July 15, 2023

Hello all,

The Red-N Weekly Cyber Security News newsletter Notable Callouts are below. It has been a whirlwind of vulnerabilities and patches this past week with a nice A to Z ranging from Adobe to Zune – yes, Zune. Read on. And, as usual, the complete weekly report is online at https://red-n-security.com (below) where you’ll also find a searchable archive.

Notable Callouts:

• Adobe participates in the Patch Tuesday cycle and released critical patches for InDesign and ColdFusion. Update quickly.
• Aerohive/ExtremeNetworks access points are vulnerable to fully unauthenticated Remote Code Execution. Patch them now if you have them.
• BlackLotus ransomware’s UEFI malware source code was leaked onto GitHub. The unfortunate result will be in other threat actors incorporating their evil work.
• Cisco has patched a critical vulnerability in their SD_WAN vManage The vulnerability is nearly as bad as gets with a score of 9.1 out of 10.
• Citrix Secure Access Gateway client has a flaw that allows for LPE. Upgrade immediately by pushing out a new version from the gateway, or by updating the client devices.
• Fortinet didn’t want to let more than a couple of months go by without a critical RCE. This time in FortiOS and FortiProxy.
• Honeywell, someone we don’t often see in vulnerability news, has multiple flaws that require patching with one being described as, “anyone with access to the network is able to impersonate both the controller and the server” and other patches as well.
• Microsoft is dominating this week’s Red-N Cyber Security news, partially due to massive Patch Tuesday release with five zero-days, an announced zero-day with no patch, and partially due to a major news item that nation-state threat actors gained access to dozens of Microsoft tenants. There is some non-vulnerability news from big Redmon too. They have renamed Azure AD to Entra Identity (funny how Microsoft autocorrect wants to change Entra to Entrap). With the name change, in what could be a game-changer for SMBs, they announced that they are getting into the Security Service Edge And Microsoft Office is getting a new default font. Calibri is out and Aptos (aka Bierstadt) is in. I think I’ll stick with Calibri for now.
• SAP has patched critical vulnerabilities in ECC and HANNA
• Siemens and Schneider Electric, in a sign of the heating up IoT and OT attack space, have released patches for 50 vulnerabilities. This includes a “critical’ flaw that could be used to acquire admin access and take full control.” Patch judiciously.
• SonicWALL has been quiet for a few months. Their on-prem GMS requires immediate patching to mitigate a critical auth bypass bug.
• Technicolor TG670 DSL gateway routers (Thompson Broadband) that could be weaponized by an authenticated user to gain full administrative control of the devices due to hard coded credentials.
• US Government agencies were among those compromised in the aforementioned Microsoft tenant breach. It was a full account compromise. The ramifications from this are going to be shaking out for quite some time.
• Zimbra mail server has a zero-day that has not received a patch yet, but they have published mitigation guidance and are urging all admins to immediately take action.
• Zune you read that right, Zune, which has long been discontinued just received a little love from Microsoft by having a compatibility issue with Windows 11 patched recently.

• In Ransomware, Malware, and Vulnerabilities News, Microsoft is still unsure, or more likely unwilling to disclose, how Azure AD’s signing key was compromised/stolen. And the unpatched zero-day in MS-Office does have some published workarounds but apply with caution as you may break some functionality that users depend on.

• In Other News Events of Note and Interest, Microsoft’s announcement of getting into the Security Edge space has caused stocks of companies that specialize in that area to tumble. ConnectWise has announced integration of network monitoring into their RMM software.

• In Cyber Insurance News, a good reminder to law firms that they need to consider cyber-insurance. Especially in light of last week’s Red-N Security Newsletter’s mention of how law firms are increasingly being targeted by malicious individuals.

The term hacker has taken on a very negative connotation in most people’s minds. Likely that is due to continual negative press about “hackers”. And I suppose that some of that acrimony is justified due to the rise of computer criminals using that moniker. However, the original term did not carry that meaning. In light of that, I heard a definition once that I think works well for both good and bad “hackers”.

A hacker is someone who sees a thing, or process, or computer program doing something, and gets it to do another.

May you hack wisely, responsibly, and ethically!

Viscount Zebulon Wamboldt Pike
Red-N Weekly Cyber Security News

Headline NEWS

• Aerohive/ExtremeNetworks access points fully unauthenticated RCE
• Adobe Patch Tuesday: Critical Flaws Haunt InDesign, ColdFusion
• BlackLotus Windows UEFI malware source code leaked on GitHub
• Cisco Flags Critical SD-WAN Vulnerability
• Citrix Secure Access Client Flaw Let Attackers Execute Remote Code
• Fortinet warns of critical RCE flaw in FortiOS, FortiProxy devices
• Honeywell Experion DCS Critical Security Flaws Uncovered
• Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs
• Microsoft Discloses 5 Zero-Days in Voluminous July Security Update – one remains unpatched
• Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID
• Microsoft Warns of Office Zero-Day Attacks, No Patch Available
• Meet Microsoft Office’s new default font: Aptos
• SAP Patches Critical Vulnerability in ECC and S/4HANA Products
• Siemens & Schneider Electric Releases Patch for 50 vulnerabilities
• SonicWall warns admins to patch critical auth bypass bugs immediately in on prem GMS
• Technicolor Routers’ Hardcoded Accounts Allow Full Takeover
• US Government Exchange Online email accounts accessed by hackers
• Zimbra urges admins to manually fix zero-day exploited in attacks
• Zune “still (totally unsupported and still discontinued)” just had a compatibility issue fixed by Microsoft

Ransomware, Malware, and Vulnerabilities News

• Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting
• Microsoft still unsure how hackers stole Azure AD signing key
• MS Office Zero-Day Vulnerability Exploited For Espionage – Detection and Mitigation CVE-2023-36884
• 95% of all malicious Internet traffic can be blamed on botnets
• Malware delivery via USB drives significantly increases
• Rogue Azure AD Guests Can Steal Data via Power Apps
• How a Cloud Flaw Gave Chinese Spies a Key to Microsoft’s Kingdom
• New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs
• Former Contractor Employee Charged for Hacking California Water Treatment Facility
• NYC schools officials were warned of cybersecurity flaws before student data breach
• Company recalls 190,000 portable chargers following fire on plane
• New Phishing Attack Spoofs Microsoft 365 Authentication System
• Two Apps Hosted on Google Play Caught Sending User Data to Chinese Servers
• White House publishes National Cybersecurity Strategy Implementation Plan
• Demo: Brute-forcing a macOS user’s real name from a browser using mDNS
• Tailing Big Head Ransomware’s Variants, Tactics, and Impact
• Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers
• New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries
• Delaware’s, Kent County struggling to respond to cyberattack
• Law firms under cyberattack
• Hayward, CA hacked: City suffers cyberattack, turns off website
• New ShadowVault malware steals financial details, logins, more
• North Carolina town working to restore systems after cyber threat
• Popular fanfiction platform AO3 goes down in wave of DDoS attacks
• Razer investigates data breach claims, resets user sessions
• Owner of BreachForums pleads guilty in federal court to three counts
• Apple Pulls iOS 16.5.1 and macOS 13.4.1 Rapid Security Response Updates Due to Safari Bug
• Rail cybersecurity must be bolstered against ransomware attacks, IT/OT integration, geopolitical tensions
• Trinidad and Tobago facing outages after cyberattack
• Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries
• Critical Infrastructure Services Firm Ventia Takes Systems Offline Due to Cyberattack
• HCA Healthcare data breach: About 11M patients affected
• Gates Corporation, a Denver, CO-based manufacturer, hit by ransomware
• The Spies Who Loved You: Infected USB Drives to Steal Secrets
• Florida teen accused of running dark web cybercrime operation shut down, suspects facing charges
• WordPress plugin installed on 1 million+ sites logged plaintext passwords
• Cyber Extortion Cases Surge 39% Annually
• APT35 Develops Mac Bespoke Malware
• What’s up with Emotet? A summary of activity since resurgence in 2021
• Amaturo Sonoma Media Group, broadcasting company, recovering from cyberattack
• CISA, FBI, MS-ISAC, and CCCS issued joint warning over increased activity of TrueBot malware
• VMware warns of exploit available for critical vRealize RCE bug
• PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability
• StackRot: Linux Bug so bad Linus Dives Into Code to Fix It
• Defend Against the Latest Active Directory Certificate Services Threats
• Chinese Hackers Deploy Microsoft-Signed Rootkit to Target Gaming Sector
• Hackers exploit Windows policy to load malicious kernel drivers
• Microsoft Revokes Malicious Drivers in Patch Tuesday Culling
• Flaw in Revolut payment systems exploited to steal $20 million
• WormGPT Cybercrime Tool Heralds an Era of AI Malware vs. AI Defenses
• Owncast, EaseProbe security vulnerabilities revealed
• Harvard University web flaw exposed it to remote attacks
• CVSS 4.0 released, to help assess real-time threat and impact of vulnerabilities
• Rockwell Automation exploit spurs fears of critical infrastructure security
• Zero-day deploys remote code execution vulnerability via Word documents
• Google’s Bard poses ransomware risk, say researchers
• E-commerce Fraud Surges By Over 50% Annually
• Scam Page Volumes Surge 304% Annually

Other News Events of Note and Interest

• Palo Alto Networks and Zscaler tumble as Microsoft expands in security
• Windows Insider Build Lets You Repair System With Windows Update
• Windows 11 update is reportedly slowing down PCs and breaking internet connections
• ConnectWise brings core and advanced network monitoring and management to RMM
• Kaseya Ransomware Victim Speaks Out: From ‘The Abyss’ To Recovery With Aid From MSP Community
• Rufus fixes Windows ISO crash, warns for vulnerable UEFI bootloaders, adds FFU, ZIP64
• Proton is releasing a native encrypted file-syncing app for Windows
• macOS Sonoma Brings Apple Password Manager to Third-Party Browsers
• Lucky backup might save 100 days of data for InfluxData’s GCP Belgium users
• 100x Faster Than Wi-Fi: Light-Based Networking Standard Released
• Microsoft strikes $2 billion AI partnership with KPMG
• States Outlaw Noncompete Agreements
• The EU’s Product Liability Directive could kill open source
• Google’s medical AI chatbot is already being tested in hospitals
• VA CIO: ‘Historic’ pay raise coming for IT workforce, as Special Salary Rate goes into effect in July
• Inside the Mind of the Hacker: Report Shows Speed and Efficiency in Adopting New Technologies
• Israeli cybersecurity startup comes out of stealth with $30 million in funding
• Central bankers lay out digital currency cyber threat
• ‘Windows Update Restored’ Site Provides Updates for Classic Windows Versions
• Solar storms are increasing, but don’t lose sleep over an ‘internet apocalypse’
• New Mozilla Feature Blocks Risky Add-Ons on Specific Websites to Safeguard User Security
• Anthropic, an OpenAI rival, opens Claude 2 AI chatbot to the public
• The 5 Most Common Conditional Access Misconfiguration
• Microsoft PC Manager: Keep track of your computer’s health
• Microsoft July Patch Tuesday Brings Moment 3 Features to Windows 11
• Microsoft: Windows 11 21H2 reaching end of service in October
• Now anyone can put their Android app on Windows 11
• Honeywell to Buy Israeli Cybersecurity Business Scadafence
• Government-issued digital money gets closer
• Mark Zuckerberg’s Threads Hits 100 Million Users Faster Than ChatGPT
• Enable Windows LAPS with Azure AD

Cyber Insurance News

• Cyber insurance startup Coalition acquires privacy assistant Jumbo
• 7 Ways to Be an Adult in the Softening Cyber Insurance Market
• Practice Innovations: Law firms need to consider cyber-insurance — even if they don’t understand it
• Sophos Announces Partnership With Cysurance
• Conning: Fork in the Road for Cyber Insurance Market?