- Cisco Releases Security Advisories for Multiple Products
- JCDC Cultivates Pre-Ransomware Notification Capability
- Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
- CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management
_______________________________
Cisco Releases Security Advisories for Multiple Products
Situation:
Cisco has released security advisories for vulnerabilities affecting multiple Cisco products.
Problem:
A remote cyber threat actor could exploit some of these vulnerabilities to take control of an affected system; the majority of them allow an attacker to crash or reload the affected device.
Implication:
Most of the advisories below describe denial-of-service conditions that a remote attacker could trigger to crash or reload routers, switches, wireless controllers and access points, interrupting network service. The IOx and DNA Center privilege escalation, SD-WAN command injection and Catalyst 9300 secure boot bypass issues could let an attacker gain elevated control of, or execute commands on, network infrastructure, which is a common foothold for further intrusion.
Need:
CISA encourages users and administrators to review the following advisories and apply the necessary updates:
- Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability
- Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability
- Cisco IOS XE SD-WAN Software Command Injection Vulnerability
- Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability
- Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability
- Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability
- Cisco DNA Center Privilege Escalation Vulnerability
- Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability
- Cisco Access Point Software Association Request Denial of Service Vulnerability
Additional Resources:
Cisco Releases Security Advisories for Multiple Products:
https://www.cisa.gov/news-events/alerts/2023/03/23/cisco-releases-security-advisories-multiple-products
Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb
Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk
Cisco IOS XE SD-WAN Software Command Injection Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw
Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5
Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dhcpv6-dos-44cMvdDK
Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw
Cisco DNA Center Privilege Escalation Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-privesc-QFXe74RS
Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ
Cisco Access Point Software Association Request Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-assoc-dos-D2SunWK2
________________________________
JCDC Cultivates Pre-Ransomware Notification Capability
Situation:
Associate Director of the Joint Cyber Defense Collaborative (JCDC) Clayton Romans highlighted recent successes of pre-ransomware notification and its impact in reducing harm from ransomware intrusions.
Problem:
Ransomware actors often take time after gaining initial access before they encrypt or steal data, a window that frequently lasts from hours to days. With pre-ransomware notifications, organizations can receive early warning during that window and potentially evict threat actors before they encrypt and hold critical data and systems for ransom.
Implication:
Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community.
Need:
Notifications are driven by tips CISA receives about early-stage ransomware activity, so organizations can help themselves and others by keeping incident-response contact details current with CISA and the FBI, and by reporting ransomware indicators and incidents promptly (see Report Ransomware below) so that CISA can warn other victims before encryption occurs.
Additional Resources:
JCDC Cultivates Pre-Ransomware Notification Capability:
https://www.cisa.gov/news-events/alerts/2023/03/23/jcdc-cultivates-pre-ransomware-notification-capability
Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs:
https://www.cisa.gov/news-events/news/getting-ahead-ransomware-epidemic-cisas-pre-ransomware-notifications-help-organizations-stop-attacks
Report Ransomware:
https://www.cisa.gov/stopransomware/report-ransomware
Stop Ransomware:
https://www.cisa.gov/stopransomware
________________________________
Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
Situation:
CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.
Problem:
Malicious activity in Azure, AAD and M365 leaves traces across several separate log sources (AAD sign-in and audit logs, the M365 unified audit log, Azure activity logs and Defender alerts) that are tedious to collect and correlate by hand during an incident.
Implication:
Without a repeatable way to export and time-bound those logs, defenders can miss or delay detecting an intrusion, prolonging attacker access and increasing the risk of data and financial loss. The tool is a collection and triage aid for hunt and incident response, not a preventive control.
Need:
We suggest using the Untitled Goose Tool, which enables users to:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
- Query, export, and investigate AAD, M365, and Azure configurations.
- Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
- Perform time bounding of the UAL.
- Extract data within those time bounds.
- Collect and review data using similar time bounding capabilities for MDE data.
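The time-bounding and review steps above are simple to reproduce once the UAL has been exported. The following is an added example, not code from the Untitled Goose Tool or from CISA; it assumes UAL records exported as JSON (an array or one object per line) with the standard UAL fields CreationTime (UTC, ISO 8601), Operation, UserId, ClientIP, Workload and ResultStatus. The sample records and the watchlist of operations are constructed for illustration and should be tuned to your tenant.

```python
"""Time-bound and triage Microsoft 365 Unified Audit Log (UAL) records.

Added example (not Untitled Goose Tool code). Assumes UAL records exported
as JSON: either a JSON array or newline-delimited JSON objects carrying the
standard UAL fields CreationTime, Operation, UserId, ClientIP, Workload and
ResultStatus.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: four UAL records spanning several days.
SAMPLE_UAL = """
{"CreationTime": "2023-03-18T09:12:44", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "Workload": "AzureActiveDirectory", "ResultStatus": "Success"}
{"CreationTime": "2023-03-20T14:05:11", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.23", "Workload": "Exchange", "ResultStatus": "True"}
{"CreationTime": "2023-03-20T14:07:02", "Operation": "Add service principal credentials.", "UserId": "alice@example.com", "ClientIP": "198.51.100.23", "Workload": "AzureActiveDirectory", "ResultStatus": "Success"}
{"CreationTime": "2023-03-25T08:00:00", "Operation": "FileAccessed", "UserId": "bob@example.com", "ClientIP": "203.0.113.11", "Workload": "OneDrive", "ResultStatus": "Succeeded"}
"""

# Starter watchlist of operations that commonly appear in mailbox-rule abuse
# and application/service-principal persistence. Assumption: not exhaustive,
# tune per tenant.
WATCHLIST = {
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
    "Add-MailboxPermission", "Add service principal credentials.",
    "Consent to application.", "Add app role assignment grant to user.",
}


def parse_ual(text):
    """Accept either a JSON array or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _utc(ts):
    """UAL CreationTime is UTC without an offset; attach tzinfo explicitly."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def day_window(day):
    """UTC [00:00, 24:00) window for a YYYY-MM-DD string."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return start, start + timedelta(days=1)


def time_bound(records, start, end):
    """Keep records with start <= CreationTime < end (tz-aware UTC bounds)."""
    return [r for r in records if start <= _utc(r["CreationTime"]) < end]


def flag_suspicious(records, watchlist=WATCHLIST):
    """Return (CreationTime, UserId, Operation, ClientIP) for watchlisted
    operations, oldest first, so an analyst can read the sequence of events."""
    hits = [r for r in records if r.get("Operation") in watchlist]
    hits.sort(key=lambda r: _utc(r["CreationTime"]))
    return [(r["CreationTime"], r.get("UserId"), r["Operation"], r.get("ClientIP"))
            for r in hits]


def triage(text, start, end):
    """Parse, time-bound, then flag. Returns (records_in_window, hits)."""
    window = time_bound(parse_ual(text), start, end)
    return len(window), flag_suspicious(window)


if __name__ == "__main__":
    start, end = day_window("2023-03-20")
    count, hits = triage(SAMPLE_UAL, start, end)
    print(f"{count} records in window, {len(hits)} flagged")
    for hit in hits:
        print("  ", *hit)
```

Two operations from the same client IP two minutes apart (a new inbox rule followed by credentials added to a service principal) are the kind of sequence that a flat export hides and a time-bounded, sorted view makes obvious; the same window should then be applied to the AAD sign-in logs to find the session that performed them.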
Additional Resources:
Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments:
https://www.cisa.gov/news-events/alerts/2023/03/23/untitled-goose-tool-aids-hunt-and-incident-response-azure-azure-active-directory-and-microsoft-365
The Untitled Goose Tool GitHub Repository:
https://github.com/cisagov/untitledgoosetool
Untitled Goose Tool Fact Sheet:
https://www.cisa.gov/sites/default/files/2023-03/untitled_goose_tool_fact_sheet_final_508cv2.pdf
________________________________
CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management
Situation:
CISA and NSA have released guidance on best practices for addressing threats to Identity and Access Management (IAM). The guide identifies the mitigation areas that are most effective in reducing the impact of these threats.
Problem:
Attacks targeting organizations' credentials continue to increase. With stolen credentials, attackers can authenticate as legitimate users and then escalate to additional privileges within the victim's systems.
Implication:
If the issue isn't addressed, an organization can suffer substantial loss of availability of its resources and significant financial damage.
Need:
We suggest applying CISA and NSA's IAM best practices across deterrence, prevention, detection, damage limitation, and response.
Specifically, these areas:
• Identity Governance – policy-based, centralized orchestration of user identity management and access control; it helps support enterprise IT security and regulatory compliance
• Environmental Hardening – makes it harder for a bad actor to succeed in an attack
• Identity Federation and Single Sign-On – identity federation across organizations addresses interoperability and partnership needs centrally; SSO allows centralized management of authentication and access, thereby enabling better threat detection and response options
• Multi-Factor Authentication – uses more than one factor in the authentication process, which makes it harder for a bad actor to gain access with a stolen password alone
• IAM Monitoring and Auditing – defines acceptable and expected behavior and then generates, collects, and analyzes logs to provide the best means to detect suspicious activity
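The credential attacks described in the Problem section and the IAM Monitoring and Auditing area above meet in sign-in log analysis: a password spray shows up as one source address failing against many accounts in a short window, sometimes followed by a success. The following is an added example, not code from the ESF guide; it assumes sign-in records in the shape of the Azure AD sign-in log export (createdDateTime, userPrincipalName, ipAddress, and status.errorCode, where 0 is success and 50126 is an invalid username or password). The sample records, window and user threshold are constructed assumptions to tune per tenant.

```python
"""Detect password-spray patterns in Azure AD sign-in log records.

Added example for the IAM Monitoring and Auditing area (not ESF guide code).
Assumes records in the shape of the Azure AD sign-in log export with
createdDateTime, userPrincipalName, ipAddress and status.errorCode fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126   # Azure AD: invalid username or password
SUCCESS = 0


def _ts(s):
    """Parse the ISO 8601 createdDateTime (trailing Z) to an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample: one IP fails against twelve accounts, then one of those
# accounts signs in successfully from the same IP; a second IP is a single
# user mistyping their password twice before getting it right.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-03-22T02:00:05Z",
     "userPrincipalName": f"user{i:02d}@example.com",
     "ipAddress": "198.51.100.77", "status": {"errorCode": BAD_PASSWORD}}
    for i in range(12)
] + [
    {"createdDateTime": "2023-03-22T02:04:40Z", "userPrincipalName": "user07@example.com",
     "ipAddress": "198.51.100.77", "status": {"errorCode": SUCCESS}},
    {"createdDateTime": "2023-03-22T02:01:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": BAD_PASSWORD}},
    {"createdDateTime": "2023-03-22T02:01:20Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": BAD_PASSWORD}},
    {"createdDateTime": "2023-03-22T02:01:45Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": SUCCESS}},
]


def detect_spray(records, window=timedelta(minutes=30), min_users=8):
    """Flag source IPs whose bad-password failures span >= min_users distinct
    accounts inside any `window`, and list accounts that signed in
    successfully from that IP after the spray began (candidates for reset).
    Returns {ip: {"failed_users": [...], "successes_after_spray": [...]}}."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append(r)

    findings = {}
    for ip, evts in by_ip.items():
        evts.sort(key=lambda r: _ts(r["createdDateTime"]))
        fails = [r for r in evts if r["status"]["errorCode"] == BAD_PASSWORD]

        # Sliding window over the failures: keep the largest set of distinct
        # accounts attacked within `window`. A single user retrying stays small.
        best, left = set(), 0
        for right in range(len(fails)):
            while _ts(fails[right]["createdDateTime"]) - _ts(fails[left]["createdDateTime"]) > window:
                left += 1
            users = {r["userPrincipalName"] for r in fails[left:right + 1]}
            if len(users) > len(best):
                best = users

        if len(best) >= min_users:
            spray_start = _ts(fails[0]["createdDateTime"])
            landed = sorted({
                r["userPrincipalName"] for r in evts
                if r["status"]["errorCode"] == SUCCESS
                and _ts(r["createdDateTime"]) > spray_start
            })
            findings[ip] = {"failed_users": sorted(best), "successes_after_spray": landed}
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {len(f['failed_users'])} accounts sprayed; "
              f"successes after spray: {f['successes_after_spray'] or 'none'}")
```

Grouping by source IP and counting distinct accounts, rather than counting failures per account, is what separates a spray from an ordinary lockout: the per-account failure count stays at one or two, below most lockout thresholds, which is exactly why the technique works. A success from the spraying address is the record to act on first (revoke sessions, reset the credential, check MFA registration), and enforcing MFA is what turns that success into a blocked attempt.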
Additional Resources:
CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management:
https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-and-nsa-release-enduring-security-framework-guidance-identity-and-access-management
Identity and Access Management Recommended Best Practices Guide for Administrators:
https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF