Category: Cybersecurity

  • Recent Cyber Attacks in 2024

    The year 2024 has seen a significant rise in cyber attacks, highlighting the urgent need for robust cybersecurity measures across all sectors. One of the most notable incidents involved Bank of America, which suffered a data breach affecting 57,028 individuals due to a cyberattack on Infosys McCamish Systems, a third-party service provider. This breach exposed sensitive information such as names, social security numbers, and account details, emphasizing the cascading risks associated with interconnected service ecosystems (Techopedia).

    In another major incident, McLaren Health Care in Michigan reported a data breach that compromised the personal information of approximately 2.2 million patients. This breach, which went undetected for nearly a month, exposed critical data including full names, social security numbers, and personal health information. The affected individuals are being offered credit monitoring and identity protection services to mitigate the impact of the breach (Firewall Times).

    Furthermore, the cyber landscape saw a sophisticated attack on the Indian Council of Medical Research (ICMR), affecting around 815 million individuals. This breach exposed sensitive data related to COVID-19 testing and highlighted the vulnerabilities in health data management systems. Such large-scale breaches underscore the importance of stringent cybersecurity measures and proactive threat management to protect sensitive information from malicious actors (Termly).

    These recent hacks serve as a stark reminder of the evolving threat landscape and the necessity for continuous vigilance and advanced cybersecurity practices. As cybercriminals become more sophisticated, organizations must prioritize their cybersecurity strategies to safeguard against potential breaches and ensure the protection of critical data.

    By partnering with Shield53, organizations can proactively defend against cyber threats, protect their critical data, and ensure resilience in the face of evolving cybersecurity challenges. Contact us today to learn more about how we can help secure your digital future.

  • Critical PAN-OS CVE-2024-3400 used by Threat Actors

    Yesterday Palo Alto Networks issued a critical security alert regarding a flaw in its PAN-OS software, commonly used in GlobalProtect gateways. Tracked as CVE-2024-3400, this vulnerability has been assigned a CVSS score of 10.0, the maximum severity.

    This vulnerability, classified as a command injection flaw, poses a significant risk as it could potentially allow an unauthorized attacker to execute arbitrary code with root privileges on affected firewalls. The impacted versions of PAN-OS include:

    • PAN-OS < 11.1.2-h3
    • PAN-OS < 11.0.4-h1
    • PAN-OS < 10.2.9-h1

    It’s important to note that this issue specifically affects firewalls configured with both GlobalProtect gateway and device telemetry enabled.

    Palo Alto Networks is actively working on fixes, which are anticipated to be released on April 14, 2024. In the interim, if your organization has a Threat Prevention subscription from Palo Alto, it is strongly advised to enable Threat ID 95187 to bolster your defenses against potential threats exploiting this vulnerability.

    Mitigation Strategies

    • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure that a vulnerability protection profile has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. More information here

    • Those unable to apply the Threat Prevention mitigation can mitigate by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.

    Although detailed information about the attacks leveraging this vulnerability is limited, your organization must remain vigilant. This development aligns with a concerning trend where threat actors, particularly of Chinese origin, have increasingly exploited zero-day flaws in various networking products to infiltrate targets and establish clandestine access points.

  • The Growing Ransomware Threat in 2024

    Ransomware attacks have surged in 2024, presenting a significant and growing threat to organizations worldwide. According to the latest reports, ransomware incidents have increased by 68% compared to the previous year. Notably, the LockBit ransomware gang has been responsible for some of the largest ransom demands, including a staggering $80 million following an attack on Royal Mail. These attacks have become more sophisticated, with cybercriminals utilizing zero-day vulnerabilities and evolving their tactics to target a higher volume of victims simultaneously (Sophos News) (Rapid7).

    The financial impact of ransomware attacks has also escalated. The average ransom payment has increased fivefold over the last year, from $400,000 to $2 million (Rapid7) (SecurityWeek). Interestingly, while the number of attacks has slightly decreased, the overall recovery costs have soared to an average of $2.73 million per incident, highlighting the substantial financial burden on affected organizations. Despite these rising costs, more than half of the organizations hit by ransomware have admitted to paying the ransom to recover their data, reflecting the desperation and critical nature of these situations.

    Moreover, the threat landscape continues to evolve with an increasing trend of data exfiltration, where cybercriminals steal sensitive data in addition to encrypting systems. This dual threat of data theft and encryption has intensified the pressure on organizations to bolster their cybersecurity measures. Ransomware remains a top priority for executive leadership, with many companies making significant investments in prevention and recovery strategies, and combating this menace clearly requires continuous vigilance and robust security practices (Malwarebytes) (SecurityWeek).

    For more details on the latest ransomware trends and defense strategies, refer to the comprehensive reports from Sophos, Rapid7, and Malwarebytes (Sophos News) (Rapid7) (Malwarebytes) (SecurityWeek).

  • Critical Exchange Vulnerability CVE-2024-21410
    • CVE: CVE-2024-21410
    • Severity: CRITICAL
    • Priority: CRITICAL

    Summary

    Today, Microsoft issued a renewed security advisory cautioning about a critical vulnerability within Exchange Server, which was exploited as a zero-day before being addressed during this month’s Patch Tuesday.

    Internally discovered and identified as CVE-2024-21410, this vulnerability enables remote unauthenticated threat actors to escalate privileges through NTLM relay attacks aimed at susceptible versions of Microsoft Exchange Server.

    During such attacks, the threat actor compels a network device, which may include servers or domain controllers, to authenticate against an NTLM relay server under their control. This maneuver allows them to mimic the targeted devices and elevate privileges.

    Microsoft elaborates, stating, “An attacker could exploit an NTLM client such as Outlook with a vulnerability that leaks NTLM credentials.”

    “The compromised credentials can then be relayed to the Exchange server to gain privileges as the compromised client and execute actions on the Exchange server on behalf of the victim.

    “An attacker who successfully exploits this vulnerability could relay a user’s leaked Net-NTLMv2 hash to a vulnerable Exchange Server and authenticate as the user.”

    Recommended Remediation

    To mitigate this threat, install Exchange Server 2019 Cumulative Update 14 (CU14), released during the February 2024 Patch Tuesday. CU14 addresses this vulnerability by activating NTLM credential relay protections (also referred to as Extended Protection for Authentication, or EPA).

    Microsoft is automatically enabling Windows Extended Protection on Exchange servers after installing this month’s 2024 H1 Cumulative Update (aka CU14).

    Extended Protection (EP) will automatically be toggled on by default when installing Exchange Server 2019 CU14 (or later) to strengthen Windows Server auth functionality to mitigate authentication relay and man-in-the-middle (MitM) attacks.

  • 2024-02-14 – Microsoft patches zero-days exploited by attackers

    • CVE: CVE-2024-21412 + CVE-2024-21351 + CVE-2024-21410
    • Severity: CRITICAL
    • Priority: CRITICAL

    CVE-2024-21351 represents a loophole in the Windows SmartScreen security feature, enabling malicious actors to bypass it and potentially deliver malware by tricking users into opening compromised files.

    Exploiting this vulnerability allows unauthorized injection of code into SmartScreen, potentially leading to data exposure or system unavailability. Windows typically employs Mark-of-the-Web (MotW) to discern files from untrusted origins. However, SmartScreen bypasses within Windows Defender enable attackers to circumvent this scrutiny and execute code discreetly.

    Although Microsoft hasn’t disclosed the extent of these attacks, it’s prudent to anticipate a rise in exploits as threat actors incorporate this method into their arsenals.

    It’s crucial to promptly test and apply patches for both CVE-2024-21412 and CVE-2024-21351 to mitigate these risks effectively.

    Trend Micro has an excellent blog article on this attack.

    CVE-2024-21410, identified as an elevation of privilege flaw within Microsoft Exchange Server, warrants immediate attention for patching. However, addressing this vulnerability fully may pose challenges as it necessitates additional administrative actions.

    Exploiting CVE-2024-21410 could potentially lead to the exposure of NTLM credentials belonging to a targeted user. These credentials could then be exploited in NTLM relay or pass-the-hash attacks, enabling the attacker to authenticate as the targeted user. Satnam Narang, senior staff research engineer at Tenable, emphasizes the value of flaws like these to attackers, citing a similar vulnerability (CVE-2023-23397) exploited by a Russian-based threat actor.

    Additionally, CVE-2024-21413 presents a remote code execution vulnerability affecting Microsoft Office. This vulnerability could allow attackers to circumvent the Office Protected View and open a file in editing mode, potentially enabling code execution. Of particular concern is the possibility of code execution occurring within the Preview Pane.

    Addressing CVE-2024-21413 requires users of both the 32- and 64-bit versions of Office 2016 to install multiple updates to fully mitigate the vulnerability.

  • Fortinet exploit used in the Wild | CVE-2024-21762

    Fortinet Firewall SSL VPN

    • CVE: CVE-2024-21762
    • Severity: CRITICAL
    • Priority: CRITICAL

    Summary

    • Fortinet is warning that a new critical remote code execution vulnerability in FortiOS SSL VPN is potentially being exploited in attacks.
    • You will only be impacted if your SSL VPN portal is accessible to the public.
    • The flaw (tracked as CVE-2024-21762 / FG-IR-24-015) received a 9.6 severity rating and is an out-of-bounds write vulnerability in FortiOS that allows unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests.

    Out-of-bounds Write in SSLVPND

    • An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
    • Note: This is potentially being exploited in the wild.

    Remediation

    • Upgrade to Unaffected Version
    • Disable SSL VPN (disabling webmode alone is NOT a valid workaround)

    Version        Affected                  Solution
    -------------  ------------------------  ---------------------------
    FortiOS 7.6    Not affected              Not applicable
    FortiOS 7.4    7.4.0 through 7.4.2       Upgrade to 7.4.3 or above
    FortiOS 7.2    7.2.0 through 7.2.6       Upgrade to 7.2.7 or above
    FortiOS 7.0    7.0.0 through 7.0.13      Upgrade to 7.0.14 or above
    FortiOS 6.4    6.4.0 through 6.4.14      Upgrade to 6.4.15 or above
    FortiOS 6.2    6.2.0 through 6.2.15      Upgrade to 6.2.16 or above
    FortiOS 6.0    6.0 all versions          Migrate to a fixed release
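    Both the PAN-OS advisory above (affected below 11.1.2-h3, 11.0.4-h1 and 10.2.9-h1, and only when the GlobalProtect gateway and device telemetry are both enabled) and the FortiOS table come down to the same operational task: compare each device's version string against the fixed build for its branch, then account for whether the exposed feature is actually on. The script below is an added example, not code from Palo Alto Networks, Fortinet or Shield53; it encodes only the thresholds and conditions stated in the two advisories, handles the PAN-OS hotfix suffix (so plain 11.1.2 sorts below 11.1.2-h3), and runs over a constructed inventory. Device names, the inventory field names and the status labels are assumptions for the example.

```python
"""Inventory triage for PAN-OS CVE-2024-3400 and FortiOS CVE-2024-21762.

Added example (not vendor code). Version thresholds and exposure conditions
are taken from the advisory text on this page; the inventory is constructed.
"""
import re

VULNERABLE = "VULNERABLE"
FIXED = "fixed"
NOT_AFFECTED = "not affected"
NOT_LISTED = "branch not listed in advisory"
EXPOSURE_OFF = "affected build, vulnerable feature not enabled"

_PANOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
_FORTIOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_panos(version):
    """'11.1.2-h3' -> (11, 1, 2, 3). A build with no hotfix suffix gets hotfix 0,
    so 11.1.2 compares below 11.1.2-h3 as the advisory intends."""
    m = _PANOS_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised PAN-OS version: %r" % version)
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def parse_fortios(version):
    """'7.4.2' -> (7, 4, 2)."""
    m = _FORTIOS_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised FortiOS version: %r" % version)
    return tuple(int(x) for x in m.groups())


# First fixed build per PAN-OS branch; anything below it is affected.
PANOS_FIXED = {(11, 1): (11, 1, 2, 3), (11, 0): (11, 0, 4, 1), (10, 2): (10, 2, 9, 1)}

# FortiOS table: None = branch not affected, "migrate" = every build affected.
FORTIOS_FIXED = {
    (7, 6): None, (7, 4): (7, 4, 3), (7, 2): (7, 2, 7), (7, 0): (7, 0, 14),
    (6, 4): (6, 4, 15), (6, 2): (6, 2, 16), (6, 0): "migrate",
}


def fmt(v):
    """Render a parsed version back to vendor notation (hotfix suffix only if non-zero)."""
    base = ".".join(str(x) for x in v[:3])
    return base + ("-h%d" % v[3] if len(v) == 4 and v[3] else "")


def assess_panos(version, globalprotect_gateway, device_telemetry):
    v = parse_panos(version)
    fixed = PANOS_FIXED.get(v[:2])
    if fixed is None:
        return NOT_LISTED, "branch not named in the advisory; confirm with the vendor"
    if v >= fixed:
        return FIXED, "no action"
    # Advisory: only firewalls with BOTH GlobalProtect gateway and device telemetry enabled.
    if not (globalprotect_gateway and device_telemetry):
        return EXPOSURE_OFF, "upgrade to %s at the next window; keep telemetry off until then" % fmt(fixed)
    return VULNERABLE, "upgrade to %s; until then enable Threat ID 95187 or disable device telemetry" % fmt(fixed)


def assess_fortios(version, sslvpn_enabled):
    v = parse_fortios(version)
    if v[:2] not in FORTIOS_FIXED:
        return NOT_LISTED, "branch not in the advisory table; confirm with the vendor"
    rule = FORTIOS_FIXED[v[:2]]
    if rule is None:
        return NOT_AFFECTED, "no action"
    if rule == "migrate":
        remedy = "migrate to a fixed release"
    elif v >= rule:
        return FIXED, "no action"
    else:
        remedy = "upgrade to %s or above" % fmt(rule)
    # Advisory: exposure is through the SSL VPN portal; turning off webmode alone is not a workaround.
    if not sslvpn_enabled:
        return EXPOSURE_OFF, remedy + " before re-enabling SSL VPN"
    return VULNERABLE, remedy + ", or disable SSL VPN now"


def triage(inventory):
    """Return (device, status, action) per entry; unknown platforms are flagged, not skipped."""
    report = []
    for dev in inventory:
        if dev["platform"] == "panos":
            status, action = assess_panos(dev["version"], dev["gp_gateway"], dev["telemetry"])
        elif dev["platform"] == "fortios":
            status, action = assess_fortios(dev["version"], dev["sslvpn"])
        else:
            status, action = NOT_LISTED, "platform not covered by these advisories"
        report.append((dev["name"], status, action))
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    {"name": "fw-edge-1", "platform": "panos", "version": "11.1.2", "gp_gateway": True, "telemetry": True},
    {"name": "fw-edge-2", "platform": "panos", "version": "11.1.2-h3", "gp_gateway": True, "telemetry": True},
    {"name": "fw-dc-1", "platform": "panos", "version": "10.2.8", "gp_gateway": True, "telemetry": False},
    {"name": "vpn-1", "platform": "fortios", "version": "7.4.2", "sslvpn": True},
    {"name": "vpn-2", "platform": "fortios", "version": "7.0.14", "sslvpn": True},
    {"name": "vpn-3", "platform": "fortios", "version": "6.0.12", "sslvpn": False},
    {"name": "vpn-4", "platform": "fortios", "version": "7.6.0", "sslvpn": True},
]

if __name__ == "__main__":
    for name, status, action in triage(SAMPLE_INVENTORY):
        print("%-10s %-48s %s" % (name, status, action))
```

    Feed it the output of your own asset inventory in the same shape and the report separates three things that get conflated in a rush: builds already on the fixed version, affected builds whose exposed feature is off (still need the upgrade, but not an emergency), and devices that are both on an affected build and exposed. Branches the advisories do not mention are reported as unlisted rather than assumed safe.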