Welcome to this week’s Security News.
If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Microsoft shares temporary fix for broken Windows Server 2022 Virtual Machines
Microsoft has officially acknowledged a known issue causing blue screens and boot failures on Windows Server 2022 virtual machines (VMs) running on VMware ESXi hosts. The problem arises after the installation of the KB5031364 October 2023 cumulative update. Windows administrators have reported difficulties with VM start failures following the installation of this update. Microsoft has confirmed that these issues specifically affect VMware ESXi hosts and are linked to the aforementioned update released as part of the previous month’s Patch Tuesday. The fix is detailed at BleepingComputer – link here.
Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks
Threat actors are taking advantage of a zero-day vulnerability in SysAid, a service management software, to infiltrate corporate servers for data theft and deploy the Clop ransomware. SysAid is an IT Service Management (ITSM) solution designed to manage various IT services within organizations. The Clop ransomware is known for exploiting zero-day vulnerabilities in widely used software, and previous instances include vulnerabilities in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA. The specific vulnerability is identified as CVE-2023-47246, and it was discovered on November 2 after hackers successfully exploited it to compromise on-premise SysAid servers. This incident highlights the ongoing challenge of securing software and the potential risks associated with undiscovered vulnerabilities that threat actors can exploit for unauthorized access and ransomware attacks.
News from the Sector
Microsoft drops SMB1 firewall rules in new Windows 11 build
Windows 11 will no longer add SMB1 (Server Message Block version 1) Windows Defender Firewall rules when creating new SMB shares, starting with the Canary Channel Insider Preview Build 25992. Previously, since Windows XP SP2, creating SMB shares would automatically set up firewall rules within the “File and Printer Sharing” group. However, with this change, Windows 11 will configure the updated “File and Printer Sharing (Restrictive)” group, excluding inbound NetBIOS ports 137-139, which are associated with SMB1 artifacts. According to Microsoft’s Amanda Langowski and Brandon LeBlanc, this alteration aims to enhance default network security and align SMB firewall rules more closely with the behavior of the Windows Server “File Server” role.
WhatsApp now lets users hide their location during calls
WhatsApp is introducing a new privacy feature for Android and iOS users that allows them to conceal their location during calls. This is achieved by routing the connection through WhatsApp servers, obscuring the users’ location from other call participants. The standard peer-to-peer direct connection between callers is switched to proxy the calls through WhatsApp servers, which helps obfuscate IP address metadata containing information about the users’ internet service provider or general geographical location. It’s important to note that, despite the relay through WhatsApp servers, the company asserts that it cannot eavesdrop on the calls as they remain end-to-end encrypted. Additionally, the company mentions that group calls are always relayed through its servers by default.
Cyber Attacks
Cloudflare website downed by DDoS attack claimed by Anonymous Sudan
Cloudflare confirmed that a recent outage on their www.cloudflare.com website was the result of a DDoS (Distributed Denial of Service) attack. However, this attack only affected the website and did not impact any other Cloudflare products or services. The company did not attribute the attack to a specific threat actor. According to a spokesperson, the DDoS attack caused intermittent connectivity issues for a few minutes, but no Cloudflare customers were impacted. The company emphasized that their website is hosted separately and does not affect the functionality of their services.
OpenAI confirms DDoS attacks behind ongoing ChatGPT outages
OpenAI has faced “periodic outages” in the past 24 hours due to distributed denial-of-service (DDoS) attacks targeting its API and ChatGPT services. Although the company did not initially disclose specific details about the root cause of these incidents, they later confirmed that the outages were indeed a result of ongoing DDoS attacks. In an update to an incident report published approximately 11 hours ago, OpenAI stated, “We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing work to mitigate this.”