Threat Intelligence Blog

Contact our Experts Now

Subscribe to our Weekly Cyber Threat Intelligence Briefing

Black Arrow Admin 21/03/2023 Black Arrow Admin 21/03/2023

Black Arrow Cyber Insight 21 March 2023 – Attackers Mainly Focused on Zero-Days from Microsoft, Google and Apple in 2022

Executive Summary

Mandiant recently published their report on zero-day attacks in 2022. A zero-day attack is an attack that relates to a previously unknown vulnerability and for the third year running, Microsoft, Google and Apple were the most frequently targeted by zero-day attacks. The most exploited avenues of attack were operating systems and browsers.

What’s the risk to me or my business?

A significant number of users include Microsoft, Google and or Apple as part of their supply chain and must therefore be aware of vulnerabilities in these vendors. It is not unusual for an exploited zero-day vulnerability to have a delay between the time it is discovered and the time it is patched; although sometimes a workaround is released in the meantime. The delay between disclosure and patching can potentially contribute to many systems remaining unpatched for months and workarounds can create a false sense of security during this period. An unpatched system leaves an organisation’s data at risk from compromise.

What can I do?

It is increasingly important for organisations to efficiently and effectively prioritise their patching and understand their part in the process; this should include organisations being aware of which systems are awaiting a patch, and of these, which are critical. Organisations who use SaaS solutions typically benefit from the vendor deploying patches but organisations should not become complacent and should, where appropriate, seek assurance that systems are indeed patched up to date.

To be more cyber resilient, organisations should make use of threat intelligence as part of their attack surface management and understanding of actively exploited vulnerabilities.

The report conducted by Mandiant can be found here: https://www.mandiant.com/resources/blog/zero-days-exploited-2022

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 19/03/2023 Black Arrow Admin 19/03/2023

Black Arrow Cyber Threat Briefing 17 March 2023

Black Arrow Cyber Threat Briefing 17 March 2023:

-Almost Half of IT Leaders Consider Security as an Afterthought

-Over $10bn Lost To Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says

-Over 721 Million Passwords Were Leaked in 2022

-How Much of a Cyber Security Risk are Suppliers?

-90% of £5m+ Businesses Hit by Cyber Attacks

-Rushed Cloud Migrations Result in Escalating Technical Debt

-17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

-Microsoft Warns of Large-Scale Use of Phishing Kits

-BEC Volumes Double on Phishing Surge

-The Risk of Pasting Confidential Company Data in ChatGPT

-Ransomware Attacks have Entered a New Phase

-MI5 Launches New Agency to Tackle State-Backed Attacks

-Why Cyber Awareness Training is an Ongoing Process

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Black Arrow Cyber Advisory 15 March 2023 – Microsoft Patch Tuesday, Fortinet, Adobe, SAP, Android and Chrome Security Updates Summary

Executive Summary

Security updates have been released for Microsoft, Fortinet, Adobe, SAP, Google Chrome and Android to fix a range of security issues.

Microsoft

Microsoft’s March Patch Tuesday provides updates to address 74 security issues across its product range, including two actively exploited vulnerabilities (CVE-2023-23397 and CVE-2023-24880). The two exploited vulnerabilities include an elevation of privilege vulnerability and a security bypass feature. Also among the updates provided by Microsoft were 9 critical vulnerabilities.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to bypass security features to upload malicious files, remotely execute code and gain SYSTEM privileges; all of which could compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.

Technical Summary

The following is a breakdown of the actively exploited vulnerabilities which affected Microsoft Operating Systems:

CVE-2023-23397: A vulnerability which allows specially crafted emails to force a victim device to connect to an external location of attacker control, providing the attacker with the victims’ authentication details. The email does not need to be read in the preview pane as the vulnerability is triggered when it is received and processed by the email server.

Please see our earlier advisory on this particular actively exploited vulnerability.

CVE-2023-24880: A vulnerability that allows an attacker to craft a malicious file which evades mark of the web (MOTW) security features and is actively being exploited in ransomware attacks.

Along with Microsoft’s patch Tuesday, the following vendors have also addressed vulnerabilities this month:

Fortinet

As reported in our blog previously, Fortinet disclosed 15 vulnerabilities this month; this includes the actively exploited vulnerability CVE-2022-41328. This vulnerability is a path transversal vulnerability in FortiOS which can allow a privileged actor to read and write files via crafted command line interface commands. The vulnerability is actively being exploited against governments and large organisations.

Adobe

This month, Adobe released fixes for 105 vulnerabilities across Adobe Creative Cloud Desktop, ColdFusion, Dimension, Experience Manager, Illustrator and Photoshop. At current, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.

SAP

Sap have released fixes for 21 vulnerabilities, including code injection and improper access control vulnerabilities. A total of 9 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.

Google

-Android

Android addressed 60 vulnerabilities this month. Amongst the vulnerabilities are two critical remote code execution vulnerabilities CVE-2023-20951 and CVE-2023-20954.

-Chrome

Google addressed 40 vulnerabilities in the Chrome Web Browser, with 8 vulnerabilities rated as high-severity.

Further details of the updates within Microsoft’s March patch Tuesday can be found here: https://www.ghacks.net/2023/03/14/microsoft-windows-security-updates-march-2023-what-you-need-to-know-before-installation/

Further details of CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397

Further details of CVE-2023-24880 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880

Further details of CVE-2022-41328 can be found here: https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis

Further details of the vulnerabilities addressed by Fortinet can be found here: https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories

Further details of the vulnerabilities addressed by SAP can be found here: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Further details of the vulnerabilities addressed by Adobe Creative Cloud Desktop can be found here: https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html

Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here: https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html

Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Further details of the vulnerabilities addressed in Adobe Experience Manager can be found here: Adobe Security Bulletin

Further details of the vulnerabilities addressed in Adobe Illustrator can be found here: https://helpx.adobe.com/security/products/illustrator/apsb23-19.html

Further details of the vulnerabilities addressed in Adobe Photoshop can be found here: https://helpx.adobe.com/security/products/photoshop/apsb23-23.html

Further details of the vulnerabilities addressed in Adobe Substance 3D Stager can be found here: https://helpx.adobe.com/security/products/substance3d_stager/apsb23-22.html

Further details of the Android vulnerabilities can be found here: https://source.android.com/docs/security/bulletin/2023-03-01#2023-03-05-security-patch-level-vulnerability-details

Further details of the vulnerabilities addressed by Google can be found here: https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 15/03/2023 Black Arrow Admin 15/03/2023

Black Arrow Cyber Advisory 15 March 2023 – Microsoft Releases Patch for Critical Outlook/365 Vulnerability Under Active Exploitation

Executive Summary

This week Microsoft released a patch for a critical actively exploited privilege escalation vulnerability in Microsoft Outlook. The vulnerability is tracked as CVE-2023-23397.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to gain authentication details from a targeted machine. These details can then be relayed to other systems or brute-forced offline, leading to compromise of the account.

Technical Summary:

The vulnerability allows an attacker to craft malicious emails which force a target device to connect to a remote UNC of the attackers choice. A UNC is a path that can be used to access network resources. Upon connection, the Net-NTLMv2 hash, which is a hash of the victim’s password is leaked to the attacker. The attacker can then relay this hash to authenticate as the victim on other services or decode the hash offline. At no point does the email need to be previewed or opened, it is triggered as soon as it is received and processed by the email server.

What can I do?

It is recommended that organisations apply the latest patches as soon as possible as this vulnerability is recorded as actively exploited. In their analysis, Microsoft recorded that this vulnerability was exploited by Strontium, a state-sponsored Russian hacking group. Organisations using strictly off-premises solutions are not impacted.

Further information on CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 12/03/2023 Black Arrow Admin 12/03/2023

Black Arrow Cyber Threat Briefing 10 March 2023

Black Arrow Cyber Threat Briefing 10 March 2023:

-Business Email Compromise Attacks Can Take Just Hours

-Research Reveals ‘Password’ is Still the Most Common Term used by Hackers to Breach Enterprise Networks

-Just 10% of Firms Can Resolve Cloud Threats in an Hour

-MSPs in the Crosshair of Ransomware Gangs

-Stolen Credentials Increasingly Empower the Cyber Crime Underground

-It’s Time to Assess the Potential Dangers of an Increasingly Connected World

-Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards

-Developers Leaked 10m Credentials Including Passwords in 2022

-Cyber Threat Detections Surges 55% In 2022

-European Central Bank Tells Banks to Run Cyber Stress Tests after Rise in Hacker Attacks

-Employees Are Feeding Sensitive Business Data to ChatGPT

-Is Ransomware Declining? Not So Fast Experts Say

-Preventing Corporate Data Breaches Starts With Remembering That Leaks Have Real Victims

-Faced With Likelihood of Ransomware Attacks, Businesses Still Choosing to Pay Up

-Experts See Growing Need for Cyber Security Workers as One in Six Jobs go Unfilled

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber threat intelligence experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Black Arrow Cyber Advisory 10 March 2023 – Fortinet, Cisco and Veeam Vulnerabilities Roundup

Executive Summary

Fortinet have disclosed 15 security issues across a range of products including 5 “high” rated vulnerabilities and a “critical” vulnerability that allows an unauthenticated attacker to perform denial of service attacks or execute arbitrary code. Cisco has identified a “high vulnerability” with IOS XR software for the ASR 9000 Series routers. Veeam have disclosed a “high vulnerability” that allows an unauthenticated attacker to request encrypted credentials which may lead to gaining access to the backup infrastructure host.

