D1 Defend, Author at D1 Defend - Page 23 of 25 D1 Defend


Threat Intelligence: The Ever-Present Danger of Supply Chain Attacks

Posted: December 8, 2023

The situation with the Citrix Bleed vulnerability has escalated.   

At least 60 credit unions across the U.S. have been knocked offline by a ransomware attack against their third-party cloud provider in the past few days. Citrix Bleed was the attacker’s way in, but this email isn’t just about another vulnerability.

This email is about something far worse: supply chain attacks! We’re seeing case after case of devastating supply chain attacks that are crippling critical infrastructure, leaving everyday businesses as victims. 

One of the largest examples of this unfolded on July 2, 2021, against Kaseya, a Miami-based software company, a case that brings into focus the level of damage a supply chain attack can inflict. That attack against Kaseya disrupted nurseries, schools, pharmacies, and supermarkets in 17 countries. Millions of people were impacted.

Supply chain attacks are tricky because they work through existing relationships, and you can’t simply block them. Your MSP’s reputation is on the line, and guess what?  If hackers use you to get to your clients, your clients are in danger because of you. So, if you don’t take proactive steps, you’ve unknowingly added trojan horse software to your whitelists. 

Throughout 2023 we’ve seen attack after attack.  You may remember some of the major ones: 

  • February 2023 – Applied Materials Supply Chain Attack: A key partner of Applied Materials was targeted, causing a staggering $250 million loss in Q1 2023. This caused significant shipment delays and financial turmoil! 
  • February 2023 – University of San Francisco Attack: Imagine a doctor not being able to operate because of a system being offline for several days. Staff members were unable to access records or schedule surgeries and personal information belonging to clinical trial participants was stolen.  
  • March 2023 – 3CX Supply Chain Attack: Malware was silently delivered to and hidden in a number of client organizations. It acted as a ticking time bomb, with the hackers in control of the detonator switch.
  • June 2023 – MOVEit Supply Chain Attack: Personal data and flight safety were compromised in a massive breach, compromising travel security for thousands.

Supply chain attacks are no joke. We anticipate more supply chain attacks that use entry points such as the Citrix Bleed vulnerability.

Once you deploy a product, your vendor is given unchecked access to your network. You need to commit to becoming vigilant and increasing the readiness of your MSP and your clients. 

What’s the solution? Start by using a Level 1 pen test to see if you find any vulnerabilities in your client’s environment. 

Then, meet with the client to establish a recurring cadence with comprehensive, Level 3 pen tests that demonstrate supply chain attack vectors. One weak link can totally devastate your reputation, and it’s important that you’re not blindsided by that reality. 

Having a comprehensive test done regularly is the major line of defense to stop a supply chain compromise. You can use your quarterly meetings to guide clients from basic defense to a powerful shield of defense in layers.

As you continue to prepare your clients to survive a supply chain risk in the New Year, we want you to know that we’ve got your back. We’ll be adding additional details related to supply chain attacks in our pen test findings to ensure you don’t become a victim of a hacker with unchecked control over your clients. 

Please don’t ignore this invisible threat; reach out to your PSM about recurring Level 3 pen tests for you and your clients today, before a mistake that some other company made becomes your problem.

Contact Us Today!

Threat Intelligence: Critical Vulnerability in Self-Hosted Atlassian Confluence Instances

Posted: October 11, 2023

As of June 12th, 2023, Atlassian urgently addressed a high-severity zero-day vulnerability specific to its self-hosted Confluence Data Center and Server software, which has already seen malicious exploitation.

So, here are the details:

  • Attackers can exploit this vulnerability to create unauthorized Confluence administrator accounts in publicly accessible instances.
  • The flaw is fixed in Confluence Data Center and Server versions 8.3.3, 8.4.3, and 8.5.2.
  • The flaw is tracked as CVE-2023-22515 and rated critical.
  • With numerous Confluence servers accessible via the internet, there’s potential exposure for millions, especially those on affected versions.

Immediate Actions:

  • Update to the patched Atlassian Confluence versions (8.3.3, 8.4.3, or 8.5.2) without delay.
  • Engage and inform your clients regarding the urgency and significance of these patches.
  • Regularly monitor and inspect your systems for anomalies or suspicious activities.

This is very time sensitive since, given the history, vulnerabilities like these are often targeted soon after patches become available. That makes it crucial for organizations to enhance cybersecurity measures immediately.

We understand the risks associated with this vulnerability. Please contact us for assistance with patch implementation or any guidance on fortifying defenses against such threats.

Stay proactive and protected.


Threat Intelligence: Over 3 Million Mail Servers at Risk from High-Severity EXIM Vulnerability

Posted: October 2, 2023

This is an urgent update on a critical situation concerning Exim, the widely used mail transfer agent (MTA). Potentially 3 million mail servers will be impacted by this situation since more than half of all mail servers exposed to the internet are running on Exim according to a recent study by E-Soft Inc.

Here’s the tech 411:

Exim has been discovered to harbor several vulnerabilities, most notably CVE-2023-42115, CVE-2023-42116, and CVE-2023-42117. What does this mean? Well, if these vulnerabilities are exploited, they can grant malicious actors remote code execution capabilities. There are also growing concerns about the speed of Exim’s response to these vulnerabilities, with some patches reportedly taking up to four months to be released.

The good news:

A patch has been released today for these vulnerabilities, with the updated version being exim-4.96.1.

Immediate Actions for MSPs:

  1. Audit and identify any Exim installations within your and your clients’ networks.
  2. Apply the exim-4.96.1 patch immediately to mitigate the known vulnerabilities.

We’re here to help and collaborate during this crucial phase. Reach out for any support or clarifications.
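The audit step above, and the Confluence patch check earlier in this newsletter, both come down to comparing an installed version against the fixed release for its branch. This example is added here and is not D1 Defend's own tooling; the fixed versions are the ones the two advisories name, while the hostnames, inventory entries, and the assumption that an older branch without its own fix is unpatched are constructed for the demo.

```python
"""Flag installs below the fixed release for their branch (example code added
here, not D1 Defend's own tooling).  Fixed versions are the ones the Confluence
and Exim advisories name; hostnames and versions in the sample are constructed."""
import re

# Fixed releases named in the advisories.  Confluence shipped one fix per
# 8.x branch, so the check picks the fix matching the installed major.minor.
FIXED_VERSIONS = {
    "confluence": ["8.3.3", "8.4.3", "8.5.2"],
    "exim": ["4.96.1"],
}

def parse_version(text):
    """Turn '4.96.1' or 'Exim version 4.96 #2 built ...' into a tuple of ints."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def fixed_for_branch(product, installed):
    """Fix whose major.minor matches the installed branch.  Assumption: an older
    branch with no fix of its own is compared against the lowest fixed release,
    which errs on the side of flagging it."""
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    for fix in fixes:
        if fix[:2] == installed[:2]:
            return fix
    return fixes[0]

def needs_patch(product, version_text):
    """True when the installed version sorts below the fix for its branch.
    Tuple comparison makes (4, 96) < (4, 96, 1), so a bare 4.96 is flagged."""
    installed = parse_version(version_text)
    return installed < fixed_for_branch(product, installed)

# Constructed sample inventory as an MSP might collect it: the Exim entries are
# the first line of `exim -bV` output, the Confluence entries the admin UI version.
SAMPLE_INVENTORY = [
    ("wiki-01", "confluence", "8.4.1"),
    ("wiki-02", "confluence", "8.5.2"),
    ("mail-01", "exim", "Exim version 4.96 #2 built 05-Aug-2022 12:00:00"),
    ("mail-02", "exim", "Exim version 4.96.1 #2 built 02-Oct-2023 10:00:00"),
]

def hosts_needing_patch(inventory=SAMPLE_INVENTORY):
    """Hostnames whose installed version is below the fixed release."""
    return [host for host, product, ver in inventory if needs_patch(product, ver)]
```

Feed it the version strings you collect from each client host; anything it returns goes on the patch list for that day.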


Threat Intelligence: Critical Maximum-Rating Vulnerability in the libwebp Library

Posted: September 9, 2023

This alert is about a very serious vulnerability—identified as CVE-2023-5129—that could be hiding all over your clients’ environments. In fact, CVE-2023-5129 is so serious that Google has stamped it with their highest severity rating: a solid 10/10.

CVE-2023-5129 was initially classified as a Chrome issue. But we now realize that it pertains much more broadly to any software that utilizes the libwebp open-source library.

Here’s the technical gist: This flaw revolves around a heap buffer overflow in WebP, related to the Huffman coding algorithm used by libwebp for lossless compression. So malicious actors can potentially take advantage of this vulnerability to execute unauthorized commands or access sensitive data by using maliciously crafted pages.

The real problem, however, is that a lot of software uses the libwebp library. So we’re looking at a vast landscape of potential vulnerabilities that includes 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, native Android web browsers, and more.

Remediating this vulnerability therefore requires you to pinpoint every piece of software in your clients’ environments (and your own) that integrates the libwebp library.

This will be a huge undertaking. And it underscores the critical importance of maintaining a complete, accurate, and up-to-date software inventory. So we need to act fast and remediate thoroughly.
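One way to start that inventory on a single host, as an added example that is not D1 Defend's own tooling: walk a directory tree and list files whose bytes name the libwebp shared library or its exported WebP API. The marker list and the read size are assumptions, and the sample files are constructed stand-ins for real binaries.

```python
"""Scan a tree for files referencing libwebp (example added here, not D1 Defend's
own tooling).  Heuristic: matches the library soname and public API prefix in file
bytes; stripped static builds can slip through, so pair it with package-manager data."""
import os
import tempfile
MARKERS = (b"libwebp", b"WebPDecode", b"WebPGetInfo")  # soname + exported API
CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large browser binaries

def file_references_libwebp(path):
    """Return the first marker found in the file's bytes, or None."""
    overlap = max(len(m) for m in MARKERS) - 1  # so no match straddles two reads
    tail = b""
    try:
        with open(path, "rb") as fh:
            while chunk := fh.read(CHUNK):
                window = tail + chunk
                for marker in MARKERS:
                    if marker in window:
                        return marker.decode()
                tail = window[-overlap:]
    except OSError:
        pass  # unreadable or special file: skip it
    return None

def find_libwebp_users(root):
    """Walk root; return sorted (relative path, marker) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # scan real files once; skip links and special files
            marker = file_references_libwebp(path)
            if marker:
                hits.append((os.path.relpath(path, root), marker))
    return sorted(hits)

def demo():
    """Build constructed stand-ins for a host's binaries in a temp dir, scan them."""
    root = tempfile.mkdtemp()
    samples = {  # fake ELF-like contents, constructed for the demo
        "app-dynamic": b"\x7fELF\0\0NEEDED\0libwebp.so.7\0",
        "app-static": b"\x7fELF\0\0WebPDecodeRGBA\0VP8LDecodeImage\0",
        "libwebp.so.7.1.3": b"\x7fELF\0\0SONAME\0libwebp.so.7\0",
        "readme.txt": b"plain text, no image library here\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return find_libwebp_users(root)
```

Run `find_libwebp_users` against the application and library directories of each client host and merge the hits into the software inventory; every hit is a package that needs a vendor update for CVE-2023-5129.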

We can discuss CVE-2023-5129 further during office hours, coaching calls, and on the forum. But we need to get on this right away.

Stay tuned for new developments as this situation continues to quickly unfold.


Threat Intelligence: MGM Nightmare

Posted: September 14, 2023

Goliath has fallen.

MGM Properties got hit and they got hit hard. Yes, I’m talking about the company that owns 31 unique gambling and hotel properties. Their casino and hospitality operations were brought to their knees causing them to shutter MGM Grand and other Las Vegas properties. Gambling was shut down and patrons were left unable to enter their hotel rooms.

Who’s responsible? A group identified as “Scattered Spider” or UNC3944, an affiliate of a ransomware-as-a-service “BlackCat.”

Once they compromise a company and steal its data, Scattered Spider attacks virtual machines through virtual serial and administrative consoles and purposely injects vulnerable signed drivers to escalate privileges or move laterally within a network. They use BlackCat ransomware to strike a final blow.

The BlackCat ransomware, developed by UNC3507, or ALPHV, has been widely used by threat actors in many cybersecurity incidents in the last year. Did you know that nearly 12% of all cybersecurity attacks in 2022 involved the BlackCat ransomware, including the attacks on semiconductor manufacturer, Seiko, and the international auditing and accounting company, Mazars Group?

Scattered Spider is known for its reliance on social engineering to establish a point of entry into an organization, which means they psychologically manipulate their victims to get what they want. Then they use advanced techniques to capture critical business and personal information. As if they weren’t deadly enough, being based in the United States, Scattered Spider has an advantage over foreign adversaries. This helps them in doing scams that involve things like calling a victim and convincing them to click links, accept MFA requests, or run executables, for example.

Once into a system, Scattered Spider steals data from the organization, including business documents, personal information such as social security numbers, and client and customer data for use in double extortion. Ransomware is deployed—in this case BlackCat, developed by ALPHV—which allows Scattered Spider to extort the business for ransom. Not willing to pay a ransom? Scattered Spider then goes to work through their affiliate network to post the stolen information for the second extortion attempt.

While the MGM situation is still transpiring and many elements are still unknown, this attack highlights several areas of focus for all businesses and employees:

  • Defense In Depth is essential to ensure that a small breach doesn’t turn into a major business catastrophe
  • All employees must be continuously educated on how to resist social engineering exploits executed on them via email, text, or phone
  • Organizations must proactively run tests to ensure that their employees are in fact resisting social engineering tactics—and re-train any under-performing employees
  • Wise executives will press their suppliers, contractors, and other business partners to also take appropriate steps to assess and enhance their own security posture in order to further reduce their exposure to risk

But this doesn’t just stop with businesses and employees. Anyone who visited MGM properties is at additional risk, including those who have stayed at one of the hospitality properties or signed up for lines of credit. What should you do if this is you? Well, at the moment it’s still unclear what data was stolen, but it’s always a good idea to monitor bank accounts, credit/debit cards, and social security information.
