Cyber Round-up for 15th July
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Microsoft announced this week that a huge phishing campaign had been spotted. It appears the attacks have hit more than 10,000 organisations since its arrival in September 2021; reports suggest that these attacks involve “hijacking Office 365’s authentication process even on accounts secured with multi-factor authentication”. The method used in this campaign has been named adversary-in-the-middle (AiTM) and involves placing a proxy server between the victim and the targeted site so that credentials (and the session the site issues after the MFA step) pass through the attacker’s proxy.
There are a lot of details about this campaign, as well as an extensive list of indicators of compromise (IOC). We recommend consulting this list and checking for any sightings within your environments. The list of IOCs, as well as further details on this campaign, can be found here.
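To act on the recommendation above, the simplest check is to match the published indicators against your proxy, firewall or sign-in logs. The script below is an added example written for this round-up; it is not Microsoft’s or Ironshare’s code, and the domains, IP addresses and log lines in it are constructed placeholders (not entries from Microsoft’s IOC list), so replace `IOC_DOMAINS` and `IOC_IPS` with the real indicators before use.

```python
"""Scan key=value log lines for indicators of compromise (IOCs).

Added example; not Microsoft's or Ironshare's code. All IOC values and log
lines below are constructed placeholders, not real indicators.
"""
import ipaddress
import re

# Constructed placeholder IOCs (RFC 2606 / RFC 5737 reserved values), NOT real indicators.
IOC_DOMAINS = {"login-office365-example.test", "mfa-verify-example.test"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed sample proxy log lines in a simple key=value format.
SAMPLE_LOGS = [
    "2022-07-13T09:12:01Z user=alice dst=login.microsoftonline.com dst_ip=20.190.160.5 action=allow",
    "2022-07-13T09:14:22Z user=bob dst=login-office365-example.test dst_ip=203.0.113.45 action=allow",
    "2022-07-13T09:15:03Z user=carol dst=mail.example.com dst_ip=192.0.2.10 action=allow",
    "2022-07-13T09:16:40Z user=dave dst=cdn.mfa-verify-example.test dst_ip=198.51.100.7 action=allow",
]

# Matches "name=value" tokens; values run to the next whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")


def domain_matches(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_line(line, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return a list of (indicator_type, value) hits found in one log line."""
    fields = dict(KV_RE.findall(line))
    hits = []
    dst = fields.get("dst")
    if dst and domain_matches(dst, ioc_domains):
        hits.append(("domain", dst))
    dst_ip = fields.get("dst_ip")
    if dst_ip:
        try:
            # Normalise the textual form so "203.0.113.045" style variants still match.
            ip = str(ipaddress.ip_address(dst_ip))
        except ValueError:
            ip = None
        if ip in ioc_ips:
            hits.append(("ip", ip))
    return hits


def scan_logs(lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return {user: [(indicator_type, value), ...]} for every line with a hit."""
    results = {}
    for line in lines:
        hits = scan_line(line, ioc_domains, ioc_ips)
        if hits:
            user = dict(KV_RE.findall(line)).get("user", "?")
            results.setdefault(user, []).extend(hits)
    return results


if __name__ == "__main__":
    for user, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"{user}: {hits}")
```

Any user returned by `scan_logs` has contacted an indicator and is a candidate for session revocation and MFA re-registration; domain matching includes subdomains so a CDN or host prefix in front of a listed domain is not missed.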
Windows Autopatch is a new service that has been released by Microsoft to manage the updates of devices and virtual machines. This service offers more granular updates compared to the dedicated monthly updates currently in place, such as Patch Tuesday, which means devices and virtual machines are at a reduced risk of being exploited by new vulnerabilities. Access to this service requires either a Windows Enterprise E3 or E5 account, as well as enrolment in Azure AD and Microsoft Intune. Additionally, Microsoft has stated that this service won’t prevent glitches or bricking caused by bad patches.
Ransomware is still the largest online threat the UK faces, and it shows no sign of slowing down. Recent studies have shown that more and more businesses are paying ransoms to recover their data, which is contributing massively to the funding of future attacks. Over the last 5 years, cybercrime has cost UK businesses billions of pounds, and the NCSC and ICO are desperately trying to discourage the payment of these ransoms. In their statement on the matter, the two organisations said they believe ransom payments “further incentivise criminals”, while not guaranteeing the return of your data and files. Solicitors have been seen advising affected clients to pay the attackers, but we strongly encourage the opposite.
The NCSC & ICO’s official statement on the situation can be found here. This includes their appeal for assistance in spreading their beliefs regarding ransom payments, as well as additional details on the constant rise in ransomware attacks.
Disneyland Resort’s Instagram and Facebook accounts were under the control of a hacker last Thursday just after 12 pm. The spree of posts uploaded contained racist material, claimed the hacker was working on “Covid 20”, and told people to hide before he released the “new deadly virus”. All claims by the hacker are false and shouldn’t be trusted. A statement released by Disney said:
“Disneyland Resort’s Facebook and Instagram accounts were compromised early this morning. We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation.”
Axie Infinity is a video game where players collect and mint NFTs which represent axolotl-inspired digital pets known as Axies. The game uses Ethereum-based cryptocurrencies via the Ronin Bridge. The hack occurred in late March 2022: a senior engineer was deceived by hackers posing as a fake company offering the engineer a job. In the process, the engineer downloaded a fake offer document disguised as a PDF, which acted as trojan malware and gave the hackers access to internal systems. With this, the hackers were able to access the crypto wallet and transfer funds. The U.S. Treasury Department has implicated Lazarus Group, a hacker group with close relations to the North Korean state.
Vulnerabilities & Updates
Amazon has identified and patched a vulnerability in an Amazon Elastic Kubernetes Service plugin. The vulnerability relates to a plugin called IAM Authenticator, which authenticates users who are trying to access a Kubernetes cluster. Amazon stated that the vulnerability only occurred when the IAM Authenticator was configured to use the AccessKeyID template parameter. In that configuration, duplicate parameter names in the authentication request were accepted, which could be used to elevate privileges. All existing EKS clusters have been patched, and the new IAM Authenticator release carries the fix, so environments across Amazon Web Services, new or old, are secured.
You can find AWS’ official advisory for this vulnerability here.
If you are interested in the nature of this flaw and details of how it can be exploited, we recommend this writeup by Lightspin.
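The round-up states that the flaw hinged on duplicate parameter names in the request the authenticator validates. The checker below is an added example written for this round-up, not the aws-iam-authenticator project’s code: it applies the obvious defensive rule to a presigned STS URL of the kind such authenticators receive, rejecting any request in which a query parameter name appears more than once. Comparing names case-insensitively is an added strictness chosen here, not something the page states, and the URLs (including the `AKIAEXAMPLE` access key) are constructed samples.

```python
"""Reject presigned request URLs whose query string repeats a parameter name.

Added example; not the aws-iam-authenticator project's code. The URLs and the
access key below are constructed samples. Case-insensitive comparison of
parameter names is an assumption of this checker, not a fact from the page.
"""
from urllib.parse import parse_qsl, urlsplit

# Query parameters a presigned STS GetCallerIdentity URL must carry
# (subset used for this example).
REQUIRED_PARAMS = ("Action", "X-Amz-Credential", "X-Amz-Signature")

# Constructed sample: a well-formed presigned URL.
GOOD_URL = (
    "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20220713%2Fus-east-1%2Fsts%2Faws4_request"
    "&X-Amz-Date=20220713T091201Z&X-Amz-Expires=60"
    "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=0123abcd"
)

# Constructed sample: the same URL with the Action parameter repeated in a
# different case, which a strict parser should refuse.
BAD_URL = GOOD_URL + "&action=AssumeRole"


def find_duplicate_params(url):
    """Return the set of (lower-cased) parameter names that appear more than once."""
    counts = {}
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return {name for name, n in counts.items() if n > 1}


def missing_required_params(url, required=REQUIRED_PARAMS):
    """Return the required parameter names absent from the query string."""
    present = {name for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return [name for name in required if name not in present]


def validate_presigned_url(url, required=REQUIRED_PARAMS):
    """Return (ok, reason). ok is True only if every required parameter is
    present exactly once and no parameter name is repeated at all."""
    duplicates = find_duplicate_params(url)
    if duplicates:
        return False, "duplicate parameter(s): " + ", ".join(sorted(duplicates))
    missing = missing_required_params(url, required)
    if missing:
        return False, "missing parameter(s): " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    for label, url in (("good", GOOD_URL), ("bad", BAD_URL)):
        print(label, validate_presigned_url(url))
```

The important design point is that the check runs on the raw query string before any value is read: a parser that first lower-cases names into a dictionary and then looks values up would silently keep one of the two duplicates, which is the kind of ambiguity that lets an unsigned copy of a parameter win over the signed one.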
Microsoft’s Patch Tuesday for July has arrived and includes fixes for 84 total vulnerabilities. 4 of these are critical remote code execution flaws, with one actively exploited zero-day being patched as well. We recommend looking into our round-up of this month’s batch of Microsoft updates for any flaws affecting systems you may use. As always, we recommend applying the latest updates as soon as they are made available to ensure you are protected against known threats and vulnerabilities.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #197 – 15th July 2022
Ironshare – Security Simplified