What’s the risk to me or my business?

Successful exploitation of the Cisco vulnerability tracked as CVE-2023-20049 allows the attacker to cause line card exceptions or hard rests which can lead to traffic loss and denial of service conditions.

The following models are vulnerable if they have Bidirectional forwarding detection (BFD) hardware offload enabled.

ASR 9000 Series Aggregation Services Routers only if they have a Lightspeed or Lightspeed-Plus-based line card installed.
ASR 9902 Compact High-Performance Routers
ASR 9903 Compact High-Performance Routers

A successful exploitation of the Critical Fortinet vulnerability tracked as CVE-2023-25610 allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) conditions in an administrative interface.

The following devices are vulnerable to both the RCE and DoS:

FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions

A full list of vulnerable hardware devices that are impacted by the Denial of Service can be found on the FortiGuard website.

A successful exploitation of the high Veeam vulnerability tracked as CVE-2023-27532 can allow an unauthenticated attacker to request encrypted credentials which may lead to the attacker gaining access to the backup infrastructure of the host.

This vulnerability affects all Veeam Backups and Replication versions but is resolved in the following:

12 (build 12.0.0.1420 P20230223)
11a (build 11.0.1.1261 P20230227)

What can I do?

Cisco has released software updates that address the vulnerability and should be installed. Alternatively, a workaround has been provided which is to disable all bfd hardware offload features, which can be done by removing all hw-module bfw-hw-offload enable commands and resetting the card.

Fortinet has provided solutions to each of the vulnerabilities it has disclosed, and it is recommended that the patches released for the vulnerabilities are installed.

Veeam has released a patch and should be installed, however they suggest that if you are using an earlier version to upgrade to the current supported version first. Alternatively, if you are using an all-in-one Veeam appliance with no backup infrastructure components, external connections to Port TCP 9401 should be filtered until the patch is installed.

Further information on the vulnerabilities be found here:

Cisco IOS XR software update - https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu

Cisco IOS XR Software Security Advisory-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bfd-XmRescbT

Fortinet CVE-2023-25610 advisory and solution - https://www.fortiguard.com/psirt/FG-IR-23-001

Fortiguard vulnerability advisory- https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories

Veeam advisory - https://www.veeam.com/kb4424

Veeam Solution - https://www.veeam.com/product-lifecycle.html?ad=in-text-link

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 09/03/2023 Black Arrow Admin 09/03/2023

Black Arrow Cyber Advisory 09 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk

Black Arrow Cyber Advisory 08 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk

Executive Summary

Security Researchers at Quarkslab have identified two critical vulnerabilities (CVE-2023-1017 and CVE-2023-1018) in The Trusted Platform Module (TPM) firmware; TPMs are used by most modern PCs to make them resistant to tampering and the vulnerabilities could affect billions of devices.

What’s the risk to my business?

Successful exploitation of the vulnerabilities could lead to local information disclosure, including the ability for attackers to make the TPM unavailable leading to denial of service, read sensitive data or escalate privileges. In some cases, an attacker can overwrite protected data in the TPM and go undetected. To be able to exploit the vulnerabilities the attacker would require access to a TPM-command interface to send maliciously crafted-commands to a vulnerable TPM.

What can I do?

The Trusted Computing Group (TCG) have released an updated version of their TPM2.0 library specification: TPM 2.0 library Specifications v1.59 Errata Version 1.4. Once this update has been incorporated within Operating System and Original Equipment Manufacturer (OEM) firmware, it is recommended this updated version is installed. For the meantime, remote attestation may help identify it any changes have been made to the TPM.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Documentation for the upgrade can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf

An Advisory from the Trusted Computer Group can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf

CVE-2023-1017 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1017

CVE-2023-1018 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1018

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Alert 07 March 2023 – ACTION REQUIRED: New Hiatus Hacking Campaign Targets DrayTek Routers to Spy on Businesses

Executive Summary

An ongoing hacking campaign known as “Hiatus” is targeting DrayTek Vigour router models 2960 and 3900 to monitor and steal data from businesses.

What’s the risk to my business?

