Daily Brief

Articles are listed below, each followed by its generated summary.

Total articles found: 12591

Checks for new stories every ~15 minutes

2023-10-10 20:04:03 bleepingcomputer MALWARE Microsoft Recommends Improved Patch for Exchange Server Bug
Microsoft's Exchange Team has urged administrators to deploy a new, more effective fix for a critical flaw in Exchange Server. The vulnerability, CVE-2023-21709, was first addressed in August 2023. It allowed attackers to elevate privileges on unpatched servers by brute-forcing account passwords, with no user interaction required. Although Microsoft shipped security updates in August, admins also had to remove the vulnerable Windows IIS Token Cache module manually (or run a PowerShell script to do so) to be fully protected against CVE-2023-21709 exploits. This month's update for CVE-2023-36434 fully resolves the underlying flaw with no additional steps, and Microsoft is now asking administrators to reinstall the IIS Token Cache module on their servers. Microsoft says it is updating the relevant documentation and scripts and changing the Exchange Health Checker tool to reflect the new guidance. Separately, Microsoft left a Skype for Business elevation-of-privilege vulnerability unpatched until this month's Patch Tuesday, even though it was reported in September 2022 and has since been exploited in attacks.
2023-10-10 18:17:12 theregister MALWARE Updated Mirai Botnet Threatens Linux-based Devices with New Exploits
The IZ1H9 variant of the Mirai botnet has received its first major update in months, with a significantly expanded arsenal of exploits. FortiGuard Labs researchers report that the campaign weaponises newly released exploit code quickly to infect devices and grow the botnet, with activity peaking in September. FortiGuard rated the activity "critical" because of the scale of the break-in attempts and the potential for remote control of Linux-based devices. The variant now exploits four D-Link vulnerabilities dating from 2015 to 2021, which makes it a threat even to devices that should long since have been patched. It has also added eleven vulnerabilities from 2021 covering Sunhillo SureLine software, Geutebruck video management products and Yealink Device Management systems. Although it has not repeated its headline-grabbing DDoS attacks of 2016, Mirai remains a significant threat, continuing to target and exploit Linux-based enterprise and IoT devices.
2023-10-10 17:51:28 bleepingcomputer CYBERCRIME Microsoft's October 2023 Patch Tuesday Addresses 104 Flaws Including Three Zero-Days
Microsoft has released its October 2023 Patch Tuesday updates, fixing 104 flaws, including three actively exploited zero-days. Although 45 remote code execution (RCE) bugs were addressed, only 12 vulnerabilities are rated critical, all of them RCE flaws. The count excludes a Chromium bug, CVE-2023-5346, that Google fixed on 3 October and that also affects Microsoft Edge. The first zero-day is a Skype for Business elevation-of-privilege flaw that can expose sensitive information, though an attacker cannot use it to modify data or restrict access to resources. The second is a WordPad flaw that lets an attacker steal NTLM hashes when a victim opens a crafted document. The third is 'HTTP/2 Rapid Reset', a new DDoS technique exploited in the wild since August; Microsoft's mitigation advisory includes instructions for disabling HTTP/2 on affected servers. HTTP/2 Rapid Reset was disclosed jointly by Microsoft, Cloudflare, Amazon and Google, and other vendors also released updates or advisories this Patch Tuesday.
2023-10-10 17:46:04 bleepingcomputer DATA BREACH Air Europa Suffers Data Breach; Urges Customers to Cancel Credit Cards
Spanish airline Air Europa has suffered a data breach exposing customers' credit card details, including card numbers, expiry dates and CVV codes, and has urged affected customers to cancel their cards to prevent fraud. The airline has not said how many customers are affected or when the breach occurred and was detected; a representative was not available for comment. Air Europa has notified the relevant authorities and entities (the AEPD, INCIBE, banks and others) and says its systems have been secured. Customers are warned not to give personal details or card PINs to anyone contacting them by phone or email, and not to click links in emails or messages warning of fraudulent operations on their cards. This is not Air Europa's first breach: in March 2021 Spain's data protection authority fined the company €600,000 for GDPR infringements and for late notification of a breach affecting around 489,000 individuals, in which the stolen card data of roughly 4,000 customers was used fraudulently.
2023-10-10 16:49:47 bleepingcomputer MALWARE Microsoft Plans to Phase Out Malware-Vulnerable VBScript in Future Windows Releases
Microsoft has announced plans to phase out VBScript, a scripting language long abused for malware distribution, from future versions of Windows. Introduced in 1996, VBScript has provided Active Scripting support in Windows for more than 25 years. Until it is removed entirely, VBScript will be available as a feature on demand so that organisations can keep using it while they plan for its absence. The deprecation most likely follows the earlier retirement of Internet Explorer, which bundled VBScript, and it closes a common malware delivery vector. Threat actors have used VBScript to distribute the Lokibot, Emotet, Qbot and DarkGate malware families, among others. The move continues Microsoft's efforts to curb malware delivery through Windows and Office, dating back to the extension of AMSI support to Office 365 applications in 2018 and continuing with disabling Excel 4.0 (XLM) macros, adding XLM macro runtime protection, blocking VBA macros in Office files downloaded from the internet by default, and blocking untrusted XLL add-ins.
2023-10-10 16:39:12 bleepingcomputer MALWARE Microsoft Phases out VBScript to Curb Malware Infections
Microsoft plans to deprecate VBScript, an ageing scripting language that has long served as a malware infection vector. VBScript will first become a feature on demand in Windows and will later be removed from the OS entirely, giving users time to transition. The decision follows Microsoft's retirement of Internet Explorer, which bundled VBScript, and closes a common infection path used to spread malware such as Lokibot, Emotet, Qbot and DarkGate. It is part of a broader strategy to counter malware campaigns that abuse Windows and Office features: Microsoft previously extended AMSI support to Office 365 applications, disabled Excel 4.0 macros, blocked VBA macros in Office files downloaded from the internet by default, and began blocking untrusted XLL add-ins by default.
2023-10-10 16:03:16 theregister MALWARE Remote Code Execution Vulnerability Found in GNOME-based Linux Distros
Researchers have disclosed a high-severity remote code execution (RCE) vulnerability in libcue, a cue-sheet parsing library used by GNOME-based Linux distributions such as Ubuntu, Fedora and Debian. Tracked as CVE-2023-43641, it enables a one-click attack: code execution is triggered when a file is downloaded into a directory monitored by tracker-miners, the GNOME indexer that relies on libcue. tracker-miners is a core component of GNOME desktops; it indexes files in the user's home directory so that they appear in search results, which means a malicious .cue file is parsed as soon as it is downloaded, with no further user action. The bug is a memory corruption flaw with a provisional CVSS score of 8.8 from GitHub. A full proof of concept has been withheld for now to give users time to install the patch. While developing the exploit, the researcher also stumbled on a previously unknown sandbox escape in tracker-miners, which has since been patched. Because most major distributions ship GNOME, the bug has broad reach, and the fixed libcue packages should be installed as soon as they are available.
2023-10-10 15:57:51 bleepingcomputer DATA BREACH Critical Flaws in Citrix NetScaler Products Expose Sensitive Data
A critical flaw in Citrix NetScaler ADC and NetScaler Gateway could allow disclosure of sensitive information from vulnerable appliances. Tracked as CVE-2023-4966 with a CVSS score of 9.4, it is remotely exploitable without high privileges or user interaction. A second flaw disclosed at the same time, CVE-2023-4967, is a high-severity denial-of-service issue. To be exploitable, an appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server. Citrix recommends upgrading to the fixed versions; no mitigations or workarounds are offered. Critical flaws in Citrix products are highly sought after by attackers because the devices front large organisations with valuable assets. In July 2023, a critical remote code execution flaw that Citrix fixed as a zero-day was exploited to plant backdoors and steal credentials.
2023-10-10 15:26:57 thehackernews DDOS Tech Giants Mitigate Record-Breaking DDoS Attacks Exploiting HTTP/2 Rapid Reset Vulnerability
Amazon Web Services (AWS), Cloudflare and Google detected and mitigated record-breaking distributed denial-of-service (DDoS) attacks in late August 2023 that exploited a previously unknown weakness in the HTTP/2 protocol, dubbed HTTP/2 Rapid Reset. Attacks on Google's cloud infrastructure peaked at 398 million requests per second (RPS), while AWS and Cloudflare saw peaks of 155 million and 201 million RPS respectively. Rapid Reset abuses HTTP/2 stream multiplexing: the client opens a stream with a request and immediately cancels it with an RST_STREAM frame, then repeats. The server has already started work on each request, but because cancelled streams no longer count towards the concurrent-stream limit, the flood never trips that configured threshold. Cloudflare observed that the technique let attackers overwhelm targets with a botnet of only about 20,000 machines. The weakness, tracked as CVE-2023-44487, affects the 35.6% of websites that use HTTP/2, which carries a large share of total web traffic. The companies urged organisations to take proactive protective measures; AWS's Mark Ryland warned that as awareness spreads among threat actors, the attack is likely to become trivial to carry out.
2023-10-10 14:35:44 theregister CYBERCRIME New Version of Curl Patching Two High Severity Security Flaws
A new version of curl, the ubiquitous data-transfer tool and library, is due on October 11 to address two high-severity flaws: CVE-2023-38545, which affects both libcurl and the curl command-line tool, and CVE-2023-38546, which affects only libcurl. The release, curl 8.4.0, involves no API or ABI changes and should slot in without much trouble. curl is a backbone of the internet and is claimed to be used by almost every internet user. Ax Sharma, a security researcher at Sonatype, says the flaws are not on the scale of the Log4j issue, but warns of Docker base images that are no longer receiving updates and may carry applications linked against a vulnerable libcurl. His advice: don't panic, install the patched packages as soon as they are available, and remember to keep the operating systems inside containers updated too.
2023-10-10 14:14:57 bleepingcomputer DDOS Unprecedented 'HTTP/2 Rapid Reset' DDoS attacks spotlighted by Amazon, Google and Cloudflare
A new DDoS technique dubbed 'HTTP/2 Rapid Reset' has been exploited in the wild since August 2023 and has set a new record for attack magnitude; Amazon Web Services, Cloudflare and Google disclosed it in a coordinated announcement. The scale is striking: Cloudflare mitigated attacks peaking at 201 million requests per second (rps), nearly three times its previous record of 71 million rps set earlier this year. The technique exploits a zero-day weakness in the HTTP/2 protocol (CVE-2023-44487), abusing the stream cancellation feature: each request is reset immediately after it is sent, so the server burns resources on requests that are never completed while the client never holds many streams open at once. Cloudflare countered with its 'IP Jail' system, built for hyper-volumetric attacks, and AWS says it mitigated the attacks without loss of customer availability. All three recommend using every available HTTP-flood protection and layered mitigation strategies to build resilience against Rapid Reset. Details of the vulnerability were withheld until now to give security vendors and other stakeholders time to develop countermeasures before public disclosure.
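The stream-accounting trick that the two Rapid Reset entries above describe, as an added example in Go that is not code from the original articles or from AWS, Cloudflare or Google: a connection is modelled as a sequence of HEADERS and RST_STREAM frames, one guard enforces only the concurrent-stream limit, and a second guard adds a per-connection reset budget of the kind the vendors' mitigations introduced. The two-frame subset of HTTP/2, the ConnGuard type and the budget of 200 resets are this example's own assumptions.

```go
package main

import "fmt"

// FrameType covers just the two HTTP/2 frame types the attack needs.
type FrameType int

const (
	FrameHeaders   FrameType = iota // opens a stream, i.e. starts a request
	FrameRSTStream                  // cancels a stream
)

// Frame is one frame on a connection; client-initiated streams use odd IDs.
type Frame struct {
	Type     FrameType
	StreamID uint32
}

// ConnGuard tracks one client connection. active is what the advertised
// SETTINGS_MAX_CONCURRENT_STREAMS limit is enforced against; resets counts
// RST_STREAM frames so that a peer which keeps opening and cancelling streams
// is cut off even though it never holds many streams open at once. The reset
// budget is this example's assumed mitigation, modelled on the approach the
// vendors' advisories describe, not any particular server's implementation.
type ConnGuard struct {
	MaxConcurrent, ResetBudget int
	active                     map[uint32]struct{}
	opened, resets             int
	closed                     bool
}

func NewConnGuard(maxConcurrent, resetBudget int) *ConnGuard {
	return &ConnGuard{MaxConcurrent: maxConcurrent, ResetBudget: resetBudget, active: map[uint32]struct{}{}}
}

// OnFrame applies one frame and returns false once the connection should be
// torn down. A real server has already dispatched the request handler by the
// time HEADERS is processed; that work is what the attacker gets for free.
func (g *ConnGuard) OnFrame(f Frame) bool {
	if g.closed {
		return false
	}
	switch f.Type {
	case FrameHeaders:
		if len(g.active) >= g.MaxConcurrent {
			g.closed = true // PROTOCOL_ERROR: concurrent-stream limit exceeded
			return false
		}
		g.active[f.StreamID] = struct{}{}
		g.opened++
	case FrameRSTStream:
		if _, open := g.active[f.StreamID]; open {
			delete(g.active, f.StreamID) // no longer counts as concurrent
			g.resets++
			if g.resets > g.ResetBudget {
				g.closed = true // ENHANCE_YOUR_CALM: too many cancellations
				return false
			}
		}
	}
	return true
}

// Active is the number of open streams; Opened is how many requests the
// server has had to start handling on this connection.
func (g *ConnGuard) Active() int { return len(g.active) }
func (g *ConnGuard) Opened() int { return g.opened }

// Summary describes the connection state for logging.
func (g *ConnGuard) Summary() string {
	return fmt.Sprintf("%d requests started, %d streams open, %d resets, closed=%v",
		g.opened, len(g.active), g.resets, g.closed)
}

// rapidResetAttack is the attacker's frame sequence: open a stream, cancel it
// at once, repeat n times.
func rapidResetAttack(n int) []Frame {
	frames := make([]Frame, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		frames = append(frames, Frame{FrameHeaders, id}, Frame{FrameRSTStream, id})
	}
	return frames
}

// run feeds frames to a guard and returns the index of the frame that closed
// the connection, or len(frames) if it stayed open.
func run(g *ConnGuard, frames []Frame) int {
	for i, f := range frames {
		if !g.OnFrame(f) {
			return i
		}
	}
	return len(frames)
}

func main() {
	attack := rapidResetAttack(10000)
	naive := NewConnGuard(100, 1<<30) // stream limit only; the budget is never reached
	fmt.Printf("stream limit only: accepted %d/%d frames; %s\n", run(naive, attack), len(attack), naive.Summary())
	guarded := NewConnGuard(100, 200)
	fmt.Printf("with reset budget: closed at frame %d; %s\n", run(guarded, attack), guarded.Summary())
}
```

Run stand-alone, it shows that with the stream limit alone all 20,000 frames are accepted and the server starts 10,000 requests while never seeing more than one stream open, whereas the reset budget closes the connection at frame 401. The budget only caps the damage from a single connection; volumetric protection still has to deal with the botnet as a whole.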
2023-10-10 14:04:27 bleepingcomputer MISCELLANEOUS A Comprehensive Guide to Cyber Risk Acceptance and Mitigation
Cybersecurity practices aim to protect systems, networks and data from a range of threats, which requires organisations to manage risk actively. 'Risk acceptance' is integral here, since resource constraints mean not every risk can be mitigated. Risk acceptance is the conscious identification and acceptance of vulnerabilities or threats judged tolerable in the company's operational context; the options range from accepting a risk permanently, accepting it temporarily, transferring it, or eliminating it immediately. Because the threat landscape changes constantly, risk acceptance decisions must be revisited regularly, and a data breach, a penetration test that uncovers serious vulnerabilities, or the introduction of new systems should trigger an immediate re-evaluation. The article recommends continuous penetration testing to give a real-time view of vulnerabilities and their potential consequences, supporting informed prioritisation and mitigation. It stresses agility in cyber risk assessment: reassessing and adapting as new information arrives, and acting proactively against potential threats.
2023-10-10 12:53:07 thehackernews CYBERCRIME Google Adopts FIDO Alliance-Backed Passkeys to Enhance User Account Security
Google has announced that passkeys, the passwordless standard developed by the FIDO Alliance, are now the default sign-in option for personal Google accounts. Users will be prompted to create a passkey at their next sign-in, and the 'skip password when possible' option in Google Account settings will be enabled. Passkeys replace usernames and passwords with public-key cryptography to authenticate users to websites and apps. Each passkey is unique and bound to the service it was created for, so users hold one passkey per account and a passkey registered with one site cannot be used to sign in to another. At login the server sends a random challenge to the client; the user confirms with biometrics or a PIN, the device signs the challenge with the private key, and authentication succeeds if the signed response verifies under the public key the server holds for that account. Besides removing the need to remember passwords, passkeys resist phishing and protect against account takeover attacks. Microsoft, eBay and Uber are among the other major platforms that have recently added passkey support.
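The challenge-and-response exchange described above, as an added example in Go that is not Google's or the FIDO Alliance's code: the authenticator and the relying party (the server) are both modelled in one program, and the server's verification shows where the phishing resistance comes from, since the browser-supplied origin and the hash of the site's identifier are part of what is signed. Assumptions: the credential uses Ed25519 (one of the signature algorithms passkeys support), registration has already happened, the biometric or PIN check is taken as done before signing, and example.com, examp1e.com and "alice" are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is serialised by the browser and signed by the authenticator; the
// browser (not the page) fills in origin, which is what defeats look-alike sites.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer to a sign-in challenge.
type Assertion struct {
	AuthenticatorData []byte // sha256(rpID) || flags || 32-bit signature counter
	ClientDataJSON    []byte
	Signature         []byte
}

// Authenticator stands in for the device that holds the private key.
type Authenticator struct {
	priv    ed25519.PrivateKey
	rpID    string
	counter uint32
}

func NewAuthenticator(rpID string) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv, rpID: rpID}, pub, err
}

// Sign answers a challenge from the page at origin; the biometric/PIN check is
// assumed to have already happened (that is what the UV flag asserts).
func (a *Authenticator) Sign(challenge []byte, origin string) Assertion {
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x05) // flags: UP (user present) | UV (user verified)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	authData = append(authData, ctr[:]...)
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	cdHash := sha256.Sum256(cd)
	return Assertion{authData, cd, ed25519.Sign(a.priv, append(append([]byte{}, authData...), cdHash[:]...))}
}

// RelyingParty is the server side: its own ID and origin plus each account's public key.
type RelyingParty struct {
	ID, Origin  string
	pubKeys     map[string]ed25519.PublicKey
	lastCounter map[string]uint32
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id, origin, map[string]ed25519.PublicKey{}, map[string]uint32{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge returns 32 random bytes; a real server binds the value to the
// session and discards it after one use.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify performs the server-side checks: challenge, origin, RP ID hash,
// signature counter, and finally the signature itself.
func (rp *RelyingParty) Verify(user string, challenge []byte, as Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("no passkey registered for user")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: possible phishing page", cd.Origin, rp.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("assertion was made for a different relying party")
	}
	counter := binary.BigEndian.Uint32(as.AuthenticatorData[33:37])
	if counter != 0 && counter <= rp.lastCounter[user] {
		return errors.New("signature counter did not increase: cloned credential?")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	if !ed25519.Verify(pub, append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...), as.Signature) {
		return errors.New("bad signature")
	}
	rp.lastCounter[user] = counter
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	auth, pub, err := NewAuthenticator(rp.ID)
	if err != nil {
		panic(err)
	}
	rp.Register("alice", pub)
	ch := rp.NewChallenge()
	fmt.Println("genuine login:  ", rp.Verify("alice", ch, auth.Sign(ch, rp.Origin)))
	ch2 := rp.NewChallenge()
	fmt.Println("phishing origin:", rp.Verify("alice", ch2, auth.Sign(ch2, "https://examp1e.com")))
	fmt.Println("stale challenge:", rp.Verify("alice", ch2, auth.Sign(ch, rp.Origin)))
}
```

In a real deployment the browser adds a layer this example omits: it refuses to use a credential whose RP ID does not match the page's domain, so the authenticator never signs for examp1e.com in the first place. The server-side origin check is the backstop, and the counter check catches a credential that has been copied to a second device.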
2023-10-10 12:05:14 theregister CYBERCRIME Ransomware Attack Speeds Increase, Dwell Time Reduced to Hours
Ransomware attackers have sharply cut the time between gaining an initial foothold in a victim's environment and deploying ransomware, doing so within 24 hours in almost two-thirds of cases, according to Secureworks. Median dwell time was 4.5 days in 2022 and 5.5 days the year before. The report attributes the drop partly to the industry's improved detection capabilities and partly to the popularity of the ransomware-as-a-service (RaaS) model. Dwell times varied in double-extortion cases, where data was exfiltrated before ransomware was deployed, but such events accounted for only 13% of ransomware incidents in the past year. Attacks are becoming less complex and more numerous, in part because RaaS lowers the barrier to entry for unskilled criminals. The leading initial access vectors were scan-and-exploit of vulnerable internet-facing systems and stolen credentials, behind 32% of initial intrusions in ransomware attacks over the past year; malware delivered by phishing email accounted for 14%. Secureworks noted that, despite the hype around AI-assisted attacks, most successful incidents came down to unpatched infrastructure and a lack of basic cyber hygiene.
2023-10-10 12:05:14 thehackernews CYBERCRIME Citrix NetScaler Vulnerability Exploited in Wide-Scale Credential Harvesting Campaign
A critical code injection vulnerability in Citrix NetScaler ADC and Gateway, CVE-2023-3519, is being exploited in a wide-scale credential harvesting campaign. The attackers use a specially crafted web request to drop a PHP web shell, then use it to append custom code to the appliance's login page. That code loads a remote JavaScript file which captures the username and password entered into the form and sends them to an attacker-controlled server. IBM X-Force identified more than 600 unique IP addresses hosting modified NetScaler Gateway login pages, most of them in the US and Europe. The campaign appears opportunistic, with the earliest login page modification dated August 11, 2023, and has not been attributed to a specific threat group. The report coincides with Fortinet FortiGuard Labs' discovery of an updated IZ1H9 Mirai-based DDoS campaign, which shows a similar ability to weaponise recent vulnerabilities quickly. To mitigate such threats, experts recommend applying patches promptly and changing default login credentials.
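A check for the login-page tampering described above, as an added example in Go (not IBM X-Force's tooling or Citrix code): it extracts every external script the page loads and flags those served from a host other than the appliance itself or an explicit allow list, which is how a defender would spot an appended tag that pulls a credential-stealing script from elsewhere. The sample page, its paths and its domains are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// scriptSrc matches the src attribute of <script> tags. A regexp is enough for
// an integrity check: an injected tag that dodges it would not load in a browser either.
var scriptSrc = regexp.MustCompile(`(?is)<script\b[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)`)

// ForeignScripts returns the script URLs on a page that are loaded from a host
// other than the page's own or one in allow. Relative and protocol-relative
// URLs are resolved against pageURL first, so "//evil.example/x.js" is caught.
func ForeignScripts(pageURL, html string, allow []string) ([]string, error) {
	base, err := url.Parse(pageURL)
	if err != nil {
		return nil, fmt.Errorf("page url: %w", err)
	}
	ok := map[string]bool{strings.ToLower(base.Host): true}
	for _, h := range allow {
		ok[strings.ToLower(h)] = true
	}
	var foreign []string
	for _, m := range scriptSrc.FindAllStringSubmatch(html, -1) {
		ref, err := url.Parse(m[1])
		if err != nil { // an unparsable src is itself worth a look
			foreign = append(foreign, m[1])
			continue
		}
		abs := base.ResolveReference(ref)
		if !ok[strings.ToLower(abs.Host)] {
			foreign = append(foreign, abs.String())
		}
	}
	return foreign, nil
}

// samplePage is a constructed stand-in for a Gateway-style login form: its own
// script is served from the appliance, and one appended tag loads a script
// from an outside host (placeholder domain), as the campaign's modified pages did.
const samplePage = `<html><body>
<form id="loginForm" method="post">
  <input name="login"><input name="passwd" type="password">
</form>
<script src="/vpn/js/login.js"></script>
<script type="text/javascript" src="https://cdn.example.net/collect.js"></script>
</body></html>`

func main() {
	found, err := ForeignScripts("https://gateway.example.com/vpn/index.html", samplePage, nil)
	if err != nil {
		panic(err)
	}
	for _, u := range found {
		fmt.Println("foreign script:", u)
	}
}
```

Feeding it the page served at each Gateway's login URL during a sweep gives a quick first pass over a fleet. It does not catch inline code, so a diff of the served page against a known-good copy from the same firmware version is the stronger check, and any hit should be followed by looking for the web shell itself on the appliance.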