Threat Intelligence Blog

Subscribe to our Weekly Cyber Threat Intelligence Briefing

Black Arrow Admin 30/03/2023 Black Arrow Admin 30/03/2023

Black Arrow Cyber Alert 30 March 2023 – ACTION REQUIRED: Ongoing Campaign Actively Targeting 3CX Desktop App For Windows

Update 16:20 30/03/2023: Additional information relating to the vulnerable Mac version of the 3CX desktop app has been provided by security researchers. Updates to this alert have been added below.

Executive Summary

A digitally signed and malicious version of the 3CX Voice over Internet Protocol (VoIP) desktop client is reportedly being used as part of an ongoing hacking campaign confirmed against windows devices and believed to be targeting Mac devices. It is believed that this the campaign involves nation state actors.

Update: The campaign has now been confirmed to be exploiting Mac devices.

Technical Summary

Earlier this week, CrowdStrike observed unexpected malicious activity which originated from a legitimately signed 3CXDesktopApp. The attack starts as soon as the MSI installer is downloaded and launched from 3CX’s website or the application is updated. The application itself is not malicious, however, when downloaded and installed, a malicious dll (ffmpeg.dll) is sideloaded which then extracts an encrypted payload from another dll (d3dcompiler_47.dd) and executes it. The malicious activity performed includes communication with attacker controller infrastructure, further payload deployment and hands-on-keyboard attacks, which is when threat actors stop using automated scripts and manually log in to an infected system to execute commands.

Update: For mac devices, the application bypassed Apple’s approval checks and was notarized, meaning it had been marked as safe by Apple and would not be blocked. The application uses libgffmpeg.dylib and attempts to connect to a command and control server. No more information on the specifics of the malcious content is known at current.

What’s the risk to me or my business?

According to 3CX, versions 18.12.407 & 18.12.416 are vulnerable to this attack and should be uninstalled. Organisations using the vulnerable versions of the 3CX desktop application are at a significant risk of data compromise.

Update: In an update to their advisory, for Mac users, the following versions are now confirmed as vulnerable: 18.11.1213, 18.12.402, 18.12.407 & 18.12.416.

Indicators of compromise (IoCs)

Crowdstrike has noted the following domains are in use by the attackers:

akamaicontainer.com
akamaitechcloudservices.com
azuredeploystore.com
azureonlinecloud.com
azureonlinestorage.com
dunamistrd.com
glcloudservice.com
journalide.org
msedgepackageinfo.com
msstorageazure.com
msstorageboxes.com
officeaddons.com
officestoragebox.com
pbxcloudeservices.com
pbxphonenetwork.com
pbxsources.com
qwepoi123098.com
sbmsa.wiki
sourceslabs.com
visualstudiofactory.com
zacharryblogs.com

What can I do?

A new desktop application is being worked on at current by 3CX, however it is not yet available. As such, it is recommended that the web application is used, and the vulnerable versions are uninstalled. Organisations should check for any activity involving the above IoCs. Additionally, organisations may benefit from identifying and monitoring the presence of ffmpeg.dll and d3dcompiler.dll on Windows devices as only a select number of anti-virus vendors have marked these as malicious.

Update: In addition to the above, Organisations may also benefit from identifying and monitoring the presence of libgffmpeg.dylib for Mac devices running vulnerable versions, as only a select number of anti-virus vendors have marked these as malicious. Due to the ongoing investigation, Black Arrow will update this post as soon as new information is identified.

The advisory from 3CX can be found here: https://www.3cx.com/blog/news/desktopapp-security-alert/

VirusTotal results for the ffmpeg.dll and d3dcompiler_47.dll can be found here: https://www.virustotal.com/gui/file/7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896

https://www.virustotal.com/gui/file/11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03

Various cyber security vendors have provided a breakdown of attacks, including indicators of compromise and actions they have taken:

https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/

https://www.trendmicro.com/en_gb/research/23/c/information-on-attacks-involving-3cx-desktop-app.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 29/03/2023 Black Arrow Admin 29/03/2023

Black Arrow Cyber Advisory 29 March 2023 – Microsoft Exchange Online to Start Blocking Emails from Vulnerable On-premises Servers

Executive Summary

Microsoft recently announced their intention to address the risks that stem from emails being sent to Exchange Online from unsupported or unpatched on-premises Microsoft Exchange servers and as a result are now taking a progressive enforcement approach. The approach will begin by throttling messages and escalate, eventually blocking servers until they are removed from service or updated. The enforcement approach will take 90 days from start to finish, once an in scope out of date server is detected. The Exchange team confirmed in the comments of the announcement that the report detailing affected servers will be available within private preview towards the end of April 2023. In May 2023 the first wave of affected customers will see the report, with throttling of inbound messages to Exchange Online starting in June, and blocking of inbound messages in July. The approach is focusing on a small subset of outdated Exchange 2007 servers at current, however Microsoft have stated that this will apply to all on-premises servers in the future.

