data breach

In the Crosshairs: Unraveling Microsoft’s Cybersecurity Saga

In recent weeks, Microsoft has been at the center of numerous cybersecurity incidents, highlighting the ongoing challenges faced by tech giants in maintaining the security of their systems. This article provides a summary of these events, drawing on information from various sources.

Chinese APT Targets Microsoft Outlook
A Chinese Advanced Persistent Threat (APT) group, known as Storm-0558, has been reported to have successfully breached Microsoft Outlook email accounts of more than two dozen organizations worldwide, including U.S. and Western European government agencies. The group exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. The intrusion was discovered and reported to Microsoft by U.S. government officials last month, and the company has since mitigated the attack. Such incidents underscore the importance of comprehensive security assessments that proactively address key disciplines, helping organizations identify and mitigate potential vulnerabilities.

Microsoft Teams Exploited to Deliver Malware
In another incident, Microsoft Teams was exploited to deliver malware. The exploit, known as “AutoDeliver,” was used to deliver a remote access trojan (RAT) to victims. The RAT was then used to steal sensitive information from the infected systems. The exploit took advantage of the fact that Microsoft Teams allows for the automatic downloading and execution of arbitrary files shared in a chat. This incident underscores the need for an effective Cyber Security Incident Response strategy to respond to cybersecurity incidents swiftly and efficiently.

Moreover, this case highlights the potential risks associated with social engineering, where users could be tricked into sharing or opening malicious files. It also underscores the value of Red Team Testing, a strategy that uses simulated attacks to identify vulnerabilities. Finally, this incident emphasizes the importance of conducting a thorough Cloud Configuration Security Audit for MS Teams and other Microsoft cloud services. This type of audit can help identify and rectify potential security misconfigurations, further strengthening defenses against similar exploits.

Zero-Day Vulnerabilities Disclosed in July Security Update
Microsoft’s July security update was a significant one, with the company disclosing several zero-day vulnerabilities. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code, gain elevated privileges, or cause a denial of service. Microsoft has released patches for these vulnerabilities, and users are advised to update their systems as soon as possible. Such vulnerabilities highlight the importance of regular penetration testing to identify potential security gaps and take proactive measures to secure systems.

MS Office Zero-Day Vulnerability
A zero-day vulnerability in Microsoft Office was also disclosed. The vulnerability, tracked as CVE-2023-36884, could allow an attacker to execute arbitrary code on a victim’s system if they open a specially crafted Office document. Microsoft has released a patch for this vulnerability.

Chinese Hackers Breach US Government Email Through Microsoft Cloud
Chinese cyberspies exploited a fundamental gap in Microsoft’s cloud, leading to a targeted hack of unclassified U.S. email accounts. The hackers had access to the email accounts for about a month before the issue was discovered and access cut off. The Microsoft vulnerability was discovered last month by the State Department. This incident highlights the need for robust cloud security measures to secure cloud-based infrastructure to protect against such breaches.

These incidents underscore the importance of maintaining strong cybersecurity practices and keeping software up to date. Microsoft has taken steps to mitigate these issues and continues to work on improving the security of its products. However, these incidents serve as a reminder that even the most robust systems can be vulnerable to attack. As such, organizations and individuals alike must remain vigilant and proactive in their cybersecurity efforts.

TWIC: Barracuda Alert, Fortinet Patch, and VMware ESXi Exploit

In this week’s edition of TWIC (This Week in Cybersecurity), we delve into the most significant stories and developments in the cybersecurity landscape. This week, we’re focusing on three major incidents involving Barracuda, Fortinet, and VMware ESXi.

Barracuda Urges Immediate Replacement of Vulnerable Appliances
Barracuda Networks, a leading provider of cloud-enabled security solutions, has issued an urgent call to its customers to replace vulnerable email security gateway (ESG) appliances immediately. This follows the disclosure of a critical security flaw, which has been exploited since October 2022. The vulnerability existed in a module which initially screens the attachments of incoming emails. Despite a patch being issued last month, Barracuda recommends replacing the compromised appliances as the safest course of action. Three different malware strains have been discovered to date on a subset of appliances allowing for persistent backdoor access, and evidence of data exfiltration was identified on a subset of impacted appliances.

Fortinet’s Patched Critical Flaw May Have Been Exploited
Fortinet recently patched a critical flaw in its FortiOS SSL VPN. However, there are indications that this vulnerability may have already been exploited in attacks impacting various sectors, including government and manufacturing. The heap-based buffer overflow, pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests. Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which upon discovery was a zero-day bug — in January.

Chinese Cyberspies Caught Exploiting VMware ESXi Zero-Day
A Chinese cyberespionage group, known as UNC3886, has been observed exploiting a zero-day vulnerability in VMware ESXi to escalate privileges on guest virtual machines. The group has been using malicious vSphere Installation Bundles (VIBs) to install backdoors on ESXi hypervisors and gain command execution, file manipulation, and reverse shell capabilities since September 2022. The group’s malicious actions would impact VMware ESXi hosts, vCenter servers, and Windows virtual machines (VM). The cyberspies also used installation scripts to deploy malicious VIBs to hosts, and exploited CVE-2023-20867 to execute commands and transfer files from the compromised ESXi host to and from guest VMs, without authentication and without a trace.

Conclusion
The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging on a regular basis. These incidents involving Barracuda, Fortinet, and VMware ESXi underscore the importance of maintaining robust security measures and staying abreast of the latest developments.

At nGuard, we offer a range of services designed to help businesses navigate these challenges. Our Cyber Security Incident Response service is equipped to provide immediate assistance in the face of potential security incidents, helping to manage and mitigate risks effectively. Our Vulnerability Management service is designed to identify and manage vulnerabilities in your systems, ensuring that your network remains secure against a variety of threats. Furthermore, our Managed Event Collection service provides continuous monitoring and detection capabilities, enabling swift identification and response to malicious activities in your network.

Remember, in the realm of cybersecurity, staying informed and taking proactive measures is key. At nGuard, we’re committed to helping you navigate the ever-evolving cybersecurity landscape. Contact us today to learn more about how we can assist you in securing your organization.

TWiC | U.S. House Data Leak, ICS Attacks, FortiOS Vulnerability, Cyber Insurance

FBI Investigating Data Breach Affecting U.S. House of Representatives Members and Staff

The Federal Bureau of Investigation (FBI) is investigating a data breach affecting members and staff of the U.S. House of Representatives. The breach saw account and sensitive personal information belonging to them and their families stolen from the servers of DC Health Link, which administers their health care plans.

While US House Chief Administrative Officer Catherine L. Szpindor has said, “it was unclear how many people had been affected by the breach.” A sample of the data reportedly posted on a hacking forum showed details of around 170,000 people. The information included names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers. At least one threat actor has reportedly put the data up for sale.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious attacks by collecting and analyzing log data from various sources. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to an ongoing or potential attack. Should your organization fall victim to an attack like this, call nGuard to help with our Cyber Security Incident Response services.

New FortiOS and FortiProxy Critical Vulnerabilities

Fortinet has released patches to address 15 security flaws, including one critical vulnerability in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The buffer underwrite flaw (CVE-2023-25610) is rated 9.3 out of 10 for severity and was discovered by Fortinet’s internal security teams. The vulnerability could enable a remote, unauthenticated attacker to execute arbitrary code on the device or cause a denial-of-service attack. Fortinet has not yet seen any malicious exploitation attempts against the flaw, but users are urged to apply the patches quickly, as prior flaws in software have been actively abused in the wild. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it. Just last week, nGuard wrote about another Fortinet critical vulnerability that was actively being exploited. As this continues to develop, nGuard has a number of solutions that can help your organization stay ahead of the curve, including internal penetration testing and vulnerability management.

Over 40% of Industrial Control Systems (ICS) Were Attacked in 2022

Over 40% of industrial control systems (ICS) computers globally experienced malicious attacks in 2022, according to Kaspersky research into telemetry statistics. The report highlighted growth in Russia, which saw a 9% increase in malicious activity in 2022, but Ethiopia was the top target overall with 59% of its ICS footprint seeing malicious activity.

Kaspersky noted that blocked malicious scripts and phishing pages targeting ICS were particularly common threats, seeing an 11% rise from 2021. The percentage of ICS computers experiencing malicious activity varied from 40.1% in Africa and Central Asia to 14.2% and 14.3% respectively in Western and Northern Europe. nGuard has been helping protect Industrial control systems, SCADA networks, and critical infrastructure for over 20 years with security assessments, penetration testing, incident response, and managed SIEM services.

Low-coverage Cyber Insurance Plans Help Meet Compliance and Contractual Requirements

As the cyber insurance market experiences a surge in claims for ransomware attacks, insurance carriers and brokers have started imposing tighter rules on the companies that can qualify for coverage, raising prices and reducing the amount of coverage offered per policy. nGuard recently wrote about requirements needed to obtain cyber insurance. Policy coverages have significantly dropped in recent times, with some as low as $5m, and some companies cannot purchase as much insurance as they would like. However, some contracts and compliance regulations require that a company have a cyber insurance policy, which can pose a problem for those that lose coverage. Basic policies are now available for more organizations to obtain affordable coverage, allowing them to avoid a breach of compliance and fulfill contractual obligations.

TWiC | This Week in Cybersecurity

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories covering Microsoft patching the Follina Zero-Day, Apple M1 Kernel security flaws, a record-breaking DDoS attack, a Kaiser Permanente data breach, and US military hackers conducting offensive activities in support of Ukraine. Check out the details below.

Cloudflare Saw Record-Breaking DDoS Attack Peaking at 26 Million Request Per Second: Cloudflare disclosed that it had acted to prevent a record-setting 26 million requests per second (RPS) distributed denial-of-service (DDoS) attack last week, making it the largest HTTPS DDoS attack detected to date. In late April 2022, it said it staved off a 15.3 million RPS HTTPS DDoS attack aimed at a customer operating a crypto launchpad. According to the company’s DDoS attack trends report for Q1 2022, volumetric DDoS attacks over 100 gigabits per second surged by up to 645% quarter-on-quarter.
Microsoft Patches ‘Follina’ Zero-Day Flaw in Monthly Security Update: Microsoft has issued a patch for the recently disclosed and widely exploited “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool as part of its scheduled security update for June. It’s a good idea for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. Applying the patch will protect users but the patch only fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document. For more information on this vulnerability, check out nGuard’s last Security Advisory: Microsoft Zero-Day with No Patch! This vulnerability will be commonly exploited via phishing attempts. Social Engineering simulations and Social Engineering Awareness Training can assist your organizations employees in identifying these types of attacks.
Kaiser Permanente data breach exposes health data of 69K people: Kaiser Permanente, one of America’s leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals. The company revealed in a notice published on its website that an attacker accessed an employee’s email account containing patients’ protected health information on April 5, 2022, without authorization. Sensitive info exposed in the attack includes:
- The patients’ first and last names
- Medical record numbers
- Dates of service
- Laboratory test result information
Design Weakness Discovered in Apple M1 Kernel Protections: Security researchers released details about a new attack they designed against Apple’s M1 processor chip that can undermine a key security feature that protects the operating system kernel from memory corruption attacks. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command: General Nakasone, the head of US Cyber Command, confirmed for the first time that the US was conducting offensive hacking operations in support of Ukraine in response to the Russian invasion. Speaking in Tallinn, Estonia, the general, who is also director of the National Security Agency, told Sky News that he is concerned “Every single day” about the risk of a Russian cyber attack targeting the US and said that the hunt forward activities were an effective way of protecting both America as well as allies.