Kelly Sharadin says
The IRS is ditching its previous biometric authentication method for online accounts at irs.gov. Now taxpayers can authenticate via live video interviews with the third-party provider ID.me. Furthermore, the IRS states that all previously enrolled biometric data will be permanently deleted. Taxpayers who continue to authenticate through biometric data will also have their data deleted. Some have argued that the IRS outsourcing authentication data collection to a third party is questionable at best. Additionally, alongside the partnership with ID.me, the IRS plans to launch Login.gov for taxpayers to access their records online. Login.gov is an SSO solution currently utilized by 28 federal agencies. The IRS argues that Login.gov alone is not sufficient for digital identities; however, that is debatable.
https://krebsonsecurity.com/2022/02/irs-selfies-now-optional-biometric-data-to-be-deleted/#more-58627
Victoria Zak says
“This one change could protect your systems from attack. So why don’t more companies do it?”
In order to keep your systems from being exploited, a simple answer would be to apply your patches, right? So why aren't companies keeping up with their patches if doing so avoids a security breach?
This article recommends turning on automatic patch updates. It notes that “when vulnerabilities are made public, cyber attackers will actively look for networks that have yet to apply the patches. But information security teams can beat criminal hackers to the punch by examining their own networks for potential vulnerabilities, such as unsecured internet-facing RDP (Remote Desktop Protocol) ports.”
Dr. Ian Levy, technical director of the National Cyber Security Centre, warned that some organizations don't help themselves when it comes to applying security updates, noting that the NCSC is aware of over 1,000 endpoints in the UK that are still vulnerable to BlueKeep, a critical vulnerability in Microsoft's RDP implementation that allows attackers to remotely execute malicious code on machines.
However, the SolarWinds supply chain hack and the Microsoft Exchange Server attacks were an eye-opener. One of the key things organizations need to do to secure their infrastructure from cyber threats is to provide their information security teams with the resources needed to do things like apply patches.
Reference:
https://www.zdnet.com/article/this-one-change-could-protect-your-systems-from-attack-so-why-dont-more-companies-do-it/
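As an added example (not from the ZDNet article or the post above), here is a Python check that audits an inbound firewall or security-group rule list for TCP 3389 reachable from outside RFC 1918 space, the kind of "examine your own network" sweep the post describes. The rule format, the rule names and the sample rules are constructed for illustration; a real export from a cloud provider or firewall would need its own loader.

```python
import ipaddress

RDP_PORT = 3389
# Assumption: only RFC 1918 space counts as "internal"; any other source is exposure.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inbound rules in a security-group-like shape (not a real export).
# proto "-1" is the "all protocols" wildcard some cloud providers use.
SAMPLE_RULES = [
    {"name": "bastion-rdp", "proto": "tcp", "from_port": 3389, "to_port": 3389,  "src": "0.0.0.0/0"},
    {"name": "corp-rdp",    "proto": "tcp", "from_port": 3389, "to_port": 3389,  "src": "10.20.0.0/16"},
    {"name": "all-tcp",     "proto": "tcp", "from_port": 0,    "to_port": 65535, "src": "203.0.113.0/24"},
    {"name": "web",         "proto": "tcp", "from_port": 443,  "to_port": 443,   "src": "0.0.0.0/0"},
    {"name": "any-any",     "proto": "-1",  "from_port": 0,    "to_port": 0,     "src": "0.0.0.0/0"},
    {"name": "rdp-v6",      "proto": "tcp", "from_port": 3389, "to_port": 3389,  "src": "::/0"},
]


def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to `port` (a protocol wildcard counts)."""
    if rule["proto"] == "-1":
        return True
    return rule["proto"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def source_is_internal(cidr):
    """True only if the whole source range lies inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def exposed_rdp_rules(rules):
    """Names of rules that let non-internal sources reach TCP 3389."""
    return [r["name"] for r in rules
            if rule_covers_port(r, RDP_PORT) and not source_is_internal(r["src"])]


if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES):
        print("internet-facing RDP via rule:", name)
```

Two things worth noticing in the output: the `all-tcp` and `any-any` rules are flagged even though 3389 never appears in them, because a port range or protocol wildcard is exposure all the same, and a rule audit only covers what the firewall itself permits. It does not replace an external scan of your own address space to see what actually answers.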
Andrew Nguyen says
I came across this article that is somewhat relevant to the ongoing conflict between Russia and Ukraine.
It details malware posing as a pro-Ukraine hacking tool that supposedly offered a DDoS tool to target Russian websites, when in actuality it is an info stealer used to target credentials and cryptocurrency info.
I found the psychological aspect of this interesting, because many pro-Ukraine individuals may feel the desire to target Russian websites and other forms of media, and this info stealer takes advantage of that.
I think it’s an interesting reminder that we have to be very careful of things that we download on the internet.
https://threatpost.com/malware-posing-russia-ddos-tool-bites-pro-ukraine-hackers/178864/
Antonio Cozza says
Another update on the Russia-Ukraine conflict in terms of cybersecurity has arisen due to the sanctions imposed on Russia by many other countries and organizations at large. The issue is centered upon foreign CAs revoking certificates for Russian domains. In response, the Russian government, specifically the Ministry of Digital Development, has created its own TLS/SSL CA. The new Russian domestic CA will issue new digital certificates to Russian legal sites within five days of an application being submitted by the website owner. Sanctions against Russia have barred other CAs from continuing to operate and do business in Russia.
https://thehackernews.com/2022/03/russian-pushing-its-new-state-run-tls.html
Vraj Patel says
The data breach at Equifax included an exposure of personal data including names, dates of birth, Social Security numbers, and physical addresses. In addition, 209,000 credit card numbers and more than 10 million driver's licenses were exposed. The attacker was able to get access to the Equifax network through an unpatched vulnerability within the Equifax network. According to the update from the Federal Trade Commission (FTC), Equifax has agreed to pay up to $425 million to help everyone affected by the data breach. Part of that money will go towards credit monitoring.
Reference:
https://portswigger.net/daily-swig/equifax-finalizes-data-breach-settlement-with-us-regulators
Patrick Jurgelewicz says
Microsoft Patches Critical Exchange Server Flaw
https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-critical-exchange-server-flaw
On 3/8, Microsoft issued a security update for 71 software vulnerabilities, three rated critical and one with a publicly known proof-of-concept. Two vulnerabilities (Microsoft Exchange Server Remote Code Execution Vulnerability & Windows SMBv3 Client/Server Remote Code Execution Vulnerability) allow an attacker who has authenticated to the server to run malicious code. This shows the importance of both hardening a host system and regularly patching the system. The third vulnerability is ranked “important” (not critical) but has the known PoC, so security experts recommend prioritizing it.
Dhaval Patel says
Dirty Pipe, a privilege escalation vulnerability, was found in the Linux kernel of QNAP NAS (Network Attached Storage) devices. This vulnerability affects the NAS devices in such a way that they could be abused to elevate privileges and gain control of the impacted systems. It affects Linux kernels on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x. Essentially this vulnerability makes it possible to overwrite read-only files with arbitrary data, making it possible to take over the attacked machine.
https://thehackernews.com/2022/03/dirty-pipe-linux-flaw-affects-wide.html
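An added example, not from the post or the linked article: a first-pass check of whether a host's kernel release string falls in the window affected by Dirty Pipe (CVE-2022-0847), which was introduced in 5.8 and fixed upstream in 5.16.11, 5.15.25 and 5.10.102. The caveat is the important part: vendors such as QNAP backport fixes without changing the upstream version number, and the post does not say which kernel QTS 5.0.x ships, so a "vulnerable" answer here means "check the vendor advisory", not "confirmed exploitable".

```python
import platform
import re

INTRODUCED = (5, 8, 0)
# Stable branches that received the upstream fix for CVE-2022-0847 and the
# first patch level carrying it. Branches 5.8 through 5.14 are end-of-life
# upstream and never got it, so any version on them stays in the window.
FIXED_IN = {10: 102, 15: 25, 16: 11}
FIRST_CLEAN_MINOR = 17   # 5.17 was released with the fix already in


def parse_release(release):
    """Turn `uname -r` output such as '5.10.60-qnap' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_vulnerable(release):
    """True if the upstream version number is inside the vulnerable window.
    Vendor backports are invisible to this check, so True means 'verify with
    the vendor advisory', not 'confirmed exploitable'."""
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < INTRODUCED:
        return False                      # bug not present before 5.8
    if major > 5 or minor >= FIRST_CLEAN_MINOR:
        return False                      # 5.17+ and 6.x were released fixed
    fixed_patch = FIXED_IN.get(minor)
    if fixed_patch is None:
        return True                       # 5.8 .. 5.14: no fixed release exists
    return patch < fixed_patch


if __name__ == "__main__":
    rel = platform.release()
    verdict = "possibly vulnerable (check vendor advisory)" if dirty_pipe_vulnerable(rel) \
        else "outside the vulnerable version range"
    print(rel, "->", verdict)
```

On a NAS or appliance, run this against the output of `uname -r` from the device's shell rather than from a workstation, and treat the result as a triage aid only; the vendor's fixed-build list is authoritative.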
Madalyn Stiverson says
On March 10th, Denso, a multibillion-dollar auto parts supplier to Toyota, Honda, Ford, GM, and others, reported a ransomware attack perpetrated by Pandora. It's confirmed that 1.4 TB of classified Toyota data has been stolen. This gives Pandora double-extortion potential by threatening to leak the data if Denso and Toyota don't pay up.
This demonstrates the danger and the importance of hardening the supply chain. This is the second attack of 2022 that has impacted suppliers that Toyota relies on.
The Pandora ransomware group is an evolution of Rook and borrows code from Babuk.
https://threatpost.com/pandora-ransomware-hits-giant-automotive-supplier-denso/178911/
Michael Jordan says
The article I chose to summarize this week is about Alphabet (Google) purchasing Mandiant. Google bought Mandiant for $5.4 billion; to put this amount in perspective, the value of Google's current cash and short-term investments is $140 billion, with only around $15 billion in total liabilities. Mandiant makes money from helping customers automate security investigations, mapping out organizations' security networks to help find weak points, investigating and consulting after cyberattacks, and more.
Mandiant will mainly be integrated into the Google Cloud infrastructure, but I am sure the cybersecurity experts at Mandiant will at least somewhat integrate into Google's other internal IS projects. As the frequency and cost of data breaches rise rapidly, Google's acquisition of Mandiant will help the company compete against Microsoft Azure and Amazon AWS.
https://www.fool.com/investing/2022/03/15/alphabet-betting-big-on-cybersecurity-what-means/
kofi bonsu says
The article talks about how, in the UK, HM Government's ‘Cyber Incident Response Scheme’ is closely connected with the US Cyber Threat Sharing Bill. The motivation for both mandates is that, in order to safeguard against targeted, stealthy cyber-attacks (APTs), there will need to be a much greater level of awareness and collaboration. This usually becomes a government issue when the nation's critical infrastructure (defense, air traffic control, health service, power and gas utilities, etc.) is concerned. Hence, to ensure an environment where all security best practices are defined, embedded within the organization and working continuously, vulnerability monitoring and system integrity checking should be a continuous process, not a quarterly or ad hoc pen test. Real-time file integrity monitoring, continuously evaluating devices for compliance with a hardened build standard and identifying all system changes is the only way to truly guarantee it.
https://www.newnettechnologies.com/system-hardening-and-fim.html
Lauren Deinhardt says
Russian hackers exploited MFA and ‘PrintNightmare’ vulnerability in NGO breach, U.S. says
https://venturebeat.com/2022/03/15/russian-hackers-exploited-mfa-and-printnightmare-vulnerability-in-ngo-breach-u-s-says/
This week, the FBI and CISO have announced that Russian state-sponsored attackers were able to successfully breach an American non-governmental organization (NGO) by exploiting the “PrintNightmare” vulnerability. One quote from the Vulcan Cyber senior technical engineer really stood out to me, in light of this week's class readings: “The cyberattack ‘is a good example of why user account hygiene is so important, and why security patches need to go in as soon as is practical.’” The NGO breach exploited a vulnerable account that should have been disabled and patched. “PrintNightmare” is a remote code execution vulnerability affecting MSFT Windows print spooler services. This was disclosed (and patches were released) in summer 2021, but this entity did not follow best practices and patch accordingly. The hacker group was able to gain access to the NGO's cloud and email accounts, move laterally across the organizational network (proving no network segmentation was in place), and exfiltrate documents. The attack commenced in 2021, going almost a year undetected.
This article is especially important since Russia has been orchestrating increased cyberattacks, in addition to physical attacks on Ukraine. Now is the time for organizations to be vigilant and regularly patch both critical and noncritical software.
Dan Xu says
Nearly 34 ransomware variants observed in hundreds of cyberattacks in Q4 2021
As many as 722 ransomware attacks were observed in the fourth quarter of 2021, with LockBit 2.0, Conti, PYSA, Hive, and Grief emerging as the most prevalent strains, according to new research published by Intel 471.
These attacks represent an increase of 110 and 129 compared to the third and second quarters of 2021, respectively. A total of 34 different ransomware variants were detected during the three-month period from October 2021 to December 2021.
“The most prevalent ransomware in Q4 2021 was LockBit 2.0 with 29.7% of all reported incidents, followed by Conti with 19%, PYSA with 10.5% and Hive with 10.1%.”
The discovery came amid a “striking resemblance” to a relatively unknown variant of the ransomware called Nokoyawa, which primarily targeted Argentina.
https://thehackernews.com/2022/03/nearly-34-ransomware-variants-observed.html
zijian ou says
“Massive DDoS Attack Knocked Israeli Government Websites Offline”
Several websites belonging to the Israeli government were felled in a distributed denial-of-service (DDoS) attack on Monday, rendering the portals inaccessible for a short period.
“In the past few hours, a DDoS attack against a communications provider was identified,” the Israel National Cyber Directorate (INCD) said in a tweet. “As a result, access to several websites, among them government websites, was denied for a short time. As of now, all of the websites have returned to normal activity.”
https://thehackernews.com/2022/03/massive-ddos-attack-knocked-israeli.html?&web_view=true
Kyuande Johnson says
Samsung says hackers breached company data and source code for Galaxy smartphones
On Monday, Samsung confirmed that hackers breached its internal company data, gaining access to some source code for Galaxy-branded devices like smartphones. Lapsus$, the same group that attacked NVIDIA, claimed over the weekend via its Telegram channel that it had stolen 190 gigabytes of confidential Samsung source code. Samsung said the breach “involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees.”
The company said it does not anticipate any impact on its business or customers. Lapsus$ has not made any threats to Samsung or tried to extort specific concessions.
https://www.theverge.com/2022/3/7/22965220/samsung-hack-lapsus-galaxy-source-code-confirmed-nvidia
Olayinka Lucas says
Defending Against Misconfigured MFA & Print Nightmare Vulnerabilities
In the spirit of system hardening, I came across this article dated March 21, 2022, and thought it would be important.
Compromise of Inactive Accounts and Default Configurations – Hackers apparently gained access by brute-forcing an existing user account through “a simple, predictable password” to enroll a new device in the MFA procedures, the agencies said. The targeted organization was using the default MFA configuration, so it was possible to re-enable MFA for a dormant account with a new device owned by the attackers.
Source:
https://www.esecurityplanet.com/threats/misconfigured-mfa-printnightmare/