What’s the risk to me or my business?

An unpatched or unsupported on-premise exchange server is already at significant risk of compromise and after 90 days from initial detection, it will no longer be able to communicate with Exchange Online. Organisations using unpatched or unsupported on-premise servers would be unable to send emails to accounts hosted with Exchange Online, impacting how users can communicate with third parties.

What can I do?

Thankfully, the risks can easily be mitigated by only using supported versions of Exchange and servers operating systems and applying patches in a reasonable time frame; Microsoft have allocated 90 days from initial detection by Exchange Online to administrators each year, to pause throttling and or blocking so that servers can be remediated.

The announcement by Microsoft can be found here: Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online - Microsoft Community Hub

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 29/03/2023 Black Arrow Admin 29/03/2023

Black Arrow Cyber Advisory 29 March 2023 – Apple Patch Multiple Vulnerabilities Across Product Suite, Including One Actively Exploited Vulnerability

Executive Summary

Apple has issued security updates to address multiple vulnerabilities across all of their currently supported devices, plus security updates for some older iOS and Mac devices which no longer receive the latest feature updates. One vulnerability (CVE-2023-23529) has been added to the Cybersecurity & Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalogue. In addition, patches have been made available for the following products:

Studio Display 16.4: applicable for macOS Ventura 13.3 and later
Safari 16.4: applicable for macOS Big Sur and macOS Monterey
iOS 15.7.4 and iPadOS 15.7.4: applicable for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
iOS 16.4 and iPadOS 16.4: applicable for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
WatchOS 9.4: applicable for Apple Watch Series 4 and later
tvOS 16.4: applicable for Apple TV 4K (all models) and Apple TV HD
macOS Big Sur 11.7.5: applicable for macOS Big Sur
macOS Monterey 12.6.4: applicable for macOS Monterey
macOS Ventura 13.3: applicable for macOS Ventura

Technical Summary

The aforementioned exploited vulnerability, CVE-2023-23529, is a type confusion issue, which can occur when a piece of code does not verify the type of object handed to it, and uses it without type-checking. As a result, malicious web content can execute code on vulnerable devices.

What’s the risk to me or my business?

Exploitation of this vulnerability can lead to a compromise of data held on the device. As noted in the table, the following devices are vulnerable: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

What can I do?

Apple users should update their iOS and or iPadOS to version 15.7.4 for devices impacted by the exploited vulnerability (CVE-2023-23529). For the other vulnerabilities, it is recommended that the latest software updates are applied.

More information regarding CVE-2023-23529 be found here: https://support.apple.com/en-gb/HT213673

Details of the other addressed vulnerabilities can be found here: https://support.apple.com/en-gb/HT201222

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 28/03/2023 Black Arrow Admin 28/03/2023

Black Arrow Cyber Advisory 28 March 2023 – Clop Ransomware Victims of GoAnywhere Vulnerability Reach 130

Executive Summary

A vulnerability in Forta’s popular file transfer software GoAnywhere has allowed ransomware group “Clop” to breach around 130 organisations, with more still coming forward. The attacks by Clop have breached a variety of organisations including banks, law firms, energy companies, retailers and even the city of Toronto. Any organisation using a vulnerable version of GoAnywhere is at risk of a breach.

Technical Summary

The vulnerability being exploited is a pre-authentication injection vulnerability which allows an attacker to gain access by injecting malicious code, without having to authenticate themselves. A patch was released for the vulnerability February (GoAnywhere 7.1.2), which at the time was noted as a ‘high’ vulnerability.

What’s the risk to me or my business?

Organisations using a version of GoAnywhere prior to 7.1.2 are at risk of having sensitive data exfiltrated by Clop. Once data has been exfiltrated by Clop, an email is sent to the organisation threatening to sell their data. Additionally, organisations whose supply chain are using a vulnerable version of GoAnywhere may also be at risk.

What can I do?

Organisations using GoAnywhere should check to ensure the patched version 7.1.2 or later has been installed. Organisations should also consider whether any of their supply chain is using GoAnywhere software and if so, what version as this can put the organisation at risk. There is currently no publicly accessible advisory from the software provider; the official advisory requires an account with Forta to access more information.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 28/03/2023 Black Arrow Admin 28/03/2023

Black Arrow Cyber Advisory 28 March 2023 – DEV-1101 Automated AiTM Phishing Campaigns Bypassing MFA

Executive Summary

Microsoft Threat intelligence team has recently exposed the activities of a threat actor named DEV-1101. This threat actor advertises an open-source phishing kit that can be deployed to automate Adversary-in-the-middle (AiTM) campaigns. The phishing kit has the capability to circumvent multifactor authentication (MFA), evade detection through an antibot database, manage the phishing activity through telegram bots, and mimics services such as Microsoft Office or Outlook.

