This Month in Cybersecurity - October Edition

Unpatched Cisco Zero-Day Vulnerability Actively Targeted

A critical, unpatched security flaw found within Cisco’s IOS XE software has been found and announced by the company. The flaw, that is being tracked as CVE-2023-20198, has been assigned the severity level of 10.0, which is the maximum rating that something can receive on the CVSS scoring system.

The vulnerability is allowing threat agents to create accounts on affected systems with the highest privilege level and gain control of the system. There isn’t a true fix out currently, but Cisco is suggesting to disable the HTTP server feature on internet-facing systems.

Similar vulnerabilities have been seen in other firewall brands such as WatchGuard which impacted several local businesses at the time.  Cyber Defense has long suggested removing administrative based systems from the internet as a best practice and highlight this in penetration test reports. 

Zoom Links Offer Exploitation Point for Organizations

Zoom has offered the ability to create Personal Meeting ID’s (PMI) to allow for quick and easy meetings to be scheduled or created. These IDs have created a personal meeting room that is available around the clock for both you and your clients to access, but because they are a static ID, anyone can gain access to that meeting room if they find out the PMI or receive an embedded passcode link.

Thanks to a security researcher, it has been found that many organizations can have their meetings accessed by threat agents looking to gain private information that could be shared over these meetings through impersonation or joining an ongoing meeting. The solutions to avoiding this are fortunately included in Zoom already and the researcher suggests implementing at least one of the following:

  • Require a Passcode to Join

  • Only Allow Registered Users

And of course, there is always the choice to disable the Personal Meeting ID for public meetings altogether.

CISA Shares Knowledge of Vulnerabilities and Misconfigurations

CISA launched an initiative this year known as the Ransomware Vulnerability Warning Pilot to bring more attention to known vulnerabilities and hopefully prevent ransomware incidents. This week, they have added new resources to this program, the “Known Exploited Vulnerabilities Catalog” and a “Misconfigurations and Weaknesses List”.

The Known Exploited Vulnerabilities Catalog, or KEV, details existing exploits that CISA has determined and whether or not they are known to have been used in ransomware campaigns. The Misconfiguration and Weaknesses List bolsters the KEV Catalog by including non-CVE based exploits and weaknesses created by misconfigurations.

 

Defensible Strategies

Learn from those who have been attacked

Genetic Testing Provider 23andMe Facing Lawsuits After Hack

Last month, a threat agent released a large file that included customer data gathered from the genetic testing provider. The company announced that the attack happened by using compromised user credentials to gain access into weakly secured accounts. The original threat agent retracted the document to sell off the data of specific profiles, but other agents have continued to post the original file.

Despite certain users having taken the additional step of implementing user side security measures such as Multi-factor authorization, they still found themselves victims of the breach due to a lack of data safety implemented on 23andMe’s side. This has caused multiple lawsuits to be filed, along with the lack of information regarding the current safety of user data and the lack of information regarding details of the attack itself, and the delay in 23andMe’s reporting of the incident.

This illustrates the value of reporting early and often to manage the reputational impact of a data breach, but to also reduce the liability associated with a data breach. In case of a data breach, it is important to engage a breach coach as soon as possible in the incident response process.  Breach coaches, who are privacy trained attorneys are often included as a part of most cyber liability insurance policies.

2017 Equifax Data Breach Incurs $13.5 Million Fine

In 2017, Equifax was the victim of a data breach that occurred from improper management of data. The Financial Conduct Authority (FCA_ of the United Kingdom determined that the leak happened due to a failure in managing and monitoring of consumer data that had been outsourced to the United States portion of the company.

The FCA also determined that Equifax’s security systems were “plagued with known weaknesses” and that no action was taken to rectify those issues. Due to the negligence and mishandling of data, the FCA has fined Equifax a total of $13.5 Million on top of the $700 million settlement that occurred in the United States. The US courts also required the company to invest a minimum of $1 billion in improving its data security stance.