Flair Data Systems Technology Insights

Choosing the Right Cybersecurity Solutions in Dallas, TX

Fri, 03 Oct 2025 04:33:21 GMT

In today’s digital-first world, small and medium-sized enterprises (SMEs) in Dallas face increasing threats to their data, operations, and customer trust. From ransomware attacks to phishing scams and data breaches, the need for robust cybersecurity solutions in Dallas, TX, has never been more urgent. This guide offers practical insights for local businesses seeking to safeguard their digital assets and highlights how Flair Data Systems delivers tailored protection.

The Rising Tide of Cyber Threats in Dallas

Dallas has become a thriving hub for innovation and entrepreneurship, but with growth comes vulnerability. Cybercriminals are targeting SMEs more aggressively, knowing that many lack the resources of larger corporations. Common threats include:

Ransomware: Malicious software that locks systems until a ransom is paid.
Phishing: Deceptive emails or messages designed to steal credentials.
Data Breaches: Unauthorized access to sensitive customer or business data.

These attacks can cripple operations, damage reputations, and lead to significant financial losses. That’s why investing in cybersecurity solutions in Dallas, TX, is not just a precaution—it’s a necessity.

What Makes a Cybersecurity Solution Effective?

Choosing the right cybersecurity solution involves more than just installing antivirus software. Effective protection requires a multi-layered approach tailored to your business’s unique needs. Key components include:

Network Security: Firewalls, intrusion detection systems, and secure configurations.
Endpoint Protection: Safeguarding devices like laptops, smartphones, and tablets.
Data Encryption: Ensuring sensitive information is unreadable to unauthorized users.
Employee Training: Educating staff on recognizing and avoiding threats.

A comprehensive strategy ensures that every aspect of your digital infrastructure is protected. Flair Data Systems specializes in delivering cybersecurity solutions in Dallas, TX, that are customized for local businesses.

Why Local Businesses Need Tailored Cybersecurity

Generic cybersecurity tools often fall short for SMEs. Local businesses in Dallas operate in diverse industries—from retail and healthcare to finance and logistics—each with its own risks and compliance requirements. Tailored solutions offer:

Industry-Specific Protection: Addressing threats unique to your sector.
Scalability: Growing with your business without compromising security.
Compliance Support: Meeting regulations like HIPAA, PCI-DSS, or GDPR.

Flair Data Systems understands the Dallas business landscape and provides cybersecurity solutions in Dallas, TX, that align with your goals and challenges.

Flair Data Systems: Your Local Cybersecurity Partner

Flair Data Systems is a trusted provider of cybersecurity solutions in Dallas, TX, helping SMEs defend against evolving threats. Their approach is rooted in understanding your business and delivering proactive, responsive, and scalable protection.

Services Offered:

Risk Assessments: Identifying vulnerabilities before attackers do.
Managed Security Services: 24/7 monitoring and incident response.
Cloud Security: Protecting data stored in cloud environments.
Compliance Consulting: Ensuring your business meets legal and industry standards.

With a team of experienced professionals and cutting-edge technology, Flair Data Systems empowers Dallas businesses to operate confidently in a digital world.

Real-World Impact: How Flair Data Systems Protects Dallas SMEs

Consider a local retail company that suffered a phishing attack, compromising customer data and halting operations. Flair Data Systems stepped in with a rapid response plan, restoring systems, securing data, and implementing employee training to prevent future incidents.

Another example is a healthcare provider facing HIPAA compliance challenges. Flair Data Systems conducted a thorough audit, implemented encryption protocols, and provided ongoing support—ensuring both security and regulatory peace of mind.

These success stories highlight the importance of choosing cybersecurity solutions in Dallas, TX, that are both proactive and personalized.

How to Choose the Right Cybersecurity Partner

When evaluating cybersecurity providers, Dallas SMEs should consider:

Experience: Does the provider understand the local business environment?
Customization: Are solutions tailored to your industry and size?
Support: Is there 24/7 assistance and rapid incident response?
Transparency: Are services clearly explained with no hidden costs?

Flair Data Systems checks all these boxes, offering cybersecurity solutions in Dallas, TX, that are built around your business—not a one-size-fits-all model.

The Cost of Inaction

Ignoring cybersecurity can be costly. A single breach can result in:
Financial Losses: From ransom payments to lost revenue.
Legal Consequences: Fines for non-compliance with data protection laws.
Reputation Damage: Loss of customer trust and brand credibility.

Investing in cybersecurity solutions in Dallas, TX, is a strategic move that protects your bottom line and future growth.

Building a Cyber-Resilient Culture

Technology alone isn’t enough. A cyber-resilient business fosters a culture of awareness and accountability. This includes:

Regular Training: Keeping employees informed about new threats.
Clear Policies: Defining acceptable use and response protocols.
Continuous Improvement: Updating systems and strategies as threats evolve.

Flair Data Systems supports this cultural shift by offering training and consulting as part of their cybersecurity solutions in Dallas, TX.

Ready to Secure Your Business?

Cyber threats are not going away—but with the right partner, your business can stay ahead of them. Flair Data Systems is committed to helping Dallas SMEs protect their digital assets with smart, scalable, and effective cybersecurity solutions.

Cyber threats in Dallas are real and growing, but with the right cybersecurity solutions, you can safeguard your business from devastating attacks. Investing in a customized cybersecurity strategy with Flair Data Systems’s expert team gives you peace of mind and protection tailored to your needs.

Don’t wait until your digital assets are compromised. Call us today at (214) 445-3500 to schedule a consultation. Let Flair Data Systems help you choose the right cybersecurity solutions in Dallas, TX, and secure your business’s future.

Cybersecurity Solutions in Fort Worth, TX: 5 Insights

Mon, 25 Aug 2025 12:03:48 GMT

In 2025, cybersecurity is no longer a secondary IT issue—it’s a mission-critical priority for businesses of all sizes. At Flair Data Systems, we’ve witnessed the growing complexity of cyber threats across Fort Worth, from targeted ransomware to phishing campaigns and cloud-based vulnerabilities. As attackers grow more sophisticated, your organization’s defense strategies must evolve just as quickly. That’s where we come in. Our team specializes in cybersecurity solutions in Fort Worth, TX that are tailored, proactive, and built to stop threats before they cause harm. Ready to strengthen your digital defenses? Call us today at (214) 445-3500 to speak with a local expert.

In this post, we’ll explore local cybersecurity trends, analyze recent Fort Worth incidents, and explain how Flair Data Systems is equipping organizations with next-level protection. If you’re searching for a reliable cybersecurity news blog in Fort Worth, TX, or looking to strengthen your current IT defenses, you’ve landed in the right place.

Cybersecurity in Fort Worth: A 2025 Snapshot

As Fort Worth rapidly expands as a leading business and technology hub, it has also become a prime target for cyberattacks. From small businesses and healthcare facilities to municipal infrastructure, the rise in threats is undeniable. This surge in activity highlights the urgent need for cybersecurity solutions in Fort Worth, TX that provide immediate response and long-term protection.

In just the first half of 2025, numerous Fort Worth-based businesses have been hit by ransomware strains such as Black Basta and LockBit 3.0. Even the Fort Worth ISD (Independent School District) reported attempted data breaches in April, which were successfully mitigated thanks to their internal cybersecurity team's quick action. These incidents are far from isolated—they mirror broader trends affecting organizations across the country. At Flair Data Systems, we emphasize the importance of proactive, locally focused cybersecurity solutions in Fort Worth, TX to help businesses and institutions defend against these evolving threats and protect their digital future.

Why Local Threats Need Localized Cybersecurity Solutions

One-size-fits-all doesn’t work when it comes to cybersecurity. At Flair Data Systems, we don’t just install generic firewalls and walk away. We take a tailored approach to cybersecurity solutions in Fort Worth, TX. That means understanding your specific risks—whether you're a retail store downtown, a medical facility on the west side, or a financial services firm near Sundance Square.

By analyzing Fort Worth-specific incident patterns and industry-specific vulnerabilities, we craft layered defense strategies. These include:

Real-time threat monitoring and SIEM integration.
Endpoint detection and response (EDR) tailored to mobile/remote employees.
Multi-factor authentication and access control systems.
Staff cybersecurity training workshops (essential for ransomware prevention).
Regulatory compliance solutions for HIPAA, PCI-DSS, and NIST frameworks.

Top Cybersecurity Trends in Fort Worth for 2025

We're monitoring several critical trends that directly impact Fort Worth businesses:

1. Rise of AI-Driven Cyberattacks

Cybercriminals are increasingly using AI-powered tools to automate phishing attacks and scan for vulnerabilities at scale. In Fort Worth, several mid-sized businesses have already been targeted by deepfake video scams—where attackers convincingly impersonate company executives during video calls to authorize fraudulent fund transfers. These advanced threats highlight the growing need for robust, adaptive cybersecurity solutions in Fort Worth, TX that can detect and neutralize AI-driven attacks before they cause significant financial or reputational damage.

2. Targeting of Municipal Infrastructure

Like many U.S. cities, Fort Worth’s public services face increasing cyber threats. In early 2025, there was an attempted breach of city planning department files—an incident that underscores the need for endpoint resilience and network segmentation.

3. Cloud Misconfigurations

As more Fort Worth businesses migrate to cloud platforms, misconfigured access settings are leading to exposed data. Our team frequently assists with cloud security audits and secure architecture design.

As these trends accelerate, our commitment remains clear: provide robust, industry-specific cybersecurity solutions in Fort Worth, TX that adapt faster than the threats.

Real Fort Worth Incident: How Flair Data Systems Responded

Earlier this year, a local manufacturing firm in Fort Worth experienced a ransomware attack that encrypted their production system. Within hours, our team responded. Using endpoint isolation, forensic analysis, and rapid data recovery protocols, we restored their operations with zero ransom paid.

That’s the power of proactive defense—and the expertise Flair Data Systems brings to the table.

Education, Awareness, and the Role of Community

While we provide technology-based solutions, we know that awareness is just as vital. That’s why our cybersecurity news blog in Fort Worth, TX is updated monthly to cover emerging risks, incident breakdowns, and tips for employee safety online.

As part of our comprehensive cybersecurity solutions in Fort Worth, TX, we host quarterly webinars and provide on-site training tailored for local organizations. Our services include simulated phishing attacks, in-depth vulnerability assessments, and customized playbook development to enhance your incident response strategy.

Cybersecurity is a shared responsibility—and at Flair Data Systems, we’re committed to making Fort Worth smarter, stronger, and safer.

Secure Your Digital Future Today

At Flair Data Systems, we recognize the critical need for effective cybersecurity solutions in Fort Worth, TX. Whether you're a small startup or a large enterprise, every business in Fort Worth deserves proactive, adaptive protection. Cyber threats are real, the risks are significant, and there’s no better time to take action than now.

If you're ready to evaluate your current systems or simply want to stay informed via a trusted cybersecurity news blog in Fort Worth, TX, we’re here for you. Reach out to us today for a custom consultation, and let’s start securing your organization for the challenges of 2025.

Visit our Contact Page or call (214) 445-3500 to schedule a cybersecurity assessment with our Fort Worth-based team.

Why Businesses Can’t Ignore Managed Cybersecurity Solutions

Wed, 30 Jul 2025 23:02:59 GMT

Businesses face numerous digital threats. Flair Data Systems provides essential cybersecurity solutions in Fort Worth, TX , to protect your company from these risks. When it comes to securing your data and safeguarding customer information, you can’t afford to overlook managed cybersecurity services. The insights in this article are brought to you by Flair Data Systems, your trusted partner in cybersecurity.

Understanding Cybersecurity Risks

Cyber threats are constantly evolving. Businesses must stay ahead of these threats to avoid breaches. Managed cybersecurity solutions provide a proactive approach to identifying and mitigating risks. These solutions include constant monitoring, threat detection, and response strategies. It’s not just a matter of installing antivirus software or firewalls; it is about having a comprehensive, all-encompassing defense system in place.

Consider the increase in ransomware attacks, where hackers encrypt a company’s data and demand a ransom for its release. Without managed cybersecurity, businesses are more vulnerable to these kinds of malicious activities. Moreover, data breaches can lead to the loss of sensitive information, financial losses, and damage to the company’s reputation.

DIY vs. Managed Cybersecurity

Many businesses consider handling cybersecurity internally. However, DIY cybersecurity lacks the expertise and resources needed to tackle sophisticated cyber threats. Managed cybersecurity solutions offer professional expertise. Companies benefit from experienced teams dedicated to managing and responding to cyber incidents. Hiring in-house experts can be costly and may not provide 24/7 coverage. Managed cybersecurity services solve this by offering constant surveillance and rapid response to any security issues that may arise.

DIY approaches often involve inconsistent security policies and fragmented tools, creating potential security gaps. Managed cybersecurity providers offer a cohesive, streamlined approach, ensuring all aspects of your cybersecurity infrastructure work harmoniously.

Cost Savings With Managed Services

Investing in managed cybersecurity solutions initially seems costly. However, the long-term benefits outweigh the expenses. Picture the cost associated with a significant data breach—loss of revenue, regulatory fines, legal fees, and loss of customer trust. Businesses save money by preventing costly data breaches. Managed services reduce downtime and increase productivity. These solutions ensure business continuity during cyber incidents.

Additionally, managed cybersecurity services can help businesses avoid the hidden costs of cybersecurity. This includes training employees, updating systems, and staying current with the latest threats. By outsourcing these tasks to experts, businesses can focus their resources on core functions without compromising on security.

24/7 Monitoring and Support

One of the significant benefits of managed cybersecurity solutions is round-the-clock monitoring. Cyber threats don’t keep business hours. Hackers often exploit vulnerabilities at odd hours when businesses are less likely to respond promptly. 24/7 monitoring ensures immediate response to potential threats, minimizing damage. Constant vigilance provides peace of mind to business owners.

Around-the-clock monitoring also means that businesses have access to cybersecurity expertise at any time, ensuring that any issues are addressed swiftly and effectively. This reduces the window of opportunity for attackers and lowers the risk of prolonged downtime or data loss.

Scalability for Growing Businesses

As businesses grow, so do their cybersecurity needs. Managed cybersecurity solutions offer scalability to match business expansion. They adapt to the increasing complexity of your digital infrastructure. This flexibility ensures continuous protection as your business evolves.

Managed services can easily adjust to new challenges, whether you are expanding your network, adopting cloud services, or opening new branches. They provide tailor-made solutions that grow with your company, ensuring every aspect of your business remains secure.

Real-World Benefits

The real-world benefits of managed cybersecurity solutions are tangible. For example, businesses avoid financial losses associated with data breaches. Customer trust is maintained when their data is protected. Compliance with regulations is easier when using managed services. These solutions offer a comprehensive approach to securing business operations.

Consider a scenario where a competitor business experiences a massive data breach due to poor cybersecurity infrastructure, leading to a significant loss of client trust and legal troubles. Your business, safeguarded by managed cybersecurity services, not only avoids similar pitfalls but also stands out as a secure and trustworthy entity.

Insights From Cybersecurity Blog Posts

Valuable insights are shared in cybersecurity blog posts. These posts highlight current trends and threats. Businesses gain knowledge on best practices for enhancing their cybersecurity posture. Staying informed through blog posts helps in making educated decisions regarding cybersecurity investments.

For example, by reading regular updates from cybersecurity blog posts in Fort Worth, TX, business owners can stay updated with emerging threats, understand the necessity of patches and updates, and even learn about potential vulnerabilities in their current systems. Additionally, knowledge from these blog posts, along with resources like this article on securely shutting down business units , can offer valuable guidance on various cybersecurity aspects.

Flair Data Systems: Your Trusted Partner

Flair Data Systems, serving Fort Worth, TX, offers expert managed cybersecurity solutions. Their services include detailed assessments, implementation, and ongoing management. Partnering with Flair Data Systems ensures your business is equipped with proactive cybersecurity measures.

Act Now to Protect Your Business

Don’t leave your business vulnerable to cyber threats. Contact Flair Data Systems in Fort Worth, TX, today. Protect your data, maintain customer trust, and ensure regulatory compliance with managed cybersecurity solutions. Secure your business’s future with expert support and 24/7 monitoring services. Let Flair Data Systems guide you in fortifying your digital defenses.

Cybersecurity Services in Dallas, TX for Business Protection

Mon, 03 Mar 2025 08:46:11 GMT

The digital landscape is evolving rapidly, and with it, the risk of cyberattacks grows daily. Cybersecurity services in Dallas, TX are essential for businesses looking to protect sensitive data and maintain operational security. Investing in advanced cybersecurity solutions helps prevent breaches and ensures data integrity.

Why Your Business Needs Cybersecurity Services in Dallas, TX

In today's digital world, businesses of all sizes are vulnerable to cyberattacks. Hackers continuously develop new techniques to breach security systems, putting sensitive data, customer information, and financial records at risk. A single cyberattack can result in financial losses, reputational damage, and legal consequences.

Having a strong cybersecurity framework in place can help businesses prevent unauthorized access, mitigate risks, and maintain regulatory compliance. Partnering with cybersecurity professionals ensures that your company benefits from the latest security technologies and best practices.

Organizations that neglect cybersecurity measures often face prolonged downtime, disrupted operations, and loss of customer trust. By investing in cybersecurity services in Dallas, you take proactive steps to secure your business, allowing you to focus on growth and success.

Cyber threats come in many forms, from data breaches to phishing attacks and malware. Without proper cybersecurity measures, your business could face devastating financial and reputational losses. Investing in professional cybersecurity services in Dallas ensures your company remains protected against evolving threats.

Essential Components of a Strong Cybersecurity Framework

Implementing strong cybersecurity measures is vital for protecting your company's digital assets. Effective strategies include:

Firewalls and Intrusion Detection: Blocking unauthorized access to your network.
Employee Training: Educating staff to recognize phishing attempts and cyber risks.
Multi-Factor Authentication (MFA): Adding an extra layer of security to logins.
Regular Security Audits: Ensuring your defenses stay up-to-date.

Key Benefits of Cybersecurity Services in Dallas, TX

Advanced Threat Detection: Identify and mitigate cyber threats before they cause damage.
24/7 Monitoring: Continuous surveillance ensures real-time security management.
Data Encryption: Protect sensitive customer and company information.
Compliance Assurance: Meet industry standards and regulatory requirements with ease.

Enhancing Cybersecurity With Proven Strategies

Strengthening cybersecurity requires a multi-layered approach. Businesses can improve their security posture by implementing robust firewalls, advanced endpoint protection, and regular vulnerability assessments. Proactive monitoring and rapid response strategies are also key to preventing cyber threats from causing disruption.

Protect Your Business With Cybersecurity Services in Dallas, TX

Don't let cyber threats jeopardize your business. Protect your data and maintain business continuity with cybersecurity services in Dallas, TX from Flair Data Systems. Call us today at (214) 445-3500 or contact us online to schedule a consultation. Your security is our priority!

Cybersecurity Services in Fort Worth, TX for Business Safety

Fri, 07 Feb 2025 14:06:59 GMT

As a small or medium-sized business owner in Fort Worth, TX, you know that keeping your data and systems secure is essential to your operations. Unfortunately, the threat landscape for cybersecurity has evolved rapidly, and small businesses are increasingly becoming prime targets for cybercriminals. Cybersecurity services in Fort Worth, TX , are no longer a luxury—they're a necessity to protect your business from a growing number of threats. Let’s explore the top cybersecurity threats facing Fort Worth businesses today and how comprehensive cybersecurity services can offer protection.

The Threat of Phishing: Why Cybersecurity Services in Fort Worth, TX Matter

Phishing is one of the most prevalent cybersecurity threats confronting Fort Worth businesses. Hackers use deceptive emails and websites to trick employees into divulging sensitive information such as login credentials or financial details. These attacks are becoming increasingly sophisticated, making it challenging for even seasoned IT professionals to identify them. Defending Against Phishing: Employing advanced cybersecurity measures such as email filtering, employee training on recognizing phishing attempts, and implementing two-factor authentication can significantly reduce the risk of falling victim to phishing scams.

Ransomware: A Growing Cybersecurity Threat for Businesses in Fort Worth, TX

Ransomware attacks have skyrocketed in recent years and can cripple companies by encrypting their data and demanding substantial ransoms for its return. These attacks can lead to extensive downtime, loss of critical data, and reputational damage.

Ransomware Mitigation: Businesses should adopt a proactive cybersecurity stance by regularly backing up data, keeping software updated, and utilizing endpoint protection systems to detect and neutralize threats.

Cybersecurity Services in Fort Worth, TX: Tackling Insider Threats

While external threats often garner more attention, insider threats can be equally devastating. Disgruntled employees or those with ulterior motives can exploit their access to company systems to steal data, sabotage operations, or leak confidential information.

Reducing Insider Threats: Implement strict access controls, conduct regular audits, and foster a positive work environment to minimize the risk posed by insiders. Employing behavioral monitoring tools can also help identify unusual activities indicative of insider threats.

Partner With Flawless Experts: The best strategy for protecting your business’s digital assets is to employ comprehensive cybersecurity services. Partnering with experts in the field, such as Flair Data Systems, can fortify your defenses against these escalating threats. Flair Data Systems offers tailored cybersecurity solutions in Fort Worth, TX, to protect your data, infrastructure, and reputation.

Lack of Proper Security Protocols: How Cybersecurity Services in Fort Worth, TX Can Help

As cyber threats continue to evolve, staying ahead requires more than just basic security measures. It demands a strategic approach and vigilance. Businesses in Fort Worth, TX, shouldn’t leave their cybersecurity to chance. By partnering with us, you gain access to cutting-edge technology and expert insights tailored to your unique needs. Stay ahead of cyber threats—contact us today at (214) 445-3500 for tailored cybersecurity solutions in Fort Worth, TX!

Flair Data Systems Cybersecurity News Update 7-22-2024

Mon, 22 Jul 2024 22:09:15 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/22/2024...

Happy Monday!

Today is not Wednesday (my usual day for posting) and you still have a full week ahead of you! However, due to the massive issues that occurred on Friday (CrowdStrike + Microsoft) I felt sending out my weekly newsletter a bit earlier in the week was appropriate. First off, the elephant in the room where 8.5 million endpoints were affected by a single “content update” that affected a security tool had the consequences of breaking multiple industries systems across the globe.

I have also been asked by several customers if SentinelOne has the same potential for occurring, and the quick answer is no. For one, SentinelOne does not manipulate mechanisms within the Kernal with their Content Updates. Secondly, their agent updates are fully controlled by the customers – you determine how slow or fast you wish to push those updates.

This incident's aftermath will still unfold over weeks, months, or even years. When something can take down government agencies, airlines, and other organizations in this manner, there will be conversations about how this happened and how it will not happen again.

As for the rest of this week’s updates....here you go!

CrowdStrike Outage and Updates

This outage was due to a Kernel update for the Falcon product line, their flagship EDR

Content Updates are typically pushed automatically, without any input from the Organization – as this is how CrowdStrike (and many others) feel is best to get updates to the endpoints quickly
Unfortunately, this update causes a BSOD (Blue Screen of Death) because it faulted at the Kernel level for Windows system
This outage caused massive outages across every sector in the world, and global outages, including some statistics from their own website
298 of the Fortune 500
538 of the Fortune 1000
8 out of the top 10 Financial services firms
7 out of the top 10 manufacturers
8 out of the top 10 food & beverage companies
8 out of the top 10 auto companies
43 of the 50 U.S. states
6 out of the top 10 healthcare providers
8 out of the top 10 technology firms
Several people I am connected to on LinkedIn showed signs of the BSOD at gas stations, local gyms, airports, etc.
I had friends reaching out telling me how their network went down due to the issue, and they were mainly a Chrome Book environment – so you ask how? Active Directory is their DNS/DHCP controllers, when that goes down everything follows.
Recovery was a bit of a nightmare, which I have heard CrowdStrike is working to help customers. However, it does currently require gaining Safe Boot to delete certain files – remote users? BitLocker? Those two variables are a nightmare to work through.
I know one person reading this email is probably having a panic attack as he reads this part about BitLocker key being required to access Safe Boot
Having a BCP/DR plan for these types of outages are not really considered, even though they should be – also understanding what your critical services can do instead of blindly trusting the developers
Some users lucked out – either their systems were offline (for whatever reason) and did not get the update, or constantly rebooting the system finally allowed the fixed version to be updated before Falcon went online (I have heard it could take up to 15 reboots to get that one to work)
For me, I was making a purchase and had to wait for a statewide website to come back online before it could be finalized – that happened between 4:45P and 5P CST. The funny part is that the front-end portion never went off, but the authentication portion would never work – telling me that the web app was probably Linux based and the backend was a Windows based database server.

Link (1): https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/

Link (2): https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/

Link (3): https://lifehacker.com/tech/fix-the-crowdstrike-bug-with-usb-drive

Cisco Smart Software Manager Vulnerability CVE-2024-20419

CVE-2024-20419 (score of 10): Vulnerability within the authentication system of Cisco Smart Software Manager On-Premises (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users

This occurred due to improper implementation of the password-change process, where an attacker could exploit this by sending crafted HTTP requests to an affected device.
Successful exploitation would allow an attacker to access the web UI or API with the privileges of the compromised user
Patches have been released, and Cisco is not seeing any exploitation in the wild

Link (1): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy

Link (2): https://thehackernews.com/2024/07/cisco-warns-of-critical-flaw-affecting.html

Critical Security Flaw in Cisco Secure Email Gateway: CVE-2024-20401

CVE-2024-20401 (score of 9.8): vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operation system

This is due to an improper handling of email attachments when file analysis and content filters are enabled, where an attacker could exploit this by sending an email that contains a crafted attachment through an affected device
A successful exploit could allow the attacker to replace any file on the underlying file system, and then perform any of the following actions: add users with root privileges, modify the device config, execute arbitrary code, or cause a permanent DoS condition on the affected device
Devices not affected by this would include Secure Email and Web Manager, and Secure Web Appliance
The vulnerability affects Cisco Secure Email Gateway IF it is running a vulnerable release of Cisco AsyncOS and BOTH of the following conditions are met
Either the file analysis feature, which is part of Cisco AMP, or the content filter feature is enabled and assigned to an incoming mail policy
Content Scanner Tools version is earlier than 23.3.0.4823

Link (1): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH

Link (1): https://thehackernews.com/2024/07/cisco-warns-of-critical-flaw-affecting.html

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children.

About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. We provide trusted cybersecurity services in Dallas, TX. and the DFW Metroplex.

Flair Data Systems Cybersecurity News Update 7-17-2024

Wed, 17 Jul 2024 18:39:39 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/17/2024...

Good morning!

Over the past week, it has been quite a whirlwind to say the least. For one, I was part of a Podcast by Security Studio CvCISO this past Friday (set to release this coming Friday) and that led to an interesting conversation around the use of terminology. Cybersecurity vs Information Security was one of the topics and the differences between those two words. At the end of the day people are using them quite interchangeably and adding to more of the confusion. For one, Cybersecurity falls underneath Information Security, yet the industry continues to call them one in the same. This is not something to get worked up about and honestly, I do not see it changing (as I had this conversation with someone 5 years ago, and yet we are still having it).

Another enjoyable conversation that occurred in the past week was with a friend about the state of cybersecurity (see, I just did it) and what they should be doing to continue to increase their controls and awareness. One of the biggest areas is education of users, whether it's about how to spot malicious intent emails/texts/instant messages, to why it's important to use longer passwords over simple to remember passwords (I am not referring to making them overly complicated - you can use simplicity with length), and lastly making sure users understand the importance of Multifactor Authentication being enabled and why. Yet, if we want to focus on areas we CAN control (well, because people are not a variable that can be controlled) would be implementing tools to help educate them on creating proper passwords effectively.

Are these measures 100% stopping threats? By no means, but they do implement a solid deterrent.

So, with that, let’s dive into this week’s cybersecurity news update...

Advance Auto Parts reveals damage from Snowflake breach

This appears to be yet another company being affected by the Snowflake incident, which has affected 2.3 million people

The attacker had access to the environment from April 14 until May 24
Compromised data potentially included names, Social Security numbers, driver’s license or other government issued ID numbers and dates of birth
One thing is for certain, the Snowflake breach has caused a large limelight to be placed on SaaS providers and MFA not being enabled – where does the responsibility lie? On the Customer or the Vendor? Both?

