Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A cyberattack on MGM Resorts has impacted some of its systems, including its website, online reservations, and in-casino services. The company stated that “MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems” and that it “took prompt action to protect our systems and data, including shutting down certain systems.” Some services, such as ATMs, have been switched to manual operation, while the website tells customers that it is currently unavailable and that they can make hotel reservations “at any of our destinations” over the phone. The nature of the attack and its technical details are yet to be publicly disclosed by MGM Resorts.
N-able’s Take Control Agent is a remote management tool used to troubleshoot and resolve device issues. A vulnerability in this software, tracked as CVE-2023-27470 with a CVSS score of 8.8, is a Time-of-Check to Time-of-Use (TOCTOU) race condition that could be exploited to delete arbitrary files on a Windows system. The race condition occurs between logging multiple file deletion events, and each delete action from a specific folder named "C:\ProgramData\GetSupportService_N-Central\PushUpdates." "To put it simply, while [Take Control Agent] logged the deletion of aaa.txt, an attacker could swiftly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system," Mandiant security researcher Andrew Oliveau said.
A threat actor tracked as Storm-0324 has been identified by security researchers at Microsoft as using Teams as a platform for phishing. “Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” researchers said. The threat actor has been seen sending links to malicious SharePoint-hosted files, as well as using TeamsPhisher, which can enable “Teams tenant users to attach files to messages sent to external tenants”, furthering their campaign. “These Teams-based phishing lures by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization,” Microsoft reported. Microsoft has also suspended accounts and tenants associated with fraudulent behaviour and has rolled out enhancements and restrictions to protect customers.
This week, we have seen an influx of phishing attacks targeting our customers and associated partners; what makes these attacks so interesting to us is the absence of a traditional link or attachment. Instead, these emails featured QR codes and attempted to bait the user into scanning the code with their mobile phone. This is the key difference that we have found makes quishing attacks so effective - their enhanced ability to evade detection from security measures. We have noticed Office 365 having difficulty spotting these emails due to the absence of a link or attachment to detect.
The attempts we have seen this week utilised the typical urgent approach, with requests such as:
“Please Scan the QR code below with your smartphone camera to view your account statement and balance.”
This may be a serious risk for parties who do not consider the security of corporate and BYOD mobile devices. Mobile device management and protection seems to be a point of weakness for a lot of businesses; with this new phishing method seemingly on the rise, we advise considering the risks that quishing may present to your organisation.
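As an added illustration (not Ironshare's tooling and not an Office 365 feature), the following triage heuristic flags the pattern described above: a message that carries an image and "scan the QR code" wording but no URL for a link scanner to inspect. The function names, regexes and sample messages are assumptions constructed for this example, and the image is not decoded, so a real deployment would add QR decoding on top.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://|www\.", re.I)
# "scan ... QR" or "QR ... scan" within a short window of text
LURE_RE = re.compile(r"\bscan\b.{0,80}\bqr\b|\bqr\b.{0,80}\bscan\b", re.I | re.S)

def quishing_signals(raw_email: str) -> dict:
    """Collect the signals that a link-only scanner would not combine."""
    msg = message_from_string(raw_email, policy=policy.default)
    texts, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1                      # inline or attached picture
        elif ctype in ("text/plain", "text/html"):
            texts.append(part.get_content())
    body = "\n".join(texts)
    return {"has_image": images > 0,
            "has_url": bool(URL_RE.search(body)),
            "qr_lure": bool(LURE_RE.search(body))}

def is_suspected_quishing(raw_email: str) -> bool:
    """Narrow heuristic: image + QR lure wording + nothing clickable."""
    s = quishing_signals(raw_email)
    return s["has_image"] and s["qr_lure"] and not s["has_url"]

def build_sample(subject: str, body: str) -> str:
    """Constructed test message: text body plus a placeholder PNG part."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                     subtype="png", filename="image.png")
    return m.as_string()

# Constructed samples: the lure text quoted above, and a benign newsletter.
QUISH = build_sample("Account statement",
    "Please Scan the QR code below with your smartphone camera "
    "to view your account statement and balance.")
NEWSLETTER = build_sample("September news",
    "Our latest newsletter is at https://example.com/news")

if __name__ == "__main__":
    for name, raw in (("quish", QUISH), ("newsletter", NEWSLETTER)):
        print(name, quishing_signals(raw), is_suspected_quishing(raw))
```

Messages flagged this way are candidates for manual review or quarantine rather than confirmed phishing, since legitimate mail can also contain QR codes.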
A critical zero-day vulnerability has been found affecting Google Chrome; this was discovered after being actively exploited in the wild and was quickly addressed in an emergency patch for Chrome 116. This zero-day has been labelled as a heap buffer overflow vulnerability in WebP, a compressed image format for use on the Web. Successful exploitation of this flaw could lead to the execution of arbitrary code on the target system.
All Google Chrome users are advised to update their browser to the latest version as soon as possible, to ensure they are protected against this flaw. More details on the nature of this vulnerability can be found here.
Welcome to our Round-Up of Microsoft’s Patch Tuesday for September! This month’s batch of security updates includes fixes for 61 total vulnerabilities, 5 of which are considered critical. With two vulnerabilities being actively exploited in the wild, we recommend consulting this round-up, and applying the latest updates to ensure you are protected.
More details on the key vulnerabilities addressed this month can be found here.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #251 – 15th September 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.