Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Meta has started to roll out end-to-end encryption for personal calls and messages in its Messenger app. Messenger has offered “secret conversations”, an opt-in chat option with end-to-end encryption, since 2016. Mark Zuckerberg, who announced a "privacy-focused vision for social networking" in 2019, reported a redesign of the platform to provide better privacy for its users. After years of work, Meta has "rebuilt the app from the ground up, in close consultation with privacy and safety experts," as shared by Loredana Crisan in a post on X. Encryption will be enabled by default for all users and will not require any action on their part to turn on.
Four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira and Bitbucket servers, as well as the Atlassian Companion app for macOS, have been addressed. All four received a CVSS score of at least 9.0 out of 10.0 based on Atlassian's internal assessment. The RCE CVEs patched were:
• CVE-2023-22522: Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page.
• CVE-2023-22523: Allows an attacker to perform privileged RCE on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application and the Assets Discovery agent.
• CVE-2023-22524: An attacker could use WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper, allowing the execution of code.
• CVE-2022-1471: RCE in SnakeYAML library impacting multiple versions of Jira, Bitbucket, and Confluence products.
We advise all users of the affected Atlassian products to apply the latest updates as soon as possible.
CVE-2023-45866 is a Bluetooth authentication bypass vulnerability that allows attackers to connect to Apple, Android, and Linux devices and inject keystrokes to run arbitrary commands, according to Marc Newlin, a software engineer at drone technology firm SkySafe who found the flaw. Exploitation does not require any special hardware; the attack can be carried out from a Linux machine using a regular Bluetooth adapter, Newlin says. Google reported: "Fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently supported Pixel devices will receive this fix via December OTA updates." Linux distros including Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine remain vulnerable. The vulnerability also affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable phone or computer.
Nissan’s Oceania division is currently dealing with heavy business impact believed to have been caused by a cyberattack. Investigations are underway and, while not much is known about the incident, it has been confirmed that the company’s operations in New Zealand and Australia have been affected.
Nissan are providing their customers with updates via their website, and are looking to restore their systems as soon as possible; the latest update stated:
“Nissan is working with its global incident response team and relevant stakeholders to investigate the extent of the incident and whether any personal information has been accessed.”
If there are any signs of sensitive information being compromised, we will provide updates here.
The NCSC has today announced the launch of a new scheme dedicated to helping organisations practise and understand their own cyber incident response plans. The Director of Operations at the NCSC believes that:
“the first time you try out your cyber incident response plan shouldn’t be on the day you are attacked. So, if you do only one thing on a regular basis, incident exercising should be it.”
This philosophy has led to the creation of the scheme, which aims to give companies the opportunity to engage in both table-top and live-play exercises to test and practise their IR plans. The Cyber Incident Exercising scheme will be delivered by those on the NCSC’s list of ‘Assured Service Providers’, which can be found here.
This is an amazing idea that gives UK businesses an opportunity to be more in touch with their security culture and better understand their own processes.
Microsoft has announced the appointment of Igor Tsyganskiy as its new CISO, after moving his predecessor into an advisory role. Bret Arsenault has served as Chief Information Security Officer for the last 14 years, which makes his sudden replacement a surprise to many.
Microsoft’s Executive Vice President, Charlie Bell, has vouched for Tsyganskiy, labelling him as a “technologist and dynamic leader with a storied career in high-scale/high-security, demanding environments.”
We are hoping that these changes will benefit the company and help with the delivery of their new ‘Secure Future Initiative’. The changes promised by this initiative are much needed after the mess faced in 2023, and Microsoft seem hopeful that Tsyganskiy is the man to guide them through these improvements.
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #261 – 8th December 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.