On Tuesday, February 13, Microsoft released fixes for more than 70 security issues, including two flaws that are being actively exploited: an Internet Shortcut Files security feature bypass vulnerability (CVE-2024-21412) and a Windows SmartScreen security feature bypass vulnerability (CVE-2024-21351).
This set of patches notably includes another patch to prevent outbound SMB connections leaking NTLM hashes. One of them is already being exploited (and the trivial exploit has been shared widely). Can't wait for NTLM to go away. Also note that SMB will soon be available over QUIC, and you may see traffic on 445/UDP, not just TCP.
Those two flaws, CVE-2024-21412, Internet shortcut security bypass, CVSS score 8.1, and CVE-2024-21351, SmartScreen feature bypass, CVSS score 7.6, are not rated as critical, but as they are being actively attacked, you need to consider that they are. There are five critical flaws, one of which (CVE-2024-21410, CVSS score 9.8) is an Exchange Server pass-the-hash bug, which means you've got to jump on your Exchange servers again, unless you've migrated to a hosted option.
“Security feature bypass vulnerability” immediately brings to mind the “tollbooth in the desert” scene from the movie “Blazing Saddles,” which is now 50 years old, about 1 year older than Microsoft. That scene in “Blazing Saddles” should play a big role in Microsoft’s announced “Secure Future Initiative.”
The Register
SC Magazine
Dark Reading
Bleeping Computer
Bleeping Computer
Microsoft
Microsoft
According to a report from Dragos, Chinese state-sponsored cyberthreat actors accessed the emergency network in an unidentified US city. The group, which Dragos has identified as Voltzite, has also been detected conducting reconnaissance inside US electric utilities and electric transmission and distribution organizations in Africa.
Voltzite overlaps Volt Typhoon, so you're going to hear both names referring to these threat actors. They were targeting OT system access, which they didn't achieve, but did get GIS data which they may be able to use in future attacks. The attackers are exploiting vulnerable routers and gateways, using living off the land techniques for lateral movement, reinforcing the need to keep those devices updated. So far, the list of things compromised includes Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatPipe WARP, Ivanti Connect Secure VPN, and Cisco ASA. Odds are you have one or more of these in your shop; you may want to follow up on that.
Cyber is the fifth warfighting domain and as such, you can expect nation states to conduct operational planning in that domain which includes critical infrastructure. I acknowledge that much of the critical infrastructure is privately owned/operated but there must be an agreement with government to regularly test the state of cyber and physical security for each of these critical infrastructure sectors. More can and should be done.
In time of armed conflict the ability to interfere with emergency services might be valuable. While some of these services may use common software, in general they operate independently of one another. This makes it unlikely that a successful attack against any one service will lower the cost of attack against others.
Researchers from Germany’s National Research Center for Applied Cybersecurity ATHENE have found a critical vulnerability in the design of DNSSEC. Dubbed KeyTrap, the vulnerability means that “with just a single DNS packet hackers could stall all widely used DNS implementations and public DNS providers.”
A DoS vulnerability in these widely used resolvers is noteworthy and needs to be addressed quickly. BIND also published other patches this week. Maybe schedule a test in a week or so to check if your systems are still vulnerable, or if patching worked as expected.
The software, like BIND and Windows DNS, used for many DNS servers has always required frequent patching; the patches now out will mitigate the impact of this flaw until the standard can be updated to fully fix it. This flaw was built in decades ago and was only eventually found by a variant of “fuzzing” – trying many combinations of conditions. This really points out why no large piece of code is ever really fully safe, let alone never again requiring patching.
While the flaw appears severe, there is no evidence of this being exploited in the wild. CVE-2023-50387, CVSS score of 7.5, is remotely exploitable and when triggered causes extreme CPU usage by the DNSSEC validator. You can mitigate the vulnerability by disabling DNSSEC validation, but that isn't advisable. Instead, update to the latest version of BIND (9.16.48, 9.18.24 or 9.19.21).
PR Leap
Security Week
The Register
ISC
NVD
UK utility Southern Water has disclosed additional information about a cybersecurity incident that took place last month. Southern Water says that the perpetrators stole data belonging to between 5 and 10 percent of their customers. An unspecified amount of data belonging to current and former employees was also taken. The incident did not affect Southern Water’s operations.
Take a read of the notice from Southern Water and consider whether that is a sufficient amount of information for your customers were you in their shoes. Don't overlook the fact that they are working to be transparent and that they are taking steps to monitor for any added data dumps after the initial leak by the ransomware gang as well as notifying the affected customers (230,000 - 460,000 people). Make sure your response plan is hitting the same points they are.
Southern Water
The Register
Infosecurity Magazine
In a Form 8-K filing with the US Securities and Exchange Commission (SEC), Prudential Financial disclosed that beginning on February 4, a threat actor accessed their systems. The company detected the breach the following day. Prudential believes that the intruder accessed administrative and user data.
Good on Prudential for disclosing this in their filing, even though they do not believe it has or will cause material impact or affect customer data. More information on how the attack succeeded, once they have closed the holes, would be a good service to the world, as well.
Unfortunately, even a Fortune 500 company can fall victim to attack if they don’t have good cybersecurity processes in place. What’s interesting is the phrasing of the SEC form 8-K notification around material impact of the cyber incident – to date no material impact but we’re not quite sure if it will have a future material impact. Well played Prudential, well played.
We still need more experience with the SEC breach reporting requirement. However, if this incident proves to be typical, then we can expect defensive reporting, in which the enterprise reports any breach promptly without a determination of materiality.
German battery manufacturer Varta has disclosed that its systems were affected by a cyberattack on February 12. The incident has disrupted production and administrative processes at five of the company’s manufacturing plants. Varta makes batteries for the automotive, industrial, and consumer sectors.
Varta shut down their IT systems and disconnected from the Internet while they investigate the incident. This was according to their response plan; kudos to them for sticking to the plan. Even if the impact seems overly extreme, the time to adjust is in the post-mortem/lessons learned, not when the chips are down. If your response plans include broad shutdown or disconnect actions, make sure you've evaluated both the impact and the restoration/resynchronization processes.
Not a lot of details out yet in this one but a good reminder that if your company is in a very competitive industry (like batteries) it is the target of industrial and state-sponsored espionage and attack. Check those admin and remote access accounts for any not using phishing resistant authentication.
QNAP has released fixes for two vulnerabilities affecting its network-attached storage (NAS) devices. Both flaws are OS command injection vulnerabilities. One of the flaws (CVE-2023-50358) was disclosed in November 2023. There is some disagreement about the severity of that vulnerability.
Ransomware gangs have gone after these devices for years. I have been involved in scenarios where the person had their primary devices encrypted, and their backups on a Synology/QNAP/etc. NAS also get encrypted. Make sure you keep these patched.
As NAS devices continue to be a target, apply the update to a fixed version of the OS. You can check to see if your device is vulnerable by going to https://<NAS host>:<port>/cgi-bin/quick/quick.cgi. If you get a 404 error, you're not vulnerable; if you get an empty page, you need to update to the fixed version. Make sure you can't perform that check from the Internet.
QNAP
The Register
Unit 42
NVD
NVD
Rapid7
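The check described in the comment above, automated over a host inventory, as an added example (this is not code from QNAP, Unit 42, Rapid7 or the newsletter). It assumes the NAS web UI is reachable over HTTPS on the port you pass (443 is used as the default here; QNAP units are often on 443 or 8080/8443), disables certificate verification because NAS boxes commonly present self-signed certificates, and maps only the two documented responses (404 = patched, empty 200 = update needed); any other response is reported as unknown rather than guessed. Run it from inside the management network, never against an Internet-facing interface.

```python
"""Probe QNAP NAS devices for the quick.cgi response that indicates an unpatched QTS build.

Added example based on the check quoted in the newsletter: a 404 on quick.cgi means the
device is on a fixed version, an empty 200 page means it still needs updating.
"""
import ssl
import sys
import urllib.error
import urllib.request

QUICK_CGI_PATH = "/cgi-bin/quick/quick.cgi"


def classify(status, body):
    """Map an HTTP status and body to a verdict using only the two documented outcomes."""
    if status == 404:
        return "not_vulnerable"  # endpoint removed in the fixed firmware
    if status == 200 and body.strip() == b"":
        return "vulnerable"  # endpoint present and answering with an empty page
    return "unknown"  # login redirect, WAF page, etc.: do not guess, look at it by hand


def probe(host, port=443, timeout=5):
    """Fetch quick.cgi from one NAS and classify the answer.

    Certificate verification is disabled on purpose: the goal is to read the status code of a
    device that almost always has a self-signed certificate, not to trust its identity.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}{QUICK_CGI_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())  # 404 arrives here, not in the happy path
    except (urllib.error.URLError, OSError) as err:
        return f"error: {err}"  # unreachable, timeout, connection refused


def scan(hosts, port=443):
    """Probe every host in an inventory list and return {host: verdict}."""
    return {host: probe(host, port) for host in hosts}


if __name__ == "__main__":
    # Usage: python qnap_quickcgi_check.py nas1.corp.example 10.0.5.20 ...
    for nas, verdict in scan(sys.argv[1:]).items():
        print(f"{nas}: {verdict}")
```

Treat "unknown" as a prompt to look at the device, not as a pass: a reverse proxy or login redirect in front of the NAS will mask the real answer.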
Zoom has released fixes for seven vulnerabilities, including a critical improper input validation flaw that could lead to unauthenticated privilege elevation. The other patched vulnerabilities include additional improper input validation issues, an untrusted search path issue, a logic error, and an improper authentication issue.
I guess we should consider software like we do food: everyone knows not to put rodent parts/droppings into their food products, but it continues to happen. Failure to validate input into food is the same as failure to validate input in software – yucky stuff results. In the food market, costly recalls are often required. It is really time for making the cost of easily avoidable errors in software more expensive to the companies releasing the broken software.
The lead is CVE-2024-24691, improper input validation, CVSS score 9.6, affecting the Desktop, VDI, Rooms and Meeting SDK for Windows, but there are other flaws, such as CVE-2024-24699 and CVE-2024-24698, with cross-platform impacts. Make sure you're pushing updates to all your Zoom clients (Windows, Mobile, Mac and Linux).
Early in the Pandemic, as Zoom use soared, a number of security issues emerged. Zoom reacted promptly. This is Zoom being proactive.
US government officials have disrupted a botnet believed to have been used by Russian state-sponsored threat actors to launch spearphishing and credential theft attacks. The botnet's hundreds of small office/home office (SOHO) Ubiquiti EdgeOS routers were compromised through default admin passwords. The FBI recommends that owners and operators of compromised routers “perform a hardware factory reset to flush the file systems of malicious files; upgrade to the latest firmware version; change any default usernames and passwords; and implement strategic firewall rules to prevent the unwanted exposure of remote management services.”
Moobot is a Mirai variant operated by APT28 (Fancy Bear) which infected the devices via default credentials. I think I heard all of your eyerolls at default admin passwords. You may have missed that these routers also had their admin interfaces exposed to the Internet. The FBI, as part of the takedown, added firewall rules to the devices to block Internet access to the admin interface (as well as disinfecting them and monitoring for further access attempts). If your SOHO router admin interface is exposed to the Internet - regardless of brand - update to the latest firmware, factory reset it, change the default passwords and turn off Internet access to the admin interface.
The second such botnet takedown in the last few weeks by law enforcement. Botnets are typically used to conduct distributed denial-of-service attacks and are likely state sponsored. What’s disappointing is that the routers were compromised by simply using the default administrative password to gain access. A secure by design principle would have the device owner create a unique administrative password as part of the installation process.
Cyberscoop
Security Week
Bleeping Computer
Gov Infosecurity
The Record
Justice
Researchers at the Belgian university KU Leuven, working with Top10VPN, have discovered two authentication bypass vulnerabilities that weaken Wi-Fi security. The flaws affect wpa_supplicant (CVE-2023-52160) and Intel’s iNet Wireless Daemon (IWD) (CVE-2023-52161). The wpa_supplicant vulnerability is a PEAP phase-2 authentication bypass; the iNet Wireless Daemon vulnerability is a 4-way handshake bypass.
This is an interesting exploit path because this exploits WPA2 protocols that are used in enterprises (such as WPA2 PEAP w/ MS-CHAPv2). The vulnerability does not target PSK. It's an interesting set of bugs. We don’t see these often, and I’m unsure exactly what the patch is.
The IWD flaw, CVE-2023-52161, allows an attacker to skip messages 2 and 3 of the 4-way handshake, allowing the attacker to connect to the network without knowing the password. This is fixed in IWD version 2.12. Wpa_supplicant provides support for WPA, WPA2 and WPA3, and is present in all Android devices, ChromeOS and most Linux devices. CVE-2023-52160 is an enterprise network (certificate based) bypass flaw, which requires a configuration where the TLS certificate is not checked. That is user selectable. Wpa_supplicant version 2.11 will contain the needed patch. Google has released updates to ChromeOS 118 and AOSP, so Android users should have the fix soon. Linux systems are dependent on the update process for their distribution.
A very serious couple of vulnerabilities affecting a large swath of Android, Linux, and Chromebook devices. The attacker simply needs some proximity to the device and the SSID. The good news is that the vulnerability researchers have worked with Google in advance and a patch is available. However, affected Linux devices will need to download the patch from their Linux distribution.
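The "user selectable" configuration the comments above refer to is whether an EAP network block in wpa_supplicant.conf names a trust anchor (ca_cert or ca_path) and pins the RADIUS server's identity (domain_match, domain_suffix_match, altsubject_match or subject_match). Without those, the client will happily talk to an attacker's authentication server behind a rogue AP. The audit script below is an added example, not code from the KU Leuven/Top10VPN researchers, the wpa_supplicant project or the newsletter. It embeds a constructed wpa_supplicant.conf with one weak PEAP network, one hardened PEAP network and one PSK network (out of scope for this bug), parses the network blocks and reports EAP networks that lack either check. The option names are real wpa_supplicant.conf keys; the SSIDs, file paths and credentials are invented.

```python
"""Audit wpa_supplicant.conf for EAP networks that skip RADIUS server-certificate checks.

Added example: an EAP network with no CA anchor and no server-name match will accept an
attacker-controlled authentication server, which is the configuration the PEAP phase-2
bypass (CVE-2023-52160) depends on.
"""
import re

# Constructed sample config, NOT taken from any real deployment. SSIDs, paths and
# credentials are invented. Block 1 is weak, block 2 is hardened, block 3 is PSK.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomePSK"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

# Real wpa_supplicant.conf option names: which CA to trust, and which server name to expect.
CERT_ANCHOR_KEYS = ("ca_cert", "ca_path")
NAME_PIN_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

_BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_networks(conf_text):
    """Return one dict per network={...} block, with surrounding quotes stripped from values."""
    networks = []
    for block in _BLOCK_RE.finditer(conf_text):
        settings = {}
        for line in block.group(1).splitlines():
            if line.strip().startswith("#"):
                continue  # comment line
            match = _KV_RE.match(line)
            if match:
                key, value = match.groups()
                settings[key] = value.strip('"')
        networks.append(settings)
    return networks


def audit(networks):
    """Return (ssid, finding) pairs for EAP networks that would trust a rogue RADIUS server."""
    findings = []
    for net in networks:
        if "EAP" not in net.get("key_mgmt", "") and "eap" not in net:
            continue  # PSK/SAE networks are not affected by this bug
        ssid = net.get("ssid", "<no ssid>")
        if not any(k in net for k in CERT_ANCHOR_KEYS):
            findings.append((ssid, "no ca_cert/ca_path: the server certificate is never validated"))
        if not any(k in net for k in NAME_PIN_KEYS):
            findings.append((ssid, "no domain_match/altsubject_match: any cert from the CA is accepted"))
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python wpa_eap_audit.py /etc/wpa_supplicant/wpa_supplicant.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for ssid, finding in audit(parse_networks(text)):
        print(f"[WEAK] {ssid}: {finding}")
```

Fixing a flagged block means adding both settings, as in the hardened network above; the patched wpa_supplicant closes the phase-2 hole, but a client that accepts any server certificate is still exposed to ordinary evil-twin credential harvesting against MS-CHAPv2.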
Microsoft Patch Tuesday
https://isc.sans.edu/diary/Microsoft+February+2024+Patch+Tuesday/30646
Guest Diary: Learning by Doing: Iterative Adventure in Troubleshooting
Jennifer Walker: Detecting Rogue Ethernet Switches Using Layer 1 Techniques
https://www.sans.edu/cyber-research/detecting-rogue-ethernet-switches-using-layer-1-techniques/
USPS Anchors Snowballing Smishing Campaigns
Linux Issuing CVEs
http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/
AMD Patches
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7009.html
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
Analyzing Pulse Secure Firmware and Bypassing Integrity Checking
Snap Trap: The Hidden Dangers within Ubuntu's Package Suggestion System
https://www.aquasec.com/blog/snap-trap-the-hidden-dangers-within-ubuntus-package-suggestion-system/
The Risks of the Monikerlink Bug in Microsoft Outlook
DNSSEC DoS Vulnerability CVE-2023-50387
https://www.presseportal.de/pm/173495/5713546
Zoom Desktop Client Vuln
https://www.zoom.com/en/trust/security-bulletin
QNAP Vulnerability
https://www.qnap.com/de-de/security-advisory/qsa-23-57
https://unit42.paloaltonetworks.com/qnap-qts-firmware-cve-2023-50358/