nGuard

In the Crosshairs: Unraveling Microsoft’s Cybersecurity Saga

In recent weeks, Microsoft has been at the center of numerous cybersecurity incidents, highlighting the ongoing challenges faced by tech giants in maintaining the security of their systems. This article provides a summary of these events, drawing on information from various sources.

Chinese APT Targets Microsoft Outlook
A China-based threat actor that Microsoft tracks as Storm-0558 gained access to Exchange Online and Outlook.com mailboxes at roughly 25 organizations worldwide, including U.S. and Western European government agencies. The actor held a Microsoft consumer (MSA) signing key and used it to forge authentication tokens; a token validation issue in Microsoft's enterprise systems accepted tokens signed with that consumer key, so the forged tokens let the actor impersonate Azure AD users and read enterprise mail through Outlook Web Access. The activity was noticed by a U.S. federal agency in June 2023 and reported to Microsoft, which has since blocked the forged tokens and replaced the affected key. Incidents like this are why comprehensive security assessments must cover identity and token handling and not just infrastructure: the control that failed here was a trust boundary between key sets, and only a deliberate review of authentication design will surface that kind of gap before an attacker does.
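The validation failure at the heart of this incident is easy to reproduce in miniature. The following added example is not nGuard's or Microsoft's code: it mints tokens for a constructed consumer issuer and a constructed enterprise tenant (contoso.example), uses HMAC-SHA256 in place of the RSA signatures real Azure AD tokens carry so that it runs offline, and contrasts a validator that resolves signing keys by key id from a cache merged across issuers with one that scopes the lookup to the single issuer the endpoint trusts.

```python
"""Token validation across trust domains: why a key from the consumer issuer
must never validate a token for an enterprise tenant.

Added example, not nGuard's or Microsoft's code. Issuers, tenant name, key
ids and key bytes are constructed; HMAC-SHA256 stands in for the RSA
signatures real tokens carry so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

CONSUMER_ISS = "https://login.live.com"                               # consumer (MSA) issuer
ENTERPRISE_ISS = "https://login.microsoftonline.com/contoso.example"  # hypothetical tenant
AUDIENCE = "https://outlook.office.com"

# Stand-in for each issuer's published key set. The attacker is assumed to
# hold the consumer key; the enterprise key never leaves the enterprise side.
KEYS_BY_ISSUER = {
    CONSUMER_ISS: {"msa-key-2016": b"constructed-consumer-signing-key"},
    ENTERPRISE_ISS: {"aad-key-2023": b"constructed-enterprise-signing-key"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _unpack(token: str):
    h, c, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), h + "." + c, _b64url_decode(s)


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict, now: float) -> bool:
    return claims.get("aud") == AUDIENCE and claims.get("exp", 0) > now


def validate_lax(token: str, now: float) -> Optional[dict]:
    """Vulnerable pattern: keys from every issuer sit in one cache indexed by
    kid, so a token signed with the consumer key but claiming the enterprise
    issuer passes the signature check and is treated as an enterprise user."""
    header, claims, signing_input, sig = _unpack(token)
    merged = {kid: k for keyset in KEYS_BY_ISSUER.values() for kid, k in keyset.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig) or not _claims_ok(claims, now):
        return None
    return claims


def validate_strict(token: str, now: float) -> Optional[dict]:
    """Hardened: this endpoint serves enterprise mail, so iss must be the
    enterprise issuer and kid must resolve inside that issuer's key set."""
    header, claims, signing_input, sig = _unpack(token)
    if header.get("alg") != "HS256" or claims.get("iss") != ENTERPRISE_ISS:
        return None
    key = KEYS_BY_ISSUER[ENTERPRISE_ISS].get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig) or not _claims_ok(claims, now):
        return None
    return claims


def demo(now: float = 1_690_000_000.0) -> dict:
    """Mint a legitimate enterprise token and a forged one (consumer key,
    enterprise claims) and run both validators over each."""
    base = {"aud": AUDIENCE, "exp": now + 3600, "iss": ENTERPRISE_ISS, "sub": "alice@contoso.example"}
    legit = mint_token("aad-key-2023", KEYS_BY_ISSUER[ENTERPRISE_ISS]["aad-key-2023"], base)
    forged = mint_token("msa-key-2016", KEYS_BY_ISSUER[CONSUMER_ISS]["msa-key-2016"], base)
    return {
        "legit_lax": validate_lax(legit, now) is not None,
        "legit_strict": validate_strict(legit, now) is not None,
        "forged_lax": validate_lax(forged, now) is not None,
        "forged_strict": validate_strict(forged, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the forged token (consumer key, enterprise claims) is accepted by validate_lax and rejected by validate_strict, while the legitimate token passes both. The general lesson is that a kid is only meaningful inside one issuer's key set: a service that serves several issuers must decide which issuer each endpoint trusts before it ever looks at the signature, not after.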

Microsoft Teams Exploited to Deliver Malware
In another incident, Microsoft Teams was used as the delivery channel for malware. The technique, referred to as “AutoDeliver,” dropped a remote access trojan (RAT) on victims' machines, which was then used to steal sensitive information from the infected systems. It abused Teams file sharing: a file placed in a chat arrives looking like it came from a colleague or a trusted partner, and recipients open it far more readily than an e-mail attachment. Teams does not run files on its own, so the attack still depended on the recipient opening the file; the defensive levers are blocking or quarantining executable content at the collaboration layer, restricting what external tenants may share, and endpoint controls that stop the dropped payload. This incident underscores the need for an effective Cyber Security Incident Response strategy to respond to cybersecurity incidents swiftly and efficiently.

Moreover, this case highlights the potential risks associated with social engineering, where users could be tricked into sharing or opening malicious files. It also underscores the value of Red Team Testing, a strategy that uses simulated attacks to identify vulnerabilities. Finally, this incident emphasizes the importance of conducting a thorough Cloud Configuration Security Audit for MS Teams and other Microsoft cloud services. This type of audit can help identify and rectify potential security misconfigurations, further strengthening defenses against similar exploits.

Zero-Day Vulnerabilities Disclosed in July Security Update
Microsoft's July 2023 security update was a large one: it addressed roughly 130 vulnerabilities, including six zero-days already being exploited in the wild, five of them CVEs plus an advisory (ADV230001) covering malicious kernel drivers that had been signed through the Windows Hardware Developer Program. The flaws range from remote code execution to elevation of privilege and denial of service. Patches shipped for all but one of the exploited issues (the Office flaw covered next initially received mitigations only), so users are advised to update as soon as possible and to apply Microsoft's published mitigations wherever a patch is not yet available. Such vulnerabilities highlight the importance of regular penetration testing and vulnerability management to identify security gaps and take proactive measures to secure systems.

MS Office Zero-Day Vulnerability
Among the July zero-days was CVE-2023-36884, a remote code execution flaw in Office and Windows: opening a specially crafted Office document runs attacker code with the user's privileges, and on the July release date no patch was available. Microsoft attributed the in-the-wild attacks to the actor it tracks as Storm-0978 (also known as RomCom), which sent Word lures themed on the Ukrainian World Congress to defense and government targets in Europe and North America. Microsoft's interim mitigations were the attack surface reduction rule “Block all Office applications from creating child processes” for Defender for Endpoint customers and, for everyone else, the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key set to 1 for each Office executable under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl. Microsoft shipped a fix in its August 2023 security update; organizations that applied the registry mitigation should still install the August updates rather than rely on the mitigation alone.

Chinese Hackers Breach US Government Email Through Microsoft Cloud
The same Storm-0558 campaign reached unclassified e-mail accounts at U.S. federal agencies, including the State Department and the Commerce Department. The actors read mail for about a month before the activity was spotted and access was cut off. The State Department detected it in June by noticing anomalous MailItemsAccessed events in its Microsoft 365 audit logs, a detail that matters in practice: at the time that event was only available to customers paying for premium (Purview Audit Premium, E5-tier) logging, and Microsoft committed after the incident to making such logs available more widely. Organizations that want to hunt for this kind of activity should review Exchange Online audit logs for MailItemsAccessed events from unexpected applications or client IP addresses. This incident highlights the need for robust cloud security measures, and for logging that is actually retained and reviewed, to protect cloud-based infrastructure against such breaches.

These incidents underscore the importance of maintaining strong cybersecurity practices and keeping software up to date. Microsoft has taken steps to mitigate these issues and continues to work on improving the security of its products. However, these incidents serve as a reminder that even the most robust systems can be vulnerable to attack. As such, organizations and individuals alike must remain vigilant and proactive in their cybersecurity efforts.


TWIC: Barracuda Alert, Fortinet Patch, and VMware ESXi Exploit

In this week’s edition of TWIC (This Week in Cybersecurity), we delve into the most significant stories and developments in the cybersecurity landscape. This week, we’re focusing on three major incidents involving Barracuda, Fortinet, and VMware ESXi.

Barracuda Urges Immediate Replacement of Vulnerable Appliances
Barracuda Networks, a leading provider of cloud-enabled security solutions, has told customers to replace, not merely patch, Email Security Gateway (ESG) appliances compromised through CVE-2023-2868, a critical flaw exploited since October 2022. The vulnerability is a remote command injection in the module that screens attachments of incoming e-mail: the names of files inside a .tar attachment were passed unsanitized to a system command, so a crafted archive member name ran attacker commands on the appliance with the privileges of the ESG product. Barracuda shipped a patch in May, but because the attackers established persistence and evidence of data exfiltration was found on a subset of appliances, the company recommends full replacement of compromised appliances regardless of patch level. Three malware families were found on a subset of appliances, all providing persistent backdoor access: SALTWATER, a trojanized module of the appliance's SMTP daemon; SEASPY, a persistence backdoor posing as a legitimate Barracuda service that activates on a magic packet; and SEASIDE, a Lua module that receives commands through SMTP HELO/EHLO traffic and opens a reverse shell.
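The bug class is worth seeing concretely. This added example is not Barracuda's code and the scanning command is a stand-in: it builds a small .tar attachment in memory, shows a screener that splices member names into a shell command line (the vulnerable pattern) actually executing an injected command, and a hardened screener that allowlists member names and hands them to the shell as data rather than as part of the command text.

```python
"""Archive member names as an injection vector, the bug class behind the
Barracuda ESG attachment-screening flaw.

Added example, not Barracuda's code. The scanning command and the archive
contents are constructed. The vulnerable function really runs /bin/sh so the
injection is visible; the hardened one validates names and never builds a
shell string from them.
"""
import io
import re
import subprocess
import tarfile
from typing import Dict, List

# Allowlist for archive member names: letters, digits, dot, underscore, dash,
# space and slash; no absolute paths, no '..' segments, at most 100 bytes.
SAFE_MEMBER = re.compile(r"^(?!/)(?!.*(?:^|/)\.\.(?:/|$))[A-Za-z0-9._ /-]{1,100}$")


def build_tar(names: List[str], payload: bytes = b"constructed content") -> bytes:
    """Build an in-memory .tar attachment whose member names we control."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(tar_bytes: bytes) -> List[str]:
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def screen_vulnerable(tar_bytes: bytes) -> str:
    """The bug class: each member name is interpolated into a shell command
    line. Wrapping it in single quotes does not help, because a name that
    contains a quote closes the string and the remainder runs as shell."""
    output = []
    for name in member_names(tar_bytes):
        cmd = f"printf 'scanning %s\\n' '{name}'"  # stand-in for the real scanner
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        output.append(proc.stdout)
    return "".join(output)


def screen_hardened(tar_bytes: bytes) -> List[str]:
    """Validate every name against the allowlist first, then pass it to the
    scanner as data (a positional parameter), never as part of the command."""
    accepted = []
    for name in member_names(tar_bytes):
        if not SAFE_MEMBER.fullmatch(name):
            raise ValueError(f"rejected archive member name: {name!r}")
        subprocess.run(["/bin/sh", "-c", 'printf "scanning %s\\n" "$1"', "sh", name],
                       capture_output=True, text=True, check=True)
        accepted.append(name)
    return accepted


def demo() -> Dict[str, object]:
    """Run both screeners over a benign archive and one with an injected name."""
    benign = build_tar(["report.pdf", "docs/notes.txt"])
    malicious = build_tar(["report.pdf", "'; echo INJECTED; echo '"])
    try:
        screen_hardened(malicious)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "vulnerable_ran_injected_command": "INJECTED" in screen_vulnerable(malicious),
        "hardened_rejected_malicious": hardened_rejected,
        "hardened_accepted_benign": screen_hardened(benign),
    }


if __name__ == "__main__":
    print(demo())
```

The injected member name closes the single-quoted argument and appends its own commands, which the vulnerable screener dutifully runs. The hardened version rejects the archive before any command is built; the allowlist, not the quoting, is what makes it safe, and passing the name as `$1` means that even a name that slipped through would be one argument rather than shell syntax.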

Fortinet’s Patched Critical Flaw May Have Been Exploited
Fortinet recently patched CVE-2023-27997 (advisory FG-IR-23-097), a critical heap-based buffer overflow in the SSL-VPN component of FortiOS and FortiProxy. The bug is reachable before authentication, so an unauthenticated attacker who can reach the SSL-VPN portal may achieve remote code execution (RCE) with a crafted request. Fortinet said it found the flaw in a code audit of the SSL-VPN module that it started after the widespread exploitation of CVE-2022-42475, a zero-day exploited in January, and it has reported indications that CVE-2023-27997 may itself have been exploited in a limited number of cases, including against government and manufacturing organizations. The practical guidance is simple: upgrade to a fixed FortiOS or FortiProxy build listed in Fortinet's advisory, and where that cannot happen immediately, disable SSL-VPN until it can, since the portal is the exposed attack surface.

Chinese Cyberspies Caught Exploiting VMware ESXi Zero-Day
A Chinese cyberespionage group tracked as UNC3886 has been observed exploiting CVE-2023-20867, a zero-day in VMware Tools rather than in ESXi itself: once the group already holds root on an ESXi host, the flaw lets that host run commands and transfer files in and out of guest virtual machines without guest credentials and without the guest logging the activity. The group has been installing malicious vSphere Installation Bundles (VIBs) on ESXi hypervisors since at least September 2022, giving it persistent command execution, file manipulation and reverse shell capabilities on the host; its activity touches ESXi hosts, vCenter servers and Windows virtual machines (VMs). Mandiant reported that the actor harvested credentials from vCenter to reach the connected ESXi hosts, used installation scripts to deploy the VIBs, and then leveraged CVE-2023-20867 to pivot from the compromised hypervisor into the guests. The useful detection angle is that a legitimately installed VIB is signed and carries an acceptance level, while the implanted bundles had to be force-installed, so inventorying VIBs and their acceptance levels on every host and comparing against a known-good baseline surfaces them.
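A first hunting pass can be done from the VIB inventory alone. This added example is not Mandiant's or VMware's tooling; the `esxcli software vib list` output, the baseline and the trusted-vendor set are constructed, and the script flags VIBs whose acceptance level is below the host policy (installable only with `--force` or a lowered host acceptance level), whose vendor is unknown, which carry a VMware vendor tag without VMware signing, or which are absent from a known-good host built from the same image.

```python
"""Hunting for implanted VIBs on ESXi from `esxcli software vib list` output.

Added example, not Mandiant's or VMware's tooling. The sample output below is
constructed, as is the known-good baseline; the trusted-vendor set is an
assumption you would replace with your own hardware vendors.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `esxcli software vib list` from a host under review.
# The last two rows are shaped like what a force-installed implant would show.
SAMPLE_VIB_LIST = """\
Name                           Version                            Vendor  Acceptance Level    Install Date
-----------------------------  ---------------------------------  ------  ------------------  ------------
esx-base                       7.0.3-0.65.21686933                VMW     VMwareCertified     2023-05-02
vmware-esx-esxcli-nvme-plugin  1.2.0.44-1vmw.703.0.20.19193900    VMware  VMwareCertified     2023-05-02
net-i40e                       1.8.1.9-2vmw.703.0.20.19193900     VMW     VMwareCertified     2023-05-02
lsu-hp-hpsa-plugin             2.0.0-16vmw.703.0.20.19193900      VMware  VMwareCertified     2023-05-02
vmtoolsd-update                1.0-1                              VMW     PartnerSupported    2023-09-14
vmkdump                        0.1-1                              hpc     CommunitySupported  2023-09-14
"""

# Name -> version from a freshly built host of the same image (constructed).
BASELINE: Dict[str, str] = {
    "esx-base": "7.0.3-0.65.21686933",
    "vmware-esx-esxcli-nvme-plugin": "1.2.0.44-1vmw.703.0.20.19193900",
    "net-i40e": "1.8.1.9-2vmw.703.0.20.19193900",
    "lsu-hp-hpsa-plugin": "2.0.0-16vmw.703.0.20.19193900",
}

# Higher rank means less vetting. CommunitySupported VIBs are unsigned.
ACCEPTANCE_RANK = {"VMwareCertified": 0, "VMwareAccepted": 1, "PartnerSupported": 2, "CommunitySupported": 3}
VMWARE_VENDORS = {"VMW", "VMware"}
TRUSTED_VENDORS = VMWARE_VENDORS | {"HPE", "DEL"}  # assumption: your hardware vendors


def parse_vib_list(text: str) -> List[Dict[str, str]]:
    """Parse the tabular output; VIB names and versions contain no spaces, so
    each data row splits cleanly into five fields."""
    rows = []
    for line in text.splitlines()[2:]:  # skip header and dashed rule
        fields = line.split()
        if len(fields) != 5:
            continue
        name, version, vendor, acceptance, installed = fields
        rows.append({"name": name, "version": version, "vendor": vendor,
                     "acceptance": acceptance, "installed": installed})
    return rows


def hunt_vibs(text: str, baseline: Dict[str, str], host_policy: str = "PartnerSupported",
              trusted_vendors: Set[str] = TRUSTED_VENDORS) -> List[Tuple[str, List[str]]]:
    """Return (vib name, reasons) for every VIB that deserves a closer look."""
    findings = []
    for vib in parse_vib_list(text):
        reasons = []
        if ACCEPTANCE_RANK.get(vib["acceptance"], 99) > ACCEPTANCE_RANK[host_policy]:
            reasons.append(f"acceptance level {vib['acceptance']} is below host policy {host_policy}; "
                           "install needed --force or a lowered host acceptance level")
        if vib["vendor"] not in trusted_vendors:
            reasons.append(f"vendor {vib['vendor']!r} is not in the trusted set")
        if vib["vendor"] in VMWARE_VENDORS and vib["acceptance"] not in ("VMwareCertified", "VMwareAccepted"):
            reasons.append("claims a VMware vendor tag but is not VMware-signed")
        if vib["name"] not in baseline:
            reasons.append("not present on the known-good baseline host")
        elif baseline[vib["name"]] != vib["version"]:
            reasons.append(f"version differs from baseline ({baseline[vib['name']]})")
        if reasons:
            findings.append((vib["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in hunt_vibs(SAMPLE_VIB_LIST, BASELINE):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Collect `esxcli software vib list` from each host (over SSH or PowerCLI) and feed it in; the two constructed implants are flagged and the four baseline VIBs are not. Treat this as triage, not proof: follow up with `esxcli software vib signature verify` on the host, review /var/log/esxupdate.log for the install events, and remember that an attacker with root on the hypervisor can also tamper with what esxcli reports, which is why the baseline comparison should come from a host you trust.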

Conclusion
The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging on a regular basis. These incidents involving Barracuda, Fortinet, and VMware ESXi underscore the importance of maintaining robust security measures and staying abreast of the latest developments.

At nGuard, we offer a range of services designed to help businesses navigate these challenges. Our Cyber Security Incident Response service is equipped to provide immediate assistance in the face of potential security incidents, helping to manage and mitigate risks effectively. Our Vulnerability Management service is designed to identify and manage vulnerabilities in your systems, ensuring that your network remains secure against a variety of threats. Furthermore, our Managed Event Collection service provides continuous monitoring and detection capabilities, enabling swift identification and response to malicious activities in your network.

Remember, in the realm of cybersecurity, staying informed and taking proactive measures is key. At nGuard, we’re committed to helping you navigate the ever-evolving cybersecurity landscape. Contact us today to learn more about how we can assist you in securing your organization.


© 2023 nGuard. All rights reserved.