JNJ Technology

JNJ Technology is here to help you take the hassle out of IT network security and computer management so you can focus on the success of your business.

03/28/2023

Last week, Microsoft Threat Intelligence discovered a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook that allows for New Technology LAN Manager (NTLM) credentials to be stolen. Threat actors can potentially authenticate, escalate privileges, and gain access to the victim’s Windows environments. SOC recommends installing the latest Outlook security update and performing Microsoft’s impact assessment.

What is the threat?
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook. It is triggered when the threat actor sends a message carrying an extended Messaging Application Programming Interface (MAPI) property that points to a Server Message Block (SMB) share path on a server they control. No user interaction with the message is required. The resulting connection to the threat actor’s remote server exposes the victim’s NTLM credentials, which the threat actor can then use to authenticate to the victim’s systems that accept NTLM authentication, escalating their privileges. All supported versions of Microsoft Outlook for Windows are affected by CVE-2023-23397.

Why is it noteworthy?
Microsoft Outlook is an email client used by businesses globally to send and receive email. CVE-2023-23397 received a Common Vulnerability Scoring System (CVSS) critical base score of 9.8 out of 10 according to NIST’s National Vulnerability Database. All supported versions of Microsoft Outlook for Windows are affected. This vulnerability is especially dangerous because no user interaction is required: the victim is affected the moment the email reaches their inbox. Businesses running Microsoft Outlook on Windows are directly exposed to this EoP vulnerability and should assess their environments carefully.

What is the exposure or risk?
Elevation of privilege vulnerabilities are deemed critical because they can lead to full access to every system in a victim’s environment. This vulnerability exposes sensitive credentials, allowing threat actors to relay them back into the victim’s Outlook environment. Because of the nature of Microsoft Outlook, personal and confidential data within these environments is at risk of exposure when the vulnerability is exploited. Microsoft has recently provided mitigations for CVE-2023-23397.

What are the recommendations?

Immediately install the Outlook security update, regardless of where your mail is hosted.
Perform Microsoft’s Impact Assessment (documentation and script provided at: https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/).
Block TCP 445/SMB outbound from your network to prevent the sending of NTLM authentication messages to remote file shares.
Add users to the Protected Users Security Group on Outlook to prevent the use of NTLM authentication.
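The following PowerShell is an added example, not part of the JNJ advisory or of Microsoft’s guidance, showing the host-level analogue of the last two recommendations: an outbound Windows Firewall rule for TCP 445 scoped to Internet addresses so internal file shares keep working, followed by adding an account to the Active Directory Protected Users group. The rule name and the account name `jdoe` are placeholders; the script assumes an elevated session and, for the second step, the ActiveDirectory RSAT module on a domain-joined host.

```powershell
# Added example (not from the advisory or from Microsoft). Run as Administrator.
# Assumptions: rule name and the 'jdoe' account are placeholders chosen for this example.

# 1. Block outbound SMB (TCP 445) to the Internet. The 'Internet' address keyword
#    scopes the rule to addresses outside the local intranet, so domain file shares
#    are not affected by the block.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify the rule exists, is enabled and carries the expected port filter.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
'{0}: Enabled={1} Action={2} Protocol={3} RemotePort={4}' -f `
    $rule.DisplayName, $rule.Enabled, $rule.Action, $port.Protocol, $port.RemotePort

# 2. Add an account to the Protected Users group, which prevents that account from
#    authenticating with NTLM. Membership is checked first so the script is idempotent.
Import-Module ActiveDirectory
$user = 'jdoe'   # placeholder account name
$alreadyMember = Get-ADGroupMember -Identity 'Protected Users' |
    Where-Object { $_.SamAccountName -eq $user }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $user
}
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Protected Users membership also disables cached credentials and older Kerberos encryption types and shortens ticket lifetimes, so pilot it on a few accounts before rolling it out broadly; service and computer accounts should not be added. The perimeter block the advisory describes should still be applied at the network edge, since the host rule only covers machines that receive it.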
References
For more in-depth information about the recommendations, please visit the following links:

https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-outlook-2016-march-14-2023-kb5002254-a2a882e6-adad-477a-b414-b0d96c4d2ce3
https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397
https://nvd.nist.gov/vuln/detail/CVE-2023-23397
If you have any questions, please contact our Security Operations Center.


02/28/2023

New malicious packages were discovered on the Python Package Index (PyPI) that can steal passwords, authentication cookies, and cryptocurrency wallets from developers.

What is the threat?
Over the past year, numerous malicious packages have been uploaded to open-source repositories under names that appear legitimate. Between January 27 and January 29, 2023, a threat actor uploaded five malicious packages containing the “W4SP Stealer” malware to PyPI. The information-stealing malware, identified in these packages by BleepingComputer, steals data from web browsers at first, then attempts to steal authentication cookies from Discord and other similar programs. Finally, the malware will try to steal cryptocurrency wallets and cookies.

Some of the targeted websites to be aware of include:

Coinbase.com
Gmail.com
YouTube.com
Instagram.com
PayPal.com
Telegram.com
Hotmail.com
Outlook.com
Aliexpress.com
ExpressVPN.com
eBay.com
Playstation.com
xbox.com
Netflix.com
Uber.com

Why is it noteworthy?
Supply chain attacks are expected to continue to increase in the future. Gartner predicts that by 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chains, three times as many as in 2021. In addition to PyPI, attackers have targeted other code repositories like GitHub and companies like CircleCI, a provider of continuous integration/continuous delivery (CI/CD). Repositories such as GitHub and PyPI are immensely popular among developers; there are 100 million GitHub users and 400,000 packages on PyPI.

What is the exposure or risk?
If a malicious package enters a popular repository, it can be downloaded by many different developers before being discovered and remediated. Any developer that uses open-source package repositories could be vulnerable to these types of attacks. It is of the utmost importance to analyze the code in packages before adding them to projects.

References
For more in-depth information about the recommendations, please visit the following links:

https://www.cisa.gov/uscert/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
https://thehackernews.com/2023/02/researchers-uncover-obfuscated.html
https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-stealer-malware-in-malicious-pypi-packages/
https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022

02/06/2023

What is the threat?
A remote code execution vulnerability exists in Atlassian’s Jira Service Management Server and Data Center versions 5.3.0 through 5.5. An attacker who successfully exploits this flaw can impersonate other users and gain remote access to the systems. This vulnerability has been assigned a critical severity score of 9.4.

Why is it noteworthy?
This vulnerability has a high success rate when targeting bot accounts. Upon a successful exploitation, the attacker can interact with others within JIRA, add themselves to JIRA issues, as well as request and receive emails using the ‘View Request’ link – which can then allow them to acquire signup tokens. When a critical vulnerability is identified publicly, attackers will often expedite their attack rate before the vulnerability is resolved.

What is the exposure or risk?
Upon successful exploitation, an attacker can change a user’s password without the account owner’s knowledge, making it difficult for users to detect a compromise. The attacker can then run remote code to install programs; exfiltrate, view, change, or delete data; or create new accounts without the administrator noticing. These privileges give the attacker the tools to conduct a ransomware event or an impersonation event for lateral movement within the environment, which can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses, and harm to an organization’s reputation.

What are the recommendations?
Upgrade to version 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later.
If for some reason you are unable to upgrade, follow the steps below to apply a workaround fix:
Download the associated JAR from the Atlassian Security Advisory
Stop Jira
Copy the JAR file into the Jira home directory (“/plugins/installed-plugins” for servers or “ for data centers)
Restart the service.
References
For more in-depth information about the recommendations, please visit the following links:

NVD – CVE-2023-22501 (nist.gov)

FAQ for CVE-2023-22501 | Atlassian Support | Atlassian Documentation

https://www.bleepingcomputer.com/news/security/atlassian-warns-of-critical-jira-service-management-auth-flaw/

If you have any questions, please contact our Security Operations Center.

A critical vulnerability in Atlassian's Jira Service Management Server and Data Center could allow an unauthenticated attacker to impersonate other users and gain remote access to the systems.

01/24/2023

Recently, thousands of NortonLifeLock customers had their accounts compromised, potentially allowing malicious actors to access their password managers. Gen Digital, NortonLifeLock’s parent company, has sent notices to over 6,000 customers whose accounts were compromised.

What is the threat?
According to a recent data breach notice shared with the Office of the Vermont Attorney General, the attacks did not stem from a breach on Norton but from compromised credentials on external platforms.

“Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account,” NortonLifeLock said.

On December 12, 2022, Norton detected an “unusually large volume” of failed login attempts to customer accounts, indicating a credential stuffing attack. The company began their investigation and discovered that around December 1, 2022, an “unauthorized third party” used a list of usernames and passwords obtained from another source, such as the dark web. By December 22, the company had completed their investigation and revealed that the attacks successfully compromised customer accounts. The total number of breached accounts has not been disclosed at this time.

Why is it noteworthy?
NortonLifeLock provides protection against identity theft and various cybersecurity services worldwide. Incidents involving customer password theft are becoming more of a concern in recent years. Earlier in 2022, LastPass announced a data breach in which attackers stole millions of encrypted password vaults.

What is the exposure or risk?
Norton has disclosed that customers’ personal information, including first and last name, phone number, and mailing address, may have been viewed by the unauthorized third party. Additionally, the company stated it “cannot rule out” that the attackers accessed information stored in the Norton Password Manager for customers using that feature. If the password manager was compromised, threat actors could leverage that information to gain access to accounts on other platforms.

References

For more in-depth information about the recommendations, please visit the following links:

https://techcrunch.com/2023/01/15/norton-lifelock-password-manager-data/

https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
https://web.archive.org/web/20230113191952/https://ago.vermont.gov/blog/2023/01/09/nortonlifelock-gen-digital-data-breach-notice-to-consumers/


08/07/2022

JNJ's proactive services mean our technicians are constantly monitoring the health of your network and devices to ensure things are running smoothly.

When problems do happen, we'll immediately identify them and implement the appropriate fix. Try a month of FREE services to find out how JNJ can benefit your business and your bottom line!

08/03/2022

No problem is too large or too small for our certified technical experts✅ What are you waiting for? Help is just a phone call away.


08/03/2022

☀️ Did you miss us?

01/28/2022

⭐️The current pandemic has fundamentally altered the way business works and what’s needed to keep running. Even when the virus is gone, the changes will be here to stay.

⭐️With the push to work from home, if you want your Business to survive, you need to change the way you do things. You need to provide support remotely, scale beyond the office, and stay ahead of the tsunami of changes.

⭐️The status quo has been altered and is continually being changed. How do you scale and how do you thrive? How do you create your own stimulus?

⭐️Are you just sitting on an island waiting for the waters to wash you away, or are you ready to do what needs to be done to be successful?

‼️Reach out to JNJ Technology today to see how we can help restructure your business. ‼️

Email us at [email protected]

01/01/2022

⭐As we reflect on 2021, we think back to a quote that always resonates with us as a small business...

💡“Sometimes one can become lost in a big company and lose sight of how what one does truly helps or impacts the end customer. If you are one of those, think of a fire brigade, a line of people passing buckets of water from one to the other from a source of water to the site of the fire. An individual in the brigade may not be able to see the end result, i.e., the water being thrown on the fire to put it out, but the contribution of the individual is indispensable to the final outcome.”
– Grant Bright, Former Project Lead IBM

⭐Don't lose sight of your business needs, and the support you deserve!

☎ Call or Email JNJ Technology to find out how we can give you and your employees the service you need!
609-851-0068 or [email protected]

12/25/2021

You have realized your business needs to change and it’s time to put the wheels in motion - however you don’t have to do it alone.🤝

We have helped our client transfer data, migrate to new email accounts, restructure entire offices, run new network cables, successfully execute implementations quickly and efficiently, and so much more through our proven process. ✅

📡Contact our expert team today to find out more!
[email protected] or 609-548-8224


Address

Forked River, NJ
08731

Opening Hours

Monday 9am - 5pm
Tuesday 9am - 5pm
Wednesday 9am - 5pm
Thursday 9am - 5pm
Friday 9am - 5pm

Telephone

+16095488224
