Flair Data Systems Cybersecurity News Update 2-01-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 2/01/2024...

Hope the week is treating you well! As we continue to walk into the new year, it is a reminder that we must stay diligent in all aspects of cybersecurity maturity. More and more companies continue to experience some type of incident, and it is becoming normal, which is a scary realization. Honestly, I feel as though this has been the reality that most just want to ignore and continue to think it's a "season". Yesterday I was on a call where we were discussing the onboarding of a Privileged Access Management ("PAM") platform, and multiple separate groups were on the call - it brought back memories of the concerns and frustrations of change when I personally implemented the technology several years ago. In the beginning, change will always be hard - especially when one has done the same thing for years (if not decades). But in the world that we live in now, if we continue to live as we always have then the risk of being hit by a cyber incident is going to increase (some of you have already experienced these 2 or more times in your career). 

 

Please stay diligent and welcome change, even in those hard moments, realizing that it is just the rubbing against the grain of long-standing routines. 

 

On that note, let’s jump into this week's cybersecurity news update. 

 

Cyberattack knocks EquiLend offline 

 

The attack was first detected on January 22nd as unauthorized access to a portion of EquiLend's infrastructure 

  • Third-party investigation teams have been brought in to assist, but no other details have been provided 
  • LockBit has claimed responsibility for this attack 
  • This continues an ongoing trend in the lending sector, following Mr. Cooper, Fidelity National Financial, and loanDepot 

Link (1): https://www.theregister.com/2024/01/25/cybersecurity_incident_forces_equilend_to/ 

 

Hewlett-Packard Enterprise faces Cybersecurity Breach by Notorious APT29 

 

HPE notified the SEC on December 12th that Midnight Blizzard had breached its network and spent months exfiltrating data 

  • Upon investigation, HPE states that data began being exfiltrated in May 2023 from a small percentage of HPE mailboxes - belonging to the cybersecurity, go-to-market, business segment, and other functions 
  • This comes right after Microsoft announced that the same threat actor had attacked its infrastructure 

Link (1): https://therecord.media/hpe-tells-sec-breached-by-cozy-bear 

 

Urgent patch alert for Jenkins 

 

CVE-2024-23897: allows unauthenticated attackers with "Overall/Read" permission to read arbitrary files on the Jenkins controller file system 

  • Without that permission, files can still be read, but only the first few lines 
  • Threat actors could exploit this vulnerability to read Jenkins secrets in order to "escalate privileges to admin and eventually execute arbitrary code on the server" 
  • Jenkins has around 44% of the CI/CD market 
  • If an attacker were to gain remote control of these dev environments, they could theoretically plant malicious code in new software builds (think SolarWinds) 
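As an added example (not from the article or the Jenkins project), a small Python helper for triaging this advisory across an inventory of controllers: it reads the version a Jenkins controller reports in its X-Jenkins response header and tells you whether that version is below the fixed release for its own release line. Jenkins weekly versions have two components and LTS versions three, and the two lines must not be compared against each other. The FIXED_* constants are placeholders to be filled in from the Jenkins advisory, and the HTTP response is constructed.

```python
"""Version triage for the Jenkins advisory above. Added example, not Jenkins
project code. A Jenkins controller reports its version in the X-Jenkins
response header; this helper extracts it and compares it against the fixed
version for the right release line. Jenkins has two lines with different
version shapes: weekly releases have two components (e.g. 2.441) and LTS
releases three (e.g. 2.426.2), and a weekly number must never be compared
against an LTS threshold or vice versa. The two FIXED_* values are
PLACEHOLDERS; take the real ones from the Jenkins advisory for CVE-2024-23897."""

FIXED_WEEKLY = "2.999"    # placeholder, see advisory
FIXED_LTS = "2.999.9"     # placeholder, see advisory


def parse_version(text):
    """'2.426.2' -> (2, 426, 2); rejects anything that is not 2 or 3 integers."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_lts(version):
    """LTS versions carry a third component; weekly versions do not."""
    return len(version) == 3


def needs_patch(version_text, fixed_weekly=FIXED_WEEKLY, fixed_lts=FIXED_LTS):
    """True when the reported version is below the fix for its own release line."""
    version = parse_version(version_text)
    fixed = parse_version(fixed_lts if is_lts(version) else fixed_weekly)
    if is_lts(version) != is_lts(fixed):
        raise ValueError("fixed version is not on the same release line")
    return version < fixed


def version_from_headers(raw_response):
    """Pull the X-Jenkins header value out of a raw HTTP response; None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


# Constructed sample response, shaped like what a controller's login page returns.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Jenkins: 2.426.2\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    v = version_from_headers(SAMPLE_RESPONSE)
    print(v, "needs patch" if needs_patch(v) else "at or above fixed version")
```

Run it against each controller's login page response in turn; a controller whose header is missing (None) should be checked by hand rather than assumed safe.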

Link (1): https://www.infosecurity-magazine.com/news/exploits-released-critical-jenkins/#:~:text=Software%20developers%20have%20been%20told,the%20Jenkins%20controller%20file%20system. 

 

Cisco flaw exposes Unified Comms systems 

 

CVE-2024-20253: Remote code execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device 

  • The issue is due to improper processing of user-provided data that is read into memory; an attacker could exploit it by sending a crafted message to a listening port of an affected device 
  • A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the web services user and potentially escalate to root 
  • Patches have been released for multiple product lines: CUCM and CUCM SME, CUCM IM&P, CUC, UCCX, and VVB 
  • At this point in time, Cisco is not aware of any public announcements or proof-of-concept (PoC) code, or of malicious use of the vulnerability 

Link (1): https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-flaw-in-communications-software/ 

Link (2): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm 

 

Midnight Blizzard abuse OAuth apps in Microsoft attack 

 

Midnight Blizzard used password spray attacks, which succeed when weak passwords are in use and MFA is not enforced 

  • After gaining access to a tenant by that mechanism (or others), the threat actor is able to create, modify, and grant high permissions to OAuth applications, which allow them to hide malicious activity 
  • In the Microsoft case, they used a legacy test OAuth application to grant themselves the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes 
  • They then leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target corporate email accounts 
  • Defenses to put in place: 
      • Audit current privilege levels of all identities, both users and service principals 
      • Audit identities that hold application impersonation privileges in Exchange Online 
      • Identify malicious OAuth apps using anomaly detection policies 
      • Implement Conditional Access app controls 
      • Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions 
      • If apps are required to access mailboxes, granular and scalable access can be implemented using RBAC for apps 
      • Protecting against password sprays - full list at the bottom of the Microsoft blog (Link (2)) 
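As an added example that is not part of the original post or of Microsoft's guidance, the Python below implements two of the defensive checks from the list above over constructed data: an audit that flags OAuth applications holding full_access_as_app on Exchange Online or the delegated EWS.AccessAsUser.All scope, and a password-spray detector that looks for one source IP failing sign-in against many distinct accounts inside a time window. The record shapes mimic Microsoft Graph servicePrincipal objects joined with their appRoleAssignments and oauth2PermissionGrants, but that shape, the sample apps and the sample sign-in events are all assumptions constructed for the example.

```python
"""Defender-side checks for the two techniques described above: password
spraying and OAuth applications with mailbox-wide Exchange access.
This is example code added to this post, not Microsoft's tooling; the
records at the bottom are constructed, not real tenant data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known appId of the first-party "Office 365 Exchange Online" application,
# the resource whose app roles include full_access_as_app.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # used only in sample data

# The permissions the post says to review.
RISKY_APP_ROLES = {"full_access_as_app"}          # application permission
RISKY_DELEGATED_SCOPES = {"EWS.AccessAsUser.All"}  # delegated permission


def audit_oauth_apps(service_principals):
    """Return (app name, permission type, permission) for every app holding
    one of the risky Exchange permissions.

    Each record mimics a Graph servicePrincipal joined with its
    appRoleAssignments and oauth2PermissionGrants; appRoleId values are
    assumed to be already resolved to their string names (e.g. by looking
    them up in the resource's appRoles list).
    """
    findings = []
    for sp in service_principals:
        for assignment in sp.get("appRoleAssignments", []):
            if (assignment["resourceAppId"] == EXCHANGE_ONLINE_APP_ID
                    and assignment["appRole"] in RISKY_APP_ROLES):
                findings.append((sp["displayName"], "application", assignment["appRole"]))
        for grant in sp.get("oauth2PermissionGrants", []):
            # delegated scopes arrive as one space-separated string
            for scope in sorted(set(grant["scope"].split()) & RISKY_DELEGATED_SCOPES):
                findings.append((sp["displayName"], "delegated", scope))
    return findings


def detect_password_spray(events, window_minutes=60, min_users=5):
    """Map source IP -> number of distinct accounts it failed against within
    any window of window_minutes, for IPs at or above min_users.

    A spray tries a few passwords against many accounts, so the signal is
    breadth of accounts per source rather than attempts per account, which
    per-account lockout thresholds never see.
    events: iterable of (timestamp, user, source_ip, succeeded).
    """
    window = timedelta(minutes=window_minutes)
    failures_by_ip = defaultdict(list)
    for ts, user, ip, ok in sorted(events):
        if not ok:
            failures_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, failures in failures_by_ip.items():
        start = 0
        for end in range(len(failures)):       # sliding time window
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts


# ---- constructed sample data (not from any real tenant) ----
SAMPLE_SERVICE_PRINCIPALS = [
    {"displayName": "legacy-test-app",
     "appRoleAssignments": [{"resourceAppId": EXCHANGE_ONLINE_APP_ID,
                             "appRole": "full_access_as_app"}],
     "oauth2PermissionGrants": []},
    {"displayName": "helpdesk-calendar-tool",
     "appRoleAssignments": [],
     "oauth2PermissionGrants": [{"scope": "User.Read EWS.AccessAsUser.All"}]},
    {"displayName": "ticketing-sync",
     "appRoleAssignments": [{"resourceAppId": MS_GRAPH_APP_ID, "appRole": "User.Read.All"}],
     "oauth2PermissionGrants": [{"scope": "User.Read"}]},
]

_T0 = datetime(2024, 1, 25, 9, 0)
SAMPLE_SIGNINS = (
    # one source failing once against six different accounts in six minutes
    [(_T0 + timedelta(minutes=i), f"user{i}@example.com", "203.0.113.7", False)
     for i in range(6)]
    # one person mistyping their own password four times, then succeeding
    + [(_T0 + timedelta(minutes=i), "alice@example.com", "198.51.100.4", False)
       for i in range(4)]
    + [(_T0 + timedelta(minutes=5), "alice@example.com", "198.51.100.4", True)]
)

if __name__ == "__main__":
    for name, kind, perm in audit_oauth_apps(SAMPLE_SERVICE_PRINCIPALS):
        print(f"REVIEW  {name}: {kind} permission {perm}")
    for ip, n in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"SPRAY?  {ip} failed against {n} distinct accounts")
```

The audit deliberately keys on the permission name and the Exchange Online resource rather than on the app's display name, since a malicious app can be named anything; the spray detector counts distinct accounts per source so that a single user fat-fingering their own password (alice above) does not trip it while a low-and-slow spray across many accounts does.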

Link (1): https://www.darkreading.com/cyberattacks-data-breaches/microsoft-shares-new-guidance-in-wake-of-midnight-blizzard-cyberattack 

Link (2): https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ 

 

SolarWinds seeks dismissal of SEC lawsuit 

 

For a refresher, the SEC is claiming that SolarWinds knew it did not have appropriate security controls in place to protect its systems, yet failed to act 

  • The SEC is also asserting that SolarWinds insiders, including Brown (CISO), were aware of the suspicious activity in the systems but willfully misled customers about the possible threat 
  • The SEC is also accusing Brown of dumping SolarWinds stock, profiting around $170k from insider information before the attack was made public 
  • SolarWinds offers a detailed denial of the above charges, stating that it made proper, accurate disclosures both before and after the Sunburst incident - and pointing out that the SEC was unable to specifically identify which security control ran afoul of regulation 

Link (1): https://www.darkreading.com/cyber-risk/solarwinds-files-motion-to-dismiss-sec-lawsuit 

 

DOJ and FTC tell companies to stop deleting chats 

 

On January 26th, the FTC and DOJ announced that both agencies are updating their language in their standard preservation letters and specifications for all second requests, voluntary access letters, and compulsory legal process to address the increased use of collaboration tools and ephemeral messaging platforms 

  • This includes grand jury subpoenas 
  • The takeaway here is around retention periods within an organization's policy, and the capability to pull and retain logs from collaboration tools 

Link (1): https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-doj-update-guidance-reinforces-parties-preservation-obligations-collaboration-tools-ephemeral 

 

Microsoft takes another hit with Teams

 

Last Friday and again this Monday, Microsoft experienced issues with Teams 

  • Connectivity issues 
  • Delays in sending / receiving messages (mobile and desktop clients) 
  • Personally, this made my Friday very frustrating when attempting to work with multiple organizations across Teams 
  • Microsoft did not seem to consider it necessary to disclose the "why" for such a heavily relied-upon tool within its ecosystem - hopefully in the future they change their tune and share what really happened 

Link (1): https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-hit-by-second-outage-in-three-days/ 

 

Energy giant hit by ransomware 

 

Schneider Electric was hit with a ransomware attack by Cactus, and the attackers made off with corporate data 

  • The attack disrupted the Resource Advisor cloud platform, which was still offline as of the 29th 
  • The type of data is unknown, but it was the Sustainability Business division that was compromised; it provides services to enterprise organizations, advising on renewable energy solutions and helping them navigate complex climate regulatory requirements 
  • Organizations supported by this business unit include Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart 

Link (1): https://www.bleepingcomputer.com/news/security/energy-giant-schneider-electric-hit-by-cactus-ransomware-attack/ 


Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 

 

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. 

He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. We are a trusted cyber security company in Plano, TX. 

