April 5, 2022
Good morning, everyone!
Did you update everything last week?
A few hours after my last newsletter went out, one faithful reader wrote to me:
Glenda, I'm supposed to get auto updates. I checked my Note 10+, and it told me I was up to date. But, the last update was 2-4-22, so I manually checked. There was an update to be had.
See? I told you so! Patch all the things!
Viasat has released a report detailing how its recent breach occurred: "a misconfiguration in a VPN appliance." Didn't I say just two weeks ago that Configuration is Everything?!
2FA and Prompt Bombing
The bad guys never sit back and relax, do they? The Lapsus$ group and Nobelium (the gang behind the SolarWinds compromise) have been using a technique that gets around push-based two-factor or multi-factor authentication (2FA/MFA): Prompt Bombing!
“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
So you all know how much I love 2FA/MFA, but no system is perfect, right? It only protects you if you use it properly.
Think before you tap! One of the best things about push notifications is that they warn you when someone else is trying to log in as you, but only if you pay attention. When a prompt pops up on your mobile device, READ IT. If it asks you to approve a login you aren't making, deny it, and do NOT approve "just to make the prompts stop": that is exactly what the attacker is counting on. Then change the password on that account immediately, and tell your IT or security team, so they can look at the login attempts that triggered the prompts.
If the attacker got as far as triggering the 2FA/MFA prompt, that means they already have your actual password for that account. Whether it was stolen or guessed, the password is compromised, and an unexpected 2FA/MFA prompt is the warning that tells you so. Denying the prompt keeps them out; changing the password stops the prompts.
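The other half of the defense belongs to whoever watches the MFA logs: a burst of push prompts to one user in a few minutes is the attack in progress, and an approval arriving after such a burst is the moment the account should be treated as compromised. The script below is an added example written for this newsletter, not code from the newsletter's author or from any MFA vendor. The log format is a constructed, hypothetical one (timestamp, user, result per line); the sample lines are made up, and the 10-minute window and 5-prompt threshold are assumed starting values to tune for your own environment.

```python
"""Flag MFA push "prompt bombing" in authentication logs.

Added example, not code from this newsletter or from any MFA vendor.
The log format is a constructed, hypothetical one: each line is
"<ISO-8601 UTC timestamp> <user> <result>", with result one of
push_sent, approved, denied, timeout.  Real products export other
fields; only the sliding-window logic carries over.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window per user
THRESHOLD = 5                   # assumed prompts-in-window that mark a burst

# Constructed sample: alice is bombed with six prompts in four minutes and
# finally approves one; bob and carol show normal single or timed-out prompts.
SAMPLE_LOG = """\
2022-04-04T02:11:05Z alice push_sent
2022-04-04T02:11:20Z alice denied
2022-04-04T02:11:40Z alice push_sent
2022-04-04T02:11:55Z alice denied
2022-04-04T02:12:00Z bob push_sent
2022-04-04T02:12:10Z bob approved
2022-04-04T02:12:30Z alice push_sent
2022-04-04T02:12:45Z alice denied
2022-04-04T02:13:00Z carol push_sent
2022-04-04T02:13:10Z alice push_sent
2022-04-04T02:13:25Z alice denied
2022-04-04T02:13:40Z carol timeout
2022-04-04T02:14:00Z alice push_sent
2022-04-04T02:14:15Z alice denied
2022-04-04T02:14:30Z carol push_sent
2022-04-04T02:15:02Z alice push_sent
2022-04-04T02:15:10Z carol timeout
2022-04-04T02:15:30Z alice approved
"""


def parse(lines):
    """Yield (timestamp, user, result) tuples from the constructed log format."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_prompt_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, user, timestamp, prompts_in_window).

    kind is "burst" when a user receives `threshold` or more push prompts
    inside `window` (someone holding the password is hammering the phone),
    and "approved_after_burst" when that user then approves a prompt, which
    is the point at which the account should be treated as compromised.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent events
    in_burst = set()             # users whose current window already raised "burst"
    alerts = []
    for ts, user, result in parse(lines):
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()       # drop prompts that fell out of the window
        if not prompts:
            in_burst.discard(user)  # window empty again: a fresh burst may re-alert
        if result == "push_sent":
            prompts.append(ts)
            if len(prompts) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append(("burst", user, ts, len(prompts)))
        elif result == "approved" and user in in_burst:
            alerts.append(("approved_after_burst", user, ts, len(prompts)))
    return alerts


if __name__ == "__main__":
    for kind, user, ts, n in detect_prompt_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<22} user={user} prompts_in_window={n}")
```

Run against the sample, it raises one "burst" alert for alice at the fifth prompt and one "approved_after_burst" when she gives in at 02:15:30; bob's single approved prompt and carol's two timeouts raise nothing. The "burst" alert is the one to page on, because at that point the password is already known to be compromised even if the user keeps denying.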
Go forth and be secure! and have a great week.
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.
Talk to you again soon!
Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺
TNE. Cybersecurity. Possible.