October’s Patch Tuesday instalment addresses 119 vulnerabilities, an increase from the 79 in September. This month sees 4 critical vulnerabilities patched, along with 5 publicly disclosed and 2 exploited in the wild.
An unauthenticated attacker could exploit this critical vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server or underlying database. Customers using a vulnerable version of Configuration Manager must install an in-console update to be protected.
For a list of affected versions, and guidance for installing in-console updates, please see Microsoft’s security advisory for this CVE.
A critical vulnerability in Visual Studio Code extension for Arduino could allow remote code execution through a network attack vector stemming from missing authentication for critical functions in the extension.
Microsoft reported it is not planning on patching this vulnerability in Visual Studio Code extension for Arduino as the extension has been deprecated however, the flaw has been fully mitigated by Microsoft. Microsoft’s security advisory clearly states that this CVE is to provide transparency, and there is no action for users to take.
Relating to RDP Server, this critical vulnerability could facilitate server-side remote code execution with the same permissions as the RPC service. This can be achieved by an unauthenticated attacker by sending malformed packets to an RCP host. Microsoft has noted that successful exploitation requires the attacker to win a race condition, reducing the likelihood of abuse.
Relating to RDP Client, two important RCE vulnerabilities could allow an attacker controlling a Remote Desktop Server to trigger remote code execution on the RDP client machine when a victim connects to the attacking server with a vulnerable Remote Desktop Client. Microsoft advises disabling Remote Desktop Services if they are not required. It is also recommended that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled.
This Hyper-V vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. It might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel.
Successful exploitation of this vulnerability requires multiple conditions, such as specific application behaviour, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token as well as requiring an attacker to reboot the machine. The attacker is also required to first compromise the restricted network before running an attack.,
An attack with LAN access could predict the name of a new domain controller and rename their computer to match, establish a secure channel, and keep it active while renaming their computer back to its original name. Once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller resulting in domain administrator privileges and potentially compromise the entire domain.
Microsoft has reported a vulnerability relating to MSHTML, a software component used to render web pages, which has been publicly disclosed and exploited in the wild. MSHTML is a key component in many Microsoft 365 and Microsoft Office products as well as Internet Explorer 11 and Legacy Microsoft Edge browsers on certain platforms and Windows applications. Specific information surrounding the vulnerability and its classification as spoofing has been restricted by Microsoft.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Oct
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
10/10/24
We are pleased to announce that Ironshare has been awarded Certification Body status by the IASME Consortium for both Cyber Essentials and IASME Cyber Assurance certifications. This achievement empowers us to directly support our clients in attaining these crucial cybersecurity certifications, furthering our commitment to enhancing the security posture of businesses across all sectors.
As an accredited IASME Certification Body, Ironshare is now officially authorized to assess and certify organizations against the Cyber Essentials and IASME Cyber Assurance standards. This new capability allows us to provide comprehensive certification services, leveraging our extensive cybersecurity expertise to guide you through every step of the certification journey.
Cyber Essentials is a government-backed certification scheme designed to help organizations protect themselves against a wide range of common cyber attacks. Achieving this certification demonstrates a fundamental level of cyber hygiene, reassuring your customers and stakeholders that you take cybersecurity seriously.
For more information, please visit: https://www.ironshare.co.uk/cyber-essentials
Building upon the Cyber Essentials framework, IASME Cyber Assurance offers a more in-depth assessment that includes aspects such as data privacy, physical security, and staff awareness training. It provides a holistic approach to cybersecurity governance, suitable for organizations seeking to showcase a higher level of security maturity.
For more information, please visit: https://www.ironshare.co.uk/iasme-cyber-assurance
By obtaining these certifications through Ironshare, you benefit from our:
- Personalized Approach: Tailored guidance to meet your specific cybersecurity needs.
- Expert Guidance: Access to our team of seasoned cybersecurity professionals.
- Efficient Certification Process: Streamlined procedures to help you achieve certification promptly.
- Enhanced Credibility: Certifications that boost trust among customers, partners, and regulatory bodies.
Our team works closely with you to identify gaps, implement necessary controls, and ensure compliance with all certification requirements. This not only strengthens your security but also enhances your reputation in the marketplace.
"We are incredibly proud to have achieved IASME Certification Body status," said Stuart Hare, Director at Ironshare. "This milestone reflects our dedication to helping businesses strengthen their cybersecurity defences. By offering certification services for Cyber Essentials and IASME Cyber Assurance, we provide our clients with the tools and recognition they need to operate securely in today's digital landscape."
With our new status, Ironshare becomes a central source for your cybersecurity certification requirements. Our comprehensive services include:
- Initial Consultation: Understanding your current security posture.
- Gap Analysis: Identifying areas that need improvement before certification.
- Remediation Support: Assisting in implementing necessary security controls.
- Certification Assessment: Conducting thorough evaluations to certify compliance.
- Ongoing Support: Providing continued guidance to maintain and improve your cybersecurity measures and certification.
Securing your organization's digital assets has never been more critical. Ironshare invites organizations of all sizes to take advantage of our new certification services. Whether you're beginning your cybersecurity journey or aiming to elevate your existing security measures, we're here to support you every step of the way.
- Phone: +44 121 769 0475
- Email: cyberassurance@ironshare.co.uk
To get certified now, please visit: https://www.ironshare.co.uk/get-started
Learn more about how Ironshare, as an IASME Certification Body, can help safeguard your business and achieve the recognition it deserves.
By
Joshua Hare
on
4/10/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The Necro Android malware has infected over 11 million devices via malicious software development kits (SDKs) embedded in legitimate apps on Google Play, such as Wuta Camera and Max Browser. The malware, delivered through these apps, installs various harmful plugins to display adware, commit subscription fraud, and use devices as proxies for malicious traffic. Although some infected apps were removed from the Play Store, Necro also spreads through unofficial modified versions of popular apps like WhatsApp and Spotify. Users are urged to uninstall these apps immediately.
For more details, you can visit the article here.
By bleepingcomputer.com
A security flaw in OpenAI's ChatGPT macOS app allowed attackers to exploit its memory feature to embed long-term spyware. This vulnerability, termed "SpAIware," enabled continuous data theft, capturing user inputs and responses over time, even across new sessions. By manipulating memory, hackers could persistently exfiltrate data, bypassing single-chat limitations. OpenAI patched this issue in version 1.2024.247 after responsible disclosure. Users are advised to regularly check and clear ChatGPT's stored memories to prevent similar attacks.
For more details, visit the full article here.
By thehackernews.com
The Apple Passwords app, introduced in iOS 18 and macOS Sequoia, allows users to manage, create, and share passwords and passkeys across Apple devices. It features strong password generation, password autofill, and iCloud Keychain integration for seamless syncing. The app also alerts users to compromised or weak passwords and offers secure sharing of credentials with trusted contacts. Additionally, it supports multi-factor authentication codes and provides passkeys for a secure, passwordless login experience.
By support.apple.com
The European privacy group None of Your Business (noyb) has filed a complaint against Mozilla, claiming that its new "privacy-preserving attribution" feature in Firefox infringes on users' privacy rights under GDPR. This feature, introduced in July 2024, allows advertisers to track ad performance without collecting individual data. While Mozilla asserts that it enhances privacy compared to traditional tracking, noyb argues it turns Firefox into an ad measurement tool, undermining its reputation as a privacy-friendly browser. The Austrian Data Protection Authority is now investigating the case.
By therecord.media
Police in the UK are investigating a cyberattack on Wi-Fi networks at several major train stations, including Manchester Piccadilly and London terminals. The attack displayed anti-Islam messages on login pages, but no passenger data was compromised. The affected Wi-Fi services, managed by a third party, were suspended. This incident follows another cyberattack on Transport for London earlier in September, which exposed customer details. Investigations are ongoing, with authorities looking into both incidents.
By securityweek.com
The National Institute of Standards and Technology (NIST) has updated its guidelines on password management, advising against some long-standing practices. According to the new guidelines, using a mixture of character types (such as upper- and lower-case letters, numbers, and symbols) and mandating regular password changes are no longer recommended unless a system has been compromised. NIST also discourages the use of knowledge-based authentication (KBA), such as security questions.
