” This was how Daniel Thanos, Head of Arctic Wolf Labs, described the work of Arctic Wolf Labs when accepting the award for Open-Source Tool Creator of the Year, as voted by the SANS Institute community at the 2022 Difference Makers Awards. This prestigious awards program “honors individuals and teams in the cyber security community who have made a measurable and significant difference in security.”

NIST SP 800-171: What You Need to Know

Like many industries, the federal government and the Department of Defense (DoD) are more digital, more dispersed, and work with more third parties than ever before. This shift means that information the departments deal with, referred to as controlled unclassified information, needs to be protected due to its high value. Enter “Safeguarding covered defense information and cyber incident reporting,” which is part of the Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

Malicious Use of Signed Drivers in Microsoft Windows

In a coordinated disclosure with Microsoft on December 13th, 2022, security researchers with Mandiant, SentinelOne, and Sophos published evidence of a threat actor technique where maliciously crafted drivers were loaded using a valid cryptographic signature. The malicious drivers were observed attempting to terminate a list of security products and evade detection.

CVE-2022-27518: Actively Exploited Remote Code Execution Vulnerability in Citrix ADC and Citrix Gateway

On December 13th, 2022, Citrix disclosed a critical remote code execution vulnerability (CVE-2022-27518) affecting several versions of Citrix ADC and Citrix Gateway. Citrix strongly advises affected customers to update to a supported version as soon as possible. While no public proof-of-concept exploit code is available for this vulnerability, Citrix has observed several instances of targeted exploitation.

CVE-2022-37958 - Critical Vulnerability in SPNEGO NEGOEX Could Lead to RCE on Windows platforms

As part of Microsoft’s September 2022 Security Update, Microsoft released security updates to remediate CVE-2022-37958, an information disclosure vulnerability in SPNEGO NEGOEX that impacted all Windows versions 7 or newer. On December 13, Microsoft reclassified the vulnerability as Critical severity after security researchers discovered that the vulnerability could allow threat actors to remotely execute code pre-authentication.

CVE-2022-42475: Remote Code Execution vulnerability in Fortinet SSL VPN service

On the 12th of December 2022, Fortinet published an advisory regarding an actively exploited remote code execution vulnerability affecting FortiOS through the SSL VPN service. Fortinet has stated that they are aware of at least one instance where this vulnerability was successfully exploited in the wild, though other undocumented cases may exist. The threat actors leveraged the vulnerability to deploy malicious files on the filesystem of affected devices.

CVE-2022-3236: Official Patch Out Now for Remote Code Execution Vulnerability in Sophos Firewall

On Friday, September 23rd, 2022, Sophos disclosed a critical code injection vulnerability impacting Sophos Firewall. This vulnerability, assigned CVE-2022-3236, affects Sophos Firewall versions v19.0 MR1 (19.0.1) and older and could lead to remote code execution. In order for a threat actor to exploit this vulnerability, WAN access would need to be enabled for the Webadmin and User Portal consoles.

Improving Security Posture at Home: The Other Cyber Battleground

In today’s world of remote work, business trips, and home offices, cybercrime doesn’t just occur within the four walls of an office. Bad actors can strike at all hours and utilize any and every vulnerability to gain access to valuable networks and assets — no matter where the device may be or what the user may be using it for. For example, look at the May Cisco breach.

Six Ways to Level Up Your Security Tech Stack

Security technology is all but ubiquitous. No matter the industry or size, almost every organization employs security technology to keep their systems, assets, and data safe. But, if your industry is retail or healthcare — or you’re a small shop that sells bagels on the town square — your organization may not have the best grip on what your security stack should contain, or if your current one is meeting your security and business needs.

The Top Cyber Attacks of November 2022

November has turned cold in much of the Northern Hemisphere, and there was plenty of cold comfort to go around in the world of cybersecurity. Our latest round-up looks at a massive company that can’t stop getting breached, another one scrambling to correct an unforced error, a worst-case scenario for the blending of church and state, and a depressing report on just how much money ransomware gangs are pulling in. Let’s get ready for a dip into the chilly waters of cybercrime.

Why State and Local Governments Are Targeted by Cyber Attackers

State and local governments are facing a never-ending wave of ransomware and other cyber attacks. 2020 saw 44 percent of global ransomware attacks targeting municipalities, with a full third of municipalities targeted that year—and that number doubled in 2021, with 6 out of 10 state or local governments experiencing an attack. In these attacks, data is often encrypted, meaning that financial gain for the attackers leads to chaos and disruption for the government and the public.

A Log4Shell (Log4j) Retrospective

As we approach the one-year anniversary of the Log4Shell vulnerability (CVE-2021-44228), Arctic Wolf Labs decided to look back on the impact that this critical vulnerability had (and continues to have) on organizations and assess the long tail of activity we’ve seen with threat actors continuing to use the exploit.

Quick Tips for Email Security

Email is embedded into the everyday lives of U.S. adults. For starters, the average person receives over 100 emails a day. To sort through all of that, workers spend an average of five hours a day checking their email. With this communication tool demanding so much of our attention, it’s no wonder cybercriminals use it as a preferred method for carrying out major attacks.