What’s the risk to me or my business?

If an AiTM phishing campaign is successful, the actor can set up a malicious site that will act as the intended valid website such as Microsoft Office or Microsoft Outlook. Here it can steal the credentials of the user and steal the authenticated session tokens of the MFA. In the most severe situations this can lead to a loss of confidentiality, integrity or availability of affected systems as the attacker has free access to perform any further criminal activity such as stealing, corrupting or and deleting data. Alongside the impact of the compromise, this can also lead to reputational damage and potentially financial penalties.

What can I do?

Black arrow recommends that you always deploy and maintain MFA where possible. While certain certain attacks may be able to circumvent MFA, it is important to remember that strong cyber security controls involve having layers of defences, in this case Conditional Access could be used to supplement the MFA control could reduce the risk of compromise. Organisations should also look to implement continuous monitoring for suspicious and anomalous activity to identify indicators of compromise. Other actions can be to ensure software and operating systems are up to date to avoid common vulnerabilities to be exploited. It is also vital that this is supplemented with end-user training including phishing simulations as this is the ingress point for this type of attack. Users should be encouraged to report any instances of interactions with emails that do not seem right.

Further information on the attack method can be found here:

https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 26/03/2023 Black Arrow Admin 26/03/2023

Black Arrow Cyber Threat Briefing 24 March 2023

Black Arrow Cyber Threat Briefing 24 March 2023:

-Majority of SMBs Lack Dedicated Cyber Experts and Cyber Incident Response Plans

-Controlling Third-Party Data Risk Should Be a Top Cyber Security Priority

-IT Security Spending to Reach Nearly $300 Billion by 2026

-2023 Cyber Security Maturity Report Reveals Organisational Unpreparedness for Cyber Attacks

-Board Cyber Shortage: Don’t Get Caught Swimming Naked

-Should Your Organisation Be Worried About Insider Threats?

-UK Ransomware Incident Volumes Surge 17% in 2022

-Financial Industry Hit by Rising Ransomware Attacks and BEC

-55 zero-day Flaws Exploited Last Year Show the Importance of Security Risk Management

-Security Researchers Spot $36m BEC Attack

-New Victims Come Forward After Mass Ransomware Attack

-Ransomware Gangs’ Harassment of Victims is Increasing

-Wartime Hacktivism is Spilling Over Into the Financial Services Industry

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Black Arrow Cyber Insight 21 March 2023 – Attackers Mainly Focused on Zero-Days from Microsoft, Google and Apple in 2022

Executive Summary

Mandiant recently published their report on zero-day attacks in 2022. A zero-day attack is an attack that relates to a previously unknown vulnerability and for the third year running, Microsoft, Google and Apple were the most frequently targeted by zero-day attacks. The most exploited avenues of attack were operating systems and browsers.

What’s the risk to me or my business?

A significant number of users include Microsoft, Google and or Apple as part of their supply chain and must therefore be aware of vulnerabilities in these vendors. It is not unusual for an exploited zero-day vulnerability to have a delay between the time it is discovered and the time it is patched; although sometimes a workaround is released in the meantime. The delay between disclosure and patching can potentially contribute to many systems remaining unpatched for months and workarounds can create a false sense of security during this period. An unpatched system leaves an organisation’s data at risk from compromise.

What can I do?

It is increasingly important for organisations to efficiently and effectively prioritise their patching and understand their part in the process; this should include organisations being aware of which systems are awaiting a patch, and of these, which are critical. Organisations who use SaaS solutions typically benefit from the vendor deploying patches but organisations should not become complacent and should, where appropriate, seek assurance that systems are indeed patched up to date.

To be more cyber resilient, organisations should make use of threat intelligence as part of their attack surface management and understanding of actively exploited vulnerabilities.

The report conducted by Mandiant can be found here: https://www.mandiant.com/resources/blog/zero-days-exploited-2022

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 19/03/2023 Black Arrow Admin 19/03/2023

Black Arrow Cyber Threat Briefing 17 March 2023

Black Arrow Cyber Threat Briefing 17 March 2023:

-Almost Half of IT Leaders Consider Security as an Afterthought

-Over $10bn Lost To Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says

-Over 721 Million Passwords Were Leaked in 2022

-How Much of a Cyber Security Risk are Suppliers?

-90% of £5m+ Businesses Hit by Cyber Attacks

-Rushed Cloud Migrations Result in Escalating Technical Debt

-17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

-Microsoft Warns of Large-Scale Use of Phishing Kits

-BEC Volumes Double on Phishing Surge

-The Risk of Pasting Confidential Company Data in ChatGPT

-Ransomware Attacks have Entered a New Phase

-MI5 Launches New Agency to Tackle State-Backed Attacks

-Why Cyber Awareness Training is an Ongoing Process

Black Arrow Cyber Advisory 15 March 2023 – Microsoft Patch Tuesday, Fortinet, Adobe, SAP, Android and Chrome Security Updates Summary

Executive Summary

Security updates have been released for Microsoft, Fortinet, Adobe, SAP, Google Chrome and Android to fix a range of security issues.

Microsoft

Microsoft’s March Patch Tuesday provides updates to address 74 security issues across its product range, including two actively exploited vulnerabilities (CVE-2023-23397 and CVE-2023-24880). The two exploited vulnerabilities include an elevation of privilege vulnerability and a security bypass feature. Also among the updates provided by Microsoft were 9 critical vulnerabilities.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to bypass security features to upload malicious files, remotely execute code and gain SYSTEM privileges; all of which could compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.

Technical Summary

The following is a breakdown of the actively exploited vulnerabilities which affected Microsoft Operating Systems:

CVE-2023-23397: A vulnerability which allows specially crafted emails to force a victim device to connect to an external location of attacker control, providing the attacker with the victims’ authentication details. The email does not need to be read in the preview pane as the vulnerability is triggered when it is received and processed by the email server.

Please see our earlier advisory on this particular actively exploited vulnerability.

CVE-2023-24880: A vulnerability that allows an attacker to craft a malicious file which evades mark of the web (MOTW) security features and is actively being exploited in ransomware attacks.

Along with Microsoft’s patch Tuesday, the following vendors have also addressed vulnerabilities this month:

Fortinet

As reported in our blog previously, Fortinet disclosed 15 vulnerabilities this month; this includes the actively exploited vulnerability CVE-2022-41328. This vulnerability is a path transversal vulnerability in FortiOS which can allow a privileged actor to read and write files via crafted command line interface commands. The vulnerability is actively being exploited against governments and large organisations.

Adobe

This month, Adobe released fixes for 105 vulnerabilities across Adobe Creative Cloud Desktop, ColdFusion, Dimension, Experience Manager, Illustrator and Photoshop. At current, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.

SAP

Sap have released fixes for 21 vulnerabilities, including code injection and improper access control vulnerabilities. A total of 9 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.

Google

-Android

Android addressed 60 vulnerabilities this month. Amongst the vulnerabilities are two critical remote code execution vulnerabilities CVE-2023-20951 and CVE-2023-20954.

-Chrome

Google addressed 40 vulnerabilities in the Chrome Web Browser, with 8 vulnerabilities rated as high-severity.

Further details of the updates within Microsoft’s March patch Tuesday can be found here: https://www.ghacks.net/2023/03/14/microsoft-windows-security-updates-march-2023-what-you-need-to-know-before-installation/

Further details of CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397

Further details of CVE-2023-24880 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880

Further details of CVE-2022-41328 can be found here: https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis

Further details of the vulnerabilities addressed by Fortinet can be found here: https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories

Further details of the vulnerabilities addressed by SAP can be found here: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Further details of the vulnerabilities addressed by Adobe Creative Cloud Desktop can be found here: https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html

Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here: https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html

Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Further details of the vulnerabilities addressed in Adobe Experience Manager can be found here: Adobe Security Bulletin

Further details of the vulnerabilities addressed in Adobe Illustrator can be found here: https://helpx.adobe.com/security/products/illustrator/apsb23-19.html

Further details of the vulnerabilities addressed in Adobe Photoshop can be found here: https://helpx.adobe.com/security/products/photoshop/apsb23-23.html

Further details of the vulnerabilities addressed in Adobe Substance 3D Stager can be found here: https://helpx.adobe.com/security/products/substance3d_stager/apsb23-22.html

Further details of the Android vulnerabilities can be found here: https://source.android.com/docs/security/bulletin/2023-03-01#2023-03-05-security-patch-level-vulnerability-details

Further details of the vulnerabilities addressed by Google can be found here: https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 15/03/2023 Black Arrow Admin 15/03/2023

Black Arrow Cyber Advisory 15 March 2023 – Microsoft Releases Patch for Critical Outlook/365 Vulnerability Under Active Exploitation

Executive Summary

This week Microsoft released a patch for a critical actively exploited privilege escalation vulnerability in Microsoft Outlook. The vulnerability is tracked as CVE-2023-23397.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to gain authentication details from a targeted machine. These details can then be relayed to other systems or brute-forced offline, leading to compromise of the account.

Technical Summary:

The vulnerability allows an attacker to craft malicious emails which force a target device to connect to a remote UNC of the attackers choice. A UNC is a path that can be used to access network resources. Upon connection, the Net-NTLMv2 hash, which is a hash of the victim’s password is leaked to the attacker. The attacker can then relay this hash to authenticate as the victim on other services or decode the hash offline. At no point does the email need to be previewed or opened, it is triggered as soon as it is received and processed by the email server.

What can I do?

It is recommended that organisations apply the latest patches as soon as possible as this vulnerability is recorded as actively exploited. In their analysis, Microsoft recorded that this vulnerability was exploited by Strontium, a state-sponsored Russian hacking group. Organisations using strictly off-premises solutions are not impacted.

Further information on CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 12/03/2023 Black Arrow Admin 12/03/2023

Black Arrow Cyber Threat Briefing 10 March 2023

Black Arrow Cyber Threat Briefing 10 March 2023:

-Business Email Compromise Attacks Can Take Just Hours

-Research Reveals ‘Password’ is Still the Most Common Term used by Hackers to Breach Enterprise Networks

-Just 10% of Firms Can Resolve Cloud Threats in an Hour

-MSPs in the Crosshair of Ransomware Gangs

-Stolen Credentials Increasingly Empower the Cyber Crime Underground

-It’s Time to Assess the Potential Dangers of an Increasingly Connected World

-Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards

-Developers Leaked 10m Credentials Including Passwords in 2022

-Cyber Threat Detections Surges 55% In 2022

-European Central Bank Tells Banks to Run Cyber Stress Tests after Rise in Hacker Attacks

-Employees Are Feeding Sensitive Business Data to ChatGPT

-Is Ransomware Declining? Not So Fast Experts Say

-Preventing Corporate Data Breaches Starts With Remembering That Leaks Have Real Victims

-Faced With Likelihood of Ransomware Attacks, Businesses Still Choosing to Pay Up

-Experts See Growing Need for Cyber Security Workers as One in Six Jobs go Unfilled

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber threat intelligence experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Black Arrow Cyber Advisory 10 March 2023 – Fortinet, Cisco and Veeam Vulnerabilities Roundup

Executive Summary

Fortinet have disclosed 15 security issues across a range of products including 5 “high” rated vulnerabilities and a “critical” vulnerability that allows an unauthenticated attacker to perform denial of service attacks or execute arbitrary code. Cisco has identified a “high vulnerability” with IOS XR software for the ASR 9000 Series routers. Veeam have disclosed a “high vulnerability” that allows an unauthenticated attacker to request encrypted credentials which may lead to gaining access to the backup infrastructure host.

What’s the risk to me or my business?

Successful exploitation of the Cisco vulnerability tracked as CVE-2023-20049 allows the attacker to cause line card exceptions or hard rests which can lead to traffic loss and denial of service conditions.

The following models are vulnerable if they have Bidirectional forwarding detection (BFD) hardware offload enabled.

ASR 9000 Series Aggregation Services Routers only if they have a Lightspeed or Lightspeed-Plus-based line card installed.
ASR 9902 Compact High-Performance Routers
ASR 9903 Compact High-Performance Routers

A successful exploitation of the Critical Fortinet vulnerability tracked as CVE-2023-25610 allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) conditions in an administrative interface.

The following devices are vulnerable to both the RCE and DoS:

FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions

A full list of vulnerable hardware devices that are impacted by the Denial of Service can be found on the FortiGuard website.

A successful exploitation of the high Veeam vulnerability tracked as CVE-2023-27532 can allow an unauthenticated attacker to request encrypted credentials which may lead to the attacker gaining access to the backup infrastructure of the host.

This vulnerability affects all Veeam Backups and Replication versions but is resolved in the following:

12 (build 12.0.0.1420 P20230223)
11a (build 11.0.1.1261 P20230227)

What can I do?

Cisco has released software updates that address the vulnerability and should be installed. Alternatively, a workaround has been provided which is to disable all bfd hardware offload features, which can be done by removing all hw-module bfw-hw-offload enable commands and resetting the card.

Fortinet has provided solutions to each of the vulnerabilities it has disclosed, and it is recommended that the patches released for the vulnerabilities are installed.

Veeam has released a patch and should be installed, however they suggest that if you are using an earlier version to upgrade to the current supported version first. Alternatively, if you are using an all-in-one Veeam appliance with no backup infrastructure components, external connections to Port TCP 9401 should be filtered until the patch is installed.

Further information on the vulnerabilities be found here:

Cisco IOS XR software update - https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu

Cisco IOS XR Software Security Advisory-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bfd-XmRescbT

Fortinet CVE-2023-25610 advisory and solution - https://www.fortiguard.com/psirt/FG-IR-23-001

Fortiguard vulnerability advisory- https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories

Veeam advisory - https://www.veeam.com/kb4424

Veeam Solution - https://www.veeam.com/product-lifecycle.html?ad=in-text-link

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 09/03/2023 Black Arrow Admin 09/03/2023

Black Arrow Cyber Advisory 09 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk

Black Arrow Cyber Advisory 08 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk

Executive Summary

Security Researchers at Quarkslab have identified two critical vulnerabilities (CVE-2023-1017 and CVE-2023-1018) in The Trusted Platform Module (TPM) firmware; TPMs are used by most modern PCs to make them resistant to tampering and the vulnerabilities could affect billions of devices.

