Blog

Ironshare's latest posts ready to view and share.

Security Guidance

Microsoft Patch Tuesday: November 2024

November’s Patch Tuesday instalment patches 90 vulnerabilities, a decrease from the 119 in October. This month sees 4 critical vulnerabilities patched, along with 3 that were publicly disclosed and 2 that have been exploited in the wild.

CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability

This publicly disclosed and actively exploited vulnerability discloses a user’s NTLMv2 hash to an attacker. Microsoft has warned that only minimal interaction with a malicious file is needed to trigger it: selecting the file (single-click), inspecting it (right-click), or performing an action other than opening or executing it. An attacker holding the hash could attempt to crack it offline or relay it to authenticate as the user, ultimately gaining unauthorised access that facilitates further attacks.

CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability

The second actively exploited vulnerability this month is in the Windows Task Scheduler. An attacker with low-privileged local access (Microsoft notes the attack can be performed from within an AppContainer sandbox) would need to run a specially crafted application on the target system to elevate their privileges to a medium integrity level, gaining the ability to execute RPC functions that are restricted to privileged accounts.

CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability

Another publicly disclosed vulnerability this month could allow an attacker to gain domain administrator privileges. Specifically, Microsoft has reported that certificates issued from a version 1 certificate template (schema version 1) whose subject name source is set to "Supplied in the request", and on which Enroll permissions have been granted more broadly than the template’s default restricted set, are at risk if the template has not been secured according to best practice.
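As an added example (neither the post nor Microsoft’s advisory contains code), the following PowerShell lists the published AD CS templates that meet all three of the preconditions quoted above: schema version 1, subject name supplied in the request, and Enroll granted to a broad principal. It assumes a domain-joined host with the RSAT ActiveDirectory module and an account that can read the Configuration partition; the list of "broad" principals is an assumption to adjust for your environment.

```powershell
# Added example, not code from the Ironshare post or from Microsoft.
# Lists published AD CS templates matching the CVE-2024-49019 preconditions.
# Assumes: RSAT ActiveDirectory module, read access to the Configuration partition.
Import-Module ActiveDirectory

# Well-known AD constants (not assumptions)
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                            # bit in msPKI-Certificate-Name-Flag

# Assumption: principals that make "Enroll" broader than the v1 defaults (admin groups only).
$BroadPrincipals = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Only templates published on a CA (pKIEnrollmentService.certificateTemplates) can be requested.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                 -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
                 -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'

function Get-BroadEnrollers {
    # Returns the broad principals holding Enroll/AutoEnroll (explicitly, via "all extended
    # rights" with an empty object GUID, or via GenericAll) on a template's security descriptor.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    $Sd.Access | Where-Object {
        $ace = $_
        $ace.AccessControlType -eq 'Allow' -and (
            ((($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
             ($ace.ObjectType -in @($EnrollRight, $AutoEnrollRight, [guid]::Empty))) -or
            (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0)
        )
    } | ForEach-Object { $_.IdentityReference.Value } |
      Where-Object { $id = $_; $BroadPrincipals | Where-Object { $id -like "*\$_" } }
}

foreach ($t in $templates) {
    if ($published -notcontains $t.Name) { continue }          # unpublished templates cannot be enrolled
    $isV1            = $t.'msPKI-Template-Schema-Version' -eq 1
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $broad           = @(Get-BroadEnrollers -Sd $t.nTSecurityDescriptor)

    if ($isV1 -and $suppliesSubject -and $broad.Count -gt 0) {
        [pscustomobject]@{
            Template           = $t.Name
            SchemaVersion      = 1
            SubjectFromRequest = $true
            BroadEnroll        = ($broad -join ', ')
        }
    }
}
```

Any template the script prints should be reviewed against Microsoft’s guidance for this CVE: remove it from the CA if it is not needed, tighten the Enroll permission to the accounts that genuinely require it, or require CA certificate manager approval before issuance. The patch alone does not change template permissions.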

CVE-2024-43625: Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

This critical elevation of privilege flaw in the Windows VMSwitch driver could allow an attacker to gain SYSTEM privileges on the Hyper-V host. An attacker with access to a low-privileged Hyper-V guest would send a specific series of networking requests to the VMSwitch driver, triggering a use-after-free in the host that grants host privileges and ultimately arbitrary code execution. Microsoft has reported that successful exploitation requires the attacker to gather information specific to the environment and take additional actions to prepare the target before exploiting it.

CVE-2024-43639: Windows Kerberos Remote Code Execution Vulnerability

A critical vulnerability in Windows Kerberos could allow an unauthenticated attacker using a specially crafted application to leverage a cryptographic protocol flaw and perform remote code execution against the target. While rated critical, Microsoft has assessed it as “Exploitation Less Likely.”

CVE-2024-38255, CVE-2024-43459, CVE-2024-43462, CVE-2024-48993 to CVE-2024-49018: 29 SQL Server Native Client Remote Code Execution Vulnerabilities

Affecting the SQL Server Native Client, these important vulnerabilities can be exploited by convincing an authenticated user to connect to a malicious SQL Server database using an affected driver; the database then returns malicious data that could cause arbitrary code execution on the client.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 14/11/24

Cyber Essentials

The Benefits of Cyber Essentials

Summary

(TL;DR)

Cyber Essentials is a UK government-backed certification that helps your business protect itself from common cyber threats.

In summary, Cyber Essentials can help your organization to:

  • build customer trust,
  • improve your reputation,
  • win certain contracts,
  • lower your insurance costs.

It’s a smart, affordable step to keep your business safe and competitive.

Why Your Business Should Get Cyber Essentials Certification

Businesses of all sizes are at risk of cyber-attacks, from small firms to big corporations. Cyber Essentials is a UK government-supported certification that helps companies protect themselves against everyday online threats. Here’s why getting Cyber Essentials certification could benefit your business.

1. Protects Against Common Cyber Threats

Cyber Essentials helps your business put basic protections in place to guard against common threats, such as malware and phishing attacks. These are simple but effective defences that can prevent major problems like data breaches and financial losses.

82% of scheme users surveyed are confident that the technical controls provide protection against common cyber threats, while 80% say that the controls help to mitigate cyber security risks within the organisation.

2. Builds Customer Trust

When your business has Cyber Essentials certification, it shows customers that you take cybersecurity seriously. They’ll feel more comfortable trusting you with their personal information, which can give you an edge over competitors who don’t have the same certification.

3. Improves Your Business Reputation

A cyber-attack can hurt your business’s reputation, sometimes for good. By achieving Cyber Essentials certification, you show that you’re taking steps to protect your data and your customers’ data, which helps build a positive image for your brand.

4. Opens Up New Business Opportunities

Some clients, especially government organizations, require suppliers to have Cyber Essentials certification. By getting certified, you’ll be eligible for a wider range of contracts, which can help your business grow.

5. Reinforces Your Business Against Cyber Attacks

Cyber Essentials focuses on five key security controls:

  • firewalls,
  • secure configuration,
  • security update management,
  • user access control,
  • malware protection.

Implementing these basic steps makes your business much stronger against cyber threats.

6. Helps You Meet Legal and Regulatory Requirements

With Cyber Essentials, your business is more likely to meet legal or regulatory requirements around data protection, like GDPR. Meeting these requirements can help you avoid fines and protect your business from legal issues.

7. Lowers Cyber Insurance Costs

Having Cyber Essentials certification can reduce the cost of cyber insurance. Many insurers see certified businesses as lower risk, so they offer better prices or higher coverage, saving you money in the long run.

Organisations having a turnover of less than £20 million, that achieve Cyber Essentials certification, are eligible for free Cyber Insurance. This requires the whole organisation to be included in the scope of the assessment, and has a value of £25,000 of liability.

8. Raises Employee Awareness and Builds a Security Culture

Although the certification focuses on key technology controls, the process often helps with educating your staff about cybersecurity basics. This encourages organisations to create a culture where everyone understands their role in keeping the business secure, making it less likely for human error to cause a security breach.

9. Affordable Investment with High Returns

Cyber Essentials is a relatively low-cost certification with clear steps for businesses to follow. The cost is often outweighed by the benefits of better security, increased customer trust, and new business opportunities.

10. Prepares You for a Future of Better Security

Cyber Essentials is just the beginning. Once you’ve got the basics in place, you can work towards more advanced maturity and certifications, such as Cyber Essentials Plus or Cyber Assurance certifications (IASME / ISO), as your business grows and your needs expand.

The Bottom Line

Cyber Essentials certification is a straightforward, affordable step that helps businesses protect themselves from common threats, improve customer trust, and open up new business opportunities. It’s a simple yet powerful tool to keep your business safe and competitive in today’s digital world.

Ironshare’s assessors can guide you through the entire Cyber Essentials journey, to help you understand the questions and recommend practical steps to meet the certification requirements. By following the guidance we ensure that you reach your cyber goals and achieve this valuable certification.

Upon successful completion, a passing certificate will automatically be issued by Blockmark, to showcase your new certification status.

For more information head over to our Cyber Essentials page or Get in touch to start your certification.

By Stuart Hare on 12/11/24

Security Guidance

Microsoft Patch Tuesday: October 2024

October’s Patch Tuesday instalment addresses 119 vulnerabilities, an increase from the 79 in September. This month sees 4 critical vulnerabilities patched, along with 5 publicly disclosed and 2 exploited in the wild.

CVE-2024-43468: Microsoft Configuration Manager Remote Code Execution Vulnerability

An unauthenticated attacker could exploit this critical vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server or underlying database. Customers using a vulnerable version of Configuration Manager must install an in-console update to be protected.

For a list of affected versions, and guidance for installing in-console updates, please see Microsoft’s security advisory for this CVE.

CVE-2024-43488: Visual Studio Code extension for Arduino Remote Code Execution Vulnerability

A critical vulnerability in Visual Studio Code extension for Arduino could allow remote code execution through a network attack vector stemming from missing authentication for critical functions in the extension.

Microsoft has reported that it is not planning to patch this vulnerability in the Visual Studio Code extension for Arduino, as the extension has been deprecated; however, the flaw has been fully mitigated by Microsoft. Microsoft’s security advisory states that this CVE was issued for transparency and that there is no action for users to take.

CVE-2024-43582: Remote Desktop Protocol Server Remote Code Execution Vulnerability

Relating to the RDP Server, this critical vulnerability could allow server-side remote code execution with the same permissions as the RPC service. An unauthenticated attacker could achieve this by sending malformed packets to an RPC host. Microsoft has noted that successful exploitation requires the attacker to win a race condition, reducing the likelihood of abuse.

CVE-2024-43533 and CVE-2024-43599: Remote Desktop Client Remote Code Execution Vulnerabilities

Relating to RDP Client, two important RCE vulnerabilities could allow an attacker controlling a Remote Desktop Server to trigger remote code execution on the RDP client machine when a victim connects to the attacking server with a vulnerable Remote Desktop Client. Microsoft advises disabling Remote Desktop Services if they are not required. It is also recommended that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled.

CVE-2024-20659: Windows Hyper-V Security Feature Bypass Vulnerability

This Hyper-V vulnerability relates to Virtual Machines running on a Unified Extensible Firmware Interface (UEFI) host machine. It might be possible to bypass UEFI protections, which could lead to the compromise of the hypervisor and the secure kernel.

Successful exploitation of this vulnerability requires multiple conditions, such as specific application behaviour, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token, as well as requiring an attacker to reboot the machine. The attacker is also required to first compromise the restricted network before running an attack.

CVE-2024-38124: Windows Netlogon Elevation of Privilege Vulnerability

An attacker with LAN access could predict the name of a new domain controller and rename their computer to match, establish a secure channel, and keep it active while renaming their computer back to its original name. Once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller, resulting in domain administrator privileges and potentially compromising the entire domain.

CVE-2024-43573: Windows MSHTML Platform Spoofing Vulnerability

Microsoft has reported a vulnerability relating to MSHTML, a software component used to render web pages, which has been publicly disclosed and exploited in the wild. MSHTML is a key component in many Microsoft 365 and Microsoft Office products as well as Internet Explorer 11 and Legacy Microsoft Edge browsers on certain platforms and Windows applications. Specific information surrounding the vulnerability and its classification as spoofing has been restricted by Microsoft.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Oct

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 10/10/24

Products and Services

Ironshare Achieves IASME Certification Body Status for Cyber Essentials and IASME Cyber Assurance

We are pleased to announce that Ironshare has been awarded Certification Body status by the IASME Consortium for both Cyber Essentials and IASME Cyber Assurance certifications. This achievement empowers us to directly support our clients in attaining these crucial cybersecurity certifications, furthering our commitment to enhancing the security posture of businesses across all sectors.

What This Means for Ironshare and Our Clients

As an accredited IASME Certification Body, Ironshare is now officially authorized to assess and certify organizations against the Cyber Essentials and IASME Cyber Assurance standards. This new capability allows us to provide comprehensive certification services, leveraging our extensive cybersecurity expertise to guide you through every step of the certification journey.

Understanding Cyber Essentials and IASME Cyber Assurance

Cyber Essentials is a government-backed certification scheme designed to help organizations protect themselves against a wide range of common cyber attacks. Achieving this certification demonstrates a fundamental level of cyber hygiene, reassuring your customers and stakeholders that you take cybersecurity seriously.

For more information, please visit: https://www.ironshare.co.uk/cyber-essentials

Building upon the Cyber Essentials framework, IASME Cyber Assurance offers a more in-depth assessment that includes aspects such as data privacy, physical security, and staff awareness training. It provides a holistic approach to cybersecurity governance, suitable for organizations seeking to showcase a higher level of security maturity.

For more information, please visit: https://www.ironshare.co.uk/iasme-cyber-assurance

Benefits to Our Customers

By obtaining these certifications through Ironshare, you benefit from our:

- Personalized Approach: Tailored guidance to meet your specific cybersecurity needs.

- Expert Guidance: Access to our team of seasoned cybersecurity professionals.

- Efficient Certification Process: Streamlined procedures to help you achieve certification promptly.

- Enhanced Credibility: Certifications that boost trust among customers, partners, and regulatory bodies.

Our team works closely with you to identify gaps, implement necessary controls, and ensure compliance with all certification requirements. This not only strengthens your security but also enhances your reputation in the marketplace.

"We are incredibly proud to have achieved IASME Certification Body status," said Stuart Hare, Director at Ironshare. "This milestone reflects our dedication to helping businesses strengthen their cybersecurity defences. By offering certification services for Cyber Essentials and IASME Cyber Assurance, we provide our clients with the tools and recognition they need to operate securely in today's digital landscape."

Why Choose Ironshare for Your Certification Needs

With our new status, Ironshare becomes a central source for your cybersecurity certification requirements. Our comprehensive services include:

- Initial Consultation: Understanding your current security posture.

- Gap Analysis: Identifying areas that need improvement before certification.

- Remediation Support: Assisting in implementing necessary security controls.

- Certification Assessment: Conducting thorough evaluations to certify compliance.

- Ongoing Support: Providing continued guidance to maintain and improve your cybersecurity measures and certification.

Take the Next Step Toward Enhanced Cybersecurity

Securing your organization's digital assets has never been more critical. Ironshare invites organizations of all sizes to take advantage of our new certification services. Whether you're beginning your cybersecurity journey or aiming to elevate your existing security measures, we're here to support you every step of the way.

Contact Us Today

- Phone: +44 121 769 0475

- Email: cyberassurance@ironshare.co.uk

To get certified now, please visit: https://www.ironshare.co.uk/get-started

Learn more about how Ironshare, as an IASME Certification Body, can help safeguard your business and achieve the recognition it deserves.

By Joshua Hare on 4/10/24

Cyber Round-up
News

Cyber Round-up for 27th September

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Necro Android Malware Infects 11 Million Devices Through Google Play and Modded Apps

The Necro Android malware has infected over 11 million devices via malicious software development kits (SDKs) embedded in legitimate apps on Google Play, such as Wuta Camera and Max Browser. The malware, delivered through these apps, installs various harmful plugins to display adware, commit subscription fraud, and use devices as proxies for malicious traffic. Although some infected apps were removed from the Play Store, Necro also spreads through unofficial modified versions of popular apps like WhatsApp and Spotify. Users are urged to uninstall these apps immediately.

For more details, you can visit the article here.

By bleepingcomputer.com

ChatGPT macOS Flaw Exposes Users to Spyware Threat

A security flaw in OpenAI's ChatGPT macOS app allowed attackers to exploit its memory feature to embed long-term spyware. This vulnerability, termed "SpAIware," enabled continuous data theft, capturing user inputs and responses over time, even across new sessions. By manipulating memory, hackers could persistently exfiltrate data, bypassing single-chat limitations. OpenAI patched this issue in version 1.2024.247 after responsible disclosure. Users are advised to regularly check and clear ChatGPT's stored memories to prevent similar attacks.

For more details, visit the full article here.

By thehackernews.com

Streamlining Password and Passkey Management with Apple's Passwords App

The Apple Passwords app, introduced in iOS 18 and macOS Sequoia, allows users to manage, create, and share passwords and passkeys across Apple devices. It features strong password generation, password autofill, and iCloud Keychain integration for seamless syncing. The app also alerts users to compromised or weak passwords and offers secure sharing of credentials with trusted contacts. Additionally, it supports multi-factor authentication codes and provides passkeys for a secure, passwordless login experience.

By support.apple.com

Mozilla Faces Privacy Complaint Over Firefox's New Ad-Tracking Feature

The European privacy group None of Your Business (noyb) has filed a complaint against Mozilla, claiming that its new "privacy-preserving attribution" feature in Firefox infringes on users' privacy rights under GDPR. This feature, introduced in July 2024, allows advertisers to track ad performance without collecting individual data. While Mozilla asserts that it enhances privacy compared to traditional tracking, noyb argues it turns Firefox into an ad measurement tool, undermining its reputation as a privacy-friendly browser. The Austrian Data Protection Authority is now investigating the case.

By therecord.media

UK Police Investigate Cyberattack Targeting Train Station Wi-Fi Networks

Police in the UK are investigating a cyberattack on Wi-Fi networks at several major train stations, including Manchester Piccadilly and London terminals. The attack displayed anti-Islam messages on login pages, but no passenger data was compromised. The affected Wi-Fi services, managed by a third party, were suspended. This incident follows another cyberattack on Transport for London earlier in September, which exposed customer details. Investigations are ongoing, with authorities looking into both incidents.

By securityweek.com

New NIST Guidelines Abandon Traditional Password Practices for Enhanced Security

The National Institute of Standards and Technology (NIST) has updated its guidelines on password management, advising against some long-standing practices. According to the new guidelines, verifiers should no longer impose composition rules (requiring a mixture of upper- and lower-case letters, numbers, and symbols) or mandate periodic password changes; a change should be required only when there is evidence that the credential has been compromised. NIST also discourages the use of knowledge-based authentication (KBA), such as security questions.

The updated guidelines state that passwords must be at least eight characters long, with a recommendation that at least 15 characters be required for stronger protection, and that verifiers should permit passwords of at least 64 characters. Credential Service Providers (CSPs) should also accept all printing ASCII characters, the space character, and Unicode characters in passwords. These changes align with ongoing trends from both public and private organizations, including the Federal Trade Commission and Microsoft, emphasizing a more modern, user-friendly approach to password security.
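As an added example (not code from the article or from NIST), here is a small PowerShell password verifier that applies the rules summarised above: a minimum of 8 characters, a flag when the recommended 15 is met, acceptance of at least 64 characters and of Unicode, a blocklist check, and deliberately no composition rule. The legacy composition check is shown alongside it for contrast. The blocklist is a constructed sample, and the Unicode handling (NFC normalisation, then counting text elements rather than UTF-16 code units) is this example’s design choice.

```powershell
# Added example, not code from the article or from NIST.
$MinLength         = 8     # verifier must not accept anything shorter
$RecommendedLength = 15    # NIST recommends requiring at least 15 for stronger protection
$MaxLengthAllowed  = 64    # verifier must allow at least this many characters
$Blocklist = @('password', 'Password1', 'qwerty123', 'letmein')   # constructed sample, not a real breach list

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)

    # Normalise Unicode so that a precomposed "é" and "e" + combining accent compare equal,
    # then count text elements so a multi-code-unit character counts once.
    $normalised = $Password.Normalize([System.Text.NormalizationForm]::FormC)
    $length     = [System.Globalization.StringInfo]::new($normalised).LengthInTextElements

    $reasons = [System.Collections.Generic.List[string]]::new()
    if ($length -lt $MinLength)        { $reasons.Add("shorter than $MinLength characters") }
    if ($length -gt $MaxLengthAllowed) { $reasons.Add("longer than the $MaxLengthAllowed-character limit") }
    if ($Blocklist -contains $normalised) { $reasons.Add('matches a blocklisted (common or breached) password') }  # case-insensitive compare
    # Deliberately no upper/lower/digit/symbol composition rule and no expiry check.

    [pscustomobject]@{
        Accepted     = ($reasons.Count -eq 0)
        Length       = $length
        StrongLength = ($length -ge $RecommendedLength)
        Reasons      = $reasons
    }
}

function Test-LegacyComposition {
    # The rule the new guidance drops: one of each character class.
    param([string]$Password)
    ($Password -cmatch '[A-Z]') -and ($Password -cmatch '[a-z]') -and
    ($Password -match '\d')     -and ($Password -match '[^\w\s]')
}

Test-PasswordPolicy 'correct horse battery staple'    # Accepted, 28 characters, no symbols required
Test-PasswordPolicy 'Tr0ub4dor&3'                     # Accepted but StrongLength is False (11 < 15)
Test-PasswordPolicy 'pässwörd'                        # Unicode accepted; 8 text elements
Test-PasswordPolicy 'Password1'                       # Rejected: on the blocklist
Test-LegacyComposition 'correct horse battery staple' # False: the legacy rule rejects a strong passphrase
```

The contrast is the point of the example: the legacy composition check rejects the long passphrase and accepts the short "Tr0ub4dor&3", which is the opposite of what the updated guidance wants a verifier to do.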

By infosecurity-magazine.com

Stay Safe, Secure and Healthy!

Edition #282 – 27th September 2024

By Joshua Hare on 26/9/24

Security Guidance

Microsoft Patch Tuesday: September 2024

September’s Patch Tuesday instalment patches 79 vulnerabilities, a decrease from the 91 in August. This month sees 7 critical vulnerabilities along with 1 publicly disclosed and 4 exploited in the wild patched.

CVE-2024-43491: Microsoft Windows Update Remote Code Execution Vulnerability

A critical vulnerability within Windows Update has been exploited in the wild. Microsoft has stated that it was aware of a vulnerability in the Servicing Stack that rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507. This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 (KB5035858, OS Build 10240.20526) or any other update released up to August 2024. All later versions of Windows 10 are not impacted by this vulnerability.

CVE-2024-43464: Microsoft SharePoint Server Remote Code Execution Vulnerability

A second critical vulnerability in SharePoint Server could allow an authenticated attacker with Site Owner permissions or higher to upload a specially crafted file to a targeted SharePoint Server and craft specialized API requests to trigger the deserialization of the file's parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server.

CVE-2024-38018: Microsoft SharePoint Server Remote Code Execution Vulnerability

In a network-based attack, a critical vulnerability in SharePoint Server could result in remote code execution if the attacker gained a minimum of Site Member permissions. No further information about this vulnerability has been released and there is no evidence of this being used in active attacks.

CVE-2024-38216 & CVE-2024-38220: Azure Stack Hub Elevation of Privilege Vulnerabilities

Two critical vulnerabilities in Azure Stack Hub could allow an authenticated attacker to elevate privileges. An attacker who successfully exploited either vulnerability could gain unauthorised access to system resources, potentially allowing them to perform actions with the same privileges as the compromised process. This could lead to further system compromise and unauthorised actions within the network or against other tenants’ applications and content.

CVE-2024-38119: Windows Network Address Translation (NAT) Remote Code Execution Vulnerability

Network Address Translation (NAT) permits one public IP address to be shared between multiple devices or private networks. The only information released about this vulnerability is that an attacker would first need to gain access to the restricted target network before attempting to exploit this vulnerability and will then be required to win a race condition.

CVE-2024-38194: Azure Web Apps Elevation of Privilege Vulnerability

Azure Web Apps is a cloud computing platform used to host web applications written in various programming languages including .NET, Java, Node.js, Python, and PHP, along with providing automatic scaling, load balancing, and high availability. Microsoft reported that an authenticated attacker could exploit an improper authorization vulnerability in Azure Web Apps to elevate privileges over a network and facilitate further malicious actions.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Sep

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 12/9/24

Security Guidance

Microsoft Patch Tuesday: August 2024

August’s Patch Tuesday instalment addresses 91 vulnerabilities, a decrease from the 142 in July. This month sees 7 critical vulnerabilities patched, along with 3 publicly disclosed and 6 exploited in the wild.

CVE-2024-38063: Windows TCP/IP Remote Code Execution Vulnerability

This Windows TCP/IP remote code execution vulnerability has been assigned a max severity of Critical. Exploitation requires an unauthenticated attacker to repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine – if performed successfully, this could enable remote code execution.

Please note that this flaw only affects machines with IPv6 enabled; exploitation is not possible if IPv6 is disabled on the target machine.

Redhat: CVE-2023-40547 Shim - RCE in HTTP boot support may lead to secure boot bypass

The vulnerability assigned to this CVE is in Linux Shim boot. It is being documented in the Security Update Guide to announce that the latest builds of Microsoft Windows address this vulnerability by blocking old, unpatched, Linux boot loaders by applying SBAT (Secure Boot Advanced Targeting) EFI variables in the UEFI library.

To address this security issue, Windows will apply a Secure Boot Advanced Targeting (SBAT) update to block vulnerable Linux boot loaders that could have an impact on Windows security. The SBAT value is not applied to dual-boot systems that boot both Windows and Linux and should not affect these systems. You might find that older Linux distribution ISOs will not boot. If this occurs, work with your Linux vendor to get an update.

For more details on this vulnerability, see this Red Hat Security Advisory: CVE-2023-40547.

CVE-2024-38159, CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability

These two vulnerabilities in Windows Network Virtualization are considered critical and, if successfully exploited, could enable remote code execution.

To successfully exploit these vulnerabilities, an attacker needs elevated privileges on a compromised machine due to the requirement of manipulating processes beyond the reach of standard user permissions. Exploitation also involves taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016. By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.

Exploitation of either vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content.

CVE-2024-38189: Microsoft Project Remote Code Execution Vulnerability

This important RCE flaw in Microsoft Project has been exploited in the wild, making patching a high priority. Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the "Block macros from running in Office files from the Internet" policy is disabled and VBA Macro Notification Settings are not enabled – this allows the attacker to perform remote code execution.

Microsoft has advised users not to disable the macro blocking policy, and that exploitation requires the user to open and accept macros to run for the project file.

CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

Exploitation of this important RCE flaw requires an unauthenticated attacker to send a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network and successful exploitation could result in remote code execution on the server. While this vulnerability has been publicly disclosed, the LPD service is not installed or enabled on Windows by default. Users are advised against installing the Line Printer Daemon service until updates have been performed.
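Three of the August advisories above turn on a local configuration condition: CVE-2024-38063 is only reachable when IPv6 is bound to an adapter, CVE-2024-38189 needs the Project macro-blocking policy to be disabled, and CVE-2024-38199 needs the optional LPD service to be installed. As an added example (not code from the Ironshare post or from Microsoft), the following read-only PowerShell check reports all three conditions on a host so you can see what is actually exposed while patches are rolling out. It should be run elevated (the optional-feature query requires it); the Project policy registry path is an assumption based on the standard Office policy layout and should be confirmed against your Group Policy templates.

```powershell
# Added example, not code from the Ironshare post or from Microsoft. Run elevated.
function Get-AugustExposure {
    # CVE-2024-38063: IPv6 attack surface exists only on adapters with the IPv6 binding enabled.
    $ipv6Adapters = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
                    Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name
    # DisabledComponents = 0xFF means all IPv6 components are disabled system-wide.
    $disabledComponents = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
                              -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents

    # CVE-2024-38199: LPD is an optional feature and is off by default.
    $lpd = Get-WindowsOptionalFeature -Online -FeatureName LPDPrintService

    # CVE-2024-38189: needs "Block macros from running in Office files from the Internet" disabled.
    # Assumed policy path for Project (mirrors the other Office 16.0 apps); 1 = enforced, 0 = disabled.
    $projPolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\ms project\security'
    $blockFromInternet = (Get-ItemProperty $projPolicy -Name blockcontentexecutionfrominternet `
                              -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    [pscustomobject]@{
        IPv6BoundAdapters       = @($ipv6Adapters)
        IPv6DisabledComponents  = $disabledComponents
        LPDInstalled            = ($lpd.State -eq 'Enabled')
        ProjectMacroBlockPolicy = $blockFromInternet        # $null = not set by policy, app default applies
    }
}

$r = Get-AugustExposure
if ($r.IPv6BoundAdapters.Count -gt 0) {
    "IPv6 bound on: $($r.IPv6BoundAdapters -join ', ') -> CVE-2024-38063 reachable until patched"
}
if ($r.LPDInstalled) {
    "LPD service installed -> CVE-2024-38199 reachable; remove with: Disable-WindowsOptionalFeature -Online -FeatureName LPDPrintService"
}
if ($r.ProjectMacroBlockPolicy -eq 0) {
    "Project macro-block policy explicitly disabled -> CVE-2024-38189 precondition met"
}
$r
```

The output is a single object per host, which makes it easy to collect across a fleet with Invoke-Command and decide where the IPv6 and LPD mitigations are worth applying ahead of the patch, and where a "disabled" Project macro policy needs reverting.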

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 15/8/24

Cyber Round-up
News

Cyber Round-up for 9th August

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Premier League Fans Alerted to Surge in Ticket Scams Ahead of New Season

Last year saw a significant increase in ticket scams targeting English Premier League (EPL) football fans, and 2024 has seen more of the same. Research by Lloyds Bank reveals that the number of ticket scams more than doubled during the 2022/23 season, with victims losing an average of £154, although some losses exceeded £1,000. Fraudsters primarily operate on social media platforms such as Facebook, Instagram, and X (formerly Twitter), with over 90% of reported scams originating from these sites. Arsenal and Liverpool fans were identified as the most frequent targets.

These scams exploit the high demand and limited availability of EPL tickets, often luring fans with too-good-to-be-true deals. The typical scam involves advertising fake tickets on social media and requesting payment via bank transfer, which offers little protection for the buyer. Lloyds Bank advises fans to purchase tickets only through official club channels or recognized partners to avoid falling victim to these scams. The bank also calls for greater action from social media companies to combat the prevalence of fraudulent activities on their platforms.

By cybernews.com

New Zero-Day Vulnerabilities Allow Windows Downgrade Attacks, Rendering Systems Vulnerable

Security researcher Alon Leviev revealed at Black Hat 2024 that two zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) allow attackers to perform downgrade attacks on Windows 10, 11, and Server systems. These attacks force systems to revert to older, vulnerable versions of software, making them susceptible to previously patched security flaws. This process is undetectable by current security measures, as Windows Update reports the system as fully updated. Microsoft is working on fixes and has issued mitigation advice, though no active exploits have been detected yet.

For more details, you can read the full article here.

By bleepingcomputer.com

Security Flaw Discovered in 1Password 8 for Mac: Urgent Update Required

A critical security vulnerability, CVE-2024-42219, was identified in 1Password 8 for Mac, potentially allowing malicious software on a local machine to bypass security measures and access vault items and credentials. This flaw, affecting versions prior to 8.10.36, was responsibly disclosed by Robinhood’s Red Team. 1Password has addressed the issue in the latest update, and users are strongly advised to upgrade to the newest version to ensure their data remains secure.

For full details of this vulnerability, please see 1Password’s Support Advisory here.

By support.1password.com

Critical AWS Vulnerabilities Patched to Prevent Account Takeovers

AWS has patched several vulnerabilities in its services, including CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar, which could have been exploited for account takeovers. These flaws, disclosed by Aqua Security at Black Hat USA 2024, involved the predictable naming of S3 buckets, allowing attackers to preemptively create buckets and execute malicious code. This could lead to arbitrary code execution, data exfiltration, and the creation of admin users with elevated privileges. AWS confirmed the issues have been resolved, with no customer action required.

By securityweek.com

UK Authorities Dismantle Global Fraud Platform 'Russian Coms'

UK authorities have successfully shut down an online scam platform called "Russian Coms," which enabled criminals to make fraudulent phone calls with ease. This platform, operating since 2021, was used by criminals to impersonate legitimate entities such as banks to deceive victims into transferring money. The National Crime Agency (NCA) reported that the platform had facilitated 1.3 million calls to UK phone numbers, causing financial losses in the tens of millions of pounds and affecting approximately 170,000 UK victims alone.

The operation offered crime-as-a-service, including features like encrypted calls, voice alteration, and even hold music, for a monthly fee. Authorities have arrested three individuals believed to be key figures behind the platform, highlighting the increasing use of technology in perpetrating fraud on a large scale. This shutdown follows previous actions against similar platforms, indicating an ongoing effort to combat cybercrime despite its persistent and evolving nature.

By reuters.com

Stay Safe, Secure and Healthy!

Edition #281 – 9th August 2024

By Joshua Hare on 8/8/24

Cyber Round-up
News

Cyber Round-up for 2nd August

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

CrowdStrike Faces Legal Challenges Over Disastrous Software Update

CrowdStrike is facing legal challenges from both customers and investors following a problematic update that led to widespread system failures on approximately 8.5 million Windows devices. The update, which caused a "Blue Screen of Death" error, affected industries such as aviation and healthcare, with Delta Airlines experiencing significant disruptions and financial losses between $350 million and $500 million. The Plymouth County Retirement Association has filed a class-action lawsuit against CrowdStrike, alleging misleading statements about product reliability. Despite these issues, CrowdStrike's liability might be limited by software licenses and insurance policies.

For more details, you can read the full article here.

By securityweek.com

Ransomware Attack Disrupts Services of Hundreds of Small Indian Banks

A ransomware attack has disrupted services for nearly 300 small banks in India by targeting C-Edge Technologies, a key banking technology service provider. This attack, which occurred on July 24, forced banks to suspend ATM and online services, affecting customers across the country. C-Edge Technologies, a banking software provider, handles essential banking operations such as check clearing and online transactions. Authorities are working to restore services, while C-Edge is reportedly collaborating with cybersecurity experts to resolve the issue.

By reuters.com

Microsoft Azure and Microsoft 365 Experience Global Service Disruptions Due to DDoS Attack

On July 30, 2024, a subset of Microsoft's global customers experienced connectivity issues with certain services, including Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal, and parts of Microsoft 365 and Microsoft Purview. The root cause was an unexpected usage spike stemming from a Distributed Denial-of-Service (DDoS) attack, which resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components underperforming. Microsoft's initial defense mechanisms against the DDoS attack inadvertently worsened the situation due to an implementation error in their defensive strategy.

After identifying the issue, Microsoft made network configuration changes to bolster DDoS protection. These changes mitigated the majority of the impact, though some customers still faced reduced service availability. An updated approach was adopted to aid the remaining affected customers and, as of 20:48 on July 30th, the issue was reported as fully mitigated.

By azure.status.microsoft.com

New Android Malware 'BingoMod' Drains Bank Accounts and Wipes Devices

A new Android malware named BingoMod has been identified, which can wipe devices after stealing money from victims' bank accounts. The malware is distributed via SMS phishing, posing as a legitimate security app, and is capable of stealing up to 15,000 EUR per transaction. It uses Accessibility Services to gain control, intercepting login credentials and SMS messages. BingoMod's on-device fraud technique uses real-time remote access to bypass security systems. It also has capabilities to remove security apps and wipe data remotely.

You can read more in the full article here.

By bleepingcomputer.com

Google Chrome Enhances Cookie Security with App-Bound Encryption

Google Chrome has introduced app-bound encryption to enhance cookie protection on Windows, addressing vulnerabilities where information-stealing malware could exploit cookies. Unlike the existing Data Protection API, which doesn't safeguard against malicious apps executing code, this new approach tightly binds an app's identity to encrypted data, preventing unauthorized access by other applications. This change, which applies to cookies with Chrome 127, aims to be expanded to other data types. Although beneficial, the update does not support environments with roaming profiles, prompting organizations to adjust accordingly.

By thehackernews.com

Stay Safe, Secure and Healthy!

Edition #280 – 2nd August 2024

By Joshua Hare on 1/8/24

Cyber Round-up
News

Cyber Round-up for 12th July

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Fujitsu Confirms March Cyberattack Exposed Customer Data

Fujitsu confirmed that a cyberattack in March resulted in the exposure of customer data. The attack involved sophisticated malware that spread from a single compromised computer to 49 others, evading detection and exfiltrating sensitive information. Fujitsu promptly isolated the affected systems and initiated an investigation with external experts. While no ransomware was involved, the malware managed to copy files containing personal and business-related information belonging to their customers. Fujitsu has since implemented enhanced security measures and monitoring to prevent future incidents.

For more details, you can read the full article here.

By bleepingcomputer.com

Massive Ticketmaster Data Breach Exposes Personal Information of 560 Million Customers

Ticketmaster recently notified its customers about a significant data breach that compromised the personal information of millions of users. The breach was executed by the hacker group ShinyHunters, which claims to have stolen data from 560 million customers. The compromised data includes names, addresses, phone numbers, emails, and partial credit card details. ShinyHunters is selling the stolen database on the dark web for $500,000.

The breach, which affected customers who bought tickets in North America, was discovered in late May 2024. Ticketmaster's notification to customers has been criticized for lacking detailed information. The company has advised impacted customers to monitor their bank accounts for suspicious activity and to be cautious of unsolicited messages. They are also offering a free 12-month identity monitoring service to those affected. Authorities, including the FBI and Australian National Office of Cyber Security, are investigating the incident.

For more details, you can read Ticketmaster’s full data security incident notice here.

By cybernews.com

ChatGPT macOS App Vulnerability Exposed Chat Histories in Plaintext

A flaw in the ChatGPT app for macOS left user chat histories exposed in plaintext, making them accessible to anyone with unauthorized access to the computer. Discovered by software engineer Pedro José Pereira Vieito, the issue stemmed from the app not being sandboxed and storing data in an unprotected location. OpenAI has since released a new version of the app that encrypts conversations properly. This incident underscores the importance of not rushing to adopt new software and the need for robust security measures in AI applications.

By bitdefender.com

GitLab Releases Urgent Patch for Flaw Allowing Unauthorised Pipeline Jobs

GitLab has released updates to address a critical security vulnerability (CVE-2024-6385) that allows an unauthorised attacker to run pipeline jobs as an arbitrary user, affecting versions 15.8 to 17.1.1 of GitLab CE/EE. This flaw, with a CVSS score of 9.6, follows a similar issue patched last month. Additionally, GitLab fixed a medium-severity vulnerability (CVE-2024-5257) enabling developers with specific permissions to alter group namespace URLs. Users are advised to update to the latest versions: 17.1.2, 17.0.4, and 16.11.6 to mitigate these risks.

By thehackernews.com

Google Enhances Security for High-Risk Users with Passkey Support

Google is expanding its passkey support to high-risk users, including executives and members of civil society, through its Advanced Protection Program (APP). This initiative aims to enhance security by enabling passwordless authentication via passkeys, which use biometric data or PINs instead of traditional passwords. The rollout is part of a broader strategy to protect users against phishing and other cyberattacks by eliminating the vulnerabilities associated with passwords. Passkeys offer a more secure and convenient way to access accounts, as they are resistant to phishing and reduce the risk of data breaches.

This technology is already being used extensively, with over 400 million Google accounts leveraging passkeys for authentication. Google's move aligns with industry trends, as other tech giants like Apple and Microsoft also support passwordless authentication methods to enhance user security and convenience.

By darkreading.com

Microsoft Patch Tuesday: July 2024

Welcome to Ironshare’s Round-Up of Microsoft’s Patch Tuesday for July 2024! July’s instalment addresses 142 vulnerabilities, an increase from the 91 seen in June. This month brings updates for 5 critical vulnerabilities along with 2 publicly disclosed and 2 exploited in the wild.

Stay Safe, Secure and Healthy!

Edition #279 – 12th July 2024

By Joshua Hare on 11/7/24

Security Guidance

Microsoft Patch Tuesday: July 2024

July’s Patch Tuesday instalment addresses 142 vulnerabilities, an increase from the 91 seen in June. This month brings updates for 5 critical vulnerabilities along with 2 publicly disclosed and 2 exploited in the wild.

CVE-2024-38077: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

CVE-2024-38077 is one of three RCE vulnerabilities relating to Windows Remote Desktop Licensing. With a CVSS score of 9.8, this critical vulnerability could allow any unauthenticated attacker to execute arbitrary code by sending a specially crafted message to an affected server.

“In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Licensing Service disabled”.

CVE-2024-38060: Windows Imaging Component Remote Code Execution Vulnerability

This critical RCE vulnerability relates to the Windows Imaging Component, which provides a framework for working with images and image metadata. Microsoft has reported that only an authenticated attacker can exploit the vulnerability, by uploading a malicious TIFF file to a server. It is also worth noting that exploitation does not require administrative or other elevated privileges; any authenticated attacker can exploit this vulnerability.

CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability

This important vulnerability in Windows Hyper-V could allow an authenticated attacker to execute code with SYSTEM privileges. Microsoft has noted that this vulnerability has been seen exploited in the wild but hasn’t released further information about who is exploiting it, how, or how widespread the attacks are.

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability

The second important flaw to be exploited in the wild is a spoofing vulnerability affecting Windows’ MSHTML Platform, used for rendering HTML pages for the Internet Explorer web browser. Microsoft has stated an attacker could exploit this flaw by sending a malicious file to a user and persuading them to execute it.

CVE-2024-38023: Microsoft SharePoint Server Remote Code Execution Vulnerability

An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to an affected SharePoint Server and craft specialised API requests to trigger deserialization of the file's parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server.

CVE-2024-35264: .NET and Visual Studio Remote Code Execution Vulnerability

If successfully exploited, this important vulnerability in .NET and Visual Studio could allow an unauthorised attacker to execute arbitrary code on the target system. An attacker could exploit this by closing an HTTP/3 stream while the request body is being processed, leading to a race condition. Attack complexity for this vulnerability is high, and exploitation may require the attacker to gather knowledge about the target environment and make preparations to improve exploit reliability.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Jul

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 10/7/24

Cyber Round-up
News

Cyber Round-up for 14th June

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Phishing Campaign Utilises Windows Search Protocol to Distribute Malicious Scripts

A new phishing campaign exploits the Windows Search protocol via HTML attachments in emails. These attachments use the search-ms URI to initiate Windows searches for malicious files on remote servers. The phishing emails contain ZIP files with HTML documents that automatically redirect to these malicious URLs, posing as legitimate invoices. The Windows Search protocol displays a fake "Downloads" interface, leading victims to execute harmful batch scripts. To mitigate this threat, users are recommended to delete specific registry entries associated with the search-ms protocol; however, Trustwave advises that doing so will also affect legitimate applications that use the Windows Search protocol.

For more details, read the full article here.

By bleepingcomputer.com

AWS Announces Enhanced MFA and Passkey Authentication Measures for 2024

AWS Identity and Access Management (IAM) now supports passkeys for multi-factor authentication (MFA), enhancing security and usability. Based on FIDO standards, passkeys use public key cryptography, providing strong, phishing-resistant authentication. Users can now secure their AWS accounts using passkeys with built-in authenticators like Touch ID and Windows Hello, or hardware security keys. This feature is available in all AWS regions except China, allowing seamless, secure sign-ins across devices. For more details, visit the AWS announcement.

In addition to this, starting in mid-2024, AWS will require multi-factor authentication (MFA) for root users of AWS Organizations management accounts. Customers affected by this change will be notified when signing in to the console.

This requirement will expand to additional scenarios throughout 2024, with AWS planning to mandate MFA for standalone accounts as well. This initiative aims to strengthen account security by adding an extra layer of protection to prevent unauthorized access. AWS are also providing resources and guides to help customers implement MFA effectively.

By aws.amazon.com

Google Alerts Users to Critical Pixel Firmware Vulnerability Exploited as Zero-Day

Google has issued a warning about a critical security flaw in Pixel firmware, identified as CVE-2024-32896, which has been exploited as a zero-day vulnerability. This flaw allows for privilege escalation and has been “under limited, targeted exploitation”. An update is now available for all supported Pixel devices, which will address this critical vulnerability. Affected users are advised to apply the latest updates at the earliest opportunity.

By thehackernews.com

Apple Fixes Critical Vision Pro Vulnerability in Landmark Spatial Computing Security Update

Apple has released visionOS 1.2 to patch a significant vulnerability, CVE-2024-27812, in its Vision Pro virtual reality headset. This flaw, potentially the first specific to spatial computing, could be exploited via specially crafted web content, leading to denial-of-service (DoS). The update addresses nearly two dozen vulnerabilities, most of which are common across other Apple operating systems. Cybersecurity researcher Ryan Pickren, who reported the issue, notes it as a groundbreaking spatial computing hack. Further details are pending Apple’s approval for disclosure.

By securityweek.com

Microsoft Disables Controversial Windows Recall Feature Amid Privacy Concerns

Microsoft has decided to disable the Windows Recall feature by default on Copilot+ PCs following public outcry over privacy and security concerns. The feature, which creates a searchable digital memory of user activity, was criticized for its potential vulnerability to malware and inadequate data protection. In response, Microsoft will now require users to opt-in explicitly and has enhanced security measures, including requiring Windows Hello enrollment for access and adding encryption to the search index database.

“If you don’t proactively choose to turn it on, it will be off by default,” Microsoft stated.

By securityweek.com

Microsoft Patch Tuesday: June 2024

Microsoft's Patch Tuesday instalment for June 2024 includes patches for 51 vulnerabilities, a decrease from the 61 fixes seen in May. This batch of security updates addresses fewer vulnerabilities compared to the previous month, with only 1 critical and 1 publicly disclosed flaw patched.

Stay Safe, Secure and Healthy!

Edition #278 – 14th June 2024

By Joshua Hare on 13/6/24

Security Guidance

Microsoft Patch Tuesday: June 2024

Microsoft's Patch Tuesday instalment for June 2024 includes patches for 51 vulnerabilities, a decrease from the 61 fixes seen in May. This batch of security updates addresses fewer vulnerabilities compared to the previous month, with only 1 critical and 1 publicly disclosed flaw patched.

CVE-2024-30080: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

The only critical vulnerability this month affects Microsoft Message Queuing, a messaging protocol that ensures reliable message delivery between applications, even when they are temporarily offline. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server. Successful exploitation would allow an unauthenticated attacker to execute arbitrary code on the server. MSMQ is disabled by default and must be enabled for a system to be vulnerable.

CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU

This important denial of service vulnerability was the only publicly disclosed flaw this month. The vulnerability affects DNSSEC validation. An attacker could abuse the standard DNSSEC validation process, which is intended to protect DNS integrity, to consume excessive resources on a resolver, causing a denial of service for legitimate users. An official fix is now available for this flaw and should be applied as soon as possible.

CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution Vulnerability

This important vulnerability in the Windows Wi-Fi driver could enable remote code execution if exploited correctly. An unauthenticated attacker could exploit this vulnerability by sending a malicious networking packet to an adjacent system that uses a Wi-Fi networking adapter. Successful exploitation requires the attacker to be within proximity of the target system in order to send and receive radio transmissions.

CVE-2024-30101: Microsoft Office Remote Code Execution Vulnerability

Another remote code execution vulnerability, this time in Microsoft Office. Successful exploitation of this flaw requires a user to open a malicious email with an affected version of Microsoft Outlook and then perform specific actions to trigger the vulnerability. The attacker is also required to win a race condition to be successful, making attack complexity high for this flaw. Microsoft has also noted that the preview pane is an attack vector; however, additional user interaction is still required. An official fix is available for this vulnerability and should be applied at the earliest opportunity.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Jun

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 12/6/24

Cyber Round-up
News

Cyber Round-up for 7th June

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

FBI Recovers 7,000 Decryption Keys to Aid Victims of LockBit Ransomware

The FBI has recovered over 7,000 decryption keys from the LockBit ransomware group and is urging victims to contact them to recover encrypted data for free. This follows "Operation Cronos," an international effort that led to the seizure of 34 servers in February 2024, aiding in the creation of a free LockBit 3.0 decryptor. Despite these efforts, LockBit remains active, targeting victims and leaking data. The U.S. State Department offers significant rewards for information leading to the arrest of LockBit leaders and affiliates.

By bleepingcomputer.com

Ransomware Attack Disrupts London Hospitals, Forcing Cancellations of Operations and Appointments

Several London hospitals, including those under King’s College and Guy’s and St Thomas’ hospital trusts, have had to cancel operations and appointments due to a ransomware attack on Synnovis, a pathology laboratory services provider. The cyberattack has disrupted all Synnovis IT systems, significantly impacting services like blood transfusions. NHS England's London region is working with the National Cyber Security Centre to assess and manage the situation. This incident underscores the ongoing vulnerability of healthcare systems to ransomware attacks.

For more details, you can read the full article here.

By securityweek.com

Russian Hackers Target Spanish Defense Firm Supplying Tanks to Ukraine

Russian hacker group NoName claimed responsibility for a cyberattack on Santa Barbara Systems, a General Dynamics subsidiary in Spain, which refurbishes Leopard tanks for Ukraine. The group executed a distributed denial-of-service (DDoS) attack, causing the company to temporarily disconnect its website. Despite the attack, General Dynamics reported no compromised systems and confirmed ongoing investigations. This incident aligns with NATO's assertion that Russia has intensified hybrid attacks on companies and infrastructure in member states. Spain recently pledged significant military support for Ukraine, including Leopard 2A4 tanks.

By reuters.com

Google's Internal Data Leak Reveals Extensive Privacy Breaches Over Six Years

A recent internal leak at Google has unveiled a significant number of privacy breaches over the past six years. The database, obtained by 404 Media, contains thousands of reports detailing privacy and security incidents involving various Google products, from Street View capturing license plate images to children's voices being recorded through Google's voice services. The incidents, reported by Google employees between 2013 and 2018, include both minor and severe breaches, such as the exposure of over a million email addresses on Socratic.org and unauthorized access to YouTube admin accounts to leak Nintendo game videos. Despite these breaches, the database also shows Google's internal efforts to investigate and address these concerns, although the lack of public disclosure raises questions about the company's transparency practices.

By cybernews.com

Stay Safe, Secure and Healthy!

Edition #277 – 7th June 2024

By Joshua Hare on 6/6/24

Cyber Round-up
News

Cyber Round-up for 31st May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Operation Endgame Dismantles Global Botnet and Malware Infrastructure

Operation Endgame, coordinated by Europol, is the largest-ever international operation against botnets, targeting the dropper malware ecosystem. This extensive effort involved law enforcement from multiple countries and resulted in the dismantling of significant infrastructures used by criminals to deploy malware, including banking Trojans and ransomware. The operation, which included arrests and the seizure of servers, disrupted the activities of cybercriminals who used droppers to spread malware across millions of computers worldwide. This collaboration highlights the effectiveness of joint actions in combating large-scale cyber threats.

For more details, you can read the full article here.

By europol.europa.eu

BBC Data Breach Exposes Personal Information of 25,000 Employees

The BBC experienced a data breach on May 21, affecting around 25,000 current and former employees enrolled in the BBC Pension Scheme. The breach compromised personal information such as names, National Insurance numbers, birth dates, sex, and home addresses, but pension portal credentials remain safe. The BBC has notified the affected individuals and assured them that there is no evidence of data misuse. The incident has been reported to the UK's Information Commissioner’s Office and the Pensions Regulator. The BBC has advised vigilance against unsolicited communications.

By bleepingcomputer.com

Cooler Master Suffers Data Breach Exposing Customer Information

Cooler Master recently disclosed a data breach that exposed sensitive customer information. The breach was discovered during routine security monitoring that revealed unauthorized access to their systems. The compromised data includes personal details such as names, email addresses, phone numbers, and physical addresses of customers. Cooler Master has urged affected individuals to be vigilant against targeted phishing attacks and to monitor their accounts for any suspicious activity.

In response to the breach, Cooler Master is enhancing its security measures to prevent future incidents and is offering identity protection services to those impacted. The company has not provided specific details on the number of customers affected but has communicated its commitment to safeguarding user data and improving its cybersecurity infrastructure.

By cybernews.com

Okta Alerts Users to Credential Stuffing Threats on Cross-Origin Authentication

Okta has issued a warning about credential stuffing attacks targeting its Customer Identity Cloud's cross-origin authentication feature. These attacks use stolen username and password combinations from previous breaches, phishing, or malware. Okta advises customers to inspect their logs for suspicious activity and suggests resetting passwords if compromised. To mitigate risks, Okta recommends adopting passwordless authentication methods, enforcing strong password policies, using multi-factor authentication (MFA), disabling unused cross-origin authentication, restricting permitted origins, and enabling breached password detection.

By securityweek.com

Active Exploitation of WordPress Plugin Vulnerabilities, Urgent Updates Advised

Cybersecurity researchers have identified active exploitation of critical vulnerabilities in several WordPress plugins, allowing attackers to create unauthorized administrator accounts. These vulnerabilities, including CVE-2023-6961, CVE-2023-40000, and CVE-2024-2194, are linked to unauthenticated stored cross-site scripting (XSS) due to inadequate input sanitization. The attack involves injecting malicious JavaScript to set up backdoors and tracking scripts. To mitigate risks, WordPress site owners should update plugins and check for suspicious admin accounts and malware. Exploitation attempts largely originate from IPs associated with AS IP Volume Inc., particularly from the Netherlands.

By thehackernews.com

Stay Safe, Secure and Healthy!

Edition #276 – 31st May 2024

By Joshua Hare on 30/5/24

Cyber Round-up
News

Cyber Round-up for 24th May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

LastPass Introduces URL Encryption for Enhanced Security

LastPass is now encrypting URLs within user vaults to enhance security and privacy. Historically, URLs were unencrypted due to performance constraints on older devices. With advancements in technology, LastPass can now encrypt these URLs without affecting user experience. This change, rolling out in phases starting in June 2024, will further protect sensitive account details and uphold LastPass’s “zero-knowledge architecture”. Users and admins will receive instructions on the transition process, ensuring seamless encryption of all URL fields by the end of 2024. For more details, read the full announcement here.

By blog.lastpass.com

Critical Security Flaws in Veeam Backup Enterprise Manager Expose Systems to Authentication Bypass

A critical security flaw in Veeam Backup Enterprise Manager (CVE-2024-29849), with a CVSS score of 9.8, allows unauthenticated attackers to bypass authentication and log in as any user. Veeam has also disclosed three other vulnerabilities: an NTLM relay flaw (CVE-2024-29850), an NTLM hash theft flaw (CVE-2024-29851), and a log-reading flaw (CVE-2024-29852). All four are fixed in version 12.1.2.172, and the company urges users to update to the latest version to mitigate these risks.

By thehackernews.com

Privacy Concerns Arise Over Microsoft's Windows 11 Recall Feature

Microsoft's new Windows 11 Recall feature, announced during an AI event, has sparked significant privacy concerns. The feature takes periodic screenshots of the active window that can be analyzed by an AI model to help you ‘recall’ information you have viewed in the last 3 months, storing all data locally. Although Microsoft claims the data is encrypted and stored only on the user's device, experts worry about potential exploitation by hackers and unauthorized users. The UK’s Information Commissioner’s Office is discussing the idea with Microsoft to understand their plans to protect the recorded information and ensure it is not being misused. Critics argue that this feature introduces substantial privacy and security risks, likening it to a built-in keylogger.

By bleepingcomputer.com

Aston Villa FC Data Breach Exposes Personal Information of Over 135,000 Fans

Aston Villa Football Club (AVFC) exposed the personally identifiable information of 135,770 individuals by leaving an Amazon Web Services (AWS) S3 bucket publicly accessible. Discovered by the Cybernews research team on March 13, 2024, the exposed data includes full names, dates of birth, home addresses, phone numbers, email addresses, membership details, and purchase information. This exposure leaves fans vulnerable to spear phishing, identity theft, and the potential for sophisticated social engineering attacks exploiting the leaked data.

Cybernews has advised AVFC to monitor access logs for unauthorized access and recommends encrypting sensitive data to prevent future breaches. Fans are urged to be cautious of any suspicious emails or SMS messages in the near future to protect themselves from targeted phishing attempts and other security risks.

By cybernews.com

NCSC’s Guidance for Protecting Your Organisation from Business Email Compromise

The National Cyber Security Centre (NCSC) is now offering guidance on protecting your organisation against Business Email Compromise (BEC) risks. Business Email Compromise is a form of cybercrime where attackers manipulate organisations into transferring funds or sensitive data via fraudulent emails, often by impersonating executives or trusted business partners.

Key takeaways from this guidance include implementing multi-factor authentication, training staff to recognize phishing attempts, verifying payment requests through secondary channels, and maintaining up-to-date software defenses. The NCSC emphasizes the importance of a comprehensive approach combining technical defenses and user awareness to effectively safeguard against these sophisticated attacks.

For more detailed information, you can visit the NCSC blog here.

By ncsc.gov.uk

Stay Safe, Secure and Healthy!

Edition #275 – 24th May 2024

By Joshua Hare on 23/5/24

Security Guidance

Microsoft Patch Tuesday: May 2024

Microsoft's May Patch Tuesday instalment offers patches for 61 total vulnerabilities, a decrease from the 150 seen in April. Of these, only 1 critical vulnerability was patched with 2 publicly disclosed, and 2 exploited in the wild.

CVE-2024-30044: Microsoft SharePoint Server Remote Code Execution Vulnerability

The only critical vulnerability to be patched this month targets Microsoft SharePoint Server and, if exploited successfully, allows an authenticated attacker with site owner permission to perform remote code execution. The attacker is required to upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of a file's parameters. While attack complexity for this vulnerability is low, the attacker is required to have highly elevated privileges before exploitation is possible. An official fix is available for this flaw, which should be patched as soon as possible.

CVE-2024-30040: Windows MSHTML Platform Security Feature Bypass Vulnerability

This actively exploited, important vulnerability exists in Windows MSHTML, a core component used to render browser-based content. The flaw bypasses the OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls, allowing an unauthenticated attacker to gain code execution.

To successfully exploit this vulnerability, an attacker would have to entice the victim to load a malicious file onto a vulnerable system and then convince the user to manipulate the specially crafted file. Max severity for this flaw is important.

CVE-2024-30046: Visual Studio Denial of Service Vulnerability

This important, publicly disclosed vulnerability in Visual Studio could result in denial of service if exploited. Microsoft has noted that “successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data”, and classifies the flaw under CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); further information is limited.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-May

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 16/5/24

Cyber Round-up
News

Cyber Round-up for 17th May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Google Patches Third Actively Exploited Chrome Zero-Day in One Week

Google has released an emergency security update for Chrome to fix CVE-2024-4947, the third zero-day vulnerability exploited within a week. This high-severity flaw, caused by a type confusion in the V8 JavaScript engine, was reported by Kaspersky researchers and can lead to arbitrary code execution. This update follows the recent patches for CVE-2024-4671 and CVE-2024-4761, highlighting ongoing security challenges for Chrome. The update is available now for all users on Mac, Windows, and Linux; Microsoft is also working on a fix for Edge.  

By bleepingcomputer.com

Cybercriminals Exploit Fake DocuSign Templates to Steal Credentials

Cybercriminals are increasingly using fake DocuSign templates to carry out phishing attacks, targeting organizations to steal credentials and sensitive data. These scams exploit the familiarity and trust users have with DocuSign, an electronic signature service, by sending emails that appear to be legitimate DocuSign notifications. The emails often contain links to malicious websites designed to steal login credentials.

To protect against these scams, users should be cautious of unexpected DocuSign emails, verify the sender's email address, and avoid clicking on links directly from emails. Instead, they should access documents by logging into DocuSign's official website. Organizations should also invest in comprehensive security awareness training to educate their users, specifically on the threat of email phishing attacks.

By darkreading.com

Dell Data Breach Exposes Information of 49 Million Customers

Dell has reported a data breach affecting approximately 49 million customers. The breach involved the unauthorized access of customer names, physical addresses, and Dell order information, including details about purchased hardware, service tags, item descriptions, and warranty information. Notably, financial details, email addresses, and phone numbers were not compromised.

The breach was discovered after a threat actor attempted to sell the stolen data on a hacking forum. While Dell claims that the breach does not pose significant risks due to the nature of the data involved, cybersecurity experts warn that the exposed information could still be used for targeted attacks, such as phishing.

Dell is currently working with law enforcement and a third-party forensics firm to investigate the incident and has advised affected customers to be cautious of any suspicious communications that appear to be from Dell, particularly those requesting software installations or password changes.

More information on this breach can be found here.

By techcrunch.com

NCSC Offers Cyber Defence Service for High-Risk Groups Ahead of UK Election

The UK's National Cyber Security Centre (NCSC) has announced measures to support entities at high risk of cyberattacks ahead of the upcoming election. This includes providing tailored guidance and resources to political parties, candidates, and election administrators to bolster their cybersecurity defenses. The initiative aims to safeguard democratic processes from potential threats and ensure the integrity of the election. The NCSC emphasizes the importance of proactive measures and vigilance in the face of increasing cyber threats targeting the electoral system.

For more details, you can read the full article here.

By ncsc.gov.uk

Microsoft Patch Tuesday: May 2024

A total of 61 vulnerabilities were addressed by Microsoft this month, including: 1 critical, 2 publicly disclosed, and 2 actively exploited vulnerabilities. The only critical vulnerability to be patched this month targets Microsoft SharePoint Server and, if exploited successfully, allows an authenticated attacker with site owner permission to perform remote code execution.

For more details on this critical flaw, and other important fixes included in this release, we advise reading Ironshare’s round-up of Microsoft’s Patch Tuesday for May 2024.

Stay Safe, Secure and Healthy!

Edition #274 – 17th May 2024

By Joshua Hare on 16/5/24

Cyber Round-up
News

Cyber Round-up for 26th April

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Phishing Campaign Uses LastPass Branding to Deceive Users

LastPass has reported an ongoing phishing campaign leveraging a phishing kit called CryptoChameleon, which uses LastPass branding to deceive users. The kit enables criminals to create fake login pages to steal user credentials.

The campaign, now utilizing new phishing sites like "tickets-lastpass[.]com," primarily uses SMS and direct calls to direct victims to these sites. LastPass is actively working to take down these sites and advises customers to ignore unsolicited communications and never share their passwords.

By blog.lastpass.com

FTC Refunds 117,000 Ring Customers Following Privacy Breach

Ring customers are set to receive a total of $5.6 million as a settlement from a privacy breach lawsuit. This follows claims that Amazon employees and contractors accessed users' private video feeds without permission, leading to security concerns. After complaints of inadequate security measures that allowed unauthorized access to customer video feeds and account information, the Federal Trade Commission (FTC) is issuing refunds to all affected customers.

“The FTC is sending 117,044 PayPal payments to consumers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Consumers should redeem their PayPal payment within 30 days.” – FTC

You can find out more about this settlement in The Federal Trade Commission’s official statement, here.

By bleepingcomputer.com

Cisco Firewall Platform Vulnerabilities Are Being Actively Exploited – Urgent Patching Required

The UK's National Cyber Security Centre (NCSC) has issued an alert regarding exploitation of vulnerabilities in Cisco firewall platforms. Cisco are aware that the two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, are being actively exploited, posing a significant security risk. If successfully exploited, an attacker could gain control of the affected device with root-level privileges.

These flaws only affect Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Users are urged to apply the latest security updates as soon as possible to protect their systems.

Regarding the active exploitation, these vulnerabilities have been abused by unknown state-sponsored hackers to conduct espionage. The campaign, named ArcaneDoor by Cisco Talos, involved deploying custom malware, including the “Line Runner” and “Line Dancer” backdoors, to modify configurations, conduct reconnaissance, capture network traffic, and potentially enable lateral movement.

Talos claims that “Perimeter network devices are the perfect intrusion point for espionage-focused campaigns”, which is supported by a recent trend of attacks against Fortinet, Ivanti, and Palo Alto devices.

By ncsc.gov.uk

Latest Microsoft Phishing Campaign Uses Malicious PDF Files Hosted on Autodesk Drive

A new phishing campaign exploits Autodesk Drive to target corporate users with emails containing malicious PDF links. These emails, appearing legitimate by mimicking sender signatures, direct recipients to phishing sites where they are prompted to enter Microsoft account credentials. The attackers then distribute phishing emails to the contacts of compromised email accounts and have even recreated the malicious documents in multiple languages to spread their campaign to multiple countries.

The email links all appear to use the autode[.]sk URL shortener which, when clicked, directs the user to a PDF hosted on Autodesk Drive. The document contains the sender’s name and the company they work for, to further deceive the user, as well as a button to ‘VIEW DOCUMENT’. This link then redirects to the fake Microsoft sign-in where the user’s credentials are stolen.

All Autodesk users are advised to be on the lookout for signs of phishing; specifically, emails containing an autode[.]sk link.

By securityweek.com

Vulnerability in WP Automatic Plugin Affects More Than 30,000 WordPress Websites

The WP Automatic plugin for WordPress has been hit by millions of SQL injection attacks targeting a critical vulnerability identified as CVE-2024-27956. This flaw has been exploited to create unauthorized admin accounts and plant backdoors on over 30,000 websites, significantly compromising security. PatchStack disclosed this issue, which affects plugin versions before 3.9.2.0. Administrators are urged to update to version 3.92.1 or later to protect their sites.

By bleepingcomputer.com

Stay Safe, Secure and Healthy!

Edition #273 – 26th April 2024

By Joshua Hare on 25/4/24

Cyber Round-up
News

Cyber Round-up for 12th April

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Chrome Enterprise Premium – Google’s New Browser for Organisations

Google has launched Chrome Enterprise Premium, an upgraded version of its browser for organizations that offers enhanced security features for a monthly fee per user. This new version adds threat and data protection, improved control options, and better reporting capabilities, aimed at strengthening endpoint security at the browser level. With features such as context-based access controls, support for multiple TCP protocols, and AI-powered threat protection, Chrome Enterprise Premium is designed to offer robust security measures for modern enterprises. Some early adopters, including companies like Snap and Roche, have reported significant and immediate benefits from implementing the new browser version.

By bleepingcomputer.com

Urgent Patching Required for Critical FortiClientLinux Vulnerability

Fortinet has issued an urgent patch for a critical vulnerability in FortiClientLinux, identified as CVE-2023-45590 with a CVSS score of 9.4. The flaw allows for arbitrary code execution and is caused by improper control of code generation; it is worth noting that exploitation requires the victim to visit a malicious website, making successful social engineering a must.

This vulnerability affects FortiClientLinux versions 7.0.3 to 7.0.4 and 7.06 to 7.10; upgrading to version 7.0.11 is advised. Users of FortiClientLinux version 7.2.0 are advised to upgrade to 7.2.1 or above.

There is no evidence of the vulnerability being exploited in the wild, but updating is strongly advised to mitigate risks.

By cybernews.com

Unprotected Azure Storage Server Exposes Microsoft Employee Passwords

Microsoft resolved a security issue where internal files and credentials were exposed due to an unprotected Azure cloud storage server. Discovered by SOCRadar researchers, the server contained critical data for Microsoft’s Bing search engine, including passwords and keys, which could potentially lead to more significant data breaches. Microsoft addressed the issue upon notification, but the duration of exposure remains unclear. It is unclear whether Microsoft has reset the involved credentials, and it is unknown whether the exposed data was discovered or accessed by any threat actors. This incident is part of a series of security challenges Microsoft has faced in recent times and serves as a minor setback in the company’s effort to rebuild trust with their customers.

By techcrunch.com

iPhone Users Across 92 Countries Targeted by Mercenary Spyware Attacks

Apple has issued warnings to iPhone users across 92 countries about targeted mercenary spyware attacks aiming to compromise their devices. These highly sophisticated and well-funded attacks, often associated with entities like NSO Group's Pegasus, primarily target individuals due to their significant roles or the sensitive information they possess. All observed attacks so far have been targeted, with journalists, politicians, and diplomats being the most likely victims; if Apple believes you are a potential target of this spyware campaign, you will likely receive an email with the following message:

"Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,"

Apple advises the following actions to protect against such attacks:

- Enabling Lockdown Mode on the device

- Updating the device to the latest software version

- Seeking assistance from experts (for example, the Digital Security Helpline)

By bleepingcomputer.com

LG webOS Vulnerabilities Put Smart TVs At Risk

Bitdefender's research into LG's WebOS TV operating system revealed several vulnerabilities in versions 4 through 7 that allowed root access by bypassing authorization mechanisms. These issues, affecting over 91,000 devices accessible via the Internet, include adding extra users without authorization, executing commands as root, and exploiting vulnerabilities in system services and API endpoints.

The disclosure process for these flaws began in November 2023, with patches released by March 2024. The security of IoT devices is often overlooked; this investigation highlights the importance of securing IoT devices against unauthorized access and control.

For more details, you can read the full report on Bitdefender's website.

By bitdefender.com

Microsoft Patch Tuesday: April 2024

Microsoft’s Patch Tuesday instalment for April addresses a total of 150 vulnerabilities, considerably more than last month’s release. Despite being a huge batch of updates, there are only 3 critical vulnerabilities patched this month, as well as 1 publicly disclosed, and 2 actively exploited flaws.

The most notable flaws addressed this month include: Microsoft Defender for IoT Remote Code Execution, Defender SmartScreen Security Feature Bypass, Proxy Driver Spoofing, and more.

Read Ironshare’s Round-Up of Microsoft’s April Patch Tuesday here.

Stay Safe, Secure and Healthy!

Edition #272 – 12th April 2024

By Joshua Hare on 11/4/24

Security Guidance

Microsoft Patch Tuesday: April 2024

Microsoft’s Patch Tuesday instalment for April addresses a total of 150 vulnerabilities, considerably more than last month’s release. Despite being a huge batch of updates, there are only 3 critical vulnerabilities patched this month, as well as 1 publicly disclosed, and 2 actively exploited flaws.

CVE-2024-21322, CVE-2024-21323, CVE-2024-21324, CVE-2024-29053, CVE-2024-29054, CVE-2024-29055: Microsoft Defender for IoT Remote Code Execution Vulnerability

Six remote code execution vulnerabilities have been patched this month relating to Microsoft Defender for IoT. Of the six, three of these vulnerabilities are of critical severity with varying attack vectors.

Two of the critical vulnerabilities (CVE-2024-29053 & CVE-2024-21323) can be exploited via path traversal, while the third (CVE-2024-21322) requires the attacker to be an existing administrator of the web application. More details on the exploitability of these flaws can be found in Microsoft’s update guides linked above.

Microsoft also advises regular validation and audits of administrative groups to mitigate malicious or unauthorised usage of privileged accounts.

CVE-2024-29988: SmartScreen Prompt Security Feature Bypass Vulnerability

This important security feature bypass vulnerability exists in Microsoft Defender SmartScreen. To successfully exploit this flaw, the victim needs to be tricked into running a specially crafted malicious file. Likely attack scenarios include instant messages or email attachments. In this case, the attacker has no way to force the user to open the file and must rely on social engineering tactics to entice the user to click a link or open the attachment.

CVE-2024-29990: Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

This important elevation of privilege vulnerability impacts Microsoft Azure Kubernetes Service Confidential Container and could be exploited by unauthenticated attackers to steal credentials and affect resources beyond the security scope managed by AKS Confidential Containers.

To exploit this vulnerability the attacker must access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to.

It is also worth noting that the attacker does not need to be authenticated in order to successfully exploit this flaw, as the attacker can move the same workload onto a machine on which they already have root privileges. Microsoft’s update guide also includes actions that can be taken to protect against this vulnerability; AKSCC admins are advised to follow this guidance to mitigate the risk of an attack.

CVE-2024-26234: Proxy Driver Spoofing Vulnerability

This important proxy driver spoofing vulnerability was discovered by Sophos X-Ops back in December 2023, and was recently reported to Microsoft. Sophos discovered a malicious executable, Catalog.exe, that was signed with a valid Microsoft Hardware Publisher Certificate. Further analysis of the file identified the original requesting publisher as Hainan YouHu Technology Co. Ltd, who are known as the publisher of the LaiXi screen mirroring software.

Sophos researcher Andreas Klopsch stated: "We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application."

Following the report by Sophos, Microsoft added the associated files to their revocation list, and pushed the update as part of their April Patch Tuesday rollout. Microsoft have confirmed that the flaw is being actively exploited in the wild, and was publicly disclosed; as always, updates should be applied as soon as possible to protect against exploitation of this vulnerability.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 10/4/24

Security Guidance

Microsoft Patch Tuesday: March 2024

This month’s Patch Tuesday release sees 60 total vulnerabilities being patched, distributed between 2 critical and 58 important, with zero vulnerabilities publicly disclosed or actively exploited.

CVE-2024-21407: Windows Hyper-V Remote Code Execution Vulnerability

This critical vulnerability affecting Windows Hyper-V could allow a remote attacker to execute arbitrary code on the target host. Exploitation of this flaw requires an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server.

However, it is noted that successful exploitation requires an attacker to know specific information about the environment and take prior actions, but no further information has been provided.

CVE-2024-21400: Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

A vulnerability present in Azure Kubernetes Service could allow an unauthenticated attacker to steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC). Attack complexity for this vulnerability is high, as the attacker is required to prepare the target environment to improve exploit reliability.

CVE-2024-20671: Microsoft Defender Security Feature Bypass Vulnerability

This important vulnerability could allow an authenticated attacker to prevent Microsoft Defender from starting. A fix for this flaw will be automatically applied by the Windows Defender Antimalware Platform, meaning a manual update is not required.

Despite the update being issued automatically, Microsoft is urging users to verify that it has been installed.

You can check this by following these instructions:

1. Open the Windows Security program. For example, type Security in the Search bar, and select the Windows Security program.

2. In the navigation pane, select Virus & threat protection.

3. Under Virus & threat protection updates in the main window, select Check for updates.

4. Select Check for updates again.

5. In the navigation pane, select Settings, and then select About.

6. Examine the Platform Version number. The update was successfully installed if the Malware Protection Platform version number or the signature package version number matches or exceeds the version number that you are trying to verify as installed.
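The same check, scripted in PowerShell, as an added example that is not part of Ironshare's post or Microsoft's instructions: it reads the Defender platform and signature versions with the Defender module's Get-MpComputerStatus cmdlet and compares them against a baseline. The post does not give the version numbers to verify, so the baseline values below are placeholders to be replaced with the versions Microsoft lists for this update; the mapping of the "Platform Version" shown in Windows Security to the AMProductVersion property is an assumption.

```powershell
# Added example: verify that the Defender platform or signature package is at
# or above a required version, mirroring the manual Windows Security check.
# BASELINE VALUES ARE PLACEHOLDERS, not taken from the advisory; replace them
# with the versions Microsoft lists for the update you are verifying.
$Baseline = @{
    AMProductVersion          = '4.18.24030.9'   # placeholder platform version
    AntivirusSignatureVersion = '1.407.0.0'      # placeholder signature version
}

function Test-DefenderUpdateInstalled {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        # A pre-fetched status object can be passed in, e.g. from a remote
        # session; by default the local machine is queried.
        [psobject] $Status = (Get-MpComputerStatus)
    )

    $results = foreach ($name in $Expected.Keys) {
        # [version] casting gives a proper numeric comparison of dotted
        # versions (so 4.18.24030.9 is correctly newer than 4.18.2409.9).
        $installed = [version] $Status.$name
        $required  = [version] $Expected[$name]
        [pscustomobject]@{
            Property  = $name
            Installed = $installed
            Required  = $required
            Ok        = ($installed -ge $required)
        }
    }

    $results | Format-Table -AutoSize | Out-Host

    # Per the advisory wording, the update counts as installed if EITHER the
    # platform version OR the signature package version meets the baseline.
    return [bool] ($results | Where-Object Ok)
}

if (Test-DefenderUpdateInstalled -Expected $Baseline) {
    Write-Host 'Defender update present: platform or signatures at/above baseline.'
} else {
    # Update-MpSignature is the Defender module cmdlet behind "Check for updates".
    Write-Warning 'Platform and signatures both below baseline; run Update-MpSignature and re-check.'
}
```

Run it in an elevated PowerShell session on the endpoint, or pass a status object collected via Invoke-Command to check several machines from one place.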

CVE-2024-26198: Microsoft Exchange Server Remote Code Execution Vulnerability

This important vulnerability in Microsoft Exchange Server could allow an unauthenticated attacker to load a malicious DLL which could lead to remote code execution. Successful exploitation of this flaw requires placing a specially crafted file onto an online directory or in a local network location and then convincing the user to open it to run the DLL.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Mar

Security update guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 13/3/24

Cyber Round-up
News

Cyber Round-up for 8th March

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Apple Rushes to Patch Critical iOS Zero-Days

Apple has issued emergency updates to address two severe iOS zero-day vulnerabilities, identified as CVE-2024-23225 and CVE-2024-23296, which are being actively exploited to compromise iPhones at the kernel level.

These vulnerabilities, involving memory corruption within the iOS Kernel and the RTKit component, could lead to complete system compromise, including unauthorized access to location data, the device's camera and microphone, and messages. Security experts have emphasized the critical nature of these flaws, as they allow attackers to bypass Apple's stringent kernel memory protections, posing significant risks to user privacy and data security.

We urge all Apple users to update their devices to the following versions to ensure that they are protected against these zero-days: iOS 17.4, iPadOS 17.4, iOS 16.76, and iPadOS 16.7.6.

By darkreading.com

US States Call on Meta to Strengthen Defences Against Account Hijackings

In an effort to combat the rising issue of account hijackings, United States officials have called on Meta to take stronger actions against unauthorized access to Facebook and Instagram accounts.

New York Attorney General Letitia James has been one of Meta’s primary critics, claiming that attackers are “winning the war and running rampant on Meta”.

Many states have reported huge increases in complaints relating to social media account compromises, and Meta is being urged to “spend more money to prevent account takeovers, including through increased staffing, and to work more closely with people whose accounts are hacked”.

By reuters.com

Spinning YARN Cryptomining Campaign Targets Misconfigured Servers

Hackers are exploiting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of a growing malware campaign. This activity, dubbed ‘Spinning YARN’, has been persistent since December 2023, and is focused on delivering a cryptocurrency miner and establishing a reverse shell for persistent remote access. The attackers exploit common misconfigurations and vulnerabilities to conduct Remote Code Execution (RCE) attacks and spread the malware to new hosts.

Security researchers have highlighted the need for administrators to properly configure and secure their servers against such attacks, which not only compromise the integrity of the affected systems but also use valuable resources for cryptocurrency mining.

By thehackernews.com

Former Google Engineer Arrested for Stealing AI Tech Secrets

The U.S. Department of Justice has announced an indictment against Linwei (Leon) Ding, a former Google engineer, for allegedly stealing Google's AI technology secrets and transferring them to Chinese companies. Ding is accused of stealing over 500 files related to Google's supercomputing technologies used for AI, including details on GPU and TPU chips, software for chip communication, and the Cluster Management System. Arrested in California, Ding faces a maximum penalty of 10 years in prison and a $250,000 fine for each count of trade secret theft.

By bleepingcomputer.com

NCSC Announces Their New ‘Connected Places’ Infographic

The NCSC have published their latest infographic, named ‘Connected Places’, which outlines their principles for building and designing ‘smart city’ infrastructure.

The NCSC has stated that “These principles will help ensure the security of your connected place and its underlying infrastructure, so that it is both resilient to cyber attack and easier to manage”.

The infographic follows three primary guidelines, which are:

- Understanding your connected place

- Designing your connected place

- Managing your connected place

These principles are “ideal for leaders looking to promote good cyber security practices across their workforce and local community.” More details, as well as the Connected Places Infographic, can be found here.

By ncsc.gov.uk

Stay Safe, Secure and Healthy!

Edition #271 – 8th March 2024

By Joshua Hare on 7/3/24

Security Guidance

The Essential Role of Vulnerability Management for Small to Medium Businesses

We now live in a rapidly evolving, technology-driven digital world, where cyber threats loom large and the stakes for protecting sensitive data have never been higher. Cybersecurity is not just a concern for large enterprises; it's a critical issue for businesses of all sizes, and small to medium-sized businesses (SMBs) are often the most vulnerable targets.

Among the vast number of cybersecurity practices, vulnerability management emerges as a crucial, yet often overlooked, component for SMBs. This blog delves into the significance of vulnerability management for small to medium businesses, outlining its benefits, challenges, and the actions you can take for effective implementation.

Understanding Vulnerability Management

Vulnerability management is the process of identifying, assessing, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This is a proactive approach, designed to fortify the defences of an organization's IT infrastructure; it ensures that potential avenues for cyberattacks are identified and rectified before they can be exploited.

Why is Vulnerability Management Important for SMBs?

  • Protection Against Cyber Threats: SMBs are increasingly targeted by cybercriminals due to the expectation that these businesses will have weaker security measures. Effective vulnerability management can significantly reduce the risk of data breaches, ransomware attacks, and other cyber threats.
  • Regulatory Compliance: Many industries require businesses to adhere to strict data protection standards (such as GDPR, PCI-DSS, SOX or HIPAA). Regular vulnerability assessments help to achieve and maintain compliance, avoiding potential fines and legal issues.
  • Business Continuity: A single cyberattack can disrupt business operations, leading to financial losses and damage to reputation. By identifying and addressing vulnerabilities, SMBs can ensure that their operations remain smooth and resilient against cyber incidents.
  • Competitive Advantage: Demonstrating a commitment to cybersecurity can often serve as a competitive advantage, building trust with customers and partners who are increasingly concerned about data privacy and security.
  • Certification: Managing vulnerabilities across the estate can help achieve certifications, such as Cyber Essentials, which can be a pre-requisite for working with UK Government departments, increasing your business opportunities.

It is reported that 48% of SMBs in the UK experienced a cyber security incident in 2023, with 25% of those suffering multiple cyber incidents.

Challenges for SMBs

Despite its importance and the increasing threat levels, SMBs face several challenges in implementing an effective vulnerability management program:

  • Resource Constraints: The primary challenge is typically limited budgets and IT staff, which makes it very difficult to prioritize and implement comprehensive cybersecurity measures.
  • Lack of Expertise: Many SMBs lack the specialized knowledge required to conduct thorough vulnerability assessments and manage cybersecurity risks.
  • Keeping Pace with Evolving Threats: The cybersecurity landscape is constantly changing, with new vulnerabilities emerging regularly. Staying ahead of these developments requires continuous monitoring and adaptation.

In 2023, a mind-blowing 26,447 vulnerabilities were discovered and registered by researchers worldwide, an increase of over 1,500 on the previous year.

Strategies for Effective Vulnerability Management

Given the importance and challenges listed above, defining a strategy might be a daunting prospect for some SMBs. Below are some guidelines that can get your business moving in the right direction.

Identify Your Assets & Risks: A really important starting point should always be understanding and cataloguing your assets. Assets can be PCs, laptops, servers, network equipment, mobile devices, printers, IoT devices and so on. Why is this important? If you know what you have, you can protect it. Create an asset list and identify the risks associated with these devices before moving on. See our previous blog for more information on this topic:

Cyber Basics: Identify & Assess your Risks (ironshare.co.uk)

Prioritize and Plan: It's key to understand that you can't fix everything at once. Prioritize identified vulnerabilities based on the risk they pose to your business and plan remediation efforts accordingly.

Creating a policy that defines activities and outcomes helps your teams deal with vulnerabilities when they are identified. This policy should state that updates are mandatory and that, where possible (and practical), they are applied automatically.

Automate Where Possible: Automation is your friend. Leveraging vulnerability management tools that automate the scanning and assessment process allows you to focus on the most critical issues, closing gaps before they are exploited.

Educate and Train Staff: Remember, cybersecurity is not just an IT issue; it's a business-wide concern that should be driven from the top of the organisation. Educating your staff on best practices and the importance of cybersecurity can help mitigate risks. Ensuring that staff update their own devices can help protect your business systems and data.

Regularly Review and Update Your Cybersecurity Measures: Cyber threats evolve rapidly, and so should your cybersecurity strategies. Regular reviews and updates to your vulnerability management program and tools are essential to maintaining strong and effective defences.

Partner with Experts: You have got this far, but this may still not be something you feel confident tackling yourself, or you may simply not have the resources. Consider partnering with cybersecurity experts or managed service providers who can offer the specialized knowledge and resources needed to bolster your vulnerability management efforts.
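To make the "Identify Your Assets", "Prioritize and Plan" and "Automate Where Possible" steps concrete, here is a small added example (not code from the original post or from Ironshare) of risk-based prioritisation over a constructed asset inventory. The asset names, finding references and weightings are all invented for illustration; the scoring rule (CVSS base score weighted by asset criticality, internet exposure and known in-the-wild exploitation) is one reasonable choice, not a standard. It also shows the inventory edge case the first step warns about: a finding on a host that is not in your asset list is scored at worst-case criticality and flagged as an inventory gap.

```python
"""Risk-based vulnerability prioritisation over a constructed SMB asset inventory.

Added illustration only: asset names, finding references and weights are
invented and carry no relation to real CVEs or to any particular product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str
    criticality: int        # 1 = nice-to-have .. 5 = business critical (assumed scale)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str              # host name as reported by the scanner
    ref: str                # constructed placeholder id, deliberately not a CVE number
    cvss: float             # CVSS base score 0.0 .. 10.0
    exploited_in_wild: bool # e.g. listed as actively exploited by the vendor
    patch_available: bool


# Worst-case stand-in for any host the scanner reports that is missing from the
# inventory: unknown kit gets treated as business critical until catalogued.
UNKNOWN_ASSET = Asset("<unknown>", "unknown", criticality=5, internet_facing=False)


def risk_score(finding: Finding, asset: Asset) -> float:
    """Weight the raw CVSS score by how much the asset matters and how exposed it is."""
    score = finding.cvss * asset.criticality
    if asset.internet_facing:
        score *= 1.5            # reachable by anyone, not just insiders
    if finding.exploited_in_wild:
        score *= 2              # attackers are already using it; no time to wait
    return round(score, 2)


def recommended_action(score: float, finding: Finding) -> str:
    """Map a score to a remediation tier (thresholds are an assumed policy, not a standard)."""
    if not finding.patch_available:
        return "mitigate (no patch available)"
    if score >= 50:
        return "patch immediately"
    if score >= 20:
        return "patch in next cycle"
    return "schedule with routine updates"


def build_plan(findings: list[Finding], inventory: list[Asset]) -> list[dict]:
    """Return findings ranked by risk, each with an action and an inventory-gap flag."""
    index = {a.name: a for a in inventory}
    plan = []
    for f in findings:
        asset = index.get(f.asset, UNKNOWN_ASSET)
        score = risk_score(f, asset)
        plan.append({
            "asset": f.asset,
            "ref": f.ref,
            "score": score,
            "action": recommended_action(score, f),
            "inventory_gap": f.asset not in index,
        })
    plan.sort(key=lambda row: row["score"], reverse=True)
    return plan


# Constructed sample inventory and scanner output.
SAMPLE_INVENTORY = [
    Asset("web-01", "server", criticality=5, internet_facing=True),
    Asset("finance-pc", "pc", criticality=4, internet_facing=False),
    Asset("lobby-printer", "printer", criticality=1, internet_facing=False),
]
SAMPLE_FINDINGS = [
    Finding("web-01", "FINDING-001", cvss=7.5, exploited_in_wild=True, patch_available=True),
    Finding("finance-pc", "FINDING-002", cvss=9.8, exploited_in_wild=False, patch_available=True),
    Finding("lobby-printer", "FINDING-003", cvss=9.0, exploited_in_wild=False, patch_available=False),
    Finding("web-01", "FINDING-004", cvss=4.3, exploited_in_wild=False, patch_available=True),
    Finding("old-nas", "FINDING-005", cvss=5.0, exploited_in_wild=False, patch_available=True),  # not in inventory
]


if __name__ == "__main__":
    for row in build_plan(SAMPLE_FINDINGS, SAMPLE_INVENTORY):
        gap = "  <-- not in asset list, add it" if row["inventory_gap"] else ""
        print(f'{row["score"]:>7}  {row["asset"]:<14} {row["ref"]:<12} {row["action"]}{gap}')
```

Note how the ranking differs from sorting by CVSS alone: the 9.0 on the lobby printer drops to the bottom because the asset barely matters and has no patch, while a 7.5 on the internet-facing web server that is already being exploited goes straight to the top. That is the point of cataloguing assets first: the same scanner output produces a very different, and far more useful, work queue once you know what each host is for.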

(Shameless plug) Ironshare's Vulnerability Management services may be just what you need, so why not get in contact with us and see if we can help :)

Conclusion

For small to medium-sized businesses, the implementation of a robust vulnerability management program is not just a cybersecurity best practice; it's a critical business necessity.

In the face of growing cyber threats, the ability to identify, assess, and mitigate vulnerabilities promptly, can mean the difference between safeguarding your business's future and becoming a statistic in the growing list of cyberattack victims.

By recognizing the importance of vulnerability management and taking the proactive steps above to integrate it into your cybersecurity strategy, SMBs can protect their assets, ensure business continuity, and foster trust among their customers and partners.

By Stuart Hare on 7/3/24


Ironshare is a provider of Information and Cyber Security services.