Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
QNAP has addressed two critical vulnerabilities affecting the operating systems of their NAS devices. The first of these flaws, if exploited successfully, could allow a remote attacker to execute arbitrary code on the target device. The flaw is known to affect devices running QTS, QuTS hero, and QuTScloud, and is being tracked as CVE-2023-23368 (CVSS Score: 9.8).
Exploitation of the second vulnerability could also lead to remote code execution capabilities, and affects QTS, Multimedia Console, and the Media Streaming add-on. Tracked as CVE-2023-23369, this flaw has a CVSS score of 9.0.
We strongly urge all users of QNAP devices to apply the latest updates as soon as possible.
Veeam has released patches for four vulnerabilities, two of which are critical, that are currently affecting their Veeam ONE Software.
With a CVSS Score of 9.9, the first flaw could allow a remote attacker to execute arbitrary code. This vulnerability can be exploited by an unauthenticated attacker and is being tracked as CVE-2023-38547.
The second critical flaw allows a user with insufficient privileges to access and obtain the hashed password of the Veeam ONE Reporting Service. Sporting a CVSS Score of 9.8, this flaw is being tracked as CVE-2023-38548.
The third flaw allows an attacker to obtain an administrator’s access token, but requires both power-user privileges for the attacker, and interaction from the target admin. Because of these hard-to-meet requirements, CVE-2023-38549 is considered a medium-severity vulnerability.
Lastly, there is a minor flaw (CVE-2023-41723) that could allow read-only users to access Veeam ONE’s dashboard schedule; this was fixed in the latest patch.
As far as we know, these flaws have not been actively exploited in the wild, but patching should still be a priority. Hotfixes were released to address these four flaws for versions 11, 12, and 13. We advise all users to apply the latest updates as soon as possible.
Four zero-day vulnerabilities have been discovered in Microsoft Exchange; successful exploitation of these flaws could lead to remote code execution, or the theft of sensitive data. Trend Micro’s Zero Day Initiative originally reported these vulnerabilities to Microsoft in early September, but Microsoft engineers did not consider them serious enough to address immediately.
This week, two months after the initial discovery, Trend Micro decided to publicly disclose these zero-days with their own tracking IDs (ZDI-23-1578, ZDI-23-1579, ZDI-23-1580, ZDI-23-1581). Trend Micro’s team reportedly disagreed with Microsoft’s unwillingness to respond quickly and took action themselves.
All four of these vulnerabilities require authentication to exploit, which brings their CVSS scores down dramatically; this is likely why Microsoft chose to postpone fixes. We recommend consulting the ZDI advisories (linked above) for full details.
ChatGPT, the large language model-based chatbot developed by OpenAI, suffered intermittent outages late Wednesday due to “abnormal traffic” to the service. OpenAI reported that the service received an unusually high amount of traffic, which caused periodic outages for users and API integrations. While OpenAI hasn’t said that the traffic was part of a cyberattack on its systems, it has noted that the traffic bears signs of a DDoS attack, causing its systems to be overloaded with requests.
The NCSC has issued a public warning to internet users about “Enhanced” online scams in the run-up to Black Friday. The warning advises users to be vigilant due to the threat of AI-generated scams being used online, allowing cyber criminals to commit online fraud.
The use of AI to assist in scams is expected to increase and be present across emails, fake adverts, and bogus websites, all advertising Black Friday deals to victims. Last year, £10 million was lost to cyber criminals around Black Friday, and this is only expected to increase as AI generates more accurate and professional-looking content to dupe victims into giving away their financial details or downloading malware on an increasingly large scale.
Japan Aviation Electronics (JAE), a contractor for the Japanese defence sector, was attacked by the ransomware gang ALPHV, also known as BlackCat. JAE confirmed that a cyberattack had taken place as an external party accessed some systems without authorization.
“We are currently investigating the status of damage and restoring operations, but some systems have been suspended, and there have been some delays in sending and receiving emails,” JAE reported.
No information has been shared regarding the type of data that may have been accessed and JAE noted that there is no indication information was leaked.
And that’s it for this week’s round-up. Please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #258 – 10th November 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.