Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.


Black Arrow Cyber Advisory 30 August 2023 – Think Opening PDFs is Safe?


This alert covers a recent change in attacker tools, tactics and procedures (TTPs) and is intended to raise awareness so that organisations can defend against these evolving attacks, where necessary through educating their staff and users on these latest changes.

Executive Summary

Research from the Japanese Computer Emergency Response Team (JPCERT) has found that hackers are utilising polyglots, which are files that combine two formats and can be parsed and executed as more than one file type, to conduct attacks. Specifically, malicious Word documents are being hidden within PDF documents to escape detection software.

What’s the risk to me or my business?

The risk is that if the disguised polyglot is opened as a Word document rather than as a PDF, it will enable a macro to run. The macro will then cause the victim's device to download and install malware, impacting the confidentiality, integrity and availability of data. Worryingly, whether the polyglot opens as a PDF or as a Word document depends on the application used to open it.

What can I do?

Microsoft's default security setting disables macros in Microsoft Office files that were downloaded from the internet; only files that did not come from the internet can have macros enabled without going through multiple steps. Even with this control in place, organisations should remain vigilant and be aware that PDF files, like any other file type, are susceptible to malicious modification.
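As an added example (not part of the original advisory or JPCERT's research), the check below flags a file that begins with a PDF header yet also carries MHT (MIME HTML) headers and an Office XML island further in, which is the shape of polyglot the advisory describes. The marker strings and the constructed sample files are assumptions for this example, not signatures taken from the advisory.

```python
import sys
from dataclasses import dataclass, field

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

# Header lines every MHT (MIME HTML / Web Archive) file carries. The marker
# set is an assumption for this example; the advisory names no signatures.
MHT_MARKERS = (b"MIME-Version:", b"Content-Type:", b"Content-Location:")
# XML islands Office writes into MHT files it saves (assumed marker set).
OFFICE_MARKERS = (b"<w:WordDocument>", b"<x:ExcelWorkbook>")


@dataclass
class Verdict:
    is_pdf: bool
    trailing_after_eof: int = 0
    mht_markers: list = field(default_factory=list)
    office_markers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A genuine PDF has no reason to carry MHT headers plus Office XML.
        return self.is_pdf and bool(self.mht_markers) and bool(self.office_markers)


def trailing_bytes_after_eof(data: bytes) -> int:
    """Count bytes after the last %%EOF marker, ignoring line terminators.

    Appending content after the final %%EOF is how a second file type is
    usually glued onto a PDF, so a large trailing blob deserves a look even
    when none of the Office markers above are present.
    """
    idx = data.rfind(PDF_EOF)
    if idx < 0:
        return len(data)  # no EOF marker at all: treat the whole file as trailing
    return len(data[idx + len(PDF_EOF):].strip(b"\r\n"))


def analyse(data: bytes) -> Verdict:
    lower = data.lower()  # case-insensitive marker matching
    v = Verdict(is_pdf=data.startswith(PDF_MAGIC))
    v.trailing_after_eof = trailing_bytes_after_eof(data)
    v.mht_markers = [m.decode() for m in MHT_MARKERS if m.lower() in lower]
    v.office_markers = [m.decode() for m in OFFICE_MARKERS if m.lower() in lower]
    return v


def scan_file(path: str) -> Verdict:
    with open(path, "rb") as fh:
        return analyse(fh.read())


# Constructed fixtures (not real samples): a minimal clean PDF, and the same
# PDF with MHT headers and a Word XML island appended after %%EOF. Neither
# contains a macro; they only exercise the marker logic.
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
POLYGLOT_SAMPLE = CLEAN_PDF + (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_Part\"\r\n\r\n"
    b"------=_Part\r\nContent-Location: file:///C:/doc.htm\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><xml><w:WordDocument><w:View>Normal</w:View></w:WordDocument>"
    b"</xml></html>\r\n"
)

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            v = scan_file(path)
            print(f"{path}: suspicious={v.suspicious} "
                  f"markers={v.mht_markers + v.office_markers} "
                  f"trailing_after_eof={v.trailing_after_eof}")
    else:
        for name, blob in (("clean", CLEAN_PDF), ("polyglot", POLYGLOT_SAMPLE)):
            v = analyse(blob)
            print(f"{name}: suspicious={v.suspicious} "
                  f"trailing_after_eof={v.trailing_after_eof}")
```

Run it with one or more file paths to scan real files, or with no arguments to see the verdicts on the two constructed fixtures.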

Further information can be found below:

https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign


This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.


Executive Summary

Following the previous advisory on the Citrix NetScaler ADC vulnerability (CVE-2023-3519), the NCC Group has identified that as of 14 August, 1828 Citrix NetScaler servers remain compromised or 'backdoored' by attackers. Approximately 69% of the servers that contain a backdoor have been updated to remediate the vulnerability and are no longer vulnerable to CVE-2023-3519. This means that the affected systems were compromised by a malicious actor before the updates were applied, allowing the malicious actor to establish persistent access to the systems even after the vulnerability was remediated.

What’s the risk to me or my business?

Successful exploitation of the vulnerability prior to updating would allow an attacker to perform arbitrary code execution with administrator privileges. The main attack campaign is believed to have taken place between late on 20 July and early on 21 July. If updates were not applied to affected and vulnerable systems before this date, exploitation may have already taken place.

Further information on the vulnerability can be found on our previous advisory linked below.

What can I do?

If you have not already updated to a Citrix version that resolves this vulnerability, Black Arrow recommends applying these updates urgently. All affected systems, whether updated or still vulnerable, should be scanned for indicators of compromise (IoCs); Mandiant has released a tool that can help organisations scan their Citrix devices for evidence of post-exploitation indicators. If IoCs are identified, forensic data should be secured by taking a copy of both the disk and the memory of the appliance before any remediation or investigative actions are completed. If evidence of persistence such as a webshell is found, it should be investigated through threat hunting techniques to establish the extent of the incident whilst conducting containment and remediation activities.

More information on the NetScaler vulnerability:

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Information on the Mandiant Tool:

https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519

Further information on the study of the exploited devices:

https://research.nccgroup.com/2023/08/15/approximately-2000-citrix-netscalers-backdoored-in-mass-exploitation-campaign/

Previous Advisory: https://www.blackarrowcyber.com/blog/advisory-19-july-2023-citrix-vulns-exploited


Black Arrow’s Perspective: The Duality of AI, Empowering Business and Cyber Attackers Alike


Artificial Intelligence (AI) has unlocked countless doors to innovation, paving the way for unprecedented efficiency, automation, and business intelligence in organisations globally. However, the AI we so keenly herald as a catalyst for advancement is not without its dangers. From a cyber security perspective, the risks associated with AI, particularly those concerning insider threats and AI-driven attacks, are of increasing concern.


Consider the potential of AI in the wrong hands

Threat actors leverage AI to enhance their illicit activities. Sophisticated cyber attacks, traditionally relegated to a small number of skilled and capable individuals or groups, could be automated and exponentially expanded in scale. The very virtues that make AI so appealing to businesses - scalability, adaptability, and autonomy - are transformed into threats by attackers to harm those same businesses as well as individuals. A cyber attacker utilising AI tools could easily automate processes like social engineering attacks, identifying system vulnerabilities, or developing advanced malware that adapts to today’s countermeasures.

AI has catapulted the capabilities of attackers

Reflect on the MOVEit scandal this summer that has impacted tens of millions of individuals globally. In May this year, the Russian-based CL0P ransomware gang exploited a previously undiscovered vulnerability in the popular file transfer platform called MOVEit. The platform is a component of the supply chain that is used by many companies, paradoxically to keep their documents secure from unauthorised access. Nonetheless, the attackers managed to break into MOVEit in different organisations to harvest the information within it, or use that access as a door to other parts of the target’s systems. So far, the compromise has claimed sensitive data from at least 230 firms across the world, from government and education to transport and finance including Ernst & Young, British Airways, the BBC and Tesco Bank. The heist undoubtedly took significant skill and expertise to accomplish, and highlights the need to manage the security within the chain of organisations and systems that are connected across borders and sectors.

Now, imagine what happens when attackers conduct these kinds of attacks by leveraging the power and creativity of AI. Attackers are constantly probing and identifying novel methods of attack, to swiftly bypass existing security measures and evade detection. With AI, attackers are already sending out seemingly flawless phishing messages to successfully break into systems through people, and will soon attack technology systems using AI in sophisticated ways at a rate that humans cannot possibly keep pace with.

Poisoning the AI data pool

Beyond harnessing AI for malicious intent, threat actors could exploit AI systems' inherent vulnerabilities. One alarming method is adversarial machine learning; this is a technique wherein 'poisoned' data is used to manipulate AI algorithms. In a cyber security context, attackers could intentionally feed misleading data into AI security systems, causing them to overlook genuine threats or behave unpredictably. People may be inclined to trust the output of AI making autonomous decisions, because they do not believe that malicious or false information could have been added into the source data.

AI models used in sensitive sectors like healthcare, finance, or defence are an attractive target for intellectual property theft. The very algorithms that drive insights, predictions, and automated decisions could be stolen, reverse-engineered, or used maliciously. The successful theft of an AI model could cause extensive financial loss, and potentially even endanger national security.

Insider threats

The realm of insider threats is yet another frontier where AI's risk factors come to the fore. Consider the rise of powerful language models like ChatGPT, that must be handled with care in organisations because sometimes, employees unwittingly become a threat.

Samsung reported that their staff had leaked sensitive proprietary information by inputting it into such models. Many organisations such as Amazon and Apple have already banned their employees from using publicly accessible generative AI systems like ChatGPT, and have instead provided their own private alternatives for internal use.

How to protect your organisation

Mitigating the dangers of AI requires a two-pronged approach. First, robust AI governance is needed at a national and international level. Governments must implement ethical guidelines, transparency measures, and regulation; however, these measures are unlikely to be implemented at a pace that matches the development and adoption of AI. Secondly, organisations must themselves immediately begin to foster a culture of AI and cyber security awareness among their employees. Clear communication about the capabilities and potential dangers of AI, coupled with training employees to recognise AI-enhanced threats and implementing strong cyber security controls across people, operations and technology can all help in this endeavour.

The advent of AI has ushered in a new era of previously unimaginable benefits, and risks. From AI-driven cyber attacks to the dangers posed by employee use, the threats are real and rapidly evolving. As organisations increasingly and inevitably adopt AI, they must stay vigilant to these threats and proactively invest in robust cyber security measures to safeguard against them. The reality of AI and cyber security is a delicate balancing act that we are all learning as we leverage those benefits while mitigating the risks.

Contact us to discuss how to embrace AI and manage the risks to your organisation

An increasing number of organisations are contacting us to take advantage of our expertise and advice on how they can benefit from AI while managing the complex risks. Contact us today to discuss how we can help you assess and govern the risks through cyber security controls across people, operations and technology.


Black Arrow Cyber Advisory 10 August 2023 – Microsoft Patch Tuesday Fixes 86 Vulnerabilities, including Two Actively Exploited, and Adobe Updates Summary


Executive summary

Microsoft’s August Patch Tuesday provides updates to address 86 security issues across its product range, including two zero-day vulnerabilities (CVE-2023-36884, CVE-2023-38180). The vulnerabilities allow remote code execution and denial of service. Among the updates provided by Microsoft, 6 addressed critical vulnerabilities.

What’s the risk to me or my business?

The vulnerabilities allow an attacker to remotely execute code and cause a denial of service, impacting the confidentiality, integrity and availability of data held by an organisation. CVE-2023-38180, which is a denial-of-service vulnerability, has been recorded by the US Cybersecurity and Infrastructure Security Agency (CISA) in its "Known Exploited Vulnerabilities" Catalogue.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied immediately for the zero-day vulnerabilities and as soon as possible for all other vulnerabilities. Microsoft has also published a separate advisory for CVE-2023-36884.

Technical Summary

CVE-2023-36884: This vulnerability, if exploited, allows threat actors to create specially crafted documents that bypass Mark of the Web (MoTW) security features, causing files to be opened with no warning and allowing a threat actor to perform remote code execution.

CVE-2023-38180: The actively exploited vulnerability allows an attacker to cause a denial-of-service attack on .NET applications and Visual Studio.


Adobe

In addition to Microsoft's Patch Tuesday, Adobe released fixes for 36 vulnerabilities, of which 19 were rated critical. The critical vulnerabilities spanned Adobe Acrobat and Reader (16), Adobe Commerce and Adobe Dimension (2). Currently, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak and security bypass.


Further details on other specific updates within this Patch Tuesday can be found here:

https://www.ghacks.net/2023/08/08/the-windows-august-2023-security-updates-fix-critical-vulnerabilities-and-internet-explorer/

Further details about CVE-2023-38180 can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180

Further details about CVE-2023-36884 can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

The advisory from Microsoft can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/ADV230003

Further information on CISA's Known Exploited Vulnerabilities Catalog can be found here:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Further details of the vulnerabilities addressed in Adobe Acrobat DC and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-30.html

Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb23-42.html

Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-44.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 25 July 2023 – ‘Zenbleed’ Vulnerability Affecting AMD Zen2 Processors


Executive Summary

A vulnerability dubbed 'Zenbleed' was discovered in AMD's Zen 2 microarchitecture which could enable a malicious attacker to steal sensitive data, such as passwords and encryption keys. The Zenbleed vulnerability has been found to affect all AMD Zen 2 processors, including various models of the Ryzen and EPYC processor series. Zenbleed requires local account access to the target system and a high degree of specialisation and knowledge to exploit; however, a proof of concept has now been publicly released.

What’s the risk to me or my business?

Exploitation of this vulnerability could compromise the confidentiality of data held or accessed through an affected device, allowing an attacker to gain unauthorised access to sensitive data. In addition, detection of the exploitation has been reported as almost impossible due to there being no requirement for elevated privileges to perform the attack. This vulnerability could also allow a malicious actor on a shared tenancy environment to access information running on the same server from a different tenant.

What can I do?

This vulnerability affects all Zen 2 class processors and as such it is essential to prioritise the patching of the upcoming updates to protect devices from this vulnerability when they become available. AMD has released a security bulletin detailing the AGESA firmware updates which will be included within the BIOS updates for affected processors, and has classified the vulnerability as 'Medium' severity. Microcode updates have been created for the affected AMD EPYC processors; however, updates for the Desktop, Mobile, High-end Desktop and Workstation processors are scheduled for later in the year. Once OEMs have released BIOS updates, it is strongly recommended that they are applied after appropriate testing has taken place.

In the meantime, a workaround has been recommended by the security researcher who discovered the vulnerability. If you are unsure whether you are impacted or how to implement the mitigation, then you should contact your vendor/MSP. Please note, workarounds are not a permanent fix and Black Arrow maintains that the patches should be applied when available.

Technical Summary

CVE-2023-20593 – If successfully exploited this vulnerability allows a malicious actor to access sensitive data from any system operation including those taking place in virtual machines, isolated containers, and sandboxes.

Affected product ranges include:

  • 2nd Generation AMD EPYC “Rome” Processors

  • AMD Ryzen 3000 and 4000 series Desktop Processors

  • AMD Ryzen Threadripper 3000 and 3000WX series High End Desktop and Workstation Processors

  • AMD Ryzen 4000, 5000 and 7020 series Mobile Processors

Further details of the Zenbleed vulnerability can be found here:

https://lock.cmpxchg8b.com/zenbleed.html

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

Need help understanding your gaps, or just want some advice? Get in touch with us.


Black Arrow Cyber Advisory 25 July 2023 – Newly Exploited Apple-Zero Day Addressed, Patch Now


Executive Summary

Apple has recently released multiple patches, covering a number of vulnerabilities, including one actively exploited zero-day. The zero-day vulnerability has been found to affect devices running vulnerable versions of iOS, iPadOS, macOS, tvOS, watchOS and Safari. The actively exploited zero-day allows threat actors to obtain the highest privileges available (kernel privileges) on affected devices. Earlier this month, another actively exploited zero day, CVE-2023-37450, was addressed by Apple through a Rapid Security Response update.

What’s the risk to me or my business?

Exploitation of the vulnerability could allow an attacker unauthorised access to sensitive data, allowing them to manipulate or delete important information, or even take over the entire device, compromising the confidentiality, integrity, and availability of the data held by an exploited device. In some cases, threat actors are exploiting the vulnerability to install spyware on vulnerable devices.

What can I do?

Given the widespread use of Apple devices for both corporate and personal use, it is important to prioritise the application of the released patches to protect devices. Apple has also released patches addressing these vulnerabilities for products that are no longer supported. We recommend updating your devices promptly to these latest versions. Apple has acknowledged active exploitation of these vulnerabilities and as such recommends updating immediately. Organisations that do not use Apple devices, but have a bring your own device policy, should consider whether this may include Apple devices.

Apple has addressed the zero-day in the following versions:

  • macOS Ventura 13.5

  • iOS 16.6

  • iPadOS 16.6

  • Safari 16.6

  • tvOS 16.6

  • watchOS 9.6

Technical Summary

CVE-2023-38606 – Successful exploitation of this flaw could lead to a threat actor obtaining kernel privileges (the highest available). This allows the malicious actor to "modify sensitive kernel state".

Information on all vulnerabilities addressed can be found in the links below:

Further information on the iOS and iPadOS vulnerabilities can be found here:

https://support.apple.com/en-us/HT213841

Further information on the Mac vulnerabilities can be found here:

https://support.apple.com/en-us/HT213843

Further information on the Safari vulnerabilities can be found here:

https://support.apple.com/en-gb/HT213847

Further information on the tvOS vulnerabilities can be found here:

https://support.apple.com/en-gb/HT213846

Further information on the watchOS vulnerabilities can be found here:

https://support.apple.com/en-gb/HT213848

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 20 July 2023 – OpenSSH Remote Code Execution Vulnerability


Executive Summary

A remote code execution vulnerability has been discovered in OpenSSH's forwarded ssh-agent. This vulnerability could potentially enable a remote attacker to execute arbitrary commands on a vulnerable system. Whilst this vulnerability has not currently been given a CVSS rating, the affected component is embedded in a significant number of systems and devices. A proof of concept (PoC) has also been made public by the Qualys Threat Research Unit.

Technical Summary

CVE-2023-38408 – Successful exploitation of this vulnerability allows a remote attacker to execute commands on vulnerable OpenSSH forwarded ssh-agents.

What’s the risk to me or my business?

Successful exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the data in your organisation. This can result in a malicious actor gaining unauthorised access to sensitive data, manipulation or deletion of important information, or even a complete system takeover. The publicly released PoC exploits focus on Ubuntu Desktop 22.04 and 21.10; however, the Qualys Threat Research Unit has advised that other Linux distributions are "likely vulnerable and probably exploitable".

The patch for this vulnerability is available in OpenSSH 9.3p2.

What can I do?

Given the widespread use of OpenSSH's forwarded ssh-agent in devices, software and applications, it is important to prioritise the application of the patches provided by OpenSSH for this vulnerability. Black Arrow recommends performing vulnerability scanning to identify any devices and software that have been impacted by this vulnerability.

More information on the OpenSSH vulnerability can be found here:

https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent

An in-depth breakdown of the vulnerability can be found here:

https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 19 July 2023 – Critical Citrix ADC and Gateway flaw actively exploited


Executive Summary

Citrix have released a patch for three vulnerabilities, including one critical vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). If exploited, the critical vulnerability allows an unauthenticated malicious actor to perform remote code execution. The other two vulnerabilities allow an attacker to gain root administrator permissions and deliver malicious files and links to a victim.

Technical Summary

CVE-2023-3519 – This is a critical vulnerability which allows an unauthenticated attacker to perform remote code execution. For it to work, the appliance must be configured as a gateway.

CVE-2023-3466 – This vulnerability, categorised as high, allows an attacker to perform reflected cross-site scripting, allowing them to deliver malicious files, links, and emails. For it to work, the victim must access an attacker-controlled link in the browser while on the network.

CVE-2023-3467 – This vulnerability, categorised as high, allows an attacker to perform privilege escalation to gain the highest available privileges (root). For successful exploitation, the attacker needs authenticated access to the management interface.

What's the risk to me or my business?

The vulnerabilities allow for a range of attacks such as unauthenticated remote code execution, privilege escalation to root as well as enabling an attacker the ability to distribute malicious files, links, and emails to users. All of which compromise the confidentiality, integrity, and availability of the data in your organisation.

Impacted versions of the products include the following:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13

  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13

  • NetScaler ADC 13.1-FIPS before 13.1-37.159

  • NetScaler ADC 12.1-FIPS before 12.1-55.297

  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Citrix advises customers to upgrade their appliances to one of the supported versions that address the vulnerabilities.

What can I do?

Citrix recommends applying the patches it has made available in the following versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases of 13.1

  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0

  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS

  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS

  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

More information on the Citrix ADC and Gateway vulnerabilities can be found here:

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 17 July 2023 – Cisco SD-WAN vManage Vulnerable to Remote Unauthenticated Access


Executive Summary

A critical vulnerability has been identified and addressed in Cisco's network management software, SD-WAN vManage. The vulnerability allows a remote unauthenticated attacker to gain read or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the command line interface.

What’s the risk to me or my business?

Successful exploitation of the critical vulnerability allows a remote unauthenticated threat actor to read sensitive information from the compromised system, modify certain configurations, and disrupt network operations. This will compromise the confidentiality, integrity, and availability of data in your organisation.

The following Cisco SD-WAN vManage versions are affected by the vulnerability:

  • v20.6.3.3 – fixed in v20.6.3.4

  • v20.6.4 – fixed in v20.6.4.2

  • v20.6.5 – fixed in v20.6.5.5

  • v20.7 – migrate to a fixed version

  • v20.8 – migrate to a fixed version

  • v20.9 – fixed in v20.9.3.2

  • v20.10 – fixed in v20.10.1.2

  • v20.11 – fixed in v20.11.1.2

What can I do?

There are no workarounds for the critical vulnerability. As such, it is advised that patches are applied immediately. For versions v20.7 and v20.8, Cisco advises customers to migrate to a fixed release. Cisco has given advice on how to reduce the attack surface for this attack, including actions such as monitoring logs for the REST API and limiting access to specified instances. If you are unsure, check with your MSP or network team to ensure these are in place.

More information on the Cisco SD-WAN vManage vulnerability can be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 12 July 2023 – Microsoft Patch Tuesday, including 6 actively exploited vulnerabilities, and Adobe Updates


Executive summary

Microsoft's July 2023 Patch Tuesday provides updates to address 138 security issues across its product range, including six actively exploited zero-day vulnerabilities. The exploited zero-day vulnerabilities use a range of Microsoft Windows products to bypass security features, elevate privileges and perform remote code execution. Among the updates provided by Microsoft, 9 addressed critical vulnerabilities.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker with standard user access, to gain elevated privileges, or install kernel drivers, depending on the exploit used. Other risks such as bypassing security features of Microsoft Outlook and performing remote code execution can occur. This could allow an attacker to further compromise the confidentiality, integrity and availability of the organisation’s information assets.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities. Other mitigations have been provided by Microsoft and can be found below in the further details section.

Technical Summary

CVE-2023-32046 – This actively exploited vulnerability targets the MSHTML Platform and could allow an attacker to elevate their privileges to those of the user running the affected application.

CVE-2023-32049 – This actively exploited vulnerability targets Windows SmartScreen, allowing an attacker to bypass security features including the security warning prompt.

CVE-2023-36874 – This actively exploited vulnerability targets the Windows Error Reporting Service, allowing an attacker to elevate privileges to administrator.

CVE-2023-36884 – This actively exploited vulnerability targets Office and Windows HTML, allowing an attacker to perform remote code execution.

CVE-2023-35311 – This actively exploited vulnerability targets Microsoft Outlook and bypasses a security feature; however, to exploit it an attacker would have to get a user to click a specially crafted link through phishing or social engineering.

ADV230001 – This is a Microsoft signed driver that has been maliciously used in post-exploitation activity which abused a Windows policy loophole to install malicious kernel-mode drivers.


Adobe

This month, Adobe released fixes for 4 vulnerabilities, of which 3 were rated critical, across Adobe InDesign and Adobe ColdFusion. At present, Adobe are not aware of any active exploitation of the listed vulnerabilities; however, the advice is to update the affected products according to their priority rating, which can be found in the details below. The vulnerabilities include remote code execution, memory leak and security bypass.


Further details on other specific updates within this patch Tuesday can be found here:

https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/  

Further details about CVE-2023-32046 can be found here:                     

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32046

Further details about CVE-2023-32049 can be found here: 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32049

Further details about CVE-2023-36874 can be found here: 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874

Further details about CVE-2023-36884 can be found here:                   

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

Further details about CVE-2023-35311 can be found here:                   

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311

Further details about ADV230001 can be found here:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230001

Further details of the vulnerabilities addressed in Adobe InDesign can be found here:

https://helpx.adobe.com/security/products/indesign/apsb23-38.html

Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here:

https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory – 06 July 2023 – Microsoft Teams Vulnerability Allows Malware Delivery from External Accounts


Executive Summary

A vulnerability has been discovered in Microsoft Teams which allows malicious actors to circumvent the application's built-in restrictions for files originating from external sources. The ‘TeamsPhisher’ tool, developed by the US Navy’s Red Team and freely available, takes advantage of this technique to let an attacker easily send a malicious attachment to a targeted set of Teams users. Exploiting this vulnerability enables attackers to distribute malware to users from accounts that are external to the target’s Microsoft tenant, posing significant risks to individuals and businesses.

What’s the risk to me or my business?

Exploiting this vulnerability enables malicious actors to engage in social engineering and phishing attacks by leveraging Microsoft Teams as a communication platform. Furthermore, it bypasses all built-in security restrictions, allowing the delivery of malicious payloads directly to users' inboxes. Clicking or launching these payloads can grant attackers further access to your systems, compromising the confidentiality, integrity, and availability of your organization's data.

What can I do?

At this time Microsoft has not yet issued a fix for this problem but has provided the following statement to ‘Bleeping Computer’: “We’re aware of this report and have determined that it relies on social engineering to be successful.

We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

To mitigate the risk, it is advised that you turn off communication with external tenants. However, if this is not possible because you need to communicate regularly with clients, it is advised to change the security settings to allow only the specific domains that are required. Both actions can be done in Microsoft Teams Admin Center > External Access. It is important to emphasise within your organisation that phishing attacks can take various forms other than email. Therefore, it is essential to maintain constant vigilance in all aspects of online communication.

More information on the Microsoft Teams phishing technique can be found here:

https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/

https://github.com/Octoberfest7/TeamsPhisher

https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Insight 06 July 2023 – NHS Trust Breached, Personal Information Leaked


Executive Summary

Last weekend, Barts Health NHS Trust was breached in a cyber attack by the Russian-linked cyber crime gang ALPHV, also known as BlackCat. The attackers claimed to have acquired seven terabytes of internal documents from the trust’s systems. A selection of files, including copies of driving licences, passports and correspondence, has already been leaked, and it is believed that more is to come. This comes after other recent cyber attacks, such as the MOVEit hack, which has impacted over 130 organisations and 15 million individuals.

What’s the risk to me or my business?

The availability of such detailed personal information poses an increased risk of threat actors exploiting it for phishing purposes, and also increases the likelihood that the information could be used for identity fraud. With access to data such as previous email chains with an individual, phishing attacks can appear more authentic, for example as responses to legitimate requests, making them more likely to succeed.

What can I do?

To help mitigate the risk, Black Arrow strongly recommend maintaining a high level of vigilance and awareness. It is crucial to understand that the presence of personal or confidential information in a message alone does not guarantee its authenticity. Take the time to double-check any suspicious communication or request before sharing sensitive information. By remaining cautious and verifying the legitimacy of any unexpected or unusual messages, you can reduce the likelihood of falling victim to phishing attacks. It is also recommended that individuals monitor their own personal accounts for suspicious activity, including the information held by credit reference agencies such as Equifax and TransUnion, to identify potential cases of identity theft.

More information on the NHS Breach can be found here: https://www.telegraph.co.uk/news/2023/06/30/russia-may-have-hacked-nhs-trust-with-two-million-patients/

More information on the MOVEit attack can be found here: https://www.securityweek.com/over-130-organizations-millions-of-individuals-believed-to-be-impacted-by-moveit-hack/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory - 26 June 2023 – Organisations Urged to Address Critical Vulnerability Found in Fortinet’s FortiNAC Products


Executive summary

A critical vulnerability has been identified and addressed in Fortinet FortiNAC products. FortiNAC is Fortinet’s network access control solution, and successful exploitation of the critical vulnerability allows a threat actor to remotely execute code without requiring authentication. In addition, another vulnerability in FortiNAC which allowed improper local access has been addressed.

What’s the risk to me or my business?

The vulnerabilities, if exploited, could allow an attacker to remotely execute code or copy local files, either of which compromises the confidentiality, integrity and availability of data in your organisation.

Technical Summary

CVE-2023-33299 – This critical vulnerability is a deserialization of untrusted data flaw, allowing an unauthenticated user to execute code or commands via specifically crafted requests.

CVE-2023-33300 – This vulnerability allows an unauthenticated attacker to copy local files to other local folders on a device through specially crafted input fields. It requires local access.

What can I do?

There is no mitigation advice for the critical vulnerability (CVE-2023-33299). As such, customers are urged to immediately upgrade their FortiNAC version depending on the affected product in use. There is no upgrade available for any FortiNAC products running version 8.x. The other vulnerability, CVE-2023-33300, requires users on affected versions to upgrade to 9.4.4 or above or 7.2.2 or above.

Affected products for the critical vulnerability and their patches include:

- FortiNAC version 9.4.0 through 9.4.2: upgrade to 9.4.3 or above

- FortiNAC version 9.2.0 through 9.2.7: upgrade to 9.2.8 or above

- FortiNAC version 9.1.0 through 9.1.9: upgrade to 9.1.10 or above

- FortiNAC version 7.2.0 through 7.2.1: upgrade to 7.2.2 or above

- FortiNAC 8.8 all versions

- FortiNAC 8.7 all versions

- FortiNAC 8.6 all versions

- FortiNAC 8.5 all versions

- FortiNAC 8.3 all versions

Affected products for CVE-2023-33300 include:

- FortiNAC 9.4.0 through 9.4.3: upgrade to 9.4.4 or above

- FortiNAC 7.2.0 through 7.2.1: upgrade to 7.2.2 or above

Further details on Fortinet’s advisories for the critical vulnerability can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-074

Further details on Fortinet’s advisory for CVE-2023-33300 can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-096

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 22 June 2023 – Rising Threats Facing the Apple Ecosystem, affecting Mac and iOS Devices


Executive Summary

Open Source Intelligence (OSINT) research conducted by Black Arrow Cyber has identified a number of threats against the Apple ecosystem, some of which are reported to have nation state involvement. It is important to highlight that any internet-enabled product can be a target for attackers; therefore appropriate protective controls should always be considered for all devices, especially those used to directly access sensitive information.


MacOS “Migraine” Vulnerability

Recently, Microsoft revealed a new macOS vulnerability dubbed “Migraine” (CVE-2023-3269) which impacts vulnerable Apple devices running macOS. The vulnerability allows an attacker who already has root access (the highest level of permissions) to bypass the built-in security protections, gaining remote code execution and the ability to create undeletable malware, tamper with the integrity of systems and expand the attack to the rest of the network. Apple has released a security patch which addresses this vulnerability; further details can be found at the bottom of this post.


iOS “Operation Triangulation”

Reports have identified a new state-sponsored advanced persistent threat group that has been targeting iOS devices as part of an attack campaign labelled “Operation Triangulation”. The campaign is carried out using an invisible iMessage with a malicious attachment which, when executed on a device, installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers, including microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device. This trojan is targeting middle and upper management staff, with the only workaround currently being a complete reset of the device.


Complex toolkit with files allowing backdoor capabilities targeting macOS

Bitdefender researchers have recently discovered a set of malicious files that are part of a sophisticated toolkit targeting Apple macOS systems. The toolkit allows an attacker to gather system information, run commands, download and execute files on the victim’s machine, and terminate the exploit script. The malicious files predominantly target macOS Monterey (version 12) and newer.


Growing Malware Threats to macOS

In addition, further growing threats to macOS have been recorded in the wild. These include:

- Threat actor groups Lazarus and BlueNoroff using malware dubbed “RustBucket” in financially motivated attacks to target users and steal victims’ data.

- Reports identifying ransomware gangs, including the infamous LockBit, developing encryptors that target macOS, specifically Macs with M1 chips. There is no current working version of this malware.

- A rise in the use of XCSSET malware, which exploits multiple zero-days found in the Apple Safari browser to download a developer version of the app on the target’s device, giving it access to data from other apps such as Skype, Telegram, Notes, and screen recorders.

- An increase in the use of malware-as-a-service (MaaS), such as Atomic macOS Stealer, which is capable of stealing passwords, credentials, cookies, browser data, auto-fills and other important information, and MacStealer, which extracts information from compromised systems.

- The well-known 3CX attack, in which a state-sponsored APT altered the macOS version of the 3CX desktop client to deliver further malware and exfiltrate data.


Mac Vulnerabilities

Looking at the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue, there have been 36 actively exploited vulnerabilities recorded relating to devices running macOS since 2021.


What’s the risk to me or my business?

An organisation which neglects the security of any asset, relying on reputation or built-in protections alone, leaves itself open to potential compromise of the confidentiality, integrity and availability of the data held on, or accessed through, that asset; this includes Apple devices. Such assets include devices purchased by the organisation for use as corporate devices and those personally owned by employees and used as part of Bring Your Own Device schemes.


What can I do?

Endpoint protection technologies and security hardening, including anti-malware, firewalls and detection solutions, should be considered for all endpoints, including those that run Windows, macOS, Linux, Android and iOS.

Organisations should ensure that their asset registers are up to date and include all assets which hold or access organisational information. The better the view an organisation has of its attack surface, the greater its cyber resilience will be. This should be supplemented with an effective threat intelligence programme, allowing organisations to keep up to date with emerging threats.


Further information can be found here:

macOS “Migraine” Vulnerability: https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/

Lockbit Encryptors found targeting macOS: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/

iOS Operation Triangulation: https://usa.kaspersky.com/blog/triangulation-attack-on-ios/28444/

6 Growing Malware Threats to macOS: https://www.darkreading.com/endpoint/top-macos-malware-threats-proliferate

Malicious Files with Backdoor targeting macOS attack: https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory - 22 June 2023 – Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari


Executive summary

Apple has recently released updates for iOS, iPadOS, macOS, watchOS and the Safari browser. These updates address a set of flaws that were actively exploited in the wild, the most severe of which allows an attacker to perform arbitrary code execution.

What’s the risk to me or my business?

Depending on the privileges associated with the user, if the vulnerability is successfully exploited an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. This can lead to compromise of the confidentiality, integrity, and availability of organisational information that could be accessed from the affected asset.

Technical Summary

The two vulnerabilities below have been actively exploited in the mobile surveillance campaign called Operation Triangulation.

CVE-2023-32434 – This is an integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435 – This is a memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

The updates are available for the following platforms:

  • iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

  • iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

  • macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8

  • watchOS 9.5.2 - Apple Watch Series 4 and later

  • watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE, and

  • Safari 16.5.1 - Macs running macOS Monterey

What can I do?

It is recommended to apply the update provided by Apple to all vulnerable systems immediately as the flaws have been addressed in this patch.

Further details on the Apple security updates can be found here: https://support.apple.com/en-us/HT201222


Black Arrow Cyber Advisory - 22 June 2023 – Critical RCE flaw in VMware exploited in the wild


An update from an advisory published on the 8th June 2023 by Black Arrow: https://www.blackarrowcyber.com/blog/advisory-08062023-barracuda-cisco-vmware-vulns

Executive summary

VMware has confirmed that exploitation of the critical-rated CVE-2023-20887 has occurred in the wild. This vulnerability affects VMware Aria Operations (formerly known as vRealize Network Insight) and allows a malicious actor with access to the network to perform remote code execution (RCE).

What’s the risk to me or my business?

The vulnerability, if exploited using command injection, could give the attacker unrestricted root access, compromising the confidentiality, integrity, and availability of data in your organisation.

Impacted versions include: VMware Aria Operations Networks version 6.x.

What can I do?

VMware have recommended applying patches which they have made available for the following versions: 6.2/6.3/6.4/6.5.1/6.6/6.7/6.8/6.9/6.10.

There are no workarounds for this vulnerability.

Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Further details on the VMware patch can be found here: https://kb.vmware.com/s/article/92684


Black Arrow Cyber Advisory 14 June 2023 – June Microsoft Patch Tuesday Addresses 78 Security Issues, 6 Critical Updates


Executive summary

Microsoft’s June Patch Tuesday provides updates to address 78 security issues across its product range, including 6 critical vulnerabilities. June’s Patch Tuesday does not include any zero-day vulnerabilities or actively exploited bugs. The critical vulnerabilities include privilege escalation in Microsoft SharePoint; remote code execution in Microsoft Exchange Server, Windows PGM, .NET, .NET Framework and Visual Studio; and, finally, a denial of service in Windows Hyper-V.

What’s the risk to me or my business?

The vulnerabilities, if exploited, could allow an attacker to gain system privileges, remotely execute code and cause a denial of service, compromising the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible, especially those that have a critical severity rating.


Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/06/13/the-windows-june-2023-security-patches-are-here-and-address-these-issues/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity 


Black Arrow Cyber Advisory - 12 June 2023 – Organisations Urged to Address Critical Vulnerabilities Found in Fortinet and PaperCut Products


Executive summary

A recent report has highlighted the most notable software vulnerabilities in the first half of 2023, which included 2 critical actively exploited vulnerabilities in PaperCut MF and NG and in Fortinet FortiOS products. This comes as Fortinet have recently released a patch for a separate critical vulnerability in FortiOS. All three vulnerabilities allow an attacker to remotely execute unauthorised code and compromise the confidentiality, integrity and availability of data.


Fortinet

CVE-2023-27997 – This recent critical vulnerability is a flaw in the Secure Sockets Layer virtual private network (SSL-VPN) functionality which allows an unauthenticated attacker to achieve remote code execution and to interfere with VPN connections even if Multi-Factor Authentication (MFA) is in place. SSL-VPN is used to allow users to establish a secure, encrypted connection between the public internet and the corporate network.

CVE-2022-41328 – This is an improper limitation of a pathname (path traversal) vulnerability, allowing an attacker to access restricted files with read and write access. Exploitation allows the attacker to remotely install and execute malware.

What can I do?

Fortinet has released fixes that address the vulnerability CVE-2023-27997. Customers should apply the firmware updates as a matter of urgency. The following versions of FortiOS include patches for the vulnerability: 7.2.5, 7.0.12, 6.4.13 and 6.2.15. An advisory has not been publicly announced yet. Results from Shodan indicate around 250,000 publicly discoverable devices are vulnerable.

For CVE-2022-41328, customers are recommended to update the affected products immediately as this is being actively exploited.

Affected products include:

- FortiOS version 7.2.0 through 7.2.3 (patched in version 7.2.4 or above)

- FortiOS version 7.0.0 through 7.0.9 (patched in version 7.0.10 or above)

- FortiOS version 6.4.0 through 6.4.11 (patched in version 6.4.12 or above)

- FortiOS version 6.2.0 through 6.2.13 (patched in version 6.2.14 or above)

- FortiOS 6.0 all versions (no longer supported)
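Version lists like the one above, and the FortiNAC ranges in the 26 June advisory earlier on this page, are what a patch-status check has to be run against. The following is an added Python example, not Fortinet's or Black Arrow's code: it encodes the ranges exactly as this page states them and reports, for a given build, which CVEs apply and the first fixed release. The `assess` function, the data layout and the sample builds are assumptions of this example.

```python
"""Affected-version check for the Fortinet ranges quoted in this advisory.

Constructed example: the ranges below are copied from the advisory text
(FortiNAC CVE-2023-33299 / CVE-2023-33300 and FortiOS CVE-2022-41328).
The checker itself is hypothetical tooling, not a Fortinet utility.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.4.3' or '9.4' into a comparable 3-tuple (missing parts become 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    branch: Version                  # release branch, e.g. (9, 4)
    low: Optional[Version] = None    # inclusive bounds; None means every build on the branch
    high: Optional[Version] = None
    fixed: Optional[Version] = None  # first fixed release; None means no fix on this branch

    def matches(self, v: Version) -> bool:
        if v[:2] != self.branch:
            return False
        if self.low is None or self.high is None:
            return True  # whole branch is affected ("8.8 all versions")
        return self.low <= v <= self.high


def _span(cve: str, low: str, high: str, fixed: str) -> AffectedRange:
    lo, hi = parse_version(low), parse_version(high)
    return AffectedRange(cve, lo[:2], lo, hi, parse_version(fixed))


def _whole_branch(cve: str, branch: str) -> AffectedRange:
    return AffectedRange(cve, parse_version(branch)[:2])


# Ranges as stated on this page. For 8.x the FortiNAC advisory says no upgrade
# exists, and for FortiOS 6.0 the branch is out of support, so fixed stays None.
ADVISORY: Dict[str, List[AffectedRange]] = {
    "FortiNAC": [
        _span("CVE-2023-33299", "9.4.0", "9.4.2", "9.4.3"),
        _span("CVE-2023-33299", "9.2.0", "9.2.7", "9.2.8"),
        _span("CVE-2023-33299", "9.1.0", "9.1.9", "9.1.10"),
        _span("CVE-2023-33299", "7.2.0", "7.2.1", "7.2.2"),
        *[_whole_branch("CVE-2023-33299", b) for b in ("8.8", "8.7", "8.6", "8.5", "8.3")],
        _span("CVE-2023-33300", "9.4.0", "9.4.3", "9.4.4"),
        _span("CVE-2023-33300", "7.2.0", "7.2.1", "7.2.2"),
    ],
    "FortiOS": [
        _span("CVE-2022-41328", "7.2.0", "7.2.3", "7.2.4"),
        _span("CVE-2022-41328", "7.0.0", "7.0.9", "7.0.10"),
        _span("CVE-2022-41328", "6.4.0", "6.4.11", "6.4.12"),
        _span("CVE-2022-41328", "6.2.0", "6.2.13", "6.2.14"),
        _whole_branch("CVE-2022-41328", "6.0"),
    ],
}


def assess(product: str, version: str) -> Dict[str, Optional[str]]:
    """Map each CVE that applies to this build to its first fixed release.

    A value of None means the page gives no fix on that branch, so the only
    remediation is moving to a supported branch (or, for ESG-style advice
    elsewhere on this page, replacing the appliance).
    """
    v = parse_version(version)
    hits: Dict[str, Optional[str]] = {}
    for r in ADVISORY[product]:
        if r.matches(v):
            hits[r.cve] = ".".join(map(str, r.fixed)) if r.fixed else None
    return hits


if __name__ == "__main__":
    # Constructed sample builds, not real inventory data.
    for product, build in [("FortiNAC", "9.4.3"), ("FortiNAC", "8.7.1"),
                           ("FortiOS", "7.0.9"), ("FortiOS", "7.2.4")]:
        hits = assess(product, build)
        if not hits:
            print(f"{product} {build}: not in any affected range")
        for cve, fix in hits.items():
            print(f"{product} {build}: {cve} applies; "
                  f"fix -> {fix or 'no fix on this branch, change branch'}")
```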


PaperCut

CVE-2023-27350 – This vulnerability allows an unauthenticated attacker to pull information about a user stored within PaperCut MF or NG. This data includes usernames, full names, email addresses, office/department information and any card numbers associated with the user. The attacker can also retrieve the hashed passwords of internal PaperCut-created users only.

The following PaperCut MF and NG versions and components are affected by CVE-2023-27350 on all OS platforms:

- version 8.0.0 to 19.2.7

- version 20.0.0 to 20.1.6

- version 21.0.0 to 21.2.10

- version 22.0.0 to 22.0.8

What can I do?

PaperCut has recommended that customers upgrade all application servers and site servers and patch any of the affected products. This vulnerability has been addressed in PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9 and later.


Further details on the Fortinet vulnerability can be found here:

https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/

Further details on the Fortinet CVE-2022-41328 vulnerability can be found here:

https://www.fortiguard.com/psirt/FG-IR-22-369

Further details on the PaperCut vulnerability can be found here:

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219


Black Arrow Cyber Advisory 08 June 2023 – Barracuda, Cisco, and VMware Address Critical Security Flaws


Executive summary

This week, Barracuda, Cisco, and VMware have all addressed vulnerabilities in their products. The vulnerabilities allow an attacker to elevate privileges to the highest available and to remotely execute code. Both Cisco and VMware have released patches, whilst Barracuda have urged users to immediately replace appliances impacted by the vulnerability.


Barracuda

CVE-2023-2868: This is a remote code injection vulnerability which has been exploited for at least seven months, allowing a successful attacker to steal information from Barracuda Email Security Gateway (ESG) devices.

Impacted versions include:

  • ESG devices on version 5.1.3.001 through 9.2.0.006

What can I do?

Barracuda have stated that, regardless of the patch version level, customers must immediately replace impacted ESG appliances. If you are unsure, Black Arrow recommend checking with your MSP.


Cisco

CVE-2023-20178: This vulnerability, if exploited, can allow an attacker to execute code with SYSTEM privileges, the highest available.

Impacted versions include:

  • Cisco AnyConnect Secure Mobility Client Software for Windows (version 4.10 and earlier)

  • Cisco Secure Client Software for Windows (version 5.0). For releases earlier than 5.0, this is known as Cisco AnyConnect Secure Mobility Client for Windows.

CVE-2023-20105: A vulnerability which allows an administrator with read-only access to gain the ability to write to files.

CVE-2023-20192: A vulnerability which allows an authenticated local user to execute commands and modify configuration files. For this to be successful, the vulnerable version must have granted command line interface (CLI) access to a read-only administrator of the system.

Impacted versions include:

Cisco Expressway Series and Cisco TelePresence VCS version 14.0 and earlier.

What can I do?

Patches are available in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2 and should be applied. No workarounds are available.

For Cisco Expressway Series and Cisco TelePresence VCS version 14.0 and earlier, the first fixed releases are 14.2.1 for CVE-2023-20105 and 14.3.0 for CVE-2023-20192. As a mitigation for CVE-2023-20192, Cisco have recommended ensuring CLI access is disabled for read-only users; this should be disabled by default.


VMware

CVE-2023-20887: A command injection vulnerability, allowing an attacker to execute code remotely.

CVE-2023-20888: An authenticated deserialization vulnerability, allowing remote code execution.

CVE-2023-20889: An information disclosure vulnerability, where an attacker with network access can inject commands to extract information.

Impacted versions include:

  • VMware Aria Operations Networks version 6.x.

What can I do?

VMware have recommended applying patches available for versions: 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.


Further details on the Barracuda ESG vulnerabilities can be found here: https://www.barracuda.com/company/legal/esg-vulnerability

Further details on the Cisco vulnerability can be found here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw

Further details on the VMware vulnerabilities can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Further details of the patches available for VMware can be found here: https://kb.vmware.com/s/article/92684

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 06 June 2023 – Zyxel Firewall Vulnerability Under Active Exploitation - Patch Now


Executive Summary

A number of recently disclosed vulnerabilities in Zyxel firewalls are now known to be being actively exploited by malicious actors.

Two of these exploited vulnerabilities are buffer overflows which enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and achieve remote code execution. In addition, a further critical vulnerability has been disclosed which allows an unauthenticated attacker to execute operating system commands remotely by sending crafted packets to a device.

These vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue.

What’s the risk to me or my business?

The vulnerabilities, if exploited, allow an attacker to execute code remotely and cause a denial of service. This can allow an attacker to disable or modify the firewall rules, enabling further malicious attacks to breach the network, all of which impact the confidentiality, integrity and availability of the organisation’s data.

Technical Summary

CVE-2023-3309 – A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even remotely execute code on an affected device.

CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even remotely execute code on an affected device.

CVE-2023-28771 – Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some operating system commands remotely by sending crafted packets to an affected device.

The affected firewall products and versions are patched in version ZLD V5.36 Patch 2:

- ATP – versions: ZLD V4.32 to V5.36 Patch 1

- USG FLEX – versions: ZLD V4.50 to V5.36 Patch 1

- USG FLEX50(W)/USG20(W)-VPN – versions: ZLD V4.25 to V5.36 Patch 1

- VPN – versions: ZLD V4.30 to V5.36 Patch 1

The following affected product and versions are patched in version ZLD V4.73 Patch 2:

- ZyWALL/USG – versions: ZLD V4.25 to V4.73 Patch 1

What can I do?

It is recommended that patches are applied immediately for the impacted products. Zyxel has also issued guidance to disable HTTP/HTTPS services from the Wide Area Network (WAN) unless absolutely required, and to disable UDP ports 500 and 4500 if not in use. If you are unsure, it is advised to check with your MSP.

Further information can be found here:

https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance-for-the-recent-attacks-on-the-zywall-devices

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
