days until DORA is in effect on January 17, 2025. Download your cheat sheet here.
ECI Client Alerts
IN ADDITION TO THE ALERTS BELOW, ECI UTILIZES A MASS NOTIFICATION PLATFORM TO COMMUNICATE WITH CLIENTS REGULARLY.
October 2023: Advisory: Critical Vulnerabilities in Cisco IOS XE Software Web UI (CVE-2023-20198)
October 2023: Advisory: Critical Vulnerabilities in Cisco IOS XE Software Web UI (CVE-2023-20198)
Cisco has issued a warning to administrators regarding a critical security vulnerability in its IOS XE software, identified as CVE-2023-20198. This authentication bypass zero-day vulnerability poses a severe threat, allowing unauthenticated attackers to gain full administrator privileges and take remote control of affected routers and switches. The flaw affects devices with the Web User Interface (Web UI) feature enabled, coupled with the HTTP or HTTPS Server feature. Active exploitation of this vulnerability was discovered by Cisco, enabling attackers to create an account on the affected device with privilege level 15 access, granting them complete control and the potential for unauthorized activities. Cisco's investigation found evidence of malicious activity related to this vulnerability, starting from September 18 and intensifying in October, suggesting the involvement of a single actor in these activities.
Cisco advises the deactivation of HTTP(S) server features on systems exposed to the Internet. At ECI, this practice has been a longstanding standard applied consistently across our private cloud and client switches and routers. As an added precaution, we have reviewed all of our cloud switches and routers to verify the deactivation of the HTTP server. Our networking team is actively reviewing ECI-managed devices owned by our clients and will promptly deactivate the HTTP server functionality if detected. We will also be applying the necessary patches and hotfixes once they are made available by Cisco.
More details about this breach can be found at the links below:
Cisco warns of new IOS XE zero-day actively exploited in attacks (bleepingcomputer.com)
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
October 2023: Advisory: Security Advisory Regarding the Recent Okta Breach
October 2023: Advisory: Security Advisory Regarding the Recent Okta Breach
Okta, a company providing identity tools like multi-factor authentication and single sign-on to businesses, has experienced a security breach in its customer support unit. Hackers had access to Okta's support platform for at least two weeks before containment. The breach affected a small number of customers. The attackers used stolen credentials to access Okta's support case management system, potentially viewing sensitive files uploaded by certain customers. These files contained data like cookies and session tokens, which could be exploited for impersonation. Okta has been working with impacted customers, revoked session tokens, and recommended sanitizing credentials and tokens within files shared for troubleshooting.
We have received confirmation from Okta stating that none of the ECI tenants have been affected by this breach. Clients managing their own Okta tenants are strongly advised to contact Okta for confirmation. We will continue monitoring the situation and provide further updates if necessary.
More details about this breach can be found at the links below:
Hackers Stole Access Tokens from Okta’s Support Unit – Krebs on Security
Okta says hackers breached its support system and viewed customer files | Ars Technical
October 2023: Security Advisory Regarding ServiceNow Data Leakage
October 2023: Security Advisory Regarding ServiceNow Data Leakage
We have been informed of a potential data leakage issue involving the ServiceNow platform due to a security misconfiguration related to the "SimpleList" widget. If this widget is enabled for public access without the proper access control lists (ACLs) in place, it could potentially expose sensitive information about customers, including personally identifiable information (PII), internal documents, incident details, and more.
In response to this situation, we promptly reached out to ServiceNow and obtained detailed instructions for reviewing logs and identifying any such incidents on our platforms. We then manually conducted our own simulated attacks and compared the resulting log data with those obtained from our production instance. We are pleased to report that our investigation has confirmed that ECI's customer data has NOT been affected by this data leakage incident.
Please rest assured that we take data security very seriously, and we will continue to proactively monitor and address any potential security concerns to safeguard your information.
You can learn more about this threat through the following articles:
https://www.enumerated.ie/index/servicenow-data-exposure
https://cybernews.com/news/servicenow-leak-thousands-companies-risk/
October 2023: Zero-Day HTTP/2 Rapid Response Vulnerability (CVE-2023-44487)
October 2023: Zero-Day HTTP/2 Rapid Response Vulnerability (CVE-2023-44487)
ECI has been made aware of a novel zero-day Dynamic Denial of Service (DDos) attack, called “HTTP/2 Rapid Reset”, which exploits the stream multiplexing capabilities of HTTP/2 protocol to incapacitate target web servers. We are actively monitoring the situation and promptly implementing requisite patches as they become available from the respective vendors.
In addition, we have initiated the application of essential patches to our Citrix NetScaler ADC appliances that host our cloud services. For clients utilizing NetScaler appliances, your dedicated account teams will be in contact with you to facilitate the manual application of these patches. If you are operating self-managed web servers, we strongly advise vigilance in monitoring vendor announcements and prompt updating of your servers as needed.
Technical details can be found at the link(s) below:
HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA
How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack | Google Cloud Blog
HTTP/2 Rapid Reset: deconstructing the record-breaking attack (cloudflare.com)
June 2023: Security Advisory: Vulnerability in Microsoft Teams
June 2023: Security Advisory: Vulnerability in Microsoft Teams
ECI has been made aware of a vulnerability in Microsoft Teams that allows malicious third parties to deliver malware directly to an employee’s Teams inbox. This delivery method is particularly effective because most end-users are trained to focus their attention on malware delivered via email and other vectors, but not typically MS Teams.
The vulnerability exists due to a bug in the MS Teams client that allows the message to circumvent client-side protections. Microsoft is aware of the flaw but has thus far responded that "it does not meet the bar for immediate servicing." Unfortunately, the details of the bug are public, and the attack methodology is fairly trivial. Compounding the problem is that the MS Teams logging facilities around external messaging are weak, preventing SIEM from effectively detecting these attacks in their early stages. Modern XDR platforms like ECI XDR are still effective in detecting and preventing the attack after the initial payload.
Until Microsoft releases updated client software, the most effective solution is to change a global setting, preventing any external domains from communicating with your organization via Teams. Unfortunately, this would be disruptive to many customer workflows.
ECI recommends customers allowing communication only with specific external domains in a whitelist (maximum 3000 domains), please contact your ECI representative if you would like to implement this configuration.
Clients who would like to pursue this option should recognize that creation of the whitelist is not something that can be fully automated without customer engagement and review.
Technical details can be found at the link(s) below:
https://www.helpnetsecurity.com/2023/06/23/microsoft-teams-deliver-malware/
MARCH 2023: CRITICAL OUTLOOK VULNERABILITY (CVE-2023-23397) SOURCE: ECI
MARCH 2023: CRITICAL OUTLOOK VULNERABILITY (CVE-2023-23397) SOURCE: ECI
ECI has been made aware of a critical escalation of privilege vulnerability in Microsoft Outlook, CVE-2023-23397. The vulnerability allows an attacker to obtain the NTLM password hash of the target user by sending them a specially crafted email containing a UNC path to a SMB server controlled by the attacker.
- For customers using ECI Managed SIEM services, we already have detection rules in place to alert us on successful outbound SMB traffic to the internet. The SOC team will investigate such incidents on a case-by-case basis.
- For customer using ECI-managed Palo Alto Firewalls, we have policies in place to block such traffic to the internet.
- For all other customers, we are investigating different approaches to block outbound SMB traffic using alternative methods without causing service disruptions.
Technical details can be found at the link(s) below:
CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability
Critical Microsoft Outlook bug PoC shows how easy it is to exploit (bleepingcomputer.com)
FEBRUARY 2023: MULTIPLE MICROSOFT AND CITRIX VULNERABILITIES SOURCE: ECI
FEBRUARY 2023: MULTIPLE MICROSOFT AND CITRIX VULNERABILITIES SOURCE: ECI
ECI has been made aware of multiple security vulnerabilities in Microsoft and Citrix software products outlined below.
Citrix
- CVE-2023-24483: Improper privilege management flaw leading to privilege escalation to NT AUTHORITY\SYSTEM. Impacts Citrix Virtual Apps and Desktops before 2212, 2203 LTSR before CU2, and 1912 LTSR before CU6.
- CVE-2023-24484: Improper access control flaw allowing log files to be written to a directory that should be out of reach for regular users. Impacts Citrix Workspace App for Windows before 2212, 2203 LTSR before CU2, and 1912 LTSR before CU6.
- CVE-2023-24485: Improper access control flaw leading to privilege escalation. Impacts Citrix Workspace App for Windows before 2212, 2203 LTSR before CU2, and 1912 LTSR before CU6.
- CVE-2023-24486: Improper access control flaw leading to session takeover. Impacts Citrix Workspace App for Linux before 2302.
Microsoft
- CVE-2023-21823 - Windows Graphics Component Remote Code Execution Vulnerability allowing attackers to execute commands with SYSTEM privileges.
- CVE-2023-21715 - Microsoft Publisher Security Features Bypass Vulnerability allowing a specially crafted document to bypass Office macro policies that block untrusted or malicious files. Exploiting this flaw would effectively allow macros in a malicious Publisher document to run without first warning the user.
- CVE-2023-23376 - Windows Common Log File System Driver Elevation of Privilege Vulnerability allowing attackers to gain SYSTEM privileges upon exploitation.
We are actively monitoring the situation and reviewing uses of related software internally and at our customers. We are planning to apply updates and patches using our remote management and monitoring (RMM) toolset, or manually where necessary. You will be informed if any of the necessary changes impact your services.
Note that ECI employs a defence-in-depth approach to your security which provides layered protection across multiple attack vectors. Please stand by for further updates as we perform our investigation.
JANUARY 2023: MS DEFENDER DELETING SHORTCUTS SOURCE: ECI
JANUARY 2023: MS DEFENDER DELETING SHORTCUTS SOURCE: ECI
We have been noticing issues across a number of customers caused by a bug in the most recent definition update for Microsoft Defender for Endpoint. Based on the preliminary reports we have collected, the bug is causing application shortcuts for Microsoft Office and a number of other applications to be removed from desktop and start menu.
Microsoft has reverted the culprit Attack Surface Reductio (ASR) rule and we are remediating the problem for affected customers on a case-by-case basis until the vendor releases a working solution to restore the missing/malfunctioning shortcuts.
We will continue to monitor the situation and provide you with updates as they become available.
You can find more information about this incident here.
DECEMBER 2022: LASTPASS BREACH SOURCE: ECI
DECEMBER 2022: LASTPASS BREACH SOURCE: ECI
On December 22, 2022, LastPass notified their customers that an unauthorized party has gained access to their environment and stolen customers encrypted password vaults and unencrypted metadata such as website addresses. Below is the list of our recommendations based on the preliminary information currently available on this breach.
- We recommend all LastPass users to reset their master passwords immediately. The master password should not be used anywhere else.
- Despite the vendor’s assurances about the safely of the stolen vaults, we recommend that users err on the side of caution reset all passwords stored in LastPass, with higher priority given to critical accounts such as banking, e-mail, and social media. This is especially important for users who have used short or easy-to-remember master passwords for their vaults.
- Users who have been using MFA using software or hardware tokens are also recommended to follow the steps above. While using MFA greatly reduces the risk of breaches against online accounts, it does not protect you against offline attacks on password vaults.
- We are expecting to see an increase in the number of phishing attacks where the scammers attempt to take advantage of this incident and lure users to click on links in order to “update their passwords”.
- We recommend adding your accounts to a Dark Web monitoring service so you get notified if any of your credentials are leaked to the dark web. You can add your accounts on a free service such as haveibeenpwned.com, or leverage ECI Dark Web Monitoring service for better visibility into the content on the Dark Web for both corporate and personal accounts beyond just usernames and passwords.
- To further secure your LasttPass vault, consider increasing the number of iterations for your master password from the default 100,100 rounds to 310,000 rounds recommended by OWASP.
AUGUST 2022: ECI CYBERSECURITY ADVISORY - CVE-2022-30190 (DOGWALK) SOURCE: ECI
AUGUST 2022: ECI CYBERSECURITY ADVISORY - CVE-2022-30190 (DOGWALK) SOURCE: ECI
Summary
Microsoft has released a patch for a critical remote code execution vulnerability, CVE-2022-34713, a new variant of the DogWalk vulnerability that was detected and patched in May, 2022.
The vulnerability allows an attacker to run arbitrary commands on the target device by convincing the user to open a malicious file sent via e-mail or hosted on a website. The vulnerability does not require authentication on the victim's machine and is currently being actively exploited in the wild.
What has been done:
Execution Prevention – ECI Managed Cloud Services or ECI Managed Endpoint Protection
We have confirmed that all known variants of this attack can be detected and blocked by SentinelOne agents.
Detection – ECI Managed SIEM or ECI Cyber Bundle
Detection rules have been added to Eze Managed SIEM and the SOC will monitor for any suspicious activity
Patching – ECI Managed Cloud Services, ECI Patch Management, or ECI Cyber Bundle
The required software patches will be applied to all Windows workstation devices throughout this week, and on all Windows servers over the weekend (August 20-21).
Next Steps:
Customers who do not use any of the services above are highly recommended to manually update all Windows devices as soon as possible and implement the necessary detection rules on their EDR and SIEM platforms.
Customers also have the option to contact their account team and request to opt-out of this weekend’s emergency patch, deferring it to their regular patching schedule.
Please contact our global support desk or reach out to your Customer Success Manager by phone or email for any further questions. We will continue to provide you with more updates on this advisory.
FEBRUARY 2022: ECI RESPONSE TO THE CURRENT CYBERSECURITY THREATS SOURCE: ECI
FEBRUARY 2022: ECI RESPONSE TO THE CURRENT CYBERSECURITY THREATS SOURCE: ECI
With the escalation of conflict in the Ukraine, we want to give an update on what we are doing to protect businesses (yours and ours) from cybersecurity threats. We continue to monitor the threat landscape as we always do. Although we conduct scheduled risk assessments as part of our cyber program, we have initiated a Ukraine specific assessment using guidance provided by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) [cisa.gov].
Currently, most of the Russian attacks have been directed at the Ukraine. Specifically, the Ukraine has been hit with a data-wiper malware, making secure backups as important as ever. An important aspect of the Russia threat is that operations could be indirectly impacted by attacks on other organizations. Russia is known to launch attacks against banks and broad-based infrastructure like electricity, water, and transportation.
Endpoint Protection
Sentinel One, ECI’s EDR Partner, is continually monitoring threat intelligence for known and emerging malware due to the current situation. Our clients are protected against the “Hermetic Wiper” malware threat widely circulating in the Ukraine. ECI currently has over 12,000 protected endpoints under management.
SIEM
With over 600 detection rules in place, our Security Information and Event Monitoring platform is continually monitoring for IOCs (Indicators of Compromise) specific to this event and for other threats using the globally accepted MITRE Attack framework.
Our recommendations
ECI recommends applying updates to any known vulnerabilities so that patches are applied to reduce exposure.
Keep an out for any suspicious traffic that may be coming from outside the country to your organization
Keep an eye out for any suspicious emails and phishing activity within your organization
As always, ECI will be closely monitoring the situation and sharing information pertaining to any potential threats that it might pose. If you have any questions, please contact your ECI representative.
DECEMBER 2021: LOG4J ZERO-DAY VULNERABILITY SOURCE: ECI
DECEMBER 2021: LOG4J ZERO-DAY VULNERABILITY SOURCE: ECI
A critical vulnerability has been discovered in Apache Log4j 2, an open-source Java package used to enable logging in many popular applications, and it can be exploited to enable remote code execution on countless servers.
For more information concerning Log4j Zero-Day Vulnerability, please see details published here: https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit
SEPTEMBER 2021: APPLE’S EMERGENCY PATCH FOR 'FORCEDENTRY' (IMESSAGE FLAW, CVE-2021-30860) SOURCE: ECI
SEPTEMBER 2021: APPLE’S EMERGENCY PATCH FOR 'FORCEDENTRY' (IMESSAGE FLAW, CVE-2021-30860) SOURCE: ECI
On September 13, 2021, it was announced that A zero-click, zero-day exploit named ‘ForceEntry” has been discovered in Apple products (iPhone, iPad, Mac, and Apple Watch) which takes advantage of a flaw in iMessage that allow the push of the Pegasus spyware to devices. This allows for access to the target device, including personal data, photos, messages and location.
Recommended Action:
Apple has released emergency patches to address the zero-day flaw. ECI recommends immediately updating your Apple products to address this vulnerability.
References:
https://www.nytimes.com/2021/09/13/technology/apple-software-update-spyware-nso-group.html
https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
https://us-cert.cisa.gov/ncas/current-activity/2021/09/13/apple-releases-security-updates-address-cve-2021-30858-and-cve
JULY 2021: KASEYA VSA POTENTIAL ATTACK SOURCE: ECI
JULY 2021: KASEYA VSA POTENTIAL ATTACK SOURCE: ECI
Please be advised that we have been made aware of a potential attack against Kaseya (IT management software provider used by several MSPs), specifically affecting their on premise VSA solution.
You can get the latest updates from Kaseya following the link: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
JANUARY 28, 2021: APPLE IOS ALERT SOURCE: ECI
JANUARY 28, 2021: APPLE IOS ALERT SOURCE: ECI
Please note that Apple has released a new iOS 14.4 update which in addition to the features listed here also includes fixes for a number of known vulnerabilities. The security content of iOS 14.4 is described in this document here. One of the known vulnerabilities is a "WebKit" bug which is known to be actively exploited. This bug allows a remote attacker to cause arbitrary code execution.
Following this latest Apple release ECI recommends that you update your corporate and personal Apple iOS devices to iOS 14.4 version as soon as possible.
JANUARY 13, 2021: MIMECAST SECURITY ALERT SOURCE: ECI
JANUARY 13, 2021: MIMECAST SECURITY ALERT SOURCE: ECI
Eze Castle Integration has been made aware of a breach in the Mimecast platform as part of the SolarWinds fallout. We are actively monitoring the situation and will notify our customers of any known impact to their e-mail. At this time we know that ~10% of Mimecast customers were impacted and Mimecast has already reached out to them directly. We are in the process of evaluating to determine if and which of our clients use certificate-based e-mail for Microsoft365.
Customers that leverage Proofpoint do not appear to be affected by this breach.
Note that Eze Castle Integration employs a defence-in-depth approach to your security which provides layered protection across multiple attack vectors. Please stand by for further updates as we perform our investigation.
For additional information on the breach please see Mimecast’s response here.