Threat Intelligence Blog

Contact our Experts Now

Subscribe to our Weekly Cyber Threat Intelligence Briefing

Black Arrow Admin 15/03/2023 Black Arrow Admin 15/03/2023

Black Arrow Cyber Advisory 15 March 2023 – Microsoft Releases Patch for Critical Outlook/365 Vulnerability Under Active Exploitation

Executive Summary

This week Microsoft released a patch for a critical actively exploited privilege escalation vulnerability in Microsoft Outlook. The vulnerability is tracked as CVE-2023-23397.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to gain authentication details from a targeted machine. These details can then be relayed to other systems or brute-forced offline, leading to compromise of the account.

Technical Summary:

The vulnerability allows an attacker to craft malicious emails which force a target device to connect to a remote UNC of the attackers choice. A UNC is a path that can be used to access network resources. Upon connection, the Net-NTLMv2 hash, which is a hash of the victim’s password is leaked to the attacker. The attacker can then relay this hash to authenticate as the victim on other services or decode the hash offline. At no point does the email need to be previewed or opened, it is triggered as soon as it is received and processed by the email server.

What can I do?

It is recommended that organisations apply the latest patches as soon as possible as this vulnerability is recorded as actively exploited. In their analysis, Microsoft recorded that this vulnerability was exploited by Strontium, a state-sponsored Russian hacking group. Organisations using strictly off-premises solutions are not impacted.

Further information on CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 12/03/2023 Black Arrow Admin 12/03/2023

Black Arrow Cyber Threat Briefing 10 March 2023

Black Arrow Cyber Threat Briefing 10 March 2023:

-Business Email Compromise Attacks Can Take Just Hours

-Research Reveals ‘Password’ is Still the Most Common Term used by Hackers to Breach Enterprise Networks

-Just 10% of Firms Can Resolve Cloud Threats in an Hour

-MSPs in the Crosshair of Ransomware Gangs

-Stolen Credentials Increasingly Empower the Cyber Crime Underground

-It’s Time to Assess the Potential Dangers of an Increasingly Connected World

-Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards

-Developers Leaked 10m Credentials Including Passwords in 2022

-Cyber Threat Detections Surges 55% In 2022

-European Central Bank Tells Banks to Run Cyber Stress Tests after Rise in Hacker Attacks

-Employees Are Feeding Sensitive Business Data to ChatGPT

-Is Ransomware Declining? Not So Fast Experts Say

-Preventing Corporate Data Breaches Starts With Remembering That Leaks Have Real Victims

-Faced With Likelihood of Ransomware Attacks, Businesses Still Choosing to Pay Up

-Experts See Growing Need for Cyber Security Workers as One in Six Jobs go Unfilled

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber threat intelligence experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Black Arrow Cyber Advisory 10 March 2023 – Fortinet, Cisco and Veeam Vulnerabilities Roundup

Executive Summary

Fortinet have disclosed 15 security issues across a range of products including 5 “high” rated vulnerabilities and a “critical” vulnerability that allows an unauthenticated attacker to perform denial of service attacks or execute arbitrary code. Cisco has identified a “high vulnerability” with IOS XR software for the ASR 9000 Series routers. Veeam have disclosed a “high vulnerability” that allows an unauthenticated attacker to request encrypted credentials which may lead to gaining access to the backup infrastructure host.

What’s the risk to me or my business?

Successful exploitation of the Cisco vulnerability tracked as CVE-2023-20049 allows the attacker to cause line card exceptions or hard rests which can lead to traffic loss and denial of service conditions.

The following models are vulnerable if they have Bidirectional forwarding detection (BFD) hardware offload enabled.

ASR 9000 Series Aggregation Services Routers only if they have a Lightspeed or Lightspeed-Plus-based line card installed.
ASR 9902 Compact High-Performance Routers
ASR 9903 Compact High-Performance Routers

A successful exploitation of the Critical Fortinet vulnerability tracked as CVE-2023-25610 allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) conditions in an administrative interface.

The following devices are vulnerable to both the RCE and DoS:

FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions

A full list of vulnerable hardware devices that are impacted by the Denial of Service can be found on the FortiGuard website.

A successful exploitation of the high Veeam vulnerability tracked as CVE-2023-27532 can allow an unauthenticated attacker to request encrypted credentials which may lead to the attacker gaining access to the backup infrastructure of the host.

This vulnerability affects all Veeam Backups and Replication versions but is resolved in the following:

12 (build 12.0.0.1420 P20230223)
11a (build 11.0.1.1261 P20230227)

What can I do?

Cisco has released software updates that address the vulnerability and should be installed. Alternatively, a workaround has been provided which is to disable all bfd hardware offload features, which can be done by removing all hw-module bfw-hw-offload enable commands and resetting the card.

Fortinet has provided solutions to each of the vulnerabilities it has disclosed, and it is recommended that the patches released for the vulnerabilities are installed.

Veeam has released a patch and should be installed, however they suggest that if you are using an earlier version to upgrade to the current supported version first. Alternatively, if you are using an all-in-one Veeam appliance with no backup infrastructure components, external connections to Port TCP 9401 should be filtered until the patch is installed.

Further information on the vulnerabilities be found here:

Cisco IOS XR software update - https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu

Cisco IOS XR Software Security Advisory-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bfd-XmRescbT

Fortinet CVE-2023-25610 advisory and solution - https://www.fortiguard.com/psirt/FG-IR-23-001

Fortiguard vulnerability advisory- https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories

Veeam advisory - https://www.veeam.com/kb4424

Veeam Solution - https://www.veeam.com/product-lifecycle.html?ad=in-text-link

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 09/03/2023 Black Arrow Admin 09/03/2023

Black Arrow Cyber Advisory 09 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk

Black Arrow Cyber Advisory 08 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk

Executive Summary

Security Researchers at Quarkslab have identified two critical vulnerabilities (CVE-2023-1017 and CVE-2023-1018) in The Trusted Platform Module (TPM) firmware; TPMs are used by most modern PCs to make them resistant to tampering and the vulnerabilities could affect billions of devices.

What’s the risk to my business?

Successful exploitation of the vulnerabilities could lead to local information disclosure, including the ability for attackers to make the TPM unavailable leading to denial of service, read sensitive data or escalate privileges. In some cases, an attacker can overwrite protected data in the TPM and go undetected. To be able to exploit the vulnerabilities the attacker would require access to a TPM-command interface to send maliciously crafted-commands to a vulnerable TPM.

What can I do?

The Trusted Computing Group (TCG) have released an updated version of their TPM2.0 library specification: TPM 2.0 library Specifications v1.59 Errata Version 1.4. Once this update has been incorporated within Operating System and Original Equipment Manufacturer (OEM) firmware, it is recommended this updated version is installed. For the meantime, remote attestation may help identify it any changes have been made to the TPM.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Documentation for the upgrade can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf

An Advisory from the Trusted Computer Group can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf

CVE-2023-1017 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1017

CVE-2023-1018 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1018

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Alert 07 March 2023 – ACTION REQUIRED: New Hiatus Hacking Campaign Targets DrayTek Routers to Spy on Businesses

Executive Summary

An ongoing hacking campaign known as “Hiatus” is targeting DrayTek Vigour router models 2960 and 3900 to monitor and steal data from businesses.

What’s the risk to my business?

If exploited successfully, the attacker is able to remotely execute commands on the router, and monitor and control traffic that passes through the router including file-transfer and email communications.

Technical Summary:

Research by Black Lotus Labs has found the campaign involves following:

A Bash script to deploy two executables to the targetdevice, post-exploitation. These are:
- HIATUS Remote Access Trojan
- A variant of ‘tcpdump’ that enables packet capture

Once this script has been executed the ‘HiatusRAT’ and ‘tcpdump’ variant are downloaded to a directory created by the script located at ‘/database/.updata’ and are then executed. The malware will listen on TCP port 8816 and if this port is already in use, the process on that port is terminated so that the malware can use it instead. Once the malware has been sucessfully enabled on this port, a second process collects information about the victim device and sends it to a Command and Control (C2) server operated by the attacker (104.250.58.192); an additional C2 server (46.8.113.227) is also used by the attacker to receive information captured by the packet-capture tool . The packet capture tool observes ports associated with mail server and FTP connections, this include TCP ports 21, 25, 110, 143.

What can I do?

It is not currently known how the DrayTek routers have been initially compromised and Draytek have not yet released a security update to resolve any associated known vulnerability. The following actions can be taken to help mitigate and identify if a device has been impacted:

Prevent outbound network traffic on TCP port 8816, to disable the malware’s outbound communication.
Block network traffic to or from the following IP addresses: 104.250.58.192 and 46.8.113.227
Check the following location on vulnerable devices for any files in that location, as this would be an indicator of compromise (IoC): ‘database’ and ‘/database/.updata’
Configure continuous security monitoring to detect anomalous activity that may be indicative of a compromise.

Further indicators of compromise can be found here: https://github.com/blacklotuslabs/IOCs/blob/main/Hiatus_IoCs.txt

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

A link to the report from Black Lotus Labs can be found here: https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/?utm_source=press+release&utm_medium=referral

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Alert 07 March 2023 – Black Lotus UEFI Bootkit Malware Bypasses Secure Boot

Executive Summary

A new UEFI bootkit called BlackLotus (not to be confused with Black Lotus Labs) has become the first publicly known malware with the capability of bypassing secure boot defences, rendering it a serious threat. A bootkit is a malicious program designed to load as early as possible during the boot process, before other security components are loaded and BlackLotus does this by targeting the UEFI which is low level firmware, responsible for booting up most modern computers.

What’s the risk to my business?

Successful exploitation allows an attacker to effectively control the computer and allow them to remotely execute code and gain the highest level of privilege. Successful exploitation requires the attacker to either have remote privileged access, or physical access to the target computer.

Technical Summary

The bootkit exploits CVE-2022-21894, which is a Secure Boot vulnerability. Although patched by Microsoft in January, the vulnerable signed binaries are not on the UEFI revocation list which flags boot files that should not be trusted and as such the malware can run on “patched” systems. Once the bootkit has run successfully, it is engineered to communicate with a command-and-control server, allowing the bootkit to retrieve additional user-mode or kernel-mode malware.

What can I do?

There is currently no known patch and the bootkit can run even on fully patched Windows 11 systems which have Secure Boot enabled. Security controls to mitigate this vulnerability from being exploited should focus on preventing an attacker from obtaining remote privileged access to the device through secure identity and access management, or to prevent unauthorised individuals from having physical access to the device. Black Arrow will continue to monitor the situation, and this alert will be updated when more information is made available.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Research on BlackLotus malware can be found here: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

Details for CVE-2023-21716 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21716

Black Arrow Admin 07/03/2023 Black Arrow Admin 07/03/2023

Black Arrow Cyber Advisory 07 March 2023 – Microsoft Word Proof of Concept Exploit Released for Recently Patched RCE Vulnerability

Executive Summary

CVE-2023-21716 is a Microsoft Word critical remote code execution vulnerability discovered last year, which has been patched in Microsoft’s February patch Tuesday. Security Researcher Joshua Drake has released a Proof of Concept (PoC) for the vulnerability and it’s so small it can fit in a tweet. The PoC requires the victim to simply just preview or open a malicious file, which could arrive in a multitude of ways, such as an email.

What’s the risk to my business?

Successful exploitation allows an attacker to remotely execute code, impacting the confidentiality, integrity and availability of the data held by an organisation.

What can I do?

The vulnerability was patched as part of Microsoft’s February patch Tuesday, so only unpatched versions of Microsoft Office Word remain vulnerable. It is therefore recommended to apply the patches if not done so already. Additionally, the impact can be mitigated by enabling protected view in Microsoft Office Word, which is enabled by default. Protected view is a read-only mode where most editing functions are disabled.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

The proof of concept can be found here: https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

Details for CVE-2023-21716 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21716

Black Arrow Admin 04/03/2023 Black Arrow Admin 04/03/2023

Black Arrow Cyber Threat Briefing 03 March 2023

Black Arrow Cyber Briefing 03 March 2023:

-It’s Time to Evaluate Your Security Education Plan Amongst the Rise in Social Engineering Attacks

-Mobile Users are More Susceptible to Phishing Attacks

-Phishing as a Service Stimulates Cyber Crime

-Attacker Breakout Time Drops to Just 84 Minutes

-Attackers are Developing and Deploying Exploits Faster Than Ever

-Old Vulnerabilities are Haunting Organisations and Aiding Attackers

-Scams Drive Nearly $9bn Fraud Surge in 2022

-Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This

-Cyber Security in This Era of Polycrisis

-Russian Ransomware Projects Rebranded to Avoid Western Sanctions

-Ransomware Attacks Ravaged Big Names in February

-Firms Who Pay Ransom Subsidise New Attacks

-How the Ukraine War Opened a Fault Line in Cyber Crime

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Black Arrow Cyber Advisory 03 March 2023 – Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web User Interface Vulnerabilities

Executive Summary

Multiple Vulnerabilities in the web-based management interface for the Cisco IP Phones: 6800, 7800, 7900, and 8800 have been identified. The vulnerabilities are tracked as CVE-2023-20078 and CVE-2023-20079.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to remotely execute code or cause a denial of service (DoS). The vulnerabilities are not dependent on each other and can therefore be executed without requiring the other one.

What can I do?

There are no workarounds, and it is recommended that the patches for the vulnerabilities released by CISCO are installed.

The following models and firmware versions are impacted:

· IP Phone 6800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

· IP Phone 7800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

· IP Phone 8800 Series with Multiplatform Firmware version earlier than 11.3.7SR1

Due to the following products having reached the end of life process, there is no patch available:

· Cisco Unified IP Phone 7900 Series

· Cisco Unified IP Conference Phone 8831

· Cisco Unified IP Conference Phone 8831 with Multiplatform Firmware

Further information on the vulnerabilities be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 01/03/2023 Black Arrow Admin 01/03/2023

Black Arrow Cyber Alert 01/03/2023 – ACTION REQUIRED: LastPass Security Incident Update

Black Arrow Cyber Alert 01/03/2022 – ACTION REQUIRED: LastPass Security Incident Update

Executive Summary

Yesterday (28 February 2023), LastPass provided an update on their recent security incident that was disclosed on 22 December 2022. LastPass explained how information stolen in a breach that had taken place in August 2022 was then used to conduct a separate breach in December 2022; the latter breach then allowed access to the LastPass encrypted Amazon S3 buckets.

LastPass also revealed more about how the incidents happened. In the first incident the threat actor did not have the decryption keys and they were unable to decrypt some data. The threat actor identified that a DevOps engineer had access to the decryption key and as a result the DevOps engineer’s home computer was targeted. Through exploiting a vulnerable third-party software package, the threat actor was able to install a keylogger and capture the engineers’ master password as it was entered. Once the engineer had authenticated with multi factor authentication (MFA), the threat actor then had access to the LastPass corporate vault.

What’s the risk to my business?

The incident has resulted in a significant amount of data being accessed[1]. LastPass has stated that the compromised backup of the customer base was dated 14 August 2022 and that any accounts created after that date are not affected. A full list, including descriptions is available from LastPass; a summary of main items is presented below:

Business customers - General

MFA seeds
Splunk Security Information and Event Management (SIEM) integration secrets
“Push” site credentials
SCIM, Enterprise API and SAML keys
Billing addresses
Company name
Tax id
Email address
End user name
IP address of trusted devices
Telephone number
Mobile device unique identifier
Number of iterations that a customer was configured to use

Business customers - Non federated

Hashes of temporary and account recovery one-time passwords
MFA API integration secrets
One-time password seeds

Business Customers - Federated

Split knowledge component “K2” keys

What can I do?

Recommended actions depend on whether the user environment is federated or not. Federated users are users who are authenticated with an identify provider such as Azure Directory, which then allows the user to access LastPass. Non-federated users will access LastPass using a LastPass username and password. The recommended actions are as follows:

Federated users

For federated environments, organisations should consider de-federating and re-federating all users, and request users to rotate all vault credentials based on the organisation’s risk tolerance. If credentials are to be rotated, critical credentials should be prioritised.

Non-federated users

Where non-federated users have employed the use of MFA, administrators should clear all MFA shared secrets[2] as this will destroy all LastPass sessions and require the user to log back in and re-enable MFA. Where MFA is not in use, we strongly recommend it is enforced as soon as possible. Administrators should also consider requiring users to reset their master passwords[3].

General

To maximise security for your users, LastPass recommend reviewing iteration count settings and recommend that users change to 600,000 iterations[4] which is the recommended number by OWASP.

A super administrator or “break-glass” account is a privileged account reserved for unrestricted emergency access. Where a super administrator or “break glass” administrator account is present, it is recommended by LastPass that at least one of these is not federated and has a master password and strong iteration account as per LastPass guidance. Where the password is not strong, it should be reset immediately. It is recommended that MFA also be reset, to reduce the risk of compromise.

Additional considerations include the review of vault item password policies, user security scores, security of shared folders and monitoring of the dark web.

As always, organisations should remain vigilant as threat actors may use this event to conduct phishing campaigns.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

[1] https://support.lastpass.com/help/what-data-was-accessed

[2] https://support.lastpass.com/help/reset-mfa-settings-for-google-authenticator-microsoft-authenticator-and-grid

[3] https://support.lastpass.com/help/enterprise-admin-management-of-master-passwords-lp010025

[4] https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators

Black Arrow Admin 26/02/2023 Black Arrow Admin 26/02/2023

Black Arrow Cyber Threat Briefing 24 February 2023

Black Arrow Cyber Briefing 24 February 2023:

-Employees Bypass Cyber Security Guidance to Achieve Business Objectives

-Three Quarters of Businesses Braced for Serious Email Attack this Year

-The Cost of Living Crisis is Triggering a Wave of Workplace Crime

-Fighting Ransomware with Cyber Security Audits

-Record Levels of Fraud Impacting 90% of Payment Compliance Teams

-CISOs Struggle with Stress and Limited Resources

-Cyber Threats and Regulations Mount for Financial Industry

-HardBit Ransomware Wants Insurance Details to Set the Perfect Price

-Social Engineering is Becoming Increasingly Sophisticated

-A Fifth of Brits Have Fallen Victim to Online Scammers

-Cyber Attacks Hit Data Centres to Steal Information From Companies

-Phishing Fears Ramp Up on Email, Collaboration Platforms

-The War in Ukraine has Shaken up the Cyber Criminal Eco-system

-Police Bust €41m Email Scam Gang

Black Arrow Cyber Threat Briefing 17 February 2023

Black Arrow Cyber Threat Briefing 17 February 2023:

-High Risk Users May be Few, but the Threat They Pose is Huge

-The Cost of Cyber Security Insurance is Soaring so Firms Need to Take Prevention More Seriously

-Cyber Attacks Worldwide Increased to an All-Time Record Breaking High

-Most Organisations Make Cyber Security Decisions Without Insights

-Ransomware Attackers Finding New Ways to Weaponise Old Vulnerabilities

-Are Executives Fluent in IT Security Speak? 5 Reasons Why the Communication Gap is Wider Than You Think

-Business Email Compromise Groups Target Firms with Multilingual Impersonation Attacks

-EU Countries Told to Step up Defence Against State Hackers

-Cyber Criminals Exploit Fear and Urgency to Trick Consumers

-How to Manage Third Party and Supply Chain Cyber Security Risks that are Too Costly to Ignore

-Russian Spear Phishing Campaign Escalates Efforts Towards Critical UK, US and European Targets

-5 Biggest Risks of Using Third Party Managed Service Providers

-Cyber Crime as a Service: A Subscription Based Model in the Wrong Hands

Black Arrow Cyber Advisory 16/02/2023 – Citrix Releases Security Updates Addressing Vulnerabilities in Workspace Apps, Virtual Apps and Desktops Products

Executive Summary

This week Citrix released security updates for vulnerabilities affecting its’ Workspace Apps, Virtual Apps and Desktops products. The vulnerabilities are tracked as CVE-2023-24483, CVE-2023-24484, CVE-2023-24486 and CVE-2023-2286.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to escalate privileges and permissions from a standard user to system level. An attacker could also take over another users session and cause log files to be written to a directory which a standard user would not have permission to write to. For the exploitations to be successful, the attacker requires local access as a standard user to the Virtual Desktop Application.

What can I do?

For organisations using vulnerable versions of Workspace Apps, Virtual Apps and Desktop products, it is strongly recommended to install the patched versions as soon as possible. The affected versions are as below:

Citrix Virtual Apps and Desktops (CVE-2023-24483):

Current release versions before 2212
Long term service release (LTSTR) versions 2203 LTSR before CU2
1912 LTSR before CU6

Citrix Workspace App for Windows (CVE-2023-24484 and CVE-2023-24485):

Citrix Workspace App versions before 2212
Citrix Workspace App 2203 LTSR before CU2
Citrix Workspace App 1912 LTSR before CU7 Hotfix 2 (19.12.7002)

Citrix Workspace App for Linux (CVE-2023-2486)

All supported versions of Citrix Workspace app for Linux before 2302

Further information on CVE-2023-24483 can be found here: https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-desktops-security-bulletin-for-cve202324483

Further information on CVE-2023-24484 and CVE-2023-24485 can be found here: https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windows-security-bulletin-for-cve202324484-cve202324485

Further information on CVE-2023-2486 can be found here: https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 15/02/2023 Black Arrow Admin 15/02/2023

Black Arrow Cyber Advisory 15/02/2023 – Microsoft Patch Tuesday – 75 patches and Three Actively Exploited Vulnerabilities

Executive summary

Microsoft’s February Patch Tuesday provides updates to address 75 security issues across its product range, including three actively exploited zero-days.

Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws.

The three exploited zero-day vulnerabilities include a security bypass vulnerability, remote execution vulnerability and an elevation of privileges vulnerability. Also among the updates provided by Microsoft were 9 critical vulnerabilities.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to bypass security features to upload malicious files, remotely execute code and gain SYSTEM privileges; all of which could compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.

Technical Summary

The following is a breakdown of the actively exploited vulnerabilities which affected Microsoft Operating Systems:

CVE-2023-21715: A vulnerability which allows a local user with authentication to bypass Microsoft Office macro policies used to block untrusted or malicious files.

CVE-2023-21823: A remote code execution vulnerability which allows an attacker to execute code with system privileges, effectively providing them with unlimited permission. Microsoft Store will automatically update affected customers, providing automatic updates are enabled in the Store.

CVE-2023-23376: A vulnerability which allows a successful attacker to gain SYSTEM privileges, effectively providing them with unlimited permission.

Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/02/14/microsoft-windows-security-updates-february-2023-overview/

Further details about CVE-2023-21715 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715

Further details about CVE-2023-21823 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823

Further details about CVE-2023-23376 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376

Black Arrow Admin 12/02/2023 Black Arrow Admin 12/02/2023

Black Arrow Cyber Threat Briefing 10 February 2023

Black Arrow Cyber Threat Briefing 10 February 2023:

-Companies Banned from Paying Hackers After Attacks on Royal Mail and Guardian

-Fraud Set to Be Upgraded as a Threat to National Security

-98% of Attacks are Not Reported by Employees to their Employers

-UK Second Most Targeted Nation Behind America for Ransomware

-Financial Institutions are Suffering from Increasingly Sophisticated Cyber Attacks

-An Email Attack Can End Up Costing You Over $1 Million

-Cyber Crime Shows No Signs of Slowing Down

-Surge of Swatting Attacks Targets Corporate Executive and Board Members

-Phishing Surges Ahead, as ChatGPT and Artificial Intelligence Loom

-Pro-Russian Hacktivist Group is Only Getting Started, Experts Warn

-Crypto Investors Lost Nearly $4 Billion to Hackers in 2022

-PayPal and Twitter Abused in Turkey Relief Donation Scams

-Mysterious Leak of Booking.com Reservation Data is Being Used to Scam Customers

Black Arrow Cyber Advisory 06/02/2023 – New Wave of Ransomware Exploiting VMware ESXi Hypervisors - updated 09/02/2023 and 10/02/2023

Black Arrow Cyber Advisory 06/02/2023 – New Wave of Ransomware Exploiting VMware ESXi Hypervisors

Updated 10/02/2023

Reports indicate that at least 18,500 ESXi servers are still vulnerable to VMware bug behind initial ransomware spree, after last week’s ransomware infections hit more than 3,800 organisations across the United States, France, Italy and more.

Updated 09/02/2023

It has now been found that there is a second wave of the ransomware campaign and reports from administrators are that they are being breached, even though SLP was disabled. There is also a script released by the Cybersecurity and Infrastructure Agency (CISA) which will attempt to recover files from an impacted VMware ESXi hypervisor. It should be noted however, that it will likely not work if the VMware ESXi hypervisor was hit by the second wave of ransomware.

CISA’s advice and link to their recovery script can be found here: https://www.cisa.gov/uscert/ncas/current-activity/2023/02/08/cisa-and-fbi-release-esxiargs-ransomware-recovery-guidance

Executive Summary

A large ransomware campaign is targeting VMware ESXi hypervisors around the world, according to the French government’s computer emergency readiness team (CERT-FR). Although not officially confirmed by VMware, multiple sources report that the ransomware exploits a vulnerability known as CVE-2021-21974, which is a heap-overflow vulnerability in which exploitation can result in remote code execution. A patch was made available by VMware in February 2021.

What’s the risk to me or my business?

According to VMware, the malicious actor needs to reside within the same network segment as VMware ESXi and have access to port 427 to be able to exploit CVE-2021-21974 and remotely execute code. This exploit only impacts organisations with VMware ESXi where OpenSLP services are in use. OpenSLP is an open-source implementation of the Service Location Protocol (SLP), which is used to allow networking applications to discover the existence, location and configuration of network services within enterprise networks. The impacted versions of VMware ESXi are as follows:

· ESXi 7.x versions earlier than ESXi70U1c-17325551

· ESXi 6.7.x versions earlier than ESXi670-202102401-SG

· ESXi 6.5.x versions earlier than ESXi650-202102101-SG

What can I do?

Organisations should look to apply the available patches from VMware as soon as possible. It is recommended that organisations disable the SLP service on ESXi hypervisors that have not been patched for the mean time. Where a patch has been applied recently, a system scan should be performed to detect any indicators of compromise.

Further information on the vulnerability can be found through the original security advisory from VMware, which was published in February 2021: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 09/02/2023 Black Arrow Admin 09/02/2023

Black Arrow Cyber Advisory 09/02/2023 – Reminder of Heightened Risk of Phishing Campaigns Taking Advantage of Tragic Events

Black Arrow Cyber Informational 09/02/2023 – Reminder of Heightened Risk of Phishing Campaigns Taking Advantage of Tragic Events

Executive Summary

Following the recent tragic events in Turkey and Syria this is a reminder that whenever there are catastrophes, natural disasters or other notable or particularly newsworthy events malicious actors will take advantage of these events to push related phishing emails or launch other attacks.

What’s the risk to me or my business?

Threat actors will take advantage of events of this nature, often to try to exploit the good nature and charitable intentions of people and organisations. Each event creates opportunities for threat actors to conduct phishing campaigns. These campaigns can include impersonation of those impact, smishing (SMS phishing), fake charitable pages, malicious links within emails and much more.

What can I do?

We recommend staying extra vigilant. This can be done by verifying charities and or companies through official websites, verifying phone numbers for charities, avoiding suspicious links in emails and checking individuals are who they claim to be.

Information on registered UK charities can be found here: https://register-of-charities.charitycommission.gov.uk/charity-search/

Black Arrow Admin 05/02/2023 Black Arrow Admin 05/02/2023

Black Arrow Cyber Threat Briefing 03 February 2023

Black Arrow Cyber Threat Briefing 03 February 2023:

-Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

-Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

-The Corporate World is Losing its Grip on Cyber Risk

-Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

-Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

-The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will come from the Inside

-98% of Organisations Have a Supply Chain Relationship That Has Been Breached

-New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

-Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

-Financial Services Targeted in 28% of UK Cyber Attacks Last Year

-Phishing Attacks are Getting Scarily Sophisticated. Here’s what to Watch Out For

-City of London on High Alert After Ransomware Attack

-Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

-JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Cyber Security Must be Owned by the Board - ICAS Magazine February 2023

Often a Finance Director or Chief Financial Officer has responsibility for the biggest risk to the organisation’s survival, when cyber security is nestled within IT in their reporting structure. The risks are high when the FD/CFO does not have the specialist guidance and knowledge in cyber security to lead the Board in exercising strong governance. Our co-founder Bruce McDougall CA and experienced cyber security specialist talks with the editor of CA Magazine from ICAS - The Professional Body of CAs about how fellow finance leaders can help avoid the catastrophic effects of a cyber security incident.

