Summertime, and the readin's easy! Welcome to the June edition of principia/RAID's Defrag, you Cybersecurity Heroes. The bad guys haven't clocked out on their family vacations just yet, so read on, Intrepid Security practitioners, and bask in the heat dome of the notable cybersecurity stories and happenings from the last month.
VULNS
Urgent Update Alert for All Windows Users
Microsoft has disclosed a critical Wi-Fi vulnerability in all supported versions of Windows, designated as CVE-2024-30078, with a severity score of 8.8. This flaw allows for remote code execution by an attacker within physical proximity to the targeted device, without any user interaction or prior authentication. The vulnerability poses a particular threat in environments with dense endpoint usage, such as hotels or trade shows, where it could be exploited discreetly. Microsoft and security experts are urging immediate patching for supported Windows versions and recommend upgrading or using endpoint detection for older, unsupported versions to mitigate risks associated with this severe security flaw.
Â
Â
Mailcow Mail Server Vulnerabilities Enable Remote Code Execution
Recent disclosures have identified two significant security vulnerabilities within the Mailcow open-source mail server suite, potentially allowing attackers to execute arbitrary code on affected systems. The vulnerabilities, found in all software versions prior to the 2024-04 release dated April 4, 2024, include a path traversal flaw (CVE-2024-30270) with a CVSS score of 6.7, which could enable attackers to overwrite files as the "www-data" user, and a cross-site scripting (XSS) issue (CVE-2024-31204) with a CVSS score of 6.8, stemming from unsanitized exception details. These vulnerabilities could be exploited together by a malicious actor to hijack admin sessions and perform unauthorized actions, or even inject harmful scripts via specially crafted emails viewed by an admin, without any direct interaction with the content of the email. Organizations utilizing Mailcow should hoof it to apply updates and review their security protocols to mitigate these risks.
Â
Don't get TunnelVisionÂ
Researchers from Leviathan Security Group have unveiled a significant vulnerability in the functioning of VPNs, named TunnelVision, which allows malicious actors to reroute encrypted VPN traffic through unsecured pathways. This vulnerability stems from exploiting DHCP option 121 to manipulate routing tables, enabling attackers to divert, read, or modify data intended to be secured by the VPN. Despite Android being immune due to its non-implementation of option 121, most other operating systems are susceptible, with limited mitigation options available. The disclosure of TunnelVision challenges the fundamental reliability of VPNs in safeguarding user data against interception on compromised or hostile networks.Â
INSIGHTS
No Org Too Small
Despite many small defense contractors believing themselves too insignificant to attract the attention of nation-state hackers, NSA officials stress that these businesses are indeed prime targets. At the RSA Conference, Bailey Bickley, chief of DIB defense at the NSA Cybersecurity Collaboration Center, highlighted the vulnerability of small contractors in the defense sector, which comprises 70% of the defense industrial base. These entities face the same cybersecurity threats as other small businesses, but often lack the necessary technical expertise and resources to effectively defend themselves. The NSA assists by providing free cybersecurity tools like DNS filters, threat intelligence sharing, and vulnerability scans to help mitigate risks. However, challenges remain, particularly with sophisticated threats like the Chinese hacking group Volt Typhoon, known for its persistent intrusions into American infrastructure. The NSA continues to seek new cybersecurity solutions that are affordable and easy to implement for these vulnerable components of national defense. Got questions? principia/RAID can help.Â
Â
Â
Six Data Breach Prevention Tips for CISOs
Data breaches targeting well-established enterprises like CDK Global, 23&Me, Okta, United Healthcare, and American Express highlights the concerning and continuing trend of compromises facilitated by inadvertent third-party access. As an example, the Okta incident, which impacted all of their customers was made possible because an employee used a personal Google profile on a company laptop. A compromise that particularly underscores the role of human elements in cybersecurity. A factor which is cited in 74% of breaches per the Verizon DBIR 2024. Venture beat made some strategic recommendations to reduce the risk from inadvertent insider threat:
Employ Remote Browser Isolation (RBI)
Implement Zero Trust Architecture
Enforce and Monitor IT Policies
Prepare Incident Response Plans
Strengthen Privileged Access Management (PAM)
Reinforce Endpoint Security
Â
Â
Taking It Personally?Â
As individual users continue to be caught in the cybersecurity crossfire, it's only a matter of time until you, intrepid reader, get that every security practitioner dreads:Â "Hey, I think I've been hacked". It's always difficult closing that barn door after the Cyber horses have been hacked, but here's some key actions from SlashGear that you can always recommend to protect personal accounts and online data:
Enable Multi-Factor Authentication: Adds an extra layer of security beyond just the password.
Use Strong, Unique Passwords: Employ a password manager to generate and store complex passwords.
Review Account Permissions: Regularly update or revoke permissions for linked services and apps.
Check Connected Devices: Ensure only your current devices have access to your accounts.
Install and Update Security Software: Use reliable anti-virus programs and keep your operating systems updated.
Be Wary of Suspicious Messages and Links: Don't click on unexpected links, even from known contacts, without verification.
Educate Close Contacts: Inform your family and friends about the breach to prevent further spread of the attack.
Change Passwords Immediately: Start with your primary email address as it is crucial for recovering other accounts.
And of course:
Monitor Financial Transactions: Check bank and credit card accounts for any unauthorized transactions.
These steps can help minimize the risk and the damage from a compromise and secure your accounts against future threats.
Â
Â
Â
Hello Internet...Are You There? It's Me.
Or, If a root DNS server fails and no-one knows why, can I still do the NYT Spelling Bee? For over four days in May, one of the Internet's thirteen crucial root DNS servers, maintained by Cogent Communications, experienced a synchronization failure with its peers, posing potential stability and security risks globally. This server plays a vital role in translating domain names into IP addresses—a fundamental process for internet functionality. The issue prevented this server from updating alongside others, disrupting the uniformity necessary for reliable internet operation and secure DNS practices. Engineers had to postpone scheduled DNSSEC key updates for .gov and .int domains due to the inconsistency across servers. Although minimal immediate disruptions occurred, the implications of prolonged discrepancies could lead to significant DNS security vulnerabilities. The problem, attributed to an "unrelated routing policy change" at Cogent, was rectified after it had impacted the root zone's data freshness for several days.
BREACHES
Time For Your Service Appointment Â
CDK Global, a software platform used by over 15000 car dealers to facilitate vehicle acquisitions, financial management and service department functions suffered a catastrophic compromise via a ransomware attack on June 19th. Details of the attack have yet to be disclosed. As a result, Dealers are left using paper and ink to continue day to day services. Over the weekend CDK advised that it does not expect to restore services before the end of the month. To add to the chaos, bad actors are now using offers of fake patches to phish individual dealerships. This event highlights the need to maintain and exercise disaster recovery and incident response plans. We often see clients try to avoid the sometimes difficult but critical task of identifying systems critical to the business. Or worse yet, try to take the position that every system is critical. Every CISO, vCISO and IT person stuck with CISO responsibilities (Guess what? Congratulations, you're the CISO) should take note and examine which systems are truly critical to the business during the next DR and IR review.  Â
Â
Each Breach is Unique as Snowflake ExploitedÂ
Google Cloud's cybersecurity team, Mandiant, has issued notifications to about 165 organizations potentially impacted by a cyber incident at Snowflake. This incident involved hackers exploiting stolen valid login credentials. Major companies like Advance Auto Parts and Ticketmaster are currently investigating potential breaches linked to their Snowflake accounts. The cybercriminal group UNC5537, identified by Mandiant, accessed these credentials via infostealer malware, some incidents dating back to 2020. Mandiant detected this suspicious activity on April 19 and promptly alerted Snowflake, with formal notifications to affected parties commencing on May 22. Vulnerabilities arose from lapses such as the absence of multifactor authentication, failure to refresh passwords post-breach, and inadequate access restrictions. Additionally, some breaches were exacerbated by contractors using personal devices for work. In response to this widespread security lapse, Snowflake's CEO announced plans to implement multifactor authentication by default for all accounts.
Â
Â
Jinkies! The Mystery of the Pumpkin EclipseÂ
In October 2023, Windstream customers reported widespread malfunctions of their routers, which displayed a persistent red light and were unresponsive to resets, an incident now identified as Pumpkin Eclipse. This mass disruption was caused by a deliberate malware attack, confirmed by a recent report from Lumen Technologies’ Black Lotus Labs. The malware, identified as Chalubo, was used to irreversibly overwrite the firmware of approximately 600,000 routers connected to a single ISP's network. A report released in May 2024 by Black Lotus Labs, provided these new insights into the incident, which has not yet been clarified by Windstream.Â
RECENT EVENTS
The CISO Initiative Summit June 5 and 6, Ft. Myers, FL.
As always, the CISO Initiative Summit held in Ft. Myers on June 5th  and 6th brought together an amazing gathering of cybersecurity leaders for a dynamic exchange of insights and strategies. This premier event featured keynote addresses from industry pioneers, thought leaders, and cybersecurity leaders from the US Government to discuss the latest trends, solutions and innovations in IT Security.
One of the outstanding takeaways of The CISO Summit is the invaluable networking, allowing CISOs to connect with peers and forge lasting partnerships aimed at tackling common challenges. Interactive panel discussions provided a platform for deep dives into regulatory compliance, incident response best practices, and the ethical implications of cybersecurity decisions. Through collaborative sessions participants shared insights on navigating the ever-evolving cybersecurity landscape effectively. The thing we enjoy most about these gatherings is the long-lasting relationships and community that are developed.
Â
It was so good to see old colleagues again and meet new attendees. The event would not have been possible without the Ring-Leading of Linda Herdt. And a huge thank you to the participants that brought such amazing content and drove the discussions: Rob Price, Craig Unger, Paul Quanrud, Jim Ballowe, Mark Mulzer, Chris Hallenbeck, Â
Â
 We’re already planning the next one, so stay tuned.
UPCOMING EVENTS
Cybersecurity Summit, Washington, DC, July 18
Â
FutureCon, Washington, DC, August 22
Â
HyperConnect, San Diego, September 16
Â
Â
Drop us a line if you're attending these, we'd love to see you in person.
School's out on this month's edition of principia/RAID's Defrag. Just like after the last song at the prom, you don't have to go home, but you can't stay here. And remember, every day in cybersecurity can turn out to be the longest day of the year, so take some time to get out there and enjoy the long days summer while we can. Until next time, be careful out there, you Cybersecurity Heroes! Â
principia/RAID Digital Security delivers information technology advisory and consulting services with a specific focus on vCISO services, information security and compliance management. We thrive on helping our clients reduce their cybersecurity risk and achieve compliance with their CMMC, NIST 800-171, NIST 800-53, DFARS, and SOC/ISO requirements.
Have questions? We can help you.
Comments