American worldwide logistics and freight forwarding company Expeditors International shuts down global operations after cyber attack

American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.

Expeditors has over 18,000 employees worldwide and annual gross revenue of around $10 billion. The company discovered the attack on February 20, 2022; it has not provided details about the attack and announced that it has launched an investigation into the incident.

“Expeditors International of Washington, Inc. (NASDAQ:EXPD) announced that on February 20, 2022, we determined that our company was the subject of a targeted cyber-attack. Upon discovering the incident, we shut down most of our operating systems globally to manage the safety of our overall global systems environment.” reads the announcement published by the company. ”The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments.”

The information publicly available on the attack suggests the company was the victim of a ransomware attack and was forced to shut down its network to avoid the threat from spreading.

The attack impacted the company’s operations, including its ability to arrange shipments of freight and to manage customs and distribution activities for its customers’ shipments.

The company hired cybersecurity experts to investigate the security breach and recover from the attack.

The company warned that the incident could have a material adverse impact on its business, revenues, results of operations and reputation.

“We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation.” concludes the advisory.

Fortinet Security Researchers Discover Multiple Vulnerabilities in Adobe Illustrator & Photoshop

By Kushal Arvind Shah and Yonghui Han | February 10, 2022

Affected platforms: Windows and MacOS

Impacted parties:
  Users of Adobe Illustrator 2022, versions 26.0.2 and earlier
  Users of Adobe Illustrator 2021, versions 25.4.3 and earlier
  Users of Adobe Photoshop 2022, versions 23.1 and earlier
  Users of Adobe Photoshop 2021, versions 22.5.4 and earlier

Impact: Multiple vulnerabilities leading to Arbitrary Code Execution or Information Disclosure.

Severity level: Critical and Important

Toward the end of 2021, Fortinet security researchers Kushal Arvind Shah and Yonghui Han discovered and reported numerous zero-day vulnerabilities in Adobe Illustrator and Photoshop. This Patch Tuesday (dated Feb 08, 2022), Adobe released several security patches (1 and 2) which fixed 14 of them. These vulnerabilities are identified as CVE-2022-23186, CVE-2022-23188, CVE-2022-23189, CVE-2022-23190, CVE-2022-23191, CVE-2022-23192, CVE-2022-23193, CVE-2022-23194, CVE-2022-23195, CVE-2022-23196, CVE-2022-23197, CVE-2022-23198, CVE-2022-23199, and CVE-2022-23203. All of these vulnerabilities have different root causes pertaining to a multitude of Illustrator and Photoshop Plugins. Due to the severity of these vulnerabilities, we suggest users apply the Adobe patches as soon as possible.

Following are some details on these vulnerabilities. More information can be found on the related Fortinet Zero Day Advisory pages linked from the CVE identifiers below:

CVE-2022-23186

This is an Arbitrary Code Execution vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes an Out of Bounds Write memory access due to an improper bounds check. 

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted CDR file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23186.Arbitrary.Code.Execution for this specific vulnerability to proactively protect our customers.

CVE-2022-23188

This is a Buffer Overflow vulnerability in the Adobe Illustrator ‘MPS’ plugin. Specifically, the vulnerability is caused by a malformed Macintosh Picture Image file (PCT) file, which causes an Out of Bounds Write memory access due to improper bounds check when manipulating a pointer to an allocated buffer.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted PCT file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23188.Buffer.Overflow for this specific vulnerability to proactively protect our customers.

CVE-2022-23189

This is a Null-Pointer Dereference vulnerability that exists in the decoding of AutoCAD Drawing (DWG) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed DWG file, which causes a NULL pointer dereference. 

Attackers can exploit this vulnerability with a crafted DWG file, potentially leading to an application denial-of-service.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23189.Null.Pointer.Dereference for this specific vulnerability to proactively protect our customers.

CVE-2022-23190

This is a Memory Corruption vulnerability that exists in the decoding of Computer Graphics Metafile (CGM) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CGM file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘Reader_for_CGM’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CGM file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23190.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23191

This is a Memory Corruption vulnerability that exists in the decoding of Macintosh Picture Image file (PCT) in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed PCT file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘MPS’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted PCT file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23191.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23192

This is a Memory Corruption vulnerability existing in the decoding of Adobe Illustrator Artwork (AI) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed AI file, which causes an Out of Bounds memory access due to an improper bounds check.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted AI file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23192.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23193

This is a Memory Corruption vulnerability that exists in the decoding of Portable Document Format (PDF) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed PDF file, which causes an Out of Bounds memory access due to an improper bounds check.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak, via a crafted PDF file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23193.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23194

This is a Memory Corruption vulnerability that exists in the decoding of Computer Graphics Metafile (CGM) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CGM file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘Reader_for_CGM’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CGM file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23194.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23195

This is a Memory Corruption vulnerability that exists in the decoding of Computer Graphics Metafile (CGM) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CGM file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘Reader_for_CGM’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CGM file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23195.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23196

This is a Memory Leak vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes an Out of Bounds memory access due to an improper bounds check. 

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CDR file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23196.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-23197

This is a Memory Leak vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes an Out of Bounds memory access due to an improper bounds check. 

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CDR file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23197.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-23198

This is a Null-Pointer Dereference vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes a NULL pointer dereference. 

Attackers can exploit this vulnerability with a crafted CDR file, potentially leading to an application denial-of-service.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23198.Null.Pointer.Dereference for this specific vulnerability to proactively protect our customers.

CVE-2022-23199

This is a Null-Pointer Dereference vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes a NULL pointer dereference. 

Attackers can exploit this vulnerability with a crafted CDR file, potentially leading to an application denial-of-service.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23199.NULL.Pointer.Dereference for this specific vulnerability to proactively protect our customers.

CVE-2022-23203

This is a Buffer Overflow vulnerability that exists in the decoding of Universal 3D (U3D) files in Adobe Photoshop. Specifically, the vulnerability is caused by a malformed U3D file, which causes an Out of Bounds memory access due to an improper bounds check. The specific vulnerability exists in the ‘U3D’ plugin.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted U3D file.

Fortinet released IPS signature Adobe.Photoshop.CVE-2022-23203.Arbitrary.Code.Execution for this specific vulnerability to proactively protect our customers.

How to protect your network from a future attack

While it’s certainly wise to make the initial fixes to strengthen your defenses, these actions need to be applied on a regular basis

A new report on how to protect your networks from attack is a helpful document that covers many different bases within the cybersecurity landscape. The report, Proactive Preparation and Hardening to Protect Against Destructive Attacks, was written by several cybersecurity analysts “based on front-line expertise with helping organizations prepare, contain, eradicate, and recover from potentially destructive threat actors and incidents,” in the words of the authors.

It contains hundreds of tips for protecting Windows deployments, including command-line strings, adjustments to various group policy parameters, and other very practical indicators that could point to potentially compromised systems.

While reading the report is sobering because of its enormity of vision, that same vision is also tremendously useful and can serve as a blueprint for how IT and security managers can prepare for the inevitable attack, no matter if you’re the size of General Motors or the corner flower shop. The report covers several specific areas that require strengthening.

Active Directory hardening and backups

Organizations should verify that backups (recommended are system state backups, and the report shows the commands to initiate and verify such backups) for domain controllers and critical assets are available and protected against unauthorized access or modification. The report also has loads of suggestions on malware “tells” that security managers can look for, such as unauthorized users accessing backup media or shadow copies being deleted (a common event that precedes a ransomware attack).

Network segmentation

Organizations should have both physical and logical separation between IT domains and operational technology processes and controls. This means having separate AD forests and network segments, along with controls on the IP protocols and ports that could bridge the divide between the two domains. One common indication of potential compromise is a failed login attempted across domains, where an attacker is trying to reuse credentials to move around your infrastructure.
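The two “tells” mentioned above (shadow copies being deleted, under Active Directory hardening, and failed logons that cross a domain boundary, under network segmentation) can be turned into simple detection logic. The following is an added example, not code from the report or from Avast; it runs over a handful of constructed event records shaped like flattened Windows Security (4625) and Sysmon process-creation (event ID 1) events, and the domain and host names in them are made up.

```python
import re

# Constructed sample events (not real logs). Only the fields the checks need are kept.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Computer": "DC1.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "IpAddress": "10.1.4.22"},
    # Failed logon on the IT domain controller against an account from the OT forest.
    {"EventID": 4625, "Computer": "DC1.corp.example", "TargetDomainName": "OT",
     "TargetUserName": "svc_hmi", "IpAddress": "10.1.4.22"},
    # Local-account failure: TargetDomainName is the host's own NetBIOS name, not cross-domain.
    {"EventID": 4625, "Computer": "WS07.corp.example", "TargetDomainName": "WS07",
     "TargetUserName": "Administrator", "IpAddress": "10.1.4.22"},
    {"EventID": 4624, "Computer": "DC1.corp.example", "TargetDomainName": "OT",
     "TargetUserName": "svc_hmi", "IpAddress": "10.1.4.22"},
    {"EventID": 1, "Computer": "WS07.corp.example",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS07.corp.example",
     "CommandLine": "wmic shadowcopy delete"},
    # Benign: listing shadow copies is routine admin activity, must not alert.
    {"EventID": 1, "Computer": "WS07.corp.example",
     "CommandLine": "vssadmin.exe list shadows"},
]

# Command lines that remove Volume Shadow Copies (a common precursor to ransomware encryption).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def cross_domain_failed_logons(events, local_domain):
    """Return 4625 events whose target account belongs to a domain other than
    the logging host's own domain (or the host itself, for local accounts)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        host_short = ev.get("Computer", "").split(".")[0].upper()
        target = ev.get("TargetDomainName", "").upper()
        if target in ("", "-", local_domain.upper(), host_short):
            continue
        hits.append(ev)
    return hits


def shadow_copy_deletions(events):
    """Return process-creation events whose command line deletes shadow copies."""
    return [ev for ev in events
            if ev.get("EventID") == 1 and SHADOW_DELETE.search(ev.get("CommandLine", ""))]


if __name__ == "__main__":
    for ev in cross_domain_failed_logons(SAMPLE_EVENTS, "CORP"):
        print("cross-domain failed logon:", ev["TargetDomainName"], ev["TargetUserName"], ev["IpAddress"])
    for ev in shadow_copy_deletions(SAMPLE_EVENTS):
        print("shadow copy deletion:", ev["Computer"], ev["CommandLine"])
```

In a real deployment the same two functions would be fed from a SIEM export or Get-WinEvent output rather than the inline list, and the cross-domain check should be scoped to the domain each collector actually serves.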

Disable administrative access wherever possible

Auditing and limiting this access is another security mechanism, since many organizations have created far too many accounts with a wide collection of permissions. The report suggests using registry key modifications, stopping certain service accounts (or using group policies to get this under control), and provides the necessary commands to track and lock down these accounts, along with detecting and preventing abuses of other privileged accounts.



RDP hardening

As we wrote about earlier this year, the Remote Desktop Protocol (RDP) can be a major way for attackers to enter your networks. Organizations should periodically scan their public IP address ranges to ensure that no systems expose ports 445 (SMB) and 3389 (RDP) to the internet. The link above has other suggestions to lock down this exposure, and the report also has additional proactive measures, such as enforcing network-level authentication through group policy and using RDP’s restricted admin mode.

We suggest reading through the full report to explore the full collection of tips and research that it contains. Before you get overwhelmed, though, you should realize that the report shows that you need to keep making these changes and looking for possibly compromised systems on a regular basis after you’ve implemented these “hardening” activities.

Many organizations don’t have regular follow ups to see if changes to their network infrastructure or securing the accounts of former employees are actually done. While it’s certainly wise to make the initial fixes to strengthen your defenses, these actions need to be applied on a regular basis. 

Published with permission from Avast Business