The updated guidelines suggest that passwords should be at least eight characters long, with a recommendation for stronger passwords between 15 to 64 characters. Credential Service Providers (CSPs) are also encouraged to allow the inclusion of ASCII and Unicode characters in passwords. These changes align with ongoing trends from both public and private organizations, including the Federal Trade Commission and Microsoft, emphasizing a more modern, user-friendly approach to password security.
By infosecurity-magazine.com
Stay Safe, Secure and Healthy!
Edition #282 – 27th September 2024
By
Joshua Hare
on
26/9/24
September’s Patch Tuesday instalment patches 79 vulnerabilities, a decrease from the 91 in August. This month sees 7 critical vulnerabilities along with 1 publicly disclosed and 4 exploited in the wild patched.
A critical vulnerability within Windows Update has been exploited in the wild. Microsoft has stated that it was aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 150. This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.
A second critical vulnerability in SharePoint Server could allow an authenticated attacker with Site Owner permissions or higher to upload a specially crafted file to a targeted SharePoint Server and craft specialized API requests to trigger the deserialization of the file's parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server.
In a network-based attack, a critical vulnerability in SharePoint Server could result in remote code execution if the attacker gained a minimum of Site Member permissions. No further information about this vulnerability has been released and there is no evidence of this being used in active attacks.
Two critical vulnerabilities in Azure Stack Hub could result in remote code execution. An authenticated attacker who successfully exploited this vulnerability could gain unauthorized access to system resources, potentially allowing them to perform actions with the same privileges as the compromised process. This could lead to further system compromise and unauthorized actions within the network or other tenants’ applications and content.
Network Address Translation (NAT) permits one public IP address to be shared between multiple devices or private networks. The only information released about this vulnerability is that an attacker would first need to gain access to the restricted target network before attempting to exploit this vulnerability and will then be required to win a race condition.
Azure Web Apps is a cloud computing platform used to host web applications written in various programming languages including .NET, Java, Node. js, Python, and PHP along with providing automatic scaling, load balancing, and high availability. Microsoft reported that an authenticated attacker could exploit an improper authorization vulnerability in Azure Web Apps to elevate privileges over a network and facilitate further malicious actions.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Sep
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
12/9/24
August’s Patch Tuesday instalment addresses 91 vulnerabilities, a decrease from the 142 in July. This month sees 7 critical vulnerabilities patched, along with 3 publicly disclosed and 6 exploited in the wild.
This Windows TCP/IP remote code execution vulnerability has been assigned a max severity of Critical. Exploitation requires an unauthenticated attacker to repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine – if performed successfully, this could enable remote code execution.
Please note that this flaw only affects machines with IPv6 enabled; exploitation is not possible if IPv6 is disabled on the target machine.
The vulnerability assigned to this CVE is in Linux Shim boot. It is being documented in the Security Update Guide to announce that the latest builds of Microsoft Windows address this vulnerability by blocking old, unpatched, Linux boot loaders by applying SBAT (Secure Boot Advanced Targeting) EFI variables in the UEFI library.
To address this security issue, Windows will apply a Secure Boot Advanced Targeting (SBAT) update to block vulnerable Linux boot loaders that could have an impact on Windows security. The SBAT value is not applied to dual-boot systems that boot both Windows and Linux and should not affect these systems. You might find that older Linux distribution ISOs will not boot. If this occurs, work with your Linux vendor to get an update.
For more details on this vulnerability, see this Red Hat Security Advisory: CVE-2023-40547.
These two vulnerabilities in Windows Network Virtualization are considered critical and, if successfully exploited, could enable remote code execution.
To successfully exploit these vulnerabilities, an attacker needs elevated privileges on a compromised machine due to the requirement of manipulating processes beyond the reach of standard user permissions. Exploitation also involves taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016. By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.
Exploitation of either vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content.
This important RCE flaw in Microsoft Project has been exploited in the wild, making patching a high priority. Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the "Block macros from running in Office files from the Internet" policy is disabled and VBA Macro Notification Settings are not enabled – this allows the attacker to perform remote code execution.
Microsoft has advised users not to disable the macro blocking policy, and that exploitation requires the user to open and accept macros to run for the project file.
Exploitation of this important RCE flaw requires an unauthenticated attacker to send a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network and successful exploitation could result in remote code execution on the server. While this vulnerability has been publicly disclosed, the LPD service is not installed or enabled on Windows by default. Users are advised against installing the Line Printer Daemon service until updates have been performed.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
15/8/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Last year saw a significant increase in ticket scams targeting English Premier League (EPL) football fans, and 2024 has seen more of the same. Research by Lloyds Bank reveals that the number of ticket scams more than doubled during the 2022/23 season, with victims losing an average of £154, although some losses exceeded £1,000. Fraudsters primarily operate on social media platforms such as Facebook, Instagram, and X (formerly Twitter), with over 90% of reported scams originating from these sites. Arsenal and Liverpool fans were identified as the most frequent targets.
These scams exploit the high demand and limited availability of EPL tickets, often luring fans with too-good-to-be-true deals. The typical scam involves advertising fake tickets on social media and requesting payment via bank transfer, which offers little protection for the buyer. Lloyds Bank advises fans to purchase tickets only through official club channels or recognized partners to avoid falling victim to these scams. The bank also calls for greater action from social media companies to combat the prevalence of fraudulent activities on their platforms (Home) (TechRadar) (Home).
By cybernews.com
Security researcher Alon Leviev revealed at Black Hat 2024 that two zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) allow attackers to perform downgrade attacks on Windows 10, 11, and Server systems. These attacks force systems to revert to older, vulnerable versions of software, making them susceptible to previously patched security flaws. This process is undetectable by current security measures, as Windows Update reports the system as fully updated. Microsoft is working on fixes and has issued mitigation advice, though no active exploits have been detected yet.
For more details, you can read the full article here.
By bleepingcomputer.com
A critical security vulnerability, CVE-2024-42219, was identified in 1Password 8 for Mac, potentially allowing malicious software on a local machine to bypass security measures and access vault items and credentials. This flaw, affecting versions prior to 8.10.36, was responsibly disclosed by Robinhood’s Red Team. 1Password has addressed the issue in the latest update, and users are strongly advised to upgrade to the newest version to ensure their data remains secure.
For full details of this vulnerability, please see 1Password’s Support Advisory here.
By support.1password.com
AWS has patched several vulnerabilities in its services, including CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar, which could have been exploited for account takeovers. These flaws, disclosed by Aqua Security at Black Hat USA 2024, involved the predictable naming of S3 buckets, allowing attackers to preemptively create buckets and execute malicious code. This could lead to arbitrary code execution, data exfiltration, and the creation of admin users with elevated privileges. AWS confirmed the issues have been resolved, with no customer action required.
By securityweek.com
UK authorities have successfully shut down an online scam platform called "Russian Coms," which enabled criminals to make fraudulent phone calls with ease. This platform, operating since 2021, was used by criminals to impersonate legitimate entities such as banks to deceive victims into transferring money. The National Crime Agency (NCA) reported that the platform had facilitated 1.3 million calls to UK phone numbers, causing financial losses in the tens of millions of pounds and affecting approximately 170,000 UK victims alone.
The operation offered crime-as-a-service, including features like encrypted calls, voice alteration, and even hold music, for a monthly fee. Authorities have arrested three individuals believed to be key figures behind the platform, highlighting the increasing use of technology in perpetrating fraud on a large scale. This shutdown follows previous actions against similar platforms, indicating an ongoing effort to combat cybercrime despite its persistent and evolving nature.
By reuters.com
Stay Safe, Secure and Healthy!
Edition #281 – 9th August 2024
By
Joshua Hare
on
8/8/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
CrowdStrike is facing legal challenges from both customers and investors following a problematic update that led to widespread system failures on approximately 8.5 million Windows devices. The update, which caused a "Blue Screen of Death" error, affected industries such as aviation and healthcare, with Delta Airlines experiencing significant disruptions and financial losses between $350 million and $500 million. The Plymouth County Retirement Association has filed a class-action lawsuit against CrowdStrike, alleging misleading statements about product reliability. Despite these issues, CrowdStrike's liability might be limited by software licenses and insurance policies.
For more details, you can read the full article here.
By securityweek.com
A ransomware attack has disrupted services for nearly 300 small banks in India by targeting C-Edge Technologies, a key banking technology service provider. This attack, which occurred on July 24, forced banks to suspend ATM and online services, affecting customers across the country. C-Edge Technologies, a banking software provider, handles essential banking operations such as check clearing and online transactions. Authorities are working to restore services, while C-Edge is reportedly collaborating with cybersecurity experts to resolve the issue.
By reuters.com
On July 30, 2024, a subset of Microsoft's global customers experienced connectivity issues with certain services, including Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal, and parts of Microsoft 365 and Microsoft Purview. The root cause was an unexpected usage spike stemming from a Distributed Denial-of-Service (DDoS) attack, which resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components underperforming. Microsoft's initial defense mechanisms against the DDoS attack inadvertently worsened the situation due to an implementation error in their defensive strategy.
After identifying the issue, Microsoft made network configuration changes to bolster DDoS protection. These changes mitigated the majority of the impact, though some customers still faced reduced service availability. An updated approach was adopted to aid the remaining affected customers and, as of 20:48 on July 30th, the issue was reported as fully mitigated.
By azure.status.microsoft.com
A new Android malware named BingoMod has been identified, which can wipe devices after stealing money from victims' bank accounts. The malware is distributed via SMS phishing, posing as a legitimate security app, and is capable of stealing up to 15,000 EUR per transaction. It uses Accessibility Services to gain control, intercepting login credentials and SMS messages. BingoMod's on-device fraud technique uses real-time remote access to bypass security systems. It also has capabilities to remove security apps and wipe data remotely.
You can read more in the full article here.
By bleepingcomputer.com
Google Chrome has introduced app-bound encryption to enhance cookie protection on Windows, addressing vulnerabilities where information-stealing malware could exploit cookies. Unlike the existing Data Protection API, which doesn't safeguard against malicious apps executing code, this new approach tightly binds an app's identity to encrypted data, preventing unauthorized access by other applications. This change, which applies to cookies with Chrome 127, aims to be expanded to other data types. Although beneficial, the update does not support environments with roaming profiles, prompting organizations to adjust accordingly.
By thehackernews.com
Stay Safe, Secure and Healthy!
Edition #280 – 2nd August 2024
By
Joshua Hare
on
1/8/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Fujitsu confirmed that a cyberattack in March resulted in the exposure of customer data. The attack involved sophisticated malware that spread from a single compromised computer to 49 others, evading detection and exfiltrating sensitive information. Fujitsu promptly isolated the affected systems and initiated an investigation with external experts. While no ransomware was involved, the malware managed to copy files containing personal and business-related information belonging to their customers. Fujitsu has since implemented enhanced security measures and monitoring to prevent future incidents.
For more details, you can read the full article here.
By bleepingcomputer.com
Ticketmaster recently notified its customers about a significant data breach that compromised the personal information of millions of users. The breach was executed by the hacker group ShinyHunters, which claims to have stolen data from 560 million customers. The compromised data includes names, addresses, phone numbers, emails, and partial credit card details. ShinyHunters is selling the stolen database on the dark web for $500,000.
The breach, which affected customers who bought tickets in North America, was discovered in late May 2024. Ticketmaster's notification to customers has been criticized for lacking detailed information. The company has advised impacted customers to monitor their bank accounts for suspicious activity and to be cautious of unsolicited messages. They are also offering a free 12-month identity monitoring service to those affected. Authorities, including the FBI and Australian National Office of Cyber Security, are investigating the incident.
For more details, you can read Ticketmaster’s full data security incident notice here.
By cybernews.com
A flaw in the ChatGPT app for macOS left user chat histories exposed in plaintext, making them accessible to anyone with unauthorized access to the computer. Discovered by software engineer Pedro José Pereira Vieito, the issue stemmed from the app not being sandboxed and storing data in an unprotected location. OpenAI has since released a new version of the app that encrypts conversations properly. This incident underscores the importance of not rushing to adopt new software and the need for robust security measures in AI applications.
By bitdefender.com
GitLab has released updates to address a critical security vulnerability (CVE-2024-6385) that allows an unauthorised attacker to run pipeline jobs as an arbitrary user, affecting versions 15.8 to 17.1.1 of GitLab CE/EE. This flaw, with a CVSS score of 9.6, follows a similar issue patched last month. Additionally, GitLab fixed a medium-severity vulnerability (CVE-2024-5257) enabling developers with specific permissions to alter group namespace URLs. Users are advised to update to the latest versions: 17.1.2, 17.0.4, and 16.11.6 to mitigate these risks.
By thehackernews.com
Google is expanding its passkey support to high-risk users, including executives and members of civil society, through its Advanced Protection Program (APP). This initiative aims to enhance security by enabling passwordless authentication via passkeys, which use biometric data or PINs instead of traditional passwords. The rollout is part of a broader strategy to protect users against phishing and other cyberattacks by eliminating the vulnerabilities associated with passwords. Passkeys offer a more secure and convenient way to access accounts, as they are resistant to phishing and reduce the risk of data breaches.
This technology is already being used extensively, with over 400 million Google accounts leveraging passkeys for authentication. Google's move aligns with industry trends, as other tech giants like Apple and Microsoft also support passwordless authentication methods to enhance user security and convenience.
By darkreading.com
Welcome to Ironshare’s Round-Up of Microsoft’s Patch Tuesday for July 2024! July’s instalment addresses 142 vulnerabilities, an increase from the 91 seen in June. This month brings updates for 5 critical vulnerabilities along with 2 publicly disclosed and 2 exploited in the wild.
Stay Safe, Secure and Healthy!
Edition #279 – 12th July 2024
By
Joshua Hare
on
11/7/24
July’s Patch Tuesday instalment addresses 142 vulnerabilities, an increase from the 91 seen in June. This month brings updates for 5 critical vulnerabilities along with 2 publicly disclosed and 2 exploited in the wild.
CVE-2024-38077 is one of three RCE vulnerabilities relating to Windows Remote Desktop Licensing. With a CVSS score of 9.8, this critical vulnerability could allow any unauthenticated attacker to execute arbitrary code by sending a specially crafted message to an affected server.
“In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Licensing Service disabled”.
This critical RCE vulnerability relates to the Windows Imaging Component, which provides a framework for working with images and image metadata. Microsoft has reported that only an authenticated attacker can exploit the vulnerability by uploading a malicious TIFF file to a server. It is also worth noting that exploitation does not require administrative or other elevate privileges; any authenticated attacker can exploit this vulnerability.
This important vulnerability in Windows Hyper-V could allow an authenticated attacker to execute code with system privileges. Microsoft has noted that this vulnerability has been seen exploited in the wild but hasn’t released further information into who is exploiting this vulnerability, how, or how widespread the attack is.
The second important flaw to be exploited in the wild is a spoofing vulnerability affecting Windows’ MSHTML Platform, used for rendering HTML pages for the Internet Explorer web browser. Microsoft has stated an attacker could exploit this flaw by sending a malicious file to a user and persuading them to execute it.
An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to an affected SharePoint Server and craft specialised API requests to trigger deserialization of file's parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server.
If successfully exploited, this important vulnerability in .NET and VS could allow an unauthorised attacker to execute arbitrary code on the target system. An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition. Attack complexity for this vulnerability is high, and may require the attacker to gather knowledge about the target environment and make preparations to improve exploit reliability.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Jul
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
10/7/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A new phishing campaign exploits the Windows Search protocol via HTML attachments in emails. These attachments use the search-ms URI to initiate Windows searches for malicious files on remote servers. The phishing emails contain ZIP files with HTML documents that automatically redirect to these malicious URLs, posing as legitimate invoices. The Windows Search protocol displays a fake "Downloads" interface, leading victims to execute harmful batch scripts. To mitigate this threat, users are recommended to delete specific registry entries associated with the search-ms protocol, however Trustwave are advising that doing so will also impact legitimate applications that use the Windows search protocol.
