Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Cybersecurity researchers have discovered a flaw in a Microsoft application registered in Microsoft Entra ID that could allow an attacker to elevate their privileges. The exploit relies on an abandoned reply URL: a redirect URI that is still registered on the application but points at a domain the owner no longer controls. An attacker who takes over that domain can use it to “redirect authorization codes to themselves”. Once the codes have been exchanged for access tokens, the attacker can obtain elevated privileges by invoking the Power Platform API via a middle-tier service and altering the environment configurations.
The issue was responsibly disclosed to Microsoft back in April and a fix was issued almost immediately, so this particular flaw is no longer present. The wider lesson for any tenant is the same: a reply URL whose domain has lapsed is an open door, so app registrations should be audited for redirect URIs pointing at domains you no longer own.
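To make the abandoned-reply-URL problem concrete, here is a small added illustration (our own code for this round-up, not Microsoft’s or the researchers’). It assumes a constructed app registration with two reply URLs, a simulated domain-ownership table standing in for DNS, and a hypothetical app ID; none of these are real identifiers. The point it shows is that the authorization server’s exact-match check on redirect_uri is correct and still leaks the code, because the registered URL itself now resolves to an attacker. The last function is the defender-side audit that would have caught it.

```python
"""How an abandoned reply URL turns a correct redirect_uri check into an authorization-code leak.

Added illustration; not Microsoft's or Secureworks' code. Every identifier, domain and
code value below is constructed.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed app registration: the second reply URL points at a domain the app owner let lapse.
APP_REGISTRATION = {
    "app_id": "00000000-0000-0000-0000-00000000abcd",          # hypothetical
    "reply_urls": [
        "https://portal.example.com/auth/callback",
        "https://legacy.example-integration.net/callback",   # abandoned domain
    ],
}

# Simulated domain ownership today (constructed): the lapsed domain was re-registered by an attacker.
DOMAIN_OWNER = {
    "portal.example.com": "tenant",
    "legacy.example-integration.net": "attacker",
}


def authorize(app, redirect_uri, code):
    """Authorization endpoint after the user consents.

    redirect_uri must exactly match a registered reply URL, which is the right check.
    It does nothing about a registered URL whose host is no longer controlled by the app
    owner: the code is still sent wherever that host now resolves. An attacker only has to
    send the victim a sign-in link that names the abandoned URL as redirect_uri.
    """
    if redirect_uri not in app["reply_urls"]:
        raise ValueError("redirect_uri is not a registered reply URL")
    return redirect_uri + "?" + urlencode({"code": code})


def deliver(url):
    """Follow the redirect: return (who controls the host, the code that party now holds)."""
    parsed = urlparse(url)
    code = parse_qs(parsed.query)["code"][0]
    return DOMAIN_OWNER.get(parsed.hostname, "unknown"), code


def audit_reply_urls(app, owned_domains):
    """Defender check: registered reply URLs whose host is not a domain the owner still controls.

    Run it over every app registration in the tenant; each hit is a candidate for this abuse.
    """
    stale = []
    for url in app["reply_urls"]:
        host = urlparse(url).hostname
        if host is None or host not in owned_domains:
            stale.append(url)
    return stale


if __name__ == "__main__":
    victim_link_target = APP_REGISTRATION["reply_urls"][1]      # attacker picks the abandoned URL
    owner, code = deliver(authorize(APP_REGISTRATION, victim_link_target, "AUTHCODE-1"))
    print("code", code, "delivered to:", owner)
    print("stale reply URLs:", audit_reply_urls(APP_REGISTRATION, {"portal.example.com"}))
```

The audit takes the set of domains you actually own as input; in a real tenant that set comes from your registrar and DNS records, and the reply URLs from each application’s registration, which is the part worth scripting against the directory rather than checking by hand.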
Mom’s Meals is a popular meal delivery business that caters particularly to individuals with chronic health conditions. Earlier this week its parent company, PurFoods, announced that the business had suffered a data breach affecting more than 1.2 million customers. The latest report of the incident mentions both the encryption of sensitive files and unauthorised network access, which suggests the company suffered a ransomware attack in which user data was stolen and publicised.
While specific details of the attack have not been released, it was confirmed who is affected, and what data was compromised:
“Affected individuals include those who have received Mom’s Meals packages, including Medicare, Medicaid and self-paying members without an eligible health plan or who don’t qualify for government assistance.”
The stolen information includes customers’ names, Social Security numbers, payment card information, health information, and more.
While the origin of the attack is still unknown, it is possible it was related to the security consultancy Kroll, which has provided PurFoods’ credit-monitoring service for the last year. Kroll itself recently suffered a cyber attack, which could be related.
The National Cyber Security Centre has issued a warning to organisations regarding the use of large language models (LLMs) and AI chatbots, ChatGPT included. Many businesses are excited by the idea of implementing large language models into their work and are starting to integrate them into certain services. While this is an exciting prospect, it is vital to consider the potential risks that come with it. LLMs are still very new and there is a great deal we do not understand about them; if we do not yet understand their full capabilities, how can we understand their weaknesses and flaws?
Some issues that have been raised include chatbots saying “upsetting or embarrassing things”. While those are primarily a problem for a business’s reputation, the NCSC’s own guidance points to genuine security weaknesses such as prompt injection, and there are almost certainly further vulnerabilities that are yet to be discovered.
The NCSC is not opposed to the integration of large language models but advises any businesses who wish to do so to do their due diligence and ensure that they are implementing the technology safely and with minimal risk.
The FBI has taken down the QakBot botnet in its latest significant cybersecurity operation and was even able to remove the malware from infected machines.
Originally starting out as a banking trojan to steal credentials, QakBot grew into a malware delivery service used for ransomware attacks, data theft, and other malicious cyber activity. It was primarily spread through phishing emails and exploit kits before the FBI seized the attackers’ server infrastructure, effectively disrupting its operations. By accessing one of the QakBot administrators’ devices the FBI was able to capture the encryption keys used to communicate with the command-and-control servers and replace its “supernode” with one developed by law enforcement.
This allowed the FBI to distribute a custom DLL that uninstalled the malware from approximately 700,000 infected devices. "The shellcode unpacks a custom DLL (dynamic link library) executable that contains code that can cleanly terminate the running QakBot process on the host" reported SecureWorks.
No arrests were made as part of this operation, and although this is a big hit to QakBot’s operations it is unlikely to be the last we will hear from them.
A new attack technique that is being actively used in the wild has been reported by Japan’s Computer Emergency Response Team (JPCERT).
The technique, known as “MalDoc in PDF”, involves a malicious file that has the structure of a PDF but can also be opened by Microsoft Office as a .doc file, at which point it performs its malicious behaviour. Because the file carries a PDF structure, PDF analysis tools, sandboxes and antivirus software may treat it as a PDF and fail to detect the malicious contents inside.
JPCERT elaborated on this technique, stating that: “the MalDoc file is created by adding an mht file and macro to a "PDF" file object.”
According to JPCERT, malicious Word file analysis could be an effective countermeasure to this method, as it would detect the macro that PDF-only analysis misses.
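The following is an added triage check written for this round-up; it is not JPCERT’s tooling, and the indicator strings are this example’s own choices rather than any published rule. It treats the file the way both consumers do: it looks for the PDF header a PDF viewer keys on, then for the MHT and Word markers that Word keys on, and finally decodes the base64 MIME parts and looks for the ActiveMime container that holds a VBA project. The sample file is constructed inline from a minimal PDF and a hand-written Word MHT with a stand-in MSO blob; it is not a real malware sample.

```python
"""Triage check for a "MalDoc in PDF" polyglot: PDF on the outside, Word MHT with a macro inside.

Added illustration; not JPCERT's code. Indicator strings are this example's own choices and
the sample below is constructed, not a real sample.
"""
import base64

MHT_MARKERS = (b"MIME-Version:", b"multipart/related", b"Content-Location:")
WORD_MARKERS = (b"<w:WordDocument>", b"application/x-mso")
MACRO_MARKER = b"ActiveMime"   # header of the MSO container that carries a VBA project


def _decoded_base64_parts(data):
    """Decode every 'Content-Transfer-Encoding: base64' MIME part found in the blob."""
    parts, pos = [], 0
    while True:
        hdr = data.find(b"Content-Transfer-Encoding: base64", pos)
        if hdr < 0:
            break
        body_start = data.find(b"\n\n", hdr)       # blank line ends the part headers
        if body_start < 0:
            break
        body_start += 2
        body_end = data.find(b"\n--", body_start)  # next MIME boundary
        if body_end < 0:
            body_end = len(data)
        try:
            parts.append(base64.b64decode(data[body_start:body_end]))
        except ValueError:
            pass                                   # not valid base64; skip this part
        pos = body_end
    return parts


def analyse(data):
    """Return the indicators seen in `data` plus a combined verdict.

    A PDF viewer stops at the PDF structure; Word parses the same bytes as an MHT file.
    So we look for both at once and decode the MIME parts the way Word would.
    """
    norm = data.replace(b"\r\n", b"\n")
    result = {
        "pdf_magic": b"%PDF-" in norm[:1024],          # PDF header within the first 1 KiB
        "mht_markers": any(m in norm for m in MHT_MARKERS),
        "word_markers": any(m in norm for m in WORD_MARKERS),
        "macro_container": any(MACRO_MARKER in p for p in _decoded_base64_parts(norm)),
    }
    result["maldoc_in_pdf"] = bool(
        result["pdf_magic"] and result["mht_markers"]
        and (result["word_markers"] or result["macro_container"])
    )
    return result


# Constructed sample: a minimal well-formed PDF followed by a Word MHT whose second part is a
# base64 MSO blob. The MSO payload is a stand-in, not a real VBA project.
_MSO_STANDIN = b"ActiveMime\x00\x00" + b"\x00" * 20
CLEAN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
WORD_MHT = (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01"\n\n'
    b"------=_NextPart_01\n"
    b"Content-Location: file:///C:/doc.htm\n"
    b'Content-Type: text/html; charset="windows-1252"\n\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word"><head><xml>'
    b"<w:WordDocument></w:WordDocument></xml></head><body></body></html>\n"
    b"------=_NextPart_01\n"
    b"Content-Location: file:///C:/doc_files/editdata.mso\n"
    b"Content-Transfer-Encoding: base64\n"
    b"Content-Type: application/x-mso\n\n"
    + base64.encodebytes(_MSO_STANDIN)
    + b"------=_NextPart_01--\n"
)
MALDOC_SAMPLE = CLEAN_PDF + WORD_MHT

if __name__ == "__main__":
    for name, blob in (("clean pdf", CLEAN_PDF), ("maldoc in pdf", MALDOC_SAMPLE)):
        print(name, analyse(blob))
```

In practice the decoded MSO part is what you hand to a Word-macro analyser such as olevba; the check above only establishes that a file presented as a PDF also carries a Word MHT with a macro container, which is exactly the case a PDF-only pipeline lets through.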
Andy Jassy, Amazon's chief executive, has warned remote workers that they are expected to return to the office three days a week. The company put its “return to office” policy in place on 1st May, requiring employees to be in the office at least three days a week; this has forced some workers to relocate to other cities to comply, but many employees are still resisting the change.
Around 30,000 employees have petitioned the company to reconsider its stance on remote working.
“It’s easier to learn, model, practice, and strengthen our culture when we’re in the office together most of the time and surrounded by our colleagues. It’s especially true for new people, and we hired a lot of people in the pandemic,” Jassy stated in a post.
Failure to comply could see workers forced into a “voluntary resignation.”
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #249 – 1st September 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.