
Cyber Security Month in Review: February 2024

Ivanti Vulnerabilities, Ditching the Authy App, Anydesk Breach, Jenkins Flaw and the Mother of All Breaches

Advice on How to Stay Cyber Secure

Discover the latest cyber security news and advice on how to protect your data. This month covers:

  • Ivanti vulnerabilities actively exploited
  • Ditching the Authy Desktop App
  • Anydesk Breach
  • Jenkins Flaw
  • Mother of All Breaches

Welcome back to this month’s security in review, with thanks to Jack Smallpage, ISO at Chess, for his contributions to Cyber Month in Review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.  

Ivanti series of vulnerabilities under active exploitation

At the start of the month, an advisory alerted organisations to a series of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure. These commercial virtual private network (VPN) solutions have been widely deployed by organisations worldwide.

At the beginning of January, two vulnerabilities were publicly disclosed, impacting all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateway products. The vulnerabilities (identified as CVE-2023-46805 and CVE-2024-21887) allow attackers to access restricted resources by circumventing control checks and execute arbitrary commands on affected systems without authentication.

This was made worse later in the month when two additional vulnerabilities were revealed. These newly discovered flaws exacerbate the situation, posing a significant risk to organisations relying on Ivanti’s solutions. These additional vulnerabilities (identified as CVE-2024-21888 and CVE-2024-21893) not only compromise system integrity but also enable a user to elevate to administrator privileges.

What Should I do (At a Glance)

Broader exploitation of the initially disclosed vulnerabilities was observed as early as mid-January, with threat actors actively targeting vulnerable systems to dangerous effect, emphasising the urgency of addressing these issues.

To help mitigate or remediate the issue, the NCSC recommends the following actions:

  1. Run the Ivanti external Integrity Checker Tool (ICT). The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or IoCs.
  2. Check for compromise using the detection steps and indicators of compromise (IoCs) detailed in the Ivanti KB article, the Volexity blog and the Mandiant blog.
  3. If you believe you have been compromised and are in the UK, you should report it to the NCSC.
  4. Review the Ivanti KB article and install the security update once it is available for your version. The vendor recommends performing a factory reset before installing the update.
  5. If an update for your version is not currently possible, install the vendor temporary workaround.
  6. Perform continuous monitoring and threat hunting activities.

Twilio ditching its Authy App

Twilio, the parent company of Authy (a popular two-factor authentication (2FA) app), has recently announced a significant change. Starting in August 2024, Twilio will phase out the desktop version of Authy, affecting users on Windows, MacOS, and Linux platforms.

The majority of Authy users already rely on the mobile app for 2FA. With the increasing prevalence of smartphones, mobile devices have become the primary platform for authentication. By focusing exclusively on mobile, Twilio aims to streamline its efforts and enhance the user experience. The upcoming update to Authy will bring enhanced security features, making the mobile app even more robust.

What Should I do (At a Glance)

Existing users are “strongly recommended to immediately switch” to the mobile app, though the iOS app will still be available to download on M1/M2 Apple computers, making MacOS users relatively unaffected for now.

For users worried about losing their passwords, enabling Authy’s backup feature ensures the desktop client synchronises with the mobile app. Admins should also keep an eye out for communications from platforms that rely on the API to authenticate users, switching to alternatives where impacted.

More information on the switch can be found here: Authy for Desktop End of Life (EOL) – Authy

AnyDesk Breach

On February 2, 2024, popular remote desktop software provider AnyDesk confirmed that its production systems had been compromised in a cyber-attack. The breach was detected during a security audit conducted by the company; attackers had managed to infiltrate critical components and expose sensitive information such as source code and code signing certificates.

Upon detecting the signs of compromise, AnyDesk conducted a security audit and collaborated with experts such as CrowdStrike to execute a prompt remediation plan. Once the offending vulnerabilities and affected systems had been remediated and secured, AnyDesk revoked all security-related certificates, and all passwords associated with their web portal.

What Should I do (At a Glance)

To protect yourself and maintain trust in AnyDesk’s products, it is recommended that you follow the below actions:

  1. Update AnyDesk: Ensure you are using the latest version of AnyDesk, which includes the new code signing certificate.
  2. Change Passwords: If you have an account on my.anydesk.com, change your password immediately.
  3. Monitor for Suspicious Activity: Regularly monitor your devices for any unusual behaviour.
  4. Stay Informed: Keep an eye on official AnyDesk communications for further updates, such as the communication here: AnyDesk Incident Response 5-2-2024.

Book Your Free 30-Minute Consultation

Our expert consultants are here to take the stress away from cyber security.

Whether you have a pressing question or big plans that need another pair of eyes, discuss it in a free 30-minute session with an expert consultant.

Jenkins Flaw

Jenkins, a widely used Continuous Integration/Continuous Deployment (CI/CD) automation server, has recently been in the spotlight due to a critical security vulnerability. This flaw, tracked as CVE-2024-23897, could potentially allow attackers to execute arbitrary code on vulnerable Jenkins servers.

The vulnerability stems from a feature of Jenkins’ built-in command line interface (CLI), which is enabled by default: when an argument contains an @ character followed by a file path, the command parser automatically replaces it with the file’s contents. Exploitation of this flaw can expose sensitive information such as SSH keys, credentials, source code and more.

What Should I do (At a Glance)

Scans by Shadowserver, an internet security data company, reveal that approximately 45,000 public-facing Jenkins servers remain vulnerable to this flaw. As such, admins should ensure any instance of Jenkins is identified and patched in line with the details below:

  1. Patch Jenkins: The Jenkins team promptly addressed the vulnerability in 2.442 and LTS 2.426.3. The fix involves disabling the command parser feature that allowed the exploit.
  2. Short-Term Workaround: Until the patch can be applied, administrators should turn off access to the CLI. This prevents attackers from exploiting the vulnerability.
  3. Monitor and Update: Regularly monitor security advisories and apply updates promptly. Jenkins provides detailed information on security-related issues which can be found here: Jenkins Security Advisory 2024-01-24.
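One way to triage an inventory against the fix versions in step 1, as an added example that is not the article’s or the Jenkins project’s own code: it assumes the fix versions quoted above (weekly 2.442, LTS 2.426.3) and that a Jenkins instance reports its version in an X-Jenkins response header; the host names and header blocks are constructed.

```python
"""Triage Jenkins instances against the CVE-2024-23897 fix versions.
Added example, not Jenkins project code: assumes the fix versions from the
advisory (weekly 2.442, LTS 2.426.3) and that Jenkins reports its version in
an X-Jenkins response header; the header blocks below are constructed."""
from typing import Optional

WEEKLY_FIXED = (2, 442)
LTS_FIXED = (2, 426, 3)


def parse_version(text: str) -> tuple:
    """Turn '2.426.2' into (2, 426, 2); drop suffixes such as '-SNAPSHOT'."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version_text: str) -> bool:
    """LTS releases carry a third component (2.426.3); weekly builds do not."""
    version = parse_version(version_text)
    fixed = LTS_FIXED if len(version) == 3 else WEEKLY_FIXED
    return version >= fixed  # tuple comparison is component-wise


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Extract the X-Jenkins value from a raw HTTP header block, if present."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(inventory: dict) -> dict:
    """Map host -> 'patched', 'VULNERABLE' or 'unknown' from captured headers."""
    result = {}
    for host, headers in inventory.items():
        version = version_from_headers(headers)
        if version is None:
            result[host] = "unknown"  # not Jenkins, or header suppressed
        else:
            result[host] = "patched" if is_patched(version) else "VULNERABLE"
    return result


# Constructed sample header blocks for three hypothetical hosts.
SAMPLE_INVENTORY = {
    "ci-lts.example.internal": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.426.2\r\n",
    "ci-weekly.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.442\r\n",
    "ci-other.example.internal": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}
```

Hosts reported as "unknown" still need a manual look, since an instance behind a proxy that strips headers would land there.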

Mother Of All Breaches

In the vast landscape of data breaches, there are leaks, and then there’s the Mother of All Breaches (MOAB). This record-breaking breach dwarfs all others, containing an astonishing 12 terabytes of information spanning over a mind-boggling 26 billion records. Let’s delve into the details of this historic breach.

Unlike a single data breach, the MOAB is a compilation. It includes compiled and re-indexed data from thousands of previous leaks, breaches, and privately sold databases, including known companies such as Twitter, LinkedIn and Adobe. Initially, the owner of this massive dataset remained a mystery. However, Leak-Lookup, a data breach search engine, identified itself as the holder of the leaked dataset. The root cause behind the leak was a “firewall misconfiguration,” which has since been rectified. But the implications of this breach are far-reaching.

While the leaked dataset primarily contains information from past data breaches, it almost certainly harbours new data that was not previously published. The MOAB comprises 26 billion records distributed across 3,800 folders, each corresponding to a separate data breach. These billions of new records point to the likelihood of never-before-seen information being part of the leak.

What Should I do (At a Glance)

Whilst it is believed to contain mostly pre-existing data, the MOAB remains dangerous because of its aggregation. Threat actors can exploit this data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorised access to personal and sensitive accounts. The sheer volume of exposed information poses enough of a risk to urge users and organisations globally to check their own account security.

  • Check whether your data has been leaked. The advanced scanning software within CyberLab Control crawls the Dark Web for compromised business credentials. Where it finds stolen data, we identify the source of the breach, alert you instantly, and advise you of the best course of action to keep your accounts secure.

  • Use of Multi-Factor Authentication helps reduce the impact of credential breaches and should be implemented on all accounts that support it.

  • Users should also remember not to re-use passwords, as it is breaches like these that increase the likelihood of an attacker “trying their luck” with passwords you’ve reused on other accounts.

Conclusion

It’s been a busy start to 2024, with several notable breaches and high-value vulnerabilities. The Ivanti series of flaws continues to unravel, causing concern for its userbase, while similar flaws such as the Jenkins CI/CD vulnerability have urged admins to patch and identify instances which could be public facing. Breaches like MOAB and AnyDesk also remain a reminder for users to enforce good account and password security practice, and remind admins of the importance of supply chain security and communication.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others such as HPE’s data breach, Trello’s API abuse, the Linux glibc privilege escalation flaw, and Fortinet’s FortiSIEM RCE exploit are just some examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyber aware! If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.
