Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The Lazarus Group, known for its connections to North Korea, has exploited the Python Package Index (PyPI) by uploading malicious packages targeting developer systems. These packages, designed to mimic popular Python packages, leverage typographical errors made by users when installing. With names like ‘pycryptoenv’, ‘pycryptoconf’, ‘quasarlib’, and ‘swapmempool’, the malicious packages were collectively downloaded over 3,000 times before being removed. This attack highlights the importance of vigilance when downloading and installing software components.
By thehackernews.com
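A practical takeaway from the PyPI story above is to check package names before they ever reach pip. The script below is an added example (not code from the article or from any party it describes): it normalises names the way PyPI does, then flags any requested package that is within a couple of edits of an approved name, or that is an approved name with an extra affix bolted on, which is the pattern of the names reported. The allowlist and the requirements file are constructed for the demo.

```python
import re

# Constructed allowlist standing in for an organisation's approved-package list
# (an assumption for the demo; not taken from the article).
TRUSTED_PACKAGES = {
    "requests", "urllib3", "numpy", "cryptography", "pycryptodome", "pycrypto",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(name: str, trusted=TRUSTED_PACKAGES, max_edits: int = 2):
    """Return ('trusted', name), ('suspect', [(lookalike, reason), ...]) or ('unknown', [])."""
    n = normalize(name)
    if n in trusted:
        return "trusted", n
    hits = []
    for t in sorted(trusted):
        d = levenshtein(n, t)
        if d <= max_edits:
            hits.append((t, f"edit distance {d}"))
        elif len(t) >= 5 and (n.startswith(t) or n.endswith(t)):
            # 'pycryptoenv' / 'pycryptoconf' style: a real name with a bolt-on affix
            hits.append((t, "trusted name with extra affix"))
    return ("suspect" if hits else "unknown"), hits


def audit_requirements(text: str):
    """Classify every requirement line; returns {package_as_written: (verdict, details)}."""
    report = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Drop version specifiers, extras and environment markers to get the bare name.
        pkg = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0]
        report[pkg] = classify(pkg)
    return report


# Constructed sample requirements file for the demo; not from the article.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
Numpy>=1.26          # case and normalisation test
requets              # one dropped letter
pycryptoenv          # one of the names reported in the article
quasarlib            # no trusted lookalike: unknown, which is not the same as safe
"""

if __name__ == "__main__":
    for pkg, (verdict, details) in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:14} {verdict:8} {details}")
```

An "unknown" verdict only means the name is not close to anything on the allowlist; in a real pipeline it should route to a review step rather than being treated as clean.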
Pepco Group, a European discount retailer, reported significant financial losses amounting to approximately 15 million euros due to a phishing attack on its Hungarian business. This incident demonstrates the financial and operational risks posed by cyberattacks and the importance of robust cybersecurity measures to protect against phishing and other forms of social engineering.
It is believed that no customer, supplier, or staff data has been compromised. Investigations are still underway, and not much more information has been shared by Pepco at this stage.
By reuters.com
In a recent cybersecurity incident, Cutout.Pro, an AI photo and video editing service, experienced a significant data breach impacting 20 million users. A hacker publicised the leak on a well-known forum, releasing user emails, hashed passwords, IP addresses, and names. While Cutout.Pro has yet to comment, the breach's exposure raises serious concerns about user privacy and security. We urge all affected users to update their passwords and remain vigilant against potential phishing attempts.
By bleepingcomputer.com
The National Cyber Security Centre has issued a warning about the evolving tactics of SVR (Russia's Foreign Intelligence Service) cyber actors targeting cloud services. These adversaries are refining their methods to breach cloud infrastructure, signalling a heightened threat to cloud security. Organisations are encouraged to bolster their defences and stay updated on the latest cybersecurity practices to counteract these sophisticated techniques.
For more information, please refer to the original article on the NCSC website.
By ncsc.gov.uk
Thyssenkrupp, a German industrial engineering and steel production conglomerate, confirmed a ransomware attack on its automotive unit, disrupting factory production. The attack was part of a trend targeting large corporations, especially in the industrial and manufacturing sectors. Despite the disruption, Thyssenkrupp has stated that the situation is under control and has continued to supply its customers.
By securityweek.com
Iranian hackers, identified as UNC1549, have been conducting cyberattacks against aerospace, aviation, and defence sectors in the Middle East using Microsoft Azure infrastructure. The campaign, active since at least June 2022, involves deploying two unique backdoors, MiniBike and MiniBus, for espionage activities in countries including Israel, the UAE, Albania, India, and Turkey. These activities are suspected to be linked to Iran's Islamic Revolutionary Guard Corps and utilize sophisticated tactics like spear-phishing and fake job offers to distribute malware and gather intelligence.
By securityweek.com
Stay Safe, Secure and Healthy!
Edition #270 – 1st March 2024
By Joshua Hare on 29/2/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Ukrainian authorities have made a significant breakthrough in the fight against LockBit by arresting a father and son linked to the notorious ransomware gang. This operation, part of a larger crackdown on LockBit, highlights Ukraine's commitment to combatting cyber threats. The gang has caused substantial economic damage in recent history and has become one of the most prolific cybercrime groups. This arrest is a crucial step in dismantling their activities and showcases international cooperation in tackling cyber threats.
In addition to this, the National Crime Agency has led an international investigation into the LockBit cybercrime group, which has resulted in the NCA gaining control over LockBit's services, "compromising their entire criminal enterprise." More details on this operation are available from the NCA.
By reuters.com
Security researchers have uncovered two authentication bypass vulnerabilities (tracked as CVE-2023-52160 and CVE-2023-52161) in open-source Wi-Fi software affecting Android, Linux, and ChromeOS devices.
CVE-2023-52160 affects wpa_supplicant versions 2.10 and prior. Successful exploitation of this flaw requires the attacker to possess the SSID of a Wi-Fi network the victim has previously connected to. Additionally, any Wi-Fi clients that are configured to correctly verify the certificate of the authentication server are not affected. wpa_supplicant is used by default on all Android devices, making this a high-profile vulnerability.
CVE-2023-52161 exists in Intel’s iNet Wireless Daemon (IWD) and affects versions 2.12 and prior. If exploited correctly, the attacker could gain unauthorised access to secure networks that would otherwise require a password.
These vulnerabilities underscore the importance of robust security measures in Wi-Fi authentication processes. As always, affected users are urged to apply the latest updates as soon as possible.
By thehackernews.com
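The mitigating condition in the wpa_supplicant item above is that clients which properly validate the authentication server's certificate are not affected. The script below is an added example, not from the article or the wpa_supplicant project: it parses the network blocks of a wpa_supplicant.conf (a constructed sample is embedded) and reports every EAP network that names no CA certificate or no server-identity match, since those are the settings that decide whether the client will accept a rogue access point's server. The option names are real wpa_supplicant options; the SSIDs, paths and credentials are made up.

```python
# wpa_supplicant.conf options that anchor (pin) the EAP server's certificate chain,
# and options that bind the certificate to a specific server identity.
ANCHOR_OPTIONS = {"ca_cert", "ca_cert2", "ca_path"}
IDENTITY_OPTIONS = {"domain_match", "domain_suffix_match", "altsubject_match", "subject_match"}


def parse_networks(conf: str):
    """Return one dict per network={...} block, with surrounding quotes stripped from values."""
    networks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # wpa_supplicant comments start the line
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net: dict):
    """Findings for one network block; an empty list means nothing to report."""
    if "EAP" not in net.get("key_mgmt", "").upper():
        return []                                # PSK and open networks are out of scope here
    findings = []
    if not ANCHOR_OPTIONS & net.keys():
        findings.append("no ca_cert/ca_path: the server certificate is not validated at all")
    if not IDENTITY_OPTIONS & net.keys():
        findings.append("no domain_match/domain_suffix_match: any certificate the CA issued is accepted")
    if findings and net.get("eap", "").upper() == "PEAP" and "MSCHAPV2" in net.get("phase2", "").upper():
        findings.append("PEAP/MSCHAPv2 without server validation: a rogue AP can harvest the inner credentials")
    return findings


def audit_config(conf: str):
    """Map SSID -> findings, for every EAP network that has at least one finding."""
    report = {}
    for net in parse_networks(conf):
        findings = audit_network(net)
        if findings:
            report[net.get("ssid", "?")] = findings
    return report


# Constructed sample config for the demo; not from the article or any real device.
SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

# Weak: no CA certificate and no server identity check.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened: pinned CA plus the expected RADIUS server name.
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
'''

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid)
        for finding in findings:
            print("  -", finding)
```

Applying the update is still the fix for the bug itself; the audit is for the configuration condition the advisory singles out, and it is equally useful on systems that are already patched.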
In an innovative move to future-proof its messaging service, Apple has announced an upgrade to iMessage that enhances its encryption standards to resist decryption by quantum computers. This update is pivotal as quantum computing promises to break traditional encryption methods, posing a significant risk to data privacy. Apple's proactive measure ensures that iMessage remains a secure communication platform and highlights Apple's commitment to user privacy.
By reuters.com
South Korean security researchers from Kookmin University have discovered a vulnerability in the Rhysida ransomware, enabling them to decrypt files encrypted by this notorious malware. By exploiting an implementation flaw in Rhysida's encryption key generation process, the team was able to regenerate the random number generator's internal state at the time of infection, allowing for the successful decryption of data. This breakthrough marks the first successful decryption of Rhysida ransomware. A decryption tool has been developed and released to the public through the Korea Internet and Security Agency (KISA), with instructions available in English to ensure broader accessibility.
While this will allow victims to recover their data, the public disclosure of such a recovery tool will alert Rhysida to the flaw in their software, almost guaranteeing the arrival of a patch in the near future. This will unfortunately limit the effectiveness of the decryption tool over time.
By tripwire.com
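The Rhysida result above rests on a general weakness: if an encryption key is derived from a PRNG seeded with something the defender can bound, such as the time of infection, the key can be regenerated by replaying the key schedule for every seed in that window. The block below is an added toy illustration of that principle only; it is not Rhysida's scheme, the KISA tool, or the researchers' code. It uses Python's random module as the stand-in PRNG, repeating-key XOR as the stand-in cipher, and a known file header as the check, with a constructed infection time.

```python
import random

FILE_MAGIC = b"%PDF-1.7"      # known-plaintext prefix: PDF files start with this


def derive_key(seed: int, length: int = 32) -> bytes:
    """Toy key schedule: the key is just the first bytes out of a PRNG seeded with a timestamp."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (repeating-key XOR) standing in for the real cipher; symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def ransomware_encrypt(plaintext: bytes, infection_time: int) -> bytes:
    """Models the flawed design: the key depends only on the coarse infection timestamp."""
    return xor_cipher(plaintext, derive_key(infection_time))


def recover_key(ciphertext: bytes, known_prefix: bytes, window_start: int, window_end: int):
    """Re-run the key schedule for every candidate second in the window and test each key
    against a known-plaintext prefix. Returns (seed, key) or None if nothing matched."""
    for seed in range(window_start, window_end + 1):
        key = derive_key(seed)
        if xor_cipher(ciphertext[:len(known_prefix)], key) == known_prefix:
            return seed, key
    return None


def demo():
    """Constructed scenario: a file encrypted at a roughly known time, recovered from the window."""
    infection_time = 1_700_000_000                       # epoch seconds (made up for the demo)
    plaintext = FILE_MAGIC + b"\n% sample document body\n"
    ciphertext = ransomware_encrypt(plaintext, infection_time)
    # The defender knows from file mtimes and logs that encryption happened within one hour.
    found = recover_key(ciphertext, FILE_MAGIC, infection_time - 3600, infection_time + 3600)
    if found is None:
        return None
    seed, key = found
    return seed, xor_cipher(ciphertext, key)


if __name__ == "__main__":
    seed, recovered = demo()
    print("recovered seed:", seed)
    print("recovered plaintext:", recovered)
```

The search cost is linear in the size of the time window, which is why a seed of a few bytes of wall-clock time gives no real security no matter how strong the cipher fed by it is; a properly generated key comes from an OS CSPRNG and cannot be narrowed down this way.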
A China-linked cyber espionage group known as Mustang Panda has intensified its activities in Asia using an advanced variant of the PlugX malware, dubbed DOPLUGS. This campaign has primarily targeted Taiwan and Vietnam through spear-phishing campaigns, in which DOPLUGS is used for initial data gathering before deploying the more complex PlugX backdoor. The upgrades in DOPLUGS, including the use of the Nim programming language and a unique RC4 decryption method, showcase Mustang Panda's evolving tactics aimed at espionage within Asian and European regions.
By thehackernews.com
Stay Safe, Secure and Healthy!
Edition #269 – 23rd February 2024
By Joshua Hare on 22/2/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
GoldPickaxe is the latest malware strain developed by the Chinese threat group GoldFactory and is the first to affect both iOS and Android devices.
A typical GoldPickaxe attack begins with phishing and smishing messages sent to the victim, tricking them into installing fraudulent apps. Android users are directed to a fraudulent site impersonating the Google Play Store, whereas iOS users are led to install a malicious Mobile Device Management profile that gives the attacker control over their device.
Once the trojan application has been installed, it attempts to capture videos of the victim’s face, images of ID cards, and other device information. It is assumed that this data is sought after for use in banking fraud operations, however this has not been confirmed.
It is worth noting that the malicious app will attempt to lure the user into providing videos of their face and ID cards but cannot access existing Face ID data stored on the device.
“Biometric data stored on the devices’ secure enclaves is still appropriately encrypted and completely isolated from running apps.”
By bleepingcomputer.com
Fulton County, Georgia, has reported a cyberattack on their systems and the culprit, LockBit, is threatening to publish confidential documents if a ransom isn’t paid. The attack has caused widespread IT outages during the last week of January, affecting phone, court, and tax systems.
Fulton County chair Robb Pitts has stated that there is no evidence that the group stole sensitive personal data belonging to citizens or employees, but the investigation is still at an early stage. Despite this statement, LockBit has released screenshots as evidence that it gained access to sensitive systems and stole sensitive personal data.
“Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens' personal data,” reads LockBit’s threat.
LockBit have a deadline set for the 16th of February; if the ransom is not paid by this date, data will be leaked. Fulton administration appears to be unwilling to pay the attackers and is instead looking to insurance to aid in the recovery of their systems.
By bleepingcomputer.com
A critical vulnerability in Zoom’s Windows applications, tracked as CVE-2024-24691 (CVSS score of 9.6), has been labelled as an improper input validation flaw that could allow an attacker with network access to elevate their privileges.
The flaw affects the following Zoom Windows Applications:
- Desktop Client for Windows (all versions before 5.16.5),
- VDI Client for Windows (all versions before 5.16.10 - excluding 5.14.14 and 5.15.12),
- Rooms Client for Windows (all versions before 5.17.0),
- Meeting SDK for Windows (all versions before 5.16.5)
Multiple other vulnerabilities were addressed in this batch of security updates, including a high-severity privilege escalation flaw, two medium-severity information leak flaws, and more. For full details on all vulnerabilities addressed this week, as well as all affected versions, please consult Zoom’s Security Bulletin.
By securityweek.com
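To act on the Zoom version list above across a fleet, the check below (an added example, not from Zoom or the article) encodes the first fixed version for each product together with the two VDI maintenance releases that are excepted, and compares on major.minor.patch so that full build strings such as 5.16.5.24457 are handled. The hostnames and versions in the inventory are constructed for the demo.

```python
from typing import Dict, Set, Tuple

Version = Tuple[int, int, int]

# Affected products per the bulletin summary: first fixed version, plus earlier
# maintenance releases that already carry the fix (the VDI exceptions).
AFFECTED: Dict[str, Tuple[Version, Set[Version]]] = {
    "desktop":     ((5, 16, 5),  set()),
    "vdi":         ((5, 16, 10), {(5, 14, 14), (5, 15, 12)}),
    "rooms":       ((5, 17, 0),  set()),
    "meeting_sdk": ((5, 16, 5),  set()),
}


def parse_version(text: str) -> Version:
    """'5.16.5.24457' -> (5, 16, 5): compare on major.minor.patch and ignore the build number."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Zoom version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_vulnerable(product: str, version: str) -> bool:
    """True if this product/version is below the fixed release and not an excepted build."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product {product!r}; known: {sorted(AFFECTED)}")
    fixed, excepted = AFFECTED[product]
    v = parse_version(version)
    if v in excepted:          # e.g. VDI 5.14.14: older than 5.16.10 but already patched
        return False
    return v < fixed           # tuple comparison does the major.minor.patch ordering


def triage(inventory):
    """inventory: iterable of (hostname, product, version) -> those still needing the update."""
    return [(host, product, version) for host, product, version in inventory
            if is_vulnerable(product, version)]


# Constructed inventory (hostnames and build numbers made up for the demo).
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "5.16.5.24457"),   # fixed: exactly the first fixed version
    ("ws-02", "desktop", "5.15.12.20000"),  # vulnerable: below 5.16.5 (no exception for desktop)
    ("vdi-01", "vdi", "5.14.14.24750"),     # not vulnerable: excepted VDI maintenance release
    ("vdi-02", "vdi", "5.15.0.1000"),       # vulnerable: below 5.16.10 and not excepted
    ("room-01", "rooms", "5.17.0.1000"),    # fixed
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs updating (CVE-2024-24691)")
```

Note that the same version string can be safe for one product and vulnerable for another: 5.15.12 is an excepted VDI build but an unpatched Desktop Client, which is exactly the kind of detail a hand-rolled "is it older than 5.16?" check gets wrong.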
Less than one month after the initial attack, Southern Water has disclosed that 5-10% of its customers had their details stolen, in addition to affected staff. The attack, attributed to the Black Basta group, potentially compromised names, DOBs, national insurance numbers, bank details, and more. Customers will receive notifications and be offered credit monitoring. Investigations have found no further data publication and Southern Water have apologized and collaborated with authorities in their investigation.
By theregister.com
Welcome to our Round-Up of Microsoft's February 2024 Patch Tuesday. A total of 73 vulnerabilities were addressed this month, including: 5 critical, 66 important, 0 publicly disclosed, and 2 actively exploited vulnerabilities. Critical vulnerabilities have been patched for Microsoft Outlook, Exchange Server, Windows 10, and Multiple versions of Windows Server. We advise consulting our round-up of Microsoft’s latest batch of security updates and applying the latest fixes as soon as possible.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #268 – 16th February 2024
By Joshua Hare on 15/2/24
February’s Patch Tuesday Update patches 73 vulnerabilities across Microsoft’s products, higher than the 49 seen in January. This release patches 5 critical, 66 important, and 2 moderate vulnerabilities with zero publicly disclosed and 2 exploited in the wild.
A critical vulnerability in Microsoft Office allows an attacker to bypass the Office Protected View and open documents in editing mode. This is done by crafting a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and allows for remote code execution. Successfully exploiting this vulnerability could allow an attacker to gain elevated privileges, including read, write, and delete functionality. The preview pane is a known attack vector for this attack as the document only needs to be previewed for the exploit to run.
Windows PGM is a multicast protocol implementation in Windows, often referred to as reliable multicast. Information surrounding this vulnerability is limited; Microsoft has noted that the attack is restricted to systems connected to the same network segment as the attacker. If successfully exploited, a remote attacker could execute arbitrary code on the target system. A patch for this vulnerability is even provided for Windows Server 2008, which is end of life.
A critical elevation of privilege vulnerability affecting Exchange servers has been patched this month. The vulnerability could allow an attacker to target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.
Before Exchange Server 2019 Cumulative Update 14, Exchange Server did not enable NTLM credential relay protections (Extended Protection for Authentication) by default. Without that protection enabled, an attacker can target Exchange Server to relay NTLM credentials leaked from other targets.
This critical vulnerability is related to Windows Hyper-V, a hardware virtualisation service created by Microsoft. Not much is known about this vulnerability other than successful exploitation may allow a Hyper-V guest to affect the functionality of the Hyper-V host. It’s likely Microsoft hasn’t released any more information about this vulnerability to protect customers using Hyper-V.
Microsoft has patched a security feature bypass for Windows SmartScreen that is actively being exploited in the wild. An authorized attacker must send the user a malicious file and convince them to open it. Successful exploitation by a malicious actor injecting code into SmartScreen and gaining code execution could lead to some data exposure, lack of system availability, or both.
A second vulnerability, rated important, is also being actively exploited in the wild. It allows an unauthenticated attacker to send a user a specially crafted file designed to bypass displayed security checks; however, successful exploitation requires the attacker to convince the user to open the malicious shortcut.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Feb
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 14/2/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The FBI has successfully dismantled the hacking operations of a Chinese state-sponsored group named "Volt Typhoon," which targeted critical US infrastructure such as the power grid and pipelines. FBI Director Christopher Wray informed lawmakers about a campaign executed to shut down the group, accusing China of preparing to cripple key US infrastructure in case of a conflict. The group, first exposed by Microsoft in May 2023, allegedly accessed data on US assets by hacking into hundreds of older office routers. Wray emphasised China's extensive resources in cyber warfare, asserting that its hacking programme surpasses that of all other major nations combined, with FBI cyber agents outnumbered 50 to 1 by their Chinese counterparts. China has yet to respond to the accusations.
By bbc.co.uk
Ransomware gang LockBit has claimed responsibility for an attack on a Chicago children's hospital, deviating from its previous policy of not targeting nonprofits. Unlike previous cases, the criminals refuse to reverse the attack on Saint Anthony Hospital and are demanding an $800,000 ransom. Cybersecurity experts note that criminal goals evolve, and organizations should not assume immunity from attacks.
The global cybersecurity advisor at ESET stated, “No one remains safe from these attacks whether they are targeted or caught up in larger campaigns. Companies should never believe they are foolproof due to the nature of their business, nor should they reduce the best possible protection they have to offer.”
By theregister.com
Security researchers suspect that the Akira ransomware group may be exploiting a nearly four-year-old Cisco vulnerability (CVE-2020-3259) as an entry point into organizations' systems. In several recent incidents involving Akira and Cisco's AnyConnect SSL VPN, TrueSec found that at least six devices were running versions vulnerable to the flaw, patched in May 2020.
While there is no publicly available exploit code for the Cisco vulnerability, its potential exploitation by Akira suggests either the purchase or development of an exploit, indicating a deep understanding of the flaw. The Akira group has been known to target Cisco VPNs for ransomware attacks.
Researchers recommend organizations check if their Cisco AnyConnect devices are running vulnerable versions and urge businesses to consider initiating broad password resets and implementing multi-factor authentication.
By theregister.com
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw (CVE-2022-48618) impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities catalog, indicating evidence of active exploitation. The vulnerability exists in the kernel component and could allow an attacker with arbitrary read and write capabilities to bypass Pointer Authentication. While exploit methods have not been publicised, Apple has said improved checks have been implemented to help combat the vulnerability.
Apple released patches for this flaw on December 13, 2022, but it was not publicly disclosed until January 2024, more than a year later. CISA recommends applying the fixes by February 21, 2024, for all Federal Civilian Executive Branch agencies.
By thehackernews.com
Researchers at Qualys have identified a vulnerability (CVE-2023-6246) in Linux's GNU C Library (glibc) that could allow attackers to gain full root access to a system.
The heap-based buffer overflow is in glibc's __vsyslog_internal() function, which backs the widely used syslog() and vsyslog() logging functions. An unprivileged local attacker can trigger it with specially crafted input, potentially gaining code execution with root privileges. Triggering the flaw remotely is unlikely because of the specific conditions required, but its severity is significant and it affects major Linux distributions.
The issue was addressed in glibc 2.39 (released in January 2024), which also resolved five other security defects identified by Qualys researchers. A separate flaw in glibc's qsort() function, which can lead to memory corruption, was also highlighted and impacts all glibc versions from 1.04 (September 1992) through 2.38.
By securityweek.com
In September 2023, Johnson Controls International suffered a ransomware attack costing the company $27 million in expenses and resulting in a data breach.
The Dark Angels ransomware gang, using encryptors based on leaked source code, was responsible for the attack, claiming to have stolen over 27 TB of confidential data and demanding a $51 million ransom. Johnson Controls confirmed the unauthorized access, data exfiltration, and deployment of ransomware in a recent quarterly report filed with the U.S. Securities and Exchange Commission. The company expects the cost to increase as they assess the stolen data with the help of external cybersecurity experts.
Johnson Controls believes the unauthorized activity has been fully contained, and its digital products and services are now fully available.
By bleepingcomputer.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #267 – 2nd February 2024
By Joshua Hare on 1/2/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Finnish IT services and cloud hosting provider Tietoevry has become the latest victim of the Akira ransomware group. The attack, which occurred late last week, hit one of the company’s datacentres in Sweden, leading to a loss of operations for several of its customers across the country.
Multiple customer websites have been shut down as a result of the incident, and they may be waiting a while until their sites are restored. Tietoevry anticipates a restoration process lasting days to weeks due to the incident's nature and the need to recover customer-specific systems.
By cybernews.com
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive (24-01) in response to the widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions. The vulnerabilities (CVE-2023-46805 and CVE-2024-21887) pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies.
The directive requires agencies running affected products to immediately download and import Ivanti's mitigation XML file, run Ivanti's External Integrity Checker Tool, and take additional steps if indications of compromise are detected. Agencies must also report to CISA a complete inventory of instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including actions taken and results.
By cisa.gov
Mozilla has released security updates for Firefox and Thunderbird, addressing 15 vulnerabilities, including five rated as high severity. One high-severity flaw (CVE-2024-0741) involves an out-of-bounds write in the ANGLE (Almost Native Graphics Layer Engine) graphics engine used in Firefox and Chrome, potentially leading to denial of service or arbitrary code execution.
Another significant flaw (CVE-2024-0742) is described as a "failure to update user input timestamp," enabling unintentional activation or dismissal of specific browser prompts. Additional noteworthy vulnerabilities include a TLS handshake code problem (CVE-2024-0743), a JavaScript code glitch (CVE-2024-0744), and a stack buffer overflow in WebAudio (CVE-2024-0745). Mozilla also addressed medium-severity issues, one of which could permit an attacker to set an arbitrary URI in the address bar or history. Firefox 122, Thunderbird 115.7, and Firefox ESR 115.7 were released with patches to address these vulnerabilities. No mention has been made of any exploits occurring in the wild for these vulnerabilities, and further details on the resolved issues can be found on Mozilla's security advisories page.
By securityweek.com
The National Cyber Security Centre (NCSC) warns that the number of cyberattacks is likely to increase in the next two years, with artificial intelligence (AI) playing a significant role. Ransomware remains a top cyber threat globally and is expected to worsen with the integration of AI, lowering the entry barrier for less skilled hackers.
The NCSC report notes that AI is already being utilized in malicious cyber activities, enabling novice cybercriminals to conduct more effective operations, particularly in access and information gathering. The report emphasizes the emergence of criminal generative AI (GenAI) and "GenAI-as-a-service," making it accessible to those willing to pay. While the report acknowledges the potential risks of AI in cyberattacks, it also highlights the importance of managing these risks and harnessing AI's potential for defensive purposes.
The National Crime Agency notes that ransomware is likely to remain a significant threat due to its financial rewards and established business model. The British government has invested £2.6 billion ($3.3 billion) to enhance the country's cyber resilience as part of its Cyber Security Strategy.
By cybernews.com
UK utility company, Southern Water, has confirmed that their IT systems were breached, and attackers have stolen a “limited amount of data.”
Responsibility for this attack has been claimed by the Black Basta ransomware group who publicly released a fraction of the 750 GB of stolen data. The publicised data contained identity documents such as passports and driving licenses, documents containing personal information of home addresses, dates of birth, nationalities, email addresses, and corporate car leasing documents.
The root cause of the breach is still unknown and Black Basta has given Southern Water six days to pay the ransom in full; if these conditions are not met, the stolen data will be released to the public in full.
By theregister.com
Fortra has warned that a new authentication bypass in Linoma Software’s GoAnywhere Managed File Transfer (MFT) allows attackers to create a new admin user. GoAnywhere MFT is used by many organisations to securely transfer files with customers and other organisations.
The critical vulnerability, tracked as CVE-2024-0204, has a CVSS of 9.8, and is remotely exploitable. While there are no reports of active exploitation, the disclosure of this vulnerability is likely to see proof of exploit code being developed and potential exploitation by threat actors. All versions prior to 7.4.1 are affected, and users are advised to apply the latest updates as soon as possible.
By bleepingcomputer.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #266 – 26th January 2024
By Joshua Hare on 25/1/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Have I Been Pwned has added close to 71 million new email addresses to its database. HIBP is a data breach notification service that is constantly updating its site with the latest breach information, and, in this case, their source was the Naz.API dataset, which contains stolen email address and password pairs for many different services.
HIBP has stated that the emails recovered from this list will be recorded under ‘Naz.API’ but will not advise individuals exactly which service(s) their information was stolen from. To check if your credentials have been exposed in this dataset, visit haveibeenpwned.com and enter your email address.
All users present in Naz.API’s list are advised to reset the password for all accounts associated with their compromised email address. Since the accounts in this dataset were stolen using information-stealing malware, there is also a risk of crypto wallets being compromised; if your stolen account is in use for any cryptocurrency sites, we advise transferring to a new wallet as soon as possible.
By bleepingcomputer.com
CVE-2024-0519 is a zero-day out-of-bounds memory access vulnerability in the V8 JavaScript and WebAssembly engine in the Chrome browser.
"By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service," MITRE's Common Weakness Enumeration has reported.
Information about the threat actors and the nature of the attacks has been withheld by Google in order to limit further exploitation. Users are advised to update to version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
By thehackernews.com
Foxsemicon, a semiconductor firm in Taiwan, is the latest organisation to be hit by the LockBit ransomware gang. On the 17th of January Foxsemicon’s website was hijacked by the gang and displayed a message threatening to release the personal information of its employees and customers.
The website has since been recovered and the firm has stated they are working with security experts to resolve the situation. Foxsemicon has not disclosed any information about what information has been accessed or the ransom demanded by LockBit.
By cybernews.com
Security researchers have discovered a large botnet called Bigpanzi, operated by an eight-year-old cybercrime syndicate, responsible for infecting potentially millions of smart TVs and set-top boxes. At the peak of the campaign, at least 170,000 bots were running daily, infecting Android-based TVs and streaming hardware through pirated apps and firmware updates.
Researchers noted the potential for Bigpanzi-controlled devices to broadcast violent, terroristic, or pornographic content and despite ongoing efforts to trace Bigpanzi, its operations are believed to have recently shifted to a separate botnet for more lucrative cybercrimes.
By theregister.com
The National Cyber Security Centre is kicking off 2024 with a new initiative titled the ‘Cyber League’, which aims to “bring together a trusted community of NCSC and industry experts to work on the biggest cyber threats facing the UK.”
Those in the UK’s cybersecurity industry are encouraged to volunteer and join the Cyber League but are required to have “relevant cyber experience and knowledge.”
The NCSC Director of Operations has commented on this initiative by saying:
“Cyber defence is a giant, complex and ever changing puzzle, with critical knowledge, skills and innovation spread widely across industry and government. Only through working together can we achieve our collective aim of making the UK the safest place to live and work online.”
By ncsc.gov.uk
The National Institute of Standards and Technology (NIST) has released draft guidance on measuring and improving information security programs. The two-volume document, titled NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security, aims to help organizations develop effective information security measurement programs.
The first volume, directed towards information security specialists, provides guidance on prioritizing, selecting, and evaluating specific measures to assess existing security measures. The second volume, intended for the C-suite, outlines how organizations can create and implement an information security measurement program over time.
NIST is asking for feedback and comments on this new guidance, which is a positive sign of its desire to help businesses grow and improve their security posture.
By nist.gov
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #265 – 19th January 2024
By Joshua Hare on 18/1/24
Welcome to Ironshare’s first Cyber Round-up of 2024, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
As of the 9th of January 2024, Microsoft Exchange Server 2019 will no longer receive bug fixes and design changes; however, it will continue to receive security updates to patch the latest vulnerabilities. Now in the extended support phase of its lifecycle, Microsoft Exchange Server 2019 is scheduled to go end-of-life on the 14th of October 2025.
Microsoft is yet to release a newer version of Exchange Server and no end-of-life guidance has been provided to customers.
Microsoft Exchange Product Marketing Manager Scott Schnoll stated "There are still two more [cumulative updates] for Exchange Server 2019: CU14 and CU15. CU14 is in its final stages of testing and validation and will be released as soon as that's finished. CU15 will be released later this year."
By bleepingcomputer.com
Fidelity National Financial, an American provider of title insurance and settlement services to the real estate and mortgage industries, reported that hackers had gained access to their IT network back in November.
The ransomware gang, ALPHV, claimed responsibility for the attack on their dark web site, before it was taken down by the FBI in December. Before their site was seized, ALPHV revealed a sample of the information that was stolen in the attack.
FNF has yet to describe the cybersecurity incident as a ransomware attack and has failed to respond to requests for such information. Further investigation into the attack on FNF did reveal the following:
"We determined that an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating, and exfiltrated certain data […] The company has no evidence that any customer-owned system was directly impacted in the incident, and no customer has reported that this has occurred. The last confirmed date of unauthorized third-party activity in the company's network occurred on November 20, 2023."
The latest news on this incident is that the personal information of 1.3 million customers was stolen; FNF has reached out to all those affected offering credit monitoring and identity services.
By theregister.com
Cybersecurity firm Mandiant has revealed that their X (formerly Twitter) account was taken over by a crypto gang. In what is believed to be a brute-force attack, the Drainer-as-a-Service gang gained access to the account for a few hours before Mandiant reclaimed control. During their time in control, the attacker distributed links to a cryptocurrency drainer phishing page to Mandiant’s 123K followers.
The blame for this incident is shared between Mandiant and X; in their latest statement, the cybersecurity firm took responsibility for the account compromise, but also shifted some blame onto X’s configuration of MFA (Multi-Factor Authentication).
“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We've made changes to our process to ensure this doesn't happen again,”
By bleepingcomputer.com
Microsoft is starting off the year with this January Patch Tuesday release, which addresses 49 total vulnerabilities. The release includes fixes for 2 critical and 47 important vulnerabilities. Microsoft has reported that no vulnerabilities have been publicly disclosed or exploited in the wild this month.
See here for our round-up of the top critical & important vulnerabilities addressed this month.
Many Windows 10 users have reported issues with installing some of this month’s updates, specifically update KB5034441 for BitLocker. This update addresses an important encryption bypass vulnerability that could allow an attacker to access encrypted data.
Unfortunately, this update is consistently failing for a large number of users, who are met with 0x80070643 errors after restarting their devices. To address the vulnerability, this update installs a new version of the Windows Recovery Environment (WinRE), however the recovery partition created by Windows is too small to support the new WinRE file.
For those who want an immediate fix for this, Microsoft has suggested manually creating a larger Windows Recovery Partition to accommodate the new update; should you prefer to wait for an official fix, we do expect Microsoft to address this issue soon.
By bleepingcomputer.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #264 – 12th January 2024
By Joshua Hare on 11/1/24
Microsoft is starting off the year with this January Patch Tuesday release, which addresses 49 total vulnerabilities. The release includes fixes for 2 critical and 47 important vulnerabilities. Microsoft has reported that no vulnerabilities have been publicly disclosed or exploited in the wild this month.
An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.
This critical vulnerability, with a CVSS score of 9.0, would require an attacker to first gain access to the restricted network before running an attack.
With a CVSS of 7.5, this critical vulnerability could allow an attacker to conduct remote code execution on a system running Windows Hyper-V. To successfully exploit this vulnerability the attacker must first gain access to the restricted network and win a race condition.
This important vulnerability could allow an authenticated attacker with SharePoint Site Owner privileges to remotely execute arbitrary code. Despite the authentication requirement, Microsoft reports that exploitation of this flaw is quite likely.
This important vulnerability exposes a potential avenue for attackers to carry out a machine-in-the-middle (MITM) attack, allowing them to intercept and potentially modify TLS traffic between the client and server. Exploitation of this vulnerability could lead to the decryption of sensitive information during transmission.
An important vulnerability in FBX could allow an attacker to remotely execute code on the target system. The ability to insert FBX files has been disabled in Word, Excel, PowerPoint, and Outlook for Windows and Mac, and versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365. 3D models in Office documents that were previously inserted from an FBX file will continue to work as expected unless the Link to File option was chosen at insert time.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Jan
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 10/1/24
Welcome to Ironshare’s first Cyber Round-up of 2024, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Xerox has released a public statement detailing a recent compromise of their U.S. branch’s IT systems, in which personal information may have been exposed. XBS provides business services and technology such as printers, copiers, supply services, and consultation services.
INC Ransom claimed responsibility for this attack when XBS was added to their extortion portal on December 29th with claims that sensitive and confidential documents were accessed from the victim’s systems. Samples of data leaked by INC Ransom include email communications, payment details, invoices, filled-out request forms, and purchase orders.
Xerox has stated "The event was limited to XBS U.S. We are actively working with third-party cybersecurity experts to conduct a thorough investigation into this incident and are taking necessary steps to further secure the XBS IT environment."
Xerox has assured that all affected individuals will be notified.
By bleepingcomputer.com
Fallon Ambulance Services, a subsidiary of Transformative Healthcare, has suffered a ransomware attack that exposed the personal information of almost half a million people. The attack occurred when the ALPHV ransomware group accessed Fallon’s data storage archive which Transformative Healthcare said, “complied with legal obligations.”
ALPHV are thought to have retained access to the company’s systems from late February 2023 until late April and, during this period, 911,757 people were exposed; the stolen information included victims’ driver’s license numbers and other IDs.
“After an extensive review of the event, we identified that the activity appears to have occurred as early as February 17th, 2023, through April 22nd, 2023 and that files were obtained by an unauthorized party that may have contained personal information,” reads Transformative Healthcare‘s breach notification.
By cybernews.com
LastPass, a password management service, has announced that they will now be enforcing a length of at least 12 characters for all master passwords (the password used to access your vault).
“This policy will be implemented via a phased rollout to our customer base, with email notifications being sent to our Free, Premium and Families customers first, followed by our Teams and Business customers towards the end of January 2024" reports Mike Kosak, LastPass senior principal intelligence analyst.
Users who already have a password longer than 12 characters won't be required to change their password. LastPass will also be enforcing MFA re-enrolment for federated business customers during this period.
By darkreading.com
On Wednesday, Google released 2024’s first batch of security updates for Chrome which contains fixes for six vulnerabilities, four of which are of high-severity and were discovered by external researchers.
The bugs addressed include a heap buffer overflow flaw in ANGLE, and three use-after-free vulnerabilities in ANGLE, WebAudio, and WebGPU.
As always, we recommend users of Google Chrome update their browsers to the latest version to ensure they are protected against these flaws.
By chromereleases.googleblog.com
Telecoms provider, Orange, has suffered a cyberattack after an individual known as ‘Snow’ gained unauthorised access to their RIPE NCC account. The RIPE NCC (Network Coordination Centre) is the regional internet registry for Europe, the Middle East, and parts of Central Asia.
This attack has had an impact on Orange’s services in Spain, with many users reporting major outages and a loss of internet connectivity. Despite the impact on their Spanish userbase, Orange has confirmed that no customer data was compromised in the attack.
Strangely, it appears that the hacker did not have malicious intent, and claims their goal was to “prevent an actual bad threat actor from finding the account and compromising it”. No ransom was demanded, and no client data was accessed; the hacker even claims that the service disruptions were accidental.
Access to the RIPE account has since been restored, and all services are back in operation; RIPE NCC are continuing their investigations to determine if any other account holders have been compromised.
By securityweek.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #263 – 5th January 2024
By Joshua Hare on 4/1/24
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Players of the hugely popular tactical shooter, Counter-Strike 2, were warned to avoid playing following the discovery of a serious security flaw. This vulnerability was found in the game’s Panorama user interface and allows the game’s input fields to accept HTML code.
If exploited successfully, an attacker could inject HTML content into the game client, opening the possibility for a number of attacks, including remote IP logging, DDoS attacks, impacting the network performance of players, and more.
Valve recognised this as a serious issue and quickly released a hotfix patch: “Post-update, any HTML content inputted by players will now be sanitized to regular strings.”
By bitdefender.com
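The fix Valve describes, turning player-supplied text into inert strings before it reaches an HTML-based UI, is the standard defence against this class of injection. The following is an added example written for this round-up, not Valve’s code and not part of the original post; the function names, the escape table, and the constructed sample name are this example’s own assumptions. It shows the vulnerable pattern (untrusted text concatenated straight into markup) beside the hardened one, plus a small check a defender could use to confirm that rendered output carries no markup beyond the wrapper the code itself emitted.

```javascript
// Added example (not Valve's code): escaping user-supplied text before it is
// placed into HTML-based UI, the class of fix described for the Panorama issue.
// Escape table, function names and sample input are this example's own.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Turn arbitrary user text into characters an HTML renderer treats as plain text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled text concatenated directly into markup,
// so any tag inside the name becomes live UI.
function renderNameUnsafe(playerName) {
  return `<span class="player-name">${playerName}</span>`;
}

// Hardened pattern: identical markup, but the untrusted part is escaped first,
// so it is displayed as a literal string.
function renderNameSafe(playerName) {
  return `<span class="player-name">${escapeHtml(playerName)}</span>`;
}

// Defender's check: a correctly rendered name contains exactly two '<'
// characters (the opening and closing wrapper tags). Anything more means
// user input survived as markup.
function containsInjectedMarkup(rendered) {
  const tagCount = (rendered.match(/</g) || []).length;
  return tagCount > 2;
}

// Constructed sample input: a player name carrying an image tag that would make
// every client rendering it fetch a remote URL (the "remote IP logging" case).
const SAMPLE_NAME = '<img src="http://example.invalid/track.png">Player';

console.log("unsafe:", renderNameUnsafe(SAMPLE_NAME)); // tag is live
console.log("safe:  ", renderNameSafe(SAMPLE_NAME));   // tag is inert text
```

Escaping at the render boundary, rather than trying to strip "bad" tags on input, is the design choice to note: the stored name stays exactly what the player typed, and it is the act of placing it into HTML that neutralises it.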
The healthcare industry was one of the primary targets for cybercriminals in 2023, with a documented 273% increase in large cyberattacks involving ransomware. In response to this recent surge in attacks, the White House is in talks with the Department of Health and Human Services, with plans to “develop minimum standards to protect the healthcare sector from ransomware, and other malicious cyber activity”.
The department has outlined this new cyber framework in a recent concept paper that aims to lay out goals, support, and accountability measures for hospitals.
Healthcare services have been far too easy to exploit this year, and there is a clear lack of protection in place. This plan from the White House will hopefully improve security for this critical sector and help keep hospitals and other facilities operational and secure.
By cybersecuritydive.com
Two WordPress plugins, Elementor and Backup Migration, are currently vulnerable to severe remote code execution flaws.
Elementor is a popular website builder plugin with more than 5 million active installations. Versions 3.17.3 and earlier are currently affected by an authenticated arbitrary file upload flaw that allows any attacker with edit post permissions to remotely execute arbitrary code. A full patch for this vulnerability was rolled out in v3.18.2.
Backup Migration allows backups to be created of WordPress sites and has over 90,000 active installations. Tracked as CVE-2023-6553, with a CVSS of 9.8, this vulnerability resides in the /includes/backup-heart.php file that the plugin uses and could allow an unauthenticated attacker to submit specially crafted requests to remotely execute arbitrary code on the server hosting the affected WordPress instance. Versions 1.3.7 and prior are currently affected by this vulnerability; we advise site admins to update to version 1.3.8 of the Backup Migration plugin as soon as possible.
By securityweek.com
Insomniac Games, the studio behind the Spider-Man video games, claims to have suffered a serious ransomware attack.
The ransomware gang, Rhysida, has claimed responsibility for the attack, and has reportedly stolen “exclusive, unique, and impressive data” from the developers, with screenshots including confidential internal emails, copies of passports and personal ID cards, and images of game assets or gameplay.
Rhysida has requested a payment of 50 BTC, around £1.7 million, to be paid by the 20th of December. It is currently unknown whether Insomniac plan to pay the ransom, but their data will be made available for bidding on a dark web forum if Rhysida’s demands are not met by the deadline.
By cybernews.com
A bug in Google Drive has reportedly caused many users’ files to disappear. Reports have suggested that this bug only affects files uploaded after May 2023, but until now there has been seemingly no way to recover lost files.
Google reported that the bug was the result of synchronisation issues and only affected “a limited subset” of individuals using the desktop Drive app versions v84.0.0.0 - 84.0.4.0.
"This issue did not impact any file changes that had already synced and were visible on the Drive mobile app or within the Drive UI on the web."
The fix offered by Google allows users to recover their lost files from backups; however, some users have reported that this was unsuccessful, leaving them unable to retrieve their lost documents.
By bleepingcomputer.com
With 38 vulnerabilities addressed this month, Microsoft’s December Patch Tuesday is the smallest release of the year. This batch of security updates is made up of 7 critical and 31 important vulnerabilities, one of which was publicly disclosed. While no flaws are being actively exploited, we advise reading this round-up of Microsoft’s Patch Tuesday and applying updates as soon as possible.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #262 – 15th December 2023
By Joshua Hare on 14/12/23
Microsoft’s December Patch Tuesday provides fixes for 38 vulnerabilities, a surprisingly low number for 2023’s standards. This month’s batch of updates includes fixes for 7 critical and 31 important vulnerabilities with just 1 being publicly disclosed, and none reported as exploited in the wild.
The only publicly disclosed vulnerability this month is known to affect certain models of AMD CPUs.
“This is a division-by-zero error on some AMD processors that can potentially return speculative data resulting in loss of confidentiality […] developers can mitigate this issue by ensuring that no privileged data is used in division operations prior to changing privilege boundaries. AMD believes that the potential impact of this vulnerability is low because it requires local access”, as per an AMD Security Bulletin.
AMD has failed to provide proper fixes to address this important vulnerability and has only offered mitigation advice. Microsoft’s security patch provides protection to computers using affected AMD CPUs on all supported Windows versions.
Two critical remote code execution vulnerabilities present in ICS were patched this month. Internet Connection Sharing (ICS) is a Windows service that permits one Internet-connected computer to share its connection with other computers on a local area network (LAN).
CVE-2023-35630 requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message.
CVE-2023-35641 reportedly requires an attacker to send a maliciously crafted DHCP message to a server that runs the Internet Connection Sharing service.
Both vulnerabilities require the attacker to be on the same network segment as the target system, meaning the attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network.
This important vulnerability present in Outlook requires a victim to open a specially crafted file delivered via email or hosted on a malicious website. An attacker would have no way to force users to visit the website, meaning phishing tactics are likely required to convince users to click a link. Exploiting this vulnerability could lead to the disclosure of NTLM hashes, however the preview pane is known to not be an attack vector.
MSHTML is responsible for rendering and displaying HTML content in various applications, including web browsers and email clients. The critical vulnerability, CVE-2023-35628, requires an attacker to send a malicious link to the victim via email. In the worst-case email-attack scenario, an attacker could send a specially crafted email to the user without requiring the victim to open, read, or click on the link resulting in the attacker executing remote code on the victim's machine.
A critical spoofing vulnerability in Microsoft’s Power Platform Connector could allow an attacker to “manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim”. This would require the victim to click on a specially crafted URL to be compromised by the attacker.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Dec
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 13/12/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Meta has started to roll out end-to-end encryption for personal calls and messages in their Messenger app. Since 2016, Messenger had offered “secret conversations”, an opt-in chat option that provided end-to-end encryption. Mark Zuckerberg, who announced a "privacy-focused vision for social networking" in 2019, reported a redesign of the platform to provide better privacy for its users. After years of work, Meta have "rebuilt the app from the ground up, in close consultation with privacy and safety experts," as shared by Loredana Crisan in a post on X. Encryption will be enabled by default for all users and will not require any interaction to get working.
By thehackernews.com
Four critical remote code execution vulnerabilities impacting Confluence, Jira, and Bitbucket servers, and a companion app for macOS have been addressed. All the vulnerabilities received a CVSS of at least 9.0 out of 10.0 based on Atlassian's internal assessment. The four RCE CVEs patched were:
• CVE-2023-22522: Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page.
• CVE-2023-22523: Allows an attacker to perform privileged RCE on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application and the Assets Discovery agent.
• CVE-2023-22524: An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper to allow the execution of code.
• CVE-2022-1471: RCE in SnakeYAML library impacting multiple versions of Jira, Bitbucket, and Confluence products.
We advise all users of the affected Atlassian products to apply the latest updates as soon as possible.
By bleepingcomputer.com
CVE-2023-45866 is a Bluetooth authentication bypass vulnerability allowing attackers to connect to Apple, Android, and Linux devices and inject keystrokes to run arbitrary commands, according to a software engineer at drone technology firm SkySafe. Exploitation doesn’t require any special hardware, and the attack can be pulled off from a Linux machine using a regular Bluetooth adapter, says Marc Newlin, who found the flaw. Google reported "Fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently supported Pixel devices will receive this fix via December OTA updates." Linux distros including Ubuntu, Debian, Fedora, Gentoo, Arch, and Alpine remain vulnerable. The vulnerability also affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable phone or computer.
By theregister.com
Nissan’s Oceania division is currently dealing with heavy business impact believed to have been caused by a cyberattack. Investigations are underway and, while not much is known about the incident, it has been confirmed that the company’s operations in New Zealand and Australia have been affected.
Nissan are providing their customers with updates via their website and are looking to restore their systems as soon as possible; the latest update stated:
“Nissan is working with its global incident response team and relevant stakeholders to investigate the extent of the incident and whether any personal information has been accessed”.
If there are any signs of sensitive information being compromised, we will provide updates here.
By cybernews.com
The NCSC has announced today the launch of a new scheme, dedicated to helping organisations practise and understand their own cyber incident response plans. The Director of Operations at the NCSC believes that:
“the first time you try out your cyber incident response plan shouldn’t be on the day you are attacked. So, if you do only one thing on a regular basis, incident exercising should be it.”
This philosophy has led to the creation of this scheme, which aims to give companies the opportunity to engage in both table-top and live-play exercises to test and practise their IR plans. The Cyber Incident Exercising scheme will be delivered by those on the NCSC’s list of ‘Assured Service Providers’, which can be found here.
This is an amazing idea that gives UK businesses an opportunity to be more in touch with their security culture and better understand their own processes.
By ncsc.gov.uk
Microsoft have announced the appointment of Igor Tsyganskiy as their new CISO, after reassigning his predecessor to an advisory role. Bret Arsenault has served the role of Chief Information Security Officer for the last 14 years, which makes his sudden replacement a surprise to many.
Microsoft’s Executive Vice President, Charlie Bell, has vouched for Tsyganskiy, labelling him a “technologist and dynamic leader with a storied career in high-scale/high-security, demanding environments”.
We are hoping that these changes will benefit the company and help with the delivery of their new ‘Secure Future Initiative’. The changes promised by this initiative are much needed after the mess faced in 2023, and Microsoft seem hopeful that Tsyganskiy is the man to guide them through these improvements.
By securityweek.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #261 – 8th December 2023
By Samuel Jack on 7/12/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The UK has released the first global guidelines for the secure development of AI technology, with endorsement from agencies in 17 other countries, including the US. Developed by the UK's National Cyber Security Centre (NCSC) in collaboration with the US's Cybersecurity and Infrastructure Security Agency (CISA), these guidelines focus on four key pillars of security: secure design, secure development, secure deployment, and secure operation and maintenance.
These guidelines address the need for international cooperation and have received support from cybersecurity agencies around the world. With the rapid development of AI technology, incorporating new security measures is hugely important, and utilising the strengths of industry experts is promising for the future of AI.
By ncsc.gov.uk
This week, Google released an emergency security update to address another zero-day vulnerability found in the Chrome browser. The flaw exists in Chrome’s graphics engine, Skia, and has been described by Google as a high-severity integer overflow flaw. While it was confirmed that an exploit exists in the wild, not much more has been shared about this vulnerability.
This update also addresses five other high-severity vulnerabilities, including use-after-free issues and out-of-bounds memory access flaws. We advise applying the latest patch as soon as possible.
By securityweek.com
Berglund Management Group, a Virginia-based motor dealer, has revealed a data breach potentially impacting over 50,000 individuals in the United States. The compromised data is believed to include names and Social Security numbers, though Berglund assures there is no evidence of misuse.
The company, which had initially detected unauthorized activity in its network in May, completed its investigation in October. Berglund has enhanced its security measures and is providing affected individuals with free credit monitoring services.
By cybernews.com
Due to technical issues with their planning application portal, Reading Borough Council advised site visitors to disable HTTPS within their browser. Safari users were also advised to use Google Chrome to access the website, as Safari has no option to turn off HTTPS. By removing HTTPS, any visitors attempting to access the portal would have their credentials exposed in plaintext, potentially allowing hackers to collect login details. The post has since been taken down, and the council tweeted: "Apologies for the incorrect information that was tweeted." The planning portal is now back online, providing secure connections through HTTPS.
By theregister.com
A “severe design flaw” in Google Workspace's domain-wide delegation feature could allow threat actors to elevate their privileges and obtain unauthorised access by exploiting Workspace APIs. To exploit this weakness, the attacker must have pre-existing access to an account that is capable of creating new private keys within the target Google Cloud Platform.
"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," states a technical report from cybersecurity firm Hunters.
By thehackernews.com
Dollar Tree, an American discount retail franchise, was impacted by a third-party data breach that affected 1,977,486 people. Zeroed-In Technologies suffered the security incident between 7th-8th August 2023, in which threat actors managed to steal personal information relating to Dollar Tree employees.
"While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor," reads the letters sent to affected individuals.
Names, dates of birth, and Social Security numbers were all stolen in the breach; affected individuals will be enrolled on a twelve-month identity protection and credit monitoring service.
By bleepingcomputer.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #260 – 1st December 2023
By Samuel Jack on 30/11/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The British Library has confirmed that last month’s outages were the result of a ransomware attack that resulted in the theft of sensitive internal data. The attack occurred back in October, but at the time it was reported only as a “major technology outage”, which saw their website, phone lines, and on-site services crippled. The Rhysida ransomware gang appears to be behind this attack and is threatening to publicise the stolen data if their ransom demands are not met. The gang are currently hoping for payment of $740,000 in bitcoin, but no payment has been made by the victim yet. The contents of the stolen data are still unknown, but the British Library is advising users and employees to reset their passwords immediately.
By techcrunch.com
A critical vulnerability (CVE-2023-46604) in Apache ActiveMQ has been exploited by the Kinsing malware, posing a significant threat to Linux systems. Kinsing commonly uses vulnerable web applications to infiltrate systems and spread across networks; the currently vulnerable Apache ActiveMQ is widely used across many Linux-based systems, making it an ideal avenue for exploitation.
A patch is available for the affected versions of ActiveMQ; we strongly urge all users of the software to apply the latest updates as soon as possible. The official update advisory for CVE-2023-46604 can be found here.
By infosecurity-magazine.com
The US Department of Justice has announced that Binance, the world's largest cryptocurrency exchange, and its CEO Changpeng Zhao have pleaded guilty to multiple financial crimes.
Binance will pay $10 billion in fines and settlements for failing to register as a money services business in the US, violating the Bank Secrecy Act by neglecting anti-money laundering measures, and breaching the International Emergency Economic Powers Act by allowing US users to transact with individuals in sanctioned countries, including transferring nearly $1 billion to individuals believed to reside in Iran.
The Justice Department highlighted that Binance prioritized profits and knowingly and willfully committed these crimes, including facilitating trades to users in Syria, Russia, and Russian-controlled parts of Ukraine. The exchange aimed to gain market share and profit quickly by operating as an unlicensed exchange, knowing it would lose market share if cut off from US users.
By theregister.com
Welltok, which provides online services for the US healthcare sector, has warned that it was involved in a data breach that exposed the data of 8.5 million US patients. The breach was made possible by a vulnerability in the MOVEit file transfer software used by Welltok. As in the wave of MOVEit attacks seen earlier this year, the system was actively exploited by the attackers and used to steal sensitive data.
Welltok reported the data breach in October stating:
“The following types of information may have been impacted: name and address, telephone number, email address. The type of information at issue varies for each person. For a small group of impacted clients, Social Security Numbers, Medicare/Medicaid ID Numbers, or certain Health Insurance information such as plan or group name, were also implicated. For other individuals, certain health information such as a provider name, prescription name, or treatment code may have been included.”
The U.S. Department of Health and Human Services also confirmed that 8,493,379 people were impacted by the breach, making it the second largest MOVEit related breach recorded this year.
By bleepingcomputer.com
As part of a new bug bounty program, Microsoft will be offering up to $20,000 for the discovery of vulnerabilities in its Defender products.
“The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team,” the company says.
Participants can expect to receive between $500 and $20,000 depending on the impact and quality of the report, with up to $8,000 for remote code execution vulnerabilities and $3,000 for spoofing and tampering vulnerabilities.
By securityweek.com
A pro-Russian APT group, known as Storm-0978 or RomCom, has reportedly been using weaponised Office documents to exploit a Windows Search remote code execution vulnerability. Successful exploitation allows an attacker to bypass the Windows Mark of the Web security feature, disabling Protected View for Office documents. A malicious .docx file can then request the download of external RTF files without restriction, which lets the attacker make the victim’s computer connect to an attacker-controlled SMB server. This process ultimately results in the theft of the victim’s NTLM credentials.
The attack chains two vulnerabilities, one security feature bypass and one RCE flaw (CVE-2023-36884 and CVE-2023-36584). More details on the attack, and a full list of IoCs, can be found here.
By cybersecuritynews.com
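The endpoint-side signal of the chain described above is an Office process opening an SMB connection, usually to a host outside the estate. The following is an added example (not from the Ironshare post or the cited article) that classifies connection events shaped like Sysmon Event ID 3 records; the events, the process list, and the 203.0.113.25 “attacker” address are constructed for the example.

```python
import ipaddress

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SMB_PORTS = {445, 139}
# RFC 1918, loopback and link-local; everything else is treated as outside the estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed events shaped like Sysmon Event ID 3 (network connection) records.
# 203.0.113.25 stands in for an attacker-controlled SMB server.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice", "DestinationIp": "203.0.113.25", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice", "DestinationIp": "10.0.0.40", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "User": r"CORP\alice", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice"},
]


def is_internal(ip_text):
    """True when the address falls inside one of the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def classify(event):
    """None for benign; 'medium' for Office->internal SMB; 'high' for Office->external SMB."""
    if event.get("EventID") != 3 or int(event.get("DestinationPort", 0)) not in SMB_PORTS:
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in OFFICE_IMAGES:
        return None
    return "medium" if is_internal(event["DestinationIp"]) else "high"


def find_smb_from_office(events):
    """Run classify() over a batch of events and return the alerts worth triaging."""
    alerts = []
    for event in events:
        severity = classify(event)
        if severity:
            alerts.append({"severity": severity, "user": event.get("User"),
                           "image": event["Image"],
                           "dest": "%s:%s" % (event["DestinationIp"], event["DestinationPort"])})
    return alerts


if __name__ == "__main__":
    for alert in find_smb_from_office(SAMPLE_EVENTS):
        print(alert)
```

An Office process reaching an internal file server over SMB is common and is only rated medium here; the same process reaching an external address on port 445 is the credential-theft pattern and should never be normal. Blocking outbound TCP 445 at the perimeter removes the external case entirely and is the usual preventive control alongside the patches.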
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #259 – 24th November 2023
By Joshua Hare on 23/11/23
November's Patch Tuesday offers fixes for 58 vulnerabilities, significantly fewer than last month's 104. The vulnerabilities patched are split between 4 critical and 54 important, with 3 recorded as publicly disclosed or exploited in the wild.
This critical vulnerability in the Azure CLI allows an unauthenticated attacker to search for and discover credentials contained in log files that have been stored in open-source repositories. An attacker who successfully exploits it could recover plaintext usernames and passwords from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions. Affected customers are advised to update their Azure CLI to version 2.53.1 or above.
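Two practical checks follow from the paragraph above: confirm the CLI version that produced a pipeline log is at or above 2.53.1, and sweep already-published logs for output that echoed credentials. The following is an added example (not from the Ironshare post, Microsoft or the Azure CLI project) that does both; the JSON field names treated as secrets and the sample log are assumptions constructed for the example.

```python
import json
import re

FIXED_VERSION = (2, 53, 1)  # version the post says resolves the issue

# Field names that commonly carry credentials in JSON printed by CLI commands.
# Assumption: the exact fields vary by command; extend the list as needed.
JSON_SECRET_KEYS = r"password|adminPassword|primaryKey|secondaryKey|connectionString"
SECRET_PATTERNS = [
    re.compile(r'"(?P<key>' + JSON_SECRET_KEYS + r')"\s*:\s*"(?P<value>[^"]+)"', re.I),
    re.compile(r'(?P<key>Password|AccountKey|SharedAccessKey)=(?P<value>[^;\s"]+)', re.I),
]

# Constructed sample of a pipeline log (not real output): one `az version` call,
# then two commands whose JSON output contains secrets.
SAMPLE_LOG = """\
2023-11-14T10:02:11Z az version
{"azure-cli": "2.53.0", "azure-cli-core": "2.53.0"}
2023-11-14T10:02:15Z az vm create -g rg1 -n web01 --admin-username ops --admin-password ***
{
  "adminUsername": "ops",
  "adminPassword": "Hunter2!Hunter2!"
}
2023-11-14T10:02:40Z az storage account show-connection-string -n stg01
{"connectionString": "DefaultEndpointsProtocol=https;AccountName=stg01;AccountKey=abcdefghijklmnop1234==;EndpointSuffix=core.windows.net"}
"""


def parse_version(text):
    """Accept '2.53.0' or the JSON printed by `az version`; return an int tuple."""
    try:
        text = json.loads(text)["azure-cli"]
    except (ValueError, KeyError, TypeError):
        pass  # not JSON: treat as a bare version string
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(version_text):
    return parse_version(version_text) >= FIXED_VERSION


def mask(secret):
    """Keep just enough of the value to locate it in the log without re-exposing it."""
    return secret[:2] + "*" * max(len(secret) - 4, 0) + secret[-2:]


def find_leaked_credentials(log_text):
    """Return (line number, field, masked value) for every credential-looking match."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "key": m.group("key"),
                                 "value": mask(m.group("value"))})
    return findings


def report(log_text=SAMPLE_LOG):
    """Combine both checks: was the CLI that wrote this log patched, and what leaked?"""
    version_line = next((l for l in log_text.splitlines() if '"azure-cli"' in l), None)
    return {
        "patched": is_patched(version_line) if version_line else None,
        "findings": find_leaked_credentials(log_text),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Anything the scanner flags in a log that was already public should be treated as compromised and rotated, since upgrading the CLI only stops future leaks; the report masks values so that the triage output does not itself become a second copy of the secret.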
This critical elevation-of-privilege vulnerability affects Windows’ HMAC implementation. An HMAC can be used to determine whether a message sent over an insecure channel has been tampered with, provided that the sender and receiver share a secret key. Successful exploitation requires the attacker to first log on to the system; from there, they can gain SYSTEM privileges by running a specially crafted application that exploits the vulnerability, taking control of the affected system. If the attack is performed from a low-privilege Hyper-V guest, the attacker could cross the guest’s security boundary and execute code on the Hyper-V host.
This Microsoft Office security feature bypass vulnerability allows an attacker to send a victim a PowerPoint document that opens in editing mode rather than Protected View. This could allow malicious macros to run without interference from the Protected View feature. Successful exploitation requires the end user to open the malicious file themselves; for this reason, the vulnerability is rated important rather than critical.
Windows SmartScreen is a security feature within Microsoft Windows designed to safeguard against malicious software and harmful websites. This important vulnerability, which is actively exploited in the wild, allows an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. Exploitation requires the victim to click on a specially crafted Internet Shortcut (.URL) file or a hyperlink pointing to one.
ASP.NET is a widely used web development framework for building web applications on the .NET platform. This publicly disclosed important vulnerability could be exploited if HTTP requests to .NET 8 RC 1 running under the IIS in-process hosting model are cancelled: thread counts increase and an OutOfMemoryException becomes possible. If successfully exploited, this vulnerability could result in a total loss of availability.
Desktop Window Manager (DWM) is the core Windows component responsible for rendering everything visible on a laptop or PC screen. If successfully exploited, this important vulnerability, which is both exploited in the wild and publicly disclosed, could enable an attacker to obtain SYSTEM privileges.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Nov
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 15/11/23
In this week’s round-up:
QNAP has addressed two critical vulnerabilities affecting the operating systems of their NAS devices. The first of these flaws, if exploited successfully, could allow a remote attacker to execute arbitrary code on the target device. The flaw is known to affect devices running QTS, QuTS hero, and QuTScloud, and is being tracked as CVE-2023-23368 (CVSS Score: 9.8).
Exploitation of the second vulnerability could also lead to remote code execution capabilities, and affects QTS, Multimedia Console, and the Media Streaming add-on. Tracked as CVE-2023-23369, this flaw has a CVSS score of 9.0.
We strongly urge all users of QNAP devices to apply the latest updates as soon as possible.
For a full list of affected and fixed versions, please see these advisories for CVE-2023-23368 & CVE-2023-23369.
By thehackernews.com
Veeam has released patches for four vulnerabilities, two of which are critical, that are currently affecting their Veeam ONE Software.
With a CVSS Score of 9.9, the first flaw could allow a remote attacker to execute arbitrary code. This vulnerability can be exploited by an unauthenticated attacker and is being tracked as CVE-2023-38547.
The second critical flaw allows a user with insufficient privileges to access and obtain the hashed password of the Veeam ONE Reporting Service. Sporting a CVSS Score of 9.8, this flaw is being tracked as CVE-2023-38548.
The third flaw allows an attacker to obtain an administrator’s access token, but requires both power-user privileges for the attacker, and interaction from the target admin. Because of these hard-to-meet requirements, CVE-2023-38549 is considered a medium-severity vulnerability.
Lastly, there is a minor flaw (CVE-2023-41723) that could allow read-only users to access Veeam ONE’s dashboard schedule; this was fixed in the latest patch.
As far as we know, these flaws have not been actively exploited in the wild, but patching should still be a priority. Hotfixes addressing all four flaws were released for Veeam ONE versions 11, 11a, and 12. We advise all users to apply the latest updates as soon as possible.
By securityweek.com
Four zero-day vulnerabilities have been discovered in Microsoft Exchange; successful exploitation of these flaws could lead to remote code execution, or the theft of sensitive data. Trend Micro’s Zero Day Initiative originally reported these vulnerabilities to Microsoft in early September, but Microsoft engineers did not consider them serious enough to address immediately.
This week, two months after the initial discovery, Trend Micro decided to publicly disclose these zero-days with their own tracking IDs (ZDI-23-1578, ZDI-23-1579, ZDI-23-1580, ZDI-23-1581). Trend Micro’s team reportedly disagreed with Microsoft’s unwillingness to respond quickly and took action themselves.
All four of these vulnerabilities require authentication to exploit, which brings their CVSS scores down dramatically; this is likely why Microsoft chose to postpone fixes. We recommend consulting the ZDI advisories (linked above) for full details.
By bleepingcomputer.com
ChatGPT, the large language model-based chatbot developed by OpenAI, suffered intermittent outages late Wednesday due to “abnormal traffic” to the service. OpenAI reported that the service received an unusually high amount of traffic which caused periodic outages to users and API integrations. While OpenAI hasn’t said that the traffic was part of a cyberattack on its systems they have referenced that it bears signs of a DDoS attack causing their systems to be overloaded with requests.
By forbes.com
The NCSC has issued a public warning to internet users about “enhanced” online scams in the run-up to Black Friday. The warning advises users to be vigilant because of the threat of AI-generated content being used by cyber criminals to commit online fraud.
The use of AI to assist in scams is expected to increase and to appear across emails, fake adverts, and bogus websites, all advertising Black Friday deals to victims. Last year, £10 million was lost to cyber criminals around Black Friday, and this is only expected to grow as AI generates more accurate and professional-looking content to dupe victims into giving away their financial details or downloading malware on an increasingly large scale.
By ncsc.gov.uk
Japan Aviation Electronics (JAE), a contractor for the Japanese defence sector, was attacked by the ransomware gang ALPHV, also known as BlackCat. JAE confirmed that a cyberattack had taken place as an external party accessed some systems without authorization.
“We are currently investigating the status of damage and restoring operations, but some systems have been suspended, and there have been some delays in sending and receiving emails,” JAE reported.
No information has been shared regarding the type of data that may have been accessed and JAE noted that there is no indication information was leaked.
By cybernews.com
Edition #258 – 10th November 2023
By Joshua Hare on 9/11/23
In this week’s round-up:
The latest feature update for Windows 11, 23H2, has arrived. This update contains some exciting new features but is also accompanied by some currently unfixed bugs.
Firstly, the biggest talking point for 23H2 is the introduction of Windows Copilot. Copilot is Windows’ new AI assistant that is designed to help you with your daily operations; this AI can rewrite content from documents in a summarised format, execute actions, interact with your applications and more. While this new feature has generated a lot of hype and excitement, it has reportedly missed the mark upon arrival. Despite its promising capabilities, Copilot is often misinterpreting the requests of users, and not producing the desired responses in its current state. There has also been a bug reported by many users in which desktop icons will randomly move and jitter when two or more monitors are being used at once. We expect this to be an incredibly powerful tool once these issues have been ironed out.
Accompanying Copilot in this new feature update is an overhaul to File Explorer, with some new components that will help users to organise and manage their File Explorer windows.
With passkey management, and a shift towards a passwordless experience too, this feature update is one to be excited about. With Microsoft already working on bug fixes for 23H2, we hope to see the features introduced in this update really flourish soon.
Popular skincare brand Clinique revealed this week that its Spanish branch had suffered a data breach, exposing the personal information of more than 700K customers. Responsibility for the attack was claimed by an individual on a data leak forum, who says the stolen data includes the full names, addresses, emails, phone numbers, and more of around 200,000 users. The attacker also claims to have accessed a dataset of more than 600,000 email addresses, although this number has not yet been verified.
Fortunately, no passwords seem to have been leaked, but the scale of this breach is still a concern.
The attacker was supposedly able to access the data through a flaw in Clinique’s loyalty program, more details on this are not currently known. We will await a statement from Clinique and provide more information on this attack when it becomes available.
By cybernews.com
Scarred Manticore, an Iranian hacking group with ties to Iran's Ministry of Intelligence and Security (MOIS), has been found running a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year. This discovery was made by Israeli cybersecurity firm Check Point, who stated:
"Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers,"
Scarred Manticore has been seen using a previously unknown malware framework called LIONTAIL and a web forwarder tool called LIONHEAD as part of these attacks.
By thehackernews.com
The Russian-linked ransomware group LockBit has claimed on its data leak site to have compromised Boeing’s systems. The group stated it holds a vast amount of Boeing’s data that will be published should the company refuse to comply with its ransom demand by November 2nd at 1:23 pm UTC.
“For now, we will not send lists or samples to protect the company BUT we will not keep it like that until the deadline […] All available data will be published!" LockBit posted.
Technical details of how the attack took place and the amount of data exfiltrated have been kept quiet by both parties, with a Boeing spokesperson stating only, “we are assessing this claim”. More information surrounding the attack will likely emerge in the future.
By cybernews.com
Cisco has addressed a total of 27 vulnerabilities in its latest patches for the Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) products.
Cisco’s semi-annual bundled publication reported on 22 of these vulnerabilities, including 8 rated critical: 5 related to denial of service and 3 to command injection. The most severe vulnerability patched, tracked as CVE-2023-20048, could allow command injection in FMC due to “insufficient authorization of configuration commands that are sent through the web service interface”, Cisco stated.
By securityweek.com
Global IT company Accenture has acquired Innotec Security, a Spain-based cybersecurity company with a focus on cybersecurity-as-a-service. The deal will add “500 cybersecurity professionals to Accenture Security’s workforce of 20,000 professionals globally”. With demand for security services in Europe rising, Accenture believes the acquisition of Innotec will significantly improve its ability to provide managed security services within the region.
By newsroom.accenture.com
Edition #257 – 3rd November 2023
By Joshua Hare on 2/11/23
In this week’s round-up:
CVE-2023-20198 & CVE-2023-20273
Cisco has updated their advisory for the two critical vulnerabilities that were recently found affecting Cisco IOS XE devices. With both flaws being actively exploited in the wild, it is critical that all organisations using these devices apply the latest patch as a priority.
To help UK organisations address this threat, the NCSC has compiled the must-know information into an easily digestible format. The top recommendations for mitigating these vulnerabilities are:
“Check for compromise using the detection steps and indicators of compromise (IoCs) detailed in the Cisco advisory.
If you believe you have been compromised and are in the UK, you should report it to the NCSC.
Disable the HTTP Server feature on all internet-facing devices, or restrict access to trusted networks.
Install the latest version of Cisco IOS XE. More information is on the Cisco website. Organisations should monitor that advisory for the latest information and software updates.”
By ncsc.gov.uk
The latest IBM study has shown that AI language models, including ChatGPT, are capable of writing sophisticated phishing emails that are close to perfect. IBM composed both human-written and ChatGPT-written phishing emails and distributed them to 1,600 employees of an unnamed company. Of the 800 employees who received a human-written email, 14% were fooled; the ChatGPT pool, on the other hand, had an 11% click rate. While human-composed phishing emails are still more successful, the prospect of using AI language models to construct phishing emails is concerning, and they will only become more effective with time.
Full details of the study can be found here.
By cybernews.com
A new side-channel attack developed by academic researchers at the University of Michigan and Ruhr University Bochum is able to steal information from Safari with “near-perfect accuracy”. The attack, named iLeakage, bypasses the side-channel protections currently implemented by browser vendors by applying a timeless and architecture-agnostic method based on race conditions. The researchers found they could steal information from Safari by speculatively reading and leaking any 64-bit pointer in the address space Safari uses for its rendering process. Mitigation measures for devices vulnerable to this attack can be read here.
By bleepingcomputer.com
Last month, the Wordfence Threat Intelligence team publicly disclosed a complete list of vulnerabilities affecting the AI ChatBot WordPress plugin. Despite being fixed in version 4.9.1, some of the flaws re-emerged in the following version; all have been readdressed in 4.9.3, and all users of the AI ChatBot plugin are advised to upgrade to this version as soon as possible.
The biggest vulnerability addressed in this patch was a critical Unauthenticated SQL Injection flaw which has a CVSS score of 9.8 and is being tracked as CVE-2023-5204.
A full list of the addressed vulnerabilities, and details, can be found in this Wordfence article.
By wordfence.com
Okta, a world leader in identity and access management services, suffered an intrusion on the 20th of October 2023. The breach specifically targeted its customer support system, and Okta has reported that “around 1 percent” of its customer base was affected.
1Password, an Okta customer, said they had warned the company of suspicious activity on the 29th of September, which was ultimately related to this incident. BeyondTrust and Cloudflare also reported similar activity to Okta.
A TrustedSec security consultant commented on this incident, saying: “What I find surprising in this case is that, after the 2022 breach, you'd think Okta would be on high alert for any externally exposed systems or personnel who may be targeted—and yet something has happened again,”.
1Password, BeyondTrust, and Cloudflare have all taken proactive measures to block intrusions before their customers were affected and highlighted their concerns to Okta weeks in advance of this attack.
By wired.com
Edition #256 – 27th October 2023
By Samuel Jack on 26/10/23
In this week’s round-up:
Earlier this year, Google announced that it would be offering its new “passkey” technology as an authentication alternative to standard passwords. The feature was introduced with the intention of eventually replacing passwords. This week, Google announced that passkeys would become the default authentication method for all accounts, with passwords being relegated to a secondary option.
Many Google users may be unfamiliar with passkeys and how they work. Your passkey will live on your smartphone; when attempting to sign in on your computer, you will be prompted to unlock your phone – this will then grant you access on your computer. The idea is to eventually eliminate the use of passwords entirely, and use this new technology to replace passwords, security questions, multi-factor authentication, and more.
If you are still curious and want to know more about how passkeys work, please see this Google article that answers all the questions you may have about the feature.
By wired.com
The Web User Interface for Cisco’s IOS XE software is currently affected by a critical vulnerability that, if successfully exploited, allows an attacker to create an account with privilege level 15 access. This flaw is already being actively exploited in the wild and affects any physical or virtual devices that have the IOS XE Web UI exposed to the internet. With this flaw only affecting devices that have the HTTP or HTTPS Server feature enabled for IOS XE, Cisco have made the following recommendation:
“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.”
For a more detailed breakdown of these mitigation steps, please consult this Cisco Security Advisory (CVE-2023-20198).
By blog.talosintelligence.com
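Both this item and the NCSC guidance in edition #256 above come down to the same two questions for every IOS XE device: is the Web UI server (HTTP or HTTPS) enabled, and if so, is it restricted to trusted networks? The following is an added example (not Cisco’s code or the Ironshare post’s) that audits a saved running-config for exactly that, using the `ip http server` and `ip http secure-server` commands quoted above. The sample configs are constructed, and treating `ip http access-class` as the “restrict to trusted networks” control is an assumption (the exact syntax varies by release).

```python
import re

# Constructed sample configs: exposed, restricted by an ACL, and fully disabled.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
"""

RESTRICTED_CONFIG = """\
hostname core-sw-01
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

FIXED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
"""


def audit_http_server(config_text):
    """Report the HTTP/HTTPS server state and any access-class, plus findings to act on."""
    lines = [line.strip() for line in config_text.splitlines()]

    def state(cmd):
        # Only an explicit line is trusted; defaults differ between platforms.
        if cmd in lines:
            return "enabled"
        if "no " + cmd in lines:
            return "disabled"
        return "not in config (verify on device)"

    result = {"http": state("ip http server"),
              "https": state("ip http secure-server"),
              "access_class": None,
              "findings": []}
    for line in lines:
        m = re.match(r"ip http access-class (?:ipv4 )?(\S+)$", line)
        if m:
            result["access_class"] = m.group(1)
    for proto, cmd in (("http", "ip http server"), ("https", "ip http secure-server")):
        if result[proto] != "enabled":
            continue
        if result["access_class"]:
            result["findings"].append(
                f"{proto}: enabled but limited by access-class {result['access_class']}; "
                "confirm that ACL only permits trusted management networks")
        else:
            result["findings"].append(
                f"{proto}: enabled with no access-class; run 'no {cmd}' on internet-facing devices")
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("restricted", RESTRICTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_http_server(cfg))
```

Run this over configs pulled from a backup or config-management store to find devices that still need the `no ip http server` / `no ip http secure-server` change; a device where neither line appears should be checked on the box itself rather than assumed safe.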
Meta announced this week that they will now support the use of multiple WhatsApp accounts on a single device. Until now, individuals that use WhatsApp for work and personal purposes were forced to choose between carrying two phones, or constantly switching accounts. With this new feature, users will be able to configure a second account in the WhatsApp settings and easily move between the two.
More details on the privacy and configuration options for this feature can be found here.
By bleepingcomputer.com
A vulnerability in Atlassian Confluence Data Center and Server, tracked as CVE-2023-22515 and carrying the maximum CVSS score of 10, has been actively exploited in the wild by the nation-state threat actor tracked as Storm-0062. If successfully exploited, the vulnerability allows attackers to create admin accounts and modify configurations. A joint cyber security advisory from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center has warned all users to apply the necessary patch.
The advisory reads:
"On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalogue based on evidence of active exploitation […] Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks."
All users should update to the latest version and manually determine if any admin accounts have been unknowingly created.
By theregister.com
A vulnerability in WinRAR, a popular file archiver tool, has been exploited by Russian-backed threat actors. Google’s Threat Analysis Group (TAG) has reported observing multiple threat actors exploiting the vulnerability, tracked as CVE-2023-38831, which has been abused since early 2023.
The vulnerability causes “extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces. The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file” reports TAG.
Campaigns from multiple threat actors have been identified attempting to exploit this vulnerability on victims’ machines; an update is available, and applying it is advised so that users are protected from this attack.
By blog.google
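The quoted description above gives the two ingredients: a crafted archive and a file name whose extension contains a space. Public analyses of this flaw (an assumption beyond the post’s own text) describe the archive layout as a decoy file and a folder that share the same name ending in a space, with a script inside the folder. The following is an added example (not WinRAR’s, Google TAG’s or the Ironshare post’s code) that builds a ZIP with that layout in memory and scans for it; the sample archives and the extension list are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute when "opened". Assumption: extend as needed.
EXEC_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr")


def build_sample(malicious):
    """Constructed in-memory archives: the crafted layout versus a normal one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # decoy file "invoice.pdf " and a folder of the same name holding a script
            zf.writestr("invoice.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\necho constructed sample\r\n")
        else:
            zf.writestr("invoice.pdf", b"%PDF-1.4 real document")
            zf.writestr("notes/readme.txt", b"nothing to see")
    return buf.getvalue()


def suspicious_entries(zip_bytes):
    """Report top-level names that exist both as a file and as a directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files, children = set(), {}
    for name in names:
        top, sep, rest = name.partition("/")
        if sep:                      # entry lives under a directory
            children.setdefault(top, [])
            if rest:
                children[top].append(rest)
        else:
            files.add(top)
    hits = []
    for name in sorted(files & set(children)):
        hits.append({
            "name": name,
            "trailing_space": name != name.rstrip(),
            "executable_children": [c for c in children[name]
                                    if c.lower().rstrip().endswith(EXEC_EXTS)],
        })
    return hits


if __name__ == "__main__":
    print("crafted:", suspicious_entries(build_sample(malicious=True)))
    print("benign: ", suspicious_entries(build_sample(malicious=False)))
```

A file and a directory with the same name is abnormal in any archive, so the collision alone is worth a look; a trailing space plus an executable child inside the folder is the specific pattern to quarantine at the mail gateway or on the file share.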
The North Korea-linked Lazarus Group has been observed targeting job seekers in the defence and nuclear industries via fake interviews, tricking victims into downloading malware-laced Virtual Network Computing (VNC) applications. The application acts as a backdoor and dropper to further compromise the victim’s machine.
"The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews," reported Kaspersky, while Mandiant said: "Different threat groups share tooling and code; North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS."
By thehackernews.com
Edition #255 – 20th October 2023
By Joshua Hare on 19/10/23
In this week’s round-up:
Security News
The BianLian cybercrime group has publicly claimed responsibility for the recent attack on Air Canada, that resulted in the theft of personal information and private records.
BianLian’s confession stated that 210GB of data was exfiltrated during the attack, including technical documents, backups, employee data, and vendor and supplier information. The criminals’ plan was to leverage the stolen records to extort money from Air Canada, but these attempts were unsuccessful; as an additional incentive for the airline, BianLian has threatened to publish the stolen data if payment is not made.
Air Canada is currently standing their ground and refusing to negotiate with the threat actors; their latest statement has confirmed that no customer data was compromised but is advising everyone to enable multi-factor authentication as a precaution.
By bitdefender.com
A few weeks ago, the FBI announced that they had crippled the core infrastructure being used to operate the QakBot malware loader. This takedown was a huge success for the FBI, with more than 700,000 infected computers being claimed by the malware over the last 15 years.
Despite the FBI’s efforts, the QakBot operators have remained active. The Cisco Talos Threat Intelligence team has discovered new infrastructure being used by the attackers to power their infection attempts and phishing campaigns.
It was unclear whether the attackers would retire after their operations were dismantled, but it appears they have used the recent downtime to rebuild and continue with their existing campaigns.
By cybernews.com
The National Cyber Security Centre’s (NCSC) latest post focuses on “Mastering Your Supply Chain” and includes a collection of resources designed to introduce businesses to supply chain risk and guidance. The article also includes links to free learning modules that do not require any registration or login. Additionally, the NCSC has built these resources to cater to the needs of everyone, regardless of your level of expertise.
This is a great collection of information and educational content that we strongly advise all businesses to consider.
By ncsc.gov.uk
A malicious caching plugin for WordPress has been posing as a legitimate plugin to get users to install it. The plugin secretly houses a backdoor capable of managing plugins and hiding itself from the list of active plugins on a compromised website, replacing content, and redirecting certain users to malicious locations. The malware is also able to create a user account called “superadmin” with admin-level permissions and later remove that account along with any traces of it. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy," reports Wordfence.
By bleepingcomputer.com
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned users of Adobe Acrobat Reader about a vulnerability that is being actively exploited. Tracked as CVE-2023-21608, the vulnerability stems from a use-after-free bug within the software that allows remote code execution with the current user's privileges. The threat actors taking advantage of this vulnerability are not yet known; however, a proof-of-concept exploit has been available since late January 2023. Fortunately, Adobe has had a patch available since January 2023, and CISA is advising all users to update to the latest version of Adobe Acrobat Reader to avoid becoming a victim.
By thehackernews.com
A zero-day vulnerability in Confluence Data Center and Server, a tool for collaborative working developed by Atlassian, has been actively exploited by a threat actor labelled as Storm-0062 with links to China's Ministry of State Security. The zero-day, tracked as CVE-2023-22515 and with the maximum CVSS score of 10.0, is related to a “Broken Access Control Vulnerability in Confluence Data Center and Server” allowing unauthorized access to resources and the creation of administrator accounts. A patch is currently available however mitigation methods such as temporarily restricting external access or blocking /setup/* endpoint access at the network level have been proposed if an immediate update is not possible. Read more about the zero-day from Confluence here.
By cybersecuritynews.com
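Two checks follow from the advice in this item and in the Confluence item from edition #255 above: requests to `/setup/*` should not be arriving at an instance that finished setup long ago, and any administrator account that is not in the last reviewed list needs explaining. The following is an added example (not Atlassian’s code or the Ironshare post’s) that runs both over a Tomcat-style access log and an account list; the log lines, the request paths and the account names are constructed.

```python
import re

# Apache/Tomcat "combined" style access-log line; only the named fields are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: normal user activity plus one scripted hit on a /setup/ path.
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - jsmith [04/Oct/2023:11:30:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Oct/2023:11:31:02 +0000] "GET /login.action HTTP/1.1" 200 4120 "-" "python-requests/2.31.0"
203.0.113.9 - - [04/Oct/2023:11:31:03 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
10.1.2.3 - jsmith [04/Oct/2023:11:35:10 +0000] "POST /rest/api/content HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

KNOWN_ADMINS = ["admin", "jsmith"]               # last reviewed baseline (constructed)
CURRENT_ADMINS = ["admin", "jsmith", "support"]  # as exported from the instance now (constructed)


def setup_endpoint_hits(log_text):
    """Return every request whose path sits under /setup/, with who sent it and the status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith("/setup/"):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits


def new_admin_accounts(known_admins, current_admins):
    """Accounts holding admin rights now that were absent from the known-good list."""
    return sorted(set(current_admins) - set(known_admins))


if __name__ == "__main__":
    for hit in setup_endpoint_hits(SAMPLE_ACCESS_LOG):
        print("setup endpoint hit:", hit)
    print("unexplained admins:", new_admin_accounts(KNOWN_ADMINS, CURRENT_ADMINS))
```

A /setup/ request that was answered with anything other than a 403 or 404 is the thing to chase; combined with an admin account nobody provisioned, it is strong evidence that the patch arrived after the fact and that the instance needs an incident response rather than just an upgrade.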
With 104 vulnerabilities addressed this month, Microsoft’s October Patch Tuesday is the second biggest release of the year. This batch of security updates is compiled of 13 critical and 91 important vulnerabilities, two of which have been publicly disclosed. With 3 flaws being actively exploited, we advise reading this round-up of Microsoft’s October Patch Tuesday and applying updates as soon as possible.
Edition #254 – 13th October 2023
By Joshua Hare on 12/10/23
With 104 vulnerabilities addressed this month, Microsoft’s October Patch Tuesday is the second biggest release of the year. This batch of security updates is compiled of 13 critical and 91 important vulnerabilities, two of which have been publicly disclosed. With 3 flaws being actively exploited, we advise reading this round-up of Microsoft’s October Patch Tuesday, and applying updates as soon as possible.
This important vulnerability in Skype for Business has been seen exploited in the wild and has been publicly disclosed. An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses, port numbers, or both to the attacker. An attacker who successfully exploited the vulnerability could view certain sensitive information; not every resource within the impacted component would necessarily be divulged, but what is disclosed could provide access to internal networks.
An important vulnerability present in WordPad could lead to the disclosure of NTLM hashes if exploited correctly. An attacker would first have to log on to the system or convince a local user to open a malicious file, then run a specially crafted application that could exploit the vulnerability and take control of an affected system. This has been seen exploited in the wild and has been publicly disclosed.
A new important zero-day, actively exploited since August, has been addressed this month. The attack abuses HTTP/2’s stream cancellation feature, continuously sending and then cancelling requests to exhaust the target system’s resources, which can lead to denial of service. While this is not something Microsoft can patch outright, mitigation steps have been provided, such as disabling HTTP/2 and applying rate limiting.
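The rate-limiting mitigation mentioned above, as an added example that is not from Microsoft or the original post: a small Python sliding-window limiter that closes an HTTP/2 connection once it cancels more streams than a threshold allows within a short window, replayed over a constructed frame log. The thresholds, the frame log and the connection names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed example (not code from the Patch Tuesday post): a per-connection
# limiter that counts RST_STREAM frames in a sliding window. HEADERS opens a
# stream and RST_STREAM cancels it; a Rapid Reset client sends the pair back to back.
HEADERS, RST_STREAM = "HEADERS", "RST_STREAM"

def constructed_frame_log():
    """Constructed (timestamp, connection_id, frame_type) log: a normal 'browser' and a 'flood' client."""
    frames = []
    for i in range(20):  # browser: 20 streams over 2 s, cancelling a few of them
        frames.append((i * 0.1, "browser", HEADERS))
        if i % 5 == 0:  # occasional legitimate cancel (user navigated away)
            frames.append((i * 0.1 + 0.01, "browser", RST_STREAM))
    for i in range(200):  # flood: 200 open-and-cancel pairs inside 0.2 s
        frames.append((0.5 + i * 0.001, "flood", HEADERS))
        frames.append((0.5 + i * 0.001, "flood", RST_STREAM))
    return sorted(frames)

class RapidResetLimiter:
    """Close a connection once it sends more than max_resets RST_STREAM frames
    inside any window_seconds interval (thresholds are illustrative assumptions)."""

    def __init__(self, max_resets=50, window_seconds=1.0):
        self.max_resets, self.window = max_resets, window_seconds
        self.resets = defaultdict(deque)  # conn_id -> recent RST_STREAM timestamps
        self.closed = set()

    def observe(self, ts, conn_id, frame_type):
        """Record one frame; return True if conn_id should be closed."""
        if conn_id in self.closed:
            return True
        if frame_type != RST_STREAM:
            return False
        q = self.resets[conn_id]
        q.append(ts)
        while ts - q[0] > self.window:  # evict resets that fell out of the window
            q.popleft()
        if len(q) > self.max_resets:
            self.closed.add(conn_id)
            return True
        return False

def flagged_connections(frames, max_resets=50, window_seconds=1.0):
    """Replay a frame log and return the set of connections the limiter closed."""
    limiter = RapidResetLimiter(max_resets, window_seconds)
    for ts, conn_id, frame_type in frames:
        limiter.observe(ts, conn_id, frame_type)
    return limiter.closed
```

A real server would apply the same check at the frame layer and also weigh the ratio of cancels to opened streams, so that a client with a legitimately high request rate is not penalised.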
Two critical vulnerabilities were present in this month's Patch Tuesday relating to Microsoft's Message Queuing service. The most dangerous, CVE-2023-35349, could allow an unauthenticated attacker to remotely execute code on the target server while CVE-2023-36697 relies on an authenticated domain user to remotely execute code on the target server. The attacker needs to convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it run as a malicious server.
This critical vulnerability could lead to an escape from a contained execution environment. Successful exploitation of this vulnerability relies on complex memory-shaping techniques, and the attacker must be authenticated as a guest-mode user to escape the virtual machine.
A total of nine critical vulnerabilities have been patched in the Layer 2 Tunnelling Protocol (L2TP). An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. Successful exploitation of this vulnerability requires an attacker to win a race condition.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
11/10/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A large number of LastPass users have reported receiving phishing emails over the last month. This appears to be part of a widespread phishing campaign, targeting LastPass employees and customers. Initially, all of the reported emails came from the sender marketing@sbito.co[.]th, and included a link to a themed phishing page. Shortly after learning of this campaign, LastPass worked with Fortra’s PhishLabs to take down the domains being used in the attacks. While this was successful, it wasn’t long before a second wave of attacks hit, utilising a new email address and scam page.
The second set of domains was taken down quickly, and no attempts to continue the campaign have been observed. We expect LastPass and PhishLabs to remain vigilant for any signs of this campaign returning.
By cybernews.com
The latest announcement from Amazon Web Services states the organisation’s plans to enforce Multifactor Authentication for all user accounts. This change is expected to begin rolling out in mid-2024, with a focus on root users. Once this change has been implemented for root users, AWS are expected to extend this mandate to all users.
The announcement from Amazon stated:
“We recommend that everyone adopts some form of MFA, and additionally encourage customers to consider choosing forms of MFA that are phishing-resistant, such as security keys.”
It is great to see organisations enforcing MFA as this will surely have a positive security impact for all AWS customers.
By darkreading.com
Tech giant Sony recently disclosed news of a data breach, in which the personal information of more than 6500 people was compromised. This total included current and former workers, and their US resident family members. The Cl0p ransomware group has claimed responsibility for this attack, as Sony was added to their list of victims on their dark web portal. This attack was reportedly made possible by a zero-day affecting the MOVEit file transfer platform. The latest statement from Sony says that “This event was limited to Progress Software’s MOVEit Transfer platform and did not impact any of our other systems”.
The exact information that was compromised was censored and is not currently public knowledge. Current and former Sony workers are being advised to monitor their payment card activity for any signs of potential fraud or unauthorised transactions.
By cybersecuritynews.com
A ransomware attack on KNP Logistics Group’s IT systems in June which affected the company’s key systems, processes, and financial information has caused it to go into administration. The attack damaged KNP’s financial position and ability to secure additional investment and funding. Joint administrator, Mr. Mittal, reported "Despite being one of the UK's largest privately owned logistics group, KNP fell victim of a ransomware attack earlier this year that caused significant disruption. Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue. We will support all affected staff through this difficult time."
By bbc.com
Apple has released a patch to help protect iPhone and iPad users from a vulnerability being actively exploited. The vulnerability, tracked as CVE-2023-42824, results from a weakness in the XNU kernel that allows attackers to escalate privileges on iPhones and iPads. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," Apple said in a statement. This is the 17th zero-day fix Apple has pushed out since the start of the year.
By bleepingcomputer.com
A new Android trojan seen targeting banking, e-wallet, and crypto wallet applications in Asia Pacific countries has been detected by Group-IB. The trojan, dubbed GoldDigger and thought to have been operating since June 2023, abuses Android’s accessibility services to interact with targeted apps and extract personal information, stealing banking app credentials, intercepting SMS messages, and performing other actions. If the user grants full permissions to the trojan, it is also capable of viewing bank account balances, capturing multi-factor authentication codes, and logging keystrokes, as well as facilitating remote access to the device. It has been seen being distributed on websites impersonating the Google Play Store and corporate websites in Vietnam, and requires users to enable “install from unknown sources” in the device's settings. "One of the main features of GoldDigger is its use of an advanced protection mechanism […] This presents a challenge in triggering malicious activity in sandboxes or emulators," reported Group-IB.
By thehackernews.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #253 – 6th October 2023
By
Samuel Jack
on
5/10/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Google’s AI chatbot, Bard, was recently updated with a feature that allows users to share their chats with others using a shared link. While this feature does allow for public sharing, chat URLs showing up in Google searches was neither intended nor expected. Without warning, Google Search began indexing the shared links created for these chats, resulting in them mistakenly appearing in organic listings on search engines. Google revealed that these shared links are for “a specific prompt and Bard’s response or an entire chat”.
This was an unexpected issue, and Google are currently working to ‘re-educate’ the chatbot to help it better understand the importance of privacy. The intended outcome is that shared links remain accessible when the specific URL is visited directly, but no longer appear in organic search listings.
By theregister.com
Mozilla has just released version 118 of Firefox; this release includes fixes for nine total vulnerabilities, six of which have been classified as high severity.
As well as security fixes, Firefox will also receive several new features, including the automated translation of web content, improved anonymity for Web Audio, add-on suggestions for users in the US, and more.
We advise updating your browser as soon as possible, to ensure you are protected against the high-severity flaws currently affecting Firefox. For more details on the vulnerabilities addressed in this patch, see here.
By cybersecuritynews.com
OpenAI’s ChatGPT has previously been restricted to data from before September 2021. This prevented the AI chatbot from commenting on any events that occurred after this date, meaning it could not provide any information from the last two years. The latest update has lifted this restriction, allowing ChatGPT to access live news and comment on current affairs. The feature is currently only available for premium users, but will soon be made available to all users.
Another feature that was announced, but not yet implemented, is the introduction of voice conversations.
By bbc.co.uk
This week, Google were alerted to a high-severity buffer overflow vulnerability that was being actively exploited in the wild. Tracked as CVE-2023-5217, this flaw exists in the VP8 encoder of the libvpx video codec library. The resulting impact could range from denial of service to full-blown remote code execution in the user's Chrome browser.
This was found by Google’s TAG researchers, who observed an attacker utilising the exploit to install spyware on users' devices. This is the second zero-day in two weeks, after CVE-2023-4863, a buffer overflow vulnerability identified in the WebP image library.
Google has since produced a patch to protect against CVE-2023-5217 and recommends all users update to the latest version to protect against both of these vulnerabilities.
By bleepingcomputer.com
A newly seen phishing campaign impersonating the Red Cross, a nonprofit humanitarian organization, has been discovered by NSFOCUS Security Labs. During the investigation, NSFOCUS reported that the campaign was of a “high technical level and cautious attack attitude” and “part of the attacker's targeted strike on specific targets.”
Orchestrated by AtlasCross, this phishing campaign utilises malicious macros in a Microsoft document, that appears to be related to blood donation. When launched, the macros in the false document will work to extract system metadata to a remote server.
Not much is known about the group behind the attack, due to the target scope being very limited; despite this, NSFOCUS has confirmed that “the attack processes they employ are highly robust and mature.”
More details on the nature of these attacks can be found here. This includes a more in-depth breakdown of the data exfiltration, and IoCs that are related to the campaign.
By thehackernews.com
Intel is currently being investigated as part of an EU antitrust case, in which they have been accused of illegally excluding rivals from the EU market and blocked Advanced Micro Devices from competing back in 2009. Further investigation also showed that Intel had paid HP, Acer, and Lenovo to cease or delay products between November 2002 and December 2006. "The General Court confirmed that Intel's naked restrictions amounted to an abuse of a dominant market position under EU competition rules," the European Commission reported. As a result of this case, the U.S. chipmaker has been fined $400 million (376M Euros).
By cybernews.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #253 – 29th September 2023
By
Joshua Hare
on
28/9/23