Ethical Hacking

MIS 5211.001 ■ Fall 2019 ■ Wade Mackey

Week 10: SecuritySheperd

Article 10: Microsoft: We’re Changing All Your Cloud Contracts After Privacy Complaints

November 18, 2019 by Imran Jordan Kharabsheh

Due to concerns raised by the European Union’s Privacy Regulators regarding potential violations of the Union’s General Data Protection Regulation, Microsoft has reviewed and changed their Online Service Terms and Conditions for Commercial users. These changes come as a result of collaborative work with the Dutch Ministry of Justice, who first raised the concerns that Microsoft was collecting data that violated the General Data Protection Regulation. In a statement regarding these changes, Microsoft’s Chief Privacy Officer stated how this is a big “positive step forward” in regards to compliance and collaboration with bodies of the European Union to safeguard their users.

Source: https://yro.slashdot.org/story/19/11/18/1735246/microsoft-were-changing-all-your-cloud-contracts-after-privacy-complaints

Just a Third of Global Firms Are PCI DSS Compliant

November 14, 2019 by Percy Jacob Rwandarugali

The number of global organizations fully compliant with PCI DSS regulations has fallen for the second year in a row to just under 37%, according to a new report from Verizon.

The firm’s annual Payment Security Report (PSR) has tracked compliance levels for several years. This year’s was compiled from 302 PCI DSS engagements by Verizon Qualified Security Assessors (QSAs) with a range of organizations, including Fortune 500 and large multinational firms, in over 60 countries.

The global compliance figure fell from 53% in last year’s report — a significant drop. APAC organizations appeared to be the best prepared, with 70% fully compliant. The figure fell to 48% in Europe and a disappointing 20% in the Americas.

Rodolphe Simonetti, global managing director for security consulting at Verizon, warned that while 2010-16 saw an increase in compliance levels, the trend is now reversing.

Featuring data from Verizon’s Threat Research Advisory Center (VTRAC), the report claimed that a compliance program without proper controls has a 95% chance of not being sustainable and is therefore a major target for attack.

“Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment,” Simonetti explained.

https://www.infosecurity-magazine.com/news/just-a-third-of-global-firms-are/

Another One Bytes the Dust!! Capital One replaces security chief after data breach

November 7, 2019 by Michael Kalai

Capital One has replaced its cybersecurity chief four months after the company disclosed a massive data breach involving the theft of sensitive data on more than 100 million customers. Capital One continues to assess the aftermath from its July data breach, which saw a hacker take PII from millions of customers applying for credit cards. The data leaked also included names, addresses, postal addresses, phone numbers, email addresses, dates of birth and self-reported income, as well as credit scores and credit limits.

Capital One replaces security chief after data breach

Rogue TrendMicro Employee Responsible for Data Breach

November 7, 2019 by Andrew P. Sardaro

While many companies are spending a significant amount of their IT budget to protect assets from external attacks, many companies fail to recognize that internal attacks can be just as damaging as external attacks. An internal threat can be an employee holding a sensitive position that may act with malicious or unwitting intent.

In this article, we have an internal threat acting with malicious intent.

Trend Micro announced a security incident where an employee gained access to the personal data of thousands of its customers and sold it to malicious third-party tech support scammers.

Per Trend Micro, 68,000 of the company’s 12 million customers were impacted by this internal attack, and the stolen data contained customers’ names, email addresses, Trend Micro support ticket numbers, and phone numbers.

