
Neu Cyber Threats – 15th June 2023


Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber-attacks, scams, frauds, and malware including Ransomware and DDoS, to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

Cisco Fixes AnyConnect Bug Giving Windows SYSTEM Privileges

Cisco recently addressed a high-severity flaw in its Cisco Secure Client software that could allow threat actors to escalate privileges to the SYSTEM account used by the operating system.

This vulnerability, tracked as CVE-2023-20178, has a high severity rating and can be exploited without user interaction, making it a significant security concern.

Which products are affected?

The affected products are Cisco AnyConnect Secure Mobility Client for Windows version 4.10 and earlier and Cisco Secure Client for Windows 5.0. It’s important to note that this specific vulnerability does not affect other platforms, such as Linux, macOS, Android, and iOS.

How can cybercriminals exploit the vulnerability?

According to Cisco, the vulnerability stems from improper permissions assigned to a temporary directory created during the upgrade process. An attacker could abuse a specific function of the Windows installer process to exploit this vulnerability.

As of now, there is no evidence of active exploitation of CVE-2023-20178. However, since the vulnerability has been publicly disclosed, threat actors will likely attempt to exploit it in the near future. Therefore, users must promptly update their software to fixed releases to mitigate potential attacks.

How has Cisco addressed this vulnerability?
</gre_replace>
<gr_replace lines="33-33" cat="clarify" orig="This vulnerability poses">
This vulnerability poses a significant risk to Windows users running affected versions of Cisco’s Secure Client software. Promptly applying the available updates is essential to maintaining the security and integrity of systems and preventing potential unauthorised privilege escalation attacks.

Cisco has addressed this vulnerability in Cisco AnyConnect Secure Mobility Client for Windows Software version 4.10MR7 and Cisco Secure Client for Windows Software version 5.0MR2. Users should ensure they update to these fixed releases as soon as possible to protect their systems from potential exploitation.

This vulnerability poses a significant risk to Windows users utilising affected Cisco’s Secure Client software versions. Promptly applying the available updates is essential to maintaining the security and integrity of systems and preventing potential unauthorised privilege escalation attacks.


Email Security Gateway Issue: Do you have this appliance?

A prominent email and network security company has announced a serious security issue. Do you have this appliance, and is your business affected?

A severe security issue involving Email Security Gateway

Barracuda has warned of a severe security issue involving its Email Security Gateway (ESG) appliances: customers whose ESG appliances were hacked in attacks targeting a now-patched zero-day vulnerability must replace them immediately, regardless of the patch version level.

Why the urgency for total replacement?

The urgency for replacement suggests that the nature of the compromise is severe and difficult to remediate. The exact reason for requiring a total replacement is not explicitly stated. However, it is speculated that custom malware may have been used, which could persist even after attempts to remove it remotely. Additionally, if the firmware of the impacted appliances was altered, traditional means of applying updates might not be possible. In such cases, replacing the affected products entirely would be the safer option.

Notably, the CVE-2023-2868 vulnerability had been exploited as a zero-day for approximately seven months before it was discovered and disclosed. Threat actors used this vulnerability to breach ESG appliances, install malware, and establish persistent access to compromised devices. They used malicious tools named Saltwater, SeaSpy, and SeaSide to backdoor the infected appliances, provide remote access, and steal data. The scale of this activity shows how severe the attack was.

The situation has been included in prominent Cybersecurity Reports

The severity of the situation is evident from the Cybersecurity and Infrastructure Security Agency (CISA) report, which included the CVE-2023-2868 vulnerability in its catalogue of exploited bugs, urging federal agencies with ESG appliances to check their networks for any signs of breaches.

To mitigate the risk, Barracuda has been actively reaching out to impacted customers through the ESG’s user interface and email, urging them to replace their devices immediately. The recommendation for full replacement indicates the urgency and the potential risks involved if the compromised appliances continue to be used.

Completely replace your Email Security Gateways

Ultimately, the report highlights that there is a critical security incident involving Barracuda’s ESG appliances. The compromised devices must be replaced immediately due to the severity of the compromise and the potential persistence of custom malware. The extensive exploitation and data theft period further emphasises the situation’s urgency.

Customers are advised to follow Barracuda’s remediation recommendation and contact support for assistance in replacing the impacted ESG appliances.


Don’t expose RDP to the internet!

Researchers using a Remote Desktop Protocol (RDP) honeypot have highlighted the risks associated with exposing RDP to the internet and the prevalence of brute-force attacks targeting RDP connections.

Researchers conducted an experiment using an RDP honeypot, which simulated a vulnerable RDP connection accessible from the public internet. The honeypot attracted approximately 37,000 attacks per day from various IP addresses. These attacks were primarily automated, with attackers attempting to gain access using brute-force methods to guess login credentials. Once successful, attackers would manually search for critical or sensitive files.

What were the statistics behind the cyber attack research?

Over three months, the researchers recorded close to 3.5 million login attempts on their RDP honeypot system, indicating the relentless nature of the attackers. The honeypot was attacked from over 1,500 IP addresses, a rate equivalent to 13 million login attempts a year.

The attackers primarily used automated brute-force techniques, focusing on the default username “Administrator” with length, language, and letter case variations. Some attackers also performed reconnaissance activities before attempting access. The researchers observed that specific odd usernames related to the honeypot system were targeted, suggesting that attackers gathered information about the victim before logging in.

What were the researchers analysing?

The researchers collected password hashes from the attacks and analysed them. The most common password strategy involved variations of the RDP certificate name, followed by variants of the word “password” and simple strings of up to ten digits. Notably, login attempts using the RDP certificate name came exclusively from IP addresses in China (98%) and Russia (2%), though this doesn’t necessarily indicate the attackers’ origin.

The attack patterns exhibited daily schedules, with attackers taking breaks. Activity chunks typically lasted from four to eight hours, suggesting human intervention. The attacks ceased during weekends, indicating a possible organised approach resembling regular office hours. The researchers noticed an eight-hour gap between episodes, potentially indicating attackers working in shifts.

How to mitigate these potential cyber attacks

To mitigate such attacks, it is crucial not to expose RDP to the internet and to change default passwords for any internet-facing devices. Multi-factor authentication (MFA) is highly recommended as it significantly enhances security. MFA can be combined with other techniques to require a second factor only under specific circumstances, such as suspicious login attempts from new browsers/devices, unusual locations, or known untrusted IP addresses.

The experiment also revealed that only a small percentage of attackers explored the honeypot for important files. Future research will monitor attackers’ movements by populating the server with fake corporate files.
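The brute-force pattern described above (automated bursts of failed logons, most of them aimed at variants of “Administrator”) is exactly what a defender can look for in Windows failed-logon events before deciding that a login attempt is suspicious enough to demand a second factor. The following is an added example written for this newsletter, not code from the researchers; the log lines are constructed, in a simplified form modelled on Event ID 4625, and the 5-failures-in-10-minutes threshold is an assumed starting point to tune per environment:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): "timestamp src_ip username logon_type", modelled
# on Windows Security Event ID 4625 failed logons; type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2023-06-10T09:00:01 198.51.100.7 Administrator 10
2023-06-10T09:00:02 198.51.100.7 administrator 10
2023-06-10T09:00:03 198.51.100.7 Administrador 10
2023-06-10T09:00:04 198.51.100.7 admin 10
2023-06-10T09:00:05 198.51.100.7 Administrateur 10
2023-06-10T09:30:00 203.0.113.9 jsmith 10
2023-06-10T17:15:00 198.51.100.7 password 10
2023-06-11T08:00:00 192.0.2.5 jsmith 2
"""

def parse(text):
    """Return (timestamp, src_ip, username) for each failed RDP logon line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "10":      # keep only RDP failures
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events

def admin_variant_share(events):
    """Fraction of failures aimed at 'Administrator' or its case/length/language variants."""
    hits = sum(1 for _, _, user in events if user.lower().startswith("admin"))
    return hits / len(events) if events else 0.0

def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """src_ip -> total failures, for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:           # slide the window forward
                start += 1
            if end - start + 1 >= threshold:           # burst detected: flag the source
                flagged[ip] = len(times)
                break
    return flagged
```

On the sample, the single automated source is flagged while the lone failure from a normal user is not; a flagged source is a natural trigger for the conditional MFA step described above.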


