nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

#CyberThreats

Cisco, Fortinet, VMware: Critical Security Flaws Exposed!

As of February 7th, 2024, three technology giants in the dynamic landscape of InfoSec: Cisco, Fortinet, and VMware, have recently unveiled critical security vulnerabilities in their systems. If left unaddressed these weaknesses could lead to a plethora of arbitrary actions, emphasizing the criticality of swift patching and timely updates. This security advisory will delve into the specifics of the disclosed vulnerabilities, their potential impacts, and the recommended steps to protect your digital defenses.

  1. Cisco Expressway Series: Cisco has identified three critical flaws, CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255, affecting the Expressway Series. With a CVSSv3 Score of 9.6, these pose a sizeable risk for exploit of cross-site request forgery (CSRF) attacks, potentially allowing unauthorized activity. Furthermore, CVE-2024-20255 could lead to a denial-of-service (DoS) condition. With no workarounds, organizations are urged to apply patches available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0 to mitigate these risks.
  2. Fortinet FortiSIEM Supervisor: Fortinet has released updates addressing bypasses for a previously disclosed critical flaw (CVE-2023-34992) in FortiSIEM Supervisor. The new variants, CVE-2024-23108 and CVE-2024-23109, may enable unauthenticated attackers to execute unauthorized commands through crafted API requests. With a score of 9.8 on the CVSSv3 System, Fortinet recommends updating to FortiSIEM versions 7.1.2 or above as soon as possible.
  3. VMware Aria Operations for Networks: VMware has disclosed five severity flaws ranging from 4.3 to 7.8 on CVSSv3 in Aria Operations for Networks, formerly known as vRealize Network Insight. These involve issues like local privilege escalation, cross-site scripting (XSS), and local file read vulnerabilities that could lead to unauthorized access to sensitive information. Users are strongly advised to upgrade to version 6.12.0, which VMware has detailed in a response matrix in the link above for ease of mitigation.

The acknowledgment of critical vulnerabilities by Cisco, Fortinet, and VMware underscores the relentless cat-and-mouse game between cybersecurity professionals and attackers. As history has shown, prompt patching is the first line of defense against potential exploits. Additionally, routine vulnerability scanning, managed SIEM, penetration testing, and device audits are the gold standard to building cybersecurity resilience.

Organizations are strongly encouraged to prioritize the implementation of the mentioned updates to bolster their cybersecurity posture. By staying vigilant and proactive, businesses can minimize the risk of falling victim to cyber threats and ensure the security and integrity of their digital infrastructure.

Your DNA on the Dark Web: The 23andMe Breach Unveiled

Introduction
In early October, a significant breach at genetic testing giant 23andMe compromised the personal data of 6.9 million users. This incident not only exposed sensitive genetic information but also highlighted the critical vulnerabilities that exist within digital security infrastructures.

The Breach
Hackers leveraged a credential stuffing attack, exploiting password reuse across platforms to gain unauthorized access. Initially, they penetrated 0.1% of user accounts, around 14,000 individuals. However, exploiting the DNA Relatives feature, they widened their impact, reaching an additional 5.5 million users. This feature, which connects users with potential relatives by analyzing shared DNA, became the unwitting conduit for a breach of staggering proportions.

The compromised data included display names, family tree profiles, birth years, self-reported locations, and detailed genetic information, including the percentage of DNA shared with potential relatives. Notably, the breach was first recognized when user information appeared for sale on the dark web, with claims that it included genetic profiles of specific ethnic groups and individuals from affluent regions in the U.S. and Western Europe.

Company Response and Consumer Impact
23andMe’s response to the breach has involved steps to reinforce account security, such as mandatory two-step verification and urging users to reset passwords. Despite the measures taken, the breach’s scale has raised questions about the security protocols in place and the company’s initial response. Cybersecurity experts highlight the human element in this breach, noting the common practice of password reuse. Ronnie Tokazowski, a digital scams researcher, emphasizes this behavior as a primary enabler of credential stuffing attacks.

Our Take: nGuard’s Perspective on Preventative Measures
As a leader in cybersecurity solutions, nGuard recognizes the 23andMe breach as a stark warning for stronger security protocols. We advocate for preemptive action through services like Web Application & API Penetration Testing, which could detect and mitigate such exploitable issues beforehand. Moreover, our Password Database Audit service is crucial, as it rigorously scrutinizes password storage and management systems, identifying vulnerabilities that could lead to devastating breaches. Alongside this, our Red Team Assessment delivers a simulated real-world attack scenario to uncover potential security flaws, potentially recognizing risks such as those exploited in the DNA Relatives feature.

Conclusion
The 23andMe breach is a sobering reminder of the ever-present threat landscape. At nGuard, we are committed to fortifying our clients’ defenses with our comprehensive cybersecurity services. We encourage all organizations to learn from this incident and take proactive steps to enhance their security posture.

CISA Alert: Unveiling Cyber Onslaughts on Critical Infrastructure

As the cyber landscape faces ever-growing cyber threats, critical infrastructure entities continue to be prime targets. This Security Advisory explores significant cyber incidents from breaches in U.S. water facilities to ransomware attacks on power generation and municipal water authorities. As these incidents unfold, the imperative for proactive cybersecurity measures becomes even more pronounced.

CISA Alert: Breach at U.S. Water Facility by Exploiting Unitronics PLCs

CISA’s alert revealed a concerning breach at a U.S. water facility, exposing vulnerabilities in Unitronics programmable logic controllers (PLCs). Despite quick action preventing harm to drinking water, the incident emphasizes the need for heightened security measures. Some of the highlights of the CISA Alert for system administrators are:

  • Change all default passwords on PLCs and HMIs and use a strong password.
  • Ensure the Unitronics PLC default password “1111” is not in use.
  • Require multifactor authentication for all remote access to the Operational Technology (OT) network, including from the IT network and external networks.
    • Implement a Firewall/VPN in front of the PLC to control network access to the remote PLC.
    • Use an allowlist of IPs for access.
  • If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC.
  • Update PLC/HMI to the latest version provided by Unitronics.

nGuard’s services, such as a comprehensive device configuration audit, play a crucial role in securing critical devices within your infrastructure. By meticulously evaluating your assets against established benchmarks and industry-leading security practices, we ensure the elimination of insecure default settings. This meticulous process ensures that your baseline configuration aligns seamlessly with the highest security standards, enhancing the overall resilience of your system.

Iranian Cyber Av3ngers: Municipal Water Authority Breach

Iranian threat actors, identified as Cyber Av3ngers, breached the Municipal Water Authority of Aliquippa in Pennsylvania on November 25th. They gained control of a booster station, though the Authority emphasized that this did not impact the facility’s operations, water supply, or drinking water. Matthew Mottes, the chairman of the board, attributed the attack to Cyber Av3ngers, noting its immediate detection. The Pro-Palestine group targeted a system by Unitronics, the devices discussed in the CISA Alert mentioned earlier, with the attackers claiming to have accessed several SCADA systems at Israeli water facilities as well. Despite these claims, no serious damage has been reported from the attacks on the targeted facilities.

The ability to detect and alert on attacks like these depends on having well-managed endpoint detection and a SIEM to collect logs and correlate the activity within your network so you can react when the time is right.

Cyberattack on North Texas Municipal Water District: Daixin Team at Play

The North Texas Municipal Water District faced a cyberattack that disrupted its operations, including its phone system. The Daixin Team claimed responsibility for the attack and reportedly stole over 33,000 files containing customer information from the water utility, which serves two million people across 13 cities in North Texas. While the business network has mostly been restored, the phone system remains affected. The core water, wastewater, and solid waste services to member cities and customers have not been impacted.

If your organization finds itself in a situation where incident response services are needed like the North Texas Municipal Water District, nGuard’s Cyber Security Incident Response service can jump in and help you triage.

Ransomware Strikes Slovenian Power Generation: HSE Under Attack

Slovenian power generation company Holding Slovenske Elektrarne (HSE) experienced a ransomware attack on November 22, compromising its systems without affecting power production. Control was regained, and the attack contained by November 24. The National Office for Cyber Incidents and the Ljubljana Police Administration were notified, and HSE collaborated with third-party experts to mitigate the attack’s effects and prevent the spread of malware to other critical infrastructure systems in Slovenia. The Rhysida ransomware gang is suspected, although no ransom demand has been made. The disruption is limited to the Šoštanj Thermal Power Plants and the Velenje Coal Mine websites, with HSE officials asserting control over the situation.

In the face of escalating cyber threats against critical infrastructure, the recent incidents in the U.S. and Slovenia underscore the critical need for robust cybersecurity measures. CISA does offer free vulnerability scanning for water utilities, but if your organization is seeking a deeper evaluation, nGuard’s comprehensive services, including vulnerability management, incident response, and strategic assessments, offer a proactive defense against emerging threats. The uphill battle for strong, defense-in-depth cybersecurity requires constant vigilance, and nGuard stands ready to assist organizations in safeguarding your infrastructure and digital assets.