Link (1): https://www.cybersecuritydive.com/news/advance-auto-parts-snowflake-data-breach/721353/

The personal security implications of the AT&T breach, and the laundering of the ransom paid

AT&T revealed threat actors have gained access to their Snowflake instance to obtain records of customer call and text interactions from May 2022 through Oct 2022

The data included interacted phone numbers, including call or text counts and call durations – this did NOT include the content of the calls or texts, timestamps, and other sensitive personal information (i.e., customer names – but let’s be honest, finding the correlation between a phone number and name is simple)
AT&T paid roughly $370,000 in bitcoin in May 2024 to prevent the data from getting leaked
The threat actor involved has started taking the bitcoin paid by AT&T and because laundering it through cryptocurrency mixing platforms and gambling services

Link (1): https://www.securityweek.com/att-breach-linked-to-american-hacker-telecom-giant-paid-370k-ransom-reports/

Link (2): https://therecord.media/att-ransom-laundered-mixers-research

Patch or Peril: A Veeam Vulnerability Incident

CVE-2023-27532 was made public in March of 2023, and has already had patches released by Veeam

The above blog is based on the findings from Group IB, the DFIR team that found this vulnerability and reported it
The Threat Actor, Estate Ransomware, initially accessed the environment through a dormant account to gain VPN access from a FortiGate SSL VPN connection
They then gained persistence through a backdoor (svchost.exe) on the failover server, and conducted lateral movement through RDP
The CVE in question for Veeam was exploited by activation of xp_cmdshell and a rogue user account was created
Using known tools by NirSoft they were able to conduct discovery, enumeration, and credential harvesting (i.e., NetScan, AdFind, and others)
Windows Defender was disabled using DC.exe, which then allowed the threat actor to deploy and execute their ransomware software by using PSExec.exe
Sadly, I have seen these tactics personally within other organizations and the TTP’s listed above are not shocking but more worrisome due to some of these are basics that should be handled – dormant accounts, blocking of certain types of tools (psexec.exe), monitoring/response of activities to gain persistence by pivoting to different services already running.

Link (1): https://www.group-ib.com/blog/estate-ransomware/

Palo Alto patches critical vulnerability within Expedition Migration Tool

The Expedition Migration Tool is used to take configurations from other Firewall config’s and convert them into Palo’s config, to help speed up migration processes

CVE-2024-5910 (score of 9.3): missing authentication in the migration tool that could lead to an admin account takeover
This impacts all versions of Expedition prior to version 1.2.92
No evidence of exploitation in the wild, but users are advised to update to the latest version
If not able to patch, the work around is to isolate the tool to authorized users, hosts, or networks

Link (1): https://thehackernews.com/2024/07/palo-alto-networks-patches-critical.html?m=1

Rite Aid announces data breach following June cyberattack and updates

Interesting finding, the “Limited” cyber incident reported by Rite Aid has not exposed more than 2 million records of sensitive information

The attack began on June 6, where a hacker impersonated a company employee to compromise their business account and gain access to certain systems
Unfortunately, this is not the first incident that Rite Aid has faced recently, they have reported other incidents to regulators in California in 2015, 2017, and 2018; and are facing lawsuits from a data breach in 2023 that exposed PHI

Link (1): https://therecord.media/rite-aid-data-breach-2-million-people

CDK Global paid ransom

To add more color to the CDK Global incident, it has been reported that they paid $25 million ransom in bitcoin

The threat actor’s bitcoin wallet showed a transaction of $25 million (387 bitcoin) but it is to note that this transaction did not come from CDK Global directly, which is common in these situations
What is interesting, the ransom was paid 2 days after the attack, but even with the decryption keys in hand it does take quite a bit of time to restore the systems and get things back online

Link (1): https://www.theregister.com/2024/07/12/cdk_ransom_payout/

Indiana county files declaration of emergency after ransomware attack (Clay County)

During a cyber incident this month, Clay County Indiana, filed a local disaster declaration

This was due to the inability to provide critical services required for the daily operation of all offices of the Clay County Courthouse, Community Corrections, and Clay County Probation
The incident occurred on July 9th and the declaration was issued on July 11th
Clay County houses roughly 25,000 people in southern Indiana
911 services were not affected by the incident, but non-emergency lines were disrupted (and since been restored)

Link (1): https://therecord.media/indiana-county-disaster-declaration-ransomware-attack-dallas

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Check out our last post: Flair Data Systems Cybersecurity News Update 7-10-2024

Flair Data Systems Cybersecurity News Update 7-10-2024

Wed, 10 Jul 2024 17:20:39 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/10/2024...

Happy Wednesday!

A quick update from last week about the Evolve Bank incident regarding the data exfiltration has been confirmed to affect 7.6 million customers. Outside of the normal activities, it was nice to have a slower than normal weekend due to the 4th of July holiday but getting back into the swing of things has been nice as well.

Please, take a special note of the Microsoft Patch Tuesday this month, there are some severe vulnerabilities being patched this month.

So, with that, let’s dive into this week’s cybersecurity news update...

China’s Velvet Ant hackers exploiting new Cisco zero-day

CVE-2024-20399: a vulnerability affecting the Cisco NX-OS software in Nexus-series switches (which was discussed last week)

Velvet Ant, state backed hackers from China, have been seen to use this vulnerability where they focus on establishing long-term access
This vulnerability was discovered during an IR (Incident Response) engagement where Velvet Ant was the Threat Actor
The Threat Actor had to have already gained access to the environment to exploit the vulnerability

Link (1): https://therecord.media/cisco-velvet-ant-hackers-china

Europol law enforcement takes down Cobalt Strike servers

Operation Morpheus, was a Europol coordinated join operation that led to almost 600 cobalt servers

These servers are being used for criminal activities to attack infrastructure
Over 690 IP addresses were flagged by service provides across 27 counties, where 593 were taken down over the course of a week

Link (1): https://www.bleepingcomputer.com/news/security/europol-takes-down-593-cobalt-strike-servers-used-by-cybercriminals/

Twilio SMS MFA list compromised

Twilio has confirmed that an unsecured API allowed threat actors to verify the phone number of millions of Authy MFA users

The concern here is that this could potentially make these users vulnerable to SMS phishing and SIM swapping attacks
The data released was by a threat actor, ShinyHunters, where they released a CSV containing 33 million phone numbers registered with Authy services
This unsecured API has since been resolved and is now secured
This is similar to how threat actors abused the unsecured Twitter API and Facebook API in the past

Link (1): https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/

Australian man charges with running fake Wi-Fi while on airline

A 42-year-old Australian man (unnamed) has been charged with running a fake Wi-Fi access point during a domestic flight with the goal of stealing user credentials and data

The suspicious wireless network was discovered by the employees of an airline during a domestic flight
This is not the first time this has happened; I have heard talks from threat researchers where they will stand up a Wi-Fi Pineapple device on a flight or at an airport where it will allow auto connections to Open Wi-Fi connections that someone has established on their devices already to automatically connect
Consider turning off your wireless when you are not at home or in a trusted area - for iPhones, there are mechanisms you can use that are built in that will automatically disable wireless when you leave your home and turn on when you come back

Link (1): https://thehackernews.com/2024/07/australian-man-charged-for-fake-wi-fi.html

Alabama Department of Education suffers data breach

On June 17th, Alabama State Department of Education announced that it stopped a ransomware attack, yet the threat actors were still able to exfiltrate data that it had accessed and disrupted some services before being stopped

The type and amount of data is still being investigated
This goes to validate that just because you "stopped" the ransoming of your environment does not mean you stopped the exfiltration of your data - because that last part has already occurred before the ransom occurs

Link (1): https://securityaffairs.com/165389/uncategorized/alabama-state-department-of-education-data-breach.html

Microsoft Patch Tuesday - July

CVE-2024-37985: Information disclosure vulnerability with a low CVSS temporal score of 5.2. Although publicly disclosed , it has not been detected publicly. Microsoft also gives this an "Exploitation Less Likely" rating.

CVE-2024-38080: This update has a slightly higher CVSS temporal score of 6.8. An attacker who successfully exploits it could gain SYSTEM privileges. It is not publicly disclosed but exploitation has been detected in the wild .
CVE-2024-38112: A spoofing vulnerability that has a score of 7.0. This CVE is also not public but is being exploited . It does require user interaction as Microsoft says successful exploitation would require an attacker to trick a user into executing a malicious file.
CVE-2024-35264: This zero day is a remote code execution scored 7.1. This has been publicly disclosed , but exploitation has not yet been detected. The attack complexity is high.
Microsoft SharePoint Server 2019 has had alleged RCE Proof of Concepts go up on the dark web for the following CVEs
CVE-2024-38094
CVE-2024-38024
CVE-2024-38023

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 7-03-2024

Wed, 03 Jul 2024 16:49:36 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/03/2024...

Happy 4th of July!

I know there are a few that are taking today or Friday off since the 4th of July falls on a Thursday this year. For those traveling, please stay safe and enjoy time with your family and friends.

Last week I brought up two different stories and I wanted to provide an update as things have become clearer (or I found updated information after the fact).

Federal Reserve : It seems that it was a 3rd party that was compromised, not the Federal Reserve but the Threat Actor was making misdirected claims. Who knew, the bad guys lied... But the story of Evolve Bank, who appears to be the one that was affected, has become an interesting one.
CDK Global : I made a comment about how they had not published their 8-k yet, but that is because in late 2022 Brookfield Business Partners took them private. Which explains why they are not held to the 8-k requirement anymore.

So, with that, let’s dive into this week’s cybersecurity news update...

Gas chromatograph vulnerabilities reveal medical IoT challenges

For those that are not aware, Gas Chromatograph machines are used across multiple industries but are chemical analysis instruments that measures the content of various components of samples

Claroty, a security IoT company, discovered multiple vulnerabilities within specific gas chromatograph devices built by Emerson
Devices affected are Rosemount GC370XA, GC700XA, and GC1500XA, confirmed by Emerson
One of the vulnerabilities include command injection that would allow an unauthenticated attacker with network access to remotely execute arbitrary commands with root privileges
Always work with the vendor to obtain the proper firmware updates to resolve these vulnerabilities, usually the OT groups have necessary information of vendors but to be honest, once they are put in place they are rarely ever updated unless there are operational issues

Link (1): https://www.securityweek.com/gas-chromatograph-hacking-could-have-serious-impact-security-firm/

Evolve Bank confirms data breach, undermining LockBit’s Federal Reserve claim

Evolve has confirmed a data breach and working to investigate the incident

Data exposed included PII, which has been placed on the dark web, some of the following may be included
Name, SS#, DoB, Account Information or other personal information
Customers will be notified by Evolve with further information and those that had their account number compromised will have that updated with new account numbers

Link (1): https://therecord.media/evolve-bank-data-breach-lockbit

TeamViewer Compromise (and updates)

TeamViewer has stated that only their internal IT systems were compromised, and not their product environment for applications used by customers (reconfirmed on June 30th)

TeamViewer has enhanced their security controls within the organization to reduce the risk of this occurring again in the future.
The incident was found to occur due to credentials of a standard employee account performed by Midnight Blizzard (the same that went after Microsoft)
Note that I know that some organizations that were currently using TeamViewer put in controls to block them going forward and looking for alternatives, one could say this is extreme, but I do believe they are doing what is best for their organization to maintain a secure environment
Considering how LastPass ended up occurring, it makes sense for organizations to take a step back and consider their relationships with suppliers when these types of events do occur

Link (1): https://www.teamviewer.com/en-us/resources/trust-center/statement/

GitLab Critical Update

GitLab has released updates for both their Community and Enterprise Editions (16.7.2, 16.6.4, and 16.5.6)

Fixes included:
Account Takeover via password reset without user interactions (Critical)
Bypass CODEOWNERS approval removal (High)
Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user (High)
Workspaces able to be created under different root namespace (Medium)
Commit signature validation ignores headers after signature (Low)
GitLab is recommending customers to upgrade to the latest versions to resolve these issues listed above

Link (1): https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

HubSpot investigates customer account hacks

HubSpot is investigating an incident that is targeting customers (less than 50 accounts were compromised) and measures were put in place to protect customer data

This incident was discovered on June 22nd and based on what I am reading about this, it appears that it was a password spray targeting HubSpot, but Threat Actors were able to gain access to less than 50 accounts
With the limited information given, it is easy to make assumptions - but after Snowflake's situation these types of attacks are going to force the hands of vendors to enforce measures such as MFA by default

Link (1): https://economictimes.indiatimes.com/tech/technology/update-3-hubspot-investigating-customer-account-hacks/articleshow/111357063.cms?from=mdr

Zero-day exploit found in Cisco nexus switches during an incident response investigation

A China threat actor named, Velvet Ant, has been found to be exploiting a new zero-day

CVE-2024-20399, a vulnerability affecting the Cisco NX-OS software used in Nexus-series switches
A vulnerability in the CLI (command-line interface) of Cisco NX-OS could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying OS of an affected device
This does require the threat actor have the Administrator credentials (how many times do System / Network admins store their credentials in an excel document?)
This has been added to the CISA KEV Database with a due date of 7/23/2024 and was added to the list yesterday (7/2/2024)

Link (1): https://therecord.media/cisco-velvet-ant-hackers-china

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2024-20399

14 million Linux systems threatened by ‘RegreSSHion’ vulnerability

CVE-2024-6387 (reintroduced 2006 vulnerability CVE-2006-5051) allows an unauthenticated remote code execution in the OpenSSH - this has been dubbed RegreSSHion with a score of 8.1 CVSS

This is specifically affecting the glibc-based Linux systems running sshd in its default configuration - where if exploited could lead to full system compromise
It is of note that the vulnerability is not trivial to exploit but also it is not easy to fully remediate
Working with one organization, I found that this vulnerability was being found on appliance-based systems - i.e., Pure Storage, Cisco UCS Chassis, Phone systems, etc.
Please work with vendors to obtain the necessary patches

Link (1): https://www.darkreading.com/cloud-security/regresshion-bug-threatens-takeover-of-millions-of-linux-systems

Critical patch issued for Juniper routers

CVE-2024-2973 (score of 10): an authentication bypass using an alternate path or channel vulnerability in the Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device

For MIST Managed WAN Assurance routers this has been patched automatically through the Mist Cloud
Due to the severity, if you are not under some type of managed platform like Mist Cloud, test and apply patches

Link (1): https://thehackernews.com/2024/07/juniper-networks-releases-critical.html

Millions not thousands impacted by Prudential breach

In Feb 2024, Prudential submitted an 8-k filing to the SEC to disclose a breach where an attacker accessed administrative/user data and employee/contractor accounts

Originally it revealed it notified over 36k people whose information (name, DL#, and non-DL card numbers) were stolen during the breach
It has since been changed to state that over 2.5 million people had their personal information compromised during the incident
ALPHV has taken claim to the incident on Feb 13th where it pulled the exit strategy once Prudential paid the ransom ($22 million) and they stiffed the affiliate that gave them access into the environment (again, those honorable bad guys)
One other thing to note, May 2023, PII of over 320k Prudential customers were exposed during the Cl0p MOVEit attack

Link (1): https://www.bleepingcomputer.com/news/security/prudential-financial-now-says-25-million-impacted-by-data-breach/

Patelco Credit Union cyberattack disrupts services for nearly 500,000 members

Patelco, noted as one of the oldest and largest credit unions in the US, fell victim to a ransomware attack on June 29th - forcing them to shutdown most of its day-to-day banking systems

This has affected nearly 500k members across Bay Area and Northern California
Debit and Credit card transactions are functioning in a limited capacity, while ATM cash withdrawals and deposits remain available

Link (1): https://thecyberexpress.com/patelco-credit-union-hit-by-ransomware-attack/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 6-26-2024

Wed, 26 Jun 2024 19:18:51 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/26/2024...

Good afternoon!

The more and more that is released regarding the Snowflake situation and then again how Medibank is being taken to court, all because MFA was not properly enabled. This is one of those drums I will continue to beat, MFA needs to be enabled by default and not putting it on the customer to 'enable' if they choose. Considering that there will be times when services will be purchased through other business units, not IT/Security teams, this would be best practice.

I’m not sure if I mentioned this previously, but there was an organization that had their Facebook page taken over due to lack of MFA. After the takeover, IT was informed of the incident and asked to "fix it" but they were not brought in previously to discuss security control best practices. If you have ever had to deal with these types of account takeovers, it can be a nightmare.

Now think about Snowflake and the impact this incident is having on organizations. Ask someone over at Neiman's how over 64k people were affected and data exposed. Sp1d3r (hacker group) is requesting (ransom) a sum of $150,000 for the data that is currently up for sale on the dark web. Shocking...but common.

So, with that, let’s dive into this week’s cybersecurity news update...

Markopolo scam delivers infostealer through fake meeting software

This campaign is spreading three infostealers: Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS)

Markopolo, the Threat Actor, uses shared hosting and C2 infrastructure to be more agile and quickly pivot when new scams are detected
Based on findings, these attacks are used to harvest credentials, positioning Markopolo as an initial access broker
Best ways to prevent is: Educate users on spotting malicious emails and software downloads, preventing the download of unlicensed software, and encourage users to report suspicious activities

Link (1): https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers

Medibank hack blamed on MFA failure

In 2022, Medibank was compromised, which is a health insurance provider

Based on court documents, Australia's data protection regulator is claiming that the most likely cause was due to lack of multi-factor authentication
If these findings are true, then it appears that by not meeting these basic security controls will give grounds for suits to be filed and show being negligent in basic cybersecurity measures

Link (1): https://therecord.media/medibank-hack-australian-government-report-mfa

US blocks Kaspersky and sanctions executives

Last Thursday, the US is working to ban the use of software from Kaspersky Lab's within the US

This is coming from the long-standing national security and data privacy concerns and a push for better protecting critical infrastructure
This prohibition is set to begin on September 29th, which will effectively ban Kaspersky from providing cybersecurity services anywhere in the US
Existing customers will also not be able to update Kaspersky software after that date
After July 20, the company will no longer be able to sign up new clients within the US
Kaspersky has stated they plan to fight these bans, but if you or anyone you know is using Kaspersky it would not hurt to start looking for alternatives

Link (1): https://therecord.media/us-ban-kaspersky-lab-software

CDK Global gets hacked twice - BlackSuit, SEC reports pile up following the attack

More than 15k car dealers across North America use CDK Global for almost all aspects of their operations - facilitating car sales, repairs, registrations, etc.

Car repair shops use them for placing orders on parts, or in some respects use other services (Auto Trader as an example) to communicate with CDK Global to order parts

Link (1): https://therecord.media/cyberattack-cdk-global-auto-dealershiups

Link (2): https://therecord.media/car-dealerships-reports-sec-cdk-software-ransomware

Link (3): https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack

CDK Global was hit last week, and shortly after attempting to return systems back online were hit again

Multiple organizations have had to start reporting to the SEC that they are facing disruptions because of the CDK Global shutdown in response to the cyber attack

Not knowing the specifics, but reading between the lines - this shows a great reason to understand how, when, and where they have established themselves before you attempt to bring systems back online
Do not get me wrong, an organization needs to turn systems back on to continue to do business but IF one does not know
when they got in (how can you know when to restore from backup) or;
how they got in (how can you make sure the way in was closed) or;
where they have placed their footholds (how do you know you have removed them)
Lastly, when I was looking yesterday (25th) I did not see an 8-K filing for CDK Global themselves, yet other firms are already filing theirs (previous filing was back in 2022)

Link: See links above

(Notes of clarification 7/3/24: I made a comment about how they had not published their 8-k yet, but that is because in late 2022 Brookfield Business Partners took them private. Which explains why they are not held to the 8-k requirement anymore.)

UK’s largest nuclear site pleads guilty over cybersecurity failures

Sellafield, one that manages the world's largest stockpile of plutonium, has plead guilty to criminal charges related to cybersecurity failings

The charges span across 4 years (2019 - 2023), due to strict cybersecurity regulations were not sufficiently adhered to
These would include a failure by the site to ensure sensitive information on its IT network were adequately protected
Based on the reports, these deficiencies did not lead to a breach of data

Link (1): https://www.infosecurity-magazine.com/news/sellafield-pleads-guilty/

Federal Reserve supposedly compromised by LockBit

Over the past few days Lockbit had announced that the Federal Reserve had up until the 25th to negotiate or have data start to be released that LockBit had gotten ahold of

LockBit claims to have obtained over 33TB of data, and the Federal Reserve Board has yet to confirm the breach
The data that was leaked was spread across 21 links (parent directories and torrent files)

Link (1): https://www.scmagazine.com/brief/allegedly-stolen-federal-reserve-data-exposed-by-lockbit

Link (2): https://www.scmagazine.com/news/lockbit-claims-ransom-negotiations-with-the-fed-over-33tb-of-stolen-data

(Notes of clarification 7/3/24: It seems that it was a 3rd party that was compromised, not the Federal Reserve but the Threat Actor was making misdirected claims. Who knew, the bad guys lied... But the story of Evolve Bank, who appears to be the one that was affected, has become an interesting one.)

Fresh MOVEit bug under attack just hours after disclosure

CVE-2024-5806 (7.4), is an improper authentication vulnerability in MOVEit's SFTP module, which could lead to authentication bypass in limited scenarios

Interesting that they state "limited scenarios" when it already being seen to be actively exploited in the wild just hours after it was made public
The two known attacks would be
An attacker could perform a forced authentication, using a malicious SMB server and a valid username (enabled by a dictionary-attack approach)
An attacker could impersonate any user on the system by uploading a SSH public key to the server without even logging in, giving them the rights as the user they are impersonating (reading, modifying, or deleting data)

Link (1): https://www.darkreading.com/remote-workforce/fresh-moveit-bug-under-attack-disclosure

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 6-19-2024

Thu, 20 Jun 2024 01:49:01 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/19/2024...

Good afternoon!

I know today is a holiday for many organizations, and for those that can enjoy it, I hope you are spending it with your family and resting! This week has some really interesting updates, specifically on a report called Inverted Rook, take a look at the full story in the link below and take a step back from your own personal thoughts about our current state of the U.S. and look around you as to how this type of scenario could really affect our country if it was to happen, not just our country, but the world as a whole. This is not me trying to induce FUD (Fear, Uncertainty, and Doubt) but to look at this report and how it would look if it really did happen.

Now, let’s dive into this week’s cybersecurity news update...

RAND's Inverted Rook wargame

Office of the Director of National Intelligence (ODNI) performed an exercise that called Defending the United States Against Critical Infrastructure Attacks: Exploring a Hypothetical Campaign of Cascading Impacts

Ok, whoever decided to make a Title of a report the length of a full-on sentence....
The types of attacks in the scenario included: physical attacks on electrical substations, ransomware attacks on government services, malware attacks on power grids, disruption in transportation, hackers remotely poisoning water treatment facilities, and cyber attacks on Wall Street
The ripple effect would then lead to: government services being shutdown; power outages affecting hospitals, transportation, refrigeration, heating, etc.; sickness and death from poisoned water, hypothermia, exposure, civil unrest, etc.; financial services being disrupted; splitting factions between those blaming domestic extremists, foreign adversaries, and their own government; and the inability of government to go after foreign adversaries in order to deal with all the domestic chaos
Honestly, the scary part of all of this is that I can see it happening due to the lack of interworking between all entities, along with the fact no one really trusts one another - there is too much distrust between all of society that if something like this was to happen how do you know who to trust with as much lies that continues to spread across all government parties

Link (1): https://sociable.co/military-technology/us-unprepared-attacks-critical-infrastructure-rand-simulation/

Black Basta Exploited CVE-2024-26169 Prior to Patch

The Black Basta ransomware group exploited a privilege escalation flaw (CVE-2024-26169) in the Windows Error Reporting Service as a zero-day before it was patched in March 2024.

This vulnerability allows attackers to gain SYSTEM privileges. leveraging the flaw to create registry keys and start a shell with administrative privileges.
For years, I have noticed that WerFault has been able to gain access to LSASS and pull information that is then shipped back to Microsoft for "analysis", but I have always questioned this and the capabilities of when this would be utilized to perform actions (either through the ability to gather this information or the use of the tool with its inherent privileges)
I understand why Microsoft has such a tool built into Windows to help determine if there is an issue with their application and others, but the fact that it's pulling this data as needed without any user knowledge or ability to restrict it is not acceptable, but yet we are not the "owners" of the OS (Microsoft or Apple) to make that decision

Link (1): https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day

Pixel Phone 0-Day Patched

CVE-2024-32896: elevation of privilege issue in Pixel Firmware that has potentially been under limited, targeted exploitation

GrapheneOS, an open-source security and privacy focused Android fork, revealed that this CVE addresses a previously incorporated partial solution for another CVE (CVE-2024-29748), and that they are not specific to Pixel devices - yet the mitigations that have been added to are specific to Pixel
Both CVEs refer to the same vulnerability of interrupting reboot for wipes via the device admin API, which applies to all devices and CVE-2024-32896 is a full fix in AOSP as part of Android 14 QPR3. It's not at all Pixel specific
The June 2024 patches addressed a total of 50 security vulnerabilities

Link (1): https://source.android.com/docs/security/bulletin/pixel/2024-06-01

Link (2): https://thehackernews.com/2024/06/google-warns-of-pixel-firmware-security.html

Life360 faces extortion attempt after Tile data breach

Life360, who a safety and location services company, has been a target of an extortion attempt after a threat actor accessed and stole sensitive information from a Tile customer support platform

Life360 acquired Bluetooth tracking service provider Tile in December 2021
It has not been released the "how" or "what" this event encompassed, but 404 Media reported that the hacker was believed to have used stolen credentials of a former Tile employee to gain access to multiple systems

Link (1): https://www.bleepingcomputer.com/news/security/life360-says-hacker-tried-to-extort-them-after-tile-data-breach/

Ascension Updates

Ascencion must provide an update that sates a worker had accidentally downloaded a malicious file, which was the cause for this nationwide cyberattack

This continues to beat the drum of we cannot rely on technology-based controls alone, but also, we need to continue to properly educate ourselves and our users
This week alone, I have had someone that has personally built out security awareness training for large organizations openly admit to me that they clicked on a phishing email "because they were not fully paying attention"
This does not mean they did anything wrong; it means that they got a friendly reminder to stop and think before clicking
Also, technology has its place - removing administrative rights from users is necessary and putting controls in place that elevate necessary tasks and not the user

Link (1): https://www.wisn.com/article/ascension-reason-for-nationwide-cyber-attack/61101238

Snowflake breach escalates with ransom demands and death threats

Up to 10 organizations have been contacted for extortion payments ranging from $300k to $5m

Mandiant has reported that up to 165 Snowflake customers had their accounts compromised by UNC5537 through credential exposed by info-stealing malware

Link (1): https://www.scmagazine.com/brief/ransom-demands-issued-to-snowflake-hack-victims

AMD investigates breach after data for sale on hacking forum

AMD is currently investigating whether or not it suffered a cyberattack after a threat actor posted on a forum that they stole data and have it up for sale

Data supposedly claimed to have been taken included: AMD employee information, financial documents, and confidential information
IntelBroker is the threat actor making the claim, who was also responsible for the DC Health Link breach and Europol Platform for Experts

Link (1): https://www.bleepingcomputer.com/news/security/amd-investigates-breach-after-data-for-sale-on-hacking-forum/

Blackbaud has been fined for 2020 ransomware attack

California Attorney General's Office has ordered a fine of $6.75 million to settle a ransomware attack that took place in May 2020

The AG office is claiming that the attack occurred due to poor security practices by Blackbaud
Blackbaud had made misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach to its nonprofit customers and the public
It was discovered that the threat actors compromised unencrypted SSN's, bank account details, and login credentials
Private information of 13k nonprofits, universities, hospitals, and other organizations were compromised through Blackbaud
The company paid the ransom of $250k
This should show that one cannot just "pay" the ransom and hope to sweep the event under the rug, depending on what is said by the organization during the incident can have after affects that can go on for years

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/blackbaud-fined-6m-after-2020-ransomware-attack#

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 6-12-2024

Wed, 12 Jun 2024 16:44:48 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/12/2024...

Good afternoon!

Let's take a moment to reflect on some of the most significant cyber issues we've faced. Remember last year’s MOVEit fiasco? It felt like every day brought news of another data compromise. This year, it seems Snowflake is taking on that role, with more and more organizations reporting data compromises.

It’s frustrating that many vendors still don't require Multi-Factor Authentication (MFA) by default. Equally concerning is that organizations often don't enable this essential security feature right away. Sure, MFA isn't foolproof—there are methods like session theft, where the threat actor can gain the actual session cookie after someone uses their correct credentials. But by enabling MFA, it complicates things for a threat actor - as they must get creative on their attack vector instead of just spraying passwords at a login portal.

It's essential to ensure your critical applications are secured with MFA. Whether your organization uses platforms like Facebook, X (formerly Twitter), or LinkedIn, make sure MFA is enabled. Compromised accounts can lead to significant reputational damage and can be incredibly challenging to recover.

Now, let’s dive into this week’s cybersecurity news update...

LockBit ransomware gang victims get lifeline from FBI

Due to the FBI takedown of LockBit systems, they have been able to obtain more than 7,000 decryption keys

Victims of LockBit have been advised to submit a request through the IC3 and the FBI will reach out to assist

Link (1): https://www.securityweek.com/fbi-says-it-has-7000-lockbit-ransomware-decryption-keys/

Microsoft resets Recall plans

Microsoft has announced the release of a new AI feature, Recall, that will allow Copilot+ PCs to take screenshots of the desktop every 5 seconds, and then analyze and parse to surface relevant information

Originally, this was planned to be enabled by default and has since been changed to be disabled by default (opt-in)
Consider recorded information of documents, emails, or messages containing sensitive information
The other add-on that Microsoft has made a requirement is the use of Windows Hello to access the data, proof you are actively at the system which would then allow for the data to be decrypted (originally unencrypted at rest in an SQLite database)

Link (1): https://thehackernews.com/2024/06/microsoft-revamps-controversial-ai.html

LastPass says outage caused by bad Chrome extension update

LastPass experienced a roughly 12-hour outage on June 6th due to a bad update to its Google Chrome extension

This update inadvertently caused load issues on the backend infrastructure - which has since become stable and operational

Link (1): https://www.bleepingcomputer.com/news/security/lastpass-says-12-hour-outage-caused-by-bad-chrome-extension-update/

New York Times source code stolen using exposed GitHub token

The New York Times internal source code and data was leaked on the 4chan message boards after being stolen from the company's GitHub repo in January this year

The amount of data that has been released amounted to 273GB of data
The data included IT documentation, infrastructure tools, and source code
It appears this happened due to a credential exposure for a cloud-based third-party code platform (GitHub)

Link (1): https://www.bleepingcomputer.com/news/security/new-york-times-source-code-stolen-using-exposed-github-token/

Mandiant and Snowflake sending out breach notices

Last week I brought up how a couple of large organizations data were exposed, and at the same time Snowflakes announced that a demo system was compromised

Ticketmaster and LendingTree have both confirmed that data thefts were hosted on Snowflake
Mandiant is attributing this attack to UNC5537, and the attacks were relying on the use of "stolen credentials "
Majority of the stolen credentials used by UNC5537 were "available from historical infostealer infections" going as far back as 2020
Pre incident, Snowflake did not require its customers to use MFA by default or enforce the security features
Post incident, it is currently under development to enforce the use of MFA on its customers' accounts, no timeline has been provided as of yet

Link (1); https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/?guccounter=1

Pure Storage hacked via Snowflake workspace

Pure is another organization that was recently hit by the Snowflake incident

Data exposed included customer names, usernames, and email addresses
Pure has stated they have addressed the security incident, and they are in contact with customers that were in the database

Link (1): https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/

Local government cyber-attacks (Wichita & Cleveland)

This week, Cleaveland City Hall was closed on Monday due to an active investigation of a "cyber incident" affecting some of the city's computer systems

The city did state that City and Emergency Services (Department of Public Safety, Department of Port Control, and Department of Public Utilities) were not affected
Early May, the City of Wichita (Kansas) was offline due to a ransomware attack and after a month, some systems are coming back online
The attack took down several online city services (online water bill payments, some city building Wi-Fi, electronic payments, etc.)

Link (1): https://www.cleveland.com/cityhall/2024/06/cyber-incident-shuts-down-cleveland-city-hall.html

Link (2): https://www.kansas.com/news/local/article289148999.html

Cyber assistance coming to rural hospitals

A new initiative from Microsoft, Google, and the White House was used to reduce prices for cybersecurity services

Google has stated it will provide endpoint security advice to rural hospitals and nonprofit organizations at no cost and a pool of funding to support software migrations
Microsoft has announced a program that will provide non-profit pricing and other discounts up to 75% for security products used by independent critical access hospitals and rural emergency hospitals
Microsoft has also stated that will provide free Win 10 security updates for up to 1 year or free cybersecurity assessments to "evaluate risks and gaps"

Link (1): https://therecord.media/microsoft-google-rural-hospital-cybersecurity

BlackBerry Cylance data up for sale

A threat actor has put up for sale on the dark web data of Cylance and requesting an amount of $750,000 that allegedly belongs to customers, partners, and employees of BlackBerry's Cylance cybersecurity unit

The data supposedly includes 34 million customer and employee emails, which contains customer emails, personally identifiable information, sales prospects, and user and partner lists
BlackBerry is stating that based on their investigation it was obtained through a third-party platform (not core infrastructure of Blackberry) and appears to be from 2015-2018
BlackBerry did not specifically confirm or deny that the data came from Snowflake, but stated they are not a current customer of Snowflake

Link (1): https://www.securityweek.com/blackberry-cylance-data-offered-for-sale-on-dark-web/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 6-05-2024

Wed, 05 Jun 2024 17:11:12 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/05/2024...

Good afternoon!

Not a lot to report back on this week, as I have been out of pocket while working with some internal teams around our cybersecurity practice and today, I begin sitting in a 2-day class around Privileged Identity with BeyondTrust.

So, let’s jump into this week's cybersecurity news update....

Checkpoint 0-Day

CVE-2024-24919: Active Exploits target Check Point Security Gateway Zero-Day Information Disclosure flaw

This activity has been seen exploited in the wild, if running Checkpoint VPN make sure you to resolve this as soon as possible
Checkpointed noted that attempts to access these vulnerable systems that had old local accounts with unrecommended password-only authentication
Link 2 contains fixes for the vulnerability that was released by Checkpoint

Link (1): https://blog.checkpoint.com/security/enhance-your-vpn-security-posture

Link (2): https://support.checkpoint.com/results/sk/sk182336

44,000 individuals are affected by the breach of a major U.S. title insurance company

First American Financial Corporation, 2nd largest title insurance company in the U.S., experienced a data breach that affected 44,000 individuals in Dec 2023

In December 2023, First American took their systems down to contain the impact of the breach - however, they did not notify the SEC until May 28th (5 months later) once the investigation had concluded
No one has currently been notified of their information being compromised, but First American has stated that they will be providing appropriate notification
The concerning question here is 1) did it take them 5 months to determine a data breach actually occurred or 2) are they playing the rules against the SEC (material incident) as it is required that a 8-k is to be filed within 4 days of that determination

Link (1): https://www.bleepingcomputer.com/news/security/first-american-december-data-breach-impacts-44-000-people/

Palo Alto firewalls found with crypto miner being deployed on them

CVE-2024-3400: allows an unauthenticated attacker to execute arbitrary code with root privileges

RedTrail is a new cryptocurrency mining malware being used in the wild against Palo Alto Firewalls through the above CVE
The vulnerability has patched through the latest updates by Palo Alto
Palo is not the only one being affected by RedTrail: TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMWare Workspace ONE Access and Identity Manager (CVE-2022-22954)
This goes back to threat actors ever evolving attack techniques to continue to profit in one way or another

Link (1): https://thehackernews.com/2024/05/redtail-crypto-mining-malware.html

STAR test DDoS attack

An 18 year old, Keontra Lamont Kenemore, from Klein ISD is wanted for by the police for a cyberattack that disrupted the STAAR testing for thousands of students in the district

The action, electronic access interference, is considered a third-degree felony
The ability to do these types of attacks are very easy with the fact there are many services on the dark web that provide the ability to do DDoS-as-a-Service
Due to the interruptions, students had to retake their STAAR testing over again - affecting over 24k students over two days

Link (1): https://www.click2houston.com/news/local/2024/05/28/klein-isd-student-accused-of-orchestrating-cyber-attack-that-disrupted-staar-testing/

Ticketmaster hack affects 560 million customers, third-party denied liability

ShinyHunters, Pokemon-themed hacker, has claimed responsibility for two high profile attacks - Ticketmaster and Santander Bank

Two US customers of Ticketmaster have filed claims against Ticketmaster, claiming the company was negligent in protecting their data
Snowflake has denied responsibility for either Ticketmaster or Santander Bank but has confirmed that a demo account for a former Snowflake employee was compromised, which did not contain sensitive data nor was it connected to production or corporate systems
Both Ticketmaster and Santander Bank are claiming their data breaches were through third-party systems, but neither are naming which vendor it is

Link (1): https://www.informationweek.com/cyber-resilience/-it-wasn-t-me-snowflake-denies-attack-responsibility-admits-hack-of-former-worker

Link (2): https://www.informationweek.com/cyber-resilience/shinyhunters-strikes-again-group-hacks-santander-bank-ticketmaster-customers-file-suit

HHS changes tack, allows Change Healthcare to file breach notifications for others

Department of Health and Human Services has announced on May 31st that hospitals and health systems affected by the Change Healthcare incident can require UnitedHealth Group to perform the notification process to patients

But to do so, the hospitals and health systems are to contact United Health directly

Link (1): https://www.aha.org/news/headline/2024-05-31-hhs-says-hospitals-impacted-change-healthcare-cyberattack-can-delegate-breach-notifications#:~:text=%22Affected%20covered%20entities%20that%20want,be%20performed%20by%20Change%20Healthcare.

3 billion records stolen from background check firm

USDoD, cyber gang, has put the database of 2.9 billion records of US, Canada, and British citizens for $3.5 million

Supposedly the data was obtained from National Public Data, a small information broker out of Florida that offers API lookups to other companies for things like background checks
Interesting finding for this incident is that anyone that performed the Opt-Out option did not have their data in the breach - looks like the process has some benefits!

Link (1): https://www.theregister.com/2024/06/03/usdod_data_dump/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 5-29-2024

Wed, 29 May 2024 18:29:12 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/29/2024...

Good afternoon!

For those of us in the DFW / North Texas area and have experienced some type of damage from the storm that passed through here yesterday morning are in the process of recovering. Yesterday was supposed to be a trip to Tyler for a meeting, but when I was going to leave the storm was right over our house and would have followed me the entire way there. That said, I stayed home and no major damage for us minus a small portion of our fence that needed some TLC yesterday afternoon. I hope everyone is safe and your damage was not extensive.

So, with that, let’s jump into this week's cybersecurity news update....

Veeam Vulnerability

Veeam has released patches for four (4) CVE's, Veeam Backup Enterprise Manager 12.1.2.172 has been released to fix the below

CVE-2024-29849: This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
CVE-2024-29850: This Vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.
CVE-2024-29851: This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
CVE-2024-29852: This vulnerability in Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs.
For those that CAN NOT patch, the above link provide a mitigation plan to assist
Also, it worth a note that VBEM is not an application that is installed by default however it gives customers access to a web console to remotely manage multiple Veeam Backup & Replication instances

Link (1): https://www.veeam.com/kb4581

Link (2): https://www.scmagazine.com/news/veeam-patches-critical-flaw-that-puts-enterprise-backups-at-risk

Justice AV Solutions Software Backdoor

CVE-2024-4978: Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands.

Justice AV Solutions is a U.S. based company specializing in digital audio-visual recording solutions for courtroom environments
The critical nature of this is because if the JAVS Viewer v8.3.7 is currently installed, a backdoor installer that allows a threat actor to gain full control of affected systems where a complete re-imaging of the endpoint and resetting associated credentials is necessary to ensure attackers have not created persistence through backdoors or stolen credentials
Upgrading to v8.3.8 or higher is necessary AFTER re-imaging the device

Link (1): https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/

OmniVision discloses data breach.

OmniVision is an imaging sensors manufacturer out of California and has disclosed a data breach after an incident that involved Cactus ransomware group last year

They design and develop imaging sensors for smart phones, laptops, web cams, automotive, medical imaging systems, and others
The incident occurred between Sept 4 - 30, 2023 where systems were encrypted with ransomware
The internal investigation took until April 2024 to reveal that the attackers stole PII
Data stolen included: Passport scans, NDA's, Contracts, and other confidential documents
The point here is that even though an organization is recovered and operational again does not mean they fully understand what actually occurred and what was taken - this takes time and effort and requires proper logging to be put in place prior to the incident even occurring. For example, 2 days from now can you tell exactly what data was in what database? What about 30 days ago, 60 days ago, 6 months? Logging is essential and having it stored in a location that a threat actor would not have direct access to it in the event the organization was compromised.

Link (1): https://www.bleepingcomputer.com/news/security/omnivision-discloses-data-breach-after-2023-ransomware-attack/

LastPass encrypts URLs

LastPass is in the process of encrypting the URL, not just the other data fields to continue to improve their product

This change will require some interaction from the customers, and is expected sometime in the latter half of 2024

Link (1): https://blog.lastpass.com/posts/2024/05/lastpass-is-encrypting-urls-heres-whats-happening

Edge gets screenshot protection

Microsoft Edge for Business be incorporating the ability to prevent users from taking screenshots of websites and sending them to others

This will be done through a tagging mechanism where certain websites (i.e., ERM platforms) are protected
In the above article, it is ironic that Microsoft releases this information shortly after revealing the new Copilot offering where it is creating snapshots of everything one does on their PC

Link (1): https://www.pcworld.com/article/2336462/microsoft-edge-will-start-blocking-screenshots-on-the-job.html#:~:text=Microsoft%20is%20adding%20screenshot%20prevention,using%20Microsoft%20Edge%20for%20Business

Cencora notifies customers of data breach

Cencora, formally known as AmerisourceBergen, is a U.S. pharmaceutical service provider that experienced a cyberattack in February 2024

This cyberattack has affected organizations like Novartis Pharmaceuticals, Bayer, GlaxoSmithKline, and eight other major pharmaceutical firms
Information affected includes: full names, addresses, diagnoses, prescriptions, and medications

Link (1): https://www.scmagazine.com/brief/nearly-a-dozen-drug-firms-impacted-by-cencora-breach

Arc browser’s Windows launch sabotaged by malvertising

Arc browser was originally launched in the summer of 2023 for macOS systems and has since started to be released for Windows systems

Unknown threat actors are creating websites with typosquatting domains and google ads to redirect people to download malicious versions of Arc
Remember it is best to bypass the search results that include "advertisement" or "sponsored" and focus on the legitimate results
The versions being downloaded do include the real browser, with a little malicious extra payload bundled with it

Link (1): https://www.techradar.com/pro/security/hackers-hijack-arc-browser-windows-launch-with-malvertising-campaign

New ransomware uses Windows BitLocker to encrypt victim data

ShrinkLocker is a new ransomware strain that creates a new boot partition to encrypt corporate systems using Windows BitLocker

So far targets have been government entity and companies in the vaccine and manufacturing sectors
This is not a new way to encrypt systems, but some differences is that it is written in VBScript (currently working towards being depreciated) and is able to determine Windows version using WMI
If specific parameters are met, then the attack will continue: current domain matching the target and OS version that is newer than Vista - but when it does continue it uses diskpart utility in Windows to shrink every non-boot partition by 100MB and splits the unallocated space into new primary volumes of the same size
Another aspect is that it will modify registry entries to disable remote desktop connections or enable BitLocker encryption on hosts without a TPM
The final stage of the attack forces the system to shut down for all the changes to take effect and leave the user with drives locked and no BitLocker recovery options (plus a place to leave a message)
The How on detecting/preventing is by choosing EPPs that can detect BitLocker abuse attempts, along with other core recommendations around minimal privileges, and proper logging

Link (1): https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 5-15-2024

Wed, 15 May 2024 21:41:38 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/15/2024...

Good afternoon!

This week has been pretty crazy in its own way right, to say the least. With this being Patch Tuesday week, take time to review the updates released. Also, Apple released updates for all devices as there are active exploits occurring and the patches are necessary to fix this gap.

As for Microsoft, the following types of vulnerabilities were addressed:
- 26 Remote Code Execution (RCE) Vulnerabilities

- 17 Elevation of Privilege (EoP) Vulnerabilities

- 7 Information Disclosure Vulnerabilities

- 4 Spoofing Vulnerabilities

- 3 Denial of Service (DoS) Vulnerabilities

- 2 Security Feature Bypass Vulnerabilities

- 1 Cross-site Scripting (XSS) Vulnerability

- 1 Tampering Vulnerability

With that, let’s get into this week's cybersecurity news update.

Ascension healthcare suffers cyberattack, goes offline

Ascension operates 140 hospitals across 19 states has been facing an ongoing outage due to a cyber attack

The incident became apparent on May 7th and was disclosed on May 8th
This is a prime example of having a proper BCP in place to make sure the business can operate effectively during an incident like this when the core systems are completely down
Also, how is this affecting other organizations that are connected to a network affected by an incident of this magnitude

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/ascension-healthcare-hit-by-cyberattack

Lockbit takes credit for Wichita attack

On May 6th, Wichita disclosed the cyber incident (a day after the incident occurred) and Lockbit has added the city to their site as of May 7th

This incident has impacted water utility, municipal court, cultural, and public transportation payments
The city also announced that public Wi-Fi was not working at the airport, and arrival and departure screens stopped working due to the hack
Government sectors, specifically city and county, need to take into account all aspects of their operational systems - how will 911 continue to operate if they are on a VoIP system

Link (1): https://www.securityweek.com/lockbit-takes-credit-for-city-of-wichita-ransomware-attack/

Microsoft April patch causing AD issues and 2 Zero Days fixed in May patches

April patches began causing NTLM authentication

May patches fixed 2 Zero Days actively being exploited in the wild and publicly disclosed before the patches were made available
CVE-2024-30040 - Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2024-30051 - Windows DWM Core Library Elevation of Privilege Vulnerability

Link (1): https://www.bleepingcomputer.com/news/microsoft/microsoft-april-windows-server-updates-cause-ntlm-auth-failures/

Link (2): https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2024-patch-tuesday-fixes-3-zero-days-61-flaws/

Dell announces data breach affecting 49 million customers

This was originally discovered in late April, which involved a partner portal where the attacker accessed customer information by posing as a reseller

Threat actor, "Menelik", claims that the ability to create an account on the partner portal was simple and once in the system was able to scrape data at a rate of 5,000 requests per minute over 3 weeks
Data stolen included customer names, physical addresses, Dell hardware details, order information, service tags, item descriptions, order dates, and warranty information
Being on the "partner" side I have noticed that a lot of vendors do not put any type of MFA on their portals, and the validation on account creations can vary from vendor to vendor - and almost everyone one of them use a 3rd party provider to host the portals

Link (1): https://techround.co.uk/news/dell-data-breach-sells-customer-data-on-dark-web/

Other May Patches for other vendors

Adobe has released security updates for After Effects, Photoshop, Commerce, InDesign, and more.
Apple backported an RTKit zero-day to older devices and fixed a Safari WebKit zero-day flaw exploited at Pwn2Own.
Cisco released security updates for its IP phone products.
Citrix urged Xencenter admins to manually fix Putty flaw, which can be used to steal an admin's private SSH key.
F5 releases security updates for two high-severity BIG-IP Next Central Manager API flaws.
Google released an emergency update to fix the sixth zero-day of 2024.
TinyProxy fixes a critical remote code execution flaw that was disclosed by Cisco.
VMware fixes three zero-day bugs exploited at Pwn2Own 2024.

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 5-8-2024

Wed, 08 May 2024 20:02:10 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/8/2024...

I hope your week is going well so far. For some, it’s been smooth sailing, while others are juggling new projects and the usual daily grind. Speaking of high-stakes scenarios, the US has placed a $10 million bounty on the head of the LockBit creator (details in the article below). Imagine the mixed emotions that must bring! It’s fascinating how anonymity online can give people a sense of invincibility. But once your real identity is exposed, that sense of security vanishes, and the reality of a bounty on your head, sets in.

In the US, $10 million is a significant amount, but in other parts of the world, its value is even more impactful. One has to wonder how this revelation affects the trust and relationships the LockBit creator has with those around him.

Now, let's dive into this week's cybersecurity news update....

US indicts LockBit ransomware ringleader

Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, has been indited by the DOJ for the development and administration of LockBit ransomware

Artur Sungatov and Ivan Kondratyev have also been charged for deploying LockBit against victims in the US
Khoroshev is facing 26 charges and up to 185 years in prison with a bounty of $10 million for information that helps law enforcement apprehend him

Link (1): https://www.theverge.com/2024/5/7/24151493/us-lockbit-ransomware-ringleader-indictment-reward

LastPass spin off from GoTo

LastPass has announced it has separated from the parent company, GoTo - which was stated to start that process in December of 2021

The new holding company will be LMI Parent, a shareholder holding company
The CEO, Karim Toubba, will stay at the helm with the new structure

Link (1): https://www.theverge.com/2024/5/1/24146205/lastpass-independent-company-security-breaches

Goldoon botnet exploits D-Link routers

A new botnet dubbed, Goldoon, has been found to be exploiting a decade-old vulnerability in unpatched D-Link routers

CVE-2015-2051 - could allow a threat actor to run code remotely on infected hardware with low attack complexity
The activity spiked in April, which was doubling the frequency

Link (1): https://therecord.media/goldoon-botnet-unpatched-dlink-routers

Dropbox discloses breach of digital signature service

Dropbox Sign (formally HelloSign) has announced a breach of their system where a threat actor was able to access customer information

Dropbox investigation has them to believe that only the Sign infrastructure was compromised, and not the other Dropbox platforms
Data exposed included Email, Usernames, phone numbers and hashed passwords along with general account settings and certain authentication information (API keys, OAuth tokens, and MFA)
If someone was to received or signed a Dropbox Sign document, but never created an account the email address and names were also exposed
If the authentication was set up through Google, no password was stored or exposed
Currently, there is no evidence of customer accounts being accessed or payment information

Link (1): https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign

Cybersecurity consultant arrested after allegedly extorting IT firm

Vincent Cannady, 57, worked for a staffing company to assess and remediate potential vulnerabilities in a New York-based multinational IT ISP

On June 23, 2023, he was terminated for performance reasons
Cannady allegedly used a company-issued laptop to download proprietary and confidential documents, including architectural maps, trade secrets, and list of potential vulnerabilities to which he still maintained access to after being terminated
He threatened to publicly disclose the information unless the company agreed to pay him up to $1.5 million as a settlement, for what he claims to be employment termination
This one hit home, as a security professional we are trusted advisors to the organization we support and yet people are going to be just that... people. I completely disagree with everything this individual did, and for an executive or outsider looking in it paints a horrible picture of our industry

Link (1): https://www.bleepingcomputer.com/news/legal/cybersecurity-consultant-arrested-after-allegedly-extorting-it-firm/

Buffer Overflow Vulnerabilities in ArubaOS (critical 9.8 rating)

There is a temporary work around available until patches can be applied.

CVE-2024-26305: Buffer overflow in ArubaOS' utility daemon
CVE-2024-26304: Buffer overflow in ArubaOS' L2/L3 management service
CVE-2024-33511: Buffer overflow in ArubaOS' automatic reporting service
CVE-2024-33512: Buffer overflow in ArubaOS' local user authentication database
No PoC has been released as of yet but all 4 exploits are accessible through Aruba's PAPI UDP port 8211
Aruba Mobility Conductors, Mobility Controllers, and WLAN and SD-WAN gateways are all affected

Link (1): https://www.arubanetworks.com/support-services/security-bulletins/

Link (2): https://www.theregister.com/2024/05/02/hpe_aruba_patches/

Feds warn about North Korean exploitation of improperly configured DMARC

Several Fed Agencies have published an advisory last week to warn of hackers targeting improperly configured DNS DMARC record policies

DMARC, a decade old, used by email platforms to authenticate messages and reduce the ability to spoof domains
North Korean hackers have been targeting improperly configured DMARC setups to make it look like their emails are coming from a legitimate domains email exchange, allowing them to masquerade as experts or academics with credible links to North Korean policy circles
This is a reminder that when creating a control, it is fully implemented - there are times to allow for testing to be performed but a following to finalize the controls is necessary - this is something we all know, but have a tendency to get busy chasing squirrels and circling back gets delayed or forgotten until it's too late

Link (1): https://therecord.media/north-korea-kimsuky-hackers-dmarc-emails

DHCP Based VPN Routing Leaks

CVE-2024-3661: By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. Many, if not most VPN systems based on IP routing are susceptible to such attacks.

There are fix capabilities, but it will require a lot of times for vendors to update their VPN software or applying work arounds
The link above does provide a PoC for how this works

Link (1): https://www.leviathansecurity.com/blog/tunnelvision

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. We are a trusted cyber security solutions company in Dallas, TX.

Flair Data Systems Cybersecurity News Update 5-1-2024

Wed, 01 May 2024 18:43:12 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/1/2024...

Good evening!

Today’s update brought back a wave of memories. I am reflecting on stories like the one about UnitedHealth, particularly regarding a significant turning point in my perspective on security. It's disheartening to see parallels between UnitedHealth's ordeal and an experience I had during a pen test years ago. The scenario of compromised credentials leading to unauthorized access via a non-MFA system, such as Citrix, feels all too familiar.

For me, that incident occurred over a decade ago during a sanctioned and paid engagement. However, for UnitedHealth, it unfolded as an unauthorized and paid engagement, resulting in widespread distress for countless individuals. It serves as a poignant reminder of the real-world consequences of security vulnerabilities and the importance of proactive measures to safeguard sensitive information.

With that, let’s get into today’s cybersecurity news update....

UnitedHealth Group CEO faces congress & cause of hack revealed

It has been publicly confirmed that UnitedHealth paid the $22 million ransom

The method of access was through compromised credentials that were used to access UnitedHealth's Citrix platform that lacked MFA
Not being a part of their Infrastructure or Security teams, I will not try to understand how that was allowed to occur in 2024

Link (1): https://therecord.media/unitedhealth-ceo-testifies-senate-hearing

ByteDance on the clock to divest TikTok

ByteDance, the parent company of TikTok, has been given 9 months to sort out a deal to divest TikTok with the ability to extend for another 3 months if necessary

TikTok is planning to challenge this in court, stating it is unconstitutional to ban

Link (1): https://www.theverge.com/2024/4/24/24139036/biden-signs-tiktok-ban-bill-divest-foreign-aid-package

Kaiser Permanente website tracking tools may have compromised customer data

Kaiser Permanente, a healthcare giant, has been notifying more than 13 million customers of their personal information had been potentially shared with third-party vendors

Information would have included: IP Addresses, names, information on how a member/patient was signed into their account, information showing how a member/patient interacted with and navigated through the website/mobile application, and search terms used in the health encyclopedia
Financial information or Social Security Numbers were not included
Third-party vendors included Google, Microsoft Bing, and X

Link (1): https://therecord.media/kaiser-permanente-potential-third-party-data-exposure

Avast gets GDPR fine:

Avast, a Czech endpoint protection company, was fined by GDRP for $14.9 million for processing customers' data illegally per GDPR rules

NGO Facua (Spanish not-for-profit) focuses on consumer rights brought it to the attention of Spain's Agency for Data Protection where Avast had collected and sold private browsing data, including identifying data, with the knowledge or authorization from its customers
The type of data being collected included Google Maps location searches and GPS coordinates, videos viewed on YouTube, profiles on LinkedIn, and Google Searches
Per Avast, this was shut down in January of 2020

Link (1): https://www.techradar.com/news/avast-hit-with-multimillion-euro-fine-for-gdpr-failure

Major U.S. wireless carriers face $200M FCC fine

AT&T, Sprint, T-Mobile, and Verizon are all being levied fines totaling nearly $200 million for illegally sharing access to customer's location information without consent

The investigation started over four-years ago (Feb 2020)
Each of the four above sold access to its customers' location information to 'aggregators' who then resold access to the information to third-party location-based service providers

Link (1): https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/

Marriott backtracks claims of encryption protection

Over the past 5 years, Marriot has defended its 2018 data breach by arguing that its encryption (AES-128) was strong enough and that it should be dismissed

However, this past April (the 10th) the attorneys for Marriot admitted that it never used AES-128 during the time of the breach
It had been using hashing (SHA-1) and not encryption but claimed it had been doing so
Interesting though, how did third-party forensic firms (Accenture, Verizon, and Crowdstrike) did not notice that there were in no encryptions put in place
Another valid question is around, if the above teams DID notice it why then did Marriot stick behind the original story (AES-128)
Lastly, when and how did Marriot discover the truth after the past 5 years

Link (1): https://www.csoonline.com/article/2096365/marriott-admits-it-falsely-claimed-for-five-years-it-was-using-encryption-during-2018-breach.html

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

SEO: flair data systems cybersecurity, cybersecurity blog, cybersecurity news, cyber security company plano tx

Flair Data Systems Cybersecurity News Update 4-24-2024

Wed, 24 Apr 2024 21:57:35 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 4/24/2024...

Good morning!

In a previous chapter of my career, I had the privilege of learning from a mentor whose wisdom I still carry with me today. Whenever tensions flared and disagreements escalated, he would humorously threaten to "send us camping," implying that we wouldn't return until we resolved our differences. While this directive was never enforced, there were moments when I truly believed some individuals might benefit from such an experience.

In the realm of active incident response, this concept applies. It underscores the necessity for individuals to set aside personal differences and collaborate towards a common resolution. Much like the hypothetical camping trip, it demands that we overcome individual barriers to address the overarching issue at hand.

Advice on how to structure tabletop exercises

Make it a safe place when performing the exercise
Not knowing is OK but giving wrong information is NOT OK
Research what you don't know after the fact, don't assume you have the ability but validate it
Determine if existing toolsets are capable before purchasing a new tool to compensate
Finally, teams need to understand the term "privileged" and know why it is needed (along with who can provide this)

Tabletop exercises present invaluable opportunities for teams to hone this collaborative spirit. They allow participants to navigate through simulated scenarios, fostering cohesion and mutual understanding while sidestepping the pitfalls of blame and discord. My earnest advice is to leverage these exercises not merely as platforms for showcasing individual prowess, but rather as occasions for fostering team synergy and camaraderie. For those wanting to explore the topic more, I recommend delving into Christian Espinosa's insightful book on the matter.

With that, let’s jump into this week's cyber update....

Cisco ASA / FTD Vulnerabilities being Exploited in the Wild

It is recommended to patch, but make sure you validate that your version is on an affected version and any type of reliance on other components (such as FMC)

CVE-2024-20353 (denial of service)
CVE-2024-20359 (persistent local code execution)
CVE-2024-20358 (command injection vulnerability)
Cisco has warned that state-backed hacking group (STORM-1849 / UAT4356) has been infiltrating vulnerable Cisco ASA/FTDs through a campaign tracked as ArcaneDoor
This has been going on as early as November of 2023, but Cisco became aware of this in early January 2024
The initial attack vector has not been identified, but Cisco has discovered and fixed the above security flaws

Link (1): https://www.bleepingcomputer.com/news/security/arcanedoor-hackers-exploit-cisco-zero-days-to-breach-govt-networks/

Recent Vulnerabilities released have Proof of Concepts released

Both Delinea and Ivanti vulnerabilities have had Proof of Concepts released to the public, which means now threat actors can create working attacks towards these applications

Delinea Secret Server Authn Authz Bypass: Link (1): https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3
Ivanti Avalanche PoC/Details: https://www.tenable.com/security/research/tra-2024-10
Palo Alto GlobalProtect: https://therecord.media/palo-alto-networks-fixes-vpn-zero-day
Palo Alto GlobalProtect has been actively exploited in the wild (CVE-2024-3400) since at least March 26, 2024
Patches have been released for all three of the listed vulnerabilities, take the time to review, test, and apply the patches as soon as possible

Advanced Phishing Campaign

Lookout has been found a new campaign mimicking the FCC Okta login page

The attack appears to be targeting FCC, Binance, and Coinbase in an effort to grab credentials, which is mimicking Scattered Spider tactics
Victims have reported to have received both phone calls (spoofed real customer support numbers) and text messages to encourage victims to complete the process
The concern is that these types of attacks, if successful, open the door for expanding this out to other types of campaigns
The link above contains a list of IoC's to be aware of

Link (1): https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit

LabHost take down

LabHost is a Phishing-as-a-Service platform that was recently shutdown through a global operation from law enforcement agents spanning 19 different countries

LabHost was previously available on the open web, not the dark web - meaning anyone was able to access it
40,000 phishing domains associated with them with over 10k users worldwide
Austrian authorities took down 207 servers hosting phishing sites and arrested 5 in country that had relationships to the operation
U.K. has arrested 4 individuals associated to the operation, one of which is the alleged original developer

Link (1): https://therecord.media/phishing-platform-labhost-shutdown-europol

MITRE’s breached was through Ivanti zero-day vulnerabilities

MITRE has confirmed that a state-backed hacking group has compromised the network back in January 2024 by chaining together two Ivanti VPN zero-days

The threat actors accessed their NERVE (Networked Experimentation, Research, and Virtualization Environment), an unclassified collaboration network used for research and development
No evidence shows that the threat actors accessed the organizations core enterprise network or partner systems
The two zero-days were CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection)

Link (1): https://www.bleepingcomputer.com/news/security/mitre-says-state-hackers-breached-its-network-via-ivanti-zero-days/

CrushFTP vulnerabilities

The CVE has the potential for a Remote Code Execution with a arbitrary read flaw that allows an attacker with low privileges to escape the servers virtual file system sandbox to access and download system files.

CVE-2024-4040: improper input validation vulnerability in the CrushFTP file transfer server version 11.1
The vendor has already released patches, but exploits have been released and being exploited

Link (1): https://www.darkreading.com/cloud-security/patch-crushftp-zero-day-cloud-exploit-targets-us-orgs

Evil XDR: Turning an XDR into an Offensive Tool

A researcher at Black Hat Asia described how he not only reverse-engineered and cracked into Palo Altos Cortex product but also weaponized it to deploy a reverse shell and ransomware.

All but one of the weaknesses discovered have since been resolved by Palo Alto, where the one that was not due to the fact that the risk was minimum (encryption of the Lua files)
The researcher was able to not only make the management console think the agent was online, it was offline and it provided the research the ability to gain remote access to the endpoint, along with deploying ransomware to the system without Cortex knowing or stopping it from happening
The how is very interesting, and worth a read in the article
Secondly, this opens the idea around how much privilege is given to XDR type tools to be able to perform their given ability to stop threats
One final note, this should not be something to scare people away from using EDR/XDR platforms but to fully understand and trust their provider that they are doing proper controls and testing to reduce these types of situations from occurring

Link (1): https://www.darkreading.com/application-security/evil-xdr-researcher-turns-palo-alto-software-into-perfect-malware

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. We are a trusted cyber security company in Dallas, TX.

Flair Data Systems Cybersecurity News Update 4-10-2024

Wed, 10 Apr 2024 22:12:08 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 4/10/2024...

Hope everyone enjoyed the Eclipse! A few of us watched from the office, and the rest of our team was working remotely. We shared some pictures of our views with each other! It was a pretty awesome event!

Sadly, today is not such a fun day in cyber news - specifically around Microsoft patches. It seems this was the one of the highest number of patches released by Microsoft in a given day (150).

Microsoft Releases patches for two Zero Day

CVE-2024-26234: Proxy driver spoofing vulnerability, originally reported by Sophos X-Ops in December 2023 and is currently being exploited in the wild and publicly disclosed

CVE-2024-29988: SmartScreen prompt security feature bypass vulnerability caused by a protection mechanism failure weakness, which is a bypass for CVE-2024-21412 flaw
Since last months patch release, there has been a total of 172 vulnerabilities (150 today alone)
Another patch that was pulled into this month dealt with Xbox Gaming Service, which unless you are performing a golden image on systems prior to deployment (which removes this plus other bloatware) systems are affected by it
CVE-2024-28916: Xbox gaming Services Elevation of Privilege Vulnerability

Link (1): https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-two-windows-zero-days-exploited-in-malware-attacks/

Over 90,000 LG Smart TVs exposed to remote attack

Four (4) vulnerabilities have been discovered to enable unauthorized access and control over affected models, including authorization bypass, privilege escalation, and command injection

The vulnerabilities affect the LG WebOS service, where it should reside only on the LAN network - however, Shodan is seeing over 91k devices exposed to the internet
CVE-2023-6317 allows attackers to bypass the TV's authorization mechanism by exploiting a variable setting, enabling the addition of an extra user to the TV set without proper authorization
CVE-2023-6318 is an elevation of privilege vulnerability that allows attackers to gain root access following the initial unauthorized access provided by CVE-2023-6317
CVE-2023-6319 involves operating system command injection via manipulation of a library responsible for displaying music lyrics, allowing execution of arbitrary commands
CVE-2023-6320 permits authenticated command injection by exploiting the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint, enabling command execution as the dbus user, which has similar permissions to the root user

Link (1): https://www.bleepingcomputer.com/news/security/over-90-000-lg-smart-tvs-may-be-exposed-to-remote-attacks/

Microsoft exposed internal passwords in security lapse

SOCRadar researchers have found an open and public storage server hosted on Azure that was storing internal information related to Microsoft Bing search engine

This information housed code, scripts, and config files containing passwords, keys, and credentials used by Microsoft employees for accessing other internal databases and systems
The storage server was not protected with a password and was accessible by everyone on the internet - which as since been taken down
Reported to Microsoft on Feb 6, 2024
Removed by Microsoft on March 5, 2024
Currently unknown as to how long it was online nor who had accessed the data while it was publicly available

Link (1): https://techcrunch.com/2024/04/09/microsoft-employees-exposed-internal-passwords-security-lapse/

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Tycoon 2FA, active since August 2023, is a Phishing-as-a-Service platform that targets Microsoft 365 and Gmail accounts to bypass two-factor authentication protections

Found to have 7 distinct stages
Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
Stage 2 – Background scripts extract the victim's email from the URL to customize the phishing attack.
Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack's success.

Link (1): https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/

Omni Hotels confirms cyberattack

Omni Hotels & Resorts was affected by a cyberattack since March 29th

Omni shutdown systems to protect data, which resulted in a nationwide outage that weekend
The scope of the event and data impacted is currently still unknown and being reviewed by third party response teams

Link (1): https://www.cybersecuritydive.com/news/omni-hotels-cyberattack/712452/#:~:text=Omni%20Hotels%20%26%20Resorts%20properties%20were,that%20began%20this%20past%20weekend.

Classified Five Eyes data theft announced

IntelBroker has taken credit for the breach where the Five Eyes Intelligence Group data has been obtained by breaching into Acuity Inc, which is a third party company that works directly with the Us Government and its allies

Acuity is a Virginia-based federal tech consulting firm
Supposedly this breach has contained data around classified information including full names, government and miliary email addresses, office and personal phone numbers - along with classified information and communications between the Five Eyes, 14 Eyes, and US allies.

Link (1): https://www.infosecurity-magazine.com/news/threat-actor-classified-five-eyes/

Cancer center data breach affects 800,000

City of Hope has disclosed a data breach of 827k patients personal and health information

City of Hope is a cancer hospital operator and clinical research organization
The incident was discovered almost 6 months ago (Oct 13, 2023) but did not post the information until April 2nd
The intrusion appears to have occurred between Sept 19th and Oct 12th
Data stolen included patient names, contact information (email, phone #s), date of birth, SS#, DL#, financial details (bank account # and/or CC#), health insurance information, medical records, and information about medical history and/or associated conditions, and/or unique identifiers to associated individuals with City of Hope (medical record numbers)

Link (1): https://www.fiercehealthcare.com/health-tech/city-hope-discloses-data-breach-impacting-827k-patients-personal-and-health-information#:~:text=City%20of%20Hope%20discloses%20data,patients'%20personal%20and%20health%20information&text=City%20of%20Hope%2C%20a%20cancer,of%20nearly%201%20million%20patients.

Government warns hospitals of hackers targeting IT help desks

Much like what happened at MGM, what feels like Scattered Spider is now starting to occur at hospitals

Just because a threat actor targets someone outside of those with access to critical systems does not mean they cannot pivot to those accounts once in the environment
The health sector is being advised:
Require callbacks to verify employees requesting password resets and new MFA devices.
Monitor for suspicious ACH changes.
Revalidate all users with access to payer websites.
Consider in-person requests for sensitive matters.
Require supervisors to verify requests.
Train help desk staff to identify and report social engineering techniques and verify callers' identities.

Link (1): https://www.bleepingcomputer.com/news/security/us-health-dept-warns-hospitals-of-hackers-targeting-it-help-desks/

New York City becomes latest in municipal government hack attempts

NYC has taken their city payroll website offline and remove it from public view after a phishing incident

This incident took place during a time people were submitting information for their taxes

Link (1): https://therecord.media/new-york-city-government-smishing-attack

Home Depot third party breach of employee data

IntelBroker (yet again) has leaked data for approximately 10k Home Depot employees

Home Depot has confirmed this was due to one of its third-party SaaS vendors mistakenly exposed sample employee data (names, work email addresses, and User IDs) during a systems test
Taking into consideration how third-parties are handling data is key when building out relationships and contracts

Link (1): https://www.bleepingcomputer.com/news/security/home-depot-confirms-third-party-data-breach-exposed-employee-info/

Change healthcare targeted again - a different threat actor

RansomHub has claimed to have stolen 4TB of data from Change Healthcare in February

This is coming off of another incident where AlphV ransomed their systems for $22 million
The data is said to include medical/dental records, payment/claims information, patient PII (including SS#) along with source code files of their software solutions

Link (1): https://thecyberwire.us16.list-manage.com/track/click?u=9f0cab23b3ee44f3bc482be80&id=af9eb66c93&e=75c345233e

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

6 things You Need to Know About the VMware Price Increases

Tue, 02 Apr 2024 18:47:34 GMT

Are you being held hostage by the VMware pricing increases? Flair Data Systems discusses the top issues affecting your network cloud storage solutions and budget. Read on...

VMware, a cornerstone in the realm of virtualization and network cloud storage solutions recently announced some changes that have sent ripples through the tech industry. Though we aren’t giving an opinion on the reasons for these drastic price increases, we do know you are seeking resources and advice on the topic.

Here are six key points everyone should know about these changes:

Significant Price Increases: So, VMware has decided to up the ante with some price increases across its product lineup. We have heard rumors of some quotes being 4X the price. Yikes! It's a bit of a letdown, especially if you're used to certain costs. But hey, let's dive in and see what this means for us.
Shaking Up the Licensing Game : Alongside those price hikes, VMware is also switching things up in the licensing department. They're moving from per-CPU to per-core licensing for some products. It's like they're playing musical chairs with our budgets!
Budget Blues : These price hikes might mean some reshuffling in your IT budget. It's understandable to feel a bit anxious about it, these increases may necessitate tough decisions regarding resource allocation and investment in alternative solutions. But take a breath, and let's see how we can make the most of what we've got.
Do you feel like a Hostage? VMware's price hikes have reignited discussions around vendor lock-in, with some customers expressing concerns about being tied to a single vendor for critical infrastructure needs. This has prompted organizations to explore alternative virtualization and cloud computing providers, seeking greater flexibility and cost-effectiveness.
Freedom to Choose : With all this talk about price hikes, it's natural to wonder if we're getting boxed into a corner with VMware. But fear not, there are plenty of other fish in the sea when it comes to virtualization and network cloud storage solutions, including our partnership with Nutanix. We've got options, and we'll find the right fit for your needs.
Finding Our Way : So, what's the game plan? Well, we're all in this together. Let's take a step back, assess our current setup, and explore our options. Maybe a little negotiation here, a dash of optimization there, and voilà! We'll navigate these changes like seasoned captains of the cloud.

In the end, VMware's price hikes might feel like a curveball, but we've got what it takes to roll with the punches. Together, we can chart a course through these changes, keeping our budgets in check and our network cloud storage systems running smoothly. Want to discuss your options? Set up some time with the Flair Data team by clicking the button below and filling out the form.

How may we serve you?

Who is Flair Data Systems?

Flair is a Technology Solution Provider for: Digital Transformation, Collaboration, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity - serving the U.S., with offices in Plano, TX and Colorado. For over 100 years, they have been bridging the gap between technology and business results.

Why Choose Flair Data Systems as your Technology Solutions Provider?

Flair has a legacy as part of the Porter Burgess Company, which started in 1916, installing auto accessories for dealers. Now, they deploy proven technology solutions for their clients.

Flair has served over 1000 happy customers, ranging across industries from Automotive to SLED, Retail to CPG, and Healthcare to Finance.

If you are seeking advice from a proven technology solution provider, we would love to chat with you. Visit our website and send us a message! Data & IT Consulting | Plano, TX | Flair Data Systems

About the Author: Emily Bell-Wootten builds brands to make an IMPACT. Working with 60 brands across 17 industries has taught her to be agile and focus on human centered design, leading her companies to over 1 billion in growth. She has been a CEO, CMO, Fractional CMO, and a global CX and MarTech thought leader for 2 Fortune 100 companies, and currently serves as the Director of Marketing and Customer Success for Flair Data Systems. Outside of her career responsibilities, she is passionate about volunteering in her community to effect real change. marketing@flairdata.com

Flair Data Systems Cybersecurity News Update 3-20-2024

Wed, 20 Mar 2024 18:38:58 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/20/2024...

Happy Wednesday!

The FBI released their IC3 Annual Report, and it has some interesting statistics, such has between 2019 and 2023 there have been 3.79 million complaints and $37.4 Billion in total losses. These are "reported" complaints and losses to the IC3 program specifically. Let's be honest, those numbers are much higher because not everyone is going to report that type of information to the FBI/IC3 - either because they are not aware of the process, its availability, or the desire to share the information with the feds. Also in the report, it shows that Phishing is the leader in the crimes across every year. It is a great report to understand the landscape from their perspective.

IC3 Annual Report 2023- Link: https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

With that, let’s jump into this week’s cyber security news update.

Change Healthcare - AHA asks for aid, HHS questions HIPAA compliance, and UnitedHealth fronts over $2 billion in recovery efforts

U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) [ok, that's a long name for a single department....] has issued a letter addressing the cyber incident affecting Change Healthcare that states they will be initiating an investigation into the incident

The investigation will be focusing on two areas: if there was a breach of PHI that occurred, and if Change Healthcare / UHG's were in compliance with the HIPAA rules
The American Heath Association (AHA) has urged Congress to consider several actions (Link 2) for assistance from the Government in any means necessary (including financial)
As of March 18th, UHG (UnitedHealth Group) has advanced payments of over $2 billion (yes that is a B) to aid healthcare providers
Currently, UHG has suspended paperwork that would normally be required to get approval for insurance coverage for most outpatient services, as well as review of inpatient admissions for government-backed Medicare Advantage plans to help those that were impacted

Link (1): https://www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html

Link (2): https://www.aha.org/news/headline/2024-03-04-aha-urges-congress-provide-support-help-minimize-further-fallout-change-healthcare-attack

Link (3): https://www.reuters.com/business/healthcare-pharmaceuticals/unitedhealth-says-advanced-over-2-bln-payments-providers-2024-03-18/#:~:text=March%2018%20(Reuters)%20%2D%20UnitedHealth,its%20technology%20unit%2C%20Change%20Healthcare.

Fortinet warns of severe SQLi vulnerability in FortiClientEMS software

FortiClient Enterprise Management Server (EMS) has recently been patched due to being vulnerable to a RCE attack

FortiCLient EMS allows admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles to Windows devices
CVE-2023-48788 is a SQL injection in the DB2 Administration Server component where an unauthenticated attacker could gain RCE with SYSTEM privileges on unpatched servers in a low-complexity attack that would not require user interaction
No evidence at the time of the article being written on this vulnerability being exploited in the wild
Fortinet has been releasing numerous set of patches to fix disclosed vulnerabilities in their platform (FortiOS and FortiProxy)

Link (1): https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-bug-in-endpoint-management-software/

Yacht company MarineMax announces cyberattack

MarineMax (Billion-dollar boat seller) has filed an 8K with the SEC on March 12th describing a cyber incident

Per MarineMax, operations have continued but they have brought in a 3rd party DFIR team to investigate

Link (1): https://therecord.media/boat-seller-marinemax-reports-cyberattack-sec

Global McDonald’s outage blamed on third-party vendor, not cyberattack

McDonalds had to suspend operations in multiple countries last weekend due to an IT outage (per McDonalds)

The exact root cause has not been divulged, nor has the 3rd party that was the cause of the outage
It makes one consider the Business Continuity exercises when heavily relying on technology (especially 3rd party services) that could cause issues of this magnitude

Link (1): https://www.computerweekly.com/news/366574032/Global-McDonalds-IT-outage-result-of-third-party-error

Network outages hit Birmingham Alabama

Birmingham still experiences outages limiting government services more than a week after a network "disruption"

The city has provided no updates since the initial release of the disruption
An internal memo was released to the city employees denying rumors of data being stolen but provided no specific information (probably because they knew it would be released to the public)
During an incident, an organization (or city or county or other entity) needs to take into consideration "optics" and how the public will view them during and after any situation that is causing a disruption of services

Link (1): https://therecord.media/network-outage-birmingham-alabama-ongoing-cyberattack#:~:text=The%20Birmingham%20outages%20took%20place,ransomware%20so%20far%20in%202024.

Cisco closed its $28b all-cash acquisition of Splunk

It is official, Cisco closed the $28 billion acquisition of Splunk!

There are those that are concerned with how Cisco will change the Splunk culture (I mean let's be honest - Splunk is already a very expensive solution, is it going to go up even more!?)
Broadcom's recent changes with VMWare have made people reconsider their footprint in that specific vendor - needless to say, it has been chaotic for most customers when they are receiving their renewals

Link (1): https://www.theregister.com/2024/03/19/cisco_closes_splunk_acquisition/

Microsoft announced deprecation of 1024 bit RSA Keys

Not a lot more to share here, other than it is finally coming to an end - several years after it should have been depreciated

Funny enough, Microsoft announces it will be depreciated - but leaves out the actual date of when...

Link (1): https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features#deprecated-features

Fortra FileCatalyst Vulnerability CVE-2024-25153

CVE-2024-25153: (9.8 score) directory traversal within the 'ftpservelet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request - specially crafted JSP files could be used to execute code, including web shells

Originally discovered in Aug 2023
Patches have been released, and based on what I have heard - this does not take a lot to exploit based on POC reviews
Cl0p group leveraged a zero-day vulnerability (CVE-2023-0669) for the same solution, resulting in having data stolen from over 130 victim organizations

Link (1): https://www.fortra.com/security/advisory/fi-2024-002

Link (2): https://www.helpnetsecurity.com/2024/03/19/cve-2024-25153-poc-exploit/

Mid-stream hack postpones ESports league

Apex Legends Global Series, an ESport tournament for a shooter game Apex Legends (a $5 million total prize pool!)

During the event, two players on Sunday appeared to have been hacked during the live-streaming game - which prompted the postponement of the tournament
Just to forewarn, the article above does have some explicit language
Easy Anti-Cheat, the makers of the anti-cheat system used with Apex Legends and other games ruled out the possibility that there is a RCE bug in their system
First off, I had no clue (because I guess I hit the "old" age) that games have gotten to this point - $5 million! I mean, I remember the movie The Wizard which portrayed these types of events back in the late 80's

Link (1): https://techcrunch.com/2024/03/18/esports-league-postponed-after-players-hacked-midgame/

Abusing the DHCP Administrators Group to Escalate Privileges in Windows Domains

Akamai researchers discovered a new means to perform privilege escalation affecting on-premise AD leveraging the DHCP administrators' group

This is where the DHCP server role is installed on a Domain Controller, which could allow the threat actor to gain domain admin privileges
It is based on an abuse of legitimate features and doesn't rely on any vulnerability
Check out the link above, it is pretty detailed on how the process works and a few steps of how to reduce the risk from this technique

Link (1): https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 3-13-2024

Wed, 13 Mar 2024 18:01:09 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/13/2024...

Good morning!

This past week, I have been spending time building out Tabletop scenarios for exercises coming up in the next 4 - 6 weeks. Going through this type of activity forces one to put yourself in two seats; how are the responders going to act and what a threat actor could do in these situations. One thing to always remember is that no matter the type of controls you have in place, at some point there is always a chance they could be bypassed or compromised due to unforeseen circumstances and/or vulnerabilities discovered.

With that, let’s jump into this week’s cyber security news update.

March Patch Tuesday - Zero Zero-Days

18 Remote Code Execution (RCE) Vulnerabilities
24 Elevation of Privilege (EoP) Vulnerabilities
6 Denial of Service (DoS) Vulnerabilities
2 Spoofing Vulnerabilities
6 Information Disclosure Vulnerabilities
1 Cross-site Scripting (XSS) Vulnerabilities
3 Security Feature Bypass Vulnerabilities*
CVE-2024-21407: (8.1 score), an authenticated attacker on a guest VM could exploit the vulnerability by sending specially crafted file operation requests to the VM's hardware resources, enabling RCE on the host server
To exploit, the attacker must have environment-specific information and take additional steps to prepare the target environment
CVE-2024-21408: (5.5 score), not much data on this one except that it has significant impact on availability by causing a DoS in Hyper-V\
"Most Likely" to be exploited based on Threat Intel
CVE-2024-21433 (CVSS: 7.0) – Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21437 (CVSS: 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-26160 (CVSS: 5.5) – Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26170 (CVSS: 7.8) – Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26182 (CVSS: 7.8) – Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26185 (CVSS: 6.5) – Windows Compressed Folder Tampering Vulnerability

Online fraud hits record losses

An IC3 (Internet Crimes Complaint Center) Report shows that in 2023 with reporting up to $12.5 billion - a 22% increase from 2022

These are only counted towards crimes reported to the FBI, so the number is much higher than that above
Take time to review the rest of the report - worth the read!

Link (1): https://www.tripwire.com/state-of-security/125-billion-lost-cybercrime-amid-tidal-wave-crypto-investment-fraud#:~:text=According%20to%20the%20IC3%20report,to%20be%20much%2C%20much%20higher.

States urge Meta to crack down on scammers

41 U.S. States have called on Meta to crack down on hackers and scammers on their platform

Between 2019 and 2023, the complaints have increased by 1000%, based on New York AG office
If these complains are making it to the AG's office, did they also make it to Meta? If so, why isn't Meta doing more to stop these attacks? Part of it is due to not enforcing MFA on accounts, with the high volume of these types of attacks why hasn't Meta enforced MFA enablement?

Link (1): https://www.spiceworks.com/it-security/cyber-risk-management/news/states-urge-meta-combat-facebook-instagram-account-takeovers/#:~:text=41%20U.S.%20States%20called%20on,hijacking%20attacks%20in%20recent%20months.

Apple issues update for zero-day flaw

CVE-2024-23225: A memory corruption issue in the Kernel that an attacker with arbitrary kernel read and write capabilities can exploit to bypass kernel memory protections

CVE-2024-23296: A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capabilities can exploit to bypass kernel memory protections
Apple statement on March 5th said that it is "aware of report that this issue may have been exploited"

Link (1): https://www.msspalert.com/news/apple-issues-critical-ios-security-updates-for-exploited-zero-day-flaws

Flipper Zero MiTM WiFi attack can unlock and steal Tesla cars

Researchers have demonstrated that they can perform a MiTM (Man-in-the-Middle) phishing attack to compromise Tesla accounts, unlocking cars, and starting them

The attacker could utilize a Flipper Zero to broadcast a wireless SSID (Tesla Guest) at a charging station, where Tesla owners could connect and log in to a fake Tesla login page using their Tesla credentials and on top of that prompt for their MFA information all in real-time
Rest of the article goes into how they were able to add a Phone Key to their own app while in proximity to the Tesla being targeted (Model 3)
Sadly, when presented to Tesla they were told this was considered "out of scope"

Link (1): https://www.bleepingcomputer.com/news/security/mitm-phishing-attack-can-let-attackers-unlock-and-steal-a-tesla/

Former Google engineer indicted for stealing AI secrets for Chinese companies

Linwei Ding, aka Leon Ding, faces up to 10 years in prison and a fine up to $250k for each count (total of 4 counts) of trade secret theft

Ding was hired by Google as a software engineer in May 2019, which gave him authorized access to confidential information related to hardware infrastructure, software platforms, AI models, and the application they supported at Google's supercomputing centers
Indictment charges claim he took over 500 unique files containing Google AI related trade secrets and secretly uploaded them to a personal Google account (between May 2022 through May 2023)
In May 2023, Ding founded Shanghai Zhisuan Technology, a China-based firm

Link (1): https://www.darkreading.com/insider-threats/google-engineer-steals-ai-trade-secrets-chinese-companies

PetSmart warns customers of credential stuffing attack

PetSmart systems picked up on a credential stuffing attack on their petsmart.com domain

For due diligence, PetSmart has sent notifications to all customers that appeared to log in during the time period of the attack - since they are not able to determine good from bad login attempts
Credential stuffing attacks compromise of using known passwords from other attacks - meaning password reuse is still heavily used
To help solve this, using a password manager that generates passwords for you will help keep these types of attacks from being as successful

Link (1): https://www.bleepingcomputer.com/news/security/petsmart-warns-of-credential-stuffing-attacks-trying-to-hack-accounts/

Microsoft says Russian hackers breached its systems, accessed source code

Midnight Blizzard, who accessed Microsoft back in January 2024, has recently gained access again from previously stolen authentication secrets

This latest breach has led to unauthorized access to source code repositories and internal systems
Microsoft is stating that as of yet there is no evidence that customer-facing systems were compromised
In several of the emails compromised originally, it was discovered that there were emails between Microsoft and Customers that held authentication secrets

Link (1): https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/

Cisco VPN Client Vuln

CVE-2024-20337: vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user

Patches have been released to resolve this issue
No know public announcements or malicious use of this vulnerability

Link (1): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

Roku forces reset after 15,000 accounts compromised

15,000 Roku accounts compromised and put up for sale on dark web markets - $.50 each

This would allow threat actors to gave access to saved credit card information on the customers accounts and make fraudulent transactions
Once the threat actor gained access, they were locking users out by changing passwords, email addresses, and shipping addresses
This was another credential stuffing attack, again password reuse issues

Link (1): https://www.bleepingcomputer.com/news/security/over-15-000-hacked-roku-accounts-sold-for-50-each-to-buy-hardware/

Lastly, some resources from CISA/NSA Secure Cloud Guides

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 3-06-2024

Wed, 06 Mar 2024 21:31:56 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/06/2024...

As yesterday was Super Tuesday - it appears that the Primary's went off without any type of cyber incident. There seems to be a lot to report back this week on other areas, other than Apple released a new update for both the iPhone and iPad iOS's this week - and there were security updates included.

With that, let’s jump into this week’s cyber security news update.

Biden signs order limiting the sale of personal data

This specific EO (Executive Order) is restricting access to "countries of concern" around sensitive data

The EO affects data brokerages, third-party vendor agreements, employment agreements, investment agreements, and others
Sensitive Data is referring to a broad definition that includes personal identifiers, geolocations and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination
'omic data refers to data generated from humans that characterizes or quantifies human biological molecules or metabolic data - all of our fancy fitness wearables
One thing to note is that this EO appears to be a 2-phase approach for implementation - "highly sensitive data transactions" will be outright prohibited and other categories will be "restricted" but could proceed on the condition that they comply with certain predefined
Reading through the fact sheet, their appears to be some wiggle room built in to not prohibit businesses from operating - but the goal is to restrict the data from getting into the hands of "concerned countries"

Link (1): https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/

Link (2): https://www.whitecase.com/insight-alert/new-executive-order-seeks-protect-americans-sensitive-personal-data

GlobalBlock Service To Prevent Trademark abuse

Registrars now have the ability (for a cost $$$$) to block threat actors (or competitors or jokesters) from registering domain names that look like on brand names

GlobalBlock - being used by GoDaddy, 101domain, and markMonitor allow businesses to pay a subscription fee to reserve a part of the domain space to protect trademarks
Traditionally, when someone spun up a "homoglyph" (or similar domain) and it was used for malicious purposes - the organization being mimicked would need to contact the register, provide evidence of malicious activity, and after a period of time the domain was offline, purchase the domain to prevent the attack from occurring again.
For others, businesses would issue "Cease and desist" letters to the registration owners
The basic plans look to be limiting to other TLD (top level domains) like .com, .us, .mil, etc... but not the character changed versions $5,999 yearly fee
The "plus" plans take it a step further and look to block up to the tens of thousands of domain name being registered $8,999 yearly fee
Lastly, there is an "AutoCatch" feature that can be used to grab up a domain that falls into the above once the registration expires

Link (1): https://www.bleepingcomputer.com/news/technology/registrars-can-now-block-all-domains-that-resemble-brand-names/

Pharma giant Cencora announces data breach

Cencora, a global pharma company, reported Feb 27th on their 8-k SEC filing that they discovered that intruders had stolen data from its network

The event was first discovered on Feb 21st but the nature has not been disclosed
Cencora was formally known as AmerisourceBergen, Pennsylvania based corporation

Link (1): https://therecord.media/cencora-pharmaceutical-giant-reports-cyber-incident

GenAI drives surge in BEC attacks

Note, the above link is gated - to get the report you will have to provide your information

Between 2022 and 2023, the BEC type of attacks went from 1% to 18.6% of all attacks in 2023
I have personally seen a higher number of BEC attacks occurring, where what appears to be a vendor sending updated ACH/Banking information to an organization with very specially crafted emails and attachments
Most of the attacks were thought to be the vendor in questions network being compromised, however, it was found that the organization receiving the emails were actually compromised - mostly due to proxyMFA attacks or no MFA enabled

Link (1): https://perception-point.io/resources/report/2024-annual-report/

Flair Data Systems Hosts a Tech Demo Day

Tue, 05 Mar 2024 17:20:45 GMT

On February 22nd, 2024- Flair hosted Demo Day, where technology partners were given the opportunity to pitch innovative technology and demo solutions to CIOs, CTOs, and CISOs from the DFW Metroplex. Read all about it!

Flair Data Systems is jumping into the ring, facilitating impactful tech events to bolster community engagement and education in the DFW technology community. On February 22nd, Flair hosted Demo Day, where technology partners were given the opportunity to pitch innovative technology and demo solutions to CIOs, CTOs, and CISOs from the DFW Metroplex. Not only did the attendees get to attend informative sessions, they also were treated to Hard8 BBQ, raffle prizes, and shooting experiences at Texas Gun Experience in Grapevine, Texas. An enjoyable day was had by all!

Demo Day Event Details

Flair Data Systems hosted an invite-only event on Feb. 22nd, 9 am - 4 pm, at the Texas Gun Experience. Flair Data Systems presented an unparalleled opportunity for technology enthusiasts to experience a day of cutting-edge demos, networking, shooting experiences, and some Texas-sized BBQ!

Event Highlights:

Dedicated Demo Time: explore our latest products and solutions during a 3-hour demo session tailored to your interests. Choose the AM or PM slot...whichever fits your schedule.
Choose Your Experience : opt in for a thrilling "shooting experience" with a machine gun, 1-hour shooting range gift card, or grab a branded tumbler cup.
Texas BBQ Extravaganza: Indulge in a complimentary BBQ lunch while discussing tech innovations.
Active Directory Check POC (Proof of Concept): Exclusive on-premises offer from Flair Data's vCISO team. Claim your POC here: https://share.hsforms.com/1ZMM8Imv-QgCkmpxOpE2RcQ3xfp4
Raffle Prizes: Win exciting prizes in our raffle, with tickets earned for attending, participating in demos, and scheduling follow-up calls.
Networking Opportunities: Connect with leading Partners from various tech segments - Collaboration, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity.

Event Schedule:

8:30 Check-in and Breakfast Snacks
9 am - 12 pm: First Session – Demos, Networking and Machine Guns!
12 pm - 1 pm: Lunch Break
1 pm - 4 pm: Second Session - More Demos, Networking, and Shooting Experiences

Sponsors of Flair Data Systems Demo Day

Who is Flair Data Systems?

Flair is a Technology Solution Advisor for: Digital Transformation, Collaboration, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity - serving the U.S., with offices in Plano, TX and Colorado. For over 100 years, they have been bridging the gap between technology and business results.

Why Choose Flair Data Systems as your Technology Solutions Provider?

Flair has a legacy as part of the Porter Burgess Company, which started in 1916, installing auto accessories for dealers. Now, they deploy proven technology solutions for their clients. Flair has served over 1000 happy customers, ranging across industries from Automotive to SLED, Retail to CPG, and Healthcare to Finance.

If you are seeking cybersecurity advice, get 30 minutes of a vCISO’s time on us! Sign up here: https://share.hsforms.com/1jBwAxwPGTteIDMXcyGV_0Q3xfp4

Want to Attend a Flair Data Systems Event?

If you missed this event, there will be more. Sign up to receive communications from Flair where you can receive our Tech Insights Newsletter, highlighting tech industry trends and cybersecurity insights from Brent Forrest, Flair Data’s own vCISO, as well as exclusive invites to technology events. Register here: https://share.hsforms.com/1hiqV5ZdYQkCyrzYxwwTMmw3xfp4

We look forward to hosting you at our next event!

Flair Data Systems Cybersecurity News Update 2-28-2024

Wed, 28 Feb 2024 21:05:44 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/28/2024.

Lots of updated news around LockBit since they were hit by law enforcement over the past couple of weeks. Something that I have been thinking about a lot has been around the fact we never really see Anonymous mentioned anymore in the news. It makes one wonder if those that at one point supported or were part of Anonymous decided to go at things for a monetary purpose...food for thought.

Outside of that, one hot topic that I have had continued conversations about, has been giving users "Administrator" privileges on their local systems. This is a hot topic for many organizations, some take the hard line that no one will have it (knowing it will cause for higher calls from users to Help Desk for assistance). Others have taken the line of they do not have the workforce to support every user needing something. Other organizations are heavy in technical staff or developers, and removing those administrator rights would impede their ability to perform necessary work. For the most part, I am asked how I would recommend solving this problem and for the most part it goes back to enabling your users, but to do so in a safe way requires technical controls (i.e., Endpoint management software) that will elevate software as needed with a privileged token without giving that right to the user on a constant basis for any and all tasks. There are multiple vendors that can help in this fashion, but the challenge is picking the best solution for your team to own it effectively.

With that, let’s jump into this week’s cyber security news update.

LockBit Updates

It was discovered during the takedown that Lockbit was actually deleting the data as promised if a ransom was paid - are we really surprised by this one?

During the takedown, it was discovered that LockBit was building an updated version of their file encrypting malware (LockBit-NG-Dev) where it would possibly be considered LockBit 4.0
This was a change in their coding from C/C++ to .NET compiled with CoreRT and packed with MPRESS
The new version appears to have supported three encryption modes (using AES+RSA) called "fast", "intermittent", and "full"
Offering a feature that would allow it to self-delete where it overwrites LockBit's own file contents with null bytes

Link (1): https://therecord.media/lockbit-lied-about-deleting-exfiltrated-data-after-ransom-payments

Link (2): https://www.bleepingcomputer.com/news/security/lockbit-ransomware-secretly-building-next-gen-encryptor-before-takedown/#:~:text=LockBit%20ransomware%20developers%20were%20secretly,cybercriminal's%20infrastructure%20earlier%20this%20week.

Connectwise ScreenConnect Vulnerabilities

CVE-2024-1709: affects ScreenConnect 23.9.7 and older - allows any remote attacker to bypass authentication to delete the ScreenConnect user database and get control of an admin user

CVE-2024-1708: allowing path traversal, which enables an attacker to access files and directories that should not be accessible
Exploitation of CVE-2024-1709 has been seen in mass in the wild starting the day after the patch was released
The cloud version of ScreenConnect was automatically patched, but anyone still running the on-premise version is reliant on customers to patch manually

Link (1): https://www.techrepublic.com/article/connectwise-screenconnect-vulnerability/

Thousands of wireless customers suffer outage

Last Thursday, it probably felt like an apocalyptic event, or you were on vacation when a good portion of cell services were disrupted due to the ATT outage.

ATT is attributing the outage to a software bug "cased by the application and execution of an incorrect process used as we were expanding our network, not a cyber attack"
This type of event (much like the 2019/2020 Pandemic) will lay the groundwork for tabletop scenarios and how to prepare for them
Interesting enough though, people were calling 911 to "test their phones" - which is not what I thought of doing when the service was down

Link (1): https://www.cbsnews.com/news/numerous-us-cellphone-providers-experiencing-outages-downdetector/

Prescription delays due to Change Healthcare cyberattack

Change Healthcare (owned by Optum) has been experiencing a cyber incident for the past week

Blackcat has taken responsibility for this incident, even though Change Healthcare has been stating it was a nation-state attacker (based on their 8-k SEC filing)
Change Healthcare incident has disrupted pharmacy services nationwide

Link (1): https://therecord.media/change-healthcare-blackcat-alphv-incident-drags-on

Link (2): https://status.changehealthcare.com/incidents/hqpjz25fn3n7

PayPal files patent for new stolen cookies detector

PayPal has filed a patent application for a way to identify when "super-cookie" is stolen.

Super-cookies (also referred to as "flash cookies") are Local Shared Objects that are injected at the network level as unique identifier headers by the user's ISP
These are used primarily for cross-site tracking, following users across different browsers on the same device, collecting data on browsing activity, and serving as persistent "device fingerprints"

Link (1): https://www.bleepingcomputer.com/news/security/paypal-files-patent-for-new-method-to-detect-stolen-cookies/

U-Haul affected by a breach

On Dec 5th, 2023 - an unauthorized actor was able to access systems used by U-Haul dealers and team members to track customer reservations and view customer records, using legitimate credentials.

After an investigation, it appears that certain customer records were access in the breach, including name and drivers licenses - U-Haul is in the process of notifying customers
In 2022, another incident similar to this one occurred, with stolen credentials
My question to any organization storing any type of sensitive information, why are you not implementing MFA on your platforms for access? Some type of MFA challenge is better than nothing at all, especially considering users are notorious about credential reuse and the high number of password breaches that are continuously occurring

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/67k-customers-impacted-by-data-breach-according-to-u-haul

Brand domains used in spam operation

Affecting more than 8,000 domains and 13,000 subdomains - being tracked as SubdoMailing

The threat actor is being called RessurecAds, where they will resuscitate dead domains of or affiliated with big brands with the end goal of manipulating the digital advertising ecosystem for nefarious gains
Brands have included: ACLU, ebay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, VMWare, and others
Marketing departments will stand up domains, use them for campaigns, and then abandon them after a period of time without properly cleaning things up - which allows for threat actors to come in and purchase the abandoned domain
One example would be where a company could add this campaign domain in their SPF records, but when its abandoned the DNS owners are never notified to remove that entry and still considered "trusted"

Link (1): https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html

Steel giant hit with cyberattack

ThyssenKrupp, one of the world's largest steel producers, employing over 100k personnel and annual revenue over $44.4 billion

ThyssenKrupp has confirmed a breach of their systems in its Automotive division last week, forcing them to shutdown IT systems as part of its responses and containment efforts
They are considered a crucial component of the global supply chain of products that use steel as a material across various sectors
Currently no threat actor group has taken responsibility for this attack, nor has the organization offered any insight
This is not their first attack either; 2022, 2020, 2016, and 2013

Link (1): https://www.bleepingcomputer.com/news/security/steel-giant-thyssenkrupp-confirms-cyberattack-on-automotive-division/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 2-21-2024

Wed, 21 Feb 2024 20:24:10 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/21/2024.

The past couple of days has been a bit of a rollercoaster with the news around LockBit systems being compromised by law enforcement agencies across the world.

Last week I mentioned an article related to "network connected toothbrush bots" and that story is still undetermined in its authenticity. In one hand, Fortinet stated it was hypothetical and not a true incident. However, the journalist is fighting back against that statement and what they were told by Fortinet. On top of that, Fortinet had to release several vulnerabilities last week – I am sure it felt like a monsoon for Fortinet last week.

Lastly, I provided a screenshot of how to approach vulnerability patching with the world we live in (included screenshot once more for reference) and I would like to clarify, this is something every organization will have to consider. Some say it is too aggressive - probably so. Some say just focus on Zero-Day / Critical - sounds like a great start. The point is that we are living in a world where threat actors are taking advantage of discovered vulnerabilities sometimes much faster than the vendor can patch them. Do not make changes based on one person's perspective, and do not live in an echo chamber. Determine what is the best fit for the organization you are supporting and requirements around business/compliance/regulations.

With that, let’s jump into this week’s cyber security news update.

LockBit disrupted by global police operation

Operation Cronos, a joint operation between law agencies across 10 countries, has disrupted the LockBit ransomware operation

National Crime Agency of the United Kingdom has modified the banner on the data leak website to show they have gained control of the site, including the negotiation sites
Other components of LockBits sites are still operating (data hosting and private message platform)
Other items that were seized included: LockBit source code, chats, victim information
Updated to include over 1,000 decryption keys, 34 servers, and over 200 cyrpto-wallets
Link 3 is a portal that contains Decryption Tools for those that are affected by various threat actors
Two operators of LockBit were arrested in Poland and Ukraine
Three international warrants and five indictments targeting other members of LockBit

Link (1): https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-operation/

Link (2): https://www.bleepingcomputer.com/news/security/police-arrest-lockbit-ransomware-members-release-decryptor-in-global-crackdown/

Link (3): https://www.nomoreransom.org/en/index.html

Trans-Northern Pipelines (TNPI) confirms cyberattack

Breached in November of 2023 by ALPHV/BlackCat ransomware gang

TNPI operates over 528 miles of pipeline in Ontario-Quebec and 198 miles in Alberta transporting over 221,000 barrels daily
Pipelines transport gasoline, diesel fuel, aviation fuel, and heating fuel from refineries to distribution terminals
ALPHV has claimed to have stolen 183GB of documents from the breach

Link (1): https://www.bleepingcomputer.com/news/security/trans-northern-pipelines-investigating-alphv-ransomware-attack-claims/

ALPHV gang takes credit for LoanDepot, Prudential attacks

On Feb 16, both Prudential and LoanDepot were listed on ALPHV leak site

LoanDepots is pending ALPHV potentially selling the data - 16.6 million people personal information stolen
Prudential's data is looked to be released for free after failed negotiations, and has yet to find evidence that the attacker had actually exfiltrated customer or client data

Link (1): https://www.bleepingcomputer.com/news/security/alphv-ransomware-claims-loandepot-prudential-financial-breaches/

Threat actors using LLMs to improve cyberattacks

LLM (Large Language Models) for those not familiar with the term is essentially what OpenAI or Gemini (Google) AI based chats are based upon

Threat actors are weaponizing LLM's to perform reconnaissance, such as learning about potential victims' industries, locations, and relationships
Five nation-States threat actors weaponizing AI
Forest Blizzard - Russia
Emerald Sleet - North Korea
Crimson Sandstorm - Iran
Charcoal Typhoon - China
Salmon Typhoon - China

Link (1): https://www.infosecurity-magazine.com/news/microsoft-nation-states-gen-ai/#:~:text=Its%20main%20uses%20of%20LLMs,support%20app%20and%20web%20development.

Google Chrome feature blocks attacks against home networks

Starting in Chrome 123, Google has proposed implementing a "Private Network Access protections" feature - starting out in a "warning-only" mode

This new feature will conduct checks before a public website directs a browser to visit another site within the user's private network
The check includes verifying if the request comes from a secure context and sending a preliminary request to see if the internal site permits access from a public website through specific requests called CORS-preflight requests
The intent for this change is to prevent malicious websites on the internet from exploiting flaws on devices or servers in users' internal networks

Link (1): https://www.bleepingcomputer.com/news/google/new-google-chrome-feature-blocks-attacks-against-home-networks/

Mastermind behind Zeus and IcedID malware pleads guilty

Vyacheslav Igorevich Penchukov (aka Tank) was on the FBI's Cyber Most Wanted List until 2022, where he was arrested in Switzerland

He was extradited to the US last year and has pleaded guilty to RICO and wire fraud charges related to his leadership role in separate cybercrime operations involving the Zeus and IcedID malware
Zeus operations started in May 2009 - infecting millions of devices, including thousands of business computers, enabling threat actors to obtain personal and banking information that was capable of being used to make unauthorized transfers from victims' bank accounts
IcedID operations existed between November 2018 and February 2021 - allowing threat actors to steal banking and personal information, and could also be used to deliver other malware to compromised computers, including ransomware
Vyacheslav sentencing is scheduled for May 9th and faces up to 20 years in prison for each count

Link (1): https://www.securityweek.com/ukrainian-pleads-guilty-in-us-to-key-role-in-zeus-icedid-malware-operations/

Air Canada must honor refund invented by its chatbot, says court

Jake Moffatt used Air Canada's chatbot to explain how the bereavement rates worked after finding out that his grandmother passed away

The chatbot provided inaccurate information, encouraging Moffatt to book a flight immediately and then request a refund within 90 days
However, Air Canada's policy explicitly stated that the airline will not provide refunds for bereavement travel after the flight is booked
After months of fighting between Moffatt and Air Canada through small claims courts (Canada's Civil Resolution Tribunal), and the case was found in favor of Moffatt
The Tribunal member stated that "Air Canada argues it cannot be held liable for information provided by one of its agents, servants, or representatives - including a chatbot"
This is something every organization needs to take into consideration when standing up chatbots to assist their customers, because that chatbot is speaking on behalf of the organization

Link (1): https://www.wired.com/story/air-canada-chatbot-refund-policy/

Cactus leaks Schneider Electric data on dark web

Last month, it was announced that subsidiary of Schneider Electric - Sustainability Business division was comprised

Cactus ransomware gang has claimed to have stolen 1.5TB of data from Schneider, 25MB of it was leaked on the operations' dark web leak site as proof of life
It is still unknown what specific data was stolen - but based on the compromised systems that the potential for sensitive information about customers' industrial control and automation systems and information about environmental and energy regulations compliance is a concern

Link (1): https://www.bleepingcomputer.com/news/security/cactus-ransomware-claim-to-steal-15tb-of-schneider-electric-data/

Wyze camera - Incident leading to accidently user view

In September 2023, Wyze users reported that they were seeing camera feeds that were not theirs, which was found to be a Web caching problem

Last Friday (Feb 16, 2024), this situation occurred again but on a larger scale - 13,000 users received thumbnails from cameras that were not theirs, and 1,504 of those users enlarged the image
Consumers of Wyze went to Reddit to report the situation, where people were seeing things such as "a stranger's porch", "someone else's living room", and other footages from a different time zone
The issue was around an AWS outage that occurred early Friday morning and the Wyze servers were overloaded, which resulted in it corrupting some user data (AWS did not report an outage during the time frame of the issues)
There are multiple concerns here, and it's not my place to judge where one person places a camera vs another person - but this is the very reason you won't find a web-based camera like this within my home. The number of IoT based tools people are bringing into their homes has expanded dramatically and continues to do so every year. One question I like to ask people is "Do you know every device on your home wireless network?" most have no clue.

Link (1): https://www.darkreading.com/endpoint-security/wyze-cameras-allow-accidental-user-spying

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 2-14-2024

Wed, 14 Feb 2024 22:30:12 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/14/2024...

Happy Wednesday!

The past couple of weeks, it was noted that the number of ransomware payments has decreased dramatically in 2023 but a new statistic has populated to show that a new milestone was hit in 2023 - over $1 billion (about $3 per person in the US) was paid in Ransomware incidents. The ransomware actors are taking advantage of inflation.

Another interesting note I came across this morning was around the "new patching schedule" that should be considered. Previously we have followed the idea of Critical to be patched within 30 days, and then you proceed down to the 30/90/180/365 day remediation path. With more and more zero days being introduced with exploits already in the wild and rapidly accelerating this, the below image stood out to me, and I wanted to share.

Lastly, being Patch Tuesday week - there are two zero-day vulnerabilities being released this week. CVE-2024-21351 and CVE-2024-21412 , along with 8 other vulnerabilities marked as "Exploitation More Likely".

On that note, let’s jump into this week's cybersecurity news update.

TTP to be aware of (Volt Typhoon)

The link is a Joint Guidance that was co-authored by CISA, NSA, FBI and other agencies

The Joint Guidance is providing Identifying and Mitigating Living Off the Land Techniques - worth a read through (Link 2)

Link (1): https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques

Link (2): https://www.cisa.gov/sites/default/files/2024-02/Joint-Guidance-Identifying-and-Mitigating-LOTL_V3508c.pdf

Cisco fixes critical Expressway flaws

Cisco has patched 3 CSRF (Cross-Site Request Forgery) vulnerabilities in the Expressway Series and a DoS flaw in the ClamAV anti-malware engine

CSRF flaws allow unauthenticated attackers to perform arbitrary actions on vulnerable devices by tricking users to click on a specifically crafted link
CVE-2024-20252: score of 9.8; located in the API of Cisco Expressway Series devices and stem from a lack of CSRF protections in the web-based management interface
CVE-2024-20254: score of 9.8; same as above
CVE-2024-20255: score of 8.2; allows an attacker to cause a DoS condition by overwriting system configuration settings. This one only affects devices if the cluster database (CDB) API feature has been enabled (disabled by default)
Cisco advises customers of Cisco Expressway Series release 14.0 to upgrade to the newly released 14.3.41 version or upgrade to 15.0.01. To enable the fix, customers also must run the following command: xconfiguration Security CSRFProtection status: “Enabled”
CVE-2024-20290: score of 7.5; a heap buffer over-read caused by incorrect checks for end-of-string values in the OLE2 file format parser - this could be exploited by sending a specially crafted file with OLE2 content to the ClamAV scanner, which could crash the scanning process and consume system resources

Link (1): https://www.csoonline.com/article/1306892/cisco-patches-serious-flaws-in-expressway-and-clamav.html#:~:text=Cisco%20has%20fixed%20three%20serious,the%20ClamAV%20anti%2Dmalware%20engine.

3 million records from thousands of credit unions exposed

U.S. Credit Union Services exposed over 3 million records as a result of a misconfigured cloud database

This is suspected to be a customer relationship management system of Michigan-based credit union service provider CU Solutions Group
This exposure included data belonging to thousands of U.S. credit unions, internal notes, and clients' full names, home and email addresses, and plaintext passwords
The database has sense been secured, but whether or not if a threat actor gained access is unknown

Link (1): https://www.scmagazine.com/brief/over-3m-us-credit-union-service-records-exposed-by-database-misconfiguration

Fake LastPass App in Apple App Store

LastPass released a blog notice that a developer by the name of Parvati Patel released an app with the name of LassPass Password Manager on the Apple App Store

This app utilized the LastPass branding
As of Feb 8th, the fraudulent app was removed from the Apple App Store

Link (1): https://blog.lastpass.com/2024/02/warning-fraudulent-app-impersonating-lastpass-currently-available-in-apple-app-store/

Ivanti XXE Vulnerability

CVE-2024-22024: score of 8.3; an XML external entity (XXE) in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways which allows an attacker to access certain restricted resources without authentication

Ivanti flaw used to deploy backdoor with CVE-2024-21893
CVE-2024-21893 is a server-side request forgery bug identified in the SAML component of Connect Secure, Policy Secure, and ZTA gateways which could be exploited without authentication to leak sensitive information
Orange Cyberdefense has discovered that threat actors are injecting a backdoor into a component of the Ivanti appliance using this vulnerability
Needless to say Ivanti has been in the news for numerous and continuous vulnerabilities - almost as much as MoveIT was in the news for the number of compromises

Link (1): https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure

Link (2): https://www.securityweek.com/ivanti-vulnerability-exploited-to-deliver-new-dslog-backdoor/#:~:text=Backdoor%20deployed%20using%20recent%20Ivanti,request%20and%20system%20log%20theft.&text=A%20recently%20patched%20zero%2Dday,services%20provider%20Orange%20Cyberdefense%20reports.

FortiOS sslvpnd vulnerability

CVE-2024-21762: score of 9.6; out-of-bounds vulnerability in FortiOS and FortiProxy may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests

Workaround: disable SSL VPN (disable webmode is NOT a valid workaround)
Fortinet is stating this is potentially being exploited in the wild
See image above on how quickly one should be upgrading this vulnerability!

Link (1): https://www.fortiguard.com/psirt/FG-IR-24-015

Raspberry Robin – a new one-day exploit targeting Windows

Originally discovered in 2021, is a worm that is incorporating one-day exploits as soon as they are developed, to improve on its privilege escalation capabilities

The progression of the time it takes for the group to weaponize vulnerabilities after disclosure has gone from one year, to two months, to two weeks

Link (1): https://www.darkreading.com/application-security/raspberry-robin-1-days-escalate-unpatched-networks

Cisco to cut thousands of jobs as it focuses on high growth areas

As with most other tech organizations, Cisco is working to restructure its business and that will include laying off thousands of employees

The specific employee count or which departments is yet to be disclosed (or possibly determined)

Link (1): https://www.reuters.com/business/cisco-cut-thousands-jobs-it-seeks-focus-high-growth-areas-sources-2024-02-09/

Prudential Financial data breached in cyberattack

Last week, Prudential Financial disclosed that their network was compromised, with attackers stealing employee and contractor data before being removed from the network one day later

Based on the 8-K filing to the SEC, the company stated they detected the breach on February 5th after the attackers gained access to some of its systems one day earlier on February 4th
As of this writing, there have been no indicators that the threat actors have obtained customer or client data

Link (1): https://www.bleepingcomputer.com/news/security/prudential-financial-breached-in-data-theft-cyberattack/

Bank of America customers at risk after third party breach

BofA has warned customers of a leak of their sensitive data that occurred due to a ransomware attack against a third-party company (Infosys McCamish Systems) last Fall

At least 57,028 customers were affected by this breach - the scary part is that IMS is stating that it is unlikely that they will be able to determine with certainty what personal information was accessed as a result of the incident
which includes Names and SSNs, but may also include addresses, business email addresses, DOB, and other account information
One of the topics we touch on during our tabletop exercises with clients is specifically around "do you have the means in place to know what data is viewed and/or modified if there was an incident"
LockBit has claimed responsibility for this breach - where 2,000 IMS systems were encrypted by the threat actor
At this point in time, it is unclear if IMS paid the ransom or not

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/bofa-warns-customers-of-data-leak-in-third-party-breach

Fulton County, GA claimed by LockBit

Late in January Fulton County was dealing with an IT outage caused by a ransomware attack that affected office phone systems and online transactions (including those involving firearm and marriage licenses)

The investigation has been ongoing but as of this week, LockBit is taking responsibility for the attack

Link (1): https://therecord.media/fulton-county-georgia-atlanta-cyberattack-causing-outages

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Flair Data Systems Cybersecurity News Update 2-07-2024

Wed, 07 Feb 2024 21:43:37 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/07/2024.

I hope that the week is treating you well and enjoying some of the spring weather (wait, we are still in Winter?). The world never ceases to amuse one with the stories that are discovered, such as the last one with IoT based toothbrushes, which comes the same week I spent time with friends from Phosphorus (a firm that focuses on identity and manage xIoT devices) learning about their platform and capabilities.

On that note, let’s jump into this week's cybersecurity news update.

FBI grounds Volt Typhoon

Volt Typhoon is a hacking campaign targeting privately owned Cisco and NetGear routers infected with "KV Botnet" malware

The FBI issued a command to infected routers that would delete the KV Botnet malware from the devices without affecting any legitimate files or information on the routers
A 2023 Lumen analysis showed that Volt Typhoon had been active since at least February 2022

Link (1): https://cyberscoop.com/chinese-cyber-threats-fbi-operation-botnet/

More companies refuse to pay ransoms

Based on data points provided in a Coveware report for Q4 of 2023, only 29% of organizations paid a ransom

In Q1 of 2019, 85% were paying the ransom
There are a couple of factors that attributed to this decrease in payment
Enterprise networks have increased cyber defenses and have more data backups to help them recover quickly
More companies are not trusting that the hackers will keep their promises and delete any stolen data
I mentioned in a prior email that I worked with an organization that found it easier to just wipe everything and rebuild than pay the ransom, considering most ransoms are starting to increase

Link (1): https://www.axios.com/2024/01/30/ransomware-pay-out-decline-chart

More vulnerabilities for Ivanti

Over the past 12 months, the number of vulnerabilities that have been disclosed by Ivanti has continued to increase - which is not out of the normal for software firms

CVE-2024-21888: Privilege Escalation in the web component of Ivanti Connect Secure and Policy Secure
CVE-2024-21893: Server-side request forgery in the SAML component of Ivanti Connect Secure and Policy Secure
What is abnormal is the criticality of these vulnerabilities and the nature of what Ivanti performs as a Software company
These vulnerabilities continue to come with exploitation being seeing in the wild
One last note, this has gotten to the point where CISA has issued an emergency directive that required all federal agencies to disconnect all instances of Connect Secure and Policy Secure solutions from the agency networks no later than 11:59PM on Friday February 2, 2024 (last Friday)

Link (1): https://www.cybersecuritydive.com/news/ivanti-vpns-threat-patch-CVEs/706707/#:~:text=Ivanti%20last%20week%20disclosed%20new,patch%20and%20new%20activity%20since.

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2024-21893

Link (3): https://nvd.nist.gov/vuln/detail/CVE-2024-21888

Event log Crasher all versions of windows

Microsoft has released patches for a new zero-day flaw (EventLogCrasher) that would allow an attacker to remotely crash the Event Log service on devices within the same Windows domain

This patch included all versions of Windows, including Win7 up to Win11 and Server 2008 R2 to Server 2022
Credential level needed would be a low level (Domain User) which includes the Domain Controllers
The issue here is that once crashed, the logs of what occurred on a system would no be recorded
Most 3rd party log monitoring systems (Sumo Logic, Splunk, etc.) utilize the Event Log service to capture the logs occurring on the system - so if it crashes, those tools are no longer capturing those logs

Link (1): https://www.bleepingcomputer.com/news/microsoft/new-windows-event-log-zero-day-flaw-gets-unofficial-patches/

Continues layoffs in Tech

Over the past year, we have seen the technology world start to lay off personnel - it has not stopped in 2024. So far this year:

SAP: 8k employees
EBay: 1k employees
Microsoft: 1,900 in the gaming division
Google: Replaces part of its ad sales team with AI
Alphabet: 12k employees including engineering, hardware, and digital assistant teams

Link (1): https://www.computerworld.com/article/3685936/tech-layoffs-in-2023-a-timeline.html

Cloudflare announces nation-state level breach

Thanksgiving Day last year a threat actor was detected in the Cloudflare self-hosted Atlassian server and was quickly removed from the environment

Between November 14 to 17, a threat actor was able to perform reconnaissance on their internal wiki and bug database systems
Between Nov 20 and 21st, additional access indicated that they threat actor came back to test access to ensure they maintained connectivity
On November 22, persistent access to the Atlassian server using ScriptRunner for Jira was used against their source code management system - but was unsuccessful in accessing the console server that had access to the data center where Cloudflare had not yet put into production (Sao Paulo, Brazil)
The full report is worth reading, and one with a lot of great information where most organizations do not share at this level

Link (1): https://blog.cloudflare.com/thanksgiving-2023-security-incident

AnyDesk says hackers breached production servers, reset passwords

AnyDesk is a remote access solution (i.e., ScreenConnect, TeamViewer, etc.) which has over 170,000 customers including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, Siemens

They have recently reported that they have experienced a cyberattack that allowed a threat actor to gain access to the company's production systems - source code and private code signing keys were stolen during the attack
Ransomware was not involved (or at least reported) for this incident but not much other details were provided other than the incident is currently under investigation
As part of the response, AnyDesk has stated they revoked security-related certificates and remediated or replaced systems as necessary
AnyDesk statement: "We can confirm that the situation is under control, and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate."
Threat actors continue to utilize these types of tools to infiltrate or maintain persistence into environments - which makes sense why they are being targeted (think LastPass)

Link (1): https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/

Chicago children’s hospital announces cyberattack

Lurie Children's Hospital network has hit the 8th day of a cyber incident which has knocked out systems

No other further information is being provided to the public, so speculation has started to point to a ransomware incident
During most incidents, everyone is working around the clock to maintain operations while also restore systems without losing the data needed to determine the type of information potentially stolen

Link (1): https://wgntv.com/news/chicago-news/lurie-childrens-hospital-network-outage-reaches-8th-day-experts-believe-ransomware-attack-is-to-blame/

Verizon 2023 breach - insider

Verizon Communications has stated that due to an insider data breach 63,206 employee's sensitive data was exposed (not customer data)

The data exposed included: Full Name, Physical Address, SSN, National ID, Gender, Union affiliation, DoB, Compensation Information
They are stating that at this point in time there is no evidence that the information had been misused or shared outside of Verizon
Employees and Regulators are being notified of the incident
We continually ask organizations about processes and procedures around how they handle employee data and who has access to that data, for example are there controls in place to prevent SSN from being exported without it being masked

Link (1): https://www.bleepingcomputer.com/news/security/verizon-insider-data-breach-hits-over-63-000-employees/

Chief AI Officer now a thing

This article is dated; however, it came across this week on a news podcast I was listening to about how we will start seeing a new "chief" known as the CIAO

What stood out to me in this article is around this statement "A typical candidate is someone who has a proven track record of leading successful AI programs," - One could argue that AI is still considered bleeding edge and being developed so how has someone shown a "proven track record"
I know this is not technically a security concern, but it is a conversation I continue to have more with clients and others around AI and how it is affecting businesses

Link (1): https://www.cio.com/article/657977/chief-ai-officer-what-it-takes-to-land-the-c-suites-hottest-new-job.html

Three million malware-infected smart toothbrushes used in Swiss DDoS attacks

The "who" and "how" has not been released but the fact that we have IoT based toothbrushes (thanks Phillips and Sonicare) is amusing still

These types of devices and combined with these attacks show that we need to continue evaluate the risk verse reward for building items like toothbrushes, toasters, washing machines to be connected to the internet
Updated comment from Fortinet: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.", the original author claims that is not the case

Link (1): https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages

Link (2): https://www.msn.com/en-us/news/technology/the-mysterious-case-of-the-3-million-toothbrushes-ddos-attack-was-original-report-a-hypothetical-scenario-that-never-happened-or-is-the-truth-elsewhere/ar-BB1i2Qsm

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Flair Data Systems Cybersecurity News Update 2-01-2024

Thu, 01 Feb 2024 22:24:04 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/01/2024...

Hope the week is treating you well! As we continue to walk into the new year, it is a reminder that we must stay diligent in all aspects of cybersecurity maturity. More and more companies continue to experience some type of incident, and it is becoming normal which is a scary realization. Honestly, I feel as though this has been the reality that most just want to ignore and continue to think its a "season". Yesterday I was on a call where we were discussing the onboarding of a Privileged Access Management ("PAM") platform, and multiple separate groups were on the call - it brought back memories of concerns and frustrations of change when I personally implemented the technology several years ago. In the beginning, change will always be hard - especially when one has done the same thing for years (if not decades). But in the world that we live in now, if we continue to live as we always have then the risk of being hit by a cyber incident is going to increase (some of you have already experienced these 2 or more times in your career).

Please stay diligent and welcome change, even in those hard moments, realizing that it is just the rubbing against the grain of long-standing routines.

On that note, let’s jump into this week's cybersecurity news update.

Cyberattack knocks EquiLend offline

Attack was first detected on January 22nd for unauthorized access to a portion of the infrastructure

3rd party investigation teams have been brought in to assist, but no other details have been provided
LockBit has taken claim for this attack
This is an ongoing trend for the Lending sector – Mr. Cooper, Fidelity National Financial, and loanDepot

Link (1): https://www.theregister.com/2024/01/25/cybersecurity_incident_forces_equilend_to/

Hewlett-Packard Enterprise faces Cybersecurity Breach by Notorious APT29

HPE notified the SEC on December 12th that Midnight Blizzard had breached its network and spent months exfiltrating data

Upon investigation, HPE states that data began being exfiltrated in May 2023 from a small percentage of HPE mailboxes - Cybersecurity, go-to-market, business segments, and other functions
This comes out right after Microsoft also recently announced the same threat actor attacking their infrastructure

Link (1): https://therecord.media/hpe-tells-sec-breached-by-cozy-bear

Urgent patch alert for Jenkins

CVE-2024-23897: allows unauthenticated attackers with "overall/read" permissions to read arbitrary files on the Jenkins controller file system

Without the above permissions, files can still be read but only the first few lines
Threat actors could exploit this vulnerability to read Jenkins secrets, in order to "escalate privileges to admin and eventually execute arbitrary code on the server"
Jenkins has around 44% of the CI/CD market
If an attacker were to gain remote control of these dev environments, they could theoretically plant malicious code in new software builds (think Solarwinds)

Link (1): https://www.infosecurity-magazine.com/news/exploits-released-critical-jenkins/#:~:text=Software%20developers%20have%20been%20told,the%20Jenkins%20controller%20file%20system.

Cisco flaw exposes Unified Comms systems

CVE-2024-20253: Remote code execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device

This issue is due to the improper processing of user-provided data that is being read into memory - where an attacker could exploit this by sending a crafted message to a listening port of an affected device
A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the web services user and potentially root
Patches have been released for multiple product lines: CUCM and CUCM SME, CUCM IM&P, CUC, UCCX, and VVB
At this point in time, Cisco is not aware of any public announcements (POC) or malicious use of the vulnerability

Link (1): https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-flaw-in-communications-software/

Link (2): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm

Midnight Blizzard abuse OAuth apps in Microsoft attack

Midnight Blizzard utilized password spray attacks, which is successful when poor passwords and no MFA are utilized

The Threat Actor after gaining access to a tenant with the above mechanism (or others) is able to create, modify, and grant high permissions to OAuth applications that allow them to hide malicious activities
In the Microsoft OAuth situation, they used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes
By leveraging these malicious OAuth applications to authenticate to Microsoft Exchange Online and target corporate email accounts
Defenses to put in place
Audit current privilege levels of all identities, both users and service principals
Audit identities that hold application impersonation privileges in Exchange Online
Identify malicious OAuth apps using anomaly detection policies
Implement Conditional Access app controls
Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions
If Apps are required to access mailboxes, granular and scalable access can be implemented using RBAC for apps
Protecting against Password Sprays - full list at the bottom of Microsoft blog (Link #2)

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/microsoft-shares-new-guidance-in-wake-of-midnight-blizzard-cyberattack

Link (2): https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

SolarWinds seeks dismissal of SEC lawsuit

For a refresher, SEC is claiming that SolarWinds knew it did not have appropriate security controls in place to protect their systems, yet failed to act

They are also asserting that SolarWinds insiders, including Brown (CISO) were aware of the suspicious activity in the systems but willfully misled customers about the possible threat
SEC is also accusing Brown of dumping SolarWinds stock, profiting around $170k due to insider information before the attack was made public
SolarWinds is offering detailed denial to these above charges, stating that they made proper, accurate disclosers both before and after the Sunburst incident - pointing out that the SEC was unable to specifically identity which security control ran afoul of regulation

Link (1): https://www.darkreading.com/cyber-risk/solarwinds-files-motion-to-dismiss-sec-lawsuit

DOJ and FTC tell companies to stop deleting chats

On January 26th, the FTC and DOJ announced that both agencies are updating their language in their standard preservation letters and specifications for all second requests, voluntary access letters, and compulsory legal process to address the increased use of collaboration tools and ephemeral messaging platforms

This includes grand jury subpoenas
The thoughts here is around retention periods within an organizations policy, and the capabilities to pull and maintain logs for collaboration tools

Link (1): https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-doj-update-guidance-reinforces-parties-preservation-obligations-collaboration-tools-ephemeral

Microsoft takes another hit with Teams

Last Friday and again this Monday, Microsoft was experiencing issues with Teams

Connectivity Issues
Delays in sending / receiving messages (mobile and desktop clients)
Personally, this made my Friday very frustrating when attempting to work with multiple organizations across Teams
The "why" for such a highly relied upon tool within the Microsoft ecosystem did not seem to be necessary to disclose - hopefully in the future they change their tune and share what really happened

Link (1): https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-hit-by-second-outage-in-three-days/

Energy giant hit by ransomware

Schneider Electric was hit with a ransomware attack by Cactus - left with corporate data

The attack disrupted the Resource Advisors cloud platform - which was still offline as of the 29th
Type of data is unknown, but it was the Sustainability Business division that was compromised, and they provide services to enterprise organizations - advising on renewable energy solutions and helping navigate complete climate regulatory requirements
Organizations that are supported by this business unit: Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart

Link (1): https://www.bleepingcomputer.com/news/security/energy-giant-schneider-electric-hit-by-cactus-ransomware-attack/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

Flair Data Systems Cybersecurity News Update 1-24-2024

Wed, 24 Jan 2024 15:49:49 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 1/24/2024

Well, it seems the cold will leave us for a while and give us warmer weather, yet yesterday was one wet day. This past week of events that have come out has caught my attention, specifically regarding Microsoft and their corporate email accounts being compromised.

On that note, let’s jump into this week's cybersecurity news update.

Water management conglomerate hit by ransomware

Veolia North America, a subsidiary of transnational conglomerate Veolia, has disclosed that they were impacted by a ransomware attack that affected systems part of its Municipal Water division and disrupted its bill payment systems

Law enforcement and third-party forensics have been engaged to determine the extent of the attacks impact
The attack only appeared to affect the bill payment system and not water treatment operations or wastewater services
At this point in time, the threat actor is not being disclosed now

Link (1): https://www.bleepingcomputer.com/news/security/water-services-giant-veolia-north-america-hit-by-ransomware-attack/

Have I Been Pwned adds “statistically significant” data leak

71 million email addresses were recently added to the Have I Been Pwned system

Have I Been Pwned is a site one can use to validate if their email has been part of a compromise
The database of information has been circulating for the past several months, but was originally dismissed as though it was all historical data
The big concern here is that Troy Hunt (HIBP owner) noticed after further review that about 1/3 of the email addresses were brand new
If one researches HIBP service, and their email address pops up with "Naz.API", this would point to a likely infection of malware that stole passwords

Link (1): https://www.techradar.com/pro/security/one-of-the-biggest-password-dumps-in-recent-history-has-been-revealed-but-theres-an-easy-way-to-find-out-if-youre-at-risk#:~:text=Have%20I%20Been%20Pwned%3F,breached%20to%20obtain%20the%20information.

iShutdown helps discover spyware on iPhones

An interesting find by security researchers that if a device was infected by Pegasus, Reign, or Predator that it could be discovered by checking the Shutdown.log, a system log file that stores reboot events

There is a Python script released by Kaspersky to help automate the process of analyzing the Shutdown.log file and recognize potential signs of malware infection

Link (1): https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/

Link (2): https://www.bleepingcomputer.com/news/security/ishutdown-scripts-can-help-detect-ios-spyware-on-your-iphone/

Kansas State University sustains cyberattack

K-State has announced that it is in the process of managing a cybersecurity incident that has disrupted network systems

VPN, K-State Today emails, and video services on Canvas and Mediasite
Third-party forensics has been engaged to assist on the investigation
At this point in time, no threat actor has taken claim to this attack nor has K-State divulged this information

Link (1): https://www.bleepingcomputer.com/news/security/kansas-state-university-cyberattack-disrupts-it-network-and-services/

Subway has been hit by Lockbit

Subway has shown up on the Leaked Data site for Lockbit - which brings concerns around sensitive customer and corporate data being exfiltrated

Sources have disclosed that the encryption of crucial files has occurred with a substantial amount for the ransom
Other than that, the teams within Subway are working to resolve the issue, no other information has been provided

Link (1): https://medium.com/@defxcyber/major-us-sandwich-chain-falls-victim-to-lockbit-ransomware-attack-5fa55ecc82c6

Russian hackers breach Microsoft executive emails to learn about themselves

Last Friday it was announced that Microsoft corporate email accounts had been compromised and data was stolen by "Midnight Blizzard"

It was originally detected on January 12th but the system was originally breached in November 2023 through a password spray attack against a legacy non-production test tenant account
This type of attack points to the non-use of MFA on that tenant and the accounts
The real question is how a test tenant was able to have access to the larger corporate email platform
The targets included members of the leadership team and employees within the cybersecurity and legal departments
Initial investigation is pointing to the initial targets were email accounts with information about themselves, Midnight Blizzard

Link (1): https://www.bleepingcomputer.com/news/security/russian-hackers-stole-microsoft-corporate-emails-in-month-long-breach/

JPMorgan Chase says hacking attempts are increasing

JPMorgan currently invests around $15 billion (that is a B ) a year and employs more 62,000 technologists to enhance their security defenses

Early in the panel discussion, Erodes made a comment about how they experienced over 45 billion cyber-attacks made last year... this statement has been clarified by someone else with JPMorgan to state it is observed activity collected (malicious or not) which is a more accurate statement
The concerns here is how we are arming those outside of our realm with information and making sure they are properly articulating what it is they were provided

Link (1): https://finance.yahoo.com/news/jpmorgan-chase-fights-off-45-211618309.html

TeamViewer still being abused to breach networks in new ransomware attacks

RMM type tools (i.e., TeamViewer) are still being utilized to either gain access or maintain access to organizations and deployment of ransomware malware

TeamViewer is stating these breaches into their clients' tenants is not due to a vulnerability but more due to credential stuffing attacks (leaked credentials)
The key point here is to make sure you have good password policies in place, not only in your corporate environment but also your SaaS platforms (along with MFA)
More and more third-party tools are moving to a SaaS based solution, those usually have more "god-like" access than some of the on-premise applications and needed to be secured as such
RMM tools are not the only ones that fall into this category: Endpoint Protection, DLP, PAM, DDI (think Infobox), and Patch Management (Ivanti, Automox) are all examples

Link (1): https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-networks-in-new-ransomware-attacks/

POC For Fortra GoAnywhere MFT Authentication Bypass CVE-2024-0204

CVE-2024-0204: Authentication Bypass where an unauthorized user can create an admin user via the administration portal

There is a patch released for this vulnerability (see Link 2 for more details)

Link (1): https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/

Link (2): https://www.fortra.com/security/advisory/fi-2024-001

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

Brent Forrest's Cybersecurity News Update 1-17-2024

Wed, 17 Jan 2024 23:19:08 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 1/17/2024

After a long weekend and a bit of cold weather, it was good to get back into the office this morning and see people through my glass door! Ok, all jokes aside it was really nice to get out of the house after being self-confined to our four walls. The best part is, I had a traveler with me this morning. My 8-year-old daughter came into the office with me today to have a "homeschool field trip" to work alongside a couple of our wonderful ladies in the office. She even brought along her notebook to take notes in preparation to "do cybersecurity" when she gets older. Start them young!

On that note, let’s jump into this week's cybersecurity news update.

HMG, Texas healthcare provider suffers data breach

MHG Healthcare, LLC has confirmed that the PHI of up to 80k individuals has been exposed and potentially stolen in a cyberattack that occurred in November of 2023

After investigation, it was found that the initial compromise occurred in August 2023
It was also confirmed that unencrypted files were copied but it "was not feasible" to identify exactly what types of information were obtained by the hackers
This statement is still unclear why it was decided upon (Insufficient logging or was a comprehensive review that would prove too timely and costly)
Lastly, the nature of the attack has not been disclosed either and that HMG "worked diligently to ensure the stolen files were not further shared by hackers"
This statement suggests that HMG paid the threat actors to prevent publication/sale of the stolen data (pure assumption based on the statements made and past experiences with other ransomware engagements)

Link (1): https://www.hipaajournal.com/hmg-healthcare-data-breach/#:~:text=HMG%20Healthcare%2C%20LLC%2C%20a%20Texas,was%20detected%20in%20November%202023.

Decryptor for Babuk Tortilla ransomware released

Babuk ransomware emerged in 2021 targeting industries such as healthcare, manufacturing, logistics and public services, including critical infrastructure

The Tortilla campaign was discovered by Cisco Talos on Oct 12, 2021, targeting vulnerable Exchange servers exploiting ProxyShell vulnerabilities
Cisco Talos obtained the executable code capable of decrypting, which has allowed Talos to extract and share the private decryption key used by the threat actor
This decryptor was shared with Avast to be included in their Avast Babuk decrypted that was originally released in 2021
Dutch Policy were able to identify, apprehend, and prosecute the threat actors behind Babuk Tortilla operations based on threat intel provided by Cisco Talos

Link (1): https://blog.talosintelligence.com/decryptor-babuk-tortilla/

Akira targeting backups

Finish National Cybersecurity Center (NCSC-FI) has been seeing increased activity by Akira in December of targeting companies in Finland and wiping backups

Most larger organizations utilize backup solutions such as a SAN, however smaller organizations utilize systems such as a NAS (Network Attached Storage) and Akira has been targeting to delete these to further eliminate options on restoring data without paying the ransom
Here recently, I ran across Akira targeting a small organization in the North Texas region - interesting enough, the threat actor did not respond to correspondences and the organization decided it best to just wipe and start completely over on their system (this was base don the size of their organization and access to offline backups / SaaS services)

Link (1): https://www.bleepingcomputer.com/news/security/finland-warns-of-akira-ransomware-wiping-nas-and-tape-backup-devices/

Sensitive school data accidentally exposed online

Raptor Technologies, a firm that provides software that allows schools to track student attendance, monitor visitors, and manage emergency situations

Jeremiah Fowler, a security researcher, discovered that 800GB of files and logs were linked to Raptor Technologies - which included more than 4 millions records
This disclosure was not due to a cyberattack, but 3 unsecured web buckets that dated between 2022 and 2023
More than 75% of the exposed documents appeared to be threat reports, details on safety drills, or related emergency procedures
No evidence to show the files were accessed by a malicious threat actor, however, the details they included could potentially be exploited by someone planning to attack a school

Link (1): https://www.wired.com/story/us-school-shooter-emergency-plans-leak/

ManageEngine ADSelfService Plus Patch

CVE-2024-0252: an authenticated remote code execution vulnerability in the load balancer component of ADSelfService Plus

All ADSelfService Plus installations, regardless of load balancer configurations, are vulnerable
To remediate, update the instance to build 6402 using a service pack provided by Zoho

Link (1): https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html

Google patches first Chrome zero-day vulnerability of the year

This marks the 1st Zero-Day for Chrome being exploited in the wild since the start of the year (17 days in)

CVE-2024-0519 is due to a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript Engine, allowing a Threat Actor to exploit it to gain access to data beyond the memory buffer, providing access to sensitive information or triggering a crash
For those that like to keep your Chrome browser up, expecting it to be patched - you still need to click the "apply update" in the top right corner or it won't take affect

Link (1): https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/

Urgent warning from Citrix to patch two zero-day vulnerabilities

CVE-2023-6548: Citrix NetScaler ADC and Gateway Authenticated Remote Code Execution (RCE) Vulnerability, an authenticated attacker with low level privileges could exploit this vulnerability if they were able to access NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with access to the appliance's management interface

CVE-2023-6549: Citrix NetScaler ADC and Gateway Denial of Service Vulnerability, an attacker could exploit this vulnerability when a vulnerable appliance has been configured as a Gateway (e.g., VPN, ICA Proxy, CVPN, RDP Proxy) or as a AAA virtual server
At this point in time, no public Proof-of-Concepts (POC) have been identified for either vulnerabilities - but given historical exploitation of Citrix Netscaler ADC and Gateway it is anticipated that exploit code may become available soon
Citrix has released patches, see the Link above for a matrix of the patches necessary to install

Link (1): https://www.tenable.com/blog/cve-2023-6548-cve-2023-6549-zero-day-vulnerabilities-netscaler-adc-gateway-exploited

Ivanti Vulnerability Widespread Scanning

Ivanti Connect Secure VPN has started to see global exploitation - over 1,700 compromised devices worldwide

All verticals appear to be present: military, defense, government, financial, & technology
CVE-2024-21887: Command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specifically crafted requests and execute arbitrary commands on the appliance
CVE-2023-46805: an authentication bypass vulnerability in the web component of Ivanti ICS (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks
Ivanti has published a workaround, but a patch is still in development at this point in time

Link(1): https://isc.sans.edu/diary/Scans%20for%20Ivanti%20Connect%20%22Secure%22%20VPN%20%20Vulnerability%20%28CVE-2023-46805%2C%20CVE-2024-21887%29/30562

Link (2): https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

Link (3): https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

Flair Data Systems Cybersecurity News Update 1-10-2024

Wed, 10 Jan 2024 21:15:41 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 1/10/2024...

Over the past few weeks, I have been wondering if it was December/January or if we were still in October because it's been too nice outside... well here in the DFW area that is about to change starting Sunday night / Monday morning. Break out those jackets for at least a couple of days and hope our pipes do not freeze.

One thing to mention is that this is Microsoft Patch Tuesday, and for the first time in a long time there are no zero-day patches being applied. There are some patches of interest, but overall, this month is considered lighter than others recently.

So, let’s get into this week's update....

X accounts restored after crypto scam hack

It is currently unknown how X (formally Twitter) accounts are being compromised and below are the ideas going around X and the web

Compromised Help Desk personnel at X - honestly, it feels like the majority of people want to blame X for anything since it moved to the new ownership
MFA not set up - this one seems more likely, because I remember setting up my Twitter account years ago MFA was not something automatically enabled
When has marketing really engaged the Security team on setting up their social media presence?? Extremely rare
Compromised credentials through other means - we all know that with browser attacks and bypass email attacks, this is becoming more common with sessions being stolen
These compromises have been focused on cryptocurrency scams, and with the SEC it was pushing out false information around an announcement on Bitcoin - which caused the price of Bitcoin to pike to $48,000
Link (1): https://www.msn.com/en-us/money/markets/sec-says-its-x-account-was-compromised-and-it-has-not-approved-bitcoin-etfs/ar-AA1mIjeA
Link (2): https://thehackernews.com/2024/01/mandiants-twitter-account-restored.html

Law firm that handles data breaches hit by data breach

Orrick, Herrington & Sutcliffe, a San Francisco based law firm that has focused on working with organizations affected by security incidents

The incident occurred in March 2023, which entailed the exfiltration of personal information and sensitive health data of more than 637,000 data breach victims off of a file share on its network
It was confirmed that it involved clients' data, including individuals who had vision plans with insurance giant EyeMed Vision Care and dental plans with Delta Dental of California
Data that was exfiltrated included: Name, DoB, Postal and email Addresses, and government issued ID's (SSN, Passport, Driver's License, and Tax ID Numbers)
The details around the incident are not being disclosed, which I am not surprised by any means
Link (1): https://techcrunch.com/2024/01/04/orrick-law-firm-data-breach/?guccounter=1#:~:text=Law%20firm%20that%20handles%20data%20breaches%20was%20hit%20by%20data%20breach,-Zack%20Whittaker%40zackwhittaker&text=San%20Francisco%2Dbased%20Orrick%2C%20Herrington,an%20intrusion%20in%20March%202023.

BreachForums admin Popompurin breaches terms of pretrial freedom

Conor Brian Fitzpatrick, who has plead guilty to the following three charges: Conspiracy to commit access device fraud, access device fraud - unauthorized solicitation, and possession of child sex abuse materials

Fitzpatrick was granted pretrial on a $300,000 bond under a number of conditions - not getting on a computer without monitoring software or using a VPN
He has been arrested for violating both of the above conditions on January 2nd and will now be held in custody until he attends both court appearances (breach of pretrial agreement AND his sentencing hearing)
The consequences to his first act is pretty substantial and should be looked at in the link above
Link (1): https://www.theregister.com/2024/01/05/breachforums_admin_arrested_again/

loanDepot breach investigation underway

loanDepot's is one of the largest nonbank home loan financing lenders in the US. loanDepot's IT systems were compromised in a recent cyber related attack.

Currently known outages results in online loan payment portal and contacting customer services as being offline
On the heels of Mr. Cooper's 2023 incident, this could be the starts of a trend against the financial sector
Link (1): https://www.bleepingcomputer.com/news/security/mortgage-firm-loancare-warns-13-million-people-of-data-breach/
Link (2): https://www.bleepingcomputer.com/news/security/mortgage-firm-loandepot-cyberattack-impacts-it-systems-payment-portal/

Lockbit and Capital Health

Over the past weekend, Lockbit claimed responsibility for a November 2023 cyberattack asking for ~$250,000 for the data

According to Lockbit: Data only stolen, no encrypted files, which they stole more than 10 million files that allegedly included medical confidential information
In December, Capital Health launched an investigation into a cyber incident after they experienced a network outage
It should also be noted that only Capital Health Regional Medical Center was compromised, not the full Capital Health system
Link (1): https://www.securityweek.com/ransomware-gang-claims-attack-on-capital-health/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

Flair Data Systems Cybersecurity News Update 1-3-2024

Wed, 03 Jan 2024 16:42:59 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 1/3/2024...

Happy New Year! I hope everyone had a great holiday week celebrating both Christmas and New Years. Now it’s time to get back into the swing of things.

In 2023, there were too many incidents that occurred throughout the year, that I am hoping for a "slower" year in 2024! As a community, we all need to be more resilient and diligent in the protection of the data we are put in place to protect. There will never be a 100% silver bullet, but if strong enough safeguards are put in place (i.e., awareness training, technical controls, third-party risk awareness, etc.) then there is a stronger chance to reduce the risk of an incident occurring. I remember being asked a few years ago "what is the point of all these security tools if the bad guys still can get in" and what was said then still stands true today - sometimes it's slowing the threat actor down long enough to set off alarms and lock them out before real damage is done is what matters.

That said, let’s jump into this week’s cyber update...

Ransomware incident at Xerox

INC Ransomware has added Xerox to their ransom portal on December 29th, claiming to have stolen sensitive data and confidential documents

Xerox has stated they had detected and contained the incident, which affected the Xerox Business Solutions subsidiary
Third-party investigations are underway to determine the full scope of the incident, and they are taking necessary steps to secure the environment
INC Ransomware shared that they have obtained email communications, payment details, invoices, filled-out request forms, and purchase orders
Link (1): https://www.bleepingcomputer.com/news/security/xerox-says-subsidiary-xbs-us-breached-after-ransomware-gang-leaks-data/

Agent Tesla and an old Microsoft Office vulnerability create new problems

CVE-2017-11882, which allows for remote code execution capabilities through a memory corruption vulnerability

Fake Excel document is being attached to invoice-themed messages and potential targets, once opened the malicious documents are taking advantage of the CVE listed above
Through the phishing campaigns, the exploited enabled office document is being used to deliver an infostealer malware dubbed Agent Tesla
Link (1): https://securityboulevard.com/2024/01/ms-excel-vulnerability-exploited-to-distribute-agent-tesla/#:~:text=Threat%20actors%20with%20malicious%20intent,infostealer%20malware%20dubbed%20Agent%20Tesla.

First American suffers cyberattack

The incident was disclosed on Dec 20th, where a Threat Actor gained access and stole non-production systems company data

The incident has been contained but further investigation is underway, the banking unit is back online and operational
First American is the second largest title insurance firm, and it has not been determined as of yet if this incident is considered to have material impact
Link (1): https://www.cybersecuritydive.com/news/first-american-financial-encrypted-data/703411/#:~:text=First%20American%20Financial%20said%20the,the%20Securities%20and%20Exchange%20Commission.

CBS and Paramount owner hacked a year ago

National Amusements, the cinema chain and corporate parent of paramount and CBS, has confirmed that it experienced a data breach in which personal information of 82,128 people during a December 2022 data breach

People affected were only started to be notified a year later, and only discovered the breach in August of 2023 - what information was taken was unknown
Other information stolen included Financial Information (banking account numbers or credit cards numbers) along with associated security codes, passwords, or secrets
Stolen data related to company employees
Link (1): https://techcrunch.com/2023/12/26/cbs-paramount-owner-national-amusements-hacked/#:~:text=The%20private%20media%20conglomerate%20said,notifying%20those%20affected%20last%20week.

Ohio Lottery cyberattack claimed by DragonForce

On Christmas Eve, the Ohio Lottery shut down key systems after a cyber-attack affected an undisclosed number of internal applications

Incident is currently under investigation, restoration of impacted systems is underway, and the gaming system is still fully operational
A new ransomware gang has emerged, DragonForce, and claimed the incident - who has stated they encrypted devices and stolen data during the attack including SS#'s and DoB's - potentially belong to both employees and customers
Link (1): https://www.bleepingcomputer.com/news/security/ohio-lottery-hit-by-cyberattack-claimed-by-dragonforce-ransomware/

Flaw in Black Basta decryptor allows recovery of victims’ files - temporarily

Researchers were able to create a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free

Victims from November 2022 to December 2023 are potentially able to recover their files
Black Basta developers have fixed the bug in their encryption routine about a week ago, preventing this decryption technique from being used on newer attacks
Link #2 points to a Git Hub for the decryptor
Link (1): https://www.bleepingcomputer.com/news/security/new-black-basta-decryptor-exploits-ransomware-flaw-to-recover-files/
Link (2): https://github.com/srlabs/black-basta-buster

Cyberattack hits Boston area hospital

On Christmas Eve, a cyber-attack caused the Anna Jaques Hospital (35 miles north of Boston) to turn away ambulances due to their electronic health records systems being down

This hospital is part of the Beth Israel-Lahey Health system - however, no other details are being provided about the incident
Link (1): https://therecord.media/cyberattack-on-massachusetts-hospital-disrupted-health-record-system

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

Flair Data Systems Cybersecurity News Update 12-20-2023

Wed, 20 Dec 2023 18:56:27 GMT

My name is Brent Forrest and I serve as a Field CISO at Flair Data Systems. Here is your cybersecurity update for 12/20/2023...

Happy Wednesday and Merry Christmas!

There has been an interesting set of events in play this week, even if there are only a few of them on the list below. Some of these are updates and a few are new threats. Going into the end of the year, cyber criminals are not taking a break. So, in addition to this last cyber update of 2023, Jessica Nemmers and I took a moment to reflect and discuss some important focus areas to best protect your organization as we ring in the new year, if you want to check out that blog post as well: http://www.flairdata.com/end-of-year-cybersecurity-checkup-for-a-stronger-2024

With next week being a short week due to Christmas and New Years, I plan on postponing my next update until 2024. I hope you have a great Christmas with your family and friends and take time to catch a breath before 2024 strikes up in a couple of weeks. Merry Christmas and Happy New Year!

With that, let’s jump into this week’s cyber update...

Box storage platform suffers outage

Last Friday Box experienced a critical outage that prevented customers from accessing files that impacted logins, uploads, downloads, and API calls

Later that day, Box had restored services however a cause for the outage has not been reported yet - Let's hope it was as they stated and a malfunction of systems and not another company added to a long list being added to cyber attacks
Link (1): https://www.bleepingcomputer.com/news/technology/box-cloud-storage-down-amid-critical-outage/

Alphv/Blackcat website seized

On Tuesday (19th), the DOJ released a noticed that they had seized the domain of Alphv/Blackcat's systems through a multi-national operation to infiltrate and take down the ransomware gang

This is the 3rd time over the years that law enforcement has breached Alphv's (the ransomware gang has operated under different names - DarkSide, BlackMatter, and now BlackCat/AlphV)
Part of the operation allowed the FBI was able to obtain the encryption keys for 400+ organizations ransomed and built a decryption tool to help them
Throughout the day, the FBI and Alphv were playing a game of seeing who could take the domain back which is capable of being done because both sides have the private keys used to register the onion URL in Tor
Bad News: Alphv has also stated that the FBI had only captured roughly 400 companies' encryption keys but there are over 3,000 companies still in their possession and Alphv is stating those will never see their keys
Now the even scarier part - because of this Alphv has stated that any restrictions they had in place against critical infrastructure and hospitals has been removed and are free game
Link (1): https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/
Link (2): https://therecord.media/alphv-black-cat-ransomware-takedown-fbi

MongoDB suffers breach

Last Wednesday (13th), MongoDB detected an incident that led to investigating their systems and found that there was an unauthorized access of certain MongoDB corporate systems

Information is still unknown as MongoDB is continuing to investigate
Link (1): https://www.bleepingcomputer.com/news/security/mongodb-says-customer-data-was-exposed-in-a-cyberattack/

Seattle cancer center hit with ransomware

Last Friday (15th), Hunters International ransomware group listed Fred Hutchinson Cancer Center on its leak site - claiming to have stolen 533 GB of data

On December 11th, Fred Hutchinson Cancer Center had notified federal law enforcement agencies following the detection of unauthorized activity on its clinical network - however, this has probably been ongoing for a longer period of time
It has been reported that the threat actor is also extorting individuals as well as the organization
Ongoing investigation is underway
Link (1): https://therecord.media/seattle-fred-hutch-cancer-center-ransomware-attack

Hacking with Mr. Cooper

This is an update to the incident / data breach that occurred on Oct 31st for Mr. Cooper

Mr. Cooper has started contacting customers (current and previous), which is roughly 14.7 million, that their personal information was exfiltrated
Information would include names, addresses, dates of birth, phone numbers, SS#'s, and bank account numbers
All systems have been restored but details around the "how" it happened has not been released as of yet
Link (1): https://www.securityweek.com/mr-cooper-data-breach-impacts-14-7-million-individuals/#:~:text=Mortgage%20giant%20Mr.%20Cooper%20is,stolen%20in%20a%20recent%20cyberattack.

SMTP smuggling to bypass email protections

This was the results of a research project by SEC Consult Vulnerability Lab and Timo Longin

By performing this exploit, it is possible to smuggle/send spoofed e-mails while still passing SPF alignment checks
Microsoft, GMX, and Cisco Secure Email were products that the researchers identified vulnerabilities - Microsoft and GMX were able to fix these quickly... Cisco did not
Please take the time to review the link - it is very informative and provides workarounds for Cisco
Link (1): https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

December Windows 11 Patch Breaks Wi-Fi Connectivity

KB5033375 cumulative updated for December Patch Tuesday has been seen to cause Wi-Fi connectivity issues on some Windows 11 devices

It has been recommended to uninstall the KB listed above IF you are experiencing this issue - but it has only been seen to affect enterprise wireless networks but not affecting home wireless/internet usage
Enterprise wireless networks with fast-transition / fast-roaming enabled to facilitate seamless device movement between wireless access points
Please review the Link above for further information
Link (1): https://www.bleepingcomputer.com/news/microsoft/decembers-windows-11-kb5033375-update-breaks-wi-fi-connectivity/

Comcast Xfinity Data Breach

On December 18th, the Attorney General of Maine was notified of the Comcast breach

35 million customers are currently being notified that their confidential information was compromised
This compromise was due to a Citrix vulnerability
Sensitive information exposed included: Name, Contract Info, last 4 of SS#, DoB, Secret questions and answers, Usernames, and hashed passwords
Based on information from Comcast, they were applying patches as quickly as possible, but the threat actor still was able to gain access between October 16th and 19th of 2023
Link (1): https://www.darkreading.com/cyberattacks-data-breaches/console-associates-p-c-comcast-xfinity-reports-data-breach-exposing-confidential-information-of-35m-customers

Until next YEAR, it’s Brent Forrest signing off. Be cyber safe my friends!

Merry Christmas and Happy New Year!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

End of Year Cybersecurity Checkup for a Stronger 2024

Wed, 20 Dec 2023 17:57:08 GMT

As we wrap up 2023, Cybersecurity threats continue to evolve. How can you be prepared for 2024?

As we wrap up 2023, Cybersecurity threats continue to evolve, and threat actors are growing more sophisticated by the day. With so many large-scale cyberattacks happening just recently, Flair Data Systems’ Field CISO’s took some time to discuss some important focus areas to best protect your organization as we ring in the new year.

To start, Jessica Nemmers, Field CISO at Flair Data Systems, shared a few insights.

MGM has taught us that the Human Factor (I refer to it as the “X Factor”) is something we must consider as a threat to any organization. Threat actors have gone to new lengths using AI and social engineering to craft more convincing phishing emails, connect on LinkedIn, and trick humans into granting access to company environments. We cannot discount the importance of constant Security Awareness Training and Testing. In the MGM case, we would focus on training and new processes to verify someone’s identity before resetting passwords or granting permissions into the company’s network.
Compliance scanning : We scan for vulnerabilities, but scans should also be looking for misconfigured infrastructure, outdated operating systems, and other vulnerabilities beyond missing patches (which are also important).
Building a roadmap for change : It is time to plan for upcoming End of Life (EOL) software and hardware in your environment. If retiring it is not possible, consider designing specific security controls to protect these areas. EOL often comes with exploited vulnerabilities that can no longer be patched. Making plans now will allow your organization to prioritize remediation and estimate the costs of performing necessary upgrades.
Update your Policies and Plans : As fast as security moves, it is important to update your cybersecurity and privacy policies to ensure they can be enforced and meet compliance requirements. Also, your Cyber Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plans should be updated and tested. These areas of business resiliency are just as important as strong defenses.

Brent Forrest, Field CISO at Flair added, “To Jessica’s point (#3) Building a Roadmap for Change, is something that every organization experiences. At one of my former companies, we had a 2012 server running Hyperion for Finance Reporting. At the time, the cost to upgrade to the latest server (2019) was going to have a substantial cost due to the 3rd party assistance. This application was only used by a particular group inside our organization. The ROI to upgrade was not there, but the need to continue using the application was necessary. I believe every organization comes up against these hard business decisions at the end of the day, so it is great to have a good partnership with the technology team to make sure these investments are reviewed and put into a roadmap so that they stay secure and viable for the organization.

When compiling your roadmap, ask yourself these questions:

What do I need to assess the risks in my organization?
How will I identify security threats?
How can you reduce your organization’s vulnerability in the most efficient way?

All of these questions will guide you to the “how” of ramping up your readiness against the unexpected”, shared Brent.

How can we help you improve your security posture in 2024?

As we have seen in 2023, cybersecurity threats are only increasing and becoming more sophisticated with AI. There isn’t a magic pill to fully secure your organization. However, if you are continually analyzing threats, investing in governance standards to help your organization approach cybersecurity, and partner with technology teams who can help you choose the right technology stack to better secure your organization, you will be in a better spot to handle the unpredictable.

If you don’t have a trusted cybersecurity advisor/partner, then Flair Data can help! From Cyber Data Management to Cybersecurity Remediation, Flair Data Systems has you covered.

If you would like to schedule some time with Brent or Jessica to discuss your security posture, get 30 minutes of their time on us! Schedule a session with a Field CISO by filling out the form on this site: http://flairdata-6598840.hs-sites.com/flair-data-systems-ciso-consult

Flair Data Systems-Brent Forrest Cybersecurity News Update 12-13-2023

Wed, 13 Dec 2023 19:32:11 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 12/13/2023...

I hope you are enjoying the winterish' weather we have been experiencing here lately and getting ready for the Christmas holidays, I know some of you are winding down and others are going full speed to close out projects before the end of the year. With that being said, let’s jump into this week's cyber news update...

LogoFail Firmware Attack

LogoFail is a group of two dozen newly discovered vulnerabilities that affect the UEFI (Unified Extensible Firmware Interfaces)
As the name of the attack relates - it involves the logo (specifically those of the hardware seller) that are displayed on the device screen early in the boot process
By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these vulnerabilities, LogoFail makes it possible to execute malicious code at the most sensitive stage of the boot process (DXE)
Once done, LogoFail can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started (the Link above has a lot of information around this attack)
Best way to prevent these types of attacks is to update the UEFI security updates that are being released - check with your vendors

Link (1): https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

Microsoft changes their CISO

Microsoft has announced that as part of its new strategic focus on security, Bret Arsenault be moved out of his role as the CISO and over to a Chief Security Advisor position.
Igo Tsyganskiy will assume the CISO role in 2024, who came to Microsoft in September as the Chief Strategy Officer for Security - but has no prior CISO experience in his past.
These changes come on the heels of recent security incidents within the Microsoft ecosystem.

Link (1): https://www.darkreading.com/cybersecurity-operations/microsoft-is-getting-new-ciso-in-new-year

Insurance firm sees cyberattacks as more likely than fire or theft

Aviva, insurance provider, has performed research that shows businesses are 67% more likely to experience a cyber incident than a physical theft and almost 5x more as likely to have an attack than a fire.
1/5th of UK businesses has fallen victim to cyber-attacks in the past year
10% of small businesses and 35% of large corporations experienced an incident.
One of the bigger concerns is around 20% have admitted to not being confident in knowing what to do if it should happen.
Another kicker is that only 17% have a cyber insurance policy - being on the partner side, we are being asked by customers that "we" carry cyber insurance coverage (some have actually put high limit requirements in their MSA)

Link (1): https://www.infosecurity-magazine.com/news/cyberattacks-more-likely-than-fire/#:~:text=New%20research%20from%20insurance%20provider,an%20attack%20as%20a%20fire.

Vulnerability discovered in fleet management software CVE-2023-6248

Syrus4 IoT Gateway (CVE-2023-6248): utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service.
As of Dec 8th, DCT (Digital Communications Technologies) has yet to resolve the vulnerability but were notified by the researchers in April of this year.
The vulnerability permits the unauthorized access to the gateway's software, providing control over commands gaining control over live locations, engine diagnostics, speakers, airbags, and the ability to execute arbitrary code on vulnerable devices - including remotely turning off the vehicle.
As of now, there are no known exploitations in the wild

Link (1): https://socradar.io/syrus4-iot-gateway-vulnerability-could-allow-code-execution-on-thousands-of-vehicles-simultaneously-cve-2023-6248/

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2023-6248

Autospill - android and password managers

Presented at Black Hat Europe, researchers have shown that most password managers for Android devices are vulnerable to AutoSpill
It was discovered that the researchers were able to exploit weaknesses in in the WebView framework to capture the auto-filled credentials on the invoking app, even without JavaScript Injection
If JavaScript injections are enabled, all password managers on Android are vulnerable to this attack.
Based on the Password Managers tested: 1Password, LastPass, Enpass, Keepass2Android and Keeper are vulnerable to this attack (without JavaScript)
Google Smart Lock and Dashlane were only affected if JavaScript injections were used.
Take some time and review the responses from the vendors above regarding the attack method.

Link (1): https://www.bleepingcomputer.com/news/security/autospill-attack-steals-credentials-from-android-password-managers/

Bluetooth Flaw

CVE-2023-45866: authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.
Affecting Android, Linux, macOS, and iOS devices - all of which have had patches released to fix this vulnerability.
Limitation of this attack would require the threat actor to be within close proximity of the device being targeted.
Bluetooth has another CVE (CVE-2023-24023) out that has been called BLUFFS (Link 2)
Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection.

Link (1): https://thehackernews.com/2023/12/new-bluetooth-flaw-let-hackers-take.html

Link (2): https://hackaday.com/2023/12/02/update-on-the-bluffs-bluetooth-vulnerability/

Feds Fine Medical Facility for Phishing Attack Compromise of HIPAA data

In 2021, Louisiana-based Lafourche Medical Group, experienced an incident where 35,000 individuals ePHI was compromised.
The incident was a result of a successful phishing attack - which has now landed a settlement of $480,000, on top of the fine Lafourche Medical Group must implement a corrective action plan that includes developing, maintaining, and revising a security risk management plan as well as practices and policies that comply with HIPAA.
HHS OCR (Office for Civil Rights) found that prior to the 2021 breach, the clinic had failed to conduct an enterprise-wide risk analysis to identify potential threats or vulnerabilities to ePHI (required under HIPAA)
Also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information systems activity to safeguard ePHI against cyber attacks.

Link (1): https://www.healthcareinfosecurity.com/feds-levy-first-ever-hipaa-fine-for-phishing-breach-a-23812?rf=2023-12-08_ENEWS_SUB_HIS__Slot1_ART23812

North Korea finds continued success with Log4Shell

Lazarus group has been seen still exploiting Log4Shell around the world, and attacking organizations with three new remote access Trojans written in "D" programing language - to be honest, this a new one on me, dlang
The group is called Andariel, an entity within Lazarus, which specializes in obtaining initial access and persistence for long-term espionage campaigns.
The intent with the malware being written in "D" is to throw off detection mechanisms.
The recent attacks have been exploiting exposed VMware Horizon servers carrying Log4Shell - which Veracode reported last week that more than a third (38%) of all in-use applications are still using vulnerable versions of Log4J.
Most organizations are not even aware they are running applications that are still vulnerable to Log4J.

Link (1): https://www.darkreading.com/threat-intelligence/lazarus-group-still-juicing-log4shell-rats-written-d

Apache Struts2 Exploit CVE-2023-50164

CVE-2023-50164: a flawed upload logic that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code
The vulnerability is affecting the following versions and no workarounds that would remediate the issue (only through patches)
Struts 2.3.37 (EOL)
Struts 2.5.0 - Struts 2.5.32 (patch available for 2.5.33 or greater)
Struts 6.0.0 - Struts 6.3.0 (patch available for 6.3.0.2 or greater)
As of now, there is no evidence that the vulnerability is being maliciously exploited in the wild - however CVE-2017-5638 was weaponized by threat actors to breach Equifax in 2017

Link (1): https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.

Flair Data Systems-Brent Forrest Cybersecurity News Update 12-06-2023

Wed, 06 Dec 2023 18:23:29 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 12/06/2023...

One of the big themes to this week's update is going to be around third-party compromises, as there are four different articles around third-party incidents and how they are affecting other organizations - Okta being one of the largest. During our consultations, one area that has not been consistently performed is Third-Party Risk Management, and I will not lie - it is an undertaking but something that is well worth it. It is something that has such importance that we have started working with organizations on how to add this as a program within their organizations.

All Okta customers exposed in breach

Last month it was found that a threat actor gained access to Okta's support case management system, at the time it was disclosed by Okta that only 134 Okta customers were affected, which included HAR files that led to the compromise of Okta environments for customers like 1Password, BeyondTrust, and Cloudflare

However, it has been discovered that the threat actor was able to grab full names and emails for all Okta customers (except Okta's Auth0 support case management system, along with FedRamp High and DoD IL4 environments)
The reason for the delay in findings was that their searching was narrowed down to a specific filtered view, when they continued to investigate and searched in an unfiltered view it provided more context

Link (1): https://www.csoonline.com/article/1249988/okta-confirms-recent-hack-affected-all-customers-within-the-affected-system.html#:~:text=Okta%20confirms%20recent%20hack%20affected%20all%20customers%20within%20the%20affected%20system,-News&text=Contrary%20to%20its%20earlier%20analysis,by%20the%20recent%20security%20incident.

Chrome 6th zero day

CVE-2023-6345: Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file

The specific detail for the vulnerability is being withheld until the majority of users have updated the browser to the fixed version

Link (1): https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/

Link (2): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6345

Dollar tree breach

A third-party (Zeroed-In Technologies) breach has affected almost 2 million people that occurred between August 7 and 8, 2023

Data that was compromised was Names, DOB, and SSNs
The concerning part of this entire situation was that Zeroed-In was able to determine which system was accessed, but not what data was accessed - which means they did not have proper logging turned on
In a Tabletop exercise I recently performed, one of the areas of concern that came out of it was around "if a database was accessed, how would you know what data was exported and/or deleted and by who" - meaning, do you have proper logging turned on and at a level that would give the right information during an investigation?

Link (1): https://www.bleepingcomputer.com/news/security/dollar-tree-hit-by-third-party-data-breach-impacting-2-million-people/

Motorola former employee phishing hack

28-year-old Andrew Mahn (Derry, New Hampshire) has plead guilty for illegally hacking the network of his former employer, Motorola, after successfully tricking current staff into handing over login credentials

Mahn used the above access to obtain stolen code and software tools from the Motorola network, which allowed him to unlock radio equipment features
On top of the above, he also attempted to expedite the passport processing time requesting the expedite from Senator Maggie Hassan by stating he had to travel internationally for family reasons
Mahn currently faces up to 20 years in prison, 3 years of supervised release, and a $250,000 fine for the hack; and on top of that a 10 year prison term, 3 years of supervised release, and a fine of another $250,000 for the passport fraud

Link (1): https://www.tripwire.com/state-of-security/ex-motorola-worker-phished-former-employer-illegally-hack-network-and-steal-data

Credit unions facing outages due to ransomware attack on cloud provider

Cloud services provider, Ongoing Operations (owned by Trellance) has experienced a ransomware attack that has affected nearly 60 credit unions across the U.S.

Investigation is currently underway, but at this point in time Ongoing Operations has stated that they are not seeing any signs of data misuse

Link (1): https://www.scmagazine.com/brief/third-party-ransomware-attack-disrupts-dozens-of-us-credit-unions

Roblox, Twitch allegedly targeted by ransomware cartel

Alphv/Blackcat has supposedly breached the accounting software provider, Tipalti, which supports both Roblox and Twitch (amongst others)

Alphv has allegedly exfiltrated over 265 GB of sensitive company data, on both employees and customers
Other orgs supported by Tipalti would include X, GoDaddy, National Geographic, Business Insider, SkillShare, Canva, and others

Link (1): https://cybernews.com/news/roblox-twitch-tipalti-ransomware-cyberattack/#:~:text=Roblox%20and%20Twitch%20data%20allegedly,an%20accounting%20software%20provider%2C%20Tipalti.

Qlik Sense Exploited by Cactus Ransomware

Cactus Ransomware gang has been observed exploiting publicly-exposed installations of Qlik Sense

The three different vulnerabilities will be
CVE:3023-41266 & CVE-2023-41265 combined can lead to an unauthenticated remote code execution
CVE-2023-48365 successful exploitation can lead to an unauthenticated remote code execution
Patches have been released (review links 2 & 3 above)

Link (1): https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ https://www.praetorian.com/blog/qlik-sense-technical-exploit/

Link (2): https://community.qlik.com/t5/Support-Updates/Qlik-Sense-Enterprise-for-Windows-New-Security-Patches-Available/ba-p/2108549

Link (3): https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510

US confirms Iranian actors behind water breaches

Cyber Av3ngers is the hacktivist group that attacked the water facility in Aliquippa that I covered last week - and since have claimed to have breached multiple water treatment stations in Israel

The reasoning for attacking Aliquippa was because the PLCs were manufactured by an Israeli company, Unitronics Vision PLC
Cyber Av3ngers is supposedly affiliated with the Iranian Government Islamic Revolutionary Guard Corps and has targeted Israeli entities since 2020
This statistic is concerning - per a Shodan search, roughly 1,800 Unitronics PLCs are located around the world and exposed to the internet - with a few hundred being in the U.S.

Link (1): https://www.securityweek.com/ics-at-multiple-us-water-facilities-targeted-by-hackers-affiliated-with-iranian-government/

Federal agency breached through Adobe ColdFusion vulnerability

CVE-2023-26360: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user

Exploitation of this issue does not require user interaction
Threat actor is currently unknown
In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances
In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment

Link (1): https://therecord.media/adobe-coldfusion-vulnerability-two-federal-agencies

Malicious loan app downloaded 12 million times from Google Play

Over a dozen malicious loan apps, generically named SpyLoan, have been downloaded more than 12 million times from Google Play (more have been downloaded through other third-party stores)

Device personal data being stolen include: a list of all accounts, device info, call logs, installed apps, calendar events, local Wi-Fi network details, and metadata from images
With potential to extend to contact lists, location data, and text messages per researchers

Link (1): https://www.bleepingcomputer.com/news/security/spyloan-android-malware-on-google-play-downloaded-12-million-times/

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.

Brent Forrest Cybersecurity News Update 11-29-2023

Wed, 29 Nov 2023 17:48:50 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 11/29/2023

It's a chilly morning this week and it is very welcome! For those that know how much I truly love
running, this week was the first week to break out the gloves. Sadly, a few of the updates provided below have affected some businesses either in North Texas or East Texas.

As we move into the Holidays, it is the time for scams and phishing attempts to take a rise with sales, gift cards, and other tricks. Please take the time to continue to educate your employees about the dangers that come along with the joys of the holiday season. There are plenty of options available for bringing this awareness; KnowBe4, Wizer-Training, Proofpoint Security Awareness, Barracuda Security Awareness, and others. Also remember, mixing both education (i.e., video, info graphics, etc.) and training (i.e., phishing tests, gamification) is a great way to solidify diligence when it comes to phishing (email), vishing (voice), and smishing (texting) attacks.

Let’s dive into this week's “chilling” cyber update.

Play Ransomware Update

Play ransomware has shifted to a Ransomware-as-a-Service model.

Utilizing legitimate credentials, exposed RDP servers, and exploits specific to FortiOS vulnerabilities for initial access.
Propagating ransomware internally through GPO's, scheduled tasks, PSExec, or wmic where the ransomware extensions end with ". play"
Incidents in November hit an all time high of 36 cases reported in a single day (Nov 28th)

Google to weaken ad blockers on Chrome in a push for security

Starting in June 2024, adblockers (uBlock Origin as an example) extensions on Chrome will no longer work as intended.

The older platform, Manifest V2, will be disabled as Chrome moves to Manifest V3
V3 is supposed to bring more security, higher efficiency, and ask for few user permissions; yet with more limited feature sets will mean limited functionality.
Speculation is that this is a way for Google to move away from 3rd party adblockers due to their loss in ad-revenue.
Link (1): https://cybernews.com/privacy/google-to-weaken-chrome-ad-blockers-push-for-security/

Fidelity National Financial attacks

On November 22, Blackcat/AlphV publicly took credit for attack on Fidelity Nation Financial

This attack has affected consumers attempting to close on their homes, causing delays on closing the purchase/sale of homes.
The SEC 8-K Filing (Link 2) was released Nov. 19th per the filing, within the document they have restricted access to certain systems that has had a business disruption (title insurance, escrow, and other title related services, mortgage transaction services, and technology to the real estate and mortgage industry)
No other information was released, other than that the threat actor gained access to certain FNF systems and acquired credentials.
Blackcat/AlphV called FNF out on hiring Google Mandiant as their Incident Response
Link (1): https://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat
Link (2): https://www.sec.gov/ix?doc=/Archives/edgar/data/1331875/000133187523000064/fnf-20231119.htm

Gulf Air exposed to data breach

Gulf Air, air carrier for Kingdom of Bahrain, has experienced an incident that resulted in the theft of sensitive customer information.

The "how" is still an unknown - ransomware, MOVEit, Citrix Bleed, or some other mechanism.
Operations and Critical Systems were not affected, which means no disruption of flight schedules - and means that it being a ransomware attack is much less (again, unknown)
Link (1): https://www.techradar.com/pro/security/gulf-air-hit-with-data-breach-customer-data-possibly-affected

Idaho National Labs data breach

SiegedSec, a hacktivists group, leaked stolen HR data online that was obtained from Idaho National Labs (INL)

INL is a nuclear research center ran by the U.S. Department of Energy - employing roughly 5,700 specialists in atomic energy, integrated energy, and national security
SiegedSec is claiming to have obtained data on users, employees, and citizens with the following information: Name, DoB, Email, Phone number, SS#, Address, Employment Info
As of right now, INL has confirmed that servers supporting their Oracle HCM system was affected and they are working to investigate the incident
I have personally been to one of their training facilities several years ago where we were able to perform a true tabletop scenario of an attack on an Operational Technology environment where we had to protect a SCADA / PLC environment
Knowing their team that protects their systems (at least at that point in time), there is no telling how long SiegedSec was in that environment moving around very slowly
Link (1): https://www.bleepingcomputer.com/news/security/hacktivists-breach-us-nuclear-research-lab-steal-employee-data/

ownCloud releases 3 vulnerabilities

CVE-2023-49103 (10): disclosure of sensitive credentials and configuration in containerized deployments (actively being exploited)

CVE-2023-49105 (9.8): WebDAV Api Authentication Bypass using Pre-signed URLs
CVE-2023-49104 (8.7): Subdomain validation bypass
Each of the above CVE's have their own workarounds listed out in the URL's - if you use ownCloud in your environment, review and see how this potentially affects your environment (call their support for additional assistance if necessary)
Link(1): https://www.theregister.com/2023/11/27/three_major_vulnerabilities_in_owncloud/#:~:text=ownCloud%20has%20disclosed%20three%20critical,server%20credentials%2C%20and%20license%20keys.

North Texas water utility hit by cyberattack

Daixin Team, cyber gang that first appeared in June 2022 and has also targeted Oakbend Medical Center (Richmon, TX), Fitzgibbon Hospital (Missouri), and Ista International (Germany)

The Threat Actor's page on data exfiltrated is a bit interesting in that they claim to have obtained both PII and PHI data - yet this is a Water, Wastewater, and Solid Waste Management company, so how did they obtain PHI OR is this more of a canned statement?
NTMWD (North Texas Municipal Water District) has stated that only the business network was affected and not any of the Operational network - most of which has been restored at this point.
Pennsylvania water authority was also hit a bit harder by an alleged pro-Iran group (Cyber Av3ngers) by attacking an outpost (Municipal Water Authority of Aliquippa) - this outpost contains a collection of pumps that maintain water pressure and regulate water flow; equipment was taken offline, and they are utilizing backup tools to maintain water pressure.
Link (1): https://therecord.media/north-texas-water-utility-cyberattack
Link (2): https://therecord.media/water-authority-pennsylvania-cyberattack-pro-iran-group

UT Health East Texas resumes divert status; access to MyChart, video visits unavailable in wake of cyberattack.

Ardent Health Services, oversees 30 hospitals across the United States, experienced a severe ransomware attack in Oklahoma, New Mexico, and Texas

Ardent took measures to shut down a significant number of its computerized services, including clinical programs and its use of Epic Systems, which tracks patients' health care records.
The incident began on Thanksgiving Day, but the "who", "how", and "what" has not been released at this point in time - the fact it occurred less than a week ago, this is pretty standard as I am sure they know the "who" and hopefully the "how" so that they are able to remove the threat actors from their systems.
Here in Texas, this has affected many of the hospitals across East Texas that fall under the UT Health East Texas
Link (1): https://www.nbcnews.com/tech/security/emergency-rooms-least-3-states-diverting-patients-ransomware-attack-rcna126890
Link (2): https://www.kltv.com/2023/11/27/ut-health-east-texas-resumes-some-emergency-room-admissions-wake-cyber-security-incident/
Link (3): https://www.kltv.com/2023/11/28/ransomware-investigation-expert-discusses-ut-health-east-texas-data-breach/
Link (4): https://ardenthealth.com/datasecurityupdate

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

Brent Forrest's Cybersecurity Update 11-16-2023

Thu, 16 Nov 2023 18:54:50 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 11/16/2023...

This week has been a great week of spending time with the SentinelOne team getting updated on their newest releases and roadmaps for upcoming changes. We all know that Roadmaps are future state, so we must always take that into account. With that said, when these are released, it will be a game changer without adding a lot of complexity.

Let’s dive into this week's cyber update.

Microsoft Patch Tuesday

The following three are three exploited zero-days vulnerabilities

CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Recommendation – test the patches then full deploy, these are being exploited in the wild

Link (1): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025

Link (2): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36033

Link (3): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36036

Link (4): https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2023-patch-tuesday-fixes-5-zero-days-58-flaws/

Boeing data published by LockBit

LockBit has released over 43GB of files since Boeing has refused to pay the ransom

Most appear to be backups from various systems with a timestamp of October 22
Items that showed up from the release include configuration backups of IT Management systems and logs for monitoring and auditing tools

Link (1): https://www.bleepingcomputer.com/news/security/lockbit-ransomware-leaks-gigabytes-of-boeing-data/

US was the most breached country last quarter

Q3 2023 76% decrease in breached accounts – but US still highest sitting at 26% (8.1 million)

Russia came in 2nd place with 7.1 million breached accounts

Link (1): https://anthonycarranzza.medium.com/the-u-s-still-the-most-breached-country-in-q3-d18dbc2fdaa4

OpenAI blames DDoS attacks for ongoing ChatGPT outages

DDoS attack has caused periodic outages affecting ChatGPT and the developer tools

On Nov 8th, OpenAI stated that they resolved the DDoS attack however it came back and later stated that they were still experiencing periodic issues

Link (1): https://techcrunch.com/2023/11/09/openai-blames-ddos-attack-for-ongoing-chatgpt-outage/

SysAid Exploited by Cl0p Ransomware (CVE-2023-47246)

CVE-2023-47246: In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023

DEV-0950 (Lace Tempest), uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service
If you are a SysAid customer using a SysAid On-Prem server, we advise you take the following actions:
Ensure that your SysAid systems are updated to version 23.3.36, which includes the patches for the identified vulnerability
Conduct a thorough compromise assessment of your SysAid server to look for any indicators mentioned
Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior

Link (1): https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

Sumo Logic Breach

November 3rd, Sumo detected evidence of a breach that an attacker used stolen credentials to gain access to the Sumo Logic AWS account

Sumo systems and networks were not impacted, and customer data has been and remains encrypted
Immediately upon detection the exposed infrastructure was locked down rotated credentials for infrastructure out of abundance of caution
Customers and MSP’s are being advised to rotate API keys
Sumo Logic installed collector credentials
Third-party credentials that have been stored with Sumo for the purpose of data collection by the hosted collector (e.g., credentials for S3 access)
Third-party credentials that have been stored with Sumo as part of webhook connection configuration
User passwords to Sumo Logic accounts

Link (1): https://www.bleepingcomputer.com/news/security/sumo-logic-discloses-security-breach-advises-api-key-resets/

WS_FTP Server Update CVE-2023-42659

CVE-2023-42659 (CVSS 9.1): In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user could craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application.

Latest November Service Pack has solution incorporated in the patch
Note: Upgrading to a patched release, using the full installer is the only way to remediate the issue and an outage to the system will occur while the upgrade is running

Link (1): https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023

ScreenConnect used to Attack Healthcare

I wish this was the only time I have seen this occur, but it’s not and its very devastating to see its continued to occur

ConnectWise toolset ScreenConnect is a normally used program by MSPs, MSSPs, and organizations alike across the world, however they also allow for “trial” offerings and I have personally seen where Threat Actors are utilizing these options to deploy ScreenConnect during an incident to maintain a foothold in an environment
The area of concern here is that if a Threat Actor gains access to an existing ScreenConnect instance they can remote into any machine that its installed on and record sessions, upload/download files without user knowledge, and many other operational aspects (shutdown system)
The article in link #1 walks through the instance of how a third-party pharmaceutical vendor was linked to a pharmacy and health clinic cyberattack – well worth a read
This really goes back to understanding the organization Third-Party Risk Management (TPRM) program and how to get a grasp around how vendors that have access into an environment could introduce threats

Link (1): https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack

OpenVPN Access Server Vulnerabilities

CVE-2023-46849: Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behavior which could cause an application crash, leading to a denial of service.

CVE-2023-46850: Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavior, leaking memory buffers or remote execution when sending network buffers to a remote peer.
Recommendation is to update OpenVPN Access Server to the latest version as soon as possible, which contains the fixes for the vulnerabilities

Link (1): https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2023-46849

Link (3): https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance to include; developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.

He lives in Dallas, Texas with his wife and children.

Flair Data Systems Cybersecurity Updates - 11/9/2023

Mon, 13 Nov 2023 20:10:18 GMT

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 11/9/2023...

I hope all are doing well and enjoying the Fall weather. We are finally seeing a little Fall in the Dallas Metroplex, even a little rain! Time to get out the sweaters. We also have a little bragging to do...the Texas Rangers won the world series! It was a great way to celebrate last week as well!

For those of you who are just joining us, I send out a weekly update to my mailing list and hope to translate those same topics for a wider audience in a cybersecurity blog. I hope you enjoy the post!

Going into this week's cybersecurity update, there were a lot of pressing topics on my mind. So, let's jump into my highlights in cybersecurity news...

Critical Firepower Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-29MP49hN

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd02925 (requires a CCO account)

CVE-2023-20048 (CVSS 9.9): Vulnerability within the web services interface of the FMC could allow an authenticated, remote attacker to execute certain unauthorized configuration commands on a FTD device that is managed by the FMC
Due to insufficient authorization of configuration commands that are sent through the web service interface
For successful exploitation, an attacker would need valid credentials on the FMC software
Currently there are no known exploitations of this in the wild
Known affected releases: 6.2.3, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0
Known fixed releases: 6.4.0.17, 7.0.6, 7.2.4

CVSS 4.0 Now Official

https://www.first.org/cvss/v4-0/index.html

https://blog.qualys.com/product-tech/2023/11/02/cvss-v4-is-now-live-and-what-do-you-need-to-know

Officially gone to GA as of Nov 1st, the last revised over 8 years ago with the release of CVSS v3.0 (June 2015)
Includes more granular breakdown of the Base Metrics, introduction of new nomenclature to denote combinations of Base, Threat, and Environmental metrics alongside new Base metric values for User Interaction (passive or active)

MOZI Botnet Killswitch

https://www.welivesecurity.com/en/eset-research/who-killed-mozi-finally-putting-the-iot-zombie-botnet-in-its-grave/

https://www.theregister.com/2023/11/01/mozi_botnet_kill_switch/

Mozi Bot, emerged in late 2019, accounted for roughly 90% of all malicious IoT network traffic
In August of 2023, ESET noticed the Mozi traffic took a major slowdown, first in India (Aug 8) and then in China (Aug 16)
ESET researchers found that the control payload inside a UDP message acting as the kill switch
Disabling some system services
Replaced the original application file
Reordered some router/device configuration commands
Disabled access to various ports
The “who” behind the kill order is unknown but the assumption is either Chinese law enforcement or the creator

Power outage darkens Cloudflare dashboard and APIs

https://www.bleepingcomputer.com/news/security/cloudflare-dashboard-and-apis-down-after-data-center-power-outage/

https://www.cloudflarestatus.com/incidents/hm7491k53ppg

Cloudflare is stating that the root cause of the outage is due a regional power issue caused by generator failures that took down facilities.
Due to a regional outage, it affected multiple data center facilities within the state of Oregon that hosts Cloudflare’s control plane (dashboard, logging, etc.)
Investigation of the regional power outage and failure of generators is ongoing with data center vendors.
This outage impacted all services that rely on Cloudflare API infrastructure including Alerts, Dashboard functionality, Zero Trust, WARP, Cloudflared, Waiting Room, Gateway, Stream, Magic WAN, API Shield, Pages, and Workers

Boeing says cyber incident affects parts and distribution

https://www.cybersecuritydive.com/news/citrixbleed-patch-hunt-malicious/699164/#:~:text=%E2%80%9CWe%20are%20aware%20of%20a,law%20enforcement%20and%20regulatory%20authorities.

https://nvd.nist.gov/vuln/detail/CVE-2023-4966

CVE-2023-4966: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN RDP Proxy) or AAA virtual server
Threat actors are targeting this vulnerability to expose users to session hijacking and other threat activity
Exploitation of the above vulnerability has been called CitrixBleed, where a patch was released on Oct 10 but attacks are still occurring.
Rapid7 has seen activity targeting retail, healthcare, and manufacturing.
Recommendation: Patch.

Rightway Breach

https://www.cybersecuritydive.com/news/okta-employees-third-party-attack/698662/

Rightway (third-party vendor to Okta) had data breached on Sept 23rd that included an eligibility census file of roughly 5k current and former employees of Okta that included names, SS#, and health insurance plan numbers
This breach did not impact Okta services, but does not help the fact that Okta has experienced their own share of breaches in the recent months

Okta explains hack source and response timeline

https://www.bleepingcomputer.com/news/security/okta-says-its-support-system-was-breached-using-stolen-credentials/

https://sec.okta.com/harfiles

Threat actors were able to access systems that contained HAR files used for troubleshooting issues, the threat actors were able to access 5 customers Okta platforms – 3 of which are known as 1Password, Cloudflare, and BeyondTrust
During the investigation Okta found that an employee was signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop, where the username and password of the service account had been saved into the employee’s personal Google account
It was also discovered that depending on how someone viewed the HAR files, the log entries were generated differently (log entry and ID’s were different)
Multiple remediations are being put in place
Disable the compromised server account (completed)
Blocking the use of personal Google profiles with Google Chrome (complete)
Enhance monitoring for customer support systems (complete)
Binding Okta administrator session tokens based on network location (complete)

Looney Tunables now being exploited

https://www.helpnetsecurity.com/2023/11/07/kinsing-exploiting-looney-tunables/

https://www.helpnetsecurity.com/2023/10/05/cve-2023-4911/

Looney Tunables –
CVE-2023-9841 a critical remote code execution vulnerability in the PHP testing framework PHPUnit for initial access
CVE-2023-4911 a buffer overflow vulnerability in the GNU C Library’s dynamic loader to achieve root privileges on the underlying Linux distribution
Kinsing (Money Libra) is a threat actor that has been active since late 2021 targeting cloud-native environments and applications to deploy cryptominers
The actors have been manually probing the environment for system and user information and started a new interactive shell session
They also downloaded and ran several scripts and another one that creates a webshell backdoor

Lazarus Group uses KandyKorn against blockchain engineers

https://securityaffairs.com/153622/hacking/lazarus-kandykorn-malware.html#:~:text=North%20Korea%2Dlinked%20Lazarus%20APT,interact%20with%2C%20and%20avoid%20detection.

Lazarus APT group (North Korea-linked) has been seeing using the new KandyKorn macOS malware in attacks against blockchain engineers
KandyKorn is an advanced implant that contains a variety of capabilities such as monitoring, interactions, and detection avoidance; and utilizes reflective loading, a direct-memory form of execution that could bypass detections
Lazurus is impersonating blockchain engineering community members on a public Discord server, which then trick members to download and decompress a Zip file containing malicious Python code masquerading by an arbitrage bot
Arbitrage bot is a tool that allows users to profit from cryptocurrency rate differences between platforms

Mr. Cooper has experienced an incident

https://www.bleepingcomputer.com/news/security/mortgage-giant-mr-cooper-hit-by-cyberattack-impacting-it-systems/

Mr. Cooper, a U.S. mortgage lending company based out of the DFW area shutdown its IT systems on Oct 31st due to a cyberattack, including access to the online payment portal
On November 2nd, the company notified its customers of the incident – the type of attack and/if any data that was exfiltrated is unknown at this point in time.

New Microsoft Exchange Zero Days

https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/

Trend Micro had reported the vulnerabilities to Microsoft on September 7th and 8th, 2023 – however Microsoft decided the flaws were not severe enough to guarantee immediate servicing and postponing the fixes for later
Trend Micro’s Zero Day Initiative (ZDI) posted their tracking ID’s to warn Exchange customers
ZDI-23-1578: Remote Code Execution flaw in the ’ChainedSerializationBinder’ class, where user data isn’t adequately validated, allowing attackers to deserialize untrusted data
Successful exploitation enables an attacker to execute arbitrary code as ‘SYSTEM’
Microsoft Response: Customers who have applied the August Security Updates are already protected.
ZDI-23-1579: located in the ‘DownloadDataFromUri’ method, this flaw is due to insufficient validation of the URI before resource access
Attackers can exploit it to access sensitive information from Exchange servers
Microsoft Response: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege.
ZDI-23-1580: In the ‘DownloadDataFromOfficeMarketPlace’ method, also stems from improper URI validation
Potentially leading to unauthorized information disclosure
Microsoft Response: The technique described requires an attacker to have prior access to email credentials.
ZDI-23-1581: Present in the ‘CreateAttachementFromUri’ method, this flaw resembles the previous bugs with inadequate URI validation
Risking sensitive data exposure
Microsoft Response: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information.

All of the above vulnerabilities do require authentication to exploit – which made me think, why did Microsoft not prioritize fixing the bugs?

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brents acts as an advisor to customers that span across different verticals providing guidance on how to include developing strategies to reduce risk with existing or new technology, while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up.

Flair Data Systems participates in Cybersecurity Awareness Month 2023- Secure Our World

Tue, 31 Oct 2023 19:50:54 GMT

As cybersecurity is becoming the leading topic in the tech world, Flair Data Systems made a point to take part in Cybersecurity Awareness Month for 2023.

We launched our Cybersecurity Advisory practice in 2021 to meet the needs of our customers and have expanded our offerings over the years, but marketplace education is a key priority for prevention.

So why should we “Secure Our World”?

According to CISA , “In recognition of the 20th year, CISA announced a new enduring cybersecurity awareness program, Secure Our World. Secure Our World reflects a new enduring message to be integrated across the Cybersecurity and Infrastructure Security Agency’s (CISA) awareness campaigns and programs and encourages all of us to take action each day to protect ourselves when online or using connected devices.” We embrace this mission by supporting our community through social media awareness posts, webinars, and helpful cybersecurity tips, and events. If you missed our Cowgirls in Cybersecurity event, you missed out!

Here are some of our top 5 cybersecurity awareness tips to keep you safe online:

Use Strong Passwords - Passwords with at least 16 characters are hardest to break, and it is best Hard to use combination of random upper and lower-case letters, numbers and symbols. 1234password is not a good choice!
Turn on MFA Authentication - MFA supplies extra security by supplying a secondary method confirming your identity when logging into accounts. MFA usually requires you to enter a code sent to your phone or email, or one generated by an authenticator app. It may feel like an inconvenience, but the added security is worth your time.
Educate Yourself on the Types of Cyber Attacks and Report Suspicious Activity - There are many ways that cybercriminals can get access to your systems: Malware, Phishing, Man-in-the-Middle, Denial of Service, SQL Injection, DDNS Spoofing, Endpoint based attacks, and Ransomware. We could go on, and on. However, these attacks are always evolving. Enroll yourself in an educational program, like our partner Wiser offers, subscribe to cyber updates from known authorities like CISA , and or partner with a solutions integrator like Flair Data Systems to help you stay cyber secure.
Keep Your Software up to Date- One of the easiest ways to protect accounts and data is to keep software and applications up to date. Updates are periodically released to fix software problems and supply security patches for known vulnerabilities in the marketplace. Don’t hit the “remind me later” button. Just click to stay one step ahead of cybercriminals.
Think Twice Before You Click - According to Forbes, “Phishing is one of the most prevalent types of cybercrimes with over 500 million phishing attacks reported in 2022, costing over $52,089,159 in the U.S. alone.” Think before you click on that link or file and invest in software that will monitor suspicious activity. You can’t afford the outcome if you do.

As we wrap up Cybersecurity Awareness Month, we just want to remind you that Cybersecurity doesn’t have to be scary. It can be easy to adopt more secure habits and it may even provide some peace of mind that your online life is more secure. Knowing these top 5 cybersecurity tips can help lessen your breach vulnerabilities. Don’t forget- Just one click on a corrupt link could let a hacker in.

If you need a little advice on your cybersecurity strategy, schedule some time with a Flair Data Systems vCISO. We would love to help your organization protect your people and systems from cyberattacks. Just message us here: Contact a Flair Data Systems vCISO!

Flair Data Systems, Cybersecurity Awareness Month, Top 5 cybersecurity Awareness Tips

Flair Data Systems hosts the first Cowgirls in Cybersecurity event on Oct. 5th, 2023

Mon, 25 Sep 2023 06:39:51 GMT

Flair Data Systems will kick off Cybersecurity Awareness Month with a Cowgirls In Cybersecurity Happy Hour and fireside chat with Flair’s vCISO, Jessica Nemmers ., just before Texas/OU weekend!

Flair Data will host female cybersecurity experts for light bites, bubbles, and a community conversation about top-of-mind cybersecurity topics inside and outside of the home. We are excited to continue building a network of Women in Cybersecurity as well!

This is a limited attendance, invitation only event. All attendees will receive an autographed copy of “The CISO Mentor” a book coauthored by Jessica, that offers practical advice to anyone advancing in their cybersecurity careers. Attendees will also receive some swag to get ready for Texas/OU weekend, no matter what team you are rooting for! There will also be a raffle for prizes from our Partners. We will start bubbles, bites and networking at 4pm, and then walk across the street to Tecovas to do a little shopping.

When: Oct. 5th
Time: 4-7pm

Who is vCISO Jessica Nemmers?

Jessica is known in the Dallas/Ft. Worth area as the “Ballerina Turned CISO” and joined Flair Data in February of 2023, to support our growing Cybersecurity Consulting practice. She will be sharing some highlights of her journey from professional ballerina to a recognized cybersecurity leader and author.

As ransomware attacks and data breaches continue, new regulations and recommendations have been announced to help companies to better protect their operations and customers from emerging cyber threats. Whether it is the SEC’s announcement of new cybersecurity rules or the newly released draft of the NIST 2.0 Core framework , the cybersecurity landscape is more dynamic than ever. Jessica will highlight how industry changes may affect security professionals in the coming months. You will also have an opportunity to meet our Partners who can share their perspectives.

Why a female in Cybersecurity event?

Females, especially in technology related fields, are a small group. “We feel that there is a need for networking, focused on giving women the connections that they need to feel supported in their career”, said Emily Bell-Wootten, Director of Marketing and Customer Success at Flair Data. “We are going to have a great group at this event! We have CISO’s to students at local colleges registered and believe this will make for a great conversation. Who would you call if you had a cyber-attack? How will you stop a cyber-attack from happening to your organization? How will you mentor women in tech fields? We hope to answer this and more in our discussion.”

Flair Data Systems is looking forward to hosting more cybersecurity professionals at events in the future.

If you would like more information on how Flair Data Systems is supporting our client's cybersecurity needs, please visit our website or contact us at marketing@flairdata.com

About Flair Data Systems: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Unified Communication, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.

Please contact Emily Bell-Wootten- Director of Marketing & CX , for sponsorship opportunities or if you have questions about the event. emily.bell@flairdata.com

Flair Data Systems Technology Insights

Choosing the Right Cybersecurity Solutions in Dallas, TX

The Rising Tide of Cyber Threats in Dallas

What Makes a Cybersecurity Solution Effective?

Why Local Businesses Need Tailored Cybersecurity

Flair Data Systems: Your Local Cybersecurity Partner ﻿

Real-World Impact: How Flair Data Systems Protects Dallas SMEs ﻿

How to Choose the Right Cybersecurity Partner

The Cost of Inaction

Building a Cyber-Resilient Culture

Ready to Secure Your Business?

Cybersecurity Solutions in Fort Worth, TX: 5 Insights

Cybersecurity in Fort Worth: A 2025 Snapshot

Why Local Threats Need Localized Cybersecurity Solutions

Top Cybersecurity Trends in Fort Worth for 2025

1. Rise of AI-Driven Cyberattacks

2. Targeting of Municipal Infrastructure

3. Cloud Misconfigurations

Real Fort Worth Incident: How Flair Data Systems Responded

Education, Awareness, and the Role of Community

Secure Your Digital Future Today

Why Businesses Can’t Ignore Managed Cybersecurity Solutions

Understanding Cybersecurity Risks

DIY vs. Managed Cybersecurity

Cost Savings With Managed Services

24/7 Monitoring and Support

Scalability for Growing Businesses

Real-World Benefits

Insights From Cybersecurity Blog Posts

Flair Data Systems: Your Trusted Partner

Act Now to Protect Your Business

Cybersecurity Services in Dallas, TX for Business Protection

Why Your Business Needs Cybersecurity Services in Dallas, TX

Essential Components of a Strong Cybersecurity Framework

Key Benefits of Cybersecurity Services in Dallas, TX

Enhancing Cybersecurity With Proven Strategies

Protect Your Business With Cybersecurity Services in Dallas, TX

Cybersecurity Services in Fort Worth, TX for Business Safety

The Threat of Phishing: Why Cybersecurity Services in Fort Worth, TX Matter

Ransomware: A Growing Cybersecurity Threat for Businesses in Fort Worth, TX

Cybersecurity Services in Fort Worth, TX: Tackling Insider Threats

Lack of Proper Security Protocols: How Cybersecurity Services in Fort Worth, TX Can Help

Flair Data Systems Cybersecurity News Update 7-22-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/22/2024...

Flair Data Systems Cybersecurity News Update 7-17-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/17/2024...

Flair Data Systems Cybersecurity News Update 7-10-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/10/2024...

Flair Data Systems Cybersecurity News Update 7-03-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/03/2024...

Flair Data Systems Cybersecurity News Update 6-26-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/26/2024...

Flair Data Systems Cybersecurity News Update 6-19-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/19/2024...

Flair Data Systems Cybersecurity News Update 6-12-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/12/2024...

Flair Data Systems Cybersecurity News Update 6-05-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/05/2024...

Flair Data Systems Cybersecurity News Update 5-29-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/29/2024...

Flair Data Systems Cybersecurity News Update 5-15-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/15/2024...

Flair Data Systems Cybersecurity News Update 5-8-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/8/2024...

Flair Data Systems Cybersecurity News Update 5-1-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 5/1/2024...

Flair Data Systems Cybersecurity News Update 4-24-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 4/24/2024...

Flair Data Systems Cybersecurity News Update 4-10-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 4/10/2024...

6 things You Need to Know About the VMware Price Increases

Are you being held hostage by the VMware pricing increases? Flair Data Systems discusses the top issues affecting your network cloud storage solutions and budget. Read on...

Flair Data Systems Cybersecurity News Update 3-20-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/20/2024... ﻿

Flair Data Systems Cybersecurity News Update 3-13-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/13/2024...

Flair Data Systems Cybersecurity News Update 3-06-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/06/2024...

Flair Data Systems Hosts a Tech Demo Day

On February 22nd, 2024- Flair hosted Demo Day, where technology partners were given the opportunity to pitch innovative technology and demo solutions to CIOs, CTOs, and CISOs from the DFW Metroplex. Read all about it!

Flair Data Systems: Your Local Cybersecurity Partner

Real-World Impact: How Flair Data Systems Protects Dallas SMEs

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/20/2024...