Blog

Ironshare's latest posts ready to view and share.

Cyber Round-up

Cyber Round-up for 15th July

Cyber Round-up for 15th July

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

10,000 Organisations Targeted in AiTM Phishing Attacks

Microsoft announced this week that a huge phishing campaign had been spotted. It appears the attacks have hit more than 10,000 organisations since its arrival in September 2021; reports suggest that these attacks involve “hijacking Office 365’s authentication process even on accounts secured with multi-factor authentication”. The method used in this campaign has been named adversary-in-the-middle (AiTM) and involves setting up a proxy server between a victim and targeted site to steal credentials.

There are a lot of details about this campaign, as well as an extensive list of indicators of compromise (IOC). We recommend consulting this list and checking for any sightings within your environments. The list of IOCs, as well as further details on this campaign, can be found here.

By TheHackerNews.com

Windows Autopatch: The New Automatic Patching Solution

Windows Autopatch is a new service that has been released by Microsoft to manage the updates of devices and virtual machines. This service offers more granular updates compared to the dedicated monthly updates currently in place such as Patch Tuesday which means devices and virtual machines are at a reduced risk of being exploited by new vulnerabilities. Access to this service requires either a Windows Enterprise E3 or E5 account as well as being enrolled on Azure AD and Microsoft Intune. Additionally, Microsoft has stated that this service won’t prevent glitches or bricking caused by bad patches.

By TheRegister.com

UK NCSC & ICO Urge Businesses to Stop Paying Ransoms                      

Ransomware is still the largest online threat the UK faces, and it shows no sign of slowing down. Recent studies have shown that more and more businesses are paying ransoms to recover their data, which is contributing massively to the funding of future attacks. Over the last 5 years, cybecrime has cost UK businesses billions of pounds, and the NCSC and ICO are desperately trying to discourage the payment of these ransoms. In their statement on the matter, the two organisations said they believe ransom payments “further incentivise criminals”, while not guaranteeing the return of your data and files. Solicitors have been seen advising affected clients to pay the attackers, but we strongly encourage the opposite.

The NCSC & ICO’s official statement on the situation can be found here. This includes their appeal for assistance in spreading their beliefs regarding ransom payments, as well as additional details on the constant rise in ransomware attacks.

By Portswigger.net

Hacker Posts Offensive Material after Breaching Disney Social Media Accounts

Disneyland Resort’s Instagram and Facebook accounts were under the control of a hacker last Thursday just after 12 pm. The spree of posts uploaded contained racist material, declared he was working on “Covid 20”, and that people should hide before he released the “new deadly virus”. All claims by the hacker are false and shouldn’t be trusted. A statement released by Disney has stated:

"Disneyland Resort’s Facebook and Instagram accounts were compromised early this morning. We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation."

By BitDefender.com

$540 Million Stolen From Axie Infinity

Axie Infinity is a video game where players collect and mint NFTs which represent axolotl-inspired digital pets known as Axies. The game uses Ethereum-based cryptocurrencies using Ronin Bridge. The hack occurred in late March 2022, a senior engineer was deceived by hackers impersonating a fake company offering the engineer a job. In doing so the engineer downloaded a fake offer document disguised as a PDF which acted as trojan malware creating access for the hackers to internal systems. With this, the hackers were able to access the crypto wallet and transfer funds. The U.S. Treasury Department has implicated Lazarus Group, a hacker group with close relations to the North Korean state.

By TheHackerNews.com

Vulnerabilities & Updates

AWS Kubernetes Authentication Vulnerability Patched

Amazon has identified and patched a vulnerability in an Amazon Elastic Kubernetes Service plugin. The vulnerability relates to a plugin called IAM Authenticator which authenticates users who are trying to access a Kubernetes Cluster. Amazon stated that the vulnerability only occurred when the IAM Authenticator was configured to use the AccessKeyID template parameter. This would allow duplicate parameter names which can be used to elevate privileges. All existing EKS clusters have been patched while the new IAM Authenticator has been patched securing all environments across Amazon Web Service, new or old.

You can find AWS’ official advisory for this vulnerability here.

If you are interested in the nature of this flaw and details of how it can be exploited, we recommend this writeup by Lightspin.

By TechRadar.com

Microsoft Patch Tuesday: July 2022

Microsoft’s Patch Tuesday for July has arrived and includes fixes for 84 total vulnerabilities. 4 of these are critical remote code execution flaws, with one actively exploited zero-day being patched as well. We recommend looking into our round-up of this month’s batch of Microsoft updates for any flaws affecting systems you may use. As always, we recommend applying the latest updates as soon as they are made available to ensure you are protected against known threats and vulnerabilities.

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #197 – 15th July 2022        

Why not follow us on social media:

By

Joshua Hare

on

14/7/22

Security Guidance
Security Advisory Archives

Microsoft Patch Tuesday: July 2022

Microsoft Patch Tuesday: July 2022

Microsoft’s July Patch Tuesday has arrived. This month’s batch of security updates contains fixes for 84 total vulnerabilities, including four criticals and one actively exploited zero-day. There are some key flaws addressed in this rollout, such as privilege escalation, remote code execution and security feature bypasses; we recommend looking into the advisories provided by Microsoft and applying the latest updates as soon as possible.

July’s instalment includes patches for some key software such as:

  • Azure Storage Library
  • Microsoft Defender for Endpoint
  • Microsoft Edge
  • Microsoft Office
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Skype for Business
  • Windows Active Directory
  • Windows BitLocker
  • Windows Kernel
  • Windows Shell
  • XBox

CVE-2022-22038: Windows Remote Procedure Call Runtime Remote Code Execution Vulnerability

This critical vulnerability exists in the Windows Remote Procedure Call Runtime and could allow a remote attacker to execute arbitrary code on the target system. The CVSS metric states that complexity for this attack is high, meaning the threat actor would need to “invest time in repeated exploitation” in order to succeed.

CVE-2022-30221: Microsoft Graphics Component Remote Code Execution Vulnerability

This is another critical remote code execution vulnerability that resides in the Windows Graphics Component. To exploit this vulnerability, the target user is required to connect to a malicious RDP server where code could be executed in the context of the user. Unlike the previous flaw, attack complexity for this vulnerability is low and can be successfully exploited much easier.

CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability

CVE-2022-22039: Windows Network File System Remote Code Execution Vulnerability

The final two critical vulnerabilities both exist in Windows Network File System, and allow an attacker to remotely execute code on the target system. Exploitation for both flaws requires an unauthenticated specially crafted call to an NFS service. Attack complexity for both flaws is high, with CVE-2022-22039 requiring the attacker to win a race condition.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul

Security update guide: https://msrc.microsoft.com/update-guide/

By

Joshua Hare

on

13/7/22

Cyber Round-up

Cyber Round-up for 8th July

Cyber Round-up for 8th July

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Hacking Groups Switch Over to Brute Ratel Toolkit

Cobalt Strike has been widely used by red team penetration testers for years and has become one of the most popular toolkits for both testers and ransomware actors. A new post-exploitation toolkit known as Brute Ratel has emerged and has been picked up by many red team testers as their preferred option over Cobalt Strike. To prevent malicious use of the toolkit, the creator has limited its availability to legitimate licensed businesses. Unsurprisingly, ransomware groups have begun creating fake businesses to slyly get their hands on the new tool. This has generated some concern around the verification process for buyers, however Brute Ratel’s creator is yet to comment on the situation.

By BleepingComputer.com

Preparing to Face Russian Cyber Threat

The Russian invasion of Ukraine included some severe cyber attacks, and while these attacks have not impacted the UK, proactivity in bolstering cyber defenses is highly recommended. There is currently no signs of an immediate threat to UK organisations, but being prepared for the possibility of cyber warfare is a top priority. The NCSC has published new guidelines for strengthening security posture in response to the recent attacks launched against Ukraine, which we recommend all UK businesses follow and act on. This guidance provides steps that can be taken to heighten your security in a “sustainable way”.

This advisory can be found here.

By NCSC.gov.uk

Billion-Record Database Leaked on Breach Forum

A threat actor known as HackerDan has emerged on a news and discussion forum, claiming to be in possession of a database containing billions of records of Chinese civilians. The database reportedly contains the names, national ID number addresses and more, as well as police records and delivery instructions and addresses for drivers. The validity of this stolen information has been verified by various media outlets, and HackerDan is looking to sell the database for 10 bitcoin (approximately $200,000). The Shanghai government and police department have remained quiet about this leak, but sources suggest that this could be one of the “largest cybersecurity breaches ever recorded”.

By TheRegister.com

Apple Lockdown Mode Blocks Spyware Attacks

A new Apple security feature protects users from spyware attacks by blocking some functions and preventing calls from unknown users. The new “Lockdown Mode” is designed to protect high-risk users, following the recent spyware attacks on some politicians, activists, and journalists. The feature is expected to be available for iPhones, iPads, and Macs, and will arrive in the autumn of 2022. Apple are constantly impressing us with constant security updates and features, and we are excited to see where they go next.

By BBC.co.uk

HackerOne Employee Steals Bug Reports

A HackerOne employee has gone rogue, stealing vulnerability reports from their bug bounty platform with intentions to sell them for personal profit. The employee was discovered to be contacting affected customers about vulnerabilities that were already listed on the HackerOne platform, in an attempt to claim the bounties. After a short investigation, the threat actor was identified and their access privileges were revoked. HackerOne have also sent out an email notifying all customers of the rogue employee’s actions; this included a list of all vulnerability disclosures accessed by the employee.

By BleepingComputer.com

Marriott International Suffers Another Data Breach

The well-known hotel group, Marriott International, has reported yet another data breach. It has not been long since they were last hit, but news has quickly spread of a recent attack that saw 20 gigabytes of sensitive guest data stolen. The database reportedly included confidential guest and employee information, including payment card details. It appears this attack was initiated through social engineering targeting an employee of a Marriott hotel in Maryland. The attacker was not able to gain access to Marriott’s core network in this attack.

By TechCrunch.com

AMD Hit by Ransomware Attack

AMD are currently investigating a data breach, after receiving a ransom note from a group claiming to have stolen 450gb of data. The attackers claim that they exploited weak password practices to access AMD networks, with passwords such as “password” And “123456” being used by employees. The culprits, RansomHouse, are currently holding AMD ransom, but the amount they are demanding has not been revealed.

By BitDefender.com

British Army YouTube & Twitter Accounts Hacked

The Twitter and YouTube accounts of the British Army has been compromised, with suspicious behaviour displayed on both. Cryptocurrency related videos were recently posted on YouTube, while Twitter users noticed posts from the Army relating to NFTs. An investigation has been launched into this incident and an army spokesperson has stated it would be “inappropriate to comment further”. We do not currently know who is responsible for this attack and not much else is known, but we surmise it is likely the result of poor password hygiene, reuse/credential stuffing or a lack of multi-factor authentication .

By BBC.co.uk

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #196 – 8th July 2022          

Why not follow us on social media:

By

Joshua Hare

on

7/7/22

Cyber Round-up

Cyber Round-up for 1st July

Cyber Round-up for 1st July

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Russian Cyber Attack On Lithuania Causing Further Tension

A non-state-affiliated Russian hacker group called killnet has claimed responsibility for an attack on Lithuanian transport and media websites as well as state institutions such as the Lithuanian tax service causing it to pause its operations. The locations were hit with a DDoS attack that caused the services to be overwhelmed with network traffic most likely originating from a botnet. Killnet has declared within their Telegram channel that the attack was in retaliation to Lithuania limiting the transport of goods between Russia and Kaliningrad, a piece of Russian-owned land situated between Lithuania and Poland with no border touching Russia’s. Lithuania has stated that they are only enforcing European Union sanctions on goods coming from Russia.

By News.Sky.com

Clarion Housing Group Victim Of Cyber Attack

Clarion, which owns and manages 125,000 houses across the UK, was targeted by cybercriminals. That attack has affected some email, IT systems and phones lines for the company and stated “We rapidly engaged the help of our cyber security partner and they have been helping us to investigate what happened and get us back up and running, but we can’t say for sure when this will be.” An investigation is ongoing to state if customer information and banking details have been stolen during the attack, but Clarion has said “We take data protection very seriously and once we have established what has happened, we will advise if you need to do anything.”

By cambstimes.co.uk

Wiltshire Farm Foods And Apetito Suffer Cyber Attack

Apetito and its subsidiary Wiltshire farm food are the most recent UK organisations to be at the mercy of cybercriminals. The sophisticated attack on the 26th of June evaded Apetito security systems and disrupted its IT systems. Apetito has reported that it is working with law enforcement to investigate and resolve the attack. The aftermath of the attack has caused disruption to deliveries and was unable to contact customers due to not having access to customer telephone numbers. Wiltshire Farm Foods reassured customers that their payment details are safe as they are not stored on their systems.

By FoodManufacture.co.uk

Ransomware Remains As Biggest Threat to Cybersecurity

Things change extremely quickly in the cybersecurity world, but one thing that has been guaranteed in recent times is the huge impact of ransomware attacks. The CEO of the NCSC commented on this, stating that “Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware”. This shows how severe the problem is becoming, with attack numbers growing every year. Ransomware techniques are rapidly becoming more advanced and difficult to prevent, but the NCSC’s Active Cyber Defence Program has been working hard to actively disrupt cyberattacks.

By ZDNet.com

Migration Orgs Targeted in New Evilnum Operation

The Evilnum hacker group appears to be showing signs of life after a short break and has quickly returned with a new APT operation. The timing of their return is no coincidence as it began targeting migration organisations as Russia’s invasion of Ukraine began; the victims seem to be receiving “malicious emails containing macro-laden documents”. This operation has incorporated new tactics and techniques that have not been used by Evilnum in the past; details of their updated attack techniques can be found here.

By BleepingComputer.com

Personal Details of Japanese Residents Compromised

A Japanese worker has accidentally caused a massive breach in confidentiality, after misplacing a USB stick containing the personal details of almost half a million Amagasaki residents. The USB stick was stolen, along with the man’s bag, while he was drinking in a local restaurant. The stolen details includes names, birth dates, addresses of all city residents, tax details, bank account numbers and social security information. Fortunately, the stolen USB is reportedly encrypted and requires a password, and although it has been claimed that the data has not been accessed, it is unclear how they could known this. Apologies have been issued by city officials after they “profoundly harmed the public’s trust in the administration of the city.”.

By BBC.com

Vulnerabilities & Updates

Linux Vulnerability PwnKit Reportedly Exploited In The Wild

A vulnerability labelled as PwnKit has been reported to be exploited in the wild. The vulnerability is tracked as CVE-2021-4034 and has been known since January 2022 and poses a serious threat to users of Linux machines. The vulnerability resides in a service called PolKit which controls privileges on the system. Successful exploitation of this vulnerability would allow a hacker to run arbitrary code with administrative rights and compromise the host.

By TheHackerNews.com

CWE’s Top Software Weaknesses of 2022

CWE have compiled a list of the top 25 dangerous software weaknesses for 2022. This acts as an informative resource for software users to understand and mitigate risks. This list is updated every year, and the biggest flaws that have moved up the list are Race Condition, Code Injection, Uncontrolled Resource Consumption, Command Injection, and NULL Pointer Dereference flaws. Some of these are new additions this year, while others have simply moved their way up the list. We advise any software developers, architects or security researchers to utilise this resource and take advantage of its guidance.

By CWE.Mitre.org

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #195 – 1st July 2022

Why not follow us on social media:

By

Joshua Hare

on

30/6/22

Cyber Round-up

Cyber Round-up for 24th June

Cyber Round-up for 24th June

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Strava Fitness-Tracker Used to Spy on Israeli Military

The Strava fitness-tracking app has recently been used to spy on members of the Israeli military. This was discovered by an Israeli open-source intelligence operation, who believes the app was used to track movements between secret bases and observe overseas activity. This has the potential to be very dangerous, since undercover members may be discovered or identified.

By BitDefender.com

RIG Exploit Kit Used to Deliver New Malware

In the past, the well-known RIG Exploit Kit has been primarily used to deliver the Raccoon Stealer, however recent activity has shown that the operators have chosen a new malware for their latest campaign. Since January 2022, RIG operators have been using the exploit kit to deliver the Dridex financial trojan; another campaign that began in April has also been spotted using the RedLine Stealer. Many different variants have been spotted in the first half of 2022 and we expect to see more in the near future. This latest switch has been triggered by the death of a key team member in the Russia-Ukraine war.

By TheHackerNews.com

1.5 Million Customers Affected by Flagstar Bank Breach

Flagstar Bank recently disclosed news of a data breach that occurred back in December 2021. The announcement claims that the personal data of 1.5 million customers has been compromised, including full names and social security numbers. Affected users are being offered two years of identity monitoring and protection services for free. Not much more is known about the incident, but it appears that Flagstar’s response has been positive; despite this, there is still cause for concern since this is their second major security incident in the last year and they could of informed impacted customers earlier.

By BleepingComputer.com

UK Deliveries Impacted by Yodel Cyber Incident

Yodel have announced they are experiencing service disruption due to a recent cyber incident. Their latest statement claims they are “working to restore our operations as quickly as possible”, but also stated that order tracking is currently unavailable, and deliveries may be delayed. While no payment information has been leaked, there is the possibility that other personal data may have been stolen; this is being investigated now.

By InfoSecurity-Magazine.com

ToddyCat APT Hits Microsoft Exchange Servers

ToddyCat, a new advanced persistent threat, has been identified as the culprit of a series of attacks hitting Microsoft Exchange Servers. The attacks are primarily targeting government and military installations in Asia and Europe and appear to “leverage two passive backdoors within the Exchange Server environment with malware called Samurai and Ninja”. This reportedly allows the attacker to completely take over the target hardware.

More details on the nature of these attacks can be found here.

By ThreatPost.com

Vulnerabilities & Updates

Vulnerabilities Found in Siemens Industrial Control System

New research conducting by Claroty has revealed fifteen vulnerabilities in Siemens SINEC network management system. If exploited correctly, these flaws could allow a remote attacker to execute code on the affected system. These vulnerabilities are especially dangerous since they affect devices primarily used in industrial automation; this means there is also a potential risk to human life. All versions prior to V1.0 SP2 Update 1 are affected; we recommend all Siemens users update their systems as soon as possible.

By TheRecord.media

Cisco Warns of Flaws in Security Appliances

Cisco recently revealed four new vulnerabilities in their security products, one of which is high severity and exists in email and web security appliances. While there is no trace of this flaw being exploited in the wild, it could allow an attacker to steal sensitive information like user credentials from a LDAP external authentication server. This is accompanied by three medium severity vulnerabilities; some fixes have been released for earlier versions of affected products, however some will not be available until August and December.

More details on fix releases for the affected appliances can be found here.

By TheRegister.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #194 – 24th June 2022       

Why not follow us on social media:

By

Joshua Hare

on

23/6/22

Cyber Round-up

Cyber Round-up for 17th June

Cyber Round-up for 17th June

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Phishing Campaigns Using Reverse Tunnelling and URL Shorteners Evade Detection

Cybercriminals are beginning to incorporate new techniques into their phishing campaigns to make them more successful and harder to detect. The latest trend in phishing is utilising reverse tunnelling and URL shorteners to evade detection; if done correctly, the attacker will leave no trace. These methods involve the misuse of legitimate services to bypass phishing countermeasures and do not require exploitation of a vulnerability. Reverse tunnelling attacks are becoming increasingly popular; this calls for improvement to the monitoring of reverse tunnel services to help detect these techniques and prevent future attacks.

By Portswigger.net

Abertay University Opens £18 Million Cyber Security Centre

Abertay University has been praised for its efforts to improve Cyber Security. Its newly opened Cyber Security centre cost £18M and will be available for use by students, academics, and businesses, with the NHS National Services Scotland cyber-security wing as their first official client. Students at Abertay University will be given the chance to learn cyber security from industry professionals, providing them with the best education available.

By BBC.co.uk

2000 Scammers Arrested Along With $50 Million Seized By Interpol

Interpol, an international organization that facilitates worldwide police cooperation and crime control, conducted its “first light 2022” operation. Interpol and 76 supporting countries helped in this operation which focused on organisations conducting social engineering attacks such as telephone deception, romance scams, business email compromise (BEC) scams, and related money laundering. The operation lasted from March 2022 to May 2022 resulting in:

•             1,770 physical locations raided worldwide

•             3,000 suspects identified

•             2,000 operators, fraudsters, and money launderers arrested

•             4,000 bank accounts frozen

•             $50 million worth of illicit funds intercepted

By BleepingComputer.com

26M Request Per Second DDoS Attack Prevented

This week, Cloudflare announced that they had prevented a new record-breaking DDoS (distributed denial-of-service) attack. At its peak the attack was sending 26 million requests per second from a botnet of more than 5,000 devices. It appears each device was sending approximately 5200 RPS at the height of the attack. Investigations revealed that the customer’s website received a flood of around 212 million HTTPS requests in a 30 second timeframe, making this the largest HTTPS DDoS attack ever seen.

By TheHackerNews.com

New Linux Malware Is Near Impossible to Detect

Security researchers have identified a new Linux malware that is supposedly “nearly impossible to detect”. The malware, named Symbiote, is unlike most Linux malware; rather than being an executable file, Symbiote is a shared object library that loads itself into all running processes to infect them. This allows an attacker to gain remote access, rootkit functionality, and steal credentials. The evasive tactics used by this malware make it very difficult to detect, and researchers are unsure how frequently it is being used; this also means that standard antivirus tools are unable to detect Symbiote, so all Linux devices are vulnerable.

By ThreatPost.com

Vulnerabilities & Updates

Internet Explorer 11 Reaches End Of Life For Some Windows 10 Editions

Internet Explorer was first released in 1995 on Windows Plus! upgrade pack for Windows 95. Multiple upgrades have been made since its initial release with the current version called Internet Explorer 11. Microsoft has reported that Internet Explorer will reach the end of life for some editions of Windows 10. As of 15th June, Internet Explorer will no longer receive feature or security updates making it incredibly important that affected users move to a more secure browser such as Microsoft Edge or Chrome. If users need Internet Explorer to access websites no longer supported by modern browsers the "Internet Explorer mode" in Microsoft Edge will allow users to access websites while using a secure browser.

By TheRegister.com

Ransomware Groups Exploiting Atlassian Confluence Zero-Day

Last month, it was revealed that all supported versions of Atlassian Confluence Server and Data Centre are vulnerable to a new remote code execution zero-day. Since the disclosure of this vulnerability, ransomware groups have begun actively exploiting it in their attacks. An official patch was released on the 3rd of June and all users are recommended to apply the latest patches as soon as possible to ensure protection against an attack.

More details and remediation steps can be found here.

By TheRecord.media

Microsoft Patch Tuesday: June 2022

Microsoft's Patch Tuesday for June 2022 has arrived, and includes fixes for 55 total vulnerabilities, 3 of which are considered critical. While this is a smaller patch release than we are used to from Microsoft, it still includes some important updates for key software such as Azure, Visual Studio, Office, Windows Defender and more.

More details on this batch of security updates can be found here in Ironshare's round-up of the June 2022 Patch Tuesday release.

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #193 – 17th June 2022        

Why not follow us on social media:

By

Joshua Hare

on

16/6/22

Security Guidance

Microsoft Patch Tuesday: June 2022

Microsoft Patch Tuesday: June 2022

This month appears to be a quiet Patch Tuesday, with only 55 new vulnerabilities being patched; 3 critical, 1 publicly disclosed and 1 exploited in the wild. This is a decrease of 18 total vulnerabilities compared to last month's release.

June’s instalment includes patches for some key software such as:

  • Visual Studio
  • Azure
  • Intel
  • Microsoft Edge
  • Microsoft Office
  • Role: Windows Hyper-V
  • SQL Server
  • Windows App Store
  • Windows Defender
  • Windows Installer
  • Windows Kernel
  • Windows PowerShell

CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

This remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights. Although not classified as critical this is the only vulnerability that has been publicly disclosed and has been seen in the wild.

CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability

This critical vulnerability could allow a hacker to trigger remote code execution. By sending a specially crafted packet call to a Network File System (NFS) a hacker could submit code to be executed by the system all while being unauthenticated. This vulnerability is more likely to be exploited due to not having to be authenticated by a system holding potentially sensitive data.

CVE-2022-30139: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

This critical vulnerability affects an unknown part of the component LDAP. The manipulation of an unknown input can lead to a privilege escalation vulnerability. Exploitation is known to be difficult but can be initiated remotely by a hacker. Simple authentication is necessary for this vulnerability to be exploited potentially providing some protection against novice hackers. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.

CVE-2022-30163: Windows Hyper-V Remote Code Execution Vulnerability

The last critical vulnerability would require the hacker to win a race condition. a successful attack could allow a hacker to traverse the guest's security boundary to execute code on the Hyper-V host execution environment.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Jun

Security update guide: https://msrc.microsoft.com/update-guide/

By

Joshua Hare

on

15/6/22

Cyber Round-up

Cyber Round-up for 10th June

Cyber Round-up for 10th June

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Verizon employee database stolen by a hacker                  

Verizon is the latest company to be at the mercy of hackers. According to an interaction between the undisclosed hacker and a journalist called Lorenzo Franceschi-Bicchierai, the hacker used social engineering techniques to impersonate an internal support engineer and persuade an employee to allow remote access to their corporate device. With this access, the hacker used an internal corporate tool to scrape data from the employee database using a script. The stolen information contained the full name, email address, corporate ID number, and phone number of hundreds of Verizon staff members. The hacker has put forward a ransom of $250,000 to Verizon to not publicly leak the information stolen. A Verizon spokesperson has said “A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further. As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.”

By BitDefender.com

41 Domains Seized By Microsoft Used in Spear-phishing attacks

Microsoft recently reported that it has seized 41 domains that were being used as command-and-control servers for an advanced spear-phishing operation. The operation was led by an Iranian threat actor labelled as Bohrium, and saw fake social media profiles, mostly portraying recruiters, being used to harvest personal data. An email was then sent to the victim containing malicious emails to download malware onto the victim’s device.

By TheHackerNews.com

Mandiant investigates Breach claims

The cyber security company Mandiant has investigated claims reported by the LockBit ransomware gang that they breached Mandiant’s’ network and stole data. LockBit has threatened that it will leak all the 356,841 stolen files online. Mandiant has said that it “is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.”

Since initial reports, it has become clear that LockBit have not breached Mandiant at all, and instead were using this as a campaign to distance themselves from the Evil Corp group, who Mandiant had recently reported had moved to LockBit's Ransomware as a service to avoid sanctions imposed by the US.

By Bleeping Computer.com

Concern For Black Basta Ransomware Group Attacks

Black Basta, a new ransomware group first seen in April has been witnessed using the Qbot trojan. Qbot was first seen infecting systems 14 years ago and is capable of keylogging, exfiltrating cookies, and lifting online banking details and other credentials. Qbot has evolved since 2008 to detection-evasion and context-aware delivery tactics, as well as phishing capabilities that include e-mail hijacking, among others. “The seriousness and efficiency of the collaboration cannot be underestimated” Garret Grajek, CEO of security firm YouAttest said. The way Black Basta is leveraging Qbot is unique and seems to be an effective way of stealing information from companies.

By ThreatPost.com

Apple App Store Users Protected from $1.5 billion in fraud

Apple has reported that it protected millions of its app store users from being defrauded, with calculations estimating $1.5 billion. Over 1.6 million apps and updates were ceased by Apple’s fraud prevention analysis that was deemed as untrustworthy or risky. Both Apple’s and Google’s app stores have seen many apps attempting to swindle money through subscriptions as well as hiding features or adding additional features into apps after launch that would breach guidelines.

By TripWire.com

New Emotet Variant Stealing Card Information from Chrome

A newly seen variant of Emotet has been reported, the new variant contains a module used to steal bank card information from Google Chrome. The new variant can also exfiltrate data to multiple command-and-control servers. The new variant will still allow for self-propagation and as a loader to download more malware onto a system. Emotet is mainly delivered via email campaigns designed to make the user install the malware from the malicious email.

By TheHackerNews.com

Vulnerabilities & Updates

Follina Office zero-day vulnerability

Follina - A zero-day vulnerability has been recently discovered in Microsoft Word. A specially crafted word document can use the Word remote template feature allowing for the retrieval of an HTML file from a remote web server using MSDT (Microsoft Support Diagnostic Tool). This file can be manipulated to allow bespoke code to run, resulting in a remote code execution attack. The worrying aspect about this exploit is that the victim only needs the preview pane open in the file explorer for the remote code execution to occur, even the protected view when the document is open is vulnerable. Kevin Beaumont's blog DoublePulsar.com contains more details about this threat. He has also made a custom detection rule query for Defender for Endpoint which is available via GitHub.

By DoublePulsar.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #192 – 10th June 2022       

Why not follow us on social media:

By

Samuel Jack

on

9/6/22

Cyber Round-up

Cyber Round-up for 27th May

Cyber Round-up for 27th May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Ransomware Attack Leaves Airline Passengers Stranded

An Indian airline recently reported that an attempted ransomware attack halted all flights, leaving many passengers unable to travel home. The airline, SpiceJet, confirmed that many flights were delayed or cancelled as a result of the attack on their infrastructure; however, a recent statement claims that the situation has been contained and the airline is now “operating normally”. There seems to still be a few minor delays for some flights, but the attack does not seem to have had a major impact on business operations.

By BitDefender.com

Ransomware Attacks Rise Over Last 12 Months

The 2022 edition of Verizon’s Data Breach Investigations Report featured an assessment of around 24,000 security incidents, including more than 5,000 data breaches. The numbers from this report reveal that ransomware attacks have risen in popularity over the last twelve months, with an increase of 13% compared to 2021.

This report covers a lot more than just ransomware statistics. You can find details on the rest of the report here.

By PortSwigger.net

Personal Information Exposed in General Motors Cyber-Attack

The major automobile manufacturer, General Motors, recently revealed that they had suffered a cyber attack that exposed the personal information of their customers. The incident occurred last month and was identified as a credential-stuffing attack, in which the attacker used username and password combinations discovered in a previous breach. Be aware that General Motors have not suffered a direct breach; credential-stuffing attacks are made possible by users reusing their passwords for multiple unrelated services.

We strongly advise the use of password managers to help keep track of your passwords and avoid reuse. Incidents like this can be completely avoided through good password practice; for guidance and information on best practices, please consult our helpful infographics found here.

By InfoSecurity-Magazine.com

142 Million Customer Records Stolen from MGM Resorts

More than 142 million customer records were recently stolen from MGM Resorts and were dumped on instant-messaging service Telegram. The files contained around 8.7GB of data, including details of celebrities such as Jack Dorsey and Justin Bieber. It appears that the stolen data contained full names, postal addresses, unique email address and phone numbers, and dates of birth; while no payment details or passwords were stolen, the data could be used for identity theft.

By TheRegister.com

INTERPOL And Unit 42 Tracks Down Scammer

Unit 42, a division of Palo Alto Networks, has been working in collaboration with INTERPOL in an attempt to stop a Nigerian scammer. Since 2015 a scammer going by the name of SilverTerrier has been conducting business email compromises to gather money or assets for their own gain. In May 2021 an operation began to capture this scammer however, they fled Nigeria in 2021 outside the reach of INTERPOL. In March 2022 the scammer returned to Nigeria and was arrested. Email compromises are a rising threat to businesses and should take appropriate actions to secure themselves from such attacks.

By Unit42.PaloAltoNetworks.com

XorDdos Malware Rise Recorded By Microsoft

A botnet malware called XorDdos has seen a 254% increase in activity over the last 6 months according to Microsoft’s latest research. XorDdos affects devices running Linux distributions and has recently been targeting Docker servers with exposed ports. XorDdos has been used to deploy the Tsunami trojan which then installs XMRig coin miner. The recent rise of XorDdos has led it to be the most prevalent malware targeting Linux systems in 2021, accounting for 22% of all IoT malware observed in the wild.

By TheHackerNews.com

Vulnerabilities & Updates

Zoom Zero-Click RCE Patched

Researchers recently discovered a remote code execution flaw in the popular video-conferencing service, Zoom. The vulnerability, affecting Windows, macOS, iOS and Android, is being tracked as CVE-2022-22787 and is said that “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat using the XMPP protocol”. This would allow a hacker to send a specially crafted package to another user to force their client to connect to a malicious server allowing the hacker to send spoofed messages. Please update Zoom ASAP to prevent potential user and business impact.

By ThreatPost.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #191 – 27th May 2022

Why not follow us on social media:

By

Joshua Hare

on

26/5/22

Cyber Round-up

Cyber Round-up for 20th May

Cyber Round-up for 20th May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

PRODAFT’s Investigation of Wizard Spider Gang

The PRODAFT Threat Intelligence team has produced a technical report of the Russian-linked cybercrime gang, Wizard Spider. Wizard Spider are known for being the group behind the Conti, Ryuk, and Trickbot malware attacks and have grown to be one of the most high-profile criminal groups in the world. PRODAFT’s report provides “unprecedented visibility into the structure, background, and motivations of Wizard Spider.” and gives an in-depth analysis of their operations as what has been describe as “corporate-like”.

The full report from PRODAFT can be found here.

By TheRegister.com

Malicious Mobile Apps Identified as Credential Stealers

A number of Google Play Store apps have been identified as malicious, with some designed to steal user credentials for platforms such as Facebook. Other apps, that appear to be cryptocurrency miners, have been seen stealing private keys mnemonic phrases used to recover cryptocurrency wallets.

