May '24 Policyholder Newsletter

Attacks on Microsoft RD Web access are UP

Earlier this month, the U.S. Department of Justice charged two suspects allegedly responsible for leading a crime ring that laundered approximately $73 million from cryptocurrency investment schemes. They met victims through dating apps or social media platforms and promised to invest their funds, but instead siphoned the money into their own accounts. This type of long-term investment scam is commonly called pig butchering — since threat actors are after every last bit of profit, or the whole “hog.” …So, uh, who’s excited for grilling season?

For more updates on the threat landscape and the Risk Dashboard — and less grotesque nicknames for cybercrime — keep reading...


[BANNER] Threat Intel Corner

❗We’ve noticed an uptick in attacks against external-facing Microsoft RD Web Access (a component of Microsoft Remote Desktop Services that allows users to remotely access desktops and applications through a Web browser).

What’s happening? Threat actors are either using stolen credentials or brute-forcing weak user credentials to access an organization’s network and move undetected in an environment, usually with the ultimate goal of deploying malware, such as ransomware.

How can you protect against brute-force attacks? A brute-force attack is basically a cybercriminal strong-arming their way into an account through trial-and-error, guessing login credentials until they get in. 

While threat actors have widely available tools to automate the guessing, prevention is relatively straightforward. To reduce your exposure to these attacks, we recommend stronger passwords (a password manager can help), multi-factor authentication, and limiting the systems you expose to the public internet, such as RDS Web Gateway (common alternatives are Zero Trust Network Access, cloud resources, and Virtual Private Networks).
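As an added illustration (not Corvus tooling and not part of the Corvus Scan), here is one way to spot the trial-and-error pattern in your own RD Web Access web-server logs: it reads a few constructed IIS-style lines and flags any source address that posts to the RD Web login page at least a threshold number of times inside a sliding window. The log field order and the login path are assumptions to adjust to your deployment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page). Assumed field order:
# date time cs-method cs-uri-stem c-ip sc-status
SAMPLE_LOG = """\
2024-05-20 10:00:01 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-05-20 10:00:03 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-05-20 10:00:05 GET /RDWeb/Pages/en-US/Default.aspx 198.51.100.4 200
2024-05-20 10:00:06 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-05-20 10:00:08 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-05-20 10:00:11 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-05-20 10:00:15 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.4 302
2024-05-20 10:09:00 POST /RDWeb/Pages/en-US/login.aspx 192.0.2.9 200
2024-05-20 10:20:00 POST /RDWeb/Pages/en-US/login.aspx 192.0.2.9 200
"""

# Assumed RD Web Access login page; check the path used by your own installation.
LOGIN_PATH = "/RDWeb/Pages/en-US/login.aspx"


def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, method, uri, client_ip, status)."""
    date, clock, method, uri, ip, status = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), method, uri, ip, int(status)


def find_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {client_ip: timestamp} for every source whose login POSTs reach `threshold`
    inside any sliding `window`; the timestamp is the attempt that crossed the line."""
    recent = defaultdict(deque)   # per-IP timestamps of login POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, method, uri, ip, _status = parse_line(line)
        if method != "POST" or uri.lower() != LOGIN_PATH.lower():
            continue                       # only login submissions count as attempts
        attempts = recent[ip]
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:
            attempts.popleft()             # drop attempts that aged out of the window
        if len(attempts) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, threshold reached at {when:%H:%M:%S}")
```

Successful users rarely post the login form more than a handful of times in five minutes, so sources that trip this check are candidates for blocking at the edge and for a password reset on any account they targeted.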

Check your exposure: A large number of threat actors are focusing their efforts on breaking in through Microsoft RD Web Access, and we are also seeing it as the initial point of compromise in our claims. If you’re unsure about your exposure, the Risk Dashboard will provide you with personalized guidance if the Corvus Scan identifies a publicly accessible Microsoft RDS Web Gateway on your system(s).


[BANNER] Risk Advisory Tips

As always, mitigating risk for your organization is our top priority. This extends to our “home base” — the Risk Dashboard. To help keep your information secure, we’ve made setting up multi-factor authentication (MFA) as straightforward as possible. 

[DIAGRAM] CrowBar MFA Set-Up Screen

🕒 By the end of 2024, we’ll require MFA for all Risk Dashboard users. If you haven’t already set up MFA, you’ll notice a few new prompts the next time you log in.

In just a few steps, your information will be better protected against malicious actors: 

  1. Download an Authenticator app on your mobile device (if you don’t already have one). We recommend Google or Microsoft Authenticator.

  2. Open the Authenticator app and locate the “Scan QR code” feature within the app.

  3. Scan the QR code and enter the 6-digit code on the Risk Dashboard log-in screen. Get personalized security recommendations and threat alerts. 😊


[BANNER] Threat Alerts

The Corvus Scan is a powerful asset that helps us identify which policyholders may be at greater risk from vulnerabilities. In response, we send tailored, time-sensitive notifications with direct guidance for remediation.

We’ve gathered a monthly round-up of our alerts and threat intel updates below:

Veeam Vulnerability Alert | May 2024

CVE-2024-29849, CVE-2024-29850, & CVE-2024-29851 

Veeam issued a security advisory for a number of critical security vulnerabilities. The flaws affect Veeam Backup Enterprise Manager, commonly used for management and reporting of Veeam Backup & Replication installations from a web console. We recommend organizations upgrade to the most recent version immediately.

As reported by Veeam, CVE-2024-29849 could allow an unauthenticated attacker to log into the Veeam Backup Enterprise Manager web interface as any user. This could lead to serious incidents such as data theft or ransomware. These vulnerabilities affect the following products: Veeam Backup & Replication versions 12.1.x and prior (fixed in Veeam Backup Enterprise Manager 12.1.2.172).

Ivanti Avalanche and EPM Vulnerability Alert | May 2024

CVE-2024-29848, CVE-2024-29846, & CVE-2024-29822 - CVE-2024-29830

Ivanti issued a security advisory for a number of critical security vulnerabilities. The flaws affect Ivanti Avalanche and Endpoint Manager (EPM) commonly used for endpoint and device management. We recommend organizations upgrade to the most recent version immediately.

As reported by Ivanti, the vulnerabilities enable an unauthorized, remote (internet-facing) actor to execute code remotely on the appliance. This could lead to serious incidents such as data theft or ransomware. These vulnerabilities affect the following products:

  •  Ivanti Avalanche before 6.4.x

  •  Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier versions

QNAP Vulnerability Advisory | May 2024

CVE-2024-27128, CVE-2024-27129, & CVE-2024-27130

QNAP issued a security advisory for critical security flaws (CVE-2024-27128, CVE-2024-27129, & CVE-2024-27130) affecting certain QNAP operating system versions. QNAP products are commonly used for network storage and file sharing. The vulnerability allows an authenticated attacker to remotely execute arbitrary code. Proof of Concept (PoC) code has been released publicly. Though QNAP reports that this vulnerability requires user authentication, other sources and the released PoC report that an untrusted user may exploit the vulnerability when provided a file-sharing URL. Security patches are available and should be applied as soon as possible.


The vulnerabilities affect multiple products, and we recommend upgrading to the following versions:

  • QTS 5.1.x (update to QTS 5.1.7.2770 build 20240520 and later)
  • QuTS hero h5.1.x (update to QuTS hero h5.1.7.2770 build 20240520 and later)