D1 Defend, Author at D1 Defend - Page 24 of 26 D1 Defend

Threat Intelligence: Critical Vulnerability in Self-Hosted Atlassian Confluence Instances

Posted: October 11, 2023

As of June 12th, 2023, Atlassian urgently addressed a high-severity zero-day vulnerability specific to its self-hosted Confluence Data Center and Server software, which has already seen malicious exploitation.

So, here are the details:

  • Attackers can exploit this vulnerability to create unauthorized Confluence administrator accounts in publicly accessible instances.
  • The flaw is fixed in Confluence self-hosted versions 8.3.3, 8.4.3, and 8.5.2.
  • The flaw is tracked as CVE-2023-22515.
  • With numerous Confluence servers accessible via the internet, there’s potential exposure for millions, especially those on affected versions.

Immediate Actions:

  • Update to the patched Atlassian Confluence versions (8.3.3, 8.4.3, or 8.5.2) without delay.
  • Engage and inform your clients regarding the urgency and significance of these patches.
  • Regularly monitor and inspect your systems for anomalies or suspicious activities.

This is very time-sensitive: historically, vulnerabilities like these are targeted soon after patches become available, which makes it crucial for organizations to enhance their cybersecurity measures immediately.

We understand the risks associated with this vulnerability. Please contact us for assistance with patch implementation or any guidance on fortifying defenses against such threats.

Stay proactive and protected.

Contact Us Today!

Threat Intelligence: Over 3 Million Mail Servers at Risk from High-Severity EXIM Vulnerability

Posted: October 2, 2023

This is an urgent update on a critical situation concerning Exim, the widely used mail transfer agent (MTA). Potentially 3 million mail servers could be affected, since more than half of all mail servers exposed to the internet are running Exim according to a recent study by E-Soft Inc.

Here’s the tech 411:

Exim has been discovered to harbor several vulnerabilities, most notably CVE-2023-42115, CVE-2023-42116, and CVE-2023-42117. What does this mean? Well, if these vulnerabilities are exploited, they can grant malicious actors remote code execution capabilities. There are also growing concerns regarding the speed of Exim’s response to these vulnerabilities, with some patches reportedly taking up to four months to be released.

The good news:

A patch has been released today for these vulnerabilities, with the updated version being exim-4.96.1.

Immediate Actions for MSPs:

  1. Audit and identify any Exim installations within your and your clients’ networks.
  2. Apply the exim-4.96.1 patch immediately to mitigate the known vulnerabilities.

We’re here to help and collaborate during this crucial phase. Reach out for any support or clarifications.


Threat Intelligence: Critical Maximum-Rating Vulnerability in the libwebp Library

Posted: September 9, 2023

This alert is about a very serious vulnerability—identified as CVE-2023-5129—that could be hiding all over your clients’ environments. In fact, CVE-2023-5129 is so serious that Google has stamped it with their highest severity rating: a solid 10/10.

CVE-2023-5129 was initially classified as a Chrome issue. But we now realize that it pertains much more broadly to any software that utilizes the libwebp open-source library.

Here’s the technical gist: This flaw revolves around a heap buffer overflow in WebP, related to the Huffman coding algorithm used by libwebp for lossless compression. So malicious actors can potentially take advantage of this vulnerability to execute unauthorized commands or access sensitive data by using maliciously crafted pages.

The real problem, however, is that a lot of software uses the libwebp library. So we’re looking at a vast landscape of potential vulnerabilities that includes 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, native Android web browsers, and more.

Remediating this vulnerability therefore requires you to pinpoint every piece of software in your clients’ environments (and your own) that integrates the libwebp library.

This will be a huge undertaking. And it underscores the critical importance of maintaining a complete, accurate, and up-to-date software inventory. So we need to act fast and remediate thoroughly.
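One way to start that inventory on Windows endpoints, as an added example that is not code from the D1 Defend post: the script below walks the given directories, reports any file whose name begins with libwebp, and flags other binaries that carry libwebp export or import names inside them. The root directories, the 200 MB size cap, and the marker strings (WebPGetDecoderVersion and WebPDecode are real libwebp API names) are this example's assumptions; a static build that stripped its symbols will not be found by the string check.

```powershell
# Added example (not from the D1 Defend post): inventory binaries that ship or embed libwebp.
# Assumptions: $Roots are local directories to scan; files larger than $MaxBytes are skipped.
function Find-LibWebpArtifacts {
    param(
        [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA"),
        [long]$MaxBytes = 200MB
    )
    $extensions = @('.dll', '.exe', '.node', '.pyd')
    $ascii = [System.Text.Encoding]::ASCII
    $results = foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'libwebp*' -or $extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $file = $_
                $reason = $null
                if ($file.Name -like 'libwebp*') {
                    $reason = 'libwebp library file'
                } elseif ($file.Length -le $MaxBytes) {
                    # Heuristic: look for libwebp's name or its exported API names in the binary.
                    try {
                        $text = $ascii.GetString([System.IO.File]::ReadAllBytes($file.FullName))
                        if ($text -match 'libwebp|WebPGetDecoderVersion|WebPDecode') {
                            $reason = 'binary references libwebp (bundled or statically linked)'
                        }
                    } catch { }
                }
                if ($reason) {
                    [pscustomobject]@{
                        Path    = $file.FullName
                        Version = $file.VersionInfo.FileVersion
                        Reason  = $reason
                    }
                }
            }
    }
    $results
}

Find-LibWebpArtifacts | Sort-Object Path | Format-Table -AutoSize -Wrap
```

The Version column is the host application's file version, not the libwebp version, so each hit still has to be matched against the vendor's advisory for CVE-2023-5129.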

We can discuss CVE-2023-5129 further during office hours, coaching calls, and on the forum. But we need to get on this right away.

Stay tuned for new developments as this situation continues to quickly unfold.


Threat Intelligence: MGM Nightmare

Posted: September 14, 2023

Goliath has fallen.

MGM Properties got hit and they got hit hard. Yes, I’m talking about the company that owns 31 unique gambling and hotel properties. Their casino and hospitality operations were brought to their knees causing them to shutter MGM Grand and other Las Vegas properties. Gambling was shut down and patrons were left unable to enter their hotel rooms.

Who’s responsible? A group identified as “Scattered Spider” or UNC3944, an affiliate of a ransomware-as-a-service “BlackCat.”

Once they compromise a company and steal its data, Scattered Spider attacks virtual machines through virtual serial and administrative consoles and purposely injects vulnerable signed drivers to escalate privileges or move laterally within a network. They use BlackCat ransomware to strike a final blow.

The BlackCat ransomware, developed by UNC3507, or ALPHV, has been widely used by threat actors in many cybersecurity incidents in the last year. Did you know that nearly 12% of all cybersecurity attacks in 2022 involved the BlackCat ransomware, including the attacks on semiconductor manufacturer Seiko and the international auditing and accounting company Mazars Group?

Scattered Spider is known for its reliance on social engineering to establish a point of entry into an organization, which means they psychologically manipulate their victims to get what they want. Then they use advanced techniques to capture critical business and personal information. As if they weren’t dangerous enough, being based in the United States gives Scattered Spider an advantage over foreign adversaries: native-sounding callers make scams such as phoning a victim and convincing them to click links, approve MFA requests, or run executables far more convincing.

Once into a system, Scattered Spider steals data from the organization, including business documents, personal information such as social security numbers, and client and customer data for use in double extortion. Ransomware is deployed—in this case BlackCat, developed by ALPHV—which allows Scattered Spider to extort the business for ransom. Not willing to pay a ransom? Scattered Spider then goes to work through their affiliate network to post the stolen information for the second extortion attempt.

While the MGM situation is still transpiring and many elements are still unknown, this attack highlights several areas of focus for all businesses and employees:

  • Defense In Depth is essential to ensure that a small breach doesn’t turn into a major business catastrophe
  • All employees must be continuously educated on how to resist social engineering attempts delivered via email, text, or phone
  • Organizations must proactively run tests to ensure that their employees are in fact resisting social engineering tactics—and re-train any under-performing employees
  • Wise executives will press their suppliers, contractors, and other business partners to also take appropriate steps to assess and enhance their own security posture in order to further reduce their exposure to risk

But this doesn’t just stop with businesses and employees. Anyone who visited MGM properties is at additional risk, including those who have stayed at one of the hospitality properties or signed up for lines of credit. What should you do if this is you? Well, at the moment it’s still unclear what data was stolen, but it’s always a good idea to monitor bank accounts, credit/debit cards, and social security information.


Threat Intelligence: URGENT Windows loophole gives Malware Kernel Level Access

Posted: July 14, 2023

Hackers are using open-source software that’s popular with video game cheaters to allow their Windows-based malware to bypass restrictions Microsoft put in place to prevent such infections from occurring.

The exploits have been released to the public in the form of free, available tools that are being repurposed by serious hackers to empower their malware with kernel access.

Kernel access is the equivalent of God-mode when it comes to privilege escalation and would allow an attacker to do just about anything. This new method is bypassing all of the driver restrictions that Windows released back in the days of Windows Vista.

In fact, this loophole exists because Microsoft wanted to ensure that older software could still run even after the updates. This is the hole that attackers are exploiting. They load malicious drivers with a signing date earlier than 2015, and then combine them with stolen or expired certificates and the tools from video game cheaters. This creates much more destructive malware.

Hackers are using the same sort of access that allows antivirus software to have such deep access to your system. Once an attacker gains administrative privileges, they can take it a step further, potentially being able to shut down EDR/MDR/XDR and other advanced security tools such as application control.

Unfortunately, Microsoft’s driver blocking capabilities currently seem to be broken. Although they have assured the community that this is fixed with the most recent Windows Updates, security researchers state that this is false.

We expect to see increased pressure on Microsoft in the coming days to release a better fix for this issue, but as it stands now, we recommend the following:

  • Ensure that all Windows systems are running the latest version of the operating system.
  • Monitor for any suspicious activity on the network, such as unusual outbound traffic or unexpected system drivers.
  • Regularly scan for malicious system drivers and remove any that are found.
  • Educate users on the importance of not downloading or installing software from untrusted sources.
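One way to act on the second and third recommendations, as an added example that is not code from the D1 Defend post: the script below enumerates the drivers currently loaded on a Windows host and flags the signs the post describes, an expired signer certificate that still passes Authenticode because of the legacy date exception, a signer certificate issued before the 2015 cutoff, a signature that is not valid at all, or a driver loaded from outside the drivers directory. The cutoff date and the "run elevated" requirement are this example's assumptions.

```powershell
# Added example (not from the D1 Defend post): audit running kernel drivers for the
# legacy-signing gap described above. Assumptions: run from an elevated PowerShell
# session; $LegacyCutoff approximates the "earlier than 2015" signing date in the post.
function Get-SuspiciousDrivers {
    param([datetime]$LegacyCutoff = (Get-Date '2015-01-01'))
    $now = Get-Date
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $svc = $_
            if (-not $svc.PathName) { return }
            # Normalise kernel-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
            $path = $svc.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate
            $flags = @()
            if ($sig.Status -ne 'Valid')                      { $flags += "signature status $($sig.Status)" }
            if ($cert -and $cert.NotAfter -lt $now)           { $flags += 'signer certificate expired' }
            if ($cert -and $cert.NotBefore -lt $LegacyCutoff) { $flags += 'signer certificate issued before legacy cutoff' }
            if ($path -notlike "$driverDir*")                 { $flags += 'loaded from outside System32\drivers' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Service = $svc.Name
                    Path    = $path
                    Signer  = if ($cert) { $cert.Subject } else { '(unsigned)' }
                    Flags   = ($flags -join '; ')
                }
            }
        }
}

Get-SuspiciousDrivers | Sort-Object Service | Format-Table -AutoSize -Wrap
```

A hit is a lead, not a verdict: legitimate vendor drivers signed under the old cross-signing program will also show an expired or pre-cutoff certificate, so compare each flagged file against the vendor's published hash before removing it.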