If exploited successfully, the attacker is able to remotely execute commands on the router, and monitor and control traffic that passes through the router including file-transfer and email communications.

Technical Summary:

Research by Black Lotus Labs has found the campaign involves following:

A Bash script to deploy two executables to the targetdevice, post-exploitation. These are:
- HIATUS Remote Access Trojan
- A variant of ‘tcpdump’ that enables packet capture

Once this script has been executed the ‘HiatusRAT’ and ‘tcpdump’ variant are downloaded to a directory created by the script located at ‘/database/.updata’ and are then executed. The malware will listen on TCP port 8816 and if this port is already in use, the process on that port is terminated so that the malware can use it instead. Once the malware has been sucessfully enabled on this port, a second process collects information about the victim device and sends it to a Command and Control (C2) server operated by the attacker (104.250.58.192); an additional C2 server (46.8.113.227) is also used by the attacker to receive information captured by the packet-capture tool . The packet capture tool observes ports associated with mail server and FTP connections, this include TCP ports 21, 25, 110, 143.

What can I do?

It is not currently known how the DrayTek routers have been initially compromised and Draytek have not yet released a security update to resolve any associated known vulnerability. The following actions can be taken to help mitigate and identify if a device has been impacted:

Prevent outbound network traffic on TCP port 8816, to disable the malware’s outbound communication.
Block network traffic to or from the following IP addresses: 104.250.58.192 and 46.8.113.227
Check the following location on vulnerable devices for any files in that location, as this would be an indicator of compromise (IoC): ‘database’ and ‘/database/.updata’
Configure continuous security monitoring to detect anomalous activity that may be indicative of a compromise.

Further indicators of compromise can be found here: https://github.com/blacklotuslabs/IOCs/blob/main/Hiatus_IoCs.txt

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

A link to the report from Black Lotus Labs can be found here: https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/?utm_source=press+release&utm_medium=referral

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Alert 07 March 2023 – Black Lotus UEFI Bootkit Malware Bypasses Secure Boot

Executive Summary

A new UEFI bootkit called BlackLotus (not to be confused with Black Lotus Labs) has become the first publicly known malware with the capability of bypassing secure boot defences, rendering it a serious threat. A bootkit is a malicious program designed to load as early as possible during the boot process, before other security components are loaded and BlackLotus does this by targeting the UEFI which is low level firmware, responsible for booting up most modern computers.

What’s the risk to my business?

Successful exploitation allows an attacker to effectively control the computer and allow them to remotely execute code and gain the highest level of privilege. Successful exploitation requires the attacker to either have remote privileged access, or physical access to the target computer.

Technical Summary

The bootkit exploits CVE-2022-21894, which is a Secure Boot vulnerability. Although patched by Microsoft in January, the vulnerable signed binaries are not on the UEFI revocation list which flags boot files that should not be trusted and as such the malware can run on “patched” systems. Once the bootkit has run successfully, it is engineered to communicate with a command-and-control server, allowing the bootkit to retrieve additional user-mode or kernel-mode malware.

What can I do?

There is currently no known patch and the bootkit can run even on fully patched Windows 11 systems which have Secure Boot enabled. Security controls to mitigate this vulnerability from being exploited should focus on preventing an attacker from obtaining remote privileged access to the device through secure identity and access management, or to prevent unauthorised individuals from having physical access to the device. Black Arrow will continue to monitor the situation, and this alert will be updated when more information is made available.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Research on BlackLotus malware can be found here: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

Details for CVE-2023-21716 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21716

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Advisory 07 March 2023 – Microsoft Word Proof of Concept Exploit Released for Recently Patched RCE Vulnerability

Executive Summary

CVE-2023-21716 is a Microsoft Word critical remote code execution vulnerability discovered last year, which has been patched in Microsoft’s February patch Tuesday. Security Researcher Joshua Drake has released a Proof of Concept (PoC) for the vulnerability and it’s so small it can fit in a tweet. The PoC requires the victim to simply just preview or open a malicious file, which could arrive in a multitude of ways, such as an email.

What’s the risk to my business?

Successful exploitation allows an attacker to remotely execute code, impacting the confidentiality, integrity and availability of the data held by an organisation.

What can I do?

