March 2, 2024

Hello all,

This was a quieter week after the digital blizzard of news from the prior one. However, there is still plenty to know about, be concerned about, and even fret about. And as always, there are moments of sunshine breaking through the digital storms, so read on.

The volume of news and other items can appear overwhelming. The best strategy is to read the Notable Callouts below, then skim the full list of linked news item titles that follow for things that pertain to you or your environment or simply interest you, and select those for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com, also has searchable archives of past newsletters.

Notable Callouts:

  • Sixty-nine percent of organizations in Europe and the Middle East were infected by ransomware in 2023, according to Proofpoint’s 2024 State of the Phish! And nearly 60% were infected more than once. That’s mind-blowing! Ryan Kalember, chief strategy officer, Proofpoint, commented: “Cybercriminals know that humans can be easily exploited, either through negligence, compromised identity or – in some instances – malicious intent.” We must do better.
  • Cisco patched two high-severity and two medium-severity vulnerabilities in its data-center class FXOS and NX-OS devices. Most were to mitigate DDoS or similar; one was to block a remote ACL protection bypass. If you have these in your environment, patch them so the bad guys don’t ruin your week.
  • ConnectWise – Thanks to ConnectWise’s comprehensive response and the tech industry’s rapid, heroic action, a nightmare scenario of massive compromise was avoided. Unfortunately, there were a good number of ScreenConnect instances that did not get patched and are still running a vulnerable version. I can only surmise that the lights are on, but nobody is home. We now must perform due diligence and kick out or block any client devices in our networks that have a vulnerable ScreenConnect version installed. Otherwise, it could be a beachhead into your company.
  • Ivanti is still under attack, as reported by both CISA and Mandiant. Many Connect Secure gateways were compromised before the patch process was worked out, and the Ivanti internal tools are not detecting it. It appears that Initial Access Brokers (IABs) have set the stage for future evil waiting to be done. If you have this in use, and haven’t done so, follow Ivanti’s recommendation to completely wipe and reload, and then do comprehensive audits of your internal devices looking for RATs, proxies, and similar.
  • Lazarus Group is a Nation State dirt-bag organization that is highly efficient and prolific. They’ve jumped on a vulnerability that Microsoft patched in February’s Patch Tuesday releases. This one is rather critical as it allows an easy path to achieve full control of infected devices. Make sure that you patch CVE-2024-21338 as soon as is practical.
  • NIST – the National Institute of Standards and Technology has released its long-anticipated version 2.0 of the Cybersecurity Framework. The most notable change is the addition of a new pillar, or function, to the existing five: Identify, Protect, Detect, Respond, and Recover. The new addition is an inner ring named Govern “…which emphasizes that cybersecurity is a major source of enterprise risk and a consideration for senior leadership.”
  • SubdoMailing is a new, rapidly expanding attack that uses forgotten or poorly protected subdomains as mail-from domains. Major corporations are being successfully abused. Among the more than 8,000 observed domains are the likes of eBay, VMware, McAfee, CBS, and more. Since they use legitimate, compromised domains, “…emails appear to come from trusted domains and bypass all the industry-standard email-security measures typically in place to block suspicious messages…”. A special website has been created to check domains to see if they are vulnerable and potentially being exploited. Check yours. And educate your users that even if the source appears legitimate, it could still be malicious.
  • Undersea Internet Cables were apparently damaged by Houthis terrorists in what is a chilling reminder that our interconnected world is just one inhuman scum away from having major disruptions if they find the right place to do damage. What would your organization do if it was essentially cut off from the Internet for weeks at a time? Now is the time to have those conversations, not when it happens.
  • Zyxel patched a Remote Code Execution flaw and other bugs, fixing at least four separate CVEs in “multiple firewall and access point products and urged users to apply mitigations with urgency.” If you use their products, don’t wait. Do it now!

In Ransomware, Malware, and Vulnerabilities News:

  • Vishing, smishing, and phishing attacks are up 1,265% since the unleashing of ChatGPT on the world. It isn’t just you; there really is a LOT more malicious garbage targeting your technology.
  • Change Healthcare remains in the news. It has been over a week and pharmacies and providers are still struggling to process orders and payments. It will get bad for some soon as they will begin to run out of emergency cash reserves to keep their operations alive. And if the evil scum’s assertion that they exfiltrated 6TB of data proves to be true, the breach implications are staggering! The entire US Library of Congress’ data is only about 15TB.

In Other News Events of Note and Interest:

  • Unitree, a Chinese robotics firm you’ve probably never heard of, just released a video of their Terminator T600. Oh wait, no. They made the H1, a humanoid robot, that broke “world speed records”. This thing’s walking speed is definitely faster than mine. Please don’t connect it to Skynet.
  • Leap Year – you’d think that by now all software companies would know that every four years an extra day is added to the calendar and would have a solution to handle that regular event. Well, you’d be wrong. Apparently, Citrix, Sophos, and others were caught off guard that such a thing was possible, and their software malfunctioned this past week on Thursday.

In Cyber Insurance News:

  • Who is liable for lost money in a cyber scam? A valuable article that describes the coverages available and what to look for so that you are not left out of pocket in the event a malfeasant individual manages to convince someone to move money to them (such as happened to Seminole County, Florida public schools, to the tune of $1.3 million).

One of the frustrations of working in the security world is the continually shrinking patching window and the mindset that doesn’t accept downtime during the day. Let me explain. It is amply clear from news that is shared here every week that one of the primary means of compromise is due to unpatched or unmitigated vulnerabilities. Yet the greatest hurdle that defenders face is being allowed to apply patches in a timely manner – being allowed to do so in a timeframe that allows them to have some semblance of a normal life. Defenders are expected to be available during the working day, but also to mitigate, patch, and remediate solely during ever shrinking after-hours windows. Users are quick to complain if they cannot check their email or get into their CRM, but forget that if a successful breach happens, their email or CRM could be down for weeks while restoration takes place. Just ask the Toronto Public Library system if they’d have preferred to be down one day in the week vs. having been down for 4 months. Or ask Fulton County Georgia, which was successfully attacked in January and still has many systems down, if a one day a month downtime would have been more palatable. The attack surface, speed to exploitation, and methodologies have rapidly changed, but our methods of dealing with them have largely remained the same. We must have a shift in culture to be security focused and accept downtime to mitigate and prevent issues, not just downtime to recover from successful attacks.

Keep the Shields up, they really are out to get you.

Viscount Zebulon Wamboldt Pike
Red-N Weekly Cyber Security News
