Hello all,
This week Microsoft made our headline news an inordinate number of times; read on for details.
The volume of news can appear overwhelming. The best strategy is to read the Notable Callouts below, then skim the full list of linked news item titles that follow for things that pertain to you or your environment, or simply interest you, and select those for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com, also has searchable archives of past newsletters.
Notable Callouts:
- Apple rolled out software updates for most current products, patching a critical zero-day in iPhones and Macs (a type confusion bug in WebKit) and fixing over a dozen security items in other areas. The iFruit company also backported a pair of patches to some older products that were fixed last month for current products.
- Cisco patched a vulnerability in Unified Communications and Contact Center Solutions products that, if exploited, could result in remote code execution with root-level access. There is no workaround; patch, and patch now, if you have these in your enterprise.
- HPE revealed in a Form 8-K SEC filing that it had been informed that its Office 365 email accounts were breached by the “Nobelium, aka Cozy Bear, aka Midnight Blizzard, aka APT29” dirt-bag group. It would be nice if this were an isolated incident, but it is not. Read on.
- The Jenkins automation server project has released patches for several vulnerabilities. There is a critical RCE among them, plus a risk of data deletion, so patch quickly!
- Microsoft revealed that, due to a misconfiguration, a forgotten test account was left active with administrator permissions and without 2FA, and was successfully hacked via a password spray attack. The same dirt-bags as in the HPE item above were identified as being behind this attack, which went undetected for several months. But it gets worse. Microsoft first said that no evidence showed that other companies were breached. But there’s the HPE event above, which so far has not been confirmed to be related. And yet Microsoft admitted late this week that yes, others were affected, and that it has been contacting companies that were breached. But wait, there’s more! In response to the attacks, Microsoft has published new guidance on rogue OAuth applications, which is apparently how the Cozy Midnight dirt-bags managed to stay embedded in Microsoft’s network undetected for so long. This is getting scary.
- Microsoft, in what I hope is an unrelated news item, had much of its Microsoft Teams infrastructure decide to take the day off this past Friday. Workers worldwide were treated to a somewhat quiet, meetingless and chatless day. Redmond did manage to restore access late in the day on Friday.
- Splunk patched several vulnerabilities in its Enterprise product, including one rated high severity. The recommended fix is to upgrade Splunk Enterprise installations to version 9.0.8 or 9.1.3, or later.
In Ransomware, Malware, and Vulnerabilities News:
- Deepfakes are in the news again, with Microsoft’s Satya Nadella expressing outrage on NBC Nightly News over a deepfake of a certain celebrity engaged in sexual acts, and the need for global “guardrails” around the technology that makes it possible. In a related article, many New Hampshire primary voters received robocalls from a fake “President Biden” urging them not to vote in the primary. I hate to say it, but the technological deepfake cat is out of the bag, and I don’t see it going back in anytime soon. Criminals will continue criminal behavior despite rules or “guardrails”.
- The SEC confirmed that its X account (formerly Twitter) was hijacked via a SIM swap, aided by the lack of 2FA on the account. No comment.
In Other News Events of Note and Interest:
- Fort Lauderdale, FL, in a bit of good news, managed to recover $1.2 million that was stolen from the city via a BEC scam last year. Score one for the good guys!
- Microsoft had its market valuation top $3 trillion last week, making it only the second company, after Apple, to reach that level.
In Cyber Insurance News:
- K-12 cybersecurity spending is increasing, along with schools’ insurance costs. Based on the incredible number of successful attacks against schools in the past year, this headline is somewhat of a no-brainer. Their security must improve, and insurers must cover their losses.
More than a few of the headlines this week were breaches or takeovers that resulted from poor security practices. What’s sad is that many were preventable. Most would have been stopped by just having 2FA (two-factor authentication) enabled on accounts; even SMS, the least secure form of 2FA, would have been better than nothing. Why is SMS considered least secure? Go back and reread the SEC’s tale of hijack woe. Their SIM was swapped to the threat actor’s phone, so any SMS 2FA code would have gone to the bad guy. But in Microsoft’s case, 2FA would have blocked the password spray attack: even if the dirt-bag guessed the right password, they would have had no way to answer the 2FA challenge. For administrator-level and service accounts, prefer an authenticator app or hardware key over SMS, and disable or delete test accounts you no longer need, since a forgotten account is one nobody is watching. Nearly every account out there has some form of 2FA available to be enabled. Don’t be a victim. As Nike says, “Just do it”.
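As an added illustration (not from this newsletter, nor any vendor's tooling), here is a small Python detector for the password-spray pattern discussed above, run over constructed sign-in log lines. A spray tries one or two common passwords against many accounts from the same source, staying under per-account lockout thresholds, so the signature is many distinct users, few attempts each, one source, and then a success with no MFA claim. The log format, IP addresses, usernames and the `mfa=` field are all assumptions made for this example; real sign-in logs differ by vendor.

```python
"""Password-spray detection over constructed sign-in log lines (added example).

Each line: <ISO-8601 UTC timestamp> <source ip> <user> <SUCCESS|FAILURE> mfa=<method|none>
This layout is an assumption for the example, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample. 203.0.113.7 tries seven accounts once each (a spray) and then
# succeeds against a legacy test account that has no MFA. 198.51.100.9 is ordinary
# noise: one user mistyping a password twice, then succeeding with TOTP. Only the
# first source should alert.
SAMPLE_LOG = """\
2024-01-12T02:00:01Z 203.0.113.7 alice FAILURE mfa=none
2024-01-12T02:00:03Z 203.0.113.7 bob FAILURE mfa=none
2024-01-12T02:00:05Z 203.0.113.7 carol FAILURE mfa=none
2024-01-12T02:00:07Z 203.0.113.7 dave FAILURE mfa=none
2024-01-12T02:00:09Z 203.0.113.7 erin FAILURE mfa=none
2024-01-12T02:00:11Z 203.0.113.7 frank FAILURE mfa=none
2024-01-12T02:00:13Z 203.0.113.7 legacy-test FAILURE mfa=none
2024-01-12T02:00:15Z 203.0.113.7 legacy-test SUCCESS mfa=none
2024-01-12T02:05:00Z 198.51.100.9 alice FAILURE mfa=none
2024-01-12T02:05:20Z 198.51.100.9 alice FAILURE mfa=none
2024-01-12T02:05:40Z 198.51.100.9 alice SUCCESS mfa=totp
"""


def parse(line):
    """Parse one constructed log line into a dict with an aware UTC timestamp."""
    ts, ip, user, result, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "user": user,
        "result": result,
        "mfa": mfa.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return one finding per source IP whose failures hit >= min_users distinct
    accounts inside any sliding window. The finding also lists accounts that
    later succeeded from that IP without an MFA claim, i.e. likely compromised."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAILURE"]
        best_users, best_start, start = set(), None, 0
        for end, e in enumerate(fails):
            # Slide the window forward so that it spans at most `window`.
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, fails[start]["ts"]
        if len(best_users) < min_users:
            continue
        # A success from the spraying source with no MFA claim is the real alarm;
        # a success that carried an MFA claim would have required the second factor.
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "SUCCESS"
                              and e["ts"] >= best_start
                              and e["mfa"] == "none"})
        findings.append({"ip": ip,
                         "distinct_users": len(best_users),
                         "targets": sorted(best_users),
                         "compromised": compromised})
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f"spray from {f['ip']}: {f['distinct_users']} accounts tried, "
              f"no-MFA successes: {f['compromised'] or 'none'}")
```

The thresholds (`window`, `min_users`) are tuning knobs; a real spray is often far slower than the sample, so run the same logic over hours or days as well as minutes, and treat any no-MFA success from a spraying source as an incident rather than a warning.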
Viscount Zebulon Wamboldt Pike
Red-N Weekly Cyber Security News
Headline NEWS
- Apple Issues Patch for Critical Zero-Day in iPhones, Macs
- Cisco released a security advisory to address a vulnerability
- HPE: Russian hackers breached its security team’s email accounts
- Critical Jenkins Vulnerability Exposes Servers to RCE Attacks
- Microsoft got hacked by state sponsored group it was investigating
- Microsoft says Russian hackers also targeted other organizations
- Microsoft Shares New Guidance in the Wake of ‘Midnight Blizzard’ Cyberattack
- Microsoft Teams outage causes connection issues, message delays
- High-Severity Vulnerability Patched in Splunk Enterprise
Ransomware, Malware, and Vulnerabilities News
- CISA Director Jen Easterly Targeted in Swatting Incident
- Attack on Swedish datacenter shocks multiple businesses
- Attackers can steal NTLM password hashes via calendar invites
- 23andMe admits it didn’t detect cyberattacks for months
- iOS 17.3 and macOS 14.3 include more than 10 security fixes
- Aviation Leasing Giant AerCap Hit by Ransomware Attack
- AI will increase the number and impact of cyberattacks, intel officers say
- Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks
- Deepfake voice attacks are here to put detection to the real-world test
- Microsoft CEO Presses For Actions To Control A.I. Deepfakes
- In major gaffe, hacked Microsoft test account was assigned admin privileges
- Blackwood hackers hijack WPS Office update to install malware
- Data of 15 million Trello users scraped and offered for sale
- Atlassian Tightens API After Hacker Scrapes 15M Trello Profiles
- Onslaught of attacks aimed at Ivanti zero-days continues
- Ivanti: VPN appliances vulnerable if pushing configs after mitigation
- Ivanti and Juniper Networks accused of bending the rules with CVE assignments
- SEC Confirms SIM Swap, Lack of 2FA Helped Hacker Hijack Twitter Account
- Clackamas Community College in Oregon cancels classes over cybersecurity incident
- Local governments in Colorado, Pennsylvania and Missouri dealing with ransomware
- Water services giant Veolia North America hit by ransomware attack
- UK water giant admits attackers broke into system as gang holds it to ransom
- Global fintech firm EquiLend offline after recent cyberattack
- Kasseika ransomware uses antivirus driver to kill other antiviruses
- Hackers Targeting Critical Atlassian Confluence Vulnerability Days After Disclosure
- New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits
- LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks
- Bucks County, PA investigating cybersecurity incident affecting computer-aided dispatch system
- Hacker for Russian cybergang Trickbot that extorted millions sentenced to prison in Cleveland
- Multiple vulnerabilities discovered in widely used security driver
- Kansas public transportation authority hit by ransomware
- QR Code Phishing Soars 587%: Users Falling Victim to Social Engineering Scams
- Google Kubernetes Clusters Suffer Widespread Exposure to External Attackers
- FCC matches its data breach notification policies with US state regulations
- Jason’s Deli says customer data exposed in credential stuffing attack
- loanDepot cyberattack causes data breach for 16.6 million people
- 52% of Serious Vulnerabilities We Find are Related to Windows 10
- CrowdStrike CEO explains why Russian hackers are hard to beat
- “The mother of all breaches”: 26 billion records found online
- New method to safeguard against mobile account takeovers
- Subway’s data torpedoed by LockBit, ransomware gang claims
- WordPress File Manager Plugin Vulnerability Affects +1 Million Websites
- Tesla hacked, 24 zero-days demoed at Pwn2Own Automotive 2024
- North Korean Hackers Employ Generative AI for Cyberattacks
- Black Kite Unveils Monthly Ransomware Dashboards
- 75% of top brands fall victim to fraud in Google Search Ads
- Firefox 122 Patches 15 Vulnerabilities
Other News Events of Note and Interest
- Fort Lauderdale recovers $1.2M stolen last year during cyber scam, officials say
- Some Macs Auto-Updating to macOS Sonoma Without User Permission
- Cool Tool – Windows Firewall Control 6.9.9.2
- Cool Tool – Ventoy 1.0.97 is out with FreeBSD 14.0 support and boot fixes
- Cool Tool – Using Microsoft AD Explorer for common admin tasks
- vCenter Converter 6.6 BETA is now LIVE!
- OpenAI drops prices and fixes ‘lazy’ GPT-4 that refused to work
- Browser alternatives Brave, Arc, add new AI integrations
- DoD’s new memo puts stricter requirements on cloud providers
- Brave to end ‘Strict’ fingerprinting protection as it breaks websites
- CISA Joins ACSC-led Guidance on How to Use AI Systems Securely
- Cryptographers Are Getting Closer to Enabling Fully Private Internet Searches
- NSA admits to buying Americans’ web browsing data from brokers without warrants
- FTC orders Intuit to stop pushing “free” software that isn’t really free
- macOS 14.3 Sonoma is now available with these new features
- X adds support for passkeys on iOS after removing SMS 2FA support last year
- Google Pixel phones are broken again with critical storage permission bug
- Google Messages Photomoji more widely rolling out
- Why Apple’s new Stolen Device Protection feature is important
- I thought software subscriptions were a ripoff until I did the math
- Mozilla is ‘Extremely Disappointed’ With Implementation of Apple’s EU Browser Engine Change
- Nvidia, Microsoft, Google, and others partner with US government on AI research program
- Amazon Offers Free AI Courses, Aiming to Help 2 Million People Build AI Skills by 2025
- Microsoft is now a $3 trillion company
- Microsoft Teams now supports 3D and VR meetings
- Microsoft Teams went down around the world for over eight hours — it’s better now
- Microsoft releases first Windows Server 2025 preview build
- Microsoft introduces new OneDrive experience for personal users
- Microsoft turns off WMIC in Windows 11, plans to remove it from next-gen Windows
- Microsoft confirms Windows 10 Sysprep.exe error 0x80073cf2 after installing KB5032278
- Windows 11 KB5034204 out with Start menu fixes, File Explorer improvements, and more
- Windows 11 KB5034123 January 2024 update won’t install, users flag installation issues
- Veeam researching support for VMware alternative Proxmox as backup buyers fret about Broadcom