Blogs Archives - Page 55 of 63 - D1 Defend D1 Defend


Threat Intelligence: Critical Vulnerability in Self-Hosted Atlassian Confluence Instances

Posted: October 11, 2023

As of June 12th, 2023, Atlassian urgently addressed a high-severity zero-day vulnerability specific to its self-hosted Confluence Data Center and Server software, which has already seen malicious exploitation.

Here are the details:

  • Attackers can exploit this vulnerability to create unauthorized Confluence administrator accounts on publicly accessible instances.
  • The affected self-hosted Confluence versions are fixed in releases 8.3.3, 8.4.3, and 8.5.2.
  • The flaw is tracked as CVE-2023-22515.
  • With numerous Confluence servers accessible via the internet, there’s potential exposure for millions, especially those on affected versions.

Immediate Actions:

  • Update to the patched Atlassian Confluence versions (8.3.3, 8.4.3, or 8.5.2) without delay.
  • Engage and inform your clients regarding the urgency and significance of these patches.
  • Regularly monitor and inspect your systems for anomalies or suspicious activities.

This is very time sensitive: historically, vulnerabilities like this are targeted most heavily in the days right after patches become available, so organizations must act on these measures immediately.

We understand the risks associated with this vulnerability. Please contact us for assistance with patch implementation or any guidance on fortifying defenses against such threats.

Stay proactive and protected.

Contact Us Today!

Threat Intelligence: Over 3 Million Mail Servers at Risk from High-Severity EXIM Vulnerability

Posted: October 2, 2023

This is an urgent update on a critical situation concerning Exim, the widely used mail transfer agent (MTA). Potentially 3 million mail servers are affected, since, according to a recent study by E-Soft Inc., more than half of all internet-exposed mail servers run Exim.

Here’s the tech 411:

Exim has been found to harbor several vulnerabilities, most notably CVE-2023-42115, CVE-2023-42116, and CVE-2023-42117. What does this mean? If these vulnerabilities are exploited, they can give malicious actors remote code execution on the mail server. There are also growing concerns about the speed of Exim’s response to these vulnerabilities, with some patches reportedly taking up to four months to be released.

The good news:

A patch has been released today for these vulnerabilities, with the updated version being exim-4.96.1.

Immediate Actions for MSPs:

  1. Audit and identify any Exim installations within your and your clients’ networks.
  2. Apply the exim-4.96.1 patch immediately to mitigate the known vulnerabilities.
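As an added illustration of step 1 (this is example code written for this page, not a D1 Defend tool), the following POSIX shell script takes the output of `exim -bV` and reports whether the installed version predates the exim-4.96.1 release named above. The `exim -bV` sample text is constructed for the demonstration; the version parsing and the dotted-version comparison are the assumptions the script makes.

```shell
#!/bin/sh
# Added example: audit an Exim installation by comparing the version that
# `exim -bV` reports against the fixed release named in the alert.

# Constructed sample of `exim -bV` output (not captured from a real host).
SAMPLE_EXIM_BV='Exim version 4.96 #2 built 12-Sep-2023 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL'

FIXED_EXIM_VERSION="4.96.1"   # fixed release from the alert

# Read `exim -bV` output on stdin and print only the version token (e.g. 4.96).
parse_exim_version() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) if dotted version $1 sorts before dotted version $2.
# Missing components count as 0, so 4.96 is older than 4.96.1.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s....\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s....\n' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Return 0 if version $1 is older than the fixed release and needs patching.
exim_needs_patch() {
    version_lt "$1" "$FIXED_EXIM_VERSION"
}

# Audit one host from `exim -bV` output on stdin: print a verdict line and
# return 0 when the patch is needed, 1 when already fixed or no Exim found.
audit_exim_bv() {
    v=$(parse_exim_version)
    if [ -z "$v" ]; then
        echo "no Exim version string found"
        return 1
    fi
    if exim_needs_patch "$v"; then
        echo "Exim $v: older than $FIXED_EXIM_VERSION, apply patch"
        return 0
    fi
    echo "Exim $v: at or beyond $FIXED_EXIM_VERSION"
    return 1
}

# Run against the constructed sample. On a real host use: exim -bV | audit_exim_bv
printf '%s\n' "$SAMPLE_EXIM_BV" | audit_exim_bv
```

Run it on each host (or wrap the pipeline in your remote-execution tooling) to produce a list of installations that still need the exim-4.96.1 update.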

We’re here to help and collaborate during this crucial phase. Reach out for any support or clarifications.


Threat Intelligence: Critical Maximum-Rating Vulnerability in the libwebp Library

Posted: September 9, 2023

This alert is about a very serious vulnerability—identified as CVE-2023-5129—that could be hiding all over your clients’ environments. In fact, CVE-2023-5129 is so serious that Google has stamped it with their highest severity rating: a solid 10/10.

CVE-2023-5129 was initially classified as a Chrome issue. But we now realize that it pertains much more broadly to any software that utilizes the libwebp open-source library.

Here’s the technical gist: the flaw is a heap buffer overflow in libwebp’s handling of the Huffman coding tables used for WebP lossless compression. A maliciously crafted WebP image or web page can trigger it, potentially allowing attackers to execute unauthorized code or access sensitive data.

The real problem, however, is that a lot of software uses the libwebp library. So we’re looking at a vast landscape of potential vulnerabilities that includes 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, native Android web browsers, and more.

Remediating this vulnerability therefore requires you to pinpoint every piece of software in your clients’ environments (and your own) that integrates the libwebp library.

This will be a huge undertaking. And it underscores the critical importance of maintaining a complete, accurate, and up-to-date software inventory. So we need to act fast and remediate thoroughly.

We can discuss CVE-2023-5129 further during office hours, coaching calls, and on the forum. But we need to get on this right away.

Stay tuned for new developments as this situation continues to quickly unfold.


Threat Intelligence: MGM Nightmare

Posted: September 14, 2023

Goliath has fallen.

MGM Properties got hit and they got hit hard. Yes, I’m talking about the company that owns 31 unique gambling and hotel properties. Their casino and hospitality operations were brought to their knees causing them to shutter MGM Grand and other Las Vegas properties. Gambling was shut down and patrons were left unable to enter their hotel rooms.

Who’s responsible? A group identified as “Scattered Spider” or UNC3944, an affiliate of a ransomware-as-a-service “BlackCat.”

Once they compromise a company and steal its data, Scattered Spider attacks virtual machines through virtual serial and administrative consoles and purposely injects vulnerable signed drivers to escalate privileges or move laterally within a network. They use BlackCat ransomware to strike the final blow.

The BlackCat ransomware, developed by UNC3507, or ALPHV, has been widely used by threat actors in many cybersecurity incidents in the last year. Did you know that nearly 12% of all cybersecurity attacks in 2022 involved the BlackCat ransomware, including the attacks on semiconductor manufacturer Seiko and the international auditing and accounting company Mazars Group?

Scattered Spider is known for its reliance on social engineering to establish a point of entry into an organization, meaning they psychologically manipulate their victims to get what they want. Then they use advanced techniques to capture critical business and personal information. As if that weren’t dangerous enough, being based in the United States gives Scattered Spider an advantage over foreign adversaries: fluent, convincing phone calls in which they persuade a victim to click links, accept MFA requests, or run executables.

Once into a system, Scattered Spider steals data from the organization, including business documents, personal information such as social security numbers, and client and customer data for use in double extortion. Ransomware is deployed—in this case BlackCat, developed by ALPHV—which allows Scattered Spider to extort the business for ransom. Not willing to pay a ransom? Scattered Spider then goes to work through their affiliate network to post the stolen information for the second extortion attempt.

While the MGM situation is still transpiring and many elements are still unknown, this attack highlights several areas of focus for all businesses and employees:

  • Defense In Depth is essential to ensure that a small breach doesn’t turn into a major business catastrophe
  • All employees must be continuously educated on how to resist social engineering exploits executed on them via email, text, or phone
  • Organizations must proactively run tests to ensure that their employees are in fact resisting social engineering tactics—and re-train any under-performing employees
  • Wise executives will press their suppliers, contractors, and other business partners to also take appropriate steps to assess and enhance their own security posture in order to further reduce their exposure to risk

But this doesn’t just stop with businesses and employees. Anyone who visited MGM properties is at additional risk, including those who have stayed at one of the hospitality properties or signed up for lines of credit. What should you do if this is you? Well, at the moment it’s still unclear what data was stolen, but it’s always a good idea to monitor bank accounts, credit/debit cards, and social security information.


How Regular IT Maintenance Boosts Your Business Productivity

Running a business involves taking care of a lot of moving parts. One area you might think about only occasionally is your computer hardware: your servers, workstations, and their components and accessories. Taking good care of that hardware is essential. Regular maintenance helps your business run more smoothly, catches issues early, and improves system performance.

Understanding Hardware Maintenance

Hardware maintenance is like a health checkup for your computer. It means looking at, fixing, and updating the parts of your computer. These parts include the keyboard, drives, hard disk, and battery. Regular maintenance can make your computers work better and last longer. A computer that gets regular checkups can last five to eight years or even more.

Why Hardware Maintenance Matters

Many businesses focus too much on software maintenance and sometimes overlook the hardware. But taking care of your hardware is also critical to prevent any business disruption. Here’s why:

  • Avoid Problems. Regular maintenance helps you catch issues before they get big. This saves you from unexpected breakdowns and business downtime.
  • Work Faster. When your computers are in good shape, they work better. Your tasks get done quicker, helping you reach your goals faster.
  • Last Longer. Maintenance helps your equipment last longer. This saves you money overall because you won’t need to replace your hardware as often.
  • Stay Safe. Regular checkups reduce the risk of data loss. This keeps your business information safer.

Taking Care of Your Hardware

Here are some ways to keep your computer hardware well-maintained:

  • Keep Them Clean. Dust and dirt can cause your computers to overheat or work slower. Regular cleaning keeps your computers running smoothly.
  • Check Your Fans. Fans keep your computer cool. Make sure they’re working well to avoid overheating.
  • Upgrade When Needed. Sometimes, your hardware might need an upgrade. This can help your computer keep up with new software or heavy workloads.
  • Check Your Battery. Make sure your battery holds a charge. If it doesn’t, it might be time to replace it.
  • Regular Checkups. Regular professional checkups can help spot and fix issues before they get serious.

The Importance of Maintenance in Productivity

Regular hardware maintenance is a big part of a successful business. It helps your computers work better and last longer. It catches problems before they can slow you down. And it keeps your data safe. Pay attention to your hardware and give it the care it needs. You’ll see the results in your business’s productivity.

Used with permission from Article Aggregator