What’s the risk to my business?

Successful exploitation of the vulnerabilities could lead to local information disclosure, including the ability for attackers to make the TPM unavailable leading to denial of service, read sensitive data or escalate privileges. In some cases, an attacker can overwrite protected data in the TPM and go undetected. To be able to exploit the vulnerabilities the attacker would require access to a TPM-command interface to send maliciously crafted-commands to a vulnerable TPM.

What can I do?

The Trusted Computing Group (TCG) have released an updated version of their TPM2.0 library specification: TPM 2.0 library Specifications v1.59 Errata Version 1.4. Once this update has been incorporated within Operating System and Original Equipment Manufacturer (OEM) firmware, it is recommended this updated version is installed. For the meantime, remote attestation may help identify it any changes have been made to the TPM.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Documentation for the upgrade can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf

An Advisory from the Trusted Computer Group can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf

CVE-2023-1017 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1017

CVE-2023-1018 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1018

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Alert 07 March 2023 – ACTION REQUIRED: New Hiatus Hacking Campaign Targets DrayTek Routers to Spy on Businesses

Executive Summary

An ongoing hacking campaign known as “Hiatus” is targeting DrayTek Vigour router models 2960 and 3900 to monitor and steal data from businesses.

What’s the risk to my business?

If exploited successfully, the attacker is able to remotely execute commands on the router, and monitor and control traffic that passes through the router including file-transfer and email communications.

Technical Summary:

Research by Black Lotus Labs has found the campaign involves following:

A Bash script to deploy two executables to the targetdevice, post-exploitation. These are:
- HIATUS Remote Access Trojan
- A variant of ‘tcpdump’ that enables packet capture

Once this script has been executed the ‘HiatusRAT’ and ‘tcpdump’ variant are downloaded to a directory created by the script located at ‘/database/.updata’ and are then executed. The malware will listen on TCP port 8816 and if this port is already in use, the process on that port is terminated so that the malware can use it instead. Once the malware has been sucessfully enabled on this port, a second process collects information about the victim device and sends it to a Command and Control (C2) server operated by the attacker (104.250.58.192); an additional C2 server (46.8.113.227) is also used by the attacker to receive information captured by the packet-capture tool . The packet capture tool observes ports associated with mail server and FTP connections, this include TCP ports 21, 25, 110, 143.

What can I do?

It is not currently known how the DrayTek routers have been initially compromised and Draytek have not yet released a security update to resolve any associated known vulnerability. The following actions can be taken to help mitigate and identify if a device has been impacted:

Prevent outbound network traffic on TCP port 8816, to disable the malware’s outbound communication.
Block network traffic to or from the following IP addresses: 104.250.58.192 and 46.8.113.227
Check the following location on vulnerable devices for any files in that location, as this would be an indicator of compromise (IoC): ‘database’ and ‘/database/.updata’
Configure continuous security monitoring to detect anomalous activity that may be indicative of a compromise.

Further indicators of compromise can be found here: https://github.com/blacklotuslabs/IOCs/blob/main/Hiatus_IoCs.txt

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

A link to the report from Black Lotus Labs can be found here: https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/?utm_source=press+release&utm_medium=referral

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Alert 07 March 2023 – Black Lotus UEFI Bootkit Malware Bypasses Secure Boot

Executive Summary

A new UEFI bootkit called BlackLotus (not to be confused with Black Lotus Labs) has become the first publicly known malware with the capability of bypassing secure boot defences, rendering it a serious threat. A bootkit is a malicious program designed to load as early as possible during the boot process, before other security components are loaded and BlackLotus does this by targeting the UEFI which is low level firmware, responsible for booting up most modern computers.

What’s the risk to my business?

Successful exploitation allows an attacker to effectively control the computer and allow them to remotely execute code and gain the highest level of privilege. Successful exploitation requires the attacker to either have remote privileged access, or physical access to the target computer.

Technical Summary

The bootkit exploits CVE-2022-21894, which is a Secure Boot vulnerability. Although patched by Microsoft in January, the vulnerable signed binaries are not on the UEFI revocation list which flags boot files that should not be trusted and as such the malware can run on “patched” systems. Once the bootkit has run successfully, it is engineered to communicate with a command-and-control server, allowing the bootkit to retrieve additional user-mode or kernel-mode malware.

What can I do?

There is currently no known patch and the bootkit can run even on fully patched Windows 11 systems which have Secure Boot enabled. Security controls to mitigate this vulnerability from being exploited should focus on preventing an attacker from obtaining remote privileged access to the device through secure identity and access management, or to prevent unauthorised individuals from having physical access to the device. Black Arrow will continue to monitor the situation, and this alert will be updated when more information is made available.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Research on BlackLotus malware can be found here: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

Details for CVE-2023-21716 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21716

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Advisory 07 March 2023 – Microsoft Word Proof of Concept Exploit Released for Recently Patched RCE Vulnerability

Executive Summary

CVE-2023-21716 is a Microsoft Word critical remote code execution vulnerability discovered last year, which has been patched in Microsoft’s February patch Tuesday. Security Researcher Joshua Drake has released a Proof of Concept (PoC) for the vulnerability and it’s so small it can fit in a tweet. The PoC requires the victim to simply just preview or open a malicious file, which could arrive in a multitude of ways, such as an email.

What’s the risk to my business?

Successful exploitation allows an attacker to remotely execute code, impacting the confidentiality, integrity and availability of the data held by an organisation.

What can I do?

The vulnerability was patched as part of Microsoft’s February patch Tuesday, so only unpatched versions of Microsoft Office Word remain vulnerable. It is therefore recommended to apply the patches if not done so already. Additionally, the impact can be mitigated by enabling protected view in Microsoft Office Word, which is enabled by default. Protected view is a read-only mode where most editing functions are disabled.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

The proof of concept can be found here: https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

Details for CVE-2023-21716 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21716

Black Arrow Admin 04/03/2023 Black Arrow Admin 04/03/2023

Black Arrow Cyber Threat Briefing 03 March 2023

Black Arrow Cyber Briefing 03 March 2023:

-It’s Time to Evaluate Your Security Education Plan Amongst the Rise in Social Engineering Attacks

-Mobile Users are More Susceptible to Phishing Attacks

-Phishing as a Service Stimulates Cyber Crime

-Attacker Breakout Time Drops to Just 84 Minutes

-Attackers are Developing and Deploying Exploits Faster Than Ever

-Old Vulnerabilities are Haunting Organisations and Aiding Attackers

-Scams Drive Nearly $9bn Fraud Surge in 2022

-Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This

-Cyber Security in This Era of Polycrisis

-Russian Ransomware Projects Rebranded to Avoid Western Sanctions

-Ransomware Attacks Ravaged Big Names in February

-Firms Who Pay Ransom Subsidise New Attacks

-How the Ukraine War Opened a Fault Line in Cyber Crime

Black Arrow Cyber Advisory 03 March 2023 – Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web User Interface Vulnerabilities

Executive Summary

Multiple Vulnerabilities in the web-based management interface for the Cisco IP Phones: 6800, 7800, 7900, and 8800 have been identified. The vulnerabilities are tracked as CVE-2023-20078 and CVE-2023-20079.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to remotely execute code or cause a denial of service (DoS). The vulnerabilities are not dependent on each other and can therefore be executed without requiring the other one.

What can I do?

There are no workarounds, and it is recommended that the patches for the vulnerabilities released by CISCO are installed.

The following models and firmware versions are impacted:

· IP Phone 6800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

· IP Phone 7800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

· IP Phone 8800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

Due to the following products having reached the end of life process, there is no patch available:

· Cisco Unified IP Phone 7900 Series

· Cisco Unified IP Conference Phone 8831

· Cisco Unified IP Conference Phone 8831 with Multiplatform Firmware

Further information on the vulnerabilities be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 01/03/2023 Black Arrow Admin 01/03/2023

Black Arrow Cyber Alert 01/03/2023 – ACTION REQUIRED: LastPass Security Incident Update

Black Arrow Cyber Alert 01/03/2022 – ACTION REQUIRED: LastPass Security Incident Update

Executive Summary

Yesterday (28 February 2023), LastPass provided an update on their recent security incident that was disclosed on 22 December 2022. LastPass explained how information stolen in a breach that had taken place in August 2022 was then used to conduct a separate breach in December 2022; the latter breach then allowed access to the LastPass encrypted Amazon S3 buckets.

LastPass also revealed more about how the incidents happened. In the first incident the threat actor did not have the decryption keys and they were unable to decrypt some data. The threat actor identified that a DevOps engineer had access to the decryption key and as a result the DevOps engineer’s home computer was targeted. Through exploiting a vulnerable third-party software package, the threat actor was able to install a keylogger and capture the engineers’ master password as it was entered. Once the engineer had authenticated with multi factor authentication (MFA), the threat actor then had access to the LastPass corporate vault.

What’s the risk to my business?

The incident has resulted in a significant amount of data being accessed[1]. LastPass has stated that the compromised backup of the customer base was dated 14 August 2022 and that any accounts created after that date are not affected. A full list, including descriptions is available from LastPass; a summary of main items is presented below:

Business customers - General

MFA seeds
Splunk Security Information and Event Management (SIEM) integration secrets
“Push” site credentials
SCIM, Enterprise API and SAML keys
Billing addresses
Company name
Tax id
Email address
End user name
IP address of trusted devices
Telephone number
Mobile device unique identifier
Number of iterations that a customer was configured to use

Business customers - Non federated

Hashes of temporary and account recovery one-time passwords
MFA API integration secrets
One-time password seeds

Business Customers - Federated

Split knowledge component “K2” keys

What can I do?

Recommended actions depend on whether the user environment is federated or not. Federated users are users who are authenticated with an identify provider such as Azure Directory, which then allows the user to access LastPass. Non-federated users will access LastPass using a LastPass username and password. The recommended actions are as follows:

Federated users

For federated environments, organisations should consider de-federating and re-federating all users, and request users to rotate all vault credentials based on the organisation’s risk tolerance. If credentials are to be rotated, critical credentials should be prioritised.

Non-federated users

Where non-federated users have employed the use of MFA, administrators should clear all MFA shared secrets[2] as this will destroy all LastPass sessions and require the user to log back in and re-enable MFA. Where MFA is not in use, we strongly recommend it is enforced as soon as possible. Administrators should also consider requiring users to reset their master passwords[3].

General

To maximise security for your users, LastPass recommend reviewing iteration count settings and recommend that users change to 600,000 iterations[4] which is the recommended number by OWASP.

A super administrator or “break-glass” account is a privileged account reserved for unrestricted emergency access. Where a super administrator or “break glass” administrator account is present, it is recommended by LastPass that at least one of these is not federated and has a master password and strong iteration account as per LastPass guidance. Where the password is not strong, it should be reset immediately. It is recommended that MFA also be reset, to reduce the risk of compromise.

Additional considerations include the review of vault item password policies, user security scores, security of shared folders and monitoring of the dark web.

As always, organisations should remain vigilant as threat actors may use this event to conduct phishing campaigns.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

[1] https://support.lastpass.com/help/what-data-was-accessed

[2] https://support.lastpass.com/help/reset-mfa-settings-for-google-authenticator-microsoft-authenticator-and-grid

[3] https://support.lastpass.com/help/enterprise-admin-management-of-master-passwords-lp010025

[4] https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators

Black Arrow Admin 26/02/2023 Black Arrow Admin 26/02/2023

Black Arrow Cyber Threat Briefing 24 February 2023

Black Arrow Cyber Briefing 24 February 2023:

-Employees Bypass Cyber Security Guidance to Achieve Business Objectives

-Three Quarters of Businesses Braced for Serious Email Attack this Year

-The Cost of Living Crisis is Triggering a Wave of Workplace Crime

-Fighting Ransomware with Cyber Security Audits

-Record Levels of Fraud Impacting 90% of Payment Compliance Teams

-CISOs Struggle with Stress and Limited Resources

-Cyber Threats and Regulations Mount for Financial Industry

-HardBit Ransomware Wants Insurance Details to Set the Perfect Price

-Social Engineering is Becoming Increasingly Sophisticated

-A Fifth of Brits Have Fallen Victim to Online Scammers

-Cyber Attacks Hit Data Centres to Steal Information From Companies

-Phishing Fears Ramp Up on Email, Collaboration Platforms

-The War in Ukraine has Shaken up the Cyber Criminal Eco-system

-Police Bust €41m Email Scam Gang

Threat Intelligence Blog

Top Cyber Stories of the Last Week

Majority of SMBs Lack Dedicated Cyber Experts and Cyber Incident Response Plans

Controlling Third-Party Data Risk Should be a Top Cyber Security Priority

IT Security Spending to Reach Nearly $300 Billion by 2026

2023 Cyber Security Maturity Report Reveals Organisational Unpreparedness for Cyber Attacks

Board Cyber Shortage: Don’t Get Caught Swimming Naked

Should your Organisation be Worried about Insider Threats?

UK Ransomware Incident Volumes Surge 17% in 2022

Financial Industry Hit by Rising Ransomware Attacks and BEC

55 zero-day Flaws Exploited Last Year Show the Importance of Security Risk Management

Security Researchers Spot $36m BEC Attack

New Victims Come Forward After Mass Ransomware Attack

Ransomware Gangs’ Harassment of Victims is Increasing

Wartime Hacktivism is Spilling Over into the Financial Services Industry

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Identity and Access Management

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Vulnerability Management

Vulnerabilities

Tools and Controls

Reports Published in the Last Week

Other News

Sector Specific

Top Cyber Stories of the Last Week

Almost Half of IT Leaders Consider Security as an Afterthought

Over $10bn Lost to Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says

Over 721 Million Passwords were Leaked in 2022

How Much of a Cyber Security Risk are Suppliers?

90% of £5m+ Businesses Hit by Cyber Attacks

Rushed Cloud Migrations Result in Escalating Technical Debt

Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

Microsoft Warns of Large-Scale Use of Phishing Kits

BEC Volumes Double on Phishing Surge

The Risk of Pasting Confidential Company Data in ChatGPT

Ransomware Attacks have Entered a Heinous New Phase

MI5 Launches New Agency to Tackle State-Backed Attacks

Why Cyber Awareness Training is an Ongoing Process

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

2FA/MFA

Malware