Brent Forrest's Cybersecurity Update 11-16-2023

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 11/16/2023...

This week has been a great week spent with the SentinelOne team getting updated on their newest releases and roadmaps for upcoming changes. We all know that roadmaps describe a future state, so we must always take that into account. With that said, when these features are released, they will be a game changer without adding a lot of complexity.


Let’s dive into this week's cyber update. 


Microsoft Patch Tuesday 


The following three are exploited zero-day vulnerabilities:

  • CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability 
  • CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability 
  • CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 

Recommendation – test the patches, then fully deploy them; these are being exploited in the wild.

 

Link (1): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 

Link (2): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36033 

Link (3): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36036 

Link (4): https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2023-patch-tuesday-fixes-5-zero-days-58-flaws/ 


Boeing data published by LockBit 


LockBit has released over 43GB of files after Boeing refused to pay the ransom.

  • Most appear to be backups from various systems with a timestamp of October 22 
  • Items that showed up in the release include configuration backups of IT management systems and logs from monitoring and auditing tools 

Link (1): https://www.bleepingcomputer.com/news/security/lockbit-ransomware-leaks-gigabytes-of-boeing-data/ 

 

US was the most breached country last quarter 


Q3 2023 saw a 76% decrease in breached accounts, but the US still ranked highest at 26% of the total (8.1 million accounts).

  • Russia came in 2nd place with 7.1 million breached accounts 

Link (1): https://anthonycarranzza.medium.com/the-u-s-still-the-most-breached-country-in-q3-d18dbc2fdaa4 

 

OpenAI blames DDoS attacks for ongoing ChatGPT outages 


A DDoS attack has caused periodic outages affecting ChatGPT and the developer tools.

  • On Nov 8th, OpenAI stated that it had resolved the DDoS attack; however, the attack returned, and OpenAI later stated that it was still experiencing periodic issues 

Link (1): https://techcrunch.com/2023/11/09/openai-blames-ddos-attack-for-ongoing-chatgpt-outage/ 

 

SysAid Exploited by Cl0p Ransomware (CVE-2023-47246) 


CVE-2023-47246: In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023 

  • DEV-0950 (Lace Tempest) uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service 
  • If you are a SysAid customer using a SysAid On-Prem server, SysAid advises that you take the following actions: 
      • Ensure that your SysAid systems are updated to version 23.3.36, which includes the patches for the identified vulnerability 
      • Conduct a thorough compromise assessment of your SysAid server to look for any of the indicators mentioned in the advisory 
      • Review any credentials or other information that would have been available to someone with full access to your SysAid server, and check any relevant activity logs for suspicious behavior 
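The compromise-assessment step above comes down to one question: is there anything deployable in the Tomcat webroot that you did not put there? The script below is an added example written for this update, not SysAid's or any vendor's code. It assumes the usual Tomcat layout with applications under a `webapps` directory, and it flags WAR/JSP files that are either missing from an allowlist of known-good artefacts or modified after a review cutoff. The sample webroot is constructed in a temporary directory so the script runs offline; the file names in it are made up and are not indicators from the incident.

```python
"""Compromise-assessment helper for a Tomcat webroot (added example, not vendor code).

Assumptions (not from the advisory): deployed apps live under <base>/webapps,
and the defender can supply a list of expected artefacts plus a review cutoff.
"""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# File types Tomcat will execute or explode into a running application.
WEB_EXECUTABLE = {".war", ".jsp", ".jspx"}


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the webapps directory (POSIX style)
    reason: str  # why it was flagged


def scan_webroot(webapps: Path, expected: set[str], cutoff: float) -> list[Finding]:
    """Return every deployable artefact that is unexpected or too recent.

    expected: relative paths of artefacts known to belong to the install.
    cutoff:   epoch seconds; anything modified after this gets flagged.
    A file can produce two findings (unknown AND recently modified).
    """
    findings: list[Finding] = []
    for root, _dirs, files in os.walk(webapps):
        for name in files:
            p = Path(root) / name
            if p.suffix.lower() not in WEB_EXECUTABLE:
                continue
            rel = p.relative_to(webapps).as_posix()
            if rel not in expected:
                findings.append(Finding(rel, "not in allowlist"))
            if p.stat().st_mtime > cutoff:
                findings.append(Finding(rel, "modified after cutoff"))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def build_sample_webroot() -> tuple[Path, set[str], float]:
    """Construct a throwaway webroot: one legitimate app, one late-added WAR + JSP.

    All names and contents here are constructed for the example.
    """
    base = Path(tempfile.mkdtemp(prefix="webroot-example-"))
    webapps = base / "webapps"
    cutoff = time.time() - 86400   # review cutoff: 24 hours ago
    old = cutoff - 3600            # legitimate deploy: 25 hours ago

    good_war = webapps / "servicedesk.war"
    good_war.parent.mkdir(parents=True)
    good_war.write_bytes(b"PK\x03\x04 constructed placeholder")
    os.utime(good_war, (old, old))

    good_jsp = webapps / "servicedesk" / "index.jsp"
    good_jsp.parent.mkdir()
    good_jsp.write_text("<html>constructed</html>")
    os.utime(good_jsp, (old, old))

    # Unexpected artefacts written "now", i.e. after the cutoff.
    rogue_war = webapps / "unexpected.war"
    rogue_war.write_bytes(b"PK\x03\x04 constructed placeholder")
    rogue_jsp = webapps / "unexpected" / "ping.jsp"
    rogue_jsp.parent.mkdir()
    rogue_jsp.write_text("<%-- constructed --%>")

    expected = {"servicedesk.war", "servicedesk/index.jsp"}
    return webapps, expected, cutoff


def main() -> None:
    webapps, expected, cutoff = build_sample_webroot()
    for f in scan_webroot(webapps, expected, cutoff):
        print(f"{f.reason:22s} {f.path}")


if __name__ == "__main__":
    main()
```

Against a real server, point `scan_webroot` at the actual `webapps` directory, populate the allowlist from a known-good install or package manifest, and set the cutoff to the last change window you can vouch for; anything it prints deserves a hash and a look inside before the server goes back into service.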

Link (1): https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification 


Sumo Logic Breach 


On November 3rd, Sumo Logic detected evidence of a breach in which an attacker used stolen credentials to gain access to the Sumo Logic AWS account.

  • Sumo Logic systems and networks were not impacted, and customer data has been and remains encrypted 
  • Immediately upon detection, the exposed infrastructure was locked down and infrastructure credentials were rotated out of an abundance of caution 
  • Customers and MSPs are being advised to rotate the following: 
      • Sumo Logic API keys 
      • Sumo Logic installed collector credentials 
      • Third-party credentials that have been stored with Sumo Logic for the purpose of data collection by the hosted collector (e.g., credentials for S3 access) 
      • Third-party credentials that have been stored with Sumo Logic as part of a webhook connection configuration 
      • User passwords to Sumo Logic accounts 

Link (1): https://www.bleepingcomputer.com/news/security/sumo-logic-discloses-security-breach-advises-api-key-resets/ 

 

WS_FTP Server Update CVE-2023-42659 


CVE-2023-42659 (CVSS 9.1): In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user could craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application. 

  • The latest November Service Pack incorporates the fix 
  • Note: upgrading to a patched release using the full installer is the only way to remediate the issue, and the system will experience an outage while the upgrade is running 

Link (1): https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023 


ScreenConnect used to Attack Healthcare 


I wish this was the only time I have seen this occur, but it's not, and it's very devastating to see it continue to occur.

  • ConnectWise's ScreenConnect is a program normally used by MSPs, MSSPs, and organizations alike across the world; however, ConnectWise also allows for "trial" offerings, and I have personally seen Threat Actors utilize these options to deploy ScreenConnect during an incident to maintain a foothold in an environment 
  • The area of concern here is that if a Threat Actor gains access to an existing ScreenConnect instance, they can remote into any machine it's installed on, record sessions, upload/download files without user knowledge, and perform many other operational actions (e.g., shut down the system) 
  • The article in link #1 walks through how a third-party pharmaceutical vendor was linked to a pharmacy and health clinic cyberattack – well worth a read 
  • This really goes back to understanding the organization's Third-Party Risk Management (TPRM) program and getting a grasp on how vendors with access into an environment could introduce threats 

Link (1): https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack 


OpenVPN Access Server Vulnerabilities 


CVE-2023-46849: Using the --fragment option in certain configuration setups, OpenVPN versions 2.6.0 to 2.6.6 allow an attacker to trigger divide-by-zero behavior, which could cause an application crash, leading to a denial of service.

  • CVE-2023-46850: Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavior, leaking memory buffers or remote execution when sending network buffers to a remote peer. 
  • Recommendation – update OpenVPN Access Server to the latest version as soon as possible; it contains the fixes for both vulnerabilities 

Link (1): https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/ 

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2023-46849 

Link (3): https://nvd.nist.gov/vuln/detail/CVE-2023-46850 


Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been a part of multiple groups within the IT field spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up. 


Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. 


He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. 
