Cyber Round-up for 23rd December

December 23, 2022

Welcome to the Christmas 2022 edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and the year to cover some of the news, posts, views, and highlights from the world of Security.

Cyber Summary for 2022

In general, this year started where 2021 left off, with more of pretty much everything: phishing, ransomware, cryptocurrency crashes and attacks, DDoS and of course data breaches.

In late January 2021 the notorious Emotet malware infrastructure was the target of Europol, where the combined weight of numerous law enforcement agencies gained control of it and performed a takedown of one of the most effective cybercrime malware delivery services.

In true Emotet form though, it reappeared in November 2021 and kept up its activities through 2022, with infections reported to lead on to payloads such as BlackCat ransomware. It went quiet again in mid-November 2022, so at the moment it appears they too have broken up for the holidays, but don't be fooled: we expect them back in the news soon enough.

MFA Bombing (aka MFA Fatigue or MFA Spamming) gained greater traction as a threat to organisations. It exploits the human weakness in push-based MFA: an attacker who already holds a valid username and password triggers a barrage of MFA push requests to the user, who eventually gets so fed up with denying them that they press approve, handing the attacker an authenticated session. Number matching, where the user must type a code shown on the login screen into the authenticator app, removes the one-tap approval the attack relies on, and a burst of push prompts followed by an approval is a pattern worth alerting on.

Big firms such as Uber, Microsoft and Cisco all had staff or contractors who fell victim to these MFA-based attacks. As more organisations roll out MFA to protect their user identities, it was inevitable that MFA itself became more of a target for the bad guys.
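The "burst of prompts, then an approval" pattern described above is easy to turn into a detection. The following is an added example written for this round-up, not code from any of the vendors or incidents mentioned: it uses a hypothetical push-event log format and constructed sample events, and the window and thresholds are assumptions to be tuned against your own identity provider's telemetry.

```python
"""Flag MFA-fatigue (push bombing) patterns in authentication telemetry.

The log format and thresholds below are hypothetical and the sample events are
constructed for this example; adapt parse_events() to your provider's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO-8601 UTC time> <user> <event> <source IP>".
# Events: push_sent, push_approved, push_denied, push_timeout.
# Constructed data: alice is a normal login, bob is being bombed and gives in.
SAMPLE_LOG = """\
2022-12-19T08:01:10Z alice push_sent 203.0.113.10
2022-12-19T08:01:25Z alice push_approved 203.0.113.10
2022-12-19T22:14:02Z bob push_sent 198.51.100.7
2022-12-19T22:14:40Z bob push_denied 198.51.100.7
2022-12-19T22:15:05Z bob push_sent 198.51.100.7
2022-12-19T22:15:50Z bob push_timeout 198.51.100.7
2022-12-19T22:16:12Z bob push_sent 198.51.100.7
2022-12-19T22:16:30Z bob push_denied 198.51.100.7
2022-12-19T22:17:01Z bob push_sent 198.51.100.7
2022-12-19T22:17:20Z bob push_denied 198.51.100.7
2022-12-19T22:18:03Z bob push_sent 198.51.100.7
2022-12-19T22:18:45Z bob push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window per user
BURST_THRESHOLD = 5              # assumed: this many pushes in WINDOW is bombing
REJECTIONS_BEFORE_APPROVAL = 2   # assumed: denials/timeouts that make an approval suspicious


def parse_events(text):
    """Parse the hypothetical log format into (time, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_mfa_fatigue(text, window=WINDOW, burst=BURST_THRESHOLD,
                       rejections=REJECTIONS_BEFORE_APPROVAL):
    """Return a list of findings (dicts with user, severity, reason, time, ip).

    Two signals are raised:
      * medium: at least `burst` push prompts for one user inside `window`
        (the attack is in progress even if the user keeps declining);
      * high:   a push is approved after `rejections` or more denials/timeouts
        inside `window` (the user has probably given in).
    """
    findings = []
    history = defaultdict(list)   # user -> [(time, event), ...] inside the window
    already_burst = set()         # report the burst once per user
    for ts, user, event, ip in parse_events(text):
        recent = history[user]
        recent.append((ts, event))
        while recent and ts - recent[0][0] > window:   # expire entries older than the window
            recent.pop(0)
        sent = sum(1 for _, e in recent if e == "push_sent")
        rejected = sum(1 for _, e in recent if e in ("push_denied", "push_timeout"))
        if sent >= burst and user not in already_burst:
            already_burst.add(user)
            findings.append({"user": user, "severity": "medium", "time": ts.isoformat(),
                             "ip": ip, "reason": f"{sent} MFA push prompts within {window}"})
        if event == "push_approved" and rejected >= rejections:
            findings.append({"user": user, "severity": "high", "time": ts.isoformat(),
                             "ip": ip, "reason": f"push approved after {rejected} rejected prompts"})
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} from {f['ip']} at {f['time']}: {f['reason']}")
```

Run against the constructed log this raises a medium finding for bob at the fifth prompt and a high finding when the approval lands after four rejections; alice's single prompt and approval produce nothing. The high-severity approval is the one to act on immediately (revoke the session, reset the password), because by that point the attacker already had valid credentials.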

Vulnerabilities continue to rise year on year. This shouldn't be a huge surprise, as we have seen ever more security researchers flocking to find flaws in products and services, and Bug Bounty and Vulnerability Disclosure programmes have become a prominent feature of the industry.

As 2022 comes to an end we are closing in on a new record of around 25,000 CVEs published in a single year.

Microsoft Exchange Server continued to take the punches as new and old vulnerabilities were exploited on servers globally. While some systems were still not patched for ProxyShell, which arrived in 2021, its very distant cousin ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) arose and was actively exploited pretty quickly, weeks before Microsoft shipped a fix in its November updates.

Microsoft Office suffered the Follina zero-day (CVE-2022-30190) in the MS Diagnostic Tool (MSDT), which let a crafted document run code without needing macros, while Log4j just fails to go away, with lots of systems remaining unpatched against the critical Log4Shell remote code execution vulnerability (CVE-2021-44228).

A new threat actor group that emerged in late 2021, Lapsus$, caused havoc for numerous companies throughout the year, including some big names: Microsoft, Uber, Okta, Nvidia and Rockstar Games, to name a few. Numerous arrests have been made, but whether they continue to embarrass companies in 2023, time will tell.

2022 has been another busy year for the Ironshare Team, as we helped more customers to secure their organisations. This ranged from small businesses who needed to grasp the fundamentals of cyber security, to large organisations needing assistance with cyber strategy and delivery of complex solutions. The team has grown, the brand has had a face lift and the new website is now live.

We look forward to another positive year in 2023, with the hope that the cyber industry can continue to get another step closer to stopping the bad guys.

 

In this week’s Christmas round-up:

Security News

Festive Shoppers Urged to be Cyber Aware

Here is a friendly reminder for festive shoppers to be cyber aware when online. Cyber security and law enforcement partners are urging bargain hunters to bolster their cyber security in the run-up to and during the festive season, after new figures revealed that victims of online shopping scams lost on average £1,000 per person in the same period last year. One victim lost £500 when attempting to buy shoes on a social media platform, and another lost £145 trying to make a similar purchase.

By ncsc.gov.uk

FBI Warn of Criminals Using Search Engine Ads

On the 21st December, the FBI warned the public that cybercriminals are using search engine advertisements to impersonate people and brands. The criminals purchase adverts that appear within search results under a domain closely resembling that of a real business or service, and because paid results sit at the very top of the page, a user searching for that business is likely to click the advert first. The malicious sites behind the adverts host malware, including ransomware, and steal users' login credentials and financial information. As always, be careful what you click: check the domain shown in the address bar rather than the text of the advert, type the address of a site you already know directly, and consider an ad blocker. Check out the link for some useful advice.

By ic3.gov

Guardian Newspaper Rocked by Ransomware

The Guardian has been hit by a serious ransomware attack. The incident occurred on Tuesday night and has affected parts of the company's technology infrastructure, disrupting behind-the-scenes services, but the Guardian has continued publishing online, with stories still going out to its website and app. The attackers reportedly have access to a computer system and are making demands in return for restoring services. Guardian Media Group chief executive Anna Bateson and the editor-in-chief, Katharine Viner, told staff: “As everyone knows, there has been a serious incident which has affected our IT network and systems in the last 24 hours. We believe this to be a ransomware attack but are continuing to consider all possibilities.”

By theguardian.com

OKTA Github Repo Breached

Okta, an identity and access management company, has been the victim of a cyber attack in which its source code was stolen. Unknown attackers accessed the Okta Workforce Identity Cloud code repositories hosted on GitHub and took a copy of the source. GitHub alerted Okta to the unauthorised access, and Okta temporarily restricted access to the repositories while it examined recent code commits to ensure no illegitimate changes had been made. Okta has stated that its services and customer data were not affected and that "Okta does not rely on the confidentiality of its source code for the security of its services". Even so, a stolen code base gives attackers a head start on finding bugs, and any credentials or keys that have ever been committed to a repository should be treated as exposed and rotated.

By thehackernews.com

State Sponsored Attacks Why & How

State-level or state-sponsored cyber attacks can have serious consequences for individuals, organisations and countries. Attacks at this level are carried out to collect intelligence, disrupt critical infrastructure, interfere with political processes, or support military operations, and they are launched using malware, phishing, denial of service, supply chain attacks and more. Defending against them needs strong cyber security measures, monitoring and incident response plans, as well as investment in research and working with international partners. More information about the reasons for conducting a state-level cyber attack, the methods used, and defensive strategies can be found here.

By ukdefencejournal.org.uk

Vulnerabilities & Updates

Play Ransomware Group Using ProxyNotShell Exploit

Play is a new ransomware group first seen in June 2022 that has been very active for the last six months. Its latest campaign uses the two ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082) which, chained together, let an attacker run code on the server and gain a foothold in the victim's environment. Although Microsoft patched these flaws in November, they are still actively being used as part of this major ransomware campaign, alongside a previously undocumented Outlook Web Access exploit method that CrowdStrike has investigated and named OWASSRF. The important caveat is that OWASSRF bypasses the URL rewrite mitigation Microsoft published for ProxyNotShell, so organisations that relied on the mitigation rather than installing the November update remain exposed.

CrowdStrike's extensive research into these new exploits can be found here.

By duo.com

Critical Remote Code Vuln Exploited in Microsoft Products

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is the GSSAPI mechanism used to agree an authentication method when a client application wants to authenticate to a remote server. A vulnerability in it, CVE-2022-37958, was patched in September and originally rated by Microsoft as an information disclosure issue; that rating has now been raised to critical after a security researcher showed that the flaw can be used for remote code execution. The vulnerability resides in the SPNEGO Extended Negotiation (NEGOEX) security mechanism and so affects any Windows application protocol that authenticates through it, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP). Because NEGOEX is part of the Windows authentication stack rather than an optional service, every Windows system should have the September 2022 or later cumulative update installed to protect against this attack.

By securityintelligence.com

Exploiting WordPress Plugins to Steal AWS Metadata

WordPress sites are one of the biggest targets for threat actors because of the large number of plugins, each of which needs regular updating. Most site owners do not update their plugins as often as they should, making them easy targets for attackers looking to exploit known vulnerabilities. One of the most common serious flaws found in WordPress plugins is Server Side Request Forgery (SSRF), where a plugin fetches a URL supplied by the attacker from the server itself. On a cloud-hosted site this lets the attacker reach services that are only meant to be reachable from the server, such as the AWS instance metadata endpoint at 169.254.169.254, from which temporary IAM credentials can be pulled and used against the rest of the AWS account.

In the past we have seen SSRF vulnerabilities in plugins such as Google Web Stories, which is used across a large number of WordPress sites. To help protect against these dangerous flaws, Wordfence has compiled guidance for users to follow, including details on how to protect your sites, how to avoid introducing SSRF vulnerabilities in your own code, and more.

If you are interested in learning more about how you can protect your WordPress site, we recommend consulting this Wordfence advisory.
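The vulnerable shape behind these plugin bugs is simple: whatever URL arrives in a request parameter is handed straight to an HTTP client running on the server. The validator below is an added example for this round-up, written in Python rather than PHP to show the checks clearly, and is not code from Wordfence, the Web Stories plugin or any other project. It uses a constructed resolver table in place of real DNS so it runs offline; the hostnames and addresses in that table are assumptions for the example, and the benign hosts are given a public address on purpose because Python's `ipaddress` treats the documentation ranges as non-global.

```python
"""Vet a URL before a server-side fetch so SSRF cannot reach internal services
or the cloud metadata endpoint.

Added illustrative example: hostnames, addresses and the FAKE_DNS table are
constructed for this demonstration, not taken from any real plugin or site.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata service names to refuse outright, whatever they resolve to.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}


def resolve_all(host):
    """Real resolver: every A/AAAA address for host, as strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """True only for a globally routable unicast address.

    An IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is unwrapped
    first; otherwise the mapped metadata address slips past the IPv4 checks.
    """
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def vet_url(url, resolver=resolve_all):
    """Return (ok, reason, addresses).

    The caller must connect to one of the returned addresses instead of
    re-resolving the name, or a DNS-rebinding attacker can answer with a public
    address for this check and an internal one for the actual fetch. Redirects
    must be vetted again with the same function before being followed.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL", set()
    if parts.scheme not in ("http", "https"):      # no file://, gopher://, etc.
        return False, f"scheme {parts.scheme!r} not allowed", set()
    if parts.username or parts.password:
        return False, "credentials in URL", set()
    host = parts.hostname
    if not host:
        return False, "missing host", set()
    if host.lower() in METADATA_HOSTS:
        return False, "metadata service host", set()
    try:                                            # IP literal (v4, v6, mapped)?
        candidates = {str(ipaddress.ip_address(host))}
    except ValueError:                              # a name: resolve every answer
        try:
            candidates = set(resolver(host))
        except (socket.gaierror, OSError):
            return False, "host does not resolve", set()
    addresses = set()
    for raw in candidates:
        try:
            addr = ipaddress.ip_address(raw.split("%")[0])   # drop an IPv6 scope id
        except ValueError:
            return False, f"resolver returned invalid address {raw!r}", set()
        if not is_public_address(addr):             # any internal answer fails the whole URL
            return False, f"{addr} is not a public address", set()
        addresses.add(str(addr))
    return True, "ok", addresses


# Constructed resolver table standing in for DNS in this example.
FAKE_DNS = {
    "shop.example": {"93.184.216.34"},                  # benign public host
    "rebind.example": {"93.184.216.35", "10.0.0.5"},    # one public, one internal answer
    "2852039166": {"169.254.169.254"},                  # bare decimal that libc turns into the metadata IP
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


def demo():
    """Run the validator over constructed benign and attacker URLs; returns {url: ok}."""
    urls = [
        "https://shop.example/feed.xml",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://2852039166/latest/meta-data/",
        "http://rebind.example/",
        "http://127.0.0.1:8080/admin",
        "file:///etc/passwd",
        "http://admin:secret@shop.example/",
        "http://[fd00:ec2::254]/latest/meta-data/",
    ]
    return {u: vet_url(u, fake_resolver)[0] for u in urls}


if __name__ == "__main__":
    for u, ok in demo().items():
        print(("ALLOW " if ok else "BLOCK ") + u)
```

Only the first URL is allowed; the rest are the usual ways of smuggling a request to the metadata service or an internal host past a naive allow-list (IPv4-mapped IPv6, a decimal IP, a name with a mixed public/private answer, a non-HTTP scheme). Note the caveat in the docstring: the check is only as good as the address you then connect to, so pin the vetted IP and re-vet every redirect.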

By wordfence.com

And that's it for the round-up for this year; please do check in for our new batch of security news and posts in the New Year.

We wish you all a very Merry Christmas and a prosperous New Year.

See you all in January 2023.

 

Stay Safe, Secure and Healthy!

Edition #217 – 23rd December 2022

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Ironshare is a provider of Information and Cyber Security services.