The Cybersecurity and Infrastructure Security Agency (CISA) has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days.
CISA's Known Exploited Vulnerabilities (KEV) catalog now includes two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks, according to Microsoft.
While Microsoft hasn't yet released security updates to address this pair of actively exploited bugs, it shared mitigation measures that have customers add an IIS request-blocking rule to stop attack attempts.
"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," Microsoft said earlier today.
The third security flaw CISA added to its KEV list today (tracked as CVE-2022-36804) is a critical severity command injection vulnerability in Atlassian's Bitbucket Server and Data Center, with publicly available proof of concept exploit code.
Attackers can gain remote code execution by exploiting the flaw via malicious HTTP requests. Still, they must have access to a public repository or read permissions to a private one.
This RCE vulnerability impacts all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0.
BinaryEdge and GreyNoise confirmed that attackers have been scanning and attempting to exploit CVE-2022-36804 in the wild [1, 2] since at least September 20th.
We at @SolveCyberRisk @binaryedgeio have been observing active scanning and exploitation of the just announced CVE-2022-36804 - This CVE affects Atlassian Bitbucket, go patch: https://t.co/YYG1qY9uUg pic.twitter.com/Jy12W9ZB3E
— Tiago Henriques (@Balgan) September 23, 2022
Federal agencies ordered to mitigate
All Federal Civilian Executive Branch (FCEB) agencies must apply patches or mitigation measures for these three actively exploited bugs now that they have been added to CISA's KEV catalog, as required by a binding operational directive (BOD 22-01) issued in November.
The federal agencies were given three weeks, until October 21st, to ensure that exploitation attempts would be blocked.
The U.S. cybersecurity agency also strongly urged all private and public sector organizations worldwide to prioritize patching these vulnerabilities, although BOD 22-01 only applies to U.S. FCEB agencies.
Applying patches as soon as possible reduces the attack surface that potential attackers could target in breach attempts.
"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," CISA explained on Thursday.
Since the BOD 22-01 binding directive was issued last year, CISA has added more than 800 security flaws to its catalog of bugs exploited in attacks while requiring federal agencies to address them on a tighter schedule.
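To show how a defender would act on the details above, here is an added Python example (not code from CISA, Microsoft, Atlassian or the article) that parses a KEV-style record, works out the BOD 22-01 due date from the three-week window the article describes, and checks an asset inventory against the affected Bitbucket range (after 6.10.17, up to 8.3.0). The KEV field names match CISA's public JSON feed; the `dateAdded` values, the hostnames and the version inventory are constructed for the example.

```python
"""Triage Bitbucket hosts against a CISA KEV entry and its BOD 22-01 due date.

Added example; not CISA's, Microsoft's or Atlassian's code.
"""
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. The field names
# (cveID, vendorProject, product, dateAdded, dueDate) match the public feed;
# the CVE ids and products come from the article, dateAdded is an assumption
# chosen so that dateAdded + 21 days lands on the October 21st deadline.
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft",
     "product": "Exchange Server", "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
    {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft",
     "product": "Exchange Server", "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
    {"cveID": "CVE-2022-36804", "vendorProject": "Atlassian",
     "product": "Bitbucket Server and Data Center", "dateAdded": "2022-09-30", "dueDate": "2022-10-21"}
  ]
}"""

# Constructed asset inventory: hostname -> reported Bitbucket version.
SAMPLE_INVENTORY = {
    "bitbucket-prod.example.internal": "8.2.1",
    "bitbucket-dev.example.internal": "8.4.0",
    "bitbucket-legacy.example.internal": "6.10.17",
    "bitbucket-old.example.internal": "6.10.18",
}

# Affected range as stated in the article: after 6.10.17, up to and including 8.3.0.
LAST_UNAFFECTED = (6, 10, 17)
LAST_AFFECTED = (8, 3, 0)
BOD_WINDOW_DAYS = 21  # three weeks, as the article states for these three CVEs


def parse_version(text):
    """'8.3.0' -> (8, 3, 0); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def bitbucket_affected(version_text):
    """True if the version falls inside the CVE-2022-36804 affected range."""
    v = parse_version(version_text)
    return LAST_UNAFFECTED < v <= LAST_AFFECTED


def load_kev(json_text):
    """Parse a KEV-style document and index its entries by CVE id."""
    doc = json.loads(json_text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def remediation_due(entry):
    """Due date from the feed, falling back to dateAdded plus the BOD window."""
    if entry.get("dueDate"):
        return date.fromisoformat(entry["dueDate"])
    return date.fromisoformat(entry["dateAdded"]) + timedelta(days=BOD_WINDOW_DAYS)


def triage_bitbucket(kev, inventory, today):
    """Return [(host, version, days_left)] for hosts still on an affected build."""
    due = remediation_due(kev["CVE-2022-36804"])
    findings = []
    for host, version in sorted(inventory.items()):
        if bitbucket_affected(version):
            findings.append((host, version, (due - today).days))
    return findings


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for host, version, days_left in triage_bitbucket(kev, SAMPLE_INVENTORY, date(2022, 10, 3)):
        print(f"{host}: Bitbucket {version} is affected; {days_left} days to the BOD 22-01 due date")
```

The version check is a plain tuple comparison, so 6.10.17 (the last unaffected release) is excluded while 6.10.18 and 7.0.0 through 8.3.0 are flagged; hosts already on 8.4.0 drop out of the findings. The fallback in `remediation_due` reproduces the article's three-week window when a feed record carries no explicit `dueDate`.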
Comments
lonegull - 1 year ago
Be interested to find out how much oversight there is with CISA mandates and the percentage of compliance. Since President Reagan's Administration there has been a constant fight to secure Federal Government and national IT security (from Pres. Reagan seeing the movie WarGames). The FBI on 9/11 was running PCs that were unable to connect/use a mouse or run modern O/S or software, an obsolete mainframe and multiple databases incompatible with each other. The Government retired a 30+ year old mainframe a few years back and the IRS still runs one nearly that old vital to processing tax returns.
After 9/11 the NSA hacked and backdoored anything and everything they could, hacked common antivirus software to spy on citizens, yet Kaspersky, the one they (NSA) couldn't hack, is the one that is supposedly our biggest danger. But zero proof has been produced, and U.K. Intelligence, the E.U., France, Germany and Belgium investigated and found no evidence of spying. How do you conclude a software product you don't understand is spying when you can't even make it spy for you?