Security Roundup January 2024

January 2024: Microsoft Execs Breached by Russian Attackers, LockBit Holds Subway Sandwiches to Ransom, HPE Purchases Juniper, and More! 

Microsoft Execs Breached by Russian Attackers

Microsoft announced that it detected an attack on its systems on January 12th by Midnight Blizzard, a threat actor tied to Russia’s Foreign Intelligence Service. Microsoft said that Midnight Blizzard gained access to its systems using a simple password spray attack against a ‘legacy system’. From there, the attackers were then able to access some of the email accounts of the company’s senior executives. The organisation believes the group was trying to find information about Midnight Blizzard. 

It is understood that the attackers abused an app within Microsoft’s environment, which used the OAuth authentication standard. This app had elevated access within Microsoft’s wider environment and enabled the attackers to create further malicious OAuth applications. The attack shows that vulnerabilities in the complex relationships between Microsoft’s cloud and on-premises systems can be an entry point for any organisation. Midnight Blizzard used the same tactics to access other organisations, including HPE. 

Microsoft did (some might say cynically) take the opportunity to upsell its security solutions, such as Sentinel and Defender ATP. In a recent LinkedIn article, Alex Stamos, Chief Trust Officer at SentinelOne, pointed out that Microsoft’s security revenue addiction is dangerous. He argues Microsoft should be shipping products that are secure by default rather than organisations needing to pay even more money with them to secure their products. 

LockBit Holds Subway Sandwiches to Ransom

Multinational foot-long sandwich vendor Subway was recently the target of an attack by the notorious LockBit gang, allegedly exposing critical business data. 

LockBit claims various pieces of information have been compromised, including employee salaries, franchise royalties paid, turnover rates for different restaurants and other important information from the organisation’s internal SUBS system. The attack was first announced on the dark web via LockBit’s website, stating that they have hundreds of gigabytes of data, which includes access to their financial systems. 

The group said that if their demands are unmet, they will release the stolen data on February 2nd. Subway has disputed the gang’s claims, saying that the attack only impacted a development environment. 

HPE Purchases Juniper

Hewlett Packard Enterprise (HPE) announced its intentions to buy Juniper Networks for $14 billion in a deal which could shake up the network security market. The deal is being positioned by HPE and Juniper execs as an AI opportunity, with the President and CEO of HPE, Antonio Neri, saying: “This transaction will strengthen HPE’s position at the nexus of accelerating macro-AI trends, expand our total addressable market, and drive further innovation for customers as we help bridge the AI-native and cloud-native worlds”.

However, AI might not be the entire reason for the purchase. Juniper’s SD-WAN business is an obvious draw for HPE, with Juniper’s offering being huge in the ISP arena. There may be other reasons for the acquisition. Whilst Aruba Wireless was the hottest product on the market a few years ago, it’s been disrupted by cloud-managed network providers such as Cisco Meraki and Juniper Mist. However, the acquisition may mean that HPE’s LAN switching offering takes prominence in the new networking giant over Juniper’s offering. HPE’s Aruba switching technology is a significant player in the LAN switching space with 7% of the market; however, it is still dwarfed by Cisco with 46%. 

Some of This Month’s Other Vulnerabilities 

Microsoft Patch Tuesday

Microsoft addressed 49 vulnerabilities in its Patch Tuesday updates this month, including 12 remote code execution flaws. Only two vulnerabilities were classed as critical. One was a Hyper-V remote code execution, and the other was a Kerberos Security Feature Bypass.

Jenkins

Exploits for several vulnerabilities in the popular open-source development platform Jenkins have been identified in the wild. The exploits take advantage of a recently patched vulnerability tracked as CVE-2024-23897 and can lead to remote code execution. Jenkins assists developers with continuous integration and continuous delivery (CI/CD). The flaw has been patched in Jenkins 2.442 and LTS 2.462.3. 

Ivanti

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile and MobileIron Core, which are now exploited in the wild. The flaw, tracked as CVE-2023-35082, was first announced in August. The vendor is advising the issues are fixed in version 11.11.0.0. 

It looks like 2024 is starting where 2023 left off!