Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A cyberattack on MGM Resorts has resulted in some of its systems being impacted, including its website, online reservations, and in-casino services. The company stated that it “recently identified a cybersecurity issue affecting some of the Company’s systems” and that it “took prompt action to protect our systems and data, including shutting down certain systems.” Some services, such as ATMs, have been switched to manual operation, while the website informs customers that it is currently unavailable and that hotel reservations “at any of our destinations” can be made over the phone. The nature of the attack and its technical details have not yet been publicly disclosed by MGM Resorts.
By darkreading.com
N-able’s Take Control Agent is a remote management tool used to troubleshoot and resolve device issues. A vulnerability in this software, tracked as CVE-2023-27470 with a CVSS score of 8.8, is a Time-of-Check to Time-of-Use (TOCTOU) race condition that could be exploited to delete arbitrary files on a Windows system. The race window lies between the logging of multiple file deletion events and the corresponding delete actions performed on a specific folder, "C:\ProgramData\GetSupportService_N-Central\PushUpdates." "To put it simply, while [Take Control Agent] logged the deletion of aaa.txt, an attacker could swiftly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system," Mandiant security researcher Andrew Oliveau said.
By thehackernews.com
A threat actor tracked as Storm-0324 has been identified by security researchers at Microsoft as using Teams as a platform for phishing. “Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” the researchers said. The threat actor has been seen sending links to malicious SharePoint-hosted files, as well as using TeamsPhisher, a tool that enables “Teams tenant users to attach files to messages sent to external tenants”, to further its campaign. Microsoft noted that “these Teams-based phishing lures by threat actors are identified by the Teams platform as ‘EXTERNAL’ users if external access is enabled in the organization,” and said it has suspended accounts and tenants associated with fraudulent behaviour and rolled out enhancements and restrictions to protect customers.
By cybernews.com
This week, we have seen an influx of phishing attacks targeting our customers and associated partners; what makes these attacks so interesting to us is the absence of a traditional link or attachment. Instead, these emails featured QR codes and attempted to bait the user into scanning the code with their mobile phone. This is the key difference that we have found makes quishing attacks so effective: their enhanced ability to evade detection by security measures. We have noticed Office 365 having difficulty spotting these emails because there is no link or attachment to detect.
The attempts we have seen this week utilised the typical urgent approach, with requests such as:
“Please Scan the QR code below with your smartphone camera to view your account statement and balance.”
This may be a serious risk for parties who do not consider the security of corporate and BYOD mobile devices. Mobile device management and protection seems to be a point of weakness for a lot of businesses; with this new phishing method seemingly on the rise, we advise considering the risks that quishing may present to your organisation.
A critical zero-day vulnerability has been found affecting Google Chrome; this was discovered after being actively exploited in the wild and was quickly addressed in an emergency patch for Chrome 116. This zero-day has been labelled as a heap buffer overflow vulnerability in WebP, a compressed image format for use on the Web. Successful exploitation of this flaw could lead to the execution of arbitrary code on the target system.
All Google Chrome users are advised to update their browser to the latest version as soon as possible, to ensure they are protected against this flaw. More details on the nature of this vulnerability can be found here.
By darkreading.com
Welcome to our Round-Up of Microsoft’s Patch Tuesday for September! This month’s batch of security updates includes fixes for 61 total vulnerabilities, 5 of which are considered critical. With two vulnerabilities being actively exploited in the wild, we recommend consulting this round-up, and applying the latest updates to ensure you are protected.
More details on the key vulnerabilities addressed this month can be found here.
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #251 – 15th September 2023
By Joshua Hare on 14/9/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The cybercrime group Gold Melody has been identified as an initial access broker (IAB); the group’s recent activity has been closely monitored by the SecureWorks Counter Threat Unit, who have observed Gold Melody selling access to compromised organisations.
Gold Melody’s current operations involve the use of web shells, publicly available utilities, and remote access trojans to gain access to target systems and set up reverse tunnels to hard-coded IP addresses. The group’s new direction as an IAB is very clearly financially motivated and relies on the exploitation of known, unpatched vulnerabilities. The main takeaway from these attacks is “the importance of robust patch management.” While it can be difficult to prepare for unknown threats, ensuring that you are protected against all known vulnerabilities is essential.
By thehackernews.com
Cisco has just made the surprise acquisition of cybersecurity software firm Splunk. At a total of $28 billion, this is reportedly Cisco’s largest ever acquisition, and is part of its vision to become one of the “largest software companies globally”, with a heavy focus on cybersecurity and the protection of organisations worldwide. As part of the deal, Splunk CEO Steele will join Cisco’s executive leadership team and continue to build on his contributions to Splunk after being in charge for the last year. The acquisition is not yet complete, and either party would be required to pay a termination fee of more than $1 billion should it choose to withdraw from the deal.
By cnbc.com
MGM Resorts have been in the headlines for the last week, following a cyber attack that has crippled their operations. 10 days later, MGM have reported that all computer systems are back online and operational, and issued a statement saying:
“We are pleased that all of our hotels and casinos are operating normally.”
While operations have been restored, the investigation has not yet concluded, and analysts are still working to measure the impact and long-term effects of the incident.
By securityweek.com
The ICC reported that they have been a victim of a cyberattack when “at the end of last week, The ICC’s services detected anomalous activity affecting its information systems,” a statement said. The ICC reports they are currently in the process of investigating and remediating the ongoing incident while “ensuring that the work of the court continues.” Information surrounding the attack such as information accessed, identification of the attackers, and other elements hasn’t been made available by the ICC.
By cybernews.com
Leaked documents from Microsoft have revealed its designs for upcoming consoles, controllers, and games. The leak came from confidential material in the ongoing legal dispute between the Federal Trade Commission and Microsoft. The documents, which were meant to be redacted, revealed emails, presentations, and other communications about the company’s future plans. This is a significant blow to Microsoft, which was also at the mercy of threat actor Storm-0324, who managed to steal signing keys and gain access to the emails of US employees in July.
By cybernews.com
Customers using the T-Mobile app reported seeing other users' information on their accounts. The information included customers' names, phone numbers, addresses, account balances, and credit card details such as the expiration date and the last four digits of the card number. T-Mobile reported that there was no cyberattack on its systems and that the issue was caused by “a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved.” However, multiple customers had reported the issue up to two weeks before it was fixed. This is yet another failing for T-Mobile, which has been hit by nine data breaches since 2018, displaying a pattern of lax security practices.
By bleepingcomputer.com
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #252 – 22nd September 2023
By Joshua Hare on 14/9/23
September’s Patch Tuesday provides fixes for 61 vulnerabilities, a slight reduction from last month’s 76. These are split into 5 critical, 55 important, and 1 moderate vulnerability; 2 were detected being exploited in the wild and only 1 was publicly disclosed.
This important-rated vulnerability, both publicly disclosed and exploited in the wild, could allow an attacker to steal NTLM hashes, which can be cracked or used in relay or pass-the-hash attacks. The discovery came from the Microsoft Threat Intelligence team, who disclosed the vulnerability. The preview pane has been reported to be an attack vector, meaning that a victim only has to preview the document to be exploited.
This important-rated vulnerability is the second seen exploited in the wild this month. An attacker may exploit a flaw in Microsoft Streaming Service Proxy, a service related to Microsoft Stream, to elevate their privileges to the highest level in Windows, SYSTEM.
An unauthorized attacker could exploit this critical Internet Connection Sharing (ICS) vulnerability by sending a specially crafted network packet to the ICS service to achieve remote code execution. The attack is limited to systems connected to the same network segment as the attacker: it cannot be performed across multiple networks and is confined to systems on the same network switch or virtual network.
An attacker who successfully exploited this critical vulnerability could gain Cluster Administrator privileges. The attack can be carried out over the internet and has low complexity, because the attacker does not require significant prior knowledge of the cluster or system and can achieve repeatable success when attempting to exploit the vulnerability.
Three critical remote code execution vulnerabilities were present in Visual Studio this month. An attacker would need to convince a user to open a maliciously crafted package file in Visual Studio, which would then execute locally on the victim's machine, allowing the attacker to run custom code contained in that specially crafted file. Microsoft has rated exploitation of these vulnerabilities as less likely.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Sep
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 13/9/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Google’s latest patch rollout for Android is a notable one, with fixes for multiple security flaws including an actively exploited zero-day. This zero-day, tracked as CVE-2023-35674, has been classified as a high-severity privilege escalation flaw that exists in the Android Framework.
In addition to this flaw, three other privilege escalation flaws were present in the Android Framework; all of these were patched as part of this batch of updates and, if exploited, “could lead to local escalation of privilege with no additional execution privileges needed.”
Full details for this month’s batch of updates can be found here in the Android Security Bulletin for September.
By thehackernews.com
In August, the Electoral Commission announced that the data of 40 million voters had been exposed to “hostile actors”, who were able to gain access to its email systems and databases. This news comes shortly after the commission was given an automatic fail on its Cyber Essentials audit.
Cyber Essentials is a cybersecurity certification that requires your organisation to pass a basic test. While this is a voluntary audit, it is an effective way of showing your customers that you are following the “minimum best practice” in cybersecurity. Receiving an automatic fail in this audit shows that the Electoral Commission is severely lacking in security, and it is no surprise that they have now suffered a data breach.
Some of the reasons for the automatic fail were:
- 200 staff laptops running obsolete and insecure software
- Corporate mobile phones were old, unsupported iPhones that no longer receive security updates
It is unclear if these vulnerable devices were the cause of this attack, but the news of their failed audit almost certainly paints a target on their back for other cybercriminals.
While the majority of the stolen data was already public, a large portion of it belonged to individuals who had opted out of the public list.
By bbc.co.uk
Back in November 2022, the LastPass password manager service suffered a breach in which the encrypted and plaintext passwords of more than 25 million vaults were leaked. Since this occurred, there have been concerns over the encrypted passwords being cracked; experts fear that this is now starting to happen almost one year on from the attack. It is believed that criminals are using offline attacks to perform uninterrupted brute force attacks on these master passwords, which means it is only a matter of time before they are revealed.
Though it has been 10 months since the attack, it is likely that users are still using the same password; we urge all LastPass users to update their vault’s master password and enable multi-factor authentication. This is best practice for protecting against account compromises, especially in the event of your password potentially being exposed.
By krebsonsecurity.com
Just Kids Dental alerted authorities to a security breach on August 8th. The breach affected a total of 129,623 potential victims. The targeted data included names, email addresses, phone numbers, dates of birth, social security numbers, medical records, and health insurance details; JKD also stated that “no patient banking or credit card account information was obtained.” Fortunately, no future misuse of the data is expected, but healthcare providers have told the victims and their guardians to remain vigilant against identity theft and fraud.
By cybernews.com
A company that provides high-security fencing for military bases has been attacked by the well-known LockBit ransomware gang, who stole 10 GB of data from the firm. On August 5-6, hackers were seen exploiting a Windows 7 PC to gain access to the company’s servers and steal data, which has now been published on the dark web. It is believed that no classified documents were stored on the system, and the stolen data is not considered high risk.
By grahamcluley.com
Staff and Students at the University of Michigan were warned on Tuesday that they must reset their passwords after a recent security breach. If passwords are not changed by September 12th, UMICH will begin restricting access to accounts. This was communicated to all staff and students in an email sent out by the CISO and CIO; the email stated:
"If you do not change your password, you will not be able to use your UMICH password, including services that use the U-M Weblogin and U-M managed devices. Alumni, retirees and other groups can change their passwords now. Additional information for these groups will be coming soon."
By bleepingcomputer.com
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #250 – 8th September 2023
By Joshua Hare on 7/9/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Cybersecurity researchers have discovered a flaw in the Microsoft Entra ID application, that could allow an attacker to elevate their privileges. This exploit requires the attacker to take advantage of an abandoned reply URL and utilise it to “redirect authorization codes to themselves”. Once the codes have been exchanged for access tokens, the criminal can obtain elevated privileges by invoking the Power Platform API via a middle-tier service and altering the environment configurations.
This exploit was responsibly disclosed to Microsoft back in April; a fix was issued almost immediately, meaning this flaw is no longer present.
By thehackernews.com
Mom’s Meals is a popular meal delivery business, specifically for individuals with chronic health conditions. Earlier this week their parent company, PurFoods, announced that the business had suffered a data breach, with more than 1.2 million customers affected. The latest report of this incident mentions the encryption of sensitive files, and unauthorised network access; this suggests that the company suffered a ransomware attack, in which user data was stolen and publicised.
While specific details of the attack have not been released, it was confirmed who is affected, and what data was compromised:
“Affected individuals include those who have received Mom’s Meals packages, including Medicare, Medicaid and self-paying members without an eligible health plan or who don’t qualify for government assistance.”
The stolen information includes customers’ names, Social Security numbers, payment card information, health information, and more.
While the origin of the attack is still unknown, it is possible this was related to the security consultancy Kroll, who has had access to PurFoods’ credit monitoring service for the last year. Kroll also recently suffered a cyberattack, which could be related.
By techcrunch.com
The National Cyber Security Centre has issued a warning to organisations regarding the use of large language models and AI chatbots, ChatGPT included. Many businesses are excited by the idea of implementing large language models in their work and are starting to integrate them into certain services. While this is an exciting prospect, it is vital to consider the potential risks that come with it. LLMs are still very new, and there is a great deal we do not understand about them; if we do not yet understand their full capabilities, how can we understand their weaknesses and flaws?
Some issues that have been raised include chatbots saying “upsetting or embarrassing things”. While these kinds of issues are a problem for a business’s reputation, there are almost certainly security vulnerabilities present that are yet to be discovered.
The NCSC is not opposed to the integration of large language models but advises any businesses who wish to do so to do their due diligence and ensure that they are implementing the technology safely and with minimal risk.
By infosecurity-magazine.com
The FBI has taken down the QakBot botnet in their latest significant cybersecurity operation and were even able to remove the malware from all infected machines.
Originally starting out as a banking trojan built to steal credentials, QakBot grew into a malware delivery service used for ransomware attacks, data theft, and other malicious cyber activity. It was primarily spread through phishing emails and exploit kits before the FBI seized the attackers' server infrastructure, effectively disrupting its operations. By accessing one of the QakBot administrators’ devices, the FBI was able to capture the encryption keys used to communicate with the command-and-control servers and replace the botnet’s “supernode” with one developed by law enforcement.
This allowed the FBI to distribute a custom DLL that uninstalled the malware from approximately 700,000 infected devices. "The shellcode unpacks a custom DLL (dynamic link library) executable that contains code that can cleanly terminate the running QakBot process on the host," reported SecureWorks.
No arrests were made in the wake of this incident and although this is a big hit to QakBot’s operations it is unlikely to be the last we will hear from them.
By bleepingcomputer.com
A new attack method being actively exploited has been reported by Japan’s Computer Emergency Response Team (JPCERT).
The technique, known as “MalDoc in PDF”, involves a malicious file that has the structure of a PDF, but can be opened using Microsoft Office as a .doc file causing it to perform malicious behaviours. This can confuse PDF analysis tools, sandboxes, and antivirus software due to the PDF file structure meaning they are unable to detect the malicious contents inside.
JPCERT elaborated on this technique, stating that “the MalDoc file is created by adding an mht file and macro to a "PDF" file object.”
According to JPCERT, malicious Word file analysis could be an effective countermeasure to this method as it would be able to detect the macro.
By cybernews.com
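The countermeasure JPCERT describes is to look past the PDF header and analyse the file as a Word document. The triage check below, an added example rather than JPCERT’s or Ironshare’s own code, applies that idea to raw bytes: a file that carries the PDF magic together with MHT container headers and Word document markers has the MalDoc-in-PDF shape and should be routed to macro analysis instead of being trusted on its PDF header alone. The marker strings and the sample blobs are constructed for illustration; none of the samples is a real or working malicious file.

```python
"""Triage check for the "MalDoc in PDF" polyglot (added example, not JPCERT code).

A PDF-centric scanner trusts the leading "%PDF" bytes. Word, however, opens the
same file as an MHT (MIME HTML) document if the MHT container and Word markers
are present. Looking for both families at once flags the polyglot for deeper
Word/macro analysis instead of letting the PDF header decide the verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PDF_MAGIC = b"%PDF"

# MHT container headers; a plain PDF body has no reason to carry these.
MHT_MARKERS = (
    re.compile(rb"MIME-Version:", re.IGNORECASE),
    re.compile(rb"Content-Location:", re.IGNORECASE),
    re.compile(rb"Content-Type:\s*multipart/related", re.IGNORECASE),
)

# Markers that make Word treat the MHT content as a Word document.
WORD_MARKERS = (
    re.compile(rb"<w:WordDocument>", re.IGNORECASE),
    re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>', re.IGNORECASE),
)

# Hints that a macro/VBA project travels inside the MHT part (assumed indicators;
# editdata.mso is where Word's MHT format stores ActiveMime-packed VBA).
MACRO_MARKERS = (
    re.compile(rb"vbaProject\.bin", re.IGNORECASE),
    re.compile(rb"editdata\.mso", re.IGNORECASE),
)


@dataclass
class Verdict:
    is_pdf: bool
    mht_hits: list[str] = field(default_factory=list)
    word_hits: list[str] = field(default_factory=list)
    macro_hits: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # PDF header + MHT container + Word markers is the MalDoc-in-PDF shape.
        return self.is_pdf and bool(self.mht_hits) and bool(self.word_hits)


def _hits(patterns, data: bytes) -> list[str]:
    """Return the source pattern of every regex that matches the data."""
    return [p.pattern.decode("latin-1") for p in patterns if p.search(data)]


def scan_maldoc_in_pdf(data: bytes) -> Verdict:
    """Report which marker families are present in the raw file bytes."""
    verdict = Verdict(is_pdf=data[:4] == PDF_MAGIC)
    verdict.mht_hits = _hits(MHT_MARKERS, data)
    verdict.word_hits = _hits(WORD_MARKERS, data)
    verdict.macro_hits = _hits(MACRO_MARKERS, data)
    return verdict


# Constructed samples: only the marker strings are present, nothing executable.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

POLYGLOT_SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_Part"\n'
    b"Content-Location: file:///C:/doc.htm\n"
    b'<?mso-application progid="Word.Document"?>\n'
    b"<w:WordDocument>...</w:WordDocument>\n"
    b"Content-Location: file:///C:/editdata.mso\n"
    b"%%EOF\n"
)

# The same MHT/Word content without the PDF header: an ordinary MHT Word file,
# which Word-aware tooling already handles, so it is not the polyglot shape.
PLAIN_MHT_WORD = POLYGLOT_SAMPLE[len(b"%PDF-1.7\n"):]


if __name__ == "__main__":
    samples = (("benign pdf", BENIGN_PDF), ("polyglot", POLYGLOT_SAMPLE), ("plain mht", PLAIN_MHT_WORD))
    for name, blob in samples:
        v = scan_maldoc_in_pdf(blob)
        print(f"{name:10s} suspicious={v.suspicious} mht={len(v.mht_hits)} "
              f"word={len(v.word_hits)} macro={len(v.macro_hits)}")
```

A hit from this check is a reason to hand the file to a Word/macro analyser (as JPCERT suggests), not a final verdict on its own.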
Andy Jassy, Amazon's Chief executive, has warned remote workers of plans to return to office working for 3 days a week. The major tech company put a “return to office” policy in place on 1st May, where employees have to be in the office at least 3 days a week; this has forced some workers to relocate to other cities to comply with this request, however many employees are still resisting this change.
30,000 employees are petitioning the company to reconsider its stance on remote working.
“It’s easier to learn, model, practice, and strengthen our culture when we’re in the office together most of the time and surrounded by our colleagues. It’s especially true for new people, and we hired a lot of people in the pandemic,” Jassy stated in a post.
Failure to comply could see workers forced into a “voluntary resignation.”
By cybernews.com
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #249 – 1st September 2023
By Samuel Jack on 31/8/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Earlier this year, Duolingo left an API exposed, which led to 2.6 million user records being scraped. The scraped data has since been posted to a hacking forum and is known to include real names, usernames, and other non-public information such as email addresses.
The inclusion of email addresses in this breach is concerning, because it leaves users susceptible to targeted phishing attacks using information from their profile.
This data was scraped from the exposed API back in January but reports from Bleeping Computer state that this API is still “openly available to anyone on the web”. Questions have been asked as to why this has not been locked down yet, but Duolingo has remained quiet.
By bleepingcomputer.com
The personal details of more than 75,000 Tesla employees were exposed earlier this year, and the company has labelled the incident as “insider wrongdoing.” A German newspaper shared news of the breach with Tesla after obtaining the stolen data from two former Tesla employees. The newspaper, Handelsblatt, had no intention of publicly releasing the data and instead elected to disclose the news to Tesla in private.
An investigation has since been launched and the two former employees have had lawsuits filed against them.
The breach data was reported to include the names, addresses, phone numbers and email addresses of both current and former employees. More details on this incident can be found here.
By cybernews.com
The release of Google Chrome version 117 will include a new feature known as “Safety Check”. Safety Check has several capabilities designed to protect you against potentially malicious browser extensions. It notifies users of Chrome 117 if an installed extension is removed from the store for a policy violation or unpublished by its developer; the third, and most important, attribute notifies the user of any extensions that have been flagged as potential malware. In addition to these notifications, users now have a dedicated section in their “Privacy and Security” settings that makes it easy to remove any harmful extensions.
By infosecurity-magazine.com
Akira ransomware has been found targeting Cisco VPN products as a new method of infiltrating networks and stealing and encrypting data. The ransomware operation launched in March 2023, later adding a Linux encryptor to target VMware ESXi virtual machines. Sophos first identified abuse of VPN accounts in May, when researchers observed "VPN access using Single Factor authentication”. Researchers were unable to determine whether Akira brute-forced the VPN account credentials or whether they were gathered elsewhere, such as from a phishing campaign or purchased online. SentinelOne also researched the attack and shared information indicating that Akira could be exploiting an unknown vulnerability that bypasses all required authentication. Cisco recommends that all customers enable MFA for their VPN accounts to provide the best protection possible.
By bleepingcomputer.com
The latest statement from CloudNordic has advised all of its customers that a recent ransomware attack has "paralyzed CloudNordic completely.” The attack happened on the 18th of August, when the attacker shut down all of CloudNordic’s systems, wiping both customer and company websites and email systems. CloudNordic has stated that it “cannot and do not want to meet the financial demands of the criminal hackers for ransom” and that “unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us." CloudNordic has said it is ready to start bringing customer web and email servers back online, but data previously stored with the company will be lost.
By theregister.com
A high-severity flaw tracked as CVE-2023-32315 allows path traversal in Openfire’s administrative console, letting an unauthenticated attacker access restricted pages meant for privileged users. The flaw has affected all software versions since April 2015 and was patched earlier, in May, with the release of versions 4.6.8, 4.7.5, and 4.8.0. "Path traversal protections were already in place to protect against exactly this kind of attack, but didn't defend against certain non-standard URL encoding for UTF-16 characters […] the path traversal protections in place in Openfire were not updated to include protection against this new encoding,” the Openfire XMPP developers reported. The vulnerability is already known to be exploited in the wild, and Shodan data indicates that of the more than 6,300 Openfire servers exposed, up to 50% remain unpatched and vulnerable. Users are advised to update to the latest patch immediately to avoid a possible attack.
By thehackernews.com
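The Openfire bug is an instance of a traversal filter that recognised the encodings its authors had thought of and missed one they had not. The example below is added here and is not Openfire’s code: it places the fragile pattern (a blocklist of known encodings of “..”) next to the robust one (decode every accepted encoding to a fixed point, normalise, then test containment against the permitted root). It assumes the “non-standard UTF-16 URL encoding” in the advisory refers to the legacy %uXXXX form, and the root path and request strings in it are constructed for illustration.

```python
"""Canonicalise-then-check path containment (added example, not Openfire code).

The weak approach asks "does this string contain an encoding of '..' I know
about?", which fails the moment a server accepts an encoding the list lacks.
The robust approach decodes everything the server will decode, normalises the
result and only then asks whether the path is still inside the allowed root,
so the decision never depends on recognising a particular encoding.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote

# Legacy, non-standard %uXXXX escape (assumed to be the "UTF-16" encoding the
# Openfire advisory refers to). Standard %XX escapes are handled by unquote().
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def blocklist_filter_allows(requested: str) -> bool:
    """The fragile approach: reject only the spellings of '..' the author listed."""
    lowered = requested.lower()
    return not any(bad in lowered for bad in ("../", "..\\", "%2e%2e", "%2e."))


def decode_fully(raw: str, max_rounds: int = 5) -> str:
    """Apply %uXXXX and %XX decoding until the string stops changing.

    Repeating catches double-encoding (%252e -> %2e -> '.'). A string that is
    still changing after max_rounds is treated as hostile rather than guessed at.
    """
    cur = raw
    for _ in range(max_rounds):
        nxt = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), cur)
        nxt = unquote(nxt)
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError("path did not stabilise after decoding; refusing")


def resolve_under_root(root: str, requested: str) -> str | None:
    """Return the normalised absolute path if it stays under root, else None.

    root is the directory the caller is allowed to serve from; requested is the
    client-supplied relative path. Backslashes are folded to '/' because some
    servlet containers treat them as separators, and NUL is rejected outright
    because native file APIs would truncate the path there.
    """
    try:
        decoded = decode_fully(requested)
    except ValueError:
        return None
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    root_n = posixpath.normpath("/" + root.strip("/"))
    joined = posixpath.normpath(root_n + "/" + decoded.lstrip("/"))
    # Containment: the resolved path is the root itself or strictly below it.
    if joined == root_n or joined.startswith(root_n + "/"):
        return joined
    return None


if __name__ == "__main__":
    ROOT = "/srv/www/public"  # constructed example root
    for req in ("images/logo%20v2.png", "a/b/../c", "css/%2e%2e/%2e%2e/etc/passwd",
                "%u002e%u002e/admin.jsp", "%252e%252e/x", "..%5cadmin.jsp"):
        print(f"{req:32s} blocklist_allows={blocklist_filter_allows(req)!s:5s} "
              f"resolved={resolve_under_root(ROOT, req)}")
```

The printout shows the blocklist passing the %u-encoded and backslash-encoded requests that the canonicalising check rejects, which is the gap the Openfire patch closed.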
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #248 – 25th August 2023
By Samuel Jack on 24/8/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Earlier this week, Google announced the release of the first quantum-resilient FIDO2 security key implementation; this is set to become part of OpenSK and is Google’s latest step towards deploying quantum-resistant cryptography.
Standard public key cryptography will not be able to withstand attacks from quantum computers and, while quantum attacks are not a threat we currently face, it is only a matter of time until it becomes a reality.
Google’s announcement states that:
“While quantum attacks are still in the distant future, deploying cryptography at Internet scale is a massive undertaking which is why doing it as early as possible is vital.”
It is great to see this kind of proactive approach to security; as we get closer and closer to the practical usage of quantum computers, it is vital that we are prepared to face the certain threats that come with it.
By security.googleblog.com
On Monday, Clorox publicly disclosed that their networks had been accessed by unauthorised actors and, while clean up is in progress, some of their IT systems remain offline. Specific details of this breach have not been disclosed, but it was revealed that the firm has employed the services of third-party cybersecurity teams to assist in investigation and recovery.
Clorox’s latest statement confirmed that:
“systems will remain offline out of an abundance of caution, as we work to add additional protections and hardening measures to further secure them. As a result, some operations are temporarily impaired.”
It is not clear when operations will return to normal, but we expect to learn more information on this incident as the investigation progresses.
By theregister.com
Discord.io has been propelled into the spotlight, following the exposure of more than 760,000 user records. The leaked data included:
- Usernames
- Discord IDs
- Email Addresses
- Billing Addresses
- Salted and Hashed Passwords
Following the discovery of this breach, Discord.io posted a statement to their website, which stated the following:
“We have decided to take down our site until further notice. We will continue to investigate the possible causes of the breach, and we will take steps to ensure that this does not happen again. This will include a complete rewrite of our website's code, as well as a complete overhaul of our security practices.”
This statement also includes guidance for Discord.io users, as well as details on the cancellation of memberships.
See here for the full statement.
Discord.io is a third-party service that integrates with Discord, allowing users to create custom invitations for their channels and servers.
This service has no official affiliation with Discord and is managed by an independent third-party.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a significant security vulnerability in Citrix ShareFile that is currently being exploited by malicious actors. Citrix ShareFile is a managed file transfer cloud storage solution that allows users to upload and download files securely but also offers a “Storage zones controller” solution that allows enterprise users to configure their private data storage to host files, whether on-premises or cloud. The critical flaw, tracked as CVE-2023-24489 "has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller," Citrix explains. CISA urges organizations using Citrix ShareFile to take immediate action to mitigate the risk by applying the available security patches. The agency's advisory emphasizes the urgency of addressing this issue, as attackers are actively taking advantage of the vulnerability.
By bleepingcomputer.com
A sophisticated phishing campaign has sent over 1,000 emails containing malicious QR codes with the aim of stealing Microsoft credentials. The campaign, discovered in May, used PNG image attachments of QR codes and redirect links associated with Bing, Salesforce, Cloudflare, and others. The emails created a sense of urgency by spoofing Microsoft security alerts and claiming that the user needed to update their account’s MFA or another setting. The links embedded in the email or QR code led victims to a phishing site that harvested their Microsoft credentials. Of the more than 1,000 emails sent, over 29% went to the employees of a single top US energy company; the next four most affected industries were manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). Unfortunately, the campaign is still ongoing, with volume having increased by more than 2,400% since May. Readers are advised to always check the source of emails and not to scan QR codes or click on links from untrusted sources.
By darkreading.com
Cumbria Police have admitted that the names and salaries of all its staff were published on their website. The breach involved the pay and allowances of every police officer and staff member up until March 31st, 2022, but did not include dates of birth or addresses. The breach was brought to the attention of Cumbria Police on 6th March 2023 and was a result of “human error”; the sensitive information was removed from the website on the day it was discovered. This incident was labelled as “low” impact by Cumbria Police; however, it is unclear how long the information was accessible before being removed.
By bitdefender.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #247 – 18th August 2023
By
Samuel Jack
on
17/8/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Three individuals have been arrested for involvement in running a Phishing-as-a-Service platform called ‘16Shop’. These arrests were made by Interpol, as part of their successful operation to take down the 16Shop platform. The culprits were responsible for the compromise of more than 70,000 users before being busted this week, with attacks targeting services such as Apple, PayPal, American Express and more. One of the three arrested individuals was found to be the 16Shop site’s primary administrator, who is a 21-year-old Indonesian national. This is yet another example of a new proactive stance on cybersecurity, and it is great to see these active attempts to seek out and shut down cybercrime operations.
By thehackernews.com
The Colorado Department of Higher Education (CDHE) reported on Friday that it was the victim of a ransomware attack over an 8-day period in mid-June. The attack was first detected on the 19th of June, when an investigation discovered that the attackers had copied data from its systems. “CDHE took steps to secure the network and has been working with third-party specialists to conduct a thorough investigation into this incident,” the department stated, adding that it had “worked to restore systems and return to normal operations.” The data copied in the attack included names, Social Security numbers, student identification numbers, and “other educational records” ranging from bank statements and bills used as proof of address to copies of government IDs, complaints, and police reports. The affected individuals include anyone who:
• Attended a Colorado public high school between 2004-2020
• Attended a public institution of higher education in Colorado between 2007-2020
• Obtained a Colorado K-12 public school educator license between 2010-2014
• Participated in the Dependent Tuition Assistance Program from 2009-2013
• Participated in the Colorado Department of Education’s Adult Education Initiatives programs between 2013-2017
• Obtained a GED between 2007-2011
The CDHE has not clarified how many individuals were affected by the breach, or whether a ransom was paid.
By therecord.media
Hospitality Staffing Solutions (HSS), a US hospitality staffing services provider serving more than 1,000 properties, has suffered a data breach. A letter distributed by HSS stated that malicious actors gained access to files containing personal information: “Our review identified files that included your name and one or more of the following: Social Security number, driver’s license number, and/or financial account number.” According to the Maine Attorney General, the data breach exposed the data of 104,660 individuals to the hackers. HSS stated that it will be providing victims with free identity protection services for one year, an increasingly common sight among organisations that have had data breaches affecting individuals. Unfortunately, the data already stolen is likely to end up on hacking forums, to be sold to cybercriminals for nefarious purposes such as fraud, identity theft, phishing attacks, and opening bank accounts, with little chance of it ever being taken down.
By cybernews.com
A series of zero-day vulnerabilities dubbed ‘BitForge’ have been found to affect various cryptographic protocols used by popular cryptocurrency wallet providers. The affected protocols, GG-18, GG-20, and Lindell 17 are all used by providers such as Coinbase, ZenGo, Binance, and more. If exploited, an attacker could steal currencies straight from a wallet, without any interaction from the owner.
The Fireblocks Cryptography Research Team discovered these vulnerabilities back in May 2023; however, these were not publicly disclosed until this week. It was confirmed in a recent statement that both Coinbase and ZenGo patched these flaws before the date of the public disclosure; despite this, there are still many wallet providers that are vulnerable, including Binance.
Details on the nature of these vulnerabilities can be found here, if you are interested.
By bleepingcomputer.com
On July 18th Citrix published a patch for a critical zero-day vulnerability, CVSS 9.8, recorded as CVE-2023-3519. The vulnerability allows unauthenticated remote code execution (RCE) in Citrix's NetScaler application delivery controller and gateway products. Many security researchers have since publicly disclosed attacks exploiting this vulnerability, which has led to an increase in attackers exploiting it themselves to install web shells inside corporate networks, with dozens of compromises already carried out. "It's a complex case, given that Citrix is used in a lot of prominent organizations," says Piotr Kijewski, the CEO at Shadowserver. "We saw quite a few big names that were still vulnerable even a few days ago, including hospitals — these kinds of important institutions. So the potential consequences could be big if somebody attacks these organizations with ransomware a month from now." More compromises are expected in the coming weeks, as 7,000 impacted devices are still awaiting patches. Anyone using these devices is advised to patch them immediately to be protected from this critical flaw.
This flaw is being tracked as CVE-2023-3519, and details can be found here.
By darkreading.com
Patch Tuesday is here again with a whole host of patches for August. This month sees a reduction in patched vulnerabilities with only 76 being patched, a significant decrease from the 130 reported last month. A total of 6 critical, 68 important, and 2 moderate vulnerabilities were patched while 5 were publicly disclosed and 6 were seen exploited in the wild.
See here for our round-up of this month’s batch of Microsoft security updates!
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #246 – 11th August 2023
By
Samuel Jack
on
10/8/23
Patch Tuesday is here again with a whole host of patches for August. This month sees a reduction in patched vulnerabilities with only 76 being patched, a significant decrease from the 130 reported last month. A total of 6 critical, 68 important, and 2 moderate vulnerabilities were patched while 5 were publicly disclosed and 6 were seen exploited in the wild.
To exploit these critical vulnerabilities, an attacker would need to trick the victim into joining a Teams meeting, which would enable the attacker to perform remote code execution in the context of the victim user. The attacker does not need privileges to attempt to exploit these vulnerabilities. An attacker who successfully exploits them could perform a remote attack that enables access to the victim's information and the ability to alter it. Successful exploitation could also potentially cause downtime for the client machine. Fortunately, neither of these vulnerabilities has been exploited in the wild or publicly disclosed.
Microsoft Message Queuing (MSMQ) technology enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline by maintaining a message queue of undelivered messages. To exploit this critical vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server. This could result in remote code execution on the server side. This vulnerability is yet to be seen in the wild and hasn’t been publicly disclosed by Microsoft.
A vulnerability present in .NET and Visual Studio could allow an attacker to conduct a denial-of-service attack on a target system in a low-complexity attack without special privileges. This has been reported as exploited in the wild however has not been publicly disclosed by Microsoft.
In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit this important remote code execution vulnerability. In any case, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment. An attacker can plant a malicious file evading Mark of the Web (MOTW) defences which can result in code execution on the victim system. This vulnerability has been publicly disclosed and reported by Microsoft to be exploited in the wild.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
9/8/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A new sophisticated phishing campaign has been found exploiting a zero-day vulnerability in Salesforce’s email service. This campaign features a Meta-themed email warning the victim that their Facebook account is facing suspension. The interesting part here is the link in the email, which leads the user to a legitimate Facebook terms of service page before redirecting them to the phishing destination where their credentials are stolen. The incorporation of this legitimate Facebook link not only aids in fooling the user but also helps the email evade security mechanisms. This zero-day allowed threat actors to send emails from an address using the Salesforce domain, which further convinces victims that they are viewing a genuine email. Salesforce were notified of this zero-day in late June and have since patched the flaw for all impacted services.
By securityweek.com
The NoName hacker group has been active recently, with their latest campaign focusing on the disruption of top Italian banks. The most recent statement from the Italian National Authority for Cybersecurity reports DDoS attacks against at least 5 different banks. The websites of these major banks were taken offline for a short period, preventing customers from accessing their banking services. The group responsible, NoName, has claimed responsibility for all these recent attacks in their Telegram channel, where they have shared details of the attacks.
By cybernews.com
This week, Microsoft revealed that a recent string of targeted social engineering attacks was orchestrated by the Russian state-sponsored group Midnight Blizzard. These credential theft attempts are being sent via Microsoft Teams chat, and specifically target users belonging to an already compromised 365 tenant. The full attack involves the attacker compromising a Microsoft 365 tenant, setting up a subdomain and posing as a technical support user, and finally using this support account to fool the user into approving an MFA prompt.
More details on these attacks can be found here.
By thehackernews.com
Flipper Zero is a small multi-functional device used for cybersecurity and penetration testing purposes. It can interact with a plethora of systems over multiple radio frequencies, including remote keyless systems and proximity cards and readers, and also has Bluetooth and IR capabilities. A fake site under the domain flipperzero[.]at, which purports to give away free devices, closely mimics the legitimate site flipperzero.one, utilising the same website theme and copyright information and even linking to the legitimate Terms of Use and Privacy pages. Attempts to claim a free Flipper Zero are met with a request to enter personal information such as name, address, and email address. Flipper Devices have responded to the news of these phishing sites by confirming that they are not affiliated with them at all; it was also revealed that Flipper Devices are working hard to take the fake site down and protect their customers. Unfortunately, the phishing site is still active as of today, so we urge everyone to proceed with caution and be sure to only visit the legitimate 'flipperzero.one'.
By bleepingcomputer.com
American apparel brand, Hot Topic, has reported suspicious login activity for multiple “hot topic rewards” accounts. Investigation into these suspicious logins found that credential-stuffing attacks have been launched against their website and mobile application. The unknown threat actor used information likely bought off the dark web to gain access to customer accounts. It is possible the threat actor was able to collect names, email addresses, order history, phone numbers, mailing addresses, and birthdays from the breached accounts. Hot Topic is currently working alongside cybersecurity experts to implement new measures to protect its website and mobile platforms from credential-stuffing attacks as well as emailing users with instructions to reset their password and encouraging strong, unique passwords for its customer accounts.
By darkreading.com
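Credential stuffing, as in the Hot Topic incident above, has a recognisable shape in authentication logs: one source address cycling through many different usernames, almost all of them failing, with the rare success marking an account that should be force-reset. The following is an added example, not code from Hot Topic or darkreading.com, of the kind of sliding-window detection a defender would run over such logs. The log format ("timestamp ip username LOGIN_OK|LOGIN_FAIL"), the sample lines and the thresholds are all constructed assumptions for this example; real web or application logs will need their own parser.

```python
"""Credential-stuffing detector over a constructed authentication log.

Added example: flags any source IP that, within a short time window,
attempts many distinct usernames with a high failure ratio, and lists
the accounts that nonetheless logged in successfully from that IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2023-08-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2023-08-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2023-08-01T10:00:03 203.0.113.7 carol LOGIN_FAIL
2023-08-01T10:00:04 203.0.113.7 dave LOGIN_OK
2023-08-01T10:00:05 203.0.113.7 erin LOGIN_FAIL
2023-08-01T10:00:06 203.0.113.7 frank LOGIN_FAIL
2023-08-01T10:00:07 203.0.113.7 grace LOGIN_OK
2023-08-01T10:00:08 203.0.113.7 heidi LOGIN_FAIL
2023-08-01T10:00:09 203.0.113.7 ivan LOGIN_FAIL
2023-08-01T10:00:10 203.0.113.7 judy LOGIN_FAIL
2023-08-01T10:01:00 198.51.100.20 alice LOGIN_FAIL
2023-08-01T10:01:10 198.51.100.20 alice LOGIN_OK
2023-08-01T10:00:00 192.0.2.9 mallory LOGIN_FAIL
2023-08-01T10:10:00 192.0.2.9 oscar LOGIN_FAIL
2023-08-01T10:20:00 192.0.2.9 peggy LOGIN_FAIL
2023-08-01T10:30:00 192.0.2.9 trent LOGIN_FAIL
2023-08-01T10:40:00 192.0.2.9 victor LOGIN_FAIL
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for every IP whose activity in any `window`
    covers >= min_distinct_users usernames with a failure ratio >= min_fail_ratio.
    The summary counts the IP's activity over the whole log, so every
    successful login from a flagged source is reported for a forced reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, r in in_window if r == "LOGIN_FAIL")
            if len(users) >= min_distinct_users and fails / len(in_window) >= min_fail_ratio:
                alerts[ip] = {
                    "first_alert": evs[end][0].isoformat(),
                    "distinct_users": len({u for _, u, _ in evs}),
                    "attempts": len(evs),
                    "fail_ratio": round(sum(r == "LOGIN_FAIL" for _, _, r in evs) / len(evs), 2),
                    "successful_logins": sorted({u for _, u, r in evs if r == "LOGIN_OK"}),
                }
                break  # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

In the sample, 203.0.113.7 is flagged (ten usernames in ten seconds, 80% failures) and `dave` and `grace` are returned as accounts to reset; the legitimate user on 198.51.100.20 who mistypes a password once is not flagged because only one username is involved. The failure-ratio threshold also keeps a shared corporate NAT address, where many different users log in successfully, out of the alerts. Note the third source, 192.0.2.9: it tries one new account every ten minutes, so no five-minute window ever reaches the threshold. That is the usual low-and-slow evasion, and it is why per-IP rate detection should be paired with longer-horizon counters and controls that do not depend on source address, such as the password resets and MFA that Hot Topic is rolling out.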
Ninja Forms, a WordPress plugin used on around 900,000 sites, could allow a hacker to steal sensitive information entered into website forms. The most critical vulnerability allowed users with only subscriber or contributor roles to export all data that other users had entered via the site's forms. Patchstack, which originally discovered the vulnerability in June 2023, reported it to the plugin’s developer Saturday Drive for patching; however, Patchstack has said that the latest patch, Ninja Forms version 3.6.26, is incomplete and still leaves websites open to a data breach. Website owners are recommended to disable the plugin where possible or update to the latest version for better protection.
By bitdefender.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #245 – 4th August 2023
By
Samuel Jack
on
3/8/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
North Korean hacker group, Lazarus, has claimed its latest victim in Alphapo: a crypto payment provider for online platforms such as gambling and e-commerce sites. The attack occurred on Sunday, 23rd July, and Alphapo saw an initial loss of approximately $23 million; following investigation, the stolen amount was found to be close to $60 million. This total was made up of various cryptocurrencies, including 2.5K ETH, 5 million USDT, and more. While the group has not claimed responsibility for this attack, the techniques and characteristics of the theft align very closely with Lazarus’ typical style.
By bleepingcomputer.com
Eurostar, the UK to Europe rail service, is introducing a new facial recognition biometric system provided by iProov. This solution, known as SmartCheck, will first be implemented at London St. Pancras Station to “automate gate check-in processes and UK exit checks.” It aims to simplify the check-in process for passengers by allowing them to register their tickets, passports, and faces using their mobile; this allows for a simple, quick checkpoint where your face can be verified before admission.
While this sounds like a good step in the interest of efficiency, it does raise some security concerns, and the solution will of course have to comply with GDPR. Under GDPR, biometric and other personal data is required to be deleted within 48 hours of usage and cannot be shared with third parties. Details on the potential security risks of SmartCheck can be found here.
By cybernews.com
Police in Norway are currently investigating a cyberattack that has impacted the IT systems of multiple Norwegian government ministries. A total of 12 ministries were affected by the attack; however, it was confirmed that the following were unaffected: Norway’s Office of the Prime Minister, foreign ministry, defense ministry, and justice ministry. This attack was made possible by a now-patched vulnerability in a government supplier; government security specialists have, however, declined to provide more details on this.
By therecord.media
The U.S. Securities and Exchange Commission plans to introduce a new rule that would require all U.S. publicly traded companies to disclose details of a cyber attack within 4 days of discovery. While this disclosure rule will be mandatory, it was stated that the disclosure may be “delayed by an additional period of up to 60 days should it be determined that giving out such specifics would pose a substantial risk to national security or public safety.” These changes aim to benefit companies and investors and will make the cyberattack announcement process more consistent for all involved.
By thehackernews.com
The founder of one of Russia’s largest cybersecurity firms, Ilya Sachkov, has been jailed by the Russian government; the CEO has reportedly been sentenced to 14 years on charges of treason. It was revealed that Sachkov was detained two years ago and has been in custody ever since. His detention was classified until recently, and the public was not made aware until this week. This news was confusing for many, due to his positive work in bringing down many large-scale cybercriminal operations; however, multiple actions since this work have put him in the bad books of the Russian government. These actions include criticism of the Kremlin, sharing information on Russian operations with the US, and more.
By krebsonsecurity.com
Decoy Dog emerged recently as the latest Remote Access Trojan to gain visibility, and quite a few threat actors have utilised it in attacks over the last few months. We have recently seen a new version of Decoy Dog get released, with new, more robust persistence features; the Infoblox threat intelligence team has revealed that “at least three different cybercrime groups are using this new and improved version”, and it is believed that hundreds of devices have already been compromised. It is unclear whether there is a pattern in the targets of these attacks, but it is believed that a nation-state actor is behind the production of this RAT; this could indicate a stronger focus on critical infrastructure of value to these nation-state actors.
By darkreading.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #244 – 28th July 2023
By
Samuel Jack
on
27/7/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Kevin Mitnick, the world-famous hacker turned security consultant, has sadly passed away at the age of 59.
Mitnick became infamous in the mid-90s, when he was named the world's "most wanted" hacker for a two-year spree of computer fraud, and the theft of thousands of files and credit card numbers. After serving a five-year sentence, the reformed cybercriminal became a security advisor, and led a fruitful career in cybersecurity consultancy.
Mitnick unfortunately lost his battle with pancreatic cancer last Sunday but will always be remembered for his fiction-like journey in the world of cybersecurity.
Well known commercial spyware vendors Intellexa and Cytrox have been added to the US government’s Entity List due to a “possible threat to national security”. The vendors that occupy this list are subject to export restrictions, as part of the “ongoing crackdown against commercial surveillance technology”.
Intellexa recently came into the spotlight when they were found to be the creator of the Predator Android spyware; it is also believed that Cytrox is part of Intellexa and was responsible for the packaging and sale of zero-day exploits.
These discoveries were made largely by The Citizen Lab and Talos Intelligence, who worked together to research Intellexa’s recent activity. Talos Intelligence’s report of the PREDATOR spyware, and Intellexa’s involvement, can be found here.
By theregister.com
A WhatsApp outage on the 19th of July caused major disruption globally to both organisations and individuals, due to the heavy dependency of its users on the platform. DownDetector, an online platform for tracking service disruptions, saw an influx of users reporting that they were unable to communicate using WhatsApp. The cause of the outage is not yet known, as neither WhatsApp nor Meta has commented on it, although they said they were aware of the outage and were providing updates to concerned users. "We're working quickly to resolve connectivity issues with WhatsApp and will update you here as soon as possible," Meta said in a statement.
By bleepingcomputer.com
Security researchers have seen an increase in dark web forums and marketplaces selling OpenAI credentials. In the past 6 months, the dark web and Telegram mentioned ChatGPT more than 27,000 times. Threat actors are stealing credentials using stealer malware and selling the information on dark web marketplaces. A report from June by Group-IB stated that illicit marketplaces on the dark web sold logs containing more than 100,000 ChatGPT accounts.
By bleepingcomputer.com
Estee Lauder, the second largest cosmetics company in the world, is the latest victim of a cyber-attack involving the critical zero-day MOVEit vulnerability. The company released a statement about a “cybersecurity incident” involving an “unauthorized third party that has gained access to some of the Company’s systems.” Estee Lauder reported that it took systems offline and consulted with cybersecurity experts after being made aware of the breach. “Based on the current status of the investigation, the Company believes the unauthorized party obtained some data from its systems, and the Company is working to understand the nature and scope of that data. The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations,” Estee Lauder stated. The ransomware group Clop is responsible for the MOVEit zero-day attacks on many organisations, with experts predicting over 230 affected, and has reportedly stolen 131GB of data as well as archived data from Estee Lauder.
By cybernews.com
Adobe’s latest batch of security updates includes a vital fix for an actively exploited critical vulnerability in ColdFusion. This flaw has been labelled an “instance of improper access control that could result in a security bypass”, and is known to affect the following versions:
- ColdFusion 2023 (Update 2 and earlier)
- ColdFusion 2021 (Update 8 and earlier)
- ColdFusion 2018 (Update 18 and earlier)
Adobe confirmed in their latest statement that the flaw “has been actively exploited in the wild in limited attacks targeting Adobe ColdFusion.”
Users of Adobe ColdFusion are strongly recommended to update to the latest version as soon as possible. More details on this CVE, and the other flaws addressed in this batch, can be found here.
By thehackernews.com
Microsoft’s Patch Tuesday for July is a big one compared to recent months, with a total of 130 vulnerabilities being patched. This total comprises 9 critical and 121 important vulnerabilities, of which 2 were publicly disclosed and 6 were exploited in the wild.
For an overview of this month’s batch of Microsoft updates, visit our latest blog post here.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #243 – 21st July 2023
By
Samuel Jack
on
20/7/23
July’s Patch Tuesday has been a big one for Microsoft compared to recent months with a total of 130 vulnerabilities being patched divided between 9 critical and 121 important vulnerabilities. This release of Patch Tuesday is also accompanied by 2 publicly disclosed vulnerabilities and 6 vulnerabilities exploited in the wild.
A remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) component in Windows would allow a remote unauthenticated attacker to send malicious MSMQ packets to a vulnerable MSMQ server, leading to arbitrary code execution. A mitigating factor is that the Message Queuing service must be enabled on the server for exploitation to succeed. This vulnerability has not been publicly disclosed or exploited in the wild, but it carries a CVSS of 9.8, making it a critical vulnerability.
Three Remote Code Execution vulnerabilities have been reported in Windows Routing and Remote Access Service (RRAS), which provides router and VPN gateway capabilities, each scoring a CVSS of 9.8. Exploiting these vulnerabilities requires an attacker to send specially crafted packets to a vulnerable server. Fortunately, RRAS is not installed on Windows operating systems by default, so those who haven’t installed and enabled the service aren’t affected by this attack.
This important, publicly disclosed, and exploited-in-the-wild vulnerability has been investigated by Microsoft due to its use in targeted attacks by the threat actor Storm-0978, a Russia-based cybercriminal group. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution on the victim's machine; the malicious file would need to be opened to trigger the exploit. Customers who use Microsoft Defender for Office were protected from attachments that attempt to exploit this vulnerability even prior to this patch.
If a victim opens a specially crafted URL sent by an attacker, it can bypass the Windows SmartScreen security prompt when downloading or opening a file from the internet. This important vulnerability is known to be actively exploited and was discovered by Microsoft’s threat intelligence centre.
This is the second vulnerability this month that has been seen exploited in the wild. With a CVSS of 8.8, this important vulnerability would allow an attacker to bypass the Microsoft Outlook Security Notice prompt when a user clicks on a specially crafted URL, leading to compromise by the attacker, similar to CVE-2023-32049. This can be exploited through the Preview Pane; however, “additional user interaction” is needed, reports Microsoft.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
19/7/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Due to overwhelming privacy concerns, Meta’s Twitter competitor, Threads, will not be releasing in the EU. Ireland’s Data Protection Commission revealed this in a recent report, which stated that the service would not be made available to countries within the European Union “at this point”. There has been no official statement on plans for a future rollout but expect the application to be unavailable at least for the foreseeable future.
These privacy concerns were initially raised over the amount of data being collected by Meta, but the latest update from Instagram’s chief executive indicates that the launch has been delayed due to “complexities with complying with some of the laws coming into effect next year.”
By thehackernews.com
Recent reports have uncovered the use of malvertising in advertisements on Bing and Google shown when searching for “WinSCP download” (or similar); WinSCP is an open-source Windows file transfer application. The malicious advertisements forward the victim to a website cloned from the legitimate site, hosted at winsccp[.]com, as a method of encouraging the user to download the software onto their machine.
From this point, an ISO file is downloaded from an infected WordPress webpage, containing an executable called setup.exe which performs tasks to maintain persistence on the machine and loads an obfuscated version of Cobalt Strike beacon that connects to a command-and-control server. Ultimately, this will lead to the malware collecting information about the permissions, device, and environment and collecting files of interest. Other steps include dropping a KillAV BAT script onto the device to disable or bypass anti-virus and installing the AnyDesk remote management tool to further maintain persistence.
By trendmicro.com
Users of the solar power monitoring system SolarView are being urged to update their application following the active exploitation of three critical RCE flaws, all of which have been assigned a CVSS score of 9.8 out of 10. Palo Alto researchers first discovered that the Mirai gang were exploiting these vulnerabilities to expand their botnet, but it has now been confirmed that a number of amateur hackers are also taking advantage of the critical bugs.
It is believed that, if exploited correctly, “the attacker is able to leverage control of the compromised monitoring system to do greater damage or get deeper into the environment.” This comes from a statement given by the senior technical engineer at Vulcan Cyber, Mike Parkin.
It has also been reported that “Less than one-third of 600 internet-facing SolarView systems found on Shodan are patched”.
All three vulnerabilities were addressed in version 8.00 of SolarView, and we urge all users to apply the latest update as soon as possible. More details on the research into these vulnerabilities can be found here.
By darkreading.com
Mozilla have released Firefox 115 this week, which includes fixes for several high-severity vulnerabilities. The most notable of these flaws are two use-after-free bugs, in WebRTC certificate generation and in SpiderMonkey (Firefox’s JavaScript engine). Mozilla have urged all Firefox users to update their browser to version 115 as soon as possible, to ensure you are protected against these high-severity bugs.
By infosecurity-magazine.com
Fortinet, a cyber security company providing hardware and software solutions, has warned customers of a critical vulnerability affecting its FortiGate firewalls. Tracked as CVE-2023-27997 with a CVSS score of 9.8 out of 10, it is a heap-based buffer overflow [CWE-122] in the FortiOS and FortiProxy SSL-VPN that may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet reported that the flaw “may have been exploited in a limited number of cases” in attacks “targeted at government, manufacturing, and critical infrastructure.” Of the roughly 490,000 FortiGate SSL VPN interfaces known to be exposed to the internet, 69% are unpatched. All organisations using a FortiGate firewall are advised to update to the latest patched release immediately to be protected from this critical vulnerability.
By therecord.media
Tracked as CVE-2023-3269, StackRot is a serious vulnerability in the Linux kernel's memory management subsystem, which manages virtual memory, paging and memory allocation, and maps files into a process's address space. The flaw lies in the kernel's handling of stack expansion, where a weakness in the “maple tree” (a new data structure used to track virtual memory areas) leads to a use-after-free condition that can be exploited to elevate privileges. StackRot affects all kernel configurations on Linux versions 6.1 to 6.4. A patch is available, and users are advised to update to be protected from this vulnerability.
By bleepingcomputer.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #242 – 7th July 2023
By Samuel Jack on 6/7/23
In this week’s round-up:
Microsoft has warned users of a recent increase in credential-stealing attacks, and it appears that the Russian state-affiliated group Midnight Blizzard is responsible. Midnight Blizzard, previously known as Nobelium, is best known for its role in the 2020 SolarWinds supply chain compromise and, since its exposure, has shown no signs of slowing down. Microsoft stated that “these credential attacks use a variety of password spray, brute-force, and token theft techniques.” This is not the only ongoing campaign from Russian groups, and it only emphasises their persistence.
By thehackernews.com
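The password-spray and brute-force techniques mentioned above leave different shapes in sign-in telemetry, and telling them apart decides which accounts to look at first. The script below is an added example (not Microsoft's code and not from the article): it aggregates failed sign-ins per source IP over a sliding window, calls one source failing against many distinct accounts a spray and one source hammering a single account a brute force, and records any successful sign-in from a flagged source. The log lines, thresholds and window are constructed for the demo.

```python
"""Password-spray vs brute-force triage over sign-in events.

Added example. Aggregates failures per source IP over a sliding window:
many distinct accounts from one source = spray; many failures against one
account from one source = brute force. A success from a flagged source is
recorded because that account is the likely compromise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (timestamp,user,source_ip,result); not real data.
SAMPLE_LOG = """\
2023-06-28T09:00:01Z,alice,203.0.113.7,FAIL
2023-06-28T09:00:03Z,bob,203.0.113.7,FAIL
2023-06-28T09:00:05Z,carol,203.0.113.7,FAIL
2023-06-28T09:00:07Z,dave,203.0.113.7,FAIL
2023-06-28T09:00:09Z,erin,203.0.113.7,FAIL
2023-06-28T09:00:11Z,frank,203.0.113.7,SUCCESS
2023-06-28T09:01:00Z,alice,198.51.100.9,FAIL
2023-06-28T09:01:02Z,alice,198.51.100.9,FAIL
2023-06-28T09:01:04Z,alice,198.51.100.9,FAIL
2023-06-28T09:01:06Z,alice,198.51.100.9,FAIL
2023-06-28T09:01:08Z,alice,198.51.100.9,FAIL
2023-06-28T09:01:10Z,alice,198.51.100.9,FAIL
2023-06-28T09:30:00Z,grace,192.0.2.44,FAIL
2023-06-28T09:30:30Z,grace,192.0.2.44,SUCCESS
"""


def parse_events(text):
    """Parse CSV lines into (time, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_users=5, min_attempts=5):
    """Return {source_ip: finding} for sources matching a spray or brute-force pattern.

    The thresholds are assumptions for the demo; tune them to the tenant's sign-in volume.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        failures = [e for e in evs if e[3] == "FAIL"]
        peak_users, peak_failures = 0, 0
        # Slide a window anchored at each failure and keep the worst case seen.
        for i, (t0, _, _, _) in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - t0 <= window]
            peak_users = max(peak_users, len({e[1] for e in in_window}))
            peak_failures = max(peak_failures, len(in_window))
        if peak_users >= min_users:
            pattern = "password_spray"
        elif peak_failures >= min_attempts:
            pattern = "brute_force"
        else:
            continue  # ordinary noise, e.g. one user mistyping a password
        findings[ip] = {
            "pattern": pattern,
            "distinct_users_in_window": peak_users,
            "failures_in_window": peak_failures,
            "succeeded_as": sorted({e[1] for e in evs if e[3] == "SUCCESS"}),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

Run as-is it flags 203.0.113.7 as a spray that eventually succeeded as frank, and 198.51.100.9 as a brute force against alice; grace's single failure followed by a success is ignored. A real deployment would feed this from the identity provider's sign-in log rather than a string, and would also key on user agent and ASN, since sprays are routinely rotated across many source addresses.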
8Base is a highly active ransomware group that primarily targets small businesses with double extortion tactics. June 2023 has been the group's most active period since its arrival in March 2022, with approximately 30 victims this month alone. VMware investigated these attacks and found that 8Base's operations share many similarities with RansomHouse, sparking speculation that it may be a copycat. This is difficult to determine given the large number of tools and variants in use and the lack of a signature ransomware strain. 8Base has become the second most active group of the summer, with attacks on a variety of sectors including automotive, business services, construction, finance, healthcare and more.
By securityweek.com
The UK Cyber Essentials scheme has sparked concerns from many companies due to its current ‘one-size-fits-all’ approach to certification. These concerns largely come from small and medium businesses, who feel that some of the required controls are unrealistic or irrelevant to organisations of their size. A DSIT evaluation of the scheme highlights the “different challenges to implementing cyber security measures” and how these vary by organisation type, size, and sector. These views appear to be widely shared, and it would be good to see improvements to the tailoring, flexibility, and scalability of the Cyber Essentials scheme.
By infosecurity-magazine.com
Less than a month after Diablo IV was released on PlayStation, Xbox, and PC, the game suffered a DDoS attack on servers hosted by its developer, Blizzard. The attack caused outages for close to 12 hours, during which some players were unable to connect. The impact was made worse by the fact that the game's single-player mode also requires a connection to these servers. It remains unknown who conducted the attack, and whether it stopped because Blizzard put mitigations in place or because the attackers ceased.
By grahamcluley.com
A bug in File Explorer on machines running Windows 11 and Windows Server can cause it to freeze. The bug is triggered when a user views an item's effective access permissions by clicking the “View effective access” button under Properties > Security > Advanced for a shared file or folder; the user may see a message stating “Computing effective access...” without the query results ever being displayed. The explorer.exe process continues to consume CPU even after the advanced security settings dialogue is closed, causing the freeze. The bug is unlikely to affect most customer environments or home users of Windows 11. For Windows 11 22H2, the latest update has fixed the issue; for Windows 11 21H2 and Windows Server 2022, affected users are advised to reboot or sign out. “If you have attempted to view effective access, you can mitigate the CPU usage issue by restarting your device or by signing out for the affected user,” Microsoft said.
By bleepingcomputer.com
MOVEit, a product used to transfer data and to provide automation, analytics, and failover services, was found to contain a zero-day vulnerability used by the Russia-linked Cl0p ransomware gang to steal data from dozens of organisations. The New York City Department of Education was among the organisations targeted, with the personal details of 45,000 of the city's students exposed. The department patched the flaw within hours of becoming aware of it and, like many other organisations, took its servers offline. “Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers […] The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate,” the DOE said.
By cybernews.com
Edition #241 – 30th June 2023
By Samuel Jack on 29/6/23
In this week’s round-up:
The US State Department is determined to track down the operators of the Cl0p ransomware gang. Its most recent advisory states that a reward of up to $10 million is on offer to anyone willing to share information on Cl0p or similar cybercriminal gangs. This “Rewards for Justice” offer has been advertised in the hope that insiders come forward with useful information; the department is aware that coming forward may be dangerous for any insiders involved and has therefore encouraged that information be shared via encrypted messaging services such as WhatsApp or Telegram.
By grahamcluley.com
Between June 2022 and May 2023, over 100,000 ChatGPT account credentials were found for sale on dark web marketplaces. The discovery, made by Group-IB, shows that information-stealer malware logs containing ChatGPT credentials were being traded, and that most of these logs were produced by the notorious Raccoon infostealer, followed by Vidar and RedLine. Group-IB has explicitly stated that the logs come from commodity malware reporting stolen credentials back to its operators, not from a data breach at ChatGPT. “Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces […] additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host,” Group-IB said. Users are recommended to follow password best practices and secure their accounts with two-factor authentication to prevent account takeover.
By thehackernews.com
Microsoft has released a statement confirming that the early June disruptions to its services, including Outlook, Teams, SharePoint Online, OneDrive and the Azure cloud computing platform, were the result of a distributed denial-of-service attack. While initially reluctant to publicise the cause of the disruptions, it has since said the hacktivist group “Anonymous Sudan” was to blame, after the group flooded Microsoft with junk traffic and claimed responsibility on its Telegram channel. Microsoft has labelled the group Storm-1359, using the designator it assigns to groups whose affiliation it has not yet established, although some security researchers believe it to be of Russian origin. Security researcher Jake Williams stated, “We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” adding that Microsoft's apparent unwillingness to provide an objective measure of customer impact “probably speaks to the magnitude.” The attack was sustained over a week-long period, but services are now operational.
By apnews.com
Google tweeted an alert urging WhatsApp users on Android devices to update the app due to a bug involving access to the device's microphone. WhatsApp has said the bug caused “erroneous” privacy indicators and notifications in the Android Privacy Dashboard. Affected users had reported privacy concerns after seeing WhatsApp apparently accessing the microphone even when the app was supposed to be inactive. This mainly affected Samsung and Pixel phones, where the microphone activity was visible through the green dot indicator that shows when the camera or microphone is in use.
By cybernews.com
Apple's latest iOS security update is an important one, with fixes for remote code execution flaws that have been actively exploited in the wild. Apple describes the vulnerabilities as “memory corruption issues in the kernel and WebKit” that could allow an app to execute arbitrary code with kernel privileges.
These flaws were addressed in iOS 16.5.1, iOS 15.7.7, and iPadOS 15.7.7. Apple has attributed the discovery of the vulnerabilities to Kaspersky, who reported that the flaws were used by an APT attacker “launching zero-click iMessage exploits”.
By securityweek.com
A high-severity flaw was recently found in the Cisco Secure Client software, with Proof-of-Concept exploit code already publicly available. Successful exploitation of this vulnerability could allow an attacker to elevate privileges on the affected system.
This flaw was fixed in version 4.10MR7 of the AnyConnect Secure Mobility Client for Windows, and 5.0MR2 of the Cisco Secure Client for Windows.
We advise all users of the Cisco Secure Client or AnyConnect Client to update to the latest version as soon as possible.
By bleepingcomputer.com
Edition #240 – 23rd June 2023
By Samuel Jack on 22/6/23
In this week’s round-up:
A number of GitHub accounts have been flagged for malicious activity after they were discovered distributing malware disguised as proof-of-concept exploits for zero-days. The fake repositories claim to include PoCs for zero-day flaws in Discord, Microsoft Exchange Server, and Google Chrome.
It appears that a lot of effort went into making these fraudulent accounts believable, with full profiles being constructed, all claiming to belong to High Sierra Cyber Security; a company that does not exist.
A list of all known malicious repositories can be found here, as well as the accounts of the perpetrators.
By thehackernews.com
A Telegram bot has been found distributing the private data of vaccinated Indian citizens, reportedly stolen from the CoWIN vaccination tracking app. The bot, known as “hak4learn”, allegedly returns a person's personal data in exchange for their phone number or Aadhaar national ID number. If the number matches a record in the stolen database, the user receives that person's name, passport number, and date of birth in return. The app has more than 1 billion registered users, and the current leak is believed to include several hundred million records.
Local news outlets tested the bot's accuracy and were able to access the private information of multiple Indian politicians. The incident is being investigated by the Indian Computer Emergency Response Team, but little is known about how the data was leaked. We expect to see updates on this incident soon.
By wired.com
Enlisted, a free-to-play FPS game, has been used as a lure in a ransomware operation targeting Russian players. Although free to play, the game is unavailable in Russia under national bans on popular FPS titles, forcing Russian players to seek unofficial downloads. A ransomware gang has used this opportunity to distribute infected copies of the game. When a user runs the game's installer, the Crypter Python ransomware launcher executes, identifies target directories and files, and encrypts them with AES-256, appending the “.wncry” extension. The victim is left with a ransom note directing them to a Telegram bot, which supplies a cryptocurrency wallet address to pay in exchange for the decryption key.
By bleepingcomputer.com
In the lead-up to the Russian invasion of Ukraine, multiple cyber attacks on the Ukrainian government using the WhisperGate wiper malware left computer systems inoperable. The entity responsible has since been identified as Cadet Blizzard, a Russian APT. Reports say the group commonly gains initial access through known vulnerabilities in web servers such as Microsoft Exchange. It then moves laterally while evading detection, collects credentials, elevates privileges, establishes web shells to maintain persistence, and ultimately steals data and deploys malware. Cadet Blizzard has not limited its attacks to Ukraine; it has targeted organisations elsewhere in Europe, Central Asia, and even Latin America, including IT service providers, software supply chain manufacturers, NGOs, emergency services, and law enforcement. “Their goal is destruction, so organizations absolutely need to be equally worried about them, as they would with other actors, and take proactive measures like turning on cloud protections, reviewing authentication activity, and enabling multifactor authentication (MFA) to protect against them,” comments Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.
By darkreading.com
An ex-Samsung executive was recently arrested in South Korea on suspicion of stealing secret information relating to Samsung's chip technology. The former executive, who also worked as a vice president at SK Hynix, is accused, along with six other people, of stealing the data to build a rival factory; those charged include an inspection company employee accused of leaking architectural plans of a Samsung chip factory. The plan failed due to funding issues in 2018. “We will sternly deal with any leakage of our technology abroad and strongly respond to illegal leak of domestic companies' core technologies in semiconductor, automobile, and shipbuilding sectors, among others,” a national police official said in a statement.
By cybernews.com
UNC3886 is a Chinese cyberespionage group whose most recent activity involves exploitation of a new VMware ESXi zero-day. The vulnerability, if exploited successfully, allows an attacker to elevate their privileges on guest VMs. The group has been seen stealing credentials and deploying backdoors on targeted VMware ESXi hosts, vCenter servers, and Windows VMs.
The flaw is currently rated ‘low severity’, as exploitation requires existing root access to the affected ESXi host. More details on this zero-day can be found here.
By securityweek.com
Welcome to our round-up of June's Microsoft Patch Tuesday! This month's batch of security updates includes fixes for 78 vulnerabilities, 6 of which are rated critical. While none of the addressed flaws have been publicly disclosed or exploited in the wild, there are some key updates that we recommend applying as soon as possible.
For more information on the critical vulnerabilities patched this month, please see our dedicated Patch Tuesday round-up.
Edition #239 – 16th June 2023
By Samuel Jack on 15/6/23
June's Patch Tuesday addresses a total of 78 vulnerabilities, divided between 6 critical, 70 important, 1 moderate, and 1 low. None of this month's vulnerabilities are reported as publicly disclosed or exploited in the wild.
A vulnerability in Microsoft SharePoint Server scored a CVSS of 9.8, firmly marking it as critical. An attacker who has obtained spoofed JWT authentication tokens can use them in a network attack to bypass authentication and gain the privileges of an authenticated user, including an administrator.
Two important vulnerabilities, with CVSS scores of 8.0 and 8.8 respectively, could allow remote code execution on an Exchange server. CVE-2023-28310 allows an authenticated attacker on the same intranet as the Exchange server to achieve remote code execution via a PowerShell remoting session. CVE-2023-32031 could allow an authenticated attacker to trigger malicious code in the context of the server's account through a network call. Although the attacker must be authenticated in both cases, Microsoft has labelled both vulnerabilities as more likely to be exploited.
This important vulnerability, scoring 8.8, could allow an attacker who controls a Remote Desktop Server to achieve remote code execution on the client machine when a victim connects to the attacker's server with a vulnerable Remote Desktop client. The flaw lies in the Remote Desktop client component of Windows and in the Remote Desktop client for Windows Desktop application.
All three of these remote code execution vulnerabilities were rated critical with a CVSS of 9.8. They can be exploited when the Windows Message Queuing service is running in a PGM server environment: an attacker could send a specially crafted file over the network to achieve remote code execution. Only machines with the Windows Message Queuing service enabled are vulnerable to this attack.
Microsoft has announced that Windows 10 21H2 has reached end of servicing for the Home, Pro, Pro Education, and Pro for Workstations editions. Machines running these editions will need to upgrade in order to continue receiving security updates. Read more about the announcement here:
https://learn.microsoft.com/en-us/lifecycle/announcements/windows-10-21h2-end-of-servicing
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Jun
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 14/6/23
In this week’s round-up:
The LockBit ransomware group has claimed a total of 24 victims in a 24-hour period. Security researchers were active throughout the day, documenting the attacks as they were reported. The long list of victims includes Pittsburg Unified School District, a Virginia healthcare centre, the Icelandic municipality of Dalvíkurbyggð, and many more. The targeted organisations have been given ransom deadlines by LockBit, which threatens to publish stolen data if they are ignored.
By cybernews.com
Microsoft has been charged by the US Federal Trade Commission with illegally collecting and retaining Xbox user data, specifically data from children captured without parental consent. Microsoft will be limited in the information it is permitted to keep, which should “make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA” (the Children's Online Privacy Protection Rule). As a result, Microsoft is required to pay $20 million to the FTC. There is also speculation that the collected data was frequently shared with third parties, which is also being investigated.
By thehackernews.com
Getwid, a collection of Gutenberg blocks that extends the library of core WordPress blocks, has received an update addressing a newly discovered server-side request forgery flaw. Identified by security researcher Ramuel Gall, the vulnerability has a CVSS of 8.8 and lies in the get_remote_content REST API endpoint in versions up to and including 1.8.3.
This flaw could allow an authenticated attacker with subscriber-level permissions or higher to create web requests to arbitrary locations from the web application and query or modify information from internal services.
Technical details have been responsibly disclosed by Wordfence, and users of Getwid are advised to update to 1.8.4 or higher to be protected from this vulnerability.
By wordfence.com
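An endpoint that fetches remote content on behalf of a low-privilege user is the classic SSRF shape described above: whatever it will fetch, the subscriber can point at internal services. The block below is an added example (not Getwid's code) of the vetting such an endpoint needs: http(s) only, no embedded credentials, resolve the host and refuse any answer that is not a public address, and hand back the vetted addresses so the caller connects to those instead of re-resolving. The DNS answers are a constructed table so the example runs offline; `fake_resolve` stands in for `socket.getaddrinfo`.

```python
"""Outbound URL vetting for a 'fetch remote content' endpoint (added example).

validate_remote_url() returns (True, [addresses]) only for an http(s) URL
whose host resolves exclusively to public addresses. Returning the addresses
lets the caller connect to the checked IP rather than resolve a second time,
which closes the DNS-rebinding window between check and use.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table (assumption: stands in for socket.getaddrinfo).
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
    "metadata": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_fetch_target(url: str) -> str:
    """The pattern behind the bug class: the caller's URL is used exactly as supplied."""
    return url


def validate_remote_url(url: str, resolver=fake_resolve):
    """Return (True, [addresses]) for a safe public URL, else (False, reason)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    try:
        ipaddress.ip_address(host)
        addresses = [host]          # IP literal, including [::1]: nothing to resolve
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False, f"{host!r} did not resolve"
    for addr in addresses:
        if not _is_public(addr):
            # Reject if ANY answer is internal; a mixed answer is a rebinding setup.
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, addresses


if __name__ == "__main__":
    for u in ("https://cdn.example.com/feed.json", "http://169.254.169.254/latest/meta-data/",
              "http://rebind.example.net/", "file:///etc/passwd"):
        print(u, "->", validate_remote_url(u))
```

In a WordPress plugin the equivalent checks sit in front of `wp_remote_get`, and the HTTP client must also be told not to follow redirects automatically, since a redirect to an internal address would otherwise bypass everything above.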
ChatGPT has been in the cybersecurity spotlight recently, particularly for its ability to produce bespoke phishing emails and assist in hacking operations. The most recent concern is its ability to generate malicious polymorphic code: code that changes its structure to evade traditional signature-based malware detection and even advanced EDR (Endpoint Detection & Response).
A proof-of-concept has been developed in which a seemingly benign executable calls ChatGPT at runtime, requesting a freshly mutated version of the malicious code on each call; the result is a payload that many tools find difficult to detect.
“The malware ChatGPT can be tricked into producing is far from ground-breaking but as the models get better, consume more sample data and different products come onto the market, AI may end up creating malware that can only be detected by other AI systems for defense. What side will win at this game is anyone's guess,” said Mackenzie Jackson, developer advocate at cybersecurity company GitGuardian.
By csoonline.com
A weakness in Honda's e-commerce platform API allowed unauthorised password resets for user accounts. The flaw affected the platform for Honda's power equipment, marine, lawn, and garden divisions, but had no impact on its automobiles or motorcycles. Security researcher Eaton Works exploited the flaw to access administrator accounts with access to the business's internal network. The exposed data included:
• 21,393 customer orders across all dealers from August 2016 to March 2023
• 1,570 dealer websites
• 3,588 dealer accounts
• 1,090 dealer emails
• 11,034 customer emails
• Potentially Stripe, PayPal, and Authorize.net private keys, if provided by dealers
• Internal financial reports
This vulnerability in Honda's API was resolved on 3rd April 2023.
By bleepingcomputer.com
A new critical vulnerability has been discovered in the Cisco Expressway series and TelePresence Video Communication Server (VCS). With a CVSS score of 9.6, the flaw allows a read-only administrator to elevate their privileges to read-write on affected devices. This is possible due to an issue in the way password change requests are handled, which lets read-only admins request a password change for any user account on the target system and ultimately impersonate that user. Cisco has released a patch addressing the vulnerability and says it is not aware of any active exploitation. We advise all users of the Cisco Expressway series and TelePresence VCS to apply the latest patch as soon as possible.
By securityweek.com
Edition #238 – 9th June 2023
By Samuel Jack on 8/6/23
In this week’s round-up:
RaidForums was once a popular website for sharing leaked data; the site has been inactive for some time but recently returned to the headlines following the exposure of more than 470K of its users. The leak contains the usernames, passwords, and email addresses of RaidForums members; ironically, this is exactly the kind of data the site became known for trading. The validity of the data was confirmed by trusted researchers, but it is still unclear where it came from.
By cybernews.com
A recent study of U.S. clinics and hospitals found that fewer than one in five are sufficiently protected against basic phishing threats. Of the 2,000 clinics and hospitals surveyed, only 359 could confidently say that security policies were in place to catch and report phishing emails. Healthcare institutions have become a major target for cybercriminals over the last few years, making cybersecurity more important than ever. With the majority of these institutions not even implementing basic anti-spoofing DNS records (SPF and DMARC), there is justified concern over the safety of data and operations across the U.S. healthcare industry.
By securitymagazine.com
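The anti-spoofing records the study counts are published in DNS, so the posture of any domain can be checked from its SPF and DMARC TXT records. The block below is an added example (not from the study or the article) that parses both record types and reports the two basic findings a practitioner looks for first: an SPF record that actually fails unauthorised senders (`-all` or `~all`) and a DMARC policy of `quarantine` or `reject`. The records for the three fictional clinics are constructed; in practice the strings come from TXT lookups of the domain and of `_dmarc.<domain>`.

```python
"""Assess a domain's anti-spoofing posture from its SPF and DMARC TXT records (added example)."""

# Constructed sample records for three fictional clinics; not real domains.
SAMPLE_RECORDS = {
    "clinic-a.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic-a.example",
    },
    "clinic-b.example": {
        "spf": "v=spf1 ip4:198.51.100.0/24 ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "clinic-c.example": {"spf": None, "dmarc": None},
}


def parse_spf(txt):
    """Return {'all': qualifier, 'mechanisms': [(qualifier, term), ...]} or None if not SPF."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    all_qualifier, mechanisms = None, []
    for term in txt.split()[1:]:
        qualifier = "+"                      # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the text is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Return {'enforcing': bool, 'findings': [...]} for one domain."""
    findings = []
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] not in ("-", "~"):
        findings.append(f"SPF 'all' qualifier is {spf['all']!r}; unauthorised senders are not failed")
    policy = (dmarc or {}).get("p", "").lower()
    if dmarc is None:
        findings.append("no DMARC record")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is {policy or 'missing'!r}; spoofed mail is only monitored")
    elif "rua" not in dmarc:
        findings.append("no DMARC aggregate reporting address (rua)")
    enforcing = spf is not None and spf["all"] in ("-", "~") and policy in ("quarantine", "reject")
    return {"enforcing": enforcing, "findings": findings}


def assess_all(records=SAMPLE_RECORDS):
    return {domain: assess_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        print(domain, result)
```

A `p=none` DMARC record is worth flagging separately from a missing one: it produces reports, which is the right first step, but it does nothing to stop a spoofed message reaching a clinic's inbox.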
Toyota investigated its original data leak, disclosed on May 12th, and admitted to having left a primary cloud service publicly accessible for over a decade, putting more than 2 million customers at risk. It blamed human error for the cloud system being set to public rather than private. The most recent leak saw the same issue recur. “As we believe that this incident was also caused by insufficient dissemination and enforcement of data handling rules, since our last announcement, we have implemented a system to monitor cloud configurations,” Toyota said in a statement. According to Toyota, the latest leak includes user data such as address, name, phone number, email address, customer ID, vehicle registration number, and vehicle identification number. Toyota said the details accessible vary for each customer and estimated that the cloud system was accessible from October 2016 to May 2023.
By cybernews.com
Security researchers at Doctor Web, a Russian anti-malware company, discovered spyware code in over 100 applications on the Google Play Store. The identified applications contain a module labelled “SpinOk”, which is advertised as a marketing SDK. The module aims to keep users engaged through mini-games, tasks, and alleged prizes, but in reality connects to a command-and-control server, sends device information, uploads files, and can copy or replace clipboard content. “This allows the module's operators to obtain confidential information and files from a user's device—for example, files that can be accessed by apps with Android.Spy.SpinOk built into them. For this, the attackers would need to add the corresponding code into the HTML page of the advertisement banner,” Doctor Web explains. In total, the affected applications have been downloaded 420 million times, with the two most popular, Noizz and Zapya, having over 100 million downloads each.
A full list of the applications identified by Doctor Web can be found here.
By securityweek.com
The latest Kali Linux update brings some interesting features to the open-source OS. A new pre-built Hyper-V image of Kali Linux 2023.2 provides an out-of-the-box experience for Hyper-V users, with enhanced session mode enabling easier desktop resizing and sharing of local devices such as USB drives and printers. The new tools added to Kali's already vast portfolio are:
• Cilium-cli - Install, manage & troubleshoot Kubernetes clusters
• Cosign - Container Signing
• Eksctl - Official CLI for Amazon EKS
• Evilginx - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
• GoPhish - Open-Source Phishing Toolkit
• Humble - A fast security-oriented HTTP headers analyzer
• Slim(toolkit) - Don’t change anything in your container image and minify it
• Syft - Generating a Software Bill of Materials from container images and filesystems
• Terraform - Safely and predictably create, change, and improve infrastructure
• Tetragon - eBPF-based Security Observability and Runtime Enforcement
• TheHive - A Scalable, Open Source and Free Security Incident Response Platform
• Trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
• Wsgidav - Generic and extendable WebDAV server based on WSGI
Along with these tools, more general improvements have been made to audio support and the GUI. Read more about the latest update here.
By kali.org
WordPress has pushed an automatic update in response to a critical vulnerability in the Jetpack plugin. This was a high-priority patch, as the plugin is installed on more than 5 million sites. The flaw, if exploited, would allow an author to “manipulate any files in the WordPress installation.” The vulnerability was discovered during a recent internal audit and has reportedly been present in the plugin since November 2012. Fortunately, there have been no signs of active exploitation in the wild. No action is required from site owners, since WordPress has force-installed the patch on all sites running the plugin.
By thehackernews.com
Edition #237 – 2nd June 2023
By Samuel Jack on 1/6/23
In this week’s round-up:
A cyber attack on Thomas Hardye School in Dorchester has left it unable to use email or accept payments. The attack on the school's IT services involved ransomware; the school has said it is unable to pay the ransom demanded and is working with the National Cyber Security Centre and the police to resolve the issue. The school is staying open, and pupils' education should remain unaffected by the attack.
The National Cyber Security Centre has joined the US, Australia, Canada, and New Zealand in a joint advisory to help organisations detect Chinese state-sponsored activity against critical national infrastructure networks. The advisory highlights recent activity targeting critical infrastructure networks in the US and how the same techniques could be used against other countries. The actor, tracked as Volt Typhoon, has been observed abusing built-in network administration tools on victims' systems to evade detection after the initial compromise (a “living off the land” approach). The advisory lists potential indicators of compromise to help security teams identify malicious activity. “It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners. We strongly encourage providers of UK essential services to follow our guidance to help detect this malicious activity and prevent persistent compromise,” stated Paul Chichester, NCSC Director of Operations.
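Because the tools abused here are ones administrators legitimately use, detection has to key on how they are invoked rather than on the binary itself. The block below is an added example (the rules are illustrative assumptions, not the advisory's indicator list) that scans constructed process-creation events of the kind a SIEM receives from Sysmon event 1 or Windows 4688 with command-line logging, and flags built-in tools used in ways that are rare in routine administration: a netsh port proxy, wmic remote process creation, an ntdsutil snapshot of the AD database, and a shell spawned by a web server process.

```python
"""Flag living-off-the-land usage in process-creation events (added example).

Each rule matches on the image filename, the command line, and optionally the
parent image. The events below are constructed; the rules are illustrative.
"""
import re

# Constructed events: (event_id, parent_image, image, command_line). Not real telemetry.
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
     "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443"),
    (2, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
     'wmic /node:"fs01" process call create "cmd.exe /c whoami"'),
    (3, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ntdsutil.exe",
     'ntdsutil "ac i ntds" ifm "create full C:\\temp\\x" q q'),
    (4, r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c whoami"),
    (5, r"C:\Windows\explorer.exe", r"C:\Windows\System32\netsh.exe",
     "netsh wlan show profiles"),                      # benign use of the same tool
    (6, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wbem\wmic.exe",
     "wmic os get caption"),                            # benign use of the same tool
]

# Each rule: (name, image filename regex, command-line regex, parent image regex or None).
RULES = [
    ("netsh_portproxy", r"netsh\.exe$", r"\bportproxy\b.*\badd\b", None),
    ("wmic_remote_process_create", r"wmic\.exe$", r"/node:.*process\s+call\s+create", None),
    ("ntdsutil_ad_database_dump", r"ntdsutil\.exe$", r"\bntds\b.*\bifm\b", None),
    ("webserver_spawned_shell", r"(cmd|powershell|pwsh)\.exe$", r".*",
     r"(w3wp|httpd|nginx|tomcat\d*)\.exe$"),
]


def match_rules(events, rules=RULES):
    """Return [(event_id, rule_name), ...] for every event/rule pair that matches."""
    hits = []
    for event_id, parent, image, cmdline in events:
        for name, image_re, cmd_re, parent_re in rules:
            if not re.search(image_re, image, re.IGNORECASE):
                continue
            if not re.search(cmd_re, cmdline, re.IGNORECASE | re.DOTALL):
                continue
            if parent_re and not re.search(parent_re, parent, re.IGNORECASE):
                continue
            hits.append((event_id, name))
    return hits


if __name__ == "__main__":
    for event_id, rule in match_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 5 and 6 use the same binaries as events 1 and 2 but produce no hit, which is the point: the signal is in the arguments and the parent, so this only works where command-line logging is actually enabled on the endpoints.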
In February 2018, Oxford Biomedica reported that unauthorized access had been gained to part of the organization's computer systems. This was part of a cyber attack that resulted in ransomware being uploaded to its IT systems, and the hackers demanded a payment of £300,000 in Bitcoin to stop the attack. Ashley Liles, a cyber security analyst at Oxford Biomedica, investigated the attack alongside colleagues and the police. It was later discovered that he had attempted to divert the ransom payment meant for the hackers to himself, using an email address almost identical to the hackers' and changing the payment details. A raid on his home led to the seizure of multiple devices and his arrest. Liles continued to deny any involvement, despite evidence contradicting his claim. He has since admitted his involvement and will be sentenced at Reading Crown Court on July 11.
The Graph for Understanding Artifact Composition (GUAC) has been released in beta to help organisations secure their software supply chains. The open-source framework is available as an API for developers to integrate their own tools and policy engines. It aggregates software security metadata from multiple sources into a visual representation that maps relationships between software, allowing organisations to understand how different pieces of software interact with and affect one another. “Graph for Understanding Artifact Composition gives you organized and actionable insights into your software supply chain security position, GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position,” Google reports. Ultimately, this will help organisations tackle high-profile supply chain attacks, generate a patch plan and swiftly respond to security compromises.
GitLab is a web-based Git repository for developer teams that need to manage their code remotely. A severe flaw in GitLab, scoring the maximum CVSS of 10.0 and tracked as CVE-2023-2825, has received a patch in the latest update. The vulnerability was reported by a security researcher through the project's HackerOne bug bounty program and is understood to arise from a path traversal problem that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. This could expose sensitive data such as custom software code, credentials, tokens and files. "We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," reads GitLab's security bulletin. All users are advised to update to version 16.0.1 as soon as possible to stay protected from this critical flaw.
A flaw tracked as CVE-2023-21492 has been described by Samsung as a kernel pointer exposure issue related to log files. It is reported to allow a privileged local attacker to bypass the Address Space Layout Randomization (ASLR) exploit mitigation technique. The vulnerability has since been patched in Samsung's May 2023 security update, and Samsung said that certain devices running Android 11, 12 and 13 were affected. The US’s Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalogue, as Google’s Threat Analysis Group says that it has likely been exploited by a commercial spyware vendor since 2021.
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #236 – 26th May 2023
By Samuel Jack on 25/5/23
A new ransomware operation, utilising the MalasLocker strain, has been seen targeting Zimbra servers with intent to “steal emails and encrypt files”. The first sighting of this operation in action was in March 2023, and since then there have been multiple reports of attacks on Zimbra forums. What makes these attacks unique is the unusual demands stated in the ransom note. The ransomware operators are demanding that their victims send their money to any non-profit charity that they approve of.
The ransom note states:
“Unlike traditional ransomware groups, we’re not asking you to send us money. We just dislike corporations and economic inequality.”
The MalasLocker data leak site is currently home to the stolen data of more than 170 victims; the site’s homepage also displays their opposition to corporations as a clear driving factor for their operations.
By bleepingcomputer.com
Recent tension between Taiwan and China appears to have sparked an influx of cyber attacks. The Trellix Advanced Research Center covered this surge of attacks in a recent report, detailing a dramatic rise in malicious emails targeting Taiwan, and a 15x increase in detections of the PlugX remote access trojan. The primary goal of these attacks is to steal sensitive information and disrupt major sectors in the small island country.
Trellix also shared their thoughts on the situation, stating that “geopolitical conflicts are one of the main drivers for cyber attacks” over the last few years.
By thehackernews.com
Researchers have identified multiple methods attackers could use within Microsoft Teams to phish users or deliver malware. Teams tabs can point to applications, websites and files; however, an attacker could create a tab pointing to a malicious website, name it “Files” and reposition it to where the default Teams Files tab sits. This could trick users, especially since the URL is only shown in the tab's settings menu. Alternatively, an attacker could simply point their tab to a malicious file; if the user is accessing Teams via the desktop or web client, Teams will automatically download the file to the user's device. An attacker could also swap the auto-generated meeting links in calendar invites for malicious ones through API calls, which would be hard for people to spot given the length and almost random appearance of Teams meeting links.
Teams is often used as a platform to share sensitive information and documents, thus when an account is accessed by an attacker there is a risk of a data breach. “We have seen thousands of organizations experience Teams account takeover, which subsequently led to financial fraud, brand abuse, sabotage, data theft, and other risks. According to multiple studies, the average cost of an account takeover incident can cost thousands to millions of dollars” reported security researchers.
By darkreading.com
US-based marketer and distributor, Sysco, has announced that their systems were breached in March of 2023. While the full extent of the attack is still unknown, Sysco were able to confirm that the social security numbers of more than 126K employees (current and former) were exposed. The company confirmed that business operations were not impacted by the attack, and they are working with law enforcement to investigate the incident. All affected employees have been promised identity theft protection and credit monitoring services for the next two years.
By cybernews.com
Cisco has released patches for multiple critical vulnerabilities present in their small business switches. Although fixes have been made available, Cisco has expressed concern due to proof-of-concept exploits that have been made publicly available.
An attacker can exploit these flaws by sending specially crafted requests to the web interface, which can potentially lead to the execution of arbitrary code with root privileges. It is also worth noting that this code execution does not require authentication.
Updates are now available for the following devices:
• 250 series smart switches
• 350 series managed switches
• 350X and 550X series stackable managed switches
• Business 250 series smart switches
• Business 350 series managed switches
Please note that multiple vulnerable small business switches are end-of-life and, as a result, will not be receiving security fixes. We urge all users to apply the latest updates as soon as possible; those with end-of-life products should also consider upgrading to a newer, supported model.
By securityweek.com
Security researchers have discovered and disclosed a vulnerability in Essential Addons for Elementor, a popular WordPress plugin with more than one million installations. This flaw, if exploited, could allow an attacker to reset the password of any account on a site running the plugin. This is possible because password reset requests are not properly validated against a password reset key. Attackers can easily enter a valid username, obtain a valid nonce value from the site and reset the user's password.
Wordfence has also reported a significant increase in readme.txt probing attempts for Essential Addons for Elementor following the disclosure of the vulnerability. Their recent report states that they have blocked 6,900 attempted exploits concerning this vulnerability.
We recommend updating Essential Addons for Elementor to version 5.7.2 or later to stay protected from this attack.
By wordfence.com
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #235 – 19th May 2023
By Joshua Hare on 18/5/23
By now most of us are familiar with multi-factor authentication (MFA) - aka 2-factor authentication (2FA) or 2-step verification (2SV). In summary, MFA is a security measure that requires users to provide multiple forms of authentication in order to access a particular system or device. This can include something you know - entering a password, something you have - providing a code from a security token or mobile app, or something you are - using biometric authentication (fingerprint or facial recognition).
MFA has become a mandatory security control for many organisations and systems, which has made account compromise more difficult for the bad guys. Inevitably this means the bad guys are adjusting their focus to try and exploit weaknesses in these security technologies.
One such weakness is MFA bombing (aka MFA Fatigue) - a tactic used by attackers since approx. 2020 to overwhelm individuals who use multi-factor authentication as a security measure.
MFA bombing is a type of attack where an attacker sends a large number of authentication requests to a user's MFA-protected device. The goal of the attack is to overwhelm the user with so many requests that they become confused or frustrated, and either provide the attacker with the necessary authentication information or simply give up and disable MFA on their device.
One common way attackers carry out MFA bombing is by using automated tools to send a large number of authentication requests to the user's device. These tools are designed to simulate the actions of a legitimate user, making it difficult for the user to distinguish the real requests from the fake ones.
Another tactic attackers may use is to send fake authentication requests from a variety of different sources. This can include using multiple accounts on different social media platforms, or using different phone numbers to send text messages containing authentication codes. By using a variety of different sources, the attacker can make it more difficult for the user to identify the fake requests and ignore them.
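A detection-side illustration of the pattern just described, added here and not part of the original article: a small Python routine that scans push-authentication events for a burst of prompts to one user, and flags the case where a run of denied or timed-out prompts ends in an approval. The log lines and their four-column format are constructed for this example; a real MFA provider's export would need its own parser, and the window and threshold are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push events (assumed four-column format, not real data):
# ISO-8601 timestamp, username, push result, source IP of the login attempt.
SAMPLE_LOG = """\
2023-05-10T03:01:02Z alice approved 203.0.113.5
2023-05-10T03:02:10Z bob timeout 198.51.100.7
2023-05-10T03:02:41Z bob denied 198.51.100.7
2023-05-10T03:03:05Z bob timeout 198.51.100.7
2023-05-10T03:03:30Z bob denied 198.51.100.7
2023-05-10T03:04:02Z bob timeout 198.51.100.7
2023-05-10T03:04:40Z bob approved 198.51.100.7
2023-05-10T09:15:00Z carol approved 192.0.2.9
2023-05-10T09:16:00Z carol timeout 192.0.2.9
"""


def parse_events(text):
    """Parse the constructed log format into (time, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: finding} for every user who received at least `threshold`
    push prompts inside any sliding `window`.

    The finding records the largest burst seen, how many of those prompts went
    unanswered (denied or timed out), and whether the burst ended in an
    approval after `threshold - 1` or more unanswered prompts: the sequence
    the article describes, where the user finally taps approve to make it stop.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < threshold:
                continue
            unanswered = sum(1 for e in burst if e[2] in ("denied", "timeout"))
            approved_after = burst[-1][2] == "approved" and unanswered >= threshold - 1
            prev = findings.get(user)
            if prev is None or len(burst) > prev["prompts"]:
                findings[user] = {
                    "prompts": len(burst),
                    "unanswered": unanswered,
                    "approved_after_fatigue": approved_after,
                    "source_ips": sorted({e[3] for e in burst}),
                }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(user, finding)
```

With the sample above only bob is flagged: six prompts in under three minutes, five of them unanswered, and the last one approved, which is exactly the "just make it stop" outcome worth paging on. The `approved_after_fatigue` flag is the high-severity case; a burst that never ends in an approval is still worth a ticket, since it usually means the password is already known to someone else.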
Nothing focuses the mind more in this industry than a live security incident impacting business systems and data. And nothing makes big tech security companies implement new resolutions faster than when these incidents happen to them.
Last year we saw a peak in MFA bombing attacks targeting users and companies that included big tech. Successful MFA Bombing attacks resulted in full account compromise of VIPs and privileged administrators, impacting systems at Uber, Okta, Microsoft and Cisco to name a few.
Hacking groups such as Lapsus$ and the Russian nation-state actor Cozy Bear have been known to use this technique to compromise the MFA-protected accounts of users and admins across the globe.
Looking through the numerous posts on this subject, you will find the typical responses to most account security problems - for example:
• Ensure strong, complex passwords
• Always use unique passwords - don't reuse passwords on multiple accounts
• Educate your users in these MFA bypass techniques
• Don't approve MFA push prompts that you haven't initiated
All of these are valid recommendations, but they don't help if your credentials have already been breached, or the bad guys are bombing your mobile with push requests at 3am and you just want it to stop.
Well, you'll be pleased to know that there are other, more preventative options available from certain MFA providers.
Duo refers to this attack method as Push Phishing and has various new and improved tools in the product's arsenal to help protect against these attacks.
Verified Duo Push enhances the standard push notification by adding a verification code to the process. With Verified Push enabled, an authenticating user is presented with an on-screen code that must be entered to successfully log in. The push notification is sent to the user's device, where they input the on-screen code to complete authentication, or alternatively report it as a fraudulent request if they are not trying to log in at that time.
This process prevents the user from accidentally approving login requests when they are not trying to authenticate.
Verified Push can be configured to use between 3 and 6 digits for the verification code.
To enable Verified Duo Push, log in to the Duo console and navigate to:
Authenticators Policy Settings > Authentication Methods.
Check the box to enable Verified Duo Push and select the number of digits (defaults to 3) that you want your users to enter. Don't forget to save your policy on exit.
In addition, Duo Advantage or Premier users have the option to use Risk-Based Factor Selection. This authentication method offers greater security than a standard push, without the constant impact on the normal user experience.
This feature automatically detects anomalies and known attack patterns, through analysis of authentication requests, then adapts to enforce a greater level of multifactor security. WebAuthn FIDO2 security keys, hardware tokens, passcodes and of course Verified Push can all be used as valid higher methods of authentication when risky behaviour is detected.
As an example, you may choose to enable Verified Duo Push by default on all VIP or Admin users in your organisation, but standard users could be enabled for Risk-based Factor Selection.
More information about Duo Authentication Methods and Verified Push can be found here.
If you're a Microsoft MFA customer then don't worry, there is also an option for you.
In a similar way to Cisco Duo, Microsoft has also added a verification code to their authentication push requests, known as Number Matching.
Microsoft Number Matching is available in the following scenarios:
• Multifactor authentication
• Self-service password reset
• Combined SSPR and MFA registration during Authenticator app set up
• AD FS adapter
• NPS extension
You can enable the Number Matching experience by signing into the Azure AD portal and navigating to:
Security > Authentication Methods > Microsoft Authenticator Settings
The good news is that Microsoft will begin rolling out tenant-wide changes for all users of Microsoft Authenticator push notifications from 8th May 2023, to ensure Number Matching is enabled by default. Unfortunately, there will not be an option to disable the experience once the rollout has completed.
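To make concrete what Verified Duo Push and Microsoft Number Matching change about the approval step, here is an added Python simulation (not Duo's or Microsoft's code) of a push challenge that shows a 3-to-6-digit code on the login screen and only approves when the device sends that code back. The class and function names are invented for the illustration; the point it demonstrates is that a one-tap approval carrying no code, which is all a fatigued user could give at 3am, is rejected, and that the user can instead mark the request as fraudulent.

```python
import hmac
import secrets


class VerifiedPushChallenge:
    """One login attempt protected by a verified push (hypothetical model).

    The code is generated server-side and shown on the login screen; the
    device must send the same code back. Names here are invented for the
    illustration and do not mirror any vendor API.
    """

    def __init__(self, user, digits=3):
        # Verified Duo Push is described as configurable between 3 and 6 digits.
        if not 3 <= digits <= 6:
            raise ValueError("verification code must be 3 to 6 digits")
        self.user = user
        self.code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self.state = "pending"

    def screen_code(self):
        """Text the login screen displays to whoever is at the keyboard."""
        return self.code

    def respond(self, entered_code=None, report_fraud=False):
        """Handle the answer from the user's device. Each challenge is
        answered once; later calls just return the recorded outcome."""
        if self.state != "pending":
            return self.state
        if report_fraud:
            self.state = "reported"  # user flags a prompt they did not start
        elif entered_code is None:
            # A bare approve tap carries no code, so it fails closed: a user
            # who taps through an unexpected prompt does not grant access.
            self.state = "denied"
        elif hmac.compare_digest(entered_code, self.code):
            self.state = "approved"
        else:
            self.state = "denied"
        return self.state


def legacy_push_response(approved):
    """Plain push for comparison: a single tap decides, nothing is matched."""
    return "approved" if approved else "denied"


def wrong_code_for(challenge):
    """Helper for demos: a code of the right length that is not the real one."""
    n = len(challenge.code)
    return "0" * n if challenge.code != "0" * n else "1" * n


if __name__ == "__main__":
    c = VerifiedPushChallenge("alice", digits=4)
    print("login screen shows", c.screen_code())
    print("bare approve tap ->", c.respond())
    c = VerifiedPushChallenge("alice", digits=4)
    print("matching code entered ->", c.respond(entered_code=c.screen_code()))
```

The contrast with `legacy_push_response` is the whole story: with a plain push, the approval decision lives entirely on the phone, so anyone who can trigger prompts only needs the user to tap once. With the code on the login screen, approving requires the user to be looking at the screen where the login is happening, and the "reported" path gives the help desk a signal instead of a silent denial.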
MFA Bombing or MFA Fatigue is an increasing threat to organisations, with more hacking groups moving to this option in order to bypass MFA security controls and compromise accounts.
Several big tech companies have been victims of these attacks, some of which have resulted in fairly significant impact to the business, brand, intellectual property and reputation.
The protection options mentioned above from Cisco and Microsoft highlight only a couple of the vendors moving in this direction; Okta, for instance, is another, and more are bound to follow their lead.
Don't become the next MFA Bombing victim - review, test and utilise these new features to help protect your users from this threat.
If you would like to know more about these MFA solutions for your organisation, please get in touch with us here at Ironshare and we will be happy to assist.
By Stuart Hare on 12/5/23
The National Cyber Security Centre and other agencies from the US, Canada, Australia and New Zealand have issued a joint advisory about the technical details of Snake malware and its variants. Snake malware has been used for over two decades by Russia’s Federal Security Service and is capable of collecting sensitive information from specific targets, such as government networks, research facilities and journalists. The joint advisory suggests mitigation measures to help defend against the threat. Paul Chichester, NCSC Director of Operations, said: “The advisory lifts the lid on a highly sophisticated espionage tool used by Russian cyber actors, helping to expose the tactics and techniques being used against specific targets around the world. We strongly encourage organisations to read the technical information about Snake malware and implement the mitigations to help detect and defend against this advanced threat.”
By ncsc.gov.uk
Microsoft has warned that Iranian nation-state groups have been seen exploiting a vulnerability in PaperCut MF and NG. Mango Sandstorm, linked to Iran’s Ministry of Intelligence and Security, and Mint Sandstorm, part of the Islamic Revolutionary Guard Corps, have joined other groups such as Lace Tempest in using this vulnerability for financial gain. The vulnerability is tracked as CVE-2023-27350 with a CVSS of 9.8 and, if exploited, would allow an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. A patch has since been released to protect vulnerable servers; all organisations are advised to update immediately to versions 20.1.7, 21.2.11 and 22.0.9 or later to be protected from these attacks.
By thehackernews.com
Capita, an international business process outsourcing and professional services company based in London, was the victim of a cyber attack in late March when a Russian ransomware gang gained access to its internal infrastructure for over a week and accessed 4% of its servers. Capita has reported that there is evidence to support that information was stolen during the attack and is currently working with security experts and the NCSC to understand and recover from the attack. "Capita expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs, and investment to reinforce Capita's cyber security environment," the company said.
By theregister.com
The Korean National Police Agency recently announced that the Seoul National University Hospital has suffered an attack at the hands of North Korean hackers. The attack occurred in May 2021, but was not publicised until this month. The KNPA has released a lot of information on the incident and while law enforcement has not accused a specific group, local media believe the Kimsuky hacking group are responsible. Personal information of around 831,000 individuals was stolen by the attackers; approximately 17,000 of these records belonged to current and former employees, with the rest being linked to hospital patients.
As a result of this attack, the KNPA have expressed their desire to “actively respond to organised cyber-attacks backed by national governments”, and plan to do this by “mobilising all our security capabilities” and “collaboration with related agencies.”
By bleepingcomputer.com
For the last 12 months, the ‘Greatness’ phishing-as-a-service has been widely used in phishing campaigns, specifically to target Microsoft 365 customers and accounts. Greatness is known to exclusively use M365 phishing pages to scam its victims, and possesses capabilities such as IP filtering, MFA bypass, and the ability to integrate with Telegram bots. These campaigns have primarily affected the US, but attacks have also been reported in the UK, Australia, Canada, and South Africa.
All Microsoft 365 users are advised to keep an eye open for suspicious emails and login pages; it is important to note that Greatness’ landing pages have been reported as using the victim’s organisation logo / background images. It is vital that users do not mistake this branding for legitimacy, and to proceed with caution when signing into their accounts.
By securityweek.com
Welcome to our round-up of the Microsoft Patch Tuesday for May 2023!
This batch of updates is the smallest of the year so far, with 38 vulnerabilities patched in total. Of these, 6 are classed as critical, 3 were publicly disclosed and 3 were exploited in the wild.
We urge all users to apply the latest updates as soon as possible. For more details, please see our round-up of this month’s Patch Tuesday here.
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #234 – 12th May 2023
By Joshua Hare on 11/5/23