With only 38 vulnerabilities addressed, May’s Patch Tuesday is the quietest that has been seen for a while. This month's batch of Microsoft security updates includes fixes for 6 critical, 3 publicly disclosed, and 3 vulnerabilities that have been actively exploited in the wild.
This critical vulnerability exists within the Windows Network File System. While not publicly disclosed or exploited in the wild, this vulnerability would allow an attacker to send a specially crafted unauthenticated call to the Network File System, which could lead to the execution of arbitrary code. Mitigations and recommendations for this vulnerability can be found here.
This critical vulnerability in Microsoft SharePoint Server could allow a remote authenticated attacker to execute code. This flaw has not yet been exploited in the wild; we advise applying the latest updates as soon as possible.
An attacker who has physical access or Administrative rights to a target device could install an affected boot policy allowing them to bypass secure boot. This important vulnerability is publicly disclosed and has been reported to be exploited in the wild. Microsoft states “The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default. Additional steps are required at this time to mitigate the vulnerability.” More information can be found here.
Windows Object Linking and Embedding received a critical vulnerability patch after the flaw was publicly disclosed through a coordinated vulnerability disclosure. Exploitation “requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment”, reported Microsoft. The most serious case would be successful exploitation through Microsoft Outlook, where a specially crafted email could result in the remote execution of code.
An important vulnerability in the Win32k Driver would allow an attacker to elevate their privileges to SYSTEM, the highest available on a Windows machine. This vulnerability is known to be exploited in the wild but isn’t publicly disclosed, which restricts the information available about it.
Microsoft has republished CVE-2013-3900 to inform consumers that EnableCertPaddingCheck is available in all supported versions of Windows 10 and 11. “A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights” Microsoft states. More information about this vulnerability can be found here.
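The opt-in mentioned above is a registry value rather than a default behaviour, so it is worth auditing. The following is an added example, not code from the Ironshare post or from Microsoft; it assumes it is run elevated, that the key paths are the ones Microsoft documents for CVE-2013-3900, and the `-Enable` switch is added here for illustration.

```powershell
# Added example: audit, and optionally enable, EnableCertPaddingCheck for CVE-2013-3900.
# When the value is "1", WinVerifyTrust rejects PE files that carry extra data after
# the Authenticode signature instead of treating them as validly signed.
param([switch]$Enable)

# Assumed from Microsoft's CVE-2013-3900 guidance: native path plus the Wow6432Node
# path used by 32-bit callers of WinVerifyTrust on 64-bit Windows.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

foreach ($p in $paths) {
    $current = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck `
                -ErrorAction SilentlyContinue).EnableCertPaddingCheck

    if ($current -eq '1') {
        Write-Output "$p : EnableCertPaddingCheck = 1 (strict signature check active)"
        continue
    }

    Write-Output "$p : EnableCertPaddingCheck is '$current' (not enforced; appended PE data is tolerated)"

    if ($Enable) {
        # Create the key if it does not exist yet, then write the value as REG_SZ "1";
        # Microsoft specifies a string value, not a DWORD.
        New-Item -Path $p -Force | Out-Null
        New-ItemProperty -Path $p -Name EnableCertPaddingCheck -PropertyType String `
                         -Value '1' -Force | Out-Null
        Write-Output "  -> EnableCertPaddingCheck set to 1"
    }
}
```

With the check enforced, legitimately signed installers that append data after the signature block will no longer verify, so test on a pilot group before enabling it fleet-wide.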
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-May
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 10/5/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Microsoft has announced a new feature for the M365 admin center, which will allow administrators to enable email notifications for new known issues that are added or updated. This feature will reportedly only be available for admin roles in organisations with the following subscriptions:
Microsoft 365 Enterprise E3/A3/F3, Microsoft 365 Enterprise E5/A5, Windows 10 Enterprise E3/A3, Windows 10 Enterprise E5/A5, Windows 11 Enterprise E3/A3, or Windows 11 Enterprise E5/A5.
Steps on how to enable these notifications can be found here.
By bleepingcomputer.com
The hospitality industry has suffered a hit from the recent flaws found in the Oracle Hospitality Opera 5 Property Services software. Oracle has assigned a CVSS score of 7.2 and a moderate severity rating, stating that exploitation requires an authenticated attacker with highly elevated privileges; however, researchers have disputed this and labelled it an “incorrect assessment” of the vulnerability. The CTO of Assetnote responded to Oracle’s assessment, stating that “this vulnerability does not require any authentication to exploit, despite what Oracle claims”, and believes that this flaw “should have a CVSS score of 10.0”.
By darkreading.com
T-Mobile has reported that it is the victim of its second data breach since the start of 2023. This latest attack was reported by T-Mobile on 28th April; however, they estimate the attack occurred sometime between 24th February and 30th March. “The information obtained for each customer varied, but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, [and] balance due,” said the company in a letter sent out to victims.
By cybernews.com
The City of Dallas, Texas has reported a ransomware attack by the Royal Ransomware group on the city’s systems. The ransomware attack was reported to have shut down the city’s police communications, IT systems, and website. This led to the city’s court system suspending all jury trials and jury duty until the systems become operational. “Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website," explained a media statement from the City of Dallas; however, there has been no mention of how long it will take to recover from the attack.
By securityweek.com
Bitmarck, a German IT services provider, has reported that it had to shut down its customer and internal systems to protect customer, patient, and insured individuals’ data after an early warning system detected an active cyber attack over the weekend. “In compliance with our security protocol, we have taken down customer and internal systems from the grid in a controlled manner and conducted an impact analysis,” states Bitmarck. No data is thought to have been accessed in the attack, and Bitmarck has since started bringing services back online, including the digital processing of electronic incapacity certificates and access to electronic patient files. Many significant day-to-day services are still down because data centres remain disconnected from the network since the attack, and there is no timeline for when the services will be up and running again.
By theregister.com
The latest Chrome update has arrived and includes fixes for 15 vulnerabilities. All the flaws patched in this update are rated medium-severity or lower, with the most serious being an inappropriate implementation flaw in Prompts. Despite this being a smaller batch of security updates than usual, we recommend updating your Google Chrome browser as soon as possible.
More details on Chrome 113 can be found here.
By securityweek.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #233 – 5th May 2023
By Joshua Hare on 4/5/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The Ukrainian cyber police have arrested the 36-year-old responsible for selling personal data to Russian citizens. The personal data of more than 300 million people, mostly Ukrainian, was compromised and sold by the culprit. The police were able to find the criminal after buyers paid for the stolen data using a currency prohibited in Ukraine. The arrest was followed by a raid of the attacker’s property, which led to the confiscation of 36 hard drives, computers, and server equipment. Investigation into this equipment is still underway, but the culprit is expected to face up to a five-year sentence.
By bleepingcomputer.com
The RTM Locker operators have developed a new strain of ransomware that targets Linux machines. This new strain is designed to infect Linux, NAS and ESXi hosts, and marks the group’s first venture into Linux-focused attacks. It is currently unknown how the group is delivering the ransomware to their victims’ machines, but it is believed to “single out ESXi hosts by terminating all virtual machines running on a compromised host prior to commencing the encryption process”. We will closely monitor the activities of this new strain and provide updates as we learn more about its capabilities and tendencies.
By thehackernews.com
Google Authenticator’s new update now allows users to sync secrets across devices. This concept sounds great; however, the stored secrets that are used to generate OTPs are no longer encrypted as they would be for just one device. This allows both Google and any unwanted party to observe all secrets if they gain access to your Google account or to wherever it is stored by Google. Users are advised to keep this option turned off and only use one device with Google Authenticator until this security issue is resolved.
By cybernews.com
The European Association of Secure Transactions (EAST), comprised of banks and ATM vendors, reported €211 million in losses from a variety of attacks by criminals. The leading cause of loss was terminal-related fraud attacks, where €200 million was lost in 2022, of which €167 million was believed to originate from card skimming. Interestingly, only 31 malware and logical-related attacks were recorded in 2022, down from 52 the previous year. ATM users are advised to conduct a visual and physical check before swiping or inserting a card to help protect against card skimming.
By cybernews.com
A metaverse, a virtual space where individuals can interact in a computer-generated version of the physical world, is the next evolution of the dark web. Researchers have raised concerns about the potential security and legal issues of this “Darkverse”, including its acting as a haven for criminals and extremists. Research has also identified how this darkverse might make it harder for law enforcement to infiltrate criminal spaces by requiring that users be inside a designated physical location within a specific time frame to receive an authentication token. Proximity and location-based restrictions for accessing the space could also be introduced, making it harder to effectively apply reactive measures such as sinkholing and URL blocking.
By darkreading.com
This week, Microsoft confirmed that PaperCut servers are being actively exploited as part of ransomware attacks, and are being used to deliver the Cl0p and LockBit ransomware strains. The group responsible for the attacks is being tracked as Lace Tempest, and is believed to be a financially motivated team of cybercriminals with ties to FIN11, TA505, and Evil Corp. Two vulnerabilities in the PaperCut software made these attacks possible (CVE-2023-27350 & CVE-2023-27351), with successful exploitation granting an unauthenticated attacker permission to remotely execute arbitrary code, and access sensitive information on the target system.
By thehackernews.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #232 – 28th April 2023
By Joshua Hare on 27/4/23
We’re already a third of the way through 2023, and April’s Patch Tuesday has arrived! The figures are similar to last month, with 97 total vulnerabilities being patched. Included in this total are seven critical vulnerabilities, two publicly disclosed, and two reported to be exploited in the wild.
April’s Instalment includes patches for the following:
• .NET Core
• Microsoft Bluetooth Driver
• Microsoft Defender for Endpoint
• Microsoft Dynamics
• Microsoft Office
• Microsoft PostScript Printer Driver
• Microsoft Printer Drivers
• Microsoft Windows DNS
• Visual Studio
• Windows Active Directory
• Windows Boot Manager
• Windows Common Log File System Driver
• Windows DHCP Server
• Windows Group Policy
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kerberos
• Windows Kernel
• Windows Network Address Translation (NAT)
• Windows Network File System
• Windows Network Load Balancing
• Windows NTLM
• Windows PGM
• Windows Point-to-Point Protocol over Ethernet (PPPoE)
• Windows Point-to-Point Tunneling Protocol
• Windows Raw Image Extension
• Windows RDP Client
• Windows Registry
• Windows RPC API
• Windows Secure Boot
• Windows Secure Channel
• Windows Transport Security Layer (TLS)
• Windows Win32K
This critical flaw resides in the Windows Message Queuing component, and if exploited could allow a remote attacker to execute arbitrary code on the server side. Exploitation requires an attacker to send a specially crafted malicious MSMQ packet to an MSMQ server. This flaw is only present on systems that have enabled the Windows Message Queuing service; if message queuing is enabled and TCP port 1801 is listening on the machine, you are likely at risk. As always, we recommend applying the latest Windows updates as soon as possible.
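The two conditions above (service enabled, TCP 1801 listening) can be checked directly on a host. This is an added example, not code from the Ironshare post; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where `Get-NetTCPConnection` is available, and treats the MSMQ-Server optional feature name as the client-Windows name (Windows Server exposes it through `Get-WindowsFeature` instead).

```powershell
# Added example: report whether this host matches the exposure conditions named
# in the MSMQ advisory summary (service present/running, TCP 1801 listening).

$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "MSMQ service is not installed: this host is not exposed to the MSMQ flaw."
    return
}
Write-Output ("MSMQ service state: {0} (start type: {1})" -f $svc.Status, $svc.StartType)

# TCP 1801 is the port the post names. A LocalAddress of 0.0.0.0 or :: means the
# listener is bound on every interface, so remote hosts can reach it.
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($c in $listeners) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("Listening on {0}:{1}  PID {2} ({3})" -f `
            $c.LocalAddress, $c.LocalPort, $c.OwningProcess, $proc.ProcessName)
    }
    Write-Output "TCP 1801 is open: apply the April 2023 update, and disable MSMQ if it is not required."
} else {
    Write-Output "Nothing is listening on TCP 1801."
}

# Optional: show the Windows optional feature that installs the service (client SKUs).
Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -ErrorAction SilentlyContinue |
    Select-Object FeatureName, State
```

Run it across a fleet with your configuration-management tool of choice to find the servers that actually need prioritising.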
This critical vulnerability requires an authenticated attacker to leverage a specially crafted RPC call to the DHCP service. Successful exploitation of this flaw could allow a remote attacker to execute code on the target system.
Please note that exploitation of this vulnerability requires access to the restricted network before running an attack.
Layer 2 Tunnelling Protocol is currently affected by two critical remote code execution vulnerabilities that can be exploited by an unauthenticated attacker sending a specially crafted connection request to a RAS server. Attack complexity for these vulnerabilities is high, and successful exploitation requires the attacker to win a race condition.
This critical vulnerability in Windows PPTP could allow a remote attacker to execute arbitrary code on the target system. This attack can be triggered when a user connects a Windows client to a malicious server; successful exploitation requires an attacker to take additional actions prior to exploitation to prepare the target environment.
This publicly disclosed vulnerability exists in curl, an open-source command line tool that allows the transfer of data using various protocols. If exploited, this vulnerability could allow a remote attacker to execute arbitrary code on the target system. Version 7.87.0 of curl addresses this CVE; we advise all users to update as soon as possible. Alternatively, users can block the execution of curl.exe as a temporary workaround.
Another remote code execution flaw, this time residing in the Raw Image Extension addon for the Microsoft Photos application. The Microsoft Store should automatically update this application to the latest secure version; we advise that all users check if auto updates for the Microsoft Store are enabled, to ensure they are protected against this critical vulnerability.
This important vulnerability exists in the Windows CLFS driver and, if exploited, could allow an attacker to gain system level privileges. This has been actively used by attackers as part of the recent Nokoyawa ransomware attacks.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 13/4/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Last month, the Biden-Harris Administration announced their new National Cybersecurity Strategy, with aims to
“Secure the full benefits of a safe and secure digital ecosystem for all Americans.”
This strategy is built around five key pillars, structured to:
• Defend Critical Infrastructure
• Disrupt and Dismantle Threat Actors
• Shape Market Forces to Drive Security and Resilience
• Invest in a Resilient Future
• Forge International Partnerships to Pursue Shared Goals
It is great to see the US Government pushing for a stronger cybersecurity culture, and we hope this has a positive impact that generates awareness for everyone.
The full strategy can be found here.
By whitehouse.gov
With data security concerns coming into the public spotlight recently, Google are trying to ease the minds of Android users with a new data deletion policy. Their recent announcement stated:
“For apps that enable app account creation, developers will soon need to provide an option to initiate account and data deletion from within the app and online.”
This follows a similar policy rolled out to iOS devices back in June 2022; this is a big step forward for data privacy on Android devices and will allow users to have more control over the data they share.
By thehackernews.com
The Typhon developers have announced a new variant of their info-stealing malware, that has enhanced evasion and anti-virtualisation properties. This new variant has been advertised as Typhon Reborn V2, and has “more comprehensive mechanisms” than the original Typhon malware, which consisted of a clipper, a keylogger, and a crypto-miner. Cybersecurity Intelligence teams, like Cisco Talos, are aware of these advances, and are already looking to actively combat the new variant.
More details on the capabilities of Typhon Reborn V2 can be found here.
By bleepingcomputer.com
The Genesis Market is a major cybercrime website that emerged in 2018, offering criminals stolen device fingerprints captured by information-stealers. This allows attackers to access sensitive systems and services, while the request appears to come from the legitimate user’s device. The marketplace supposedly “held data on account holders from almost all major websites”.
This week, the FBI seized the Genesis Market website, arresting 120 associated criminals in the process. Those who visit the site will now be met with a notice stating that the website has been seized. All visitors have also been urged to contact the FBI with any details on the whereabouts of the site operators, as some of the individuals involved have not yet been caught.
By securityweek.com
ChatGPT has been under the spotlight recently, and not entirely for good reasons. Many are concerned about the privacy of the new OpenAI model, following an evaluation of its compliance with GDPR; as a result of these concerns, Italy have decided to ban ChatGPT indefinitely. This makes them the first western country to ban ChatGPT, with only China, Russia, Iran, and North Korea making the platform unavailable beforehand.
This ban seems justified from the Italian government since their investigations found the platform to be “not sufficiently regulated”. Despite the ban, OpenAI are eager to make the model available in Italy again soon.
By bbc.co.uk
This week, Google announced Chrome 112; this latest version contains fixes for 16 total vulnerabilities, two of which are considered high severity. The first of these is a heap buffer overflow affecting Visuals. Exploitation of this flaw could allow a “compromised renderer to register multiple things with the same FrameSinkId, violating ownership assumptions”.
The second is a use-after-free vulnerability in Frames, that could potentially lead to the execution of arbitrary code on the affected machine.
As always, we advise updating Google Chrome as soon as possible, to ensure you are protected against these high severity vulnerabilities.
By securityweek.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #231 – 7th April 2023
By Joshua Hare on 6/4/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
It is widely believed that if a padlock appears in the search bar of your browser, then the website is safe to visit. This is a common misconception that attackers are taking advantage of. By using HTTPS on phishing web pages, threat actors are able to make their phishing sites more believable, which typically results in more successful attacks. In 2022, 49% of all observed phishing sites were using HTTPS, this was a 56% increase compared to 2021. This is a key example of attackers exploiting a lack of awareness and education; we strongly advise everyone to educate themselves on internet threats, and the dangers of phishing attacks.
By infosecurity-magazine.com
A whitepaper detailing an “adaptable” approach to regulating artificial intelligence (AI) has been published by the UK government. The whitepaper was published on 29 March and emphasises the Government’s commitment to “unleashing AI’s potential across the economy”. This whitepaper builds on the government’s national AI strategy, which was published in September 2021. However, the government noted that it would avoid introducing “heavy-handed legislation which could stifle innovation”.
The official whitepaper can be found here.
By computerweekly.com
Taiwanese vendor QNAP has urged all customers to update their Linux-powered NAS devices, due to a Sudo privilege escalation vulnerability. This high severity flaw is known to affect the QTS, QuTS hero, QuTScloud, and QVP operating systems. Users can apply the latest updates from the Control Panel of their NAS console.
More details can be found in the official CVE entry here.
By bleepingcomputer.com
In August 2022, Cisco contacted Netgear about four newly discovered vulnerabilities in Netgear’s Orbi routers, one of which is considered critical and could lead to command execution. More than 90 days have passed since this disclosure, and so Cisco have publicly released proof-of-concept exploits for the four flaws. While the first three have been patched, the fourth still exists in the latest versions of Netgear’s Orbi mesh wireless system. Netgear has not given any official public statement on the publicising of these flaws, but it is believed that they are actively working on a fix for the fourth bug.
By theregister.com
3CX is currently working to release a software update for their desktop app, following overwhelming concerns of an active supply chain attack. This was reported by multiple cybersecurity vendors, and seemingly started with a
“Trojanized 3CX desktop app – that pulls ICO files appended with Base64 from GitHub and ultimately leads to a third-stage infostealer DLL,”.
This statement comes from SentinelOne, who have contributed heavily to the investigation of this incident. An urgent update is expected soon, and we advise all 3CX users to keep an eye out for its release.
By thehackernews.com
Cybercriminals have started to focus on a critical IBM file transfer vulnerability, recently patched by IBM. The bug is being tracked as CVE-2022-47986 and has been exploited in the wild. Security researchers said,
"We strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur,"
The vulnerability carries a 9.8/10 on the CVSS vulnerability-severity scale and exists in Faspex’s version 4.4.2 patch level 1.
By darkreading.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #230 – 31st March 2023
By Joshua Hare on 30/3/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Cisco has released their semiannual bundle of security advisories for their IOS and IOS XE software. 10 total vulnerabilities have been addressed in this bundled publication, with the top three being exploitable by remote, unauthenticated attackers. Exploitation of these high-severity flaws could potentially lead to denial-of-service, command injection, and privilege escalation on the affected device.
All official advisories for the addressed vulnerabilities can be found here. We strongly recommend any users of Cisco IOS and IOS XE software to apply the latest updates as soon as possible, to ensure they are protected against these known vulnerabilities.
By sec.cloudapps.cisco.com
The Wordfence Team has released fixes for several Reflected Cross-Site Scripting vulnerabilities, which were found to be affecting three major plugins. All Wordfence customers are protected against any exploits targeting these vulnerabilities by the Wordfence firewalls, this includes Wordfence Premium, Wordfence Care and Wordfence Response customers.
More details on the nature of these flaws can be found here.
By wordfence.com
CISA have issued advisories for a total of 49 vulnerabilities in eight industrial control systems. With Siemens, Hitachi, Rockwell Automation, Delta Electronics, Keysight and VISAM products all being affected, we urge all ICS users to update their systems immediately.
Unpatched Industrial Control Systems are not only a security risk, but also a huge health and safety concern, which is why many are pushing for critical infrastructure sectors to consider cybersecurity more carefully.
Many ICS and OT environments lack segmentation on company networks. There is also a concerning amount of OT interfaces accessible from the internet, leaving them exposed to public exploitation. We urge all companies that use Industrial Control Systems to apply the latest updates as soon as possible.
By darkreading.com
Nationwide Building Society has begun migrating all of their payments to a new cloud-based solution. They have opted to make this change, which has been called a “generational transformation”, to offer resilience to their customers; Nationwide’s current on-premises system is old and unreliable, so it is great to see them taking this step towards modernising their services. The current plan for this project is to move all inbound payments to the new platform in the summer of 2023, while outbound payments will be migrated some time next year.
By computerweekly.com
Last week we covered the UK Government's ban on TikTok for all Government devices; the US have also implemented similar changes, with some states taking things a step further by blocking access on government networks as well (schools, universities, public libraries etc.). Many TikTok users have come forward to give their opinions on the current security concerns surrounding the popular social media app, and the general consensus appears to be a lack of interest in personal data security. One student believes they are “not important enough” for their data to be stolen or manipulated in any meaningful way, and it appears that this attitude is shared by a lot of the app’s userbase.
Is this general lack of security awareness a big concern? Do you think people need to be taking this TikTok situation more seriously?
By bbc.co.uk
The Department of Justice recently announced that they have seized the RaidForums website. RaidForums is a popular marketplace for cybercriminals to buy and sell hacked data and has become one of the biggest hacker forums in the world over recent years. Three domains were captured as part of this seizure, raidforums[.]com, Rf[.]ws, and Raid[.]lol.
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profits from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.
By justice.gov
Ferrari announced earlier this week that they had fallen victim to a ransomware attack, and have confirmed that customer information has been compromised. The company has distributed emails to all affected customers alerting them of their involvement in the breach; a notice was also published to the Ferrari website confirming some details of the attack. Ferrari’s transparency throughout this incident has been admirable, and we commend them for quickly announcing the involvement of customer data. Ferrari’s operations do not appear to have been impacted by this incident; however, investigations are still underway.
There is currently no evidence of payment card information being compromised, and it is believed that this will remain safe. Regardless, we advise all Ferrari customers to proceed with caution, and follow any guidance provided by the firm during this time.
By bleepingcomputer.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #229 – 24th March 2023
By Joshua Hare on 23/3/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Microsoft’s March Patch Tuesday includes a fix for a critical (CVSS 9.8) vulnerability in Microsoft Outlook.
If exploited, this flaw allows an attacker to send the Net-NTLMv2 hash of the compromised Windows account to a remote URL using specially crafted emails. This would enable the attacker to relay the hash to another service and authenticate as the victim.
This flaw is also being actively exploited by state-sponsored Russian hacker groups and does not require Outlook to be running.
We strongly recommend applying the latest updates as soon as possible, to ensure you are protected against this threat.
Welcome to our round-up of the Microsoft Patch Tuesday for March 2023!
This batch of updates appears to be similar to last month, with 80 total vulnerabilities being patched. In this, 9 vulnerabilities classed as critical have been patched along with 2 publicly disclosed and 2 exploited in the wild. There are some very dangerous vulnerabilities addressed this month, the main focus being the privilege escalation flaw in Microsoft Outlook.
We urge all users to apply the latest updates as soon as possible. For more details, please see our round-up of this month’s Patch Tuesday here.
Two members of the crime group Vile have been charged for “wire fraud and conspiracy to commit computer intrusions.”. These allegations were made after the individuals compromised the account of a police officer and were able to access databases containing sensitive information. The duo reportedly used this information to threaten and blackmail family members of the exposed subjects.
A US attorney has condemned the misuse of “the public safety infrastructure that exists to protect our citizens.”, as the Vile members face up to five years in prison.
By darkreading.com
Nord Security, the creators of NordVPN, have open-sourced the source code of their Linux VPN client in an effort to be “more transparent and ease users’ security and privacy concerns”. They are also making some of their paid services available to all users, specifically the MeshNet private tunnelling feature.
Nord has commented on these changes by saying:
“We want the input and scrutiny of the coding community and to show you that we have confidence in our own software.”
They are also encouraging the community to report vulnerabilities through their bug bounty program. It’s great to see a company this committed to their users and to the improvement of their product, and we are excited to see the impact that these changes have.
By bleepingcomputer.com
The NCSC has released guidance for users of AI language models and AI chatbots like ChatGPT. ChatGPT has become one of the “fastest growing consumer applications ever” and, as always, this popularity has painted a target on its back. The NCSC is very aware of the risks associated with this new technology, and advises all users to carefully consider the data they choose to share with AI chatbots.
We advise all users of ChatGPT and other AI tools to consider the guidance in this NCSC advisory.
By ncsc.gov.uk
There have been many concerns around the security of TikTok recently, with many believing that more data than necessary is being shared with the Chinese government. As a result of these allegations, the UK has opted to ban TikTok on all government phones. Due to the strong data protection laws in place in the UK, the government will allow public use to continue, but considers the risk too great for sensitive government devices. TikTok responded to this news and said the bans are based on "misplaced fears and seemingly driven by wider geopolitics". While this may be the case, it is important that government devices remain protected against any potential data leaks.
By gov.uk
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #228 – 17th March 2023
By
Joshua Hare
on
16/3/23
March’s Patch Tuesday appears to be similar to last month, with 80 total vulnerabilities being patched. In this, 9 vulnerabilities classed as critical have been patched along with 2 publicly disclosed and 2 exploited in the wild.
• Azure
• Internet Control Message Protocol (ICMP)
• Microsoft Dynamics
• Microsoft Edge
• Microsoft Office
• Microsoft OneDrive
• Microsoft Printer Drivers
• Office for Android
• Remote Access Service Point-to-Point Tunneling Protocol
• Role: DNS Server
• Role: Windows Hyper-V
• Visual Studio
• Windows Accounts Control
• Windows Cryptographic Services
• Windows Defender
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kernel
• Windows Partition Management Driver
• Windows Point-to-Point Protocol over Ethernet (PPPoE)
• Windows Remote Procedure Call
• Windows Resilient File System (ReFS)
• Windows Secure Channel
• Windows SmartScreen
• Windows TPM
• Windows Win32K
Classified as critical and exploited in the wild, this vulnerability can be exploited by sending a specially crafted email that forces a connection to a specific URL and transmits the Windows account’s Net-NTLMv2 hash, allowing an attacker to authenticate to services as the victim. Microsoft has reported that the vulnerability is triggered before the email is previewed, as it is processed by the email server. This attack has been reported to be used by STRONTIUM, a state-sponsored Russian hacking group.
Attackers have exploited a vulnerability in Windows SmartScreen that would allow the creation of malicious executable files that would bypass Mark of the Web (MOTW) security. Consequently, this would remove future security defences relying on MOTW such as protected view. This has been reported to be used in Magniber ransomware operations by Google’s Threat Analysis Group.
This critical vulnerability would require a malicious certificate to be imported on an affected system. An attacker could upload a certificate to a service that processes or imports certificates, or could convince an authenticated user to import a certificate on their system. This would then allow for remote code execution. Microsoft has reported a low attack complexity and rates exploitation as more likely.
CVE-2023-1017 allows malicious TPM commands sent from a guest VM to a target running Hyper-V to cause an out-of-bounds write in the root partition. CVE-2023-1018 is an out-of-bounds read vulnerability in the TPM2.0 Module Library that allows a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who successfully exploits this vulnerability can read or access sensitive data stored in the TPM. Both of these vulnerabilities are classified as critical.
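The 2-byte over-read described for CVE-2023-1018 is a missing length check on a size prefix. The C example below is added here and is not the TCG reference code or Microsoft's patch; it shows a toy command-parameter walker that reads the 2-byte size prefix and accepts the declared ciphertext length only after confirming the bytes exist. The buffer layout, function names and sample bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed illustration (not the TPM reference implementation): an
 * encrypted command parameter is laid out TPM2B-style as a 2-byte
 * big-endian size followed by `size` bytes of ciphertext. The parser must
 * prove both the prefix and the ciphertext fit inside the command before
 * touching them.
 */

/* Constructed sample parameter areas (not captured from a real TPM). */
const uint8_t sample_ok[]    = {0x00, 0x03, 0xAA, 0xBB, 0xCC}; /* size 3, 3 bytes follow */
const uint8_t sample_short[] = {0x00, 0x04, 0xAA, 0xBB, 0xCC}; /* claims 4, only 3 follow */
const uint8_t sample_trunc[] = {0x00};                         /* prefix itself is cut off */

/* The defect in miniature: p[0] and p[1] are read regardless of how many
 * bytes remain, so a 0- or 1-byte parameter area makes the caller read past
 * the end of the command (the "2-byte read past the end" in the text).
 * Only safe when the caller has already proven that 2 bytes remain. */
uint16_t read_size_unchecked(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/*
 * Hardened walker. Returns the ciphertext length on success, or -1 when the
 * command is malformed: the prefix is validated before it is read, and the
 * declared size is validated against the bytes that remain after it.
 */
int encrypted_param_len(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2)               /* need the whole 2-byte prefix first */
        return -1;
    uint16_t size = read_size_unchecked(buf); /* safe: len >= 2 proven above */
    if ((size_t)size > len - 2)               /* ciphertext must fit in the remainder */
        return -1;
    return (int)size;
}

int main(void)
{
    printf("ok:    %d\n", encrypted_param_len(sample_ok, sizeof sample_ok));       /* 3 */
    printf("short: %d\n", encrypted_param_len(sample_short, sizeof sample_short)); /* -1 */
    printf("trunc: %d\n", encrypted_param_len(sample_trunc, sizeof sample_trunc)); /* -1 */
    printf("empty: %d\n", encrypted_param_len(sample_ok, 0));                      /* -1 */
    return 0;
}
```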
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
15/3/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Trend Micro’s latest report details their efforts to prevent cybercrime throughout all of 2022. The globally recognised security vendor shared that they had stopped around “146 billion cyber-threats in 2022”. This was a 55% increase on 2021’s statistics, which is incredible growth in just one year. Trend Micro’s annual report also contained other security-related details: for example, they announced a “242% increase in the number of blocked malicious files and an 86% increase in backdoor malware detections”. It is great to see vendors investing more time and effort into threat intelligence and security, and we hope that these numbers continue to grow for 2023.
By infosecurity-magazine.com
After a long three months of inactivity, Emotet has returned with its latest malware operation. On Tuesday morning, multiple malicious spam emails were reported, and it has been confirmed that these are Emotet’s attempt to rebuild their botnet. These reports come from the “cybersecurity firm Cofense and the Emotet-tracking group Cryptolaemus.” The clear pattern with their latest operation appears to be ZIP archives attached to their spam emails. These contain a large Word document that attempts to download the Emotet loader through macros in the document. This method is expected to be largely unsuccessful after the Microsoft update to disable macros by default. Users who have manually enabled macros are advised to be cautious when receiving suspicious emails, and to avoid opening unknown attachments.
By bleepingcomputer.com
A recent hotel phishing scam has been targeting fans of the popular Eurovision song contest. The fans’ data has been put at risk after booking rooms for May’s song contest in Liverpool, and while Booking.com have confirmed that “some accommodation partners had been targeted by phishing emails”, they have denied being breached. It is still unknown to the BBC how the customer data was compromised, but all customers have been advised to report any concerns directly to their hotels.
One customer was contacted by the scammer on WhatsApp and feels “really stupid”. They said: “I don’t want to go any more because they’ll know all my details and know I’m away from home, so I cancelled it.”
By bbc.co.uk
BGI Group, the Chinese firm who was reportedly responsible for multiple cyberattacks on the NHS, was awarded a multi-million-pound Covid contract by the government. Science minister, George Freeman, has publicly commented on this, labelling BGI as “hostile actors who wish to use science and technology to undermine us”. Despite these claims, BGI Group have denied being state owned and having any involvements in the attacks.
By dailymail.co.uk
The latest Fortinet update contains fixes for 15 vulnerabilities, as well as one critical flaw that could allow an attacker to take remote control of the affected device. This flaw is known to affect FortiOS and FortiProxy, but it is worth noting that Fortinet are “not aware of any malicious exploitation attempts against this flaw.” We recommend that all users of the affected products apply the latest updates as soon as possible.
More details on this, including a list of affected versions, can be found here.
By TheHackerNews.com
Unpatched SonicWall gateways are reportedly being targeted by suspected Chinese cybercriminals, who are deploying credential-stealing malware to the target devices. Mandiant have stated that this malware persists through firmware upgrades, and is specifically affecting the SonicWall Secure Mobile Access 100 Series. The latest firmware update, which was released last week, included “additional hardening such as file integrity monitoring and anomalous process identification.”. Th
By theregister.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #227 – 10th March 2023
By
Joshua Hare
on
9/3/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Internet safety for children is incredibly important but can sometimes be difficult to manage without compromising your relationship with your child. The internet is a very dangerous place and, without supervision, may expose your kids to potential predators and online abuse. There are some apps dedicated to child safety that are capable of monitoring YouTube searches, blocking certain applications, blocking phone numbers and setting screen-time limits. The Daily Mail has compiled a list of various ways you can help keep your children safe, and we encourage all parents not to be complacent when it comes to the importance of online safety.
By dailymail.co.uk
This week, WH Smith announced that they recently suffered a cyberattack that resulted in the attackers accessing sensitive company and employee data. While the personal information of current and former employees was leaked, the British retailer confirmed that no customer data had been compromised in the attack. WH Smith’s operations have not been affected by this incident, but they are currently working on implementing ‘special measures’ to protect against future attacks.
By bleepingcomputer.com
With Multi-Factor Authentication becoming increasingly popular, many cybercriminals are directing their focus towards bypassing the seemingly impregnable security measure. Microsoft advertise that MFA can prevent 99% of all account hacks, making it seemingly impossible for attackers to compromise protected accounts. We have seen some bypasses for MFA in the past, specifically related to one-time passwords sent via SMS, but attackers are yet to reliably breach accounts protected through authenticator apps. These cybercriminals appear to be doubling down on developing new attack methods to bypass multi-factor authentication, such as MFA Fatigue.
By darkreading.com
LastPass have come out with more information about the attack that occurred on December 22, 2022. They have said that they have completed an exhaustive investigation and have not seen any threat-actor activity since October 26, 2022. LastPass has said “During the course of our investigation, we have learned a great deal more about what happened and are sharing new findings today. Over the same period, we invested a significant amount of time and effort hardening our security while improving overall security operations.” This latest update contains recommendations for both public and business consumers of the service; if you are a current customer, we recommend you read it and take action ASAP.
By blog.lastpass.com
TikTok answers three big cyber-security fears about the app. China has accused the US of exaggerating national security fears about TikTok to suppress the Chinese company. The US government has been given the order to wipe the Chinese app from all staff devices within 30 days, because of concerns over cyber-security and data privacy. TikTok narrowly escaped seeing their smash-hit app banned in the US back in 2020. While some researchers claim that TikTok harvests an excessive amount of data, others feel this is no different from any other social media platform.
By bbc.co.uk
The US Marshals Service has been hit by a ransomware attack that leaked sensitive information from the law enforcement agency. Drew Wade, the spokesperson for the Marshals Service, described it as having impacted a system that “contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.” The really concerning aspect is that information on its witness protection program may have also been exposed.
By theregister.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #226 – 3rd March 2023
By
Joshua Hare
on
2/3/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
UK startup, CyberSmart, has announced the upcoming release of their new cybersecurity solution. This new technology, targeting small and medium businesses, aims to be an “all-in-one platform providing cybersecurity technology, and cyber insurance if things go wrong.” The firm has a current customer base of 4,000, and has received investment from European VC, Oxx, to fund the £12 million platform. This seems like a promising venture from CyberSmart, and we are excited to see how this product develops in the near future.
By techcrunch.com
Hackers are using fake ChatGPT apps and websites to push their malware. After the recent popularity of OpenAI’s ChatGPT chatbot, threat actors are taking advantage to distribute malware for Windows and Android. ChatGPT has gained immense popularity since its launch in November 2022, becoming the most rapidly growing consumer application in modern history with more than 100 million users by January 2023. OpenAI released a new tool and launched a $20/month paid tier for individuals who want to use the chatbot with no availability restrictions. Over 50 fake apps have been discovered that steal personal and credit card information.
By bleepingcomputer.com
Google delivers a Record-Breaking $12 million in Bug Bounties. Google have addressed more than 2,900 security vulnerabilities in its products last year. This awarded more than $12 million in bug bounty rewards to researchers in a record-breaking cash storm. According to a VRP (Vulnerability Reward Program) report, several VRP segments saw record highs in 2022 which doled out $4.8 million to bug hunters.
By darkreading.com
The NSA (National Security Agency) shares guidance on how to secure your home network, to help remote workers secure their home networks and defend their devices from attacks. The guide was published by the Defence Department’s intelligence agency on Wednesday. It includes a long list of recommendations, with a short list of highlights urging teleworkers to ensure their devices and software are up to date. Remote workers have also been advised to back up their data often to prevent data loss, and to disconnect equipment they are not using if it doesn’t require an active Internet connection at all times.
By bleepingcomputer.com
Fortinet’s latest patch rollout on February 16 contained a fix for a critical remote code execution flaw in their FortiNAC network access control solution. Just days after the release of this patch, attackers are actively exploiting this flaw in the wild. We urge all FortiNAC owners to update their devices to the latest version as soon as possible, to ensure you do not fall victim to these recent exploits.
By securityweek.com
Critical patches have been released for the following versions of ClamAV:
• 0.103.8
• 0.105.2
• 1.0.1
All three patches contain fixes for a critical remote code execution vulnerability that exists in the HFS+ file parser, as well as a potential remote information leak flaw in the DMG file parser. With a CVSS score of 9.8, this RCE flaw makes these updates vital, and we urge all ClamAV users to apply the latest updates as soon as possible.
It is also worth noting that ClamAV version 0.104 has reached end-of-life, and will no longer be receiving updates. Any users running this version are advised to move to a supported version.
By blog.clamav.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #225 – 24th February 2023
By
Joshua Hare
on
23/2/23
This release is slightly smaller than what we saw in January, with a total of 78 vulnerabilities, 9 critical, 0 publicly disclosed and 3 exploited in the wild. This month’s vulnerability classification spread appears to be heavily focused on remote code execution, while the number of elevation of privilege flaws are unusually low, especially compared to last month. Despite these differences, there are still a number of dangerous flaws that have been addressed by Microsoft in this batch of updates.
• Visual Studio
• Azure DevOps
• Microsoft Defender for Endpoint
• Microsoft Defender for IoT
• Microsoft Dynamics
• Microsoft Edge
• Microsoft Exchange Server
• Microsoft Office
• Power BI
• SQL Server
• Windows Active Directory
• Windows Common Log File System Driver
• Windows Cryptographic Services
• Windows Distributed File System (DFS)
• Windows Fax and Scan Service
• Windows Installer
• Windows Protected EAP (PEAP)
• Windows SChannel
• Windows Win32K
This critical vulnerability would allow an attacker to send a malicious e-mail containing an RTF payload or malicious Word document that would allow them to execute commands within the Microsoft Word instance used to open the malicious file. This vulnerability is so severe that even previewing the document in Outlook could initiate the exploit.
Being one of the three vulnerabilities exploited in the wild, this important vulnerability would allow an attacker to execute commands with SYSTEM privileges. More information about this vulnerability has been restricted; however, it is essential that Windows users know this patch will be supplied through the Microsoft Store, so if auto updates are off a manual download will be needed to protect against this vulnerability.
This important vulnerability can be exploited if an attacker sends a specially crafted document that is capable of bypassing Microsoft Publisher security restrictions for untrusted files which would allow malicious macros to be executed on a system without warning the user. This vulnerability is known to be exploited in the wild and users should be wary of opening documents in Publisher from untrusted sources until updating.
The last vulnerability known to be exploited in the wild is to do with the Windows common log file system driver. This important vulnerability would allow an attacker to gain system privileges if successfully exploited.
Microsoft Exchange Server has received three patches for three remote code execution vulnerabilities this month. All three are likely to be exploited in the wild and users are advised to update to protect against potential attacks.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb
Security update guide: https://msrc.microsoft.com/update-guide/
By
Samuel Jack
on
16/2/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The UK and US have begun retaliating against the Russian cyber criminals responsible for ransomware attacks across the UK. This comes following a recent investigation from the National Crime Agency, which exposed the actors behind the Trickbot, Conti and RYUK ransomware strains. It is evident that the UK and US are no longer willing to act in a defensive manner and want to actively hunt and shut down these international cybercriminal operations; the sanctioning of these Russian crime groups is hopefully only the beginning.
By nationalcrimeagency.gov.uk
A wealth and finance planning firm known as Succession Wealth is suffering from a recent cyber attack that has affected their operations. Succession are a major firm, with 18,000 clients across the UK and a workforce of around 600; their latest statement on the incident indicates that they are “working to assess and resolve the situation.” Despite issuing a statement, Succession refused to share more details at this stage, so it is unclear whether user data has been compromised. We expect further updates soon once their investigation has advanced, but for now there is not much more to discuss. We advise that all Succession Wealth customers keep up to date with advisories and statements from the firm, until the situation regarding compromised data has been made clear.
By financialplanningtoday.co.uk
An unidentified threat actor has launched a new campaign in an attempt to steal cryptocurrency from victims. Talos Intelligence has been observing the threat actor and has identified that the campaign is indiscriminate in its attack for financial gain. The attack is known to originate from a phishing email containing a malicious attachment; this email impersonates “CoinPayments”, a legitimate cryptocurrency company. The malicious zipped attachment is masked as a transaction receipt. On download, the attachment connects to a malicious server to download MortalKombat ransomware and Laplas Clipper malware to the victim's machine. Avoid downloading any attachments from suspicious email addresses to help keep safe. Read more about the campaign here.
By blog.talosintelligence.com
A former diplomat has claimed to have hacked an SNP MP’s email. Craig Murray secured Stewart McDonald’s emails after making a number of inquiries but had no involvement in the initial hack. Mr Murray has now vowed to publish material which he deems to be non-personal. Mr Murray also claimed the cache included emails between Mr McDonald and Scotland’s First Minister.
By bbc.co.uk
A new zero-day vulnerability has been present in Apple operating systems and the Safari browser. The vulnerability is in the WebKit browser engine and has been reported to be exploited in the wild. The vulnerability is caused by JsonWebToken code accepting asymmetric keys not associated with the specific algorithm, which allowed insecure key types for signature verification. "[Apple] is aware of a report that this issue may have been actively exploited,” an Apple advisory said. Users are advised to update their devices and Safari browser to patch the vulnerability and stay secure.
By theregister.com
Hyundai and KIA are having to roll out an emergency software update on several car models. This easy hack was allowing people to steal the cars. A Hyundai announcement reads "In response to increasing thefts targeting its vehicles without push-button ignitions and immobilizing anti-theft devices in the United States, Hyundai is introducing a free anti-theft software upgrade to prevent the vehicles from starting during a method of theft popularized on TikTok and other social media channels." The hack has been shown on social media such as TikTok as a challenge since July 2022. The videos have shown people how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire the car.
By bleepingcomputer.com
Welcome to our round-up of the Microsoft Patch Tuesday for February 2023!
This release is slightly smaller than what we saw in January, with a total of 78 vulnerabilities, 9 critical, 0 publicly disclosed and 3 exploited in the wild. This month’s vulnerability classification spread appears to be heavily focused on remote code execution, while the number of elevation of privilege flaws are unusually low, especially compared to last month. Despite these differences, there are still a number of dangerous flaws that have been addressed by Microsoft in this batch of updates.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #223 – 17th February 2023
By
Joshua Hare
on
16/2/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Popular food delivery service Weee! has suffered a large-scale data breach that has compromised the personal data of more than 1.1 million customers. The stolen data includes names, email addresses, phone numbers, device types, order notes and more. Weee! offers its services across 48 US states, making the impact of this attack quite widespread. It was confirmed that no payment card information or credentials were exposed in this breach.
If you are a user of the Weee! service, you can check if you have been affected by this attack here.
By BleepingComputer.com
SonicWall have issued a warning to their users regarding the recent 22H2 update for Windows 11. Those who have completed the latest update may experience issues with the Web Content Filtering feature of their EDR, Capture Client. Capture Client users may experience “limitations” with the product until a fix is released. For now, the only workaround for the issue is to “not be upgraded to version 22H2 until Capture Client 3.7.7 for Windows is available.”
More details on the nature of this issue can be found here.
By BleepingComputer.com
Russian hackers are using Graphiron malware to steal data from Ukraine. A threat actor linked to Russia has been observed deploying a new information-stealing malware in cyber attacks. The Symantec Threat Hunter Team said in a report: “The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files.” The group is known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine. Nodaria started getting attention in January 2022, calling attention to the adversary’s use of SaintBot and OutSteel malware in spear-phishing attacks.
By thehackernews.com
An Australian man has been sentenced to an 18-month community correction order and 100 hours of community service for a scam related to the Optus hack. The hacker managed to steal 9.8 million customers’ personal information including names, birth dates, physical and email addresses, and phone numbers. For 2.1 million customers, numbers associated with identification documents were also compromised. The attackers leaked the personal information of roughly 10,000 individuals. The attackers asked for a ransom of £1 million in cryptocurrency; if this was not paid, they would leak more information.
By securityweek.com
A jailbreak trick breaks ChatGPT content safeguards. Already, users have found a way to work around ChatGPT’s programming controls, which are supposed to restrict it from creating certain content deemed too violent, illegal, and more. According to a report by CNBC, the prompt called DAN (Do Anything Now) uses ChatGPT’s token system against it. Although DAN isn’t successful all of the time, a subreddit devoted to the DAN prompt’s ability to work around ChatGPT’s content policies has already reached 200,000 subscribers.
By darkreading.com
VMware is warning its users of a recent vulnerability in its ESXi hypervisor. This advisory, however, was not regarding a new flaw, but a previously disclosed one that attackers are now exploiting to deploy ransomware. The company has provided users with guidance on how to protect against an attack, and how to recover if you have been hit already. These attacks are specifically targeting devices that have not been updated, so we strongly urge all ESXi hypervisor users to apply the latest updates as soon as possible.
By zdnet.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #222 – 10th February 2023
By
Joshua Hare
on
9/2/23
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The Department of Justice recently published news of the FBI’s latest cyber-crime retaliation. It was revealed that they have:
“Infiltrated a prolific cyber-crime gang to secretly sabotage their hacking attacks for more than six months.”
In doing this, the FBI have been able to secretly warn future victims of incoming attacks, as well as providing decryption keys to those currently affected by the ransomware. The US’ recent efforts to go on the offensive against cyber-criminals appears to be having a positive impact, and we are interested to see what the FBI are able to achieve in the near future.
By BBC.co.uk
Arnold Clark have confirmed that customer information was stolen in their recent cyber-attack. The headquarters in Glasgow was subject to an attack on December 23rd, and they were forced to shut down systems across the UK on Christmas Eve. They said that this was done as a “purely protective measure”. The car dealership is now emailing all of the affected customers to inform them that personal data stored in the company’s network may have been stolen. This includes names, contact details, dates of birth, vehicle details, ID documents (passports / driving licenses), national insurance numbers and bank account details: a treasure trove of personal info for attackers and identity thieves.
By news.stv.tv
JD Sports have reported that they have been hit by a cyber-attack that impacts 10 million of their customers. JD have said information that “may have been accessed” by hackers including names, email accounts, addresses, phone numbers, order details and the final four digits of bank cards. JD have been contacting the affected customers. The data related to the attack was from online orders between November 2018 and October 2020. Neil Greenhalgh, chief financial officer of JD Sports, has said “We want to apologise to those customers who may have been affected by this incident.”
By BBC.co.uk
Planet Ice have been hacked, with 240,000 skating fans’ details stolen. Planet Ice, who operate 14 ice rinks around the UK, has revealed that hackers managed to break into its systems and steal the personal details. The first hint fans saw was when they attempted to buy tickets on the website and were met with a terse message explaining that Planet Ice’s servers were “experiencing unplanned server downtime.” Planet Ice have been letting all fans know of the breach via their website.
By bitdefender.com
New HeadCrab malware has infected 1,200 Redis servers to mine Monero (cryptocurrency). New malware that was designed to find vulnerable Redis servers online has infected 1,200 devices since September 2021. The intention is to build a new botnet that mines for Monero cryptocurrency. This was discovered by Nitzan Yaakov and Asaf Eitani, researchers who work for Aqua Security. It runs in memory and deletes its logs to evade detection from AV scans. Defensive recommendations are included in the post.
By BleepingComputer.com
There has been a recent surge in exploit attempts that leverage a critical vulnerability in Realtek Jungle SDK. These attacks were first spotted in the wild back in August 2022; since then, researchers have observed more than 134 million attempted exploits. The flaw itself allows a remote attacker to execute arbitrary code on the affected system, and is tracked as CVE-2021-35394 with a CVSS score of 9.8. As always, we recommend users of Realtek Jungle SDK upgrade to the latest version to ensure you are protected against this flaw.
By TheHackerNews.com
January has been a dramatic month for security updates, with iOS, Android, Windows, Chrome, and more all receiving important patches. To start things off, Apple released version 16.3 for iOS, which provided fixes for multiple code execution flaws. Microsoft also released a larger-than-usual Patch Tuesday rollout, with 98 total security fixes; the worst of which were elevation of privilege vulnerabilities in Windows Kernel. There were also some vital security updates for Mozilla Firefox and Android, which we strongly urge users to apply as soon as possible.
By Wired.co.uk
Earlier this week, VMware confirmed the validity of exploit code that was publicised for its vRealize Log Insight product. The exploit code focuses on three major vulnerabilities (CVSS 9.8) affecting the appliance, which VMware have labelled a “matter of urgency”.
“VMware described the flaws as directory traversal and broken access control issues with dangerous implications.”
Mitigation techniques, details and impacted versions can all be found in this official security advisory. VMware urges all users to implement their mitigations as soon as possible.
By SecurityWeek.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #221 – 3rd February 2023
By Joshua Hare on 2/2/23
Welcome to Ironshare's Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Two threat actor groups, SEABORGIUM (Russia-based) and TA453 (Iran-based), have launched spear-phishing campaigns impacting organisations in the UK. Reports suggest these attacks are being carried out for "information-gathering purposes" and most commonly target organisations in academia, defence and government; other reports show that individuals such as politicians and journalists have also been hit. In response, the NCSC has published a security advisory detailing the "techniques and tactics" employed by the threat actors, as well as recommendations for mitigating the risk of an attack.
For more details on these campaigns, we advise reading this official advisory from the NCSC.
By NCSC.gov.uk
The UK has suffered heavily in the early weeks of 2023; while Royal Mail continues its recovery from a recent cyber incident, Yum! Brands has fallen victim to ransomware. Yum! Brands is best known as the owner of KFC and Pizza Hut, two of the largest fast-food chains in the UK. News of the attack was publicised earlier this week, and the company is "actively engaged in fully restoring affected systems"; it is believed that no customer data was compromised in this attack.
Yum! Brands official statement on the recent attack can be found here.
By DigitalJournal.com
The IoT Security Foundation's latest report covers the vulnerability disclosure policies of IoT product vendors. This is the fifth report from the IoT Security Foundation, and while it shows good improvement since 2018, vulnerability disclosure practices are still lacking at a large number of businesses. In 2022, just 27.1% of businesses had a disclosure policy. Understandably, this is a constantly evolving practice, and there has been a steady 4-5% increase per year since these reports began, but this is still "far below the near-100% the researchers would like to see".
The full IoTSF report can be downloaded and viewed here.
By iotsecurityfoundation.org
Popular password vault vendor Bitwarden has been heavily criticised recently over news of a flaw in the encryption scheme that protects users' encryption keys. A recent report from Wladimir Palant suggests that its seemingly impressive 100,001 server-side PBKDF2 hash iterations were "ineffective" and, on top of this, that older accounts were stuck with the original 5,000 client-side iterations. The public backlash has only grown since the recent LastPass breach, with customers hoping that Bitwarden would learn from the failures of its competitors.
Bitwarden's response to the backlash has also been questioned by users, with the report stating that:
“They [Bitwarden] give no indication on the timeline for this change and are vague about whether existing accounts will automatically be upgraded to the new, higher default.”
Reports suggest that "Bitwarden is treating this criticism as a feature request"; while this is not the response the community was expecting, it hopefully means that changes are on the way.
By Portswigger.com
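The iteration-count argument above is easier to see in code. The following is an added example, not Bitwarden's code and not code from the report: a simplified model in which the vault key is derived client-side with PBKDF2-HMAC-SHA256 (lower-cased email as salt), the client sends a one-round hash of that key as its login credential, and the server re-hashes that credential with its own iteration count. The constants other than the 5,000 quoted above, the salt choice and the "vault check value" standing in for the encrypted vault are assumptions of the model. The point it demonstrates is that an attacker holding a stolen vault never touches the server-side hash, so only the client-side count sets their per-guess cost.

```python
"""Work-factor model for a client-side encrypted password vault.

Added example: a simplified model of the scheme discussed above, not
Bitwarden's code and not code from the report. Assumed details: the vault
key is PBKDF2-HMAC-SHA256 over the master password with the lower-cased
email as salt; the client sends a one-round hash of that key as its login
credential; the server re-hashes that credential with its own count.
"""
import hashlib
import hmac
from typing import Iterable, Optional

CLIENT_ITERATIONS_LEGACY = 5_000     # count quoted above for older accounts
CLIENT_ITERATIONS_DEFAULT = 100_000  # assumed client-side default for the model
SERVER_ITERATIONS = 100_000          # assumed server-side count for the model


def derive_vault_key(password: str, email: str, iterations: int) -> bytes:
    """Client-side derivation. This key, not the server's hash, protects the vault."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def login_hash(vault_key: bytes, password: str) -> bytes:
    """Credential the client sends at login: one PBKDF2 round over the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, password.encode("utf-8"), 1, dklen=32)


def server_stored_hash(auth_hash: bytes, server_salt: bytes,
                       server_iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server-side hardening of the login credential before it is stored."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, server_iterations, dklen=32)


def vault_check_value(vault_key: bytes) -> bytes:
    """Stand-in for the encrypted vault blob: a value a candidate key can be tested
    against. A real vault would be AES-CBC ciphertext plus an HMAC tag."""
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def offline_crack(check_value: bytes, email: str, client_iterations: int,
                  wordlist: Iterable[str]) -> Optional[str]:
    """Attacker holding a stolen vault. Note what is absent: no call to
    server_stored_hash(). Each guess costs exactly client_iterations rounds,
    so the server-side count does nothing against this attack."""
    for guess in wordlist:
        key = derive_vault_key(guess, email, client_iterations)
        if hmac.compare_digest(vault_check_value(key), check_value):
            return guess
    return None


def advertised_to_actual_ratio(client_iterations: int,
                               server_iterations: int = SERVER_ITERATIONS) -> float:
    """Rounds a provider can advertise (client + server) divided by the rounds an
    offline attacker actually pays per guess (client only)."""
    return (client_iterations + server_iterations) / client_iterations


if __name__ == "__main__":
    email, password = "user@example.com", "summer2022"  # constructed sample account
    key = derive_vault_key(password, email, CLIENT_ITERATIONS_LEGACY)
    stolen_vault = vault_check_value(key)
    print("server stores:", server_stored_hash(login_hash(key, password), b"per-user-salt").hex()[:16], "...")
    print("offline crack recovers:", offline_crack(stolen_vault, email, CLIENT_ITERATIONS_LEGACY,
                                                   ["password", "letmein", "summer2022"]))
    for n in (CLIENT_ITERATIONS_LEGACY, CLIENT_ITERATIONS_DEFAULT):
        print(f"client={n}: advertised work is {advertised_to_actual_ratio(n):.0f}x what the attacker pays")
```

Run it and offline_crack() recovers the weak password against the legacy 5,000-iteration key without ever calling server_stored_hash(); raising the server-side count changes nothing for that attacker, whereas raising the client-side count multiplies their cost directly.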
Arnold Clark has been hit by a cyber-attack. Information such as addresses, passports and national insurance numbers was leaked over the festive period. The Mail has reported that the hacking group Play is now threatening Arnold Clark with a huge dump of customer data onto the dark web, having already leaked some of the details taken in the attack. Newspapers have reported that 15 gigabytes of data have been posted, and the hackers intend to upload a further 467 gigabytes unless a multi-million-pound ransom is paid in cryptocurrency.
By am-online.com
Over 4,500 WordPress sites have been hacked to redirect visitors to sketchy ad pages, as part of a long-running operation that has been going on since 2017. According to GoDaddy, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track[.]violetlovelines[.]com". The latest wave is said to have been running since December 26, 2022 and has impacted more than 3,600 sites, while another set of attacks recorded in September 2022 affected more than 7,000 sites.
By TheHackerNews.com
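A simple way to hunt for this kind of injection on your own sites is to scan theme and plugin files for script tags loading from hosts you do not recognise, plus inline scripts carrying common obfuscation markers. The scanner below is an added example, not code from the article or from GoDaddy/Sucuri; the sample files are constructed in memory (with the domain named above as the known-bad host) so it runs offline, and scan_tree() applies the same checks to a real wp-content directory. The allowlist of legitimate external hosts is an assumption you supply for your own site.

```python
"""Scanner for injected <script> tags in WordPress theme/plugin files.

Added example, not code from the article or from GoDaddy/Sucuri. Flags
external script sources whose host is not on the site's allowlist (the
domain named in the article is used as the known-bad sample), plus inline
scripts showing common obfuscation markers. SAMPLE_FILES is constructed so
the example runs offline; scan_tree() walks a real wp-content directory.
"""
import os
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
OBFUSCATION_MARKERS = (
    re.compile(r'\beval\s*\('),
    re.compile(r'String\.fromCharCode'),
    re.compile(r'\bunescape\s*\('),
    re.compile(r'\batob\s*\('),
    re.compile(r'(?:\\x[0-9a-f]{2}){8,}', re.I),   # long run of hex escapes
)
KNOWN_BAD_HOSTS = {"track.violetlovelines.com"}   # domain named in the article

# Constructed sample files (not real site content): one loading the known-bad host,
# one with an obfuscated inline payload, one clean.
SAMPLE_FILES: Dict[str, str] = {
    "wp-content/themes/site/header.php":
        '<html><head><script src="https://track.violetlovelines.com/js/track.js"></script>',
    "wp-content/themes/site/footer.php":
        '<script>var _0x1f=["\\x61\\x6c\\x65\\x72\\x74\\x28\\x31\\x29\\x3b"];eval(_0x1f[0]);</script>',
    "wp-content/themes/site/clean.php":
        '<script src="/wp-includes/js/jquery/jquery.min.js"></script>'
        '<script src="https://cdn.example.com/app.js"></script><script>initMenu();</script>',
}


def script_host(src: str) -> str:
    """Host of a script src; protocol-relative URLs are treated as https."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def scan_text(path: str, text: str, allowed_hosts: Iterable[str]) -> List[dict]:
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[dict] = []
    for m in SCRIPT_SRC.finditer(text):
        host = script_host(m.group(1))
        if not host:
            continue  # relative path, served by this site itself
        if host in KNOWN_BAD_HOSTS:
            findings.append({"path": path, "kind": "known_bad_host", "detail": host})
        elif host not in allowed:
            findings.append({"path": path, "kind": "unlisted_external_host", "detail": host})
    for m in INLINE_SCRIPT.finditer(text):
        body = m.group(1)
        hits = [p.pattern for p in OBFUSCATION_MARKERS if p.search(body)]
        if hits:
            findings.append({"path": path, "kind": "obfuscated_inline", "detail": ", ".join(hits)})
    return findings


def scan_files(files: Dict[str, str], allowed_hosts: Iterable[str]) -> List[dict]:
    out: List[dict] = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text, allowed_hosts))
    return out


def scan_tree(root: str, allowed_hosts: Iterable[str],
              exts=(".php", ".js", ".html")) -> List[dict]:
    """Same checks over every PHP/JS/HTML file under a real directory."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_files(files, allowed_hosts)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, allowed_hosts=["cdn.example.com"]):
        print(f"{f['kind']:24} {f['path']}  ({f['detail']})")
```

Anything reported as unlisted_external_host is not necessarily malicious, only unexpected; the value of the allowlist is that a newly injected host shows up as a diff against what the site is known to load.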
Federal agencies have been hacked using legitimate remote desktop tools. CISA, the NSA and MS-ISAC warned today that attackers are increasingly using legitimate remote monitoring and management (RMM) software for malicious purposes. More concerning is that CISA discovered malicious activity within the networks of multiple federal civilian executive branch agencies using the EINSTEIN intrusion detection system, following the release of a Silent Push report in October 2022. The attackers have been sending phishing emails to federal staff's government and personal email addresses since at least mid-June 2022.
By BleepingComputer.com
Riot Games recently disclosed a cyber incident in which source code for two of its biggest games, League of Legends and Teamfight Tactics, was stolen. Source code also appears to have been stolen from its anti-cheat platform, which has sparked concerns that new cheats may emerge for its games. Riot's Twitter thread very clearly states that:
"there is no indication that player data or personal information was obtained".
The latest tweet also states that a ransom note was received, but Riot's response made clear that they will not be paying.
More details on the impact of this attack can be found in Riot Games' seven-part Twitter thread.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #220 – 27th January 2023
By Joshua Hare on 26/1/23
Welcome to Ironshare's Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
President Joe Biden is in the process of approving a new cybersecurity policy that would allow for further protection of businesses and the capability to "retaliate against those hackers with our own cyberattacks". This new National Cybersecurity Strategy rests on two significant changes from the policies of Biden's predecessors: the first mandates regulations for American industries, and the second authorises U.S. agencies to launch offensive cyberattacks against foreign governments and criminals. A large part of the new paper focuses on "purely defensive measures" and seems a lot more focused than policies pushed by previous administrations. It is exciting to see cybersecurity becoming increasingly important to governments, and we are intrigued to see what happens next.
By Slate.com
Royal Mail are still recovering from a recent cyberattack that hindered their overseas shipping. While they have not revealed too much about the “cyber incident”, Royal Mail has confirmed that they have restarted their overseas posting operations in “limited volumes”. The slow restart means that no new parcels will be accepted, but any currently being held by Royal Mail are starting to be sent. It is unclear whether Royal Mail plan to disclose details of the incident, but many researchers speculate they may have suffered a ransomware attack; if this was the case, we expect that the affected customers will be contacted at some point in the near future.
By BBC.co.uk
Today, members of Ukraine's national Computer Emergency Response Team met with their counterparts at the National Cyber Security Centre to hold talks on the current conflict and on opportunities for building resilience in cyberspace. This is the first UK visit since the start of the conflict. The key figures in Ukraine's defence against Russian hostility held meetings in London, discussing the latest developments experienced during the conflict. The Ukrainian delegation also appeared this week at the CyberThreat conference in front of an audience of experts, where they joined the NCSC's Director of Operations, Paul Chichester, for a fireside discussion to share some of their recent insights.
By NCSC.gov.uk
MailChimp has disclosed a new breach after multiple employees were compromised. The breach occurred after hackers accessed an internal customer support and account administration tool. MailChimp has said that the hackers obtained employee credentials through a social engineering attack. The attack was first detected on January 11th, when MailChimp spotted an unauthorised party accessing its support tools.
By BleepingComputer.com
Thousands of Sophos firewalls are still vulnerable to hijacking: more than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year. The flaw, CVE-2022-3236, had already been exploited as a zero-day and can be used to take control of a device; compromised devices can then be commandeered to probe and attack the network behind them. Sophos issued a hotfix for some versions of the firewall and then released a formal update that fixed the bug in December 2022. Companies running these devices should ensure they are updated promptly.
By TheRegister.com
Researchers at Orca Security have released information on four Azure services that were vulnerable to Server-Side Request Forgery (SSRF) attacks: Azure Functions, Azure Digital Twins, Azure Machine Learning and Azure API Management. Exploiting these SSRF flaws could have allowed an attacker to retrieve access tokens and execute remote code. Microsoft has confirmed that these vulnerabilities have since been fixed. The Orca Security blog contains more detail.
By Orca.security
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #219 – 19th January 2023
By Joshua Hare on 19/1/23
Welcome to Ironshare's Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Royal Mail has advised people to temporarily stop sending mail overseas, due to a recent cyber incident that has caused “severe disruption”. The Royal Mail team are currently focused on restoring operations and have stated that domestic deliveries within the UK are completely unaffected.
“We are aware of an incident affecting Royal Mail Group Ltd and are working with the company, alongside the National Crime Agency, to fully understand the impact.”
Some news reports suggest that the firm were hit by a ransomware attack, but details are currently unknown.
By BBC.co.uk
WithSecure has released a report into how GPT-3 language models can be abused to produce malicious content. The report details how the model can be abused to produce "phishing and spear-phishing, harassment, social validation for scams, the appropriation of a written style, the creation of deliberately divisive opinions, using the models to create prompts for malicious text, and fake news." This is concerning, as it shows GPT-3 language models can give cyber criminals a tool to scale their current operations and to make targeted communications easier to produce and more convincing. Consequently, service providers and individuals will have increasing difficulty identifying fake or malicious content written by AI.
By TheRegister.com
Between July 2021 and June 2022, 45% of all data stolen by hackers was customer and employee data, while source code accounted for 6.7% and proprietary information for 6.5%. Surprisingly, over the same period, thefts of credit card information and password details dropped by 64% compared to the previous year. This is thought to be due to basic security measures being more widely adopted by both organisations and individuals, especially multi-factor authentication, making account compromise more difficult. "In the long term, PII data is the most valuable to cyber-criminals. With enough stolen PII, they can engage in full-on identity theft which is hugely profitable and very difficult to prevent. Credit cards and passwords can be changed the second there is a breach, but when PII is stolen, it can be years before it is weaponized by hackers," said Terry Ray, SVP and Field CTO at Imperva.
By InfoSecurity-Magazine.com
Several schools have been hit by cyber-attacks, with highly confidential documents leaked from 14 schools. One of them, Pate's Grammar School, was targeted by the hacking group Vice Society. The documents, taken in 2021 and 2022, include children's SEN information, child passport scans, staff pay scales and contract details. The group responsible has been behind a string of high-profile attacks on schools across the UK and USA, and allegedly stole 500 gigabytes of data from the entire Los Angeles Unified School District. Vice Society demands a ransom and leaks the documents if payment is not made.
By BBC.co.uk
Hackers are actively exploiting a critical remote code execution vulnerability in Control Web Panel (formerly CentOS Web Panel), tracked as CVE-2022-44877. The bug allows unauthenticated remote attackers to execute arbitrary OS commands with elevated privileges on susceptible servers. It impacts all versions of the software before 0.9.8.1147 and was patched on October 25, 2022. Control Web Panel is a popular server administration tool for enterprise Linux systems.
By TheHackerNews.com
Welcome to our round-up of the Microsoft Patch Tuesday for January 2023!
Starting the year off with January’s Patch Tuesday, it appears this is a much bigger batch of updates compared to December. A total of 98 vulnerabilities have been fixed in the latest instalment, with 11 critical, 1 publicly disclosed and 1 exploited in the wild. While 98 vulnerabilities is higher than we are used to seeing from Microsoft's monthly rollout, it has been a quiet month for public disclosures and active exploitation.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #218 – 13th January 2023
By Joshua Hare on 12/1/23
Starting the year off with January’s Patch Tuesday, it appears this is a much bigger batch of updates compared to December. A total of 98 vulnerabilities have been fixed in the latest instalment, with 11 critical, 1 publicly disclosed and 1 exploited in the wild. While 98 vulnerabilities is higher than we are used to seeing from Microsoft's monthly rollout, it has been a quiet month for public disclosures and active exploitation.
• Microsoft Bluetooth Driver
• Microsoft Exchange Server
• Microsoft Local Security Authority Server (lsasrv)
• Microsoft Office
• Visual Studio Code
• Windows BitLocker
• Windows Credential Manager
• Windows Kernel
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Malicious Software Removal Tool
• Windows MSCryptDImportKey
• Windows NTLM
• Windows Point-to-Point Tunneling Protocol
• Windows Print Spooler Components
• Windows RPC API
• Windows Secure Socket Tunneling Protocol (SSTP)
• Windows Task Scheduler
• Windows Virtual Registry Provider
Listed as critical, this vulnerability could allow an unauthenticated attacker to bypass authentication and make an anonymous connection. Microsoft reports it to be of low complexity and easy to exploit, and further information has been restricted because of that low complexity and its potential impact.
These critical vulnerabilities could allow an unauthenticated attacker to achieve remote code execution on a Windows machine. An attacker would need to send a specially crafted SSTP packet to an SSTP server; however, a race condition must be won for successful exploitation.
With a CVSS score of 8.8, this important vulnerability has been exploited in the wild. It would allow an attacker to escape a sandbox environment, leading to privilege escalation. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," reports Microsoft's advisory; however, specifics of the vulnerability have not been disclosed.
This important, publicly disclosed vulnerability would allow an attacker to execute RPC functions that are restricted to privileged accounts only. It requires the attacker to send a specially crafted malicious script that executes an RPC call to an RPC host, which could result in elevation of privilege on the server.
Print spooler continues to be a problem for Microsoft as consecutive months have gone by with new vulnerabilities being patched. The latest vulnerabilities are all important elevation of privilege vulnerabilities that would allow an attacker to gain greater control over a system.
Two privilege escalation vulnerabilities have been identified and patched in Microsoft Exchange Server. Both are the result of an incomplete patch for CVE-2022-41123 in November; a successful attack would grant the attacker SYSTEM privileges.
January 2023 marks the end of extended support for Windows 7 and Windows 8.1. Both operating systems received their final update this month and will no longer be supported by Microsoft, so any machines still running them increase an organisation's exposure to security risks. We advise any organisation with machines running Windows 7 or 8.1 to upgrade immediately to Windows 10 or 11 so that they continue to receive security updates.
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Jan
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 11/1/23
Welcome to the first 2023 edition of the Ironshare Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
UK newspaper The Guardian is expected to keep its offices closed for the next month. According to a statement from the Guardian Media Group (GMG) Chief Executive, the group is still dealing with the fallout of the recent attack and needs an extended period to focus on recovery; GMG plans to spend the next 30 days applying important fixes while "reducing the strain on our networks". The attack is understood to have occurred on the 20th of December, and the business is expected to be back to normal operations by the beginning of February.
By ComputerWeekly.com
It is far too common for organisations to leave their security in the hands of an IT team, believing that their users play no part in the security and integrity of their operations. A recent study showed that:
“approx. 30% of employees do not think they play a role in maintaining their company’s cyber security posture”.
This could not be more wrong. There is only so much that technology can do to protect your organisation; educating your users on cyber risks and helping them understand how to stay safe is essential to creating a strong, security-focused culture.
Key steps to creating a strong cyber culture can be found here.
By Forbes.com
The NCSC has revealed the top government email impersonation scams taken down in 2022. Cyber security experts revealed today that they removed the six most prevalent government impersonation scams of 2022, and the public have been encouraged to keep reporting suspicious emails after 6.4 million reports were received during the year. The public have also been urged to stay alert to scammers using exploitative tactics as we head into 2023.
By NCSC.gov.uk
Twitter is facing a data protection probe after the details of 400 million users were put up for sale. Twitter is being investigated after a hacker claimed to hold private details linked to more than 400 million accounts. The hacker, known as Ryushi, is demanding £166,000 to hand over the data. It has been reported that some celebrities are among the 400 million.
By BBC.co.uk
ALPHV has recently disclosed sensitive data on its leak site from a victim that failed to pay its ransom. When leaking the information, ALPHV also created a cloned website impersonating the victim, hosted on a similarly named domain. This cloned website held various documents, from memos to staff and payment forms to employee information, data on assets and expenses, financial data for partners and passport scans. This unusual method is thought to be intended to publicise the breach, damage the company's reputation and warn future victims of what happens if they do not pay the ransom.
By BleepingComputer.com
Just two days before Christmas, Arnold Clark was forced to shut down its internal network as a precautionary measure in response to a suspected cyber-attack. The car dealership was warned by external cyber security consultants of suspicious traffic on its network on 23rd December. Shutting down the network was a "purely protective measure", which resulted in telephone booking services and other technical systems becoming unavailable. Arnold Clark stated it was able to protect the data of customers and third-party providers as well as its own systems. Security partners have been assisting the car dealership in reviewing its infrastructure and re-enabling its systems in a phased and secure manner.
By News.STV.tv
Five Guys is yet another victim of a cyber-attack, after what is thought to have been a "smash-and-grab" operation. "Unauthorized access to files" was discovered on 17th September; after completing a review of the accessed files on 8th December, Five Guys determined that they contained information submitted during the employment process. There are concerns about the future implications of this data being leaked, such as identity theft targeting the victims. Five Guys has stated that it is working with law enforcement and a cyber security firm, but has been less than forthcoming with the public about the attack.
By DarkReading.com
And that’s it for the round-up for this year, please do check in for our new batch of security news and posts.
Happy New Year!
Stay Safe, Secure and Healthy!
Edition #218 – 6th January 2023
By Samuel Jack on 5/1/23
Welcome to the Christmas 2022 edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and the year to cover some of the news, posts, views, and highlights from the world of Security.
In general, this year started where 2021 left off, with more of pretty much everything: phishing, ransomware, cryptocurrency crashes and attacks, DDoS and, of course, data breaches.
In late January 2021 the notorious Emotet malware infrastructure was the target of Europol, where the combined weight of numerous law enforcement agencies gained control of and took down one of the most effective cybercrime malware delivery services.
In true Emotet form, though, it reappeared and continued its activities through 2022, pushing payloads such as BlackCat ransomware. At the moment it appears they too have broken up for the holidays, but don't be fooled; we expect them back in the news soon enough.
MFA bombing (aka MFA fatigue or MFA spamming) gained greater traction as a threat to organisations. This exploits the human weakness in MFA: a barrage of MFA push requests is sent to the user, who gets so fed up with denying them that they finally click approve, giving the cyber criminals access to their systems.
Big firms such as Uber, Microsoft and Cisco all had staff who fell victim to these MFA-based attacks. As more organisations adopt MFA to protect their user identities, it was inevitable that MFA itself would become more of a target for the bad guys.
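Detecting a push-bombing attempt as it happens comes down to counting denied pushes per user in a short window and flagging an approval that follows such a burst, since that approval is the moment the attacker gets in. The detector below is an added example, not from any IdP vendor or from the round-up; the log format (one push event per line with timestamp, user, result and source IP) and the sample events are constructed for the example, and the threshold of five denies in ten minutes is an assumed tuning value.

```python
"""MFA push-fatigue detector over constructed IdP log lines.

Added example, not from the round-up or any vendor product. The log format
is invented for the example: one push event per line with an ISO-8601
timestamp, user, result (denied/approved) and source IP. Real IdP logs
(Okta, Duo, Azure AD sign-in logs) carry the same fields under other names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List

# Constructed sample: alice is bombed (6 denies in 5 minutes, then approves),
# bob denies one push and approves the next, carol approves normally.
SAMPLE_LOG = """\
2022-09-15T02:13:10Z push user=alice result=denied src=203.0.113.7
2022-09-15T02:13:41Z push user=alice result=denied src=203.0.113.7
2022-09-15T02:14:05Z push user=bob result=denied src=198.51.100.9
2022-09-15T02:14:30Z push user=alice result=denied src=203.0.113.7
2022-09-15T02:15:02Z push user=alice result=denied src=203.0.113.7
2022-09-15T02:15:40Z push user=carol result=approved src=192.0.2.44
2022-09-15T02:16:11Z push user=alice result=denied src=203.0.113.7
2022-09-15T02:16:55Z push user=bob result=approved src=198.51.100.9
2022-09-15T02:17:20Z push user=alice result=denied src=203.0.113.7
2022-09-15T02:18:02Z push user=alice result=approved src=203.0.113.7
"""


def parse_line(line: str) -> dict:
    """'<ts> push k=v k=v ...' -> dict with a timezone-aware datetime under 'ts'."""
    ts, _kind, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect_mfa_fatigue(lines: Iterable[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return one alert per user who denied >= threshold pushes within the window.
    approved_after_burst is set when an approval arrives while the burst is still
    inside the window: the fatigue attack most likely succeeded."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_denies: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        q = recent_denies[user]
        while q and ts - q[0] > window:          # slide the window forward
            q.popleft()
        if ev["result"] == "denied":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "denied_in_window": 0, "first_denied": q[0],
                    "last_event": ts, "approved_after_burst": False, "src": ev["src"]})
                alert["denied_in_window"] = max(alert["denied_in_window"], len(q))
                alert["last_event"] = ts
        elif ev["result"] == "approved" and len(q) >= threshold and user in alerts:
            alerts[user]["approved_after_burst"] = True
            alerts[user]["last_event"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        verdict = "APPROVED after burst (likely compromise)" if a["approved_after_burst"] else "burst only"
        print(f"{a['user']}: {a['denied_in_window']} denies from {a['src']} -> {verdict}")
```

In practice the approved_after_burst alert should trigger an automatic session revocation and a password/MFA reset for that user; the burst-only alert is the point at which to switch the user to number matching or a phishing-resistant factor.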
Vulnerabilities continue to rise year on year, this shouldn’t be a huge surprise as we witnessed increases in the number of security researchers flocking to find flaws in products and services. Bug Bounties or Vulnerability Disclosure programmes have now become a prominent feature in the industry.
As 2022 comes to an end we are closing in on a new record of around 25,000 CVEs.
Microsoft Exchange Server continued to take the punches as new and old vulnerabilities were exploited on servers globally. While some systems were still not patched for ProxyShell, which arrived in 2021, its very distant cousin ProxyNotShell arose and was actively exploited pretty quickly.
Microsoft Office suffered the Follina MS Diagnostic Tool zero-day flaw, while Log4j just fails to go away, with lots of systems remaining unpatched against this critical remote code execution vulnerability.
A new threat actor group called Lapsus$ emerged in late 2021 and caused havoc for numerous companies throughout the year, including some big names: Microsoft, Uber, Okta, Nvidia and Rockstar Games, to name a few. Numerous arrests have been made, but whether they continue to embarrass companies in 2023, time will tell.
2022 has been another busy year for the Ironshare Team, as we helped more customers to secure their organisations. This ranged from small businesses who needed to grasp the fundamentals of cyber security, to large organisations needing assistance with cyber strategy and delivery of complex solutions. The team has grown, the brand has had a face lift and the new website is now live.
We look forward to another positive year in 2023, with the hope that the cyber industry can continue to get another step closer to stopping the bad guys.
In this week’s Christmas round-up:
Here is a friendly reminder for festive shoppers about being cyber aware when online. Cyber security and law enforcement partners are urging bargain hunters to bolster their cyber security in the approach to and during the festive season, after new figures revealed victims of online shopping scams lost on average £1,000 per person in the same period last year. One victim lost £500 when attempting to buy shoes on a social media platform, and another lost £145 trying to make a similar purchase.
By ncsc.gov.uk
On the 21st December, the FBI warned the public that cyber criminals are using search engine advertisements to impersonate people and brands, taking users to malicious sites that host ransomware and steal login credentials and financial information. The criminals purchase advertisements that appear within search results, using a domain similar to that of a real business or service, so that when users search for that business the advertisements appear at the very top of the results. As always, be careful what you click, and check out the link for some useful advice.
By ic3.gov
The Guardian has been hit by a serious ransomware attack. The incident occurred on Tuesday night and has affected parts of the company's technology infrastructure, disrupting behind-the-scenes services. The Guardian has continued publishing online, with stories still appearing on its website and app. The hackers have access to a computer system and are making demands to restore services. Chief executive Anna Bateson and editor-in-chief Katharine Viner told staff: "As everyone knows, there has been a serious incident which has affected our IT network and systems in the last 24 hours. We believe this to be a ransomware attack but are continuing to consider all possibilities."
By theguardian.com
Okta, an identity and access management company, has been the victim of a cyber attack in which its source code was stolen. Unknown hackers accessed Okta Workforce Identity Cloud code repositories hosted on GitHub and copied Okta's source code. GitHub alerted Okta to the unauthorised access, and Okta temporarily restricted access to the repository while it examined recent code commits to ensure no illegitimate changes had been made. Okta has stated that its services and customer information were not affected by the attack and that "Okta does not rely on the confidentiality of its source code for the security of its services".
By thehackernews.com
State-level or state-sponsored cyber attacks can have serious consequences for individuals, organisations and countries. Attacks on this level are carried out to collect intelligence, disrupt critical infrastructure, interfere with political processes or support military operations. They can be launched using malware, phishing, denial of service, supply chain attacks and more. Defending against such attacks at a state level needs strong cyber security measures, monitoring and an incident response plan, as well as investment in research and cooperation with international partners. More information about the reasons for conducting a state-level cyber attack, the methods used and defensive strategies can be found here.
By ukdefencejournal.org.uk
Play are a new ransomware group that were first seen in June 2022 and have been very active for the last six months. Their latest campaign utilises two ProxyNotShell vulnerabilities in Microsoft Exchange that, if exploited correctly, allows an attacker to gain access to the victim’s environment. While these flaws were patched by Microsoft in November, they are still actively being used as part of this major ransomware campaign, alongside some unknown Outlook Web App exploits that are now being investigated by CrowdStrike.
CrowdStrike's extensive research into these new exploits can be found here.
By duo.com
SPNEGO is a GSSAPI negotiation mechanism used when a client application authenticates to a remote server. A vulnerability in it was disclosed in September and marked by Microsoft as an information disclosure vulnerability; this has recently changed after a security researcher discovered that the mechanism was vulnerable to remote code execution, causing a reclassification to critical. The vulnerability resides in the SPNEGO Extended Negotiation (NEGOEX) security mechanism and affects any Windows application protocol that authenticates through it, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP). All systems running this service should be updated to the latest version to protect against this attack.
By securityintelligence.com
WordPress sites are one of the biggest targets for threat actors, due to the large number of plugins that require constant updates. Most site owners do not update their plugins as often as they should, making them easy targets for attackers looking to exploit known vulnerabilities. One of the most common flaws in WordPress plugins is Server-Side Request Forgery (SSRF), which lets an attacker make the vulnerable server issue requests to destinations of the attacker's choosing, such as internal services or cloud metadata endpoints, and which can be a stepping stone to full compromise of the target.
In the past we have seen SSRF vulnerabilities in plugins such as Google Web Stories, which is used across a large number of WordPress sites. To help protect against these dangerous flaws, Wordfence has compiled some guidance for users to follow; this guidance includes details on how to protect your sites, prevent SSRF vulnerability creation and more.
If you are interested in learning more about how you can protect your WordPress site, we recommend consulting this Wordfence advisory.
By wordfence.com
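To illustrate the “prevent SSRF vulnerability creation” point, here is an added example (not Wordfence’s guidance or code from any plugin mentioned above) showing a typical plugin fetch endpoint that trusts a user-supplied URL, beside a hardened version built on WordPress core’s own `wp_safe_remote_get()` and a host allowlist. The action name, nonce name and allowed host are assumed placeholders.

```php
<?php
// Added illustration only; not Wordfence's code or any real plugin's.
// 'example_fetch', 'example_fetch_nonce' and 'api.example.com' are assumed.

// VULNERABLE pattern: the server fetches whatever URL the request supplies,
// so an attacker can make the WordPress host issue requests to internal
// services on their behalf. No scheme, host, port or IP checks at all.
function example_fetch_unsafe() {
    $url      = isset( $_GET['url'] ) ? $_GET['url'] : '';
    $response = wp_remote_get( $url );
    echo wp_remote_retrieve_body( $response );
    wp_die();
}

// HARDENED pattern: authorise the caller, pin the scheme, allowlist the
// destination host, and let core validate the resolved address.
function example_fetch_safe() {
    // Only privileged, logged-in users may trigger server-side fetches.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'example_fetch_nonce', 'nonce' );

    // esc_url_raw() with an explicit protocol list drops anything not https.
    $url  = esc_url_raw( wp_unslash( $_GET['url'] ?? '' ), array( 'https' ) );
    $host = wp_parse_url( $url, PHP_URL_HOST );

    // Allowlist of external hosts this feature legitimately talks to (assumed).
    $allowed_hosts = array( 'api.example.com' );
    if ( '' === $url || ! in_array( $host, $allowed_hosts, true ) ) {
        wp_die( 'URL not permitted', '', array( 'response' => 400 ) );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so core's
    // wp_http_validate_url() rejects loopback/private addresses, unusual
    // ports and non-http(s) schemes even if the allowlist is misconfigured.
    // redirection => 0 stops a redirect from steering the request elsewhere.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_die( 'Fetch failed', '', array( 'response' => 502 ) );
    }
    echo esc_html( wp_remote_retrieve_body( $response ) );
    wp_die();
}
add_action( 'wp_ajax_example_fetch', 'example_fetch_safe' );
```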
And that’s it for the round-up for this year, please do check in for our new batch of security news and posts.
We wish you all a very Merry Christmas and a prosperous New Year.
See you all in January 2023.
Stay Safe, Secure and Healthy!
Edition #217 – 23rd December 2022, by Joshua Hare on 23/12/22
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The Cisco Talos team have released a report covering all of the major security events covered during 2022. This report, titled the “Talos Year in Review”, discusses the cyber threat landscape and the top threats that have emerged during 2022, as well as some of the high-profile events such as Talos’ support for Ukraine’s critical infrastructure, and the infamous Log4j vulnerabilities.
This report can be downloaded from the Talos Intelligence blog and features a clever summary of the team’s activities over the course of 2022. We recommend reading this for some great statistics on the current threat landscape.
By blog.talosintelligence.com
On December 1st, 2022, a list of emails and referral links of CoinTracker users was leaked online. No further information was leaked and there is no additional action that any users need to take at this time. The breach affected one of their service providers and is now resolved; CoinTracker’s own database was not compromised. All affected users have received an email. This attack does not give anyone access to user accounts but does increase the likelihood of phishing emails. If you received the email, be cautious of any emails you receive, in case they are phishing attacks.
By Databreaches.net
The cyber-attack that hit the Irish Health Service Executive has officially reached a cost of over €80 million (€83.75 million is the exact figure). The announcement comes months after the Department of Health suggested the attack could end up costing up to €100 million. The attack was conducted by Russia-based state actors, and it was reported that it was caused by a malicious Microsoft Excel file delivered via a phishing email.
By Infosecurity-Magazine.com
Intersport, a sports retail giant, is one of the latest victims of a ransomware attack. Stores located in France were forced to alert shoppers that the attack was preventing the use of cash registers, loyalty card, and gift card services. The Hive ransomware group has taken responsibility for the attack, which took place on 23rd November, and has published data related to the breach on a leak website. It is unknown at this time whether Hive has pressured Intersport to pay, whether the ransom has been paid, or whether the demand has simply gone unanswered.
By Bitdefender.com
MirrorFace has been targeting Japanese politicians with its MirrorStealer malware. The campaign delivers this information stealer, along with a backdoor that connects back to the group’s command-and-control server, to high-profile political targets through crafted spear-phishing emails. The emails impersonate either a PR agent asking for the attached video to be posted to the target’s social media, or a member of a Japanese ministry with fake documents attached. Both lures result in the execution of a malware dropper that retrieves MirrorStealer and installs it on the target’s devices.
By BleepingComputer.com
Citrix have discovered a critical zero-day affecting multiple versions of their ADC and Gateway devices. This zero-day allows a remote unauthenticated attacker to execute arbitrary code on the target system and has been actively exploited by state-sponsored attackers in an attempt to access select corporate networks.
The vulnerability is known to affect the following versions:
We recommend that all users update their devices as soon as possible to ensure they are not at risk of exploitation.
By BleepingComputer.com
Welcome to our monthly round-up of Microsoft’s December 2022 Patch Tuesday. This batch of security updates includes fixes for Microsoft Azure, Microsoft Office, PowerShell & more. 7 critical vulnerabilities were patched this month, making immediate updates very important. We advise looking into the latest fixes and applying the necessary updates as soon as possible.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #216 – 16th December 2022, by Joshua Hare on 15/12/22
December’s Patch Tuesday contains fixes for 44 vulnerabilities, with 7 critical, 2 publicly disclosed and 1 exploited in the wild. This Patch Tuesday is quieter than what we have seen over the past couple of months, with a big decrease in the number of vulnerabilities.
Being the only vulnerability known to be exploited in the wild this month, this moderate vulnerability would allow an attacker to craft a malicious file that evades Mark of the Web defences. Such a file causes an error in SmartScreen, so security warnings are not displayed to users. This flaw is known to have been used by the QBot trojan and Magniber ransomware to bypass Microsoft’s security systems.
This publicly disclosed moderate vulnerability could allow an attacker to gain SYSTEM privileges by exploiting the DirectX Graphics Kernel. A partial mitigating factor is that an attacker would have to win a race condition for a successful exploit. This vulnerability only affects Windows 11 Version 22H2 for ARM64- and x64-based systems.
This critical vulnerability could allow an attacker to escape the PowerShell Remoting Session configuration and run unapproved commands. This vulnerability is complex to exploit and would require the attacker to win a race condition.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Dec
Security update guide: https://msrc.microsoft.com/update-guide/
By Samuel Jack on 14/12/22