The vulnerability was patched as part of Microsoft’s February patch Tuesday, so only unpatched versions of Microsoft Office Word remain vulnerable. It is therefore recommended to apply the patches if not done so already. Additionally, the impact can be mitigated by enabling protected view in Microsoft Office Word, which is enabled by default. Protected view is a read-only mode where most editing functions are disabled.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

The proof of concept can be found here: https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

Details for CVE-2023-21716 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21716

Black Arrow Admin 04/03/2023 Black Arrow Admin 04/03/2023

Black Arrow Cyber Threat Briefing 03 March 2023

Black Arrow Cyber Briefing 03 March 2023:

-It’s Time to Evaluate Your Security Education Plan Amongst the Rise in Social Engineering Attacks

-Mobile Users are More Susceptible to Phishing Attacks

-Phishing as a Service Stimulates Cyber Crime

-Attacker Breakout Time Drops to Just 84 Minutes

-Attackers are Developing and Deploying Exploits Faster Than Ever

-Old Vulnerabilities are Haunting Organisations and Aiding Attackers

-Scams Drive Nearly $9bn Fraud Surge in 2022

-Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This

-Cyber Security in This Era of Polycrisis

-Russian Ransomware Projects Rebranded to Avoid Western Sanctions

-Ransomware Attacks Ravaged Big Names in February

-Firms Who Pay Ransom Subsidise New Attacks

-How the Ukraine War Opened a Fault Line in Cyber Crime

Black Arrow Cyber Advisory 03 March 2023 – Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web User Interface Vulnerabilities

Executive Summary

Multiple Vulnerabilities in the web-based management interface for the Cisco IP Phones: 6800, 7800, 7900, and 8800 have been identified. The vulnerabilities are tracked as CVE-2023-20078 and CVE-2023-20079.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to remotely execute code or cause a denial of service (DoS). The vulnerabilities are not dependent on each other and can therefore be executed without requiring the other one.

What can I do?

There are no workarounds, and it is recommended that the patches for the vulnerabilities released by CISCO are installed.

The following models and firmware versions are impacted:

· IP Phone 6800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

· IP Phone 7800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

· IP Phone 8800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

Due to the following products having reached the end of life process, there is no patch available:

· Cisco Unified IP Phone 7900 Series

· Cisco Unified IP Conference Phone 8831

· Cisco Unified IP Conference Phone 8831 with Multiplatform Firmware

Further information on the vulnerabilities be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 01/03/2023 Black Arrow Admin 01/03/2023

Black Arrow Cyber Alert 01/03/2023 – ACTION REQUIRED: LastPass Security Incident Update

Black Arrow Cyber Alert 01/03/2022 – ACTION REQUIRED: LastPass Security Incident Update

Executive Summary

Yesterday (28 February 2023), LastPass provided an update on their recent security incident that was disclosed on 22 December 2022. LastPass explained how information stolen in a breach that had taken place in August 2022 was then used to conduct a separate breach in December 2022; the latter breach then allowed access to the LastPass encrypted Amazon S3 buckets.

LastPass also revealed more about how the incidents happened. In the first incident the threat actor did not have the decryption keys and they were unable to decrypt some data. The threat actor identified that a DevOps engineer had access to the decryption key and as a result the DevOps engineer’s home computer was targeted. Through exploiting a vulnerable third-party software package, the threat actor was able to install a keylogger and capture the engineers’ master password as it was entered. Once the engineer had authenticated with multi factor authentication (MFA), the threat actor then had access to the LastPass corporate vault.

What’s the risk to my business?

The incident has resulted in a significant amount of data being accessed[1]. LastPass has stated that the compromised backup of the customer base was dated 14 August 2022 and that any accounts created after that date are not affected. A full list, including descriptions is available from LastPass; a summary of main items is presented below:

Business customers - General

MFA seeds
Splunk Security Information and Event Management (SIEM) integration secrets
“Push” site credentials
SCIM, Enterprise API and SAML keys
Billing addresses
Company name
Tax id
Email address
End user name
IP address of trusted devices
Telephone number
Mobile device unique identifier
Number of iterations that a customer was configured to use

Business customers - Non federated

Hashes of temporary and account recovery one-time passwords
MFA API integration secrets
One-time password seeds

Business Customers - Federated

Split knowledge component “K2” keys

What can I do?

Recommended actions depend on whether the user environment is federated or not. Federated users are users who are authenticated with an identify provider such as Azure Directory, which then allows the user to access LastPass. Non-federated users will access LastPass using a LastPass username and password. The recommended actions are as follows:

Federated users

For federated environments, organisations should consider de-federating and re-federating all users, and request users to rotate all vault credentials based on the organisation’s risk tolerance. If credentials are to be rotated, critical credentials should be prioritised.

Non-federated users

Where non-federated users have employed the use of MFA, administrators should clear all MFA shared secrets[2] as this will destroy all LastPass sessions and require the user to log back in and re-enable MFA. Where MFA is not in use, we strongly recommend it is enforced as soon as possible. Administrators should also consider requiring users to reset their master passwords[3].

General

To maximise security for your users, LastPass recommend reviewing iteration count settings and recommend that users change to 600,000 iterations[4] which is the recommended number by OWASP.

A super administrator or “break-glass” account is a privileged account reserved for unrestricted emergency access. Where a super administrator or “break glass” administrator account is present, it is recommended by LastPass that at least one of these is not federated and has a master password and strong iteration account as per LastPass guidance. Where the password is not strong, it should be reset immediately. It is recommended that MFA also be reset, to reduce the risk of compromise.

Additional considerations include the review of vault item password policies, user security scores, security of shared folders and monitoring of the dark web.

As always, organisations should remain vigilant as threat actors may use this event to conduct phishing campaigns.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

[1] https://support.lastpass.com/help/what-data-was-accessed

[2] https://support.lastpass.com/help/reset-mfa-settings-for-google-authenticator-microsoft-authenticator-and-grid

[3] https://support.lastpass.com/help/enterprise-admin-management-of-master-passwords-lp010025

[4] https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators

Black Arrow Admin 26/02/2023 Black Arrow Admin 26/02/2023

Black Arrow Cyber Threat Briefing 24 February 2023

Black Arrow Cyber Briefing 24 February 2023:

-Employees Bypass Cyber Security Guidance to Achieve Business Objectives

-Three Quarters of Businesses Braced for Serious Email Attack this Year

-The Cost of Living Crisis is Triggering a Wave of Workplace Crime

-Fighting Ransomware with Cyber Security Audits

-Record Levels of Fraud Impacting 90% of Payment Compliance Teams

-CISOs Struggle with Stress and Limited Resources

-Cyber Threats and Regulations Mount for Financial Industry

-HardBit Ransomware Wants Insurance Details to Set the Perfect Price

-Social Engineering is Becoming Increasingly Sophisticated

-A Fifth of Brits Have Fallen Victim to Online Scammers

-Cyber Attacks Hit Data Centres to Steal Information From Companies

-Phishing Fears Ramp Up on Email, Collaboration Platforms

-The War in Ukraine has Shaken up the Cyber Criminal Eco-system

-Police Bust €41m Email Scam Gang

Black Arrow Cyber Threat Briefing 17 February 2023

Black Arrow Cyber Threat Briefing 17 February 2023:

-High Risk Users May be Few, but the Threat They Pose is Huge

-The Cost of Cyber Security Insurance is Soaring so Firms Need to Take Prevention More Seriously

-Cyber Attacks Worldwide Increased to an All-Time Record Breaking High

-Most Organisations Make Cyber Security Decisions Without Insights

-Ransomware Attackers Finding New Ways to Weaponise Old Vulnerabilities

-Are Executives Fluent in IT Security Speak? 5 Reasons Why the Communication Gap is Wider Than You Think

-Business Email Compromise Groups Target Firms with Multilingual Impersonation Attacks

-EU Countries Told to Step up Defence Against State Hackers

-Cyber Criminals Exploit Fear and Urgency to Trick Consumers

-How to Manage Third Party and Supply Chain Cyber Security Risks that are Too Costly to Ignore

-Russian Spear Phishing Campaign Escalates Efforts Towards Critical UK, US and European Targets

-5 Biggest Risks of Using Third Party Managed Service Providers

-Cyber Crime as a Service: A Subscription Based Model in the Wrong Hands

Black Arrow Cyber Advisory 16/02/2023 – Citrix Releases Security Updates Addressing Vulnerabilities in Workspace Apps, Virtual Apps and Desktops Products

Executive Summary

This week Citrix released security updates for vulnerabilities affecting its’ Workspace Apps, Virtual Apps and Desktops products. The vulnerabilities are tracked as CVE-2023-24483, CVE-2023-24484, CVE-2023-24486 and CVE-2023-2286.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to escalate privileges and permissions from a standard user to system level. An attacker could also take over another users session and cause log files to be written to a directory which a standard user would not have permission to write to. For the exploitations to be successful, the attacker requires local access as a standard user to the Virtual Desktop Application.

What can I do?