We strongly advise all android users to be cautious and avoid these applications; some known malicious apps have been identified here, so this list may give you an idea of what you should be looking out for.

By TrendMicro.com

Council Leaks Details of SEND Students

Central Bedfordshire Council in the UK has been labelled as “incompetent” after failing to redact the personal information of pupils with special educational needs. The details were published on a public website by Council staff, who have released a statement apologising for the incident. The council claims they are “making changes to its procedures to avoid a repeat of the incident in the future”. We hope the safeguarding of personal information is taken more seriously from now on, and that staff are trained on the importance of data confidentiality.

By GrahamCluley.com

BlackByte Ransomware Attacks Spreading Across the Globe

The BlackByte group has become increasingly popular recently due to its ransomware-as-a-service activities. BlackByte offer their services to criminals all around the world, and have been linked to attacks everywhere, from North America to Europe and parts of Asia. Their attacks typically begin with phishing attempts or exploitation of unpatched services, most notably the recent SonicWall VPN and ProxyShell flaws. With one of the largest ransomware groups in the world primarily targeting unpatched systems, we advise everyone around the world to keep up with security updates and patch management.

By Blog.TalosIntelligence.com

Europe Agrees To NIS2 Directive to Harden Security

Cyber security has been a constant battle in the digital age, and the European Parliament has endorsed plans to introduce the Networks and Information Security 2 (NIS2) directive to boost cyber security efforts across Europe. This newly revised directive aims to build upon its predecessor, NIS, by requiring energy, transport, financial markets, health, and digital infrastructure sectors to appropriately introduce and maintain defined risk management measures reporting security incidents. Failure to conduct these actions appropriately could incur a monetary charge. Along with this "The directive will formally establish the European Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents," the Council of the European Union said.

By TheHackerNews.com

Authorities Thwart Russian Cyber Attack During Eurovision Final

This year Italy hosted Eurovision 2022, with a spectacular display from the Ukrainian band Kalush Orchestra. Sadly, things were not so joyous behind the scenes. During the grand final on Saturday, pro-Russian hacking group Killnet and their affiliate Legion were caught attempting to hack infrastructure used by Eurovision. Italian authorities became aware of the attack before it began as police infiltrated telegram channels used by the hackers to plan their attack. A successful attack could have meant broadcast outages or vote manipulation, however planning from the Italian authorities thwarted this attack before any damage could be done.

By BitDefender.com

Vulnerabilities & Updates

Vulnerability Found in Tatsu Builder WordPress Plugin

Tatsu Builder Plugin, a front-end and fully visual page builder has been exploited by hackers. The vulnerability stated as CVE-2021-25094 is a remote code execution vulnerability that has been reported to be exploited to inject dropper malware onto a website. Approximately 20,000 to 50,000 utilise the Tatsu builder plugin with around a quarter still vulnerable. Users are advised to install the latest update to be protected from this attack.

More details on this flaw can be found here.

By Wordfence.com

Bluetooth Low Energy Vulnerability Exploited

A flaw discovered by the NCC Group has shown that Bluetooth low energy isn’t as secure as originally thought. BLE uses proximity as a means of authenticating the user if near another device, NCC Group has created a proof of concept that exploiting this trust could allow hackers to bypass known protection mechanisms. BLE is used for things such as smart locks and automobiles, being able to exploit this potentially means these devices could be put at risk. People are advised to disable passive unlock functions and disable Bluetooth on mobile devices when not needed.

By TechRepublic.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #190 – 20th May 2022

Why not follow us on social media:

By

Samuel Jack

on

19/5/22

Security Guidance

Microsoft Patch Tuesday: May 2022

Microsoft Patch Tuesday: May 2022

Included in the latest Patch Tuesday are 73 new vulnerability patches; 6 critical, 2 publicly disclosed and 1 exploited in the wild. This is a decrease of 44 compared to last month's Patch Tuesday release.

May’s instalment includes patches for some key software such as:

  • .NET and Visual Studio
  • Microsoft Edge
  • Microsoft Exchange Server
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Role: Windows Fax Service
  • Role: Windows Hyper-V
  • Visual Studio
  • Windows Active Directory
  • Windows Remote Desktop

Important Notes

CVE-2022-26925: Windows LSA Spoofing Vulnerability

This is an important vulnerability affecting Windows Local Security Authority, part of the Windows Client Authentication Architecture which authenticates and creates a logon Session to the Local Computer. This could allow a hacker to produce a man-in-the-middle attack on domain controllers to authenticate the hacker. This vulnerability has been reported to be publicly disclosed and exploited in the wild.

CVE-2022-26937: Windows Network File System Remote Code Execution Vulnerability

With a critical CVSS of 9.8, a hacker could remotely execute code with a system using the windows NFS service by sending a specially crafted call all while remaining unauthenticated. This could allow a hacker a foothold to access a system by deploying a backdoor. Luckily, this vulnerability hasn’t been seen in the wild nor is it publicly disclosed.

CVE-2022-26923: Active Directory Domain Services Elevation of Privilege Vulnerability

Another critical vulnerability in this month's line-up, with a CVSS of 8.8 exploiting this vulnerability would allow an authenticated user to manipulate attributes on computer accounts they own or manage and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.

CVE-2022-22713: Windows Hyper-V Denial of Service Vulnerability

This important vulnerability with a CVSS of 5.6 would allow a hacker to manipulate an input to a Hyper-V component causing a Denial of Service. Successful exploitation of this vulnerability requires a hacker to win a race condition. This vulnerability has been publicly disclosed.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-May/

Security update guide: https://msrc.microsoft.com/update-guide/

By

Samuel Jack

on

16/5/22

Cyber Round-up

Cyber Round-up for 13th May

Cyber Round-up for 13th May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

BIG-IP Critical Vulnerability Allowing Device Wipe

A critical vulnerability in F5’s BIG-IP, a collection of hardware and software designed around application availability, access control, and security solutions has been at the mercy of hackers after a critical vulnerability has been exploited in the wild. The critical vulnerability allows hackers to execute commands on BIG-IP network devices as an administrator without authentication. This attack has been used to initiate webshells, steal SSH keys, enumerate system information and attempts have been made to wipe the network devices. F5 has recommended all users update to the newest version immediately.

By BleepingComputer.com

REvil Ransomware Gang Returns With New Samples Found

After six months of inactivity, it appears that the REvil ransomware gang has returned, with analysts finding multiple new samples associated with the group. While it has not been confirmed that the group is back, we do know that the developer of these samples has access to REvil source code. REvil were one of the pioneers of double extortion attacks, so their return may cause trouble for a lot of people. We will keep an eye out for any signs of their return and provide updates when we learn more.

By TheHackerNews.com

UK Government Destroy Stolen Credit Card Details

Hundreds of thousands of credit cards were stolen by criminals across the UK, which could have potentially led to a loss of tens of millions of pounds. Fortunately, UK government hackers were quick to act on this and were able to avoid any fraudulent use by destroying the stolen credit card details. Not much has been revealed about this operation, however we do know that the UK government has been actively tackling criminals online; this strategy is proof that their strategies have been hugely successful in the prevention of cybercrime.

By News-sky-com

AGCO Hit By Ransomware

AGCO, a producer of agricultural machinery, has been hit by ransomware. AGCO has reported that it was the victim of a ransomware attack affecting some of its production facilities causing workers to be sent home. An investigation is underway to identify and remediate the ransomware. AGCO has not said whether it is prepared to pay the ransom or how much it is. The manufacturer said that business operations will be “adversely affected for several days” and may take longer to fully recover.

By GrahamCluley.com

Recent Cyberattacks Target MM.Finance and Fortress DeFi Platforms

DeFi platforms MM.Finance and Fortress have both reported cyberattacks that drained millions of dollars’ worth of cryptocurrency. MM.Finance has reported losses of more than $2 Million, while Fortress claims to have lost about $3 Million. These companies have requested that no assets are supplied while they investigate the incidents; as soon as more information is available we will provide updates here.

More details on the Fortress attack can be found here.

For information on the MM.Finance attack click here.

By TheRecord.media

Vulnerabilities & Updates

Emergency Google Android Update Addresses 36 Security Flaws

All Android users are advised to update their devices as soon as possible, as the latest security update contains fixes for 36 vulnerabilities. 11 of these flaws are unique to the Google Pixel, with two critical vulnerabilities allowing a remote attacker to execute arbitrary code on the target device.

More details on these vulnerabilities can be found here and as always, we recommend upgrading to the latest version immediately.

By Forbes.com

Application Errors Caused by Windows 11 KB5013943 Updates

Microsoft’s Patch Tuesday for May 2022 dropped this week, featuring fixes for a number of key vulnerabilities. One of the most important things to mention about this months batch of security updates is the issues it has caused in Windows 11. The KB5013943 update for Windows 11 has reportedly been breaking .NET applications, causing users to be unable to open them. Guidance on how to fix this issue can be found here.

As well as this, you can find Microsoft’s official security update guide for May 2022 Patch Tuesday here.

By BleepingComputer.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #189 – 13th May 2022

Why not follow us on social media:

By

Joshua Hare

on

12/5/22

Cyber Round-up

Cyber Round-up for 6th May

Cyber Round-up for 6th May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

NCSC Warns of Malicious App Risk

The latest report from the NCSC warns people of the danger of malicious apps available on app stores. The UK’s National Cyber Security Centre believes there is “more for app stores to do” when it comes to security and made it clear that this threat affects many devices such as laptops, PCs, smart TVs, IoT devices and more, not just smartphones. The NCSC are asking app stores to “commit to a new code of practice”, which will detail a revised set of security and privacy requirements that will allow flaws to be discovered and fixed much quicker.

By BBC.co.uk

The White House Announces Quantum Technology Support in the US

The nations of the world are all in a race to develop and support quantum technology, which is believed to enable massive advancements in various areas of science, specifically artificial intelligence. The White House announced this week that they are now prepared to support quantum technology, as well as implementing new cyber security measures to defend against the supercomputers it may facilitate.

It is believed that “quantum computers will soon reach a sufficient size and level of sophistication needed to break much of the cryptography that currently secures digital communications on the internet.”

While the advancement of such technologies is exciting, it does present many new risks, so it is important that the US has a plan to address this.

By Reuters.com

Breast Cancer Charity Exposes Users

Breastcancer.org was recently discovered to have a misconfigured Amazon S3 Bucket which allowed data to be left exposed to the public. The bucket is believed to have contained 350,000 files; around 150GB of data. 50,000 user avatars were also at risk, with most featuring images of the users. Along with these images, sensitive data such as camera model, brand and most critically GPS location data wasn’t stripped meaning home addresses could potentially be exposed if GPS location data was on the photograph. These kind of breaches are likely to have a greater impact on the patients than on the organisation.

By HackRead.com

Vulnerabilities & Updates

Multiple Flaws Found in Cisco Enterprise NFV Infrastructure Software

Multiple vulnerabilities have been discovered in Cisco Enterprise NFC Infrastructure Software. An attacker exploiting these flaws would be able to escape from a guest VM to the host machine and execute arbitrary code at the root level. This could also allow the attacker to leak data from the host back to the VM. These flaws are known to affect Cisco Enterprise NFVIS using the default configuration and as always, we recommend applying the latest patches to ensure you are protected against these vulnerabilities.

More details on the individual vulnerabilities can be found here.

By Tools.Cisco.com

Major Updates for iOS, Android and Chrome Flaws

Apple have released iOS 15.4.1 just two weeks after the launch of 15.4, due to a vulnerability in AppleAVD allowing privilege escalation. This would allow a hacker full control over your device if executed correctly. The update also fixes a battery drain issue that was reportedly affecting some iPhones.

MacOS Monterey 12.3.1 has also been released to patch this flaw, along with a vulnerability relating to the Intel graphics driver which would allow an app to read kernel memory.

Android also released an update to patch 44 vulnerabilities in its mobile operating system along with 5 more specific vulnerabilities relating to Google’s Pixel smartphones. The most severe would allow local privilege escalation without any user interaction.

Google Chrome has received an update to patch two new flaws, one of which is a high severity vulnerability being actively exploited in the wild.

Oracle, Microsoft, Mozilla and WordPress have also pushed out big security updates to keep their services secure from hackers.

By Wired.co.uk

Unpatched Critical Vulnerability Found in uClibc

Security researchers have publicly disclosed a vulnerability in uClibc, a library for the C programming language that is used in lots of IoT devices around the world to develop software. This vulnerability could allow an attacker to conduct DNS poisoning and redirect traffic from a network to a controlled server to record traffic, steal information or manipulate data. The maintainer of uClibc was “unable to find a fix” and is currently working with security professionals and the public security community in the hopes of fixing this flaw. 

By TheRecord.media

BIG-IP iControl REST Vulnerability

A new vulnerability has been discovered that could allow an unauthenticated attacker to bypass iControl REST authentication and access the BIG-IP system to execute arbitrary code. Exploitation could also lead to the creation/deletion of files and allow the attacker to disable services. While mitigation techniques are available, we recommend upgrading to the latest fixed version as soon as possible.

More details on this can be found here.

By support.f5.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #188 – 6th May 2022

Why not follow us on social media:

By

Joshua Hare

on

5/5/22

Cyber Round-up

Cyber Round-up for 29th April

Cyber Round-up for 29th April

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

New RIG Exploit Kit Campaign Utilises RedLine Stealer

A RIG Exploit Kit campaign has been discovered recently, which appears to be exploiting a Memory Corruption vulnerability in Internet Explorer to deliver the RedLine Stealer malware. RedLine Stealer has been described as “a low-cost password stealer sold on underground forums” and allows an attacker to perform reconnaissance on the target system and extract data such as passwords, payment card information and crypto wallets. As always, we recommend keeping up to date with patches to ensure you are not at risk from known vulnerabilities.

By bitdefender.com

15 Million rps DDoS Attack Blocked by Cloudflare

This month, Cloudflare systems detected a HTTPS DDoS attack sending 15.3 million requests-per-second; this is the largest HTTPS DDoS attack ever recorded, and Cloudflare managed to successfully block it. The attack targeted one of their customers and lasted around 15 seconds before being blocked automatically by Cloudflare’s autonomous detection and mitigation systems. The ability to block attacks of this scale without human interaction is very impressive and shows Cloudflare’s true intention to build a better internet.

By blog.cloudflare.com

Proofpoint Detects New Emotet Delivery Techniques

Recent activity from Emotet has been detected by Proofpoint, who have observed new delivery techniques being tested. This activity was scarce and only a few emails were detected, however they did appear to use different methods. The emails were very simple and contained zip files hosted on OneDrive; the subject was often one word such as “Salary” and was sent from a compromised account. While current Emotet activity is relatively low volume, we still advise looking out for potential indicators.

IOCs for the recent campaign can be found here, as well as more details for those interested in the new techniques.

By proofpoint.com

T-Mobile Hit By LAPSUS$ Breach

T-Mobile is the latest company to be hit by the relentless hacker group LAPSUS$. It was reported that stolen credentials were used to access internal systems potentially allowing LAPSUS$ to freely conduct SIM swapping attacks. T-Mobile stated, "The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value" however leaked chats reveal that T-Mobile’s Slack and Bitbucket accounts were compromised, and 30,000 source code repositories were stolen. This is yet another attack by LAPSUS$ on a high-profile organisation; Impresa, NVIDIA, Samsung, Vodafone, Ubisoft, Microsoft, Okta, and Globant were all previous victims of the groups exploits.

By TheHackerNews.com

BlackCat Ransomware Hits More Than 60 Organisations Worldwide

The FBI has published a report stating that at least 60 organisations worldwide have been hit by the BlackCat ransomware since November 2021. BlackCat has been seen targeting Windows, Linux and VMWare ESXI systems, while issuing ransom payments ranging from a few hundred thousand to three million dollars.

The FBI report, which you can find here, contains details on the nature of the attack, as well as indicators of compromise you should be aware of. 

By SecurityAffairs.co

Vulnerabilities & Updates

New Nimbuspwn Vulnerabilities Allow Privilege Escalation on Linux Systems

A collection of vulnerabilities, being tracked as Nimbuspwn, reportedly allow local attackers to gain root privileges on Linux systems; this could lead to the deployment of malware and could even be utilised in ransomware attacks. These flaws exist in networkd-dispatcher, the component responsible for connection status changes, and have been identified as directory traversal, symlink race, and time-of-check-time-of-use vulnerabilities. There is currently no fix for Nimbuspwn, however we advise all Linux users to keep an eye out for the next patch and update their systems as soon as possible.

More details on these vulnerabilities can be found here.

By BleepingComputer.com

Google Reports Sophisticated Zero-Day Exploits For iOS and iMessage

Project Zero, Google’s security research team, was reported to have discovered vulnerabilities in iMessage and iOS sandbox in 2021. The iMessage vulnerability hasn’t been publicly disclosed and information surrounding it has been kept secret, but the vulnerability is thought to be “an impressive work of art” and the “most technically sophisticated exploit” Project Zero has ever seen. This comes as no surprise since it was reported that the flaw was used in the NSO Pegasus Spyware for “zero-click” exploitation.

The second vulnerability was found in the iOS sandbox feature and reportedly stops third-party applications from being able to read other application data and making changes to the device. The vulnerability was a sandbox escape that allows a third-party application access to greater rights than it was given and to freely access data stored on the device and change device configurations.

By Forbes.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #187 – 29th April 2022

Why not follow us on social media:

By

Samuel Jack

on

28/4/22

Cyber Round-up

Cyber Round-up for 22nd April

Cyber Round-up for 22nd April

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Russian Hackers Responsible for Energy Plant Cyber Attacks Named by FBI

Four Russian hackers have been named by the FBI for their involvement in the hacking of energy companies around the world. Most recently, the hackers have been linked to an attack on a petro-chemical plant in Saudi Arabia, which “had the capability to cause significant impact” and could have potentially resulted in many people being killed. The four men have also been accused of breaking into US infrastructure and targeting UK energy companies; while these were not as serious as the attacks in Saudi Arabia, it has put the hackers on the FBI’s radar.

By News.Sky.com

Downing Street Systems Infected with Spyware

A Canadian investigative group has been looking into an incident regarding the Pegasus spyware, which has reportedly made its way onto Downing Street and Foreign Office computer systems. This spyware was made by the NSO Group and is often used to help government agencies investigate terrorism. The incident has been linked to operators in the UAE, however the NSO Group has denied these allegations and claim to have no involvement.

By BBC.co.uk

iCloud Hackers Stole $650,000 from Victim's Cryptocurrency Wallet

Users of Metamask, a cryptocurrency wallet maker, are being warned about using Apple’s iCloud for backups, after hackers stole $650,000 worth of cryptocurrency. User, Domenic Lacovone, disclosed that he was a victim of hackers impersonating Apple Support Staff using social engineering techniques. Lacovone received multiple spoofed messages and phone calls requesting for him to reset his Apple ID password, after he did, he received another phone call requesting the one-time verification code he received when changing the password. This allowed the hackers to gain access to his Apple iCloud data containing app data from Metamask including recovery phrase, passwords and private keys, before gaining access to Domenic’s Metamask account. It appears that this data is uploaded to iCloud by default and users are advised to check their iCloud backups settings.

By BitDefender.com

Beanstalk Cryptocurrency loses $182 million to hackers

Beanstalk is a decentralised finance project providing an approach to balancing the supply and demand of different cryptocurrencies. All users contribute to a money pool called “the silo” in return for tokens called “beans”. A governance mechanism exists where users could vote on changes to code, their votes would be in proportion to their held share of tokens. Flash loans allow users to borrow large amounts of cryptocurrency for a short period of time usually to provide liquidity or take advantage of price opportunities, but are known to be used for criminal purposes. Hackers took out a flash loan of $1 billion in cryptocurrency and brought Beans to hold a super-majority stake. Code was then executed transferring funds to the wallet of the attackers, allowing them to pay back the loans and take a net total of $80 million in cryptocurrency. This complex attack took less than 13 seconds to complete, and Beanstalk founders have said that it is “highly unlikely” they will get a bailout. Many users are unhappy with this situation and have lost tens of thousands of invested cryptocurrencies.

By TheVerge.com

Funky Pigeon Reports “Cybersecurity Incident”

Funky Pigeon, a business allowing people to create and send celebration cards, was recently hit by a cyberattack. Funky Pigeon has said all customer banking details are safe as they are processed “via accredited third-parties and is securely encrypted”. They also stated they are currently looking into other personal data that may have been compromised, such as names, addresses, e-mail addresses and personalised card and gift designs which may have been accessed. Beyond this, Funky Pigeon has failed to offer any more information on the attack and cards remain unavailable for purchase until systems are restored and the breach investigated and patched.

By GrahamCluley.com

Vulnerabilities & Updates

Java Encryption Flaw Allows Credential Forging

A vulnerability was recently found in Java JDK that could allow an attacker to easily forge counterfeit credentials. This flaw exists in the implementation of some encryption operations within the Java Development Kit and affects versions 15 and later. A patch for this vulnerability was made available on the 19th April; we highly recommend applying the latest update for both Oracle Java and OpenJDK to ensure you are not at risk of exploitation.

By Portswigger.net

Windows Print Spooler Flaw Being Actively Exploited

The CISA list of actively exploited flaws recently gained three new additions, one of which is a privilege escalation bug existing in the Windows Print Spooler. This vulnerability, tracked as high severity, currently impacts all versions of Windows and was addressed in the February 2022 Patch Tuesday. Proof-of-concept was released for this flaw, and exploitation is very simple with no user interaction required. The other two additions to CISA’s list are a cross-site scripting flaw in the Zimbra Collaboration Suite and a WhatsApp VOIP Stack Buffer Overflow vulnerability.

More details on these can be found here and, as always, we recommend applying the latest updates available as soon as possible.

By BleepingComputer.com

Log4Shell AWS Patch Vulnerable to Exploits

AWS has recently revealed several solutions that look for vulnerable Java applications or containers and patch them automatically. These solutions were specifically designed in response to the Log4Shell flaw and can be implemented in any cloud or on-prem environment, not just AWS. While this sounds like a great idea, Amazon are already encountering issues, some of which were discovered by Unit 42. Unit 42 found that installing the patching service to a server or cluster will allow every container in the cluster to exploit it and take over the host. In addition, if the patch is installed to a Kubernetes cluster, all containers are able to escape. Anyone who has installed one of these hot patches is advised to upgrade to the new fixed version, to ensure you do not encounter any of the issues detailed above.

