This Month in Cybersecurity - February Edition

CISA Gives Warning of Active "Roundcube" Email Attacks

On February 12th, the United States' Cybersecurity and Infrastructure Security Agency (CISA) warned about a medium severity security flaw that it added to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was added after evidence was found of active exploitation and is being tracked as CVE-2023-43770 with a CVSS score of 6.1.

The exploitation uses plain text messages to deliver a malicious link reference, leading to information disclosure from the web-based email service. Roundcube addressed the flaw in version 1.6.3, which was released in September of last year, but users who have not updated to this version are still vulnerable to this exploit.


New FortiOS Zero Day Exploit Announced

Earlier this month, Fortinet announced that it had patched a critical remote code execution vulnerability found in its FortiOS platform. The flaw, tracked as CVE-2024-21762, was announced by Fortinet with a statement that it may have been exploited in the wild. The impacted OS versions are as follows:

  • 6.0

  • 6.2

  • 6.4

  • 7.0

  • 7.2

  • 7.4

Patches have been released for all versions EXCEPT version 6.0, and Fortinet is advising users on that version to upgrade to the latest build, 7.6, which is not affected by the vulnerability.

While Fortinet did not release details of potential attacks involving the vulnerability, the advisory was released alongside information that some customers have yet to patch two other, older vulnerabilities that have been actively exploited by threat agents in China.


Malware "Pikabot" Makes Resurgence

Threat agents have made significant changes to an existing malware known as Pikabot that reduce the complexity of its code. The security researchers tracking Pikabot noted that this is a devolution of the malware, which has streamlined itself to frustrate analysis efforts.

Pikabot and another loader called DarkGate have both emerged as attractive replacements for threat agents who were using older malware to gain access to a target's network. These developments have come to light during an ongoing cloud account takeover campaign that has affected hundreds of compromised user accounts across dozens of Microsoft Azure environments, especially accounts belonging to senior executives.


Defensible Strategies

Learn from those who have been attacked

Romanian Hospitals Offline After Ransomware Attack

After a ransomware attack over the weekend of February 10th, dozens of hospitals and healthcare facilities were knocked offline. The attack targeted the Hipocrate Information System by deploying the Backmydata ransomware, which encrypted data belonging to the healthcare facilities.

Romania's National Cyber Security Directorate (DNSC) announced that most of the impacted hospitals have fresh backups of their data, which will allow for fast restoration of all systems; for now, the hospitals have isolated the impacted systems. According to an affected cancer treatment organization, all of its servers were shut down and it had to register over 180 patient admissions on paper.

Situations like these show why it is important to have a Business Continuity and Disaster Recovery Plan (BC/DR) in place. If you need help reviewing your BC/DR or have any questions about getting one set in place, please feel free to reach out!


Generative AI and Cybersecurity in 2024

Last year, generative AI rose from a headline-grabbing novelty to an indispensable tool for increasing productivity. Cybersecurity experts have now had a full year to observe how threat agents and cyber criminals are using it to bolster their attacks, and they have started to report on the most common ways they have seen AI used.

Threat agents are using generative AI in several ways to expand their attack repertoire, including combining the two types of phishing through social engineering. In the past, threat agents had to choose between broad phishing attempts that catch a few vulnerable targets, or a more hands-on approach of actively researching the target, known as 'whale phishing'. Generative AI has given threat agents the ability to join these two together, allowing for tonally convincing messages at mass scale.

There have also been attempts to create 'unstoppable' malware using AI, though nothing has come of that at this time. AI has, however, been used to review the source code of open source software and find not only disclosed vulnerabilities but some previously unknown ones as well.

This Month in Cybersecurity - January Edition

WordPress Plugin Containing Vulnerabilities Found in over 300,000 Websites

According to security researchers, two flaws were discovered in December inside a mailer plugin used by WordPress-hosted websites. The researchers stated that the flaws affected over 300,000 websites and were discovered within a few weeks of each other. One flaw allowed the hijacking of the password reset function through the plugin's authentication API, and the other allowed threat agents to insert dangerous or malicious code into the web pages.

WordPress was notified of the findings along with proof-of-concept code demonstrating how the flaws could be exploited, and, to everyone's benefit, WordPress worked over the holiday break and released an update that addressed these flaws (version 2.8.8 of the POST SMTP Mailer plugin). The researchers noted that only 53% of the plugin installations are currently running the latest updated version, leaving those who have not updated vulnerable.

Incidents like this show why it is imperative not only to keep your software and any associated plugins up to date, but also to audit your third-party risk management practices and plans. If you need any help with this, please feel free to reach out to Cyber Defense!


Critical Password Reset Vulnerability at GitLab Patched

GitLab has resolved a critical authentication vulnerability that allowed threat agents to hijack password reset emails. The vulnerability affected all GitLab accounts that allowed logins with a username and password. Even accounts with two-factor authentication (2FA) were subject to password reset, but not full takeover, as the vulnerability did not grant access to the 2FA tokens.

The vulnerability centered on an option that allowed users to reset their account passwords with a secondary email, but the flaw meant that the secondary email did not need to be verified, allowing threat agents to use email addresses not associated with the account to receive the reset email. GitLab has updated all instances of its software to close this vulnerability, but it still recommends that all users update to the latest version and enable 2FA on all accounts.
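As an added illustration (constructed for this newsletter, not GitLab's own code), the following Python contrasts the weak pattern described above, where a reset form that accepts several addresses mails all of them, with a hardened handler that only mails addresses the account owner has already verified. The account directory and addresses are constructed sample data.

```python
"""Password-reset target selection: weak pattern vs. hardened (constructed example)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    username: str
    primary_email: str
    # secondary address -> whether the owner has confirmed control of it
    secondary_emails: dict = field(default_factory=dict)


# Constructed sample directory: one verified and one unverified secondary address.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com",
                     {"alice.home@example.net": True, "unconfirmed@example.org": False}),
}


def lookup_by_email(email):
    """Resolve an account from any address attached to it, verified or not."""
    for acct in ACCOUNTS.values():
        if email == acct.primary_email or email in acct.secondary_emails:
            return acct
    return None


def reset_targets_weak(requested):
    """Weak: if any submitted address matches an account, mail the token to ALL submitted
    addresses. An extra, unverified address in the form therefore also receives the link."""
    for email in requested:
        if lookup_by_email(email) is not None:
            return list(requested)
    return []


def reset_targets_hardened(requested):
    """Hardened: resolve the account, then keep only addresses that belong to it AND are verified."""
    acct = None
    for email in requested:
        acct = lookup_by_email(email)
        if acct is not None:
            break
    if acct is None:
        return []  # unknown account: send nothing, reveal nothing
    verified = {acct.primary_email} | {e for e, ok in acct.secondary_emails.items() if ok}
    return sorted(e for e in set(requested) if e in verified)


def issue_token():
    """Single-use, unguessable reset token; pair it with a short expiry when stored."""
    return secrets.token_urlsafe(32)
```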


Windows SmartScreen Bypass Exploited In Attacks

Trend Micro released a report showing that a recent vulnerability in Windows SmartScreen is actively being exploited in attacks. Threat agents combine the exploit with social engineering and phishing to get unwitting users to click a URL that does not trigger the Windows Defender SmartScreen checks, allowing the delivery of malicious code.

According to Microsoft, the security defect has been patched, but Trend Micro reports that it is actively being used in a malicious campaign to deliver a malware strain that harvests information to be leveraged against the affected company. The malware not only steals data from web browsers and various messaging applications, it also takes screenshots and gathers system information for the threat agents to exploit.

Vulnerabilities like these show why, despite the systems in place to protect us from phishing attempts, nothing can replace knowledge and best practices when dealing with sensitive information and outside sources. If you have any questions, or would like to look into having your employees trained for situations like these, please reach out!


Defensible Strategies

Learn from those who have been attacked

Operation Triangulation Deemed Most Sophisticated iPhone Hack

A hidden hardware function in iPhones was found to be at the center of what Kaspersky's security researchers are calling the most sophisticated hack they have seen involving Apple. The vulnerability was used to spy on an undisclosed key political figure, and the unknown threat agent did not pursue mass deployment, even though they used the exploit for roughly four years.

The exploit, similar to the Pegasus attacks that plagued iPhone users a few years ago, relied on iMessage to backdoor the iPhone, but it also relied on three other vulnerabilities, one of which was the hidden hardware function, resembling a developer debug feature. The researchers were not able to determine how the threat agent found this flaw, as the hardware function does not appear to have been documented anywhere and could have been included in the phone by accident.

Apple has since patched the exploits that made Operation Triangulation possible, so most people should have no worries, but researchers point to examples like these as reminders that, despite Apple's reputation for being more secure, threat agents will never stop trying to get into personal devices to leverage information.


SonicWall Firewalls Found to be Vulnerable to Potential Attacks

Security researchers have found over 178,000 next-gen firewalls from SonicWall with their management interface exposed online. These are potentially affected by the security flaws CVE-2022-22274 and CVE-2023-0656, which share the same exploitation technique and code path and differ only in where along that path they occur.

These flaws allow remote code execution (RCE) attacks, in which threat agents execute malware on a remote device over public or private networks. Where the threat agent cannot gain full control, they can still push the firewall into maintenance mode, causing denial of service.

SonicWall's Product Security Incident Response Team has stated that it has no knowledge of active exploitation, but advises updating to the latest firmware versions as soon as possible.

Navigating the Challenges of SSPR: A Balanced View on the DFS Industry Letter

Discover practical insights in our latest blog post on navigating the complexities of Self-Service Password Reset (SSPR) systems for small businesses. As we delve into the New York State Department of Financial Services (DFS)'s recent guidelines, we uncover the unique challenges faced by smaller entities in implementing these security measures. Learn about the real-world implications of the DFS's recommendations and explore viable, resource-conscious compensating controls. This post is a must-read for small business owners and information security professionals seeking practical solutions in a landscape dominated by stringent security demands. Stay ahead in information security with our expert analysis and tailored advice.


Don't Get Breached: How the DFS Part 500 Amendment Strengthens Insurance & Finance Resilience

In a sea of shifting regulatory landscapes, the New York Department of Financial Services (NYDFS) has dropped a new anchor: the Part 500 amendment. This critical update significantly strengthens cybersecurity mandates for insurance and finance players, placing business continuity and disaster recovery (BCDR) plans at the helm of resilience.

But are these companies truly prepared for the data breach tsunami this amendment anticipates?

This comprehensive blog dives deep into the revised requirements, unpacking key changes like:

  • Deeper risk assessments: Forget surface-level skimming! The amendment demands deep dives into vulnerabilities and specific data breach scenarios.

  • Beyond the basics: Dust off those outdated "power outage" plans. Robust data breach response, containment, and recovery protocols are now center stage.

  • Boardroom buy-in: Cybersecurity isn't just an IT issue anymore. Senior management and boards are now crucial players in building a secure future.

Don't get swept away by the tide of cyber threats! Whether you're a seasoned insurance giant or a nimble fintech startup, this blog equips you with actionable steps to navigate the new landscape and build a fortress against data breaches.

Discover:

  • Expert tips for crafting a watertight BCDR plan

  • Common pitfalls to avoid in your data breach response

  • Why proactive preparedness is your strongest defense

Ready to weather the storm of cyberattacks with confidence? Then chart your course!
