Content 

01. News Bites
  • Massive global outage disrupts TV channels, airports, and banks as Windows computers crash
  • CVE-2023-6548 upgraded to critical following new intelligence; immediate software updates advised
  • Cisco issues critical software update for CVE-2024-20419 vulnerability
  • Microsoft reports Scattered Spider adds Qilin ransomware to arsenal
  • Life360 customer data breach exposes personal information
02. Conclusion

Quick News Bites

Massive global outage disrupts TV channels, airports, and banks as Windows computers crash

Television channels, airports, and banks worldwide were disrupted by a major outage that caused Windows computers to crash. Sky News’s breakfast show was replaced by archive footage on Friday morning.

Downdetector reported sudden spikes in problems with websites, including Microsoft applications, banking websites, and airline apps. Ryanair urged passengers to arrive three hours early due to a “third party IT issue” affecting all airlines.

Users across Australia, New Zealand, India, and Japan reported problems, with the UK particularly impacted during Friday’s rush hour. Cyber security researchers noted that “something super weird” was happening globally, with Windows computers displaying the “blue screen of death.”

Cyber security engineers traced the crashes to CrowdStrike’s Falcon endpoint security software rather than to Windows itself. CrowdStrike acknowledged the issue, stating: “CrowdStrike is aware of reports of crashes on Windows related to the Falcon Sensor.” Windows machines worldwide were affected in very large numbers (Microsoft later put the figure at roughly 8.5 million devices), causing significant disruption.

“CrowdStrike has had a catastrophic error that has taken a large percentage of the global IT systems offline. On the one hand it's shown how large CrowdStrike's market share is, but it's also shown how fragile the interconnected world we live in can be. This issue has grounded airlines, halted broadcasters and taken channels offline, and, at the most critical end, severely impacted emergency services. In this instance a small change has led to a huge global impact, and the questions will be how and why it happened. CrowdStrike were very bullish in their mission statement: ‘We Stop Breaches’. Unfortunately, this time, they've created the outage.

The CrowdStrike ecosystem revolves around a single agent deployment to deliver their portfolio of security solutions, which operates permanently online, connected to their SaaS-based management platform. In a world where threats are constantly evolving, and we need to move quickly and often to counter them, this approach really works and has become the industry norm. Updates are delivered directly to the endpoint agents as they become available, ensuring systems have the real-time protection they need. The downside, and what has happened with CrowdStrike today, is that a bad update can have wide-ranging ramifications.”

- Richard Ford, Integrity360 CTO

CVE-2023-6548 upgraded to critical following new intelligence; immediate software updates advised

The NHS England National Cyber Security Operations Centre (CSOC) has received intelligence from CrowdStrike indicating that, contrary to Citrix’s initial disclosure, CVE-2023-6548 does not require user privileges for exploitation. The vulnerability is now designated critical: a remote, unauthenticated attacker could use it to execute code on a vulnerable NetScaler Gateway or NetScaler ADC appliance.

The vulnerability carries two different CVSSv3 scores: the NIST National Vulnerability Database (NVD) rates it 8.8, whereas Citrix rates it 5.5. It is an Improper Control of Generation of Code ('Code Injection') weakness in NetScaler ADC and NetScaler Gateway, and the attack path runs through the appliance’s management interface (NSIP), so appliances whose management interface is reachable from untrusted networks are the most exposed. Citrix’s advisory separately recommends keeping the management interface on a physically or logically separated network and not exposing it to the internet; that is worth verifying regardless of patch status.

Citrix’s original advisory for CVE-2023-6548 and CVE-2023-6549 was released in January 2024, and Cyber Alert CC-4439 was published at medium severity. Based on the new intelligence from CrowdStrike, the Cyber Alert has been raised to high severity to reflect the elevated risk posed by the vulnerability.

Affected Versions:  

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:  

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35 
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21 
  • NetScaler ADC 13.1-FIPS before 13.1-37.176 
  • NetScaler ADC 12.1-FIPS before 12.1-55.302 
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302 

The initial remediation advice issued in January 2024 recommended updating to the latest versions listed in CTX584986. Since additional builds have been released since then, the revised advice is to update to the most current version available, as listed below.

Affected customers of NetScaler ADC and NetScaler Gateway should install the relevant updated versions as soon as possible.

  • NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases 
  • NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1 
  • NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0   
  • NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS   
  • NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS   
  • NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP  

Note: the standard (non-FIPS, non-NDcPP) NetScaler ADC and NetScaler Gateway 12.1 release is now End of Life (EOL) and receives no fix. Customers on it are recommended to upgrade their appliances to a supported version that addresses the vulnerabilities.
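The affected and fixed build lists above are easy to misread by hand, particularly across the FIPS and NDcPP branches, where the fixed build number is lower than on the standard branch. The following script is an added example (not part of this bulletin and not Citrix tooling) that parses a NetScaler version string, either in the advisory’s `13.1-51.15` form or in the `NS13.1: Build 51.15.nc` form that `show ns version` prints, and reports whether that build carries the CVE-2023-6548 fix. The sample lines in it are constructed, and the FIPS/NDcPP variant is passed explicitly because the bulletin lists those builds separately.

```python
import re
from typing import Optional, Tuple

# Minimum fixed builds per release branch, copied from the remediation list above.
# Key: (branch, variant); variant is None for the standard build line.
FIXED_BUILDS = {
    ("14.1", None): (12, 35),
    ("13.1", None): (51, 15),
    ("13.0", None): (92, 21),
    ("13.1", "FIPS"): (37, 176),
    ("12.1", "FIPS"): (55, 302),
    ("12.1", "NDcPP"): (55, 302),
}

# `show ns version` prints e.g. "NetScaler NS13.1: Build 49.13.nc, Date: ..."
SHOW_VERSION_RE = re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)")
# Advisory form, e.g. "13.1-51.15"
ADVISORY_RE = re.compile(r"\b(?P<branch>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)\b")


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build_major, build_minor)) from either string form."""
    m = SHOW_VERSION_RE.search(text) or ADVISORY_RE.search(text)
    if m is None:
        raise ValueError(f"no NetScaler version found in: {text!r}")
    return m["branch"], (int(m["major"]), int(m["minor"]))


def assess(text: str, variant: Optional[str] = None) -> Tuple[str, str]:
    """Classify a build as patched / vulnerable / eol / unknown for CVE-2023-6548."""
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        if branch == "12.1" and variant is None:
            return "eol", "standard 12.1 is end of life; upgrade to a supported release"
        return "unknown", f"no fixed build known for branch {branch} variant {variant}"
    label = f"{branch}-{variant}" if variant else branch
    shown = f"{build[0]}.{build[1]}"
    # Tuple comparison orders on the major build number first, then the minor.
    if build >= fixed:
        return "patched", f"{label} build {shown} is at or above {fixed[0]}.{fixed[1]}"
    return "vulnerable", f"{label} build {shown}: upgrade to {branch}-{fixed[0]}.{fixed[1]} or later"


if __name__ == "__main__":
    # Constructed sample lines, not output captured from a real appliance.
    for line, variant in [
        ("NetScaler NS13.1: Build 49.13.nc, Date: Jul 5 2023, 03:03:33   (64-bit)", None),
        ("NetScaler NS14.1: Build 12.35.nc, Date: Mar 1 2024, 12:00:00   (64-bit)", None),
        ("12.1-55.302", "FIPS"),
        ("12.1-55.302", None),
    ]:
        print(assess(line, variant))
```

Run it against the output of `show ns version` from each appliance (or against the version column of an inventory export); anything reported as `vulnerable` or `eol` should be scheduled for upgrade, and for every appliance, patched or not, confirm separately that the NSIP is not reachable from the internet.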

Cisco Issues Critical Software Update for CVE-2024-20419 Vulnerability 

Cisco has released software updates for CVE-2024-20419, a critical vulnerability carrying the maximum CVSS base score of 10.0. The flaw allows an attacker to change any user's password, including the administrator's, without authenticating.

The vulnerability lies in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem), which organisations use to manage Cisco software licences and administer products on-premises. Cisco attributes it to an improper implementation of the password-change process.

“An unauthenticated, remote attacker could exploit this by sending crafted HTTP requests to an affected device, allowing access to the web UI or API with the compromised user's privileges,” Cisco stated. 

Cisco SSM On-Prem releases 8-202206 and earlier are vulnerable, as are all releases earlier than 7.0 (when the product was known as Cisco Smart Software Manager Satellite). The first fixed release is 8-202212. There are no workarounds, and Cisco has not yet detected any exploitation in the wild.

A separate Cisco advisory published the same day covers a different flaw, CVE-2024-20401 in Cisco Secure Email Gateway, and should not be confused with the SSM On-Prem issue. Cisco states: “This vulnerability affects Cisco Secure Email Gateway if it is running a vulnerable release of Cisco AsyncOS and both of the following conditions are met:

  • Either the file analysis feature, which is part of Cisco Advanced Malware Protection (AMP), or the content filter feature is enabled and assigned to an incoming mail policy
  • The Content Scanner Tools version is earlier than 23.3.0.4823”

Fixed releases: the fix for the Secure Email Gateway vulnerability is distributed through an updated version of the Content Scanner Tools package. Content Scanner Tools versions 23.3.0.4823 and later contain the fix, and the updated package is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.

Microsoft Reports Scattered Spider Adds Qilin Ransomware to Arsenal 

Microsoft has reported that the Scattered Spider cybercrime group (which Microsoft tracks as Octo Tempest) has added Qilin ransomware to its toolset.

"In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns," Microsoft stated on Monday. 

The group, active since early 2022 and also tracked as UNC3944 and 0ktapus, gained notoriety with its 0ktapus phishing campaign, which targeted over 130 high-profile organisations, including Microsoft, Binance, and T-Mobile. It also encrypted MGM Resorts' systems after affiliating with the BlackCat/ALPHV ransomware operation in mid-2023.

The FBI and CISA highlighted Scattered Spider's tactics in a November 2023 advisory, noting its use of phishing, MFA fatigue (push bombing), and SIM swapping to gain network access. Qilin, for its part, has shipped Linux encryptors targeting VMware ESXi virtual machines since at least December 2023.

Qilin operators infiltrate networks, exfiltrate data, and then deploy the ransomware, producing double-extortion attacks. Ransom demands have ranged from $25,000 to millions of dollars, and victims include the UK pathology provider Synnovis, whose compromise disrupted several NHS hospitals.

Life360 customer data breach exposes personal information 

A threat actor using the handle 'emo' has leaked a database containing the personal information of 442,519 Life360 customers. The data was harvested by abusing a flaw in the Life360 login API.

The unsecured API endpoint allowed the verification of users' email addresses, names, and phone numbers. "When attempting to login to a Life360 account on Android, the login endpoint would return the first name and phone number of the user," emo explained. Verified phone numbers were partially masked. 

Life360 has since fixed the API flaw; the login endpoint now returns placeholder values instead of real phone numbers. The leak was first spotted by HackManac, and the data itself was collected in March 2024.

In a related event, emo leaked over 15 million Trello email addresses, also obtained via an unsecured API. Separately, Life360 disclosed an extortion attempt after attackers breached a Tile customer support platform and stole sensitive information; emo stated they were not responsible for that incident. Life360, which acquired Tile in 2021, confirmed the exposed Tile data did not include credit card numbers or other highly sensitive information.
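The Cisco SSM On-Prem flaw above (a password change that is not bound to an authenticated user) and the Life360 flaw (a login endpoint that hands back profile data before the caller has proved anything) are the same kind of failure: the authentication endpoint trusts the request more than it should. The following Python sketch is an added example, neither Cisco's nor Life360's code, that puts a constructed insecure handler next to a hardened one for each case. The in-memory user store, field names, response shapes and the session-revocation policy are assumptions; the hardened login returns one identical failure message whether the account is unknown or the password is wrong, and runs the password hash either way so response timing does not reveal which.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def make_store() -> Dict[str, dict]:
    """Constructed user store (username -> record); not a real product's schema."""
    store = {}
    for user, pw, first, phone in (("admin", "Adm1n-pass", "Alice", "+1 555 010 0199"),
                                   ("bob", "b0b-pass", "Bob", "+1 555 010 0200")):
        salt, digest = hash_password(pw)
        store[user] = {"salt": salt, "digest": digest, "first_name": first, "phone": phone}
    return store


# Pre-computed dummy credential so the unknown-user path costs the same as a wrong password.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))


# --- Defect 1: login response that leaks account data (Life360 class) -----------------
def login_insecure(store, username, password):
    """Failure responses differ by cause and carry profile data, so an unauthenticated
    caller can confirm an account exists and harvest its name and phone number."""
    user = store.get(username)
    if user is None:
        return {"status": 404, "error": "no such account"}
    if not verify_password(password, user["salt"], user["digest"]):
        return {"status": 401, "error": "bad password",
                "first_name": user["first_name"], "phone": user["phone"]}
    return {"status": 200, "first_name": user["first_name"], "phone": user["phone"]}


def login_secure(store, sessions, username, password):
    """One generic failure response regardless of cause; profile data only after auth."""
    user = store.get(username)
    salt, digest = (user["salt"], user["digest"]) if user else (_DUMMY_SALT, _DUMMY_DIGEST)
    ok = verify_password(password, salt, digest) and user is not None  # hash runs either way
    if not ok:
        return {"status": 401, "error": "invalid credentials"}
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return {"status": 200, "token": token}


# --- Defect 2: password change not bound to an authenticated principal (CVE-2024-20419 class)
def change_password_insecure(store, username, new_password):
    """Anyone who can reach the endpoint can reset any account, including admin."""
    if username not in store:
        return {"status": 404, "error": "no such account"}
    store[username]["salt"], store[username]["digest"] = hash_password(new_password)
    return {"status": 200}


def change_password_secure(store, sessions, token, username, current_password, new_password):
    """Require a valid session, require it to belong to the target account, and re-prove
    the current password before accepting the change."""
    actor = sessions.get(token) if token else None
    if actor is None:
        return {"status": 401, "error": "authentication required"}
    if actor != username:
        return {"status": 403, "error": "forbidden"}
    user = store.get(actor)
    if user is None or not verify_password(current_password, user["salt"], user["digest"]):
        return {"status": 401, "error": "authentication required"}
    user["salt"], user["digest"] = hash_password(new_password)
    # Assumed policy: a password change revokes every other session for the account.
    for other in [t for t, u in sessions.items() if u == actor and t != token]:
        del sessions[other]
    return {"status": 200}
```

The two insecure handlers are what an attacker sees from the outside: `login_insecure` answers a wrong password with the account's name and phone number, and `change_password_insecure` lets a request with no session at all reset `admin`. The hardened versions fail closed with the same generic status for every wrong path, tie the change to the session owner, and drop the account's other sessions once the password changes.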

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.