In today’s rapidly evolving digital landscape, organizations face an ever-increasing number of cyber threats. As highlighted by recent industry reports, traditional network operations solutions often fall short in providing the necessary visibility and control to manage and mitigate these threats effectively. This gap underscores the critical importance of comprehensive attack surface management (ASM) solutions.

Why Network Operation Solutions Fall Short

Limited Visibility and Context

Traditional network management tools are primarily designed to monitor and maintain network performance. While they excel at identifying performance bottlenecks and ensuring operational uptime, they often lack the ability to provide a complete and continuous view of an organization’s attack surface. This limitation becomes especially pronounced in complex, multi-cloud environments where assets are dispersed across various platforms and locations.

Incomplete Asset Inventories

Effective attack surface management begins with a comprehensive and up-to-date inventory of all digital assets. This includes not only the assets themselves but also their locations, the software they run, access permissions, and associated security controls. Traditional tools frequently struggle to maintain such detailed inventories, particularly in dynamic environments where assets and configurations are continually changing.

Inadequate Risk Prioritization

Identifying vulnerabilities is only the first step in securing an organization’s digital environment. The real challenge lies in prioritizing these vulnerabilities based on their potential impact. Traditional network management solutions often lack the advanced analytics required to assess and prioritize risks effectively. This can lead to inefficient use of resources and leave critical vulnerabilities unaddressed.

Performance Over Security

Many network operations solutions are primarily focused on ensuring network performance and availability. While these are important aspects of IT management, they do not address the dynamic and evolving nature of cyber threats. Effective cybersecurity requires a proactive approach that includes continuous monitoring, risk assessment, and the implementation of robust security measures.

The RedSeal Advantage

At RedSeal, we understand the complexities and challenges associated with managing an organization’s attack surface. Our platform provides the comprehensive visibility and contextual intelligence needed to secure your digital environment effectively.

Comprehensive Network Visualization

RedSeal offers detailed network visualization, allowing organizations to see their entire network, including cloud and on-premises environments. This holistic view is crucial for identifying and managing all assets, understanding access paths, and ensuring that security controls are properly implemented.

Continuous Monitoring and Risk Assessment

Our platform continuously monitors the network for changes and potential vulnerabilities. By maintaining an up-to-date inventory of all assets and their configurations, RedSeal keeps organizations ahead of evolving threats. Advanced analytics enable the prioritization of vulnerabilities based on their potential impact, ensuring that resources are used efficiently to address the most critical risks first.

Proactive Security Measures

At RedSeal, we proactively implement and maintain robust security measures for customers, including network segmentation, access control, and the continuous monitoring of security policies. This proactive stance reduces the attack surface and mitigates the risk of cyberattacks.

Continuous Compliance

RedSeal safeguards a full range of critical compliance and governance requirements with over 125 built-in integrations, ensuring adherence to external requirements, internal policies, and best practices.

In the face of increasingly sophisticated cyber threats, traditional network operations solutions are often inadequate for comprehensive attack surface management. RedSeal is the advanced and critical platform needed to visualize, monitor, and secure your entire digital environment effectively. By leveraging RedSeal’s platform, an organization’s cybersecurity posture is significantly enhanced, attack path surfaces are reduced, and critical assets are protected against cyber threat.

Welcome to this week’s cybersecurity roundup, focusing on key developments in digital security. Start your week with the latest headlines from around the globe to keep you informed and ready to defend against evolving cyber threats.

We begin with a follow-up to last week’s blog on AT&T’s breach, which exposed metadata that cybercriminals could use for impersonation. NATO has announced a new cyber defense center in Belgium to combat state-sponsored threats. Microsoft is phasing out Android use for employees in China due to security concerns, and CISA has added a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog, highlighting ongoing zero-day risks. Additionally, the U.S. Senate is introducing legislation to streamline cybersecurity regulations.

 

1. The personal security implications of the AT&T breach

The phone carrier’s data breach, which was announced on Friday, contained records of the phone numbers that were called to or texted to by customers between May 1, 2022 and October 31, 2022. The stolen data does not include any content of calls or texts, nor their time or date. In some instances cell site information was stolen, which might assist threat actors to triangulate customers’ locations as well as the people they interacted with, through the numbers themselves. According to Rachel Tobac, a social engineering expert and founder of cybersecurity firm SocialProof Security, quoted in TechCrunch, this type of data, referred to as metadata, “makes it easier for cybercriminals to impersonate people you trust, making it easier for them to craft more believable social engineering or phishing attacks against AT&T customers.” She continues, “the attackers know exactly who you’re likely to pick up a call from, who you’re likely to text back, how long you communicate with that person, and even potentially where you were located during that conversation due to the metadata that was stolen.” (TechCrunch)

Read our latest blog on network modeling to discover what RedSeal can do to bolster your cybersecurity efforts.

 

2. NATO will build a cyber defense center in Belgium

NATO members have agreed to establish the NATO Integrated Cyber Defence Centre (NICC) at the Supreme Headquarters Allied Powers Europe (SHAPE) in Belgium. Announced during NATO’s 75th-anniversary summit in Washington DC, the NICC aims to enhance resilience and respond to digital threats. The center will house civilian and military experts from member states and utilize advanced technology to improve situational awareness and collective cyber defense. Its primary role is to inform military commanders about offensive cyber threats and vulnerabilities, including those affecting civilian critical infrastructure. NATO has been bolstering its cyber capabilities, conducting defense exercises and developing rapid response strategies. The NICC and similar initiatives respond to rising threats from countries like Russia and China, emphasizing the alliance’s commitment to cybersecurity. (Infosecurity Magazine)

 

3. Microsoft is phasing out Android use for employees in China

Starting in September, Microsoft employees in China will be required to use iPhones for work, cutting off Android devices. An internal memo revealed that this move is part of Microsoft’s Secure Future Initiative, aiming to ensure all staff use Microsoft Authenticator and Identity Pass apps. The decision stems from the fragmented Android app market in China, where Google Play is unavailable, and local platforms by Huawei and Xiaomi prevail. Consequently, Microsoft has decided to block these devices from accessing its corporate resources. Affected employees will receive an iPhone 15 as a one-time replacement. The change is driven by security concerns, following multiple state-sponsored cyberattacks, including a significant breach linked to Russia earlier this year. Microsoft’s Executive Vice President, Charlie Bell, emphasized the company’s commitment to prioritizing security, pledging a major overhaul to address cloud vulnerabilities and enhance credential protection. (Bloomberg)

 

4. CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco NX-OS Command Injection Vulnerability, CVE-2024-20399, to its Known Exploited Vulnerabilities catalog. This zero-day vulnerability, exploited by the China-linked group Velvet Ant, allows authenticated, local attackers with administrator credentials to execute arbitrary commands as root on affected devices. Cisco addressed the flaw, which affects several Nexus series switches, and recommended using the Cisco Software Checker to identify vulnerable devices. Federal agencies must fix this vulnerability by July 23, 2024. (Securityaffairs)

 

5. Top threats facing NATO ahead of major milestone 

Ahead of NATO’s 75th anniversary, analysts at Mandiant have outlined the greatest threats facing the organization and its allied countries. According to Mandiant Intelligence chief analyst John Hultquist, the primary adversaries remain Russia and China. The main threat actors identified include Russia’s APT29, COLDRIVER, and APT44, focusing on espionage, disinformation, and disruptive cyberattacks. China’s espionage efforts have become more stealthy, targeting government, military, and economic entities within NATO using sophisticated techniques like zero-day exploits and operational relay box (ORB) networks. Disinformation and hacktivism are increasing, with groups exploiting geopolitical tensions to undermine NATO’s stability and security. (Security Week)

 

6. Senate takes aim at ‘overly burdensome’ cybersecurity regs

The Senate has introduced new bi-partisan legislation called the “Streamlining Federal Cybersecurity Regulations Act.” The bill would create a committee tasked with harmonizing the “overly burdensome, inconsistent, or contradictory” cybersecurity requirements currently imposed on companies by federal regulatory agencies. The committee would include the national cyber director, the heads of each federal regulatory agency and other government leaders. The new bill comes a month after assistant national cyber director for cyber policy and programs, Nicholas Leiserson, warned lawmakers of increasing “fragmentation” of cybersecurity regulations. (CyberScoop)

 

7. Chinese threat actors exploit N-day vulns in mere hours

U.S. agencies including CISA, the FBI and NSA, as well as international law enforcement have issued a joint advisory warning that Chinese state-sponsored actor, APT40, is targeting newly discovered software vulnerabilities within hours. Rather than using techniques that require user interaction, the group is exploiting vulnerable, public-facing infrastructure to obtain valid credentials. The speed at which ATP40 is operating is setting up a “patching race” condition for organizations. This highlights the need for security teams to promptly patch internet-facing vulnerabilities and monitor for advisories from trusted sources.(Dark Reading)

 

8. Microsoft patches two zero-days

Microsoft yesterday issued patches for 142 vulnerabilities, including two actively exploited zero-days, Help Net Security reports. One of the zero-days (CVE-2024-38112) is a spoofing vulnerability in the Windows MSHTML Platform that can be triggered with a malicious HTML file. Researchers at Check Point found that threat actors have been exploiting the flaw since at least January 2023. Check Point explains, “Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.” (Help Net Security)

 

