Nicholas Fabrizio says
Title: Firewall Vendor Patches Critical Auth Bypass Flaw
URL: https://threatpost.com/firewall-critical-security-flaw/164347/
A German cybersecurity firm called Genua recently patched a vulnerability in one of the many firewall products they sell. This vulnerability could allow an attacker to bypass authentication measures and gain access to the internal network of the organization using the product. More specifically, this vulnerability allows an attacker to access the various web interfaces by manipulating parameters while logging in via the HTTP POST request. This particular firewall is classified as “NATO Restricted” as it meets certain requirements by containing two different firewall systems: an application-level gateway and a packet filter.
Christopher Clayton says
Ransomware attacks soared 150% in 2020
Ransomware attacks rose to an astonishing 150%, along with extortion amounts that doubled last year. A Singapore security firm called Group-IB looked at over 500 ransomware attacks (mainly Fortune 500 companies in North America and Europe) and accumulated a “Ransomware Uncovered” report that recorded frequent strategies from a framework used by these attackers called MITRE ATT&CK. The ransom demands from threat hunters were extremely high, ranging from $170,000 to even $1-$2 million. Victims experienced blackouts that caused damage to their revenue and reputation. To gain access, attackers used RDP servers, phishing, and exploitation of public-facing applications. From the senior digital analyst perspective at Group-IB, ransomware has grown and will continue to grow from this point on.
https://www.infosecurity-magazine.com/news/ransomware-attacks-soared-150-in/
Lakshmi Surujnauth says
“Password Reuse at 60% as 1.5 Billion Combos Discovered Online”
The security vendor SpyCloud discovered nearly 1.5 billion breached login combos along with billions more pieces of PII circulating in 2019. This was primarily due to a combination of password reuse and weak hashing algorithms (MD5 algorithm, SHA-1 & password salting). Some notable highlights of the report include: 60% of credentials were reused across multiple accounts; out of the 270K government emails recovered, password reuse was significant at 87%; approximately 2M passwords contained “2020”; 200K passwords featured COVID-related keywords such as “corona” and “pandemic”; and finally, the most common passwords were “123456”, “123456789”, “12345678”, “Password” & “111111”, which appeared more than 1.2 million times. Additionally, there were over 4.6 billion pieces of PII including names, addresses, DOB, job titles, social media accounts, etc. Overall, this report highlights an ongoing security concern of password reuse that presents opportunities for brute force attacks, credential stuffing, etc.
https://www.infosecurity-magazine.com/news/password-reuse-60-15-billion/
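The post above mentions two separate weaknesses, password reuse and weak hashing, and they compound each other: in a dump of unsalted MD5 or SHA-1 hashes, every account that shares a password also shares a hash, so reuse is visible (and precomputed lookups work) without cracking anything. The following added example, which is not from the article or from SpyCloud, shows that effect on a small constructed set of credentials and contrasts it with a per-user salted PBKDF2 scheme, where identical passwords produce unrelated digests. The sample records and the iteration count are assumptions for illustration.

```python
"""Added example (not from the article or SpyCloud): unsalted MD5 leaks
password reuse across accounts; a salted, iterated KDF does not.
All credentials below are constructed sample data."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample breach records: (account, plaintext password).
SAMPLE_CREDENTIALS = [
    ("alice@example.org", "123456"),
    ("alice@shop.example", "123456"),        # reused across two accounts
    ("bob@example.org", "corona2020"),
    ("carol@agency.example.gov", "Password"),
    ("carol@social.example", "Password"),    # reused
    ("dave@example.org", "x7$Lq!9vB2m"),
]

ITERATIONS = 200_000  # assumed work factor; tune to your hardware budget


def unsalted_md5(password: str) -> str:
    """Legacy scheme: the same password yields the same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def reuse_visible_from_hashes(hashes) -> int:
    """Count accounts whose stored hash collides with another account's hash.
    For unsalted hashes this equals the number of accounts with a reused
    password, and anyone holding the dump can read it off directly."""
    counts = Counter(hashes)
    return sum(1 for h in hashes if counts[h] > 1)


def salted_pbkdf2(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Per-user random salt plus an iterated KDF: equal passwords give
    unrelated digests, and each guess costs `iterations` HMAC rounds."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    _, candidate = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def reuse_rate(records) -> float:
    """Share of accounts whose plaintext password appears on more than one account
    (the kind of statistic the report quotes as a reuse percentage)."""
    counts = Counter(pw for _, pw in records)
    reused = sum(1 for _, pw in records if counts[pw] > 1)
    return reused / len(records)


if __name__ == "__main__":
    md5_hashes = [unsalted_md5(pw) for _, pw in SAMPLE_CREDENTIALS]
    kdf_digests = [salted_pbkdf2(pw)[1] for _, pw in SAMPLE_CREDENTIALS]
    print(f"plaintext reuse rate: {reuse_rate(SAMPLE_CREDENTIALS):.0%}")
    print(f"reuse visible in MD5 dump:    {reuse_visible_from_hashes(md5_hashes)} accounts")
    print(f"reuse visible in PBKDF2 dump: {reuse_visible_from_hashes(kdf_digests)} accounts")
```

On the sample set four of six accounts share a password; the MD5 column exposes all four, while the salted PBKDF2 column exposes none. Salting does not stop a user from reusing a password on another site, which is why the post's credential-stuffing concern still applies, but it removes the free cross-account correlation that an unsalted dump hands out.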
Jonathan Mettus says
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
At least 30,000 organizations in the United States (but probably a lot more) have recently been hacked because of vulnerabilities in the Microsoft Exchange Server email software. The campaign has been carried out by an “unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations.” The attackers are creating backdoors with web shells and currently have control over “hundreds of thousands” of Exchange servers around the world. A “significant number of small businesses, towns, cities and local governments” are affected.
Microsoft had released emergency security updates on March 2 to fix four vulnerabilities. The hacking group has since increased its efforts to take advantage of any unpatched servers. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.
https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/
To-Yin Cheng says
U.S. DoD Weapons Programs Lack ‘Key’ Cybersecurity Measures
https://threatpost.com/dod-weapons-programs-lack-cybersecurity/164545/
The US Department of Defense (DoD) weapons program has not done enough to integrate cybersecurity requirements. It had formulated a series of policies aimed at enhancing the security of its weapon systems, but it has missed a key detail: contracts for the procurement of various weapons. Cybersecurity requirements, acceptance standards, or verification procedures have been omitted. Most modern DoD weapon systems rely on software and various IT systems for their operation. Loss of confidentiality means that the enemy can obtain important information about operations, tactics, and strategies in battle.
Wei Liu says
CISA Orders Federal Agencies to Patch Exchange Servers
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have “persistent system access and control of an enterprise network.” The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. CISA is requiring federal agencies to take several steps in light of the spreading attacks.
https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/
Quynh Nguyen says
SITA, a communications and IT vendor for 90% of the world’s airlines, was breached, compromising passenger data in the company’s US servers. The servers were in Atlanta; this breach could impact millions of users. Singapore Airlines alone reported 580,000 impacted customers. There is a rise in airline supply-chain attacks; vulnerability data shows that the aviation and aerospace industry sees more privilege escalation and SQL-injection vulnerabilities than any other industry, accounting for 57 percent of the vulnerabilities reported to these companies by ethical hackers. It’s because of the PII they hold: name, address, and passport data, which includes social security numbers.
https://threatpost.com/supply-chain-cyberattack-airlines/164549/
Panayiotis Laskaridis says
“Microsoft Attack Blamed On China Morphs Into Global Crisis”
https://www.bloomberg.com/news/articles/2021-03-07/hackers-breach-thousands-of-microsoft-customers-around-the-world
The article talks about how a Chinese government-backed hacking group hacked into up to 30,000 mid and small-sized US businesses through Microsoft Outlook. This article is another example, like the Maersk case, where government-sponsored hacking groups are attacking private companies in other nations using well-known software. It further supports the notion that warfare in the 21st century is going to be cyber.
Mitchell Dulaney says
“Fake Google reCAPTCHA Phishing Attack Swipes Office 365 Passwords”
Threatpost reports that phishing attacks targeting Microsoft Office 365 users are growing more and more sophisticated, recently by incorporating Google reCAPTCHAs to make their phishing sites appear more legitimate. Malicious actors are targeting thousands of upper managers of large organizations, sending emails claiming that they have a new voicemail left on their office line. When clicking the link in the email or opening the attached .htm file, they are asked to complete the reCAPTCHA, then provide their Office 365 credentials at a page that even includes their organization’s logo. The combination of their company’s logo and the reCAPTCHA works to convince these managers that the page is legitimate, and so far the attempts have been quite successful. As always, information security teams should implement effective email filtering, and end-user training and awareness campaigns must be kept up to date with these new threats.
https://threatpost.com/google-recaptcha-phishing-office-365/164566/
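The post closes by recommending effective email filtering. The following added example, which is not from the Threatpost article, shows what a gateway triage rule for this particular lure can look like: it parses a message with Python's standard `email` package and scores the indicators the post describes (a "new voicemail" pretext, a link to a host outside the organization's trusted domains, an .htm/.html attachment, and a reCAPTCHA widget embedded in that attachment). Both messages and the trusted-domain list are constructed for the example and are assumptions, not data from the article.

```python
"""Added example (not from the Threatpost article): mail-gateway triage for a
'new voicemail' phish that carries an .htm attachment leading to a
reCAPTCHA-fronted credential page. Messages and domains are constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com", "microsoft.com", "office.com"}  # assumption
LURE_RE = re.compile(r"\b(voice ?mail|missed call|new message)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HTML_EXTENSIONS = (".htm", ".html")

# Constructed sample: the lure described in the article.
PHISH_EMAIL = (
    "From: Voice Service <notify@mail.example.net>\n"
    "To: cfo@example-corp.com\n"
    "Subject: New voicemail received (0:42)\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "You have a new voice mail on your office line. Open the attachment or visit\n"
    "https://login.example-cdn.net/vm/play to listen.\n"
    "--b1\n"
    'Content-Type: text/html; name="vm_0042.htm"\n'
    'Content-Disposition: attachment; filename="vm_0042.htm"\n'
    "\n"
    "<html><script src='https://www.google.com/recaptcha/api.js'></script></html>\n"
    "--b1--\n"
)

# Constructed sample: an ordinary internal notice that should pass.
BENIGN_EMAIL = (
    "From: IT Helpdesk <helpdesk@example-corp.com>\n"
    "To: cfo@example-corp.com\n"
    "Subject: Quarterly password policy reminder\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Reminder: the updated policy is at https://intranet.example-corp.com/policy.\n"
)


def _trusted(host) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message; two or more indicators means quarantine."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if LURE_RE.search(subject) or LURE_RE.search(body):
        reasons.append("voicemail lure wording")

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not _trusted(host):
            reasons.append(f"link to untrusted host {host}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(HTML_EXTENSIONS):
            reasons.append(f"HTML attachment {name}")
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("utf-8", "replace")
            if "recaptcha" in content.lower():
                reasons.append("attachment embeds reCAPTCHA widget")

    return {"score": len(reasons), "reasons": reasons, "quarantine": len(reasons) >= 2}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw))
```

The threshold of two indicators keeps a single untrusted link or a lone HTML attachment from quarantining legitimate mail; the reCAPTCHA check only fires inside an attached HTML file, because a CAPTCHA script has no business in a voicemail notification. Any such rule still belongs beside the awareness training the post calls for, since the next variant will change the pretext.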
Elias Harake says
Just a few weeks ago, an IT and communication company known as SITA Passenger Service System Inc. became the victim of a cyberattack. The attack happened on February 24, 2021 and, according to the ZDNet article, was described as a “highly sophisticated attack”; however, no further information was given regarding how many passengers were affected. Airline companies such as Singapore Airlines, New Zealand Air and Lufthansa have warned passengers about the SITA data breach, while some One World airlines including Malaysia Airlines, Finnair, Japan Airlines and Cathay Pacific have also informed passengers about the cyberattack. According to the article, “some airlines have detailed what information was accessed in the attack, stating that frequent flyer data – such as name, tier status and membership number – has been stolen.” However, the exact number of passengers affected by the cyberattack remains uncertain.
https://www.zdnet.com/article/airlines-warn-passengers-of-data-breach-after-aviation-tech-supplier-is-hit-by-cyberattack/
Christa Giordano says
Flagstar Bank hit by data breach exposing customer, employee data
In December 2020 a ransomware group known as Clop exploited multiple vulnerabilities in Accellion FTA servers, which are typically used by organizations as a way to securely share files with outside associates. In January 2021, Flagstar Bank disclosed a breach of their Accellion server. Once Flagstar was notified of the incident, they ceased using the server, but it was too late. Shortly after, Flagstar received a ransom demand in bitcoin from Clop, who threatened to release the stolen data if they did not receive payment in bitcoin. After Flagstar began notifying its customers of the breach, Clop released some of the stolen data, including social security numbers and other sensitive customer and employee data, with a warning that they had much more. This is the modus operandi we have seen in other similar attacks from Clop, and we expect the attacks to continue.
https://www.bleepingcomputer.com/news/security/flagstar-bank-hit-by-data-breach-exposing-customer-employee-data/
Ashleigh Williams says
How Drones Affect your Threat Model
As drones are slowly becoming more widely used in organizations, this article discusses some of the security risks associated with the use of drones that traditionally haven’t been considered, as this is a fairly new technology. Some of the organizations the article cites as using drones for their operations are Amazon for deliveries, Allstate to assess property damage, CVS and UPS for prescription delivery, and Shell for surveillance of assets. As we are discussing physical security this week, I found this to be an interesting topic, as I had not considered security risks associated with drones, largely because I hadn’t considered the many uses for drones in organizations in all industries. The main physical security risks the article associates with drones are physical surveillance and physical attacks, drone takeover, threats to drone data, and drone supply chain concerns.
Drones have the ability to completely bypass traditional security measures such as fences, trip lines, and CCTV. This is seen as the military is often able to conduct intelligence undetected. Another risk associated with the use of drones is drone takeover. Drones are very susceptible to hacking and hijacking via GPS spoofing, malware infection, and malicious manipulation; however, the use of encrypted data links should significantly reduce the risks of hacking and hijacking. Next, drones are at risk of threats to drone data. Data on a drone should be treated as data on any company system and needs to be treated as such to protect against data theft. Drones should never be flown connected to a Wi-Fi network, to reduce the risk of data theft. Lastly, drone supply chain concerns are huge risks associated with the use of drones. The first question is who will produce and supply the drones and whether we can trust these entities. A major drone manufacturer in China has been known to deploy drones that can be used for spying and collecting data. As such, much due diligence needs to go into considering a drone vendor, and it might be worthwhile for an organization to produce its own.
https://www.csoonline.com/article/3568452/how-drones-affect-your-threat-model.html?upd=1601345189456
Megan Hall says
“Controlling the Controllables in Cybersecurity”
https://www.forbes.com/sites/forbestechcouncil/2021/03/09/controlling-the-controllables-in-cybersecurity/?sh=505a8fad753f
I found this article interesting. It talks about the state of cybersecurity in light of the recent SolarWinds attack. It talks about the challenges of protecting an organization, particularly in light of a “zero trust” concept. It gives these statistics to illustrate just how challenging it is to implement an effective “zero trust” approach:
• 80% of data breaches originated with a third party, and 29% of companies have no visibility into the security of their third-party partners.
• 60% of companies have identified new security gaps as a result of widespread work-from-home support.
• It takes an average of 280 days to identify and contain a data breach.
• 56% of large enterprises experience over 1,000 security alerts per day.
• 42% of cyberattacks were the result of application software bugs.
Here are a few of the suggested approaches to help with the ongoing challenges of cybersecurity risk management: use IT management platforms that give complete visibility into what’s in the environment, perform proactive assessment of risk, mitigate known gaps, respond immediately to known indicators of compromise, train employees, perform due diligence, and test and monitor controls regularly. This article does a good job of explaining that not all risks can be mitigated (we can’t effectively operate with zero trust, or it’s likely companies would not be operating at all) but that a meaningful risk-based approach to managing security can provide reasonable assurance, and we should continuously be rethinking our approach to security since the threat landscape is always changing.
Charlie Corrao says
“9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware”
Android discovered 9 apps that were deploying malware onto victims’ phones. The apps that included this malware were Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder. The dropper that deployed this malware is called Clast82. Google Play famously has fewer restrictions than Apple when it comes to apps becoming available to its users. Many times, the apps start as legitimate but then are changed with updates. Once the update happens, the malicious code is deployed onto the device. Luckily, all apps that contained this malware were removed from the store. This has become a new trend among some apps and will continue to get worse if changes are not made.
https://thehackernews.com/2021/03/9-android-apps-on-google-play-caught.html?&web_view=true
Michael Doherty says
3rd hospital hit with a cyberattack.
On Monday a hospital in France was hit with a cyberattack with demands for $50,000 in Bitcoin.
Hospital workers are writing medical histories with pen and paper. This is also impacting the inventory of medications, which is now also done with pen and paper.
The hospital director Frederic Lechenne was quoted: “we might get our systems back in 48 hours or 3 months”.
This is the 3rd hospital targeted with ransomware since 2019.
http://www.securityweek.com/third-french-hospital-hit-cyberattack