enterprise networks

Winsage
March 4, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about a command injection vulnerability (CVE-2023-20118) affecting Cisco Small Business RV Series Routers, which are end-of-life. This vulnerability, rated 6.5 on the CVSSv3.1 scale, allows authenticated attackers to execute arbitrary commands with root privileges. The affected models include RV016, RV042, RV042G, RV082, RV320, and RV325, running firmware versions released before April 2023. Cisco will not provide patches for these devices. CISA mandates that federal agencies either implement mitigations or stop using the routers by March 24, 2025. Private organizations are also encouraged to address the issue, especially due to exploitation attempts linked to the PolarEdge botnet campaign. Administrators are advised to restrict administrative access, monitor logs for unusual activity, and consider decommissioning affected devices. The continued use of unpatched routers poses significant risks to critical infrastructure, particularly in small business and remote work environments.
Winsage
February 13, 2025
A report from Microsoft reveals that the Russian state-sponsored threat group known as Seashell Blizzard has shifted its operational focus to exploiting public vulnerabilities in internet-facing systems. This subgroup, associated with the Russian Military Intelligence Unit 74455 (GRU), has been conducting operations under the "BadPilot campaign," allowing them to maintain long-term access to compromised systems since at least 2021. They have been responsible for at least three destructive cyberattacks in Ukraine since 2023 and are now targeting a broader range of industries globally, including energy, telecommunications, and government sectors. Since early 2024, they have exploited vulnerabilities in software such as ConnectWise ScreenConnect and Fortinet FortiClientEMS, indicating a "spray and pray" approach to achieve compromises at scale. The group has adapted to exploit various public vulnerabilities, including critical issues in applications like Microsoft Exchange and Zimbra Collaboration, demonstrating their capability to leverage weaknesses in essential systems. Microsoft describes Seashell Blizzard as a key component of Russia's cyber strategy, particularly in efforts to destabilize Western institutions.
Winsage
November 9, 2024
Microsoft has acknowledged a significant issue with last month's Windows security updates that disrupt SSH connections on select Windows 11 22H2 and 23H2 systems, primarily affecting enterprise, IoT, and education customers. The company is investigating whether Windows 11 Home or Pro editions are also impacted. The October 2024 security update has caused the OpenSSH service to fail to start, preventing SSH connections, and this issue occurs without detailed logging, requiring manual intervention to start the sshd.exe process. A temporary workaround involves adjusting access control list (ACL) permissions on specific directories, with instructions provided for affected users. Microsoft is working on a permanent fix to be included in a future Windows update. Additionally, the October Patch Tuesday updates resolved fingerprint sensor freeze issues on Windows 11 24H2 devices and lifted a safeguard hold on upgrades for impacted systems. Microsoft also addressed issues in previous updates affecting application launches on Windows 10 22H2 and Remote Desktop connections in enterprise networks.
Winsage
October 8, 2024
Microsoft's cumulative updates for October address a significant issue with Remote Desktop connections on Windows servers, specifically related to the RD Gateway service, which began crashing every 30 minutes after the July security updates. This issue, confirmed by Microsoft, is linked to a TSGateway service termination problem that triggers a 0xc0000005 exception code, logged as Event 1000. The affected Windows Server releases include:

- Windows Server 2022 (KB5040437)
- Windows Server 2019 (KB5040430)
- Windows Server 2016 (KB5040434)
- Windows Server 2012 R2 (KB5040456)
- Windows Server 2012 (KB5040485)

Temporary workarounds include blocking connections over the \pipe\RpcProxy\3388 named pipe and modifying the RDGClientTransport registry key. Administrators are advised to back up the registry before making changes. Microsoft has previously addressed similar connectivity issues and has also released security updates for October 2024 that fix 118 vulnerabilities, including five zero-days.