Boeing Grapples with LockBit Gang

In a world where cyber threats loom large, even giants like Boeing are not immune to the relentless onslaught of ransomware attacks. Last week, Boeing confirmed that it had fallen victim to a ransomware attack orchestrated by the notorious LockBit gang. The repercussions of this attack are extensive and should serve as a wake-up call for corporations globally. In this advisory, we delve into the specifics of the Boeing incident and explore the broader implications of such attacks.

The Encounter

The aerospace behemoth Boeing, which plays a pivotal role in global aviation, made headlines on November 1st, when it officially disclosed that it was grappling with a “cyber incident.” Boeing spokesperson Jim Proulx confirmed that this breach had targeted specific aspects of the company’s parts and distribution business. Notably, Boeing stressed that the attack did not compromise flight safety, which is undoubtedly a relief to the aviation industry and passengers worldwide.

LockBit, a ransomware group with alleged ties to Russia, wasted no time in claiming responsibility for this audacious cyberattack on Boeing. This attack serves as another example of the growing boldness and sophistication of ransomware operators. The Cybersecurity & Infrastructure Security Agency has also voiced its concerns, with recent advisories revealing that LockBit has targeted nearly 1,800 victim systems across the United States and around the globe since late 2019.

The gang’s method was not limited to encrypting Boeing’s systems and demanding a ransom. In a since-deleted post, LockBit issued a chilling ultimatum: either meet their ransom demands by November 2, or face the publication of a substantial trove of sensitive data allegedly stolen from Boeing. The removal of this listing from LockBit’s website suggests ongoing negotiations, which is a common tactic employed by ransomware gangs to exert pressure on victims.

The Ethical Quandary and Immediate Fallout

The situation is further complicated by the fact that the U.S. government has previously sanctioned Evil Corp, believed to be an affiliate of the LockBit group. These sanctions make it illegal for any business or individual to pay the attackers, raising complex legal and ethical questions surrounding ransom payments.

Moreover, the implications of paying ransoms to these hacking groups and ransomware gangs go beyond just legality. It can potentially incentivize and finance their criminal activities, leading to a vicious cycle of attacks. In the wake of the recent ransomware attack against MGM Resorts International, Boeing made the swift decision to take down their Parts and Distribution site to ensure no further systems could be reached by malicious actors. This compromise to IT infrastructure caused an immediate halt in production and operations, sending shockwaves despite not fully disclosing the precise details of the breach, including the method of compromise or whether data exfiltration has occurred.

A Ticking Time Bomb

One of the most concerning aspects of this incident is the potential exfiltration of sensitive data. Boeing has not confirmed whether data was stolen or whether a ransom demand was received. Additionally, unverified claims of a zero-day exploit in one of Boeing’s networks may be the source of this breach. This leaves many unanswered questions about the extent of the incident and what sensitive information may be at risk. Boeing’s ordeal is clearly not an isolated incident but part of a broader trend of escalating ransomware attacks.

Given the rise of cyber threats, ensure your organization is implementing the following best practices:

  • Vulnerability Management: From production delays to the cost of restoring systems and potential fines, financial impacts can be crippling. Routine scanning of networks and systems through nGuard’s Vulnerability Management gives your organization the ability to remediate vulnerabilities before attackers discover and exploit them.
  • Patch Management: Performing regular patching and system backups ensures stability and boosts productivity across all endpoints, lowering risk and cost over time.
  • SIEM Solutions: With the constant threat of incoming cyberattacks, employing centralized SIEM services for correlating data and monitoring in real-time ensures your organization is maintaining appropriate logging and continuous event analysis.
  • Incident Response: The disruption of operations and supply chains can have ubiquitous impacts, including public safety. Partnering with nGuard will assist in implementing a robust and comprehensive incident response plan tailored to your environment to minimize damage and downtime.
  • Penetration Testing: Regularly assessing infrastructure and security controls promotes optimal performance. Identifying vulnerabilities and enacting the appropriate remediations hardens infrastructure and reduces the likelihood of future breaches.
  • Strategic Assessments: Threats and breaches underscore the pressing need for companies of all sizes to prioritize their cybersecurity measures. Through certified GRC services, nGuard identifies gaps in protecting assets and maintaining strong security controls across your entire organization.

Boeing’s recent encounter with LockBit serves as a striking reminder that no entity is too large or too fortified to be targeted by cybercriminals. Beyond the immediate operational disruptions, the attack has led to a loss of trust, increased costs, and ongoing legal and regulatory challenges. Boeing’s response to the attack will likely shape its long-term resilience against future cyber threats.

The implications of this attack reach far beyond the industry, highlighting the urgent call for all institutions to fortify their cyber defenses and take proactive measures to safeguard their digital assets. As the battle against ransomware rages on, this incident emphasizes the gravity of the cybersecurity challenges facing even the most prominent organizations.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later