Often a Finance Director or Chief Financial Officer has responsibility for the biggest risk to the organisation’s survival, when cyber security is nestled within IT in their reporting structure.

The risks are high when the FD/CFO does not have the specialist guidance and knowledge in cyber security to lead the Board in exercising strong governance.

Our co-founder Bruce McDougall CA and experienced cyber security specialist talks with the editor of CA Magazine from ICAS - The Professional Body of CAs about how fellow finance leaders can help avoid the catastrophic effects of a cyber security incident.

To view the article online: https://www.icas.com/members/ca-magazine/ca-magazine-articles/black-arrow-cyber-consulting-co-founder-bruce-mcdougall-ca-stresses-why-cybersecurity-must-be-owned-by-the-board

Black Arrow Admin 01/02/2023 Black Arrow Admin 01/02/2023

Black Arrow Cyber Advisory 01/02/2023 – Attackers Using Microsoft’s Verified Publisher Status to Steal Data

Executive Summary

On the 15 December Microsoft became aware of a consent phishing campaign, which involved threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP). The threat actors then used the fraudulent accounts to add a ‘verified publisher’ status to OAuth (open authorisation) apps, which then tricked users into granting permissions and allowing the fraudulent OAuth applications to access their data. As these applications appear to be verified, and are hosted within the Microsoft ecosystem, it makes it much more difficult for end users to identify fraudulent applications.

What’s the risk to me or my business?

Microsoft’s investigation determined that once consent was given to these fraudulent applications, the applications were then able to exfiltrate email from the affected users Microsoft tenant.

What can I do?

According to Microsoft, all fraudulent applications have been disabled and impacted customers have been notified with the following subject line “Review the suspicious application disabled in your [tenant name] tenant”. For those impacted, the advice is to investigate the disabled fraudulent applications by checking the applications permissions as well as Azure AD audit logs for activity relating to the application. It is strongly recommended that users do not grant permissions to unprompted applications with their Microsoft Account, as this would allow the application to be granted access to that users data. If the legitimate application is already a part of the users tenant, then further permissions should not be required.

Further information from Microsoft can be found here: https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-campaign-abusing-the-verified-publisher-process/

Microsoft’s advice to mitigating consent phishing can be found here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Threat Intelligence Blog

Top Cyber Stories of the Last Week

Business Email Compromise Attacks Can Take Just Hours

Research Reveals ‘Password’ is Still the Most Common Term used by Hackers to Breach Enterprise Networks

Just 10% of Firms Can Resolve Cloud Threats in an Hour

MSPs in the Crosshairs of Ransomware Gangs

Stolen Credentials Increasingly Empower the Cyber Crime Underground

It’s Time to Assess the Potential Dangers of an Increasingly Connected World

Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards

Insider Threat: Developers Leaked 10m Credentials Including Passwords in 2022

Cyber Threat Detections Surges 55% In 2022

European Central Bank Tells Banks to Run Cyber Stress Tests after Rise in Hacker Attacks

Employees Are Feeding Sensitive Business Data to ChatGPT

Is Ransomware Declining? Not So Fast Experts Say

Preventing Corporate Data Breaches Starts with Remembering that Leaks have Real Victims

Faced With Likelihood of Ransomware Attacks, Businesses Still Choosing to Pay Up

Experts See Growing Need for Cyber Security Workers as One in Six Jobs go Unfilled

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Attack Surface Management

Asset Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Vulnerability Management

Vulnerabilities

Tools and Controls

Other News

Sector Specific

Top Cyber Stories of the Last Week

It’s Time to Evaluate Your Security Education Plan with the Rise in Social Engineering Attacks

Mobile Users are More Susceptible to Phishing Attacks

Phishing as a Service Stimulates Cyber Crime

Attacker Breakout Time Drops to Just 84 Minutes

Attackers are Developing and Deploying Exploits Faster Than Ever

Old Vulnerabilities are Haunting Organisations and Aiding Attackers

Scams Drive Nearly $9bn Fraud Surge in 2022

Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This

Cyber Security in this Era of Polycrisis

Russian Ransomware Projects Rebranded to Avoid Western Sanctions

Ransomware Attacks Ravaged Big Names in February

Firms Who Pay Ransoms Subsidise New Attacks

How the Ukraine War Opened a Fault Line in Cyber Crime

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise