Nicholas Fabrizio says
Title: Hackers Breach Cameras at Banks, Jails, Tesla and More
URL: https://www.securityweek.com/hackers-breach-cameras-banks-jails-tesla-and-more
A hacker group located in the United States was able to successfully get access to high-level administrator accounts for a company called Verkada which provides enterprise security camera systems. The security camera systems utilize the cloud to store and access the cameras. The hackers claim they were able to access 150,000 security cameras which included banks, schools, jails, and Tesla. The group posted images from the security cameras onto Twitter. A CISO from a risk protection firm was quoted saying “The Verkada breach shows the risk of outsourcing security surveillance to companies in the internet cloud”. Verkada says they disabled all internal administrator accounts and notified all companies that use the platform of the breach.
Mitchell Dulaney says
“Microsoft Exchange Exploits Pave a Ransomware Path”
Threatpost reports on a new variety of ransomware, called “DearCry”, which has exploded in the last few days and has appeared especially frequently on Microsoft Exchange servers. This comes in the wake of public disclosure of a series of four vulnerabilities that, in combination, allow remote administrative pre-authentication access to an Exchange server – in other words, no credentials whatsoever are required to gain the remote administrative rights. These vulnerabilities are related to the massive vulnerability now known as ProxyLogon which came to light in late 2020.
After gaining control of the Exchange server and exhausting its usefulness, the attackers encrypt it using the DearCry ransomware and hold it ransom for $16,000. This exploit has targeted in particular government and military organizations, and manufacturing and banking businesses. A patch has already been released by Microsoft and researchers urge all organizations with Exchange mail servers to install the patch as soon as possible.
https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/
To-Yin Cheng says
Microsoft Exchange Exploits Pave a Ransomware Path
https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/
Hackers are taking advantage of vulnerable Microsoft Exchange servers and installing a new ransomware family called DearCry. The attackers are downloading a new ransomware strain (aka Ransom: Win32/DoejoCrypt.A) to an unpatched server and taking over the server without knowing any valid account credentials. The ransomware dropped the ransom note (called “readme.txt”) after initially infecting the victim, which contained two email addresses of the threat person, and demanded $16,000 for extortion. Victim companies of DearCry have been found in Australia, Austria, Canada, Denmark, and the United States. Researchers warned this week that at least 10 different Advanced Persistent Threat (APT) groups are attacking the flaw, all of which are dedicated to destroying email servers around the world. They have seen hundreds of attempts to exploit attacks against organizations around the world. The most targeted industries are the government and military sectors, manufacturing, and banking.
Lakshmi Surujnauth says
“Exchange Server security patch warning: Apply now before more hackers exploit the vulnerabilities”
Organizations are being urged to apply security patches released on March 2 intended to fix Microsoft Exchange Server zero-day vulnerabilities. Thousands of organizations worldwide have been affected by cyberattacks impacting Microsoft Exchange. Hafnium, a state-sponsored APT hacking group working out of China, and at least 10 other hacking groups are leading the charge to compromise email servers worldwide. If used in an attack chain, these vulnerabilities can lead to remote code execution, server hijacking, backdoors, data theft, and malware deployment. Given this, patches should be installed and then reviewed for any trace of compromise. Organizations should also consider restricting access to their networks from the open internet and making their Exchange server accessible to their users via VPN, which can allow more time to patch before it can be exploited.
https://www.zdnet.com/article/microsoft-exchange-server-cybersecurity-warning-apply-patches-now-because-more-hacking-groups-are-trying-to-exploit-the-vulnerabilities/
Wei Liu says
Ransomware may be targeting Microsoft’s Hafnium Exchange Server vulnerabilities
Microsoft confirmed “a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers”. Microsoft announced that a state-sponsored actor located in China breached on-premises Exchange Servers on Tuesday, March 2. The company named that hacker group Hafnium. Since then, the number of clusters of distinct hacker activity researchers identified as taking advantage of those Exchange Server vulnerabilities has rapidly expanded. At least 30,000 servers have been breached.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-may-be-targeting-microsofts-hafnium-exchange-server-vulnerabilities/
Jonathan Mettus says
Giant Datacenter Fire Takes Down Government Hacking Infrastructure
A fire destroyed a data center owned by OVHcloud, the largest European cloud service provider, in Strasbourg, France. As a result, many websites were taken offline and OVHcloud told its customers to activate their disaster recovery plans.
Interestingly, many servers used by government hackers and criminal groups were also taken offline. Researchers believe both sets of groups were using OVHcloud to host command and control servers. The outage, though, is expected to have minimal overall impact on their hacking operations.
https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure
Christopher Clayton says
Settlement reached Over Data Breach Impacting 24 Million Americans
A settlement was reached for a multi-state data breach in 2019 that revealed personal information from approximately 25 million Americans that took place from August 2018 to March 2019. The American Medical Collection Agency (AMCA) was hacked by an unauthorized user who went into their internal computer system and gained access to sensitive data, including social security numbers, payment card information, and medical test results. It was also discovered that 23 other healthcare organizations may have been affected by this breach. AMCA filed for bankruptcy after paying costs that came from the breach notification, and although they were liable for $21 million from the settlement, it was suspended due to their financial struggles. Also, as part of the settlement, AMCA was required to carry out several data security practices to protect consumers from future cyber-attacks.
https://www.infosecurity-magazine.com/news/settlement-reached-over-amca-data/
Xiduo Liu says
This week, the Exchange hacking continues, according to an article published on ZDNet. The slow patching continues to contribute to the continuing hacking targeting on-prem Exchange servers. The exploitation attempts on organizations are doubling every two to three hours. Palo Alto estimates that there are at least 125,000 servers still not patched for the vulnerabilities. The government and military are still ranked high on the list, and the United States is still occupying the top position on the geopolitical spectrum. You can read more here: https://www.zdnet.com/article/microsoft-exchange-server-hacks-doubling-every-two-hours/
Panayiotis Laskaridis says
“Cybersecurity firm warns of potential ransomware attack in the near future”
https://www.cnbc.com/video/2021/03/12/cybersecurity-firm-warns-of-potential-ransomware-attack-in-the-near-future.html
The video talks about how the VP of a cybersecurity firm warns about the threat of ransomware attacks following the attack on Microsoft. It then shows the National Security Advisor talking about the threat of cyber and how they still don’t fully grasp the situation surrounding it.
Quynh Nguyen says
Founder of the McAfee antivirus company, John McAfee, has been found guilty of cryptocurrency fraud, money laundering, and tax evasion. He was conspiring with Jimmy Watson and others on two fraud schemes. First, they pumped and dumped altcoins, promoting them on Twitter, then sold large numbers for a profit after buyers bought in; it is said McAfee and his partners made $2 million off this scheme. Second, he used McAfee’s official antivirus company Twitter account to promote ICOs without disclosing they were paid to do so, earning them $11 million. The SEC has filed civil charges against McAfee and Watson. McAfee is sentenced to decades in prison and financial penalties.
https://www.infosecurity-magazine.com/news/mcafee-decades-behind-bars-fraud/
Christa Giordano says
Swiss Police Raid Over Hack on U.S. Security-Camera Company
Swiss police, acting on a request from U.S. authorities for legal assistance, arrested a software engineer who was part of a group of “hacktivists” whose goal was to raise awareness about mass surveillance. The hacktivists obtained access to the systems of Verkada, a cloud-based surveillance services company based in California, through administrator account credentials which were found online. Subsequently, the group was able to view live camera feeds from corporate offices, schools, hospitals and jails, among other organizations. The group had access for approximately two days until Verkada disabled the internal administrator accounts, which locked them out. Verkada notified its customers and law enforcement.
https://www.securityweek.com/swiss-police-raid-over-hack-us-security-camera-company
Megan Hall says
Unsecured Server Triggers Ticket Counter Data Breach
http://www.digitaljournal.com/tech-and-science/technology/unsecured-server-triggers-ticketcounter-data-breach/article/586447
This article talks about the breach of a Dutch e-ticketing platform called Ticketcounter. A database with 1.9 million email addresses (plus other information) was stored on an unsecured staging server. The hacker was able to access the data since the server was not secured and published the data for free on a hacking forum. The article was brief but two things stood out to me. The first was that this data was kept on an unsecured server – basic protections (aka general hardening) were not in place. The second is that the data was on a staging server, which is separate from the production environment and typically used for testing purposes. As security professionals and auditors, it is always important to understand what sort of data is being used in a test or non-production environment. If the data does not have to be an actual copy of sensitive data, then that is preferable. But in cases where that is not feasible, then that environment needs to be as protected as the production environment to ensure confidentiality of the data.
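The comment's closing recommendation is to keep real sensitive data out of staging, or protect staging like production. One way to produce a staging copy that keeps the shape of a customer export while removing the sensitive values is shown below. This is an added example, not code from the article or from Ticketcounter; the records and field names are constructed assumptions.

```python
"""Build a de-identified copy of a customer export for a staging environment.

Added illustration: the records below are constructed and the field names
are assumptions, not Ticketcounter's schema.
"""
import hashlib
import hmac
import json
import secrets

# Fields that must never leave production, not even in masked form.
DROP_FIELDS = {"card_number", "card_cvv", "password_hash"}
# Fields replaced by a stable pseudonym so joins and lookups still work in staging.
PSEUDONYMIZE_FIELDS = {"email", "phone", "full_name"}

# Constructed sample of a production export. Record 1003 deliberately reuses
# Alice's address to show that the pseudonym is consistent across records.
PRODUCTION_EXPORT = [
    {"customer_id": 1001, "email": "alice@example.com", "full_name": "Alice Example",
     "phone": "+31 6 0000 0001", "card_number": "4111111111111111", "card_cvv": "123",
     "password_hash": "$2b$12$constructedhash1", "country": "NL", "orders": 3},
    {"customer_id": 1002, "email": "bob@example.com", "full_name": "Bob Example",
     "phone": "+31 6 0000 0002", "card_number": "5555555555554444", "card_cvv": "456",
     "password_hash": "$2b$12$constructedhash2", "country": "NL", "orders": 1},
    {"customer_id": 1003, "email": "alice@example.com", "full_name": "Alice Example",
     "country": "NL", "orders": 0},
]


def pseudonym(value, key, field):
    """Keyed HMAC: stable within one export run, but not reversible or
    recomputable without the key, which stays in production."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{field}_{mac}"


def pseudonymize_email(value, key):
    # Keep a syntactically valid address so mail code in staging still runs,
    # but point it at a reserved domain that cannot deliver to a real person.
    return pseudonym(value, key, "email") + "@staging.invalid"


def mask_record(record, key):
    """Return a copy of one record with secrets dropped and PII pseudonymized."""
    out = {}
    for name, value in record.items():
        if name in DROP_FIELDS:
            continue
        if name == "email":
            out[name] = pseudonymize_email(value, key)
        elif name in PSEUDONYMIZE_FIELDS:
            out[name] = pseudonym(value, key, name)
        else:
            out[name] = value
    return out


def build_staging_export(records, key):
    return [mask_record(r, key) for r in records]


def verify_no_leak(staging, production):
    """Independent check before the copy leaves production: returns the names
    of any staging fields that are dropped fields or still hold a raw value."""
    sensitive = {str(r[n]) for r in production
                 for n in DROP_FIELDS | PSEUDONYMIZE_FIELDS if n in r}
    leaks = []
    for r in staging:
        for name, value in r.items():
            if name in DROP_FIELDS or str(value) in sensitive:
                leaks.append(name)
    return leaks


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-run key; never stored with the staging copy
    staging = build_staging_export(PRODUCTION_EXPORT, key)
    print(json.dumps(staging, indent=2))
    print("leaked fields:", verify_no_leak(staging, PRODUCTION_EXPORT))
```

Using a fresh key per export means two staging copies cannot be correlated with each other, while one copy remains internally consistent.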
Ashleigh Williams says
“Securing IT During the Pandemic: Report Reveals Cyber-Readiness Challenges”
As a current IT Auditor, when interviewing my clients on their disaster recovery and business continuity plans, many of them have responded with, “we’re currently in the plan and we will let you know how it goes.” COVID triggered most organizations’ disaster recovery plans, and this article explores the main challenges organizations incurred as it relates to securing IT. COVID forced most businesses to remote environments, and Acronis, a global technology company, performed a study to assess how IT teams performed during this transition. The main takeaways the study found are as follows:
1. Nearly half of all organizations struggled to instruct and secure remote workers
2. 31% of global companies are attacked by cyber-criminals at least once a day. The most common attack types are phishing attempts, DDoS attacks and videoconferencing attacks
3. 92% of global organizations had to adopt new technologies to complete the switch to remote work. As a result, 72% of global organizations saw their IT costs increase during the pandemic
4. Attacks remain frequent, despite increased tech spending, because organizations aren’t prioritizing defensive capabilities properly
The article notes, when surveyed, the employees of the organizations did not receive much guidance and training on working in a remote environment. We understand that the IT teams were under a lot of stress and were likely pressed for resources, so properly training employees wasn’t a priority; however, given that we know that employees are the main vulnerabilities in attacks, this should have been a priority. This played a huge role in the second takeaway as it relates to phishing and videoconferencing attacks. Because of the need to switch to support remote work, there were huge IT costs, and with that, one could assume that the systems would be more protected; however, this was not the case. COVID is unprecedented, so I wouldn’t expect organizations to seamlessly continue business processes; however, I’m interested to see the findings from this year’s risk assessments and updated disaster recovery plans.
https://www.infosecurity-magazine.com/blogs/securing-it-during-pandemic/
Charlie Corrao says
Google Warns Mac, Windows Users of Chrome Zero-Day Flaw
A new Use-After-Free exploit was recently discovered in Chrome that affects Mac and Windows users. The flaw (CVE-2021-21193) ranks 8.8 out of 10 on the CVSS vulnerability-rating scale, making it high-severity. The exploit allows hackers to run arbitrary code or perform a DoS-style attack if the victim is coerced into visiting a certain website. This is the third time in the last 3 months that Google has had to rush a patch to fix a zero-day vulnerability. For obvious reasons, Google is not disclosing the vulnerable websites or methods the criminals are using until the site is patched. The other major vulnerability that was recently patched is an exploit in the audio function in the Chrome browser.
https://threatpost.com/google-mac-windows-chrome-zero-day/164759/
Michael Doherty says
Jails and hospital Verkada cameras were breached. A Tesla factory in China was also part of the breach.
A quote from the article states:
“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.
Tesla said that, “based on our current understanding, the cameras being hacked are only installed in one of our suppliers, and the product is not being used by our Shanghai factory, or any of our Tesla stores or services centers. Our data collected from Shanghai factories and other places mentioned are stored on local servers.”
https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams