February 17, 2024

Hello all,

Just in time for Valentine’s Day the cyber community received a generous helping of “love” in the form of software updates and firmware patches on Patch Tuesday this past week. And, as I predicted in our last newsletter, there is a lot to know about and prioritize. Some are rather scary, so read on.

The volume of news and other can appear overwhelming, the best strategy is to read the Notable Callouts below and then skim the full list of linked news item titles that follow for things that pertain to you or your environment or simply interest you, and then selecting them for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com has searchable archives of past newsletters.

Notable Callouts:

Adobe released updates on Patch Tuesday as is their custom, and it was a big one with no less than 30 issues addressed, some of which are rated critical. Acrobat and Acrobat Reader have holes that could “lead to arbitrary code execution, application denial-of-service, and memory leak.” Patch quickly.
AMD and Intel unleashed fixes for more than 100 vulnerabilities. AMD’s most notable could lead to privilege escalation, DoS, and code execution. Intel’s mainly focused on drivers for Thunderbolt DCH, Wireless, and their Intel Driver Support Assistant (DSA). Flaws that received fixes could result in privilege escalation, and DoS.
Microsoft Patch Tuesday unveiled 73 items, two of which are considered zero-days, meaning they are already being exploited by the bad guys. The published patches run the gamut of vulnerabilities with elevation of privilege, RCE, DoS, and security feature bypass being among the list of holes plugged. There are a few specific call-outs that need their own mention.
Microsoft Exchange has a zero-day bug that is being exploited actively. It is for an elevation of privilege vulnerability that could result in an NTLM client leaking credentials (such as Outlook). This one is about as bad as it gets. If you have enabled Extended Protection from Microsoft, then Big Redmon has already activated mitigation against this flaw. Yet they still recommend ensuring that your Exchange Server is running the latest Cumulative Update (CU) and provides guidance on checking if you have proper mitigations in place. Don’t delay, prioritize this before the keys to your kingdom are in the hands of the Middle Kingdom.
Microsoft Outlook has a separate critical issue that was patched this week, in addition to potentially being a vector for the Exchange flaw described above. It is a low-complexity attack that can be triggered by simply receiving a specially crafted email. Successful exploitation could result in privilege escalation and Remote Code Execution (RCE). Apply this update immediately if you use Outlook – and who doesn’t?
QNAP – I’d brought this one up last week, but since it hit the news cycle late in the week, other publishers are now taking note, so I’m listing it again. This is to patch a Privilege Escalation flaw in QTS, but thankfully, it appears that it requires authenticated user accounts to exploit and requires presence on the local network. Despite not being pants-on-fire, this should be patched as soon as is practical.
SAP released their Patch Tuesday updates this week, with at least 13 new items fixed, and 3 updated items. The most severe is a note from 2018 that carries a CVSS of 10 out of 10. If you use SAP, check for updates for your products, likely you’ll find some.
SolarWinds, I still get a shudder when I hear that name, has released fixes for five critical RCE’s in their Access Rights Manager. Note that no authentication is needed to exploit three of the flaws. Patch immediately!
VMware, now owned by Broadcom, has been making major changes to delivery, vendors, and licensing. The latest announcement has elicited collective grumbling throughout the IT community. A newly published KB reveals that the free ESXi hypervisor is no more. You can get a trial license which expires, or you can pay an annual fee. Period.

In Ransomware, Malware, and Vulnerabilities News:

Ivanti continues to make news. The most interesting and scary item is a report that their Connect Secure product (renamed from Pulse Secure) is based off a 11-year old CentOS Linux version 6.4 and is using outdated libraries that have been shown to have 973 flaws that have 111 publicly known exploits. I expect that this will not end well for this product.
ALPHV aka Blackcat ransomware dirtbags continue their prolific rein of evil with fresh attacks on victims, this time on Canadian Trans-Northern Pipelines which had 190GB of data stolen. Evil dark kitty also added loanDepot, and Prudential Financial to their breach site and is threatening to release PII for millions of people. In December of last year, the US Government shut down much of the evil cat’s infrastructure, however they quickly recovered and appear to be back with a vengeance. In response, the US Government is now offering a bounty of up to $15 million for information leading to the identification and arrest of this hideous organization’s leadership.
Feds dismantle Russian GRU botnet in a bit of good news, “Uncle Sam was able to prevent Russia’s use of the botnet by firewalling off remote management access, scrubbed the malware from the routers…”

In Other News Events of Note and Interest:

Audacity, an excellent free audio tool, has received an AI upgrade for transcription and noise suppression.
European Court of Human Rights has ruled that it is “illegal to break encryption” and that it “ensures the enjoyment of fundamental rights such as privacy and freedom of expression”. I predict that this will neuter some of the most egregious provisions of EU’s proposed digital identity law (eIDAS 2.0).
European Union’s Digital Services Act (DSA) came into effect this week. It mandates bans on advertising that targets underage users, sexual preferences, religious beliefs and requires that they provide a way to challenge any such action and to lodge complaints. This is relevant for US based companies with 50 or more employees if their content is accessed by EU citizens. I foresee another click to accept cookies major PITA coming like a run-away train to all of us.

In Cyber Insurance News:

How Two Former Spies Cracked The $11 Billion Cyber Insurance Market is a great read about how Coalition Insurance and At-Bay Insurance have been protecting their clients, not merely insuring them. Their proactive approach has enabled them to offer lower premiums and dramatically reduce claims.

There is an old axiom that states “Haste makes waste”. It is first seen in print in Nicholas Udall’s translation of the proverbs of Erasmus – Apophthegmes in 1542. Another one which we are all familiar with is “measure twice, cut once”. This originated as a Russian proverb referring to carpentry and needlework, the obvious implication is that care taken in preparation will prevent errors. Every week we see this 482-year-old truism and undated proverb play out in spectacular failures in cyber news headlines published here and elsewhere. We’re all under ever increasing deadlines and pressure to “get it done”. However, taking a pause, ensuring you have backup, working in a test environment first, and getting another set of eyes to check something over before making a potentially catastrophic error resulting in a breach, is well warranted.

Now go forth and compute safely. As the Latin proverb states, “Praemonitus, Praemunitus” forewarned is forearmed. Keep the shields up!

Headline NEWS

Ransomware, Malware, and Vulnerabilities News

Other News Events of Note and Interest

Cyber Insurance News

Like this: