Author: Crystal Hewett

ACSC Flags Microsoft Exchange Vulnerabilities

The Australian Cyber Security Centre (ACSC) has reported two new zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019.

Microsoft has published the Common Vulnerabilities and Exposures (CVE) identifiers assigned to them:

  • CVE-2022-41082 – remote code execution vulnerability
  • CVE-2022-41040 – elevation of privilege vulnerability

Also noted are historical CVEs related to ProxyShell, including:

  • CVE-2021-34473 – pre-auth path confusion leads to ACL bypass (patched in April by KB5001779).
  • CVE-2021-34523 – elevation of privilege on the Exchange PowerShell backend (patched in April by KB5001779).
  • CVE-2021-31207 – post-auth arbitrary-file-write leads to RCE (patched in May by KB5003435).

Organisations are urged to deploy mitigations, particularly those that have already suffered breaches. The advice also calls for searching for post-exploitation activity, including the deployment of webshells.

The ACSC is not yet aware of successful exploitation in Australia and has advised stakeholders to monitor the situation. Impacted organisations have been encouraged to report any incidents to the agency.

To find out how Acurus can protect your organisation from vulnerabilities, contact us today.



    Optus Hacked: Customers warned to check in with their banks after personal data exposed

    Last Thursday, Optus alerted its customers of the security breach and confirmed that the attack was quickly identified and shut down. However, the telco’s 11 million customers have been urged by cyber security experts to be extra vigilant of potential threats over the coming weeks.

    Types of personal data that had been compromised included home addresses, ID documents such as driver’s licences and passports, phone numbers and customer names.

    Optus is working with the Australian Federal Police, Australian Signals Directorate, and Office of the Australian Information Commissioner to mitigate risk and find the culprit of the attack.

    The telco has confirmed the attack did not compromise services such as mobile and home internet, payment details or account passwords. The company also verified that messages and voice calls had not been compromised and were safe to use as well.

    Experts are concerned that the security breach could open the way to more social engineering attacks, in which scammers pretend to be an Optus representative and trick people into handing over sensitive data.

    The Australian Cyber Security Centre (ACSC) has been notified of the incident, according to a spokesman for Cyber Security Minister Clare O’Neil.

    “The Australian Signals Directorate’s Australian Cyber Security Centre has seen broad targeting of Australians and Australian organisations, through rapid exploitation of technical vulnerabilities by state actors and cyber criminals seeking to exploit weaknesses and steal sensitive data.”

    The Optus data breach has been dubbed one of Australia’s largest cyber attacks in history. According to Optus, the type of information which may have been exposed includes:

    • Customers’ names
    • Dates of birth
    • Phone numbers
    • Email addresses

    For a subset of customers, the compromised data also includes:

    • Addresses
    • ID document numbers such as driver’s licence or passport numbers

    Optus says payment details and account passwords have not been compromised.

    According to Sean Duca, vice president and regional chief security officer for APJ at Palo Alto Networks, the attack calls for even stronger collaboration between the Australian government and the private sector to tackle the rise in cyber attacks.

    If you would like more information on how to identify potential cyber security threats, speak to one of our cyber security experts today.



      LastPass Notified Users of Security Incident

      In late August, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.”

      In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

      LastPass’s software acts like a safe for your valuable passwords and private information. Because of the way LastPass works, the company itself can never see the contents of the “safe” it provides. This security incident is as if the designs for a safe had been stolen from a safe-making factory, but not the actual safes themselves or the valuable information, such as passwords, kept inside them.

      Attackers having access to a program’s source code does not mean they can instantly compromise it or break through its defences. Famously, Microsoft says it does not rely on its source code remaining private for security, and that people being able to read it should not be a risk.

      As LastPass explains, at this point LastPass users do not need to do anything: there is no reason to spend an afternoon changing your master password and doing a full security audit.

      If LastPass changes its position or releases further information on the matter we will share it here.

      If you have any questions or wish to know more about this incident, please contact us below.



        How the Russia-Ukraine war makes ransomware payments harder

        Before the start of the Russia-Ukraine war, nearly 75 per cent of cryptocurrency payouts for ransomware went to Russia, according to a study conducted by Chainalysis.

        As Russia is now a sanctioned country, the legal ramifications of paying ransoms mean that victims seeking response and negotiation services are being turned down.

        Russian sanctions are wide and ambiguous, making them difficult to abide by, says Kurtis Minder, CEO of digital risk protection firm GroupSense, who has negotiated hundreds of ransomware payouts over the past two years.

        Sanctions aim to combat ransomware by disrupting ransomware gangs, bolstering resilience, making laundering through cryptocurrency more difficult, and addressing safe harbours like those in Russia.

        Below are some points to be aware of when considering ransomware in the current Russia-Ukraine war climate.

        Politics have tightened sanctions on ransomware payments

        Since Russia launched its war against Ukraine, paying ransoms to Russian entities has become a political hot button, with some officials considering ransomware payouts a threat to national security.

        While no businesses have yet been charged for paying ransoms under these sanctions, those that violate them can be slapped with civil and criminal penalties even if the victim doesn’t know they’re in violation.

        Some sanctions lists are out of date

        An example is REvil, which supposedly shuttered operations in January. Now REvil seems to have reemerged under a Russian dark web marketplace called RuTOR. Another example is Conti, which has changed names and diversified into multiple spinoffs since its operators threatened to defend Russia with counterattacks.

        Paying a ransom through any of these entities would be in violation of sanctions, so it is important to keep up to date with cyber security news. Subscribe to the Acurus State of Cyber Security Newsletter to stay informed of current industry updates.

        Be ready before a ransomware attack

        Victims and law enforcement need to work together and share intelligence. Relationships with authorities will reduce liability in the event that the victim unknowingly pays a ransom to or through sanctioned entities and affiliates. If, under the weight of a ransomware attack, the victim organisation has reached out to authorities, it demonstrates cooperation with law enforcement and may

        Take care when preserving evidence that is highly volatile or has limited retention, such as system memory, Windows security logs or data in firewall log buffers, to prevent loss or tampering. Also check whether the bureau has a decryption key, which may be available for a specific ransomware strain.

        Focus on ransomware prevention

        With legal liability tied to paying ransoms to Russian and other sanctioned entities, prevention becomes even more critical for enterprise CISOs. Start by addressing the basics: over-permissive or shared admin rights, lack of application whitelisting, and lack of visibility into systems and networks.

        To learn more about how the ransomware landscape is being affected by Russian sanctions, contact one of our IT experts today.



          Microsoft confirms new zero-day code execution vulnerability in Office Software

          Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

          Microsoft has confirmed a zero-day flaw in its Office software that could be abused to achieve arbitrary code execution on affected Windows systems. The vulnerability is tracked as CVE-2022-30190, with a CVSS severity score of 7.8 out of 10.

          The vulnerability uses Word’s external link feature to load an HTML file and then abuses the Microsoft Support Diagnostic Tool (MSDT) to allow attackers to execute PowerShell code remotely on compromised devices.

          The shortcoming came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc”) that had been uploaded to VirusTotal from an IP address in Belarus.

          In a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file that triggers the exploit originated from a now-unreachable domain named “Xmlformats[.]com.” “A Rich Text Format file could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,” Huntress Labs’ John Hammond said.

          “Much like CVE-2021-40444, this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”

          Multiple Microsoft Office versions, including Office, Office 2016 and Office 2021, are said to be affected, and other versions are expected to be vulnerable as well.
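The external link described above lives in the document’s OOXML relationship parts, so a defender can triage suspicious Word files offline by listing relationships with TargetMode="External" and flagging OLE object links that point at a remote http(s) URL. The following is an added detection example, not code from the original article, Microsoft or nao_sec; the sample .docx it builds is constructed inline and contains no exploit content.

```python
"""Triage a .docx for remote external OLE links of the kind used to fetch the
HTML stage in CVE-2022-30190. Added example; not the article's own code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_targets(docx_bytes: bytes) -> list:
    """Return (relationship type, target) for every External-mode relationship
    found in any .rels part of the document package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((rtype, rel.get("Target", "")))
    return findings

def suspicious(findings) -> list:
    """Keep only oleObject relationships whose target is a remote http(s) URL;
    a legitimate embedded object is normally an internal part, not a URL."""
    return [t for rtype, t in findings
            if rtype == "oleObject" and re.match(r"https?://", t, re.I)]

def build_sample_docx(target: str) -> bytes:
    """Build a minimal .docx with a single external oleObject relationship.
    Constructed test input (hypothetical target), not the real malicious file."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_TYPE}" '
            f'Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    doc = build_sample_docx("http://example.invalid/page.html")
    print(suspicious(external_targets(doc)))
```

Run it over a quarantined file by replacing the constructed sample with `open(path, "rb").read()`; a non-empty result is a reason to detonate the document in a sandbox rather than open it, including in the Explorer preview pane.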

          If you need assistance defending your systems or wish to learn more about this incident, use the button below to speak to one of our cyber security consultants today.



            Microsoft Azure: Five Best Practices for Cloud Security

            Cloud security is a fundamentally new landscape for many companies. While many security principles remain the same as on-premises, the implementation is often very different. This overview provides a snapshot of five best practices for cloud security: identity and access management, security posture management, apps and data security, threat protection and network security.

            1. Strengthen access control

            Traditional security measures are not enough to defend against modern security attacks. Today’s best practice is to ‘assume breach’ and protect as though the attacker has breached the network perimeter. A Zero Trust approach that verifies and secures every identity, validates device health, enforces least-privilege access and captures and analyses telemetry is therefore a new security mandate.

            • Enforce Conditional Access policies
            • Institute multi-factor authentication
            • Ensure least privilege access

            2. Improve your security posture

            With the dynamic nature of the cloud and ever-growing landscape of workloads and other resources, it can be difficult to understand your company’s security state in the cloud. Make sure you have the tools you need to assess your current environments, identify risks and mitigate them.

            • Assess and strengthen your current posture
            • Educate stakeholders
            • Collaborate with your DevOps team on policies

            3. Secure apps and data

            Protect data, apps and infrastructure through a layered, defence-in-depth strategy across identity, data, hosts and networks.

            • Encryption
            • Follow security best practices
            • Share the responsibility

            4. Defend against threats

            Operational security posture – protect, detect and respond – should be informed by security intelligence to identify rapidly evolving threats early so you can respond quickly.

            • Enable detection for all resource types
            • Integrate threat intelligence
            • Modernise your security information and event management (SIEM)

            5. Protect the network

            The network security landscape is rapidly transforming. To keep pace with the changes, your security solutions must meet the challenges of the evolving threat landscape and make it more difficult for attackers to exploit networks.

            • Keep strong firewall protection
            • Enable distributed denial-of-service (DDoS) protection
            • Create a micro-segmented network

            Are you looking to strengthen the security of your cloud workloads? Contact us today.