For organisations using vulnerable versions of Workspace Apps, Virtual Apps and Desktop products, it is strongly recommended to install the patched versions as soon as possible. The affected versions are as below:

Citrix Virtual Apps and Desktops (CVE-2023-24483):

Current release versions before 2212
Long term service release (LTSTR) versions 2203 LTSR before CU2
1912 LTSR before CU6

Citrix Workspace App for Windows (CVE-2023-24484 and CVE-2023-24485):

Citrix Workspace App versions before 2212
Citrix Workspace App 2203 LTSR before CU2
Citrix Workspace App 1912 LTSR before CU7 Hotfix 2 (19.12.7002)

Citrix Workspace App for Linux (CVE-2023-2486)

All supported versions of Citrix Workspace app for Linux before 2302

Further information on CVE-2023-24483 can be found here: https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-desktops-security-bulletin-for-cve202324483

Further information on CVE-2023-24484 and CVE-2023-24485 can be found here: https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windows-security-bulletin-for-cve202324484-cve202324485

Further information on CVE-2023-2486 can be found here: https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 15/02/2023 Black Arrow Admin 15/02/2023

Black Arrow Cyber Advisory 15/02/2023 – Microsoft Patch Tuesday – 75 patches and Three Actively Exploited Vulnerabilities

Executive summary

Microsoft’s February Patch Tuesday provides updates to address 75 security issues across its product range, including three actively exploited zero-days.

Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws.

The three exploited zero-day vulnerabilities include a security bypass vulnerability, remote execution vulnerability and an elevation of privileges vulnerability. Also among the updates provided by Microsoft were 9 critical vulnerabilities.

What’s the risk to me or my business?

What can I do?

Technical Summary

The following is a breakdown of the actively exploited vulnerabilities which affected Microsoft Operating Systems:

CVE-2023-21715: A vulnerability which allows a local user with authentication to bypass Microsoft Office macro policies used to block untrusted or malicious files.

CVE-2023-21823: A remote code execution vulnerability which allows an attacker to execute code with system privileges, effectively providing them with unlimited permission. Microsoft Store will automatically update affected customers, providing automatic updates are enabled in the Store.

CVE-2023-23376: A vulnerability which allows a successful attacker to gain SYSTEM privileges, effectively providing them with unlimited permission.

Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/02/14/microsoft-windows-security-updates-february-2023-overview/

Further details about CVE-2023-21715 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715

Further details about CVE-2023-21823 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823

Further details about CVE-2023-23376 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376

Black Arrow Admin 12/02/2023 Black Arrow Admin 12/02/2023

Black Arrow Cyber Threat Briefing 10 February 2023

Black Arrow Cyber Threat Briefing 10 February 2023:

-Companies Banned from Paying Hackers After Attacks on Royal Mail and Guardian

-Fraud Set to Be Upgraded as a Threat to National Security

-98% of Attacks are Not Reported by Employees to their Employers

-UK Second Most Targeted Nation Behind America for Ransomware

-Financial Institutions are Suffering from Increasingly Sophisticated Cyber Attacks

-An Email Attack Can End Up Costing You Over $1 Million

-Cyber Crime Shows No Signs of Slowing Down

-Surge of Swatting Attacks Targets Corporate Executive and Board Members

-Phishing Surges Ahead, as ChatGPT and Artificial Intelligence Loom

-Pro-Russian Hacktivist Group is Only Getting Started, Experts Warn

-Crypto Investors Lost Nearly $4 Billion to Hackers in 2022

-PayPal and Twitter Abused in Turkey Relief Donation Scams

-Mysterious Leak of Booking.com Reservation Data is Being Used to Scam Customers

Black Arrow Cyber Advisory 06/02/2023 – New Wave of Ransomware Exploiting VMware ESXi Hypervisors - updated 09/02/2023 and 10/02/2023

Black Arrow Cyber Advisory 06/02/2023 – New Wave of Ransomware Exploiting VMware ESXi Hypervisors

Updated 10/02/2023

Reports indicate that at least 18,500 ESXi servers are still vulnerable to VMware bug behind initial ransomware spree, after last week’s ransomware infections hit more than 3,800 organisations across the United States, France, Italy and more.

Updated 09/02/2023

It has now been found that there is a second wave of the ransomware campaign and reports from administrators are that they are being breached, even though SLP was disabled. There is also a script released by the Cybersecurity and Infrastructure Agency (CISA) which will attempt to recover files from an impacted VMware ESXi hypervisor. It should be noted however, that it will likely not work if the VMware ESXi hypervisor was hit by the second wave of ransomware.

CISA’s advice and link to their recovery script can be found here: https://www.cisa.gov/uscert/ncas/current-activity/2023/02/08/cisa-and-fbi-release-esxiargs-ransomware-recovery-guidance

Executive Summary

A large ransomware campaign is targeting VMware ESXi hypervisors around the world, according to the French government’s computer emergency readiness team (CERT-FR). Although not officially confirmed by VMware, multiple sources report that the ransomware exploits a vulnerability known as CVE-2021-21974, which is a heap-overflow vulnerability in which exploitation can result in remote code execution. A patch was made available by VMware in February 2021.

