This Month in Cybersecurity - September Edition

Apple and Others Push Patch for New Vulnerabilities

On September 7th, a “zero-click” exploit (one that needs no action from the target, such as opening an attachment or clicking a link) was disclosed in the then-current versions of iOS and iPadOS. It was being used to install spyware developed by the Israeli surveillance company NSO Group on targets’ devices. Apple quickly pushed updates to both operating systems to close the hole; devices that have not installed the update remain exposed to an attack the user cannot see or avoid.

Microsoft, in its September Patch Tuesday release, also fixed a bug in Microsoft Word that could let threat agents impersonate users and gain access to sensitive data and systems, as well as a flaw in the Microsoft Streaming Service Proxy, a component built directly into Windows 10, Windows 11 and Windows Server. Both vulnerabilities have been patched, and Microsoft urges users to make sure they are on the latest security update for their OS.

Not to be left out of the big three, Google also found an issue in Chrome that it says is being exploited in the wild. The fix was pushed to all users automatically, but Google has told users to restart Chrome so that the update actually takes effect: a downloaded but pending update does not protect a browser that has been left running.


Fortinet Patches High-Severity Vulnerability

Fortinet has been dealing with a high-severity cross-site scripting (XSS) vulnerability that, in its own description, can be used to trigger the execution of malicious JavaScript code, allowing the threat agent to access sensitive data within the affected web interface. The biggest concern with a flaw like this is the loss of personal or even payment data stored behind that website.

Another high-severity issue was found in FortiWeb, the company’s web application firewall and API protection product. Fortinet has pushed updates addressing both vulnerabilities, but has not said whether it has observed either being exploited in attacks.


Microsoft Leaks Large Amounts of Private Data

Three years after the fact, it has come to light that Microsoft’s AI research division exposed over 38TB of internal data, including personal data of Microsoft employees, through a Shared Access Signature (SAS) URL that was far too permissive. SAS tokens grant access to resources in an organization’s Azure Storage account, but they are hard to govern: a token is a signed URL rather than an identity that can be audited, its issuance and use are not easily monitored, and it can be issued with an expiry date decades in the future, which in practice means indefinite access. In this case the token had been published to share training data but granted access to the whole storage account rather than the intended files.

The exposed data appears to include backups of employee workstations containing personal information, archived Teams messages, and other internal data about Microsoft services. Microsoft has stated that no customer data was exposed and that the SAS tokens have been revoked, so the access is no longer available.
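The properties that made this token dangerous (account-wide scope, more than read permission, an expiry decades out) are all visible in the SAS URL’s query string, so they can be linted before a URL is ever shared. The following is an added example written for this newsletter, not code from Microsoft or from the researchers who found the leak. It uses only the Python standard library; the policy threshold, the finding wording and the two sample URLs (with fake signatures) are constructed for illustration, and the list of risky permission letters is not exhaustive.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Policy threshold for this check. Hypothetical; set it to your own limit.
MAX_LIFETIME = timedelta(days=7)
# sp permission letters that grant more than read (non-exhaustive): w write, d delete,
# l list, a add, c create, u update, x delete-version, y permanent-delete, t tag, f filter
RISKY_PERMS = set("wdlacuxytf")


def parse_sas_time(value):
    """SAS times are ISO-8601 UTC, e.g. 2051-10-06T16:05:43Z; a date-only form is also allowed."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time {value!r}")


def audit_sas_url(url, now=None):
    """Return a list of findings for a SAS URL; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "sv" not in q:
        return ["not a SAS URL: no sig/sv parameters"]
    findings = []
    # An account SAS carries ss (services) and srt (resource types); a service SAS carries sr.
    if "srt" in q:
        findings.append(f"account SAS over services ss={q.get('ss', '')} resource types srt={q['srt']}: "
                        "scope is the whole account")
    elif q.get("sr") == "c":
        findings.append("container-scoped SAS: every blob in the container is reachable")
    risky = set(q.get("sp", "")) & RISKY_PERMS
    if risky:
        findings.append(f"permissions sp={q.get('sp', '')} go beyond read ({''.join(sorted(risky))})")
    if "se" in q:
        remaining = parse_sas_time(q["se"]) - now
        if remaining > MAX_LIFETIME:
            findings.append(f"expiry se={q['se']} is {remaining.days} days away (policy max {MAX_LIFETIME.days})")
    elif "si" in q:
        findings.append(f"expiry comes from stored access policy si={q['si']}; audit that policy")
    else:
        findings.append("no expiry (se): valid until the account key is rotated")
    # When spr is absent, Azure permits both HTTPS and HTTP.
    if q.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed (spr missing or includes http)")
    return findings


# Constructed sample URLs (fake signatures). The first has the shape of the leaked token:
# account-wide, read/write/delete/list, expiring in 2051.
BAD_URL = ("https://example.blob.core.windows.net/?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacx"
           "&se=2051-10-06T16:05:43Z&st=2020-07-06T08:05:43Z&spr=https&sig=FAKE%2Bsig")
GOOD_URL = ("https://example.blob.core.windows.net/models/weights.bin?sv=2020-08-04&sr=b&sp=r"
            "&se=2023-09-20T00:00:00Z&spr=https&sig=FAKEsig")
FIXED_NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)  # pinned so the example is reproducible

if __name__ == "__main__":
    for label, url in (("bad", BAD_URL), ("good", GOOD_URL)):
        print(label, audit_sas_url(url, now=FIXED_NOW))
```

Run it against every SAS URL found in repositories, wikis and chat exports; the first URL above yields three findings (account-wide scope, write/delete permissions, expiry 28 years out) and the second yields none. A clean result only means the URL looks reasonable; it says nothing about who else already has a copy of it.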

 

Defensible Strategies

Learn from those who have been attacked

Clorox Battling Product Shortage, Cyber Breach to be Blamed

Clorox announced in mid-August that it had identified unauthorized activity on its IT systems. Without disclosing the nature of the attack, Clorox proactively took some of those systems offline, which disrupted production. It used the downtime to add protections before bringing the systems back, and put manual workarounds in place to keep operating while they were offline.

The attack disrupted major operations, but Clorox is beginning to bring those systems back online and is ramping production back up. Clorox worked with law enforcement and third-party cybersecurity experts to determine the scope of the incident, and it expects the incident to have a significant impact on earnings and financial results.


Canadian Government the Target of Pro Russian Group

The Canadian Centre for Cyber Security has issued statements that Canadian organizations have been receiving DDoS (distributed denial-of-service) attacks from a pro-Russian threat agent. DDoS attacks are malicious attempts to disrupt traffic to servers or networks by overwhelming them with a flood of traffic (think of a highway clogged by too many vehicles).

The attacks are in support of Russia’s invasion of Ukraine and are more a nuisance than a data-security risk, but the Canadian agency is warning about them nonetheless. They have focused on Canada’s transportation and financial sectors, but have also targeted various levels of government.

This Month in Cybersecurity - August Edition

Microsoft’s Patched Vulnerability Added to Active Exploitation List by CISA

A recently patched flaw in Microsoft’s .NET and Visual Studio has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation emerged. The patch had been released in an earlier Patch Tuesday update, in which Microsoft tagged the flaw as “Exploitation More Likely”.

The flaw, tracked as CVE-2023-38180, is a denial-of-service vulnerability rated high severity, and CISA and Microsoft are both advising that affected versions be updated to the latest vendor-provided fix by the end of August 2023. The affected versions are as follows:

  • ASP.NET Core 2.1

  • .NET 6.0

  • .NET 7.0

  • Microsoft Visual Studio 2022 versions 17.2, 17.4 and 17.6

CISA also notes that the flaw can be exploited remotely without any privileges or user interaction.
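A machine can have several .NET runtimes installed side by side, and an application keeps using whichever runtime band it was built for, so “we updated .NET” is only true once every installed runtime in an affected band is at or above the fixed version. The script below, an added example written for this newsletter rather than Microsoft or CISA tooling, parses the output of `dotnet --list-runtimes` and reports runtimes that still need updating. The minimum versions in the table are what I take the August 2023 fixes for .NET 6 and .NET 7 to be and must be confirmed against Microsoft’s advisory for CVE-2023-38180; the 2.1 rule and the sample output are constructed for the example.

```python
import re
import subprocess

# Minimum patched runtime versions per band. Assumed values: confirm them against
# Microsoft's advisory for CVE-2023-38180 before relying on this check.
MIN_PATCHED = {
    "6.0": (6, 0, 21),
    "7.0": (7, 0, 10),
}
# ASP.NET Core 2.1 is listed as affected; the example flags any 2.1 runtime regardless of
# patch level on the assumption that it should be replaced rather than patched.
FLAG_ALWAYS = {"2.1"}

# Lines look like: "Microsoft.NETCore.App 6.0.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]"
RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[(?P<path>[^\]]+)\]$"
)


def parse_version(ver):
    """'6.0.21' -> (6, 0, 21); tuples compare numerically, unlike the raw strings."""
    return tuple(int(p) for p in ver.split("."))


def vulnerable_runtimes(list_runtimes_output):
    """Return (name, version, path) for each runtime that is in an affected band and
    below the fixed version (or in a band flagged unconditionally)."""
    findings = []
    for line in list_runtimes_output.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if not m:
            continue
        ver = parse_version(m["ver"])
        band = f"{ver[0]}.{ver[1]}"
        if band in FLAG_ALWAYS or (band in MIN_PATCHED and ver < MIN_PATCHED[band]):
            findings.append((m["name"], m["ver"], m["path"]))
    return findings


# Constructed sample of `dotnet --list-runtimes` output (not captured from a real host).
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 2.1.30 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.0-preview.7.23375.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    try:
        output = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT  # no dotnet on this host: demonstrate on the sample
    for name, ver, path in vulnerable_runtimes(output):
        print(f"UPDATE NEEDED: {name} {ver} at {path}")
```

On the sample output the check flags the 2.1.30 runtime and both 6.0.20 runtimes while leaving 7.0.10 and the 8.0 preview alone. Self-contained deployments bundle their own runtime copy inside the application directory, so this check covers only the shared runtimes; those applications have to be rebuilt and redeployed.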


US Looking Into Microsoft Exchange Hack

As reported last month (July 2023), a Chinese hacking group breached email accounts at several organizations, including US and Western European government agencies. The attackers used a stolen Microsoft signing key to forge authentication tokens, and a token-validation flaw in Outlook’s web services meant those forged tokens were accepted for access to mailboxes.

In response, the US Department of Homeland Security’s Cyber Safety Review Board (CSRB) will launch an in-depth review of cloud security practices. It plans to present findings on the root causes of the incident, along with recommended practices for strengthening identity management and authentication in cloud environments. The CSRB will work with the current US administration and CISA to disseminate the findings.


Flaw in Power Management Software Puts Data Centers at Risk

Researchers have found vulnerabilities in commonly used applications and devices that control infrastructure in data centers. Presented at a recent security conference, the research describes at least nine vulnerabilities across products from two vendors (CyberPower’s data center power-management software and Dataprobe’s power distribution units) that, if exploited, could take down not only customers’ services but power to the data center itself.

Data centers have become central as reliance on cloud computing and hosted data grows. These flaws could be extremely impactful: simply cutting power to server space can cost the organizations that depend on that data millions.

 

Defensible Strategies

Learn from those who have been attacked

Amazon Web Services Distances Itself From 3rd Party Software

After considerable backlash over the addition of a new feature, Amazon has dropped the open source .NET mocking library Moq from its projects. The library drew heavy criticism for shipping a new feature, without notice, that left users worried about data collection.

The feature in question bundles another piece of software, SponsorLink, which reads the developer’s email address from the local git configuration and sends a hashed form of it to SponsorLink’s content delivery network. Users raised concerns about the software collecting data that could later be sold, and more broadly about a build dependency quietly phoning home, which is a supply-chain concern for anyone using the library.

Alongside Amazon, others have said they will no longer use Moq while it includes SponsorLink, some going so far as to boycott the project, even though the developer behind Moq has since rolled back the release and removed SponsorLink.


No Safety Risk for Wi-Fi Vulnerability According to Ford

Ford has stated that a vulnerability in a Texas Instruments Wi-Fi driver, tracked as CVE-2023-29468, poses no safety risk to vehicle occupants. The driver is used in the Ford SYNC 3 infotainment system.

The manufacturer has said that to exploit the flaw, a threat agent would need significant expertise and would have to be physically near the vehicle while its ignition and Wi-Fi are on. Ford has said a software patch will be pushed soon; customers who remain concerned about the SYNC 3 systems in some of its vehicles can simply disable Wi-Fi until the patch is released.

This Month in Cybersecurity - July

Microsoft and Apple Squash Some Security Bugs

On Tuesday, July 11th, Microsoft’s monthly Patch Tuesday release closed a set of security holes in its operating system and other services. Several were acknowledged to be under active exploitation. Four of the vulnerabilities carry a high CVSS score, the standard measure of how severe a vulnerability is. One notable vulnerability that had been reported by outside researchers is missing from this update, and experts advise being ready to apply an out-of-cycle update from Microsoft.

On the Apple side, one of the company’s newer mechanisms, Rapid Security Response, pushed an update aimed at zero-day exploits the company had found. The update was pulled when a bug was noticed that caused some websites not to load correctly. A few days later a second Rapid Security Response was pushed; this one remains available and has not shown the original bug.


WordPress Targeted Through External Plugin

WordPress sites have been undergoing a wave of attacks by threat agents exploiting a security vulnerability in the WooCommerce Payments plugin. The plugin, developed by Automattic and with more than 600,000 active installations, has been patched, but many sites are still running vulnerable versions.

A third party (Wordfence) has observed over 157,000 sites targeted more than 1.3 million times in what it describes as demonstrating “significantly more sophistication than similar attacks”. Users of the WooCommerce Payments plugin are urged to update immediately to the latest version, 5.6.2 or later.


Adobe Dealing With Another Critical Flaw, this time for ColdFusion

Adobe ColdFusion has been the target of ongoing attacks in which threat agents gain remote access to servers by installing webshells, scripts dropped onto a web server that let an attacker run commands through ordinary HTTP requests. The attacks chain two flaws that work in tandem to give the threat agents access to the servers.

Adobe has rolled out a patch that addresses one of the two flaws, and says both are needed for the attack to succeed, so closing one breaks the chain. Administrators should still treat the remaining flaw as open, since a newly found partner bug would revive the chain. Adobe also advises hardening ColdFusion installations according to its lockdown guidance to defend against similar attacks.

 

Defensible Strategies

Learn from those who have been attacked

Linux Under Growing Ransomware Attacks

Linux has never had a large presence on office or home workstations, which has made it a less popular target for threat agents. Linux does, however, make up a very large share of web servers and other devices that most users never deal with directly.

In 2022, ransomware attacks against Linux increased by 75% as threat agents realized that disrupting these systems causes real pain for the users and companies that rely on web services hosted on Linux servers. Organizations are encouraged to take steps now to strengthen the security of Linux-based equipment, such as:

  • Endpoint protection

  • Patch management

  • Data backups

  • Access control

  • Awareness

  • Resilience testing

  • Procedure testing

Disruptions to Linux operations have the potential to go well beyond what has been seen so far, so securing these systems is imperative.


Microsoft Discloses Email Breached by Chinese Hackers

On July 11th, Microsoft announced in a blog post that it had discovered that certain customers’ email accounts, including those of unspecified government agencies, had been accessed by a China-based threat actor for intelligence gathering. Microsoft noted that it had been investigating unusual activity, but the threat agents were nonetheless able to forge authentication tokens and use them to access accounts.

The U.S. State Department noticed the activity first, through its own mailbox audit logging, and notified Microsoft and CISA so that Microsoft could close the gaps. Both CISA and Microsoft noted that while these attacks were well resourced and focused on espionage, the same weaknesses can affect regular end users.
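The lesson from this breach (reported here and in the August edition above) is about key scope: a signing key that is valid for one population of users must not be accepted as proof for another, even when the signature itself verifies. The block below is an added illustration written for this newsletter, not Microsoft’s code and not a description of how its token service is implemented. It models a token service with two signing keys, one scoped to a consumer issuer and one to an enterprise tenant, and shows a verifier that checks only the signature beside one that also checks the key’s allowed issuers. HMAC is used instead of RSA purely to keep the example dependency-free; the key names, secrets, issuer URLs and claims are all constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed key registry. Each key is scoped to the issuers it is allowed to vouch for.
# The scenario: the attacker holds only the consumer key.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret-constructed",
                       "issuers": {"https://login.live.com"}},
    "enterprise-key-1": {"secret": b"enterprise-secret-constructed",
                         "issuers": {"https://login.microsoftonline.com/contoso"}},
}


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def _verify_signature(token: str):
    """Look the key up by kid and check the signature. Returns (key, claims) or (None, None)."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, None
    return key, json.loads(b64url_decode(body_b64))


def verify_weak(token: str, expected_iss: str):
    """Vulnerable pattern: any key in the shared registry is trusted for any issuer.
    A valid consumer-key signature over enterprise claims passes."""
    key, claims = _verify_signature(token)
    if key is None:
        return None
    return claims if claims.get("iss") == expected_iss else None


def verify_strict(token: str, expected_iss: str):
    """Hardened pattern: the key that signed the token must itself be scoped to the issuer
    the token claims. The same forged token is rejected here."""
    key, claims = _verify_signature(token)
    if key is None:
        return None
    if claims.get("iss") != expected_iss or expected_iss not in key["issuers"]:
        return None
    return claims


ENTERPRISE_ISS = "https://login.microsoftonline.com/contoso"

# Attacker holds the consumer key but mints a token claiming the enterprise issuer.
forged = sign_token("consumer-key-1",
                    {"iss": ENTERPRISE_ISS, "sub": "victim@contoso.example", "scp": "Mail.Read"})
# A token the enterprise key actually issued.
legit = sign_token("enterprise-key-1",
                   {"iss": ENTERPRISE_ISS, "sub": "user@contoso.example", "scp": "Mail.Read"})

if __name__ == "__main__":
    print("weak  accepts forged:", verify_weak(forged, ENTERPRISE_ISS) is not None)
    print("strict accepts forged:", verify_strict(forged, ENTERPRISE_ISS) is not None)
    print("strict accepts legit :", verify_strict(legit, ENTERPRISE_ISS) is not None)
```

The point of the example is the `expected_iss not in key["issuers"]` check: signature validity answers “was this token signed by a key I know”, while key scope answers “is this key allowed to speak for this issuer”, and a verifier needs both. The same reasoning applies to any system that merges several key sets into one lookup table.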

This Month in Cybersecurity - June Edition

Email Authorization Changed By Google

Google has fixed an issue reported to it by security architect Chris Plummer. The issue allowed a scammer to impersonate delivery giant UPS in Gmail by fooling Brand Indicators for Message Identification (BIMI), the mechanism Google and others use to display a verified brand logo, and in Gmail a blue checkmark, beside mail from trusted organizations as a defense against spoofing and phishing. The loophole was that a message relayed through third-party mail infrastructure could pass Google’s checks, which leaned on SPF, and earn the checkmark without ever having come from UPS.

Google has since tightened the requirement: to show the BIMI checkmark, a message must now pass DomainKeys Identified Mail (DKIM) authentication rather than SPF alone, since a DKIM signature is bound to the sending domain’s key and survives relaying. The email that brought the bug to light fortunately carried nothing malicious, but exploits like these can lead to dangerous outcomes.
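The difference between the old and new checks can be expressed over the Authentication-Results header that a receiving mail server stamps on each message. The following is an added example written for this newsletter, not Google’s BIMI logic and not a reconstruction of the exact UPS message: the header samples are constructed, the weak check models “DMARC pass is enough” and the strict check additionally demands a verified DKIM signature aligned with the visible From domain. The alignment test approximates DMARC relaxed alignment without a public-suffix list, and the parser takes the last result per method if a header lists several.

```python
import re

# Constructed Authentication-Results values (not taken from real messages).
# Relayed spoof: SPF passes for the relay, no DKIM signature, DMARC satisfied by SPF alone.
SPOOF_AR = ("mx.google.com; spf=pass (google.com: domain of bounce@ups.com designates "
            "203.0.113.7 as permitted sender) smtp.mailfrom=ups.com; dkim=none; "
            "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=ups.com")
# Genuine mail: DKIM signed by the From domain.
LEGIT_AR = ("mx.google.com; dkim=pass header.d=ups.com header.s=sel2023 header.b=abc123; "
            "spf=pass (google.com: domain of bounce@ups.com designates 203.0.113.8 as "
            "permitted sender) smtp.mailfrom=ups.com; dmarc=pass (p=REJECT) header.from=ups.com")
# Signed, but by an unrelated domain: a DKIM pass that does not vouch for the From domain.
THIRD_AR = ("mx.google.com; dkim=pass header.d=thirdparty.example header.s=s1; "
            "spf=pass smtp.mailfrom=ups.com; dmarc=pass (p=REJECT) header.from=ups.com")
FROM_HEADER = "UPS <noreply@ups.com>"


def parse_auth_results(header: str) -> dict:
    """Parse 'authserv-id; method=result (comment) prop=value ...; ...' into
    {method: {"result": ..., "prop": value, ...}}. Comments are dropped first."""
    cleaned = re.sub(r"\([^)]*\)", "", header)
    results = {}
    for part in [p.strip() for p in cleaned.split(";")][1:]:  # [0] is the authserv-id
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            k, _, v = tok.partition("=")
            props[k.lower()] = v.lower()
        results[method.lower()] = props
    return results


def from_domain(from_header: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower() if m else ""


def aligned(signer: str, fd: str) -> bool:
    """Approximate relaxed alignment: same domain or one is a subdomain of the other."""
    return bool(signer) and (signer == fd or fd.endswith("." + signer) or signer.endswith("." + fd))


def bimi_eligible_weak(auth_results: str, from_header: str) -> bool:
    """Modelled old behaviour: a DMARC pass is enough, however it was achieved."""
    return parse_auth_results(auth_results).get("dmarc", {}).get("result") == "pass"


def bimi_eligible_strict(auth_results: str, from_header: str) -> bool:
    """Hardened: DMARC pass AND a verified DKIM signature aligned with the From domain."""
    r = parse_auth_results(auth_results)
    if r.get("dmarc", {}).get("result") != "pass":
        return False
    dkim = r.get("dkim", {})
    if dkim.get("result") != "pass":
        return False
    signer = dkim.get("header.d") or dkim.get("header.i", "").split("@")[-1]
    return aligned(signer, from_domain(from_header))


if __name__ == "__main__":
    for label, ar in (("spoof", SPOOF_AR), ("legit", LEGIT_AR), ("third", THIRD_AR)):
        print(f"{label}: weak={bimi_eligible_weak(ar, FROM_HEADER)} "
              f"strict={bimi_eligible_strict(ar, FROM_HEADER)}")
```

The relayed spoof passes the weak check and fails the strict one; genuine mail passes both; mail signed by an unrelated domain fails the strict check even though DKIM itself reports a pass. Any client-side trust indicator, not just BIMI, should be keyed to an authentication result bound to the displayed sender, not to whichever check happened to pass.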


Fortinet Patches VPN Vulnerability Found in FortiGate

Fortinet recently released a patch for a critical vulnerability in the SSL VPN component of its FortiGate firewalls. The flaw was discovered by French IT security firm Lexfo, which disclosed it to Fortinet. It allows an unauthenticated attacker who can reach the SSL VPN interface to execute code on the device, and from there to move into the organization’s network, change the firewall’s configuration, gather information and lock out the people who actually run the system.

According to the researchers, the flaw is reachable on every FortiGate that exposes SSL VPN, regardless of version, so any appliance that cannot be patched immediately should have SSL VPN disabled until it can be. Fortinet products have featured in many exploited vulnerabilities and currently account for 10 entries in CISA’s Known Exploited Vulnerabilities catalog.


Azure Down as DDoS Attacks Hit Microsoft Services

On June 9th, the web portal for Microsoft’s Azure cloud service became unavailable as it and other Microsoft services came under DDoS attack. Distributed denial-of-service (DDoS) attacks are malicious attempts to disrupt traffic to servers or networks by overwhelming them with a flood of traffic (think of a highway clogged by too many vehicles).

Responsibility has been claimed by a group presenting itself as Sudanese hacktivists protesting U.S. companies’ involvement in Sudanese internal affairs, but security researchers believe the persona is a front and point instead toward a Russia-aligned operation against major internet infrastructure.

Microsoft has not confirmed the cause of the outage, but as of June 12th the portal and services are back up and running.

 

Defensible Strategies

Learn from those who have been attacked

AI Software by NVIDIA Manipulated into Leaking Data

NVIDIA’s NeMo Framework, AI software that companies use to build assistants that answer questions much as a customer service representative would, has been shown to reveal private information after being coerced into ignoring the safety restraints programmed into it.

Researchers manipulated the language models behind the system to get past the guardrails that were meant to keep the model from straying off its designated subjects. This let them pull personally identifiable information out of the database the model had been connected to for the test, which is the real lesson: a guardrail on the prompt does nothing to limit what the model can reach once the prompt gets through.

With AI becoming more prevalent, companies such as NVIDIA, Google and Microsoft are working to build public trust, but instances like this show there is still risk to manage and knowledge to gain before handing the reins over to AI.


Swiss Government Faces Possible Data Breach in Cyberattack

Swiss government officials announced on June 8th that some government operational data may have been stolen, following an attack on a technology firm the country uses to supply software to internal departments.

The company involved, Xplain, was the target of a ransomware attack that gave the attackers access to its internal data, and contrary to earlier reports this may have included operational data of the Swiss army and the customs administration.

Ransomware attacks affecting not just companies but governments and universities are on the rise, which shows why tighter control over what suppliers hold, along with proper security training, is imperative.