
Security Alerts

Our support will regularly inform you of important events here.

Would you like to be notified by e-mail in case of future Security Alerts? Then sign up here!

The group uses a technique called device code phishing, tricking victims into signing in on fake login pages and stealing their authentication tokens. This enables attackers to gain access to their accounts and data, and even to move laterally within networks.

Microsoft recently reported that the group is now also abusing the Microsoft Authentication Broker to refine its attack techniques and maintain longer-term access.

How does device code phishing work?

It is a way for an attacker to obtain your access token and abuse it afterwards.

What is VanRoey doing to prevent this in your area?

Customers who use our Managed Microsoft 365 services already enjoy extra protection thanks to the strict policies we enforce. For example, we restrict who can add devices to Entra ID and limit the validity of sessions. But we are also taking additional measures:

  • We are pushing an additional Conditional Access policy to all Managed customers to prevent this attack.
  • We also strongly recommend the User Awareness (KnowBe4) training to prevent phishing in its broadest sense.

What can you do yourself to prevent this?

To prevent this threat, it is first of all crucial to make users aware of phishing techniques and suspicious login requests by means of a 'Security Awareness campaign'.

Organisations can mitigate the risk by eliminating the device code authentication flow where possible and setting up a strict Conditional Access policy. It is also recommended to make multifactor authentication (MFA) mandatory and to prefer phishing-resistant methods such as FIDO tokens or Microsoft Authenticator with passkeys. Blocking legacy authentication and regularly monitoring for suspicious login activity can also help detect attacks early.

Take action

In addition to the aforementioned User Awareness training and tightening/enforcing the right policies in your Microsoft 365 environment, the source article contains more information as well as options to maximise protection.

Should suspicious behaviour be observed, it is important to immediately revoke the refresh tokens of affected accounts and require users to log in again. Implementing a sign-in risk policy can help to respond automatically to suspicious logins.

Finally, it is recommended to centralise identity and access management to detect suspicious activity faster and strengthen the organisation's security.
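As an added illustration of the "regular monitoring of suspicious login activity" recommended above (example code written for this page, not VanRoey's or Microsoft's own tooling), the script below triages Entra ID sign-in records and flags every successful device code flow sign-in, escalating those from a country the user has never used for a normal interactive sign-in. The field names assume the Microsoft Graph signIn resource; the sample records are constructed.

```python
# Added example, not part of the VanRoey alert: triage Entra ID sign-in log
# records for device code flow sign-ins. Field names follow the Microsoft
# Graph signIn resource (authenticationProtocol, ipAddress, location,
# status.errorCode); the sample records below are constructed, not real.
from collections import defaultdict

SAMPLE_SIGNINS = [  # constructed sample data
    {"userPrincipalName": "an.user@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "BE"},
     "status": {"errorCode": 0}},
    {"userPrincipalName": "an.user@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"userPrincipalName": "it.admin@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "BE"},
     "status": {"errorCode": 0}},
    {"userPrincipalName": "it.admin@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "BE"},
     "status": {"errorCode": 0}},
    {"userPrincipalName": "guest@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 50126}},  # failed sign-in, ignored by the triage
]

def triage_device_code_signins(signins):
    """Return [(upn, ip, country, severity)] for every successful device code
    sign-in. Severity is 'high' when the country never appears in that user's
    successful interactive (non-device-code) sign-ins, otherwise 'review'."""
    known_countries = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            known_countries[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        upn, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        severity = "review" if country in known_countries[upn] else "high"
        findings.append((upn, s["ipAddress"], country, severity))
    return findings

if __name__ == "__main__":
    for upn, ip, country, severity in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"{severity:6} {upn}: device code sign-in from {ip} ({country})")
```

Every device code sign-in is reported because the alert's policy is to eliminate the flow altogether; the 'high' finding is the one to treat as a token theft candidate (revoke refresh tokens, re-authenticate the user).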

Feel free to contact us to minimise this risk for you. Existing customers can create a ticket. Others are welcome to send an e-mail to support@vanroey.be or call 014 470 600.

Microsoft will soon disable the 'legacy Exchange Online tokens'. This means that the Phish Alert Button (PAB) from KnowBe4 will no longer work without an adjustment.

Take action

For the PAB to function correctly, it must be re-authenticated via Nested App Authentication Single Sign-On (NAA-SSO), as described on the KnowBe4 website: https://support.knowbe4.com/hc/en-us/articles/38439352278803-Update-To-Nested-App-Authentication-Single-Sign-On-NAA-SSO-For-The-Phish-Alert-Button-PAB

Please note: after approving the permissions for NAA-SSO, it may be necessary to download and roll out the Phish Alert Button again.

We will proactively support customers with a Security Awareness contract. Do you not have a contract and need help with this adjustment? Let us know, we will be happy to help!

A vulnerability was recently discovered in FortiOS and FortiProxy that could potentially allow an attacker to gain unauthorised access to a firewall's management interface. The problem is tracked as CVE-2024-55591 with a CVSS score of 9.3 (Critical).

Affected products:

  • FortiOS: 7.x and earlier
  • FortiProxy: specific versions (see overview)

Take action

As a patch is not yet available, Fortinet recommends a temporary measure/workaround to reduce risk.

Managed Services customers need not worry, however: we have already thoroughly vetted your environment. Thanks to our standard configurations, which strictly secure access to the management interface, this vulnerability cannot be exploited in your systems.

Not sure if your IT environment is secure or need help with the suggested workaround? Then don't hesitate to contact us!

CVE-2024-42448

This vulnerability makes it possible for an attacker to remotely execute code on the VSPC server from an authorised management agent machine. This means that an attacker can gain full control over the server, which can lead to serious security problems. The severity of this vulnerability has been rated as critical, with a CVSS score of 9.9.

CVE-2024-42449

This vulnerability allows an attacker to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server, also from an authorised management agent machine. This could lead to data leakage and loss of important data. The severity of this vulnerability is high, with a CVSS score of 7.1.

Risks

If you do not take action, attackers can use CVE-2024-42448 to execute arbitrary code on your server, and CVE-2024-42449 to steal sensitive information and delete files, which can lead to data breaches and loss of critical data.

Take action

The only solution to both vulnerabilities is to update to the latest version of Veeam Service Provider Console, version 8.1.0.21999.
Existing VanRoey 'Private Cloud' customers or customers using our console have/had nothing to fear anyway as this environment is already extra strictly secured from external access. This console will also be upgraded in a planned maintenance session in the near future, which means that the necessary security patches will be applied immediately.

No other mitigations are available, so it is essential to implement this update as soon as possible to protect your systems. Of course, we can arrange this for you.

Not a customer yet? Feel free to contact us via support@vanroey.be or call 014 470 600. As an existing, non-managed customer, you can also create a ticket.

A critical vulnerability has been discovered in FortiManager, Fortinet's central management platform used to manage the configuration, security policies and updates of Fortinet devices (e.g. FortiGate firewalls). This CVE could allow attackers to gain unauthorised access to sensitive systems if not patched.

Take action

What should you do?

  • This vulnerability was patched in the following versions:
    Version       Affected          Solution
    FortiOS 7.4   7.4.0 to 7.4.1    Upgrade to 7.4.2 or higher
    FortiOS 7.2   7.2.0 to 7.2.7    Upgrade to 7.2.8 or higher
    FortiOS 7.0   all versions      Migrate to a version that has been patched
    FortiOS 6.4   all versions      Migrate to a version that has been patched
  • If this is not a possibility for the time being, temporarily turning off your FortiManager is an alternative security measure. This has no impact on the operation of e.g. your firewalls.

What does VanRoey do?

  • Our Managed Services customers can rest assured that we are in the process of applying the above patches or have already done so.

Are you not a Managed Services customer and need support to fix this important vulnerability? Please do not hesitate to contact our Support Service.

A new vulnerability (CVE) has been discovered in Veeam Backup & Replication versions older than v12.1.2.172. This means that all versions below this version should be patched.

Take action

If you use our Full Managed services, you don't need to worry. Our team will securely provide your environment with the right updates.

Are you not a Managed Services customer and need help with this important update? Then don't hesitate to contact our specialists!