Cyber Security Weekly Briefing, 18 – 24 June

Telefónica Tech    24 June, 2022

Microsoft Office 365 and Cloudflare services went down worldwide

Multiple web services were interrupted worldwide last Tuesday. The source of these incidents was Microsoft Office 365 on the one hand and Cloudflare on the other.

In the early hours of Tuesday morning, many users reported problems accessing Microsoft Office 365 services, including Exchange, Teams and SharePoint. Microsoft acknowledged the problems on its official Twitter account and attributed them to a failure in its traffic management infrastructure.

Meanwhile, Cloudflare also suffered a massive outage yesterday, affecting well-known websites such as Amazon, Telegram, Twitch and GitLab.

The incident was caused by a network configuration change made as part of an internal project to increase the resilience of Cloudflare's busiest locations, which ended up affecting 19 of its data centres. Both incidents have since been resolved and all services are operating as usual.

Read more

* * *

Critical vulnerability affecting QNAP NAS devices

QNAP has issued a security advisory about a vulnerability affecting its Network Attached Storage (NAS) devices.

According to the manufacturer, some of its server models are exposed to attacks through a critical PHP vulnerability dating back three years, provided the devices are not running their default configuration.

The vulnerability, identified as CVE-2019-11043 and with a CVSSv3 score of 9.8, allows remote code execution in PHP versions 7.1.x earlier than 7.1.33, 7.2.x earlier than 7.2.24 and 7.3.x earlier than 7.3.11.

The company indicates that, in order to exploit this vulnerability, both Nginx and PHP-FPM must be installed on the NAS server. If these conditions are met, the flaw affects the following versions of its operating systems: QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x, QuTS hero h4.5.x and QuTScloud c5.0.x.

In addition, QNAP advises customers that patches are currently available for the operating systems QTS 5.0.1.2034 build 20220515 and later and QuTS hero h5.0.0.0.2069 build 20220614 and later.

Read more

* * *

Quantum: new tool for creating malicious LNK files

Cyble researchers have identified a new tool based on the creation of malicious .LNK files that is increasingly being used in the early stages of an attack.

The use of .LNK files with malicious code is not new, as they have been used to manipulate legitimate Windows system tools in malware infections such as Emotet, Bumblebee, Qbot and IcedID.

Using this new tool, called Quantum, attackers can easily perform techniques such as bypassing User Account Control or the SmartScreen component, loading multiple payloads via a single .LNK, building HTA and ISO files, or executing malware in a delayed fashion.

The developers of this tool also claim that the generated files evade the corresponding security solutions. It should also be noted that some versions of Quantum include exploits for the "DogWalk" vulnerability, and Cyble links its use to the well-known APT Lazarus.

Read more

* * *

Cisco announces it will not fix vulnerability in Small Business RV routers

Cisco has warned users still using Small Business RV routers that the company has no plans to fix a new remote code execution vulnerability, which has been assigned a CVSS of 9.8.

The vulnerability, listed as CVE-2022-20825, is the result of insufficient validation of HTTP packets on the Small Business 110W Wireless-N VPN Firewall, RV130 VPN, RV130W Wireless-N Multifunction VPN and RV215W Wireless-N VPN routers, and is exploitable when the remote management web interface is enabled on WAN connections.

According to the company, despite the severity of the flaw, there will be no patch or fix for the vulnerability, as these devices are currently out of support, and it has made it clear that the only possible mitigation is to disable the remote management interface.

The company has therefore recommended that its users migrate their operation to Cisco Small Business RV132W, RV160 and RV160W routers.

Read more

* * *

Critical vulnerability in TheHive and Cortex

Security firm StrangeBee has issued a security advisory to report a critical authentication bypass vulnerability discovered in TheHive and Cortex.

TheHive is an open-source security incident response platform, widely used by companies around the world, while Cortex is an independent scanning engine, also developed by StrangeBee.

The vulnerability, which was discovered by Przemysław Mazurek, allows an attacker to impersonate any account on the platform, including administrator accounts, as long as the Active Directory (AD) authentication module is enabled and used to authenticate users on these platforms.

This is because AD accepts anonymous connections: if someone sends an authentication request for an existing account with an empty password via the TheHive/Cortex API, AD answers the request by authenticating the connection as "anonymous", which the platforms treat as a successful login.

This vulnerability, which does not yet have an identifier, affects TheHive versions 3 to 5 and Cortex 3, so it is recommended to upgrade to the latest version as soon as possible.
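The failure mode described above is the classic LDAP "unauthenticated bind" (RFC 4513 section 5.1.2: a simple bind with a user name and an empty password succeeds but grants only an anonymous session). The following added example, which is not TheHive, Cortex or StrangeBee code, contrasts a login check that trusts the bind status alone with one that refuses empty credentials and verifies the bound identity; `FakeDirectory` is a constructed stand-in for an AD server, and all user names and passwords in it are made up.

```python
# Added example (not TheHive/Cortex code). Shows why an empty password must be
# rejected before an LDAP simple bind is attempted: per RFC 4513 s.5.1.2 an
# "unauthenticated" bind (DN present, password empty) returns success but the
# resulting session is anonymous. FakeDirectory is a constructed stand-in for AD.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BindResult:
    success: bool
    identity: Optional[str]  # None when the server granted only anonymous access


class FakeDirectory:
    """Constructed stand-in for an AD/LDAP server that permits anonymous binds."""

    def __init__(self, users: Dict[str, str]):
        self.users = users  # account name -> password (constructed sample data)

    def simple_bind(self, user: str, password: str) -> BindResult:
        if user not in self.users:
            return BindResult(False, None)
        if password == "":
            # Unauthenticated bind: "success", but the session is anonymous.
            return BindResult(True, None)
        if self.users[user] == password:
            return BindResult(True, user)
        return BindResult(False, None)


def login_vulnerable(directory: FakeDirectory, user: str, password: str) -> bool:
    # Trusts the bind status alone, so an empty password "logs in" as the user.
    return directory.simple_bind(user, password).success


def login_hardened(directory: FakeDirectory, user: str, password: str) -> bool:
    # 1. Refuse empty or blank credentials before contacting the directory.
    if not user or not password.strip():
        return False
    # 2. Require that the bind produced an authenticated identity for that user,
    #    not merely a "success" status.
    result = directory.simple_bind(user, password)
    return result.success and result.identity == user
```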

Read more
