
Hello all,
Last week I warned about a new zero-day in Microsoft SharePoint on-premises that had just become public knowledge. It escalated quickly, not necessarily with threat actor activity, but with news articles and cyber professionals everywhere urging action. With potentially tens of thousands of vulnerable targets it looked like it would be a free-for-all. However, it seems that only a few Chinese advanced persistent threat actors got in on the action before patches started getting deployed. The last number I heard was that only 400 or so SharePoint servers were known to have been exploited. That’s not to say that it wasn’t bad, with some high-profile targets getting hit, but it could have been much worse.
If not for the SharePoint news, it actually would have been a somewhat quiet news week for a change with only the normal level of interesting and evil happening out in the world and reported on the interwebs.
Headline NEWS:
- Microsoft SharePoint Server on-premises has a lovely defect that allows remote, unauthenticated attackers to modify code. There are several article links in our Headline News that go into more detail. However, this is what it sounds like: a threat actor can gain access to a server and eventually get full control over it. An emergency patch is now available, and if you have an on-premises SharePoint server, you are urged to apply it as soon as possible, then check for signs of compromise.
- SonicWall has identified a critical Remote Code Execution defect in some of their SMA 100 series VPN appliances. If you have an SMA 210, 410, or 500V, you are urged to upgrade to firmware version 10.2.2.1-90sv or higher before threat actors begin exploiting this defect. If any exploitation is suspected, contact SonicWall for mitigation guidance.
In Ransomware, Malware, and Vulnerabilities News:
- Clorox is suing their former outsourced service desk, Cognizant, for simply handing over credentials to a threat actor when asked. In 2023 Clorox suffered a Scattered Spider attack that ultimately ended up costing them $380 million in recovery and loss of business. There are recordings of the threat actors calling into the service desk that clearly reveal how spectacularly Cognizant failed in protecting Clorox’s account security. “I don’t have a password, so I can’t connect,” the hacker says in one call. The agent replies, “Oh, ok. Ok. So let me provide the password to you ok?” For their part, Cognizant has said, “Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.” I’m sorry to disagree, but it seems to me that not following documented, established verification procedures and handing the keys to the kingdom to anyone who asks isn’t “reasonable”; it is negligence.
In Other News Events of Note and Interest:
- Broadcom CEO Hock Tan promised VMware perpetual-license clients “free access to zero-day security patches for supported versions of vSphere” so that customers “are able to use perpetual licenses in a safe and secure fashion.” There have been eleven zero-day and high-severity defects revealed in the past few months, and despite asking for the patches, perpetual-license holders are mired in Broadcom red tape and have not been provided with the needed patches. Some have been waiting since May, only to be told that, “A separate patch delivery cycle will also be available for non-entitled customers and will follow at a later date.” What that may be is anyone’s guess, since Broadcom hasn’t provided any additional information.
Musings:
Threat actors, for the most part, are based on the other side of the world and tend to attack when most of the western world is asleep or at least done with their working day. That got me to thinking about a very neglected and overlooked feature of Active Directory that has existed forever: logon hours. I think it is high time that setting and enforcing logon hours becomes standard practice in organizations. There would be two immediate benefits resulting from this one simple action. Employees would truly be off the clock when their shift expires. Talk about restoring work-life balance: you are physically unable to log in until your scheduled working hours! And threat actors would be stymied because their attempts to access accounts outside of working hours would be met with failure. This would force their activity into the working day when more cyber defenders are present, which would result in better defense. A win for employees and for security overall!
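As an added example of the logon-hours control described above (my own code, not from the newsletter), the following PowerShell builds the 21-byte logonHours bitmap for a Monday-to-Friday working window and applies it to the users in one OU. It assumes the RSAT ActiveDirectory module and rights to modify those users; the OU path, the UTC offset and the sample user 'jdoe' are placeholders to adjust.

```powershell
# Added example: restrict Active Directory logon hours to a working-day window.
# Assumes the RSAT ActiveDirectory module and rights to modify the target users; the OU path,
# the UTC offset and the sample user 'jdoe' are placeholders.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    param(
        [int[]]$Days = @(1, 2, 3, 4, 5),   # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 7,               # first permitted local hour (inclusive)
        [int]$EndHour = 19,                # first denied local hour (exclusive)
        [int]$UtcOffsetHours = 0           # site offset from UTC, e.g. -5 for US Eastern standard time
    )
    # logonHours is a 168-bit bitmap, one bit per hour of the week starting Sunday 00:00 UTC.
    # Week-hour n lives in byte [n / 8] at bit position (n % 8), least-significant bit first.
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Shift the local hour to UTC and wrap around the week boundary.
            $weekHour = ((($day * 24 + $h) - $UtcOffsetHours) % 168 + 168) % 168
            $byte = [int][math]::Floor($weekHour / 8)
            $mask[$byte] = $mask[$byte] -bor (1 -shl ($weekHour % 8))
        }
    }
    return ,$mask   # leading comma keeps the byte[] from being unrolled into the pipeline
}

function Get-PermittedHourCount {
    param([byte[]]$Mask)
    # Count the set bits; a five-day, 12-hour schedule should report 60.
    $count = 0
    foreach ($b in $Mask) {
        for ($bit = 0; $bit -lt 8; $bit++) { if ($b -band (1 -shl $bit)) { $count++ } }
    }
    return $count
}

# Build a Monday-Friday, 07:00-19:00 local window for a site at UTC-5 and apply it to every
# enabled user in one OU. Exclude service accounts and on-call staff before running this
# broadly; they need their own schedule or an exemption.
$mask = New-LogonHoursMask -Days @(1, 2, 3, 4, 5) -StartHour 7 -EndHour 19 -UtcOffsetHours (-5)
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Staff,DC=example,DC=com' |
    ForEach-Object { Set-ADUser -Identity $_ -Replace @{ logonHours = $mask } }

# Read one account back and confirm the window landed as intended.
$applied = (Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours
"jdoe is permitted $(Get-PermittedHourCount -Mask $applied) hours per week"
```

Logon hours are checked at authentication, so a session that is already open survives past the window unless the "Network security: Force logoff when logon hours expire" policy is also set. Denied attempts surface as event 4625 with sub-status 0xC000006F, which is worth alerting on, since off-hours attempts are exactly the activity the musing above expects to be hostile.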

Keep the shields up.
Viscount Jan Broucinek
Red Dot Security News
Headline NEWS
- Microsoft Pushes Emergency Patches for SharePoint Amid Exploit
- SharePoint vulnerability actively exploited: Microsoft rolls out emergency patches
- Microsoft SharePoint under ‘active exploitation,’ Homeland Security’s CISA says
- Microsoft SharePoint Server Attacks Are ‘Close-To-Worst-Case Scenario’
- Hundreds of organizations breached by SharePoint mass-hacks
- SonicWall Post-Authentication Arbitrary File Upload Vulnerability – SMA 100 Series
- SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
Ransomware, Malware, and Vulnerabilities News
- Contract lapse leaves critical infrastructure cybersecurity sensor data unanalyzed at national lab
- Hegseth moves to oust ‘Chinese labor’ from Pentagon cloud services, orders wider review
- Microsoft ends use of China-based engineers on DoD systems
- UK may back down on demand for backdoor access to Apple users’ encrypted data
- UK to lead crackdown on cyber criminals with ransomware measures
- BlackSuit ransomware extortion sites seized in Operation Checkmate
- US Sanctions Firm Behind N. Korean IT Scheme; Arizona Woman Jailed for Running Laptop Farm
- CISA and FBI warn of escalating Interlock ransomware attacks
- CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks
- CISA warns of hackers exploiting SysAid vulnerabilities in attacks
- CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF
- China warns citizens to beware backdoored devices, on land and under the sea
- China behind vast global hack involving multiple US agencies
- US lawmakers ask tech giants to respond to subsea cable concerns amid risk from China, Russia
- How China’s growing cyber-hacking capabilities have raised alarm around the world
- After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords
- Lawsuit says Clorox hackers got passwords simply by asking
- Cisco: Maximum-severity ISE RCE flaws now exploited in attacks
- Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
- Veeam Recovery Orchestrator users locked out after MFA rollout
- Weak Password Let Ransomware Gang Destroy 158-Year-Old Company
- A U.S. startup is selling your hacked, stolen data to anyone with $50
- Microsoft Links Ongoing SharePoint Exploits to Three Chinese Hacker Groups
- What to know about ToolShell, the SharePoint threat under mass exploitation
- US Nuclear Weapons Agency Breached in Microsoft SharePoint Hack
- Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices
- First Known LLM-Powered Malware From APT28 Hackers Integrates AI Capabilities into Attack Methodology
- 7-Zip Vulnerability Lets Malicious RAR5 Files Crash Systems
- NPM package ‘is’ with 2.8M weekly downloads infected devs with malware
- Developers Beware of npm Phishing Email That Steal Your Login Credentials
- Toptal caught serving malware after GitHub compromise
- PHP PDO Flaw Allows Attackers to Inject Malicious SQL Commands
- Critical Vulnerability in JavaScript Library Exposes Millions of Apps to Code Execution Attacks
- Grafana Vulnerabilities Allow User Redirection to Malicious Sites and Code Execution in Dashboards
- Livewire Security Vulnerability
- Microsoft Copilot Rooted to Gain Unauthorized Root Access to its Backend System
- Microsoft’s AppLocker Flaw Allows Malicious Apps to Run and Bypass Restrictions
- Copilot Vision on Windows 11 sends data to Microsoft servers
- Coyote malware abuses Windows accessibility framework for data theft
- Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks
- New ZuRu Malware Variant Weaponizes Termius SSH Client to Attack macOS Users
- Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments
- UNC3944 Attacking VMware vSphere and Enabling SSH on ESXi Hosts to Reset ‘root’ Passwords
- Critical VMware Tools VGAuth Vulnerabilities Enable Full System Access for Attackers
- Vulnerable firmware for Gigabyte motherboards could allow bootkit installation
- Ubiquiti UniFi Devices Vulnerability Allows Attackers to Inject Malicious Commands
- Hard-Coded Credentials Found in HPE Instant On Devices Allow Admin Access
- Enterprise printer security fails at every stage
- ExpressVPN bug leaked user IPs in Remote Desktop sessions
- ExpressVPN updates Windows app to fix vulnerability
- 3,500 Websites Hijacked to Secretly Mine Crypto Using Stealth JavaScript and WebSocket Tactics
- 750,000 Impacted by Data Breach at The Alcohol & Drug Testing Service
- Cybercrime forum Leak Zone publicly exposed its users’ IP addresses
- Hacker plants three strains of malware in a Steam Early Access game called Chemia
- Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks
- UK warns Russian Fancy Bear hackers are targeting Microsoft 365 accounts
- Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate
- Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials
- Lumma infostealer malware returns after law enforcement disruption
- US Department of Education Site Mimicked in Phishing Scheme
- Web-Inject Campaign Debuts Fresh Interlock RAT Variant
- Ring denies breach after users report suspicious logins
- Trading Platform WOO X pauses withdrawals after $14 million breach
- Poor Passwords Tattle on AI Hiring Bot Maker Paradox.ai
- Tea app hacked: 13,000 photos leaked after 4chan call to action
- Anne Arundel Dermatology data breach impacts 1.9 million people
- Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack
- Dior begins sending data breach notifications to U.S. customers
- Dell confirms breach of test lab platform by World Leaks extortion group
- Dell Says Data Leaked by Hackers Is Fake
- Major German media group falls victim to hacker attack
- Thomasville, NC still rebuilding computer network after ransomware attack
- After BlackSuit is taken down, new ransomware group Chaos emerges
- Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks
Other News Events of Note and Interest
- Cool Tool: Proton’s new privacy-first AI assistant encrypts all chats, keeps no logs
- Portable printer creates edible art with ease
- You Can Now Build ‘Portal to Your Subconscious’ To Turn Dreams Into Videos
- 8 Bit Mechanical Computer Built From Knex
- And now for our annual ‘Tape is still not dead’ update
- The Internet Archive is now an official federal documents library
- Age verification requirements have landed in the UK – how the internet will change, and what about your privacy?
- Google leaks its full Pixel 10 lineup
- Google’s shortened goo.gl links will stop working next month
- Trello update: Atlassian commits to product overhaul, despite customer backlash
- Brave browser blocks Windows Recall from screenshotting your browsing activity
- You can now lock your Windows 11 PC from your Android phone
- Your body can be fingerprinted and tracked using Wi-Fi signals
- Researchers uncover secretive Russian spy unit by studying its commemorative badges
- Building secure messaging is hard: A nuanced take on the Bitchat security debate
- Cursor’s New Bugbot Is Designed to Save Vibe Coders From Themselves
- OpenAI says ChatGPT users send over 2.5 billion prompts every day
- Can LLMs Do Accounting?
- Thoughts on America’s AI Action Plan
- ChatGPT is rolling out ‘personality’ toggles to become your assistant
- Surprising no one, new research says AI Overviews cause massive drop in search clicks
- Linux users are about to face another major Microsoft Secure Boot issue
- Transfer your files and settings to a new Windows PC
- Microsoft 365 installs via Windows Store will stop getting updates
- Microsoft: Windows Server KB5062557 causes cluster, VM issues
- Windows 11 gets new Black Screen of Death, auto recovery tool
- Windows 11 gets file system fixes, printer improvements, and stability patches in KB5062663
- Microsoft scraps the new Windows 11 system tray after user criticism
- Microsoft fixes bug behind incorrect Windows Firewall errors
- Windows 10 KB5062649 fixes Extended Security bug, unresponsive systems, and more
- VMware prevents some perpetual license holders from downloading patches
- EU cloud gang challenges Broadcom’s $61B VMWare buy in court
