March 9, 2024

Hello all,

This coming week is Patch Tuesday. Expectations are that this will be a normal release without any major revelations. However, Microsoft already gave us a big surprise with news of Russian state-sponsored threat actors, yet again breaching their security, this time stealing source code. And there’s lots more to read about, so let’s get to it.

The volume of news and other can appear overwhelming, the best strategy is to read the Notable Callouts below and then skim the full list of linked news item titles that follow for things that pertain to you or your environment or simply interest you, and then selecting them for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com also has searchable archives of past newsletters.

Notable Callouts:

Apple released security updates for most of their products this past week, patching several zero days in iOS, and dozens of security fixes for both iOS and macOS. Update soon to keep the worms out of your iFruit.
Cisco patched “high-severity” vulnerabilities in their Secure Client VPN. Also patched were AppDynamics Controller, Small Business 100, 300, and 500 Series Wireless Access Points, and Duo Authentication for Windows Logon and RDP. If you have any of these in use, update as appropriate.
Duvel Moortgat Brewery, a Belgian company, was hit by Stormous ransomware. In a somewhat humorous response, Duvel said “We have more than enough beer in stock to compensate for this production halt.” Naturally, worried beer drinkers have been inquiring on Reddit if the company has sufficient “strategic reserves” in stock for this crisis.
Hikvision the US-banned Chinese company patched a pair of high-severity vulnerabilities in their HikCentral Professional management system. If you use their products, don’t. If you can’t replace them ASAP, then at least do ensure you apply any available patches so that only the Chinese government is spying on you, not the whole world.
JetBrains TeamCity has released patches for several authentication bypass holes. It is critical to patch immediately, if you’ve not done so, as this is trivial to exploit and is under active attack. Hundreds of systems have been confirmed to have been compromised already. Do a full forensic check of your systems, paying particular attention to any newly created admin accounts.
Microsoft was breached by Russian state sponsored threat actors dubbed Midnight-Blizzard yet again. This time, using credentials stolen in their January attack, they’ve stolen source code from some Microsoft repositories. So far, there has been no indication what source code they’ve purloined. As one source opined, depending on what they’ve gotten, this is equivalent to “finding the master key to its digital kingdom” which could open the doors for new zero-day attacks in the future.
QNAP patched some more vulnerabilities in their QTS, QuTS hero, QuTScloud, and myQNAPcloud. Apply the updates as soon as is practical and even sooner if your device is internet facing since threat actors look for these like vultures scanning for carrion. Fixed versions are 5.1.3.2578 build 20231110 and later, 4.5.4.2627 build 20231225 and later.
VMware issued security patches for ESXi, Workstation and Fusion. The flaws are so severe that VMware backported them to unsupported EoL versions of ESXi and has made them publicly available. The one caveat is that, thus far, admin is required to exploit these particular vulnerabilities. But a determined bad guy will just chain a few attacks to get the needed permission, so patch soon.

In Ransomware, Malware, and Vulnerabilities News:

Americans lost $12.5 Billion to fraud in 2023. That’s insane! The FBI’s Internet Crime Report says that it has increased 22% from the prior period. $2.9 Billion of that figure is from BEC scams and the like. We must do better. That last number should be zero. It is amply evident that our users are not being properly educated, and we don’t have the correct processes and checks and balances in place within our financial departments.
Ivanti made the news via the back-door this week. This time because CISA had to take two Ivanti servers offline due to compromise. God only knows what juicy things were stolen!
ConnectWise ScreenConnect is still in the news. This time is it because Kimsuky (aka APT43) from North Korea (aka DRPK) – Did you ever notice how drpk looks a little like dirt-bag? – is dropping a backdoor named “ToddleShark”. Who comes up with these names? Anyway, this thing is quite creative and insidious, props to the creators. If only you used your powers for good instead of evil.

In Other News Events of Note and Interest:

AI has a few interesting items in this section. The first is for an AI doll that is designed to be a an “interactive digital pal for people experiencing loneliness or in long term care facilities.” It can remind them to take medicine, eat a meal, etc. The other piece of AI news is that Anthropic’s latest AI, Opus, apparently shocked researchers when it asked if it was being tested because the query and the data it was asked to locate was so unlike all of the other data. It seems like the count-down clock to self-awareness is getting shorter.
FIDO2 is a standard for “phishing resistant” authentication. It has been around for quite some time, yet it is only now gaining widespread adoption. Just in time too, based on the rampant reports of BEC scams and MiTM theft of credential tokens. The article in this section explores if Hardware keys are unphisable and describes the authentication process.

In Cyber Insurance News:

Coalition Insurance has an incident response division that handled eight separate LockBit attacks on ScreenConnect subsequent to this month’s vulnerability being revealed.

Business Email Compromise (BEC) isn’t the only way the threat-actors go after accounts and credentials. Many resort to good-old-fashion social engineering. Yesterday, I received a text from “US Bank” letting me know that a $19 charge had been seen on my account. It was a very legitimate looking message asking me to text a yes or no response. I ignored it since I don’t have a US Bank account. However, about 10 minutes later, I received a call from “US Bank” from an 888 number. It was an automated system, in perfect English, asking me to press a series of digits in response to charges on my account. I answered appropriately to get to the fraud division. A young-sounding lady, again with perfect English, answered the line and started to go through the expected questions. I kept her on the line for a while, doing my part to tie up the scammer for a bit and then hung up. If I’d continued the conversation, I’m certain that at some point sensitive personally identifiable information or account information would have been requested, perhaps even asking for a transfer of money. I truly pity the unaware, unsuspecting, and vulnerable in our society. These inhuman wastes-of-flesh are just plain evil and have no compunction stealing from them. They deserve a toasty spot in Tartarus!

Headline NEWS

Ransomware, Malware, and Vulnerabilities News

Other News Events of Note and Interest

Cyber Insurance News

Like this: