Newsletters

Over the past three days—since our last newsletter edition—the situation around the latest zero-day attacks targeting Cisco IOS XE devices has drastically changed, and we feel the need to cover it in our featured section and provide a short summary of what has been going on.

Although these attacks have been taking place since at least September 28, news of this campaign came out last Monday, on October 16, when Cisco revealed the existence of a zero-day tracked as CVE-2023-20198 in the web administration panel of its IOS XE operating system.

The zero-day allowed threat actors to create an admin account with the highest level of privileges on devices that had their WebUI panel exposed on the internet.

Two ransomware gangs have had their dark web server infrastructure disrupted this week in two extremely different circumstances, with hacktivists wiping the servers of the Trigona gang and law enforcement seizing RagnarLocker's infrastructure a day later.

The first to fall was Trigona, a ransomware operation that began operations in June of last year.

In Facebook and Twitter posts, a group of pro-Ukrainian hacktivists named the Ukrainian Cyber Alliance said they hacked the backend servers supporting Trigona's operations.

CISA and NSA have published a joint advisory on the most common misconfigurations experienced in cases across federal and state governments, the defence industrial base and critical infrastructure operators.

You would expect to see well configured networks at these organisations, but the CISA/NSA advisory says these misconfigurations occurred even in networks with "mature cyber postures". The list is made up of 101-level problems:

The report describes these misconfigurations as "systemic weaknesses across many networks". Given that getting these settings right is 'basic cyber hygiene', these misconfigurations shouldn't exist in an organisation with a mature cyber posture.

A mysterious APT group has compromised secure USB drives used by an Asian country's government to safely store and physically transfer data between sensitive government systems.

Spotted by Kaspersky, the attacks took place in early 2023. While the security firm has not attributed the operation to any particular APT group or state, the campaign is extremely likely to be Chinese in origin. Chinese APT groups—such as Camaro Dragon, Temp.Hex, UNC4191, Mustang Panda, and Troppic Trooper—have used USB drives as a way to distribute malware across the APAC region for the past several years, and some of these campaigns have been recently seen in Africa and Europe as well.

But while previous campaigns targeted your run-of-the-mill USB thumb drives, Kaspersky says this campaign targeted "a specific type of a secure USB drive" used by that country's government agencies.

In the face of an escalating military conflict with Hamas and Hezbollah forces, the Israeli government has asked citizens to secure home security cameras or shut them down completely, fearing the devices could be hacked and used for espionage and intelligence collection.

In a memo on Friday, Israel's National Cyber Directorate has asked camera owners to change their passwords, enable two-factor authentication if present, and enable automatic security updates.

If camera owners can't change any of their settings, officials have urged owners to either cover camera lenses or shut down devices completely.

Microsoft has announced plans to disable support for the NTLM authentication protocol in a future version of Windows 11.

Even if Microsoft has not put out a hard cut-off date, this is good news regardless, as it sets the stage for the protocol to be removed after 30 years of use.

Short for New Technology LAN Manager, the protocol was introduced in 1993 with the release of Windows NT 3.1. It was the primary user authentication protocol until Windows 2000, when it was replaced by Kerberos.

It is hard to care about hacktivism when the news from Israel and Gaza is so bleak, but there has been a flurry of activity from both camps since the conflict erupted.

Cyber attacks reported so far include the DDoSing of both Israeli and Palestinian websites and the leaking of stolen documents and credentials from Israeli-related sites. While these actions generally made little difference to events on the ground, some attacks attempted to disrupt Israel's response to Hamas rocket attacks.

Per Wednesday's edition of Risky Business News:

Microsoft has deprecated VBScript, a powerful scripting language that has been part of the Windows operating system since 1998.

VBScript has been made a "Feature on Demand" (FoD), and Microsoft plans to remove it completely in a future version of Windows.

As a FoD, Microsoft says VBscript will be preinstalled on Windows OS images but not enabled by default.

The number of human-operated ransomware attacks has more than doubled over the past year, Microsoft said in its yearly Digital Defense Report.

The term "human-operated ransomware" refers to certain intrusions where the ransomware is deployed manually rather than using automated scripts.

During these intrusions, one or more members of the ransomware group manually connect to a breached network and run commands in a terminal to make sure scripts execute with the proper parameters, data is exfiltrated without errors, and files are encrypted correctly.

A group of more than 50 tech experts and organizations have signed an open letter asking EU officials to rethink Article 11 of the upcoming EU Cyber Resilience Act.

The article introduces a mandatory requirement for all software vendors to disclose vulnerabilities to the ENISA, the EU's cybersecurity agency, within 24 hours of becoming aware of in-the-wild exploitation. ENISA will then relay this information to national CSIRT teams and stock market watchdogs across its member states.

The open letter's signatories argue that the CRA's Article 11—in its current form, at least—greatly expands the number of organizations that will have first-hand and real-time immediate knowledge of actively exploited vulnerabilities, which, in turn, increases the risks to product vendors, their customers, and the general public.