Learning from 6 Focus Threats in March 2020
The threat update from Accelerate provides a consolidated monthly summary of recent threats to businesses that you need to be vigilant about. We continuously monitor emerging threats, vulnerabilities and breaches reported by key industry security organisations, such as the NCSC and Fortilabs. In this month’s threat summary:
- NCSC Work From Home Guidance for IT Administrators
- Microsoft Ending Support Of Basic Authentication for Office 365
- Adobe Reader & Acrobat Flaws Impact Windows 10 and macOS
- Paradise Ransomware Hides in Office IQY File
- Trend Micro Plugs Two Zero-Days & Three Critical Flaws
- Cisco Releases Fix for Three High-Severity Flaws in SD-WAN Product
1. NCSC Work From Home Guidance for IT Administrators
The National Cyber Security Centre has published guidance to support IT Admins in preparing and enabling their organisation and staff to work from home in the wake of quarantine and isolation to prevent the spread of Coronavirus (COVID-19).
The guidance includes advice on setting up and controlling access to corporate systems, keeping user accounts and their devices secure, and helping staff spot phishing attempts and email scams, especially those concerning Coronavirus (COVID-19).
2. Microsoft Ending Support Of Basic Authentication for Office 365
Microsoft has announced that basic authentication – authentication with only a username and password – will be turned off for Office 365 services (including Exchange Online) from October 2020.
After this date Microsoft will only support modern authentication methods, which follow the OAuth 2.0 framework, where applications request access tokens from Azure Active Directory rather than using a username and password to connect.
This will be of particular interest to IT Admins who look after Exchange Online tenants that support POP and IMAP, which are typically used by third-party email clients. Microsoft strongly advises that users switch to Outlook for iOS and Android to avoid disruption after the change, expected later this year.
3. Adobe Reader & Acrobat Flaws Impact Windows 10 and macOS
Adobe has released a number of patches for its popular PDF software, Adobe Reader and Adobe Acrobat. The patches address nine critical flaws and four important vulnerabilities.
Any of the critical flaws could be exploited to install malware on a device running an outdated and vulnerable version of the Adobe software through an infected PDF.
This is especially important in the current climate, where most businesses are supporting an unprecedented number of remote workers who may be using their own personal and home devices to access corporate systems and data, and therefore do not adhere to . Wherever possible, IT Admins should contact staff throughout their organisation to ensure that users' versions of Adobe Reader and Acrobat are up to date.
4. Paradise Ransomware Hides in Office IQY File
A ransomware variant by the name of Paradise has been breaking through security perimeters in an unlikely fashion, concealing itself within Internet Query (IQY) files, which are simple text files used by Microsoft Excel to download data from URLs.
It is understood that most organisations will not detect this attack, let alone filter or block the IQY file type, because it is a legitimate file type and is also not detected as malware: the file contains no suspicious code or payload, just a URL.
The best defences against the Paradise ransomware are to maintain regular and secure offline backups of your data, employ anti-phishing technology and processes to prevent infected Excel files from being opened, and introduce URL and web filtering to block connections to malicious sites.
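Because an IQY file carries nothing but a URL, mail and web filtering can still inspect it as a document rather than as malware. The following added example (not from the original newsletter) parses the IQY layout assumed here, a "WEB" type line, a version line, the query URL, then optional key=value parameters, and flags queries pointing at hosts outside a constructed allowlist; the hostnames and sample files are made up for illustration.

```python
"""Scan Excel Internet Query (.iqy) files and flag those that pull data from
untrusted hosts. Added example; assumes the WEB/version/URL/params layout."""
from urllib.parse import urlparse

# Hypothetical hosts from which Excel web queries are expected in this estate.
ALLOWED_HOSTS = {"intranet.example.local", "data.example.com"}


def parse_iqy(text: str) -> dict:
    """Parse the line-oriented IQY format: 'WEB', version, URL, key=value lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    params = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text: str) -> list:
    """Return a list of findings; an empty list means the query looks benign."""
    try:
        query = parse_iqy(text)
    except ValueError as err:
        return [str(err)]
    parsed = urlparse(query["url"])
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parsed.scheme!r}")
    if host not in ALLOWED_HOSTS:
        findings.append(f"external host {host!r} not in allowlist")
    if parsed.scheme == "http":
        findings.append("cleartext http transport")
    # A bare IP address instead of a hostname is worth a second look.
    if host.replace(".", "").isdigit():
        findings.append("URL uses a bare IP address")
    return findings


# Constructed samples: a benign internal query and a suspicious external one.
BENIGN_IQY = "WEB\n1\nhttps://data.example.com/sales.csv\nSelection=EntirePage\n"
SUSPICIOUS_IQY = ("WEB\n1\nhttp://203.0.113.10/inv.php?id=1\n"
                  "Selection=EntirePage\nFormatting=None\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        print(name, assess_iqy(sample) or ["no findings"])
```

Checking the first line rather than the file extension lets the same routine run over any attachment a gateway hands it.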
5. Trend Micro Plugs Two Zero-Days & Three Critical Flaws
Trend Micro has patched two zero-day vulnerabilities that were being actively exploited in the wild, releasing fixes for them along with three other critical flaws. It is advised that these patches are applied to the impacted systems immediately.
The two zero-days impacted the Apex One and OfficeScan XG enterprise security products. It is understood that an attacker would need valid user credentials to exploit these vulnerabilities.
The other three critical flaws, also impacting Apex One and OfficeScan, could be exploited remotely over the internet without valid credentials, granting the attacker full control over the antivirus software and the underlying host operating system.
6. Cisco Releases Fix for Three High-Severity Flaws in SD-WAN Product
Three high-severity flaws in Cisco’s SD-WAN products have been fixed. The flaws could have allowed a local, authenticated attacker to gain root-level privileges and potentially execute arbitrary code.
The flaws impact a range of different systems, both hardware and software products, running software releases earlier than version 19.2.2 (version 19.2.2 is the fixed release).
Cisco is advising its SD-WAN customers to update their estate to the latest fixed release, version 19.2.2, as soon as possible to protect their organisation.