OTX Partners

OTX Roundtable GRC News

February 2024

Microsoft Reveals Details of Cyber Attack

On January 12, Microsoft discovered a cyber attack against email accounts within its corporate system. In a report published January 19, Microsoft states that the compromise began when Midnight Blizzard, a Russian state-sponsored actor, performed a password spray attack against a test tenant account in a non-production system. From there the attackers were able to move laterally and access a “small percentage” of Microsoft corporate accounts, including members of the senior leadership team. According to Microsoft, there is no evidence that the actor had any access to customer environments, production systems, source code, or AI systems.

This incident exposes glaring lapses in security protocols at Microsoft. They have admitted that MFA was not enabled on the test account. Although their statement claims the actors had no access to production systems, Microsoft indicates Midnight Blizzard was able to take advantage of a legacy test OAuth application with elevated access to create additional OAuth applications and gain access to corporate mailboxes.

By examining log data from Exchange Web Services activity, along with other knowledge Microsoft has acquired about Midnight Blizzard, they have been able to identify activity targeting other organizations. Microsoft subsequently published guidance for administrators on identifying Midnight Blizzard activity and hardening their systems.

As a result of this incident, Microsoft has indicated it will accelerate its implementation of the Secure Future Initiative (SFI) introduced in November of last year. As part of that initiative Microsoft will harden many of the “out of the box” default settings. In the report Microsoft admits that this accelerated change may cause some disruption, but it is necessary given the threats we now face. Frankly, it is long overdue!


ConnectWise Urges Users to Patch ScreenConnect Servers Immediately

This is big! Over the past few days ConnectWise has released patches for two recently discovered vulnerabilities. The two CVEs involve a maximum-severity authentication bypass and a high-severity path traversal flaw. The vulnerabilities are being actively exploited by threat actors. Exploitation appears to be quite simple, leading to a quick escalation of incidents. The authentication bypass allows threat actors to use the setup wizard without authenticating, which lets them create new admin accounts and take over the ScreenConnect server. The second bug allows attackers to access files outside the installation directory.

On February 19, ConnectWise released a security advisory. At the same time a proof-of-concept developed by Huntress became public. News of the vulnerability spread quickly throughout the industry, with threat actors attacking rapidly while ConnectWise urged its customers to update their systems to version 23.9.8 immediately. Although the flaw was very basic and should not have slipped through the testing process, ConnectWise is getting praise for handling the situation with transparency and accountability. Due to the severity, they have gone so far as to disable the licenses of all vulnerable servers. However, it is possible that those servers with inactive licenses have already been compromised. ConnectWise is also allowing customers no longer under maintenance to upgrade free of charge.

Meanwhile, Andrew Morgan called an emergency CyberCall on February 21 to do a deep dive on the situation and try to get the word out. Other cyber security vendors are presenting quickly assembled webinars on the bug.

MSPs running on the cloud-based ConnectWise Automate instance are not affected. However, as of this writing it is reported that there are thousands of on-premises ScreenConnect servers that are not currently patched.
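A simple inventory check against that 23.9.8 threshold, added here as an example; it is not part of this newsletter or of any ConnectWise tooling, and the hostnames and version strings are constructed. It compares versions numerically rather than as strings, since a plain string comparison would wrongly treat "23.9.10" as older than "23.9.8".

```python
import re

# ConnectWise's advisory says on-premises ScreenConnect servers must be on
# 23.9.8 or later; anything below that is treated as vulnerable here.
PATCHED_VERSION = (23, 9, 8)


def parse_version(text: str) -> tuple:
    """Turn a version string such as '23.9.7.8783' into a tuple of ints.

    Only the leading dotted numeric components are used; a trailing
    suffix such as '-beta' is ignored. Raises ValueError on junk input.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the server version is older than 23.9.8.

    Tuple comparison gets the edge cases right: (23, 9, 8, 8811) is not
    less than (23, 9, 8), and (23, 9, 10) is greater than (23, 9, 8).
    """
    return parse_version(version) < PATCHED_VERSION


def triage_inventory(inventory):
    """inventory: iterable of (hostname, version) pairs.

    Returns a sorted list of hostnames that still need the patch.
    """
    return sorted(host for host, ver in inventory if is_vulnerable(ver))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("sc-prod-01", "23.9.8.8811"),
    ("sc-prod-02", "23.9.7.8783"),
    ("sc-lab", "22.8.10.8411"),
    ("sc-new", "23.9.10.8817"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: unpatched, upgrade to 23.9.8 or later")
```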

Details of this vulnerability are being updated rapidly, so follow the major cyber news outlets and LinkedIn sources for the latest information.


AT&T Outage Not Caused by Cyber Attack

OK, so it wasn’t a cyber attack. AT&T announced that it had determined the crisis was caused by an errant software update. Like a scene right out of the new movie playing on Netflix, “Leave the World Behind”, tens of thousands of Americans found themselves without cellular phone service. No calls, no texts, no email, and (egad!) no Instagram! This left people scrambling to find public Wi-Fi. Most serious, though, is that it had a major effect on e911 services. Additionally, where 911 was not directly affected, local 911 call centers were barraged with calls from users testing their phones. Rideshare services were also affected, as were any other services that rely solely on the cellular network.

Early on in the incident, it was not clear whether this was a cyber attack or a technical malfunction. The FBI and the Department of Homeland Security began investigating the issue immediately.

This incident brought to the forefront our reliance on the cellular phone network as well as other critical infrastructure. There has been a lot of news coverage regarding nation-state actors such as the Chinese Communist Party attempting (and occasionally succeeding) to infiltrate our critical infrastructure. Recovery from a cyber attack is far more difficult and time consuming than reversing a software update. The Cybersecurity and Infrastructure Security Agency (CISA), founded in 2018, has been sounding the alarm about the weaknesses in our infrastructure security. In January, CISA Director Jen Easterly testified in front of Congress, stating that “CISA teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, transportation”. Director Easterly lays the blame on fundamentally insecure software and lax security practices.

It is critical that agencies, software developers, manufacturers, IT service providers, and public and private institutions work together to harden the attack surface within our critical infrastructure.

Featured Recorded Event

LinkedIn Live

The Business of Cybersecurity: Beyond Nerdspeak

Mark Jennings (OTX), Reg Harnish (OrbitalFire), and Kyle Christensen (Empath) discuss how MSPs can address cybersecurity in multiple ways.


When we were teenagers we were taught not to succumb to peer pressure. As our friends were pushing us to try cigarettes or drink alcohol, we were told to hold fast and resist the temptation. Peer pressure, back then, was generally a bad thing full of negative consequences.

In adulthood, however, peer pressure can be a force for good that can motivate us and hold us accountable to our goals. Within the MSP industry there are many peer groups where members share goals of growing their business and meeting certain metrics. These are usually financial benchmarks around maximizing profits and improving performance. Members report progress towards those goals at quarterly meetings. Members hold each other accountable to meeting those goals and contributing to the collective success of the group. You don’t want to be the member that is not hitting their goals or at least making progress. In fact, in some cases, members that consistently miss their goals risk being expelled from the group. This peer pressure keeps members on task and forces them to prioritize profits and performance ahead of the day-to-day distractions that we all face. Read More…


Next OTX Roundtable Meeting

April 18-19, 2024

Little Rock, AR


OTX Partners LLC

OTX Roundtable GRC is a peer group helping MSPs build and maintain a security and compliance-focused culture. Find out more here

© 2024 OTX Roundtable, Inc. All rights reserved. Designated trademarks, brands, logos, and service marks are the property of their respective owners.