Executive Summary

An analysis of incident response provided by Tetra defence revealed that the majority (82%) of incidents were initially caused by an external exposure of a known vulnerability on the victim’s network, which highlights the importance of conducting vulnerability scanning to identify systems in use which are vulnerable, and then patching the systems in a timely manner.

What’s the risk to me or my business?

Vulnerability management is a key component to Cyber Security in order to protect the confidentiality, integrity and availability of systems. Unpatched exposed systems can allow an attacker access to a network, allowing for lateral intrusion, bypassing organisational and people controls.

What can I do?

It is important to have appropriate policies and technologies in place to identify and patch known vulnerabilities, in accordance with the usage, exposure and criticality of a vulnerability. The focus, driven by the organisations risk management posture, should be on patching exposed vulnerabilities which are present on an organisations’ systems, instead of just focusing on critical vulnerabilities based on the CVS rating which are not exposed, or from which exploitation is prevented by other security controls within the organisation.

Further details can be found here: Patchable and Preventable Security Issues Lead Causes of Q1 Attacks | Threatpost

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Microsoft is permanently disabling ‘Basic Authentication’ for Exchange Online (M365) in October 2022, which will prevent any users from accessing email on the service if they are using a ‘Basic Authentication’ method. ‘Basic authentication’ allows for legacy applications that do not support ‘Modern Authentication’ to access email on Exchange Online, but comes with several security risks including no full support for multi-factor authentication.

What’s the risk to me or my business?

If any users are currently using ‘Basic Authentication’ to access emails, using protocols such as POP, IMAP and Active Sync, then they will be unable to access email after Microsoft disables this features on October 01 2022. Due to security concerns with ‘Basic Authentication’, organisations should be making every effort to move to ‘Modern Authentication’ for Exchange Online.

What can I do?

Work with your MSP to firstly check which users are still currently using ‘Basic Authentication’, and complete migration work to applications which support ‘Modern Authentication’. Once it has been confirmed that no users are using ‘Basic Authentication’, then this method should be disabled.

Technical Summary

Microsoft has already rolled out updates for many applications including Outlook for Desktop and the various Outlook mobile applications, meaning users may have already moved onto ‘Modern Authentication’. The guidance provided by CISA contains details on how to check for current usage of ‘Basic Authentication’, and putting in an authentication policy, or a conditional access policy to prevent Basic Authentication from being used going forward.

Further details can be found here: Action Recommended: Switch to Modern Authentication in Exchange Online Before Basic Authentication Deprecation (cisa.gov)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Raspberry Robin is the name given to a worm that is being used to infect Windows devices through removable USB drives. The worm disguises itself as a legitimate folder within the drive, when in fact it contains a malicious shortcut (LNK) file. When opened, it launches privileged processes, bypassing user account control to install itself on the device, and connect to a command and control server. This could then allow for lateral movement on the device or network.

What’s the risk to me or my business?

The worm appears to look legitimate and can bypasses some basic security controls on a device. This could cause an unaware user to infect a system, believing that the file is legitimate. This worm is now being seen more prominently in the wild across multiple organisations.

What can I do?

Work with your MSP to ensure that endpoint protection is enabled on user devices, and that it is scanning removable drives on insertion. Policies should be put into place to prevent software launching from a removable drive. Training should be supplied to users to ensure that they do not plug untrusted USB drives into corporate computers.

Technical Summary

Red Canary originally identified and named the worm, which makes use of legitimate processes built into Windows in order to establish persistence on the end user device and make contact with command and control (C2) infrastructure. These processes include CMD and msiexec.exe (Windows Installer). Additional malware is then downloaded via msiexc.exe, of which include regsvr32.exe, rundll32.exe and dllhost.exe to repeatedly attempt to connect to command and control, often via TOR nodes.

Further details can be found here: Raspberry Robin gets the worm early (redcanary.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Citrix Application Delivery and Management (Citrix ADM), is a web-based software application used for managing Citrix deployments for an organisation.  Two vulnerabilities have been disclosed by Citrix, one of which could allow for a remote, unauthenticated user to reset the administrator password on the server, granting administrator access after a reboot.

What’s the risk to me or my business?

This vulnerability could lead to a remote user gaining privileged access to the system which facilitates Citrix deployments, which in turn could be used to access business data through these servers leading to further compromise.

What can I do?

Contact your Managed Service Provider to confirm if Citrix ADM (Hosted) is currently being used to manage Citrix deployments for you organisation and confirm if the vulnerability is being managed and patched in line with Citrix guidance. It is important to note that the Citrix ADM Service, which is the cloud solution, is not affected by this vulnerability. Only hosted solutions are affected.

Technical Summary

Only limited technical details have been supplied by Citrix so far relating to the two vulnerabilities. CVE-2022-27511, which currently does not have a CVS rating, allows a remote, unauthenticated user to corrupt a system which can lead to the reset of the administrator password on reboot, which they can then login with using the default credentials over SSH.

CVE-2022-27512, which also does not currently have a CVS rating, allows temporary disruption to the ADM license service, which can prevent new licences from being issued or renewed from the Citrix ADM.

Further details can be found here: Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Microsoft’s June Patch Tuesday provides updates across all Windows platforms to address critical security issues. This includes updates that address a critical zero-day flaw which allows remote malicious access to the Microsoft Windows Support Diagnostic Tool (MSDT) through Microsoft Office, which has commonly been named ‘Follina’.

Internet Explorer is also set to officially retire today, meaning that going forward any legacy applications will need to be accessed using Microsoft Edge’s Internet Explorer Mode.

Security updates have also been released for other Microsoft products to tackle different issues.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

If legacy applications are still present that require Internet Explorer, then access to these should be advised through Microsoft Edge’s Internet Explorer Mode. As these applications are very likely to be unsupported themselves, steps should be taken to either move away from the legacy applications, or to establish firm risk-based controls for protection and use of the applications.

Technical Summary

CVE-2022-30190 relate to the ‘Follina’ vulnerability. The timeline for the actual disclosure of this issue to Microsoft is not completely clear, there are reports that the issue was originally identified within a university dissertation back in August 2020, with multiple occasions after that where the issue had been reported to Microsoft without a formal CVE being raised. Microsoft has now raised a formal CVE: CVE-2022-30190 - Security Update Guide - Microsoft - Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability and has supplied mitigation steps: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center. As a high-level summary, the exploit works by having word download template information from an external source over the internet, which contains malicious code that can execute the MSDT software, which in itself can execute PowerShell commands.

Further details on specific updates within this months Patch Tuesday can be found here: Microsoft Windows Security Updates June 2022 overview - gHacks Tech News

Information on Microsoft Edge’s Internet Explorer Mode can be found here: What is Internet Explorer mode? | Microsoft Docs

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Executive Summary

A critical flaw has been discovered within Zyxel Firewall products, allowing for a malicious user to bypass the Authentication requirement on the device, enabling unauthorised privileged access. The bug impacts several Zyxel Firewall Network Access Control (NAC) systems as detailed within the technical summary. The bug, achieves a 9.8 on the Common Vulnerability Scoring System (CVSS).

What’s the risk to my business?

Due to the severity of the bug, and the ability for attackers to gain unauthorised privileged access to critical perimeter defence, the risk to businesses operating affected Zyxel Firewalls is high.

What can I do?

The bug has been reported, and a patch has been issued. Businesses operating these devices are urged to implement as soon as possible.

