September 6, 2024

Hello all,

Most of us in the United States celebrated Labor Day, and the unofficial end of summer, with a much-deserved day off from work. It was a welcome respite to enjoy the company of friends and family and, if you were so inclined, the eating of burgers and hot dogs. Even though much of the year has now passed, the cyber landscape remains much the same: defenders are still doing their best, and evil people are continuing to do their worst. So far, the holy grail of AI stopping attacks hasn’t quite come to fruition, but there are glimmers of hope on the horizon along with plenty of sad reports. So, let’s get to the news from this past week and read all about it.

As usual, my commentary is followed by a plethora of links to other items that are worth skimming to see if they interest you or pertain to your particular environment or of those you support.

Headline NEWS:

  • Cisco has released a couple of updates that are rather important. One is for their Smart Licensing Utility to close a backdoor: an “undocumented” hard-coded admin account. A what!? Yeah, an admin account, and this isn’t the first time they’ve had to fix such an issue. It sounds like something a developer was using during development and forgot to remove before release. A static credential baked into the software can’t be changed or disabled by the customer, so there is no configuration workaround; the fix is the remediation. This software defect is as serious as it gets. If you’re using this, apply the fix immediately!
  • Proof-of-concept (PoC) code has been made available for a Windows kernel privilege escalation vulnerability. This particular defect was patched by Redmond in last month’s Patch Tuesday updates. If you haven’t applied the patches by now, it may be too late, but hey, better late than never. Do it now!
  • Progress Software, makers of LoadMaster, just released an emergency fix for a remote code execution (RCE) defect. This one has a severity value of 10 out of 10. So, if you use LoadMaster (even out-of-support versions), stop what you’re doing and apply the new add-on package immediately! Then, after doing so, follow their security hardening guidelines.
  • SonicWall warned last week about a critical access control defect in SonicOS that affects Gen 5 – 7 firewalls. Toward the latter part of this past week SonicWall reissued the alert and said that active exploitation of the vulnerability has been observed. Further, it was determined that SSLVPN deployments that use locally managed user accounts on Gen 5 and Gen 6 versions are severely impacted. Guidance is to update the firewall software, then ensure that MFA is enabled on all SSLVPN accounts, and then require password resets for all locally managed users (assume any password that existed before the patch may have been captured). Additionally, as a part of this issue (which is best practice anyway) you should “restrict firewall management access to trusted sources or disable WAN management access from the internet.” Do not wait to apply the patches and mitigations; rampant threat actor probing is underway, and exploitation is happening.
  • Veeam Software has fixed 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and Veeam One. The most serious is an RCE in Backup & Replication that can result in full compromise.
  • WhatsUp Gold is a stalwart in the monitoring arena, having been around for decades informing admins and technicians of issues with their systems. Progress Software has released several patches recently to fix defects that can allow for RCE, SQL injection, and theft of information. Updates are available from the manufacturer, and have been for some time, yet over 1,200 unpatched systems are still visible on the internet. Come on people, patch this stuff! PoC code already exists out there to exploit some of these identified defects, and a monitoring server typically holds credentials for everything it monitors, so a compromise there rarely stays contained to one box.
  • Zyxel has released patches for a large number of their firewalls. At least one flaw allows for an unauthenticated attacker to execute OS commands. Patch quickly.

In Ransomware, Malware, and Vulnerabilities News:

  • The NSA, FBI, CISA, US Dept. of the Treasury, US State Department, CNMF, MIVD, VZ, BIS, KAPO, VDD, SBU, CERT-UA, CSIS, CSE, ASD’s ACSC, and NCSC-UK have issued a joint 36-page PDF advisory, Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure, describing and decrying the activity. It is a lot to digest, but worth reading, with sound analysis and recommendations. Summary: Russia bad.
  • Critical Infrastructure sustained 13 cyberattacks per second in 2023. That is a staggering headline. And it is not slowing down in 2024.

In Other News Events of Note and Interest:

  • Microsoft PowerToys is getting more new features and capabilities. If you’ve not played with this versatile Redmond Army Knife, give it a go.
  • The ‘Ban TikTok’ movement is losing momentum among Americans. We defenders are clearly losing in the mindspace security war. The public is so inundated by breaches and vulnerabilities that they’ve become desensitized to news and facts and simply don’t care anymore. “I just want my dancing cat videos…China can have my data.”

In Cyber Insurance News:

  • Big names proposing cyber insurance backstop. With the ever-looming specter of a catastrophic event, reminiscent of CrowdStrike’s recent spectacular failure, insurers are increasingly pushing for government-backed help in the event of something that is truly apocalyptic in nature to insurers.

Musings:

Next week is Patch Tuesday from Microsoft and a large swath of cyber vendors worldwide. By now you should have vetted, tested, and applied the August releases from last month. If you haven’t, get to it, since PoCs have been out for a while for some of the most severe vulnerabilities. And there’s still the looming unpatched “downdate” flaw in Microsoft Windows, which lets an attacker roll patched system components back to older, vulnerable versions. Hopefully Redmond plugs that particular massive hole this coming week. Much care will be warranted on this one due to the immense complexity of the issue. Vet carefully, as it will have wide-reaching impact inside Microsoft’s operating systems. You don’t want the cure to be worse than the disease.

Visc. Jan Broucinek

Keep the shields up.

 Viscount Jan Broucinek
Red Dot Security News
