Threat Intel Archives - Page 8 of 9 - D1 Defend


Threat Intelligence: URGENT Windows loophole gives Malware Kernel Level Access

Posted: July 14, 2023

Hackers are using open-source software that’s popular with video game cheaters to allow their Windows-based malware to bypass restrictions Microsoft put in place to prevent such infections from occurring.

The exploits have been released to the public in the form of free, available tools that are being repurposed by serious hackers to empower their malware with kernel access.

Kernel access is the equivalent of God mode when it comes to privilege escalation and would allow an attacker to do just about anything. This new method bypasses the driver restrictions that Microsoft introduced back in the days of Windows Vista.

In fact, this exploit exists because Microsoft wanted to ensure that older software could still run after those restrictions were introduced, and that compatibility exception is the hole attackers are exploiting. They load malicious drivers with a signing date earlier than 2015, combining stolen or expired certificates with the tools from video game cheaters. The result is much more destructive malware.

Hackers are using the same sort of deep access that antivirus software relies on to inspect your system. Once an attacker gains administrative privileges, they can take it a step further and potentially shut down EDR/MDR/XDR and other advanced security tools such as application control.

Unfortunately, Microsoft’s driver blocking capabilities currently appear to be broken. Although Microsoft has assured the community that this is fixed in the most recent Windows Updates, security researchers state that this is false.

We expect to see increased pressure on Microsoft in the coming days to release a better fix for this issue, but as it stands now, we recommend the following:

  • Ensure that all Windows systems are running the latest version of the operating system.
  • Monitor for any suspicious activity on the network, such as unusual outbound traffic or unexpected system drivers.
  • Regularly scan for malicious system drivers and remove any that are found.
  • Educate users on the importance of not downloading or installing software from untrusted sources.


Threat Intelligence: Uptick in Hacking

Posted: June 30, 2023

There’s been an alarming uptick in partners asking for assistance with ransomware events. While this is terrible news, it’s encouraging to see that most of these events were with their prospects (not existing clients).

While it is definitely good news to hear about getting new prospects, the ransomware attacks are a startling reflection of what’s happening in the world. Cyberattacks increased in June 2023. According to a report by IT Governance, there have been 104 publicly disclosed security incidents in 2023, which accounted for 277,618,767 leaked records. Of these, 23 incidents occurred in June, which is more than any other month so far this year.

So, what’s going on?

It could be the destabilization in Russia, the economy, political activism, or the continued sophistication of hackers. This is a complex issue, but here are a few facts:

  • On June 28, 2023, the National Security Agency and Central Security Service issued a report in which they noted the growing sophistication of hackers, and the dire need for vigilance.
  • The current destabilization in Russia is creating much uncertainty and fear (this could make people more likely to launch cyberattacks.)
  • Every industry is being hit by inflation, the energy crisis and supply chain issues, which means a new crop of hackers entering the field and lower budgets for organizations to address them.
  • Political activists throughout the world are using cyberattacks as a way to hit companies of all sizes in order to make a statement.

I know it’s a holiday, but let’s not forget the danger is real. It’s okay to wake up after the 4th of July to a yard littered with leftovers from a great party. It’s not okay to wake up after the 4th of July to devastation from a cyberattack.

Make sure you get Level 1 Penetration tests after projects or major network changes.

Also, for those of you with ClientWatch clients, let us know when changes occur so we can perform a full Level 3 analysis.

It’s easy to let your guard down during a holiday, but now more than ever, we just can’t afford to do that.

Make sure you have a plan if there’s an event, and remember we are here if you need assistance.


Threat Intelligence: Fortinet SSL-VPN Vulnerability

Posted: June 14, 2023

On June 11th, 2023, Fortinet quietly released firmware updates addressing a serious, undisclosed pre-authentication Remote Code Execution (RCE) vulnerability affecting all versions of FortiGate SSL-VPN devices.

The details:

This RCE flaw could allow a malicious actor to execute code on the device through the SSL-VPN interface without valid credentials, so Multi-Factor Authentication (MFA) does not protect against it.

The FortiOS firmware updates that address this issue include versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

The vulnerability, coded as CVE-2023-27997, was identified by researchers Charles Fol and Rioru.

More than 250,000 FortiGate firewalls are potentially exposed, because they can be reached from the internet, and the majority are likely running affected versions.

What you need to do NOW:

  • Apply the Fortinet security patches immediately. The patches are available for FortiOS versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Given the nature of the vulnerability, it is URGENT that these patches are applied promptly.
  • Communicate this update to your clients and educate them about the importance of the immediate application of these patches as well as the potential risk to their data if left unpatched.
  • Monitor your systems for any irregularities. Since the flaw could potentially be exploited pre-authentication, any signs of abnormal system behavior should be treated with caution.
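A patch-level check against the fixed FortiOS releases named in this post, added here as an example (it is not D1 Defend's or Fortinet's code). It compares each device's version numerically against the fix for its own major.minor branch; the hostnames and versions in the inventory are constructed, and any branch the post does not list is reported as "unknown" rather than passed.

```python
"""Patch-level check for the FortiOS fixes listed in this post (CVE-2023-27997).
A device is 'patched' when its version is at or above the fixed release for its
own major.minor branch; branches not named in the post are reported 'unknown'."""
from typing import Dict, List, Tuple

# Fixed releases exactly as stated in the post.
FIXED_VERSIONS = ("6.0.17", "6.2.15", "6.4.13", "7.0.12", "7.2.5")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v7.0.9' or '7.0.9' into a comparable tuple (7, 0, 9)."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


# Branch (major, minor) -> first fixed version in that branch.
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one FortiOS version string."""
    current = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(current[:2])
    if fixed is None:
        return "unknown"  # branch not covered by this post: verify with the vendor
    return "patched" if current >= fixed else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the vulnerable ones can be patched first."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    for names in groups.values():
        names.sort()
    return groups


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "fw-branch-01": "v7.0.9",  # numeric compare matters: "7.0.9" > "7.0.12" as strings
    "fw-branch-02": "7.0.12",
    "fw-dc-01": "6.4.12",
    "fw-dc-02": "7.2.5",
    "fw-lab-01": "5.6.14",     # branch not listed in the post
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```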

Remember, historical data suggests threat actors exploit SSL-VPN flaws mere days after patches are released. They use them as initial access points for data theft and ransomware attacks, so this is a crucial time for you and your clients to bolster your defenses.

We understand the gravity of this situation and we’re here to assist you. If you need help applying the patches or want to learn more about how to prevent similar threats, please don’t hesitate to contact us.

Stay vigilant and stay secure.


Threat Intelligence: Nearly Undetectable Hacker

Posted: May 26, 2023

What’s the issue?

The United States and international cybersecurity authorities discovered a cluster of activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon. This activity targets networks across critical infrastructure sectors, and there is a potential for similar techniques to be used worldwide.

What’s the risk?

This attacker employs “living off the land” tactics, using built-in network administration tools to carry out their objectives. This allows them to evade detection by blending in with normal Windows systems and network activities. They avoid endpoint detection and response (EDR) products and are nearly undetectable in default logging configurations. Some of the built-in tools used by the actor include wmic, ntdsutil, netsh, and PowerShell.

What’s the solution?

The joint advisory provides hunting guidance and best practices to detect this activity. It includes examples of the actor’s commands and detection signatures to aid network defenders. However, it’s important to note that some of the behavioral indicators can also be legitimate system administration commands, requiring further investigation.

Please check CISA’s website for the joint advisory at http://cisa.gov.

Important Action

To enhance cybersecurity posture against this threat actor, we recommend implementing the following mitigations:

  • Harden domain controllers and monitor event logs for suspicious process creations.
  • Limit port proxy usage and investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs.
  • Review perimeter firewall configurations for unauthorized changes.
  • Monitor for abnormal account activity and impossible logons.
  • Forward log files to a centralized logging server and monitor for log clearing.
  • Enable logging on edge devices and network management devices.
  • Configure Windows security logs to include “audit process creation” and “include command line in process creation events.”
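A small triage routine over Windows process-creation (event 4688) records, added here as an example of the mitigations above (it is not D1 Defend's or CISA's code). It flags use of the built-in tools named in this post, pulls the addresses and ports out of port-proxy command lines for review, and calls out events whose command line was not logged at all. The sample events, hostnames, users and addresses are constructed; findings are leads for an analyst, since administrators run the same commands.

```python
"""Triage of Windows 4688 (process creation) events for the living-off-the-land
tools named in this post. Findings are leads for review, not verdicts."""
import re
from typing import Dict, List

# Built-in tools named in the post; any use is worth a look, not an alert by itself.
WATCHED_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"port=(\d+)", re.IGNORECASE)


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons one 4688-style event deserves review (empty = nothing)."""
    reasons: List[str] = []
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    if image in WATCHED_TOOLS:
        reasons.append(f"{image}: built-in admin tool named in the advisory")
        if not cmdline:
            # Last mitigation in the post: without command-line logging you
            # cannot tell an administrator's use from an attacker's.
            reasons.append("command line missing: enable 'include command line in process creation events'")
    if image == "netsh.exe" and "portproxy" in cmdline.lower():
        addrs = sorted(set(IPV4.findall(cmdline)))
        ports = sorted(set(PORT.findall(cmdline)))
        reasons.append(f"port proxy change; review addresses {addrs} and ports {ports}")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through triage_event and keep only those with findings."""
    return [{"id": e["EventRecordID"], "user": e.get("SubjectUserName", "?"), "reasons": r}
            for e in events if (r := triage_event(e))]


# Constructed sample events (hypothetical users, paths and documentation addresses).
SAMPLE_EVENTS = [
    {"EventRecordID": "1001", "SubjectUserName": "svc-backup",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventRecordID": "1002", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=192.0.2.10 connectport=443"},
    {"EventRecordID": "1003", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["id"], finding["user"], "; ".join(finding["reasons"]))
```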

If you have any questions or need assistance with implementing these mitigations, please reach out to our team at D1 Defend.


Threat Intelligence: Critical Apple Security Updates

Posted: April 12, 2023

CISA Requiring Federal Agencies to patch known iPhone and macOS exploits immediately!

What’s the issue?

Apple has released emergency security updates to address two zero-day vulnerabilities that have been exploited in recent attacks affecting iPhones, iPads, and Macs. These vulnerabilities could allow attackers to execute arbitrary code with kernel privileges, or to run malicious code on compromised devices.

What’s the risk?

Although the exploits were likely used in highly targeted attacks, it’s essential to install these emergency updates as soon as possible to prevent potential attacks.

The list of affected devices is extensive and includes the following:

  • iPhone 8 and later,
  • iPad Pro (all models),
  • iPad Air 3rd generation and later,
  • iPad 5th generation and later,
  • iPad mini 5th generation and later, and
  • Macs running macOS Ventura.

What’s the solution?

Apple has released updates for these vulnerabilities in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1, with improved input validation and memory management.

Important Action

To secure your devices against these vulnerabilities, it’s crucial to install the updates released by Apple as soon as possible. We strongly advise updating all iOS, iPadOS, and macOS devices immediately to address the two zero-day vulnerabilities.

This is a serious, wide-reaching issue and the Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive calling for patching of these vulnerabilities by federal agencies by May 1st, 2023.

If you have any questions, concerns or would like to discuss proper patch management please reach out to our team here at D1 Defend.
