Flair Data Systems Cybersecurity News Update 3-20-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/20/2024... 

Happy Wednesday! 

 

The FBI released its IC3 Annual Report, and it has some interesting statistics, such as: between 2019 and 2023 there were 3.79 million complaints and $37.4 billion in total losses.  These are the "reported" complaints and losses submitted to the IC3 program specifically.  Let's be honest, the real numbers are much higher, because not everyone is going to report that type of information to the FBI/IC3 - either because they are not aware of the process or its availability, or because they have no desire to share the information with the feds.  The report also shows that phishing is the most-reported crime type in every year covered.  It is a great report for understanding the landscape from their perspective. 

 

IC3 Annual Report 2023- Link: https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf 

 

With that, let’s jump into this week’s cyber security news update. 

 



Change Healthcare - AHA asks for aid, HHS questions HIPAA compliance, and UnitedHealth fronts over $2 billion in recovery efforts 

 

The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) [ok, that's a long name for a single department....] has issued a letter addressing the cyber incident affecting Change Healthcare, stating that it will be initiating an investigation into the incident. 

  • The investigation will focus on two areas: whether a breach of PHI occurred, and whether Change Healthcare / UHG was in compliance with the HIPAA rules 
  • The American Hospital Association (AHA) has urged Congress to consider several actions (Link 2) to obtain assistance from the Government by any means necessary (including financial) 
  • As of March 18th, UHG (UnitedHealth Group) has advanced payments of over $2 billion (yes, that is a B) to aid healthcare providers 
  • Currently, UHG has suspended the paperwork normally required to get approval for insurance coverage for most outpatient services, as well as the review of inpatient admissions for government-backed Medicare Advantage plans, to help those that were impacted 

Link (1): https://www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html 

Link (2): https://www.aha.org/news/headline/2024-03-04-aha-urges-congress-provide-support-help-minimize-further-fallout-change-healthcare-attack 

Link (3): https://www.reuters.com/business/healthcare-pharmaceuticals/unitedhealth-says-advanced-over-2-bln-payments-providers-2024-03-18/#:~:text=March%2018%20(Reuters)%20%2D%20UnitedHealth,its%20technology%20unit%2C%20Change%20Healthcare. 

 

 

Fortinet warns of severe SQLi vulnerability in FortiClientEMS software 

 

FortiClient Enterprise Management Server (EMS) has recently been patched because it was vulnerable to an RCE attack. 

  • FortiClient EMS allows admins to manage endpoints connected to an enterprise network, letting them deploy FortiClient software and assign security profiles to Windows devices 
  • CVE-2023-48788 is a SQL injection in the DB2 Administration Server component through which an unauthenticated attacker could gain RCE with SYSTEM privileges on unpatched servers; it is a low-complexity attack that does not require user interaction 
  • At the time the article was written, there was no evidence of this vulnerability being exploited in the wild 
  • Fortinet has been releasing numerous sets of patches to fix disclosed vulnerabilities across its platform (FortiOS and FortiProxy) 
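The bullet above describes a SQL injection that reaches the database as an unauthenticated request. The following is an added illustration, not Fortinet's code and not the vulnerable component: it uses a constructed in-memory SQLite table (a hypothetical `endpoints` table with made-up rows) to show the difference between concatenating untrusted input into a statement and binding it as a parameter. The injection string is the textbook `' OR '1'='1` case, included only so the two behaviours can be compared side by side.

```python
import sqlite3


def setup_db():
    """Build a constructed in-memory table; the schema and rows are made up for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO endpoints VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("dc-01", "svc-admin")],
    )
    return conn


def lookup_vulnerable(conn, hostname):
    # Untrusted input is spliced into the statement text, so the database
    # parses whatever the client sent as SQL. This is the SQL injection pattern.
    query = f"SELECT hostname, owner FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, hostname):
    # The value is bound as a parameter: the driver hands it to the engine
    # separately from the statement, so it can never be interpreted as SQL.
    return conn.execute(
        "SELECT hostname, owner FROM endpoints WHERE hostname = ?", (hostname,)
    ).fetchall()


# Constructed hostile input: closes the quoted literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "ws-01"))
    print("vulnerable, hostile input:", lookup_vulnerable(db, INJECTION))
    print("safe, hostile input      :", lookup_safe(db, INJECTION))
```

With the normal input both functions return the one matching row. With the hostile input the concatenated version returns every row in the table, while the parameterized version returns nothing because no hostname literally equals that string. The fix in any code base is the same as the second function: bind values, never build statement text from input.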

Link (1): https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-bug-in-endpoint-management-software/ 

 

Yacht company MarineMax announces cyberattack 

 

MarineMax (a billion-dollar boat seller) filed an 8-K with the SEC on March 12th describing a cyber incident. 

  • Per MarineMax, operations have continued, but they have brought in a third-party DFIR team to investigate 

Link (1): https://therecord.media/boat-seller-marinemax-reports-cyberattack-sec 

 

Global McDonald’s outage blamed on third-party vendor, not cyberattack 

 

McDonald's had to suspend operations in multiple countries last weekend due to an IT outage (per McDonald's). 

  • The exact root cause has not been divulged, nor has the identity of the third party that caused the outage 
  • It makes one reconsider Business Continuity exercises when relying heavily on technology (especially third-party services) that could cause issues of this magnitude 

Link (1): https://www.computerweekly.com/news/366574032/Global-McDonalds-IT-outage-result-of-third-party-error 

 

Network outages hit Birmingham Alabama 

 

Birmingham is still experiencing outages that limit government services more than a week after a network "disruption". 

  • The city has provided no updates since the initial announcement of the disruption 
  • An internal memo was sent to city employees denying rumors that data was stolen, but it provided no specific information (probably because they knew it would be released to the public) 
  • During an incident, an organization (or city, county, or other entity) needs to take "optics" into consideration: how the public will view them during and after any situation that disrupts services 

Link (1): https://therecord.media/network-outage-birmingham-alabama-ongoing-cyberattack#:~:text=The%20Birmingham%20outages%20took%20place,ransomware%20so%20far%20in%202024. 

 

Cisco closed its $28b all-cash acquisition of Splunk 

 

It is official: Cisco has closed the $28 billion acquisition of Splunk! 

  • There are those who are concerned with how Cisco will change the Splunk culture (I mean, let's be honest - Splunk is already a very expensive solution; is it going to go up even more!?) 
  • Broadcom's recent changes at VMware have made people reconsider their footprint with that specific vendor - needless to say, it has been chaotic for most customers when they receive their renewals 

Link (1): https://www.theregister.com/2024/03/19/cisco_closes_splunk_acquisition/ 

 

Microsoft announced deprecation of 1024-bit RSA keys  

 

Not a lot more to share here, other than it is finally coming to an end - several years after it should have been deprecated. 

  • Funny enough, Microsoft announces it will be deprecated - but leaves out the actual date of when... 

Link (1): https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features#deprecated-features 

 

Fortra FileCatalyst Vulnerability CVE-2024-25153  

 

CVE-2024-25153 (9.8 score): a directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request. Specially crafted JSP files could then be used to execute code, including web shells. 

  • Originally discovered in Aug 2023 
  • Patches have been released, and based on what I have heard from POC reviews, this does not take a lot to exploit 
  • The Cl0p group leveraged a zero-day vulnerability (CVE-2023-0669) for the same solution, resulting in data being stolen from over 130 victim organizations 
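The bug above is a file-upload directory traversal: the web portal trusts a client-supplied path and writes outside its upload directory. Below is an added example of the server-side check that prevents that class of bug; it is not Fortra's code and makes no claim about how FileCatalyst is implemented. The base directory `/srv/uploads`, the allow-listed extensions and the sample filenames are all constructed for the demo. It goes slightly beyond the single case in the text by also rejecting absolute paths and denying executable server-side extensions such as `.jsp` as defence in depth.

```python
import os
from typing import Optional

# Constructed allow-list: only inert document types may be written. Server-side
# executable types (.jsp and friends) are rejected even if the path is otherwise fine.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf"}


def resolve_upload_path(base_dir: str, client_name: str) -> Optional[str]:
    """Return the absolute path to write to, or None if the request must be refused.

    base_dir    - the directory uploads are confined to (hypothetical /srv/uploads here)
    client_name - the filename or relative path exactly as the client sent it
    """
    base = os.path.realpath(base_dir)

    # Normalise separators so a backslash-based traversal is treated the same as '/'.
    relative = client_name.replace("\\", "/")
    if relative.strip() == "":
        return None

    # Deny executable server-side extensions regardless of where the file would land.
    ext = os.path.splitext(relative)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None

    # Join, then canonicalise: this collapses any '..' segments and follows symlinks.
    # An absolute client path makes os.path.join discard base_dir entirely, which the
    # containment check below catches.
    candidate = os.path.realpath(os.path.join(base, relative))

    # Containment check: the canonical target must still sit inside the upload root.
    # Comparing path components (not string prefixes) avoids '/srv/uploads-other' matching.
    if os.path.commonpath([base, candidate]) != base:
        return None

    return candidate


if __name__ == "__main__":
    # Constructed requests a portal might receive; none of these touch the filesystem.
    for name in ["report.txt", "reports/2024/q1.csv",
                 "../../webapps/ROOT/shell.jsp", "/etc/passwd", "webshell.jsp"]:
        print(f"{name!r:40} -> {resolve_upload_path('/srv/uploads', name)}")
```

The two controls are independent: the containment check stops the traversal whether or not the extension filter exists, and the extension filter limits the damage if a later code path is ever tricked into writing elsewhere. A traversal attempt that reaches this function is also worth logging, since a legitimate client has no reason to send `..` in an upload name.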

Link (1): https://www.fortra.com/security/advisory/fi-2024-002 

Link (2): https://www.helpnetsecurity.com/2024/03/19/cve-2024-25153-poc-exploit/ 

 

Mid-stream hack postpones ESports league 

 

The Apex Legends Global Series, an esports tournament for the shooter game Apex Legends (with a $5 million total prize pool!), was disrupted mid-stream. 

  • During Sunday's event, two players appeared to have been hacked during the live-streamed game, which prompted the postponement of the tournament 
  • Just to forewarn, the article linked below does have some explicit language 
  • Easy Anti-Cheat, the makers of the anti-cheat system used with Apex Legends and other games, ruled out the possibility of an RCE bug in their system 
  • First off, I had no clue (because I guess I have hit the "old" age) that games have gotten to this point - $5 million!  I mean, I remember the movie The Wizard, which portrayed these types of events back in the late 80's 

Link (1): https://techcrunch.com/2024/03/18/esports-league-postponed-after-players-hacked-midgame/ 

 

Abusing the DHCP Administrators Group to Escalate Privileges in Windows Domains 

 

Akamai researchers discovered a new means of privilege escalation affecting on-premise AD that leverages the DHCP Administrators group. 

  • It applies where the DHCP server role is installed on a Domain Controller, which could allow a threat actor to gain domain admin privileges 
  • It is based on abuse of legitimate features and does not rely on any vulnerability 
  • Check out the link below; it is pretty detailed on how the process works and includes a few steps for reducing the risk from this technique 

Link (1): https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 


 

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business.  With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 


Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, and Sec+ certified. In his free time, he likes to spend time with family, work out, or keep up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We are a trusted cyber security company in Plano, TX. 

