From the cybersecurity breaches and vulnerability front —
- Cybersecurity Dive informed us on July 5,
- “The widely exploited vulnerability in Progress Software’s MOVEit file transfer service has impacted nearly 200 organizations, according to Brett Callow, a threat analyst at Emsisoft.
- “The scope of damage caused by Clop’s mass exploit of a zero-day vulnerability in MOVEit continues to snowball as third-party vendors expose multiple downstream victims. Progress discovered the zero-day over Memorial Day weekend on May 28.
- “Despite the number of victims so far, experts anticipate more will come forward. “While many organizations have made a disclosure, a significant number have yet to do so,” Callow said via email.
- “Progress on Wednesday released another update, including security fixes, and said it will consistently release MOVEit product updates every two months going forward.”
- Here is a Cybersecurity and Infrastructure Security Agency (CISA) link about the Progress Software MOVEit patch.
- CISA added another known exploited vulnerability yesterday.
- On July 6, CISA issued a “Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants.”
- “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks.
- “Additionally, newer versions of Truebot malware allow malicious actors to gain initial access by exploiting a known vulnerability with the Netwrix Auditor application (CVE-2022-31199). As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.
- “CISA, FBI, MS-ISAC, and the CCCS encourage all organizations to review this joint advisory and implement the recommended mitigations contained therein—including applying patches to CVE-2022-31199—to reduce the likelihood and impact of Truebot activity, as well as other ransomware-related incidents.”
- Bleeping Computer reports
- “CISA ordered federal agencies today to patch a high-severity Arm Mali GPU kernel driver privilege escalation flaw added to its list of actively exploited vulnerabilities and addressed with this month’s Android security updates.
- “The flaw (tracked as CVE-2021-29256) is a use-after-free weakness that can let attackers escalate to root privileges or gain access to sensitive information on targeted Android devices by allowing improper operations on GPU memory.
- “A non-privileged User can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information,” Arm’s advisory reads.”
- and
- “Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.
- “Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.
- “Today [July 8], Trend Micro published a technical report on Big Head claiming that both variants and a third they sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.”
- Cybersecurity Dive points out
- “More than two-thirds of Fortinet’s FortiGate firewalls remain at risk of exploits through a vulnerability the company disclosed on June 12, according to research Bishop Fox released Friday.
- “Researchers at Bishop Fox, an offensive security testing firm, identified 490,000 affected SSL VPN interfaces exposed to the internet and determined 69%, around 338,000, of those FortiGate firewalls are unpatched.
- “The heap-based overflow vulnerability, CVE-2023-27997, could allow a remote attacker to execute arbitrary code or commands and has a CVSS score of 9.8 out of 10.”
- ISACA warns us
- “In the US, the FBI and FCC recently warned that free USB charging stations in public spaces, such as airports, hotels, hospitals, business buildings and any other type of publicly available location, can have devices hidden within them to steal data, spread malware and commit other malicious activities broadly referenced as juice jacking. The term “juice jacking” started being used several years ago to mean that while individuals were using USB charging ports to charge (or “juice”) their phones, they were also having their data hijacked (“jacked”) through malicious, unnoticed skimming tech. I actually started covering this risk at a few onsite security and privacy training courses in 2010 when I first became aware of what was then an emerging new threat from a business friend, an electrical engineer, who I think may have invented what was the first juice jack blocker—a data blocker for USB ports.
- “The malicious USB charging connection not only gives access to the phone apps and data, but it creates a connection to all the networks that the phone is connected to that do not have active access controls and blocks established when the phone was connected to the USB charger. So, malicious USB charging ports, cables and possibly other components of the public charging stations can also be used to plant ransomware, keystroke loggers and other types of malware, GPS tracking and audio eavesdropping. They can also take control of the device being charged. All these malicious activities can occur not only on the device being charged (phone, laptop, tablet, etc.) but also on devices and network components within those other connected networks.”
- The FEHBlog notes the ISACA article offers the following suggestions plus policy advice
- “Juice jack blockers attach to the end of your USB cable to protect against skimmers when you charge your devices in public places. This is not as bulky as hauling around most portable chargers and extra cables. I’ve purchased USB juice jack blockers for as low as two for US$12. They’re small and easily fit in a pocket without any bulkiness.
- “It’s also a good idea to travel with personal charging devices. While not as small as juice jack blockers, they have become much smaller, with much more power, and less expensive in recent years. They limit the need to use public chargers at all.
- “Ideally, it would be best to make sure only non-data power-only ports and cables are used in public areas. However, most cables are used to support data transfer, and there is not an easy way for most folks to visually tell if a cable is charge-only.”
From the cybersecurity defenses front —
- Cybersecurity Dive discusses “the role for AI in cybersecurity; generative AI can be an ally for new security professionals. For more seasoned security analysts, it can offer time to refine their skills through automation of repetitive tasks.” Check it out.