Patch Tuesday May 2022 – Microsoft Pledges Fixes and Improvements for Azure Synapse Pipeline and Azure Data Factory

Patch Tuesday May – Highlights

As part of Patch Tuesday May, Microsoft has pledged to release improvements for both Azure Synapse Pipeline and Azure Data Factory. This announcement came shortly after Microsoft disclosed CVE-2022-29972, a vulnerability affecting a Magnitude Simba Amazon Redshift ODBC driver. Microsoft’s currently working alongside a third party to remedy the aforementioned vulnerability and to develop infrastructure improvements for Synapse Pipeline and Data Factory.

Patch Tuesday May – Highlights

Most of Microsoft’s monthly patching effort is focused on the remediation of the Simba Amazon Redshift ODBC driver vulnerability. For those of you unfamiliar with the product, Redshift ODBC and its ‘peer’ JDBC are data access interfaces for various relational databases. Also called connectors, these products allow you to access via SQL-92 all the data stored in Redshift warehouses, map data type in Amazon Redshift and ANSI SQL, provide logging and ODBC tracing, and, of course, establish connections between various BI (Business Intelligence Tools) and the data residing in your Amazon Redshift data warehouse.

According to the threat report issued by Microsoft’s Security Response Center, the vulnerability was first identified and mitigated on the 15th of April 2022. The culprit was a defective ODBC driver developed by an undisclosed third party. As to its purpose, the driver was supposed to facilitate the connection between Amazon’s Redshift, Azure Data Factory Integration Runtime, and Azure Synapse pipelines. The ensuing investigation revealed that no customers have been affected by CVE-2022-29972.

As to the vulnerability itself, CVE Details provides some insight – one of the ODBC driver’s authentication components was discovered to harbor an argument injection bug that would have allowed a threat actor or even a local user to run arbitrary code on the machine. The defect seems to affect version 1.4.14 through, 1.4.22 through 1.4.x, all the way up to version 1.4.52).

For the time being, no workarounds or hotfixes are available. Per Microsoft’s recommendations, IT admins are advised to limit access to the connector and wait until an official fix or patch becomes available.

Additional Cybersecurity Advice & Conclusions

Not much going around in May in terms of patching. Microsoft’s mostly focused on delivering a functional fix to the Synapse and Data Factory issues. In the meantime, here are some things you can try in order to stay protected.

  • Suspicious activity. If your company’s running any kind of SIEM, you may want to conduct some probing for suspicious activity.
  • Automatic patching. The best way to ensure that all your applications and software are up to date (and in a timely fashion) is through automated patching. Heimdal™ Security’s Patch & Asset Management can help you fast-track your patching/updating processes, regardless of whether it’s Windows, Linux, 3rd party, OS-specific, proprietary or optional improvements.
  • Pen-testing. You may want to conduct some on-site pen-testing to determine if other Azure-related components are vulnerable. If your team can’t cover this area, it would be a good idea to hire an outside team to carry out these tests.

Additional resources:

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Concept photo of DNS security by Heimdal

DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe

All you need to find out about DNS security. Ways to secure your company-owned DNS server.

Threat-Hunting Journal April 2022 – Easter Edition

Top Malware(s) Detections: 1st of April – 28th of April
Which one of the following could lead to the spread of a malicious program?

A New Ransomware Variant Dubbed ‘Cheers’ Was Discovered

The Linux-based Ransomware Variant Is Compromising ESXi Servers.

VMware ESXi is a hypervisor created by VMware that is of the enterprise-class and type-1 varieties. It is used for installing and servicing virtual machines.

ESXi is a type-1 hypervisor, which means that it is not a software program that is put on an operating system; rather, it incorporates and integrates essential OS components, such as a kernel, inside itself. This makes it unique from other types of hypervisors.

The virtualization platform is widely employed by huge enterprises all over the globe; hence, encrypting these platforms often results in a significant interruption to the operations of a company.

What Happened?

Cheers is the name of a new piece of ransomware that has been discovered in the cybercrime world. This ransomware has begun its activities by focusing on unprotected VMware ESXi systems.

Researchers working for Trend Micro have identified a new strain of the Cheers ransomware, which they refer to as “Cheerscrypt.”

We recently observed multiple Linux-based ransomware detections that malicious actors launched to target VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. We encountered Cheerscrypt, a new ransomware family, that has been targeting a customer’s ESXi server used to manage VMware files.

In the past, ESXi servers were also attacked by other known ransomware families such as LockBitHive, and RansomEXX as an efficient way to infect many  computers with ransomware.


Once a VMware ESXi server has been compromised, the threat actors will launch the encryptor. This will cause the encryptor to automatically enumerate the running virtual machines and shut them down.

During the process of encrypting files, the ransomware looks especially for files with the following extensions:.log,.vmdk,.vmem,.vswp, and.vmsn., as ESXi snapshots, log files, swap files, paging files, and virtual disks are all connected with these file extensions.

The “.Cheers” extension will be added to the end of the filename of each and every encrypted file, but the process of renaming files occurs before encryption does. This means that if access permission to rename a file is refused, the encryption will fail, but the file will still be changed even if the access permission is denied.

In order to generate a secret key for the SOSEMANUK stream cipher, the encryption method makes use of a pair of public and private keys. This key is then embedded in each encrypted file. To prevent the private key from being recovered and used again, it is erased once it has been used to produce the secret key.

While the ransomware is searching directories for data to encrypt, it will write ransom notes in each folder. These ransom notes will be called “How To Restore Your Files.txt.”


As BleepingComputer explained, these ransom notes provide details on what happened to the victim’s files as well as links to the Tor data leak sites and ransom negotiation sites used by the ransomware campaign.

ESXi is widely used in enterprise settings for server virtualization. It is therefore a popular target for ransomware attacks. As mentioned, compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread ransomware to many devices. Organizations should thus expect malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain.


Make sure you follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Supply Chain Risk Management SCRM Heimdal

Supply Chain Risk Management (SCRM) Explained

Why SCRM Is Important for Your Organization.

SpiceJet Suffers Ransomware Attack

The Attack Resulted in Delayed Departures of the Flights Scheduled for Wednesday Morning.