By Unit42.PaloAltoNetworks.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #186 – 22nd April 2022

Why not follow us on social media:

By

Samuel Jack

on

21/4/22

News

Microsoft Patch Tuesday: April 2022

Microsoft Patch Tuesday: April 2022

Microsoft’s Patch Tuesday has much to offer this month, with a grand total of 117 new vulnerabilities being patched separated between 9 critical and 108 important. While the vulnerability total is relatively high to what we have seen in recent months only 1 vulnerability has been publicly disclosed and 1 reported to be exploited in the wild.

April’s instalment includes fixes for some key software such as:

  • Active Directory Domain Services
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Power BI
  • Skype for Business
  • Visual Studio
  • Windows App Store
  • Windows Defender
  • Windows File Explorer
  • Windows PowerShell
  • Windows RDP
  • Windows SMB
  • YARP reverse proxy

Important Notes

CVE-2022-24521: Windows Common Log File System Driver Elevation of Privilege Vulnerability

This important vulnerability with a CVSS of 7.8 has been reported by Microsoft to be seen in the wild. Windows CLFS is a general-purpose logging service that logs user and kernel mode actions. By exploiting the Windows CLFS driver hackers can elevate their privilege allowing the execution of arbitrary code in kernel mode avoiding any security restrictions in place.

CVE-2022-26904: Windows User Profile Service Elevation of Privilege Vulnerability

Windows user profile service is a shared service in SharePoint Server that allows the creation and administration of user profiles that can be accessed from multiple locations. This important vulnerability has been publicly disclosed offering a CVSS of 7.0 and would allow a hacker to execute arbitrary code at a higher privilege to get access to more resources. This attack is of a high complexity and is considered to be less likely to occur.

CVE-2022-26809: Remote Procedure Call Runtime Remote Code Execution Vulnerability

RPC allows a client to request a service from a program located on a server, Microsoft has identified and patched a Critical vulnerability with this service. Exploiting RPC would allow for a hacker to execute arbitrary code on a target allowing for the potential of data theft, implanting malware or total system takeover. This vulnerability has a CVSS of 9.8 making it an extremely dangerous vulnerability to be exploited.

A notice has been issued with this update, any systems running Windows 10 version 20H2 will reach the end of life on 10th May 2022. All users are advised to update to the latest version to avoid being at risk.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr

Security update guide: https://msrc.microsoft.com/update-guide/

By

Samuel Jack

on

13/4/22

Cyber Round-up

Cyber Round-up for 8th April

Cyber Round-up for 8th April

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

LAPSUS$ Added to FBI’s Most Wanted List

The Federal Bureau of Investigation has put out a public alert to ask for help in uncovering the members of the infamous cybercrime gang LAPSUS$. It has been documented that LAPSUS$ has now stolen data from Microsoft, NVIDIA, Ubisoft, Samsung, Globant and Okta. Although the FBI is seeking help to identify the members in LAPSUS$ no monetary award has been offered.

By GrahamCluley.com

Mailchimp Data Breach Compromises Hundreds Of Accounts

Mailchimp, an email marketing service, has been the most recent victim of a data breach. The company reported that an unauthorised hacker accessed company data through the use of an “internal tool” used by its customer support and account administration team. It has been reported that around 300 Mailchimp accounts could be compromised, with 102 of these having their audience data stolen. API keys were also stolen in the attack, but Mailchimp has assured customers that these have been disabled and changed, making the stolen keys worthless to the hackers.

By TechCrunch.com

The Works Suffers Cyber Attack

The Works, a book, arts & crafts store, has been a victim of a cyber attack. The Works was alerted to the incident due to its security firewall and has disabled access to its systems while a security team investigates the attack. Operations have been reported to be severely impacted, with emails down and internal systems offline, while some stores are closed and others are only accepting cash. The Works has reassured its customers that no bank details have been stolen in the attack, but longer delivery times are to be expected while the investigation takes place.

By BitDefender.com

Isle of Wight Electric Vehicle Chargers Hacked

The Isle of Wight Council has apologised to the users of its electric charging points, after it was discovered that a hacker had managed to gain access and redirect a website link. The chargers are meant to display GeniePoint’s website on a front-facing monitor, however this had been changed so that monitor would show a site hosting obscene sexual material. The problem has since been resolved and the affected charging points are due to be replaced with "new charge points over the next few months".

By BBC.co.uk

Inverse Finance Loses $15 Million In Hack

Inverse Finance, a Decentralised finance platform, has publicly stated that it was a victim of a hack resulting in the theft of $15 million worth of different cryptocurrencies. The hacker was able to manipulate the price of its native token, INV. With this, the hacker could mislead the system and offer themselves huge loans with low collateral. A report by PeckShield has disclosed that the initial deposit of the hacker was $3 million in Ethereum cryptocurrency and that the funds sent and received were to a wallet that had used Tornado Cash to hide its transactions. Inverse Finance has said all customers impacted by the price manipulation will be repaid in full.

By ZYCrypto.com

Takedown of Kremlin Backed Cyclops Blink Botnet

The US Justice Department has released details of a court authorised takedown of the Cyclops Blink Botnet. The botnet is known to be part of the Sandworm cyber gang that has worked for the Russian Federation's GRU espionage nerve centre. The task force carrying out the takedown removed malicious code from thousands of firewall devices being used as command-and-control servers. This severed ties between the cyber gang and the compromised machines used for its botnet. With the command-and-control servers down, the task force hasn’t yet aimed its sight into removing Cyclops Blink malware from individual devices being used as bots, they have only recorded the infected devices acting as command-and-control servers.

By TheRegister.com

Vulnerabilities & Updates

Two Zero-Day Vulnerabilities Patched For Apple Devices

A recent update released by Apple has patched two zero-day vulnerabilities discovered by anonymous security researchers. The two vulnerabilities are reportedly being actively exploited in the wild, which has pressured Apple to release a quick patch. The vulnerabilities reported are an out-of-bounds write issue with AppleAVD media decoder allowing for the execution of arbitrary code and an out-of-bounds read issue with Intel graphics driver which may lead to the disclosure of kernel memory. Any users of Mac, iPhone and iPad devices are advised to update to stay protected.

By TheRecord.media

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #185 – 8th April 2022

Why not follow us on social media:

By

Samuel Jack

on

7/4/22

Cyber Round-up

Cyber Round-up for 1st April

Cyber Round-up for 1st April

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Lapsus$ Return from Vacation

The Lapsus$ data extortion group announced this week that they were “officially back from a vacation” and didn’t waste any time in posting 70GB of data stolen from the software development firm, Globant. Among the exfiltrated data was images of customer admin credentials, as well as Globant’s source code. Last week during the group’s “vacation”, City of London police arrested seven individuals believed to be associated with Lapsus$; we expect there to be a lot more activity in the coming weeks and we will continue to update you when we learn more.

By ThreatPost.com

VMware Horizon Servers Targeted in Log4j Attacks

It has been 4 months since the Log4j vulnerabilities were disclosed, but this does not mean that attacks have slowed down. VMware Horizon servers have been a massive target for attackers looking to exploit Log4j, with researchers believing that “the current wave of attacks against VMware Horizon are a precursor to ransomware attacks”. An updated version of VMware Horizon server was released back in December 2021, which protects against the vulnerabilities being exploited here; those currently using unpatched servers are advised to upgrade to the latest version as soon as possible.

By DarkReading.com

Okta Cyber Attack Update

In last week’s blog we reported on the disclosure of a cyber-attack on Okta. Aside from knowing the incident happened two months before the public disclosure of the breach, most information was withheld. A report released on the 22nd march by Sitel, which supplied Okta with contract workers for its customer support, discovered that a support engineer’s laptop had been compromised by a Lapsus$ member. This access was used to steal Okta’s customer data. Okta has noted that the service engineers are only allocated access to data specific to their job role, they are unable to create or delete users, download customer databases or access our source code repositories. Okta also mentioned that they have since found that up to 366 of its clients were affected by the breach in some capacity and they will continue to strengthen its security.

By Okta.com

1/3 of UK Businesses Hit by Cyber Attacks

Data collected by the Department of Digital, Culture, Media & Sport (DCMS) has reported almost a third of businesses in the UK are receiving cyber attacks on a weekly basis. With this newfound information, the NCSC is encouraging organisations to improve their security; this includes incorporating the cyber essentials scheme for SMBs and the board toolkit for larger organisations. Along with the rise of cyber attacks on UK organisations, 82% of UK senior managers see cyber security as “fairly high” or higher for business priorities, an increase of 5% since last year.

By ITPro.co.uk

UK Alert for Businesses Using Russian Services and Products

An Alert sent out from the UK Government has warned to avoid and replace Russian owned products and services. With the UK backing Ukraine in its defence against Russia, it wouldn’t be unrealistic to expect that Russia could leverage is services and products to retaliate against the UK. Products like Kaspersky AV and other cloud enabled products where the supply chain includes Russia have been under scrutiny, as Russian companies have a legal obligation to assist the Russian Federal Security Service. This could compromise the data confidentiality, integrity and availability of UK businesses using Russian products.

By NCSC.gov.uk

Microsoft And Google Increase Cloud Security

Both Microsoft and Google have announced they are acquiring companies to increase cloud security for its users. Currently, Google is in the process of acquiring Mandiant, a cyber security company offering threat intelligence services and more than 600 consultants reporting on thousands of security breaches every year. Research generated from its intelligence analysts feed into Mandiant to help organisations better defend against new threats. Microsoft has recently acquired two cyber security companies, CloudKnox Security, a provider of cloud infrastructure entitlement management, and RiskIQ, a threat intelligence and attack surface management service. These acquisitions aim to increase the security of cloud services that both Google and Microsoft Provide.

By CNBC.com

Vulnerabilities & Updates

Zero-Day Found in New Spring Java Framework

A new zero-day vulnerability has been discovered in the Spring Core Java framework and could allow remote attackers to execute arbitrary code on applications. The zero-day, named ‘Spring4Shell’, is supposedly caused by “unsafe deserialization of passed arguments.” and requires rather specific configuration to be exploited.

More details on this vulnerability can be found here, along with details on the configuration requirements for the exploit.

By BleepingComputer.com

Honda Flaw Allows Hackers to Lock and Unlock Cars

A Proof-of-concept was recently released for a vulnerability affecting the Remote Keyless System in Honda Civics. This flaw only affects Civics made between 2016 and 2020, and could allow an attacker to lock, unlock and start the vehicles. Despite this proof-of-concept being released, Honda have announced they have no intention of updating the older vehicles affected by this.

A detailed breakdown of this vulnerability can be found here on GitHub.

By TheRecord.media

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #184 – 1st April 2022

Why not follow us on social media:

By

Joshua Hare

on

31/3/22

Cyber Round-up

Cyber Round-up for 25th March

Cyber Round-up for 25th March

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

US Prepared for Russian Cyber Attacks

President Joe Biden has warned of the growing cyber threat posed by Russia and stated that the US are prepared to use “every tool to prevent and respond to such a move”. Biden suspects that Moscow may launch cyber attacks in response to the sanctions set following the invasion of Ukraine; as a result, all US companies have been advised to “accelerate efforts to lock their digital doors”. So far, intelligence has very accurately predicted the movements and actions of Russia, so this statement could indicate that large scale cyber attacks are imminent.

