The American Cybersecurity and Infrastructure Security Agency (CISA) maintains a helpful overview of known vulnerabilities that attackers are actively exploiting. On April 5, the agency added four new security vulnerabilities to this overview. Here you can find out what they are, what the risks are and how you can protect yourself against them.
Spring4Shell vulnerability allows remote code execution
What happened?
The “Spring4Shell” vulnerability (CVE-2022-22965) is currently keeping cybersecurity experts busy. The open-source framework Spring provides tools and utilities for enterprise applications based on the Java programming language, and it helps reduce the effort required to build such applications.
On March 31, the company confirmed the zero-day vulnerability and released a patch that should fix the problem.
However, the American security company Sonatype noted this week that, despite the release of the patch, more than 80% of recent downloads are potentially vulnerable versions. Software from companies that build on Spring, and that is in use worldwide, is apparently affected. Carnegie Mellon University’s Computer Emergency Response Team (CERT) has published a list of companies that have been affected.
Cybersecurity firm Kasada also found that cybercriminals use automated vulnerability scanners to test thousands of URLs and find out which systems have not yet been patched.
A spokesperson for the telecommunications company T-Mobile assured BleepingComputer that no sensitive information or customer data was stolen as part of the cyberattack. The cybercriminals only managed to access internal operating software, which is not related to confidential information. No evidence was found that data or trade secrets had been tapped.
The incident was uncovered by in-house monitoring tools that documented the intrusion of the unauthorized actors through stolen credentials. According to T-Mobile, the criminals’ access was quickly cut off, and the compromised credentials were immediately deactivated. The company’s systems and processes have been cleaned up and are working as intended.
The incident was brought to light by independent investigative journalist Brian Krebs, who was the first to report on it. He was able to analyze leaked Telegram chat messages between members of the Lapsus$ gang and determine that the attackers had managed to steal internal source code from T-Mobile and then penetrate its systems.
What can I do?
In addition to Spring4Shell, CISA cataloged two vulnerabilities (CVE-2022-22675 and CVE-2022-22674) disclosed by Apple on April 1 that affect its most-used iPhone, iPad, and Mac devices.
What happened?
The CVE-2022-22675 vulnerability affects AppleAVD, the audio and video decoding component. This vulnerability can also lead to remote code execution.
In combination with the second vulnerability, CVE-2022-22674, which allows macOS kernel memory to be read, cybercriminals could also obtain sensitive information about their potential victims.
Apple stated that both vulnerabilities have been fixed. However, there is a risk that the vulnerabilities have already been exploited.
What can I do?
The iOS, iPadOS and macOS security updates (iOS 15.4.1 and macOS Monterey 12.3.1) are available for iPhone 6S and later, all iPad Pro models, all iPad Air 2 and later models, iPad 5th generation and later, iPad Mini 4 and later, and iPod Touch (7th generation). If you use one of these devices, you should install the updates as soon as possible rather than waiting for an automatic security update from Apple.
CISA’s overview has also been expanded to include the CVE-2021-45382 vulnerability. It affects the router models DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L from D-Link. The vulnerability also opens the door to remote code execution.
What happened?
There are no more updates available for these devices – the last one was released on December 19, 2021 – as they are so-called end-of-life devices. The products have reached the end of their service life and are no longer maintained. Accordingly, newly discovered vulnerabilities in these devices remain unpatched, and they become a popular target for attack – especially since the devices are constantly switched on and connected to the Internet. Compromised routers are often used by cybercriminals to disguise their location while launching attacks.
What can I do?
D-Link itself advises retiring and replacing the aforementioned models. In order for companies to comply with Binding Operational Directive 22-01, this must be done before April 25, 2022.
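The four additions above all carry the same Binding Operational Directive 22-01 due date, and the practical task for a defender is to match the catalog against what is actually deployed and track those deadlines. The script below is an added example and not part of the original article or of any CISA tooling: it parses a catalog in the JSON shape of CISA's public feed (the `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `requiredAction` field names are assumed from that feed), matches entries against a simple inventory of vendor or product names, and sorts them into overdue, due soon and later. The embedded feed is constructed for the example; the CVE identifiers and the April 5 / April 25, 2022 dates are those cited in the article, while the product strings and descriptions are illustrative.

```python
"""Added example: triage CISA KEV-style catalog entries by BOD 22-01 due date.

Not the article's or CISA's code. The live feed is published at KEV_FEED_URL;
the sample below is constructed for this example so it runs offline.
"""
import json
from datetime import date, timedelta

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed in the shape of the public catalog (field names are an
# assumption based on that feed). CVE ids and dates come from the article; the
# product strings are illustrative, not copied from the catalog.
SAMPLE_FEED = json.dumps({
    "title": "Sample KEV-style catalog (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework",
         "dateAdded": "2022-04-05", "dueDate": "2022-04-25",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22675", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
         "dateAdded": "2022-04-05", "dueDate": "2022-04-25",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22674", "vendorProject": "Apple", "product": "macOS",
         "dateAdded": "2022-04-05", "dueDate": "2022-04-25",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-45382", "vendorProject": "D-Link",
         "product": "DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, DIR-836L",
         "dateAdded": "2022-04-05", "dueDate": "2022-04-25",
         "requiredAction": "Retire and replace end-of-life devices."},
    ],
})

REQUIRED_FIELDS = ("cveID", "vendorProject", "product", "dateAdded", "dueDate", "requiredAction")


def load_catalog(feed_text):
    """Parse a KEV-style JSON document into entries with real date objects.

    An entry missing a required field raises instead of being skipped, so a
    malformed feed cannot silently drop a vulnerability from the report.
    """
    doc = json.loads(feed_text)
    entries = []
    for raw in doc.get("vulnerabilities", []):
        missing = [f for f in REQUIRED_FIELDS if f not in raw]
        if missing:
            raise ValueError(f"entry {raw.get('cveID', '?')} is missing fields: {missing}")
        entry = dict(raw)
        entry["dateAdded"] = date.fromisoformat(raw["dateAdded"])
        entry["dueDate"] = date.fromisoformat(raw["dueDate"])
        entries.append(entry)
    return entries


def affects_inventory(entry, inventory):
    """True if any inventory string (a vendor or product name, case-insensitive)
    occurs in the entry's vendorProject or product field."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(item.lower() in haystack for item in inventory)


def triage(entries, inventory, today, warn_days=7):
    """Split catalog entries that match the inventory into three buckets
    relative to the BOD 22-01 due date: overdue, due within warn_days, later."""
    report = {"overdue": [], "due_soon": [], "later": []}
    for entry in entries:
        if not affects_inventory(entry, inventory):
            continue
        if entry["dueDate"] < today:
            report["overdue"].append(entry["cveID"])
        elif entry["dueDate"] <= today + timedelta(days=warn_days):
            report["due_soon"].append(entry["cveID"])
        else:
            report["later"].append(entry["cveID"])
    return report


def triage_sample(inventory, today_iso):
    """Convenience wrapper: run triage over the constructed sample feed."""
    return triage(load_catalog(SAMPLE_FEED), inventory, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Example inventory: an application built on Spring and one of the D-Link routers.
    print(triage_sample(["Spring Framework", "DIR-820L"], "2022-04-20"))
```

Point the same functions at the text of the real feed (fetched out of band from `KEV_FEED_URL`) and at an inventory exported from your asset management, and the `overdue` list is the set of items that are already out of compliance with the directive; the substring match is deliberately loose so that a product like "macOS" also catches combined entries such as "iOS, iPadOS, and macOS".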