Cyber Month in Review March 2024

Cyber Security Month in Review: March 2024

ConnectWise, Zoom Privilege Escalation, Apple Quantum-Resistant Encryption, LockBit Takedown,  and 73 Patches.

Advice on How to Stay Cyber Secure

Discover the latest cyber security news and advice on how to protect your data. Welcome back to this month’s security in review, with thanks to Jack Smallpage, ISO at Chess, for his contributions to Cyber Month in Review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.  

ConnectWise 

On February 19th, ConnectWise issued a warning to their customers regarding a maximum severity authentication bypass flaw in their ScreenConnect solution. The vulnerability (identified as CVE-2024-1709) allows an unauthenticated attacker access to confidential data or remote code capability on vulnerable servers and has been aptly given a CVSS score of 10 as a result. A second vulnerability was also highlighted and identified as a path traversal flaw (CVE-2024-1708) which unlike the above, requires high privileges and marked with a CVSS score of 8.4. 

With both flaws being reported on February 13th by an independent researcher, ConnectWise quickly pushed out an advisory and patch to remediate the issue for all on-premise users, whilst cloud-hosted instances on ‘screenconnect.com’ or ‘hostedrmm.com’ were mitigated by ConnectWise themselves. However, it didn’t take long before the exploit code was revealed and exploited in the wild by attackers, with multiple accounts compromised already as confirmed by the advisory.  

What Should I do (At a Glance)

With observed activity of active exploitation and the availability of the exploit code now in the wild, it is essential that admins responsible for managing on-prem instances of ScreenConnect Server instances take the following actions right away:  

1. Quarantine: Any instances running a version under 23.9.8 should be taken offline or isolated immediately to mitigate against ongoing exploitation. 

1. Investigate: Admins should assess their exposure and determine the level in which they are affected using the threat hunting information available on Sophos’s page here: ConnectWise ScreenConnect attacks deliver malware – Sophos News. ConnectWise have also identified the following IP addresses as indicators of compromise:  

• 155.133.5.15 
• 155.133.5.14 
• 118.69.65.60 

It’s important that admins scan their environment regardless. As there may well be instances of ScreenConnect you are unaware of.  

1. Apply the Patch: Ensure that your ScreenConnect installation is updated to the latest patched version before re-introducing it to the network. ConnectWise released a patch for on-prem partners, specifically version 23.9.8 or later. 

1. Supply Chain: If you have instances of ScreenConnect clients, you should assume they are also vulnerable until the patch status of all servers that connect to it can be ascertained and confirmed. 

More information on the exploit and updates can be found on the ConnectWise advisory here: ConnectWise ScreenConnect 23.9.8 security fix 

Zoom privilege escalation 

Zoom, the well-known video conferencing service used by businesses, education and personal homes worldwide has also addressed a series of security vulnerabilities this month, with the most critical among them carrying a CVSS score of 9.6. This particular vulnerability (identified as CVE-2024-24691) lies within the Zoom Desktop and VDI clients for Windows, and Zoom Meeting SDK for Windows, and involves improper input validation that could allow unauthenticated users to escalate their privileges via network access. 

The discovery of the vulnerability was made by Zoom’s own security division and whilst there is not yet evidence of exploitation in the wild, it is important that users update their software as soon as possible before this changes. 

In addition to CVE-2024-24691, Zoom has patched several other security issues, including CVE-2024-24690, CVE-2024-24699, and CVE-2024-24698, which range from medium to high severity. These vulnerabilities could lead to denial-of-service attacks, information disclosure, and improper authentication. 

What Should I do (At a Glance)  

The vulnerability impacts the following product versions: 

• Zoom Desktop Client for Windows before version 5.16.5 
• Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12) 
• Zoom Rooms Client for Windows before version 5.17.0 
• Zoom Meeting SDK for Windows before version 5.16.5 

Whilst the update should automatically prompt users, it is important to check, and if required, manually install the latest release of the desktop client (version 5.19.7). 

More information can be found on Zoom’s bulletin here: Zoom Security Bulletins | Zoom. 

Apple moves into quantum-resistant encryption 

On the blue side of security this month, Apple has taken a significant leap forward in securing digital communications against future quantum computing threats with the introduction of PQ3, a post-quantum cryptographic protocol for iMessage. 

Traditional encryption methods rely on complex mathematical problems that are currently too challenging for classical computers to solve within a reasonable timeframe, making them secure. However, the need for this updated encryption is due to the introduction of the quantum computer (albeit in early stages) and its ability to solve these problems much more rapidly, potentially exposing encrypted data to new vulnerabilities. 

Apple has pre-emptively fortified its iMessage encryption, ensuring that communications remain secure even when quantum computers become a more realised reality. PQ3 combines the robustness of Elliptic-Curve cryptography, which is the existing encryption algorithm for iMessage, with the advanced protection of post-quantum cryptography. This hybrid approach creates a formidable defence against both classical and quantum attacks. 

Apple’s initiative in the quantum space sets a path which acts as a warning of the potential threat quantum computing will create in the not-so-distant future, whilst setting a precedent in which other companies will surely follow to ensure readiness.  

More information can be found on Apple’s release here: Blog – iMessage with PQ3: The new state of the art in quantum-secure messaging at scale – Apple Security Research 

LockBit Takedown 

In a sweeping international effort, the notorious LockBit ransomware group was brought to its knees this month in a landmark victory for cybersecurity. The operation, dubbed “Operation Cronos,” saw the collaboration of the UK’s National Crime Agency (NCA), the FBI, and other international partners, culminating in the seizure of LockBit’s infrastructure and the arrest of key figures within the organisation.  

LockBit, known for its ransomware-as-a-service operations, has been a significant threat to businesses, hospitals, and governments worldwide. The group’s sophisticated attacks have resulted in billions of pounds, dollars, and euros in losses due to ransom payments and recovery costs. 

The takedown operation was a result of various law enforcement agencies and involved seizing 34 servers operated by LockBit, closing 14,000 rogue accounts, and freezing over 200 cryptocurrency accounts linked to the group’s activities. LockBit’s bespoke data exfiltration tool, Stealbit, was also seized, further crippling the group’s capabilities. 

The success of the operation highlights the important of international cooperation and transparency in combating cyber threats, with the private sector (such as Trend Micro and Secureworks) also playing its part and helping agencies to create a united front. It’s through information sharing and not obscurity, that organisations and governments globally are able to share information to strengthen defences. It is important to note that conversely, groups like LockBit are difficult to truly eliminate fully as new servers have already resurfaced as cybercriminals learnt and adapt their tactics in the ever-changing game of cat and mouse. 

The NCSC statement for this takedown can be found here: NCSC statement on law enforcement’s disruption of LockBit… – NCSC.GOV.UK 

February’s 73 patch Tuesday

Microsoft has released its monthly security update for February 2024, addressing 73 vulnerabilities across its products and services. Among them, five are rated as critical, 65 as important, and two as moderate. Two of the vulnerabilities (marked as zero-days), CVE-2024-21351 and CVE-2024-21412, have also been reported as being exploited in the wild by malicious actors. 

CVE-2024-21351 Windows SmartScreen (CVSS score 7.6): This vulnerability allows attackers to bypass the Microsoft Defender SmartScreen security feature using a malicious file. Exploitation of this vulnerability involves the attacker leverages social engineering tactics like phishing to convince the target to open the malicious file and bypass the SmartScreen user experience.  

CVE-2024-21412 Internet Shortcut Files (CVSS score 8.1): Similar to the SmartScreen flaw, this vulnerability involves the attacker convincing the target to open malicious internet shortcut files to bypass displayed security checks and lead to remote code execution (RCE) on affected systems. 

CVE-2024-21410 Exchange Server Elevation of Privilege (CVSS score 9.8): This vulnerability gives a remote, unauthenticated attacker a way to disclose and then relay Windows NT Lan Manager (NTLM) hashes to impersonate / be authenticated as legitimate users on Exchange Server. Affecting version such as Exchange Server 2016, cumulative update 23; Exchange Server 2019, cumulative update 13; and Exchange Server 2019, cumulative update 14, Microsoft have highlighted this vulnerability as one that is likely to be exploited within the next 30 days.  

What Should I do (At a Glance) 

The above listed vulnerabilities are just some of the exploits of note in the vast Microsoft patch. With vulnerabilities like the Exchange server elevation flaw likely to be exploited soon, it is important that admins get ahead of the game by applying the patches quickly and ensuring they have applied across the entire estate.  

More information on the other vulnerabilities can be found in Microsoft’s update guide here: February 2024 Security Updates – Release Notes – Security Update Guide – Microsoft. 

Conclusion 

There’s been a mix of good and bad this month. The ConnectWise exploit has shown to be a dangerous development which will continue to damage networks while admins rush to identify and apply the patch, whilst advances like Apple’s PQ3 show how quickly business need and can adapt to the changing landscape. 

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others such as the latest FortiSIEM RCE bugs, the UK’s move with e-visas, Wyze’s camera glitch, and Mercedes-Benz’s mishandled GitHub token exposure are many examples of other updates you should be aware of and research. 

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyber aware! If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.