Jill Brummer says
https://cybernews.com/security/microsoft-users-targeted-by-scammers-pretending-to-be-zoom/
In summary, the article is about a scam that targeted Microsoft users. The scammers sent phishing emails to 21k users and included the person’s name in the email along with a Zoom icon. The scammers did this to make it more trustworthy. The scammers included 2 bad URL links in the email. One link was the main “call-to-action” button and the other was an unsubscribe link (per the article). After selecting the button, the user would be taken to a fake page prompting for the user’s password in order to access messages that needed a response. According to the article, this is not isolated and has become more common to target Microsoft login pages.
Abayomi Aiyedebinu says
The article is about the Cash App data breach, where a previous employee was able to download customer information, which led to the vulnerability of at least 8 million Cash App users. However, it’s interesting to note that human errors are not the only cause of data breaches; sometimes it could be a malicious insider threat or even retaliation from a disgruntled employee. Therefore, organizations must have strict policies when it comes to decommissioning and revocation of passwords and authentication after resignation or disengagement.
https://www.usatoday.com/story/money/2022/04/06/cash-app-data-breach/9490327002/
Nicholas Foster says
https://www.infosecurity-magazine.com/news/killnet-claims-us-airport-ddos/ – Pro-Russian Group KillNet Claims Responsibility for 14 US Airport DDoS Attacks
The article I have chosen to highlight this week speaks to DDoS attacks against some of the largest airports in the U.S. There were 14 targeted public-facing domains, which include Los Angeles International Airport (LAX), Hartsfield-Jackson Atlanta International Airport (ATL), Chicago O’Hare International Airport (ORD), as well as other airports in Florida, Colorado, Arizona, Kentucky, Mississippi and Hawaii. The group that has taken credit for this DDoS attack is a pro-Russian group known as KillNet, who earlier this year successfully carried out the same attack. In summary, the DDoS attack was more of an annoyance than anything as it didn’t last very long.
Kenneth Saltisky says
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/
Microsoft is investigating reports of a new zero-day bug used to hack Exchange servers, later used to launch LockBit ransomware attacks. One incident from July 2022 used a previously deployed web shell on a compromised Exchange server to escalate privileges to Active Directory admin, steal 1.3 TB of data, and encrypt network systems. Previous attacks have been tracked as CVE-2022-41040 and CVE-2022-41082; however, this new attack utilizes tactics that do not line up with these CVEs. Microsoft has addressed that they are working on patches for the previous issues; however, they have not disclosed any information regarding these newer flaws since they were reported.
Christa Giordano says
https://www.bleepingcomputer.com/news/microsoft/all-windows-versions-can-now-block-admin-brute-force-attacks/
Microsoft deployed functionality to automatically block brute force attacks against local administrator accounts through group policy if the IT administrator enables the configuration. This is available on any Windows system that has the October 2022 update (or later). Windows 11 is set to default to this configuration, which locks any user account for ten minutes after ten failed logins within a ten-minute time period. The specific configuration is the “Allow Administrator account lockout” policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies. As an additional defense against brute force attacks, Microsoft strengthened the password requirements for local admin account passwords to use three out of the four basic character types.
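The thresholds described in the comment above (ten failed logins, ten-minute window, ten-minute lockout, lockout applied to the built-in Administrator) can be checked against a machine's exported local security policy. The script below is an added example, not code from the article or from Microsoft. It assumes the policy was exported on the target machine with `secedit /export /cfg policy.inf` and the file read with `encoding="utf-16"`; here a constructed sample stands in for that file. The key names `LockoutBadCount`, `ResetLockoutCount` and `LockoutDuration` are the ones secedit writes in its `[System Access]` section; `AllowAdministratorLockout` is assumed to be the exported name of the "Allow Administrator account lockout" setting.

```python
"""Audit an exported Windows local security policy against the account
lockout baseline described above (added example, not from the article)."""
import configparser

# Constructed sample in the layout `secedit /export /cfg` writes.  The values
# are made up, with one deliberate gap: LockoutDuration is under 10 minutes.
SAMPLE_POLICY_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 10
ResetLockoutCount = 10
LockoutDuration = 5
AllowAdministratorLockout = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text: str) -> dict:
    """Return the [System Access] section as a dict of raw string values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # secedit keys are mixed case; keep them as written
    cp.read_string(inf_text)
    return dict(cp["System Access"])


def audit_lockout(inf_text: str) -> list:
    """Compare the exported policy with the baseline: lockout enabled at 10 or
    fewer failed logins, 10-minute observation window, 10-minute lockout, and
    the built-in Administrator included.  Returns a list of findings; an empty
    list means the policy meets the baseline."""
    sa = parse_system_access(inf_text)

    def value(key: str) -> int:
        # Keys absent from the export behave as 0 (setting not configured).
        return int(sa.get(key, "0"))

    findings = []
    threshold = value("LockoutBadCount")
    if threshold == 0:
        findings.append("account lockout is disabled (LockoutBadCount = 0)")
    elif threshold > 10:
        findings.append(f"LockoutBadCount = {threshold}, expected 10 or fewer")
    # Window and duration are stored in minutes.
    if value("ResetLockoutCount") < 10:
        findings.append("ResetLockoutCount (observation window) is under 10 minutes")
    duration = value("LockoutDuration")
    # -1 means the account stays locked until an administrator unlocks it.
    if duration != -1 and duration < 10:
        findings.append("LockoutDuration is under 10 minutes")
    # Assumed key name for the 'Allow Administrator account lockout' setting.
    if value("AllowAdministratorLockout") != 1:
        findings.append("built-in Administrator is excluded from lockout")
    return findings


if __name__ == "__main__":
    # On a real host: open("policy.inf", encoding="utf-16").read() in place of the sample.
    for finding in audit_lockout(SAMPLE_POLICY_INF) or ["policy meets the baseline"]:
        print(finding)
```

The check deliberately treats a missing key as "not configured" rather than skipping it, so a freshly built machine that never had the policy applied shows up as a finding instead of passing silently.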
Maxwell ODonnell says
Toyota Reveals Data Leak of 300,000 Customers
Toyota recently became aware of an access key that was publicly available on GitHub for over 5 years; this access key could have potentially granted access to 300,000 customers’ private information including addresses, phone numbers, and credit card numbers. The leak was caused in 2017 by an outside website development contractor who mistakenly uploaded source code for their T-Connect service to GitHub. Toyota has made a statement: “on September 17, we took measures such as changing the access key of the data server, and no secondary damage has been confirmed.” Toyota has also warned customers to remain vigilant against phishing emails and other forms of identity theft if their information was on the T-Connect servers.
Events like this demonstrate how even the largest companies can fall victim to small mistakes like uploading an access key, and strong administrative policies need to play a larger role to mitigate these risks. It is surprising that the investigation concluded that there has yet to be any damage confirmed despite the access key being publicly available for 5 years. Who knows how long this information could have remained hidden, and I’m sure Toyota is grateful whoever found this reported it to them instead of using it for more nefarious purposes. This all illustrates that not all data breaches are caused by complex attacks; if someone does enough digging in the right spots they may be able to come up with something incredibly valuable.
https://www.infosecurity-magazine.com/news/toyota-data-leak-customers/
David Vanaman says
https://www.hawaiinewsnow.com/2022/02/24/what-tech-end-time-is-nigh-according-computers-anyway/
https://independentaustralia.net/business/business-display/year-2038-the-day-we-run-out-of-time,15951
I have a pair of articles that talk about the Year 2038 problem. This is a very similar issue to the Y2K bug that we talked about in this week’s assignment. Much like Y2K, the Year 2038 problem is an issue of computers hitting the end of their time counters and potentially causing havoc. Y2K had to do with decimal time (using xx to represent 19xx); the Year 2038 problem is a little deeper, as it deals with how time information is stored in binary format. Unix-based systems count time from the “epoch”, the number of seconds since 1 Jan 1970. There is a limit to the number of seconds that can be stored in the 32-bit register that counts time. In 2038, the counter will run out and roll over. This will cause dates to revert to 1910, which could cause all sorts of issues.
Fortunately, we have the Y2K remediation to look at as an example and plenty of time to address the issue. Unfortunately, the issue is harder to remediate. Altering data structures in the kernel has ripple effects that can cause all manner of problems. Additionally, Linux has been the go-to OS for devices that are long-life or low maintenance. Millions of IoT devices, infrastructure devices, sensors, and embedded systems have been and will be made that run a version of Linux, BSD, or other Unix-like OS that utilizes epoch time. Many of these devices will be end of life before 2038, but as we’ve seen, there are systems that run long past their expected lifespan, especially in industrial or infrastructure systems. Identifying and remediating these devices will be a more complex problem than it was in the 90s because there are so many more devices and they are subcomponents in a wide variety of other devices.
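The rollover described in the comment above can be worked through directly: a signed 32-bit epoch counter tops out at 2**31 - 1 seconds, and the next increment is read back as -2**31, so the clock jumps from early 2038 to late 1901. The script below is an added example, not code from either linked article or from the commenter; it reproduces the two's-complement wrap in pure Python and also tests whether a device's expected end-of-life year is representable in a 32-bit versus a 64-bit counter, which is the question an inventory of long-lived embedded systems needs answered.

```python
"""Year 2038 rollover, worked on a signed 32-bit time_t (added example).

Unix 'epoch' time is the number of seconds since 1970-01-01 00:00:00 UTC.
Stored in a signed 32-bit integer the largest value is 2**31 - 1; one second
later the same bit pattern is read as -2**31 and the date jumps backwards."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FMT = "%Y-%m-%d %H:%M:%S UTC"


def max_signed(bits: int) -> int:
    """Largest value a signed `bits`-wide two's-complement integer can hold."""
    return (1 << (bits - 1)) - 1


def wrap_signed(seconds: int, bits: int = 32) -> int:
    """Reduce an integer to a signed `bits`-wide two's-complement value, which
    is what a C counter silently does when it overflows."""
    modulus = 1 << bits
    half = 1 << (bits - 1)
    return ((seconds + half) % modulus) - half


def epoch_to_utc(seconds: int) -> datetime:
    """Convert an epoch second count to a UTC datetime.  timedelta arithmetic
    handles negative counts, which utcfromtimestamp rejects on some platforms."""
    return EPOCH + timedelta(seconds=seconds)


def last_representable_time() -> str:
    """The final second a signed 32-bit time_t can express."""
    return epoch_to_utc(max_signed(32)).strftime(FMT)


def seconds_after_limit(n: int) -> str:
    """What a signed 32-bit counter reads `n` seconds after its maximum."""
    return epoch_to_utc(wrap_signed(max_signed(32) + n, 32)).strftime(FMT)


def year_fits(year: int, bits: int = 32) -> bool:
    """True if 1 January of `year` is representable as a signed `bits`-wide
    epoch counter (use this against a device's expected end-of-life year)."""
    seconds = int((datetime(year, 1, 1, tzinfo=timezone.utc) - EPOCH).total_seconds())
    return -(1 << (bits - 1)) <= seconds <= max_signed(bits)


if __name__ == "__main__":
    print("last 32-bit second    :", last_representable_time())
    print("one second later      :", seconds_after_limit(1))
    # Constructed inventory entry: a sensor expected to stay in service to 2040.
    for bits in (32, 64):
        print(f"EOL year 2040 fits {bits}-bit time_t:", year_fits(2040, bits))
```

Running it shows the last 32-bit second landing on 19 January 2038 and the counter reading a date in December 1901 one second later; the same 2040 end-of-life year fails the 32-bit check and passes the 64-bit one, which is the kind of triage that separates devices needing a kernel or firmware update from those that will be retired in time.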
Shepherd Shenjere says
I found this article quite interesting, because the hacker used session hijacking to gain access to the administrator account. According to the article, the hacker managed to obtain the authentication cookies the site sets after an account holder enters valid credentials and successfully completes the two-factor authentication requirements. The session hijacking was made possible after uploading malicious content to XenForo, a site Kiwi Farms uses to power its user forums.
With all these techniques readily available to bad actors, it is key for every organization to ensure that they have proper defense mechanisms in place in order to be protected from these data breaches. The problem with many organizations is that they treat IT security as a burden and do not treat it as part of the business until a data breach happens.
https://arstechnica.com/information-technology/2022/09/kiwi-farms-has-been-breached-assume-passwords-and-emails-have-been-leaked/
Matthew Stasiak says
https://thehackernews.com/2022/10/modified-whatsapp-app-caught-infecting.html
An unofficially released version of WhatsApp called YoWhatsApp has been seen spreading an Android trojan called Triada. The goal of the malware was to steal the keys that allow the use of a WhatsApp account without the app, so the user would lose control of their account. YoWhatsApp is a UX customization app for WhatsApp, and many others like it exist; it has become very apparent in the past few years that even when users want to use the legitimate app, they are still somehow managing to distribute hacks – like this one – that ruin the entire legitimate experience.