Cyber Month in Review May 2023

Welcome back to this month’s security review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber-aware.

Apple’s New Rapid Security Response Patches

May saw the introduction of Apple’s new “Rapid Security Response” patches. The patches were pushed out for iOS 16.4.1 and macOS 13.3.1 devices and designed to be a new type of small-sized software release moving forward to “deliver important security improvements between software updates”.

The patches come in a slightly new format, essentially appending the current main release – e.g. ‘16.4.1 (a)’ for the Rapid Security Response (RSR) version at the time of this article.

What Should I Do (At a Glance)

Whilst the patch is available to all iOS and macOS devices in the usual way of patching, Apple still has yet to announce what this current RSR release has patched, with no details on the Apple Security update page. If you chose not to apply the RSR patch, “your device will receive the relevant fixes or mitigations when they’re included in a subsequent software update”.

Network Admins using Intune for their Mobile Management Solution should also note that at the time of this article, Intune struggles to support the new patch format making it difficult to enforce a minimum OS version for the RSRs.

---

Business Cyber Security Posture Assessment
31% of business reported a cyber incident last year. Don’t be next. Take this FREE assessment to uncover your cyber security weaknesses.

Book Assessment

---

Microsoft’s Patch Tuesday Optional Secure-boot fix

In a slightly unusual patch Tuesday this month, Microsoft has addressed a fix for CVE-2023-24932 (amongst the other 38 flaws fixed). The vulnerability is a secure boot bypass which allows an attacker to execute self-signed code at the UEFI level. At the same time, Secure Boot is enabled – helping the attacker achieve persistence on the device. Microsoft has confirmed that “successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device”. However, all Windows systems with Secure Boot protections enabled are affected by the flaw (including on-prem, virtual machines, and cloud-based devices).

What makes this fix slightly different is Microsoft’s choice to deploy it using a phased approach, meaning this particular vulnerability fix is disabled by default, requiring manual intervention from the admin to enable it.

What Should I Do (At a Glance)

In line with Microsoft’s phased approach, Admins who want to protect against this attack now must “carefully follow manual steps to update bootable media and apply revocations before enabling this update”. The timeline for future developments at the time of this article is below:

• May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to implement the protections fully.

• July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.

• First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce boot manager revocations on all Windows devices.

More information on the secure boot flaw and mitigation can be found here: Guidance related to Secure Boot Manager changes associated with CVE-2023-24932 | MSRC Blog | Microsoft Security Response Center

More information on the May Patch Tuesday, in general, can be found here: Security Update Guide – Microsoft.

 

VirusTotal Uses AI

Near the end of last month’s RSA conference, Google announced the introduction of VirusTotal Insight – utilising AI for code analysis in a massive leap forward for security admins in malware analysis.

The new VirusTotal Insight analyses potentially harmful files to explain their behaviour. It is done independently from other data like antivirus results, helping users root out AV false positives and negatives. The functionality is currently deployed to a subset of PowerShell files uploaded to VirusTotal. In addition, Google recently added support for scripting languages such as BAT, CMD, SH, AHK, PY, and VBS scripts.

Despite the quick progress with this new tool and the amazing uses this could provide for investigating security admins, it is still important to note the tool itself is also capable of producing errors, so caution and context should be employed when used.

What Should I Do (At a Glance)

VirusTotal has been a valuable tool for a while now, with over 70 scanners incorporated to help users identify potentially malicious files and/or URLs. Still, with the introduction of AI analysis and a promising roadmap, security admins have much to look forward to.

More information and examples of this functionality can be found in their article here: Introducing VirusTotal Code Insight: Empowering threat analysis with generative AI ~ VirusTotal Blog.

 

BianLian CISA Advisory

CISA (The US’s Cybersecurity and Infrastructure Security Agency) released a joint advisory this month with Australia regarding the latest tactics and techniques in use by the BianLian ransomware group. The BianLian group are a ransomware and data extortion cybercriminal group; however, since Avast’s BianLian decryptor release in January, the group have switched to simple extortion and data theft without the need for encrypting systems.

In the advisory, CISA warns that the actors gain initial access by leveraging compromised RDP (remote desktop protocol) credentials through brokers or phishing attempts before establishing a custom backdoor written in Go and installing remote management and access software (TeamViewer, SplashTop, AnyDesk etc.) for persistence.

From here, they can utilise command-line and scripts for network reconnaissance and exfiltrate any data found via FTP (file transfer protocol), the Rclone tool, or the Mega file hosting service, extorting the victim for money with threats to release data if payment is not made.

What Should I Do (At a Glance)

CISA’s guidance linked below goes into further detail on the group and attack techniques, with indicators of compromise and detailed mitigations. These mitigations include:

• Audit remote access tools and software on your network, ensuring only authorised software is used.

• Strictly limit the use of RDP, closing unused ports, applying MFA, and enforcing other stringent security measures.

• Restrict the use of Powershell by granting use to specific users on a case-by-case basis and enabling enhanced Powershell logging.

• Audit admin accounts, enforcing the least privilege principle and, where possible implementing time-based access. 

• Develop a strong backup and recovery plan with immutable backups where possible in line with NCSC guidance here: Step 1 – Backing up your data – NCSC.GOV.UK.

• Block inbound and outbound connections on common remote access software ports/protocols at the network perimeter and disable all other unused ports. 

• Keep all operating systems, software and firmware patched, segmenting networks for improved security, and actively monitor network activity.

More Mitigations and information are available via the advisory here: #StopRansomware: BianLian Ransomware Group | CISA

 

Cisco 4 Critical Vulnerability

Cisco also warned customers of four critical RCE (remote code execution) vulnerabilities this month, which affect various small business series switches. All four vulnerabilities hold a CVSS score of 9.8, with exploitation allowing an unauthenticated, remote attacker to cause a denial of service (DoS) or execute arbitrary code with root privileges on affected devices.

Cisco further clarified that the vulnerabilities are “not dependant on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability”, meaning the volume and criticality create a sense of urgency for any admin affected.

What Should I Do (At a Glance)

Cisco has released the list of affected switches below:

• 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches (fixed in firmware version 2.5.9.16)

• Business 250 Series Smart Switches and Business 350 Series Managed Switches (fixed in firmware version 3.3.0.16)

• Cisco has also noted that Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches are affected but will not be patched due to their end-of-life status. 

If you are using a version from the initial two points above, apply the relevant fix as soon as possible. If you are using an end-of-life switch, as identified in the last point, make sure you have a plan to upgrade them and mitigate the vulnerability.

More details on the vulnerabilities and fixes can be found on the Cisco notice here: Cisco Small Business Series Switches Buffer Overflow Vulnerabilities.

 

KeePass Exploit Reveals Master Passwords

A security researcher discovered a vulnerability in the KeyPass password manager this month, which allows an attacker to extract the master password from the application’s memory, compromising the password vault even with the database locked.

The researcher known as ‘vdohney’ published a proof-concept tool which can exploit the vulnerability being tracked as CVE-2023-3278 and dump the KeePass master password from KeePass’s memory except for the password’s first one or two characters, which can easily be guessed.

Whilst no code execution on the system is required for the memory dump, the exploitation still requires physical access or malware infection on the machine – though malicious scripts could automate this by checking for KeePass and returning the memory dump to the attacker for retrieval.

What Should I Do (At a Glance)

Whilst the researcher has stated KeePassXC, Strongbox and KeePass 1.X is not impacted, it has been confirmed that the latest version of KeePass (2.53.1) is among the affected. KeePass has since promised to roll out a fix for CVE-2023-32784 on KeePass 2.54. However, even then, it is likely that the master password is still stored in memory files which should be manually fixed by restarting the computer and clearing the swap and hibernation files. If you are particularly concerned about compromise, doing this same mitigation in the interim and stopping KeePass use until the new release should help.

More information on this (including more detail on the mitigations) can be found on the researchers’ release here: GitHub – vdohney/keepass-password-dumper: Original PoC for CVE-2023-32784.

 

Conclusion

This month has seen the introduction of some new developments on the blue side of security, with VirusTotals AI and Apple’s RSR patches showing the constant change in security as we move forward. These changes are needed as we also see groups on the other side of the fence changing up their tactics, too, with examples like BianLian’s move focus to extortion and data theft.

As always, it is essential to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others, such as the Discord Breach, Samsung’s ASLR bypass flaw, ASUS’s router outage error, and Microsoft VSCode’s malicious extensions, are examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyberaware! 

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.