In the ever-evolving field of cybersecurity, the New York State Department of Financial Services (NYS DFS) has rolled out critical updates to its regulations, effective November 1, 2023. The linked blog post covers the changes affecting covered entities in the financial sector: expanded risk assessments, stricter multi-factor authentication standards, and enhanced data encryption requirements, all designed to fortify defenses against emerging cyber threats. The updates demand a proactive approach, with a specific focus on timely reporting of cybersecurity events, and the post explores their potential implications for financial entities operating in New York State.
This Month in Cybersecurity - October Edition
Unpatched Cisco Zero-Day Vulnerability Actively Targeted
Cisco has announced a critical, unpatched security flaw in its IOS XE software. The flaw, tracked as CVE-2023-20198, has been assigned a severity of 10.0, the maximum rating on the CVSS scoring system.
The vulnerability allows threat agents to create accounts on affected systems at the highest privilege level and take control of the device. There is currently no true fix, and Cisco suggests disabling the HTTP server feature on internet-facing systems.
Similar vulnerabilities have been seen in other firewall brands, such as WatchGuard, which at the time impacted several local businesses. Cyber Defense has long recommended keeping administrative interfaces off the internet as a best practice and highlights this in penetration test reports.
Zoom Links Offer Exploitation Point for Organizations
Zoom offers Personal Meeting IDs (PMIs) so that meetings can be scheduled or created quickly and easily. A PMI is a personal meeting room that is available around the clock to you and your clients, but because the ID is static, anyone who learns the PMI or receives an embedded passcode link can enter that meeting room.
A security researcher has found that many organizations can have their meetings accessed by threat agents who want to gather private information shared in those meetings, either by impersonating a participant or by joining an ongoing meeting. Fortunately, the means of avoiding this are already built into Zoom, and the researcher suggests implementing at least one of the following:
Require a Passcode to Join
Only Allow Registered Users
And of course, there is always the choice to disable the Personal Meeting ID for public meetings altogether.
CISA Shares Knowledge of Vulnerabilities and Misconfigurations
CISA launched an initiative this year known as the Ransomware Vulnerability Warning Pilot to bring more attention to known vulnerabilities and, hopefully, prevent ransomware incidents. This week, it added new resources to this program: the “Known Exploited Vulnerabilities Catalog” and a “Misconfigurations and Weaknesses List”.
The Known Exploited Vulnerabilities Catalog, or KEV, lists vulnerabilities that CISA has determined to be exploited and notes whether each is known to have been used in ransomware campaigns. The Misconfigurations and Weaknesses List bolsters the KEV Catalog by covering non-CVE exploits and weaknesses created by misconfigurations.
Defensible Strategies
Learn from those who have been attacked
Genetic Testing Provider 23andMe Facing Lawsuits After Hack
Last month, a threat agent released a large file containing customer data gathered from the genetic testing provider. The company announced that the attacker used compromised user credentials to gain access to weakly secured accounts. The original threat agent withdrew the file in order to sell the data of specific profiles, but other agents have continued to post the original file.
Even users who had taken the additional step of enabling user-side security measures such as multi-factor authentication still found themselves victims of the breach, due to a lack of data protection on 23andMe’s side. Multiple lawsuits have been filed, citing the lack of information about the current safety of user data, the lack of detail about the attack itself, and the delay in 23andMe’s reporting of the incident.
This illustrates the value of reporting early and often, both to manage the reputational impact of a data breach and to reduce the liability associated with it. In case of a data breach, it is important to engage a breach coach as early as possible in the incident response process. Breach coaches, who are privacy-trained attorneys, are included in most cyber liability insurance policies.
2017 Equifax Data Breach Incurs $13.5 Million Fine
In 2017, Equifax was the victim of a data breach that resulted from improper management of data. The Financial Conduct Authority (FCA) of the United Kingdom determined that the leak happened because of a failure to manage and monitor consumer data that had been outsourced to the United States arm of the company.
The FCA also determined that Equifax’s security systems were “plagued with known weaknesses” and that no action was taken to rectify them. For this negligence and mishandling of data, the FCA has fined Equifax a total of $13.5 Million, on top of the $700 million settlement reached in the United States. The US courts also required the company to invest a minimum of $1 billion in improving its data security posture.
This Month in Cybersecurity - September Edition
Apple and Others Push Patch for New Vulnerabilities
On September 7th, a “zero-click” exploit (one that does not rely on the target opening or clicking anything) was found in the latest versions of iOS and iPadOS. The exploit was used to install spyware made by the Israeli cyber surveillance company NSO Group on affected devices. Apple quickly addressed this through its newer Rapid Security Response program and pushed an update to both operating systems.
Microsoft also struggled with another new bug within Microsoft Word that would allow threat agents to impersonate users and gain access to sensitive data and systems. Another flaw was found within the Microsoft Streaming Service Proxy, which is something built directly into the Windows 10, 11 and Server operating systems. Both of these vulnerabilities have been patched, and Microsoft urges users to make sure that they are on the latest security update for their OS.
Not to be left out from the big 3, Google also found an issue within Chrome that they say is being exploited. Google has told users to restart Chrome so that the update that was pushed to all users can close the exploit.
Fortinet Patches High-Severity Vulnerability
Fortinet has been dealing with a high-severity vulnerability that, according to the company, can be used to trigger the execution of malicious JavaScript code, allowing a threat agent to access sensitive data within the website. The biggest concern with an issue like this is the loss of personal data, or even payment data, stored within the website.
Another high severity issue was also found within their web application firewall and API protection solution. Fortinet has pushed updates to address both of these vulnerabilities, but has not stated whether they observed either of these exploits being used in attacks.
Microsoft Leaks Large Amounts of Private Data
Three years after the fact, it has been discovered that the Microsoft AI Research division leaked over 38TB of personal data belonging to its employees. The leak was caused by the team using a Shared Access Signature (SAS) that was excessively permissive. SAS tokens grant access to resources within an organization’s storage, but they have proven risky because of a lack of monitoring and governance and because they can be issued to allow access indefinitely.
The information that was leaked seems to be internal backups of personal information, archived Teams messages, and other information regarding Microsoft services. Microsoft has assured that no customer information was leaked in the incident and that the SAS tokens have been revoked, so that the access is no longer available.
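The two SAS weaknesses described above (over-broad permissions and an effectively indefinite lifetime) can be checked directly from the token's query string. The following audit function is an added example, not code from the original post or from Microsoft; the review thresholds, the storage account name and the signatures are constructed assumptions, and it inspects only the standard SAS fields (sp, se, sip, srt).

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Review thresholds are assumptions for this example, not Microsoft guidance.
MAX_LIFETIME_DAYS = 7
WRITE_PERMS = set("wdac")  # w=write d=delete a=add c=create

def _parse_time(value):
    """Parse the UTC date/time forms Azure accepts in the st/se fields."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def audit_sas_url(url, now):
    """Return a list of findings for an Azure Storage SAS URL, judged at `now`."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL: no sig parameter"]
    findings = []
    perms = set(q.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append("grants write/delete rights: sp=" + q["sp"])
    if "l" in perms:
        findings.append("grants list rights, so the whole container can be enumerated")
    expiry = _parse_time(q.get("se", ""))
    if expiry is None:
        findings.append("missing or unparseable expiry (se)")
    elif (expiry - now).days > MAX_LIFETIME_DAYS:
        findings.append(f"expires in {(expiry - now).days} days (limit {MAX_LIFETIME_DAYS})")
    elif expiry < now:
        findings.append("token already expired")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    if set(q.get("srt", "")) & set("sc"):  # account SAS at service/container scope
        findings.append("account SAS scoped to service/container level: srt=" + q["srt"])
    return findings

# Constructed samples (fake account and signatures): a broad, long-lived account
# SAS of the kind described in the story, and a narrow, short-lived blob SAS.
REVIEW_TIME = datetime(2023, 9, 18, tzinfo=timezone.utc)
BROAD_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2021-06-08&ss=b"
             "&srt=sco&sp=rwdlac&st=2020-07-20T00:00:00Z&se=2051-10-06T00:00:00Z"
             "&spr=https&sig=FAKE_SIGNATURE")
NARROW_SAS = ("https://examplestorage.blob.core.windows.net/models/weights.bin"
              "?sv=2021-06-08&sr=b&sp=r&se=2023-09-19T00:00:00Z&sip=203.0.113.10"
              "&spr=https&sig=FAKE_SIGNATURE")
```

Run `audit_sas_url(BROAD_SAS, REVIEW_TIME)` to see all five findings fire, while the narrowly scoped token returns an empty list.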
Defensible Strategies
Learn from those who have been attacked
Clorox Battling Product Shortage, Cyber Breach to be Blamed
Clorox announced in mid-August that it had identified unauthorized activity on its IT systems. Without disclosing the nature of the attack, Clorox proactively shut down some of its systems, which disrupted production for the company. It used the time the systems were offline to implement additional protections, and it also put in place several workarounds for offline operations.
The attack disrupted major operations, but Clorox is beginning to bring those systems back online and is ramping up production to get back on track. Clorox worked with law enforcement and third-party cybersecurity experts to determine the scope of the incident, but they are expecting it to have a significant impact on earnings and financial results.
Canadian Government the Target of Pro Russian Group
The Canadian Centre for Cyber Security has released statements saying that it has been receiving DDoS (distributed denial-of-service) attacks from a pro-Russian threat agent. DDoS attacks are malicious attempts to disrupt traffic to servers or networks by overwhelming them with a flood of traffic (think of a highway clogged by too many vehicles).
The attacks have been primarily in support of Russia’s invasion of Ukraine and are more a nuisance than a security risk, but they are something the Canadian agency is warning about. The attacks have focused on Canada’s transportation and financial sectors but have also targeted other levels of government.
This Month in Cybersecurity - August Edition
Microsoft’s Patched Vulnerability Added to Active Exploitation List by CISA
A recently patched flaw in Microsoft’s .NET and Visual Studio has been added to the Known Exploited Vulnerabilities catalog by CISA after evidence of active exploitation was provided. The patch had been released in an earlier Patch Tuesday update, in which Microsoft tagged the flaw as “Exploitation More Likely”.
The flaw, tracked as CVE-2023-38180, has been rated high severity, and CISA and Microsoft both recommend updating any affected versions to the latest vendor-provided fix by the end of August 2023. The software versions in question are as follows:
ASP.NET Core 2.1
.NET 6.0
.NET 7.0
Microsoft Visual Studio 2022 v17.2, v17.4, v17.6
CISA has also pointed out that the flaw can be exploited without any additional privileges or user interaction.
US Looking Into Microsoft Exchange Hack
As reported last month, in July 2023 a Chinese hacking group breached email accounts at several organizations, spanning US and Western European government agencies. The hackers used forged authentication tokens that had been stolen and exploited a vulnerability within Outlook.
In response to this event, the US Department of Homeland Security’s Cyber Safety Review Board (CSRB) will launch an investigation and in-depth review of cloud security practices. It plans to present findings on the critical events and root causes, along with possible remediation practices to better bolster identity management and authentication in cloud and cyber security. The CSRB will work with the current US Administration and CISA to disseminate the findings.
Flaw in Power Management Software Puts Data Centers at Risk
Researchers have been discovering vulnerabilities in commonly used applications and devices that control infrastructure at data centers. At a recent security conference, they presented at least nine different vulnerabilities across two companies’ products (CyberPower and Dataprobe) that, if exploited, could take down not only users but also power to the data centers themselves.
Data centers have become predominant as reliance on cloud computing and data hosting increases. These flaws can be incredibly impactful, since even briefly cutting power to server space can cost organizations that rely on that data potentially millions.
Defensible Strategies
Learn from those who have been attacked
Amazon Web Services Distances Itself From 3rd Party Software
After considerable backlash over the addition of a new feature, Amazon has decided to withdraw its association with the open source project Moq. The software library has drawn a lot of criticism for implementing, without notification, a new feature that has users worried about data collection.
The feature in question bundles another component, known as SponsorLink, which collects user email addresses and sends them to its content delivery network. Users have raised concerns about the software’s ability to collect data that could then be sold, which would be a major security concern for anyone using the library.
Alongside Amazon, others have said they will no longer use Moq while it includes SponsorLink, some going so far as to boycott the project, even though the developer behind Moq has since rolled back the release and removed SponsorLink.
No Safety Risk for Wi-Fi Vulnerability According to Ford
Ford has stated that the vulnerability in a Texas Instruments Wi-Fi driver, tracked as CVE-2023-29468, poses no safety risk to its vehicle occupants. The vulnerability has been tied to a Wi-Fi driver used in the Ford SYNC 3 infotainment system.
The car manufacturer has assured customers that to take advantage of the flaw, a threat agent would need significant expertise and would have to be physically near the vehicle while its ignition and Wi-Fi setting are on. Ford has said a software patch will be pushed soon; customers who remain concerned about the SYNC 3 flaw found in a few of its vehicles can simply disable the Wi-Fi setting until the patch is released.