In this blog, Xact IT is going to go into a joint summary that was released by the United States, basically, cybersecurity department, known as CISA, and some other government, actually, foreign government agencies that went with CISA on this release and why it's important. You're going to want to know the information that is being provided out there today.
CISA released this bulletin the other day, and they release bulletins all the time, so does the FBI. Usually, they're bulletins that are around indicators of compromise or what they're seeing in the field when they do investigations, when they're involved in ransomware incidents. A lot of municipal governments, police departments, local governments, state governments, universities, large corporations, all get hacked. The FBI usually gets involved in these. Now, unfortunately, for small businesses, you're not going to get the FBI. You might have to file a police report and that's as far as it goes, but FBI does get involved into a lot of investigations and they just don't have the resources to get involved in everyone.
So, what they do is as they uncover methodologies and see repeat things through these various cyber-attacks, they put out these bulletins that educate the public on things to look for or things that they know are common reasons why cyber criminals are able to get into businesses networks. By uncovering this they released 15 vulnerabilities that are well-known exploits that are out there in the wild that have been patched by the manufacturers. CISA is still continuing to see a massive number of companies, organizations fall victim to ransomware attacks and other cyber-attacks, mostly ransomware attacks, through these vectors and these ways to get in. It's really important that everybody understands that when this information comes out, it's a double-edged sword with this kind of information.
The public is now made aware of the vulnerability, so are the cyber criminals. Usually that's released with a patch or the patch is released ahead of time. Then, they release the bulletin about the vulnerability in the hopes that people have enough time to patch their systems or put the updates on their systems so that these vulnerabilities can't be exploited. Although, unfortunately that's not what we see in reality. In the practical world, most companies don't do a good job with getting their systems patched and they end up with ransomware.
You are probably wondering why it's important for those reasons, but really quick, what are the common things that we're seeing exploited? What are the things out there right now? These are the things that CISA, the FBI and other foreign governments have all collectively come out and said, "Hey, everybody needs to patch this stuff. Everybody needs to do something about this stuff, because it's going to cause a problem for you one day if you don't do it."
Now, one of them is the Log4j, so if you don't know what Log4j, search Xact IT Solutions channel for Log, the number four, J, and you will see videos about this vulnerability and what you need to do about it. There has been a fix out for it for a very, very long time. However, if you don't patch it and an attacker can get control of your system or get inside your network, they can use this vulnerability to basically get admin level access to a machine very easily.
Another one on the list Zoho ManageEngine ADSelfService Plus. This is a third-party program that has known vulnerabilities that integrate with your active directory server. So, if you are a Zoho ManageEngine customer, this is something that you should have taken care of and patch. But yet, we have the FBI saying that we are constantly seeing companies get attacked using this vector.
Then, we also have a slew, like five, seven, nine, don't know how many it was, of Microsoft Exchange Server vulnerabilities that have been patched by Microsoft. Some for many years at this point, for two plus years. So, cyber criminals are still able to attack these systems that, by default, your Microsoft Exchange Server is exposed to the internet, because it wouldn't be able to do its core function of transporting and receiving and sending email for your organization or your company. This particular server has to be exposed to the internet. So, if you didn't patch your Microsoft Exchange Servers, if you still have what's known as on-prem exchange server, and you're not using Office 365 or some cloud-based hosted exchange, you're probably susceptible to these vulnerabilities and you need to get them patched.
The reason Xact IT brought this to attention is because a vast majority of companies out there don't have this patch. The FBI and CISA and federal agencies around the world are sounding the alarms that experts are seeing massive, massive upticks in cyber-attacks because of these vulnerabilities.
Next, Xact IT is going to talk about the Atlassian Confluence Server. This is a documentation server that's out in the cloud. You can purchase licenses through Atlassian. This has been a known vulnerability for their systems for a long time. If a hacker is able to exploit this vulnerability, they can get control of the server that this software runs on, which is usually exposed to the internet. Meanwhile, there is the Microsoft Netlogon Remote Protocol, elevation of privilege for zerologon. This has been patched for a very long time by Microsoft. If you don't have your windows systems up to date, you're going to have this vulnerability.
What's this means for you and what cyber experts see a lot is hackers get in through an exploit through your firewall. Then, once they're in there, they start looking for these other vulnerabilities that might exist in your environment. If cyber criminals find them, they use them to gain further access or to move somewhere else on your network or to create another way in or another back door because you figure out that somebody's getting in through, say, your firewall, well, maybe they put a back door in on two, three, four, five, six, seven computers inside your network. Now, they can get back into your network through those computers, which is actually something experts are seeing a lot of lately. This is something that cyber criminals are getting very good at is maintaining access and setting up other vectors.
There was an article on Yuma which is a medical facility in Arizona or somewhere down in the Southwest, that basically said they saw the hackers come in, and then they saw them come back in on Monday. So, this is a real thing that hackers are trying to make sure that they get second, third level access or different ways to get into your network.
Another story experts want to touch on is Pulse Secure Pulse Connect Secure, which has been patched for a long time. So, if you're a Pulse Secure Pulse Connect customer, hopefully you're on the latest version of that software. Then, the last one here in the list of 15, which mostly, again, were Microsoft Exchange vulnerabilities, is the Fortinet FortiOS client, which is a firewall. Cybersecurity experts are seeing this Fortinet firewall exploit happen a lot. Then, once they get in using that vulnerability, they're then using these other vulnerabilities that are mentioned above, and they're using other vulnerabilities that they know of to maintain access or get further access.
Cyber experts notice that the Fortinet is usually being the first thing that gets attacked. Why is this? Well, a lot of companies like to go out and hire people for projects, they don't want to bring somebody in to kind of make sure everything's running smoothly all the time. They're just like, "Hey, we need a office set up. We need to get this office with internet and a network set up." So, one of the things you're going to need is a firewall or some kind of gateway device. Now, you could use your ISP's modem if you like, probably not a good idea. Most people do invest in some kind of firewall or the person that they hire to do the job comes in and gives them some kind of a firewall.
Then, they plug it in. They get it set up. Everything works. But there's no relationship there. They don't have this person coming back out or maybe the person who is actually in charge of running that doesn't know that you have to update that device. Sometimes even you have to buy certain licenses to make sure that that device maintains the same level of security that it had when it originally got installed. So, what experts find is these devices don't get maintained. They don't get updated. Then, these vulnerabilities are easily exploited. Every single one of these devices, these Fortinet devices touches the internet. It's exposed to the internet in some way, shape or form. If it's not configured correctly, if it's not updated correctly, cyber criminals will hop all over these devices and get into your network very, very, very easily. Especially with this particular exploit that exists with this Fortinet firewall.
Fortinet has patched this firewall multiple times. They've patched vulnerabilities with their firewalls but this particular one that's this CVE-2018-13379 happened in 2018. It's been patched pretty much ever since. So, going on four years now for this vulnerability, and it's still one of the top exploits today, and still one of the main reasons why companies are getting ransomware today.
To briefly note there are other common things that are out there as well. For example, Sitecore XP, which has been a vulnerability since last year, ForgeRock OpenAM Server, Accellion FTA, VMware vCenter Server, which is also an exploit from 2021, that allows basically cyber criminals to deploy ransomware. If you have a VMware environment, if they can get on that host machine, which can result in a big attack. Cyber experts have seen this multiple times where cyber criminals hit the Fortinet firewall and then immediately go looking for VMware servers. Also, if VMware servers are not up to date, they're hitting those and encrypting it very, very, very quickly.
SonicWall is another firewall similar to Fortinet, another vulnerability that was patched in 2021 there. A couple other Principal or WindowsPrincipal or vulnerabilities that have been since patched by Microsoft. QNAP devices, which is from 2020 that is still ongoing. QNAP devices are NAS storage devices on networks. You can find more on this on Xact I.T. Solutions YouTube channel.
Citrix Gateway Application Delivery Controller is another vulnerability from 2019 that's still out there being actively exploited because people are not updating their Citrix.
Lastly, Microsoft Office back in 2017 is still being exploited with major vulnerability. They are using things like macros and remote code execution. Also, if you don't know what that means, it means that if someone can get a file on your computer and that person can get it to execute, and can remotely access your computer by just opening it. Microsoft has since patched these holes in their software, so these things can no longer happen. That's essentially what all of these patches do.
All of these patches prevent hackers from being able to take over your system through known vulnerabilities, which is why patch management, having a patch management plan, and making sure that your patches are being done and auditing the fact that they are done. You don't want to go in the honor system with this stuff. There are tools that will scan your network that will let you know that these vulnerabilities exist and live on your network. If somebody were to gain access, they would be able to use these exploits or these vulnerabilities to move further, or actually deploy ransomware in your environment.