Trend Micro became aware of the breach in August 2019 when customers reported receiving calls from criminals who purchased the stolen data and were impersonating Trend Micro employees.

https://thehackernews.com/2019/11/insider-threat-data-breach.html

Post-Quantum Cryptography: 10 Things You Need to Know

November 6, 2019 by Daniel Bavaro

I think it’s always a good time to talk about Quantum. Quantum computing is a looming threat to all forms of cryptography. I have confidence that as quantum becomes available to the “bad guys” trying to brute force our systems, quantum will also be available to the “good guys” and we will have new tools for using the extra CPU horsepower to protect our systems. This article is a nice compilation of what is going on with quantum currently and how it relates to cryptography.

https://www.thesslstore.com/blog/post-quantum-cryptography-10-things-you-need-to-know/

Utah power utility experiences a Loss of View due to DDoS Attack

November 4, 2019 by Christopher James Lukens

An attack on a Utah power utility caused a loss of view of a remote power station from the main control center.
A DDoS attack was carried out on an unpatched internet-facing server on the utility’s network that caused a crash, leading the company to be unable to monitor the remote station. No further breach occurred, but this would be the first step in a full-fledged attack on a power utility and could be viewed as a proof-of-concept attack. This shows how crucial it is for a continuous vulnerability scanning program and patching program to be in place.

https://threatpost.com/solar-wind-power-utility-cyberattack/149816/

Windows ‘BlueKeep’ Attack That U.S. Government Warned About Is Happening Right Now

November 3, 2019 by William Ha

The NSA considers the BlueKeep exploit potentially “devastating” and as having a “wide-ranging impact”. In June 2019, they published an advisory urging Windows administrators to update their operating systems to prevent this growing threat. The exploit is being compared to the WannaCry attack, which as we know infected numerous systems worldwide. This ongoing BlueKeep attack seems to be smaller scale as a cryptocurrency miner payload is being used. However, the threat actors behind the attack can potentially drop more malicious payloads that can infect the estimated 700,000 Windows systems that still aren’t patched. Another interesting fact is that the BlueKeep exploit was recently released in Metasploit.

https://www.forbes.com/sites/daveywinder/2019/11/03/windows-bluekeep-attack-that-us-government-warned-about-is-happening-right-now/

New Chrome Zero-Day Exploit

November 1, 2019 by Xiduo Liu

A new zero-day was disclosed by Google on October 31. Update 78.0.3904.87 will start rolling out “over the coming days/weeks” according to Google. The nature of the zero-day and the details of this vulnerability are not available at this time. According to Google, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on but haven’t yet fixed.”

With the limited information on this zero-day, Google did confirm it is related to the CVE-2019-13720 vulnerability, which was first reported by Kaspersky. You can read more about this zero-day here.

Hacker duo plead guilty

November 1, 2019 by Jaimin Pandya

Two hackers who extorted money from Uber and LinkedIn pleaded guilty in a California court yesterday. Two guys (one from FL and the other from Toronto) admitted that they had accessed and downloaded massive amounts of confidential data from AWS using stolen creds.

One of the emails sent by them was:

“I was able to access backups upon backups, me and my team would like a huge reward for this,” the hackers said to the victim company in an email.

“Please keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to 7 digits, all went well.”

These guys were able to get their hands on more than 55 million Uber riders and drivers for which the company reportedly paid $100k in bitcoins in an attempt to cover up the breach. According to the article – “The indictment also revealed that the duo blackmailed LinkedIn in the same way in December 2016, informing the company that they had compromised databases of LinkedIn’s subsidiary Lynda.com and stole over 90,000 user records, including their credit card information.”

They have been released on a bond and will be sentenced in March 2020.

Article: https://thehackernews.com/2019/10/hackers-extorted-money.html

Russian Hackers Breach Network using IoT devices

October 31, 2019 by Andrew P. Sardaro

Per Microsoft, Russian state-backed hackers have been using IoT devices to breach certain networks. The attacks were discovered in April when some common IoT devices (VOIP Phone, Office printer) were found to be communicating with servers associated with “Strontium,” a Russian state-backed group better known as Fancy Bear.

The devices were able to be compromised due to default passwords in use, and old firmware being used with known vulnerabilities.

From the article:

“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server”

Microsoft has notified the IoT vendors to address the vulnerable devices.

Securing IoT devices can be a challenge as the device may have a proprietary OS that cannot be managed like Windows 10 IoT. Many IoT devices are configured using the set and forget method, leaving them in a vulnerable state. More education around securing IoT devices is needed prior to purchase.

https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/
