nGuard
patch management

National Security at Stake: Old Cisco Flaw Exploited by Russian Hackers Raises New Concerns

Introduction
The international cybersecurity community is continually challenged to stay one step ahead of new threats in an ever-changing cyber landscape. According to a recent joint warning from the US and UK cybersecurity agencies, Russian hackers exploiting a six-year-old Cisco weakness to target government entities have caused serious national security concerns. This development emphasizes how vital it is to stay on top of patch management and operating system updates in order to guard against prospective cyberattacks and safeguard critical data. In these situations, nGuard’s all-encompassing cybersecurity solutions can be crucial in protecting businesses and government institutions.

The Old Cisco Flaw Resurfaces with National Security Implications
Back in 2017, Cisco disclosed a critical vulnerability (CVE-2017-3881) in its IOS and IOS XE software that could allow an unauthenticated attacker to take over vulnerable devices. Despite Cisco issuing a patch for this vulnerability, some devices remained unpatched, giving the Russian hacker group APT28 a chance to take advantage of this long-standing weakness.

The exploitation of this Cisco vulnerability has raised concerns about its potential effects on national security because APT28, also known as Fancy Bear, is notorious for attacking many corporations and government entities. Government agencies in both the US and the UK have been compromised, leading the cybersecurity agencies in both nations to call for heightened vigilance and stronger security procedures.

This Cisco vulnerability is similar to earlier nGuard advisories on Fortinet vulnerabilities. A Fortinet authentication bypass vulnerability and industrial appliance issues that caused US airport sites to go offline were also the subject of urgent alerts. These occurrences, together with the exploitation of the Cisco flaw, show how crucial it is to address security flaws promptly and maintain strong cybersecurity measures in order to safeguard vital infrastructure and national security interests.

Conclusion
Russian hackers’ use of the outdated Cisco vulnerability serves as a wake-up call for the international cybersecurity community, with significant ramifications for national security. As cyber threats continue to develop, organizations and governmental bodies must maintain current security protocols and invest in cybersecurity solutions to safeguard their systems and sensitive data. By doing so, we can reduce the risks posed by knowledgeable hacker groups like APT28 and maintain the security of all nations.

Organizations can ensure that their security infrastructure is strong and up to date by using nGuard’s Managed Security Services, which provide continuous monitoring, threat detection, and response. Additionally, enterprises can proactively detect and address security flaws with nGuard’s Security Assessments, such as penetration testing and vulnerability assessments, before threat actors like APT28 can take advantage of them.


Beware: New Zero-Touch Exploit Targeting Microsoft Outlook Users

Microsoft Outlook users should be aware of a new critical vulnerability that has been discovered by Microsoft Threat Intelligence analysts. CVE-2023-23397 is a privilege elevation/authentication bypass vulnerability that affects all versions of Outlook for Windows. The vulnerability has a 9.8 CVSS rating and is considered a zero-touch exploit, meaning that it has low attack complexity and does not require any user interaction.

According to security researchers, threat actors are exploiting this vulnerability by sending malicious emails, which do not even need to be opened. The vulnerability is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB share on a threat actor-controlled server on an untrusted network.

The attacker remotely sends a malicious calendar invite in the .msg format (the message format that supports reminders in Outlook) to trigger the vulnerable PlayReminderSound function via “PidLidReminderFileParameter” (the custom alert sound option for reminders).

Once the victim connects to the attacker’s SMB server, the connection to the remote server automatically sends the user’s NTLM negotiation message, which the attacker can use to authenticate against other systems that support NTLM authentication. This could result in an NTLM relay attack that gains access to other services, or even a full domain compromise if the compromised users are admins.

It is important to note that all supported versions of Microsoft Outlook for Windows are affected by this vulnerability. Other versions of Microsoft Outlook, such as Android, iOS, Mac, as well as Outlook on the web and other M365 services, are not affected as they do not support NTLM authentication.

Security experts are warning that this vulnerability is trivial to deploy and “will likely be leveraged imminently by actors for espionage purposes or financial gain.” The earliest evidence of exploitation, attributed to Russian military intelligence, dates back to April 2022 against government, logistics, oil/gas, defense, and transportation industries located in Poland, Ukraine, Romania, and Turkey.

To mitigate the risk of exploitation, Microsoft has released a patch as part of their March 2023 Monthly Security Update, and users are advised to apply the patch immediately. Additionally, security administrators can reduce the risk of exploitation by blocking TCP 445/SMB outbound from their network, disabling the WebClient service, adding users to the Protected Users Security Group, and enforcing SMB signing on clients and servers to prevent a relay attack.
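The four interim mitigations above, written out as an added PowerShell example for a Windows host and domain. This is not Microsoft’s guidance text and not nGuard tooling; the group name Tier0-Admins, the firewall rule names, and the comments are assumptions for illustration.

```powershell
# Added example: apply the interim CVE-2023-23397 mitigations on one host.
# Run elevated. The Protected Users step needs the ActiveDirectory module on a
# domain-joined admin workstation. 'Tier0-Admins' and the rule names are assumed.

#Requires -RunAsAdministrator

# 1. Block outbound SMB (TCP 445) so Outlook cannot reach an attacker-controlled share.
#    Windows Firewall evaluates block rules before allow rules, so exceptions for
#    internal file servers must be expressed by narrowing this rule's -RemoteAddress,
#    not by adding a separate allow rule.
New-NetFirewallRule -DisplayName 'Block outbound SMB (CVE-2023-23397 mitigation)' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block | Out-Null

# 2. Disable the WebClient (WebDAV) service. With 445 blocked, a UNC path of the
#    form \\host@80\share would otherwise fall back to WebDAV and still leak NTLM.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Require SMB signing on both the client and server side of this host,
#    which prevents the captured NTLM exchange from being relayed.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 4. Add high-value accounts to Protected Users; members cannot authenticate with NTLM.
#    Assumption: the group 'Tier0-Admins' holds the admin accounts to protect.
Import-Module ActiveDirectory
$highValue = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object objectClass -eq 'user'
Add-ADGroupMember -Identity 'Protected Users' -Members $highValue

# Verify the resulting state
Get-NetFirewallRule -DisplayName '*SMB*' | Select-Object DisplayName, Direction, Action, Enabled
Get-Service -Name WebClient | Select-Object Name, Status, StartType
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
```

Protected Users membership also disables DES/RC4 Kerberos and shortens ticket lifetimes, so service and computer accounts should not be added; test the change on a small admin group before rolling it out.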

If you are concerned about your organization’s security, we recommend running the Microsoft-provided PowerShell script to scan emails, calendar entries, and task items for the “PidLidReminderFileParameter” property. This will help you locate problematic items that have this property and subsequently remove or delete them permanently.
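An added triage helper for the scan output described above. It is not Microsoft’s scan script and not nGuard code: it takes a PidLidReminderFileParameter value, decides whether it is a UNC path to a host outside the organization, and reports why, which is the question a defender has to answer for each item the scan returns. The trusted-host name and the sample values are constructed.

```powershell
# Added example: classify a PidLidReminderFileParameter value. A custom reminder
# sound pointing at an external SMB or WebDAV host is the indicator for this CVE.

function Test-ReminderFileParameter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        # Assumption: internal file servers an organization considers its own
        [string[]]$TrustedHosts = @('fileserver.corp.example')
    )

    $result = [pscustomobject]@{
        Value        = $Value
        IsUncPath    = $false
        RemoteHost   = $null
        IsSuspicious = $false
        Reason       = 'empty or local reminder sound path'
    }

    if ([string]::IsNullOrWhiteSpace($Value)) { return $result }

    # Matches the plain UNC form (\\host\share\...), the extended form
    # (\\?\UNC\host\share\...), and WebDAV-style hosts (\\host@80\... or \\host@SSL\...).
    $uncPattern = '^\\\\(?:\?\\UNC\\)?(?<host>[^\\@]+)(?:@[^\\]+)?\\'
    if ($Value -match $uncPattern) {
        $result.IsUncPath  = $true
        $result.RemoteHost = $Matches['host']
        $loopback = @('localhost', '127.0.0.1', '::1')
        if ($loopback -contains $result.RemoteHost.ToLowerInvariant() -or
            $TrustedHosts -contains $result.RemoteHost) {
            $result.Reason = "UNC path to known host $($result.RemoteHost)"
        } else {
            $result.IsSuspicious = $true
            $result.Reason = "reminder sound points at external host $($result.RemoteHost); " +
                             "Outlook would send the user's NTLM negotiation there"
        }
    }
    return $result
}

# Constructed sample values of the kind the scan returns
$samples = @(
    '',                                              # default: no custom sound
    'C:\Windows\Media\Alarm01.wav',                  # local file, benign
    '\\fileserver.corp.example\sounds\ding.wav',     # internal server, benign
    '\\203.0.113.10\share\reminder.wav',             # documentation-range IP, suspicious
    '\\?\UNC\203.0.113.10\share\reminder.wav',       # extended UNC form, suspicious
    '\\203.0.113.10@80\share\reminder.wav'           # WebDAV form, suspicious
)

$samples | ForEach-Object { Test-ReminderFileParameter -Value $_ } |
    Format-Table Value, IsUncPath, RemoteHost, IsSuspicious, Reason -AutoSize
```

Feed the property values from the scan into Test-ReminderFileParameter and review the items flagged IsSuspicious before removing them; the RemoteHost column also gives you the address to search for in proxy, firewall, and SMB logs.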

In light of this critical vulnerability, it is important for organizations to take proactive measures to safeguard their systems and data. nGuard offers a range of cybersecurity services that can help organizations stay ahead of emerging threats like CVE-2023-23397. Our Penetration Testing services can help identify vulnerabilities in your systems and provide recommendations for patching and securing them. Our Strategic Assessment services can assist with patch management, ensuring that your systems are up to date with the latest security patches and updates. Don’t wait until it’s too late to protect your organization from cyber threats. Contact nGuard today to learn how we can help you secure your systems and data.

3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com
© 2023 nGuard. All rights reserved.