Learning From Security Headlines - May 2023

Security Headlines From May

The month of May saw a number of security headlines related to new attack methods, data breaches, and security updates. This post provides a quick review of the month of May and its key takeaways to keep your organization covered, as well as some best practices these articles shine a light on.

Please note there are numerous headlines related to cybersecurity news. Thoreson Consulting aims to curate headlines most important to small businesses.

This recap includes information around ‘Patch Tuesday’, potential new phishing domains, and new WordPress vulnerabilities.

Microsoft Releases Patch for Known Outlook Exploited Vulnerability

What Happened?

Earlier this month, Microsoft patched a vulnerability in Outlook that was actively exploited by Russian threat actors. In their advisory disclosing the 9.8 CVSS vulnerability, Microsoft notes:

Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.

According to researchers at Akamai, the vulnerability is ‘zero-click’, meaning that it requires no interaction by users. Successful exploitation allows attackers to steal files, which could lead to the decryption of user authentication hashes.

Why It Matters?

This vulnerability, when successfully exploited, can result in the takeover of user accounts, as it targets Net-NTLMv2 hashes. Since it is a ‘zero-click’ vulnerability, the exploit has been shown to trigger simply by sending a maliciously crafted calendar invite to the victim.

This patch was one of 49 vulnerabilities addressed in Microsoft’s ‘Patch Tuesday’ updates, including three zero-day vulnerabilities and five critical Remote Code Execution (RCE) vulnerabilities.

The bottom line is that organizations should prioritize patching and ensure updates are queued automatically and applied in a timely manner, so that vulnerabilities are addressed on time. ‘Patch Tuesday’ occurs monthly and delivers fixes for some of the most critical and actively exploited vulnerabilities in the wild.

Google’s New Top-Level Domains (TLDs) Give Social Engineers a New Angle

What Happened?

Google released two top-level domains (TLDs) this week, allowing customers to purchase domains ending in .zip and .mov. This has raised concern among security professionals, who argue that it gives social engineers a new tool set for phishing attacks.

Combined with other well-known obfuscation techniques, this could allow attackers to more easily lure victims into phishing attacks.

Why It Matters?

In theory, attackers could leverage domains that look like file names, as it would be difficult to tell the difference. The confusion could direct users to malicious websites instead of an expected file download. Ultimately, the new domains add another layer of confusion that users must be taught about in order to combat social engineering.

Administrators should identify any business cases where the .zip or .mov domains would be required and then block domains at the TLD level (i.e. *.mov and *.zip). There are likely few use cases where these domains are required for business function.
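As an added example (not part of the original post), here is a small Python filter that applies the advice above to inbound text such as mail bodies or proxy logs: any link or bare token that resolves to a hostname under .zip or .mov is flagged, unless it is on an allowlist of the business cases identified during review. The allowlist entry and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# TLDs the organization has decided to block at the TLD level (*.zip, *.mov).
BLOCKED_TLDS = {"zip", "mov"}

# Hypothetical allowlist for the few business cases identified during review.
# Constructed placeholder; replace with the hosts your own review turns up.
ALLOWED_HOSTS = {"files.partner-example.zip"}

# Matches full URLs as well as bare domain-looking tokens such as "report.zip",
# because mail clients and chat apps auto-link those tokens the same way.
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def hostname_of(token: str) -> str:
    """Return the lower-cased hostname of a URL or bare domain-like token."""
    if "://" not in token:
        token = "http://" + token
    host = urlsplit(token).hostname or ""
    return host.rstrip(".")


def is_blocked(host: str) -> bool:
    """True if the host sits under a blocked TLD and is not an allowed exception."""
    tld = host.rsplit(".", 1)[-1]
    return tld in BLOCKED_TLDS and host not in ALLOWED_HOSTS


def flag_links(text: str) -> list[str]:
    """Return the distinct hostnames in `text` that fall under a blocked TLD.

    A legitimate download path such as https://example.com/files/report.zip is
    not flagged: its hostname is example.com, only the file name ends in .zip.
    """
    flagged: list[str] = []
    for match in URL_RE.finditer(text):
        host = hostname_of(match.group(0))
        if is_blocked(host) and host not in flagged:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    # Constructed sample messages, one benign and one that auto-links to a .zip host.
    for sample in ("Download https://example.com/files/report.zip now",
                   "Quarterly numbers attached: budget.zip"):
        print(sample, "->", flag_links(sample))
```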

WordPress Automatically Patches Over 1 Million Vulnerable Sites

What Happened?

Automattic, the company behind WordPress, has started ‘force’ patching the Jetpack plugin. The forced update addresses a critical vulnerability that allows a threat actor to manipulate files hosted on the WordPress website.

Per Bleeping Computer,

Jetpack is an immensely popular plug-in that provides free security, performance, and website management improvements, including site backups, brute-force attack protection, secure logins, malware scanning, and more.

Automattic noted in their updates that they do not believe anyone has exploited the vulnerability, but they are patching the 5 million WordPress sites actively using the Jetpack plugin as a precaution.

Why It Matters?

When vendors start applying patches automatically, it is because the vulnerability is serious. WordPress plugins are often targeted by threat actors for a number of nefarious reasons. Most common is ‘click jacking’, where attackers redirect users to websites to generate traffic or ad revenue. In this case, attackers could replace files with malware-laced versions targeting website visitors in a ‘supply chain’ attack.

Organizations leveraging WordPress should review whether the Jetpack plugin is in use and ensure the patch was properly applied. Additionally, it is a good opportunity to review and patch other plugins that may be vulnerable to similar attacks.

Need Help?

Thoreson Consulting is here to assist with any questions you may have around the ever-changing security threat landscape. Reach out to us today for a free consultation to learn how we can best assist your organization.