For more details, read the full article here.
By bleepingcomputer.com
AWS Identity and Access Management (IAM) now supports passkeys for multi-factor authentication (MFA), enhancing security and usability. Based on FIDO standards, passkeys use public key cryptography, providing strong, phishing-resistant authentication. Users can now secure their AWS accounts using passkeys with built-in authenticators like Touch ID and Windows Hello, or hardware security keys. This feature is available in all AWS regions except China, allowing seamless, secure sign-ins across devices. For more details, visit the AWS announcement.
In addition to this, starting in mid-2024, AWS will require multi-factor authentication (MFA) for root users of AWS Organizations management accounts. Customers affected by this change will be notified when signing in to the console.
This requirement will expand to additional scenarios throughout 2024, with AWS planning to mandate MFA for standalone accounts as well. This initiative aims to strengthen account security by adding an extra layer of protection to prevent unauthorized access. AWS are also providing resources and guides to help customers implement MFA effectively.
By aws.amazon.com
Google has issued a warning about a critical security flaw in Pixel firmware, identified as CVE-2024-32896, which has been exploited as a zero-day vulnerability. This flaw allows for privilege escalation and has been “under limited, targeted exploitation.”. An update is now available for all supported Pixel devices, which will address this critical vulnerability. Affected users are advised to apply the latest updates at the earliest opportunity.
By thehackernews.com
Apple has released visionOS 1.2 to patch a significant vulnerability, CVE-2024-27812, in its Vision Pro virtual reality headset. This flaw, potentially the first specific to spatial computing, could be exploited via specially crafted web content, leading to denial-of-service (DoS). The update addresses nearly two dozen vulnerabilities, most of which are common across other Apple operating systems. Cybersecurity researcher Ryan Pickren, who reported the issue, notes it as a groundbreaking spatial computing hack. Further details are pending Apple’s approval for disclosure.
By securityweek.com
Microsoft has decided to disable the Windows Recall feature by default on Copilot+ PCs following public outcry over privacy and security concerns. The feature, which creates a searchable digital memory of user activity, was criticized for its potential vulnerability to malware and inadequate data protection. In response, Microsoft will now require users to opt-in explicitly and has enhanced security measures, including requiring Windows Hello enrollment for access and adding encryption to the search index database.
“If you don’t proactively choose to turn it on, it will be off by default,” Microsoft stated.
By securityweek.com
Microsoft's Patch Tuesday instalment for June 2024 includes patches for 51 vulnerabilities, a decrease from the 61 fixes seen in May. This batch of security updates addresses fewer vulnerabilities compared to the previous month, with only 1 critical, and 1 publicly disclosed flaw patched.
Stay Safe, Secure and Healthy!
Edition #278 – 14th June 2024
By
Joshua Hare
on
13/6/24
Microsoft's Patch Tuesday instalment for June 2024 includes patches for 51 vulnerabilities, a decrease from the 61 fixes seen in May. This batch of security updates addresses fewer vulnerabilities compared to the previous month, with only 1 critical, and 1 publicly disclosed flaw patched.
The only critical vulnerability this month affects Microsoft Message Queueing, a messaging protocol that ensures reliable message delivery between applications, even when they are temporarily offline. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. Successful exploitation could allow an unauthenticated attacker and would allow an attacker to execute arbitrary code on the Server. MSMQ is disabled by default and must be enabled for a system to be vulnerable.
This important denial of service vulnerability was the only publicly disclosed flaw this month. The vulnerability affects DNSSEC validation. An attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. An official fix is now available for this flaw and should be applied as soon as possible.
This important vulnerability in Windows Wi-Fi Driver could enable remote code execution if exploited correctly. An unauthenticated attacker could exploit this vulnerability by sending a malicious networking packet to an adjacent system that employs a Wi-Fi networking adapter. Successful exploitation requires the attacker to be within proximity of the target system to send and receive radio transmissions.
Another remote code execution vulnerability, this time in Microsoft Office. Successful exploitation of this flaw requires a user to open a malicious email with an affected version of Microsoft Outlook and then perform specific actions to trigger the vulnerability. The attacker is also required to win a race condition to be successful, making attack complexity high for this flaw. Microsoft has also noted that the preview pane is an attack vector, however additional user interaction is required. An official fix is available for this vulnerability, and should be applied at the earliest opportunity.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Jun
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
12/6/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The FBI has recovered over 7,000 decryption keys from the LockBit ransomware group and is urging victims to contact them to recover encrypted data for free. This follows "Operation Cronos," an international effort that led to the seizure of 34 servers in February 2024, aiding in the creation of a free LockBit 3.0 decryptor. Despite these efforts, LockBit remains active, targeting victims and leaking data. The U.S. State Department offers significant rewards for information leading to the arrest of LockBit leaders and affiliates.
By bleepingcomputer.com
Several London hospitals, including those under King’s College and Guy’s and St Thomas’ hospital trusts, have had to cancel operations and appointments due to a ransomware attack on Synnovis, a pathology laboratory services provider. The cyberattack has disrupted all Synnovis IT systems, significantly impacting services like blood transfusions. NHS England's London region is working with the National Cyber Security Centre to assess and manage the situation. This incident underscores the ongoing vulnerability of healthcare systems to ransomware attacks.
For more details, you can read the full article here.
By securityweek.com
Russian hacker group NoName claimed responsibility for a cyberattack on Santa Barbara Systems, a General Dynamics subsidiary in Spain, which refurbishes Leopard tanks for Ukraine. The group executed a distributed denial-of-service (DDoS) attack, causing the company to temporarily disconnect its website. Despite the attack, General Dynamics reported no compromised systems and confirmed ongoing investigations. This incident aligns with NATO's assertion that Russia has intensified hybrid attacks on companies and infrastructure in member states. Spain recently pledged significant military support for Ukraine, including Leopard 2A4 tanks.
By reuters.com
A recent internal leak at Google has unveiled a significant number of privacy breaches over the past six years. The database, obtained by 404 Media, contains thousands of reports detailing privacy and security incidents involving various Google products, from Street View capturing license plate images to children's voices being recorded through Google's voice services. The incidents, reported by Google employees between 2013 and 2018, include both minor and severe breaches, such as the exposure of over a million email addresses on Socratic.org and unauthorized access to YouTube admin accounts to leak Nintendo game videos. Despite these breaches, the database also shows Google's internal efforts to investigate and address these concerns, although the lack of public disclosure raises questions about the company's transparency practices
By cybernews.com
Stay Safe, Secure and Healthy!
Edition #277 – 7th June 2024
By
Joshua Hare
on
6/6/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Operation Endgame, coordinated by Europol, is the largest-ever international operation against botnets, targeting the dropper malware ecosystem. This extensive effort involved law enforcement from multiple countries and resulted in the dismantling of significant infrastructures used by criminals to deploy malware, including banking Trojans and ransomware. The operation, which included arrests and the seizure of servers, disrupted the activities of cybercriminals who used droppers to spread malware across millions of computers worldwide. This collaboration highlights the effectiveness of joint actions in combating large-scale cyber threats.
For more details, you can read the full article here.
By europol.europa.eu
The BBC experienced a data breach on May 21, affecting around 25,000 current and former employees enrolled to the BBC Pension Scheme. The breach compromised personal information such as names, National Insurance numbers, birth dates, sex, and home addresses but pension portal credentials remain safe. The BBC has notified the affected individuals and assured that there is no evidence of data misuse. The incident has been reported to the UK's Information Commissioner’s Office and the Pensions Regulator. The BBC has advised vigilance against unsolicited communications.
By bleepingcomputer.com
Cooler Master recently disclosed a data breach that exposed sensitive customer information. The breach was discovered during routine security monitoring that revealed unauthorized access to their systems. The compromised data includes personal details such as names, email addresses, phone numbers, and physical addresses of customers. Cooler Master has urged affected individuals to be vigilant against targeted phishing attacks and to monitor their accounts for any suspicious activity.
In response to the breach, Cooler Master is enhancing its security measures to prevent future incidents and is offering identity protection services to those impacted. The company has not provided specific details on the number of customers affected but has communicated its commitment to safeguarding user data and improving its cybersecurity infrastructure.
