Bear Security – Security News for Week of April 17, 2021
Good News Everyone! So, there was no Bear Security episode this week as Chris finalizes their studies for their CISSP exam on Tuesday, but… we decided to make a blog version to still make sure you heard about some of the important things that happened over the last week.
Bear Security will resume this coming week, along with a podcast version and the blog version. That way you can read, watch, or listen to our coverage of the week’s news in cybersecurity that affects our clients, employers, careers, and communities. More details will be posted this Saturday. Be sure to join our Patreon to get the latest updates.
On to the news of the week!
To Russia, With Love
The US Government has issued sanctions against 6 Russian firms that the US believes worked for the SVR (Russia’s Foreign Intelligence Service) to carry out the supply-chain attack on customers of SolarWinds. SVR-backed hackers are also behind other recent campaigns, targeting COVID-19 research facilities and others, using flaws in Fortinet, Synacor Zimbra Collaboration Suite, Pulse Connect Secure VPN, Citrix Application Delivery Controller / Gateway, and VMware Workspace One.
So if you use any of those products and haven’t yet patched them and reduced their attack surface, make it a priority for this coming week. Read more over at Ars Technica.
The US Government is Hacking Exchange Systems?
According to the DOJ, the FBI received court approval to remotely access Exchange servers based in the United States and remove the web shells installed on servers that were exploited by the hacking group(s) related to Hafnium, in order to reduce the overall threat to U.S. infrastructure. While this isn’t the first time a court order such as this has been issued, it does raise some interesting questions regarding privacy and system controls. So, if you haven’t patched your servers yet, you may want to. Also, be on the lookout for any emails from the FBI, and definitely expect that threat actors may try to take advantage of the confusion of this situation to social engineer you or your peers into giving them access.
Read more over at The Verge or the DOJ’s Press Release.
April’s Patch Tuesday Brings More Exchange Woes
In addition to more than 115 vulnerabilities that were addressed in this month’s Patch Tuesday release, there were 4 vulnerabilities reported by the NSA related to Microsoft Exchange. The patches cover Microsoft Exchange 2013, 2016, and 2019, but only the current and second most recent cumulative updates receive them. These 4 Exchange vulnerabilities rate high on the CVSS scale, as two of them don’t require authentication of any form and have the potential to be wormable with the right exploit. So get to patching, and if you have not started regularly updating your Exchange systems, begin structuring the process, or consider going to the cloud.
Read more from Microsoft on the patch updates for April, or the CISA advisory regarding the latest round of Exchange vulnerabilities.
Millions of IoT Devices Realize… The Problem is DNS
Researchers have found flaws in four different TCP/IP stacks from FreeBSD, Nucleus RTOS, ThreadX, and VxWorks that affect Internet of Things devices and how they handle DNS. These flaws have the potential to cause either Denial of Service (DoS) or enable Remote Code Execution (RCE). While patches have been released, it’s possible that more devices are impacted, or that not all devices can be updated.
IoT devices can be pure chaos for any network. So while we anticipate we will be hearing about vulnerable devices for some time, it’s best that as a practice, you isolate any IoT devices in your environment, limit their access where you can, and make sure to stay on top of any updates as you can.
Read more over on Wired, or read the press release from Forescout, one of the firms that did the research along with JSOF Research. You can also read their full report on NAME:WRECK if you want to get down and technical.
No Slack for the Discord Around Messaging App Exploitations
Ok, maybe we stretched the pun there, but take note. Cisco Talos reported this week on how popular messaging apps like Slack and Discord are being used for exfiltration, social engineering, and malware delivery. Given the way these apps work, they give attackers a way to bypass the traditional security controls businesses may use to block malicious content. When files are uploaded to services like Slack and Discord, their direct CDN links can be used to access the files even by people who aren’t users of the service, according to Cisco Talos. This means that malicious actors can use these services to host malware for them and, if they know a company uses one of these services, augment their social engineering by falsely gaining a user’s trust that a file is “authentic”.
So the big takeaway here is that regardless of the messaging medium, whether email or instant message, users should be vigilant all the same. If something is unexpected or looks suspicious, it’s best to confirm through an alternative method or raise a flag to make sure everything is okay and avoid getting compromised. The second takeaway is to consider discouraging the use of these platforms for sharing anything confidential or sensitive, to avoid potential exfiltration.
Read the details over at Cisco Talos.
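Since the Talos finding is that a Slack or Discord CDN link serves the file to anyone holding it, a defender can watch for the downloads themselves rather than relying on who is a member of the workspace. As an added example (not from the post or from Cisco Talos), here is a small Python detection that scans constructed proxy log lines for successful downloads of executable-style files from the two services’ file CDNs; the CDN hostnames, the log format, and the extension watch-list are assumptions.

```python
import re
from posixpath import splitext
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# Constructed sample proxy log (not from the original post):
# "<timestamp> <user> <method> <url> <status> <bytes>" per line.
SAMPLE_LOG = """\
2021-04-14T09:12:01Z alice GET https://cdn.discordapp.com/attachments/1234/5678/invoice.exe 200 812344
2021-04-14T09:13:22Z bob GET https://files.slack.com/files-pri/T000-F000/download/report.pdf 200 55231
2021-04-14T09:15:40Z carol GET https://files.slack.com/files-pri/T000-F000/download/setup.zip 200 2093113
2021-04-14T09:16:05Z dave GET https://example.com/index.html 200 1234
2021-04-14T09:17:50Z erin POST https://cdn.discordapp.com/attachments/9/9/notes.txt 200 91
"""

# Assumed hostnames for the two services' file CDNs, and an assumed
# watch-list of extensions worth an analyst's attention.
CDN_HOSTS = {"cdn.discordapp.com", "files.slack.com"}
RISKY_EXT = {".exe", ".dll", ".msi", ".scr", ".js", ".vbs", ".lnk", ".iso", ".zip"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify(url: str) -> Optional[Dict[str, object]]:
    """Return host/filename/risk for a chat-CDN URL, or None for other hosts."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in CDN_HOSTS:
        return None
    # The CDN serves the file to anyone holding the link, so the requesting
    # user's Slack/Discord membership is irrelevant: judge the file itself.
    filename = unquote(parsed.path.rsplit("/", 1)[-1])
    return {"host": host, "filename": filename,
            "risky": splitext(filename)[1].lower() in RISKY_EXT}


def flag_cdn_downloads(log_text: str) -> List[Dict[str, str]]:
    """Return successful GETs of risky file types from chat-service CDNs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        info = classify(m["url"])
        if info and info["risky"]:
            hits.append({"user": m["user"], "host": info["host"],
                         "filename": info["filename"]})
    return hits
```

Blocking the CDN hosts outright would break legitimate use of both apps, so alerting on file type (and, in a real deployment, on size and first-seen link) is the more workable first step.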
Windows 10 Version 1909 EOL is May 11th, 2021
If you are running Windows 10 version 1909, patches for it come to an end on May 11th. Be sure to update to the latest build possible to stay current.
Read more over at Bleeping Computer.
That’s all for this week’s security news. Come back every Saturday for the next rendition. Have a good week everyone!