CVE-2023-20198
Alert Plus: US and UK launch air strikes on Houthi targets in Yemen

Current Situation of US and UK air strikes in Yemen
Intelligence cut-off time: 15:00 GMT, 12 January 2024
On 11-12 January, US and UK aircraft and warships conducted at least 70 strikes on military targets across Houthi-controlled Yemen. Reports indicate that more than 100 precision-guided munitions were fired at at least 16 Houthi locations, including a military base adjacent to Sanaa airport, a military site near Taiz airport, a Houthi naval base in Hodeidah and military sites in Hajjah governorate. The Houthis stated that five of the group's fighters were killed in the strikes and six others wounded.
US Secretary of Defense Lloyd J. Austin III released a statement saying the strikes targeted sites associated with unmanned aerial vehicles (UAVs), ballistic and cruise missiles, and coastal radar and air surveillance capabilities.
The majority of the firepower came from US aircraft: the aircraft carrier USS Dwight D. Eisenhower was already in the Red Sea, and the US also operates air bases in the region. US Navy warships fired Tomahawk land attack cruise missiles (LACMs), which are GPS-guided and can be programmed to fly evasive routes. The UK contributed four RAF Typhoons flying from RAF Akrotiri in Cyprus, armed with Paveway IV guided bombs.

Houthi Response to UK and US Air Strikes in Yemen
In response, the Houthis have stated that they are not deterred by the attacks. Houthi political bureau member Mohammed al-Bukhaiti said the US and UK would “soon realise” the action was “the greatest folly in their history”. Hezbollah, Hamas and Palestinian Islamic Jihad responded that the strikes demonstrate Washington's and London's support for Israel and that the West is now responsible for the consequences for the region's security. Iran also responded forcefully, describing the strikes as a breach of international law. Saudi Arabia and Jordan did not condemn the attacks but called for restraint. Several Western nations supported the operation as an attempt to restore the free flow of trade and deter further Houthi attacks.
Who is Behind The Houthi Movement?
The Houthi Movement is an Iranian-aligned group that controls much of Yemen after nearly a decade of civil war against a Western-backed, Saudi-led coalition. The two sides are observing a tentative truce that formally expired in late 2022 but has largely held since.
Following the outbreak of the Israel-Hamas conflict, the Houthis emerged as a strong supporter of Hamas. The group began attacking shipping in the Red Sea and Gulf of Aden in November 2023, the seizure of the Galaxy Leader on 19 November being among the first incidents, claiming to target vessels linked to Israeli persons, businesses and interests.
This route, which links Europe with Asia and Africa via the Suez Canal, carries roughly 15 percent of global shipping traffic. The attacks have forced some shipping companies to limit transits through the waterway or suspend them altogether, taking the longer route around southern Africa instead. This has significantly disrupted international commerce, increasing delivery costs and times and stoking fears of global inflation.
US response to Houthi Attacks on 9th January 2024
In response to the Houthi attacks, the US launched Operation Prosperity Guardian with several allies, aiming to counter the threat posed by Houthi forces to international maritime trade. The operation was defensive in nature: allied warships shot down missiles and drones launched at vessels, but no strikes on Yemeni territory were conducted. The Houthis continued to fire at merchant vessels and allied naval vessels, dismissing warnings from Washington and London. Then, on 9 January, US and British warships shot down 21 drones and missiles, repelling the largest Houthi attack to date.
How will UK and US airstrikes in Yemen affect global stability?
It is highly likely that the Houthis' largest attack to date, on 9 January, was the trigger that crossed the US-UK threshold for a military response. While international prices have yet to see a significant impact, Operation Prosperity Guardian was not working as a deterrent. It is highly likely that more extensive, sustained Houthi action would force more merchant vessels away from the Red Sea, almost certainly disrupting maritime trade and therefore increasing consumer prices and shortages.
What course of action will the Houthi’s take to retaliate?
In the immediate aftermath, the Houthis are highly likely to increase their attacks on commercial and military vessels in the region in retaliation, although their ability to launch missiles and drones has likely been degraded. Should the Houthis sustain their attacks, it is almost certain that the US and UK will continue striking targets within Yemen. It is also highly likely that the group will be re-designated as a terrorist organisation if the attacks continue. This would have a significant impact on the peace process between the Houthis and the Saudi-led coalition to end the Yemeni Civil War, which has continued to progress despite regional tensions.
A breakdown of that process would almost certainly see a resumption of hostilities between the two sides, with locations within Saudi Arabia and the United Arab Emirates likely becoming viable targets for the Houthis, as their previous attacks have shown.
Will the UK and US involvement spark conflict with the Middle East?
Across the Middle East, it is highly likely that the Houthis' allies and other Iranian proxies will act in solidarity with the group. These groups will almost certainly view the strikes as Western support for Israel.
It is almost certain that Popular Mobilisation Forces (PMF) factions in Iraq and Syria will continue to target US military bases across the region, and it is likely that the frequency and scale of these attacks will increase considerably. There is a realistic possibility that US military locations not yet targeted, in Kuwait, Saudi Arabia and the UAE, will be attacked.
Hezbollah will likely continue to focus its attacks on Israel; however, an attack on US forces cannot be ruled out. While still unlikely, the US and UK strikes on Yemen have increased the likelihood of a wider conflict developing in the Middle East, and of the West entering a proxy war with Iran. Such a conflict would highly likely draw attention away from the conflict in Gaza, almost certainly worsening the humanitarian situation there.
Travel Risk Advice
- Avoid all non-essential travel to Yemen.
- Anyone operating in the region should monitor events from a reliable source in case of a major escalation.
- Key military and political infrastructure inside Sanaa is very likely to remain a focal point for violence and demonstrations. Be particularly vigilant in these areas and follow any specific advice from the local security authorities.
- Avoid US and UK embassies or consulates across the region as these will likely be the epicentres for demonstrations.
- If air-raid or rocket warning sirens are sounded, seek secure shelter immediately, ideally in a purpose-built shelter. If in a building when sirens are sounded, head to a secure room, stairwell or inner room. Close all windows and doors, stay in shelter for ten minutes after the siren ends.
- If hostilities resume between the Houthis and the Saudi-led coalition, key civilian and military installations in Saudi Arabia and the UAE will likely become targets. Avoid these locations if not essential.
- Previous Houthi attacks have targeted major airports. Ensure alternative travel plans are in place and that all individuals have comprehensive travel insurance.
- Mariners in the region should proceed with extreme caution, maintaining contact with port and shipping authorities at all times.
- Always follow all instructions and orders from security forces. Where possible, avoid areas of active conflict and remain inside a secure location away from windows.
- Always carry personal identification documents. Consider making photocopies of important documents in case of confiscation, theft or loss, and keep the copies separate from the originals.
- Have emergency contact numbers saved on your phone. These should include the local authorities, medical facilities and any consular support. Ensure that mobile phones are charged in case of any losses in electricity.
- If caught in the vicinity of a security incident, seek shelter immediately and leave the area if safe to do so. Continue to adhere to all instructions issued by authorities and obey any security cordons in place.
- Monitor the Solace Secure platform and trusted local media for relevant updates.
More on the recent activity in the region
Houthi Attacks in the Red Sea
Since the start of the Israel-Hamas war, the Houthi Movement has supported the Palestinian cause by targeting southern Israel directly and Israeli-linked vessels on shipping routes in the Gulf of Aden, Red Sea, and the Bab-al-Mandeb.
Houthi Seizure of Merchant Vessel Galaxy Leader
In a brazen incident on 19 November, the Galaxy Leader, a Bahamian-flagged, Japanese-operated merchant vessel (IMO: 9237307), was seized by suspected Houthi Movement militants in the southern Red Sea.
Israel-Hamas War 2023
With the incursion into southern Israel by the Gaza-based militant group Hamas over the weekend of 7 and 8 October, this eventuality became a reality, and the region is now on the precipice of a protracted and deadly conflict.
Safeguard your journey with Solace Global
Security Services for Remote and High Risk Areas
We manage the full security lifecycle, from initial security strategy, protection on-the-ground and ongoing overwatch, with advanced risk management software to support compliance and reporting.

Solace Secure: Travel risk management software
Give your people peace of mind when they travel for work, so they remain focused on the job at hand. We mitigate risks, manage incidents if they occur, and support your people with security advice or help in a crisis. With Solace Secure you have everything you need to provide safe passage on a global scale.

Enhanced Monitoring in High-Risk or Remote Locations
An extra layer of security support can be added with the overwatch monitoring tool on Solace Secure. Our crisis response team supports your travel policy protocols and keeps eyes on travelling employees' check-ins. Should anything go amiss, we can begin response procedures immediately.

Speak to our team about your journey management needs
Solace Cyber Recognised as Assured Service Provider by National Cyber Security Centre.

Solace Cyber, a leading Cyber Security organisation with headquarters in Dorset, has achieved recognition as an Assured Service Provider under the prestigious Cyber Incident Response (Level 2) scheme by the National Cyber Security Centre (NCSC). This accolade positions Solace Cyber among the first in the UK to attain Incident Response accreditation through the scheme, highlighting their commitment to providing high-quality incident response services.
The NCSC’s Cyber Incident Response project aims to offer support to UK organisations that have fallen victim to cyber-attacks, by raising awareness of high-quality incident response providers who can offer external support and advice on how to manage and recover from cyber incidents.
The initiative builds on the Level 1 scheme, which was developed to assure companies that have the capability to provide incident response services to nationally significant organisations such as regulated industries, central government, and critical national infrastructure.

With an impressive track record, Solace Cyber has helped companies across the UK recover from ransomware attacks and data breaches. Acting for international loss adjusters and cyber insurers, Solace covers more than 30,000 commercial businesses nationwide through its channels and has delivered hundreds of successful response and recovery engagements.
Rowland Johnson, President of CREST said, “Congratulations to Solace for gaining NCSC Cyber Incident Response (Level 2) scheme Assured Service Provider status for its incident response services. This means Solace has been assessed as capable of supporting most organisations with common cyberattacks, such as ransomware. It provides valuable assurance to buyers of the high quality of Solace’s incident response services.”
This prestigious accreditation reaffirms Solace Cyber’s dedication to meeting the NCSC’s stringent standards for both technical and organisational capability. By achieving the Cyber Incident Response (Level 2) status, Solace Cyber continues to demonstrate its unwavering commitment to enhancing the cybersecurity landscape and providing unparalleled support to organisations facing the challenges of cyber threats.
For media inquiries, please contact: rbessant@solaceglobal.com
Incident Response Services
Complete a cyber risk assessment
We will test your security posture against the latest cyber threats.

Request your incident response plan
You will receive a comprehensive report detailing the current IT cyber security posture of your estate as well as ongoing access to the Cyber Security Incident Response Team and the Realtime Risk Platform.

Access to Real-time Risk Platform
A comprehensive platform to consolidate all your cyber risk management.

Cloud XDR
Spot malicious activity and respond quickly, before material damage is done to your business.

Managed Detection & Response
Mitigate cyber risk across all endpoints and servers, with advanced machine learning and AI as the critical components.

Security in Dubai, UAE and COP28 Climate Change Summit

The United Nations Climate Change Summit, COP28 will be hosted in Dubai at the end of the month to bring together global leaders in an effort to take action against climate change.
The Middle East, with its vast energy resources, intricate alliances, and ongoing conflicts, plays a crucial role in the global energy landscape, and the consequences of regional conflicts and geopolitical dynamics in the area have far-reaching implications for the world’s environmental and sustainability goals.
However, in addition to the long-standing geopolitical tensions and conflicts, the Israel-Hamas war holds the potential to heighten tensions and detract from the success of this summit, with the likely possibility of an increasing security risk to Westerners travelling to Dubai.
In this article:
- Security factors during COP28 in Dubai
- Background on Houthi Movement in Yemen
- UAE’s involvement in the Yemen conflict
- Potential for further destabilisation triggered by the Israel-Hamas War?
- Potential outcomes for security in Dubai and UAE
Security factors during COP28 in Dubai
Many Israeli climate organisations have stated that they will boycott COP28 and it is highly likely that Israel will be forced to withdraw from COP28 entirely due to security concerns.
However, COP28 will still attract thousands of Westerners, including many world leaders, diplomats and influential businesspeople. It is likely that COP28 represents an attractive target for terrorist actors due to the influx of foreigners and the international publicity of the event.
On 29 October, the UK's Foreign, Commonwealth & Development Office (FCDO) updated its advice for British nationals visiting the United Arab Emirates (UAE), indicating an increased threat of terrorism. The advisory warns that terrorist attacks are very likely, could be indiscriminate and may target places frequented by foreigners. While terror attacks within the UAE are rare and Emirati counter-terrorism forces are well funded and well trained, there is a realistic possibility that these forces will be overstretched by COP28 and that self-radicalisation in the region will increase as a result of the situation in the Gaza Strip.
Background on Houthi Movement in Yemen
In 2004, the Iranian-backed Houthi Movement, otherwise known as Ansar Allah (Supporters of God), rebelled against the Yemeni government with the aspiration of taking control of the entirety of Yemen. The conflict escalated in 2014 when Houthi forces seized Yemen's capital, Sanaa, and forced the Yemeni government into exile. This led to the deployment of a Saudi-led coalition in 2015 that seeks to establish full territorial control by the internationally recognised government within Yemen.
The Saudi-led coalition consists of predominantly Sunni and Arab nations such as the UAE, and is backed by Western powers including the USA, UK and France.
UAE’s involvement in the Yemen conflict
The UAE’s involvement in the coalition has involved a range of military and logistical support for the government of Yemen, including air strikes, the deployment of troops to Yemen and training local Yemeni militias allied to government forces.
The UAE’s involvement in the conflict has made it a target for Houthi forces who have developed an arsenal of long-range drones and missiles facilitated by Iran. Houthi forces have conducted numerous drone and missile attacks on the UAE, typically targeting strategic locations in Abu Dhabi and Dubai, such as airports, ports and oil facilities.
Since 2019, the UAE has significantly reduced its military footprint in Yemen, but it still projects power through its support for a number of militias allied to Yemeni government forces. The Houthis have attacked the UAE in response to successful military operations by these Abu Dhabi-backed militias, culminating in a series of attacks in 2022 against high-profile targets in Abu Dhabi and Dubai.
While the UAE maintains a sophisticated air-defence capability and has been able to shoot down the majority of projectiles within its airspace, it is likely that the Houthis have sufficient drones and missiles to overwhelm and penetrate UAE air defence.
The Houthi Movement have currently been in talks with Saudi Arabia and other local actors regarding a ceasefire.
Potential for further destabilisation triggered by the Israel-Hamas War?
There is a realistic possibility that the Israel-Hamas war destabilises the Middle East, and Iran exploits the situation to order its proxy forces to attack Israeli, Western and anti-Iranian forces and interests throughout the region.
Houthi forces have attempted drone and missile attacks on Israel in response to the Israel Defence Forces (IDF) military activity in the Gaza Strip, with all attacks to date intercepted by IDF or US air defence.
There is a realistic possibility that both Saudi Arabia and the UAE will be forced to respond to Houthi attacks, which would invariably provoke retaliatory attacks from the Houthis. Moreover, there is also a realistic possibility that the Houthi rebels will seek to exploit the current situation in the Middle East to conduct attacks on the UAE.
In the event of a wider conflict involving Israel, the Houthi rebels could exploit regional tensions to launch missile and drone attacks, engage in cyber warfare, and employ asymmetric tactics against the UAE, aiming to distract or pressure the UAE due to its involvement in regional security initiatives and the Saudi-led coalition.
A further motivation for the Houthis, who are backed by Iran and reportedly allied to Hezbollah, would be to present themselves as defenders of the Palestinian cause and target the UAE for its recent normalisation of relations with Israel and ties to the West.
Potential outcomes for security in Dubai and UAE
The Supreme Leader of the Houthi Movement has stated that, if the Israel-Hamas conflict is not contained and provokes US retaliation, the group will respond with drones and missiles. With Al Dhafra Air Base located just south of Abu Dhabi, it is highly likely that in that scenario Houthi forces would attempt to target the US military and US interests within the UAE.
For those travelling to the UAE on business or attending COP28, Solace Global Risk facilitates safer travel for corporate travellers, executives and private clients, with travel risk assessments and end-to-end secure journey management.
Security solutions include intelligence and advisory, latest security alerts through Solace Secure, security trained drivers and airport meet and greet.
Our Journey Risk Management Solutions
Speak to our team about your journey management needs
Overview: Cisco has issued a critical patch for IOS XE devices. Over 40,000 exploited devices have been discovered.
Threat Name: CVE-2023-20198
Risk Factor: Critical
Date: 24th Oct 2023
Get Help Now
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis
What We Know About The Attack.
Cisco has announced that a zero-day vulnerability, CVE-2023-20198, is being actively exploited. It carries the maximum CVSS score of 10.0. The flaw is in the IOS XE web UI and allows an unauthenticated remote attacker to create an account with privilege level 15, that is, full administrative access, on the affected device.
In the observed attacks Cisco has also seen a second vulnerability, CVE-2023-20273, used in the same chain: it allows an authenticated remote attacker to inject arbitrary commands as the root user, which the actor used to install an implant. The number of detected implants dropped sharply over the weekend; this was most likely caused by the threat actor modifying the implant to evade detection rather than by devices being cleaned.
The threat actor's intentions are unknown. As of 24 October 2023, it is believed that over 40,000 devices carry the implant.
Which Organisations Are Affected By This Attack?
Any organisation running Cisco IOS XE devices. Two questions determine whether a given device is exposed:
Is the device configured with HTTP or HTTPS management? If it is and remains unpatched, it can be exploited.
Does the device run any services that depend on HTTP or HTTPS, such as eWLC? If not, disable the HTTP server feature. If it does, restrict access to those services to trusted networks where feasible.
Solace Cyber Recommendations
To ensure that your systems have not been compromised, it is essential to follow these steps:
- Check for compromise: Follow Cisco's guidance, which includes a specific curl command that checks a device for the implant associated with this activity. A negative result is not proof that the device is clean: the implant does not survive a reboot, but any privilege-15 account created through CVE-2023-20198 does, so also review the local user accounts and configuration change logs on every exposed device.
- Disable the HTTP server feature or limit its access: On all internet-exposed devices, disable the HTTP server feature (both HTTP and HTTPS); this removes the attack vector entirely. If the web UI is genuinely needed, restrict access to trusted management IP addresses only.
- Patch your Cisco IOS XE devices: Apply Cisco's fixed software releases without delay. Patching closes the vulnerabilities but does not remove accounts the attacker has already created, so the compromise check above should be completed alongside it.
In summary, following these steps diligently will help you mitigate the risks associated with the disclosed vulnerabilities, maintain the security of your network, and protect your systems and data from potential threats.
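The compromise check from the first recommendation, wrapped so it can be run across an inventory of devices. This is an added example, not Cisco's or Solace Cyber's code: it sends the POST from Cisco's published curl command (`curl -k -X POST "https://<DEVICE>/webui/logoutconfirm.html?logon_hash=1"`) and classifies the answer. The hostnames, the "any hex-only body" heuristic and the optional extra header are assumptions of the example; Cisco's updated guidance for the modified implant adds an Authorization header whose value should be taken from the advisory rather than from here.

```python
"""Check Cisco IOS XE devices for the CVE-2023-20198 web UI implant.

Added example; this is not Cisco's or Solace Cyber's code. It wraps the check
Cisco published in its advisory:

    curl -k -X POST "https://<DEVICE>/webui/logoutconfirm.html?logon_hash=1"

A device running the implant answers the POST with a hexadecimal string; a
clean device returns a normal web UI response (login page, redirect or 404).
Hostnames passed on the command line are the operator's own inventory.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional

# The implant echoes a hex token in the body. Cisco's sample is 18 characters;
# accepting any hex-only body of 8+ characters is an assumption that tolerates
# variants without ever matching ordinary HTML.
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{8,}")


def classify_body(status: int, body: str) -> str:
    """Classify one HTTP response as IMPLANT, CLEAN or UNKNOWN."""
    text = body.strip()
    if status == 200 and HEX_TOKEN.fullmatch(text):
        return "IMPLANT"
    # The web UI answered in some normal way without the implant marker.
    if status in (200, 301, 302, 401, 403, 404):
        return "CLEAN"
    return "UNKNOWN"


def check_device(host: str, timeout: float = 5.0,
                 extra_headers: Optional[dict] = None) -> str:
    """Send Cisco's logoutconfirm POST to one device and classify the answer.

    extra_headers is for the Authorization header from Cisco's updated guidance
    on the modified implant; the value is deliberately not hard-coded here.
    """
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # same as curl -k: device certs are usually self-signed
    req = urllib.request.Request(url, data=b"", method="POST",
                                 headers=extra_headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_body(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx raise; the body is still worth classifying.
        return classify_body(err.code, err.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError):
        # Nothing answered on 443: web UI disabled, filtered, or host down.
        return "UNREACHABLE"


if __name__ == "__main__":
    for device in sys.argv[1:]:
        print(f"{device}: {check_device(device)}")
```

Run it as `python check_iosxe.py router1.example.net router2.example.net`. UNREACHABLE only tells you that nothing answered on 443; a device with plain `ip http server` enabled on port 80 is still exposed, so check that too. CLEAN means this implant did not answer, nothing more: Cisco's remediation is `no ip http server` and `no ip http secure-server` (or an access-class restricting the web UI to management addresses), followed by the fixed release, and a review of the running configuration for privilege-15 local users you did not create.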
Need support?
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis.
Israel’s Military Strategy and Biden’s Visit

Current Assessment of Israel Hamas Conflict
Intelligence cut-off time 11:00 GMT 17th of October 2023
Whilst it remains almost certain that the Israeli Defence Forces (IDF) will commit to a ground offensive in the Gaza Strip, this is unlikely to occur within the next 24-48 hours.
The main factor behind the delay is the announcement of President Biden's visit to Israel for discussions with Israeli Prime Minister Benjamin Netanyahu on Wednesday 18 October. It is highly unlikely that the US will sponsor an IDF invasion while President Biden is in Israel, because of the threat of Hezbollah retaliation from Lebanon, which would almost certainly be backed by the Iranian regime, or of attacks by one of the other militant groups operating out of the West Bank. Hezbollah alone is estimated to have amassed a stock of over 150,000 rockets. While most are crude, unguided munitions with ranges of only 10-40 km, Hezbollah also holds more sophisticated Iranian-derived rocket and missile systems such as the Fateh-110 (250-300 km), SCUD-B/C/D (300-550 km) and Zelzal 1/2 (125-250 km). These systems enable Hezbollah to strike high-value targets such as Ben Gurion airport with a high degree of accuracy. While Israel's Iron Dome air defence system is expected to detect and intercept the majority of rockets, there is a realistic possibility that Hezbollah could launch salvos large enough to overwhelm it.
Given the missile and rocket threat posed by Hezbollah and the fact Hamas have now likely fired the majority of their rockets, there is a realistic possibility that the IDF will be forced to reposition mobile elements of its Iron Dome system to counter the emerging threat in the north.
Iran’s Involvement with Israel Hamas Conflict
Iran has warned that its proxy forces will conduct “pre-emptive action” in response to Israel’s retaliatory strikes on Gaza, which will invariably include the use of Hezbollah forces. However, it is unlikely that Hezbollah will conduct any major attacks with President Biden in Israel for fear of a major US retaliation.
Moreover, it is more likely that Hezbollah and Iran will wait until Israel commits forces to Gaza: with a considerable part of the IDF fixed in the south, opening a northern front would be tactically advantageous, almost certainly stretching IDF forces and complicating Israeli resupply and sustainment. To counter Iran and its proxies, the US has moved the USS Gerald R. Ford-led Carrier Strike Group (CSG) 12 into the eastern Mediterranean and has deployed a second CSG led by the USS Eisenhower, currently in the eastern Atlantic and expected to enter the eastern Mediterranean within days. The combined combat power of two US CSGs would provide overwhelming air superiority should the US enter a conflict alongside Israel, and warnings have already been issued to Iran that the US will engage Iranian proxy forces. It is highly likely that Israel will delay a ground offensive until the USS Eisenhower is in position in the eastern Mediterranean.
Expectations for Biden’s Visit to Israel
It is expected that Biden will discuss with Netanyahu the evacuation of civilians from the Gaza Strip through the Rafah crossing with Egypt. It is likely that Biden will demand that a humanitarian corridor is established before IDF forces enter Gaza; Biden is also forecast to visit Egypt, where he will likely apply diplomatic pressure to the same end. The IDF will want to commit forces sooner rather than later, as any delay affords Hamas and other militants time to prepare defensive positions and mobilise. However, Israel is hugely dependent on US military aid, which currently stands at approximately USD 4 billion per annum, and it is unlikely that Israel's weapon stocks are high enough to sustain operations in Gaza while retaining enough to counter Hezbollah or fight a wider conflict. Therefore, it is likely that Israel will have to accede to US requests in order to guarantee the delivery of future military aid, and will not commit to a ground offensive until Biden has obtained reassurances from Tel Aviv.
Alternative Analysis
Hezbollah, under orders from Iran will launch a pre-emptive attack on Israel prior to the arrival of President Biden. Such a move will provoke Israel into retaliating and committing to a ground offensive in Gaza before the Rafah crossing is opened and civilians are evacuated, causing an acute humanitarian crisis. This will undoubtedly provoke much international condemnation, resulting in anti-Israeli protests and rhetoric and potentially force the West to temper its support of Israel.
Solace Global Security Within Israel
Whether you are considering an evacuation or seeking to continue operations while ensuring the safety of your team, we are here to assist.
For those seeking a secure exit from Israel, Solace Global offers comprehensive journey management services:
- Private Charter Flights: Flight options are available to various destinations across Europe.
- Secure Ground Transportation: Secure movement within Israel, ensuring access to open land borders and maritime evacuation points.
- Armed or unarmed English-speaking security-trained drivers, Close Protection Officers (CPOs), and discreet, low-profile vehicles at your disposal.
Overview: A small botnet has leveraged an HTTP/2 vulnerability to cause a record-breaking DDoS attack.
Threat Name: CVE-2023-44487
Risk Factor: Medium
Date: Oct 2023
Get Help Now
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis
What We Know About The HTTP/2 DDoS Attack.
Cloudflare detected an unprecedented DDoS attack on August 25, 2023, reaching a peak of over 201 million requests per second, three times larger than Cloudflare’s previous record. The attack exploited a weakness in the HTTP/2 protocol and was executed by a modest botnet comprising 20,000 machines.
Cloudflare notes that the entire web typically sees 1-3 billion requests per second, so with this technique an attacker could concentrate the equivalent of the whole web's request volume on a few targets. Google and AWS observed similar attacks in the same period.
The vulnerability, known as HTTP/2 Rapid Reset, lets an attacker exhaust a server's resources by opening a stream and immediately cancelling it, repeated at a very high rate. Each request costs the client almost nothing to send and cancel, but the server has already begun processing it, and because cancelled streams no longer count against the per-connection concurrent stream limit, a single connection can generate far more work than that limit was designed to allow.
CISA has added this vulnerability to its Known Exploited Vulnerabilities catalogue: https://www.cisa.gov/news-events/alerts/2023/10/10/cisa-adds-five-known-vulnerabilities-catalog
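The server-side mitigation that the patched HTTP/2 implementations converge on, shown as an added example rather than code from Cloudflare, Google, nginx or Solace: count client-initiated resets of still-in-flight streams per connection over a short window, and send GOAWAY when the rate is abnormal. The guard is driven here by two constructed frame traces, one Rapid Reset burst and one ordinary client; the window, counts and ratio are demo assumptions, not values from any particular server.

```python
"""Per-connection guard against HTTP/2 Rapid Reset (CVE-2023-44487).

Added example; not code from Cloudflare, Google, nginx or Solace. A client can
open a stream (HEADERS) and cancel it (RST_STREAM) at almost no cost, while the
server has already started work on the request, and cancelled streams no longer
count against SETTINGS_MAX_CONCURRENT_STREAMS. The defence below counts such
resets per connection and closes the connection when the rate is abnormal.
Thresholds are assumptions chosen for the demonstration.
"""
from collections import deque


class RapidResetGuard:
    def __init__(self, window_s=1.0, max_resets=100, min_streams=100, max_reset_ratio=0.5):
        self.window_s = window_s
        self.max_resets = max_resets            # hard cap on counted resets per window
        self.min_streams = min_streams          # ratio rule only applies above this many opens
        self.max_reset_ratio = max_reset_ratio  # resets / opens above which we give up
        self.opened = deque()                   # timestamps of client HEADERS frames
        self.resets = deque()                   # timestamps of RST_STREAM on in-flight streams
        self.in_flight = set()
        self.tripped = False

    def _expire(self, now):
        cutoff = now - self.window_s
        for q in (self.opened, self.resets):
            while q and q[0] < cutoff:
                q.popleft()

    def on_headers(self, stream_id, now):
        """Client opened a stream: a request the server starts processing."""
        self._expire(now)
        self.opened.append(now)
        self.in_flight.add(stream_id)
        return self._decide()

    def on_rst_stream(self, stream_id, now):
        """Client cancelled a stream. Only resets of streams we were still
        working on count; a reset of a finished stream is harmless."""
        self._expire(now)
        if stream_id in self.in_flight:
            self.in_flight.discard(stream_id)
            self.resets.append(now)
        return self._decide()

    def on_response_done(self, stream_id):
        self.in_flight.discard(stream_id)

    def _decide(self):
        """'OK' to keep serving, 'GOAWAY' to close the connection. Sticky once tripped."""
        if not self.tripped:
            n_open, n_rst = len(self.opened), len(self.resets)
            if n_rst > self.max_resets or (
                n_open >= self.min_streams and n_rst / n_open > self.max_reset_ratio
            ):
                self.tripped = True
        return "GOAWAY" if self.tripped else "OK"


def run_trace(events, guard=None):
    """Feed (frame, stream_id, time) tuples through a guard.
    Returns (verdict, index of the event that tripped it, or None)."""
    guard = guard or RapidResetGuard()
    for i, (frame, sid, t) in enumerate(events):
        if frame == "HEADERS":
            verdict = guard.on_headers(sid, t)
        elif frame == "RST_STREAM":
            verdict = guard.on_rst_stream(sid, t)
        else:  # "DONE": the server finished this response
            guard.on_response_done(sid)
            continue
        if verdict == "GOAWAY":
            return verdict, i
    return "OK", None


def attack_trace(n=1000, gap=0.0002):
    """Constructed Rapid Reset burst: open and immediately cancel n streams in n*gap seconds."""
    ev = []
    for i in range(n):
        sid, t = 2 * i + 1, i * gap  # client-initiated streams use odd IDs
        ev.append(("HEADERS", sid, t))
        ev.append(("RST_STREAM", sid, t + gap / 2))
    return ev


def benign_trace(n=200, gap=0.005):
    """Constructed normal client: n requests over a second, a few cancelled (user navigated away)."""
    ev = []
    for i in range(n):
        sid, t = 2 * i + 1, i * gap
        ev.append(("HEADERS", sid, t))
        ev.append(("RST_STREAM" if i % 40 == 0 else "DONE", sid, t + gap / 2))
    return ev


if __name__ == "__main__":
    print("attack:", run_trace(attack_trace()))
    print("benign:", run_trace(benign_trace()))
```

The ratio rule is what separates the two traces: a real browser cancels a handful of in-flight requests, the attack cancels essentially all of them. The hard cap catches a slower attacker who pads the trace with cheap completed requests. Note that this sits in the HTTP/2 framing layer, below any application rate limit, which is why the fix has to come from the web server or proxy vendor.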
What's The Impact of the DDoS Attack?
The vulnerability primarily threatens availability. If your business depends on externally facing web servers, apply the latest updates for those servers and ensure resilient DDoS mitigation is in place.
Every internet-accessible service that speaks HTTP/2 should be patched. The fix lives in the server software's handling of stream resets, so an unpatched server remains exposed regardless of other hardening, and keeping these services current is what stays ahead of the exploit.
How Do I Protect My Business?
Keep server software current and put robust DDoS mitigation in front of public services, so that exploitation attempts are identified and absorbed before they affect availability.
For any organisation that depends on external web servers, the combination of prompt patching of HTTP/2-capable services and upstream DDoS mitigation is what protects the critical systems behind them.
Solace Cyber Recommendations
Swiftly update your web servers by applying the available software updates for Apache, Tomcat, IIS, .NET, nghttp2, and h2o.
Mitigate the impact of potential DDoS attacks on your organisation by implementing DDoS mitigation services.
Solace is ready to support you in ensuring that your security products are up to date with the latest patches and can provide assistance with any inquiries regarding DDoS mitigation methods.
Need support?
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis.
Overview: Security researchers recently uncovered a straightforward method to spoof more than 2 million domains, raising significant concerns in the cyber security community.
Risk Factor: Critical
Date: Sept 2023
Get Help Now
Solace Cyber security specialists can perform a detailed mail security review and assist you with your supply chain risk.
What We Know About The MailChannels Spoofing Issue
The news follows the recent DEF CON hacking conference, where Marcello Salvati, a researcher affiliated with Rapid7, gave an eye-opening talk that demonstrated a method for leveraging the “biggest transactional email service” and Cloudflare, effectively circumventing the safeguards of SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
While the initial insights shared during the talk have seen some partial mitigation measures implemented, particularly with the use of Cloudflare workers and MailChannels, a disconcerting concern still persists.
What is the ongoing risk to MailChannels Users?
The issue poses a substantial risk for MailChannels customers, as well as those whose hosting providers rely on their services. Even if your domain has SPF and DMARC measures well-configured, the possibility remains that your domain could be maliciously spoofed by other MailChannels customers.
This alarming revelation underscores the persistent challenges in ensuring the security and authenticity of email communications, compelling organisations to remain vigilant and consider additional protective measures to safeguard their digital identities.
What’s The Impact on MailChannels Services?
Inclusion of the MailChannels SPF record may expose domains and users to impersonation risks. A recent solution has been introduced to address this concern. Given that a significant portion of the 2 million domains lacks these protective measures, it opens the door to widespread misuse of the MailChannels service.
The researcher highlights the absence of sender identity verification: anyone can register on MailChannels’ website for a mere $80 and use its “normal” SMTP relay to maliciously spoof customer domains.
Furthermore, another finding concerns the adoption of ARC (Authenticated Received Chain), which inherently reduces spam scores.
Solace Cyber’s threat researchers, utilising SMTP, have validated these findings as genuine threats, emphasising the importance of organisations implementing countermeasures promptly.
Solace Cyber Recommendations
Ensure that your organisation has adequate email safeguards activated, including SPF, DMARC, and DKIM protocols.
Confirm the integrity of your SPF records and check for the presence of MailChannels. If it is present, the entry looks like “include:relay.mailchannels.net”. Confirm that every other entry in your SPF record is necessary; if the MailChannels entry is unnecessary, remove it from your SPF configuration, along with any other superfluous entries.
Alternatively, if you require the MailChannels SPF record, add the recommended MailChannels lockdown TXT record. You may need to speak to your webhosting provider.
- Create a DNS TXT record following the pattern _mailchannels.yourdomain.com, replacing yourdomain.com with your domain name.
- In the DNS TXT record, specify one or more MailChannels account ids (auth) or sender ids (senderid) that are permitted to send email for your domain, using the following syntax: v=mc1 auth=myhostingcompany senderid=mysenderid
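The SPF and lockdown-record checks above, as an added example that is not Solace Cyber’s or MailChannels’ code: the zone contents are constructed and `lookup_txt` stands in for a real DNS query (swap it for a resolver such as dnspython in practice).

```python
"""Check a domain's SPF record for the MailChannels include and, if present,
whether a MailChannels lockdown record restricts who may send as the domain.

Added example, not part of the original alert. DNS lookups are replaced by
a constructed in-memory zone so the check runs offline.
"""
MAILCHANNELS_INCLUDE = "include:relay.mailchannels.net"

# Constructed sample zone: TXT records keyed by record name.
SAMPLE_ZONE = {
    "locked.example": ["v=spf1 include:relay.mailchannels.net include:_spf.google.com -all"],
    "_mailchannels.locked.example": ["v=mc1 auth=myhostingcompany senderid=mysenderid"],
    "open.example": ["v=spf1 include:relay.mailchannels.net ~all"],
    "nomc.example": ["v=spf1 ip4:192.0.2.10 -all"],
}


def lookup_txt(name, zone=SAMPLE_ZONE):
    """Return the TXT strings for `name` (empty list if none). Stand-in for DNS."""
    return zone.get(name.lower().rstrip("."), [])


def spf_record(domain, zone=SAMPLE_ZONE):
    """Return the domain's SPF record, or None if absent or ambiguous.
    RFC 7208 requires exactly one v=spf1 record; more than one is a permerror."""
    records = [r for r in lookup_txt(domain, zone) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def parse_lockdown(record):
    """Parse 'v=mc1 auth=... senderid=...' into {'auth': [...], 'senderid': [...]}.
    Returns None if the record is not a MailChannels lockdown record."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=mc1":
        return None
    out = {"auth": [], "senderid": []}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        if key in out and value:
            out[key].append(value)
    return out


def assess_mailchannels(domain, zone=SAMPLE_ZONE):
    """Classify the domain's MailChannels exposure. Returns one of:
      'no-spf'             no usable SPF record
      'not-included'       SPF does not reference relay.mailchannels.net
      'included-unlocked'  MailChannels included but no lockdown record, so any
                           MailChannels customer passes SPF when sending as the domain
      'included-locked'    MailChannels included and a lockdown record names the
                           permitted account ids / sender ids
    """
    spf = spf_record(domain, zone)
    if spf is None:
        return "no-spf"
    if MAILCHANNELS_INCLUDE not in spf.lower().split():
        return "not-included"
    for txt in lookup_txt(f"_mailchannels.{domain}", zone):
        lock = parse_lockdown(txt)
        if lock and (lock["auth"] or lock["senderid"]):
            return "included-locked"
    return "included-unlocked"


if __name__ == "__main__":
    for d in ("locked.example", "open.example", "nomc.example", "missing.example"):
        print(d, assess_mailchannels(d))
```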
Furthermore, it is advisable to evaluate your supply chain for potential vulnerabilities in their email configurations.
Need help?
Solace Cyber security specialists can perform a detailed mail security review and assist you with your supply chain risk.
Overview: Researchers have found that the DarkGate malware strain is being spread through phishing campaigns in Microsoft Teams by outside parties.
Risk Factor: High
Date: August 2023
Get Help Now
Solace Cyber security specialists can perform gap analysis of your current AV / EDR products to ensure all endpoints are protected.
What We Know About The Microsoft Teams Phishing Campaign Pushing DarkGate Malware
In a recent incident, security experts at Truesec noticed Microsoft Teams messages originating from third-party accounts, delivering ZIP files that purported to be from the victim’s HR department.
Initially, the attack commenced with a social engineering tactic aimed at enticing the recipient to click on the .zip file, which contained an LNK (shortcut) file masquerading as a PDF document.
Upon execution, this file triggered a VBScript that used curl.exe to download a payload consisting of AutoIt together with a compiled AutoIt script. VirusTotal identified the resulting file as DarkGate malware.
The malware supports a wide range of malicious capabilities, including remote access tooling, cryptocurrency mining, keylogging and a built-in stealer.
Security Awareness in Microsoft Teams
Microsoft Teams, by default, permits external third parties to engage in communication through its platform. While many training resources focus on email as a potential threat vector, it’s crucial to educate your user base about the risks associated with external communications in Teams as well.
It’s worth noting that even with security measures like Microsoft Safe Links and Safe Attachments in place, they may not provide complete protection against all types of threats. As seen in the incident investigated by Truesec, there can still be vulnerabilities and risks to address. Therefore, a multi-layered security approach that includes user awareness and training is essential to bolster your organization’s defense against evolving threats in platforms like Microsoft Teams.
Emerging Phishing Threats: What’s The Impact?
This particular phishing campaign is still in its early days.
Given the limited range of mitigation methods currently available and the probability that users have not been adequately trained to recognise this specific threat vector, they may be more susceptible to this tactic compared to traditional email-based attacks.
Solace Cyber Recommendations
Educating staff about this specific threat vector is crucial. Prioritise raising awareness, similar to efforts against email phishing attacks.
Given the restricted options for mitigation, it’s advisable to assess external messaging permissions. Administrators have the option to create an approved list of specific organisations allowed to communicate or, alternatively, block all third-party communications.
Additionally, it’s essential to conduct a comprehensive gap analysis of your existing AV (Antivirus) and EDR (Endpoint Detection and Response) solutions to guarantee that all endpoints are equipped with functioning and current protection measures.
Gap Analysis Support
Solace Cyber can perform gap analysis of your current AV / EDR products to ensure all endpoints are protected.
Navigating the Crossroads: The Impact of Cyber Security Threats on the Automotive Industry

In an era marked by rapid technological advancements, the automotive industry is undergoing a transformative shift. With the advent of connected vehicles, autonomous driving, and integrated smart systems, vehicles have evolved from mere mechanical machines to sophisticated computers on wheels. While this evolution brings remarkable benefits, it also introduces a new frontier of challenges, primarily in the realm of cyber security. This blog explores the growing influence of cyber security threats on the automotive industry and the measures being taken to address these challenges.
The Rise of Connected Vehicles and Vulnerabilities
Connected vehicles have become a symbol of convenience and innovation. However, the integration of internet connectivity into cars also presents a potential gateway for cyber attackers. Hackers can exploit vulnerabilities in infotainment systems, telematics, and communication protocols to gain unauthorised access to a vehicle’s network. This access could lead to unauthorised control over critical functions, jeopardising passenger safety.
Autonomous Vehicles and Their Security Quandaries
The pursuit of autonomous driving has further intensified the need for robust cyber security. Autonomous vehicles rely on an array of sensors, cameras, and data-sharing mechanisms to navigate roads safely. Any compromise in the integrity of these systems could result in accidents or even intentional harm. Protecting these vehicles from hacking attempts is crucial to ensure public trust and safety in this transformative technology.
Data Privacy and User Information
Connected vehicles generate an immense amount of data related to driving patterns, user preferences, and geolocation. This data is not only valuable for manufacturers but also for malicious actors seeking to exploit personal information for financial gain or other nefarious purposes. Ensuring the privacy of user data has become a significant concern, necessitating stringent data protection measures.

Supply Chain Vulnerabilities
The automotive industry relies on a complex global supply chain, which can inadvertently introduce vulnerabilities. If even a single component or software module is compromised at any point in the supply chain, it could potentially expose the entire vehicle fleet to cyber threats. Collaborative efforts between manufacturers and suppliers are essential to establish a chain of trust and enhance cyber security resilience.
Industry Response and Collaborative Initiatives
Recognising the severity of cyber security threats, the automotive industry has begun taking proactive measures. Collaboration between automakers, technology companies, and cyber security experts has led to the development of best practices, guidelines, and standards specifically tailored to the industry’s unique challenges. Organisations like the Automotive Information Sharing and Analysis Center (Auto-ISAC) have been established to facilitate information sharing and coordination among industry stakeholders.
Integration of Security by Design
To mitigate cyber security risks, manufacturers are increasingly adopting a “security by design” approach. This strategy involves integrating cyber security measures at every stage of a vehicle’s development lifecycle. From concept and design to manufacturing and maintenance, security considerations are embedded to create a holistic and robust cyber security framework.
The Comprehensive Solace Cyber Solution
As the automotive industry accelerates toward a future defined by connectivity and automation, the spectre of cyber security threats looms large. The intersection of technology and transportation has brought unprecedented conveniences and efficiencies, but it has also exposed vehicles to new forms of risk.
Organisational compute and infrastructure, such as classic on-premises server rooms, datacentres and cloud-based services, are all subject to regular attack, and the colocation of many services, often with network crossover between them, has simply increased the scope and availability of a reachable threat surface.
By employing our Anticipate, Protect, and Respond strategy in the realm of cyber security, Solace Cyber has formulated a variety of service packages that can assist the industry in navigating this crossroad. These packages are built upon our core Real-time Risk Platform initially, scaling out to extend all the way up to our comprehensive safeguarding service suite of Solace Cyber Secure 360.
By acknowledging these challenges and collectively working towards innovative solutions we can build a safer and more secure automotive landscape for everyone.
Find out more about how Solace Cyber can support you on your cyber secure journey.
Request a free 30-minute consultation
If you’re concerned your business has fallen victim to a phishing or ransomware attack – get in touch with the incident response team today.
Military Coup in Gabon August 2023

Summary of Military Coup in Gabon
In the early hours of 30 August, the Gabonese Election Centre (CGE) announced that President Ali Bongo had won a third term in office, having received 64.27 percent vote share in Saturday’s general election. However, just after 05:00 local time, a group of senior officers from the Gabonese military announced on television channel, Gabon 24, that they had seized power with the full support of the Gabonese security and defence forces.
Introducing themselves as members of The Committee of Transition and the Restoration of Institutions, the officials stated that the election results were cancelled, all borders were closed until further notice and state institutions – the government, the senate, the national assembly, the constitutional court and the election body – were dissolved.
Following the announcement, domestic and regional sources reported gunfire could be heard in the capital Libreville. However, as the day progressed, the streets appeared calm, and crowds of citizens peacefully took to the streets. Videos circulating on social media showed multiple instances of people celebrating and cheering, often in close proximity to the country’s armed forces. So far, there have been no signs of widespread protest or alarm. Several hours after the officers’ announcement, internet access also appeared to be restored for the first time since Saturday’s vote.
The Gabonese government has yet to make an official statement, with President Bongo reportedly under house arrest, surrounded by his family and doctors.
Potential for Political Unrest in Gabon
Ahead of the coup, there was significant concern over potential unrest following Saturday’s presidential, parliamentary and legislative elections, which the opposition alleged were plagued by fraud. Questions over the election’s transparency were reinforced by the lack of international observers, the suspension of foreign media broadcasts, the decision to cut internet service, and the imposition of a nationwide curfew.
President Ali Bongo and his father, Omar Bongo, have ruled Gabon since 1967, but frustrations with the political dynasty had been growing for several years ahead of Saturday’s election. The Central African nation is a major oil producer, so much so that it is a member of OPEC, as well as being a major exporter of uranium and magnesium. Indeed, the country is home to over one-quarter of the world’s proven magnesium reserves. However, Bongo has done little to channel its oil and other wealth towards the population of some 2.3 million people, a third of whom live in poverty.
This is also not the first attempt in recent history to overthrow Bongo. In January 2019 he and the Gabonese government foiled an attempted military coup after soldiers briefly seized the state radio station and broadcast a message saying Bongo, who had suffered a stroke months earlier, was no longer fit for office.
Find further analysis on political instability in West Africa
Situation Analysis by Solace Global
The strength of Gabon’s extractive-based economy means that it is Africa’s third-wealthiest country by GDP per capita. However, with large swathes of the country still living in poverty, it is highly likely that the state has failed to transfer much of this wealth to ordinary citizens. It is likely that economic disparities have been one of the major triggers for the coup. This is supported by the lack of public resistance and the fact that celebrations have been seen on the streets of Libreville and other major population centres across the country.
Furthermore, the coup has yet to be characterised by anti-French rhetoric in a similar vein to the recent West and Central African coups in countries like Niger and Mali. However, the coup is almost certainly another problem for Paris in Africa, with multiple French companies operating in the country. Unlike the other coups in Africa, it is doubtful that the Gabonese coup leaders will seek Russian support in favour of maintaining Western relations. Gabon has traditionally had weak ties with Russia and unlike much of Africa, has not been threatened with major insurgencies and security issues. Moreover, Gabon was one of the countries in Africa that voted against Russia at the United Nations in the 2022 resolution on Ukraine.
Economically, the coup is almost certainly going to lead to price volatility in global oil and magnesium markets. Gabon has strong economic links with both France, and increasingly with China, and it is a major exporter of commodities to these nations. Reports indicate that some foreign companies like the French mining company, Eramet, have already suspended operations in Gabon in response to the coup. It is therefore highly likely that both France and China will be looking for the political situation to be resolved quickly, and there is a realistic possibility of diplomatic involvement from both Paris and Beijing.
In the immediate future, it is unlikely that any major protests or armed clashes will break out, as the Gabonese security forces are seemingly onside and most indications suggest the public is too. Restoring internet access was likely a move to win over the public as well as to signal a different approach to governance than the Bongo regime. However, this also presents an increased potential for demonstrations and protests, both in favour of and against the coup, to occur as information is spread on social media. There is a realistic possibility of sustained demonstrations, which will likely lead to disruption in major population hubs. Borders will likely remain closed for the coming days, but if scenes remain calm, borders are likely to reopen more quickly than seen in Niger and Mali.

Advice for travellers affected in Gabon
- Although the coup appears to be relatively peaceful, widespread unrest and violence could ignite at any time. Travellers should avoid all ongoing military activity and any large public gatherings as the security situation may deteriorate quickly and without warning.
- In the event of significant security developments, travellers in Gabon should follow any instructions issued by the government or military authorities. If a curfew is declared, it is vital to abide by the curfew rules to avoid any conflicts with security forces.
- If violence escalates inside the capital, consider departing from Libreville whilst commercial options are still available.
- Key military and political infrastructure inside the capital is very likely to remain a focal point for violence and demonstrations. You should be particularly vigilant in these areas and follow any specific advice from the local security authorities.
- Expect significant travel disruption and an enhanced security force posture inside Libreville in the short-term. Should any opposition movement to the coup materialise, it is likely that flights will be suspended, and roadblocks or vehicle checkpoints will be established.
- Always follow all instructions and orders from security forces. Where possible, avoid areas of active conflict and remain inside a secure location away from windows.
- Ensure that you always carry personal identification documents. Consider making photocopies of important documents in case of confiscation, theft or loss and keep these documents separated from the originals.
- Emergency services may be unable to support you in the short-term. Be aware of what consular support may be available to you in-country. Many countries do not provide direct consular support in Gabon. The UK’s consular services for Gabon are based in Yaoundé, Cameroon.
- Have emergency contact numbers saved on your phone. These should include the local authorities, medical facilities and any consular support. Ensure that mobile phones are charged in case of any losses in electricity.
- If caught in the vicinity of a security incident, seek shelter immediately and leave the area if safe to do so. Continue to adhere to all instructions issued by authorities and obey any security cordons in place.
- Monitor the Solace Secure platform and trusted local media for updates relevant to the coup.

Attempted coup in Niger July 2023

Summary of Attempted Coup in Niger
On the morning of 26 July, multiple domestic and regional sources reported that a potential coup was underway in Niamey, Niger. Early indications suggested that the Presidential Guard had blocked the entrance to the Presidential Palace, and detained President Mohamed Bazoum. Concurrently, government ministries next to the palace were blockaded, with those inside, including the Minister of the Interior, detained.
By early afternoon, the Niger Armed Forces (FAN) and National Guard had both deployed in the vicinity of the Presidential Palace. The FAN and the Presidential office both released statements asserting that the ongoing coup attempt was being driven by “anti-republican” elements and gave the Presidential Guard an “ultimatum” to stand down and release President Bazoum, or face being attacked. Unverified social media reports have subsequently described armoured FAN columns entering Niamey. Further unverified reports later emerged of roadblocks appearing across the city.
Conditions in Niamey initially remained calm; however, as the situation developed, businesses were reportedly told to close and residents were ordered to stay at home. Operations at Diori Hamani International Airport currently remain unaffected, with flight tracking data showing that both inbound and outbound flights were operating as normal.
Recent Instability in Western Africa
Since 2020, several coups have taken place across the Sahel region, most notably in neighbouring Mali and Burkina Faso. The key driver for instability has been the inability of central governments to guarantee internal security from a myriad of insurgencies and terrorist actors. Niger has been increasingly afflicted by the instability affecting the wider region. In the southeast, Niger is battling incursions from Boko Haram and in the west of the country, the government is attempting to contain threats from Islamic State’s Sahel Province.
Due to the external and internal threats posed by these actors, Niger has become a major operating base for Western nations in the region. Indeed, both France and the USA utilise the country as a base for operations in the wider Sahel.
This relationship has grown in significance for Western governments as relations with other states in the region, such as Mali and Burkina Faso, have broken down in the wake of their own respective coups, leading to the expulsion of French forces.
Further strengthening this relationship is the fact that Niger’s President was democratically elected in 2021 and is one of the region’s few remaining democratically elected heads of state. However, in February 2023 protests erupted in the capital, Niamey, with demonstrators expressing their dissatisfaction with a sustained French military presence in the country, with many believing that the foreign presence was either ineffective or had exacerbated security concerns.
Find further analysis on political instability in West Africa
Situation Analysis by Solace Global
At the time of writing, there has been no official statement from the Presidential Guard. However, given the recent regional trends, it is highly likely that this attempted coup has transpired due to concerns regarding the deteriorating security situation in Niger.
This is further evidenced by the fact that the Presidential Guard has also apprehended the Minister of the Interior, who is the person ultimately responsible for policing and internal security in Niger. The recent uptick in attacks near the borders with Burkina Faso and Mali likely provided the catalyst for the current situation.
As the situation develops, it is almost certain that key transport routes and critical locations across Niamey will be seized by rival forces. This will include Niamey’s key river crossings, which connect the main part of the city on the eastern bank of the Niger River to its western parts, the international airport, and state TV and radio offices. At the time of writing, it is believed that President Mohamed Bazoum remains in detention.
The success of the ongoing attempted coup remains to be seen. Initial signs suggest that the FAN and National Guard have remained loyal to President Bazoum and are willing to fight. If this remains the case, it is unlikely that the coup succeeds due to the disparity in military firepower between the two sides. This result would ultimately see the Presidential Guard purged.
However, should the coup succeed, civil unrest, both in favour and against, will highly likely occur. A transitional military council will likely take over the government and immediately revise the stationing of foreign militaries in Niger. The removal of the last remaining Western forces in the region will likely create a security vacuum, that will almost certainly benefit the insurgencies and terrorist groups in Niger and the wider region.
Stay ahead of global events with free weekly intelligence

A critical pre-authentication vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) is currently being exploited by threat actors who have been able to execute code with zero credentials.
Threat Name: CVE-2023-3519
Risk Factor: Critical
Date: July 2023
Get Help Now
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis.
What we know so far about the Citrix vulnerability
A critical pre-authentication vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) was discovered in the first week of July. This vulnerability is currently being exploited by threat actors and is tracked as CVE-2023-3519, which carries a CVSS score of 9.8.
This has led Citrix to issue updates for affected products – it’s recommended that all those affected install the updates immediately.
How the Zero Day Exploit CVE-2023-3519 works
The vulnerability allows an attacker with zero credentials to execute code. MFA offers no protection in this scenario, as the flaw is exploited before authentication.
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.
Solace Cyber recommendations
It is advisable to patch the system immediately and search for any web shells that may have been created, as this vulnerability has been used maliciously. The following guidance is recommended:
Step 1) Review edited files within:
- “/netscaler/ns_gui/”
- “/var/vpn/”
- “/var/netscaler/logon/”
- “/var/python/”
Step 2) Review HTTP error log files
Step 3) Review shell log files
If no evidence of exploitation is found, then proceed with updating to the following versions of NetScaler ADC (Citrix ADC) and NetScaler Gateway (Citrix Gateway) or later:
- NetScaler ADC and NetScaler Gateway – 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway – 13.0-91.13 and later
- NetScaler ADC 13.1-FIPS – 13.1-37.159 and later
- NetScaler ADC 12.1-FIPS – 12.1-55.297 and later
- NetScaler ADC 12.1-NDcPP – 12.1-55.297 and later
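A triage helper for Step 1 above, as an added example (not Citrix’s or Solace Cyber’s tooling): it walks the four directories named in the alert and reports every regular file created or modified after a baseline time such as the last known-good patch date, with a SHA-256 for each hit. The `prefix` parameter, the baseline and the temporary tree built by `build_demo_tree` are constructed for illustration; run it against an offline copy or read-only mount of the appliance filesystem.

```python
"""List files under the NetScaler web-facing directories that changed after a
baseline time. Added example, not part of the original alert; the demo tree
and baseline are constructed.
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timezone

# Directories named in the alert, as mounted on a NetScaler appliance.
REVIEW_DIRS = ["/netscaler/ns_gui/", "/var/vpn/", "/var/netscaler/logon/", "/var/python/"]


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def files_modified_since(baseline_epoch, roots=REVIEW_DIRS, prefix=""):
    """Return sorted [(path, mtime_iso, sha256)] for regular files under `roots`
    whose mtime is later than `baseline_epoch`. `prefix` lets the same appliance
    paths be walked on an offline copy (for example prefix='/mnt/ns')."""
    found = []
    for root in roots:
        base = prefix + root
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.stat(p)
                except OSError:
                    continue                      # unreadable or vanished; skip
                if st.st_mtime > baseline_epoch:
                    iso = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
                    found.append((p, iso, sha256_file(p)))
    return sorted(found)


def build_demo_tree(tmpdir):
    """Construct a fake appliance tree: one file older than the baseline and
    one newer file in ns_gui. Returns the baseline epoch to pass to the scan."""
    gui = os.path.join(tmpdir, "netscaler", "ns_gui")
    os.makedirs(gui, exist_ok=True)
    baseline = time.time() - 7 * 86400            # pretend the last patch was 7 days ago
    old = os.path.join(gui, "index.html")
    new = os.path.join(gui, "new.php")
    for path, mtime in ((old, baseline - 86400), (new, baseline + 3600)):
        with open(path, "w") as f:
            f.write("demo\n")
        os.utime(path, (mtime, mtime))
    return baseline


def run_demo():
    """Build the constructed tree in a temp dir and return the flagged paths
    relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo_tree(tmp)
        hits = files_modified_since(baseline, prefix=tmp)
        return [os.path.relpath(p, tmp) for p, _iso, _digest in hits]


if __name__ == "__main__":
    for rel in run_demo():
        print("modified after baseline:", rel)   # netscaler/ns_gui/new.php
```

Any file reported here still needs a human review of its contents against a known-good build before it is treated as evidence of compromise.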
Solace Cyber can support your efforts in upgrading to the latest software versions. Additionally, our cyber security specialists can conduct forensic analysis to detect and determine the cause of a security incident and support recovery plans.
Speak to a cyber security specialist
Solace Cyber offers expert assistance with critical pre-authentication vulnerabilities
Fortinet has rolled out an updated version of FortiOS/FortiProxy, to address a severe SSL-VPN component vulnerability.
Threat Name: CVE-2023-27997
Risk Factor: Critical
Date: June 2023
Get Help Now
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis
What we know about the Fortigate – SSL VPN vulnerability
The vulnerability, which is tracked as CVE-2023-27997, is a pre-authentication remote code execution vulnerability which, if left unpatched, could lead to critical organisational risk.
The SSL-VPN vulnerability would allow an attacker with zero credentials to execute arbitrary code during the pre-authentication stage. This means the attacker could circumvent MFA.
Which OS versions are affected by the vulnerability?
- FortiOS-6K7K version 7.0.10
- FortiOS-6K7K version 7.0.5
- FortiOS-6K7K version 6.4.12
- FortiOS-6K7K version 6.4.10
- FortiOS-6K7K version 6.4.8
- FortiOS-6K7K version 6.4.6
- FortiOS-6K7K version 6.4.2
- FortiOS-6K7K version 6.2.9 – 6.2.13
- FortiOS-6K7K version 6.2.6 – 6.2.7
- FortiOS-6K7K version 6.2.4
- FortiOS-6K7K version 6.0.12 – 6.0.16
- FortiOS-6K7K version 6.0.10
- FortiProxy version 7.2.0 – 7.2.3
- FortiProxy version 7.0.0 – 7.0.9
- FortiProxy version 2.0.0 – 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
- FortiOS version 7.2.0 – 7.2.4
- FortiOS version 7.0.0 – 7.0.11
- FortiOS version 6.4.0 – 6.4.12
- FortiOS version 6.0.0 – 6.0.16
Solace Cyber recommendations
The disclosure of this vulnerability will likely assist adversaries in leveraging it, so it is highly recommended that patches are applied before further exploitation of the vulnerability takes place.
Above all, we strongly advise you to apply updates to the following applications:
- FortiOS-6K7K version 7.0.12 or above
- FortiOS-6K7K version 6.4.13 or above
- FortiOS-6K7K version 6.2.15 or above
- FortiOS-6K7K version 6.0.17 or above
- FortiProxy version 7.2.4 or above
- FortiProxy version 7.0.10 or above
- FortiProxy version 2.0.13 or above
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.5 or above
- FortiOS version 7.0.12 or above
- FortiOS version 6.4.13 or above
- FortiOS version 6.2.14 or above
- FortiOS version 6.0.17 or above
Solace Cyber can support your efforts in upgrading to the latest software versions. Additionally, our cyber security specialists can conduct forensic analysis to detect and determine the cause of a security incident and support recovery plans.
Get help with a VPN vulnerability
Solace Cyber offers expert assistance in managing a VPN exploitation.
The MOVEit transfer application used to transfer files has a zero-day vulnerability in the form of an SQL injection vulnerability.
The impact is still yet to be fully materialised.
Threat Name: CVE-2023-34362
Risk Factor: High
Date: May 2023
Get Help Now
Solace Cyber security specialists can provide technical guidance for assessing a potential supply chain risk
What we know about the MOVEit Transfer vulnerability
The MOVEit Transfer application has a zero-day SQL injection vulnerability. This allows the adversary to drop a web shell on the host inside the MOVEit wwwroot directory, after which the attacker can download any file within MOVEit and install a backdoor.
In a known breach, Zellis, a supplier of IT services for payroll and human resources, says a “small number” of organisations have been affected.
The ransomware group “Cl0p” has posted on its ransomware site that it is exploiting the MOVEit vulnerability. Microsoft has also attributed the attack to Cl0p. The recent attacks do not show signs of encryption, although there is potential for this to occur, as well as lateral spread.
The group states on their Darknet page that they’ll post the names of the organisations compromised on June 14th 2023 if the targeted organisation hasn’t already contacted them. In the past 24 hours the BBC, Boots and British Airways have confirmed they’ve been impacted.
The UK’s National Cyber Security Centre said it was “monitoring the situation” and urged organisations using the compromised software to apply security updates. As of today, internet reconnaissance shows 127 instances of the MOVEit Transfer application exposed in the UK and 1853 in the US.
What’s the impact of the zero-day exploit?
Because the number of compromised organisations is still growing and the compromise is spreading through supply chains, the full impact has yet to materialise.
Organisations without the vendor’s latest patch against CVE-2023-34362 should assume breach and conduct investigative and remediation efforts where the service is publicly accessible.
Solace Cyber recommendations
Where applicable we recommend organisations:
- Disconnect MOVEit Transfer servers from the internet
- Search for indicators of compromise
- Rotate Azure storage keys and any other SQL credentials
- Perform a forensics investigation of your affected servers
- Restore and rebuild from a backup of the system’s last known-good state
- Apply the patch
- Continuously monitor all systems
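One way to carry out the “search for indicators of compromise” step, as an added example that is not Solace Cyber’s tooling or code from this page: the text above notes that the exploit drops a web shell into the MOVEit wwwroot directory, so the script below compares the server-side handler files (.aspx/.ashx/.asmx) under a wwwroot path against an administrator-supplied baseline and a patch or incident cutoff time. The baseline file names, the directory tree and the timestamps are all constructed here; on a real server you would point it at the actual wwwroot and build the baseline from a clean reference install.

```python
"""Hunt for unexpected or recently changed server-side handlers under a wwwroot.

Added example; the baseline, directory layout and timestamps are constructed
and do not reflect the real MOVEit Transfer file list.
"""
import os
import tempfile
from pathlib import Path

# Constructed baseline (assumption): relative paths of handlers verified on a
# clean reference install.
KNOWN_GOOD = {"app_home.aspx", "app_login.aspx", "api/app_api.ashx"}
SERVER_SIDE_EXTS = {".aspx", ".ashx", ".asmx"}


def find_unexpected_handlers(wwwroot, known_good=KNOWN_GOOD, modified_after=None):
    """Walk wwwroot and report handler files that are either absent from the
    baseline or modified after `modified_after` (epoch seconds).

    Returns a sorted list of (relative_path, reason).
    """
    root = Path(wwwroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SERVER_SIDE_EXTS:
            continue
        rel = path.relative_to(root).as_posix()
        if rel not in known_good:
            findings.append((rel, "not in baseline"))
        elif modified_after is not None and path.stat().st_mtime > modified_after:
            findings.append((rel, "modified after cutoff"))
    return sorted(findings)


def build_sample_wwwroot():
    """Create a constructed directory tree that mimics a tampered wwwroot."""
    base = Path(tempfile.mkdtemp(prefix="wwwroot_sample_"))
    cutoff = 1_685_000_000  # constructed epoch cutoff (late May 2023)
    for rel in ("app_home.aspx", "app_login.aspx", "api/app_api.ashx", "style.css"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<!-- baseline file -->")
        os.utime(p, (cutoff - 86400, cutoff - 86400))  # untouched before cutoff
    # A baseline file that was rewritten after the cutoff.
    tampered = base / "app_login.aspx"
    tampered.write_text("<!-- baseline file, rewritten -->")
    os.utime(tampered, (cutoff + 3600, cutoff + 3600))
    # A handler that is not in the baseline at all.
    dropped = base / "app_home2.aspx"
    dropped.write_text("<!-- constructed: unexpected handler -->")
    os.utime(dropped, (cutoff + 7200, cutoff + 7200))
    return base, cutoff


def demo():
    """Run the hunt over the constructed tree and return its findings."""
    base, cutoff = build_sample_wwwroot()
    return find_unexpected_handlers(base, modified_after=cutoff)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:22} {rel}")
```

A hit is a lead, not a verdict: preserve the file and its timestamps for the forensic investigation rather than deleting it, and treat a new file whose name closely resembles a legitimate handler with particular suspicion.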
Solace Cyber is here to help with technical guidance to assess a potential supply chain risk or give further support to the recommendations above.
Speak to a cyber security specialist
Solace Cyber offers expert assistance in managing potential supply chain risks.
Microsoft Outlook has a critical vulnerability (CVSSv3 9.8) that requires no user interaction to exploit.
Microsoft has released a patch for Outlook.
Threat Name: CVE-2023-23397
Risk Factor: Critical
Date: April 2023
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis.
What we know so far about the Microsoft Outlook zero-day exploit
The vulnerability has been exploited by the threat group APT28 (also known as Fancy Bear, Sofacy and STRONTIUM) since April 2022.
It was initially reported to Microsoft by the Ukrainian CERT. According to Microsoft, “a Russia-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in government, transportation, energy, and military sectors.
Currently 15 organisations are believed to have been targeted or breached using CVE-2023-23397.
Solace Cyber’s Head of Incident Response assesses with high confidence that this vulnerability will be adopted by other threat actors, resulting in a large volume of attacks in the coming days to weeks.
As of 16/03/2023, proof-of-concept code has been developed by security researchers and is likely to be used in subsequent attacks by other threat actors.
How Zero Day Exploit CVE-2023-23397 works
The attacker sends an Outlook note or task to the victim, which triggers the notification sound file mechanism and causes Outlook to send an NTLM negotiation request to an attacker-controlled SMB share. The threat actors accomplish this using extended MAPI properties that contain UNC paths. The vulnerability can be exploited with a single specially crafted email, even if the victim never opens the item.
This vulnerability cannot be exploited through Outlook for iOS, Mac or Android; it affects all currently supported Windows versions of Outlook.
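The property that carries the notification sound path is the extended MAPI property PidLidReminderFileParameter, and the audit Microsoft’s script performs comes down to inspecting that value on every item. The script below is an added example (not Microsoft’s script and not code from this page) that shows the core of that check: it classifies each reminder sound path as local, an approved network share or an unapproved one, so that a mailbox export can be triaged. The approved-host allowlist, the sender addresses and the sample items are constructed for this example; in practice the values come from a mailbox audit export.

```python
"""Audit Outlook items for reminder sound paths that point to a network share.

Added example; the allowlist, hosts and sample items below are constructed.
The reminder sound path lives in the extended MAPI property
PidLidReminderFileParameter; a UNC value there makes Outlook authenticate
to the named host when the reminder fires.
"""
import re

# Assumption: shares the organisation has explicitly approved for reminder sounds.
APPROVED_HOSTS = {"fileserver01", "fileserver01.corp.example"}

# Matches \\host\share\file.wav and the \\host@port\share\file.wav (WebDAV) form.
UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?:@(?P<port>\d{1,5}|SSL))?(?:\\(?P<rest>.*))?$",
    re.IGNORECASE,
)


def classify_reminder_file(value):
    """Classify one PidLidReminderFileParameter value.

    Returns one of: "empty", "local", "approved-unc", "unapproved-unc".
    """
    if value is None or not value.strip():
        return "empty"
    match = UNC_RE.match(value.strip())
    if match is None:
        return "local"  # e.g. C:\Windows\Media\chimes.wav
    host = match.group("host").lower()
    if host in {"?", "."}:
        return "local"  # \\?\C:\... and \\.\ device-path prefixes are not remote
    return "approved-unc" if host in APPROVED_HOSTS else "unapproved-unc"


def audit_items(items):
    """Return (subject, sender, path, verdict) for every item whose reminder
    sound would be fetched over the network, unapproved hosts first."""
    findings = []
    for item in items:
        verdict = classify_reminder_file(item.get("reminder_file"))
        if verdict.endswith("-unc"):
            findings.append((item["subject"], item["sender"],
                             item["reminder_file"], verdict))
    return sorted(findings, key=lambda f: f[3] != "unapproved-unc")


# Constructed sample items, shaped like rows from a mailbox audit export.
SAMPLE_ITEMS = [
    {"subject": "Quarterly review", "sender": "alice@corp.example",
     "reminder_file": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Team sync", "sender": "bob@corp.example", "reminder_file": ""},
    {"subject": "Device path edge case", "sender": "carol@corp.example",
     "reminder_file": r"\\?\C:\Windows\Media\notify.wav"},
    {"subject": "Shared reminder", "sender": "it@corp.example",
     "reminder_file": r"\\fileserver01\sounds\ding.wav"},
    {"subject": "Urgent task", "sender": "external@example.net",
     "reminder_file": r"\\203.0.113.5@80\public\alert.wav"},
]

if __name__ == "__main__":
    for subject, sender, path, verdict in audit_items(SAMPLE_ITEMS):
        print(f"{verdict:15} {sender:25} {subject!r}: {path}")
```

Any item in the unapproved bucket is evidence that the client may already have sent an NTLM negotiation to that host, which is why the recommendation to run the audit in a mode that preserves the items matters: the UNC value and the item’s sender are the forensic lead.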
Who is at risk from the Microsoft Outlook Zero Day Vulnerability
- Organisations that have on-premises domain controllers and use Outlook are at risk.
- Organisations that use only Azure AD and have no on-premises domain controllers are protected.
Note: Remote workers are at higher risk because home firewalls do not block outbound SMB traffic.
Solace Cyber Recommendations to mitigate risk
- Immediately patch all Outlook clients to the latest available version (Microsoft released the required software update this Tuesday). This can be done by emailing all end users to advise a manual update of Microsoft Office (click-to-run) or by updating via alternative methods. If you require assistance with auto-patching, Solace Cyber can assist. To update manually:
  - Launch any Office application (Microsoft Outlook, Word, Excel or PowerPoint).
  - Select File > Office Account.
  - Select Update Options > Update Now.
  - Allow the update process to complete (approximate time: under 15 minutes).
- Additionally, organisations are strongly advised to run Microsoft’s script to look for signs of compromise in users’ mailboxes. Preferably this is run in audit mode only so that forensic data can be reviewed. If the script produces results, review the UNC paths in the Outlook items to ensure no exploitation has occurred.
- Ensure SMB outbound connections are blocked on your organisation’s firewall.
Speak to a cyber security specialist
Solace Global can conduct forensic audits and patching to secure your estate from the Microsoft Outlook zero-day vulnerability.
Alert Plus: Multiple Large Earthquakes Strike Southern Turkey

Situation Summary: Large Earthquakes in Southern Turkey
At 01:17 (UTC) on 6 February, a magnitude 7.8 earthquake was detected 30km west-northwest of Gaziantep, Turkey (37°10’26.4″N 37°01’55.2″E). The earthquake struck at a depth of 24.1km, and it quickly became apparent that a significant number of casualties and extensive damage had occurred in Turkey and northern Syria. There have been several substantial aftershocks, eight of which recorded a magnitude of at least 5. Tremors have also been felt in Greece, Cyprus and Lebanon.
As of 10:00, at least 1200 fatalities had been confirmed across Turkey and Syria. Images and videos posted to social media and local news outlets indicate considerable damage to infrastructure. In Turkey alone, at least 2818 buildings have collapsed. At 10:24, the region was then struck again by a separate 7.5 magnitude earthquake 4km south-southeast of Ekinozu (37°10’26.4″N 37°01’55.2″E) – roughly 128km north of the earlier epicentre. At the time of writing, it has been reported that the region has experienced at least 100 aftershocks.
According to the United States Geological Survey (USGS), the area in which the quakes have hit is populated predominantly by non-earthquake-resistant residential structures, often built of masonry, brick and non-reinforced concrete frames. As a result, many buildings will have been badly damaged or will have collapsed completely, leaving few places in which survivors can shelter safely.
Turkey declared a ‘Level 4 Alarm’ after the initial tremor, which reportedly includes a call for international assistance and support. The European Union has agreed to send rescue teams and is preparing further help for Turkey. US officials are also monitoring the situation and have noted their willingness to help. Rescue teams from India, Russia and Taiwan have also deployed.
President Recep Tayyip Erdogan has described events so far as the nation’s worst disaster since the 1939 Erzincan earthquake, a 7.8 magnitude earthquake that killed over 32,000.
Intelligence Analysis by Solace Global
The earthquakes have struck as Turkey prepares for its May elections, which were already seen as some of the country’s most consequential in decades. These earthquakes add further electoral weight, since previous large earthquakes have led to major political changes in the country. In the wake of Turkey’s last major earthquakes, in 1999, voters turned away the incumbent parties in the 2002 elections. These parties were punished for the poor relief and reconstruction efforts, and for the large-scale corruption the earthquake exposed. Recep Tayyip Erdogan and his newly formed Justice and Development Party (AKP) were the major beneficiaries of this political shift. As a result, he became Prime Minister in 2003 and ascended to the Presidency in 2014, a post he still holds.
The province of Gaziantep, where the epicentre of the earlier earthquake is located, has long been a cradle of support for the AKP and Erdogan. Indeed, support for the AKP and Erdogan has remained high in the province despite the recent economic volatility and uncertainty in the country, and the persistent accusations of corruption levied against the AKP and President Erdogan. Consequently, comprehensive aid and reconstruction efforts are likely to be implemented swiftly. Despite this, contemporary Turkish political history suggests that the AKP, having been the beneficiary of the 1999 earthquake, may suffer politically from these. This becomes increasingly likely if victims feel that aid is too slow or insufficient, or that reconstruction efforts are corrupt.
Northern Syria has also been badly affected by the disaster. This part of the country has seen several recent Turkish military incursions; it is also home to some of the last anti-government areas of control. The tremors are almost certain to mean that Turkish offensive military operations in the region are temporarily halted, as the military is redeployed to support disaster relief and search and rescue operations in Turkey. The Syrian government may also seek to fast-track search and rescue and reconstruction efforts in areas in the region it controls in a bid to try and win support across an area which was long a stronghold of anti-Assad movements.
Those with interests in the region are advised to note that there remains considerable potential for large-magnitude aftershocks or follow-on tremors.

Advice if Affected by Earthquakes in Turkey
- Individuals with planned travel to Turkey or Syria are advised to reconfirm itineraries and expect considerable localised travel disruption, particularly in the vicinity of the Turkey/Syria international border
- Be aware that flights into and out of regional airports may be disrupted, impacting downstream travel plans
- Travellers are advised to avoid the immediate vicinity of all damaged infrastructure and ongoing emergency services operations
- Be aware that large aftershocks or additional earthquakes have a realistic possibility of occurring in the coming hours
- If caught in an earthquake, it is advisable to ‘Drop, Cover, and Hold On’ to reduce the risk of injury, making sure to cover the head and neck
- Following an earthquake, there can be serious hazards, such as damaged buildings, leaking gas and water pipes, and downed power lines
- If caught outside during earthquakes, exit vehicles and remain clear of overhead powerlines, bridges, or large structures
- If earthquakes occur during travel within coastal regions, be alert to the possibility of a tsunami and consider heading towards high ground once the initial tremors have passed
- Anticipate disruption to essential services, including water and electricity, WiFi or GSM/cellular network coverage, in addition to considerable pressure on local healthcare services
- Adhere to all instructions issued by emergency services or local government/security officials
- Monitor the Solace Secure platform and trusted local media for updates