Cyber Security Month in Review January 2023

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

    • Royal Mail Cyber Attack 

    • Avast Ransomware Decryptor 

    • Juniper OS DoS Vulnerability 

    • CircleCI Breach 

    • Cisco XLL Alert

    • Exchange 2013 Server End of Support 

    • Git Critical Fixes 

Welcome back to a new year of our security month in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day. The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.

Royal Mail Cyberattack

The year has started at running speed for some, as Royal Mail were hit by a ransomware attack first detected on Tuesday 10th January. The attack has been linked to the LockBit ransomware operation and has forced Royal Mail to stop all international shipping services, with no indication yet of when shipments can resume.

Whilst the extent of compromised data is yet unknown, printers at the Royal Mail distribution centre reportedly printed copies of the ransom note which provided links to the operation’s Tor leak sites and a decryption ID required to log in and chat with the attackers – however there are further reports that this ID doesn’t work.

More details are bound to be revealed soon, but in the meantime, Royal Mail are working with the UK NCSC (National Cyber Security Centre) to understand the full impact.

What Should I do?

In the meantime, Royal Mail have advised customers not to try to send international letters and parcels until the issue is resolved. Businesses should also use this incident to review their own processes and procedures, making sure their Business Continuity plans are resilient, both in case their own courier suffers a similar outage and in case they are hit by a ransomware attack themselves.

The NCSC provide useful guidance for mitigating against ransomware attacks here: Mitigating malware and ransomware attacks – NCSC.GOV.UK. The most important message to convey here is that “Law enforcement do not encourage, endorse, nor condone the payment of ransom demands.” If you do pay the ransom, the NCSC have stated that:

  • There is no guarantee that you will get access to your data or computer

  • Your computer will still be infected

  • You will be paying criminal groups

  • You’re more likely to be targeted in the future

Avast Releases Ransomware Decryptor

Since we’ve started the article with a ransomware loss, it’s only fitting that we also mention a ransomware victory as Avast has released a free decryption tool for the BianLian ransomware. The decryptor comes after the threat group breached multiple high-profile targets including industries such as healthcare and manufacturing.

It’s important to note, however, that “the decryptor can only restore files encrypted by a known variant of the BianLian ransomware”. This is because the ransomware deletes itself after it has completed its encryption, which makes it difficult for researchers to investigate. Victims of newer strains may still be able to recover the ransomware binary from the hard drive (a copy is needed to add support for that variant), but the self-deletion makes this difficult.

What Should I do?

More information can be found out about the decryptor here: Decrypted: BianLian Ransomware – Avast Threat Labs


Juniper OS DoS Vulnerability

Juniper Networks have highlighted multiple vulnerabilities in their Junos OS this month too. Junos OS is the operating system which runs across all Juniper routing, switching, and security infrastructure, and the exploitation of these vulnerabilities could lead to a Denial of Service (DoS).

The first vulnerability (CVE-2023-22396) has a CVSS score of 7.5 which is classified ‘HIGH’. The vulnerability allows an unauthenticated network-based attacker to send crafted TCP packets resulting in an MBUF leak. The subsequent DoS to the system “does not recover automatically and must be manually restarted to restore service.”

The second vulnerability (CVE-2023-22405) has a lower CVSS score of 6.5, which is classified ‘MEDIUM’. This vulnerability causes the MAC limiting feature to stop working after the PFE is restarted or the device is rebooted, ultimately allowing an unauthenticated attacker to cause a DoS through lack of resources.

What Should I do?

CVE-2023-22396 affects Junos OS for the following:

    • 12.3 version 12.3R12-S19 and later versions;

    • 15.1 version 15.1R7-S10 and later versions;

    • 17.3 version 17.3R3-S12 and later versions;

    • 18.4 version 18.4R3-S9 and later versions;

    • 19.1 version 19.1R3-S7 and later versions;

    • 19.2 version 19.2R3-S3 and later versions;

    • 19.3 version 19.3R2-S7, 19.3R3-S3 and later versions prior to 19.3R3-S7;

    • 19.4 version 19.4R2-S7, 19.4R3-S5 and later versions prior to 19.4R3-S10;

    • 20.1 version 20.1R3-S1 and later versions;

    • 20.2 version 20.2R3-S2 and later versions prior to 20.2R3-S6;

    • 20.3 version 20.3R3-S1 and later versions prior to 20.3R3-S6;

    • 20.4 version 20.4R2-S2, 20.4R3 and later versions prior to 20.4R3-S5;

    • 21.1 version 21.1R2 and later versions prior to 21.1R3-S4;

    • 21.2 version 21.2R1-S1, 21.2R2 and later versions prior to 21.2R3-S3;

    • 21.3 versions prior to 21.3R3-S2;

    • 21.4 versions prior to 21.4R3;

    • 22.1 versions prior to 22.1R2-S1, 22.1R3;

    • 22.2 versions prior to 22.2R1-S2, 22.2R2;

    • 22.3 versions prior to 22.3R1-S1, 22.3R2.

CVE-2023-22405 affects Junos OS on QFX5k and EX46xx Series for the following:

    • All versions prior to 20.2R3-S5;

    • 20.3 versions prior to 20.3R3-S5;

    • 20.4 versions prior to 20.4R3-S4;

    • 21.1 versions prior to 21.1R3-S3;

    • 21.2 versions prior to 21.2R3-S1;

    • 21.3 versions prior to 21.3R3;

    • 21.4 versions prior to 21.4R3;

    • 22.1 versions prior to 22.1R2.

CircleCI Breach

At the start of the year, CircleCI alerted their customers that they had been breached, urging all users to rotate their secrets. CircleCI is a CI/CD platform used by engineers to build fully automated pipelines.

In a statement they released, they explained that, after investigation, the incident started on the 16th of December when a CircleCI engineer’s laptop was compromised by malware that wasn’t detected by their antivirus. The malware was then able to perform a session hijack (cookie theft) to impersonate the engineer and bypass the 2FA-backed SSO session. From here the attacker was able to engage in reconnaissance before exfiltrating data such as customer environment variables, tokens, and keys on the 22nd of December.

What Should I do?

CircleCI have listed their response actions in the advisory below, but importantly for anyone who is a customer of CircleCI – “If you stored secrets on the platform during this period, assume they have been accessed”. Make sure you rotate your secrets right away and investigate your systems for any suspicious activity (starting December 16th).

For more details on this attack, please see the CircleCI advisory here: CircleCI incident report for January 4, 2023 security incident

Cisco alert on the increased use of XLL add-ins

Cisco Talos released an article towards the end of December showing that attackers are changing tactics by increasingly using Excel add-in files (XLL) as an infection vector. Since Microsoft started blocking macros in Office documents from July 2022, the common attack of using malicious VBA macros in Office documents has become more difficult (though still possible in older versions of Office).

Sadly, attackers have responded in kind by investigating other methods such as the use of XLL add-ins. These XLL files allow for the introduction of executable code within the document and can be sent by email. “Even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code”.

What Should I do?

With reports that a number of APTs (advanced persistent threats) have been using this tactic already, it’s important for IT admins and security teams to update their phishing training and monitoring accordingly to ensure these files don’t bypass your defences.

More details on the tactic can be found here: Threat Spotlight: XLLing in Excel – threat actors using malicious add-ins (talosintelligence.com)

Exchange Server 2013 end of support in 90 days

Microsoft have warned users that Exchange Server 2013 will reach its extended end-of-support date on April 11, 2023. Once past this date, Microsoft will no longer provide technical support, bug fixes and, more importantly, security updates. Given the high risk that a lack of security support exposes organisations to, Microsoft have unsurprisingly recommended that people migrate from Exchange Server 2013 to Exchange Online or Exchange Server 2019 as soon as possible.

What Should I do?

If your infrastructure is heavily affected by this change, now might be the time to look at migrating to Microsoft 365 (Microsoft’s recommended approach), moving mailboxes, public folders, and other data using either a cutover, minimal hybrid, or full hybrid migration. Then, remove your on-premises Exchange servers and Active Directory. Failing that, you can remain on-premises by moving to Exchange 2019 instead.

More details on your migration options can be found from Microsoft here: Exchange 2013 end of support roadmap – Microsoft 365 Enterprise | Microsoft Learn

If you need support with your migration, book a consultation and one of our experts will be in touch.

 

Git gets two Critical Fixes

Git has patched two critical severity vulnerabilities this month too, with a third Windows-specific issue being addressed as well. The first two vulnerabilities (CVE-2022-41903 and CVE-2022-23521) could allow an attacker to execute arbitrary code after successfully triggering a heap-based buffer overflow. The third, Windows-specific vulnerability, categorised as ‘High’ (CVE-2022-41953) and also patched in 2.39.1, involves a “$PATH lookup which can be leveraged to run arbitrary code when cloning repositories with Git GUI.”

What Should I do?

Git have recommended the most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.1. If you can’t update immediately, reduce your risk by taking the following steps:

    • Avoid invoking the --format mechanism directly with the known operators and avoid running git archive in untrusted repositories.

    • If you expose git archive via git daemon, consider disabling it if working with untrusted repositories by running git config --global daemon.uploadArch false.

    • Avoid using Git GUI on Windows when cloning untrusted repositories.
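As an added example (not from the article or the Git project), the script below checks whether an installed Git predates the fixed 2.39.1 release and, only when asked with --apply, runs the interim git daemon mitigation quoted above; the version comparison is written in plain POSIX sh so it does not rely on sort -V.

```shell
#!/bin/sh
# Added example: audit the local Git version against the 2.39.1 fix release
# (CVE-2022-41903, CVE-2022-23521, CVE-2022-41953) and optionally apply the
# interim daemon mitigation from the advisory.

# Compare two dotted numeric versions; prints "lt", "eq" or "gt".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -n "$x" ] || x=0            # missing component counts as 0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo eq
}

# Reduce "git version 2.39.1.windows.1" to the bare "2.39.1".
git_version_number() {
    printf '%s\n' "${1#git version }" | sed -n 's/^\([0-9][0-9.]*[0-9]\).*/\1/p'
}

# "yes" when the given version is below 2.39.1 (the release carrying the fixes).
git_needs_fix() {
    case "$(vercmp "$1" 2.39.1)" in lt) echo yes;; *) echo no;; esac
}

# Interim mitigation from the advisory: stop git daemon serving git archive.
mitigate_git_daemon() {
    git config --global daemon.uploadArch false
}

main() {
    raw="$(git --version 2>/dev/null)" || { echo "git not installed"; return 0; }
    v="$(git_version_number "$raw")"
    if [ "$(git_needs_fix "$v")" = yes ]; then
        echo "git $v is below 2.39.1: upgrade as soon as possible"
        if [ "$1" = "--apply" ]; then
            mitigate_git_daemon && echo "daemon.uploadArch set to false"
        else
            echo "re-run with --apply to disable git archive over git daemon"
        fi
    else
        echo "git $v already contains the fixes"
    fi
}
```

Call main (for example by appending `main "$@"`) to run the audit on the current host; the helper functions take the version string as an argument so they can be checked without Git present.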

More details on the vulnerabilities and mitigation can be found on the Git blog here: Git security vulnerabilities announced | The GitHub Blog


Conclusion

With a ransomware attack taking down parts of the Royal Mail (considered UK Critical Infrastructure), and a similarly hard-hitting breach for CircleCI, it’s certainly been a rough start to the year, impacting IT admins and customers alike. Despite these setbacks however, advances have still been made with Avast’s decryptor and Cisco’s XLL warning helping to provide defence against future attack with continual improvement.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month; others such as Fortinet’s SSL-VPN zero-day, the theft of Slack’s private GitHub repositories, the Linux KSMBD remote code execution vulnerability, and Microsoft’s large 98-vulnerability patch are honourable mentions as examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, have a look at your security processes and see what changes you can make to ensure you don’t get caught out in the future.

Just 20 minutes research each day can help you keep on top of the major security trends and alerts which help protect your business and keep you cyber aware.

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.
