Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security...
How we foiled a new customer’s 5-month-hidden cyberattack
In August 2023, a new customer partnered with CloudGuard to enhance their cybersecurity posture. Little did they know that within days of going live with the CloudGuard Protect MXDR service, a multi-stage incident lurking in their environment would be exposed. This case study delves into the incident, highlighting the importance of robust threat detection and incident response.
CloudGuard’s Protect MXDR service wasted no time in proving its worth. Within days of deployment, it raised the alarm on a serious security incident. Suspicious commands and tasks were cleverly concealed within Base64 encrypted payloads, making detection by traditional means nearly impossible. The SOC (Security Operations Centre) team quickly sprang into action.
Decoding the threat
The SOC team’s expertise was put to the test as they successfully decoded the encrypted payloads. What they unveiled was chilling: a discreet form of malware had been making recurring attempts to manipulate the registry in the customer’s environment since March 2023. The threat actors behind this attack were not to be underestimated.
One of the crucial aspects of threat detection is understanding the adversary. In this case, CloudGuard’s automated threat intelligence and threat enrichment capabilities swiftly linked the attack to notorious threat actors, suspecting Emotet or Gozi to be the threat group . This attribution provided critical context for the incident response.
Rapid response is key
Time is of the essence in the world of cybersecurity, and CloudGuard proved its worth once again. Within a mere 20 minutes of detecting the threat, CloudGuard’s MXDR service had not only exposed the malicious command lines but also alerted the customer about the critical incident. Furthermore, it provided detailed remediation actions, including isolating and rebuilding the affected machine.
The timeline of this incident is notable. The malware had infiltrated the customer’s environment in March 2023, long before their partnership with CloudGuard began in August. This highlights the importance of continuous monitoring and detection capabilities, as threats may remain dormant for extended periods.
Moreover, the incident showcases the value of an integrated MXDR service like CloudGuard’s. Rapid detection, immediate alerting, and actionable remediation guidance proved invaluable in mitigating the threat swiftly.
While the immediate threat was addressed efficiently, the work is far from over. An ongoing investigation aims to uncover how the malware gained a foothold in the environment and whether any damage was inflicted. The incident underscores the need for proactive threat hunting and post-incident analysis to strengthen defences against future attacks.
The importance of cybersecurity
The CloudGuard Protect MXDR service proved its ability in unearthing a stealthy, long-standing threat within a new customer’s environment. The incident proves the importance of robust threat detection, rapid incident response, and continuous monitoring.
As organisations continue to face evolving and sophisticated threats, services like CloudGuard’s MXDR play a crucial role in bolstering cybersecurity defences. The swift identification and mitigation of this incident highlight the value of proactive cybersecurity measures in safeguarding sensitive data and business continuity.
In an era where cyber threats are ever-present, CloudGuard remains dedicated to helping its customers navigate the digital landscape securely and confidently. This case study proves our commitment to safeguarding organisations against even the most insidious threats.
Critical Chatter: Apple, Cisco, Android, and Mircosoft vulnerabilities
Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).
Top stories – 8 September 2023
- Apple zero-click iMessage exploit used to infect iPhones with spyware
- Cisco BroadWorks impacted by critical authentication bypass flaw
- CISA warning: Nation-state hackers exploit Fortinet and Zoho vulnerabilities
- Zero-day alert: Latest Android patch update includes fix for newly actively exploited flaw
- W3LL Gang compromises thousands of Microsoft 365 accounts
Apple zero-click iMessage exploit used to infect iPhones with spyware
- Apple has patched two zero-day vulnerabilities exploited by NSO Group’s Pegasus spyware in an emergency update. These flaws allowed attackers to compromise fully-patched iPhones running iOS 16.6 via iMessage attachments.
- CVE-2023-41064, a buffer overflow issue, and CVE-2023-41061, a validation problem, enabled attackers to execute arbitrary code on various Apple devices.
- Apple quickly fixed these issues in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. Users should update their devices immediately, and those at risk should activate Lockdown Mode. This incident highlights the importance of timely security updates.
In an emergency security update, Apple has patched two zero-day vulnerabilities actively exploited by the NSO Group’s Pegasus spyware. These vulnerabilities, identified as CVE-2023-41064 and CVE-2023-41061, enabled attackers to compromise fully-patched iPhones running iOS 16.6 without any user interaction.
The attack, known as BLASTPASS, exploited PassKit attachments containing malicious images sent via iMessage. Citizen Lab, alongside Apple, discovered these vulnerabilities in the Image I/O and Wallet frameworks.
CVE-2023-41064 is a buffer overflow flaw triggered by maliciously crafted images, while CVE-2023-41061 is a validation issue that attackers can exploit via malicious attachments. Both vulnerabilities allowed threat actors to execute arbitrary code on unpatched iPhones, iPads, Macs running macOS Ventura, and Apple Watch Series 4 and later.
Apple swiftly addressed these issues in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, improving logic and memory handling. Citizen Lab urged Apple users to update their devices immediately and recommended activating Lockdown Mode for individuals at risk of targeted attacks due to their identity or profession.
This marks the latest in a series of zero-day vulnerabilities that Apple has patched this year, totaling 13 across iOS, macOS, iPadOS, and watchOS, highlighting the ongoing need for vigilant security measures and timely updates.
Cisco BroadWorks impacted by critical authentication bypass flaw
- A critical vulnerability (CVE-2023-20238) in Cisco BroadWorks platforms allows remote attackers to forge credentials and bypass authentication, potentially gaining extensive control.
- Exploiting this flaw could enable attackers to execute commands, access data, and commit toll fraud within Cisco’s cloud communication services.
- Cisco advises users to update to specific versions to address the issue promptly, as there are no current reports of active exploitation.
A critical vulnerability affecting Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform has been discovered, tracked as CVE-2023-20238, with a maximum CVSS score of 10.0 (critical). This vulnerability allows remote attackers to forge credentials and bypass authentication, potentially granting them extensive control over affected systems.
The impacted platforms are integral to Cisco’s cloud communication services for businesses and consumers. Threat actors exploiting this flaw can execute commands, access confidential data, modify user settings, and commit toll fraud.
The vulnerability is linked to the validation of Single Sign-On (SSO) tokens. Attackers can authenticate to the application using forged credentials. The extent of their access depends on the privilege level of the compromised account, with “administrator” accounts posing the greatest risk.
Notably, attackers need a valid user ID linked to the targeted Cisco BroadWorks system, which limits the potential attackers but does not eliminate the risk.
To address this issue, Cisco recommends updating to specific versions: AP.platform.23.0.1075.ap385341 for users of the 23.0 branch and versions 2023.06_1.333 or 2023.07_1.332 for users of the release-independent (RI) edition. However, users of the 22.0 branch will not receive a security update and should consider migrating to a fixed release.
While there are no current reports of active exploitation, system administrators are advised to apply the provided updates promptly to mitigate the risk.
CISA warning: Nation-state hackers exploit Fortinet and Zoho vulnerabilities
- CISA warns of nation-state actors exploiting CVE-2022-47966, a critical remote code execution vulnerability, in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.
- In a recent incident response case, attackers gained root-level access, downloaded malware, collected credentials, and moved laterally after exploiting CVE-2022-47966.
- The attackers also leveraged CVE-2022-42475 in Fortinet FortiOS SSL-VPN and attempted to exploit CVE-2021-44228 (Log4Shell). To mitigate these risks, organisations should apply updates, monitor remote access software, and eliminate unnecessary accounts and groups.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding multiple nation-state actors exploiting vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. These attacks involve the use of CVE-2022-47966, a critical remote code execution flaw, to gain unauthorised access and establish persistence on compromised systems. This vulnerability has a high severity score.
In one incident response engagement at an unnamed aeronautical sector organisation from February to April 2023, it was discovered that the attackers had started their malicious activities as early as January 18, 2023. After exploiting CVE-2022-47966, threat actors gained root-level access to the web server, downloaded additional malware, collected administrative user credentials, and moved laterally through the network.
A second initial access vector involved the exploitation of CVE-2022-42475, a severe vulnerability in Fortinet FortiOS SSL-VPN, to access the firewall. The attackers used disabled legitimate administrative account credentials from a previously hired contractor, taking advantage of the disabled user’s credentials.
The attackers also initiated Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating data transfer from the firewall device. They disabled administrative account credentials and deleted logs on critical servers to conceal their activities. Additionally, they installed AnyDesk on multiple hosts, with the method of installation remaining unknown.
The threat actors attempted to exploit CVE-2021-44228 (Log4Shell) in the ServiceDesk system but were unsuccessful. They also utilised ConnectWise ScreenConnect to download and run the credential dumping tool Mimikatz.
While the identity of the threat groups is undisclosed, U.S. Cyber Command hinted at Iranian nation-state involvement. To mitigate these risks, organisations are advised to apply the latest updates, monitor remote access software for unauthorised use, and eliminate unnecessary accounts and groups to prevent their misuse.
Zero-day alert: Latest Android patch update includes fix for newly actively exploited flaw
- Google’s monthly Android security patches include fixes for multiple vulnerabilities, including a possibly exploited zero-day bug (CVE-2023-35674) in the Android Framework, raising concerns about targeted attacks.
- The update addresses a critical security flaw in the System component, which could result in remote code execution without user interaction.
- In total, 14 vulnerabilities in the System module and two in the MediaProvider component were fixed, emphasizing the importance of these updates for Android users to protect their devices.
Google has released its monthly Android security patches, addressing multiple vulnerabilities, including a zero-day bug, possibly already exploited in targeted attacks. The high-severity vulnerability, tracked as CVE-2023-35674, is a privilege escalation issue within the Android Framework, though Google provided limited details about its exploitation. Three additional privilege escalation flaws in Framework were also addressed, with one considered highly severe, allowing local privilege escalation without user interaction.
Another critical security vulnerability was fixed in the System component, potentially leading to remote code execution without user interaction. Google evaluated severity based on potential device impact if platform and service mitigations were bypassed. In total, 14 flaws in the System module and two in the MediaProvider component were resolved, with the latter addressed through a Google Play system update.
These updates are essential for Android users to safeguard their devices against potential security risks, especially the zero-day vulnerability that might have been actively exploited.
W3LL Gang compromises thousands of Microsoft 365 accounts
- Cyber group W3LL has compromised 8,000+ corporate Microsoft 365 accounts in 10 months, targeting diverse sectors globally.
- W3LL operates 850+ unique phishing sites and provides a phishing kit, W3LL Panel, to 500+ cybercriminals. The kit targets Microsoft 365 accounts, enabling MFA bypass and facilitating BEC attacks.
- This highlights the need for stronger email security. Experts advise monitoring logins, regular password changes, enforcing multi-factor authentication, employee training, and proactive communication from platform providers like Microsoft to counter evolving cyber threats.
A cyber threat actor known as W3LL has been operating a vast phishing network, successfully compromising over 8,000 corporate Microsoft 365 business accounts in Australia, Europe, and the US in the past 10 months. Group-IB’s investigation reveals that W3LL has targeted at least 56,000 Microsoft 365 accounts since October, boasting a 14.3% success rate.
This cybercriminal group operates nearly 850 unique phishing websites, targeting various industries. W3LL has also established a secretive underground marketplace called W3LL Store, providing a highly sophisticated phishing kit called W3LL Panel to over 500 cybercriminals for launching their campaigns.
The W3LL Panel specifically targets Microsoft 365 accounts, offering multifactor authentication bypass capabilities and 16 other customised tools for business email compromise (BEC) attacks. The market shares profits with affiliates and provides a 10% referral bonus, collectively accumulating $500,000 since last October. W3LL consistently updates its tools, enhancing anti-detection measures and adding new features.
Phishers using W3LL Panel can misuse compromised email accounts for data theft, fake invoice scams, account impersonation, or malware distribution, causing severe consequences for victimised companies.
The rise of W3LL’s sophisticated phishing ecosystem highlights the need for organisations to bolster their email security measures. Experts emphasise the importance of a layered cybersecurity approach, including monitoring login activity, regular password resets, enforcing multi-factor authentication, and employee training.
Additionally, they call for platform providers like Microsoft to proactively communicate updates and issues to protect their customers from such threats. The W3LL threat underscores the evolving sophistication of cybercrime, necessitating increased vigilance and preparedness.
What is Business Email Compromise? How to protect your business
Most business operations and communication happen through email. So, there should be no surprise that cybercriminals have found new ways to exploit vulnerabilities. One such threat that has gained prominence in recent years is Business Email Compromise (BEC).
In this comprehensive guide, we will delve into the world of BEC, exploring what it is, how it works, its various types, and most importantly, how you can defend against it.
- What is Business Email Compromise?
- Type of Business Email Compromise scams
- How do BEC scams work?
- Targets of Business Email Compromise
- The dangers of BEC
- Business Email Compromise examples
- 5 tips to prevent BEC
- Business Email Compromise protection
- The best BEC solution
What is Business Email Compromise (BEC)?
Business Email Compromise, often referred to as BEC, is a sophisticated form of phishing attack that specifically targets organisations. The primary objective of BEC is to deceive individuals within a company into taking actions that compromise the organisation’s financial assets or sensitive information.
BEC attackers pose as trusted figures, such as executives or vendors, to manipulate recipients into carrying out their malicious intentions. This threat has seen a significant uptick in recent years, primarily due to the surge in remote work. In fact, the FBI received nearly 20,000 BEC-related complaints last year alone.
Types of Business Email Compromise scams
BEC attacks come in various forms, each designed to exploit different vulnerabilities within an organisation. Here are some common types of BEC scams:
- Data Theft: Cybercriminals may initiate BEC attacks by targeting the HR department to steal confidential company information, like employee schedules or personal phone numbers. This stolen data can be leveraged in subsequent BEC scams to make the deception appear more convincing.
- False Invoice Scheme: In this type of BEC scam, the attacker poses as a legitimate vendor that your company does business with. They send a fake invoice, often meticulously crafted to resemble a genuine one, with minor alterations such as a slightly different account number. Alternatively, they may claim that their bank is under audit and request payments to a different account.
- CEO Fraud: Scammers either spoof or compromise a CEO’s email account and then instruct employees to make purchases or send money via wire transfers. They might even ask employees to purchase gift cards and provide photos of the serial numbers.
- Lawyer Impersonation: In this scam, attackers gain unauthorised access to a law firm’s email account and send clients fake invoices or links to pay online. While the email address may appear legitimate, the bank account provided is fraudulent.
- Account Compromise: Cybercriminals use phishing or malware to gain access to a finance employee’s email account, such as an accounts receivable manager. Once inside, they send the company’s suppliers fake invoices that request payment to a fraudulent bank account.
How do BEC scams work?
Understanding the mechanics of a BEC scam is crucial in protecting against it. Here’s a step-by-step breakdown of how a BEC scam typically unfolds:
- Research and Identity Deception: Scammers thoroughly research their targets, creating a detailed profile that allows them to convincingly impersonate trusted individuals within the organisation. They may even go as far as creating fake websites or registering companies with names similar to the target.
- Email Monitoring: After gaining access to the victim’s email account, scammers closely monitor email correspondence to identify potential targets for financial transactions. They study email patterns, invoices, and conversations to increase the authenticity of their deception.
- Gaining Trust and Requesting Action: Once the scammer has gathered enough information, they establish trust with the target through a series of email exchanges. Eventually, they request money, gift cards, or sensitive information.
- Email Spoofing: To further deceive the target, scammers may impersonate one of the parties involved by spoofing the email domain. This can involve minor alterations to the email address or sending emails “via” a different domain.
Targets of Business Email Compromise
BEC attacks can target a wide range of individuals and organisations. Common targets include:
- Executives and leaders, whose details are often publicly available on company websites.
- Finance employees, such as controllers and accounts payable staff, who have access to banking details and account numbers.
- HR managers, who possess employee records containing sensitive information.
- New or entry-level employees who may lack experience in verifying email legitimacy.
The dangers of BEC
The consequences of a successful BEC attack can be devastating for organisations. If left unchecked, a BEC attack can lead to:
- Financial Loss: Organisations can lose hundreds of thousands to millions of pounds through fraudulent transactions orchestrated by BEC scammers.
- Identity Theft: Personally identifiable information (PII) can be stolen, leading to widespread identity theft among employees and clients.
- Confidential Data Exposure: BEC attacks may accidentally result in the exposure of sensitive company data, including intellectual property.
As the threat landscape continues to evolve, so do the strategies employed to protect against BEC attacks. For instance, Microsoft alone blocked a staggering 32 billion email threats in 2021, underscoring the importance of robust email security solutions.
Business Email Compromise examples
To illustrate the diversity and sophistication of BEC attacks, here are some real-world examples:
- Pay This Urgent Bill: An employee in the finance department receives an email from what appears to be the CFO, urgently requesting payment for an overdue bill. However, the email is not from the CFO, but from a BEC scammer. Alternatively, the scammer may impersonate a trusted vendor and send a convincing-looking invoice.
