
Cisco disclosed two critical vulnerabilities affecting its Secure Email Gateway and Smart Software Manager On-Prem. For our organization and our customers, this means heightened exposure to attack and an urgent need to apply Cisco’s released patches to safeguard our systems, our customers’ systems, and their data.

Cisco Secure Email Gateway Arbitrary File Write Vulnerability

Advisory ID: cisco-sa-esa-afw-bGG2UsjH
Published: July 17, 2024
Severity: Critical (CVSS Score: 9.8)
CVE: CVE-2024-20401

A critical vulnerability has been identified in the content scanning and message filtering features of Cisco Secure Email Gateway. This flaw allows an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system. The vulnerability arises from improper handling of email attachments when file analysis and content filters are enabled. Exploitation could lead to actions such as adding users with root privileges, modifying device configurations, executing arbitrary code, or causing a permanent denial of service (DoS) condition. Cisco has released software updates to address this issue. No workarounds are available.

Cisco Smart Software Manager On-Prem Password Change Vulnerability

Advisory ID: cisco-sa-cssm-auth-sLw3uhUy
Published: July 17, 2024
Severity: Critical (CVSS Score: 10.0)
CVE: CVE-2024-20419

A critical vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) has been disclosed. This vulnerability allows an unauthenticated, remote attacker to change the password of any user, including administrative users, due to improper implementation of the password-change process. Exploitation could grant the attacker access to the web UI or API with the privileges of the compromised user. Cisco has released software updates to mitigate this vulnerability. No workarounds are available.

It’s important to stay updated and ensure that our systems and our customers’ systems are patched to protect against these critical vulnerabilities.

References:

Security Alert: New Play Ransomware Targets VMware ESXi VMs

Here at Cerium, we specialize in working with VMware to support clients who utilize ESXi virtual machines. Our expertise ensures that your virtual environments are secure, efficient, and resilient against threats.

Understanding the latest ransomware attempts targeting ESXi VMs is crucial for maintaining the integrity and availability of your systems. By staying informed and implementing robust security measures, we help protect your critical assets and minimize the risk of operational disruptions and data loss. Your security is our priority, and we are committed to providing the best solutions to safeguard your virtual infrastructure.

A new variant of the Play ransomware has emerged, specifically targeting VMware ESXi virtual machines. This development marks a significant shift in the ransomware landscape, as attackers increasingly focus on high-value targets within virtualized environments. The ransomware executes shell script commands to scan and power off all VMs, then encrypts VM files, appending the extension “.PLAY” to affected files.

The impact of this ransomware can be severe, as compromising VMware ESXi environments can disrupt operations and compromise backups, making recovery efforts more difficult. Organizations using VMware ESXi are at heightened risk of ransomware attacks, which can lead to significant operational disruptions and data loss.

To mitigate these risks:

  • Implement robust security measures.
  • Regularly patch systems, especially VMware ESXi, to protect against vulnerabilities.
  • Establish strong access controls to limit unauthorized access to critical systems.
  • Use network segmentation to contain potential breaches and limit the spread of ransomware.
  • Maintain offline backups to ensure data recovery in case of an attack.

Deploying security monitoring and incident response solutions can also help detect and respond to threats promptly. By staying vigilant and proactive in securing virtual environments, organizations can mitigate the risks posed by this new ransomware variant and protect their critical assets.
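As an added example (not from the original alert and not a vendor tool), the following Python sketch turns the two behaviours described above, a burst of VM power-offs followed by files renamed with the “.PLAY” extension, into simple monitoring checks. The event line format and the datastore layout are constructed for this example and do not reproduce real ESXi log formats.

```python
from datetime import datetime, timedelta
from pathlib import Path
import tempfile

# Constructed, simplified power-off event records (NOT a real ESXi log format):
# one "<ISO timestamp> poweroff <vm name>" line per event.
SAMPLE_EVENTS = """\
2024-07-19T02:00:01 poweroff app01
2024-07-19T02:00:03 poweroff db01
2024-07-19T02:00:04 poweroff web01
2024-07-19T02:00:06 poweroff web02
2024-07-19T02:00:07 poweroff file01
2024-07-19T09:15:00 poweroff test01
"""

def parse_events(text):
    """Parse the constructed event lines into sorted (timestamp, vm) tuples."""
    events = []
    for line in text.splitlines():
        ts, action, vm = line.split(maxsplit=2)
        if action == "poweroff":
            events.append((datetime.fromisoformat(ts), vm))
    return sorted(events)

def detect_poweroff_burst(events, threshold=4, window=timedelta(seconds=60)):
    """Sliding window: return the VMs of the first window holding >= threshold
    power-offs. A mass shutdown in seconds is rare for admins, typical for this
    ransomware's pre-encryption step."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            return [vm for _, vm in events[start:end + 1]]
    return []

def find_play_encrypted(datastore):
    """List files under the datastore whose final extension is .PLAY."""
    root = Path(datastore)
    return sorted(str(p.relative_to(root))
                  for p in root.rglob("*") if p.is_file() and p.suffix == ".PLAY")

def demo():
    """Run both checks against a constructed, temporary datastore tree."""
    with tempfile.TemporaryDirectory() as ds:
        for name in ("app01/app01.vmdk.PLAY", "app01/app01.vmx.PLAY", "test01/test01.vmdk"):
            f = Path(ds, name)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"x")  # placeholder content, constructed
        return detect_poweroff_burst(parse_events(SAMPLE_EVENTS)), find_play_encrypted(ds)
```

In production the thresholds would be tuned to the environment and the event source replaced by the hypervisor's own audit or event feed.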

Stay informed and act to protect your systems against this evolving threat.

References:
New Play ransomware Linux version targets VMware ESXi VMs

Security Alert: CrowdStrike BSOD & The Fallout

The recent CrowdStrike update incident has caused significant disruptions worldwide, providing a fertile ground for cybercriminals to exploit the chaos. On July 19, 2024, a faulty update to CrowdStrike’s Falcon sensor software led to widespread crashes of Windows systems globally. This update resulted in the infamous “Blue Screen of Death,” affecting critical services such as airports, hospitals, and TV stations. The issue stemmed from a logic error in the update, which caused an operating system crash on Windows systems. Despite CrowdStrike’s quick response to fix the issue, the fallout continued as many systems required manual intervention to recover.

In the wake of this chaos, cybercriminals seized the opportunity to launch various attacks. One of the primary methods employed by hackers was the creation of fake websites and phishing emails designed to trick users into downloading malicious software. These phishing attempts often impersonated CrowdStrike, offering fake support and solutions to the affected users. By exploiting the confusion and urgency of the situation, hackers were able to deceive many users into compromising their systems further.

Another particularly insidious method involved distributing a fake CrowdStrike repair manual. This manual, when downloaded, installed the Daolpu infostealer malware. The malware was designed to steal sensitive information from the infected systems, further compromising the security of the affected organizations. This tactic not only exacerbated the initial problem caused by the faulty update but also introduced new security threats that organizations had to contend with.

Additionally, scammers posed as tech support representatives, contacting affected users and offering to fix their systems. These scams aimed to gain remote access to users’ computers, allowing the attackers to steal personal information and credentials. By posing as legitimate support personnel, these scammers exploited the trust of users who were desperate for a solution to their technical issues.

The CrowdStrike update incident highlights the vulnerabilities that can arise from software updates and the rapid exploitation of such situations by cybercriminals. It underscores the importance of robust cybersecurity measures and vigilance in the face of unexpected disruptions. Organizations must remain alert to exploitation during crisis times and ensure that their security protocols can mitigate such risks.

References:
Fake Websites, Phishing Appear in Wake of CrowdStrike Outage
Fake CrowdStrike repair manual pushes new infostealer malware
