Flair Data Systems Cybersecurity News Update 3-13-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/13/2024... 

Good morning! 

 

This past week, I have been spending time building out Tabletop scenarios for exercises coming up in the next 4 - 6 weeks.  Going through this type of activity forces you to sit in two seats: how are the responders going to act, and what could a threat actor do in these situations?  One thing to always remember is that no matter what controls you have in place, at some point there is always a chance they could be bypassed or compromised due to unforeseen circumstances or newly discovered vulnerabilities. 

 

With that, let’s jump into this week’s cyber security news update. 


March Patch Tuesday - Zero Zero-Days 

  • 18 Remote Code Execution (RCE) Vulnerabilities 
  • 24 Elevation of Privilege (EoP) Vulnerabilities 
  • 6 Denial of Service (DoS) Vulnerabilities 
  • 2 Spoofing Vulnerabilities 
  • 6 Information Disclosure Vulnerabilities 
  • 1 Cross-site Scripting (XSS) Vulnerability 
  • 3 Security Feature Bypass Vulnerabilities* 
  • CVE-2024-21407 (CVSS: 8.1): an authenticated attacker on a guest VM could exploit the vulnerability by sending specially crafted file operation requests to the VM's hardware resources, enabling RCE on the host server 
  • To exploit it, the attacker must have environment-specific information and take additional steps to prepare the target environment 
  • CVE-2024-21408 (CVSS: 5.5): not much data on this one, except that it has a significant impact on availability by causing a DoS in Hyper-V 
  • Rated "Most Likely" to be exploited, based on threat intel: 
  • CVE-2024-21433 (CVSS: 7.0) – Windows Print Spooler Elevation of Privilege Vulnerability 
  • CVE-2024-21437 (CVSS: 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability 
  • CVE-2024-26160 (CVSS: 5.5) – Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability 
  • CVE-2024-26170 (CVSS: 7.8) – Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability 
  • CVE-2024-26182 (CVSS: 7.8) – Windows Kernel Elevation of Privilege Vulnerability 
  • CVE-2024-26185 (CVSS: 6.5) – Windows Compressed Folder Tampering Vulnerability 

 

Online fraud hits record losses 

 

The FBI's IC3 (Internet Crime Complaint Center) report shows reported losses of $12.5 billion in 2023 - a 22% increase from 2022 

  • This counts only crimes reported to the FBI, so the real number is much higher than the figure above 
  • Take time to review the rest of the report - worth the read! 

Link (1): https://www.tripwire.com/state-of-security/125-billion-lost-cybercrime-amid-tidal-wave-crypto-investment-fraud#:~:text=According%20to%20the%20IC3%20report,to%20be%20much%2C%20much%20higher. 

 

States urge Meta to crack down on scammers 

 

41 U.S. States have called on Meta to crack down on hackers and scammers on its platforms 

  • According to the New York AG's office, complaints increased by 1000% between 2019 and 2023 
  • If these complaints are making it to the AG's office, did they also make it to Meta? If so, why isn't Meta doing more to stop these attacks?  Part of it is due to not enforcing MFA on accounts; with the high volume of these types of attacks, why hasn't Meta enforced MFA enablement? 

Link (1): https://www.spiceworks.com/it-security/cyber-risk-management/news/states-urge-meta-combat-facebook-instagram-account-takeovers/#:~:text=41%20U.S.%20States%20called%20on,hijacking%20attacks%20in%20recent%20months. 

 

Apple issues update for zero-day flaw 

 

Apple has patched two memory corruption issues that an attacker with arbitrary kernel read and write capabilities can exploit to bypass kernel memory protections 

  • CVE-2024-23225: a memory corruption issue in the Kernel 
  • CVE-2024-23296: a memory corruption issue in the RTKit real-time operating system (RTOS) 
  • Apple's statement on March 5th said that it is "aware of a report that this issue may have been exploited" 

Link (1): https://www.msspalert.com/news/apple-issues-critical-ios-security-updates-for-exploited-zero-day-flaws 

 

Flipper Zero MiTM WiFi attack can unlock and steal Tesla cars 

 

Researchers have demonstrated that they can perform a MiTM (Man-in-the-Middle) phishing attack to compromise Tesla accounts, unlock cars, and start them 

  • The attacker could use a Flipper Zero to broadcast a wireless SSID ("Tesla Guest") at a charging station; Tesla owners who connect are presented with a fake Tesla login page that captures their Tesla credentials and then prompts for their MFA code, all in real time 
  • The rest of the article goes into how the researchers were able to add a Phone Key to their own app while in proximity to the targeted Tesla (Model 3) 
  • Sadly, when this was presented to Tesla, the researchers were told it was considered "out of scope" 

Link (1): https://www.bleepingcomputer.com/news/security/mitm-phishing-attack-can-let-attackers-unlock-and-steal-a-tesla/ 

 

Former Google engineer indicted for stealing AI secrets for Chinese companies 

 

Linwei Ding, aka Leon Ding, faces up to 10 years in prison and a fine of up to $250k for each of 4 counts of trade secret theft 

  • Ding was hired by Google as a software engineer in May 2019, which gave him authorized access to confidential information related to hardware infrastructure, software platforms, AI models, and the applications they supported at Google's supercomputing centers 
  • The indictment charges that he took over 500 unique files containing Google AI-related trade secrets and secretly uploaded them to a personal Google account (between May 2022 and May 2023) 
  • In May 2023, Ding founded Shanghai Zhisuan Technology, a China-based firm 

Link (1): https://www.darkreading.com/insider-threats/google-engineer-steals-ai-trade-secrets-chinese-companies 

 

PetSmart warns customers of credential stuffing attack 

 

PetSmart's systems detected a credential stuffing attack against the petsmart.com domain 

  • As a precaution, PetSmart sent notifications to all customers who appeared to log in during the attack window, since it could not tell legitimate login attempts from malicious ones 
  • Credential stuffing attacks consist of replaying username/password pairs leaked in other breaches - meaning they only work because password reuse is still widespread 
  • To help address this, use a password manager that generates unique passwords for you; it will keep these types of attacks from being as successful 

Link (1): https://www.bleepingcomputer.com/news/security/petsmart-warns-of-credential-stuffing-attacks-trying-to-hack-accounts/ 

 

Microsoft says Russian hackers breached its systems, accessed source code 

 

Midnight Blizzard, which breached Microsoft back in January 2024, has recently regained access using authentication secrets stolen in that earlier intrusion 

  • This latest breach has led to unauthorized access to source code repositories and internal systems 
  • Microsoft states that, as of yet, there is no evidence that customer-facing systems were compromised 
  • Several of the emails compromised in the original breach were exchanges between Microsoft and customers that contained authentication secrets 

Link (1): https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/ 

 

Cisco VPN Client Vuln  

 

CVE-2024-20337: a vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user 

  • Patches have been released to resolve this issue 
  • No known public announcements or malicious use of this vulnerability 

Link (1): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7 

 

Roku forces reset after 15,000 accounts compromised 

 

15,000 Roku accounts were compromised and put up for sale on dark web markets - $0.50 each 

  • This would allow threat actors to gain access to saved credit card information on the customers' accounts and make fraudulent transactions 
  • Once the threat actors gained access, they locked users out by changing passwords, email addresses, and shipping addresses 
  • This was another credential stuffing attack - again, a password reuse issue 

Link (1): https://www.bleepingcomputer.com/news/security/over-15-000-hacked-roku-accounts-sold-for-50-each-to-buy-hardware/ 
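A defender-side illustration of the problem both the PetSmart and Roku items describe: a source that cycles through many different usernames at machine speed with mostly failed logins is the signature of credential stuffing, and the accounts that logged in successfully from such a source are the ones to notify or force-reset. This is an added example, not code from PetSmart, Roku or the linked articles; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real PetSmart or Roku data).
# Assumed format: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-10T02:00:01Z 203.0.113.5 alice FAIL
2024-03-10T02:00:02Z 203.0.113.5 bob FAIL
2024-03-10T02:00:03Z 203.0.113.5 carol SUCCESS
2024-03-10T02:00:04Z 203.0.113.5 dave FAIL
2024-03-10T02:00:05Z 203.0.113.5 erin FAIL
2024-03-10T02:00:06Z 203.0.113.5 frank FAIL
2024-03-10T02:00:07Z 203.0.113.5 grace SUCCESS
2024-03-10T09:15:00Z 198.51.100.7 alice FAIL
2024-03-10T09:15:20Z 198.51.100.7 alice SUCCESS
2024-03-10T09:16:00Z 198.51.100.7 alice FAIL
"""

def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, ip, user, result))
    return events

def detect_stuffing(events, min_users=5, min_fail_ratio=0.6, max_median_gap=60):
    """Flag source IPs that try many distinct usernames, mostly failing, with a
    short median gap between attempts. Thresholds are illustrative assumptions.
    Returns {ip: sorted usernames that logged in successfully from that ip}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        users = {e[2] for e in evs}
        fails = sum(1 for e in evs if e[3] == "FAIL")
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        fast = not gaps or statistics.median(gaps) <= max_median_gap
        if len(users) >= min_users and fails / len(evs) >= min_fail_ratio and fast:
            flagged[ip] = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
    return flagged

def accounts_to_notify(flagged):
    """Union of accounts with a successful login from any flagged source."""
    return sorted({u for users in flagged.values() for u in users})
```

The single user retrying from 198.51.100.7 is a normal mistyped password and is not flagged, while 203.0.113.5 is flagged and the two accounts it got into are the ones to reset.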

 

Lastly, some resources from CISA/NSA Secure Cloud Guides 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 




About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business.  With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 


Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We provide trusted cyber security services in Plano, TX. 