By cybernews.com
Okta has issued a warning about credential stuffing attacks targeting its Customer Identity Cloud's cross-origin authentication feature. These attacks use stolen username and password combinations from previous breaches, phishing, or malware. Okta advises customers to inspect their logs for suspicious activity and suggests resetting passwords if compromised. To mitigate risks, Okta recommends adopting passwordless authentication methods, enforcing strong password policies, using multi-factor authentication (MFA), disabling unused cross-origin authentication, restricting permitted origins, and enabling breached password detection.
By securityweek.com
Cybersecurity researchers have identified active exploitation of critical vulnerabilities in several WordPress plugins, allowing attackers to create unauthorized administrator accounts. These vulnerabilities, including CVE-2023-6961, CVE-2023-40000, and CVE-2024-2194, are linked to unauthenticated stored cross-site scripting (XSS) due to inadequate input sanitization. The attack involves injecting malicious JavaScript to set up backdoors and tracking scripts. To mitigate risks, WordPress site owners should update plugins and check for suspicious admin accounts and malware. Exploitation attempts largely originate from IPs associated with AS IP Volume Inc., particularly from the Netherlands.
By thehackernews.com
Stay Safe, Secure and Healthy!
Edition #276 – 31st May 2024
By
Joshua Hare
on
30/5/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
LastPass is now encrypting URLs within user vaults to enhance security and privacy. Historically, URLs were unencrypted due to performance constraints on older devices. With advancements in technology, LastPass can now encrypt these URLs without affecting user experience. This change, rolling out in phases starting in June 2024, will further protect sensitive account details and uphold LastPass’s “zero-knowledge architecture”. Users and admins will receive instructions on the transition process, ensuring seamless encryption of all URL fields by the end of 2024. For more details, read the full announcement here.
By blog.lastpass.com
A critical security flaw in Veeam Backup Enterprise Manager (CVE-2024-29849) with a CVSS score of 9.8 allows unauthenticated attackers to bypass authentication and log in as any user. Veeam has also disclosed three other vulnerabilities, including NTLM relay (CVE-2024-29850), an NTLM hash theft (CVE-2024-29851), and log-reading (CVE-2024-29852) flaws. All vulnerabilities are fixed in version 12.1.2.172, and the company urges users to update to the latest version to mitigate these risks.
By thehackernews.com
Microsoft's new Windows 11 Recall feature, announced during an AI event, has sparked significant privacy concerns. The feature takes periodic screenshots of the active window that can be analyzed by an AI model to help you ‘recall’ information you have viewed in the last 3 months, storing all data locally. Although Microsoft claims the data is encrypted and stored only on the user's device, experts worry about potential exploitation by hackers and unauthorized users. The UK’s Information Commissioner’s Office is discussing the idea with Microsoft to understand their plans to protect the recorded information and ensure it is not being misused. Critics argue that this feature introduces substantial privacy and security risks, likening it to a built-in keylogger.
By bleepingcomputer.com
Aston Villa Football Club (AVFC) exposed the personally identifiable information of 135,770 individuals by leaving an Amazon Web Services (AWS) S3 bucket publicly accessible. Discovered by the Cybernews research team on March 13, 2024, the exposed data includes full names, dates of birth, home addresses, phone numbers, email addresses, membership details, and purchase information. This exposure leaves fans vulnerable to spear phishing, identity theft, and the potential for sophisticated social engineering attacks exploiting the leaked data.
Cybernews has advised AVFC to monitor access logs for unauthorized access and recommends encrypting sensitive data to prevent future breaches. Fans are urged to be cautious of any suspicious emails or SMS messages in the near future to protect themselves from targeted phishing attempts and other security risks.
By cybernews.com
The National Cyber Security Centre (NCSC) is now offering guidance on protecting your organisation against Business Email Compromise (BEC) risks. Business Email Compromise is a form of cybercrime where attackers manipulate organisations into transferring funds or sensitive data via fraudulent emails, often by impersonating executives or trusted business partners.
Key takeaways from this guidance include implementing multi-factor authentication, training staff to recognize phishing attempts, verifying payment requests through secondary channels, and maintaining up-to-date software defenses. The NCSC emphasizes the importance of a comprehensive approach combining technical defenses and user awareness to effectively safeguard against these sophisticated attacks.
For more detailed information, you can visit the NCSC blog here.
By ncsc.gov.uk
Stay Safe, Secure and Healthy!
Edition #275 – 24th May 2024
By
Joshua Hare
on
23/5/24
Microsoft's May Patch Tuesday instalment offers patches for 61 total vulnerabilities, a decrease from the 150 seen in April. Of these, only 1 critical vulnerability was patched with 2 publicly disclosed, and 2 exploited in the wild.
The only critical vulnerability to be patched this month targets Microsoft SharePoint Server and, if exploited successfully, allows an authenticated attacker with site owner permission to perform remote code execution. The attacker is required to upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of a file's parameters. While attack complexity for this vulnerability is low, the attacker is required to have highly elevated privileges before exploitation is possible. An official fix is available for this flaw, which should be patched as soon as possible.
This actively exploited, important, vulnerability exists in Windows MSHTML, a core component that is used to render browser-based content. This flaw bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls, allowing an unauthenticated attacker to gain code execution.
To successfully exploit this vulnerability, an attacker would have to entice the victim to load a malicious file onto a vulnerable system and then convince the user to manipulate the specially crafted file. Max severity for this flaw is important.
This important, publicly disclosed vulnerability in Visual Studio could result in denial-of-service if exploited correctly. Microsoft has noted that the “successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data” based on CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') however further information is limited.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-May
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
16/5/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Google has released an emergency security update for Chrome to fix CVE-2024-4947, the third zero-day vulnerability exploited within a week. This high-severity flaw, caused by a type confusion in the V8 JavaScript engine, was reported by Kaspersky researchers and can lead to arbitrary code execution. This update follows the recent patches for CVE-2024-4671 and CVE-2024-4761, highlighting ongoing security challenges for Chrome. The update is available now for all users on Mac, Windows, and Linux; Microsoft is also working on a fix for Edge.
By bleepingcomputer.com
Cybercriminals are increasingly using fake DocuSign templates to carry out phishing attacks, targeting organizations to steal credentials and sensitive data. These scams exploit the familiarity and trust users have with DocuSign, an electronic signature service, by sending emails that appear to be legitimate DocuSign notifications. The emails often contain links to malicious websites designed to steal login credentials.
To protect against these scams, users should be cautious of unexpected DocuSign emails, verify the sender's email address, and avoid clicking on links directly from emails. Instead, they should access documents by logging into DocuSign's official website. Organizations should also invest in comprehensive security awareness training to educate their users, specifically on the threat of email phishing attacks.
By darkreading.com
Dell has reported a data breach affecting approximately 49 million customers. The breach involved the unauthorized access of customer names, physical addresses, and Dell order information, including details about purchased hardware, service tags, item descriptions, and warranty information. Notably, financial details, email addresses, and phone numbers were not compromised.
The breach was discovered after a threat actor attempted to sell the stolen data on a hacking forum and while Dell claims that the breach does not pose significant risks due to the nature of the data involved, cybersecurity experts warn that the exposed information could still be used for targeted attacks, such as phishing.
Dell is currently working with law enforcement and a third-party forensics firm to investigate the incident and has advised affected customers to be cautious of any suspicious communications that appear to be from Dell, particularly those requesting software installations or password changes.
More information on this breach can be found here.
By techcrunch.com
The UK's National Cyber Security Centre (NCSC) has announced measures to support entities at high risk of cyberattacks ahead of the upcoming election. This includes providing tailored guidance and resources to political parties, candidates, and election administrators to bolster their cybersecurity defenses. The initiative aims to safeguard democratic processes from potential threats and ensure the integrity of the election. The NCSC emphasizes the importance of proactive measures and vigilance in the face of increasing cyber threats targeting the electoral system.
For more details, you can read the full article here.
By ncsc.gov.uk
A total of 61 vulnerabilities were addressed by Microsoft this month, including: 1 critical, 2 publicly disclosed, and 2 actively exploited vulnerabilities. The only critical vulnerability to be patched this month targets Microsoft SharePoint Server and, if exploited successfully, allows an authenticated attacker with site owner permission to perform remote code execution.
For more details on this critical flaw, and other important fixes included in this release, we advise reading Ironshare’s round-up of Microsoft’s Patch Tuesday for May 2024.
Stay Safe, Secure and Healthy!
Edition #274 – 17th May 2024
By
Joshua Hare
on
16/5/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
LastPass has reported an ongoing phishing campaign leveraging a phishing kit called CryptoChameleon, which uses LastPass branding to deceive users. The kit enables criminals to create fake login pages to steal user credentials.
The campaign, now utilizing new phishing sites like "tickets-lastpass[.]com," primarily uses SMS and direct calls to direct victims to these sites. LastPass is actively working to take down these sites and advises customers to ignore unsolicited communications and never share their passwords.
By blog.lastpass.com
Ring customers are set to receive a total of $5.6 million as a settlement from a privacy breach lawsuit. This follows claims that Amazon employees and contractors accessed users' private video feeds without permission, leading to security concerns. After complaints of inadequate security measures that allowed unauthorized access to customer video feeds and account information, The Federal Trade Commission (FTC) are issuing refunds for all affected customers.
“The FTC is sending 117,044 PayPal payments to consumers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Consumers should redeem their PayPal payment within 30 days.” – FTC
You can find out more about this settlement in The Federal Trade Commission’s official statement, here.
By bleepingcomputer.com
The UK's National Cyber Security Centre (NCSC) has issued an alert regarding exploitation of vulnerabilities in Cisco firewall platforms. Cisco are aware that the two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, are being actively exploited, posing a significant security risk. If successfully exploited, an attacker could gain control of the affected device with root-level privileges.
These flaws only affect Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Users are urged to apply the latest security updates as soon as possible to protect their systems.
To address the active exploitation, these vulnerabilities have been abused by unknown state-sponsored hackers to conduct espionage. The campaign, named ArcaneDoor by Cisco Talos, involved deploying custom malware, including the “Line Runner” and “Line Dancer” backdoors, to modify configurations, conduct reconnaissance, capture network traffic, and potentially enable lateral movement.
Talos claim that "Perimeter network devices are the perfect intrusion point for espionage-focused campaigns,”, which is supported by a recent trend of attacks against Fortinet, Ivanti, and Palo Alto devices.
By ncsc.gov.uk
A new phishing campaign exploits Autodesk Drive to target corporate users with emails containing malicious PDF links. These emails, appearing legitimate by mimicking sender signatures, direct recipients to phishing sites where they are prompted to enter Microsoft account credentials. The attackers then distribute phishing emails to the contacts of compromised email accounts and have even recreated the malicious documents in multiple languages to spread their campaign to multiple countries.
The email links all appear to use the autode[.]sk URL shortener which, when clicked, directs the user to a PDF hosted on Autodesk Drive. The document contains the sender’s name and the company they work for, to further deceive the user, as well as a button to ‘VIEW DOCUMENT’. This link then redirects to the fake Microsoft sign-in where the user’s credentials are stolen.
All Autodesk users are advised to be on the lookout for signs of phishing; specifically, emails containing an autode[.]sk link.
By securityweek.com
The WP Automatic plugin for WordPress has been hit by millions of SQL injection attacks targeting a critical vulnerability identified as CVE-2024-27956. This flaw has been exploited to create unauthorized admin accounts and plant backdoors on over 30,000 websites, significantly compromising security. PatchStack disclosed this issue, which affects plugin versions before 3.9.2.0. Administrators are urged to update to version 3.92.1 or later to protect their sites.
By bleepingcomputer.com
Stay Safe, Secure and Healthy!
Edition #273 – 26th April 2024
By
Joshua Hare
on
25/4/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Google has launched Chrome Enterprise Premium, an upgraded version of its browser for organizations that offers enhanced security features for a monthly fee per user. This new version adds threat and data protection, improved control options, and better reporting capabilities, aimed at strengthening endpoint security at the browser level. With features such as context-based access controls, support for multiple TCP protocols, and AI-powered threat protection, Chrome Enterprise Premium is designed to offer robust security measures for modern enterprises. Some early adopters, including companies like Snap and Roche, have reported significant & immediate benefits from implementing the new browser version.
By bleepingcomputer.com
Fortinet has issued an urgent patch for a critical vulnerability in FortiClientLinux, identified as CVE-2023-45590 with a CVSS score of 9.4. The flaw allows for arbitrary code execution and is caused by improper control of code generation; it is worth noting that exploitation requires the victim to visit a malicious website, making successful social engineering a must.
This vulnerability affects versions 7.0.3 to 7.0.4, and 7.06 to 7.10 of FortiClientLinux versions. Upgrading to version 7.0.11 is advised. Users of FortiClientLinux version 7.2.0 are advised to upgrade to 7.2.1 or above.
There is no evidence of the vulnerabilities being exploited in the wild, but updating is strongly advised to mitigate risks.
By cybernews.com
Microsoft resolved a security issue where internal files and credentials were exposed due to an unprotected Azure cloud storage server. Discovered by SOCRadar researchers, the server contained critical data for Microsoft’s Bing search engine, including passwords and keys, which could potentially lead to more significant data breaches. Microsoft addressed the issue upon notification, but the duration of exposure remains unclear. It is unclear whether Microsoft has reset the involved credentials, and it is unknown whether the exposed data was discovered or accessed by any threat actors. This incident is part of a series of security challenges Microsoft has faced in recent times and serves as a minor setback in the company’s effort to rebuild trust with their customers.
By techcrunch.com
Apple has issued warnings to iPhone users across 92 countries about targeted mercenary spyware attacks aiming to compromise their devices. These highly sophisticated and well-funded attacks, often associated with entities like NSO Group's Pegasus, primarily target individuals due to their significant roles or the sensitive information they possess. All observed attacks so far have been targeted, with journalists, politicians, and diplomats being the most likely victims; if Apple believes you are a potential target of this spyware campaign, you will likely receive an email with the following message:
"Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,"
Apple advises the following actions to protect against such attacks:
- Enabling lockdown mode on the device
- Updating your device to the latest version
- Seek assistance from experts (for example, the Digital Security Helpline)
By bleepingcomputer.com
Bitdefender's research into LG's WebOS TV operating system revealed several vulnerabilities in versions 4 through 7 that allowed root access by bypassing authorization mechanisms. These issues, affecting over 91,000 devices accessible via the Internet, include adding extra users without authorization, executing commands as root, and exploiting vulnerabilities in system services and API endpoints.
The disclosure process for these flaws began in November 2023, with patches released by March 2024. The security of IoT devices is often overlooked; this investigation highlights the importance of securing IoT devices against unauthorized access and control.
For more details, you can read the full report on Bitdefender's website.
By bitdefender.com
Microsoft’s Patch Tuesday instalment for April addresses a total of 150 vulnerabilities, considerably more than last month’s release. Despite being a huge batch of updates, there are only 3 critical vulnerabilities patched this month, as well as 1 publicly disclosed, and 2 actively exploited flaws.
The most notable flaws addressed this month include: Microsoft Defender for IoT Remote Code Execution, Defender SmartScreen Security Feature Bypass, Proxy Driver Spoofing, and more.
Read Ironshare’s Round-Up of Microsoft’s April Patch Tuesday here.
Stay Safe, Secure and Healthy!
Edition #272 – 12th April 2024
By
Joshua Hare
on
11/4/24
Microsoft’s Patch Tuesday instalment for April addresses a total of 150 vulnerabilities, considerably more than last month’s release. Despite being a huge batch of updates, there are only 3 critical vulnerabilities patched this month, as well as 1 publicly disclosed, and 2 actively exploited flaws.
Six remote code execution vulnerabilities have been patched this month relating to Microsoft Defender for IoT. Of the six, three of these vulnerabilities are of critical severity with varying attack vectors.
