This Week in Cyber 16th June 2023

Windows 10 21H2 Reaches End of Service

Multiple editions of Windows 10 21H2 have reached their end of service (EOS), prompting Microsoft to remind users of the importance of upgrading to the latest release to mitigate potential security risks. Windows 10 21H2 will no longer receive security updates, leaving systems vulnerable to attacks targeting unpatched vulnerabilities. Microsoft advises customers to update to the latest version of Windows 10 or consider upgrading to Windows 11 for continued support. The affected editions include Windows 10 Home, Pro, Pro Education, and Pro for Workstations. Additionally, the Windows 10 2022 Update (22H2) has entered broad deployment, while Windows 11 22H2 is being automatically installed on systems running Windows 11 21H2 nearing their end-of-service (EOS) date. Microsoft emphasizes the importance of staying protected and productive by allowing devices to restart and complete necessary updates.

Widespread Adversary-in-the-Middle Attack Campaign Targets Global Organizations

Numerous global organizations have fallen victim to a widespread business email compromise (BEC) campaign employing adversary-in-the-middle (AitM) techniques to carry out the attacks. Sygnia researchers reported that after successfully phishing an employee, the threat actor executed an AitM attack to bypass Office365 authentication and maintain persistent access to the compromised account. Exploiting this access, the attacker exfiltrated data and propagated phishing attacks against other employees within the organization, as well as external targeted entities. This revelation comes shortly after Microsoft disclosed a similar AitM phishing and BEC attack on banking and financial services organizations. BEC scams typically involve deceiving victims into sending money or divulging confidential information, often by impersonating trusted figures. In the Sygnia-documented attack chain, the threat actor used a phishing email with a link to a fraudulent "shared document," redirecting victims to an AitM phishing page designed to harvest credentials and one-time passwords. Furthermore, the attackers leveraged temporary access to the compromised account to register a new multi-factor authentication device, establishing persistent remote control from a different IP address. Exploiting this foothold, they sent phishing emails with the malicious link to multiple employees and targeted organizations, spreading in a worm-like fashion. The full scope of this campaign remains unknown, highlighting the ongoing threats posed by sophisticated cyberattacks.

SMB Cybersecurity Study Reveals Priority Targets for Cyber-Criminals

A recent study highlighted the concerning cybersecurity landscape for small and medium-sized businesses (SMBs) in the U.S. and U.K. According to the study, over 50% of SMBs experienced successful cyberattacks in the past year. The impact of these attacks was significant, with 58% of respondents reporting business downtime and 39% suffering customer data loss. It was observed that cybercriminals often target organizations with inadequate protection, making SMBs vulnerable. Surprisingly, 87% of IT decision-makers reported facing multiple successful attacks, with data exfiltration being a common tactic. These findings underscore the need for enhanced security measures to combat evolving attack techniques. SMBs face challenges such as a lack of knowledge about potential threats and the cost of hiring cybersecurity professionals. When selecting cybersecurity service providers, SMBs prioritize high security standards and expect providers to understand their unique challenges. It is important for SMBs to choose providers that proactively adopt new technologies and strategies to stay ahead.

Microsoft's June Patch Tuesday: Critical Vulnerabilities Addressed

Microsoft has released its latest round of software updates, addressing numerous security vulnerabilities in Windows operating systems and other software. Notably, this month's Patch Tuesday brings a welcome relief for system administrators, as it marks the absence of any active exploitation of zero-day vulnerabilities in Microsoft products since March 2022. While none of the 70 patched vulnerabilities have been reported as exploited in the wild, Microsoft has identified certain issues, such as CVE-2023-29357 in SharePoint Server, as more likely to be exploited. Additionally, three vulnerabilities affecting the widely-used Windows Pragmatic General Multicast (PGM) have been fixed, with a collective high CVSS score of 9.8. Organizations relying on Microsoft Exchange for email should also take note of the Exchange bugs (CVE-2023-32031 and CVE-2023-28310) that closely resemble the ProxyNotShell exploits.

Update on MOVEit Transfer and MOVEit Cloud Vulnerability (CVE-2023-34362): Urgent Action Required

An important update has been issued regarding a critical SQL injection vulnerability, identified as CVE-2023-34362, affecting MOVEit Transfer and MOVEit Cloud. This vulnerability poses a significant security risk, potentially granting attackers complete control over the affected MOVEit installations. Exploiting this vulnerability enables unauthorized data alteration, theft, installation of malicious software, and server configuration manipulation. A patch has been released for on-premises and cloud customers to address this issue. However, since attacks may have occurred prior to the patch's availability, users are urged to check for signs of compromise beyond publicly discussed methods. It is crucial for all MOVEit customers to promptly apply the latest patch and actively monitor for any malicious activity. Comprehensive impact assessment and queries for identifying potential exploit attempts, compromised processes, and web shell activity are available to assist in monitoring. Taking immediate action is imperative to mitigate the risks associated with this vulnerability and safeguard critical data and systems.