Quest Security and Service Advisories
As an ongoing service to Quest's clients, our team monitors security and service advisories from multiple vendors and sends the important ones to our clients. An overview of our recent advisories is below. If you need more information on any of them, or would like to set up a meeting to discuss them further, please reach out to our team.
Security Advisory: Advanced Phishing Attempt Posing as WordPress (12/5/2023):
Quest has been made aware of a targeted phishing campaign whose emails appear to come from "WordPress". The email claims there is an active WordPress vulnerability requiring immediate action and links to a malicious "patch" download hosted on a site that closely imitates the genuine WordPress site. Once downloaded and installed, the "patch" creates a hidden administrative account and establishes persistence on the affected site, which lets the threat actors log in remotely and perform administrative actions at will.
(Images of the phishing email and the fake download site accompanied the original advisory.)
Quest recommends that our customers remain vigilant and verify any advisory through multiple sources, such as CISA.gov, or by manually visiting the vendor's own advisory site rather than following links in the email. Legitimate WordPress security updates are applied through the site's own dashboard update mechanism, not installed from an emailed download link. If the "patch" was installed, review the site's user list for administrator accounts you did not create, remove the plugin and any such account, and rotate the site's credentials. More information can be found here: https://www.bleepingcomputer.com/news/security/fake-wordpress-security-advisory-pushes-backdoor-plugin/ Alternatively, contact Quest: our security experts can assist in identifying potential phishing attempts and help you stay ahead of threats to your environment. If you wish to discuss this further, we are here to help.
Security Advisory: Google Chrome 0-Day Vulnerability (12/1/2023):
Quest has been made aware of a significant cyber threat affecting Google's Chrome browser. The vulnerability (CVE-2023-6345) is rated High severity, is being actively exploited, and affects Chrome versions prior to 119.0.6045.199. A crafted web page or file can be used to execute malicious code on the host system, allowing access to sensitive data and other malicious activity. Quest recommends that our customers immediately update all installations of Chrome to the latest available version; Chromium-based browsers such as Microsoft Edge ship their own fix for the same issue and should be updated as well. More information on the vulnerability can be found below:
https://nvd.nist.gov/vuln/detail/CVE-2023-6345
https://www.darkreading.com/vulnerabilities-threats/google-patches-another-chrome-zero-day-as-browser-attacks-mount
If you need help applying the necessary recommendations, staying on top of patching within your environment, reviewing your environment for malicious activity, or would like to discuss further, we are here to help.
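A fleet check for the advisory above, as an added example (not Quest's or Google's code): it compares the Chrome build reported by each host in a constructed inventory against the fixed build named in the advisory. The hostnames and versions are made up. The point it demonstrates is that Chrome versions are four dot-separated integers and must be compared numerically; a plain string comparison ranks 119.0.6045.99 above 119.0.6045.199 and would miss a vulnerable host.

```python
"""Compare installed Chrome builds against the fixed build from the advisory.
Added example with a constructed inventory; hostnames and versions are
hypothetical."""
from typing import Dict, List, Tuple

FIXED_VERSION = "119.0.6045.199"   # first build containing the fix, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'119.0.6045.199' -> (119, 0, 6045, 199); rejects anything that is not
    four integer fields so a malformed inventory entry is not silently ignored."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return parts


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build. Tuple comparison
    is element-wise numeric, which is what version ordering needs."""
    return parse_version(installed) < parse_version(fixed)


# Constructed inventory (hypothetical), e.g. as exported from an endpoint-management tool.
INVENTORY: Dict[str, str] = {
    "ws-001": "119.0.6045.199",   # patched
    "ws-002": "119.0.6045.99",    # older, although it string-compares higher
    "ws-003": "118.0.5993.117",   # older major line
    "ws-004": "120.0.6099.62",    # newer than the fix
}


def hosts_needing_patch(inventory: Dict[str, str] = INVENTORY,
                        fixed: str = FIXED_VERSION) -> List[str]:
    """Hostnames whose Chrome build is below the fixed build, sorted."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver, fixed))


if __name__ == "__main__":
    for host in hosts_needing_patch():
        print(f"{host}: Chrome {INVENTORY[host]} is below {FIXED_VERSION}; update required")
```

Feed `hosts_needing_patch` the version column from your own inventory export; a host with a malformed version raises rather than being skipped, which is the behaviour you want in a patch-compliance report.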
Security Advisory: User ID Cleanup - Access Control (11/21/2023):
Threat actors continue to succeed by targeting user access to systems such as Active Directory (AD), Software as a Service (SaaS) applications, partner portals, and client applications. A compromised account gives an attacker access to the user's computer and your network, direct access to cloud systems such as email, and a foothold from which to compromise both on-site and off-site applications and data. There are several ways to protect yourself from these attacks, outlined below:
- Conduct Auditing and Monitoring on a Scheduled Basis: Audit user and admin accounts for inactive or unauthorized accounts quarterly. Prioritize the review of remote monitoring and management accounts that are publicly accessible — this includes audits of third-party access given to service providers. Monitoring user activities, especially those with elevated permissions, can help detect and neutralize suspicious activities swiftly.
- Don't Overuse Elevated Privileges: If attackers compromise an account with elevated privileges, the results can be devastating. Implement the principle of least privilege, minimizing the number of users with elevated privileges. Restrict and monitor the activities of accounts associated with the Domain Admins group or Enterprise Admins group.
- Implement Multi-Factor Authentication (MFA): Implement phishing-resistant MFA for all services, particularly for email, VPNs, and accounts that access critical systems. Escalate to senior management upon the discovery of systems that do not allow MFA, systems that do not enforce MFA, and any users who are not enrolled with MFA.
- Lockout Policies: Enforce account lockout after a set number of failed login attempts. Log and monitor failed logins to detect brute-force password cracking and password spraying. Note that spraying tries one or two passwords against many accounts and so stays under per-account lockout thresholds, which is why failures should be correlated across accounts and by source address, not only counted per account.
- Create and Follow Off-Boarding Practices to Remove All Application Access: Collaborate with business units and IT to remove user access to AD, SaaS, Client, and Partner systems.
- Save Money: Establishing good access management and off-boarding practices will reduce the expenses to your organization by eliminating payment for services that are no longer needed.
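The audit and monitoring steps above, worked through as an added example (not Quest's tooling and not tied to any particular directory product): the first function runs the quarterly review over a constructed account inventory, flagging enabled accounts with no logon inside the window and privileged accounts without MFA; the second classifies a constructed failed-logon log into password spraying (many users from one source) and brute force (many attempts on one user). The 90-day window, the privileged-group names and the thresholds are assumptions to tune for your environment.

```python
"""Access-control review over a constructed account inventory and a
constructed failed-logon log. Added example; all data is made up."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumption: tune locally
INACTIVE_DAYS = 90                                           # assumption: quarterly review window
NOW = datetime(2023, 11, 21)   # fixed "today" so the example is reproducible

# Constructed inventory: one record per account, as a directory export might provide.
ACCOUNTS = [
    {"user": "alice",   "groups": {"Domain Admins"}, "mfa": True,  "enabled": True,  "last_logon": NOW - timedelta(days=3)},
    {"user": "bob",     "groups": set(),             "mfa": True,  "enabled": True,  "last_logon": NOW - timedelta(days=200)},
    {"user": "svc-rmm", "groups": {"Domain Admins"}, "mfa": False, "enabled": True,  "last_logon": NOW - timedelta(days=1)},
    {"user": "carol",   "groups": set(),             "mfa": False, "enabled": False, "last_logon": NOW - timedelta(days=120)},
]


def audit_accounts(accounts=ACCOUNTS, now=NOW) -> Dict[str, List[str]]:
    """Findings a quarterly review should raise: enabled accounts with no
    logon inside the window, and privileged accounts not enrolled in MFA."""
    findings = {"inactive": [], "privileged_without_mfa": []}
    cutoff = now - timedelta(days=INACTIVE_DAYS)
    for acct in accounts:
        if acct["enabled"] and acct["last_logon"] < cutoff:
            findings["inactive"].append(acct["user"])
        if acct["groups"] & PRIVILEGED_GROUPS and not acct["mfa"]:
            findings["privileged_without_mfa"].append(acct["user"])
    return findings


# Constructed failed-logon lines, "<time> FAIL user=<name> src=<ip>":
# six different users from one source (a spray that never trips a per-account
# lockout), then twelve attempts on one account from another source.
AUTH_LOG = "\n".join(
    [f"2023-11-21T09:00:0{i} FAIL user={u} src=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2023-11-21T09:10:{i:02d} FAIL user=svc-rmm src=198.51.100.9" for i in range(12)]
)


def classify_failed_logons(log: str = AUTH_LOG, spray_users: int = 5,
                           brute_attempts: int = 10) -> List[Dict]:
    """Group failures by source: many distinct users from one source is
    password spraying; many attempts against one user is brute force.
    A per-account lockout threshold alone catches only the second case."""
    by_src = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        by_src[fields["src"]][fields["user"]] += 1
    alerts = []
    for src, users in by_src.items():
        if len(users) >= spray_users:
            alerts.append({"type": "password_spray", "src": src, "users": len(users)})
        for user, n in users.items():
            if n >= brute_attempts:
                alerts.append({"type": "brute_force", "src": src, "user": user, "attempts": n})
    return alerts


if __name__ == "__main__":
    print(audit_accounts())
    for alert in classify_failed_logons():
        print(alert)
```

In the sample data the spray source never exceeds one failure per account, so a lockout policy alone would not notice it; the cross-account count per source is what surfaces it.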
Security Advisory: Cisco Releases Software Updates for Multiple Vulnerabilities (11/3/2023):
Cisco recently released software updates addressing more than 25 vulnerabilities across several Cisco products, including the Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD). This week alone there have been 13 advisories rated Critical or High impact. Applying these updates is crucial to maintaining the security and integrity of your systems; we strongly urge all clients to review the advisories and implement the recommended updates promptly. For more details, see the official notifications:
Security Advisories (cisco.com)
Cisco Releases Security Advisories for Multiple Products | CISA
Should you require assistance applying these recommendations, conducting a review for potential malicious activity, or wish to discuss this matter further, please contact our team.
Security Advisory: Latest Threat Actor Exploits: CISA Reveals Vulnerabilities and Misconfigurations (10/31/2023):
The Cybersecurity and Infrastructure Security Agency (CISA) publishes a list of misconfigurations and weaknesses, including internet-exposed services and management ports, that threat actors frequently use to gain unauthorized access to networks, alongside its catalog of Known Exploited Vulnerabilities. An exposed service does not bypass your firewall; it is reachable because a rule allows it. Quest therefore strongly advises our clients to conduct a comprehensive review of both inbound and outbound firewall rules, identify services reachable from untrusted sources, and remove or restrict the rules that permit them, thereby minimizing the risk of cyber threats.
Common misconfigurations: Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns | CISA
Exploited vulnerabilities: Known Exploited Vulnerabilities Catalog | CISA
If you need assistance reviewing your configuration or have any questions about mitigating these risks, please contact us. Our team of experts is ready to guide you through this process and help ensure the security of your network infrastructure.
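An inbound rule review of the kind recommended above, as an added example (not Quest's or CISA's tooling). The rule set is constructed, and the set of services flagged as risky when reachable from outside the organisation is my own selection of commonly abused management and file-sharing ports, not a list copied from CISA, so extend it from the CISA pages linked above. Internal ranges are taken to be the RFC 1918 blocks; any other source range is treated as untrusted. The same logic applies to outbound rules by swapping the source and destination fields.

```python
"""Flag inbound allow rules that expose risky services to non-internal sources.
Added example; rule names, addresses and the risky-port list are assumptions."""
import ipaddress
from typing import Dict, List

RISKY_SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inbound rule export (hypothetical names and addresses).
RULES = [
    {"name": "allow-web",        "action": "allow", "src": "0.0.0.0/0",      "dst": "10.0.1.10/32", "dport": 443},
    {"name": "allow-rdp-any",    "action": "allow", "src": "0.0.0.0/0",      "dst": "10.0.1.20/32", "dport": 3389},
    {"name": "allow-rdp-vpn",    "action": "allow", "src": "10.8.0.0/24",    "dst": "10.0.1.20/32", "dport": 3389},
    {"name": "allow-smb-vendor", "action": "allow", "src": "203.0.113.0/24", "dst": "10.0.1.0/24",  "dport": 445},
    {"name": "deny-all",         "action": "deny",  "src": "0.0.0.0/0",      "dst": "0.0.0.0/0",    "dport": None},
]


def is_internal(cidr: str) -> bool:
    """True only when the whole source range sits inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(rng) for rng in INTERNAL_RANGES)


def review_inbound(rules: List[Dict] = RULES, risky: Dict[int, str] = RISKY_SERVICES) -> List[Dict]:
    """Allow rules that expose a risky service to a non-internal source.
    A source of 0.0.0.0/0 (the whole internet) is rated high; a narrower
    external range (for example a vendor) is rated medium and still needs a
    justification, MFA, or a VPN in front of it."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dport"] not in risky or is_internal(rule["src"]):
            continue
        wide_open = ipaddress.ip_network(rule["src"], strict=False).prefixlen == 0
        findings.append({"rule": rule["name"], "service": risky[rule["dport"]],
                         "src": rule["src"], "severity": "high" if wide_open else "medium"})
    return findings


if __name__ == "__main__":
    for f in review_inbound():
        print(f"[{f['severity']}] {f['rule']}: {f['service']} reachable from {f['src']}")
```

The RDP rule scoped to the VPN range is deliberately not reported: the goal of the review is to remove exposure to untrusted sources, not to forbid the service outright.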
Security Advisory: VMware vCenter Critical CVE Advisory (10/26/2023):
VMware has released a Security Advisory with a Critical rating affecting VMware vCenter Server and VMware Cloud Foundation. An out-of-bounds write (CVE-2023-34048) and a partial information disclosure (CVE-2023-34056) pose significant risk to virtual infrastructure and data security. The out-of-bounds write is reachable over the network without authentication, so it should be treated as urgent, and vCenter management interfaces should not be reachable from untrusted networks. We strongly advise all customers to remediate promptly by applying the updates available from VMware.
Link to VMware Advisory: https://www.vmware.com/security/advisories/VMSA-2023-0023.html
If we are not already working with you to update your systems, please contact us via phone or email to schedule a meeting to review your VMware environment.
Security Advisory: HTTP/2 Rapid Reset Zero-Day Vulnerability (10/18/2023):
Last week Amazon Web Services, Cloudflare, and Google jointly disclosed a new distributed denial-of-service (DDoS) technique. They reported mitigating attacks reaching 155 million requests per second (Amazon), 201 million rps (Cloudflare), and a record-breaking 398 million rps (Google). The underlying vulnerability (CVE-2023-44487) lets a remote attacker exhaust a server's resources: the server starts work on every HTTP/2 request it receives in a HEADERS frame, but the client can immediately cancel the stream with an RST_STREAM frame, so the cancelled streams no longer count against the server's concurrent-stream limit while the work already started still consumes resources. Sending a rapid sequence of HEADERS frames each followed by RST_STREAM is the "Rapid Reset" attack. This vulnerability is being actively exploited in the wild. Remediation means discovering every internet-facing and internal system that serves HTTP/2 (web servers, reverse proxies, load balancers, and application frameworks, not only Microsoft products) and applying the vendor fixes, including the latest monthly patches for Windows servers, laptops, and workstations. The key is to ensure that every device accessible from the internet (websites, file sharing, etc.) is discovered. For more detail, the official notification can be found here: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 If you need help applying the necessary recommendations, need assistance with a vulnerability scan, or would like to discuss further, we are here to help.
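The mechanism described above, modelled as an added example (not Quest's code and not the implementation of any particular server). It shows the check that HTTP/2 servers adopted after the disclosure: track the streams a client opens with HEADERS, count how many it cancels with RST_STREAM inside a sliding window, and close the connection once that count exceeds a budget. The frame traces are constructed, and the budget and window values are assumptions to tune for real traffic.

```python
"""Per-connection Rapid Reset budget over a constructed HTTP/2 frame trace.
Added example; thresholds and traces are hypothetical."""
from collections import deque
from typing import List, Optional, Tuple

HEADERS, RST_STREAM = "HEADERS", "RST_STREAM"
Event = Tuple[float, str, int]   # (timestamp in seconds, frame type, stream id)


class ResetBudget:
    """Sliding-window counter of client-initiated stream cancellations."""

    def __init__(self, max_resets: int = 100, window_s: float = 1.0):
        self.max_resets = max_resets
        self.window_s = window_s
        self.open_streams = set()
        self.reset_times = deque()   # timestamps of RST_STREAM on client-opened streams

    def observe(self, t: float, frame: str, stream_id: int) -> bool:
        """Feed one frame; return True when the connection should be dropped."""
        if frame == HEADERS:
            self.open_streams.add(stream_id)
        elif frame == RST_STREAM and stream_id in self.open_streams:
            # The client cancelled a stream it opened: the server already spent
            # work on it, and the stream no longer counts toward the concurrent
            # stream limit, which is exactly what the attack relies on.
            self.open_streams.discard(stream_id)
            self.reset_times.append(t)
            while self.reset_times and t - self.reset_times[0] > self.window_s:
                self.reset_times.popleft()
            if len(self.reset_times) > self.max_resets:
                return True
        return False


def rapid_reset_trace(n: int, step_s: float = 0.001) -> List[Event]:
    """Constructed attack trace: open a stream and cancel it at once, n times."""
    events: List[Event] = []
    for i in range(n):
        sid = 2 * i + 1           # client-initiated streams use odd identifiers
        events.append((i * step_s, HEADERS, sid))
        events.append((i * step_s, RST_STREAM, sid))
    return events


def benign_trace(n: int, step_s: float = 0.05) -> List[Event]:
    """Constructed normal trace: a page load opening n streams, none cancelled."""
    return [(i * step_s, HEADERS, 2 * i + 1) for i in range(n)]


def first_drop(events: List[Event], **budget_args) -> Optional[int]:
    """Index of the event at which the connection is dropped, or None if never."""
    budget = ResetBudget(**budget_args)
    for i, (t, frame, sid) in enumerate(events):
        if budget.observe(t, frame, sid):
            return i
    return None


if __name__ == "__main__":
    print("attack dropped at event", first_drop(rapid_reset_trace(1000)))
    print("benign dropped at event", first_drop(benign_trace(50)))
```

Counting resets rather than open streams is the point: the concurrent-stream limit never trips during the attack because each stream is closed before the next opens, so a server that only enforces that limit does all the work and blocks nothing.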
Security Advisory: Cisco Cyber Threat (10/17/2023):
Quest has been made aware of a significant cyber threat affecting Cisco devices running IOS XE. A vulnerability with a CVSS score of 10.0 affects all versions of IOS XE when the web UI (HTTP or HTTPS server) feature is enabled, and allows an unauthenticated remote attacker to create a local account with privilege level 15 (full administrative access). Once that account exists the device is fully compromised: the threat actor can modify the configuration, shut down services, steal credentials and configuration, or establish persistence in the environment. Many Cisco devices are believed to ship with this feature enabled by default. Quest recommends that our customers determine which of their devices run Cisco IOS XE and immediately disable the web UI on all external and internal devices; where it cannot be disabled, restrict access to it to trusted management networks. For more detail, the official notification can be found here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z If you need help applying the necessary recommendations, reviewing for malicious activity, or would like to discuss further, we are here to help.
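A way to find the devices that still need the web UI disabled, as an added example (not Cisco's or Quest's tooling): it scans saved running-config text from several devices, constructed here with made-up hostnames, for the lines that enable or disable the HTTP and HTTPS servers. A device with neither line for a service is reported too, because on platforms where the server is on by default the absence of an explicit line means it must be checked on the box. The two disable commands listed at the end are the ones the Cisco advisory names; the surrounding configure/end/save steps are ordinary IOS usage.

```python
"""Report IOS XE devices whose HTTP/HTTPS web UI is enabled or not explicitly off.
Added example; configs and hostnames are constructed."""
import re
from typing import Dict, List, Optional

# Constructed 'show running-config' excerpts keyed by hostname.
CONFIGS: Dict[str, str] = {
    "edge-rtr-1":   "hostname edge-rtr-1\nip http server\nip http secure-server\nip http authentication local\n",
    "core-sw-1":    "hostname core-sw-1\nno ip http server\nno ip http secure-server\n",
    "branch-rtr-2": "hostname branch-rtr-2\nip http secure-server\n",
    "lab-sw-3":     "hostname lab-sw-3\n",   # neither line present: platform default applies
}

HTTP_LINE = re.compile(r"^(no )?ip http (secure-)?server$")


def web_ui_state(config: str) -> Dict[str, Optional[bool]]:
    """State of the HTTP and HTTPS servers from explicit config lines:
    True = enabled, False = disabled, None = not stated."""
    state: Dict[str, Optional[bool]] = {"http": None, "https": None}
    for line in config.splitlines():
        m = HTTP_LINE.match(line.strip())
        if m:
            key = "https" if m.group(2) else "http"
            state[key] = m.group(1) is None   # a leading "no " means disabled
    return state


def devices_to_fix(configs: Dict[str, str] = CONFIGS) -> List[str]:
    """Devices with either server enabled or its state not explicitly set."""
    return sorted(host for host, cfg in configs.items()
                  if any(v is None or v for v in web_ui_state(cfg).values()))


# Global-configuration commands from the Cisco advisory that disable the web UI,
# wrapped in the usual configure/end/save steps.
DISABLE_COMMANDS = ["configure terminal", "no ip http server",
                    "no ip http secure-server", "end", "write memory"]

if __name__ == "__main__":
    for host in devices_to_fix():
        print(f"{host}: web UI enabled or not explicitly disabled; run: " + "; ".join(DISABLE_COMMANDS))
```

Point the `CONFIGS` loader at your own config backups and the output is the work list for the advisory; devices that appear only because the state is unstated should be confirmed on the device before being marked as done.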
Security Advisory Update: Addressing the Surge in Ransomware Attacks (9/29/2023):
Quest continues to observe an escalation in ransomware attacks and ongoing threats. The ever-changing nature of cyber threats, coupled with the rise in zero-day vulnerabilities, amplifies the risk of falling victim to ransomware. In response to this evolving landscape, the Cybersecurity and Infrastructure Security Agency (CISA) frequently updates its cybersecurity alerts and advisories. We've highlighted some recent ones for your awareness and preparedness:
NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors | CISA
People's Republic of China-Linked Cyber Actors Hide in Router Firmware | CISA
#StopRansomware: Snatch Ransomware | CISA
Understanding the gravity of these threats, Quest has developed a set of security check-ups that align with CISA's proactive measures. These check-ups, which can be found at https://lp.questsys.com/cybersecurity-checkups-details, are simple, quick to implement, and effective in reducing the risk of a ransomware attack. Please don't hesitate to reach out if you have any questions or need assistance completing a security check-up. Our team is ready to help you fortify your defenses against these ever-evolving cyber threats.
Security Advisory Update: Security Awareness Training (9/21/2023):
October 2023 is officially recognized as Cybersecurity Awareness Month, and Quest is dedicated to spreading the word about the importance of cybersecurity awareness training. While some may initially perceive it as a gimmick, the initiative is officially sponsored by the Cybersecurity & Infrastructure Security Agency (CISA) (https://www.cisa.gov/cybersecurity-awareness-month). Security and IT professionals have consistently urged users to report any suspicious activity they encounter, and in line with those efforts our objective is to teach users how to identify and respond to security threats effectively. We support these initiatives and encourage our clients to spend time with us exploring how we can help enhance your company's security awareness. Here is an example program for the month that illustrates how we can help:
- Collaborate with clients to craft a company-wide email that breaks down the cybersecurity risks you face, how to identify them, and what steps to take upon spotting suspicious activities (such as reporting to the Help Desk or using the 'phishing email' button).
- Host a company-wide webinar discussing cybersecurity awareness, featuring real-life examples of ransomware attacks and their impact.
- Implement a cybersecurity awareness training module for new hires in your company.
- Assist clients in challenging their companies throughout October to establish a baseline for, or improve, their phishing-simulation results.