WME Security Briefing 27 April 2024

Critical Security Advisory | US Federal Agencies Ordered to Remove Suspect Foreign Software

Overview

• The latest guidelines from the US Cybersecurity and Infrastructure Security Agency (CISA) insist that federal agencies must identify and remove software products linked to foreign adversaries. The campaign homes in on software emanating from firms in countries seen as a national security danger.
• The listed types of software include network management and data services, which, despite being vital to federal operations, also have the potential to be backdoors for surveillance and data theft.

Impact

• Such software vulnerabilities in federal systems allow any stranger to have a free pass and thus engage in espionage. This would compromise the sensitive data the government holds, and thus, national and infrastructure security will be compromised.
• CISA assessed this as a high risk due to foreign entities’ impact on critical infrastructure and the wide range of uses within many federal departments.

Recommendation

• These federal agencies are encouraged to assess their current software inventory for the products developed by foreign entities listed in CISA.
• Any such products should be removed immediately and replaced, followed by a full audit of the network to ascertain that no remaining vulnerability exists.
• Other software solutions from reputable vendors that meet the latest domestic security standards are recommended to be used by CISA.

Security Alert: Arrest Warrant Issued for Suspected Cybercriminal in Germany

Overview

• German authorities arrested a suspect cybercriminal with participation in many assaults on critical infrastructures, following the search of his residence.
• The person, exploiting the vulnerabilities of the systems of public utilities, has caused great harm.
• This statement came after thorough investigations by the Federal Cyber Protection Agency of Germany.

Impact

• Interruptions in infrastructure: The majority of the subjects of the attack were public utilities with the main aim of causing temporary shutdowns and disorder, affecting public services.
• Data Breach: The personal data of thousands of citizens was compromised, bringing about huge concerns about privacy and security.
• Increased Alertness: The cases have led to beefed-up cyber security even in all other sectors that are prone to similar attacks.

Recommendation

• Enhanced Security Protocols: Organizations should enhance their cybersecurity defenses in areas that have previously been established as weaknesses.
• Regular System Audit: A systematic audit of IT systems to identify and recognize possible loopholes in security and get rid of them.
• Public awareness: Create awareness among the stakeholders and the public about the necessity of adopting security best practices.

Security Brief: APT28 Exploits Windows Print Spooler Vulnerability

Overview

A vulnerability has been found in the Windows Print Spooler service which is under attack by the notorious Russian cyber-espionage group APT28 (Fancy Bear). The vulnerability is active in the wild and has been used to compromise several high-profile targets across the globe actively. Microsoft has identified this vulnerability and released security updates that would help reduce the associated risk of exploitation.

Impact

• System Compromise: The exploit provides APT28 with unauthorized admin privileges, thereby allowing them to install malware, view, change, or delete data, and create new accounts with full user rights.
• Data Breach: The confidential data of the affected organizations, including the military and government, are at risk of being breached and manipulated.
• Operational disruption: Systems and services that are organizationally important may not be available, hence leading to operational and security breaches within the organization.

Recommendation

• All organizations using Windows systems for the Print Spooler service should immediately install provided patches by Microsoft.
• Increase the level of monitoring in system and network activities for earlier detections of any form of compromise.
• Conduct a review of system accesses and privileges and a security audit to ensure no unauthorized change was made during the vulnerability period.

Security Advisory: Detailed Breakdown of Newly Uncovered Windows Path Conversion Vulnerabilities

Overview

A new report from Israeli cybersecurity outfit SafeBreach details critical vulnerabilities in the Windows path conversion mechanism, first revealed just last week at the Black Hat Asia conference. The vulnerabilities arise during the conversion from DOS paths to NT paths, most often done by any number of functions throughout the Windows operating system.

Impact

Path Manipulation: As for the user, whenever a path is provided as an argument to any function they call, the system will translate DOS paths into NT paths. In the course of conversion, trailing dots in any part of the path element and trailing space in the last element are thrown away.

Security Implications: Such manipulations can serve as very good exploitation opportunities for malicious actors to break security mechanisms and lead to various kinds of unauthorized access or information disclosure.

Affected APIs: Most user-space APIs in Windows are affected, which means that a huge number of apps and services are affected.

Recommendation

• Patch and Update: Users are highly encouraged to apply the patches promptly (if any issued by Microsoft) that address the said vulnerabilities.
• Code review and testing are prime aspects for every developer and system administrator. For the affected API, it is crucial to test the application under every possible system exploitation scenario.
• Monitor and Audit: Continuous monitoring of unusual system behavior and regular audit of the system logs may be very helpful for early detection of potential exploits.

Microsoft Identifies North Korean Hacking Campaign Targeting Research Institutions

Overview

Microsoft is warning of a new sophisticated hacking campaign by North Korean-linked “Kimsuky” cyber-actors targeting global research institutions and think tanks. The spear-phishing and social engineering attacks campaign range from espionage to exfiltrating sensitive information across nuclear, defense, and human rights research organizations.

Impact

• Data Theft: The main motivation comes from exfiltration, in which data is transferred out of a computer system, stealing confidential research, and intellectual property.
• Targeted Organizations: Institutions in Policy Research and National Security, United States, Japan, and South Korea.
• The attacks are based on carefully crafted phishing emails pretending to be legitimate communications and usually use stolen credentials for initial access.

Recommendation

• Enhanced Vigilance: You must sensitize the staff on the risks of spear-phishing and, in the same spirit, discourage their inclination to open attachments and carelessly click on the links contained in the emails.
• Advanced Security Measures: Implement MFA, periodic password renewal, and tracking of network traffic.
• Incident Response Plan: Ensure that you have an effective incident response plan to react quickly to breaches or suspected malicious activities.

 Windows Management Experts

Now A Microsoft Solutions Partner for:

✓ Data & AI

✓ Digital and App Innovation

✓ Infrastructure

✓ Security

The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.

CTA: Know More

Why not reach out to us at WME?

Contact us and let us transform your business’s security into a strategic advantage for your business. Be sure, with WME, you’re just beginning a path toward a more streamlined and secure future.

Contact us: sales@winmgmtexperts.com