- What’s Your Phone Number?: A company executive emails an employee, requesting their phone number for a “quick task.” This seemingly innocuous request is a ploy to shift communication to a more personal medium, such as text messaging, where the scammer hopes to extract sensitive information.
- Your Lease is Expiring: A scammer gains access to a real estate company’s email account and identifies ongoing transactions. They then email clients, providing a link to pay lease-related expenses or renew office leases. In some cases, scammers have swindled victims out of substantial sums of money using this method.
- Top Secret Acquisition: An employee receives an email from their boss, requesting a down payment for the acquisition of a competitor. The email emphasises confidentiality, discouraging the employee from verifying the request. Given the secretive nature of mergers and acquisitions, this scam can appear legitimate at first glance.
5 tips to prevent BEC
Now that you understand the gravity of BEC attacks and their various forms, here are five best practices to help you prevent falling victim to a BEC scam:
- Use a Secure Email Solution: Implement email solutions like Office 365 that automatically flag and delete suspicious emails or alert you when the sender isn’t verified. Additional features like advanced phishing protection and suspicious forwarding detection, available in Defender for Office 365, can further enhance BEC prevention.
- Set Up Multifactor Authentication (MFA): Strengthen your email security by enabling MFA, which requires an additional code, PIN, or fingerprint in addition to your password for login.
- Educate Employees: Ensure that your entire organisation is educated about how to identify warning signs of phishing attacks, such as mismatched domain and email addresses. Conduct simulated BEC scam exercises to enhance awareness.
- Implement Security Defaults: Administrators can tighten security across the organisation by mandating the use of MFA, imposing authentication challenges for new or risky access, and requiring password resets in case of information leaks.
- Use Email Authentication Tools: Employ email authentication methods such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to make it more challenging for scammers to spoof your email.
Business Email Compromise protection
To protect your organisation against BEC attacks, consider adopting solutions like Microsoft Defender for Office 365, which offers the following capabilities:
- Automated Email Authentication Checks: Detect email authentication standards and identify spoofing, automatically sending suspicious emails to quarantine or junk folders.
- AI-Powered Anomaly Detection: Utilise artificial intelligence to model each user’s normal email patterns and flag unusual activity.
- Customised Email Protection: Configure email protection settings by user, domain, and mailbox to suit your organisation’s unique needs.
- Threat Investigation: Investigate potential threats, identify targets, distinguish false positives, and pinpoint scammers using Threat Explorer.
- Spoof Intelligence: Employ advanced algorithms to analyse domain-wide email patterns and highlight unusual activity, enhancing your defence against email spoofing.
The best BEC protection: MXDR
An MXDR (Managed eXtended Detection and Response) solution that uses Microsoft Sentinel as its SIEM (Security Information and Event Management) can provide a formidable defense against BEC attacks. By integrating the power of Sentinel’s advanced threat detection capabilities with the broader context of an MXDR system, organisations can enhance their ability to detect and block BEC threats effectively.
Microsoft Sentinel can analyse email-related events, user behavior, and network activity, allowing it to identify anomalous patterns or actions that are indicative of BEC scams. Additionally, by correlating information from multiple data sources, such as email logs, network traffic, and user activities, Sentinel can uncover subtle indicators of compromise that might go unnoticed by traditional security measures.
Furthermore, the automated response capabilities of an MXDR solution can swiftly quarantine suspicious emails, block malicious IP addresses, and alert security teams to take immediate action, mitigating the potential damage caused by a BEC attack. This integrated approach not only bolsters an organisation’s email security but also provides real-time threat intelligence and response capabilities to proactively block BEC threats before they can wreak havoc.
Now you’re ready to defend against Business Email Compromise
Business Email Compromise is a pervasive and ever-evolving threat that can have severe financial and reputational consequences for organisations. By understanding the various forms of BEC attacks, their mechanisms, and implementing robust email security measures, you can significantly reduce the risk of falling victim to these malicious schemes.
In an era where email is the king of communication, defending against BEC is not just an option; it’s a necessity to protect your organisation’s interests and data. Stay vigilant, educate your team, and invest in cutting-edge email security solutions to protect your business from the perils of Business Email Compromise.
Critical Chatter: Exploited CISCO VPNs, WinRAR zero-day, malicious Google ads and more
Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).
Top stories – 25 August 2023
- New Akira ransomware targets businesses via exploited CISCO VPNs
- New stealthy techniques let hackers gain Windows SYSTEM privileges
- Over 3,000 Openfire servers vulnerable to takover attacks
- Threat actor exploits zero-day in WinRAR to target crypto accounts
- Sneaky Amazon Google ad leads to Microsoft support scam
New Akira ransomware targets businesses via exploited CISCO VPNs
- Akira ransomware targets corporate networks by exploiting vulnerabilities in Cisco VPNs, particularly those without MFA.
- The group likely uses brute force attacks or dark web access purchases to compromise VPN accounts.
- Akira’s Linux variant affects various sectors, including education, healthcare, and manufacturing, highlighting the need for MFA and password policies to prevent unauthorised access.
The Akira ransomware, a group that targets corporate entities, has gained attention for exploiting vulnerabilities in Cisco VPNs. The group focuses on infiltrating corporate networks without multi-factor authentication (MFA) for VPN access.
Suspected use of a zero-day vulnerability has allowed unauthorised access to VPN accounts. Akira targets various sectors, including education, healthcare, manufacturing, and more. Cisco VPN products are a popular choice for businesses, making them a lucrative target.
Research indicates that Akira likely used brute force attacks or purchased access from the dark web to compromise VPN accounts. SentinelOne’s research published on 23 August suggest a zero-day vulnerability impacting accounts without MFA might have been exploited.
The ransomware’s Linux variant, based on the Crypto++ library, targets educational, real estate, healthcare, manufacturing, and corporate sectors. However, the command set lacks options to shut down virtual machines before encryption. The encryption speed influences data recovery chances.
Akira was first detected by Arctic Wolf in March 2023, with a focus on small to medium-sized businesses, particularly in the US and Canada. Avast released an Akira decryptor, but the ransomware operators updated the encryptor. Organisations are advised to prioritise two-factor authentication for VPNs to prevent unauthorised access, and to implement policies against password reuse to minimise risks of credential breaches
New stealthy techniques let hackers gain Windows SYSTEM privileges
- Researchers created NoFilter, a tool that exploits Windows Filtering Platform (WFP) to elevate privileges to SYSTEM level.
- NoFilter utilises access token duplication via WFP, stealthily avoiding DuplicateHandle detection.
- The tool abuses IPSec and Print Spooler to attain SYSTEM tokens and enables lateral movement through logged-in users’ processes.
- Despite reporting, Microsoft considers the behavior intended, so detection measures are suggested by Deep Instinct, the tool’s creator.
Security researchers have developed NoFilter, a tool that exploits the Windows Filtering Platform (WFP) to escalate user privileges to the SYSTEM level, the highest on Windows. This is particularly useful for attackers in post-exploitation scenarios who need to execute malicious code with elevated permissions or move laterally within a network. The tool takes advantage of three techniques:
- Access Token Duplication: NoFilter uses WFP to duplicate access tokens, enabling privilege escalation. By calling the NtQueryInformationProcess function, handles to tokens held by a process are duplicated for another process to escalate to SYSTEM. This method avoids DuplicateHandle, enhancing stealth to evade detection.
- Getting SYSTEM Access Token: The tool triggers an IPSec connection and abuses the Print Spooler service to insert a SYSTEM token into the table. This technique is stealthier as IPSec policy configuration is typical for privileged users, and network monitoring tools tend to ignore local host connections.
- Lateral Movement: The tool can obtain tokens of logged-in users for lateral movement. By identifying processes running as domain admins with RPC interfaces, NoFilter abuses the OneSyncSvc service and SyncController.dll to launch processes with logged-in user permissions.
Despite reporting these techniques to Microsoft, the company deemed the behaviour as intended, implying no fix or mitigation. Deep Instinct, the cybersecurity company behind NoFilter, suggests detection measures including identifying new IPSec policies, monitoring RPC calls to Spooler and OneSyncSvc during IPSec policies, brute-forcing token LUIDs, and monitoring device IO requests to WfpAle by non-BFE service processes.
Over 3,000 Openfire servers vulnerable to takover attacks
- Openfire servers are at risk from CVE-2023-32315, enabling unauthenticated users to create admin accounts.
- Despite security updates in newer versions, 50% of internet-facing servers remain vulnerable.
- Researchers reveal an exploit method allowing malicious plugin upload without admin accounts, urging prompt upgrades for unpatched servers.
Thousands of Openfire servers are still vulnerable to CVE-2023-32315, a path traversal vulnerability that allows unauthenticated users to create admin accounts. Openfire, a widely used Java-based open-source chat server, was impacted by an authentication bypass issue in versions 3.10.0 and earlier.
Security updates in versions 4.6.8, 4.7.5, and 4.8.0 were released, but many servers remain unpatched. The flaw has been actively exploited to create admin users and upload malicious plugins. VulnCheck researcher Jacob Baines revealed a method to exploit the flaw without creating admin accounts, making it more attractive to cybercriminals.
VulnCheck reported that among 6,324 internet-facing Openfire servers, 50% (3,162 servers) are still vulnerable. Only 20% have patched, while 25% use versions older than 3.10.0 when the vulnerability was introduced. Some use forks of the project, which might be impacted.
The current exploits are noisy, leaving traces in security logs. However, VulnCheck’s PoC demonstrates a stealthier method using ‘plugin-admin.jsp’ to upload a malicious plugin without admin accounts, avoiding detection in security logs. As the vulnerability is already under active exploitation, unpatched Openfire server admins are strongly advised to upgrade promptly.
Threat actor exploits zero-day in WinRAR to target crypto accounts
- A threat actor, possibly linked to the Evilnum group, targets trading forums using a patched WinRAR vulnerability (CVE-2023-38831).
- The bug allowed malicious code to hide in harmless formats within zip archives, affecting cryptocurrency forums since April.
- The attacker delivered malware like DarkMe, GuLoader, and Remcos RAT to compromise trading accounts, urging WinRAR users to update to prevent further exploitation.
A threat actor potentially linked to the Evilnum group is targeting users on trading forums using a now-patched vulnerability in WinRAR (CVE-2023-38831).
This bug allowed them to hide malicious code in seemingly harmless file formats like “.jpg” and “.txt” within zip archives, distributed across cryptocurrency trading forums. The campaign started in April, with Group-IB discovering the vulnerability and reporting it to WinRAR’s developer, Rarlab.
Though a patch was issued, at least 130 systems remain infected. Group-IB advises the estimated 500 million WinRAR users to update immediately. The attacker, possibly connected to Evilnum, used the vulnerability to deliver malware like DarkMe, GuLoader, and Remcos RAT via weaponised zip archives in forum posts and private messages. The malware compromised trading accounts, executing unauthorised transactions. Despite forum administrators’ warnings, the attacker continued spreading malicious files.
Sneaky Amazon Google ad leads to Microsoft support scam
- A deceptive Amazon ad in Google search redirects users to a Microsoft Defender tech support scam, falsely appearing as a legitimate Amazon URL.
- This scam traps users in full-screen mode, necessitating Chrome termination to exit, and it resurfaces upon relaunch, showcasing persistence.
- Google has faced backlash for permitting ads that imitate real URLs for scams; Google and Amazon’s lack of response raises concerns amid ongoing malicious ad distribution, including ransomware and Cobalt Strike beacon deployment by threat actors.
A deceptive Amazon ad appearing in Google search results redirects users to a Microsoft Defender tech support scam. The ad, seemingly legitimate, features Amazon’s URL but leads to a tech support scam mimicking Microsoft Defender alerts about malware infection.
The scam forces full-screen mode, requiring users to terminate Chrome to exit, yet reopening the scam upon relaunch. A similar incident occurred in June 2022 involving a YouTube ad.
Google has faced criticism for allowing ads to impersonate legitimate URLs for convincing scams. Google and Amazon haven’t responded to inquiries about this malvertising issue. Malicious actors have frequently misused Google ads to distribute malware, including ransomware.
These actors create counterfeit sites with altered download links to spread trojanized programs. Additionally, the Royal ransomware operation employs Google ads to promote sites installing Cobalt Strike beacons, granting initial network access for ransomware attacks.
Cybersecurity in manufacturing: How to improve your posture
We live in a fast-paced digital world. Manufacturing companies are embracing innovative technologies to boost efficiency and productivity. Yet, alongside these benefits, a mounting wave of cybersecurity challenges threatens to weaken the very core of these companies. As an IT decision maker within a manufacturing firm, it is crucial for you to understand and address these challenges head-on. This article explores the critical cybersecurity challenges faced by manufacturing companies and introduces the transformative solution of Managed Extended Detection and Response (MXDR).
The manufacturing industry’s cybersecurity landscape
- Supply Chain Vulnerabilities: Manufacturing companies often operate intricate supply chains comprising various partners and suppliers. While these networks are essential for production, they can inadvertently introduce vulnerabilities. Ransomware is of key concern. Cybercriminals exploit these weak links to infiltrate the entire ecosystem, causing disruptions and data breaches.
- Legacy Systems and Outdated Infrastructure: A significant proportion of manufacturing processes rely on legacy systems that predate the era of robust cybersecurity measures. In fact, this is true for 74% of manufacturers. These systems lack the advanced security features present in modern software and hardware, making them prime targets for cyberattacks.
- IoT and OT Convergence: The integration of Internet of Things (IoT) devices with Operational Technology (OT) systems has revolutionised manufacturing processes. However, this amplifies the potential attack surface. They are particularly vulnerable to network attacks. Cybercriminals can exploit vulnerabilities in connected devices with phishing attacks, spoofing and denial of service attacks (DDoS attacks). This helps them gain unauthorised access to crucial production systems.
- Data Protection and Privacy: Manufacturing companies handle an array of sensitive information, including proprietary designs, customer data, and intellectual property. Data breaches not only lead to financial losses but also erode customer trust and tarnish the company’s reputation. IBM reported that manufacturing companies are the most heavily targeted industry.
Now we understand the threat landscape, it’s time to move on to how we improve security posture with an innovative cybersecurity service.
Unveiling MXDR: A comprehensive cybersecurity solution
Truth be told, conventional solutions fall short in addressing the sophisticated techniques employed by malicious actors. Managed Extended Detection and Response (MXDR) is an innovative manufacturing cybersecurity service designed to bridge this gap by offering proactive, real-time threat detection and response capabilities.
Advantages of MXDR as cybersecurity for manufacturing companies:
- Real-time Threat Detection and Mitigation: MXDR employs cutting-edge AI-driven analytics and machine learning algorithms to monitor network traffic and identify anomalies. This proactive approach enables the swift detection of potential threats, preventing them from escalating into full-blown cyber incidents.
- Comprehensive Visibility Across the Digital Landscape: One of MXDR’s standout features is its ability to provide a unified view of your entire digital environment. From traditional IT systems to the myriad IoT devices and legacy machinery, MXDR ensures no potential entry point for cybercriminals goes unnoticed.
- Swift and Efficient Incident Response: In the unfortunate event of a cyber incident, MXDR excels by enabling rapid and effective incident response. Automated workflows and predefined playbooks empower your IT team to contain the threat, minimise damages, and restore normal operations in a timely manner.
- Continuous Monitoring and Adaptive Learning: Unlike traditional security solutions, MXDR does not operate in silos. It is in a constant state of vigilance, continuously scanning your network for emerging threats. Moreover, MXDR’s algorithms evolve alongside attackers’ techniques, ensuring your defences remain formidable.
Case study: MXDR in action
CloudGuard has been supporting the cybersecurity of global manufacturing company with its MXDR over the last 12 months. They initially contacted us after one of their subsidiaries was compromised by a ransomware attack, which soon impacted the entire group’s operations.
Once we’d helped them securely restore business operations, they wanted to build a new, more security-focused strategy that met the changing business needs with 24 x 7 real-time security monitoring and expert response. Enter our MXDR service.
Over the last 12 months, 82% of all identified vulnerabilities have been successfully remediated – with 76% solved through automation. This performance led to them renewing their partnership with CloudGuard with a multi-year contract.
Key considerations when embracing MXDR:
- Integration Complexity: Implementing MXDR requires careful integration with your existing cybersecurity infrastructure. To ensure a seamless transition, collaborate closely with the MXDR provider and conduct comprehensive testing.
- Resource Allocation: While the benefits of MXDR are undeniable, its effective utilisation demands an investment in both financial resources and skilled personnel. Adequate training for your IT team is imperative to fully harness the potential of the platform.
- Data Privacy and Compliance: Given the sensitivity of data handled in the manufacturing sector, it is paramount to verify that MXDR aligns with data protection regulations and industry-specific compliance requirements.
- Tailored Customisation: No two manufacturing companies are identical, and neither are their cybersecurity needs. Seek an MXDR provider that offers customisable features and support to align the platform with your unique requirements.
Cybersecurity in manufacturing: MXDR secures your future
The manufacturing industry’s transition into the digital era is not without its challenges, and robust cybersecurity has become non-negotiable. Managed Extended Detection and Response (MXDR) emerges as a serious contender, equipping you with the tools needed to safeguard your operations and sensitive data.
With real-time threat detection, 360 visibility, rapid incident response, and continuous monitoring, MXDR enables you to tackle cyber threats head-on. However, a successful MXDR implementation requires careful consideration of integration complexities, resource allocation, compliance, and customisation.
By embracing MXDR, your manufacturing company can embrace the future with confidence, knowing your operations are protected against the ever-evolving landscape of cyber threats. Stay secure, stay ahead with MXDR.
MXDR for SMBs: Your journey to cybersecurity excellence
In the dynamic digital landscape, small and medium-sized businesses (SMBs) are the engines of innovation and growth. Yet, alongside their potential for success, they also face an increasingly sophisticated and aggressive cyber threat landscape. Cybercriminals continually seek vulnerabilities to exploit, making cybersecurity an imperative. Enter MXDR for SMBs—a transformative solution designed to protect and empower businesses against cyber threats.
The cybersecurity imperative for SMBs
Cybersecurity is no longer optional—it’s a strategic necessity for SMBs. More than half (54%) of SMBs in the UK had experienced some form of cyberattack in 2022. As your business embraces digital transformation, your exposure to cyber threats grows exponentially. Cyber attackers target SMBs due to their often limited resources and potential vulnerabilities. Therefore, you need an advanced solution that not only detects threats but also responds effectively.
MXDR for SMBs: A tailored defence
MXDR (Managed eXtended Detection and Response) is as the answer to your cybersecurity concerns. Tailored specifically to your requirements, MXDR is a comprehensive defence strategy that involves data ingestion, AI-driven analysis, and orchestrated incident response.
At its core, MXDR harnesses the power of a Security Information and Event Management (SIEM) solution. This centralised hub gathers data from your various sources—cloud environments, on-premises systems, applications, and endpoints—creating a comprehensive view of your organisation’s security landscape.
AI-powered vigilance for SMBs
Central to MXDR’s capabilities is artificial intelligence (AI), the guardian that never sleeps. MXDR’s AI algorithms analyse data, learning the unique patterns of your digital environment. By establishing a baseline of normal behaviour, AI can swiftly detect deviations and potential threats that evade traditional defence strategies.
MXDR also integrates with threat intelligence feeds, translating the cryptic language of cyber attackers. It identifies malicious IP addresses, known malware signatures, and emerging attack vectors, adding a layer of proactive defence.
From detection to action: MXDR’s strength
MXDR for SMBs isn’t just about identifying threats; it’s about taking action. When a threat is detected, MXDR doesn’t just raise an alert—it provides actionable insights. Enriched alerts include context, details, and recommended responses, helping you to make swift, informed decisions.
Automation is seamlessly woven into MXDR’s fabric. Known threats trigger automated responses, swiftly neutralising the danger. Yet, the human touch remains essential. Security Operations Centre (SOC) teams leverage MXDR’s insights to validate threats, orchestrate precise responses, and investigate incidents.
The ROI of MXDR for SMBs
MXDR isn’t just an expense—it’s an investment with tangible returns. You can measure MXDR’s impact through reduced incident response time, thwarted attacks leading to cost savings, minimised downtime, and enhanced customer trust. With MXDR, your operations are secure, and your future ambitions are protected.
Victory in the cyber battleground
The cyber battleground is real, but your business doesn’t have to be a victim. MXDR allows you to be contenders. With MXDR as your ally, you can emerge victorious. You’ll be armed with the tools to protect data, ensure continuity, and uphold your reputation.
In the pursuit of growth, MXDR for SMBs is more than a cybersecurity solution; it’s a strategic asset. As cyber threats evolve, SMBs grow with MXDR—a solution of innovation, a testament to determination, and a symbol of your ability to thrive in the digital age.
Critical Chatter: Lolek Hosted dismantled, mulitple Citrix exploits, LinkedIn account hacks and website phishing
Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Vaughan Carey (Senior SOC Analyst).
Top stories – 18 August 2023
- Lolek bulletproof hosting servers seized
- CISA adds Citrix ShareFile flaw to KEV catalogue
- 400,000 proxy botnet built with stealthy malware infections
- Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign
- LinkedIn suffers ‘significant’ wave of account hacks
- Phishing operators make ready use of abandoned websites for bait
Lolek bulletproof hosting servers seized
- Law enforcement dismantles Lolek Hosted, a bulletproof hosting service aiding global cyberattacks.
- Five administrators arrested, servers seized, ending LolekHosted.net, which supported malware, DDoS attacks, botnets, and spam distribution.
- Joint European and U.S. efforts target such criminal infrastructure, aiming to curb malicious activities like ransomware, phishing, and DDoS attacks.
European and U.S. law enforcement agencies have dismantled Lolek Hosted, a bulletproof hosting service that facilitated cyberattacks globally. Five administrators were arrested, and servers seized, halting LolekHosted.net. The service enabled malware distribution, DDoS attacks, fake online shops, botnet management, and spam distribution. The August 8, 2023, seizure highlights increasing government efforts to disrupt cybercriminal networks.
Lolek Hosted focused on privacy and anonymity, offering no-log policies and cryptocurrency payments. Such services have been controversial, providing a platform for criminal groups to disseminate malware, orchestrate attacks, and commit cybercrime. U.S. Department of Justice states Lolek Hosted aided ransomware attacks and money laundering.
Founder Artur Karol Grabowski, accused of allowing false registrations, ignoring abuse complaints, and aiding ransomware attacks, faces 45 years’ imprisonment if convicted. Lolek Hosted allegedly participated in 50 NetWalker ransomware attacks. Recent joint efforts by Europe and the U.S. aim to combat criminal infrastructure supporting malicious activities like DDoS, phishing, and ransomware.
This action follows the sentencing of Mihai Ionut Paunescu in June 2023 for operating the bulletproof hosting service PowerHost[.]ro, facilitating Gozi, BlackEnergy, SpyEye, and Zeus backdoors.
CISA adds Citrix ShareFile flaw to KEV catalogue
- CISA lists Citrix ShareFile storage zones controller flaw (CVE-2023-24489) in Known Exploited Vulnerabilities due to ongoing attacks.
- The vulnerability, with a CVSS score of 9.8, allows remote compromise through improper access control and flawed cryptographic handling.
- Exploitation surged after initial signs in July, impacting ShareFile versions before 5.11.24. Timely vendor fixes required for Federal Civilian Executive Branch agencies by September 6, 2023.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a significant security flaw in Citrix ShareFile storage zones controller in its Known Exploited Vulnerabilities (KEV) list, given ongoing real-world attacks. Tracked as CVE-2023-24489 (CVSS score: 9.8), the vulnerability involves improper access control, potentially allowing remote compromise by unauthenticated attackers.
The issue originates from ShareFile’s handling of cryptographic processes, enabling adversaries to upload arbitrary files and trigger remote code execution. This flaw impacts all supported ShareFile storage zones controller versions before 5.11.24. Discovery credit goes to Dylan Pindur of Assetnote, with initial signs of exploitation emerging in late July 2023. While the attackers’ identity remains unknown, the Cl0p ransomware group has previously targeted managed file transfer solutions’ zero-day vulnerabilities.
GreyNoise, a threat intelligence firm, observed a notable surge in exploitation attempts, with up to 75 unique IP addresses targeting the flaw on August 15, 2023. The bug exists in Citrix ShareFile’s Storage Zones Controller, a .NET web application, allowing unauthenticated arbitrary file upload and remote code execution due to incorrect validation of decrypted data using AES encryption with CBC mode and PKCS7 padding.
Federal Civilian Executive Branch agencies are required to apply vendor fixes to address the vulnerability by September 6, 2023.
This development coincides with concerns over active exploitation of CVE-2023-3519, a critical vulnerability in Citrix’s NetScaler product, leveraged to deploy PHP web shells on compromised appliances and establish persistent access.
400,000 proxy botnet built with stealthy malware infections
- Researchers uncover campaign delivering proxy server apps to 400,000 Windows systems, operating as exit nodes without user consent.
- Despite claims of user agreement, proxies were silently installed and evade antivirus detection.
- To protect systems, users should check for specific executables and registry keys, delete them, remove suspicious tasks, and avoid downloading pirated software.
A widespread campaign delivering proxy server apps to over 400,000 Windows systems has been exposed by researchers. These proxies operate as residential exit nodes without user consent, with a company charging for the proxy traffic passing through them. Cybercriminals find such proxies valuable for large-scale attacks, while they also have legitimate uses like ad verification or data scraping.
AT&T Alien Labs reveals that the proxy network was established through malicious payloads delivering the proxy app. Despite the company’s claim of user consent, evidence suggests the proxy was silently installed. Its signed status enables it to evade antivirus detection. This company controlled exit nodes using the AdLoad payload, targeting macOS systems as reported last week.
The infection begins with a hidden loader in cracked software, automatically downloading and installing the proxy app in the background. Inno Setup with specific parameters conceals the installation process. The proxy client ensures persistence through registry keys and scheduled tasks. It gathers system data, monitoring performance and responsiveness.
To protect systems, AT&T advises checking for the “Digital Pulse” executable and Registry keys, deleting any found. Also, remove the scheduled task named “DigitalPulseUpdateTask” to prevent reintroduction of the infection through client updates. Avoid downloading pirated software and dubious executables. Indicators of proxyware infection include performance degradation, unusual network traffic, and communication with unknown IPs or domains.
Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign
- A major campaign targets Citrix NetScaler servers, leading to nearly 2,000 compromised systems through the CVE-2023-3519 flaw.
- Over 1,200 servers were breached post-patch due to administrators not checking successful mitigation.
- Researchers advise administrators to assess systems using provided tools as the threat persists, particularly in Europe.
A vast campaign targeting Citrix NetScaler servers has resulted in nearly 2,000 compromised servers, exploiting the critical CVE-2023-3519 remote code execution flaw. Around 1,200 servers were compromised even after the vulnerability was patched, as administrators failed to check for successful exploitation. Security researchers from Fox-IT and the Dutch Institute of Vulnerability Disclosure (DIVD) discovered the campaign, wherein webshells were planted on vulnerable servers, allowing unauthorised access.
Despite the patch being available since July 18, attackers initiated exploitation, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighting its use to breach a critical infrastructure organisation. The Shadowserver Foundation also reported over 640 compromised servers with web shells.
Fox-IT and DIVD’s investigation unveiled 1,952 backdoored NetScaler servers, representing over 6% of globally vulnerable instances during the campaign. Europe is particularly impacted, with Germany, France, and Switzerland having the highest number of compromised servers.
While the number of affected servers is decreasing, the threat remains. Researchers advise administrators to perform triage on their systems and offer a Python script for assessment. Mandiant has also released a scanner, though running it twice may result in false positives due to script-related NetScaler log entries.
LinkedIn suffers ‘significant’ wave of account hacks
- LinkedIn accounts are under attack, with hackers demanding ransoms or taking control, causing delays in support.
- Attack scenarios involve temporary locks due to suspicious activity and full control by altering email addresses and passwords.
- Users should promptly verify access, update contact info, and enhance security measures, given LinkedIn’s history of cyber threats.
Hackers are targeting LinkedIn accounts in a recent campaign, with some victims receiving ransom demands to regain access. The attacks have surged over the past 90 days, causing extended response times from LinkedIn support.
Two attack scenarios have emerged: one where LinkedIn temporarily locks accounts due to suspicious activity, and another where attackers gain full control by altering associated email addresses and passwords. Some victims have received ransom messages, while others have seen their accounts deleted.
LinkedIn has faced previous cyber threats, including phishing attempts and use by North Korean APT Lazarus. Users are urged to confirm their account access promptly, verify contact information, and enhance security measures like two-step verification.
Phishing operators make ready use of abandoned websites for bait
- Abandoned and poorly maintained websites, especially WordPress sites, are targeted for hosting phishing pages.
- Kaspersky found 22,400 compromised WordPress sites, hosting phishing pages attracting over 200,000 visit attempts.
- Attackers exploit known WordPress vulnerabilities to maintain active phishing pages, and users are advised to be vigilant, especially on smaller sites.
Attackers are increasingly targeting abandoned and poorly maintained websites for hosting phishing pages, with WordPress sites being a prime focus due to their numerous vulnerabilities. Kaspersky discovered 22,400 compromised WordPress websites from mid-May to July, hosting phishing pages that attracted over 200,000 visit attempts.
Hackers often compromise smaller sites that owners can’t immediately detect. The attackers make phishing pages inconspicuous by leaving the main website’s functionality untouched and hiding phishing pages in non-accessible directories.
This strategy is effective since phishing remains a popular attack vector. Attackers capitalize on users’ trust in familiar websites to share sensitive data. Neglected domains are appealing as phishing pages can stay active longer, while attackers exploit known WordPress vulnerabilities to establish control.
Kaspersky advises WordPress operators, especially those running smaller sites, to stay vigilant, offering guidance on detecting and addressing potential breaches. Over 2,370 WordPress and plugin vulnerabilities were disclosed in 2022, making these sites easy targets.
Introducing the Microsoft Sentinel SAP Connector Optimisation Service
In a rapidly evolving digital landscape, businesses are embracing the dynamic fusion of Microsoft and SAP solutions to propel their operations to new heights. However, ensuring a robust and continuously improving security framework across these crucial services has remained a challenging feat—until now. We are thrilled to launch our innovative Microsoft Sentinel SAP Connector Optimisation Service, a game-changing solution that transforms the way you perceive and manage security within your organisation.
A seamless integration of powerhouses
Microsoft understands the complex needs of businesses relying on both its innovative technologies and SAP’s mission-critical applications. The result? The Microsoft Sentinel solution for SAP® applications, an innovative step forward in connecting, ingesting, visualising, protecting, and automating the security logs of your platform and SAP applications.
This enables businesses to proactively safeguard their assets by comprehensively understanding, monitoring, detecting, and responding to security incidents.
Unlocking centralised security excellence
The Challenge: The need for centralised security visibility and detection of data breaches, security incidents, and alerts within SAP systems, managing sensitive business-critical data, has been a long-standing puzzle for SAP customers.
The Solution: Enter the Sentinel connector to SAP, a new solution that enables continuous threat monitoring across networks, operating systems, interfaces, databases, applications, and business processes. Let’s delve into the myriad of benefits this cutting-edge service brings to the table:
🌐 Centralised Visibility: Our service presents security teams with the ability to correlate and normalise SAP signals across diverse environments.
🚀 Threat Intelligence Leveraging: We leverage threat intelligence, enrichment, and context to build continually improving detection and response mechanisms.
📊 Granular Monitoring: Enjoy the prowess of monitoring transactions, privileged escalation, role changes, unauthorized access, and unapproved/unexpected changes.
⚙️ Automated Responses: Empower your organization with rapid automated responses, mitigating risks and bolstering business resilience.
🛡️ Unified Incident Response: Seamlessly centralise security monitoring and incident response within your organization, supported by the expertise of application and platform specialists.
The CloudGuard advantage
Our CloudGuard service includes a complete approach to maximising the potential of the Microsoft Sentinel SAP Connector:
🔍 Thorough Scoping: Tailoring the Microsoft Sentinel SAP connector to your unique Sentinel solution.
🌆 Landscape Review: A comprehensive examination of your SAP landscape to ensure thorough monitoring.
📑 SAP Logs Inspection: In-depth analysis of SAP logs to uncover security insights.
🧠 Best Practices Implementation: Deploying CloudGuard’s best practices for Sentinel SAP connector Data Collection Rules (DCRs) and data transformations before log ingestion.
💰 Cost Optimisation: We optimise Microsoft Sentinel log ingestion costs using event filters and CloudGuard’s analytical rules.
📈 Customised Use Cases: Crafting Sentinel use cases aligned with your specific parameters for enhanced security.
🔎 Threat Hunting Playbooks: Tailored threat hunting playbooks for your SAP processes and sensitive data.
🧪 Analytic Rule Customisation: Fine-tuning Sentinel SAP analytic rules within your workspaces.
🔐 Security Certification: Our expertise extends to on-premise, Azure, AWS, and Google cloud platforms, ensuring the Microsoft Sentinel solution for SAP® applications is certified for SAP S/4HANA® on-premise, SAP S/4HANA® Cloud, and Private Edition RISE with SAP.
Elevating security to new heights
While Microsoft Sentinel brings remarkable security content, our CloudGuard experts recommend enhancing the system with SAP-specific watchlists, detection rules, and response playbooks. We meticulously verify that Sentinel effectively monitors the PAHI table and all related cloud resources, and we provide adept insights to optimise log ingestion costs.
Our dedicated service ensures ingested logs align with your business processes, driving improved security posture in centralised monitoring.
How this benefits your organisation
With the goal of achieving centralisation, CloudGuard has developed advanced automation that seamlessly integrates and optimises security logs from SAP’s critical business processes, platforms, applications, databases, and cloud services into the SIEM. This innovative process ensures data is refined and prepared before being ingested into the workspace.
The common problem is that SAP security logs can be extensive and therefore, without governance and optimisation, expensive in Microsoft Log Analytics. Further use cases must also be built to both accelerate automation and detection correlation across disparate systems in the SAP business fabric.
As every SAP customer landscape can be different, we’ll actively work with you to understand the security visualisations you need, supported by corresponding use cases and automation. We then align this to security ROI through cost optimisation. Our team of Sentinel experts help to maximise the benefits of Microsoft Sentinel with SAP into a unified security solution this enhances cyber security posture for your business.
Join the cybersecurity revolution with the SAP Sentinel Connector
The Microsoft Sentinel SAP Connector Optimisation Service is available as part of the Protect+ MXDR service from CloudGuard. It’s time for a new era of security excellence within your organisation. Together, we can counteract threats, fortify resilience, and confidently navigate the digital realm with unmatched assurance. Don’t miss out on securing your future—connect with us today!
What is Microsoft Copilot? 6 Things Business Leaders Must Know
In the ever-evolving landscape of technological advancements, Microsoft has introduced a game-changing innovation that promises to redefine the way businesses operate. Microsoft Copilot, an AI-powered tool integrated into the Microsoft 365 suite, has the potential to revolutionise productivity, streamline tasks, and enhance collaboration. As IT and business leaders, it’s essential to grasp both the advantages and potential drawbacks of this groundbreaking technology. In this article, we’ll delve into the intricacies of Microsoft Copilot, offering a balanced overview to help you make informed decisions.
Article quick links
- What is Microsoft Copilot?
- Six Critical Things to Know About Microsoft Copilot
- Pricing and future outlook
What is Microsoft Copilot?
Imagine an AI assistant that can generate documents, analyse data, summarise meetings, and even draft emails—all at your command. That’s the essence of Microsoft Copilot. Launched in March 2023, Copilot is designed to assist users across various Microsoft applications, such as Word, Excel, PowerPoint, Outlook, and Teams. By harnessing the power of AI and natural language processing, Copilot aims to enhance efficiency, creativity, and collaboration within the workplace.
Six Critical Things to Know About Microsoft Copilot
Now you have an understanding of what Microsoft Copilot. Here’s 6 things you must know before it becomes part of your business.
1. Limited availability and rollout strategy
Microsoft Copilot’s introduction has been carefully managed. Therefore, access is initially granted to select large enterprise clients. The goal of this phased rollout is to gather valuable user feedback, address potential issues, and refine the technology before broader availability. As of now, an “invited” list of around 600 customers has access, and a general release is anticipated in the near future, likely by early 2024. This cautious approach reflects Microsoft’s commitment to delivering a polished and effective tool that aligns with user needs and expectations.
2. The evolution from ChatGPT to Microsoft Copilot
Microsoft Copilot is built upon the foundation of ChatGPT, the AI language model developed by OpenAI. However, Copilot goes beyond mere text generation and understanding. It’s a multifaceted AI tool that leverages deep learning and natural language processing to assist users in various tasks. From generating code snippets to composing emails, creating presentations, and analysing data, Copilot’s capabilities are a significant advancement over its predecessors. Its integration into Microsoft 365 applications makes it a versatile and indispensable tool for enhancing productivity and creativity.
3. Seamless integration into Microsoft 365 Suite
One of the most compelling aspects of Microsoft Copilot is its seamless integration into the Microsoft 365 suite. Users will find Copilot’s functionalities embedded within the interfaces of applications like Word, Excel, PowerPoint, Outlook, and Teams. This integration ensures that Copilot’s assistance is available across different tasks and contexts. Whether you’re crafting a document, analysing data, or collaborating with team members, Copilot aims to provide relevant and context-aware suggestions, enhancing the overall user experience.
4. Empowering user productivity across applications
Microsoft Copilot’s potential to enhance user productivity is substantial. For instance, within Word, Copilot can leverage information from OneNote to generate comprehensive proposals tailored to specific needs. It can even suggest visual elements that align with past documents, streamlining the creation of visually appealing content. In Excel, Copilot shines in simplifying complex data analysis tasks. It can help identify trends, generate graphs, and perform intricate calculations, enabling users to extract insights from data more efficiently. By automating repetitive and time-consuming tasks, Copilot allows users to allocate their time and skills to more strategic activities.
5. Balancing suggestions with human judgment
While Microsoft Copilot’s suggestions are valuable, they’re not perfect. Users must use their judgment to determine the relevance and accuracy of Copilot’s recommendations. This is especially crucial for tasks that involve subjective decisions, creative content, or nuanced context. Copilot’s assistance serves as a valuable resource that can accelerate processes and spark creativity. However, the final responsibility for content quality and accuracy ultimately rests with the user. Striking the right balance between leveraging AI capabilities and applying human expertise will be essential for maximising the benefits of Copilot.
6. Data quality, privacy, and security considerations
Microsoft Copilot’s effectiveness heavily relies on the quality of the data it interacts with. The accuracy of its suggestions and insights hinges on the accuracy, completeness, and relevance of the underlying data. Organisations need to prioritise data hygiene, ensuring that the data used by Copilot is accurate, up-to-date, and representative of the tasks at hand.
Furthermore, the access Copilot has to sensitive internal data raises privacy and security concerns. Organisations must apply robust security measures to protect proprietary information and ensure compliance with data protection regulations. Establishing clear guidelines on data usage, storage, and access rights will be essential to build trust and mitigate potential risks associated with data handling.
Pricing and future outlook
As of now, Microsoft has announced a premium of $30 per user per month for access to Microsoft 365 Copilot. This pricing strategy reflects the substantial investment Microsoft has made in developing this AI technology. While the cost may seem significant, the potential gains in productivity and efficiency could justify the expense for forward-thinking organisations.
Looking ahead, the integration of AI tools like Copilot into everyday workflows is an indicator of the evolving nature of business operations. As AI technology continues to advance, Copilot is likely just the beginning of a new era. A time where AI-driven assistance becomes an indispensable part of our work lives.
Understanding Microsoft Copliot: final thoughts
Microsoft Copilot represents a significant leap forward in AI-driven productivity tools. As IT and business leaders, it’s essential to recognise both the potential benefits and challenges that come with its adoption. While Copilot has the capacity to streamline tasks, enhance collaboration, and boost efficiency, its successful implementation requires careful consideration of data quality, security, and employee training. As the technological landscape continues to evolve, embracing innovations like Copilot may be the key to staying competitive and agile in the modern business world.
Critical Chatter: EvilProxy surge, Microsoft Defender exploited, Intel vulnerability and Cloudflare attacks
Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Intern).
Top stories – 11 August 2023
- EvilProxy fuels surge in successful cloud account takeovers
- Microsoft releases patches for 74 vulnerabilities in August updates
- Windows Defender vulnerability exploited: Threat of malware injection and system disruption
- Intel’s downfall vulnerability exposes data theft risk across multiple processors
- Threat actors exploit Cloudflare Tunnels for stealthy attacks
EvilProxy fuels surge in successful cloud account takeovers
- EvilProxy, a phishing platform, targets MFA-protected Microsoft 365 accounts. Successful attacks on executives seen, with 120,000 phishing emails sent, using tactics like brand impersonation and evasion.
- EvilProxy uses reverse proxies to steal credentials, sidestepping MFA. Sold for $400/month, it targets major platforms.
- A recent campaign mimicked Adobe, DocuSign, etc., focusing on C-level executives. To counter, enhance awareness, fortify email filters, and consider FIDO-based keys.
The phishing platform EvilProxy is rapidly becoming a significant threat by targeting multi-factor authentication (MFA) secured Microsoft 365 accounts. A study by Proofpoint reveals a surge of successful cloud account takeovers, with over 120,000 phishing emails sent to numerous organisations, primarily aiming at high-ranking executives. EvilProxy conducts large-scale campaigns employing tactics like brand impersonation, evading bot detection, and using open redirections.
EvilProxy functions as a phishing-as-a-service platform, utilising reverse proxies to intercept authentication requests and user credentials. By stealing authentication cookies, the attackers can sidestep multi-factor authentication, even after victims have completed the process. The platform is being marketed to cybercriminals for $400 per month, offering capabilities to target accounts across major platforms.
Recent attacks include a campaign that began in March 2023, leveraging EvilProxy to send deceptive emails posing as reputable brands such as Adobe, DocuSign, and Concur. Victims are subjected to multiple redirections to obscure the attack’s trail, ultimately reaching a convincing EvilProxy phishing page that mimics Microsoft 365 login.
One key aspect is the attackers’ strategic focus on “VIP” targets, particularly C-level executives, CEOs, vice presidents, and CFOs. A significant portion of breached accounts belonged to these roles. Compromised Microsoft 365 accounts are exploited for persistent access by the attackers, who add their own multi-factor authentication methods.
To counter this growing threat posed by EvilProxy and similar reverse proxy phishing methods, organisations are advised to enhance security awareness, fortify email filtering rules, and consider adopting FIDO-based physical keys.
Microsoft releases patches for 74 vulnerabilities in August updates
- Microsoft’s August 2023 Patch Tuesday tackles 74 vulnerabilities, down from the prior month’s 132, with 6 Critical, 67 Important, and 1 Moderate severity issues.
- A known Microsoft Office flaw targeted by the RomCom group in Ukraine is resolved, and two defence-in-depth updates are introduced.
- Vulnerabilities range across Microsoft services, including Exchange Server, requiring specific conditions for exploitation. Experts recommend prompt patching and security measures.
Microsoft’s August 2023 Patch Tuesday addresses 74 software vulnerabilities, a decrease from the previous month’s 132 fixes. These include six Critical, 67 Important, and one Moderate severity vulnerabilities. Microsoft Office’s known flaw (CVE-2023-36884) exploited by the RomCom threat group targeting Ukraine is mitigated. Two defence-in-depth updates are released for Microsoft Office (ADV230003) and the Memory Integrity System Readiness Scan Tool (ADV230004).
Patched issues span Microsoft Message Queuing, Microsoft Teams, Azure Apache services, Azure DevOps Server, and .NET Framework. Remote code execution vulnerabilities in Exchange Server (CVE-2023-35388, CVE-2023-38182, CVE-2023-38185) are noted, requiring adjacent attack vectors and valid Exchange credentials for exploitation.
A proof-of-concept exploit for a .NET and Visual Studio DoS flaw (CVE-2023-38180) is acknowledged. Patches address five privilege escalation flaws in the Windows Kernel (CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, CVE-2023-38154) that allow local threat actors to attain SYSTEM privileges.
Microsoft highlights “Exploitation More Likely” for some vulnerabilities, but the need for adjacent attack vectors and valid credentials may limit their exploitation. Experts advise prompt patching and adopting necessary security measures to protect systems.
Windows Defender vulnerability exploited: Threat of malware injection and system disruption
- Microsoft’s August 2023 Patch Tuesday addresses a Windows Defender flaw (CVE-2023-24934) allowing unprivileged users to manipulate signature updates for potential malware injection and attacks.
- Inspired by the 2012 Flame campaign, SafeBreach demonstrates this using an automated tool, wd-pretender.
- The research highlights the vulnerability of signature update processes, underlining the need for improved security measures and ongoing vigilance.
In Microsoft’s August 2023 Patch Tuesday update, a Windows Defender flaw (CVE-2023-24934) has been addressed. This vulnerability allowed unprivileged users to exploit the signature-update process, potentially injecting malware, deleting benign files, and causing denial-of-service attacks. Researchers from SafeBreach created an automated tool named wd-pretender to demonstrate these attack vectors.
This investigation was spurred by the 2012 Flame cyberespionage campaign that manipulated the Windows update process. SafeBreach aimed to reproduce this without complex techniques, focusing on Windows Defender’s susceptibility to takeover by unprivileged users.
The researchers found signature updates in the Microsoft Protection Antimalware Front End (MPAM-FE[.]exe) executable. VDM files contained malware signatures, with “Base” and “Delta” files enabling merging and updates. Attempts to replace files in the MPAM file were thwarted, but manipulation of Microsoft-signed VDM files enabled hijacking.
This research spotlights the vulnerability of signature update processes, prompting further examination to enhance their security. Although Microsoft employs digitally signed files, this vulnerability revealed shortcomings in validation checks, emphasising the need for ongoing security measures and vigilance against evolving attack vectors.
Intel’s downfall vulnerability exposes data theft risk across multiple processors
- The “Downfall” vulnerability (CVE-2022-40982) affects Intel microprocessors from Skylake to Ice Lake, allowing attackers to exploit the gather instruction for stealing sensitive data.
- Google’s Daniel Moghimi devised two attack techniques, Gather Data Sampling (GDS) and Gather Value Injection (GVI), targeting Intel’s memory encryption and creating security concerns.
- While Intel released microcode updates, potential risks remain due to the vulnerability’s reach and attackers possibly using local programs for exploitation. A long-term solution may require hardware redesign.
A newly discovered vulnerability called “Downfall,” tracked as CVE-2022-40982, has been disclosed by a Google senior research scientist. This flaw impacts various Intel microprocessor families, including those based on Skylake through Ice Lake architectures. The vulnerability, classified as a transient execution side-channel issue, potentially enables attackers to steal passwords, encryption keys, and private data such as emails and banking information from users sharing the same computer.
Downfall allows attackers to exploit the gather instruction, leaking content from the internal vector register file during speculative execution. This can lead to the extraction of sensitive information protected by Intel’s hardware-based memory encryption, Software Guard eXtensions (SGX), which creates a trusted isolated environment inaccessible even to the operating system.
The Google researcher, Daniel Moghimi, devised two attack techniques named Gather Data Sampling (GDS) and Gather Value Injection (GVI), both leveraging the gather instruction. The first was able to steal AES cryptographic keys from a separate virtual machine, while the second combined GDS with the Load Value Injection technique to extract encryption data.
Despite Intel’s microcode update to mitigate this vulnerability, security concerns remain. The flaw only impacts processors based on Intel microarchitectures Skylake through Ice Lake, affecting various CPU families. While the vulnerability requires an attacker to be on the same physical processor core as the victim, potential risks persist, with attackers possibly leveraging local programs like malware to exploit this weakness.
Intel’s response has included providing threat assessment and performance analysis information for users to evaluate the impact of the vulnerability. It has also released a microcode update to address the flaw. Despite the available mitigations, software-based solutions are seen as temporary, necessitating further exploration into hardware redesign to eliminate the root cause of the issue.
Threat actors exploit Cloudflare Tunnels for stealthy attacks
- Cyber attackers are exploiting Cloudflare Tunnels for stealthy HTTPS connections, evading firewalls and maintaining persistence.
- GuidePoint’s teams have confronted such attacks involving Cloudflare Tunnels, used for data theft and remote access.
- To counter this threat, monitoring unauthorized tunnel use, tracking DNS queries, and focusing on non-standard ports like 7844 can aid detection, while legitimate users can restrict services to authorized data centers.
Cyber threat actors are adopting novel tactics to breach networks and evade traditional security measures. They are increasingly utilising Cloudflare Tunnels for their attacks, enabling them to establish stealthy HTTPS connections, bypass firewalls, and maintain long-term persistence. GuidePoint’s DFIR and GRIT teams have addressed recent engagements involving these Cloudflare Tunnels, which have been exploited by hackers for data theft and remote device access.
Cloudflare Tunnels establish outbound connections via HTTPS to Edge Servers, granting attackers access to services through configuration changes. The tunnels can be set up on various platforms including Linux, Windows, macOS, and Docker. These tunnels provide high user control over the exposed services, allowing attackers to discreetly communicate via their tunnel tokens and make real-time configuration changes. This flexibility enables threat actors to activate and deactivate functionality, such as enabling RDP for data collection and then disabling it to evade detection.
To defend against these tactics, organisations are advised to monitor unauthorised tunnel use by tracking specific DNS queries and monitoring non-standard ports like 7844. Monitoring file hashes of ‘cloudflared’ client releases can also help detect tunnel use, as installation is necessary. Legitimate users can restrict services to chosen data centres, helping to flag Cloudflared tunnels targeting unauthorised destinations and aiding in their detection.