Cyber Security Trends 2024

Aspire’s Monthly Cyber Security Trends 2024

Welcome to the monthly 2024 cyber security trends report from Aspire’s Security Operations Centre. Our 24/7 security operations team works diligently to keep organisations safe, defending against attacks and continually developing detection capabilities to keep pace with emerging cyber security threats.

The team’s monthly threat analysis will explore the general trends Aspire are seeing in cyber attacks and provide recommendations where possible.

We will also explain the methods and tools our RealProtect managed cyber security services provide to mitigate such attacks.

February 2024

CVE-2024-21762 – Fortinet FortiOS Out-of-Bound Write Vulnerability

Overview

The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands. An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests. Fortinet has stated that it is likely this is being “exploited in the wild.” This is concerning as this vulnerability can lead to sensitive data exposure and/or a disruption in network operations.
The Bottom-line Up Front (BLUF) denotes that both vulnerabilities enable authenticated attackers to execute arbitrary code, significantly impacting confidentiality, integrity, and availability, and require no user interaction.

Countermeasures

It is incredibly important to identify which products are used within a company’s environment and if this is on the Affected Version and if so, upgrade these as soon as possible to mitigate potential threats. If you are unable to patch affected instances, it is possible to mitigate CVE-2024-21762 by disabling SSL VPN (Virtual Private Network) as a workaround.

Aspire Recommendations

• Patch Management: Keep all software, operating systems, and firmware up to date with the latest security patches and updates to mitigate the risk of exploitation by known vulnerabilities.
• Data backup and Recovery: Implement regular data backup procedures to ensure that critical data can be restored in the event of a cyber incident. Store backups securely, preferably offline or in a separate, isolated environment.
• Access Control and Privilege Account Management: Implement strong access control measures to limit access to sensitive data and systems. Use multi-factor authentication (MFA) for accessing critical systems and regularly review and update user access privileges.
• Employee Training: Provide regular cybersecurity training to employees to increase awareness of potential threats, such as phishing attacks, malware, and social engineering tactics. Employees should be trained on how to recognize and report suspicious activity.

Aspire SOC

A Security Operations Centre (SOC) is important in mitigating and preventing threats such as CVE-2024-21762. A SOC will provide constant monitoring and respond to any potential threats. When an attack takes place, a SOC will respond quickly to contain the threat and prevent further action taking place.

Tools a SOC will use, such as Qualys are crucial to quickly identifying and patching any vulnerabilities such as CVE-2024-21762. Qualys will scan infrastructure and identify vulnerabilities, which can then be remediated in a timely manner.

January 2024

Ivanti Connect Secure VPN faced a significant security threat due to two zero-day vulnerabilities identified as CVE-2023-46805 and CVE-2024-21887.

Summary

Two zero-day vulnerabilities in Ivanti Connect Secure VPN. Zero-day vulnerabilities are previously unknown software flaws that hackers can exploit before the software vendor has an opportunity to create a patch to fix the flaw. In this context, Ivanti Connect Secure VPN, which is widely used for secure remote access to corporate networks, is vulnerable. This situation is particularly critical because VPNs are critical for secure communication, and vulnerabilities within them can lead to unauthorised access, data breaches, and potentially large-scale security incidents.

Countermeasures

To determine if your system has been compromised by the vulnerabilities in Ivanti Connect Secure VPN as reported by Volexity, follow these key steps:

1. Run Ivanti Integrity Checker Tool: Use this tool to detect any new or mismatched files on the Ivanti Connect Secure VPN appliance. Follow instructions in Ivanti’s KB44755 for guidance on running this tool.
2. Analyse Network Traffic: Check for unusual outbound and inbound connections involving the VPN appliance. Look for signs like unexpected curl requests to external websites, reverse proxy connections, or SSH tunnelling that are not part of regular operations.
3. Review VPN Device Logs: Examine logs for signs like wiped or disabled logs, which can be a strong indicator of a compromise. Also, look for requests to atypical file paths or other irregular log entries.
4. Check for Signs of Lateral Movement: Monitor internal network traffic for unusual activities such as RDP, SMB, and SSH attempts to internal systems, or unexpected port scanning activities.
5. Examine Modifications to System Components: Look for unauthorised changes to system files, especially web components like CGI or JavaScript files used by the VPN appliance, which could indicate credential theft or command execution setups.
6. Evaluate Integrity Checker Tool Results: Pay attention to the results from the Integrity Checker Tool, particularly any reports of new or mismatched files, which could be a strong indicator of a compromise.

If any of these signs are present, it is crucial to consider the system compromised and initiate a comprehensive incident response, including forensic investigation and mitigation measures.

Recommendations

Based on the Ivanti report on the vulnerabilities in Ivanti Connect Secure VPN, here are key recommendations to safeguard your systems:

1. Apply Ivanti Mitigations and Patches: Immediately implement the available mitigations provided by Ivanti and install any patches as soon as they are released. This is crucial for preventing exploitation of the vulnerabilities.
2. Regular Use of the Integrity Checker Tool: Utilize Ivanti’s Integrity Checker Tool regularly to identify any new or mismatched files on the VPN appliance. This tool is vital for early detection of potential compromises.
3. Enhanced Network Monitoring: Vigilantly monitor network traffic for anomalies, especially outbound and inbound connections related to the VPN appliance, to detect signs of a compromise.
4. VPN Device Log Analysis: Regularly review the logs from your VPN device for unusual activities such as wiped logs, requests for uncommon file paths, or other irregular entries that might indicate a breach.
5. Investigate Signs of Lateral Movement: Be on the lookout for indications of lateral movement within your network, such as unauthorised RDP, SMB, SSH attempts, or port scanning activities.
6. Credential Management Review: Assume that credentials accessible or stored on the compromised VPN appliance are at risk. Implement immediate resets and changes to these credentials.
7. Incident Response Preparedness: In case signs of compromise are detected, have a robust incident response plan ready to swiftly address and mitigate the breach.
8. Educate and Train Staff: Raise awareness among your staff about these specific vulnerabilities and general best practices in cybersecurity to prevent successful phishing or other exploitation attempts.

Aspire SOC & IR

The joint effort of the Security Operations Centre (SOC) and Incident Response (IR) in managing Ivanti Connect Secure VPN vulnerabilities provides an effective and comprehensive defence. This approach swiftly addresses immediate threats and bolsters long-term cybersecurity. Incident Response is crucial for quick containment, in-depth analysis, and the implementation of strategic remediations, ensuring the organisation is better prepared for future cyber threats.

Elevation of Privilege Vulnerability in Microsoft SharePoint Server: CVE-2023-29357.

Summary

This type of vulnerability typically enables attackers to obtain higher-level permissions on a system or network, potentially leading to unauthorised access or control over the affected system. Specifically in the context of Microsoft SharePoint, a widely used platform for collaboration and document management, this vulnerability could allow attackers to gain elevated privileges within the SharePoint environment. Such exploitation compromises the integrity and confidentiality of the data and processes managed by SharePoint. A remote, unauthenticated attacker can exploit this vulnerability by sending a spoofed JWT (JSON Web Token) authentication token to a vulnerable server, thereby obtaining the privileges of an authenticated user on the target system.

Countermeasures

1. Apply Microsoft Security Patches: Promptly install all security updates released by Microsoft for SharePoint Server.
2. Regular System Updates: Keep systems up to date with the latest security features.
3. Enhance Monitoring and Logging: Improve surveillance of SharePoint Server activities for early detection of unusual access or exploitation attempts.
4. Implement Strict Access Controls: Strengthen environment security through rigorous access control and user privilege management.
5. Conduct Regular Security Audits: Perform routine audits to identify and resolve any lingering vulnerabilities, reinforcing defence mechanisms.

Recommendations

1. Develop an AI-Integrated Security Framework: Integrate AI tools for advanced threat detection specific to SharePoint environments.
2. Employee Awareness and Training: Educate staff about the latest security threats to SharePoint Server and train them in best practices for prevention and response.
3. Backup and Disaster Recovery Planning: Establish robust backup protocols and a disaster recovery plan to ensure data integrity and availability.
4. Collaborate with Security Experts: Engage with cybersecurity experts to gain insights into advanced protection strategies for SharePoint Server.
5. Evaluate Third-Party Security Solutions: Consider implementing third-party security solutions that complement Microsoft’s native security features for SharePoint.
6. Implement Network Segmentation: Use network segmentation to protect SharePoint data by limiting access to sensitive areas within the network.
7. Regular Penetration Testing: Conduct penetration testing to proactively identify and address potential security weaknesses.

Aspire SOC

A Security Operations Centre (SOC) is crucial in managing vulnerabilities like CVE-2023-29357 in Microsoft SharePoint Server. The SOC’s role includes continuous network monitoring for early threat detection and expert analysis to guide swift response actions. Although the SOC does not directly apply patches, it plays a significant role in vulnerability identification using tools like Qualys. It also informs tenants, particularly if the vulnerability is being actively exploited, and offers ongoing surveillance and threat intelligence, contributing to a more robust security posture.

The Rise of Ransomware 2024

Summary

Ransomware in 2024 presents a critical and evolving threat, with attackers employing advanced techniques and specifically targeting high-value entities. The use of complex social engineering, sophisticated phishing, and exploitation of zero-day vulnerabilities has become more prevalent, often amplified by artificial intelligence to increase the efficacy of attacks. There is a significant shift towards focused attacks on corporations and government institutions, aimed at securing higher ransom payouts. The emergence and growth of Ransomware-as-a-Service (RaaS) have made ransomware tools and services more accessible, broadening the pool of potential attackers. Additionally, the strategy of double extortion, involving the encryption of victim data followed by threats to publish or sell the information, adds a layer of complexity and urgency for organisations, heightening the stakes and pressure to comply with ransom demands.

Countermeasures

• · Implement advanced cybersecurity protocols.
• Employ AI and machine learning for threat detection.
• Strengthen defences against social engineering and phishing.
•  Regularly update software to patch vulnerabilities.
• Use multi-factor authentication and strong password policies.
• Secure and regularly back up critical data.
• Monitor network traffic for suspicious activities.
• Conduct regular penetration testing.
• Isolate critical systems to limit potential spread.
• Employ endpoint detection and response solutions.

Recommendations

• Regularly update and review cybersecurity policies.
• Conduct comprehensive risk assessments.
• Increase employee awareness and training on cybersecurity.
• Develop a robust incident response plan.
• Foster a culture of cybersecurity vigilance.
• Stay informed about the latest ransomware trends.
• Engage with cybersecurity communities for shared intelligence.
• Invest in advanced threat detection and response tools.
• Review and strengthen data encryption practices.
• Collaborate with external cybersecurity experts as needed.

Aspire SOC

A Security Operations Centre (SOC) is vital in defending against ransomware through its ongoing monitoring and quick response. The SOC is key for early threat detection, using advanced technology to identify and address risks. During attacks, the SOC’s rapid actions help contain the impact and prevent extensive damage. Post-attack analysis by the SOC aids in refining security strategies and preventing future incidents. By keeping up with the latest ransomware trends, the SOC ensures that an organisation’s defences adapt to changing cyber threats, making it crucial for robust cybersecurity.