Good afternoon!
Those of us in the DFW / North Texas area who experienced some type of damage from the storm that passed through here yesterday morning are in the process of recovering. Yesterday was supposed to be a trip to Tyler for a meeting, but when I was going to leave, the storm was right over our house and would have followed me the entire way there. That said, I stayed home, and there was no major damage for us minus a small portion of our fence that needed some TLC yesterday afternoon. I hope everyone is safe and your damage was not extensive.
So, with that, let’s jump into this week's cybersecurity news update...
Veeam Vulnerability
Veeam has released patches for four (4) CVEs; Veeam Backup Enterprise Manager 12.1.2.172 has been released to fix the below:
- CVE-2024-29849: This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
- CVE-2024-29850: This vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.
- CVE-2024-29851: This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
- CVE-2024-29852: This vulnerability in Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs.
- For those that CAN NOT patch, the Veeam KB article linked below provides a mitigation plan to assist
- Also, it is worth noting that VBEM is not installed by default; however, it gives customers access to a web console to remotely manage multiple Veeam Backup & Replication instances
Link (1): https://www.veeam.com/kb4581
Link (2): https://www.scmagazine.com/news/veeam-patches-critical-flaw-that-puts-enterprise-backups-at-risk
Justice AV Solutions Software Backdoor

CVE-2024-4978: Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected Authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands.
- Justice AV Solutions is a U.S. based company specializing in digital audio-visual recording solutions for courtroom environments
- This is critical because if JAVS Viewer v8.3.7 is currently installed, the backdoored installer allows a threat actor to gain full control of affected systems; a complete re-imaging of the endpoint and resetting of associated credentials is necessary to ensure attackers have not created persistence through backdoors or stolen credentials
- Upgrading to v8.3.8 or higher is necessary AFTER re-imaging the device
Link (1): https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
OmniVision discloses data breach
OmniVision is an imaging sensor manufacturer out of California that has disclosed a data breach after an incident last year involving the Cactus ransomware group
- They design and develop imaging sensors for smartphones, laptops, webcams, automotive, medical imaging systems, and others
- The incident occurred between Sept 4 and 30, 2023, when systems were encrypted with ransomware
- The internal investigation took until April 2024 to reveal that the attackers stole PII
- Data stolen included: passport scans, NDAs, contracts, and other confidential documents
- The point here is that an organization being recovered and operational again does not mean it fully understands what actually occurred and what was taken; this takes time and effort, and it requires proper logging to be in place before the incident ever occurs. For example, 2 days from now, can you tell exactly what data was in what database? What about 30 days ago, 60 days ago, 6 months? Logging is essential, as is storing it in a location a threat actor would not have direct access to in the event the organization is compromised.
Link (1): https://www.bleepingcomputer.com/news/security/omnivision-discloses-data-breach-after-2023-ransomware-attack/
LastPass encrypts URLs
LastPass is in the process of encrypting the URL field, not just the other data fields, to continue to improve their product
- This change will require some interaction from the customers, and is expected sometime in the latter half of 2024
Link (1): https://blog.lastpass.com/posts/2024/05/lastpass-is-encrypting-urls-heres-whats-happening
Edge gets screenshot protection
Microsoft Edge for Business will be incorporating the ability to prevent users from taking screenshots of websites and sending them to others
- This will be done through a tagging mechanism where certain websites (e.g., ERM platforms) are protected
- In the article linked below, it is ironic that Microsoft released this information shortly after revealing the new Copilot offering, which creates snapshots of everything one does on their PC
Link (1): https://www.pcworld.com/article/2336462/microsoft-edge-will-start-blocking-screenshots-on-the-job.html#:~:text=Microsoft%20is%20adding%20screenshot%20prevention,using%20Microsoft%20Edge%20for%20Business
Cencora notifies customers of data breach
Cencora, formerly known as AmerisourceBergen, is a U.S. pharmaceutical service provider that experienced a cyberattack in February 2024
- This cyberattack has affected organizations like Novartis Pharmaceuticals, Bayer, GlaxoSmithKline, and eight other major pharmaceutical firms
- Information affected includes: full names, addresses, diagnoses, prescriptions, and medications
Link (1): https://www.scmagazine.com/brief/nearly-a-dozen-drug-firms-impacted-by-cencora-breach
Arc browser’s Windows launch sabotaged by malvertising
Arc browser was originally launched in the summer of 2023 for macOS systems and has since begun rolling out for Windows systems
- Unknown threat actors are creating websites on typosquatting domains and using Google Ads to redirect people to download malicious versions of Arc
- Remember, it is best to skip the search results marked "advertisement" or "sponsored" and focus on the legitimate, non-sponsored results
- The versions being downloaded do include the real browser, with a small malicious payload bundled alongside it
Link (1): https://www.techradar.com/pro/security/hackers-hijack-arc-browser-windows-launch-with-malvertising-campaign
New ransomware uses Windows BitLocker to encrypt victim data
ShrinkLocker is a new ransomware strain that creates a new boot partition to encrypt corporate systems using Windows BitLocker
- So far targets have been government entities and companies in the vaccine and manufacturing sectors
- This is not a new way to encrypt systems, but some differences are that it is written in VBScript (currently on the path to being deprecated) and is able to determine the Windows version using WMI
- If specific parameters are met (the current domain matches the target and the OS version is newer than Vista), the attack continues: it uses the Windows diskpart utility to shrink every non-boot partition by 100MB and splits the unallocated space into new primary volumes of the same size
- Another aspect is that it modifies registry entries to disable remote desktop connections or to enable BitLocker encryption on hosts without a TPM
- The final stage of the attack forces the system to shut down so all the changes take effect, leaving the user with locked drives and no BitLocker recovery options (plus a place for the attacker to leave a message)
- The how of detecting/preventing this is choosing EPPs that can detect BitLocker abuse attempts, along with the other core recommendations around minimal privileges and proper logging
Link (1): https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/
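As an added example (not code from the article, Microsoft, or the ShrinkLocker write-up), the read-only PowerShell audit below checks a host for the configuration changes described above: BitLocker permitted without a TPM, Remote Desktop disabled via the registry, encrypted volumes with no recovery-password protector, and unlettered partitions of roughly 100MB. The registry value names (EnableBDEWithNoTPM, UseAdvancedStartup, fDenyTSConnections) are the standard Windows locations for those settings, and the 100MB partition check is a heuristic that will produce false positives on some builds.

```powershell
# Added audit example (not from the article). Run in an elevated PowerShell session on Windows.
# Assumes the built-in BitLocker, TrustedPlatformModule and Storage modules are available.
$findings = @()

# 1. Policy values that let BitLocker be enabled without a TPM (standard BitLocker policy key)
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -and $fve.EnableBDEWithNoTPM -eq 1) {
    $findings += 'FVE\EnableBDEWithNoTPM = 1: BitLocker is allowed to run without a TPM'
}
if ($fve -and $fve.UseAdvancedStartup -eq 1) {
    $findings += 'FVE\UseAdvancedStartup = 1: additional BitLocker startup authentication is enabled'
}

# 2. Remote Desktop disabled through the registry
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 1) {
    $findings += 'Terminal Server\fDenyTSConnections = 1: Remote Desktop connections are disabled'
}

# 3. Volumes that are encrypting/encrypted with no RecoveryPassword protector (nothing for IT to escrow),
#    and BitLocker activity on a host that has no TPM at all
$tpm = Get-Tpm -ErrorAction SilentlyContinue
foreach ($vol in (Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains 'RecoveryPassword') {
        $findings += "$($vol.MountPoint): status $($vol.VolumeStatus), protectors [$($types -join ',')], no RecoveryPassword protector"
    }
    if ($tpm -and -not $tpm.TpmPresent) {
        $findings += "$($vol.MountPoint): BitLocker active on a host with no TPM present"
    }
}

# 4. Heuristic: Basic (data) partitions of roughly 100MB with no drive letter, the size the
#    write-up says ShrinkLocker carves out of each non-boot partition. Verify against build docs.
foreach ($p in (Get-Partition -ErrorAction SilentlyContinue)) {
    $letter = [string]$p.DriveLetter
    if ($p.Type -eq 'Basic' -and $letter -notmatch '[A-Za-z]' -and $p.Size -ge 95MB -and $p.Size -le 105MB) {
        $findings += "Disk $($p.DiskNumber) partition $($p.PartitionNumber): $([math]::Round($p.Size / 1MB))MB Basic partition with no drive letter"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No ShrinkLocker-style configuration changes found.'; exit 0 }
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

The script only reads state and exits non-zero when something is flagged, so it can be scheduled through an EDR or RMM tool as a recurring check alongside the vendor's own BitLocker-abuse detections.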
Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!
About the Author:
Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been a part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, and eventually found his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.
Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, work out, or keep up with personal development. He lives in Dallas, Texas with his wife and children.
About:
Flair Data Systems is a strategically priced IT solutions company serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity. We provide trusted cybersecurity services in Dallas, TX, and the DFW Metroplex.