What’s the risk to me or my business?

According to VMware, the malicious actor needs to reside within the same network segment as VMware ESXi and have access to port 427 to be able to exploit CVE-2021-21974 and remotely execute code. This exploit only impacts organisations with VMware ESXi where OpenSLP services are in use. OpenSLP is an open-source implementation of the Service Location Protocol (SLP), which is used to allow networking applications to discover the existence, location and configuration of network services within enterprise networks. The impacted versions of VMware ESXi are as follows:

· ESXi 7.x versions earlier than ESXi70U1c-17325551

· ESXi 6.7.x versions earlier than ESXi670-202102401-SG

· ESXi 6.5.x versions earlier than ESXi650-202102101-SG

What can I do?

Organisations should look to apply the available patches from VMware as soon as possible. It is recommended that organisations disable the SLP service on ESXi hypervisors that have not been patched for the mean time. Where a patch has been applied recently, a system scan should be performed to detect any indicators of compromise.

Further information on the vulnerability can be found through the original security advisory from VMware, which was published in February 2021: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 09/02/2023 Black Arrow Admin 09/02/2023

Black Arrow Cyber Advisory 09/02/2023 – Reminder of Heightened Risk of Phishing Campaigns Taking Advantage of Tragic Events

Black Arrow Cyber Informational 09/02/2023 – Reminder of Heightened Risk of Phishing Campaigns Taking Advantage of Tragic Events

Executive Summary

Following the recent tragic events in Turkey and Syria this is a reminder that whenever there are catastrophes, natural disasters or other notable or particularly newsworthy events malicious actors will take advantage of these events to push related phishing emails or launch other attacks.

What’s the risk to me or my business?

Threat actors will take advantage of events of this nature, often to try to exploit the good nature and charitable intentions of people and organisations. Each event creates opportunities for threat actors to conduct phishing campaigns. These campaigns can include impersonation of those impact, smishing (SMS phishing), fake charitable pages, malicious links within emails and much more.

What can I do?

We recommend staying extra vigilant. This can be done by verifying charities and or companies through official websites, verifying phone numbers for charities, avoiding suspicious links in emails and checking individuals are who they claim to be.

Information on registered UK charities can be found here: https://register-of-charities.charitycommission.gov.uk/charity-search/

Threat Intelligence Blog

Top Cyber Stories of the Last Week

Almost Half of IT Leaders Consider Security as an Afterthought

Over $10bn Lost to Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says

Over 721 Million Passwords were Leaked in 2022

How Much of a Cyber Security Risk are Suppliers?

90% of £5m+ Businesses Hit by Cyber Attacks

Rushed Cloud Migrations Result in Escalating Technical Debt

Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

Microsoft Warns of Large-Scale Use of Phishing Kits

BEC Volumes Double on Phishing Surge

The Risk of Pasting Confidential Company Data in ChatGPT

Ransomware Attacks have Entered a Heinous New Phase

MI5 Launches New Agency to Tackle State-Backed Attacks

Why Cyber Awareness Training is an Ongoing Process

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

Deepfakes

AML/CFT/Sanctions

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Attack Surface Management

Identity and Access Management

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Models, Frameworks and Standards

Data Protection

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Vulnerabilities

Tools and Controls

Other News

Sector Specific

Top Cyber Stories of the Last Week

Business Email Compromise Attacks Can Take Just Hours

Research Reveals ‘Password’ is Still the Most Common Term used by Hackers to Breach Enterprise Networks

Just 10% of Firms Can Resolve Cloud Threats in an Hour

MSPs in the Crosshairs of Ransomware Gangs

Stolen Credentials Increasingly Empower the Cyber Crime Underground

It’s Time to Assess the Potential Dangers of an Increasingly Connected World

Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards

Insider Threat: Developers Leaked 10m Credentials Including Passwords in 2022

Cyber Threat Detections Surges 55% In 2022

European Central Bank Tells Banks to Run Cyber Stress Tests after Rise in Hacker Attacks

Employees Are Feeding Sensitive Business Data to ChatGPT

Is Ransomware Declining? Not So Fast Experts Say

Preventing Corporate Data Breaches Starts with Remembering that Leaks have Real Victims

Faced With Likelihood of Ransomware Attacks, Businesses Still Choosing to Pay Up

Experts See Growing Need for Cyber Security Workers as One in Six Jobs go Unfilled

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc