Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 25 April 2024 – Cisco ASA and FTD Zero-days Exploited by Nation-state Hackers, Patch Now
Executive summary
Cisco has published a security advisory warning regarding an active attack campaign labelled as “ArcaneDoor”. The campaign involves threat actors exploiting vulnerabilities in Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) to implant previously unknown malware, execute commands and exfiltrate data. Activity is thought to have begun in early January 2024.
What’s the risk to me or my business?
Organisations running vulnerable versions of Cisco ASA or FTD are at risk of an attacker implanting malware, executing commands and exfiltrating data, impacting the confidentiality, integrity and availability of their data. There is no current workaround, and Cisco advises upgrading to a fixed software release immediately.
What can I do?
Black Arrow recommends following Cisco’s advice and applying patches immediately. Organisations can also open a case with the Cisco Technical Assistance Center, referencing the keyword “ArcaneDoor”, to verify the integrity of their Cisco ASA or FTD devices. Further information on this can be found in the advisory provided by Cisco.
Technical Summary
CVE-2024-20353 – A denial-of-service vulnerability impacting Cisco ASA and FTD software.
CVE-2024-20359 – A privilege escalation vulnerability which could allow an authenticated local attacker to execute code with the highest level of privilege. Administrator-level privileges are required to exploit this vulnerability.
Further information can be found in the advisories provided by Cisco:
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 25 July 2023 – Newly Exploited Apple-Zero Day Addressed, Patch Now
Executive Summary
Apple has recently released multiple patches covering a number of vulnerabilities, including one actively exploited zero-day. The zero-day affects devices running vulnerable versions of iOS, iPadOS, macOS, tvOS, watchOS and Safari, and allows threat actors to obtain the highest privileges available (kernel privileges) on affected devices. Earlier this month, another actively exploited zero-day, CVE-2023-37450, was addressed by Apple through a Rapid Security Response update.
What’s the risk to me or my business?
Exploitation of the vulnerability could allow an attacker unauthorised access to sensitive data, allowing them to manipulate or delete important information, or even take over the entire device, compromising the confidentiality, integrity, and availability of the data held by an exploited device. In some cases, threat actors are exploiting the vulnerability to install spyware on vulnerable devices.
What can I do?
Given the widespread use of Apple devices for both corporate and personal use, it is important to prioritise the application of the released patches to protect devices. Apple has also released patches addressing these vulnerabilities for products that are no longer supported. We recommend updating your devices promptly to these latest versions. Apple has acknowledged active exploitation of these vulnerabilities and as such recommends updating immediately. Organisations that do not issue Apple devices but have a bring-your-own-device policy should consider whether that policy may include Apple devices.
Apple has addressed the zero-day in the following versions:
macOS Ventura 13.5
iOS 16.6
iPadOS 16.6
Safari 16.6
tvOS 16.6
watchOS 9.6
Technical Summary
CVE-2023-38606 – Successful exploitation of this flaw could lead to a threat actor obtaining kernel privileges (the highest available). This allows the malicious actor to “modify sensitive kernel state”.
Information on all vulnerabilities addressed can be found at the links below:
Further information on the iOS and iPadOS vulnerabilities can be found here:
https://support.apple.com/en-us/HT213841
Further information on the Mac vulnerabilities can be found here:
https://support.apple.com/en-us/HT213843
Further information on the Safari vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213847
Further information on the tvOS vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213846
Further information on the watchOS vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213848
Black Arrow Cyber Advisory 03/10/2022 – Microsoft Exchange Zero-Days
Updated on 02/11/2022 to reflect the updated mitigation from Microsoft
Updated on 04/10/2022 with additional information on Mitigations and risk to Hybrid Cloud setups.
Updated on 05/10/2022 with updated information on Mitigations from Microsoft
Executive Summary
Two zero-day vulnerabilities have been identified which affect Microsoft Exchange on-premises servers. One of the zero-days allows an attacker to remotely trigger the second zero-day, which would allow a malicious actor to remotely execute code on the server. Both vulnerabilities require authentication with the Exchange server, meaning that the attacker would need to already hold working credentials for a standard user.
What’s the risk to me or my business?
Successful exploitation of these vulnerabilities would grant an attacker the ability to remotely execute code on the underlying server, allowing them to perform reconnaissance on the environment and exfiltrate data off the network.
What can I do?
Microsoft is currently working on patches for the vulnerabilities and has released mitigations, which are detailed below. Microsoft also recommends disabling remote PowerShell access for non-administrator users to further reduce the attack surface.
Update: Security researchers have identified that affected Exchange servers are still vulnerable with the Microsoft-recommended mitigations in place, and recommend using a more specific block URL pattern when applying the Microsoft mitigation: “(?=.*autodiscover)(?=.*powershell)”
Update 2: Microsoft has updated their mitigation guidance and associated scripts. Please see the “Customer Guidance for Reported Zero-Day” linked below for the latest guidance.
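A defender-side check of the stricter block pattern quoted above, as an added example that is not part of the advisory: it applies the regex to a constructed IIS W3C log excerpt to show which requests the URL Rewrite rule would block, and why case handling matters (IIS URL Rewrite compares case-insensitively by default, which is assumed here, whereas Python's re needs an explicit flag). The log lines, addresses and field order are constructed for the example.

```python
import re

# Block pattern from the advisory (the stricter one researchers recommended for
# the IIS URL Rewrite mitigation): two lookaheads, so the request URI must contain
# both "autodiscover" and "powershell", in any order, with anything in between.
BLOCK_PATTERN = r"(?=.*autodiscover)(?=.*powershell)"

# Constructed W3C-format IIS log excerpt (not real traffic); default field order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-03 10:15:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 31
2022-10-03 10:15:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.com 443 - 10.0.0.21 Mozilla/5.0 - 200 0 0 40
2022-10-03 10:15:03 10.0.0.5 POST /AutoDiscover/AutoDiscover.json x=PowerShell 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 55
"""


def uri_matches_block_rule(request_uri, case_insensitive=True):
    """True if a URL Rewrite rule using BLOCK_PATTERN would block this URI.

    IIS URL Rewrite compares case-insensitively by default (assumed here), so
    the pattern as written also catches mixed-case URIs there; Python's re is
    case-sensitive unless told otherwise, hence the flag.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(BLOCK_PATTERN, request_uri, flags) is not None


def flag_iis_log(log_text, case_insensitive=True):
    """Return (client_ip, method, uri) for every log line the rule would block."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        f = line.split()
        method, stem, query, client_ip = f[3], f[4], f[5], f[8]
        uri = stem if query == "-" else stem + "?" + query
        if uri_matches_block_rule(uri, case_insensitive):
            hits.append((client_ip, method, uri))
    return hits


if __name__ == "__main__":
    for hit in flag_iis_log(SAMPLE_LOG):
        print("would be blocked:", hit)
```

Running the same log with case_insensitive=False shows the mixed-case request slipping through, which is the behaviour to check for if the rule is reproduced in a case-sensitive engine.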
Technical Summary
Microsoft Exchange Online users are not affected by these vulnerabilities.
Update: Hybrid setups which combine Exchange Online with Exchange on-premises are vulnerable to exploitation.
The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability which allows an authenticated attacker to remotely trigger the second vulnerability, CVE-2022-41082, which allows Remote Code Execution (RCE) through PowerShell.
Further information on the zero-day vulnerabilities can be found here: Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC – Providing comprehensive security services (gteltsc.vn)
The recommended mitigations are available here (Update 2: this link has been updated by Microsoft with the latest guidance): Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center
Update: Information on the latest recommended mitigations can be found here: Microsoft Exchange server zero-day mitigation can be bypassed (bleepingcomputer.com)
Black Arrow Cyber Advisory 13/07/2022 – Microsoft Patch Tuesday – Fixes released for Two Zero-Day flaws, One Under Active Exploitation
Executive Summary
Microsoft’s July Patch Tuesday provides updates to address security issues across its product range, including several critical patches. The standout patch in this release is for a Zero-Day flaw, affecting both client and server versions of Windows, that is being actively exploited in the wild and allows an attacker to escalate privileges within a specific Windows component to gain SYSTEM-level permissions.
Security updates have also been released for other Microsoft products to tackle different issues, including the Microsoft Edge browser, which also has a Zero-Day patch, Microsoft Office, and all supported versions of Microsoft Windows.
What’s the risk to me or my business?
Security updates are available for all supported versions of Windows. As this release contains a patch for a Zero-Day that is known to be actively exploited, the updates should be applied as soon as possible.
What can I do?
Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.
Technical Summary
The aforementioned Zero-Day, CVE-2022-22047, allows attackers to escalate privileges within the Windows Client Server Runtime Subsystem (CSRSS) to gain SYSTEM permissions, effectively providing them with unlimited privileged access on the local system. From there they can disable Endpoint Security Solutions and install malicious software for further privilege escalation, allowing access to the wider organisational network. Further information on this particular vulnerability is available here: CVE-2022-22047 - Security Update Guide - Microsoft - Windows CSRSS Elevation of Privilege Vulnerability
Several vulnerabilities within the Edge browser have also been addressed, including a Zero-Day flaw that Google had previously disclosed as being actively exploited in the wild earlier this month. This Zero-Day flaw has been assigned CVE-2022-2294, and further information is available here: Chrome Releases: Stable Channel Update for Desktop (googleblog.com)
Further details on other specific updates within this Patch Tuesday can be found here: Microsoft Windows Security Updates July 2022 overview - gHacks Tech News