Author: chris.stewart

  • Recent Cyber Attacks in 2024


    The year 2024 has already seen a significant rise in cyber attacks, underlining the need for robust security controls across every sector. One notable incident involved Bank of America, which disclosed a breach affecting 57,028 individuals after a cyberattack on its service provider Infosys McCamish Systems. The breach exposed names, Social Security numbers and account details, a reminder that a compromise at one supplier cascades to every organisation that depends on it (Techopedia).

    In another major incident, McLaren Health Care in Michigan reported a breach that compromised the personal information of approximately 2.2 million patients. The intrusion went undetected for nearly a month and exposed full names, Social Security numbers and personal health information. Affected individuals are being offered credit monitoring and identity protection services to mitigate the impact (Firewall Times).

    The Indian Council of Medical Research (ICMR) also suffered a breach affecting around 815 million individuals, exposing data collected for COVID-19 testing and highlighting weaknesses in how health data is managed. Breaches of this scale underscore the need for stringent controls and proactive threat management to keep sensitive information out of the hands of malicious actors (Termly).

    These recent hacks serve as a stark reminder of the evolving threat landscape and the necessity for continuous vigilance and advanced cybersecurity practices. As cybercriminals become more sophisticated, organizations must prioritize their cybersecurity strategies to safeguard against potential breaches and ensure the protection of critical data.

    By partnering with Shield53, organizations can proactively defend against cyber threats, protect their critical data, and ensure resilience in the face of evolving cybersecurity challenges. Contact us today to learn more about how we can help secure your digital future.

  • Critical PAN-OS CVE-2024-3400 used by Threat Actors


    Yesterday Palo Alto Networks issued a critical security alert for a flaw in the GlobalProtect feature of its PAN-OS firewall software. Tracked as CVE-2024-3400, the vulnerability carries a CVSS score of 10.0, the maximum severity.

    The vulnerability is a command injection flaw that allows an unauthenticated attacker to execute arbitrary code with root privileges on an affected firewall. The impacted versions of PAN-OS are:

    • PAN-OS < 11.1.2-h3
    • PAN-OS < 11.0.4-h1
    • PAN-OS < 10.2.9-h1

    At the time of the initial advisory, the issue was reported to affect only firewalls configured with both a GlobalProtect gateway and device telemetry enabled.

    Palo Alto Networks is actively working on fixes and expects to release them on April 14, 2024. In the interim, organisations with a Threat Prevention subscription are strongly advised to enable Threat ID 95187 to block exploitation attempts against this vulnerability.

    Mitigation Strategies

    • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition, customers should ensure that a vulnerability protection profile is applied to the GlobalProtect interface, otherwise the signature never sees the traffic. See the Palo Alto Networks advisory for more information.

    • Those unable to apply the Threat Prevention mitigation can temporarily disable device telemetry until the device is upgraded to a fixed PAN-OS version, then re-enable it after the upgrade. Note: Palo Alto Networks later updated the advisory to state that device telemetry does not need to be enabled for the firewall to be exploitable, so disabling telemetry is not an effective mitigation on its own; upgrading to a fixed release is.

    Detailed information about the attacks leveraging this vulnerability remains limited, so organisations must stay vigilant. The development fits a broader trend in which threat actors, particularly those of Chinese origin, exploit zero-day flaws in edge networking products to gain an initial foothold and establish covert, persistent access.

  • The Growing Ransomware Threat in 2024


    Ransomware attacks have surged in 2024, presenting a significant and growing threat to organisations worldwide. According to the latest reports, ransomware incidents increased by 68% compared to the previous year. The LockBit ransomware gang has been responsible for some of the largest ransom demands, including a staggering $80 million following its attack on Royal Mail. Attacks have become more sophisticated, with criminals exploiting zero-day vulnerabilities and evolving their tactics to hit a higher volume of victims at once (Sophos News) (Rapid7).

    The financial impact has escalated as well. The average ransom payment has increased fivefold over the last year, from $400,000 to $2 million (Rapid7) (SecurityWeek). While one survey found slightly fewer organisations hit this year, average recovery costs have soared to $2.73 million per incident, highlighting the substantial financial burden on affected organisations. Despite these rising costs, more than half of the organisations hit by ransomware admit to paying the ransom to recover their data, reflecting how desperate and time-critical these situations are.

    The threat landscape also continues to evolve toward data exfiltration, with criminals stealing sensitive data in addition to encrypting systems. This double-extortion model, data theft plus encryption, has intensified the pressure on organisations to bolster their defences. Ransomware remains a top priority for executive leadership, and many companies are investing significantly in prevention and recovery; combating it requires continuous vigilance and robust security practices (Malwarebytes) (SecurityWeek).

    For more details on the latest ransomware trends and defence strategies, refer to the reports from Sophos, Rapid7 and Malwarebytes cited above (Sophos News) (Rapid7) (Malwarebytes) (SecurityWeek).

  • Critical Exchange Vulnerability CVE-2024-21410

    • CVE: CVE-2024-21410
    • Severity: CRITICAL
    • Priority: CRITICAL

    Summary

    Today Microsoft updated its security advisory for a critical vulnerability in Exchange Server, confirming that it was exploited as a zero-day before being addressed in this month’s Patch Tuesday.

    Discovered internally and tracked as CVE-2024-21410, the vulnerability lets a remote, unauthenticated attacker escalate privileges through an NTLM relay attack against a vulnerable Microsoft Exchange Server.

    In such an attack, the threat actor coerces a network device, which may include servers or domain controllers, into authenticating to an NTLM relay server under their control. The relay forwards that authentication to the target, letting the attacker impersonate the coerced device or user and elevate privileges.

    Microsoft elaborates, stating, “An attacker could exploit an NTLM client such as Outlook with a vulnerability that leaks NTLM credentials.”

    “The compromised credentials can then be relayed to the Exchange server to gain privileges as the compromised client and execute actions on the Exchange server on behalf of the victim.

    “An attacker who successfully exploits this vulnerability could relay a user’s leaked Net-NTLMv2 hash to a vulnerable Exchange Server and authenticate as the user.”

    Recommended Remediation

    Exchange Server 2019 Cumulative Update 14 (CU14), released with the February 2024 Patch Tuesday, addresses this vulnerability by enabling NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA).

    Microsoft turns Windows Extended Protection on automatically when the 2024 H1 Cumulative Update (CU14) is installed. Extended Protection (EP) is therefore enabled by default on Exchange Server 2019 CU14 or later, strengthening Windows authentication against authentication relay and man-in-the-middle (MitM) attacks. Exchange Server 2016 does not receive CU14; there, EP must be enabled with Microsoft’s ExchangeExtendedProtectionManagement.ps1 script after the required security updates are applied.
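    To show why Extended Protection closes the relay path, here is an added example that is not Microsoft’s code: a simplified model of the channel binding token (CBT) that EPA adds to the NTLMv2 exchange. The client computes the CBT over the certificate of the TLS peer it actually connected to, and the server recomputes it over its own certificate. The certificates, NT hash and response layout are constructed stand-ins; a real NTLMv2 blob carries more fields, and the function names are this example’s own.

```python
"""Added example, not Microsoft's code: a simplified model of why Extended
Protection for Authentication (EPA) defeats the NTLM relay described above.

With EPA the client embeds a channel binding token (CBT) in its NTLMv2
response. The CBT is the MD5 of a gss_channel_bindings_struct whose
application data is "tls-server-end-point:" + SHA-256(server certificate)
for the TLS session the client actually opened. A server that enforces EPA
recomputes the CBT from its own certificate and rejects a response bound to
anything else. Certificates, NT hash and response format are constructed.
"""
import hashlib
import hmac
import struct


def channel_binding_token(server_cert_der: bytes) -> bytes:
    """CBT as the NTLM MsvAvChannelBindings AV pair carries it: MD5 over a
    gss_channel_bindings_struct with empty initiator/acceptor addresses."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(server_cert_der).digest()
    # initiator_addrtype, initiator_addr_len, acceptor_addrtype, acceptor_addr_len,
    # application_data_len (little-endian uint32 each), then application_data
    binding_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(binding_struct).digest()


def client_ntlmv2_response(nt_hash: bytes, server_challenge: bytes,
                           peer_cert_der: bytes) -> dict:
    """Client side: the CBT is computed over the certificate of whatever TLS
    peer the client is talking to, and the proof (HMAC-MD5 keyed with the NT
    hash) covers the CBT, so nobody without the NT hash can swap it out."""
    cbt = channel_binding_token(peer_cert_der)
    proof = hmac.new(nt_hash, server_challenge + cbt, hashlib.md5).digest()
    return {"cbt": cbt, "proof": proof}


def server_accepts(nt_hash: bytes, server_challenge: bytes, response: dict,
                   own_cert_der: bytes, epa_required: bool) -> bool:
    """Exchange side. Without EPA the CBT is ignored; with EPA it must match
    the server's own certificate before the proof is even checked."""
    if epa_required and not hmac.compare_digest(
            response["cbt"], channel_binding_token(own_cert_der)):
        return False
    expected = hmac.new(nt_hash, server_challenge + response["cbt"], hashlib.md5).digest()
    return hmac.compare_digest(expected, response["proof"])


def simulate(epa_required: bool) -> dict:
    """Constructed scenario: one user, the genuine Exchange certificate, and
    the certificate the attacker's relay presents to the coerced client."""
    nt_hash = hashlib.sha256(b"stand-in for the victim's NT hash").digest()[:16]
    exchange_cert = b"constructed DER of the genuine Exchange certificate"
    relay_cert = b"constructed DER of the attacker's relay certificate"
    challenge = bytes(range(8))  # NTLM server challenge issued by Exchange

    # Direct logon: the client's TLS session terminates at Exchange itself.
    direct = client_ntlmv2_response(nt_hash, challenge, exchange_cert)

    # Relay: the attacker forwards Exchange's challenge to the coerced client,
    # but that client's TLS session terminates at the relay, so its CBT covers
    # the relay certificate. The attacker then replays the response to Exchange.
    relayed = client_ntlmv2_response(nt_hash, challenge, relay_cert)

    # The attacker cannot simply patch in the right CBT: the proof covers it.
    rewritten = dict(relayed, cbt=channel_binding_token(exchange_cert))

    return {
        "direct_login": server_accepts(nt_hash, challenge, direct, exchange_cert, epa_required),
        "relayed_login": server_accepts(nt_hash, challenge, relayed, exchange_cert, epa_required),
        "relay_with_rewritten_cbt": server_accepts(nt_hash, challenge, rewritten, exchange_cert, epa_required),
    }


if __name__ == "__main__":
    for epa in (False, True):
        print(f"EPA {'required' if epa else 'off'}: {simulate(epa)}")
```

    With EPA off, the relayed response is accepted because the server never looks at the binding; with EPA required, the same response is rejected because it is bound to the relay’s certificate, and rewriting the CBT breaks the HMAC proof. The practical takeaway is the one in the remediation above: EP must be enforced on every Exchange virtual directory, and TLS termination in front of Exchange (load balancers, reverse proxies) changes which certificate the client sees, which is why Microsoft’s EP guidance must be followed for those deployments.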

  • Shield53 Attack Surface Management


    In today’s dynamic cybersecurity landscape, staying ahead of potential threats requires proactive measures and comprehensive solutions. That’s why it’s essential to leverage tools like Shield53’s Attack Surface Management product, which offers actionable insights into your security posture.

    Shield53’s Attack Surface Management solution goes beyond traditional approaches by providing continuous monitoring and analysis of your organization’s digital footprint. By examining DNS records and other relevant data sources, Shield53 identifies and maps out your attack surface, including potential entry points and vulnerabilities. This comprehensive understanding allows you to prioritize and address security gaps effectively, bolstering your defenses against cyber threats.

    With Shield53, you gain access to a suite of powerful features designed to enhance your security posture. From real-time alerts and threat intelligence to customizable risk assessments and remediation guidance, Shield53 empowers you to take proactive steps in safeguarding your organization’s assets and data.

    Don’t wait until it’s too late. Talk to Shield53 today and take control of your cybersecurity strategy. With Shield53’s Attack Surface Management product, you can strengthen your defenses, mitigate risks, and stay ahead of evolving threats in the digital landscape.

    https://www.shield53.com/attack-shield

  • 2024-02-14 – Microsoft patches zero-days exploited by attackers


    • CVE: CVE-2024-21412 + CVE-2024-21351 + CVE-2024-21410
    • Severity: CRITICAL
    • Priority: CRITICAL

    CVE-2024-21351 is a security feature bypass in Windows SmartScreen: an attacker who tricks a user into opening a malicious file can get it past SmartScreen’s checks and deliver malware.

    Microsoft notes that exploitation allows an attacker to inject code into SmartScreen and potentially gain code execution, which could lead to data exposure, loss of availability, or both. Windows uses the Mark-of-the-Web (MotW) to identify files from untrusted origins and subject them to SmartScreen scrutiny; a bypass in Microsoft Defender SmartScreen lets an attacker sidestep that scrutiny and execute code without the usual warning.

    CVE-2024-21412, patched at the same time, is a security feature bypass in Internet Shortcut (.url) files that likewise defeats the MotW check; it was already being exploited in the wild before the fix shipped. Although Microsoft has not disclosed the extent of these attacks, expect exploitation to rise as threat actors add the technique to their arsenals.

    It is crucial to test and apply the patches for both CVE-2024-21412 and CVE-2024-21351 promptly.

    Trend Micro has published a detailed blog article on the in-the-wild exploitation of CVE-2024-21412.

    CVE-2024-21410, an elevation of privilege flaw in Microsoft Exchange Server, warrants immediate patching. Fully addressing it may take extra effort, because on some versions Extended Protection has to be enabled by an administrator in addition to installing the update.

    Exploiting CVE-2024-21410 can expose a targeted user’s Net-NTLMv2 response, which an attacker can relay to the Exchange server to authenticate as that user (a Net-NTLMv2 response cannot be used for pass-the-hash, but it can be relayed in real time or cracked offline). Satnam Narang, senior staff research engineer at Tenable, emphasises how valuable flaws like this are to attackers, citing a similar vulnerability (CVE-2023-23397) exploited by a Russia-based threat actor.

    Additionally, CVE-2024-21413 is a remote code execution vulnerability in Microsoft Office. It allows an attacker to bypass Office Protected View and open a file in editing mode, potentially enabling code execution. Of particular concern is that the code can run when the file is merely rendered in the Preview Pane.

    Addressing CVE-2024-21413 requires users of both the 32- and 64-bit versions of Office 2016 to install multiple updates to fully mitigate the vulnerability.

  • Fortinet exploit used in the Wild | CVE-2024-21762


    Fortinet Firewall SSL VPN

    • CVE: CVE-2024-21762
    • Severity: CRITICAL
    • Priority: CRITICAL

    Summary

    • Fortinet warns that a new critical remote code execution vulnerability in the FortiOS SSL VPN is potentially being exploited in attacks.
    • You are only exposed if the SSL VPN portal is reachable from untrusted networks, such as the public internet.
    • The flaw, tracked as CVE-2024-21762 (FG-IR-24-015), carries a CVSS score of 9.6 and is an out-of-bounds write in FortiOS that allows an unauthenticated attacker to gain remote code execution (RCE) via maliciously crafted requests.

    Out-of-bound Write in SSLVPND

    • An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
    • Note: This is potentially being exploited in the wild.

    Remediation

    • Upgrade to an unaffected version (see the table below).
    • If you cannot upgrade immediately, disable SSL VPN entirely (disabling web mode is NOT a valid workaround).

    Version      Affected                 Solution
    FortiOS 7.6  Not affected             Not applicable
    FortiOS 7.4  7.4.0 through 7.4.2      Upgrade to 7.4.3 or above
    FortiOS 7.2  7.2.0 through 7.2.6      Upgrade to 7.2.7 or above
    FortiOS 7.0  7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
    FortiOS 6.4  6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
    FortiOS 6.2  6.2.0 through 6.2.15     Upgrade to 6.2.16 or above
    FortiOS 6.0  All 6.0 versions         Migrate to a fixed release
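    Both this FortiOS table and the PAN-OS version list in the CVE-2024-3400 post above come down to the same check: is the build on the box inside the affected range for its release train? The following is an added example, not tooling from Fortinet or Palo Alto Networks, that encodes the two advisories’ version data exactly as quoted on this page and answers that question for a version string. PAN-OS hotfix suffixes (11.1.2-h3) are ordered after the bare version, so 11.1.2 is vulnerable while 11.1.2-h3 is not. The function names are this example’s own.

```python
"""Added example (not Palo Alto Networks' or Fortinet's tooling): decide whether a
running PAN-OS or FortiOS version falls inside the affected ranges quoted in the
two advisories on this page.

PAN-OS fixed builds carry a hotfix suffix such as 11.1.2-h3; a version without a
suffix is treated as hotfix 0, so 11.1.2 < 11.1.2-h3 < 11.1.3.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'11.1.2-h3' -> (11, 1, 2, 3); '7.4.2' -> (7, 4, 2, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


# CVE-2024-3400: affected trains and the first fixed build in each, as listed in
# the PAN-OS post above. Trains not listed here (e.g. 10.1) are not affected.
PANOS_FIXED = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# CVE-2024-21762: (first affected, last affected, fix) per FortiOS train, from the
# Fortinet table above. 7.6 is not affected; all of 6.0 is affected with no fix.
FORTIOS_RANGES = {
    (7, 4): ("7.4.0", "7.4.2", "7.4.3"),
    (7, 2): ("7.2.0", "7.2.6", "7.2.7"),
    (7, 0): ("7.0.0", "7.0.13", "7.0.14"),
    (6, 4): ("6.4.0", "6.4.14", "6.4.15"),
    (6, 2): ("6.2.0", "6.2.15", "6.2.16"),
}


def panos_vulnerable(version: str) -> bool:
    """True if this PAN-OS build is below the first fixed build of its train."""
    v = parse_version(version)
    fixed = PANOS_FIXED.get(v[:2])
    if fixed is None:
        return False  # train not listed in the advisory
    return v < parse_version(fixed)


def fortios_vulnerable(version: str) -> bool:
    """True if this FortiOS build sits inside the affected range of its train."""
    v = parse_version(version)
    if v[:2] == (6, 0):
        return True  # every 6.0 release is affected and there is no fix on that train
    rng = FORTIOS_RANGES.get(v[:2])
    if rng is None:
        return False  # e.g. 7.6, not affected
    low, high, _fix = (parse_version(x) for x in rng)
    return low <= v <= high


def fortios_fix_for(version: str) -> str:
    """The upgrade target for an affected FortiOS build, per the table above."""
    v = parse_version(version)
    if v[:2] == (6, 0):
        return "migrate to a fixed release"
    return FORTIOS_RANGES[v[:2]][2]


if __name__ == "__main__":
    for build in ("10.2.9", "10.2.9-h1", "11.1.3", "10.1.11"):
        print(f"PAN-OS {build:10} vulnerable: {panos_vulnerable(build)}")
    for build in ("7.4.2", "7.4.3", "7.6.0", "6.0.15"):
        print(f"FortiOS {build:9} vulnerable: {fortios_vulnerable(build)}")
```

    Feed it the version reported by the device (for PAN-OS the sw-version field of `show system info`, for FortiOS the output of `get system status`) and treat any "True" as an upgrade-now result; a version comparison is no substitute for also checking whether the exposed service (GlobalProtect or the SSL VPN portal) is actually reachable from untrusted networks.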

  • Strengthening Enterprise Security with Shield 53 DNS Virtual Appliance


    In today’s digital age, the security of an enterprise’s network and data is paramount. Cyber threats continue to evolve, making it essential for organizations to implement robust security measures. One such critical component is DNS (Domain Name System) protection, and Shield 53 Virtual Appliances are leading the way in providing cutting-edge solutions to safeguard your enterprise.

    DNS Protection: A Vital Element of Enterprise Security

    DNS serves as the internet’s address book, translating user-friendly domain names into IP addresses that computers use to identify each other. Unfortunately, cybercriminals often exploit DNS to launch attacks, such as phishing, malware distribution, and data exfiltration. This is where DNS filtering becomes crucial.

    Real-time Protection

    Shield 53 Virtual Appliances offer real-time DNS protection for your enterprise. By constantly monitoring and analyzing DNS requests, they can block unwanted and malicious domain requests instantaneously. This proactive approach to security helps prevent cyber threats from even reaching your network, significantly reducing the risk of security breaches.

    Enforcing a Minimum Security Baseline

    DNS filtering allows organizations to establish and enforce a minimum security baseline. It ensures that all DNS requests conform to predetermined security policies, blocking access to potentially harmful or unapproved websites. This not only enhances security but also helps in regulatory compliance and maintaining a safe and productive work environment.

    Seamless Integration

    One of the key advantages of Shield 53 DNS Virtual Appliances is their seamless integration with local DNS servers. This integration simplifies the migration and setup process, ensuring a smooth transition without disruptions to your network operations. Whether you are a large enterprise or a smaller organization, Shield 53 can be tailored to fit your specific needs.

    Benefits of Shield 53 DNS Virtual Appliances:

    1. Enhanced Security: Shield 53 offers a robust defense against DNS-based threats, significantly reducing the risk of data breaches and other cyberattacks.
    2. Improved Compliance: By enforcing security policies and blocking access to inappropriate websites, Shield 53 helps organizations meet compliance requirements.
    3. Ease of Integration: The seamless integration with local DNS servers means minimal downtime and reduced complexities during setup.
    4. Real-time Protection: Shield 53 acts swiftly to block malicious domain requests in real-time, ensuring threats are neutralized before they can cause harm.
    5. Customization: Tailor Shield 53 to match your organization’s specific needs, whether you require a comprehensive solution for a large enterprise or a more streamlined setup for a smaller business.

    In conclusion, Shield 53 DNS Virtual Appliances provide a crucial layer of security for your enterprise. By proactively blocking unwanted and malicious domain requests, enforcing security policies, and seamlessly integrating with your existing DNS infrastructure, Shield 53 helps reduce corporate risk and strengthen your organization’s overall cybersecurity posture. Don’t wait until the next cyber threat emerges; invest in Shield 53 today to fortify your enterprise’s defenses and protect your data from evolving online dangers.

    Visit www.shield53.com to find out more.

  • What is Secure DNS


    Within the industry there has been a lot of talk lately about DNS over HTTPS (DoH) and how adversaries use the channel for command-and-control (C2) lookups and data exfiltration via DNS tunnelling, evading detection by security tooling that only inspects plaintext DNS on port 53.

    Encrypted DNS Protocols

    • DNS over HTTPS (DoH)
    • DNS over TLS (DoT)
    • DNSCrypt

    By default DoH runs over TCP port 443 and DoT over TCP port 853, while DNSCrypt services commonly listen on both TCP and UDP port 443. The three protocols differ in framing but achieve the same goal: DNS queries are carried over an encrypted channel to a resolver that answers them, so an intermediate network device sees only ciphertext.

    Controlling DNS

    Many enterprise networks are blind here: they neither see nor prevent unknown outbound DNS queries. To solve the visibility and enforcement problem, establish egress choke points, force all name resolution through sanctioned resolvers, and block unauthorised channels such as DoH, DoT, DNSCrypt, Tor, I2P and Freenet.
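    The following is an added example, not Shield53 code, of the detection side of that control: it walks egress connection records and flags DNS that bypasses the sanctioned resolvers, using the ports listed above. The log format (ts,src,dst,proto,dport,sni), the approved resolver addresses, the DoH hostname list and the sample lines are all constructed for this example; substitute your own egress logs and resolver inventory.

```python
"""Added example, not Shield53 code: flag outbound connections that carry DNS
outside the sanctioned resolvers, using the ports listed above. The log
format (ts,src,dst,proto,dport,sni), the approved resolver addresses and the
DoH hostname list are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Assumptions for this example: only these internal resolvers may be queried
# directly, and these are the public DoH endpoints matched by TLS SNI.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}


@dataclass
class Conn:
    ts: str
    src: str
    dst: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    proto: str
    dport: int
    sni: str


def parse_line(line: str) -> Conn:
    """Constructed record format: ts,src,dst,proto,dport,sni (sni may be empty)."""
    ts, src, dst, proto, dport, sni = line.strip().split(",")
    return Conn(ts, src, ipaddress.ip_address(dst), proto.lower(), int(dport), sni.lower())


def classify(c: Conn) -> Optional[str]:
    """Return a finding for DNS that bypasses the central control layer, else None."""
    if c.dport == 53 and c.dst not in APPROVED_RESOLVERS:
        return "plain DNS to unapproved resolver"
    if c.proto == "tcp" and c.dport == 853:
        return "DNS over TLS"
    if c.proto == "tcp" and c.dport == 443 and c.sni in KNOWN_DOH_SNI:
        # Ordinary browsing to these names is rare and blocked anyway, so SNI is
        # a serviceable signal; DoH to a custom hostname needs an IP blocklist
        # or TLS inspection, because the query itself is encrypted.
        return "DNS over HTTPS"
    if c.proto == "udp" and c.dport == 443:
        # DNSCrypt has no SNI to match on; DNS over QUIC also lands here.
        return "UDP/443 (possible DNSCrypt or DNS over QUIC), inspect"
    return None


def find_bypasses(log: str) -> List[Tuple[str, str, str, str]]:
    """(ts, src, dst, verdict) for every record that is a DNS bypass."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        c = parse_line(line)
        verdict = classify(c)
        if verdict:
            findings.append((c.ts, c.src, str(c.dst), verdict))
    return findings


# Constructed sample egress log: one sanctioned query, then four bypass attempts
# and one ordinary HTTPS session that must not be flagged.
SAMPLE_LOG = """\
2024-04-12T09:00:01Z,10.0.5.21,10.0.0.53,udp,53,
2024-04-12T09:00:02Z,10.0.5.21,8.8.8.8,udp,53,
2024-04-12T09:00:03Z,10.0.5.22,1.1.1.1,tcp,853,
2024-04-12T09:00:04Z,10.0.5.23,104.16.248.249,tcp,443,cloudflare-dns.com
2024-04-12T09:00:05Z,10.0.5.23,142.250.72.46,tcp,443,www.google.com
2024-04-12T09:00:06Z,10.0.5.24,9.9.9.9,udp,443,
"""

if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_LOG):
        print(*finding)
```

    The sanctioned query to 10.0.0.53 produces nothing; the other four DNS-carrying records are reported, and plain HTTPS to www.google.com is left alone. On a real network the same rules belong in the egress firewall as blocks, not only in a detection script, and the DoH list needs to be maintained as resolvers come and go.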

    Shield53 offers many strategies to enforce DNS Filtering controls to prevent malicious and unwanted websites. Ask your CISO today if egress DNS traffic is passing through a central control layer where it is inspected and can be blocked in real time.


  • What is DNS


    Introduction to DNS

    Getting started, most people need to understand DNS and how they use it in their daily life. Let’s start by establishing some knowledge about DNS and DNS security.

    The domain name system (DNS) works like a postal code or phone book for the internet. When you type “shield53.com” into your browser, a DNS server translates that text into a number called an internet protocol (IP) address. For example, “shield53.com” translates to the IP address 198.185.159.144.

    When you open a web browser and go to a website, you don’t have to remember and enter a long number. Instead, you can enter a domain name like “example.com” and still end up in the right place.

    DNS filtering can be used as a security layer to mitigate threats and reduce risk in real time. It is a simple technique: the resolver refuses to hand back the real address of a web page or IP address that is known to be malicious or unwanted. Once a DNS filter is enabled, you can browse the internet knowing that it will stop you from reaching a malicious website and instead show you a “block page” in your web browser.
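    The following is an added example, not Shield53 code, of the decision a filtering resolver makes before it answers: it normalises the queried name, matches it label by label against a blocklist (so a blocked domain covers all of its subdomains but not look-alike names), lets an allowlist override, and for blocked names synthesises an answer pointing at the block page. The blocklist, allowlist, block-page address and the DnsFilter class are all constructed for this example.

```python
"""Added example, not Shield53 code: the policy decision inside a filtering DNS
resolver. Blocklist and allowlist entries match a name and every subdomain of
it, label by label; the allowlist wins; blocked names get an A record pointing
at the block page. All names and the block-page address are constructed.
"""
from typing import Iterable, Iterator, Set

BLOCK_PAGE_IP = "192.0.2.53"  # documentation-range address standing in for the block page


class DnsFilter:
    def __init__(self, blocklist: Iterable[str], allowlist: Iterable[str] = ()):
        self.blocklist: Set[str] = {self._normalise(d) for d in blocklist}
        self.allowlist: Set[str] = {self._normalise(d) for d in allowlist}

    @staticmethod
    def _normalise(name: str) -> str:
        """DNS names are case-insensitive and may carry a trailing dot."""
        return name.strip().rstrip(".").lower()

    @staticmethod
    def _suffixes(name: str) -> Iterator[str]:
        """'cdn.evil.example' -> 'cdn.evil.example', 'evil.example', 'example'."""
        labels = name.split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])

    def _matches(self, name: str, ruleset: Set[str]) -> bool:
        # Label-wise suffix match: 'notevil.example' never matches 'evil.example'.
        return any(suffix in ruleset for suffix in self._suffixes(name))

    def decide(self, qname: str) -> dict:
        """What the resolver does with an A query for qname."""
        name = self._normalise(qname)
        if self._matches(name, self.allowlist):
            return {"action": "allow", "reason": "allowlisted"}
        if self._matches(name, self.blocklist):
            # Sinkhole: answer with the block page so the browser shows it
            # instead of the real site. A short TTL keeps policy changes quick.
            return {"action": "block", "reason": "blocklisted",
                    "answer": {"name": name, "type": "A", "ttl": 60, "data": BLOCK_PAGE_IP}}
        return {"action": "allow", "reason": "no rule"}


if __name__ == "__main__":
    # Constructed policy for the demo
    f = DnsFilter(blocklist=["evil.example", "malware.test"], allowlist=["safe.evil.example"])
    for q in ("EVIL.example.", "cdn.evil.example", "safe.evil.example", "notevil.example"):
        print(q, "->", f.decide(q))
```

    The two cases worth noticing are “notevil.example”, which a naive substring check would block but the label-wise match correctly allows, and “safe.evil.example”, which shows why allowlist checks must run before blocklist checks when an exception sits inside a blocked zone.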
