Friday, September 30, 2022

Microsoft Exchange Server zero-day vulnerability being ACTIVELY Exploited

  This has happened before.

Microsoft Exchange Server (the service/server that sends, forwards, and receives eMail) has vulnerabilities that allow attackers to take control of that service.

Thus we should treat eMails with more caution, and investigate them more closely, than in the past.

The last time this happened, many eMails were forged, eMail distribution lists were exploited, and people lost money.

Friday, September 16, 2022

Uber is reporting a data breach

Lenovo issues Emergency Security Patch for hundreds of its models

 Lenovo is a computer manufacturer. Lenovo has sold a very large number of desktops, laptops, tablets, and other devices.

The EMERGENCY patch addresses 6 high-severity flaws, so it is important.

The flaws can be abused to steal sensitive data, escalate privileges, enlist devices in botnets for denial-of-service attacks, and/or allow arbitrary code execution.

The Common Vulnerabilities and Exposures (CVE) entries fixed/addressed by this emergency security patch:

CVE-2021-28216: pointer flaw in TianoCore EDK II BIOS; elevation of privilege and arbitrary code execution

CVE-2022-40134: information leak flaw in the SMI Set BIOS Password SMI handler; allows SMM memory reading

CVE-2022-40135: information leak vulnerability in the Smart USB SMI handler; allows SMM memory reading

CVE-2022-40136: information leak flaw in the SMI handler used for configuring platform settings over WMI; allows SMM memory reading

CVE-2022-40137: buffer overflow in the WMI SMI handler; allows arbitrary code execution

American Megatrends security enhancements: no CVE

The fixes for the above flaws are part of the latest BIOS update. Keeping your BIOS updated is one of the many updates users of today's complex cyber environments must keep up with, alongside updates to Windows, macOS, apps, browsers, routers, wireless access points, smart phones, streaming devices, smart TVs, etc.

Lenovo states: update the BIOS immediately. More patches/updates are to be released by the end of September, and some in October.

If your Lenovo device uses UEFI instead, Lenovo has patched these CVEs: CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892. UEFI flaws are usually more difficult to exploit, but they are exploitable.

To patch your affected device's BIOS, navigate to the Drivers & Software portal on Lenovo's web site.

Choose Manual Update.

Thursday, September 15, 2022

CISA Alert (AA22-257A)

Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations

Summary

Actions to take today to protect against ransom operations:

• Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
• Enforce MFA.
• Make offline backups of your data.

This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) - Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Note: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as "the authoring agencies."

This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.

Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.

The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.

This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

For a downloadable copy of IOCs, see AA22-257A.stix.

For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threat webpage.

Download the PDF version of this report: pdf, 836 kb

Monday, September 12, 2022

IMPORTANT Apple Updates for iPhone and Mac

Apple released important security updates for iOS and macOS.

The updates fix actively exploited flaws.

The updates are iOS 15.7, iPadOS 15.7, macOS Monterey 12.6 and macOS Big Sur 11.7.

iOS 16.0 is scheduled to start being offered today.