
Cyber Security Month in Review: October 2023

Confluence Zero-day, Sony Data Breach, Cisco IOS XE exploit, Amazon MFA & Microsoft’s VBScript and NTLM Plan

Advice on How to Stay Cyber Secure

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

  • Confluence Zero-day
  • Sony Data Breach
  • Cisco IOS XE zero day actively exploited
  • Amazon to require MFA and introduce passkey sign-in
  • Microsoft’s plan with VBScript and NTLM

Welcome back to this month’s security in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of. Because last month’s review was missed, this slightly extended article merges August and September into one piece, covering the most prominent stories from both so that together we can stay cyber secure.

Confluence Zero-day

To start this month’s article, Atlassian Confluence has been affected by a critical vulnerability in some versions of Confluence Data Centre and Server, exposing millions of users to potential cyberattacks. Confluence is a popular collaboration software that allows teams to create, share, and manage documents, projects, and knowledge.

The vulnerability, CVE-2023-22515, is a broken access control flaw that allows unauthenticated remote attackers to create unauthorised administrator accounts and access Confluence instances. The attackers can then perform various malicious actions, such as exfiltrating data, installing malware, or compromising other systems on the network.

The CVSS 10.0 vulnerability was disclosed on October 4, 2023, with Atlassian releasing patches for the affected versions and urging customers to upgrade immediately.

However, the patches came too late for some users, as Microsoft Threat Intelligence revealed that it had been tracking active exploitation of the vulnerability since September 14, 2023. Microsoft attributed the attacks to a Chinese state-backed hacking group called Storm-0062 (also known as DarkShadow or Oro0lxy), and the US authority CISA issued a joint cybersecurity advisory on October 16, 2023, warning of the ongoing exploitation of the vulnerability by nation-state actors and other threat groups. The advisory stated that, due to the ease of exploitation, widespread and continued attacks are expected.

The advisory also provided detection signatures and indicators of compromise (IOCs) to help network administrators identify and respond to potential intrusions.

The advisory emphasised the importance of applying the patches as soon as possible and conducting a thorough investigation of any affected Confluence instances. The advisory also recommended taking additional steps to secure the network, such as turning off unnecessary services, enforcing strong passwords, implementing multi-factor authentication, and monitoring network traffic.

The Atlassian Confluence zero-day vulnerability is a serious threat to networks that use the software for collaboration and communication. Users should act immediately to protect their data and systems from potential compromise, and should stay vigilant and informed of any new developments or updates regarding this issue.

What Should I Do (At a Glance)

The first thing customers should do is assess whether or not they are affected by the vulnerability and upgrade to the latest fixed version as soon as possible where necessary. CISA’s advisory also provides detection signatures and indicators of compromise (IOCs) to help admins identify and respond to any instances of compromise via this vulnerability.

For more information, the CISA advisory can be found here: Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks | CISA

The Atlassian notification can also be found here: CVE-2023-22515 – Broken Access Control Vulnerability in Confluence Data Center and Server | Atlassian Support | Atlassian Documentation


Sony Data Breach

Sony is investigating its second data breach just five months after allegations on hacking forums that data had been stolen from its systems. The first happened in May 2023, when hackers exploited a vulnerability in the MOVEit Transfer platform, which Sony used to share sensitive data. This initial attack, carried out by the ransomware gang known as CL0P, stole the personal information of 6,791 individuals in the US, including current and former employees and their family members. The data included names, addresses, social security numbers, and other confidential details. Sony discovered this breach on June 2 and notified the affected individuals, offering them credit monitoring and identity restoration services.

This more recent and second breach, however, occurred towards the end of September, when two separate hackers both claimed to have breached Sony’s online systems and leaked 3.14 GB of data on the dark web. The data included screenshots of an internal login page, a PowerPoint presentation, and some Java files. However, unlike the first breach, there is no evidence of personal data compromise. Sony is still investigating the breach and has not disclosed the extent of the damage or the potential impact on its customers and partners.

What Should I Do (At a Glance)

Both breaches highlight the challenges that Sony and other companies face in protecting their data from cyberattacks. They also underscore the importance of having robust cybersecurity measures and updating them regularly to prevent future incidents.


Cisco IOS XE zero day actively exploited

Cisco has warned its customers that a critical zero-day vulnerability affecting the web user interface of its IOS XE software is being actively exploited by hackers to compromise routers, switches, and wireless LAN controllers. The vulnerability, tracked as CVE-2023-20198, allows attackers to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device and enabling further unauthorised activity. The vulnerability was discovered by Cisco Talos researchers on September 28, when they noticed suspicious activity on a customer device. On October 12 they detected an additional unauthorised user named “cisco_support”, which, unlike the September finding, was accompanied by several subsequent malicious actions.

With approximately 145,000 Cisco IOS XE hosts reachable over the internet, the scope for this zero-day is massive. In an update on October 18, Censys reported that over 40,000 Cisco devices had been infected by the implant so far; the implant allows the attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.

However, in a recent concerning development, the number of infected devices has plummeted from the 40,000 mark to just 1,200. Whilst (at the time of this article) it is not fully known why this has happened, it is speculated that the original threat actor has either removed the implants or, more likely, updated them to hide their presence.

What Should I Do (At a Glance)

Regardless of whether the attacker has removed or updated the implants, the exploit remains a serious one for those affected. The vulnerability has received the highest CVSS score of 10, indicating that it is easy to exploit and has a severe impact. The NCSC recommend the following priority actions:

  1. Check for compromise using the detection steps and indicators of compromise (IoCs) detailed in the Cisco advisory.
  2. If you believe you have been compromised and are in the UK, report it to the NCSC.
  3. Disable the HTTP Server feature on all internet-facing devices or restrict access to trusted networks.
  4. Install the latest version of Cisco IOS XE. More information is on the Cisco website. Organisations should monitor that advisory for the latest information and software updates.

Cisco has also released the following decision tree for admins to help identify and triage the issue:

  • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes. Is ip http server or ip http secure-server configured?
      • No. The vulnerabilities are not exploitable. No further action is necessary.
      • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        • No. Disable the HTTP Server feature.
        • Yes. If possible, restrict access to those services to trusted networks.
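The decision tree above, applied to the saved text of a device’s running configuration, as an added example (not Cisco’s or CyberLab’s code). It checks whether the HTTP or HTTPS server is enabled, whether access to it is restricted, and whether the “cisco_support” local user reported by Cisco Talos is present. Assumptions: an ip http access-class line is taken as the operator’s restriction to trusted networks, other privilege-15 local users are only listed for review, and both configs in the block are constructed sample data.

```python
"""Triage a Cisco IOS XE running-config with the CVE-2023-20198 decision tree.

Added example (not Cisco's or CyberLab's code). It walks the decision tree
quoted in the article over the text of `show running-config`: is the HTTP or
HTTPS server enabled, is access to it restricted, and is the "cisco_support"
local user that Cisco Talos reported present. Assumption: an
`ip http access-class ...` line is taken as the operator's restriction to
trusted networks. Both configs below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

IOC_USERNAME = "cisco_support"  # unauthorised account name reported by Cisco Talos

# Constructed sample: exposed web UI plus the reported unauthorised user.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 9 REDACTED
username cisco_support privilege 15 secret 9 REDACTED
ip http server
ip http secure-server
"""

# Constructed sample: HTTP off, HTTPS kept for a service but restricted by ACL.
HARDENED_CONFIG = """\
hostname core-sw-02
username admin privilege 15 secret 9 REDACTED
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""


@dataclass
class Triage:
    http_server: bool = False
    https_server: bool = False
    access_restricted: bool = False
    ioc_user_present: bool = False
    privilege15_users: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def triage_config(config: str, is_ios_xe: bool = True) -> Triage:
    """Return the triage result and recommended actions for one device."""
    t = Triage()
    if not is_ios_xe:
        t.actions.append("Not IOS XE: not vulnerable, no further action.")
        return t

    lines = [ln.strip() for ln in config.splitlines()]
    # Exact matches, so a 'no ip http server' line does not count as enabled.
    t.http_server = "ip http server" in lines
    t.https_server = "ip http secure-server" in lines
    t.access_restricted = any(ln.startswith("ip http access-class ") for ln in lines)

    # Every privilege-15 local user is worth a look; the IoC name is flagged.
    for ln in lines:
        m = re.match(r"username (\S+) privilege 15\b", ln)
        if m:
            t.privilege15_users.append(m.group(1))
    t.ioc_user_present = IOC_USERNAME in t.privilege15_users

    if t.ioc_user_present:
        t.actions.append(
            f"Local user '{IOC_USERNAME}' found: treat the device as compromised "
            "and follow the detection steps in the Cisco advisory.")
    if not (t.http_server or t.https_server):
        t.actions.append("HTTP server not configured: not exploitable, no further action.")
    elif t.access_restricted:
        t.actions.append("Web UI restricted by access-class: confirm the ACL only "
                         "permits trusted networks, then install the latest IOS XE.")
    else:
        t.actions.append("Web UI reachable without restriction: run 'no ip http server' "
                         "and 'no ip http secure-server', or restrict with "
                         "'ip http access-class' if a service such as eWLC needs it; "
                         "then install the latest IOS XE.")
    return t


if __name__ == "__main__":
    for name, cfg in (("edge-rtr-01", EXPOSED_CONFIG), ("core-sw-02", HARDENED_CONFIG)):
        result = triage_config(cfg)
        print(name, "privilege-15 users:", result.privilege15_users)
        for action in result.actions:
            print("  -", action)
```

Run it over the saved show running-config output of each device. The account check covers only the one name the article mentions, so the full detection steps and IoCs in the Cisco advisory still need to be applied to every device that had the web UI exposed.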

Amazon to require MFA and introduce passkey sign-in

Amazon has announced two major changes to its sign-in process that will affect millions of customers. Starting from mid-2024, Amazon will require multi-factor authentication (MFA) for all privileged AWS accounts, and starting this month, Amazon will allow customers to use passkeys, a passwordless sign-in option, on its website and iOS app.

MFA is a well-established practice now, and many continue to use this additional measure to protect accounts and make it harder for attackers to get in by stealing passwords. However, despite the guidance, there are still many instances where MFA has yet to be set up, and big companies like Amazon need to enforce the option to secure those who may not be in the know. Amazon has stated that the requirement will apply to all privileged accounts from mid-2024, privileged accounts being those with permission to perform actions that can affect the security or availability of AWS resources, such as creating or deleting users, changing passwords, or modifying security policies.

In the meantime, however, they have also joined other tech companies such as Google, Microsoft, and Apple in offering passkeys, which allow users to sign in to Amazon without a password. Instead, users authenticate with the same face, fingerprint, or PIN they use to unlock their device. This offers a more accessible and safer way to sign in, as users don’t need to remember or type passwords, which can otherwise be forgotten, stolen, or guessed. Moreover, since passkeys are unique to each device and domain, the compromise of one device or domain leaves the other devices and domains protected.

What Should I Do (At a Glance)

Whilst applying MFA to privileged accounts is critical and should be prioritised, admins should ensure MFA is applied to all user accounts that can support it, as a matter of best practice. And whilst Amazon is only making this change mandatory in 2024, admins should apply these improvements now rather than waiting, to avoid unnecessary risk. For those interested in the passkey approach, the option is available in the Amazon “Login & Security” settings, with instructions.

Amazon’s announcement on the MFA requirement can be found here: Secure by Design: AWS to enhance MFA requirements in 2024 | AWS Security Blog (amazon.com)

Amazon’s passkey rollout detail can be found here: Amazon is making it easier and safer for you to access your account with passwordless sign-in (aboutamazon.com)
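One way to act on the advice above and find the accounts that still lack MFA, as an added example that is not Amazon’s own tooling. It parses the IAM credential report (the CSV that the aws iam get-credential-report command returns base64-encoded) and lists every console user without an MFA device, reporting the root user separately. The report text in the block is constructed sample data with a trimmed set of columns and the documentation example account id 123456789012.

```python
"""Find identities that can sign in to the AWS console without MFA.

Added example, not Amazon's own tooling. It parses the IAM credential report
(the CSV that `aws iam get-credential-report` returns base64-encoded) and
lists every user with a console password but no MFA device, plus whether the
root user has MFA. The report below is constructed sample data with a trimmed
set of columns and the documentation example account id 123456789012.
"""
import csv
import io

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2023-10-01T09:00:00+00:00,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2023-10-20T08:12:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-07-19T00:00:00+00:00,true,2023-10-21T15:40:00+00:00,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-01-10T00:00:00+00:00,false,no_information,false,true
"""

ROOT_ROW = "<root_account>"  # the user value the report uses for the root user


def find_mfa_gaps(report_csv: str) -> dict:
    """Return the root MFA state and the console users lacking MFA."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root_mfa = None
    missing = []
    for row in rows:
        has_mfa = row["mfa_active"] == "true"
        if row["user"] == ROOT_ROW:
            # The root row reports password_enabled as not_supported; root
            # always has a password, so only mfa_active matters here.
            root_mfa = has_mfa
            continue
        # Only identities with a console password are protected by console MFA;
        # access-key-only users (deploy-bot) are a separate review item.
        if row["password_enabled"] == "true" and not has_mfa:
            missing.append(row["user"])
    return {"root_mfa_enabled": root_mfa, "console_users_without_mfa": missing}


def report_lines(gaps: dict) -> list:
    """Human-readable findings, most privileged identity first."""
    lines = []
    if gaps["root_mfa_enabled"] is False:
        lines.append("ROOT: no MFA device registered; enable it before anything else.")
    for user in gaps["console_users_without_mfa"]:
        lines.append(f"{user}: console password enabled, no MFA; enable an MFA device.")
    if not lines:
        lines.append("All console identities have MFA.")
    return lines


if __name__ == "__main__":
    for line in report_lines(find_mfa_gaps(SAMPLE_REPORT)):
        print(line)
```

To run it against a real account, generate the report with aws iam generate-credential-report, then fetch it with aws iam get-credential-report --query Content --output text | base64 -d and pass the decoded text to find_mfa_gaps. Access-key-only users are deliberately not listed because console MFA does not apply to them; they need their own review.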


Microsoft’s plan with VBScript and NTLM

Microsoft has announced that it will deprecate two legacy technologies, VBScript and NTLM, in future versions of Windows. The move is part of the company’s efforts to modernise its operating system and improve its security and performance.

What are VBScript and NTLM?

VBScript, short for Visual Basic Scripting Edition, is a scripting language that was introduced in 1996 as a way to automate tasks and add interactivity to web pages and applications. It was widely used by system administrators and web developers, especially in Microsoft environments such as Internet Explorer and Internet Information Services (IIS).

NTLM, short for NT LAN Manager, is an authentication protocol that was developed in the 1980s for Windows NT. It allows users to log in to a network or a server using a username and password. It was later replaced by Kerberos, a more secure and robust protocol that supports single sign-on and encryption.

Why are they being deprecated?

Both VBScript and NTLM have been considered obsolete for a long time as newer and better technologies have superseded them. For example, VBScript has been replaced by PowerShell, whilst NTLM has been replaced by Kerberos, which offers more robust security and compatibility with other platforms.

Moreover, VBScript and NTLM have been associated with various security risks and vulnerabilities, such as VBScript’s WannaCry exploitation. Likewise, NTLM has been prone to multiple attacks, such as relay, brute force, or password cracking.

Microsoft has decided to phase out these technologies to reduce the attack surface and improve the user experience of Windows. According to the official list of deprecated features for Windows clients, “VBScript is being deprecated. In future releases of Windows, VBScript will be available as a feature on-demand before its removal from the operating system.” The same document also states that “NTLM will be deprecated in future releases of Windows.”

What Should I Do (At a Glance)

The deprecation of VBScript and NTLM means that they will no longer be supported or updated by Microsoft in future versions of Windows. Users and developers who rely on these technologies must migrate to alternative solutions before they become unavailable or incompatible.

Microsoft has yet to specify when exactly these technologies will be removed from Windows, but they will likely be phased out gradually over the next few years. In the meantime, Microsoft advises users and developers to prepare for the transition and update their systems accordingly.

By retiring these legacy technologies, Microsoft aims to eliminate potential security risks and improve the user experience of Windows. Users and developers who use these technologies will have to migrate to alternative solutions before they become obsolete or incompatible with future versions of Windows.
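Preparing for the NTLM transition starts with knowing which accounts and hosts still authenticate with it. The following is an added example (not Microsoft’s tooling) that builds that inventory from Windows Security event 4624 (successful logon) records, which carry the AuthenticationPackageName and LmPackageName fields. The four events in the block are constructed sample data, not real logs.

```python
"""Inventory NTLM logons from Windows Security event 4624 records.

Added example, not Microsoft's tooling. Before NTLM is removed, an admin needs
to know which accounts and hosts still authenticate with it. This parses the
XML of 4624 (successful logon) events, which carry AuthenticationPackageName
(Kerberos, NTLM or Negotiate) and LmPackageName (NTLM V1 / NTLM V2 when NTLM
was used). The events below are constructed sample data, not real logs.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(user, domain, logon_type, auth_pkg, lm_pkg, workstation, ip):
    """Build one constructed 4624 record in Windows event XML shape."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="AuthenticationPackageName">{auth_pkg}</Data>
    <Data Name="LmPackageName">{lm_pkg}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: one Kerberos logon and three NTLM logons.
SAMPLE_EVENTS = [
    _event("alice", "CORP", 3, "Kerberos", "-", "WS01", "10.0.0.11"),
    _event("svc-backup", "CORP", 3, "NTLM", "NTLM V2", "FILESRV01", "10.0.0.50"),
    _event("legacy-scanner", "CORP", 3, "NTLM", "NTLM V1", "PRINTSRV", "10.0.0.77"),
    _event("svc-backup", "CORP", 3, "NTLM", "NTLM V2", "FILESRV02", "10.0.0.51"),
]


def parse_4624(xml_text: str) -> dict:
    """Return the EventData fields of a 4624 event as a name -> value dict."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        raise ValueError("not a 4624 event")
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}


def ntlm_inventory(events) -> dict:
    """Count logons per package and list where each account still uses NTLM."""
    by_package = Counter()
    ntlm_by_account = defaultdict(set)  # account -> {(workstation, ip, lm version)}
    ntlmv1_accounts = set()
    for xml_text in events:
        data = parse_4624(xml_text)
        pkg = data["AuthenticationPackageName"]
        by_package[pkg] += 1
        if pkg == "NTLM":
            account = f"{data['TargetDomainName']}\\{data['TargetUserName']}"
            ntlm_by_account[account].add(
                (data["WorkstationName"], data["IpAddress"], data["LmPackageName"]))
            # NTLMv1 is the weakest variant and the first thing to remove.
            if data["LmPackageName"] == "NTLM V1":
                ntlmv1_accounts.add(account)
    return {
        "by_package": dict(by_package),
        "ntlm_by_account": {k: sorted(v) for k, v in ntlm_by_account.items()},
        "ntlmv1_accounts": sorted(ntlmv1_accounts),
    }


if __name__ == "__main__":
    inv = ntlm_inventory(SAMPLE_EVENTS)
    print("logons by package:", inv["by_package"])
    for account, places in inv["ntlm_by_account"].items():
        print(account, "still uses NTLM from:", places)
    print("NTLMv1 accounts:", inv["ntlmv1_accounts"])
```

Feed it the exported XML of 4624 events from domain controllers and file servers; the accounts and hosts it lists are the ones that need a Kerberos-capable configuration before NTLM is removed.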

More information on this can be found on Microsoft’s page here:

Resources for deprecated features in the Windows client – What’s new in Windows | Microsoft Learn and The evolution of Windows authentication | Windows IT Pro Blog (microsoft.com)


Conclusion

It’s been another busy month with the Cisco IOS exploit giving plenty of updates throughout, whilst other providers like Confluence suffered zero days of their own. However, despite data breaches like Sony’s, security continues to evolve as more changes come in from Microsoft to push admins to newer and more secure standards.

As always, it is essential to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others, such as Apple’s latest bout of updates, Microsoft’s security AI copilot early access, the Citrix NetScaler zero-day, Casio’s data breach affecting 149 countries, and the record-breaking HTTP/2 DDoS zero-day, are just some of the other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you stay caught up in the future.

Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyberaware! If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.

 
