MA-868.092022: MyCERT Advisory - VMware Releases Guidance for VirtualPITA, VirtualPIE, and VirtualGATE Malware Targeting vSphere

  • 30 Sep 2022
  • Advisory
  • vmware, esxi, vsphere, virtualpita, virtualpie, virtualgate, windows, linux, malware

1.0 Introduction
VMware has released "Protecting vSphere From Specialized Malware", guidance on a set of malware artefacts known as VirtualPITA (ESXi and Linux), VirtualPIE (ESXi) and VirtualGATE (Windows). The ESXi components are delivered as malicious vSphere Installation Bundles (VIBs) and are used to gain and maintain persistent access to ESXi hosts.

2.0 Affected Products
• VMware ESXi

3.0 Impact

Allows an attacker who has already obtained privileged access to an ESXi host to establish persistent, covert access to the host and the guest virtual machines it runs. The malware is a persistence mechanism, not an initial-access vector.

4.0 Recommendations
Users and administrators of VMware ESXi are urged to review the following for more information and to apply the recommended mitigations and threat hunting guidance:

• VMware: Protecting vSphere From Specialized Malware:
https://core.vmware.com/vsphere-esxi-mandiant-malware-persistence
• VMware: Knowledge Base 89619 - Mitigation and Threat Hunting Guidance for Unsigned vSphere Installation Bundles (VIBs) in ESXi (including a script to audit ESXi hosts):
https://kb.vmware.com/s/article/89619
• VMware: vSphere Security Configuration Guides (baseline hardening guidance for VMware vSphere):
https://via.vmw.com/scg
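The KB 89619 threat hunting guidance centres on the VIBs installed on each host. As an added example (written for this advisory, not the audit script from KB 89619), the PowerCLI-style function below triages a host's VIB inventory and flags bundles that warrant a closer look: a CommunitySupported acceptance level, a publisher outside an allowlist, or an installation date after the last approved patch window. It takes objects of the shape returned by `(Get-EsxCli -VMHost $h -V2).software.vib.list.Invoke()`; the vendor allowlist, the maintenance date and the sample inventory are assumptions and the sample data is constructed.

```powershell
# Added example for triaging an ESXi host's VIB inventory; not the KB 89619 audit script.
# Input objects mirror PowerCLI's (Get-EsxCli -VMHost $h -V2).software.vib.list.Invoke():
# Name, Version, Vendor, AcceptanceLevel, InstallDate (yyyy-MM-dd). Sample data is constructed.
function Find-SuspiciousVib {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Vib,

        # Publishers expected on this fleet (assumption: extend with your hardware vendors).
        [string[]] $AllowedVendor = @('VMware', 'VMW'),

        # End of the last approved patch window; anything installed later is flagged.
        [datetime] $LastMaintenance = [datetime]::MinValue
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # A host defaults to PartnerSupported, so a CommunitySupported VIB means the host
        # acceptance level was lowered or the bundle was forced in.
        if ($Vib.AcceptanceLevel -eq 'CommunitySupported') {
            $reasons.Add('CommunitySupported acceptance level')
        }

        # Unknown publisher. The level shown by esxcli comes from the VIB's own descriptor,
        # so a forced, unsigned bundle can still present a benign-looking level; vendor and
        # date are hints, and signature verification per KB 89619 is still required.
        if ($Vib.Vendor -notin $AllowedVendor) {
            $reasons.Add("unexpected vendor '$($Vib.Vendor)'")
        }

        $installed = [datetime]::ParseExact($Vib.InstallDate, 'yyyy-MM-dd',
                                             [cultureinfo]::InvariantCulture)
        if ($installed -gt $LastMaintenance) {
            $reasons.Add("installed $($Vib.InstallDate), outside the last patch window")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name            = $Vib.Name
                Version         = $Vib.Version
                Vendor          = $Vib.Vendor
                AcceptanceLevel = $Vib.AcceptanceLevel
                InstallDate     = $Vib.InstallDate
                Reasons         = $reasons -join '; '
            }
        }
    }
}

# Constructed sample inventory: three bundles that should pass and two that should be flagged.
$SampleVibs = @(
    [pscustomobject]@{ Name = 'esx-base';           Version = '7.0.3-0.0.1'; Vendor = 'VMware';      AcceptanceLevel = 'VMwareCertified';    InstallDate = '2022-03-29' }
    [pscustomobject]@{ Name = 'ne1000';             Version = '0.9.0-1';     Vendor = 'VMW';         AcceptanceLevel = 'VMwareCertified';    InstallDate = '2022-03-29' }
    [pscustomobject]@{ Name = 'tools-light';        Version = '12.0.0-1';    Vendor = 'VMware';      AcceptanceLevel = 'VMwareCertified';    InstallDate = '2022-03-29' }
    [pscustomobject]@{ Name = 'example-lsu-plugin'; Version = '1.0.0-1';     Vendor = 'ExampleCorp'; AcceptanceLevel = 'PartnerSupported';   InstallDate = '2022-09-18' }
    [pscustomobject]@{ Name = 'community-nic';      Version = '0.1-1';       Vendor = 'Community';   AcceptanceLevel = 'CommunitySupported'; InstallDate = '2022-03-29' }
)

# Flags example-lsu-plugin (vendor, date) and community-nic (acceptance level, vendor).
$SampleVibs | Find-SuspiciousVib -LastMaintenance '2022-04-01' | Format-Table -AutoSize
```

Against a live host, replace the sample array with `(Get-EsxCli -VMHost $h -V2).software.vib.list.Invoke()` and read the host's own level with `software.acceptance.get.Invoke()`; anything below PartnerSupported is itself a finding. Because the listed acceptance level is only what the bundle claims about itself, a clean result from this triage does not replace the signature checks in KB 89619 or the Secure Boot hardening in the VMware guidance above.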

Generally, MyCERT advises users to keep up to date with the latest security announcements from the vendor and to follow best practices and security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://www.cisa.gov/uscert/ncas/current-activity/2022/09/29/vmware-releases-guidance-virtualpita-virtualpie-and-virtualgate
https://core.vmware.com/vsphere-esxi-mandiant-malware-persistence
https://kb.vmware.com/s/article/89619
https://via.vmw.com/scg
 

MA-867.092022: MyCERT Advisory - Security Advisories for Multiple Versions of BIND 9

  • 30 Sep 2022
  • Advisory
  • BIND, BIND9, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178, internet, domain, vulnerability, dos, ddos

1.0 Introduction
The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC's Berkeley Internet Name Domain (BIND) 9.

2.0 Impact
A remote attacker could exploit these vulnerabilities to cause denial-of-service conditions. CVE-2022-3080 can crash named on resolvers configured to serve stale answers with stale-answer-client-timeout set to 0; CVE-2022-2906, CVE-2022-38177 and CVE-2022-38178 are memory leaks (in TKEY Diffie-Hellman key handling on OpenSSL 3.0 builds, and in ECDSA and EdDSA DNSSEC signature verification respectively) that an attacker can trigger repeatedly until named exhausts available memory.

3.0 Affected Products
• ISC’s Berkeley Internet Name Domain (BIND) 9

4.0 Recommendations
Users and administrators are recommended to review the following ISC advisories for CVE-2022-2906, CVE-2022-3080, CVE-2022-38177 and CVE-2022-38178 and apply the necessary mitigations (the fix is to upgrade to BIND 9.16.33, 9.18.7 or 9.19.5, or a later release):
https://kb.isc.org/v1/docs/cve-2022-2906
https://kb.isc.org/v1/docs/cve-2022-3080
https://kb.isc.org/v1/docs/cve-2022-38177
https://kb.isc.org/v1/docs/cve-2022-38178

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor and to follow best practices and security policies to determine which updates should be applied.

For further inquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/isc-releases-security-advisories-multiple-versions-bind-9
https://kb.isc.org/v1/docs/cve-2022-2906
https://kb.isc.org/v1/docs/cve-2022-3080
https://kb.isc.org/v1/docs/cve-2022-38177
https://kb.isc.org/v1/docs/cve-2022-38178
https://kb.isc.org/docs/aa-00913
 

MA-866.092022: MyCERT Advisory - Microsoft Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

  • 30 Sep 2022
  • Advisory
  • microsoft, exchange, zero day, vulnerability

1.0 Introduction
Two zero-day vulnerabilities affecting Microsoft Exchange Server were reported this week. As of writing, Microsoft is aware of the issue, is working on a fix and has published temporary workarounds in the meantime.

The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability; the second, identified as CVE-2022-41082, is a remote code execution (RCE) vulnerability that is reachable when PowerShell is accessible to the attacker.

2.0 Impact
In the observed attacks, CVE-2022-41040 enables an authenticated attacker to trigger CVE-2022-41082 remotely, and CVE-2022-41082 then allows remote code execution when PowerShell is accessible to the attacker. Note that authenticated access to the vulnerable Exchange Server is required to exploit either of the two vulnerabilities.

3.0 Affected Products
The affected Microsoft products are Microsoft Exchange Server 2013, 2016, and 2019.

4.0 Recommendations
Users and administrators of the affected Microsoft Exchange products are advised to apply the mitigation steps below while waiting for Microsoft to release a patch. Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should apply the following URL Rewrite instructions and block exposed Remote PowerShell ports (HTTP 5985 and HTTPS 5986).

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. 

Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains. The steps are as below:

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
  • Expand the rule, select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
  • Change the condition input from {URL} to {REQUEST_URI}. This last step matters: {URL} holds only the request path, while {REQUEST_URI} also includes the query string, so a rule conditioned on {URL} alone would not see the part of the request the pattern is meant to match.
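The same mitigation, scripted for administrators who manage several servers: this is an added example written for this advisory, not Microsoft's EEMS mitigation or EOMT tooling. It assumes Exchange is served from the Default Web Site, that the WebAdministration module is available on the server, that the rule name is free to choose, and that the pattern is the one published on 30 September 2022; Microsoft revised that pattern in the days that followed because the original could be bypassed, so take the pattern from the current Microsoft guidance before deploying. The last function covers the second half of the recommendation, blocking the Remote PowerShell ports.

```powershell
# Added example (not Microsoft's EEMS/EOMT code): create the Autodiscover request-blocking rule
# from PowerShell, read it back, show why the condition must use {REQUEST_URI}, and block the
# Remote PowerShell ports. Run elevated on the Exchange server.
Import-Module WebAdministration

$Site        = 'IIS:\Sites\Default Web Site\Autodiscover'   # the path IIS Manager shows as Default Web Site -> Autodiscover
$RuleName    = 'BlockAutodiscoverPowerShell'                 # assumption: any unused rule name works
$Pattern     = '.*autodiscover\.json.*\@.*Powershell.*'      # pattern as published on 30 Sep 2022; verify against current guidance
$RulesFilter = 'system.webServer/rewrite/rules'
$RuleFilter  = "$RulesFilter/rule[@name='$RuleName']"

function Add-AutodiscoverBlockRule {
    # Idempotent: a second run must not add a duplicate rule.
    if (Get-WebConfiguration -PSPath $Site -Filter $RuleFilter) {
        Write-Verbose "Rule '$RuleName' already exists"
        return
    }
    # Equivalent of "Add Rules -> Request Blocking": a regex rule that stops processing on match.
    Add-WebConfigurationProperty -PSPath $Site -Filter $RulesFilter -Name '.' -Value @{
        name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True'
    }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/match" -Name 'url' -Value '.*'
    # The condition is created directly against {REQUEST_URI}, which is the final manual step
    # in the advisory; {URL} would only expose the path and never see the query string.
    Add-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/conditions" -Name '.' -Value @{
        input = '{REQUEST_URI}'; pattern = $Pattern; ignoreCase = 'True'
    }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/action" -Name 'type' -Value 'AbortRequest'
}

function Get-AutodiscoverBlockRule {
    # Read the rule back as IIS stored it, for a post-change check or a fleet audit.
    $rule = Get-WebConfiguration -PSPath $Site -Filter $RuleFilter
    if (-not $rule) { return $null }
    [pscustomobject]@{
        Name           = $rule.name
        PatternSyntax  = $rule.patternSyntax
        ConditionInput = (Get-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/conditions/add" -Name 'input').Value
        Pattern        = (Get-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/conditions/add" -Name 'pattern').Value
        Action         = (Get-WebConfigurationProperty -PSPath $Site -Filter "$RuleFilter/action" -Name 'type').Value
    }
}

function Test-RewritePattern {
    # Constructed request in the shape the pattern targets, split the way IIS exposes it:
    # {URL} is the path only, {REQUEST_URI} is path plus query string.
    param(
        [string] $Path  = '/autodiscover/autodiscover.json',
        [string] $Query = '?@example.test/powershell'
    )
    $regex = [regex]::new($Pattern, 'IgnoreCase')   # IIS conditions ignore case by default
    [pscustomobject]@{
        'Matches {URL}'         = $regex.IsMatch($Path)           # False: nothing follows .json
        'Matches {REQUEST_URI}' = $regex.IsMatch($Path + $Query)  # True: the query string is visible
    }
}

function Block-RemotePowerShellPorts {
    # Microsoft's guidance: block exposed Remote PowerShell (WinRM) ports, HTTP 5985 and HTTPS 5986.
    # Caveat: this also stops legitimate WinRM management of the server over these ports; scope
    # the rule with -RemoteAddress if a management network still needs access (assumption).
    New-NetFirewallRule -DisplayName 'Block inbound Remote PowerShell (WinRM)' `
        -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 -Action Block
}

Add-AutodiscoverBlockRule
Get-AutodiscoverBlockRule
Test-RewritePattern
# Block-RemotePowerShellPorts   # enable once management access over WinRM has been accounted for
```

`Test-RewritePattern` runs without touching IIS and is the quickest way to see why the advisory's final step exists: the same pattern that misses the path alone matches once the query string is part of the input. `Get-AutodiscoverBlockRule` returning a ConditionInput of `{REQUEST_URI}` and an Action of `AbortRequest` is the state to look for when auditing servers that were mitigated by hand.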