Two of the critical vulnerabilities (CVE-2024-29053 & CVE-2024-21323) can be exploited via path traversal, while the third (CVE-2024-21322) requires the attacker to be an existing administrator of the web application. More details on the exploitability of these flaws can be found in Microsoft’s update guides linked above.
Microsoft also advises regular validation and audits of administrative groups to mitigate malicious or unauthorised usage of privileged accounts.
This important security feature bypass vulnerability exists in Microsoft Defender SmartScreen. To successfully exploit this flaw, the victim needs to be tricked into running a specially crafted malicious file. Likely attack scenarios include instant messages or email attachments. In this case, the attacker has no way to force the user to open the file and must rely on social engineering tactics to entice the user to click a link or open the attachment.
This important elevation of privilege vulnerability impacts Microsoft Azure Kubernetes Service Confidential Container and could be exploited by unauthenticated attackers to steal credentials and affect resources beyond the security scope managed by AKS Confidential Containers.
To exploit this vulnerability the attacker must access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to.
It is also worth noting that the attacker does not need to be authenticated in order to successfully exploit this flaw, as the attacker can move the same workload onto a machine they have root privileges. Microsoft’s update guide also includes actions that can be taken to protect against this vulnerability; AKSCC admins are advised to follow this guidance to mitigate the risk of an attack.
This important proxy driver spoofing vulnerability was discovered by Sophos X-Ops back in December 2023, and was recently reported to Microsoft. Sophos discovered a malicious executable, Catalog.exe, that was signed with a valid Microsoft Hardware Publisher Certificate. Further analysis of the file identified the original requesting publisher as Hainan YouHu Technology Co. Ltd, who are known as the publisher of the LaiXi screen mirroring software.
Sophos researcher Andreas Klopsch stated: "We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,"
Following the report by Sophos, Microsoft added the associated files to their revocation list, and pushed the update as part of their April Patch Tuesday rollout. Microsoft have confirmed that the flaw is being actively exploited in the wild, and was publicly disclosed; as always, updates should be applied as soon as possible to protect against exploitation of this vulnerability.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
10/4/24
This month’s Patch Tuesday release sees 60 total vulnerabilities being patched, distributed between 2 critical and 58 important, with zero vulnerabilities publicly disclosed or actively exploited.
This critical vulnerability affecting Windows Hyper-V could allow a remote attacker to execute arbitrary code on the target host. Exploitation of this flaw requires an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server.
However, it is noted that successful exploitation requires an attacker to know specific information about the environment and take prior actions, but no further information has been provided.
A vulnerability present in Azure Kubernetes Service could allow an unauthenticated attacker to steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC). Attack complexity for this vulnerability is high, as the attacker is required to prepare the target environment to improve exploit reliability.
This important vulnerability could allow an authenticated attacker to prevent Microsoft Defender from starting. A fix for this flaw will be automatically applied by the Windows Defender Antimalware Platform, meaning a manual update is not required.
Despite being issued automatically; Microsoft are urging users to verify that this update has been installed.
You can check this by following these instructions:
1. Open the Windows Security program. For example, type Security in the Search bar, and select the Windows Security program.
2. In the navigation pane, select Virus & threat protection.
3. Under Virus & threat protection updates in the main window, select Check for updates.
4. Select Check for updates again.
5. In the navigation pane, select Settings, and then select About.
6. Examine the Platform Version number. The update was successfully installed if the Malware Protection Platform version number or the signature package version number matches or exceeds the version number that you are trying to verify as installed.
This important vulnerability in Microsoft Exchange Server could allow an unauthenticated attacker to load a malicious DLL which could lead to remote code execution. Successful exploitation of this flaw requires placing a specially crafted file onto an online directory or in a local network location and then convincing the user to open it to run the DLL.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Mar
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
13/3/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Apple has issued emergency updates to address two severe iOS zero-day vulnerabilities, identified as CVE-2024-23225 and CVE-2024-23296, which are being actively exploited to compromise iPhones at the kernel level.
These vulnerabilities, involving memory corruption within the iOS Kernel and the RTKit component, could lead to complete system compromise, including unauthorized access to location data, the device's camera and microphone, and messages. Security experts have emphasized the critical nature of these flaws, as they allow attackers to bypass Apple's stringent kernel memory protections, posing significant risks to user privacy and data security.
We urge all Apple users to update their devices to the following versions to ensure that they are protected against these zero-days: iOS 17.4, iPadOS 17.4, iOS 16.76, and iPad 16.7.6.
By darkreading.com
In an effort to combat the rising issue of account hijackings, United States officials have called on Meta to take stronger actions against unauthorized access to Facebook and Instagram accounts.
New York Attorney General, Letitia James, has been one of Meta’s primary critics, claiming that attackers are “winning the war and running rampant on Meta,”.
Many states have reported huge increases in complaints relating to social media account compromises, and Meta is being urged to “spend more money to prevent account takeovers, including through increased staffing, and to work more closely with people whose accounts are hacked.”.
By reuters.com
Hackers are exploiting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of a growing malware campaign. This activity, dubbed ‘Spinning YARN’, has been persistent since December 2023, and is focused on delivering a cryptocurrency miner and establishing a reverse shell for persistent remote access. The attackers exploit common misconfigurations and vulnerabilities to conduct Remote Code Execution (RCE) attacks and spread the malware to new hosts.
Security researchers have highlighted the need for administrators to properly configure and secure their servers against such attacks, which not only compromise the integrity of the affected systems but also use valuable resources for cryptocurrency mining.
By thehackernews.com
The U.S. Department of Justice has announced an indictment against Linwei (Leon) Ding, a former Google engineer, for allegedly stealing Google's AI technology secrets and transferring them to Chinese companies. Ding is accused of stealing over 500 files related to Google's supercomputing technologies used for AI, including details on GPU and TPU chips, software for chip communication, and the Cluster Management System. Arrested in California, Ding faces a maximum penalty of 10 years in prison and a $250,000 fine for each count of trade secret theft.
By bleepingcomputer.com
The NCSC have published their latest infographic, named ‘Connected Places’, which outlines their principles for building and designing ‘smart city’ infrastructure.
The NCSC have stated that “These principles will help ensure the security of your connected place and its underlying infrastructure, so that it is both resilient to cyber attack and easier to manage.”.
The infographic follows three primary guidelines, which are:
- Understanding your connected place
- Designing your connected place
- Managing your connected place
These principles are “ideal for leaders looking to promote good cyber security practises across their workforce and local community.”. More details, as well as the Connected Places Infographic, can be found here.
By ncsc.gov.uk
Stay Safe, Secure and Healthy!
Edition #271 – 8th March 2024
By
Joshua Hare
on
7/3/24
We now live in a rapidly evolving digital & technology driven world, where cyber threats loom large and the stakes for protecting sensitive data have never been higher. Cybersecurity is not just a concern for large enterprises; it's a critical issue for businesses of all sizes, where small to medium-sized businesses (SMBs) are often the most vulnerable targets.
Among the vast number of cybersecurity practices, vulnerability management emerges as a crucial, yet often overlooked, component for SMBs. This blog delves into the significance of vulnerability management for small to medium businesses, outlining its benefits, challenges, and the actions you can take for effective implementation.
Vulnerability management is the process of identifying, assessing, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This is a proactive approach, designed to fortify the defences of an organization's IT infrastructure; it ensures that potential avenues for cyberattacks are identified and rectified before they can be exploited.
Its reported that 48% of SMBs in the UK experienced a cyber security incident in 2023, with 25% of those, suffering from multiple cyber incidents.
Despite its importance and the increasing threat levels, SMBs face several challenges in implementing an effective vulnerability management program:
In 2023 a mind blowing 26,447 vulnerabilities were discovered and registered by researchers worldwide, increasing by over 1,500 on the previous year.
Taking into account the importance and challenges listed above, defining a strategy for some SMBs might be a daunting prospect. Below are some guidelines that can get your business moving in the right direction.