9. Australia targets government tech under foreign control

Australia’s Department of Home Affairs issued new instructions to all government agencies, ordering them to review their tech stacks for Foreign Ownership, Control or Influence risks. The agencies have until June 2025 to report these risks. A separate order requires developing a security risk management plan for any internet-facing services or systems that can be “directly accessed by untrusted or unknown entities.” A third order mandates government agencies using threat intelligence platforms to connect to a centralized sharing platform run by the Australian Signals Directorate. (The Record)

 

10. New group targets Veeam vulnerability

Researchers at Group-IB discovered a ransomware group known as EstateRansomware began exploiting a known flaw in Veeam Backup & Replication in early April 2024. Veeam patched this flaw in March 2023. The group gained initial access through Fortinet VPN appliances using dormant accounts. From there the attacks access a failover server. Once obtaining access, EstateRansomware created a rogue user account and established a command shell. Before dropping its ransomware payload, the group disabled Windows Defender. The Russian FIN7 cybercrime group exploited the same flaw last year. (The Hacker News)

 

11. Google expands security services

It’s always a good idea to keep abreast of changes to Google security services. Google introduced its  Advanced Protection Program back in 2017, designed to provide extra security for targeted users like journalists and politicians. Since launch, this required two physical security keys to set up, with users having to provide a password and one of those keys to log in. Now Google allows setting up the service with a single passkey using phone-based biometrics. The company also announced it will make its “Dark Web reports” available to all Google accounts later this month. Google previously limited these reports to Google One subscribers. As such, the reports will no longer show up in the Google One app, moving instead to general account settings. (The Verge, 9to5Google)

 

12. A massive phishing campaign is exploiting Microsoft SharePoint servers

A massive phishing campaign is exploiting Microsoft SharePoint servers to host malicious PDFs with phishing links. The attack, observed by malware hunting service ANY.RUN, has surged, with over 500 detections in the last 24 hours. This campaign uses trusted SharePoint services, making it hard to detect malicious intent. The phishing flow involves an email link directing to a SharePoint PDF, a CAPTCHA prompt, and a fake Microsoft login page. Users should verify email sources, check URLs, and enable multi-factor authentication. Indicators of phishing include unexpected SharePoint notifications, mismatched file types, urgent requests, and suspicious login pages. (Cyber Security News)

13. Germany strips Huawei and ZTE from 5G infrastructure

The German government has agreed with major telecom companies to phase out critical Huawei and ZTE components from their 5G infrastructure over the next five years. Interior Minister Nancy Faeser announced that Deutsche Telekom, Vodafone, and Telefonica would discontinue using Chinese-made components in core 5G network parts by the end of 2026 and from antennas, transmission lines, and towers by the end of 2029. This decision aims to protect Germany’s economy and communication systems from potential cybersecurity risks. Despite no specific evidence against Huawei, the move aligns Germany with other European countries and the US, which have already restricted Huawei and ZTE equipment. (NYT)

 

14. CDK Global reportedly pays $25M ransom following cyberattack

Following up on the story regarding CDK Global, the maker of specialized software for car dealerships, The Register reports that the company paid the $25 million ransom in bitcoin, to the group that runs BlackSuit ransomware. The consulting firm Anderson Economic Group suggests that the total financial damage to dealers in the first two weeks of the shutdown is just over $600 million, or 24 times the ransom. The problems for CDK and its customers are not yet over, with certain parts of the network still offline as restoration and rebuilding continues. (The Register and Anderson Economic Group)

 

15. CISA breaks into a U.S. federal agency, goes unnoticed for five months

As part of a red teaming exercise, named by CISA as SILENTSHIELD assessments, specialists exploiting an unpatched vulnerability in the Oracle Solaris enclave of an unnamed federal civilian executive branch agency, leading to what it said was a full compromise. The intrusion was made in January 2023, and for the following five months of the assessment, the target organization “failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity.” As reported in The Register, “After gaining access to the Solaris enclave, the red team discovered they couldn’t pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful.” (The Register)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

1. Update on the TeamViewer network breach

The remote access software company is now attributing Wednesday’s attack on its corporate networks as being the work of Russian state-sponsored hacking group Midnight Blizzard, also known as Cozy Bear and APT29. They clarify that “TeamViewer’s internal corporate IT environment is completely independent from the product environment”. According to The Record, the hack was traced back to the credentials of a standard employee account within the company’s corporate IT environment. (BleepingComputer, The Record)

 

2. U.S. businesses struggle to obtain cyber insurance

At the hearing before the House Homeland Security Committee’s cyber-focused subcommittee, representatives from companies and associations described the difficulties they are experiencing, trying to obtain insurance against breaches, finding them hard to come by and with terms that are very difficult to understand, especially in terms of exclusions and definitions of breaches as “acts of war.” This has only led to increasing insurance premiums, which has caused some clients calling for a “so-called backstop for the market in which the federal government would step in and guarantee large-scale insurance losses. (Cyberscoop)

 

3. Microsoft expands scope of mail compromise warning

The hack to Microsoft’s internal email systems, which was revealed in January of this year, was initially described as having affected “a very small percentage of Microsoft corporate email accounts.” Now, however, Microsoft has started alerting organizations and individuals, specifically more than a dozen state agencies and public universities in Texas, that emails between themselves and Microsoft were accessed. This is according to reporting by Bloomberg. This hack is also being attributed to Midnight Blizzard. (Bloomberg, Yahoo News)

 

4. Hackers exploit critical D-Link DIR-859 router flaw to steal passwords

A critical vulnerability affecting all D-Link DIR-859 WiFi routers is currently being exploited by hackers “to collect account information from the device, including passwords.” The flaw has a CVE number and a 9.8 severity score. According to BleepingComputer, the D-Link DIR-859 WiFi router model reached end-of-life (EoL) and no longer receives any updates, [but] the vendor did still release a security advisory explaining that the flaw exists in the “fatlady.php” file of the device, affects all firmware versions, and allows attackers to leak session data, achieve privilege escalation, and gain full control via the admin panel.” (BleepingComputer)

 

5. 14 million Linux systems threatened by ‘RegreSSHion’ vulnerability

Researchers at Qualys have uncovered a critical vulnerability, “regreSSHion” (CVE-2024-6387), which some experts are comparing to the notorious Log4Shell in terms of potential severity. This flaw, with a CVSS score of 8.1, affects glibc-based Linux systems running sshd in its default configuration. Exploiting this vulnerability could allow attackers to completely take over systems, install malware, manipulate data, and create backdoors for persistent access. The vulnerability poses a severe threat, enabling unauthorized remote code execution with root privileges, leaving over 14 million servers potentially vulnerable. (Bleeping Computer), (Security Week), (Dark Reading)

Read about how RedSeal responds to the “regreSSHion” vulnerability and helps fortify your network security HERE.

 

6. Critical patch issued for Juniper routers

It’s going to be a perfect 10 on the CVSS scale for a critical vulnerability (CVE-2024-2973) impacting Juniper Networks routers. The company released patches outside of their usual schedule, indicating the severity of the flaw. According to Juniper, the issue affects all Session Smart routers and conductors running in high-availability redundant configurations. This vulnerability allows for a network-based attack to bypass authentication and take over the device. (Juniper), (Dark Reading), (The Register)

 

7. Chinese hackers exploit zero-day in Cisco Devices

State-backed Chinese hackers, known as Velvet Ant, exploited a newly identified zero-day vulnerability (CVE-2024-20399) in Cisco NX-OS software used in Nexus-series switches. The discovery was made by Sygnia during a forensic investigation where  the hackers gained administrator-level access to deploy custom malware for remote control of compromised devices. Cisco has issued software updates to address the vulnerability, with no available workarounds. (Bleeping Computer) , (The Record)

 

8. CDK Global gives update on restoration timeline

An update to a story we’ve been following for the last two weeks: CDK Global says all car dealerships using their platform will be back online by this Thursday, July 4th. The software-as-a-service provider’s platform, which is used by over 15,000 car dealerships around North America, experienced not one but two attacks last month, forcing the company to take all IT systems offline. According to Bleeping Computer, the BlackSuit ransomware gang was tied to this attack. (Bleeping Computer)

 

9. Chinese threat actor exploits Cisco zero-day

A China-aligned cyberespionage actor dubbed “Velvet Ant” exploited a zero-day vulnerability (CVE-2024-20399) affecting a wide range of Cisco Nexus devices, according to researchers at Sygnia. The flaw is a command injection vulnerability in the Cisco NX-OS Software CLI that can “allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.” Cisco has issued patches for the flaw. Sygnia says Velvet Ant’s “exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.” (Sygnia)

 

10. Google fixes 25 Android flaws, including critical privilege escalation bug

Google has released patches for 25 security vulnerabilities in the Android operating system, including a critical-severity flaw in the Framework component. The critical bug (tracked as CVE-2024-31320), impacts Android versions 12 and 12L and allows an attacker to escalate privileges on a vulnerable device. That flaw, along with fixes for seven other high-severity issues, were released by Google on Monday. This coming Friday, Google plans to release updates that resolve an additional 17 vulnerabilities in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components. (SecurityWeek)

 

11. French authorities seize nearly $6M in illicit online platform takedown

In a coordinated international effort, French authorities have seized servers and proceeds worth millions belonging to the “Coco” chat website. Authorities said the site facilitated child pornography, other sexual exploitation, drug dealing and violent acts including homicides. The website is owned by a Bulgarian company and had over 850,000 users in France alone as of 2023. Child rights activists have been lobbying against the site they referred to as a “predators den” since 2013. The Coco site has been replaced with a seizure notice from the French national police. (The Cyber Express)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.