MIS 5214 - Section 001 - David Lanter
March 10, 2021 by Jose Gomez 21 Comments
Humbert Amiani says
March 11, 2021 at 9:47 pm
Attackers used an unmonitored account of a deceased employee to gain entry and launch the Nefilim ransomware. The ransomware locked up more than 100 systems after exfiltrating data for over a month. The attackers compromised vulnerable Citrix software to gain access to an admin account, where they stole domain admin credentials using Mimikatz.
At the time of the attack, the victim had Citrix StoreFront 7.15 installed, which had several high-severity vulnerabilities and security bugs. This was determined to be the point of entry, after which they used RDP to gain access to the initial admin account. They were then able to compromise a domain admin account to access and map out the Active Directory environment. They were then able to install MEGA, a file transfer and synchronization app, which they used to exfiltrate data for about a month. The new domain admin account the attackers created was used to delete about 150 virtual servers and to encrypt server backups using BitLocker.
The initial compromised ghost account belonged to a former employee who had been deceased for 3 months. There was no active monitoring of inactive accounts by the victim, nor were alerts set for when domain admin accounts are created or used. This attack could possibly have been prevented by removing the user account as soon as the employee was no longer there.
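The two controls named in the post above (monitoring for inactive accounts, and alerting when accounts are created or added to Domain Admins) are the kind of thing a defender can script against a directory export and Security event log. The following is an added example, not code from the original post or from the incident write-up; the account records and event records are constructed, the field names are simplified, and the 30-day threshold is an assumption. Event IDs 4720 (user account created) and 4728 (member added to a security-enabled global group) are the standard Windows Security event IDs for those actions.

```python
from datetime import datetime, timedelta

# Constructed directory export: (sAMAccountName, enabled, last logon).
# Made-up records, not data from the incident described above.
ACCOUNTS = [
    ("jdoe",     True,  datetime(2021, 3, 9)),
    ("ghost01",  True,  datetime(2020, 11, 20)),   # former employee, never disabled
    ("svc-bkp",  True,  datetime(2021, 3, 1)),
    ("old-temp", False, datetime(2020, 6, 1)),     # already disabled, not reported
]

# Constructed Security event records. 4720 = "A user account was created",
# 4728 = "A member was added to a security-enabled global group".
# Field names are simplified for the example.
EVENTS = [
    {"id": 4720, "subject": "ghost01", "target": "sysmaint"},
    {"id": 4728, "subject": "ghost01", "group": "Domain Admins", "member": "sysmaint"},
    {"id": 4728, "subject": "itadmin", "group": "Helpdesk", "member": "newhire"},
]

# Point in time the review is run; constructed so the sample data is reproducible.
AS_OF = datetime(2021, 3, 10)


def stale_enabled_accounts(accounts, now, max_idle_days=30):
    """Return names of enabled accounts whose last logon is older than the threshold.

    Disabled accounts are skipped: the risk is an enabled account nobody uses."""
    cutoff = now - timedelta(days=max_idle_days)
    return [name for name, enabled, last in accounts if enabled and last < cutoff]


def privileged_group_alerts(events, watched_groups=("Domain Admins",)):
    """Return human-readable alerts for account creations and additions to watched groups."""
    alerts = []
    for ev in events:
        if ev["id"] == 4720:
            alerts.append(f"{ev['subject']} created account {ev['target']}")
        elif ev["id"] == 4728 and ev.get("group") in watched_groups:
            alerts.append(f"{ev['subject']} added {ev['member']} to {ev['group']}")
    return alerts


if __name__ == "__main__":
    print("Stale enabled accounts:", stale_enabled_accounts(ACCOUNTS, AS_OF))
    for alert in privileged_group_alerts(EVENTS):
        print("ALERT:", alert)
```

In a real environment the account list would come from a directory query and the events from the domain controllers' Security logs; the two checks together would have flagged both the dormant account and the new domain admin described in the post.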
Priyanka Ranu says
March 12, 2021 at 10:21 am
Netflix Introduces Measures to Prevent Password Sharing
Netflix has introduced trial measures to try and prevent the practice of password sharing with multiple households. In this trial, users will receive a code sent via text or email to verify and access their account, which is enforcing authentication to use Netflix services. Some users have reported seeing a message on their screen stating, “If you don’t live with the owner of this account, you need your own account to keep watching.” I think this process that has been introduced by Netflix is effective to ensure that people using Netflix accounts are authorized to do so. Evidence suggests that password sharing among friends and family is a regular occurrence and increases chances for accounts being compromised and personal details accessed or stolen. The article also mentions how some people use the same password for multiple media services and other accounts, which increases the risk of accounts being compromised. In order to reduce the risk of compromise, the article recommended regularly changing your passwords and creating complex passwords with a password manager.
Zibai Yang says
March 12, 2021 at 10:54 am
Ransomware Operators Start Targeting Microsoft Exchange Vulnerabilities
In addition to state-sponsored threat actors, the recently disclosed vulnerabilities affecting Microsoft Exchange Server are now being targeted by ransomware operators.
A total of four critical zero-day vulnerabilities that are collectively referred to as ProxyLogon were patched in the Exchange Server at the beginning of this month, and activity surrounding the bugs has only intensified since.
This week, ESET revealed that it had identified at least 10 threat actors that are attempting to exploit these vulnerabilities in their attacks. Some of these threat actors had been targeting the vulnerabilities before Microsoft released patches for them. Thousands of Exchange servers are believed to be vulnerable to attacks, and at least hundreds of them have already been compromised since the attacks started. This week, the FBI and CISA issued a joint advisory to warn of these attacks.
Jonathan Castelli says
March 14, 2021 at 8:24 pm
The company I work for produces software which helps with vulnerability management. This is one of our Research Response Team’s blogs which outlines the vulnerability, the steps to identify it, and how to mitigate the vulnerability. Recently IBM F5 had 5 vulnerabilities which made the news. These vulnerabilities take advantage of buffer overflows. “At a minimum, the attacker would be able to cause a denial-of-service (DoS) against the vulnerable device. In some instances, the attacker could gain arbitrary code execution privileges.” Our team makes sure the organizations which use the vendor’s product have the information they need to ensure they are able to harden their machines.
Kyuande Johnson says
March 14, 2021 at 11:47 pm
Molson Coors reported a systems outage caused by a cybersecurity incident that delayed and may continue to disrupt parts of the company’s business, including its brewery operations, production and shipments. It was reported that the company experienced a ransomware attack. There has been no further information to confirm the nature of the attack. Molson Coors is the second-largest brewer in the United States behind Anheuser-Busch. Molson Coors is known for Coors Light and Miller Lite and many other legacy beer brands. Reports revealed IT equipment in manufacturing plants can’t get patched frequently, making these operations a prime target for attacks.
Wenyao Ma says
March 15, 2021 at 4:50 am
Pathlock Raises $20 Million to Grow Data Access Control Platform
Application data security provider Pathlock plans to use a new cash infusion to accelerate the development of its automated application governance solution and enhance its internal threat protection capabilities.
Pathlock’s orchestration platform can provide real-time data protection to more than 140 on-premise and cloud applications. Unlike traditional risk, audit, and security systems, Pathlock continuously monitors and synthesizes transactions across all enterprise applications where sensitive activities and data are concentrated. It surfaces actual violations, not theoretical possibilities. With Pathlock as the hub, all lines of defense work together to make informed decisions.
Xinyi Zheng says
March 15, 2021 at 6:48 pm
Over 80,000 Exchange Servers Still Affected by Actively Exploited Vulnerabilities
The bugs were publicly disclosed on March 2. Roughly 80,000 Exchange servers have yet to receive patches for the actively exploited vulnerabilities. After these bugs were found, security researchers revealed that multiple adversaries were quick to pick up exploits for the Exchange bugs, but also that some had been targeting the flaws even before patches were released. The first known exploitation attempt is dated January 3, 58 days before public disclosure.
Over the course of last week, Microsoft released additional fixes for these vulnerabilities, including security updates (SUs) for older and unsupported Exchange Server versions, or Cumulative Updates (CU), as the company calls them.
With the latest set of released updates, more than 95% of the Exchange Server versions that are exposed to the Internet are covered, yet tens of thousands of machines remain vulnerable. Microsoft revealed that, as of March 12, more than 82,000 Exchange servers were still left to be updated (out of 400,000 identified on March 1).
Cami Chen says
March 15, 2021 at 10:20 pm
Microsoft identified new ransomware called DearCry that can attack the latest security patches. Microsoft emphasizes that it has detected and blocked the ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. They found that the threat used the web shells or backdoors the Hafnium group installed, and the group exploited four zero-day Exchange Server flaws. The attacker used the web shells uploaded to Microsoft Exchange Server to enable remote administration of the machine. Additionally, the article mentioned that DearCry uses AES-256 and RSA-2048 to encrypt victim files and changes file headers with the string ‘DEARCRY!’. The attacker can enumerate the victim’s system so that the ransomware can start encrypting files with the RSA public key. While the researchers are analyzing the threat, they say that the ransomware is manually installed on each vulnerable server. Even though Microsoft released a new patch, the attackers can still use the web shells to install the ransomware unless the companies remove all of them.
Mei X Wang says
March 15, 2021 at 11:04 pm
25% of UK Workers let their Children use their work device.
A recent study shows that 25% of UK workers let their children use their corporate devices at home for schooling or other purposes. Due to COVID-19, there have been strict mandates for working at home, homeschooling, and closing of care facilities. It’s no wonder that the lines become blurred between personal and professional use of devices.
Many company-issued systems allow social media, and children are likely to use these devices for personal use, which leads to higher risks of being hacked. It’s difficult for businesses to harden their systems effectively “at home” with key security elements such as managed network access, gateway firewall, and secure cloud environment compared to these devices being hosted in the office. Some more issues that became prevalent from the working-from-home dynamic are the discovery of poor employee password management and work emails hosted on personal devices. These key security implications need to be addressed because these seemingly harmless acts become expanded endpoints that the hackers can target.
Anthony Messina says
March 16, 2021 at 9:04 am
Microsoft releases one-click Exchange On-Premises Mitigation Tool
Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) to allow small business owners to easily mitigate the recently disclosed ProxyLogon vulnerabilities. This month, Microsoft disclosed four zero-day vulnerabilities were being actively used in attacks against Microsoft Exchange. These vulnerabilities are collectively known as ProxyLogon and are being used by threat actors to drop web shells, cryptominers, and more recently, the DearCry ransomware on exploited servers. With many small businesses still not having installed the patch for the vulnerability, it seems Microsoft decided to be a bit more proactive about defending against it. Many organizations may lack the IT experience to understand things as basic as patch management, or may not even be aware of the exploit. Microsoft creating a one-click script for smaller organizations is a great step for them. Microsoft is quoted as saying, “Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.” The ‘EOMT.ps1’ script can be downloaded from Microsoft’s GitHub repository, and when executed, will automatically perform the following tasks:
Checks if the server is vulnerable to the ProxyLogon vulnerabilities.
Mitigates the CVE-2021-26855 Server-Side Request Forgery (SSRF) vulnerability by installing the IIS URL Rewrite module and a regular expression rule that aborts any connections containing the ‘X-AnonResource-Backend’ and ‘X-BEResource’ cookie headers.
Downloads and runs the Microsoft Safety Scanner to remove known web shells and other malicious scripts installed via these vulnerabilities. The script will then remove any malicious files found.
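The URL Rewrite rule the post describes works by refusing requests that carry the ‘X-AnonResource-Backend’ or ‘X-BEResource’ cookie. A defender who applies that mitigation usually also wants to look back through IIS logs for earlier requests carrying those cookie names. The following is an added example, not part of the original post or of Microsoft’s EOMT: a small parser for IIS W3C-format logs driven by the ‘#Fields:’ header, run over a constructed log excerpt. It assumes cookie logging (the cs(Cookie) field) is enabled on the site, which is not the IIS default, and the cookie values in the sample are placeholders.

```python
import re

# Cookie names the EOMT URL Rewrite rule blocks, as named in the post above.
SUSPECT_COOKIES = ("X-AnonResource-Backend", "X-BEResource")

# Constructed IIS W3C log excerpt with cs(Cookie) logging enabled. Addresses are
# documentation ranges and the cookie values are placeholders, not real requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie) sc-status
2021-03-05 10:12:01 203.0.113.5 GET /owa/auth/logon.aspx - 200
2021-03-05 10:12:07 198.51.100.9 POST /owa/auth/x.js X-AnonResource-Backend=constructed-value 500
2021-03-05 10:12:09 198.51.100.9 POST /ecp/y.js X-BEResource=constructed-value 200
2021-03-05 10:13:22 203.0.113.7 GET /ecp/default.aspx ASP.NET_SessionId=abc123 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the most recent #Fields line.

    IIS replaces spaces inside field values with '+', so whitespace splitting is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_suspect_requests(text, cookie_names=SUSPECT_COOKIES):
    """Return (c-ip, cs-uri-stem, cookie name) for entries whose Cookie field names a suspect cookie.

    The match anchors on the cookie name followed by '=', at the start of the field
    or after a ';' separator, so a cookie such as 'XX-BEResource' is not a false hit."""
    hits = []
    for entry in parse_w3c(text):
        cookie_field = entry.get("cs(Cookie)", "-")
        for name in cookie_names:
            if re.search(r"(^|;\s*)" + re.escape(name) + r"=", cookie_field):
                hits.append((entry["c-ip"], entry["cs-uri-stem"], name))
    return hits


if __name__ == "__main__":
    for ip, path, cookie in find_suspect_requests(SAMPLE_LOG):
        print(f"{ip} requested {path} with cookie {cookie}")
```

A hit in this review means a request of that shape reached the server before the rewrite rule existed, which is a reason to run the web-shell scan the post describes as the script’s third step rather than assuming the mitigation alone was enough.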
Anthony Wong says
March 16, 2021 at 12:05 pm
F5 released patches for four critical vulnerabilities with CVSS severity scores as high as 9.9. The highest-scoring vulnerability (CVE-2021-22986) can be exploited by an attacker for unauthenticated remote code execution (RCE) attacks. According to the article, “The vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services”.
The other vulnerability (CVE-2021-22987) affects another interface called the BIG-IP’s Traffic Management User Interface (TMUI). The vulnerability can be exploited to execute commands, tamper with files, and disable services; however, this can only be performed by authenticated users.
Krish Damany says
March 16, 2021 at 7:14 pm
As part of the ongoing Microsoft Exchange hacks, attacks are doubling every hour and attackers are installing ransomware on the servers known as DearCry. DearCry encrypts files with a special “.CRYPT” extension as well as places a filemarker string of “DEARCRY!” on every file. There also is a ransom note which tells the user to pay $16,000 and send the money to two email addresses. This ties into this chapter of Host Hardening, as cloud computing solutions are new, and SaaS cloud services are still susceptible to attacks. Because it’s a cloud service, only Microsoft has the power to fix the exploit, and all the businesses that use it must update their applications to include the patches.
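Both this post and Cami Chen’s post above give two artifacts of a DearCry-encrypted file: the ‘.CRYPT’ extension and the ‘DEARCRY!’ marker string written into the file header. Those are exactly what a responder sweeps a file share for when sizing up how far encryption got. The following is an added example, not code from either post or from any vendor: it builds a constructed directory tree in a temp folder and scans it for both indicators. It assumes the marker sits at the very start of the file (the posts say “file header” and “filemarker” without giving an offset).

```python
import tempfile
from pathlib import Path

MARKER = b"DEARCRY!"     # file-marker string named in the posts above
EXTENSION = ".CRYPT"     # extension the posts say encrypted files receive


def looks_encrypted(path: Path) -> bool:
    """True if the file has the .CRYPT suffix or starts with the DEARCRY! marker.

    Assumption for this example: the marker is at offset 0. Only the first
    len(MARKER) bytes are read, so large files are cheap to check."""
    if path.suffix.upper() == EXTENSION:
        return True
    with path.open("rb") as fh:
        return fh.read(len(MARKER)) == MARKER


def scan_tree(root) -> list:
    """Walk a directory tree and return sorted relative paths of files that look affected."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p)
    )


def build_sample_tree() -> str:
    """Create a temp tree of constructed files (not real ransomware output); return its path."""
    root = Path(tempfile.mkdtemp(prefix="dearcry_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.CRYPT").write_bytes(MARKER + b"\x00" * 16)   # both indicators
    (root / "notes.txt").write_bytes(MARKER + b"\x01\x02\x03")                  # marker only
    (root / "readme.txt").write_bytes(b"Quarterly planning notes\n")            # clean file
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in scan_tree(sample_root):
        print("affected:", rel)
```

Checking the marker as well as the extension matters because a rename alone would hide the extension, while the header bytes survive; the count of hits per share is also the quickest honest answer to the question of how much restoration from backup is needed.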
Haozhe Lin says
March 16, 2021 at 7:24 pm
“College closes all campuses for a week following ‘major’ cyber attack”
A Birmingham college has closed all its campuses to students for a week following a “major” ransomware cyberattack that disabled its core IT systems. A statement posted on the college’s website and its Twitter page on Saturday 13 March calls the incident a “major ransomware attack” – which is where computer systems are encrypted by hackers, who say they will only release them if a ransom is paid. From today, the college says, “we will revert to online teaching for the rest of the week for all areas.” The college is now in the process of investigating the extent of the outbreak and is working to ensure security and restore service “as quickly as possible”.
Austin Mecca says
March 16, 2021 at 9:40 pm
Last year saw a double-digit surge in ransomware, IoT threats, new malware and cryptojacking in what is being called the “tipping point” in the cyber arms race. Security vendor SonicWall compiled a report from over one million global sensors, which showed ransomware threats up 62% globally and 158% in North America. Retail attacks up 365%, healthcare up 123% and government up 21% were the highest industries. SonicWall’s CEO stated that organizations need to continue to be vigilant and proactive in improving their cybersecurity posture. This may not directly be related to host hardening, but it is still relevant, as cybersecurity needs to be at an all-time high, and if reinforcing your system is what will help, then the cons that come with it may have to be solved another way.
Zhen Li says
March 16, 2021 at 10:48 pm
Twitter Users Can Now Secure Accounts With Multiple Security Keys
Twitter on Monday announced that users with two-factor authentication (2FA) enabled can now use multiple security keys to protect their accounts. This allows users to take advantage of multiple security keys when securing their accounts, regardless of whether they are on a mobile device or on desktop.
To use security keys for account protection, users need to enable 2FA via text message or authentication application, select Security Key, and then enter their passwords when prompted, to begin the setup process.
After clicking Start, users can connect their physical security key, either via a USB port or via Bluetooth, after which they will need to touch the button on the key and then follow the on-screen steps to complete the setup process.
Security keys that have been added are displayed in the “Manage security keys” section, under “Two-factor authentication,” allowing users to easily manage them (rename, delete, or add new ones, as needed).
Prince Patel says
March 16, 2021 at 11:06 pm
Confessions of a security pro: I was wrong about host hardening.
This article provides a separate perspective about host hardening. The author believes it to be counterproductive. It’s interesting to see the other side of the perspective.
Heather Ergler says
March 17, 2021 at 4:22 pm
While the article is not specifically about host hardening, it is about how the DOD has been able to use the more stringent Cybersecurity Maturity Model Certification (CMMC) requirements for contractors. The benefit is how the DOD has effectively used those more stringent requirements to help harden the vendor selection and maintenance process, with hyper-awareness that cybersecurity is a constant battle where a vendor’s capabilities to secure information are as important as the DOD following stringent security best practices. What was unanticipated was the benefit that requiring the CMMC would have on the DOD’s capabilities to contract with smaller, more innovative organizations who comply with the clear requirements of the NIST SP 800-171 standards, provide a Plan of Action and Milestones on how they will fix areas of non-compliance, and create a System Security Plan. Contractor organizations need to prove cybersecurity maturity processes through a third party before working for the DOD. Because the expectation is out there, the DOD is seeing more small, innovative contractors eligible for DOD work.
Kelly Conger says
March 17, 2021 at 5:18 pm
Fiserv, a Fortune 500 software company that specializes in banking software, used a “dummy” or “non-registered” domain name in one of its internet banking solutions. The domain defaultinstitution.com shows up in emails and is referenced to contact the company with any questions or concerns. A gray/white hat hacker noticed that the domain defaultinstitution.com was not registered, and in fact had never been registered, so he bought the domain, and to his surprise he started getting a number of replies from people emailing @defaultinstitution.com with questions or concerns. Had it not been for this white hat hacker, Fiserv could have had a serious security breach on their hands. From what I read in the article, he was promised a t-shirt and a case of beer for alerting Fiserv of their security issue. He hasn’t received his t-shirt or beer yet. Come on, Fiserv!
Ting-Yen Huang says
March 17, 2021 at 6:05 pm
Spend on enterprise information security, risk management to grow 9.5% in 2021: Gartner
End-user spending on enterprise information security and risk management in India is set to touch $2.08 billion in 2021, an increase of 9.5 per cent on that in 2020, according to a forecast from Gartner, Inc. Spending growth in India is a little slower than the global average of 10.5 per cent, but faster than the mature Asia-Pacific countries. The Asia-Pacific countries are expected to increase their spending in this area by 8.6 per cent. Spending growth of the emerging APAC countries is happening at a faster pace at 10.7 per cent.
India’s security spending growth rate of 9.5 per cent is reasonable considering the growth rate of the global and the mature Asia-Pacific countries, according to Bhajanka. As organisations accelerate digital transformation, spending in areas such as cloud security and integrated risk management is set to grow. Many organisations also rely on the cloud, and CISOs (chief information security officers) and security leaders are aware of the risks and vulnerabilities that their organisations can be exposed to while migrating to the cloud from legacy systems.
In 2021, organisations are expected to increase their spending across all segments of security and risk management. Spending on cloud security is expected to witness the highest growth this year, up 251 per cent at $31 million as compared to $9 million last year.
Vanessa Marin says
March 17, 2021 at 6:18 pm
No one is safe. The more money you have, the more of a target you become. Add a social media profile and a PR group and you might as well have a target on your forehead. This article is from back in 2020 when celebrities and politicians were hacked via the network of the Grubman Shire Meiselas & Sacks law firm. The ransom for the data started at 21 million and slowly incremented to 42 million. The firm refused to pay as it was against their policy, and the threats escalated to auctions on the dark web for data on Lady Gaga and Donald Trump. Madonna’s information started at $1 million.
These hackers are known as Sodin and Sodinokibi aka REvil and are set up as a RaaS or ransomware-as-a-business.