Identify Your Assets & Risks: A really important starting point should always be understanding and cataloguing your assets. Assets can be PCs, Laptops, Servers, network equipment, mobile devices, printers, and IoT devices etc. Why is this important? If you know what have, you can protect it. Create an asset list and identify risks associated with these devices before moving on. See our previous blog for more information on this topic:
Cyber Basics: Identify & Assess your Risks (ironshare.co.uk)
Prioritize and Plan: Its key to understand that you can't fix everything at once. Prioritize identified vulnerabilities based on the risk they pose to your business and plan remediation efforts accordingly.
Creating a policy to define activities and outcomes, helps your teams to deal with vulnerabilities when they are identified. This policy should state that updates are mandatory and where possible (and practical) update automatically.
Automate Where Possible: Automation is your friend; leveraging vulnerability management tools that automate the scanning and assessment process, allows you to focus on the most critical issues, closing gaps before they are exploited.
Educate and Train Staff: Remember, Cybersecurity is not just an IT issue; it's a business-wide concern that should be driven from the top of the organisation. Educating your staff on best practices and the importance of cybersecurity can help mitigate risks. Ensuring that staff update their own devices can help protect your business systems and data.
Regularly Review and Update Your Cybersecurity Measures: Cyber threats evolve, rapidly, and so should your cybersecurity strategies. Regular reviews and updates to your vulnerability management program and tools are essential to maintaining strong and effective defences.
Partner with Experts: You have got this far, but this may still not be something you feel confident with tackling yourself, or you just don’t have the resources. Consider partnering with cybersecurity experts or managed service providers who can offer the specialized knowledge and resources needed to bolster your vulnerability management efforts.
(Shameless plug) Ironshare's Vulnerability Management services may be just what you need, so why not get in contact with us and see if we can help :)
For small to medium-sized businesses, the implementation of a robust vulnerability management program is not just a cybersecurity best practice; it's a critical business necessity.
In the face of growing cyber threats, the ability to identify, assess, and mitigate vulnerabilities promptly, can mean the difference between safeguarding your business's future and becoming a statistic in the growing list of cyberattack victims.
Recognizing the importance of vulnerability management and taking the proactive steps above to integrate it into your cybersecurity strategy, SMBs can protect their assets, ensure business continuity, and foster trust among their customers and partners.
By
Stuart Hare
on
7/3/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The Lazarus Group, known for its connections to North Korea, has exploited the Python Package Index (PyPI) by uploading malicious packages targeting developer systems. These packages, designed to mimic popular Python packages, leverage typographical errors made by users when installing. With names like ‘pycryptoenv’, ‘pycryptoconf’, ‘quasarlib’, and ‘swapmempool’, the malicious packages were collectively downloaded over 3,000 times before being removed. This attack highlights the importance of vigilance when downloading and installing software components.
By thehackernews.com
Pepco Group, a European discount retailer, reported significant financial losses amounting to approximately 15 million euros due to a phishing attack on its Hungarian business. This incident demonstrates the financial and operational risks posed by cyberattacks and the importance of robust cybersecurity measures to protect against phishing and other forms of social engineering.
It is believed that no customer, supplier, or staff data has been compromised. Investigations are still underway, and not much more information has been shared by Pepco at this stage.
By reuters.com
In a recent cybersecurity incident, Cutout.Pro, an AI photo and video editing service, experienced a significant data breach impacting 20 million users. A hacker publicized the leak on a well-known forum, releasing user emails, hashed passwords, IP addresses, and names. While Cutout.Pro has yet to comment, the breach's exposure raises serious concerns about user privacy and security. We urge all members to update their passwords and remain vigilant against potential phishing attempts.
By bleepingcomputer.com
The National Cyber Security Centre has issued a warning about the evolving tactics of SVR cyber actors targeting cloud services. These adversaries are refining their methods to breach cloud infrastructure, signalling a heightened threat to cloud security. Organizations are encouraged to bolster their defences and stay updated on the latest cybersecurity practices to counteract these sophisticated techniques.
For more information, please refer to the original article on the NCSC website.
By ncsc.gov.uk
Thyssenkrupp, a German industrial engineering and steel production conglomerate, confirmed a ransomware attack on its automotive unit, disrupting factory production. The attack was part of a trend targeting large corporations, especially in the industrial and manufacturing sectors. Despite the disruption, Thyssenkrupp has stated that the situation is under control and has continued to supply its customers.
By securityweek.com
Iranian hackers, identified as UNC1549, have been conducting cyberattacks against aerospace, aviation, and defence sectors in the Middle East using Microsoft Azure infrastructure. The campaign, active since at least June 2022, involves deploying two unique backdoors, MiniBike and MiniBus, for espionage activities in countries including Israel, the UAE, Albania, India, and Turkey. These activities are suspected to be linked to Iran's Islamic Revolutionary Guard Corps and utilize sophisticated tactics like spear-phishing and fake job offers to distribute malware and gather intelligence.
By securityweek.com
Stay Safe, Secure and Healthy!
Edition #270 – 1st March 2024
By
Joshua Hare
on
29/2/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Ukrainian authorities have made a significant breakthrough in the fight against LockBit by arresting a father and son linked to the notorious ransomware gang. This operation, part of a larger crackdown on LockBit, highlights Ukraine's commitment to combatting cyber threats. The gang has caused substantial economic damage in recent history and has become one of the most prolific cybercrime groups. This arrest is a crucial step in dismantling their activities and showcases international cooperation in tackling cyber threats.
In addition to this, the National Crime Agency has led an international investigation into the LockBit cybercrime group. This has resulted in the NCA gaining control over LockBit's services, "compromising their entire criminal enterprise.". More details on this operation can be found here.
By reuters.com
Security researchers have uncovered two critical vulnerabilities (tracked as CVE-2023-52160 and CVE-2023-52161) in open-source Wi-Fi software affecting Android, Linux, and ChromeOS devices.
CVE-2023-52160 affects wpa_supplicant versions 2.10 and prior. Successful exploitation of this flaw requires the attacker to possess the SSID of a Wi-Fi network the victim has previously connected to. Additionally, any Wi-Fi clients that are configured to correctly verify the certificate of the authentication server are not affected. wpa_supplicant is used by default on all Android devices, making this a high-profile vulnerability.
CVE-2023-52161 exists in Intel’s iNet Wireless Daemon (IWD) and affects versions 2.12 and prior. If exploited correctly, the attacker could gain unauthorised access to secure networks that would otherwise require a password.
These vulnerabilities underscore the importance of robust security measures in Wi-Fi authentication processes. As always, affected users are prompted to apply the latest updates at the earliest date.
By thehackernews.com
In an innovative move to future-proof its messaging service, Apple has announced an upgrade to iMessage that enhances its encryption standards to resist decryption by quantum computers. This update is pivotal as quantum computing promises to break traditional encryption methods, posing a significant risk to data privacy. Apple's proactive measure ensures that iMessage remains a secure communication platform and highlights Apple's commitment to user privacy.
By reuters.com
South Korean security researchers from Kookmin University have discovered a vulnerability in the Rhysida ransomware, enabling them to decrypt files encrypted by this notorious malware. By exploiting an implementation flaw in Rhysida's encryption key generation process, the team was able to regenerate the random number generator's internal state at the time of infection, allowing for the successful decryption of data. This breakthrough marks the first successful decryption of Rhysida ransomware. A decryption tool has been developed and released to the public through the Korea Internet and Security Agency (KISA), with instructions available in English to ensure broader accessibility.
While this will allow victims to recover their data, the public disclosure of such a recovery tool will alert Rhysida to the flaw in their software, almost guaranteeing the arrival of a patch in the near future. This will unfortunately limit the effectiveness of the decryption tool over time.
By tripwire.com
A China-linked cyber espionage group known as Mustang Panda has intensified its activities in Asia using an advanced variant of the PlugX malware, dubbed DOPLUGS. This campaign has primarily targeted Taiwan and Vietnam through spear-phishing campaigns, in which DOPLUGS is used for initial data gathering before deploying the more complex PlugX backdoor. The upgrades in DOPLUGS, including the use of the Nim programming language and a unique RC4 decryption method, showcase Mustang Panda's evolving tactics aimed at espionage within Asian and European regions.
By thehackernews.com
Stay Safe, Secure and Healthy!
Edition #269 – 23rd February 2024
By
Joshua Hare
on
22/2/24
No results found.