Technical Summary

Zyxel have issued a patch for bug CVE-2022-0342, which was disclosed on 03/28/2022. Zyxel’s investigation has only been focused on devices within their warranty and support period. The following Zyxel products are confirmed to be affected, with the appropriate patches listed:

·       USG/ZyWALL, running version ZLD V4.20 to ZLD V4.70 | Fixed in Patch ZLD V4.71

·       USG FLEX, running version ZLD V4.50 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·       ATP, running version ZLD V4.32 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·       VPN, running version ZLD V4.30 to ZLD V5.20 | Fixed in Patch ZLD V5.21

·       NSG, running version V1.20 to V1.33 Patch 4 | Fixed in Hotfix V1.33p4_WK11, available from vendor. Fix will be included in standard patch V1.33 Patch 5 when released in May 2022.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive Summary

Ransomware specifically designed to target VMware systems has been found to be in use by malicious attackers. VMware systems have been a prime target for attackers, as many different services which organisations rely on run on these systems. By compromising these systems, all of the hosted services can also be impacted.

What’s the risk to me or my business?

This attack works by shutting down virtual machines running on a VMware system, and encrypting them before demanding a ransom. If the ransom is not paid within three days, then there is a further threat to release the data which the attacker has exfiltrated. This requires an attacker to be able to gain prior access to the system, and to enable ‘Shell’ access to run the malicious script.

What can I do?

Ensure that appropriate security measures are applied to these critical systems, to prevent an attacker from being able to access them. This includes up to date patching of the systems, and appropriate network segregation to prevent end user devices from being able to access the systems. Ensure that Shell access to the server is not left enabled.

The adoption of a security framework such as NIST CSF would greatly assist with applying appropriate controls to prevent this type of attack.

Technical Summary

Trend Micro has conducted the research into this specific strain of ransomware. This strain works by accessing VMware Servers using Secure Shell (SSH), and running a script which shuts down all active virtual machines in order to encrypt them, with the file extension ‘.cheers’. It is worth noting that the renaming of the files happens before the encryption starts, so it is possible that a file is renamed but is in fact not encrypted due to a permissions issue on the account logged in via SSH.

A full break down of the attack can be read here: New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices (trendmicro.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive Summary

Microsoft has detected a significant increase in malware targeted at Linux systems to create botnets which can be used for distributed denial-of-service (DDOS) and other types of attack. Internet-of-Things (IoT) or Smart Devices often use a Linux operating system to run their service. These are often not patched regularly, if at all, making them a target for this type of attack. Cloud service providers also often use Linux based operating systems.

What’s the risk to me or my business?

While IoT/Smart Devices are normally associated with home use, there has been an increase of their usage in business locations. As these devices are often not as well supported by the manufacturer for security updates, and use internet connectivity for function, they are a prime target for attackers. Once a device has been compromised and added to a botnet, it could be used to bring targeted services down via a DDOS attack or could be used to compromise other devices through brute force attacks.

What can I do?

It is important to keep all devices and systems used updated to patch vulnerabilities which enable the attacks described above to take place. It is also important to have Anti-Virus and endpoint management enabled on these devices where supported. IoT/Smart Devices pose their own challenge with this, as it is often not immediately clear who is responsible for updating the device (the vendor or user), and if security updates will be provided by the vendor. It is also not always possible for services such as Anti-Virus and endpoint management to be installed on these devices.

The following list are good practice points for mitigating the risk that IoT/Smart devices pose:

1.       Separation: Ensure that IoT/Smart devices do not sit on the same network as corporate devices. This layer of separation may be logical using network technologies such as VLANs with access control lists, or physical separation with different network infrastructure for the devices. This will help to prevent a compromised device from being used to gain access to corporate systems.

2.       Inventory: Take inventory and track what IoT/Smart devices are in use, with justification on their function. It is important to keep track of support information for these devices to establish if updates are still being published by the manufacturer, and when it is a good time to replace the devices if updates are no longer supported.

3.       Updates: While most IoT/Smart devices will automatically update when an update is published by the vendor, this is not always the case. It is important to check how frequently updates are applied to the devices, and if this is something which needs to be done manually by the device administrator. At end of manufacturer support for updates, it is important to consider replacing the device.

4.       Monitoring: It is important to monitor the activity of a IoT device, to establish a baseline on expected connectivity for the service it provides. This can then be used to provide alerts for anomalous activity outside of this baseline as an indicator of compromise, making it quick to lock down and remove a device from the network.

5.       Physical Protection: Take steps to physically protect the IoT device from tampering. These devices may contain USB ports designed for delivering updates or debugging errors, but these ports could also potentially be used to install malware.

6.       Account Protection: Ensure that the accounts used to access and administer the devices are appropriately secured, following the relevant corporate Identity and Access Management policies and Password policies. These accounts often allow access to the device via the internet, which if compromised could be a potential route into the network bypassing boundary perimeters.

Technical Summary

The specific attack identified by Microsoft is a Linux Trojan named XorDdos. This is not new malware and was originally discovered in 2014. Research shows that once compromised, these devices are often infected with additional malware used for different purposes.

Further technical details can be found here: Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices - Microsoft Security Blog. Further information on IoT best practices can be found here: Internet of Things (IoT) security best practices | Microsoft Docs, Code of Practice for consumer IoT security - GOV.UK (www.gov.uk), Ten best practices for securing the Internet of Things in your organization | ZDNet

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive Summary

VMware is a large supplier of virtualisation products which are used to run a variety of different services. They announced on 18/05/2022 that updates have been released for multiple products in their range to address two different vulnerabilities. The United States Cybersecurity and Infrastructure Security Agency (CISA) are advising US Civilian Government agencies to patch affected products, or disconnect those that cannot be patched by 5PM EDT on 23/05/2022.

What’s the risk to me or my business?

As VMware are one of the primary suppliers of virtual infrastructure, it is highly likely that some business services will be hosted on machines running VMware software. One of the vulnerabilities would allow an attacker with network access to the user interface of an affected product to obtain administrative access without the need to authenticate. As business services may be hosted on VMware infrastructure, this could impact Confidentiality, Integrity, or Availability for these services.

What can I do?

As patches have been released, it is important that these are applied as soon as possible, particularly as some of the vulnerabilities are now being actively exploited.

Discuss with you Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. While VMware has supplied workaround to help mitigate the issue if it cannot be immediately patched, it is strongly noted that the work arounds do not remove the vulnerabilities and may introduce additional unforeseen issues.

Technical Summary

The following is a break down of the different vulnerabilities with the affected VMware products.

CVE-2022-22972: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. Affected VMware products:

·         VMware Workspace One Access

·         Identity Manager

·         vRealize Automation

CVE-2022-22973: Important severity range with maximum CVSSv3 base core of 7,8, malicious actor with local access to the system can escalate privileges to ‘root’.

·         VMware Workspace ONE Access and Identity Manager

The following VMware products deploy the above affected components.

• VMware Cloud Foundation

• vRealize Suite Lifecycle Manager

Further technical information including a response patch matrix and workarounds can be found here: VMSA-2022-0014 (vmware.com), VMSA-2022-0014: Questions & Answers | VMware

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

A set of five vulnerabilities named “TLStorm 2.0” have been discovered, affecting some network switches produced by Aruba and Avaya. The vulnerabilities could allow a malicious party to remotely execute code on the devices, allowing access to data flowing through the device or configuration control of the device which could lead to further attacks.

What’s the risk to me or my business?

Network switches are the backbone of IT infrastructure that allows data to flow from different devices. These switches also provide the ability to segregate data, such as having a separate guest and corporate network. If exploited, these vulnerabilities could allow a malicious attacker to bypass a guest network and gain access to the corporate network, which exposes corporate infrastructure to further attacks. There is currently evidence these vulnerabilities are being used in the wild.

What can I do?

Confirm with your managed service provider if affected devices are in use within your organisation, and if the appropriate patches have been supplied to the devices. It is important to remember all network devices when considering software and firmware patching, not just Windows endpoints. Other mitigation steps include limiting the potential attack service by denying management portal access on guest network ports or limiting this specifically to a dedicated management port.

Technical Summary

There are a total of five vulnerabilities disclosed affecting Avaya and Aruba switches. Only four of these vulnerabilities were given CVE’s, as the fifth vulnerability was only found on a discontinued product line. All the vulnerabilities relate to the NanoSSL library, and it’s implementation by the vendors on the network switches. It’s worth noting that the library itself does not contain the vulnerabilities, these vulnerabilities are present due to the vendor not following the correct implementation guidelines for the library.

Avaya - CVE-2022-29860, CVE-2022-29861

·         ERS3500 Series

·         ERS3600 Series

·         ERS4900 Series

·         ERS5900 Series

Aruba - CVE-2022-23677 and CVE-2022-23676

·         Aruba 5400R Series

·         Aruba 3810 Series

·         Aruba 2920 Series

·         Aruba 2930F Series

·         Aruba 2930M Series

·         Aruba 2530 Series

·         Aruba 2540 Series

Further details can be found here, under “Technical Overview”: TLStorm 2.0 - Armis

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

A privileged escalation hacking tool has been publicly disclosed, which allows an attacker to use the PowerShell to step through a process leading to local administrator access. Known as “KrbRelayUp” takes advantage of default configuration settings for Windows Domain environments, and the ability for local accounts to access Microsoft PowerShell. This attack requires a low-privilege account to be compromised, and could lead to further privilege escalation including compromising a domain administrator account.

What’s the risk to me or my business?

As the requirements for this attack are credentials to a low privileged account, and default configuration for Windows Active Directory, it is a likely path for an attacker to use once they have compromised an account in order to gain privileged access. This vulnerability affects any environments using either Local Domain Controllers, or a Hybrid between Azure and On-Premises Active Directory.

What can I do?

Contact your Managed Service Provider and request that tools such as “PSExec” and “PowerShell” are blocked for standard users, who would not require access to these tools typically used for administration purposes. Other mitigation options include enforcing “LDAP Signing” within active directory environments, however it is important to test the impact that making these changes may have on a production environment to avoid unexpected outcomes.

Technical Summary

The attack follows the following steps:

1.       Compromise/have access to low-privileged credentials linked to a Local Active Directory environment.

2.       Create a new machine account and add this to the domain.

3.       Obtain the SID for the machine account.

4.       Use the KrbRelay software to abuse the attribute “msDS-AllowedToActOnBehalfOfOtherIdentity” of the targeted computer account.

5.       Obtain privileged Silver Ticket for the local machine through Rebeus by performing a Resource-based Constrained Delegation attack (RBCD).

6.       Use the Silver Ticket to authenticate with local service manager, creating a new service as NT/System. This service now has local administrator access.

Further details can be found here:

GitHub - Dec0ne/KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). Privilege Escalation using KrbRelay and RBCD · GitHub

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

As part of Microsoft’s Patch Tuesday, several high and critical vulnerabilities have been patched, of which at least four critical vulnerabilities affect all supported versions of Windows (Clients and Servers). These include ‘wormable’ vulnerabilities, meaning that the vulnerability can be exploited by a malicious program which can replicate itself across a network.

Security updates have also been released for other Microsoft products including Edge, Office and Active Directory Domain Services.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows, including Windows 7 to Windows 11, and Windows Server 2008 R2 to Windows Server 2022. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

CVE-2022-24491 and CVE-2022-24497 relate to the previously mentioned ‘wormable’ vulnerability, which have CVSS scores of 9.8. They are Remote Code Execution vulnerabilities within the Windows Network File System (NFS). Further details on the individual updates and each affected Windows version can be found here: Microsoft Windows Security Updates April 2022 overview - gHacks Tech News

Need help understanding your gaps, or just want some advice? Get in touch with us.