Advisory

National Infrastructure At Risk: Unraveling The Threat Of Cisco Switch Vulnerabilities

Unraveling the Threat
In the dynamic world of cybersecurity, vulnerabilities can crop up in the most unexpected places. As we’ve seen with the exploitation of an old Cisco flaw by Russian hackers, Cisco’s recent alert about multiple vulnerabilities within its enterprise switch portfolio is a timely reminder of this fact. These vulnerabilities, some of which now have Proof-of-Concept (PoC) exploits available, could pose significant risks to an organization’s security, making it crucial to understand them and proactively strategize to mitigate these risks.

Let’s first unpack the vulnerabilities Cisco has recently patched. These critical vulnerabilities affect Cisco’s FXOS and NX-OS software, enabling attackers to execute arbitrary code as root or create a Denial-of-Service (DoS) condition. The potential fallout from such an attack could be considerable, possibly leading to severe data breaches, operational interruptions, and a damaged reputation.

The gravity of these vulnerabilities becomes apparent when we consider the potential implications of such attacks. An attacker gaining root access essentially translates into total loss of control over the affected systems for the organization. This could lead to unauthorized access to sensitive information, alteration of system configurations, or even the installation of malicious software.

Similarly, a DoS condition can halt operations, causing considerable downtime and affecting business continuity. Even worse, a DoS attack could be used as a distraction, diverting your attention away from more insidious attacks unfolding elsewhere in your network.

Effective Defense Strategies
Addressing such vulnerabilities requires a robust defensive control system, commonly known in the industry as Security Information & Event Management (SIEM). SIEM plays a crucial role in identifying and responding to any anomalous network activities promptly. In the context of the recent Cisco vulnerabilities, a managed SIEM system, such as nGuard’s Managed Event Collection & Correlation (MECC), provides 24/7 system and network surveillance. This continuous monitoring aids in the early detection of potential Proof-of-Concept (PoC) exploit attempts, allowing for timely response measures which limits the potential impact of such threats on your business operations.

As we move further into the problem, regular and rigorous security testing emerges as another essential preventive measure. When dealing with vulnerabilities like those discovered in Cisco’s switches, comprehensive security assessments like penetration testing, wireless security assessments, and social engineering testing could identify potential security gaps before they become exploitable. At nGuard, our expert team conducts such testing to ensure that every nook and cranny of your network infrastructure is secure.

In the unfortunate event that a security breach occurs, an effective incident response is invaluable. Teams trained to handle these scenarios could respond to threats that exploit vulnerabilities in enterprise switches, isolate the threat, minimize damage, recover operations, and boost future resilience. Incident response is another area in which nGuard specializes, offering swift and expert threat response and mitigation.

Moreover, in response to evolving threats like the recent Cisco vulnerabilities, organizations should be proactive in enhancing their security posture. Cybersecurity consulting services can provide the knowledge and expertise necessary to augment your security measures and create a more secure digital infrastructure. This is another domain where nGuard’s experts can provide guidance and insights.

Conclusion
In conclusion, the recently discovered Cisco vulnerabilities underline the constant challenges in today’s cyber landscape. As threats evolve, so too must our defenses. By incorporating vigilant monitoring, rigorous security testing, swift incident response, and strategic cybersecurity consulting into your defense strategy, you can enhance your organization’s cybersecurity posture. Ultimately, staying informed, proactive, and ready to adapt are the keys to navigating the ever-changing cyber landscape safely.

TWiC | SolarWinds Breach Update, Salesforce Data Leak, Merck $1.4B Cyber Insurance Denial Case

In this edition of This Week in Cybersecurity (TWiC), we have updates on the SolarWinds breach, Salesforce data leak and a $1.4 billion cyber insurance denial case involving Merck. The SolarWinds breach, which was discovered by the US Department of Justice six months earlier than originally reported, highlighted the importance of having an incident response plan and cybersecurity partner to help navigate the situation. Meanwhile, misconfigurations in Salesforce Community led to the exposure of sensitive data across various organizations. Finally, a New Jersey appellate court ruled that Merck is entitled to a $1.4 billion payout in a cyber insurance lawsuit, setting a precedent for cyber insurance coverage for non-military companies affected by cyberattacks originating from government or sovereign powers.

SolarWinds Breach Detected 6 Months Earlier Than Originally Reported

The SolarWinds breach, which saw Russian hackers insert a backdoor into the software maker’s systems, was discovered by the US Department of Justice (DoJ) six months earlier than previously reported. nGuard reported on the breach in January 2021, with a follow-up detailing additional vulnerabilities discovered in February. However, the scale and significance of the breach were not immediately apparent and the DoJ had engaged Microsoft and Mandiant to help determine whether the server had been hacked. Although suspicions were raised that the hackers had breached the DoJ server directly by exploiting a vulnerability in the Orion software, the investigation failed to find any vulnerability in SolarWinds’ code and even SolarWinds’ own engineers could not find any vulnerability in their code that could have led to the breach.

In December 2020, it was publicly announced that at least nine US federal agencies were among those affected by the SolarWinds campaign. The DoJ initially claimed that its chief information officer had discovered the breach on December 24. When breaches like this happen, it’s crucial to have an incident response plan and a cybersecurity partner to help triage the incident. For organizations that are dealing with high-impact events like this, nGuard offers a policy development and incident response serviceconsle that can help them navigate the situation.

One of the most important items for forensic analysis in the aftermath of a breach are logs. nGuard’s Managed Event Collection and Correlation service can help incident response engineers navigate the events and determine the root cause of a breach. However, it’s important to remember that prevention is always better than cure when it comes to cybersecurity. Organizations should make sure they have strong security measures in place, such as firewalls, anti-virus software, and regular patching to reduce the risk of a breach occurring in the first place.

Overall, the SolarWinds breach was a wake-up call on the importance of cybersecurity to organizations around the world. By working with experienced partners like nGuard, organizations can ensure that they are better prepared to detect and respond to breaches when they occur and reduce the risk of serious damage to their systems and reputation.

Salesforce Leaking Sensitive Data

Misconfigurations in Salesforce Community, the cloud-based software product that allows organizations to quickly create websites, have led to the exposure of sensitive data across a variety of organizations from state government, banking and health insurance. Customers can access a Salesforce Community website as either an Authenticated user, which requires a login or guest user, which does not require a login. The guest access role allows unauthenticated users to view specific content and resources without the need to log in. However, the misconfiguration in Salesforce Community allows an unauthenticated user to access records that should only be available after logging in, leading to unauthorized users accessing an organization’s private information and leading to potential data leaks. Organizations such as banks and healthcare providers have been leaking private and sensitive information from their public Salesforce Community websites without being aware of it. Until recently, the state of Vermont had at least five separate Salesforce Community sites that allowed guest access to sensitive data including a Pandemic Unemployment Assistance program that exposed applicant’s full name, Social Security number, address, phone number, email and bank account number. Other organizations, such as Huntington Bank, have had similar issues. The problem arose in August 2021 when security researcher Aaron Costello published a blog post explaining how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data.

Salesforce provides several tools and information to help check for guest user access, user experience and best practices when configuring the guest profile.

nGuard has been conducting configuration security audits as a part of our wide array of security assessments for over 2 decades. Configuration security audits are system-level analyses of physical systems, network devices, cloud environments, or SaaS solutions like Salesforce where, as appropriate, looks for use of best practices to harden the device or system from unauthorized access or misuse. If you require assistance to check your Salesforce deployment for security best practices and hardening, contact nGuard today.

Merck Entitled to $1.4 Billion Payout in Cyber Insurance Lawsuit

Merck, the pharmaceutical company, may be eligible for a large insurance payout due to the high-profile NotPetya cyberattack according to a ruling by a New Jersey appellate court. The court ruled that the “hostile/warlike action” exclusion clause cannot be applied to a cyberattack on a non-military company, even if it originated from a government or sovereign power. In this case, the hack was tied to Russia as part of its aggression against Ukraine. Merck previously received a $1.4 billion payout after suing insurers who had denied coverage for the NotPetya attack and eight insurers disputed nearly $700 million in coverage in appeal. The case stemmed from a ransomware attack Merck suffered in June 2017 which the U.S. government later attributed the attack to Russia’s military intelligence operations.

Because cyber Insurance requirements continue to evolve, nGuard detailed some of the new requirements in a recent Security Advisory. Often, to be eligible for even the most basic level of coverage your organization needs to be doing security awareness training and testing, internal and external vulnerability scanning, and continuous monitoring.

National Security at Stake: Old Cisco Flaw Exploited by Russian Hackers Raises New Concerns

Introduction
The international cybersecurity community is continually challenged to stay one step ahead of new threats in an ever-changing cyber landscape. Russian hackers exploiting a six-year-old Cisco weakness to target government entities have caused serious national security concerns, according to a recent joint warning from the US and UK cybersecurity agencies. This development emphasizes how vital it is to stay on top of patch management & operating system updates in order to guard against prospective cyberattacks and safeguard critical data. In these situations, nGuard’s all-encompassing cybersecurity solutions can be crucial in protecting businesses and government institutions.

The Old Cisco Flaw Resurfaces with National Security Implications
In their IOS and IOS XE software, Cisco discovered a critical vulnerability (CVE-2017-3881) back in 2017 that might allow an unauthenticated attacker to take over vulnerable devices. Despite Cisco issuing a patch for this vulnerability, some vulnerable devices remained unpatched, enabling Russian hacker group APT28 a chance to take advantage of this long-standing weakness.

Concerns regarding the potential effects on national security have been raised by the exploitation of this Cisco vulnerability because APT28, also known as Fancy Bear, is notorious for attacking many corporations and government entities. Government agencies in the US and the UK have both been compromised, leading the cybersecurity groups in both nations to demand heightened vigilance and stronger security procedures.

This Cisco vulnerability is similar to earlier nGuard advisories on Fortinet vulnerabilities. A Fortinet authentication bypass vulnerability and industrial appliance issues that caused US airport sites to go offline were also the subject of urgent alerts. These occurrences, together with the Cisco fault exploitation, show how crucial it is to address security flaws and maintain strong cybersecurity measures in order to safeguard vital infrastructure and interests in national security.

Conclusion
Russian hackers’ use of the outdated Cisco vulnerability serves as a wake-up call for the international cybersecurity community, with significant ramifications for national security. Organizations and governmental bodies must maintain current security protocols and make investments in cybersecurity solutions to safeguard their systems and sensitive data as cyber threats continue to develop. By doing so, we may reduce the risks posed by knowledgeable hacker groups like APT28 and maintain the security of all nations.

Organizations can assure that their security infrastructure is strong and up-to-date by using nGuard’s Managed Security Services, which provide continuous monitoring, threat detection, and response. Additionally, enterprises can proactively detect and address security flaws with the use of nGuard’s Security Assessments, such as penetration testing and vulnerability assessments, before threat actors like APT28 can take advantage of them.

TWiC | Phishing Kits, FBI Shuts Down Credential Site, WordPress Critical Vulnerability, and Cobalt Strike

In this edition of This Week in Cybersecurity, we will discuss how phishers are using Telegram to sell phishing kits and lure in inexperienced phishers. We will also cover the recent seizure of Genesis Market, a major marketplace for stolen credentials, by the FBI and international law enforcement. Additionally, we will discuss the critical vulnerability in the Elementor Pro website builder plugin for WordPress that has been exploited by unknown attackers. Finally, we will take a look at Microsoft’s legal action to seize domains related to criminal activity involving Cobalt Strike, a popular security testing application that is often abused by cybercriminals. Continue reading to learn more about these important topics and how they may impact your organization’s security posture.

Telegram Used to Sell Phishing Kits

There has been a continued growth of the use of Telegram by phishers to offer a variety of phishing services in the past few years. Phishers use Telegram channels to promote their services to anyone willing to pay. These services can range from creating automated phishing bots, generating phishing pages, collecting data and distributing phishing links. Within this black market, free content for aspiring phishers is also offered, along with free phishing kits and users’ personal data. The reason behind these free offers is to recruit an unpaid workforce or bait inexperienced phishers to bite.

In addition, paid offers for phishers on Telegram include access to phishing tools, guides for creating customized phishing pages, and phishing-as-a-service (PhaaS) subscriptions. nGuard’s wide range of security assessments include Social Engineering. It is important for an organization to test their employees with social engineering techniques to identify potential vulnerabilities and educate them on how to recognize and respond to real-world attacks, ultimately improving the overall security posture of the organization.

FBI and International Law Enforcement Shut Down Stolen Credential Site

Genesis Market, a major marketplace for stolen credentials of all types, was seized by law enforcement as part of Operation Cookie Monster. The marketplace was offering both consumer and corporate account identities, and the admins have not been identified or caught yet. Genesis Market was one of the most popular online shops for account credentials, device fingerprints, and cookies, and it provided access to a wide list of services with user accounts from all over the world. The seizure was possible due to international law enforcement and private sector coordination. Although some of the infrastructure has been taken offline, the platform’s site on the dark web is still reachable. The bot deployed would reside on the compromised computer and send the harvested information in real-time to its buyer. The platform provided access to a wide list of services with user accounts from all over the world and the customers of the market turned a pretty penny from using the stolen digital identities.

Users can check if their accounts were compromised and sold on Genesis Market through a portal from the Dutch Police specifically built for this purpose. During nGuard’s external and internal penetration testing we always check databases for known, leaked credentials and attempt to access user’s accounts and infrastructure should we discover any.

WordPress Site Builder Elementor Pro Has Critical Vulnerability Exploited

Unknown attackers are exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. Versions 3.11.6 and earlier are affected, with the flaw described as a case of broken access control. The issue was addressed in version 3.11.7, which was released on March 22. Successful exploitation of the high-severity flaw enables an authenticated attacker to take over a WordPress site with WooCommerce enabled. After doing so, a malicious user can set the default user role to administrator, creating an account that has administrator privileges. The attackers are also likely to redirect the site to a malicious domain or upload a malicious plugin or backdoor to further exploit the site. Users are urged to update to 3.11.7 or 3.12.0.

WordPress is one of the most popular Content Management Systems (CMS) used by millions of websites worldwide. However, it is also one of the most targeted platforms for cyber-attacks. While WordPress is a powerful and flexible platform, it requires careful maintenance and attention to security best practices to keep it secure. nGuard commonly tests WordPress sites during external penetration testing, continuously monitors them with ongoing vulnerability management scans, and collecting logs through our managed event collection and correlation service. Regular penetration testing and vulnerability scanning, and log analysis can help ensure the ongoing security and integrity of a WordPress site, protecting against data breaches, financial losses, and reputational damage.

Microsoft Taking Down Illegal Versions of Cobalt Strike

Microsoft’s Digital Crimes Unit and the Health Information Sharing & Analysis Center have taken legal action to seize domains related to criminal activity involving cracked copies of the security testing application, Cobalt Strike. In January of 2021, nGuard wrote a detailed advisory on what Cobalt Strike is and what it is capable of. The tool is often abused by cybercriminals to carry out attacks ranging from financially motivated cybercrime to high-end state-aligned attacks. The court order names a range of entities and groups the companies allege misuse their technologies, including the LockBit and Conti ransomware groups, as well as a series of cybercrime operations. The legal order targets 16 anonymous “John Doe” actors engaged in a range of criminal behavior, from ransomware activity to malware distribution and development. This action builds on Microsoft’s pioneering use of domain seizure to disrupt the technical infrastructure malicious hackers rely on. It is likely only a first step to challenge illicit use of the hacking tool, as malicious actors will likely be able to retool their infrastructure. To simulate the same attacks executed by these malicious groups, nGuard’s Red Team Testing also uses tools like Cobalt Strike on network and system defenses. Having a Red Team assessment conducted will help enable better security by allowing your security teams to identify vulnerabilities and improve their defenses against potential attacks.

Beware: New Zero-Touch Exploit Targeting Microsoft Outlook Users

Microsoft Outlook users should be aware of a new critical vulnerability that has been discovered by Microsoft Threat Intelligence analysts. CVE-2023-23397 is a privilege elevation/authentication bypass vulnerability that affects all versions of Outlook for Windows. The vulnerability has a 9.8 CVSS rating and is considered a zero-touch exploit, meaning that it requires low complexity to abuse and does not require any user interaction.

According to security researchers, threat actors are exploiting this vulnerability by sending malicious emails, which do not even need to be opened. The vulnerability is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB share on a threat actor-controlled server on an untrusted network.

The attacker remotely sends a malicious calendar invite represented by .msg — the message format that supports reminders in Outlook — to trigger the vulnerable API endpoint PlayReminderSound using “PidLidReminderFileParameter” (the custom alert sound option for reminders).

Once the victim connects to the attacker’s SMB server, the connection to the remote server sends the user’s NTLM negotiation message automatically, which the attacker can use for authentication against other systems that support NTLM authentication. This could result in a NTLM relay attack to gain access to other services or even a full compromise of domains if the compromised users are admins.

It is important to note that all supported versions of Microsoft Outlook for Windows are affected by this vulnerability. Other versions of Microsoft Outlook, such as Android, iOS, Mac, as well as Outlook on the web and other M365 services, are not affected as they do not support NTLM authentication.

Security experts are warning that this vulnerability is trivial to deploy and “will likely be leveraged imminently by actors for espionage purposes or financial gain.” The earliest evidence of exploitation, attributed to Russian military intelligence, dates back to April 2022 against government, logistics, oil/gas, defense, and transportation industries located in Poland, Ukraine, Romania, and Turkey.

To mitigate the risk of exploitation, Microsoft has released a patch as part of their March 2023 Monthly Security Update, and users are advised to apply the patch immediately. Additionally, security administrators can reduce the risk of exploitation by blocking TCP 445/SMB outbound from their network, disabling the WebClient service, adding users to the Protected Users Security Group, and enforcing SMB signing on clients and servers to prevent a relay attack.

If you are concerned about your organization’s security, we recommend running the Microsoft-provided PowerShell script to scan emails, calendar entries, and task items for the “PidLidReminderFileParameter” property. This will help you locate problematic items that have this property and subsequently remove or delete them permanently.

In light of this critical vulnerability, it is important for organizations to take proactive measures to safeguard their systems and data. nGuard offers a range of cybersecurity services that can help organizations stay ahead of emerging threats like CVE-2023-23397. Our Penetration Testing services can help identify vulnerabilities in your systems and provide recommendations for patching and securing them. Our Strategic Assessment services can assist with patch management, ensuring that your systems are up to date with the latest security patches and updates. Don’t wait until it’s too late to protect your organization from cyber threats. Contact nGuard today to learn how we can help you secure your systems and data.

TWiC | U.S. House Data Leak, ICS Attacks, FortiOS Vulnerability, Cyber Insurance

FBI Investigating Data Breach Affecting U.S. House of Representatives Members and Staff

The Federal Bureau of Investigation (FBI) is investigating a data breach affecting members and staff of the U.S. House of Representatives. The breach saw account and sensitive personal information belonging to them and their families stolen from the servers of DC Health Link, which administers their health care plans.

While US House Chief Administrative Officer Catherine L. Szpindor has said, “it was unclear how many people had been affected by the breach.” A sample of the data reportedly posted on a hacking forum showed details of around 170,000 people. The information included names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers. At least one threat actor has reportedly put the data up for sale.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious attacks by collecting and analyzing log data from various sources. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to an ongoing or potential attack. Should your organization fall victim to an attack like this, call nGuard to help with our Cyber Security Incident Response services.

New FortiOS and FortiProxy Critical Vulnerabilities

Fortinet has released patches to address 15 security flaws, including one critical vulnerability in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The buffer underwrite flaw (CVE-2023-25610) is rated 9.3 out of 10 for severity and was discovered by Fortinet’s internal security teams. The vulnerability could enable a remote, unauthenticated attacker to execute arbitrary code on the device or cause a denial-of-service attack. Fortinet has not yet seen any malicious exploitation attempts against the flaw, but users are urged to apply the patches quickly, as prior flaws in software have been actively abused in the wild. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it. Just last week, nGuard wrote about another Fortinet critical vulnerability that was actively being exploited. As this continues to develop, nGuard has a number of solutions that can help your organization stay ahead of the curve, including internal penetration testing and vulnerability management.

Over 40% of Industrial Control Systems (ICS) Were Attacked in 2022

Over 40% of industrial control systems (ICS) computers globally experienced malicious attacks in 2022, according to Kaspersky research into telemetry statistics. The report highlighted growth in Russia, which saw a 9% increase in malicious activity in 2022, but Ethiopia was the top target overall with 59% of its ICS footprint seeing malicious activity.

Kaspersky noted that blocked malicious scripts and phishing pages targeting ICS were particularly common threats, seeing an 11% rise from 2021. The percentage of ICS computers experiencing malicious activity varied from 40.1% in Africa and Central Asia to 14.2% and 14.3% respectively in Western and Northern Europe. nGuard has been helping protect Industrial control systems, SCADA networks, and critical infrastructure for over 20 years with security assessments, penetration testing, incident response, and managed SIEM services.

Low-coverage Cyber Insurance Plans Help Meet Compliance and Contractual Requirements

As the cyber insurance market experiences a surge in claims for ransomware attacks, insurance carriers and brokers have started imposing tighter rules on the companies that can qualify for coverage, raising prices and reducing the amount of coverage offered per policy. nGuard recently wrote about requirements needed to obtain cyber insurance. Policy coverages have significantly dropped in recent times, with some as low as $5m, and some companies cannot purchase as much insurance as they would like. However, some contracts and compliance regulations require that a company have a cyber insurance policy, which can pose a problem for those that lose coverage. Basic policies are now available for more organizations to obtain affordable coverage, allowing them to avoid a breach of compliance and fulfill contractual obligations.