Blog

Ironshare's latest posts ready to view and share.

Cyber Round-up

Cyber Round-up for 25th November

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

NCSC’s Safe Online Shopping Guidance

As we get closer and closer to Christmas, the NCSC understands how important it is to be safe when shopping online. Their most recent guide covers how to shop online in a secure way that will reduce the chances of you falling victim to an attack. The key points covered in this advisory are carefully choosing where to shop, using a credit card to guarantee refunds in the event of a scam, securing your accounts, and avoiding suspicious phishing attempts. We strongly advise everyone to read this guidance to ensure you are safe during this busy period of online shopping.

The official NCSC guide can be found here.

By ncsc.gov.uk

Fake MSI Afterburner Targets Windows Gamers

MSI Afterburner is an overclocking utility that is compatible with many popular graphics cards. Attackers have recently taken advantage of the software’s popularity by creating a fake website that appears to download MSI Afterburner. Despite looking legitimate, this site instead downloads an information-stealer and an XMR miner, allowing the attacker to mine cryptocurrencies when the device is idle, and even potentially steal account credentials. Users looking to install MSI Afterburner are advised to be careful when visiting the download site, and to carefully inspect the website before clicking any links.

By BleepingComputer.com

Nighthawk Lined Up to Replace Cobalt Strike

A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors’ attention for its Cobalt Strike-like capabilities. Proofpoint said it detected the use of the software in mid-September 2022, with several test emails sent using generic subject lines such as “Just checking in” and “Hope this works2.” So far there are no indications that a leaked or cracked version of Nighthawk is being weaponised by threat actors in the wild, but it is highly likely that they will seek the opportunity.

By Amp.TheHackerNews.com

Netherlands Plans for New National Cyber Security Strategy

The Netherlands is one of the most digitised countries in the world. Dutch people work, live, shop and meet ever more digitally, making reducing digital security risks a priority. The Netherlands government has drawn up a new national cyber security strategy that aims to provide digital protection in Dutch society. Cyber threats are ever-present and increasing, with criminals and state actors threatening organisations of all types.

By ComputerWeekly.com

Vulnerabilities & Updates

AWS AppSync Flaw Addressed by Amazon

Datadog security researchers recently discovered a serious flaw in Amazon’s AWS AppSync service. This flaw has been labelled as a “cross-tenant vulnerability” that allows attackers to traverse across multiple organisations and access their resources. Amazon has since issued a statement and believes that “No customers were affected by this issue, and no customer action is required.” The vulnerability has now been patched by Amazon, who has thanked Datadog for their work in discovering this issue.

By TheRecord.media

Emergency Microsoft Update for Kerberos Authentication Issue

Microsoft is rolling out fixes for the Kerberos network authentication protocol on Windows Servers after it was broken by November Patch Tuesday updates. The updates released on November 8th were intended to fix security issues in Kerberos on Domain Controllers, but instead broke network and identity security requests that use Kerberos authentication. Impacted users have been unable to access remote desktop connections, shared folders and printer connections, all of which rely on domain user authentication. Microsoft has now released out-of-band and cumulative updates to address these issues.

By TheRegister.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #213 – 25th November 2022

Why not follow us on social media:

By Joshua Hare on 24/11/22

Cyber Round-up

Cyber Round-up for 18th November

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

More Than $1 Billion of Client Funds Lost in FTX Collapse

The well-publicised collapse of FTX has sparked many justified complaints from clients, who have suffered massive losses as a result. FTX founder Sam Bankman-Fried reportedly transferred $10 billion from the company over to a trading company called Alameda Research. This was done in secret by the founder, and approximately $1.7 billion of the client funds are currently unaccounted for. So far, SBF has not commented on the missing funds, but has stated he is working on “piecing together” the incident, and writing up a “more complete post on the play by play.” This has been a huge headline this week, so I am sure we will hear more details on the situation soon.

By Reuters.com

MPs Warned of Hostile States Targeting Phones

Commons Speaker Sir Lindsay Hoyle has prompted all MPs to “avoid using their phones for sensitive conversations or even having it in the same room.” This urgent warning comes after the hacking of Liz Truss’ phone last month; this attack saw sensitive information, intended for foreign officials, being obtained by threat actors. The MPs have been warned by the Speaker via a letter, while the government works on ways to increase security and implement new measures to counter the espionage attempts.

By BBC.co.uk

Game Servers Targeted by RapperBot Malware Campaign

RapperBot, an adaptation of the Mirai malware botnet, has resurfaced and is being used as part of a new campaign. So far, the malware is being used to infect IoT devices, which then take part in DDoS attacks on certain game servers. This new variant of RapperBot differs slightly from what we are used to, and utilises a Telnet self-propagation mechanism, similar to the original Mirai malware. Telnet is a clear text, insecure, remote management protocol; ensuring that it is disabled across all devices, including IoT, is the best step in preventing infection.

By BleepingComputer.com

Iranian Cyberspies Access US Government Network Using Log4j

Iranian cyberspies have exploited Log4j to break into a US government network. The Iranian state-sponsored cyber criminals used a Log4j flaw to illegally mine for cryptocurrency, steal credentials and change passwords, and snoop around for several months undetected. On Wednesday an alert was posted in which the US cybersecurity agency said it detected the advanced persistent threat (APT) activity on an unnamed federal civilian executive branch (FCEB) organization’s network in April. During the investigation, incident responders determined that the criminals gained initial access in February by exploiting Log4Shell. This is the vulnerability in the widely used Apache Log4j open-source logging library discovered back in November 2021. While the criminals had access, they installed XMRig on the server to mine cryptocurrency and then moved on to a VMware VDI-KMS host before downloading a Microsoft-signed tool for system administrators along with Mimikatz to steal credentials.

By TheRegister.com

Qatar World Cup Apps Pose Massive Privacy Risk

Two World Cup apps reportedly pose serious privacy and security risks. European data protection regulators have been lining up to warn about the risks posed by Qatar’s World Cup apps for visitors. On Tuesday, Germany’s data protection commissioner said data collected by two Qatari apps that visitors are being asked to download “goes much further” than the apps’ privacy notices indicate. “One of the apps collects data on whether and with which number a telephone call is made.” And “The other app actively prevents the device on which it is installed from going into sleep mode. It is also obvious that the data used by the apps not only remain locally on the device but are also transmitted to a central server.”

By Politico.eu

Why Are Businesses Still Paying Ransoms?

Despite the guidance and best practice, an alarming proportion of businesses hit with ransomware simply pay to make it go away. It’s a problem that both cyber security officials and the wider industry are grappling with as they race to establish why businesses continue to pay ransoms, and how to fix this problem. In just one survey of many, Databarracks found that in response to a ransomware attack, 44% of organisations questioned admitted to paying up. Just 34% recovered from backups while a further 22% used ransomware decryption tools.

By ITPro.co.uk

Vulnerabilities & Updates

Spotify’s Backstage Affected by Critical RCE Flaw

A critical vulnerability has been found in Spotify’s Backstage. The flaw exists in “software templates”, a third-party module of the Backstage developer portal and has been given a CVSS score of 9.8. If leveraged, an attacker could potentially execute arbitrary commands on the application. This reportedly works by taking advantage of a vm2 sandbox escape that was discovered back in October. This flaw was patched in version 1.5.1 of Backstage.

By TheHackerNews.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #212 – 18th November 2022

By Joshua Hare on 17/11/22

Cyber Round-up

Cyber Round-up for 11th November

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Microsoft Reports Increase In Nation-State Cyberattacks

Microsoft has reported an annual increase in attacks against critical infrastructure, jumping from 20% of detected nation-state attacks in June 2021 to 40% in June 2022. In their 2022 Digital Defense Report, the tech giant noted that this is largely due to Russia’s cyber offensive against Ukraine and its espionage against Ukraine’s allies. 90% of Russian attacks detected by Microsoft were targeting NATO member states, and 48% of these attacks targeted IT firms based in NATO countries. Increases in cyber-attacks originating from other countries such as Iran, North Korea, and China were also spotted throughout the course of the past year.

By Blogs.Microsoft.com

UK, Canada, And Singapore Agree To Group Up To Promote Cyber Security Measures For Internet Connected Devices

The UK, Canada, and Singapore are teaming up to improve the security of internet connected devices. The growing interconnectivity of devices is a threat to the security, privacy, and safety of consumers. The coordinated efforts of these countries will help produce “international standards and industry guidance, to foster innovation, and to encourage approaches that incorporate internationally recognised security requirements and avoid fragmentation.”

By Gov.uk

Cyber Insurance Policy Costs Increase As Costs Of Cyber Attacks Rise

Research into the cost of cyber insurance policies has discovered that the premiums for cyber insurance have steeply increased since late 2019. In the US the cost of cyber insurance has been seen rising by 100% year on year by the end of 2021 but had declined to 79% in the second quarter and 48% for the third quarter of this year. Cyber attacks often cause millions of dollars in financial loss to businesses and insurers were making losses on their products in 2018 and 2019. Insurers have also been recorded as being more selective with the customers they will take on as well as excluding certain types of incidents from their policy.

By FT.com

Nigerian Fraudster “Hushpuppi” Jailed For 11 Years

A notorious fraudster called Ramon Abbas, nicknamed Hushpuppi, has been jailed for 11 years in the US for “conducting business email compromise scams, online bank heists and other cyber-enabled fraud that financially ruined scores of victims and provided assistance to the North Korean regime.” In court, he admitted attempting to steal more than $1.1m from someone who wanted to fund a new children's school in Qatar, and to “several other cyber and business email compromise schemes that cumulatively caused more than $24 million in losses”, reported the US justice department. Ramon Abbas was ordered to pay $1.7 million in restitution to two victims and sentenced to 135 months in federal prison.

By BBC.co.uk

Vulnerabilities & Updates

ICS Found Harbouring Critical Vulnerabilities Warns CISA

The American Cybersecurity and Infrastructure Security Agency has put out three alerts about industrial control systems discovered to be vulnerable to multiple critical flaws. ETIC Telecom's Remote Access Server has been found to “allow an attacker to obtain sensitive information and compromise the vulnerable device and other connected machines”, warns CISA. The second alert was about three flaws in Nokia's ASIK AirScale 5G Common System Module (CVE-2022-2482, CVE-2022-2483, and CVE-2022-2484) which could be used for arbitrary code execution and to stop secure boot functionality. The final alert was about Delta Industrial Automation's DIALink products, which could be used to plant malicious code on targeted appliances.

By TheHackerNews.com

Microsoft Patch Tuesday: November 2022

Welcome to our monthly round-up of Microsoft's November 2022 Patch Tuesday. This batch of security updates includes fixes for Microsoft Exchange Server, Visual Studio, BitLocker & more. 10 critical vulnerabilities were patched this month, making immediate updates very important. We advise looking into the latest fixes and applying the necessary updates as soon as possible.

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #211 – 11th November 2022

By Samuel on 10/11/22

Security Guidance

Microsoft Patch Tuesday: November 2022

November’s Microsoft Patch Tuesday brings only 66 total vulnerabilities, but don’t let that mislead you into thinking this was a quiet month. With a massive 10 critical vulnerabilities, as well as 2 publicly disclosed and 6 exploited in the wild, this month has much to offer.

November’s instalment includes patches for some key services such as:

  • Azure
  • Linux Kernel
  • Microsoft Dynamics
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Network Policy Server (NPS)
  • Role: Windows Hyper-V
  • SysInternals
  • Visual Studio
  • Windows BitLocker
  • Windows HTTP.sys
  • Windows Kerberos
  • Windows Netlogon
  • Windows Point-to-Point Tunneling Protocol
  • Windows Print Spooler Components
  • Windows Win32K

CVE-2022-41073: Windows Print Spooler Elevation of Privilege Vulnerability

This important vulnerability has been found in a Windows component that is popular with attackers; this is the 9th time the Windows Print Spooler component has been patched in 12 months. The latest Print Spooler vulnerability is a privilege escalation flaw and has been recorded as being exploited in the wild.

CVE-2022-41091: Windows Mark of the Web Security Feature Bypass Vulnerability

Windows Mark of the Web is a security feature used to identify files that have been downloaded from untrusted sources. An important vulnerability in this feature allows malicious files to bypass the mark, which in turn lets them bypass other security features that depend on it, such as Protected View in Microsoft Office. This vulnerability has been publicly disclosed and seen exploited in the wild.
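As a defender’s check to go with this item, here is an added example (not code from the original post or from Microsoft) that inspects whether a downloaded file still carries Mark of the Web. On NTFS the mark is stored in an alternate data stream named Zone.Identifier with INI-style content; ZoneId 3 (Internet) and 4 (Restricted sites) are the values that trigger protections such as Office Protected View. The sample stream content below is constructed for the example; the function and variable names are my own.

```python
"""Parse and audit the Windows Mark of the Web (Zone.Identifier) stream.

Added example; not from the original post. Reading the stream itself only
works on Windows/NTFS, but the parser can be exercised anywhere.
"""
import sys
from typing import Optional

# Security zone IDs as used by Windows (URLZONE values).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
# Zones for which Windows applies download protections (SmartScreen, Protected View).
UNTRUSTED_ZONES = {3, 4}

# Constructed sample of a Zone.Identifier stream written by a browser download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/report.docx\r\n"
)


def parse_zone_identifier(stream_text: str) -> Optional[dict]:
    """Return the keys of the [ZoneTransfer] section, with ZoneId as an int.

    Returns None when the stream has no usable ZoneId (no mark present).
    """
    result = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INI comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    if "ZoneId" not in result:
        return None
    try:
        result["ZoneId"] = int(result["ZoneId"])
    except ValueError:
        return None
    return result


def is_marked_untrusted(stream_text: str) -> bool:
    """True if the stream marks the file as coming from an untrusted zone."""
    info = parse_zone_identifier(stream_text)
    return info is not None and info["ZoneId"] in UNTRUSTED_ZONES


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of a file (Windows/NTFS only).

    Returns None when the file has no such stream, i.e. no Mark of the Web.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def describe(stream_text: Optional[str]) -> str:
    """Human-readable verdict for a file's Zone.Identifier content."""
    if stream_text is None:
        return "no Mark of the Web (Zone.Identifier stream absent)"
    info = parse_zone_identifier(stream_text)
    if info is None:
        return "Zone.Identifier present but no ZoneId (treated as unmarked)"
    zone = info["ZoneId"]
    verdict = "protections apply" if zone in UNTRUSTED_ZONES else "no protections"
    return f"ZoneId={zone} ({ZONE_NAMES.get(zone, 'unknown')}): {verdict}"


if __name__ == "__main__":
    # Usage on Windows: python motw_check.py C:\Users\me\Downloads\report.docx
    for file_path in sys.argv[1:]:
        print(file_path, "->", describe(read_zone_identifier(file_path)))
    if len(sys.argv) == 1:
        print("sample stream ->", describe(SAMPLE_STREAM))
```

A file that was downloaded but shows up as unmarked is exactly the situation the bypass produces, so a periodic audit of download folders with this kind of check is a cheap way to confirm that the mark survives.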

CVE-2022-41128: Windows Scripting Languages Remote Code Execution Vulnerability

This critical vulnerability, which has been exploited in the wild, is caused by a weakness in the JScript9 scripting engine that allows remote code execution. If a user visits a specially crafted website that is hosted or compromised by an attacker, the attacker could execute code on the visitor’s device.

CVE-2022-41080: Microsoft Exchange Server Spoofing Vulnerability

The most severe of the Exchange Server vulnerabilities patched this month was CVE-2022-41080. It has a CVSS score of 8.8, and Microsoft has confirmed that this vulnerability is likely to be exploited, but technical details surrounding the vulnerability haven’t been disclosed.

The other Exchange vulnerabilities patched this month are:

  • CVE-2022-41123: Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2022-41079: Microsoft Exchange Server Spoofing Vulnerability
  • CVE-2022-41078: Microsoft Exchange Server Spoofing Vulnerability
  • CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability

For a full list of this month’s updates please see the links below:

Patch Tuesday Release Notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Nov

Security Update Guide: https://msrc.microsoft.com/update-guide/

By Samuel Jack on 9/11/22

Cyber Round-up

Cyber Round-up for 4th November

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

NCSC Defended Against 60 “Nationally Significant” Cyber Attacks in the Last Year

GCHQ’s National Cyber Security Centre (NCSC) recently released a report that covered their work and achievements over the last year. In this report, it was revealed that the NCSC were responsible for defending against sixty “nationally significant” cyber attacks in the last 12 months. While the specifics of these attacks were not discussed, there were some mentions of ransomware attacks against the NHS, and South Staffordshire water utility company. This report also talks about the “growing focus” of supporting Ukraine, and how the NCSC has contributed to the repelling of Russian cyberattacks.

By News.Sky.com

Cyberattacks on Small Businesses Hurting the US Economy

Since the pandemic, the number of remote workers in small businesses has skyrocketed. While this isn’t necessarily a bad step, it has left many firms vulnerable to attacks that they are not prepared to defend against. According to a recent study by Barracuda Networks, small businesses are currently three times more likely to be targeted by an attack than larger organisations.

“[Small businesses] are the lifeblood of the United States, and we need a wake-up call.”

Almost 50% of Americans are employed by small businesses and, without them, the economy would collapse. Cybersecurity experts are desperately trying to bring this issue into the spotlight, in the hope that small firms will reach out for help and begin taking steps towards a more secure future. Experts have highlighted the importance of identifying critical data and creating response plans to use in the case of a security incident. These small improvements could make a huge difference; security is not about doing everything all at once, it’s about taking small steps forward and constantly improving.

By BBC.co.uk

Thomson Reuters Discover Unprotected Business Data Exposed on Misconfigured Server

Thomson Reuters has notified customers of an exposed server with unprotected business data on it. A spokesperson for the company told The Record that the issue involved an ElasticSearch server used with their ONESOURCE Global Trade product. The spokesperson said that the server contained logs of customers’ searches on the platform: “We have proactively notified the small subset of customers who may have had data logged on that server. We have also addressed and mitigated the misconfiguration.” Cybernews said evidence from the server showed that the open instance “was used as a logging server to collect vast amounts of data gathered through user-client interaction”, with some data samples logged as recently as October 26. Thomson Reuters had collected and exposed thousands of gigabytes of data that Cybernews researchers believe is worth millions of dollars on underground criminal forums because of the potential access it could give to other systems.

By TheRecord.media

GitHub Source Code Repositories Accessed in Dropbox Breach

On Tuesday 1st November, Dropbox disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorised access to 130 of its source code repositories on GitHub. Dropbox provides cloud storage, data backup, and document signing services, among others, and has over 17.37 million paying users and 700 million registered users as of August 2022. The repositories included copies of third-party libraries slightly modified for use by Dropbox. The breach resulted in access to some API keys used by Dropbox developers as well as “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

By TheHackerNews.com

Personal Phone of Former UK Prime Minister Hacked by Kremlin Spies

It has been reported that the personal phone of former U.K. Prime Minister Liz Truss was hacked by cyber-spies working for the Kremlin. Private messages between Liz Truss and international foreign ministers, relating to the war in Ukraine during her time as Foreign Secretary, reportedly fell into the hands of cyber-spies suspected of working for the Kremlin. Some of the messages sent included “detailed discussions about arms shipments”. The newspaper claims that details of the phone hacking were “suppressed by Boris Johnson, who was Prime Minister at the time, and the Cabinet Secretary, Simon Case”.

By Forbes.com

Vulnerabilities & Updates

Critical Vulnerability Found in OpenSSL 3

OpenSSL version 3.0.7 was released on Tuesday, the 1st of November, and included fixes for two serious security vulnerabilities. These two flaws were initially thought to be a single critical remote code execution vulnerability; however, it was later found to be two separate flaws that are very difficult to exploit. Because of this, they have been downgraded to “high”. Despite this, we still strongly recommend updating to OpenSSL 3.0.7 as soon as possible.

OpenSSL 3.0.x is the only currently affected version; all other versions of OpenSSL are not at risk.
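Because only the 3.0.x line before 3.0.7 is affected, the practical question on each host is simply which OpenSSL it runs. The following added example (my own, not from the original post or the OpenSSL project) parses the version string printed by `openssl version` and the one reported by Python’s `ssl` module, and flags versions from 3.0.0 up to but not including 3.0.7. The sample strings in the test are constructed; the function names are my own.

```python
"""Flag OpenSSL builds in the range affected by the 3.0.7 fixes.

Added example; not from the original post. Checks both the system `openssl`
binary and the library Python itself is linked against, since the two can differ.
"""
import re
import ssl
import subprocess
from typing import Optional, Tuple

# First release carrying the two fixes described in the round-up.
FIXED_VERSION = (3, 0, 7)

# Matches "OpenSSL 3.0.6 11 Oct 2022" and also "OpenSSL 1.1.1q  5 Jul 2022"
# (the trailing letter on 1.x versions is ignored, which is what we want).
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an OpenSSL version banner, or None.

    None is returned for non-OpenSSL banners such as LibreSSL so that they
    are never reported as affected by an OpenSSL-specific issue.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True only for OpenSSL 3.0.0 through 3.0.6 (the 3.0.x releases before 3.0.7)."""
    version = parse_openssl_version(text)
    if version is None:
        return False
    return version[:2] == (3, 0) and version < FIXED_VERSION


def python_runtime_banner() -> str:
    """Version banner of the OpenSSL library linked into this Python."""
    return ssl.OPENSSL_VERSION


def system_openssl_banner(binary: str = "openssl") -> Optional[str]:
    """Output of `<binary> version`, or None if the binary is not runnable."""
    try:
        completed = subprocess.run([binary, "version"], capture_output=True,
                                   text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return completed.stdout.strip() or None


def report(banner: Optional[str], label: str) -> str:
    """One-line verdict for a banner, used for both checks."""
    if banner is None:
        return f"{label}: not available"
    status = "AFFECTED, update to 3.0.7 or later" if is_affected(banner) else "not affected"
    return f"{label}: {banner} -> {status}"


if __name__ == "__main__":
    print(report(python_runtime_banner(), "python ssl module"))
    print(report(system_openssl_banner(), "system openssl"))
```

Checking the Python runtime separately matters because many appliances and containers ship their own statically linked OpenSSL; the `openssl` binary on the path says nothing about those, so each bundled copy needs its own check.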

By SentinelOne.com

Galaxy Store App Flaw Allows Remote Code Execution on Phones

A recently discovered security flaw in the Samsung Galaxy app store was allowing attackers to remotely execute commands on target mobile phones. This flaw has been identified as a cross-site scripting vulnerability that can be leveraged by exploiting certain deeplinks in the app. This flaw has now been patched, so we strongly advise updating your Samsung devices as soon as possible.

More details for this vulnerability can be found in this security advisory.

By SecurityAffairs.co

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #210 – 4th November 2022

By Joshua Hare on 3/11/22

Cyber Round-up

Cyber Round-up for 28th October

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

How Safe is Online Voting?

During the last Conservative leadership election, there were concerns over the security of the online voting system. The NCSC reported on this, stating that the system “could be vulnerable to outside interference”. This time, the Conservative party chairman has said that they are “satisfied that the online voting system will be secure”. The process seems to be a little different this year, with voters being sent a paper ballot as an alternative; voters are now required to use two security codes sent by mail before being able to vote online. There are still some fears over its security, with the Chief Executive of Oxford Information Labs claiming it is “highly unlikely that they will have the resources needed to handle the cyber security satisfactorily”.

By BBC.co.uk

Latest Intelligence from SonicWall – “Being a security professional has never been more difficult”

SonicWall is widely known as a trusted publisher of ransomware threat intelligence, and their latest reports show exactly why security professionals are so concerned. SonicWall’s threat data for the third quarter of 2022 shows that there was an average of 1,014 ransomware attempts per customer, with 91% of IT leaders naming financially motivated attacks as their primary concern. There has been a 31% decline in ransomware attempts worldwide when compared to 2021; however, this quarter alone exceeds the numbers seen in four of the last five years. With ransomware attacks becoming ever easier to carry out, it is very unlikely this volume will decrease any time soon; this shows just how difficult it is to be a security professional in 2022, as the demand for cybersecurity continues to rise.

By prnewswire.com

Interserve Fined £4.4 Million For Poor Cyber Security Measures

Interserve, a UK construction group, has been fined £4.4 million for failing to implement adequate cyber security measures, resulting in a significant data breach. Interserve failed to stop a phishing email whose attachment an employee downloaded, and subsequent anti-virus alerts were not investigated appropriately, causing 283 systems and 16 accounts to be compromised. The attack also stole information on up to 113,000 employees and encrypted all current and former employees’ information; bank account details, national insurance numbers, ethnic origin, sexual orientation, and religion were included in the stolen data. The Information Commissioner’s Office reported that Interserve used outdated software and protocols, lacked appropriate employee security training, and had insufficient risk assessments. “Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company,” stated John Edwards, the UK information commissioner.

By TheGuardian.com

AICD Live LinkedIn Cybersecurity Event Interrupted By Scammers

The Australian Institute of Company Directors faced an embarrassing reality after their live-streamed LinkedIn cybersecurity event was targeted by a scammer. Due to “technical issues” the event failed to start on time. During this time an account posted a link into the comments section imitating an Eventbrite link, stating that the online event had moved location; upon access, the site requested card information to access the new event. The AICD warned about the link and asked viewers not to click links in the chat window, and then proceeded to post its own link in the chat window. The event was soon cancelled. “The AICD apologises sincerely for the unacceptable issues with the LinkedIn Live event,” said AICD Managing Director and CEO Mark Rigotti. “We recognise this experience has fallen well below the high standards our members rightly expect of the AICD.”

By BitDefender.com

US Education Sector Targeted By Vice Society Ransomware Campaign

Vice Society, formally identified as DEV-0832, has been seen using ransomware to target the education sector (primarily in the US) due to the weaker security measures in place. Previously Vice Society has used BlackCat and QuantumLocker payloads, but the latest campaign utilises a Zeppelin variant. Their initial method of compromise is thought to be exploiting vulnerable web applications and using compromised accounts. After the ransomware is deployed and the data exfiltrated, a ransom demand is sent to the victim: pay, or face their information being posted on Vice Society’s [.]onion site. The group has gone to significant lengths to hinder remediation. Microsoft has reported that Vice Society compromised two domain administrator accounts and had the passwords of over 150,000 users reset, locking out legitimate users before deploying the ransomware.

By Microsoft.com

North-Korean Hackers Found Using New Android Malware

A North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. The South Korean cybersecurity company S2W has named the malware families FastFire, FastViewer, and FastSpy. “FastFire is disguised as a Google security plugin, the FastViewer malware is disguised as a Hancom Office Viewer, and FastSpy disguises itself as a remote access tool based on AndroSpy,” said researchers Lee Sebin and Shin Yeongjae. Kimsuky is believed to be tasked by the North Korean regime with a global intelligence-gathering mission, disproportionately targeting individuals and organizations in South Korea, Japan, and the U.S.

By TheHackerNews.com

Vulnerabilities & Updates

Cisco AnyConnect Windows Client Vulnerable to Privilege Escalation

The Cisco Product Security Incident Response Team disclosed a pair of vulnerabilities in October 2022, both of which have seen attempted exploitation in the wild. Both flaws exist in the AnyConnect Secure Mobility Client for Windows, which is used as a secure VPN service for remote work. One of the flaws allows an attacker to abuse the service to execute code with SYSTEM-level privileges; the other is an uncontrolled search path vulnerability in the installer component of the client. Both of these vulnerabilities were addressed in the latest update for AnyConnect; all users are advised to apply this update as soon as possible.

By TheRegister.com

Apple Releases Fix For New Zero-Day Affecting iPhones & iPads

On Monday, Apple released security updates that fix the ninth zero-day vulnerability used in attacks against iPhones since the start of the year. Apple has revealed in an advisory that they are aware of reports saying the security flaw “may have been actively exploited.” The bug (CVE-2022-42827) is an out-of-bounds write issue reported by an anonymous researcher, caused by software writing data outside the boundaries of the current memory buffer. Such memory corruption produces undefined or unexpected results for data subsequently written to the buffer, which can lead to data corruption, application crashes, or code execution.

By BleepingComputer.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #209 – 28th October 2022

By Joshua Hare on 27/10/22

Cyber Round-up

Cyber Round-up for 14th October

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

RCEs Used to Uncover Hardcoded Cryptographic Keys in Siemens Products

Team82 has found a new technique capable of extracting hardcoded cryptographic keys from certain Siemens PLC products. An attacker who employed these techniques could use the recovered keys to gain “full control over every PLC per affected Siemens product line.” The disclosure of this research to Siemens led to the introduction of a new TLS management system in TIA Portal v17, which ensures that communication between Siemens PLCs and engineering workstations is encrypted.

Siemens has published an advisory for the affected products. This covers key updates and solutions that we advise looking into.

Operational Technology (Industrial Control Systems) is an often overlooked area of cyber security, and targeted attacks on it are on the increase. Always remember to include OT assets in your security programme.

By Claroty.com

NCSC’s Guide to Protecting Against Supply Chain Attacks

We have recently seen a rise in supply chain attacks across the UK, and the NCSC has responded with new guidance on how to protect against this threat. The guidance aims to “help organisations effectively assess and gain confidence in the cyber security of their supply chains.” The NCSC is keen to raise awareness of this growing issue: currently just 1 in 10 businesses review the security of their immediate suppliers. Aimed at risk managers and cyber security professionals, the guidance will hopefully draw the attention of at-risk businesses and reduce the number of organisations affected by supply chain attacks.

You can find the official NCSC guidance here.

By NCSC.gov.uk

Source Code for Alder Lake CPUs Leaked

Source code for Intel’s Alder Lake CPUs has been leaked on both 4chan and GitHub. Intel confirmed the leak to be authentic a week after it occurred, but the party responsible has not yet been identified. The stolen data includes the Alder Lake UEFI code, as well as tools and files from other vendors such as Insyde Software. Further details have not yet been released, and while the original GitHub repository was removed, copies were made and are still circulating.

By TheHackerNews.com

FormBook Gains Top Spot on Check Point’s Most Wanted Malware List

FormBook’s prevalence over the last few months has earned it the top spot on Check Point’s Most Wanted Malware list for September. The Vidar infostealer has also burst into the top ten following a fake Zoom campaign that had massive impact very recently. The second and third spots for this month are occupied by the XMRig open source cryptominer, and the AgentTesla RAT. Check Point’s report also contains a list of geographical distribution of attacks.

The full report from Check Point Research can be found here.

By Infosecurity-Magazine.com

Forescout’s List of Riskiest Connected Devices

The research team at Forescout have analysed more than 19 million connected devices across five industries. The project set out to reveal the riskiest devices in four categories: IT, Internet of Things (IoT), Operational Technology (OT) and Internet of Medical Things (IoMT). Routers, IP cameras, programmable logic controllers and DICOM workstations respectively topped the four lists. The research shows that IT devices are still the primary target for malware, but attackers are branching out as IoT and OT become high-priority targets.

Key research findings from this Forescout project can be found here.

By HelpNetSecurity.com

Vulnerabilities & Updates

Fortinet Warns of Critical Auth Bypass Flaw Found in FortiGate Firewalls

Administrators are being warned to update their Fortinet products as soon as possible following the discovery of a critical vulnerability; if exploited, an attacker could bypass authentication on the affected products. Fortinet have confirmed that FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) are all affected by this vulnerability, which has been addressed in the latest patch release. We advise applying the latest updates as soon as possible to ensure you are not at risk of exploitation.

By BleepingComputer.com

Microsoft Patch Tuesday: October 2022

Microsoft’s Patch Tuesday for October has been released, addressing 84 vulnerabilities in total, 13 of which are considered critical. Flaws affecting Active Directory Domain Services, Azure Arc, Microsoft Office and more have been addressed. Please see our round-up of this month’s Patch Tuesday for more details.

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #208 – 14th October 2022 

Why not follow us on social media:

By

Joshua Hare

on

13/10/22

Security Guidance

Microsoft Patch Tuesday: October 2022

Microsoft Patch Tuesday

With the October Microsoft Patch Tuesday release here, there is a lot to digest. Of the 84 vulnerabilities addressed, the key figure this month is the 13 rated critical. Fortunately, the numbers publicly disclosed and exploited in the wild remain low, at 2 and 1 respectively.

October’s instalment includes patches for some key services such as:

  • Active Directory Domain Services
  • Azure Arc
  • Microsoft Office
  • Role: Windows Hyper-V
  • Visual Studio Code
  • Windows Defender
  • Windows Event Logging Service
  • Windows Internet Key Exchange (IKE) Protocol
  • Windows Kernel
  • Windows Local Security Authority (LSA)
  • Windows Print Spooler Components
  • Windows Security Support Provider Interface
  • Windows Server Service
  • Windows Storage
  • Windows TCP/IP

CVE-2022-41038: Microsoft SharePoint Server Remote Code Execution Vulnerability

Scoring a CVSS of 8.8, this critical vulnerability would allow an attacker to execute code remotely on a SharePoint server. Fortunately, this is only possible if the attacker is authenticated to the target site and holds the Manage Lists permission in SharePoint. Three additional, less severe remote code execution vulnerabilities in SharePoint were patched this month: CVE-2022-41037, CVE-2022-41036 and CVE-2022-38053.

CVE-2022-41033: Windows COM+ Event System Service Elevation of Privilege Vulnerability

COM+ is the primary unit of administration and security for Component Services. Exploiting this vulnerability would allow an attacker to gain SYSTEM privileges, but only once they can already run code on the target, for example by chaining it with a remote code execution vulnerability. This is the only vulnerability seen to be exploited in the wild this month.

CVE-2022-37968: Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability

Achieving the highest possible CVSS score of 10.0, this critical vulnerability lies in the cluster connect feature of Azure Arc-enabled Kubernetes clusters. Microsoft has stated that exploitation is unlikely, as an attacker would need to know the randomly generated external DNS endpoint of a cluster; if they do, an unauthenticated attacker could become a cluster admin.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct

Security update guide: https://msrc.microsoft.com/update-guide/

By

Samuel Jack

on

13/10/22

Cyber Round-up

Cyber Round-up for 7th October

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Zero-day Flaws Exploited in Microsoft Exchange

At the end of last week, we started to get indications across the online infosec & cyber community, that not one, but two zero-day flaws were currently being exploited in Microsoft Exchange Server. This is another in a long line of critical vulnerabilities seen in Microsoft Exchange over the last year or so.

If you run or manage on-premises Exchange servers we advise you focus your immediate attention on these exploited vulnerabilities.

Check out our post here for more information.

By ironshare.co.uk

Company’s Network Sabotaged By Ex-IT Admin

An ex-employee of a Hawaii-based finance company, who had held an IT admin role, attempted to disrupt the company’s business in order to be rehired at a higher wage. Casey K Umetsu accessed the company’s domain registrar using credentials that had never been revoked, deliberately changed the firm’s DNS records to misdirect its web and email traffic, and locked the company out of its registrar account. He assumed this would force the company to rehire him; instead, the company sought the assistance of the FBI. “Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” said US Attorney Clare E. Connors. Umetsu pleaded guilty to the charges and is expected to be sentenced in January. He faces up to 10 years in prison, a maximum fine of $250,000, and up to three years of supervised release. The lesson for defenders is clear: offboarding must revoke every credential a leaver held, including accounts at third parties such as domain registrars, and those accounts deserve multi-factor authentication and change alerting.

By tripwire.com

UK Planning To Replace GDPR For UK Data Privacy Regime

The General Data Protection Regulation, brought in by the European Union in 2018, was designed to increase the protection of personal data stored by businesses and to strengthen individuals’ rights over their data. The UK is planning to introduce a new system intended to be more straightforward for businesses to navigate. “No longer will our businesses be shackled by lots of unnecessary red tape,” said the UK Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan. “We will be replacing GDPR with our own business and consumer-friendly British data protection system.” Backlash against the reform has been growing, especially as the UK government has yet to disclose details of the new system. UK businesses operating with the EU are expected to comply with both the GDPR and the new reform, raising concern that the new system will put additional pressure on businesses.

By personneltoday.com

Microsoft’s #BeCyberSmart Campaign Encouraging Cybersecurity Awareness

Microsoft has recently launched its #BeCyberSmart campaign to provide companies with tips on keeping their employees safe online. The most common cyber attacks seen in 2021 were malware (22%) and phishing (20%). Microsoft accordingly advises people to check the sender’s email address for an unrelated or misspelled domain, and not to click on links or open attachments from unknown senders. Other key preventative measures are enabling multi-factor authentication, running well-trusted antivirus software, installing system updates and using a password manager. Stay up to date and secure by reading the #BeCyberSmart tips.

By Microsoft.com

How Companies Are Taking Cybersecurity Awareness Month Seriously

With Cybersecurity Awareness Month starting, many companies have shown their appreciation of the importance of security awareness. AWS, Cisco, Netflix and SAP are among those trying to inspire others to do the same. From creating a “security first” culture to providing resources that help people into a career in cybersecurity, these companies are paving the way in raising awareness. Each hopes that providing the right support and engagement will improve overall security and protect against growing threats. Read more about what AWS, Cisco, Netflix and SAP are doing to protect their organisations through awareness here.

By darkreading.com

Information Leaked From Security Firm G4S After Cyber Attack

G4S has been put under pressure after information about current and former Australian employees was stolen and posted online. The cyber attack occurred when an unauthorised third party “or malware program” gained access to G4S internal systems. The stolen information includes employee names, addresses, dates of birth, contact details, police and medical checks, tax file numbers, bank account details, superannuation information, Medicare numbers and licence details, and in some cases payslips, health information shared with the company, and details of Workcover claims or incident reports. Affected employees have been notified and told how to replace their identity documents; however, G4S has declined to pay for the replacements or to provide credit monitoring for affected employees.

By theguardian.com

Ferrari Data Leaked Days After Cybersecurity Partnership

Red Hot Cyber has reported that documents relating to Ferrari have been leaked online. Documents such as repair manuals and datasheets were discovered as RansomEXX claimed to have hacked Ferrari. In an email sent between Ferrari and Red Hot Cyber, it was reported that there is no evidence of a ransomware attack or any disruption to its services. Dario Esposito, responsible for governing communication at Ferrari stated that “The Company is working to identify the source of the event and take all necessary actions.”

By Spiceworks.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #207 – 30th September 2022       

Why not follow us on social media:

By

Samuel Jack

on

6/10/22

Security Advisory Archives

Zero-day Flaws Exploited in Microsoft Exchange

At the end of last week, we started to get indications across the online infosec & cyber community, that not one, but two zero-day flaws were currently being exploited in Microsoft Exchange Server.

Friday morning UK time, we woke to find that two new vulnerabilities had been issued by Microsoft overnight:

  • CVE-2022-41040 - a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker holding any authenticated user’s credentials or session to reach the server’s remote PowerShell backend, which can then be chained with:
  • CVE-2022-41082 - a Remote Code Execution (RCE) vulnerability that can be triggered when remote PowerShell is accessible to the attacker.

GTSC, a Vietnamese security firm, discovered the vulnerabilities during incident response work that found critical services under attack, with MS Exchange specifically targeted. The attacks occurred in August 2022, and GTSC submitted the vulnerabilities to the Zero Day Initiative immediately so that Microsoft could be engaged and patches and workarounds issued as soon as possible.

In response Microsoft issued initial guidance for customers on the MSRC blog and although no patches currently exist, numerous workarounds are available.

Additionally, Microsoft posted an article on Friday to their security blog, which provided further guidance on methods for analysing attacks using these vulnerabilities.

ProxyNotShell

Cyber extraordinaire Kevin Beaumont (aka @GossiTheDog) dubbed the new 0-days ‘ProxyNotShell’, kick-starting a thread on his Twitter feed with the information available. The name reflects the flaws’ similarities to ProxyShell, the critical Exchange zero-day we saw approximately 12 months ago.

https://twitter.com/GossiTheDog/status/1575762721353916417

Impacted Services

At time of writing the following versions are noted as being impacted by these vulnerabilities:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Microsoft’s initial statement that customers using Exchange Online are not impacted applies to cloud-only tenants. Hybrid deployments that retain an on-premises Exchange server, for example as part of a migration to Exchange Online, are impacted and should be addressed.

Recommendations

Immediately investigate and analyse your on-premises and hybrid Exchange environments to identify impacted services and start measures to protect your business.

Follow Microsoft's defined guidelines for dealing with these vulnerabilities.

Ensure that all security products are up to date with the latest signatures and IOCs to detect presence of these flaws and their exploits (where available). For example Microsoft, Cisco and Trend Micro (to name just a few) have added detection coverage into their security products.

Where you have the capability, perform threat hunting to identify and defend against these threats.

If you are a Palo Alto Cortex XSOAR customer, see the link below, where Unit 42 have made a playbook available to rapidly automate the mitigation process.

We will not outline any of the specific detailed steps required here, but instead, please refer to the numerous useful links that can be found throughout and at the bottom of this article for information.

Please keep up to date with new guidance related to this topic, as this is likely to change as the events unfold.

UPDATE: Please note that there are now multiple reports that certain mitigations, such as the URL rewrite rule as originally published, can be trivially bypassed. Do not rely on the original rule as a complete workaround; check Microsoft’s guidance for the revised version and treat these mitigations as a stopgap until patches are available.
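The two CVEs listed above chain through a request to the Exchange Autodiscover endpoint that smuggles a path to the PowerShell backend, which is also what the published hunting guidance (GTSC and Microsoft, linked below) tells defenders to look for in IIS logs. The following is an added example, not code from the original post or from Microsoft or GTSC, that applies that check to IIS W3C log lines in Python. The log excerpt is constructed for illustration, the field layout assumes the default IIS W3C format, and the two indicator strings are an assumption based on the published pattern. It also shows why a signature on the raw request should not be trusted, which is the weakness behind the bypass reports above: URL-encoding and case differences hide the indicators from a naive pattern, so the URI is decoded and lower-cased before matching.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (illustrative, not captured traffic).
# Requests 2 and 3 mimic the shape of an Autodiscover request that routes to the
# PowerShell backend; request 3 URL-encodes the '@' and varies the case.
# Request 4 is an ordinary Autodiscover lookup and must not be flagged.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-09-29 08:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 12
2022-09-29 08:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?&Email=autodiscover/autodiscover.json%3f@evil.example 443 contoso\\jsmith 198.51.100.7 python-requests/2.28 200 240
2022-09-29 08:16:30 10.0.0.5 POST /Autodiscover/Autodiscover.json %40evil.example/PowerShell%3F%26Email%3Dautodiscover 443 contoso\\jsmith 198.51.100.7 python-requests/2.28 200 231
2022-09-29 08:17:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=a@contoso.example 443 - 203.0.113.9 Outlook/16.0 200 18
"""

# Indicator strings (assumed, following the published hunting pattern): a request to
# autodiscover.json whose URI also carries a path segment to the PowerShell backend.
AUTODISCOVER_INDICATOR = "autodiscover.json"
POWERSHELL_INDICATOR = "powershell"


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not fit the declared layout
        yield dict(zip(fields, values))


def fully_decode(uri, max_rounds=3):
    """URL-decode until stable (bounded), then lower-case, so that %40, %2540 or
    mixed case cannot hide the indicators from a substring match."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()


def request_uri(record):
    """Rebuild the request URI as the client sent it from the stem and query fields."""
    query = record.get("cs-uri-query", "-")
    return record["cs-uri-stem"] + ("" if query == "-" else "?" + query)


def is_proxynotshell_probe(record):
    """True when the decoded URI carries both indicators, in either order."""
    uri = fully_decode(request_uri(record))
    return AUTODISCOVER_INDICATOR in uri and POWERSHELL_INDICATOR in uri


def hunt(log_text):
    """Return (client_ip, user, status, decoded_uri) for every suspicious request."""
    hits = []
    for record in parse_iis_log(log_text):
        if is_proxynotshell_probe(record):
            hits.append((record["c-ip"], record["cs-username"],
                         record["sc-status"], fully_decode(request_uri(record))))
    return hits


# For contrast: a case-sensitive pattern applied to the raw log line, in the spirit of a
# first-pass signature. It catches the plain request but misses the encoded variant.
NAIVE_PATTERN = re.compile(r"autodiscover\.json.*@.*powershell")


def naive_hunt(log_text):
    """Return the raw lines the naive signature matches."""
    return [line for line in log_text.splitlines() if NAIVE_PATTERN.search(line)]


if __name__ == "__main__":
    for ip, user, status, uri in hunt(SAMPLE_IIS_LOG):
        print(f"{ip} {user} {status} {uri}")
    print(f"naive signature matched {len(naive_hunt(SAMPLE_IIS_LOG))} line(s)")
```

To run it against real data, feed the contents of each file in the IIS log directory to hunt(); a hit with sc-status 200 from an external client address deserves immediate investigation. The same decode-then-match discipline applies to any request-filtering rule you deploy as a mitigation, which is exactly why a rule evaluated against the raw, undecoded URI can be sidestepped.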

Summary of Useful Links

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER - gteltsc.vn/blog

ProxyNotShell— the story of the claimed zero days in Microsoft Exchange - Kevin Beaumont

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 - Microsoft

CVE-2022-41040 - Server-Side Request Forgery (SSRF) vulnerability - Microsoft

CVE-2022-41082 - Remote Code Execution (RCE) Vulnerability - Microsoft

Microsoft warns of actively exploited vulnerabilities in Exchange Server - Cisco Talos

Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell) - Palo Alto Unit 42

By

Stuart Hare

on

3/10/22

Cyber Round-up

Cyber Round-up for 30th September

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

National Centre of Excellence for Cyber Security Proposed by Scarborough Council

A newly proposed National Centre of Excellence for Cyber Security, with a focus on operational technology, is expected to be approved by Scarborough Council. The £237,000 project aims to develop partnerships with government, industry, and academic institutions, providing “new opportunities, products, services and solutions to new and existing business” and supplying “new, innovative, and in demand cyber security skills”. A planned facility called FabLab+ is expected to be built and “will have a pivotal role in providing a focus for activity”. Alongside these developments, the Cyber Security Cluster Strategy will engage with 120 organisations to increase cyber security awareness, training, and career opportunities, and 25 small to medium businesses will be helped to “implement the steps needed to protect their business and customers from the most common cyberattacks”.

By TheScarboroughNews.co.uk

UK “Cyber Academy” To Create World-Class Cyber Experts

The UK Government has brought forth plans to build a cyber academy. The £50 million cyber academy will aim to create world-class cyber experts, both domestically and internationally, as well as benefit international partners, such as the US, through exchanging knowledge and ideas in cyberspace operations. The Commander of Strategic Command, General Sir Jim Hockenhull, stated “Strategic Command is committed to ensuring our personnel have the cyber skills needed to maintain a competitive edge against our adversaries. The Defence Cyber Academy will allow us to expand the training opportunities we offer and share these with our international allies. This new development will help us share our expertise and better conduct the integrated operations needed in a modern battlespace.”

By Gov.uk

Optus Breach - How 40% of Australia’s Population was Caught in a Cyber Security Breach

The Australian telecommunications giant Optus has disclosed that data for around 10 million customers has been stolen, roughly 40% of Australia’s population. The breach exposed current and former customers’ names, birth dates, home addresses, phone and email contacts, and passport and driving licence numbers; Optus has stressed that no payment details or account passwords were compromised. The breach is thought to have originated overseas and has prompted scrutiny of Australia’s data and privacy laws. Following the initial breach, an unknown party published a sample of around 100 stolen Optus records and demanded $1.5m for the rest not to be leaked; the sample has been verified as legitimate.

By BBC.co.uk

Ukraine Issues Warning of Russia’s Plans to Intensify Cyberattacks

The Ukrainian Military Intelligence Service has warned that Russia is planning to unleash “massive cyberattacks”. These attacks are expected to target the infrastructure of Ukraine and its allies in the near future, with disruption to the energy industry anticipated.

According to the Ukrainian government, “The Kremlin intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine’s closest allies, primarily Poland and the Baltic countries”. Ukraine has warned its allies of the possibility of these cyberattacks, and allied governments are expected to bolster their defences in preparation.

By BleepingComputer.com

85 Mobile Apps Found to be Related to Ad Fraud Scheme

Around 85 applications in total, 75 on the Google Play Store and 10 on the Apple App Store, have been identified as part of an ad fraud campaign that launched back in 2019. Before being removed, these apps amassed more than 13 million installs, so the campaign had a huge reach prior to its discovery. The latest variant, Scylla, has been described as a “significant step up in sophistication from previous variants”, with the apps designed to commit multiple kinds of ad fraud. It is rare for malicious applications to make their way on to the Apple App Store, which makes this campaign stand out.

By TheHackerNews.com

Ragnar Locker Leaks TAP Air Portugal Data Following Hack

TAP Air Portugal recently announced that they were subject to a cyberattack at the hands of the Ragnar Locker gang. This disclosure occurred back in August, but it was originally believed that no customer data had been compromised. Contrary to this announcement, the Ragnar Locker gang have released a sample of the five million records they were able to access. The stolen data included dates of birth, email addresses, genders, nationalities, physical addresses and more. It is also believed that the personal data of the Portuguese president was compromised as part of this attack.

TAP Air Portugal have advised all customers to change their passwords as soon as possible.

By BitDefender.com

Vulnerabilities & Updates

WhatsApp “Zero-Day” Exploit Details

This week caused a scare for many, with rumours of a WhatsApp zero-day exploit circulating. In truth, two security flaws were found in WhatsApp, both of which could potentially lead to remote code execution. While these are serious flaws, they are not zero-days, as they were discovered internally by WhatsApp and patched immediately. Both vulnerabilities now have fixes, and we advise updating the application as soon as possible (if you have not already done so) to ensure you are protected against these RCE flaws.

By NakedSecurity.sophos.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #207 – 30th September 2022       

Why not follow us on social media:

By

Joshua Hare

on

29/9/22

Cyber Round-up

Microsoft Patch Tuesday: September 2022

Microsoft Patch Tuesday

The September Microsoft Patch Tuesday has arrived, addressing a total of 63 vulnerabilities, a significant decrease from the 121 seen last month. Only 5 have been scored as critical with 2 publicly disclosed and 1 being exploited in the wild.

September's instalment includes patches for some key services such as:

  • Azure Arc
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Office
  • Network Device Enrollment Service (NDES)
  • Role: DNS Server
  • Role: Windows Fax Service
  • Visual Studio Code
  • Windows Defender
  • Windows Distributed File System (DFS)
  • Windows Enterprise App Management
  • Windows Kerberos
  • Windows Kernel
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows Remote Access Connection Manager
  • Windows TCP/IP
  • Windows Transport Security Layer (TLS)

CVE-2022-37969: Windows Common Log File System Driver Elevation of Privilege Vulnerability

This important vulnerability has been publicly disclosed and seen exploited in the wild. With a CVSS of 7.8, successful exploitation would allow an attacker to gain SYSTEM privileges. Some preconditions apply: an attacker would need access to the target system and the ability to run code on it before this can be exploited.

CVE-2022-23960: Arm Cache Speculation Restriction Vulnerability

Known as Spectre-BHB, this vulnerability affects Windows 11 for ARM64-based systems and is the second publicly disclosed vulnerability this month. Disclosed by researchers in March 2022, it abuses branch prediction: a mispredicted branch causes speculative execution that leaves traces in the cache, and those cache side effects can be measured to infer information that should not be accessible.

CVE-2022-34718: Windows TCP/IP Remote Code Execution Vulnerability

Scoring a worrying CVSS of 9.8, this critical remote code execution vulnerability in the Windows TCP/IP stack could allow an unauthenticated attacker to send a specially crafted IPv6 packet to a Windows node with IPsec enabled and execute code on that machine. Because it can be exploited over the network without authentication or user interaction, it has the potential to be wormable, meaning malware could exploit it to spread to other vulnerable systems automatically. Fortunately, only systems with the IPsec service running and IPv6 enabled are vulnerable.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep

Security update guide: https://msrc.microsoft.com/update-guide/

By

Joshua Hare

on

22/9/22

Cyber Round-up

Cyber Round-up for 23rd September

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Support for retailers launched by the NCSC

The NCSC has created a package of useful information focusing on increasing the security of online retailers, hospitality, and utility services. The package focuses on aspects such as authentication methods for users and malware takedown guidance.

NCSC Deputy Director for Economy and Society Sarah Lyons said “Businesses have a major role to play in protecting online shoppers which is why we’ve produced new guidance to help them do so. Following this guidance will allow businesses to help keep their customers safe online as well as protect themselves from potentially crippling cyber-attacks.”

The public is also encouraged to forward any suspicious emails to the NCSC’s Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk, and to forward any suspicious text messages to 7726.

By NCSC.gov.uk

Experts Agree for Change of UK Hacking Laws

Campaigners are requesting reform of the Computer Misuse Act 1990 so that legitimate cybersecurity activities become legally defensible. A consensus of experts in the field has agreed that activities such as responsible vulnerability research and disclosure, proportionate threat intelligence, best-practice internet scanning, enumeration, use of open directory listings, and honeypots should be legally allowed. The consensus “would form the core basis of a new legal environment for cybersecurity professionals based on a statutory defence,” and “will enable the UK’s cybersecurity sector to more effectively protect the UK as part of the whole-of-society effort, whilst ensuring cybercriminals can still be prosecuted”, said the CyberUp campaign in a report it published.

By PortSwigger.net

Uber Suffers Cyberattack

Uber was the victim of a cyberattack in which, according to information released so far, an attacker accessed several internal systems including the company’s Google Workspace account, allowing them to download messages and tools used to manage some invoices. Leaked screenshots also show the attacker had access to Uber’s AWS account, SentinelOne security dashboard, VMware vSphere control panel, and other critical IT infrastructure, as well as private source code repositories and internal documents. Uber believes the attack was perpetrated by the hacker group Lapsus$, which has hit many high-profile companies this past year. Uber has reported that neither customer and driver data nor the databases storing customer banking information were accessed.

By TheRegister.com

GTA VI Source Code Leaked in Rockstar Games Attack

GTA 6 has had its source code and videos leaked after an attack on Rockstar Games, in which the hacker breached Rockstar Games’ Slack server and Confluence wiki. The videos and source code were first leaked on 17th September, when a threat actor called ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos. The videos reveal details such as the game’s location, NPC tracking and camera angles. The hacker claims to have stolen “GTA 5 and 6 source code and assets, GTA 6 testing build,” and is trying to extort Rockstar Games to prevent further data from being released, saying he will accept offers over $10,000 for the source code and assets.

By BleepingComputer.com

Optus Cyberattack Compromises Customer Data

Optus has confirmed it was hit by a cyberattack that compromised customer information. The information that may have been compromised includes customers’ names, dates of birth, phone numbers and email addresses; for some customers, addresses and ID document numbers, such as driver’s licence and passport numbers, were also exposed. The company has stated that it has shut down the attack and is working with the Australian Cyber Security Centre on the issue. Optus CEO Kelly Bayer Rosmarin said “We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it”.

By ABC.net.au

Vulnerabilities & Updates

Crypto Miners Deployed on Vulnerable Atlassian Confluence Servers

Many Atlassian Confluence Servers are still vulnerable to a now-patched critical flaw that attackers are actively exploiting to deploy crypto miners. This flaw is being tracked as CVE-2022-26134, and with a CVSS score of 9.8 we highly recommend applying the latest patch as soon as possible. While this flaw was addressed back in June 2022, there are still many unpatched servers vulnerable to a plethora of attacks, including but not limited to the deployment of remote access trojans (RATs), ransomware, and crypto miners/information stealers.

By TheHackerNews.com

Profanity Vanity Key Generator Flaw Likely Used in Wintermute Hack

A well-known vulnerability in the Profanity vanity key generator has been exploited in a major attack, almost 8 months after its disclosure. The flaw, which was patched back in January of 2022, was exploited as part of the Wintermute hack; the attack resulted in a loss of around $162.5 million in cryptocurrency for the currency maker. It is believed that “most of the Profanity wallets were secretly hacked”, meaning the attack could be even more serious than what is currently known. All Profanity users are advised to move their assets to a different wallet as soon as possible to avoid the possibility of an imminent loss of funds.

By CoinTelegraph.com

Microsoft Patch Tuesday: September 2022

Microsoft's Patch Tuesday for September has been released, addressing 63 vulnerabilities in total, 5 of which are rated critical. Flaws affecting Azure Arc, Microsoft Edge, Microsoft Office and more have been addressed this month, so we advise applying the latest updates as soon as possible, using your standard processes for patch management and testing. Please see our round-up of this month's Patch Tuesday for more details.

And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #206 – 23rd September 2022

Why not follow us on social media:

By Joshua Hare on 22/9/22

Cyber Round-up for 9th September

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber-Attack On Hotel Chain Holiday Inn

Holiday Inn’s parent company, Intercontinental Hotels Group (IHG), has confirmed that it was the victim of a cyber-attack. An investigation is underway into “unauthorised access” to numerous internal systems and into the nature, extent and impact of the incident. Speculation around the attack has generated rumours of ransomware; however, no official confirmation has been given. IHG has reported that there has been no loss of customer data. Just last month, a Holiday Inn in Istanbul was breached by LockBit ransomware; at present it is unknown whether the two attacks are connected. In a statement, the company said: "We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG's hotels are still able to operate and to take reservations directly."

By BBC.co.uk

FBI Warns Decentralised Finance Platforms To Boost Security

The Federal Bureau of Investigation has issued a plea to all cryptocurrency decentralised finance platforms to boost their security or face the risk of a cyber-attack. This comes after $100 million was stolen from blockchain bridge firm Harmony, approximately $150 million was stolen from hot wallets at cryptocurrency exchange BitMart and $130 million worth of tokens were stolen from Cream Finance. A report produced by Chainalysis found that $1.3 billion in cryptocurrency was stolen between January and March 2022, 97% of it from decentralised finance platforms. The FBI has requested that decentralised finance platforms introduce real-time analytics and monitoring to prevent attacks, test code rigorously to identify vulnerabilities more quickly, and respond to suspicious activity to help stay secure against a growing number of attacks.

By Tripwire.com

120,000 American Taxpayers Exposed from IRS

The American Internal Revenue Service has leaked information about approximately 120,000 taxpayers who filed Form 990-T as part of their tax returns. Form 990-T is used to report unrelated business income paid to a tax-exempt entity; it is confidential and only meant to be seen by the IRS, unless it is filed by a non-profit organisation, in which case it is publicly available for three years. The IRS accidentally disclosed information for both charities and individuals who had filled out the 990-T form. "The IRS recently discovered that some machine-readable (XML) Form 990-T data made available for bulk download section on the Tax Exempt Organization Search (TEOS) should not have been made public," the IRS stated. The Wall Street Journal reported on the breach and stated that approximately 120,000 taxpayers were affected. The information leaked included names, contact information, and reported income for those IRAs. The information has since been removed and the IRS will notify affected taxpayers.

By BleepingComputer.com

Android Antivirus and Cleaner Applications Installing Banking Trojan

The Google Play Store has been known for years to harbour malware disguised as legitimate applications, despite the measures Google has put in place to vet the applications it allows onto the store. SharkBot is an Android banking trojan capable of siphoning cookies for banking sites, injecting fake overlays to harvest bank account credentials, logging keystrokes, intercepting SMS messages, and carrying out fraudulent fund transfers using the Automated Transfer System. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT said in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The two known applications acting as droppers for this malware are:

  • Mister Phone Cleaner, with more than 50,000 downloads
  • Kylhavy Mobile Security, with more than 10,000 downloads

If either of these applications has been installed it is recommended to:

  • uninstall them and run an antivirus scan on your Android device
  • change passwords for all accounts currently signed in on the device
  • review your banking transactions and call your bank if any unauthorised payments have been made.

By TheHackerNews.com

MagicRAT Remote Access Trojan Affiliated with Lazarus

A new Remote Access Trojan called MagicRAT is thought to have been developed and used by the Lazarus Group, a North Korean state-sponsored hacking unit. MagicRAT installs itself into the \ProgramData\WindowsSoftwareToolkit directory to disguise itself as part of the operating system. Once it has established a connection to a C2 server, it allows the Lazarus Group to open a remote shell for arbitrary command execution, as well as to rename, move and delete files on the endpoint. Further capabilities, such as screen capture, keylogging, self-deletion, port forwarding and USB dumping, come via the TigerRAT malware, which can be installed on the device once it is connected to the C2 server.

By Blog.TalosIntelligence.com

Hive Ransomware Hits Damart Clothing Stores

The French clothing company Damart is being extorted for $2 million after a cyberattack orchestrated by the Hive ransomware gang. Damart has more than 130 stores worldwide; its systems have been encrypted and operations have been disrupted since 15 August. A report from Valéry Marchive revealed that the hackers are not willing to negotiate and want Damartex to pay the full ransom. Damart has informed the national police of the incident, which makes it unlikely that Hive will receive a payment. At the moment, it is unknown whether Hive managed to steal any data during the network intrusion.

By BleepingComputer.com

Vulnerabilities & Updates

Google Zero-Day Found Days After Chrome Patch Release

It hasn’t been long since Google released fixes for 24 Chrome vulnerabilities, yet another security update has already landed. This update is even more important than the last, as it addresses a zero-day that is already being actively exploited in the wild. CVE-2022-3075 is an insufficient data validation issue within the runtime libraries known as Mojo. The zero-day was only disclosed to Google on August 30th. We recommend installing this emergency update ASAP; it takes Chrome to version 105.0.5195.102 across Windows, Mac, and Linux.

By Forbes.com

Zyxel Discovers Critical Flaw in NAS Devices

Networking solutions provider Zyxel has released a patch addressing a critical vulnerability in the firmware of multiple NAS models. The flaw has been given a CVSS score of 9.8/10 and is a format string vulnerability affecting Zyxel NAS326 firmware versions earlier than V5.21(AAZF.12)C0. An attacker could exploit the vulnerability by sending specially crafted UDP packets to an affected product, which could allow them to execute arbitrary code on the device. So far, the investigation has identified only three affected NAS models that are still within their support lifetime.

By SecurityWeek.com
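The Zyxel item names the bug class but, understandably, not the code behind it. The snippet below is an added illustration of a format string flaw of that kind, written for this round-up and not taken from Zyxel's firmware: the hypothetical daemon, its message layout, the function names and the sample datagrams are all constructed. It puts the vulnerable logging call beside the hardened one and adds a simple check a receiver can run on untrusted text before it ever reaches a format function.

```c
/*
 * Illustration of the format-string bug class named in the Zyxel item above.
 * Example code added here, not Zyxel firmware: the NAS's real UDP protocol is
 * not on the page, so the "datagram" handling below belongs to a hypothetical
 * daemon that writes a client-supplied text field into its log.
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_LINE 128

/*
 * Vulnerable pattern: the attacker-controlled text is passed *as the format*.
 * "%x%x%x" leaks stack contents into the log; "%n" turns a read into a write,
 * which is how this class becomes arbitrary code execution. Shown for
 * contrast only; never called below.
 */
int log_field_vulnerable(char *out, size_t out_len, const char *field)
{
    return snprintf(out, out_len, field);   /* BUG: format string comes from the network */
}

/* Hardened pattern: fixed format string; untrusted data is only ever an argument. */
int log_field_safe(char *out, size_t out_len, const char *field)
{
    return snprintf(out, out_len, "client field: %s", field);
}

/*
 * Defensive check a receiving daemon can apply before logging a text field:
 * a '%' that is not part of a literal "%%" is a conversion directive and has
 * no business in a client name. Returns true if one is present.
 */
bool field_has_format_directive(const char *field)
{
    for (const char *p = field; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }   /* "%%" is an escaped percent */
            return true;
        }
    }
    return false;
}

/* Copy a bounded, NUL-terminated text field out of a received datagram. */
int extract_field(char *field, size_t field_len, const unsigned char *pkt, size_t pkt_len)
{
    if (field_len == 0) return -1;
    size_t n = pkt_len < field_len - 1 ? pkt_len : field_len - 1;
    memcpy(field, pkt, n);
    field[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample datagrams, not captured traffic. */
    const unsigned char benign[]  = "nas-client-01";
    const unsigned char hostile[] = "%x%x%x%x%n";
    char field[64], line[MAX_LINE];

    extract_field(field, sizeof field, benign, sizeof benign - 1);
    log_field_safe(line, sizeof line, field);
    printf("%s (directives: %d)\n", line, (int)field_has_format_directive(field));

    extract_field(field, sizeof field, hostile, sizeof hostile - 1);
    log_field_safe(line, sizeof line, field);   /* safe: the %x sequence is printed literally */
    printf("%s (directives: %d)\n", line, (int)field_has_format_directive(field));
    return 0;
}
```

The check is a second line of defence, not a substitute for the fixed format string: the hardened call is what removes the bug, while the check lets the daemon log and drop a hostile datagram rather than silently printing its contents.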

And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #205 – 9th September 2022

By Samuel Jack on 8/9/22

Cyber Round-up for 2nd September

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

NHS Still Affected by Advanced Ransomware Attack

Advanced, an organisation providing IT services to the NHS, is still being affected by a ransomware attack launched on the 4th of August. Seven servers were affected during the attack, supporting services for patient check-ins, medical notes and the NHS 111 service. With four weeks already passed and some NHS systems still down, doctors and nurses have been forced to record patient interactions on paper rather than in the digital systems they would normally use. "Because we can't send notifications to GP practices, except by methods that don't work because they require a lot of manual handling, and we haven't got the staff to actually do the manual handling," reported Dr Fay Wilson. Since 22nd August, NHS 111 services have been coming back online; however, Advanced has announced that some other services may take up to 12 weeks to become operational again. This, unfortunately, is the harsh reality for many organisations not adequately prepared to deal with a cyber attack.

By BBC.co.uk

New Campaign Hides Malware In Images From James Webb Telescope

A new campaign has been spotted by Securonix researchers which involves hiding malware in an image taken by the James Webb Space Telescope. The campaign, labelled GO#WEBBFUSCATOR, uses a malicious file attached to an email sent to the victim. The file, called “Geos-Rates.docx”, contains a macro that downloads an image taken by the telescope. Hidden within this image is a base64-encoded executable that establishes a DNS connection to a command-and-control server and sends encrypted queries.

By BleepingComputer.com

UK Government Enforcing New Cyber Security Rules On Telecom Businesses

Under the Telecommunications (Security) Act 2021, the UK government is allowed to introduce new standards to bolster cyber security across mobile and broadband networks. This includes hardware and software present on phone masts as well as inside telephone exchanges. The government’s telecoms supply chain review produced worrying results: telecoms suppliers are currently responsible for developing their own security standards and often show little incentive to adopt best security practices. The new standards, developed by the NCSC and Ofcom, aim to improve the security of telecom businesses by requiring them to follow best security practices. These include:

  • Protect data processed by their networks and services and secure the critical functions which allow them to be operated and managed.
  • Protect software and equipment which monitor and analyse their networks and services.
  • Have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards.
  • Take account of supply chain risks and understand and control who can access and make changes to the operation of their networks and services to enhance security.

Providers are expected to introduce these changes by March 2024 or be met with fines of up to 10% of turnover and £100,000 per day for continued failure to align to these new standards.

By Gov.uk

No Customer Data Compromised in LastPass Breach

On August 25th, LastPass shared that they had detected some very unusual activity within parts of the LastPass development environment. After further investigation, LastPass determined that this incident involved no access to customer data or encrypted password vaults.

They have determined that an unauthorized party gained access to parts of the LastPass development environment via a single compromised developer account and took portions of source code and some proprietary LastPass technical information. LastPass has since said that its products and services are operating normally.

To respond to the incident, LastPass have “deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm”.

By Blog.LastPass.com

Gloucester City Council Hit by Cyber Attack

On 20th December, Gloucester City Council’s services were disrupted after malware was sent to a council member via email. At the time, the website’s benefits, house sales and planning application sections were all affected. Jeremy Hilton said the council needs to “get its act together”.

The council has fixed most of the issues but has yet to restore operations for its planning portal. Gloucester City Council’s website says, “it is not currently possible to view historic planning applications on our website and not able to email or post plans to customers”. They have said the website will be updated as soon as they have more information.

By BBC.co.uk

Vulnerabilities & Updates

CISA Catalog Updated With 10 New Known Actively Exploited Vulnerabilities

On 26th August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Among the 10 additions is one high-severity flaw “affecting industrial automation software from Delta Electronics”. CISA has stated that the affected product is end-of-life and “should be disconnected if still in use”. Attackers are becoming quicker and more active in their use of newly known vulnerabilities, so we urge all users to keep their systems and services updated.

By TheHackerNews.com

One-Click Account Hijack Vulnerability in TikTok

A new high-severity TikTok vulnerability has been discovered, specifically affecting Android users, that could allow an attacker to take over a user’s account with ease. This “one-click exploit” potentially affects millions of users and gives attackers the ability to execute weaponizable functions within the TikTok app. TikTok has since worked with Microsoft to resolve the issue. While this vulnerability has now been fixed, it is unclear how many of the 1.5 billion users were affected; there is no evidence that it had been actively exploited, however caution is advised.

By TheVerge.com

Bug Hunter Earns $4K After Discovering Command Injection Flaw in GitHub Pages

A vulnerability has been discovered that could allow an attacker to execute code on GitHub Pages by exploiting the build process. Joren Vrancken has been credited with discovering and reporting the vulnerability and was awarded $4,000 for his work. Vrancken described this bug bounty as “fun” and said the techniques used were “Hack the Box-esque”. The vulnerability has now been patched and the bug is no longer present.

More details on this finding can be found here.

By PortSwigger.com

And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #204 – 2nd September 2022

By Joshua Hare on 1/9/22

Cyber Round-up for 26th August

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

National Cybersecurity Alliance and Amazon Team Up For PSA

The National Cybersecurity Alliance is a non-profit organisation helping to promote cybersecurity, privacy, education and awareness. In an effort to raise awareness of phishing, it has teamed up with Amazon to create a public service website with engaging video content, using the weight of Prime Video and big stars Michael B. Jordan and Tessa Thompson to promote the service. The PSA focuses on staying secure online, including changing passwords if phished, using strong passwords, and enabling multi-factor authentication to protect user accounts. Alongside these measures, Ironshare recommends that accounts should never share the same password, so that a breach of one service does not give an attacker access to accounts on other services.

Check out the site here: https://protectconnect.com/en/index.html

By AboutAmazon.com

Zero-Day Allows Crypto to be Stolen from Bitcoin ATMs

General Bytes, manufacturer of Bitcoin ATMs, has confirmed that it was recently hit by a cyberattack. The attack was made possible by a zero-day vulnerability that has been present in the CAS (Crypto Application Server) software since version 2020-12-08, which allowed the attacker to remotely create an administrator account on the servers. General Bytes is still unsure how many servers were compromised in this manner, but the breach led to the attacker forwarding coins from certain Bitcoin ATMs to their own wallet.

More details on this attack can be found in General Bytes’ advisory here.

By TheHackerNews.com

TA558 Targets Travellers with Fake Reservations

The threat group TA558 has recently put a heavy focus on the travel and hospitality industries, with active campaigns relating to fake reservations for flights and hotels. The group was very active back in 2018 with a similar campaign; however, security researchers warn that TA558 has stepped up its game with its latest work. In the past, the group used malicious Word documents in its attacks, but it has recently pivoted towards ISO and RAR files; researchers believe this is due to Microsoft disabling macros by default in Office products. We urge everyone to keep an eye open for scams and phishing attempts and to verify the sender of all emails before clicking any links or attachments.

By ThreatPost.com

Concern Raised For Twitter’s Cybersecurity Measures After Ex-Head Of Security Turns Whistleblower

Twitter’s former head of security, Peiter Zatko, has reported concerning issues inside Twitter. The ex-head of security declared that Twitter’s internal “production environment” was insecure and that "it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.... Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment." Multiple other security concerns were also raised, such as misleading the government about its security vulnerabilities, not appropriately deleting user data and misleading regulators about whether it deletes that data as it is required to do, and employees working for a foreign government's intelligence service. By whistleblowing, Peiter Zatko has said that he is doing what he was hired to do: “I signed on to do it and believe I'm still performing that mission".

By Edition.cnn.com

Fake Cloudflare DDoS Alerts Distributing Malware Across WordPress Sites

A new attack method has been spotted across WordPress sites that tricks visitors into installing malware. An unknown threat actor has been compromising weakly protected WordPress sites and inserting obfuscated JavaScript. This produces a fake Cloudflare DDoS protection screen, which asks visitors to click a button that downloads “security_install.iso” onto the visitor’s machine. They are then asked to open the file and enter a personal verification number into the site to gain access. In the background, a PowerShell command runs and installs NetSupport RAT, a remote access trojan, and Raccoon Stealer, a credential-stealing trojan. If you suspect a site has been compromised, contact the organisation running the site or WordPress directly to report the issue and protect other visitors to the site.

By BleepingComputer.com

Vulnerabilities & Updates

iOS 15.6.1 – Update As Soon As Possible

Apple has released iOS 15.6.1, which fixes two key vulnerabilities that are already being actively exploited. The first is a flaw in the iPhone kernel that could allow applications to execute code with kernel privileges. The second is a flaw in WebKit that could allow an attacker to execute arbitrary code. We strongly advise updating your iOS devices as soon as possible, since these vulnerabilities are already being exploited.

By Forbes.com

80,000 Hikvision Cameras Still Vulnerable to Patched Critical Flaw

Back in 2021, a critical command injection flaw was found in Hikvision cameras; recent reports show that more than 80,000 cameras are still vulnerable. The vulnerability has a CVSS score of 9.8 out of 10 and is being actively exploited by governments and hacker groups alike. We strongly recommend that all Hikvision users keep their devices up to date and stay on top of patch releases.

By TheRecord.media

And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #203 – 26th August 2022

By Joshua Hare on 25/8/22

Cyber Round-up for 19th August

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Brazilian Police Investigate Lapsus$ Group

The Brazilian Federal Police have launched a new investigation into attacks linked to the Lapsus$ Group, with eight search and seizure warrants carried out on Tuesday alone. The investigation was authorised in response to the attacks on the country’s Ministry of Health late last year; an official police statement claims that “the attacker infiltrated nine other local entities – including the Ministry of the Economy and the National Electric Energy Agency.” Some Lapsus$ Group members were found to be as young as 16, with seven members arrested in the UK back in March. The group has remained active since these arrests, with consistent posts regarding a recent data breach at Globant.

By TheRecord.media

Cyber Attack On South Staffordshire Water, Hacking Group Asks For Ransom

The ransomware group known as Cl0p is the latest group to stir up a storm. The group managed to gain access to the South Staffordshire Water network, although it claimed to have hacked a different water company; it is unclear how the group misidentified the network it had broken into. Although the group's usual attacks involve ransomware, this time they stole identification documents to use as leverage, pressuring South Staffordshire Water to pay a ransom to prevent the release of the documents and of the steps used to access its network. South Staffordshire Water has assured customers that it is still supplying safe water: “this is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.” This is a big bullet dodged for part of the UK's Critical National Infrastructure.

By News.Sky.com

Chinese Children Scammed in Attempt to Bypass Gaming Restrictions

Last year, China announced that under-18s would be limited to three hours of video games a week; this sparked a lot of controversy, with children desperate to overcome the restrictions. It is no surprise that cybercriminals were eager to capitalise on this opportunity to exploit a young audience, with some scammers offering these kids extended access in exchange for money. One case saw a 15-year-old pay the scammers 3,800 yuan (about 560 USD) which was taken from their parent’s mobile phone. This has become increasingly common in China, as parents are warned to keep an eye on their children’s access to payment information.

By Bitdefender.com

New BugDrop Malware Designed to Bypass Android Security

Cybercriminals continue to find new ways to exploit Android devices and have developed a new dropper app known as BugDrop to do so. BugDrop was specifically designed to bypass the new Android security features introduced in the newest version of the OS. The features included in the latest version supposedly make it harder for malicious software to request Accessibility Services privileges, however malicious actors appear to have already found a way around this.

By TheHackerNews.com

Government Strategy Launched To Improve Maritime Security

A new 5-year strategy has been launched by the UK Government to “enhance maritime technology, innovation and security and reduce environmental damage”. The strategy's cyber enhancement focuses on:

  • support organisations to build their resilience by continuing to provide advice and guidance on cyber best practices.
  • DfT will continue to work with organisations to improve their cyber security post-CAF. The government will use the NIS Regulations 2018 to drive up standards of cyber security and help the sector become more resilient.
  • National Cyber Strategy: A key objective of the Strategy is to ensure that government, Critical National Infrastructure (CNI), organisations and citizens understand the cyber risks they face and their responsibilities to manage them.
  • NCSC provides advice and guidance on risks through information-sharing platforms and technical assistance in the event of a cyber incident. Organisations can access a range of free cyber security tools and services that NCSC provides as part of their Active Cyber Defence programme.
  • NCSC offers a range of services to support risk and threat management which are available to the sector.
  • UK Government will update the 2017 Cyber Security Code of Practice for Ships and work with the International Maritime Organization (IMO) to agree on international standards and agreements. The Cyber and Information Security section contained within the Port Facility Security Instructions will also be updated and will include links to NCSC guidance, including how to report cyber incidents.
  • Increased cyber incident reporting by the maritime industry will help the NCSC and government advise the sector on how to mitigate against existing and new threats and improve their resilience.

By Gov.uk

Microsoft Disrupts SEABORGIUM’s Phishing Campaigns

SEABORGIUM, a Russia-originating hacking group that Microsoft has tracked since 2017, is now firmly in the sights of the Microsoft Threat Intelligence Center (MSTIC). SEABORGIUM’s campaigns involve persistent phishing and credential theft leading to intrusion and data theft. Its objectives strongly align with Russia’s interests and are often espionage- and information-collection driven rather than financially motivated, which is more widely seen in this environment. Microsoft has reported that it is actively disrupting SEABORGIUM’s efforts by raising awareness, detecting and tracking the group’s abuse of Microsoft services, notifying impacted customers and partnering with abuse teams in Microsoft to disable compromised accounts. Microsoft has issued customer actions to help organisations protect themselves, stating:

  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
  • Configure Office 365 to disable email auto-forwarding.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Require multifactor authentication (MFA) for all users coming from all locations including perceived trusted environments, and all internet-facing infrastructure–even those coming from on-premises systems.
  • Leverage more secure implementations such as FIDO tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

By Microsoft.com

Vulnerabilities & Updates

Exploit Code for RealTek Flaw Released, Could Affect Millions

A critical vulnerability has been discovered in Realtek’s RTL819x system on a chip, which is used in millions of networking devices worldwide. The flaw, identified as CVE-2022-27255, is a stack-based buffer overflow with a CVSS score of 9.8. While the vulnerability was identified and patched back in March, millions of devices remain vulnerable, and with exploit code now released it is vital that affected devices are updated immediately.

By BleepingComputer.com
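The Realtek item names a stack-based buffer overflow without showing what one looks like. The snippet below is an added illustration of that bug class, written for this round-up and not taken from the Realtek SDK: the affected protocol is not described on the page, so the parser handles a made-up message layout of a one-byte type, a one-byte length and a payload, and all message samples are constructed. It shows the unchecked copy beside a bounds-checked version that rejects a length the header claims but the buffer or the datagram cannot hold.

```c
/*
 * Illustration of the stack-based buffer overflow class named in the Realtek
 * item above. Example code added here, not Realtek SDK code: the parser below
 * handles a hypothetical message layout, [1-byte type][1-byte length][payload],
 * of the kind a network device might receive.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* size of the stack buffer the payload is copied into */

/*
 * Vulnerable pattern: the copy length comes straight from the attacker's own
 * header and is never compared with the stack buffer or the datagram size.
 * A length above FIELD_MAX writes past `field` into the saved frame pointer
 * and return address, which is how this class becomes code execution.
 * Shown for contrast only; never called below.
 */
int parse_field_vulnerable(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    char field[FIELD_MAX];
    if (msg_len < 2) return -1;
    uint8_t len = msg[1];
    memcpy(field, msg + 2, len);           /* BUG: len is unchecked against FIELD_MAX and msg_len */
    field[len] = '\0';                     /* BUG: may also write out of bounds */
    return snprintf(out, out_len, "%s", field);
}

/*
 * Hardened pattern: both the declared length and the real datagram length
 * bound the copy, and the buffer always keeps room for the terminator.
 * Returns the payload length, or a negative code naming the rejected case.
 */
int parse_field_safe(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    char field[FIELD_MAX];
    if (msg == NULL || out == NULL || out_len == 0) return -1;
    if (msg_len < 2) return -1;                       /* header incomplete */
    uint8_t len = msg[1];
    if (len > FIELD_MAX - 1) return -2;               /* claimed length exceeds our buffer */
    if ((size_t)len > msg_len - 2) return -3;         /* claimed length exceeds the datagram */
    memcpy(field, msg + 2, len);
    field[len] = '\0';
    snprintf(out, out_len, "%s", field);
    return len;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    const uint8_t good[]      = {0x01, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t oversize[]  = {0x01, 0x40, 'A', 'A', 'A'};   /* claims 64 bytes */
    const uint8_t truncated[] = {0x01, 0x05, 'a', 'b'};        /* claims 5, carries 2 */
    char out[32];

    int n = parse_field_safe(good, sizeof good, out, sizeof out);
    printf("good:      %d -> \"%s\"\n", n, out);
    printf("oversize:  %d (rejected)\n", parse_field_safe(oversize, sizeof oversize, out, sizeof out));
    printf("truncated: %d (rejected)\n", parse_field_safe(truncated, sizeof truncated, out, sizeof out));
    return 0;
}
```

The two checks in the hardened parser are independent and both are needed: the first stops a header from overrunning the stack buffer, the second stops it from reading past the end of the received datagram, which is a separate out-of-bounds read even when the buffer itself is large enough.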

Palo Alto Networks Denial Of Service Vulnerability Exploited

Palo Alto Networks, a company offering cybersecurity solutions, has identified a vulnerability allowing a denial-of-service attack to be conducted. The vulnerability, tracked as CVE-2022-0028, scored 8.6 out of 10 on CVSS and is known to affect PAN-OS, Palo Alto’s bespoke operating system for its security products. The vulnerability is an issue with URL filtering that could allow an attacker to use the device to conduct a denial-of-service attack against a target on the network. It does not affect Panorama M-Series or Panorama virtual appliances, and Palo Alto Networks has already issued a fix for cloud-based firewalls and Prisma Access customers. PAN-OS 10.1.6-h6 and all later versions are available to patch the PA-Series, VM-Series and CN-Series, while fixes for PAN-OS 8.1.23-h1, PAN-OS 9.0.16-h3, PAN-OS 9.1.14-h4, PAN-OS 10.0.11-h1, and PAN-OS 10.2.2-h2 are expected to follow.

By TheRegister.com

And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #202 – 19th August 2022

By Joshua Hare on 18/8/22

Cyber Round-up for 12th August

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Twilio Discusses Recent Account Compromise Incident

Earlier this month, Twilio discovered that an unknown attacker had gained access to customer account information. The unauthorised individual managed to gain access after stealing employee credentials in a “sophisticated social engineering attack” that fooled multiple Twilio employees. Twilio’s initial statement says it believes in transparency and communication, which it has shown through its efforts to keep customers informed.

Twilio have followed through on their plan to provide customers with an overview of the incident, as well as regular updates for any changes. The most recent update states that 125 Twilio customers were affected by the attack, all of which have been notified. It was also confirmed that no passwords, authentication tokens, or API keys were accessed by the threat actors.

By Twilio.com

Ex-CISA Chief Wants US to Take Security Seriously

Chris Krebs, the former CISA director, has voiced his opinions on the state of cyber security in the US, and is calling for the government to create “a new agency focused solely on digital risk management services”. Krebs believes that there is a severe lack of focus on security, privacy, and trust in the US, and is striving to make a difference where others are failing. This is not the first time Krebs has called for the US government to make a change; for the last couple of years, he has been crying out for them to notice the rapidly growing threat of ransomware.

Krebs believes the US is “not where we need to be” and stated that “Americans are suffering as a result”. It is great to see these highly prevalent issues being brought into the spotlight, and we hope changes are made soon to help combat the rise of cybercrime and maintain the trust and privacy of people everywhere.

By TheRegister.com

Insights into Cisco Cyber-Attack

Talos Intelligence has released detailed insights into how the cyber-attack of the 24th of May 2022 happened. A Cisco employee’s credentials were compromised after an attacker accessed a personal Google account to which the credentials were being synchronised from the employee’s browser. The attacker then carried out multiple phishing attacks, impersonating various trusted organisations, to convince the victim to accept a multi-factor authentication push notification generated by the attacker’s own attempts to log in to Cisco’s VPN service. The attacker ultimately succeeded in getting an MFA push accepted, granting them access to the VPN. The attacker was removed from Cisco’s systems, and repeated attempts to regain access were unsuccessful.

A Q&A can be found here: https://tools.cisco.com/security/center/resources/corp_network_security_incident

By Blog.TalosIntelligence.com

Cyber-Attack on NHS 111 Services Provider Advanced

Advanced, a company providing services to the NHS, detected a cyber-attack against its services on the 4th of August. The attack was reported to have affected the system used to refer patients for care, including ambulance dispatch, out-of-hours appointment bookings and emergency prescriptions. The NCA has said it is aware of the attack on Advanced and is working with them to identify the attackers.

"A security issue was identified yesterday, which resulted in loss of service," said Advanced boss Simon Short. "We can confirm that the incident is related to a cyber-attack and as a precaution, we immediately isolated all our health and care environments." Advanced has stated it could take over a week to get the systems fully operational again.

By BBC.co.uk

Denmark 7-Eleven Stores Hit by Cyber Attack

7-Eleven stores in Denmark were shut down on Monday due to a cyberattack, which disrupted payment and checkout systems across the country. On the morning of 8th August, 7-Eleven posted on their Facebook page that they had been “exposed to a hacker attack”. An employee said in a Reddit post: “working at 7-Eleven at Strøget and our checkout system does not work, all the country’s 7-Eleven run with the same system, so all 7-Eleven in Denmark are closed right now”. At the moment there are no further details on the cyberattack, but we understand ransomware was involved.

By BleepingComputer.com

Vulnerabilities & Updates

Twitter Patches Zero-Day Vulnerability

Twitter has patched a serious zero-day vulnerability that was actively exploited in the wild. The flaw was in the login process: anyone could submit an email address or phone number into the log-in form and retrieve the associated account ID, which could then be linked to the account’s Twitter page and its public information scraped. An attacker used this vulnerability to collect information on 5.4 million separate user accounts. A sample of these accounts was previously verified by Bleeping Computer, and Twitter has started to alert users whose information was scraped during the data breach. It is important to note that the zero-day only exposed phone numbers, email addresses and associated IDs; no passwords were leaked.

By BleepingComputer.com

Hashed Passwords Exposed In Slack Vulnerability

Slack, an office-based messaging platform, has reported that a vulnerability in its service exposed salted, hashed passwords. The bug was triggered when creating or revoking shared invitation links for workspaces. "When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members," Slack reported. Around 0.5% of users have been forced to reset their passwords, and Slack has advised all users to enable two-factor authentication to protect against account takeover.

By TheHackerNews.com

Microsoft Patch Tuesday: August 2022

Microsoft’s Patch Tuesday for August has arrived and includes fixes for 121 total vulnerabilities. 17 of these are critical, with one actively exploited flaw being patched as well. We recommend looking into our round-up of this month’s batch of Microsoft updates for any flaws affecting systems you may use. As always, we recommend applying the latest updates as soon as they are made available to ensure you are protected against known threats and vulnerabilities.


Edition #201 – 12th August 2022   


By Joshua Hare on 11/8/22

Patch Tuesday Blog August 2022

Patch Tuesday is back. With a grand total of 121 vulnerabilities (17 critical, 2 publicly disclosed and 1 exploited in the wild), this looks to be the busiest Patch Tuesday we have had in months. Elevation of privilege and remote code execution continue to lead the classifications, with 64 and 31 respectively. With such a high number of total vulnerabilities, and such a high proportion of critical ones, it is unusual to see the publicly disclosed and exploited-in-the-wild counts so low.

August’s instalment includes patches for some key software such as:

  • Active Directory Domain Services
  • Azure Sphere
  • Microsoft ATA Port Driver
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Office
  • Microsoft Windows Support Diagnostic Tool (MSDT)
  • Role: Windows Fax Service
  • Role: Windows Hyper-V
  • Visual Studio
  • Windows Hello
  • Windows Kerberos
  • Windows Kernel
  • Windows Local Security Authority (LSA)
  • Windows Secure Boot
  • Windows Storage Spaces Direct
  • Windows WebBrowser Control
  • Windows Win32K

CVE-2022-34713: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

With a CVSS score of 7.8 and rated important, this is the only vulnerability this month to be both publicly disclosed and seen exploited in the wild. Exploitation requires a user to open a specially crafted file. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open it. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

CVE-2022-30134: Microsoft Exchange Information Disclosure Vulnerability

This important vulnerability is the second to be publicly disclosed. With a score of 7.8, it could allow an attacker to read targeted email messages if the victim is persuaded to connect to a malicious server. Customers vulnerable to this issue need to enable Extended Protection in order to prevent the attack.

CVE-2022-34691: Active Directory Domain Services Elevation of Privilege Vulnerability

This critical vulnerability, with a score of 8.8, could allow an authenticated user to manipulate attributes on computer accounts they own or manage and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.

31 Elevation of Privilege Vulnerabilities: Azure Site Recovery

Azure Site Recovery is a service used for disaster recovery. With a massive 31 separate vulnerabilities affecting this service, scoring from 4.4 to 8.1, this poses a serious threat to organisations that use it.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug

Security update guide: https://msrc.microsoft.com/update-guide/

By Joshua Hare on 10/8/22

Cyber Round-up for 5th August


Security News

97% of Universities at Risk of Impersonation

Cybersecurity giant Proofpoint has released its research into the email security of universities in the United States, United Kingdom and Australia. The findings show that cybersecurity measures are severely lacking at most universities, with 97% failing to block impersonation by attackers. Email fraud and spoofing are serious and rapidly growing problems, making email security an absolute necessity for all organisations. In addition to this headline statistic, Proofpoint also revealed that only 1 of the 30 Australian universities was using a DMARC Reject policy, and 5 of the top ten universities in the US had no DMARC record at all. Email is still an incredibly common attack vector and should be a priority when securing your business, regardless of size.

By Proofpoint.com
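The Proofpoint figures above come down to one question per domain: is there a DMARC record, and does its policy actually enforce anything? The following is an added example (not Proofpoint’s methodology or code) that parses DMARC TXT records and classifies each domain the way a survey like this would. The domain names and records are constructed for the example; a real assessment would fetch the `_dmarc.<domain>` TXT record from DNS.

```python
"""Classify DMARC policies from DNS TXT records (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by domain; None models "no DMARC record at all".
SAMPLE_RECORDS = {
    "uni-reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@uni-reject.example",
    "uni-quarantine.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "uni-monitor.example":    "v=DMARC1; p=none; rua=mailto:reports@uni-monitor.example",
    "uni-missing.example":    None,
    "uni-broken.example":     "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]   # "none", "quarantine", "reject", or None when no record exists
    pct: int                # share of failing mail the policy applies to (DMARC default 100)
    enforcing: bool         # True only if spoofed mail is quarantined or rejected
    finding: str


def parse_dmarc(record: Optional[str]) -> dict:
    """Split a DMARC record into tag/value pairs; return {} if it is not a DMARC1 record."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Turn one domain's record into a policy classification and a plain-language finding."""
    tags = parse_dmarc(record)
    if not tags:
        return DmarcAssessment(domain, None, 0, False,
                               "no DMARC record: receivers cannot be told to reject spoofed mail")
    policy = tags.get("p", "none").lower()   # 'p' is mandatory in DMARC; treat a missing tag as monitoring
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    enforcing = policy in ("quarantine", "reject") and pct > 0
    if policy == "reject" and pct == 100:
        finding = "p=reject: receivers should reject unauthenticated mail"
    elif enforcing:
        finding = f"p={policy} pct={pct}: partial enforcement, move towards p=reject pct=100"
    else:
        finding = "p=none: monitoring only, impersonation is not blocked"
    return DmarcAssessment(domain, policy, pct, enforcing, finding)


def summarise(records: dict) -> dict:
    """Aggregate per-domain results into the kind of counts the article reports."""
    results = [assess(domain, record) for domain, record in records.items()]
    return {
        "total": len(results),
        "no_record": sum(1 for r in results if r.policy is None),
        "reject": sum(1 for r in results if r.policy == "reject"),
        "not_enforcing": sum(1 for r in results if not r.enforcing),
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:26} {assess(domain, record).finding}")
    print(summarise(SAMPLE_RECORDS))
```

The check deliberately treats `p=none` as "not enforcing" even though a record exists, which is the distinction behind the 97% figure: a monitoring-only record collects reports but tells receivers nothing about what to do with spoofed mail.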

Bromford Housing Association Hit by Cyber Attack

Bromford housing association has released a statement regarding a recent cyber attack that has caused disruption. As a precaution, the housing association has shut down its systems while the incident is investigated. Their CIO has commented on the situation, claiming there was “no evidence the hackers had been successful”. While this is good news, there is still work being done to return operations to normality.

By BBC.co.uk

Microsoft Gives Enterprises Access to Threat Intelligence

Microsoft has announced that it will be giving enterprise security operations centres access to its threat intelligence. This change aims to help organisations track threats and identify gaps in their security. In its announcement, Microsoft unveiled two brand new services, Defender Threat Intelligence and Defender External Attack Surface Management; the goal of these releases is to enable organisations to “proactively protect themselves by seeing the same data Microsoft cybersecurity experts see”.

By TheRegister.com

Cyber-Attack On Two British Schools, Hacker Demands £500,000 Ransom

Two schools in England have fallen victim to yet another cyber-attack. Wootton Upper School and Kimberley College, both owned by the Wootton Academy Trust, were affected after a hacker breached the trust’s network and reportedly stole information relating to students’ home addresses, banking details and medical records. The hacker has threatened to make this information public unless a ransom of £500,000 is paid.

A statement by the hacker said, “If Wootton management decides to move on with their plan and refuse to negotiate, we are going to release all of the stolen data online for everyone to see”, “All of your child’s private information will be online for everyone and for free.”

Executive principal Michael Gleeson has said that they are working with “specialist third party experts”; however, no decision has been announced on whether the ransom will be paid.

By TheRecord.media

Solana Wallet Holders See Funds Drained By Hackers

The Solana blockchain is the latest victim of attacks on cryptocurrency. An exploit has allowed hackers to drain funds from hot wallets, with an estimated 8,000 wallets breached so far. The exploit somehow gives the attacker the ability to sign transactions in place of the user. Solana’s core code has been reviewed, and its engineers state that the exploit is not in that code but in the software used by several software wallets. The exact exploit is still unknown and is still being used to drain victims’ hot wallets; users are advised to move their funds to a cold wallet and make transactions from it instead.

By Coindesk.com

UK Gives Norton Security Permission to Acquire Avast

Security giant Norton has been given the go-ahead by the UK government to acquire Avast. Both companies offer solutions for malware prevention and detection, VPNs and other cyber security services. The Competition and Markets Authority investigated the potential acquisition, as it could leave consumers with a limited market, but concluded: "After gathering further information from the companies involved and other industry players, we are currently satisfied that this deal won't worsen the options available to consumers."

By SecurityWeek.com

Vulnerabilities & Updates

39 Security Flaws Addressed in iOS 15.6

Apple has released version 15.6 for iOS and iPadOS. This update fixes 39 different security flaws, including a code execution vulnerability in Apple File System. Flaws in the kernel, WebKit browser engine, IOMobileFrameBuffer, Audio, iCloud Photo Library and more have been addressed. We recommend updating your iOS devices as soon as possible to ensure you are up to date with key security patches.

By Wired.co.uk

VMware’s Critical Authentication Bypass Vulnerability Patch

VMware is urging its users to update to the latest version to avoid falling victim to a critical authentication bypass vulnerability. Tracked as CVE-2022-31656 with a CVSS score of 9.8, this vulnerability has no public proof of concept yet, but it has been reported that a hacker with network access to the UI may be able to obtain administrative access without needing to authenticate.

The official VMware Security Advisory can be found here.

By ThreatPost.com


Edition #200 – 5th August 2022     


By Samuel Jack on 4/8/22

Cyber Round-up for 29th July


Security News

Italy’s Tax Agency Hit by Ransomware

The LockBit ransomware group recently launched an attack on Italy’s tax agency. After investigating the incident, the agency claimed that there was “no evidence of a breach”. LockBit claims to have stolen 78GB of data and has warned that the data will be leaked if a payment is not made within 6 days. Alongside this statement, screenshots of the stolen files were shared to prove the existence of a breach. The tax agency is currently working with Italy’s National Cybersecurity Agency to continue the investigation and learn more about the incident.

By TheRecord.media

T-Mobile Pays Customers $350 Million After Data Breach

Tens of millions of people were affected by the huge T-Mobile data breach last year. The mobile communications giant recently issued a statement about the impact the breach had on their customers. They said: “Customers are first in everything we do and protecting their information is a priority”. In response to the incident, T-Mobile have agreed to pay $350 million to cover payments to class members, including legal and admin fees.

By Edition.cnn.com

Fantasy Premier League App Releases Two-Factor Authentication for All Users

The Premier League app, most commonly used for its Fantasy Premier League feature, has introduced two-factor authentication ahead of the upcoming 2022/23 season. This is an incredible step forward for the app’s security, and will play a massive role in reducing the number of account takeovers. With more than nine million players last season, we are glad to hear the news of this implementation, and the EPL’s commitment to improving security.

By Portswigger.net

Unit 42’s 2022 Incident Response Report

The new report released by Unit 42 helps businesses, governments and other organisations to understand the threat landscape of the past year. Unit 42 analysed more than 600 incident response cases and consolidated the results into one report.

Of the cases analysed, 37% recorded phishing as the cause of initial access. This is a massive figure, but not a surprise; organisations should be training their employees to identify and report phishing attempts. Even the most robust email security can’t stop every phishing email, and other channels such as SMS and phone calls should be understood as possible attack vectors too.

In 31% of cases, initial access was caused by a software vulnerability. A robust update policy should be in place to ensure devices (including network and IoT devices) are updated to remove known security vulnerabilities and to reduce the window of exposure between a patch’s release and its installation.

Initial access in 9% of cases was down to brute-forcing of credentials or passwords. A simple password policy that enforces strong, complex, unique passwords, the removal of default passwords from accounts and devices (yet again, including network and IoT devices) and MFA would all help to reduce this threat.

Put simply, the proper creation and enforcement of password and update policies, alongside employee training, could protect against 77% of these initial access attempts and keep organisations safe. Businesses aren’t the only entities at risk; individuals are too. To help you stay secure, remember to check emails, SMS messages, phone calls and websites for scams or credential theft. Keeping devices up to date and using strong, complex, unique passwords and MFA for devices and accounts will help to protect you in this digital world.

If you want to read more about Unit 42’s 2022 Incident Response Report, please see here.

By unit42.paloaltonetworks.com

RDP Brute Force Protection Implemented in Windows 11

Remote Desktop Protocol continues to be a security nightmare, and the brute force protection in Windows 11 is a welcome addition to its security features. RDP allows one computer to control another through screen mirroring and remote input, and is mainly used by IT support to access devices remotely for management and troubleshooting. RDP is often left enabled or weakly configured, making it a common method of entry: hackers can abuse this by brute-forcing the password when attempting to connect over RDP, and a successful RDP connection gives a hacker full control of the device. Windows 11 now ships with a default brute force protection configuration that automatically locks accounts for 10 minutes after 10 invalid sign-in attempts. This vastly reduces the effectiveness of a brute force attack on an RDP client. Hackers will have to move to dictionary attacks because of the significantly reduced number of attempts they can make at any one time; however, an effective password policy should significantly reduce this threat.

By TheHackerNews.com
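Lockout stops the guessing, but a defender still wants to see it happening. The following is an added detection example (not part of the article and not Microsoft’s code) that applies the same “10 failures within 10 minutes” rule from the Windows 11 default to a stream of failed-logon records, keyed by source address and account, and only counts RemoteInteractive (RDP) logons. The events are constructed in the code; in a real deployment they would come from Windows Security event ID 4625 (failed logon), for example via `Get-WinEvent` or a SIEM.

```python
"""Flag RDP brute-force patterns in failed-logon records (added example, constructed events)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive, which RDP sessions use


@dataclass(frozen=True)
class FailedLogon:
    """The fields of a 4625 event that the rule needs."""
    when: datetime
    account: str
    source_ip: str
    logon_type: int


@dataclass
class Alert:
    source_ip: str
    account: str
    first_seen: datetime
    last_seen: datetime
    count: int


def _t(minute: int, second: int = 0) -> datetime:
    """Helper for constructing timestamps on one constructed morning."""
    return datetime(2022, 7, 28, 9, minute, second)


# Constructed sample events (not real logs):
#  - 12 RDP failures for 'administrator' from one address, 5 seconds apart
#  - 3 RDP failures for 'jsmith' spread over half an hour (looks like a user mistyping)
#  - 15 network (type 3) failures for a service account, which the RDP rule must ignore
SAMPLE_EVENTS: List[FailedLogon] = (
    [FailedLogon(_t(0, 5 * i), "administrator", "203.0.113.5", RDP_LOGON_TYPE) for i in range(12)]
    + [FailedLogon(_t(m), "jsmith", "198.51.100.7", RDP_LOGON_TYPE) for m in (2, 17, 31)]
    + [FailedLogon(_t(0, 3 * i), "svc_backup", "10.0.0.9", 3) for i in range(15)]
)


def detect_rdp_bruteforce(events: List[FailedLogon], threshold: int = 10,
                          window_minutes: int = 10) -> List[Alert]:
    """Sliding-window rule: alert once per (source, account) when `threshold` RDP failures
    fall within `window_minutes`. Defaults mirror the Windows 11 lockout setting."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        key = (ev.source_ip, ev.account)
        times = recent[key]
        times.append(ev.when)
        while times and ev.when - times[0] > window:   # drop failures outside the window
            times.popleft()
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(Alert(ev.source_ip, ev.account, times[0], ev.when, len(times)))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{alert.source_ip} -> {alert.account}: {alert.count} RDP failures "
              f"between {alert.first_seen.time()} and {alert.last_seen.time()}")
```

Keying on source address and account together is what separates a password-guessing burst from an unlucky user, and restricting the rule to logon type 10 keeps service-account noise on other logon types out of the RDP alert. The same window parameters can be widened to catch slower, spread-out dictionary attempts of the kind the article expects attackers to fall back on.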

Confluence App Hardcoded Password Leaked On Twitter

Questions for Confluence, an app that lets employees ask and answer questions as well as browse business wikis, has been in the limelight. The application has a password programmed into it (hardcoded) for a user account called disabledsystemuser. This account is created on installation and is designed to be used by IT technicians and support staff. A hacker leaked the hardcoded password for this account on Twitter a day after the vulnerability was made public. The company has advised searching for the account using the following details:

  • User: disabledsystemuser
  • Username: disabledsystemuser
  • Email: dontdeletethisuser@email.com

The company stated:

"A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to,"

"It is important to remediate this vulnerability on affected systems immediately."

The account should be disabled or removed to protect organisations from information being leaked.

By arstechnica.com

5.4 Million Twitter Accounts Up For Sale For $30k

A hacker is selling the email addresses and phone numbers of 5.4 million Twitter accounts on a hacker forum. The hacker, known as ‘Devil’, used a vulnerability in Twitter’s Android client into which they could feed email addresses and phone numbers and retrieve the Twitter ID identifying the account each belongs to. Twitter says it is investigating the claims and their validity. A sample of the identified accounts was shared with Bleeping Computer and verified as accurate. Although the flaw does not allow the hacker to log into the accounts, the phone numbers of celebrities, businesses and high-profile user accounts are contained within the data.

By BleepingComputer.com
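The Twitter flaw above (and the patched zero-day covered in the 12th August round-up) is a textbook account enumeration bug: the login path answered differently depending on whether an email or phone number was registered, and even handed back the account ID. The following is an added example, not Twitter’s code, showing that weak pattern beside a login handler that returns the same response and does the same amount of work whether or not the identifier exists. The user store and credentials are constructed for the example.

```python
"""Login lookup that does not reveal whether an identifier is registered (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; iteration count kept modest so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_user(user_id: int, password: str) -> Dict[str, object]:
    salt = secrets.token_bytes(16)
    return {"id": user_id, "salt": salt, "pw_hash": hash_password(password, salt)}


# Constructed user store keyed by email address or phone number (not real accounts).
USERS: Dict[str, Dict[str, object]] = {
    "alice@example.com": _make_user(1001, "correct horse battery staple"),
    "+441234567890": _make_user(1002, "hunter2-but-longer"),
}

# A dummy credential that is checked when the identifier is unknown, so the server does
# the same hashing work and takes the same time either way.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def enumerating_lookup(identifier: str) -> Dict[str, object]:
    """The weak pattern: the answer differs for known and unknown identifiers, and it even
    returns the account ID, which is the behaviour the articles describe."""
    user = USERS.get(identifier)
    if user is None:
        return {"known": False}
    return {"known": True, "user_id": user["id"]}


def safe_login(identifier: str, password: str) -> Dict[str, object]:
    """Hardened handler: one generic failure response, constant-time comparison, and the
    hash is computed even when the identifier is unknown."""
    user: Optional[Dict[str, object]] = USERS.get(identifier)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    supplied = hash_password(password, salt)
    matched = hmac.compare_digest(supplied, expected)
    if user is None or not matched:
        # Same message and same fields for "no such account" and "wrong password".
        return {"status": "error", "message": "invalid credentials"}
    return {"status": "ok", "user_id": user["id"]}


if __name__ == "__main__":
    print(enumerating_lookup("alice@example.com"))     # leaks existence and ID
    print(safe_login("alice@example.com", "wrong"))    # indistinguishable from the next line
    print(safe_login("nobody@example.com", "wrong"))
```

A uniform response is necessary but not sufficient: the handler should also sit behind per-identifier and per-source rate limiting, because a response that is identical in content can still leak through timing or through the sheer number of lookups an unauthenticated client is allowed to make.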

Vulnerabilities & Updates

SQL Injection Flaw Found in SonicWall Products

SonicWall has released an advisory for a recent critical SQL injection flaw found in its GMS (Global Management System) and Analytics On-Prem products. The vulnerability has been given a severity rating of 9.4 and requires neither user interaction nor authentication to exploit. Its low attack complexity also contributes to its high severity; however, SonicWall does not believe it has been actively exploited yet. All SonicWall customers are recommended to apply the latest security updates as soon as possible to ensure they are protected against this flaw.

By BleepingComputer.com


Edition #199 – 29th July 2022        


By Samuel Jack on 28/7/22

Cyber Round-up for 22nd July


Security News

Cyber Attack Causes Albanian Government to Shut Down Website

The Albanian government was forced to shut down their website following a recent cyber attack. The attack has been described as “synchronized and sophisticated”, and reportedly began impacting government services on Saturday night. It appears the website is still offline and we are unsure when it will be back in operation. The government is working with several cyber security companies, including Microsoft, to contain and mitigate the attack.

By TheRecord.media

More Malicious Apps in Google Play Store

The official Google Play Store has once again been found distributing malicious apps containing spyware. Reports suggest that three million Android users may already have been infected and potentially lost money as a result of these apps; the malware in use has been named Autolycos, which shares similarities with the Joker spyware. Multiple apps are currently being used to spread Autolycos, such as Funny Camera by KellyTech and Razer Keyboard & Theme by rxcheldiolola. We strongly recommend avoiding these apps entirely. We also advise Android users to only install apps they have fully reviewed and to use an anti-malware product to protect their devices and data.

By Tripwire.com

Cleartext Passwords Exposed by Okta

Identity services provider Okta has recently focused heavily on understanding and improving its security to prevent attacks similar to the Lapsus$ incident last year. Despite this, it appears to be facing some serious flaws that could allow attackers to extract plaintext passwords. These were found by security researchers at Authomize, but when the issue was raised with Okta, the company made it clear that these “are features, not bugs”. This raises the concern that the company is intentionally exposing plaintext credentials within its applications.

This statement from Okta appears to avoid addressing the issues raised, which is a big concern considering their recent history of attacks.

By DarkReading.com

FBI Issues Warning About Apps Stealing Cryptocurrency

The FBI has issued a warning regarding cryptocurrency-themed applications designed to steal from investors. They have observed the activity of these criminals, who have been seen in contact with U.S. investors attempting to gain their trust. Their goal is to convince the victims to download a malicious mobile app; the scheme has reportedly caused losses of around $42.7 million since October 2021. The FBI are working to protect U.S. investors from these kinds of attacks and have made a number of recommendations to help financial institutions stay protected.

By TheHackerNews.com

Russian Hacking Group APT29 Using Online Storage Services To Compromise Devices

APT29 has been observed using the online storage services Google Drive and Dropbox to collect user information and to deliver Cobalt Strike malware that compromises a device. Recent victims of APT29 received spear phishing emails containing an HTML or PDF file with a link that downloads an ISO file; the ISO’s contents exfiltrate user information to an online storage service. Cobalt Strike is then downloaded from an online storage service to take over the device and establish a connection to a command and control server run by APT29. Using online storage services helps to mask the attack, as many organisations deem these services legitimate and integrate them into their operations.

By Unit42.PaloAltoNetworks.com

PLC And HMI Password Cracking Tools Hiding Malware

Programmable Logic Controllers and Human-Machine Interfaces are terms usually associated with industrial processes. Password cracking tools are legal and are used to help recover lost or unknown passwords. Some password cracking tools for PLCs and HMIs have been found to be harbouring trojan malware. The malware reported is Sality, which is capable of terminating security software running on the device and integrating the device into the Sality botnet for crypto mining and distributed password cracking. The malware also monitors the device’s clipboard for cryptocurrency wallet addresses and swaps them for the attacker’s wallet address, which could make an unsuspecting user transfer cryptocurrency to the wrong address.

By Dragos.com

Chinese Hackers Attack Belgium’s Ministry Of Defence

Belgium’s Ministry of Foreign Affairs has publicly stated that Chinese state-backed hackers have conducted an attack on the FPS Interior and the Belgian Defence. The groups named by the Belgian government as responsible for the attack are APT27, APT30, APT31 and Gallium/Softcell/UNSC 2814. China has countered the claims, saying that the Belgian government refuses to deliver evidence to back them up.

By BleepingComputer.com

Vulnerabilities & Updates

CISA Warns Of Critical MV720 GPS Tracker Vulnerabilities

The MV720 is a model of GPS tracker for cars and other vehicles that has been reported to have severe vulnerabilities which are easily exploitable by hackers. The Cybersecurity and Infrastructure Security Agency has put out an ICS Advisory to alert all users to the potential of being hacked through the device. The cellular-enabled MV720 uses a SIM card to transmit status and location updates, as well as to receive SMS messages issuing commands. The key vulnerabilities identified are:

CVE-2022-2107: hard-coded password vulnerability in the MiCODUS API server. Allows a remote attacker to log into the web server and send SMS commands to a target's GPS tracker. This allows an attacker to gain control of any tracker, access and track vehicle location in real-time, cut off fuel and disarm alarms or other features provided by the gadget.

CVE-2022-2141: broken authentication mechanisms could allow an attacker to send SMS commands to the tracking device without authentication.

A default password vulnerability was also present in the device but was not assigned a CVE. All devices are shipped with the default password “123456” and users are not required to change it. This could allow an attacker easy access to the device if the default password has not been changed.

CISA advisories for these flaws can be found here.

By TheRegister.com


Edition #198 – 22nd July 2022        


By Joshua Hare on 21/7/22

Cyber Round-up for 15th July


Security News

10,000 Organisations Targeted in AiTM Phishing Attacks

Microsoft announced this week that a huge phishing campaign had been spotted. It appears the attacks have hit more than 10,000 organisations since its arrival in September 2021; reports suggest that these attacks involve “hijacking Office 365’s authentication process even on accounts secured with multi-factor authentication”. The method used in this campaign has been named adversary-in-the-middle (AiTM) and involves setting up a proxy server between a victim and targeted site to steal credentials.

There are a lot of details about this campaign, as well as an extensive list of indicators of compromise (IOC). We recommend consulting this list and checking for any sightings within your environments. The list of IOCs, as well as further details on this campaign, can be found here.

By TheHackerNews.com

Windows Autopatch: The New Automatic Patching Solution

Windows Autopatch is a new service released by Microsoft to manage updates for devices and virtual machines. It offers more granular updates than the fixed monthly cadence currently in place, such as Patch Tuesday, which means devices and virtual machines are at reduced risk of being exploited by new vulnerabilities. Access to this service requires a Windows Enterprise E3 or E5 licence, as well as enrolment in Azure AD and Microsoft Intune. Additionally, Microsoft has stated that the service won’t prevent glitches or bricking caused by bad patches.

By TheRegister.com

UK NCSC & ICO Urge Businesses to Stop Paying Ransoms

Ransomware is still the largest online threat the UK faces, and it shows no sign of slowing down. Recent studies have shown that more and more businesses are paying ransoms to recover their data, which is contributing massively to the funding of future attacks. Over the last 5 years, cybercrime has cost UK businesses billions of pounds, and the NCSC and ICO are desperately trying to discourage the payment of these ransoms. In their statement on the matter, the two organisations said they believe ransom payments “further incentivise criminals”, while not guaranteeing the return of your data and files. Solicitors have been seen advising affected clients to pay the attackers, but we strongly encourage the opposite.

The NCSC & ICO’s official statement on the situation can be found here. This includes their appeal for assistance in spreading their beliefs regarding ransom payments, as well as additional details on the constant rise in ransomware attacks.

By Portswigger.net

Hacker Posts Offensive Material after Breaching Disney Social Media Accounts

Disneyland Resort’s Instagram and Facebook accounts were under the control of a hacker last Thursday shortly after 12 pm. The spree of posts contained racist material, declared that he was working on “Covid 20”, and told people to hide before he released the “new deadly virus”. All of the hacker’s claims are false and should not be trusted. Disney released the following statement:

"Disneyland Resort’s Facebook and Instagram accounts were compromised early this morning. We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation."

By BitDefender.com

$540 Million Stolen From Axie Infinity

Axie Infinity is a video game in which players collect and mint NFTs representing axolotl-inspired digital pets known as Axies. The game uses Ethereum-based cryptocurrencies via the Ronin Bridge. The hack occurred in late March 2022, when a senior engineer was deceived by hackers impersonating a fake company that offered the engineer a job. As part of the process, the engineer downloaded a fake offer document disguised as a PDF, which acted as trojan malware and gave the hackers access to internal systems. From there, the hackers were able to access the crypto wallet and transfer funds. The U.S. Treasury Department has implicated Lazarus Group, a hacker group with close relations to the North Korean state.

By TheHackerNews.com

Vulnerabilities & Updates

AWS Kubernetes Authentication Vulnerability Patched

Amazon has identified and patched a vulnerability in a plugin for Amazon Elastic Kubernetes Service (EKS). The affected component is the IAM Authenticator, which authenticates users attempting to access a Kubernetes cluster. According to Amazon, the vulnerability only occurred when the IAM Authenticator was configured to use the AccessKeyID template parameter; in that configuration, duplicate parameter names were accepted and could be used to elevate privileges. All existing EKS clusters have been patched, and the updated IAM Authenticator secures all environments across Amazon Web Services, new or old.

You can find AWS’ official advisory for this vulnerability here.

If you are interested in the nature of this flaw and details of how it can be exploited, we recommend this writeup by Lightspin.
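As an added illustration (not AWS’s code and not the authenticator’s own parsing), the Python below shows the class of bug the advisory describes: a presigned-style URL that carries the same query parameter name twice, which a loose parser silently collapses while a strict parser rejects. The URLs, key IDs and signature value are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl


class DuplicateParameterError(ValueError):
    """Raised when a query parameter name appears more than once."""


def naive_params(url: str) -> dict:
    """Loose parsing: a dict comprehension keeps only the LAST value for a
    repeated name, so two copies of a parameter silently collapse into one."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {name.lower(): value for name, value in pairs}


def strict_params(url: str) -> dict:
    """Hardened parsing: every parameter name may appear exactly once.
    Names are compared case-insensitively (a conservative choice made here,
    not taken from the advisory) so 'Foo' and 'foo' cannot smuggle a second
    copy past the check."""
    seen: dict = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        key = name.lower()
        if key in seen:
            raise DuplicateParameterError(f"duplicate query parameter: {name}")
        seen[key] = value
    return seen


def access_key_id(params: dict) -> str:
    """The access key ID is the first '/'-separated field of X-Amz-Credential."""
    return params["x-amz-credential"].split("/", 1)[0]


# Constructed inputs: neither key ID is real and the signature is a placeholder.
CLEAN_URL = (
    "https://sts.example.invalid/?Action=GetCallerIdentity"
    "&X-Amz-Credential=AKIAEXAMPLELOWPRIV/20220715/us-east-1/sts/aws4_request"
    "&X-Amz-Signature=placeholder"
)
TAMPERED_URL = (
    "https://sts.example.invalid/?Action=GetCallerIdentity"
    "&X-Amz-Credential=AKIAEXAMPLELOWPRIV/20220715/us-east-1/sts/aws4_request"
    "&X-Amz-Credential=AKIAEXAMPLEADMIN/20220715/us-east-1/sts/aws4_request"
    "&X-Amz-Signature=placeholder"
)

if __name__ == "__main__":
    print("naive parser maps tampered URL to:", access_key_id(naive_params(TAMPERED_URL)))
    try:
        strict_params(TAMPERED_URL)
    except DuplicateParameterError as exc:
        print("strict parser rejected tampered URL:", exc)
```

The lesson for any identity component that derives a principal from request parameters: enforce one value per name before anything downstream reads it, rather than letting two parsers disagree about which copy counts.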

By TechRadar.com

Microsoft Patch Tuesday: July 2022

Microsoft’s Patch Tuesday for July has arrived and includes fixes for 84 total vulnerabilities. 4 of these are critical remote code execution flaws, with one actively exploited zero-day being patched as well. We recommend looking into our round-up of this month’s batch of Microsoft updates for any flaws affecting systems you may use. As always, we recommend applying the latest updates as soon as they are made available to ensure you are protected against known threats and vulnerabilities.

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #197 – 15th July 2022


By Joshua Hare on 14/7/22


Microsoft Patch Tuesday: July 2022

Microsoft’s July Patch Tuesday has arrived. This month’s batch of security updates contains fixes for 84 total vulnerabilities, including four critical flaws and one actively exploited zero-day. Key issues addressed in this rollout include privilege escalation, remote code execution and security feature bypasses; we recommend looking into the advisories provided by Microsoft and applying the latest updates as soon as possible.

July’s instalment includes patches for some key software such as:

  • Azure Storage Library
  • Microsoft Defender for Endpoint
  • Microsoft Edge
  • Microsoft Office
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Skype for Business
  • Windows Active Directory
  • Windows BitLocker
  • Windows Kernel
  • Windows Shell
  • XBox

CVE-2022-22038: Windows Remote Procedure Call Runtime Remote Code Execution Vulnerability

This critical vulnerability exists in the Windows Remote Procedure Call Runtime and could allow a remote attacker to execute arbitrary code on the target system. The CVSS metric states that complexity for this attack is high, meaning the threat actor would need to “invest time in repeated exploitation” in order to succeed.

CVE-2022-30221: Microsoft Graphics Component Remote Code Execution Vulnerability

This is another critical remote code execution vulnerability, residing in the Windows Graphics Component. To exploit it, the target user must connect to a malicious RDP server, at which point code could be executed in the context of that user. Unlike the previous flaw, attack complexity for this vulnerability is low, so it can be exploited much more easily.

CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability

CVE-2022-22039: Windows Network File System Remote Code Execution Vulnerability

The final two critical vulnerabilities both exist in Windows Network File System and allow an attacker to remotely execute code on the target system. Exploitation of both flaws requires an unauthenticated, specially crafted call to an NFS service. Attack complexity for both is high, with CVE-2022-22039 also requiring the attacker to win a race condition.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul

Security update guide: https://msrc.microsoft.com/update-guide/

By Joshua Hare on 13/7/22


Ironshare is a provider of Information and Cyber Security services.