By BBC.co.uk

HubSpot Security Incident

Earlier this month, a HubSpot employee account was compromised, which led to the attacker extracting data from a number of customer portals. The owners of the compromised portals have all been notified by HubSpot, who also stated how seriously they take the security and privacy of their customer’s data. Investigations are still ongoing, but more details, as well as frequently asked questions, can be found here in the meantime. If you are concerned customer, or seeking guidance following the compromise, we advise visiting this page to learn more.

By HubSpot.com

37GB of Microsoft Source Code Leaked by Lapsus$

Lapsus$ has recently emerged as one of the most active data extortion groups around and has taken credit for a number of impactful cyber attacks this year, including NVIDIA, Samsung, Ubisoft and more. This time, the group claims to have come into possession of source code for Bing, Cortana, and many other Microsoft projects. This was all supposedly found after gaining access to Microsoft’s Azure DevOps server. Lapsus$ have posted a 9GB 7zip archive online but is expected to be in possession of approximately 37GB of stolen data. Not much is known about the group, but they have made a name for themselves following a string of high-profile attacks. We expect to see much more activity from them in the near future.

By BleepingComputer.com

Okta Discloses Data Breach News Two Months After Discovery

Many customers are unhappy with Okta’s lack of urgency in revealing this data breach. The breach occurred back in January, and reports suggest that Okta were made aware of it a few weeks later; despite this, customers are just now finding out about the incident. If this delay wasn’t bad enough, it wasn’t until hacker group Lapsus$ claimed responsibility and posted evidence of the breach that Okta issued a statement. The breach occurred through the compromise of a third party customer support provider, and while it appears the breach was contained, it is still unacceptable that customers were kept in the dark.

Okta are confident that there is “no longer a security risk” and believe the hack wasn’t impactful. Despite this, security professionals are “outraged by the lack of disclosure from Okta”. Even the CEO of Cloudflare has claimed he is looking into alternatives for their single sign-on needs.

The situation continues to evolve; Okta's investigation continues and with lots of customers resetting credentials for their users, we should watch this space.

By Forbes.com

Google Finds Initial Access Broker Affiliated with Ransomware Gangs

Google’s Threat Analysis Group recently uncovered an Initial Access Broker who appears to be working closely with the Russian group responsible for the Conti and Diavol ransomware attacks. The broker, known as Exotic Lily, is now actively exploiting a critical vulnerability in the Windows MSHTML platform and is utilising the exploit in a recent string of phishing campaigns. These campaigns reportedly send 5,000 scam emails a day, targeting more than 600 organisations around the world.

By TheHackerNews.com

Vulnerabilities & Updates

SQL Injection Flaw in UTM Appliance Patched by Sophos

Sophos recently released a patch for a critical vulnerability in the all-in-one Universal Threat Management appliances. This SQL injection flaw exists in the Mail Manager component of the UTM appliance and could allow an attacker to execute arbitrary code on the target device. Users are advised to upgrade to version 9.710 to ensure they are protected against exploitation of this vulnerability. In this same update, a few other important flaws received fixes.

In this same update, a few other important flaws received fixes. More details on these can be found here.

By PortSwigger.net

HP Printers Vulnerable to Remote Code Execution

HP’s latest security advisory covers three critical vulnerabilities affecting hundreds of different printer models, including LaserJet Pro, Pagewide Pro, OfficeJet and more. Exploitation of these flaws could allow a remote attacker to execute arbitrary code on the target device. We advise all owners of HP printers to upgrade to the latest firmware version.

For more details on these flaws and the affected versions, see the official HP advisory here.

By BleepingComputer.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #183 – 25th March 2022

Why not follow us on social media:

By

Joshua Hare

on

24/3/22

Cyber Round-up

Cyber Round-up for 18th March

Cyber Round-up for 18th March

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Guernsey Warns of Rise in Cyber Attacks

The channel island of Guernsey has given a public alert to its citizens and businesses on the increase in cyber-attacks it has been receiving. Collectively, the Channel Islands see more than 10 million potential cyberattacks a month, with the figure expected to increase with tensions between Ukraine and Russia continuing. The advisory warned citizens to be wary of scam emails and to not interact with suspicious sources. The alert also advised about sending personally identifiable information or banking details to untrusted organisations or individuals, especially if being pressured into doing so.

By BBC.co.uk

Nvidia Hacked By LAPSUS$ Reveals Company-Wide Weak Login Credentials

The Nvidia data breach last month generated some unwanted attention for the tech company. The attack, orchestrated by the hacking group LAPSUS$, appears to have resulted in the theft of around one terabyte of data; this stolen data supposedly includes the Source code of GPU chips, email addresses and password hashes. The most interesting aspect of this attack is the analysis done on leaked passwords by Specops Software. This investigation revealed the top 10 base words being used are:

  • nvidia
  • nvidia3d
  • mellanox
  • ready2wrk
  • welcome
  • password
  • mynvidia3d
  • nvda
  • qwerty
  • September

This shows that weak passwords are still being utilised, even in multi-billion-pound organisations, and how a well-structured and enforced password policy can enhance identity protection across an organisation.

By GrahamCluley.com

Ubisoft “Cyber Security Incident” Suspects LAPSUS$ Involvement

LAPSUS$ seems to be making many enemies over the last few months, most recently with their cyberattack on Ubisoft. The “cyber security incident” reportedly impaired systems, services and games, however Ubisoft have clearly stated that “there is no evidence any player personal information was accessed or exposed as a by-product of this incident”. Despite this statement, it is still unclear how the attack happened.

Ubisoft have since issued a company-wide password reset and have confirmed that games and services are now functioning normally. The cybercriminal group known as LAPSUS$ have taken credit for the attack in a Telegram group chat and declared they weren’t aiming for Ubisoft’s customer information; while we know who was responsible for the attack, it is still unclear why or how it was carried out.

We will provide updates on this incident once more information is made publicly available.

By TheVerge.com

Ransomware Variants Dominate Q4 2022

In the last quarter of 2021, it has been reported that 34 different ransomware variants were observed across as many as 722 separate ransomware attacks, with the most prevalent being:

  • LockBit 2.0 (29.7%)
  • Conti (19%)
  • PYSA (10.5%)
  • Hive (10.1%)

With an increase of 110 and 129 attacks from the third and second quarters of 2021, this only shows the growing trend of ransomware and how hacking groups are creating new variations to evade security measures. Nearly a quarter of all ransomware attacks in the last quarter were aimed at the consumer and industry products sector, with an astonishing increase of 22.2% from the previous quarter.

By TheHackerNews.com

Hosted GoDaddy Infected Sites Increase

As of the 15th March 2022, a noticeable spike in infected GoDaddy sites has been reported by Wordfence. 298 sites have been found to be infected with a backdoor since 11th March, 281 of these are believed to be hosted by GoDaddy. The backdoor in question has been in use since 2015 and is added to the start of the wp-config.php file of the target site. Owners of sites hosted by GoDaddy’s Managed WordPress platform are advised to scan their wp-config.php for signs of infection.

Guidance on how you can find this backdoor can be found here.

By Wordfence.com

Vulnerabilities & Updates

WordPress Update Defends Against XSS and Prototype Pollution Vulnerabilities

The latest WordPress security update, 5.9.2, includes fixes for one high severity and two medium severity vulnerabilities. The high severity XSS vulnerability affecting versions 5.9.0 and 5.9.1 allows malicious JavaScript to be inserted into WordPress posts as a contributor level user or higher. WordFence has pushed a firewall rule to defend customers against this attack until sites update to the newest version. The two medium severity prototype pollution vulnerabilities affect all previous versions of WordPress and could allow the execution of arbitrary JavaScript in a user’s session, once the user has clicked a malicious link created by the attacker. It is recommended that all WordPress users update to keep safe from these vulnerabilities.

By Wordfence.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #182 – 18th March 2022

Why not follow us on social media:

By

Joshua Hare

on

17/3/22

Cyber Round-up

Cyber Round-up for 11th March

Cyber Round-up for 11th March

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

UK Data Centres Offered Security Guidance by NCSC and CPNI

The NCSC and the CPNI have come together for the first time, to provide guidance on how to secure data centres. The document is designed to help users and operators of data centres understand threats that they might face and even includes mitigation techniques for them to use. This security strategy will allow data centres across the country to be more aware of the dangers and consequences of hackers and provide suitable protective measures that go beyond the current legislation.

By NCSC.gov.uk

Gloucester City Council Hack Fix Faces Financial Concerns

In December, Gloucester City Council was a victim of a cyber-attack where a system breach affected online services. The hack, which has been linked to Russian hackers, gained the attention of the NCSC and the NCA, who are helping the council bring its core systems back online and identify the perpetrators. The council’s reserve of £380,000 and an additional £250,000 from a government grant is thought to not be enough to cover the repair of the attack. Jeremy Hilton, leader of the Liberal Democratic group has said “I suspect the £630,000 already put aside is not nearly enough. I expect many council services to continue to suffer.” It is important to understand the need for cyber security and the potential financial losses a cyber-attack of this nature can cause.

By BBC.co.uk

Ukrainian Government Agencies Targeted In Cyber-Attacks

A recent string of cyber-attacks against Ukrainian government agencies has been reported. The attacks have reportedly been targeting government agency devices using the MicroBackdoor malware, a piece of software that utilises command and control capabilities to steal information, initiate a ransomware attack, or even move across the network and infect other devices.

Other reports across eastern Europe have reported sightings of a new data-wiper malware called HermeticWiper infecting machines and destroying information. These kinds of cyber-attacks are expected to become more frequent and damaging as tension between Russia and Ukraine continues to escalate.

By Portswigger.net

190GB of Data Stolen in Samsung Galaxy Hack

Samsung recently announced that a group of cybercriminals, known as Lapsus$, had successfully breached their systems, and were able to steal 190GB of confidential code. According to the attackers the stolen data contains “Galaxy biometric authentication algorithms and bootloader source code”. We do not currently have an exact timeline of the breach, but it was initially discovered on 4th March after Lapsus$ revealed its plans to leak Samsung’s data. The breach was later confirmed by Samsung on 7th March; not much more is known about the attack or the group behind it at this point in time, but we will provide updates when more information is made publicly available.

By Forbes.com

Vulnerabilities & Updates

Two Zero-Day Bugs Patched for Mozilla Firefox

Firefox has recently patched two vulnerabilities that are known to be actively exploited in the wild. The out-of-band patch was pushed to users in order to protect their machines from hackers utilising the use after free vulnerabilities. These two vulnerabilities are:

•             CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-free

•             CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape

We recommend that any Firefox users update immediately to be protected from these actively exploited vulnerabilities.

By TheHackerNews.com

AutoWarp Vulnerability Discovered in Azure Automation Service

A critical vulnerability found to be present in Azure Automation Service has been discovered by Orca Security. The vulnerability known as AutoWarp allows an attacker to gain unauthorised access to other Azure customer accounts also using Azure Automation Service. The flaw allowed interaction with an internal server that manages other customers; through this, authentication tokens could be stolen to authenticate to other account, potentially allowing for full control over resources and data belonging it. If you have used Azure Automation Service before and have the managed identity feature enabled (enabled by default), then you were likely vulnerable to this exploit. Microsoft have since worked with Orca to swiftly fix the issue.

By Orca.Security

Amazon Echo Vulnerabilities Generate Privacy Concerns

Researchers have found multiple flaws with Amazon's Echo devices. The Bluetooth speakers integrated within the device can be connected to and used to command Alexa to carry out instructions such as purchase products or unlock doors.

When the wakeup word is said, the device turns down its volume, however researchers have found a flaw which they are calling the “full volume vulnerability” that allowed them to bypass this feature and issue commands. Verbal confirmation is required after a sensitive request, but it was found that making the device say “yes” 6 seconds after the command would bypass this, allowing an attacker to send much longer commands.

The one limitation of this attack is that the Amazon echo would need to be readied in advance or an attacker being near the device and connecting to it through Bluetooth.

By BitDefender.com

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #181 – 11th Match 2022

Why not follow us on social media:

By

Samuel Jack

on

10/3/22

Security Guidance

Microsoft Patch Tuesday: 9th March 2022

Microsoft Patch Tuesday: 9th March 2022

The latest instalment of Microsoft Patch Tuesday has much to offer, with 71 new vulnerabilities being patched alongside the 21 addressed for Microsoft Edge earlier this month. Included in this issue of Patch Tuesday are 3 critical vulnerabilities, with the remaining 68 were labelled as important. While 3 of the flaws have been publicly disclosed, none appear to have been exploited in the wild.

This month's release covers security updates for key components including:

  • Microsoft 365 Apps
  • Windows Defender
  • .NET
  • Remote Desktop Client
  • Visual Studio
  • Microsoft Intune
  • HEVC Video Extension

Important Notes

CVE-2022-22006: HEVC Video Extensions Remote Code Execution Vulnerability

With a CVSS of 7.8, this critical remote code execution vulnerability exists in the HEVC Video Extension product and can only be exploited by an authenticated user. Exploitation requires the victim to open a video file containing malicious code; this allows the code to execute on the target machine.

CVE-2022-24501: VP9 Video Extensions Remote Code Execution Vulnerability

Similar to the previous vulnerability this leverages a video format to use as a means of executing arbitrary code. This critical vulnerability also scores 7.8. Unlike in the previous vulnerability, this video format is supported by modern browsers making it an easier method for users to execute.

CVE-2022-23277: Microsoft Exchange Server Remote Code Execution Vulnerability

This critical vulnerability scoring 8.8 could allow an authenticated attacker to utilise the elevated permissions of another account through the use of objects in memory being handled incorrectly allowing for code execution. 

CVE-2022-21990: Remote Desktop Client Remote Code Execution Vulnerability

Although not labelled as critical by Microsoft, with a CVSS score of 8.8, this vulnerability shouldn’t be overlooked. This vulnerability requires the target to actively connect to a malicious RDP server, typically through social engineering; from here the attacker to execute code through a vulnerability within the remote desktop client. This vulnerability has been seen in the wild and is known to be utilised to gain access to a system and infect it with ransomware. 

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Mar

Security update guide: https://msrc.microsoft.com/update-guide/

Follow us on social media:

By

Samuel Jack

on

10/3/22

Cyber Round-up

Cyber Round-up for 25th February

Cyber Round-up for 25th February

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

NCSC Warns Sandworm’s Cyclops Blink Replaces VPNFilter

The NCSC have posted an advisory to warn that the hacker group Sandworm has been found to be behind the creation of the malware labelled Cyclops Blink. The malware, which has been active since 2019, but is suspected to be a replacement for the previous malware the hacker group created called VPNFilter. Cyclops Blink is aimed at businesses and organisations using WatchGuard Devices however it’s thought to be capable of compiling in other architectures and firmware. The malware’s modular framework is designed to allow the hacker group to install and execute files on the device, as well as implementing new modules with additional capabilities for the hackers to utilise.

If you are running WatchGuard firewalls it is highly recommended to review the advisory, follow the guidance and remediate any issues found immediately. The analysis report can be found here.

By NCSC.gov.uk

Researchers Find Hive Ransomware Encryption Flaw

Hive ransomware has been around since June 2021 and has been aimed at infecting both organisations and individuals. The ransomware uses a variety of different infection methods such as email, vulnerable RDP servers and compromised VPN credentials to install itself on a device. In the fight against cyber criminals, security researchers have found that Hive has a flaw in its encryption algorithm allowing for the recovery of a decryption key. They stated, "We were able to recover the master key for generating the file encryption key without the attacker's private key, by using a cryptographic vulnerability identified through analysis."

By TheHackerNews.com

EU Countries Deliver Cyber Security To Ukraine

With the ongoing relations between Russia and Ukraine, Russia is expected to launch complex cyber-attacks against Ukraine’s key infrastructure. The EU’s Cyber Rapid Response Teams have reported  providing aid to Ukraine through the use of best practice principles and incident response.

By portswigger.net

Islamic Republic of Iran Broadcasting Hit By Wiper Malware

An inquiry into the use of wiper malware against the IRIB in January has found the use of custom backdoors and scripts. The attack against the broadcaster was “a targeted attack” disrupting the broadcasting of radio and television while also discrediting the current leader of Iran. During the attack, propaganda of the opposing organisation, the MKO, was shown to viewers. The wiper malware managed to clear files, drives and the master boot record of the devices infected.

By SecurityAffairs.co

NSCS Offering Free Cyber Security Guidance To The Construction Sector

Construction companies are usually a high-value target for cyber criminals due to the sensitive information they hold and their lack of security measures. With the UK’s push to improve cyber security nationwide the NSCS is giving guidance to help secure the construction sector. The advice being given is aimed at preventative measures those businesses should take to secure their hardware and sensitive information from hackers and increase knowledge about common cyber-attacks such as phishing and ransomware.

By pbctoday.co.uk

Ransomware Attack Reportedly Hit Expeditors

Expeditors, a logistics and freight shipping company, has reportedly been hit by a cyber-attack. The $10 billion business has been forced to shut down global operations due to the attack. There has been no official statement from Expeditors as to the type of cyber-attack but anonymous sources say it was due to a ransomware attack. There is no period reported of when the business will resume its operations but has said they will continue to be until they can securely reboot from backups.

By BleepingComputer.com

Vulnerabilities & Updates

UpdraftPlus WordPress Plugin Vulnerability

A new vulnerability found in the WordPress plugin UpdraftPlus has put 3 million websites at risk. The plugin is aimed at providing admins a means of backing up installations including user credentials. The vulnerability allowed security tokens to be leaked allowing a hacker the means of authentication and therefore access to the backups containing usernames, hashed passwords and other sensitive information. Due to its critical nature, all instances of UpdraftPlus have been automatically updated by WordPress themselves, to the newest version, protecting customers against this vulnerability.

By searchenginejournal.com

And that’s it for this weeks round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #180 – 25th February 2022

Why not follow us on social media:

By

Samuel Jack

on

24/2/22

Cyber Round-up

Cyber Round-up for 18th February

Cyber Round-up for 18th February

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

Governments Cautious Of High Impact Ransomware Increase.

With ransomware attacks becoming more frequent and sophisticated in design it has required governments to act to protect organisations, businesses and individuals. A recent collaboration between United States’ Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre are allowing these organisations to better understand the methods and techniques being used by cyber criminals using ransomware to extort. The report produced by the collaboration concluded that cyber criminals seem to be:

  • Targeting poorly-defended cloud infrastructure to steal data, encrypt information, and – in some cases – deny access to backup systems.
  • Targeting managed service providers (MSPs), impacting all of an MSP’s clients at once.
  • Attacking industrial processes by either affecting connected business systems or developing code to interfere with critical infrastructure.
  • Attacking the software supply chain and using it as a method to access multiple victims through a single initial compromise.
  • Targeting organisations on holidays and weekends, where they might have more impact and there are fewer IT support personnel in place to handle emergencies.

By Tripwire.com

Digital Anxiety More Prevalent In WFH Employees

A new study conducted by F-Secure has concluded that Employees that have worked from home throughout the pandemic are more likely to experience digital anxiety compared to their in-office counterparts. The study looked at how individuals feel about security and privacy on their devices and while using the internet. 67% of remote workers were worried compared to 58% for their counterparts. The issues that were most concerning to the participants in the study were:

  • 65% of those who work from home said the internet is becoming a more dangerous place.
  • 63% of remote workers said concerns about data privacy have changed how they use the internet.
  • 71% of remote workers said they worry that new internet connected devices—such as wearable's and connected home appliances—could lead to a violation of their privacy.
  • 70% of remote workers felt increasingly uncomfortable connecting to public WiFi due to security risks.

By HelpnetSecurity.com

Emotet New Attack Vector Infecting Businesses

A new attack method for the much unloved Emotet Malware has been reported by Unit42. Emotet has been recorded trying to infect devices through the use of malicious email attachments. Emotet can make this email seem more legitimate by thread hijacking that allows the creation of fake replies to emails that seem legitimate. This email contains an attachment to an excel document that contains a macro that users are asked to enable. If enabled it will download Emotet from an attacker owned server onto the device. The attachment in the email are often a zip file that contains a password protected excel sheet - the password will be noted in the email. This is an attempt to bypass email attachment scanning tools as it can’t be read. More detail are available in the above link.

By Unit42.palaltonetworks.com

TrickBot Targeting Top Brand’s Customers

The Trickbot trojan has been discovered in a new campaign by cyber criminals, once again attempting to steal login and banking credentials from customers of major organisations. TrickBot has been active previously, however this variant has the ability to - use a new web inject module, spread malware inside a network and steal application credentials that are sent to a command and control server. TrickBot overall has seen more than 140,000 successful infections since early 2021 and researchers noted that it’s back to taking first place in malware prevalence lists.

By ThreatPost.com

Windows Server Hotpatching Now Available

Microsoft recently made a big announcement regarding Hotpatching, their newest feature of Azure Automanage for Windows Server. Hotpatching presents a “new way to install updates on a Windows Server 2022 Datacenter: Azure Edition (Core) VM that doesn’t require a reboot after installation.”. The idea of this feature is to maximise availability, allow for faster update deployment and ensure better protection due to the fast installation of updates.

More details on this new feature can be found here.

By TechCommunity.Microsoft.com

Vulnerabilities & Updates

Magneto Zero-Day Exploited In The Wild

A new zero-day vulnerability has been detected for Magneto, an open-source application developer and distributor. The same vulnerability is also known to affect Adobe Commerce. The vulnerability is actively being utilised by cyber criminals to run arbitrary code, offering a score of 9.8 out of 10 due to a security weakness in input validation. A patch has been released and any users are advised to update to avoid being exploited.

By TheHackerNews.com

Zero-Day Actively Exploited In Chrome

Yet another zero-day has been discovered in Chrome and it is being actively utilised by cyber criminals. The vulnerability has not been publicly released but has been declared as a use after free flaw in Animation. The vulnerability has been given a rating of Critical and a patch has been released mitigating the vulnerability. Users are advised to update to the latest version of Google Chrome ASAP.

By Blog.MalwareBytes.com

And that is it for this week's round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #179 – 18th February 2022

Why not follow us on social media:

By

Samuel Jack

on

17/2/22

Search

Filter

Clear all
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
search icon

No results found.

Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi