This advisory is for organizations that use Veeam ONE to monitor virtual infrastructure, backup infrastructure, and data protection environments. If your organization does not use this platform, this notification may be discarded.

Summary
Veeam has released hotfixes to address four vulnerabilities, two of them critical, present in the Veeam ONE platform. The first critical vulnerability may allow an unauthenticated user to gain information about the SQL server connection that Veeam ONE uses to access its configuration data base, introducing the potential for an attacker to perform remote code execution on the SQL server hosting the database.

The second critical vulnerability may be leveraged to leak the NTLM hash of the account used by the Veeam ONE Reporting Services to an unprivileged user with access to the UI.

CVE-2023-38547 – This unspecified flaw could be exploited by an unauthenticated user to gain information about the SQL server connection used by Veeam ONE to access its configuration database. CVSSv3: 9.9

CVE-2023-38548 – Vulnerability that could allow an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. CVSSv3: 9.8

Affected Products/Versions
Veeam ONE 11, 11a, 12

Mitigations
A Hotfix to resolve these vulnerabilities is available for:

1. Veeam ONE 12 P20230314 (12.0.1.2591)
2. Veeam ONE 11a (11.0.1.1880)
3. Veeam ONE 11 (11.0.0.1379)

To apply the hotfix, admins must stop the Veeam ONE monitoring and reporting services on impacted servers, replace the files on the disk with the files provided by the hotfix, and restart the services to deploy the fixes.

Hotfixes
https://www.veeam.com/kb4508#:~:text=Download%20Hotfix%20That%20Matches%20Installed%20Build%20Number

Additional Resources
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-bugs-in-veeam-one-monitoring-platform/ https://www.veeam.com/kb4508

(This article was originally published on MSU Denver)

For sophisticated hackers, small government agencies and local institutions can seem like sitting ducks. And while the federal government and major corporations all have generous budgets to fund monitoring and protection, most smaller organizations and civic institutions simply do not.

“Colorado has many huge rural counties, way distant from cities, that have zero budget, expertise or practical means of providing protection from hackers,” said Richard Mac Namee, director of the Cybersecurity Center at Metropolitan State University of Denver.

That’s a big problem. Cybercrime accounts for a jaw-dropping amount of money — it’s predicted to reach a global cost of $8 trillion this year — and the threat is only growing. Fortunately, the PISCES (Public Infrastructure Security Cyber Education System) program at MSU Denver has found a solution. The University’s Cybersecurity program supports 10 “customers,” including school districts, county governments and a fire department.

Through PISCES, student analysts provide a monitoring service, and when they spot anything suspicious, they escalate it immediately to the National Cybersecurity Center. The Colorado Springs-based nonprofit, which promotes cybersecurity innovation, education and workforce development, then passes on details of the security concern. Mac Namee says it’s fast, efficient and remarkably effective.

“Smaller organizations desperately want help right now to protect their systems, while students training to be cyberanalysts absolutely need experience working with real data,” explained Mac Namee. “Put them together, and everyone wins.”

Expanding program

Program supporters say the beauty of PISCES, which originated in Washington state before coming to Colorado, lies in the simplicity of its central premise: pairing organizations that lack any digital protection with Cybersecurity students who crave experience in a live working environment.

Although successful, PISCES has operated at a modest level. Mac Namee sees the program’s potential to help many more organizations on a much broader scale.

“The current risk level is the highest I’ve seen in five years,” Mac Namee said. “The introduction of AI, in particular, has meant even novice hackers can now weaponize advanced tech for serious attacks. We’re at a turning point, where immediate action is necessary.”

Others are recognizing the growing threat and the potential of PISCES to address it. Last month, the Colorado Attorney General’s Office awarded the program $500,000 to expand across the state over the next two years, with the potential for another $250,000 in 2025.

Attorney General Phil Weiser said PISCES will create more jobs in the cybersecurity field and recruit participants from rural communities into this good-paying profession.

“And all the while, it will be protecting Colorado residents from cybersecurity threats,” he said.

A proactive approach

One of the organizations benefiting from the students’ help is West Metro Fire Rescue. And the department’s IT director, Eric Bates, said the program has been a runaway success.

“The vast amount of data generated by our systems had been posing a real challenge to us,” Bates said. “But fortunately, PISCES and MSU Denver came to our aid with a game-changing solution that has fundamentally improved our cybersecurity operations.”

Bates has been impressed by the students’ cutting-edge knowledge and fresh perspectives. But most of all, he is struck by their proactive approach to detecting and responding to potential security threats.

“They have shown real skill and dedication in handling our difficult work and often uncover anomalies that our other threat-response services might miss,” he said.

Hands-on experience

Among the biggest winners from the program have been MSU Denver’s Cybersecurity students, whose overall learning experience has vaulted to a whole new level.

“Working with the PISCES program means we get to apply all the concepts we learned in class within a realistic but guided setting and then refine them through continual practice,” said Monica Ball, a Cybersecurity student. “There’s nothing like getting hands-on experience of everything we’ve learned, such as analyzing workflow, contextualizing alerts and judging search parameters, then putting it all together under real-life circumstances. It’s a really cool way to hone your cyberanalysis skills.”

Crucially, Ball added, the program also helps the students demonstrate to potential future employers that they’re made of the right stuff.

“Most employers are looking for graduates with a degree and relevant experience in the field,” Ball said. “Working with PISCES not only boosts our confidence; it also gives us something tangible to discuss in interviews and makes us way more hireable.”

Ready for action

By immersing students in real-world scenarios and setting them to work on reams of live data (and malicious threats), PISCES makes sure they’re primed to tackle challenges in the workplace.

That’s also why Mac Namee is looking to recruit more MSU Denver Cybersecurity students and graduates to join the PISCES program. He knows it’s a unique opportunity for them.

“With cybersecurity, you essentially only really learn by doing,” he said. “And believe me, nothing teaches a student faster than getting thrown into the metaphorical deep end during live situations.”

Although there is a huge demand for cybersecurity professionals (3.5 million job vacancies worldwide, in fact), Mac Namee points out that employers are emphatically looking for students who have also earned their stripes in the real world.

“On its own, a four-year Cybersecurity degree doesn’t necessarily make you workforce-ready,” he said. “You also need the kind of real live experiences that you’ll only get from internships, work placements or opportunities such as the PISCES program.”

CyberSensei Mike Hamilton comes onto the CyberSensei podcast to discuss how to best prepare cybersecurity students for their jobs.

Results from the survey indicated:

1. Most of communities (66%) reported that elected officials and government executives were engaged and supportive or interested in the program.
2. Five (5) communities providing feedback support communication for law enforcement, while one (1) performs automated traffic management and the other supports water and waste management. Anonymous submissions noted some organization provide support for both communication for law enforcement and election infrastructure. Similarly, one (1) organization reported supporting local city government, while another reported supporting city government that contracts out for services.
3. Two (2) communities reported that alerts received from PISCES are actionable, while the remaining eight (8) communities, in an even split, reported that most or some alerts from PISCES were actionable.
4. Half of the data sharing partners reported that PISCES alerts have resulted in the prevention of serious impacts to your organization, the other reported no large impacts.
5. All but one partner noted that the PISCES monthly reports are useful for themselves as the designated point of contact and staff. On the other spectrum, one community reports distributing the report to selected individuals.
6. Twenty percent (20% ) of data sharing partners noted that utilizing a PISES intern for defined tasks would be helpful to their organization, while sixty percent (60%) shared that it would be helpful dependent on the type of work. The other twenty percent noted that it would not be helpful for their organization.
7. All communities shared their willingness to recommend PISCES to other organizations.
8. One community partner reported its capability and willingness to hire a PISCES graduate. The remaining nine (9) communities have reported not having the capability or willingness to hire a PISCES graduate.
9. Additional highlights & quotes:

• “We really appreciate the service. We have an IT staff of 1 and minimal budget so this service is very valuable.”
• “Great program. If we had a need for PISCES graduate, would definitely consider.”
• “Regarding question 10, we are willing, however, we cannot fund the position right now. We currently have a former PISCES student as an intern.”

The 5th Annual PISCES Academic Workshop will be held on 2 November 2023 in conjunction with the 27th CISSE at Kennesaw State University, Kennesaw, Georgia and on-line.

The deadline is 15 September 2023.

Paper topics may directly address PISCES or may address topics related to PISCES. Example topics may include:

• Tools and Techniques

• Detection Analytics
• Novel Uses of Net Flow Data
• Innovative Approaches Anomaly Detection
• Improvements and Effectiveness of monitoring tools

• Student Engagement and Learning

• Metrics of student engagement and activity
• Research on student outcomes
• Learning with live data and unknown content

• Preparing students for the workforce

• SOC operations and the classroom
• Understanding, defining, and educating for work roles
• Balancing theory and practice

• Public Infrastructure Protection

• Educating on protecting public infrastructure
• Analyzing weakness in public infrastructure

Paper Submission Guidelines
To be considered for presentation at the 5th PISCES Workshop, please submit an original, unpublished paper by 15 September 2023. Parallel submissions are not accepted.

Submit to: papers@piscesintl.wpenginepowered.com.

Student papers will be considered and are encouraged.

Papers will be reviewed by committee.

Papers should present a well-formed and capably written idea, which advances the field of cybersecurity, and which is adequately contextualized and sufficiently supported by the literature. The implications for general application should be clear as well as their advantage and importance to the at-large purposes of the field. Conclusions should be supported by analytic means, either empirical or subjectively derived through commonly accepted methods. Graphic, or tabular support is encouraged.

Please use the IEEE Manuscript Template for your submission.

Word count range of approximately 2,500 to 4,000
Include sufficient references that reflect sufficient consideration of the literature
Include a no-more-than 250-word abstract
Be sure that all photos, graphs and illustrations have a print resolution of no less than 300 dpi
Authors selected to present their papers must register for the 27th CISSE – https://cisse.info/

On 3/14/23 Microsoft released patches to address a critical vulnerability found in Microsoft Outlook for Windows. This vulnerability affects only Microsoft Outlook for Windows. Other versions such as those for Android, iOS, Mac, and Outlook/M365 on the web are not affected.

CVE-2023-23397

Microsoft Outlook Elevation of Privilege (EoP) Vulnerability

CVSSv3.1: 9.8

This vulnerability may be triggered by an attacker that sends a crafted, expired appointment to a user. This will activate the reminder feature within Outlook for overdue appointments with no user interaction required.

The attacker-crafted appointment will exploit the path to the sound file that Outlook plays for a reminder when it is overdue, substituting a UNC (Universal Naming Convention) path within the message that leads to their own server. This will cause the Outlook client to send the user’s login name and their NTLM password hash to the attacker’s remote server.

This exploit does NOT require the recipient to interact with the appointment received from the attacker. The message will be processed behind the scenes, potentially leaving the user unaware that they have been compromised.

Mitigations

• Ensure current patches are applied.
• For those that cannot patch right away, Microsoft provides guidance for DCs using Windows 2012 R2 or newer. Consider adding on-premises accounts to a Protected Users Security Group. This prevents the use of NTLM as an authentication method by group members and continues to allow legacy applications that require NTLM to be excluded from the group and still utilize that authentication method. (Ensure that you review Microsoft documentation for Protected Users Security Groups before implementing: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group?WT.mc_id=M365-MVP-9501 )

Detection and Response

• Microsoft has made a script available that will review the Exchange environment to see whether a property is populated for a UNC path. The script can also be used to clean up the property for the malicious appointment reminders or even delete the items permanently.
• https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/

Additional Resources

• https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397