ThreatAdvice September 9, 2022

CISA Orders Agencies to Patch Chrome, D-Link Flaws Used in Attacks

CISA has recently added 12 security flaws to its list of bugs exploited in attacks. These new flaws include two critical D-Link vulnerabilities and two (now-patched) zero-days in Google Chrome and the Photo Station QNAP software. The Google Chrome zero-day (CVE-2022-3075) was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.

On Monday, QNAP network-attached storage (NAS) appliance maker warned customers that it patched a zero-day bug in the Photo Station software, tracked as CVE-2022-27593, and actively exploited in widespread DeadBolt ransomware attacks. The two critical D-Link security flaws (CVE-2022-28958 and CVE-2022-26258) are being targeted by the Mirai-based Moobot botnet to gain remote code execution and take over unpatched devices.

Federal agencies have been given until September 29th to ensure that exploitation attempts would be blocked and products are patched, per binding operational directive (BOD 22-01), which was published in November. Although DHS' BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urges U.S. organizations in the private and public sectors to make patching these bugs a priority.

Mitigation:
Companies should check inventory and assets to ensure that the following CVE’s are patched: