A recent information disclosure by Microsoft revealed there is a remote code execution vulneability in the SMB3 services (client and server). This vulnerability could be leveraged in a simmilar manner to MSBLASTER/NACHI/WannaCry etc.
This is a CRITICAL vulnerability, yet currently there are no reports of this being exploite in the wild (epect that the change in the near future)
Read more “KB4551762 (CVE-2020-0796)”
Internet facing exposed RDP services with a weak securiy configuraiton are never a good idea. In our latest video Matthew Haynes and Daniel Card take a look at the RDP threat lanscape and then following up with a lab demo of a simple RDP brute force attack.
You can see the video here on our youtube channel! Remember to like and subscribe! Stay safe!
When a post starts like this:
“On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. In our previous blog post on this topic we warned that the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” – https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/
“Microsoft is confident that an exploit exists for this vulnerability” Read more “CVE-2019-0708 – BlueKeep”
So, you have deployed Office 365, you’ve setup multi-factor authentication and deployed password managers so that your users can safely use MFA where it is supported but fall back to app passwords where it’s not. Great stuff… except by default you aren’t quite as secure as you would think!
Default Office365/Exchange Online Config
Now this is great for HTTP based communication methods. but email isn’t restricted to HTTP only. When we investigate the default deployment configuration we see that IMAP and POP3 are both enabled. The below screenshot shows the default mailbox feature configuration:
Now as we know, both IMAP and POP3 do not support a second or multi-factor authentication by default, so in the GUI you should disable those (unless you have a really specific business reason that means you MUST use these) Read more “Defending Office 365 against MFA bypass using IMAP”
Well with the year winding down you’ve probably seen that Microsoft just released an out of band security patch:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653
CVE-2018-8653 is described as:
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
Read more “Happy Bugmass 2019! Critical vulnerability patched”
As reported across major news networks over the world, British Airways has suffered a data breach that not only includes customer data but also includes payment details. Details from 380,000 customers have been accessed by an unauthorised third party. More details can be found on news sites such as:
https://www.theregister.co.uk/2018/09/06/british_airways_hacked/
https://www.bbc.com/news/uk-england-london-45440850
It’s likely that attackers have compromised a web service which is linked to payment services, however no specific details have been released yet so until then we can only speculate.
In this post we look at the information reported by British Airways, guidance for customers from BA, ourselves and NCSC but also we discuss the steps business’s should be taking to ensure they have a strong security posture, especially where customer data is concerned. Read more “British Airways breach”
Welcome to another threat update, this week we look at some interesting twitter dumpster fires and a highly targeted ransomware campaign
You got root sir but that’s not a hack! The world turns upside-down and inside out when @cybergibbons and a band of hackers go on rage mode at the claims from John McAfee and BitFi that their wallet is un-hackable and the ‘restrictions’ placed on the bug bounty.
https://twitter.com/officialmcafee/status/1024385313966379010
@ingnl caused some fun when they recommend not using password managers which went down well with the twitter infosec community. Just so everyone is aware, we recommend using a password manager.
Welcome to another Threat Week update, today we are going to look at some of the active threats in the wild and in the news.
Common attack vectors are still the usual suspects. Phishing, drive by infections, insecure internet exposed services (e.g. FTP, RDP, SSH, web services etc.) We’ve seen phishing attacks using legitimate services such as Zoho CRM to hijack their mail domain to bypass mail filters, so again good education plus technical controls are the best defence against these attacks.
Xservus run a vulnerable lab which hosts honeypots, web services and is used to detect threats. The following graph showcases external threats detected. Read more “July Threat Update”
Welcome to the first instalment of threat week, the concept of threat week is to provide regular updates on threats, vulnerabilities, security news to provide you with a service that cuts through the noise and enables you to improve the security of your organisation.
To give people an idea of the content we will be producing we’ve published the following below. The concept is to tailor the content to your specific organisation as we’ve been doing with our customers. To start this process, after your subscribe one of the team will be in touch to discuss your specific requirements.
Vmware releases patches for ESXi, Fusion and Workstation to remove data leakage vulnerabilities!
https://www.vmware.com/uk/security/advisories/VMSA-2018-0016.html
Hackers are targeting CISCO CVE-2018-0296
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
Threat Trend – Ransomware declines whilst Crypto mining malware becomes king of the hill for attackers
http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145
Ticketmaster breach – Most of you will be aware that Ticketmaster was involved in a cyber incident. The NCSC has published guidance for customers who suspect their account have been compromised.
https://www.ncsc.gov.uk/guidance/ncsc-advice-ticketmaster-customers
