Nicholas Fabrizio says
Title: Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail
URL: https://threatpost.com/office-365-cyberattack-disgruntled-contractor-jail/164986/
This article is about a company that hired an IT consulting firm to help migrate their employees over to the Office365 environment. One of the employees of the IT firm who was assigned to help with the migration was let go because his work was not satisfactory. As a result of the firing, this contractor was upset and used his knowledge to hack into the company’s server and delete 1,200 of the Office365 accounts. This company had a total of 1,500 Office365 accounts, so about 80% of the company’s employees were unable to access their emails, contacts, calendars, documents, or Teams environments which essentially made their company come to a halt. This is a form of insider threat because even though the contractor was no longer at the company he knew the company’s network. The article went on to say that it took two days to restore the accounts, but many days more to handle lingering issues and ultimately cost the company over $500,000. The disgruntled former contractor who performed this attack was arrested and convicted.
Megan Hall says
Whistleblower: Ubiquiti Breach “Catastrophic”
https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
This article was interesting to me for a few reasons. It is information provided by an insider/whistleblower from Ubiquiti Inc., a vendor of IoT devices, who says the company was silenced by its legal department and downplayed a breach to protect its stock price. They disclosed a breach on January 11 of this year. The insider is alleging that the breach is much worse than was disclosed. A few of the interesting things stated by the insider include: the hackers obtained full read/write access to databases stored at AWS; they were able to exfiltrate signing keys; the intruders attempted to blackmail/demand ransom to avoid disclosing the breach by asking for 50 bitcoin; and there was no access logging turned on for the databases.
Since this is still a relatively new story, and the information in the article comes from allegations of an insider, we do not have all confirmed facts at this point. However, if all of this is true, there were serious gaps in controls in place by the provider and it is alarming that the customer disclosure did not fully capture the level of concern. Having worked for a publicly traded company, I can see that there could be pressure to downplay breaches and I hope this is not a new trend we will see more of.
Jonathan Mettus says
Update on campaign targeting security researchers
The Threat Analysis Group at Google has found another website set up by a North Korean government-backed entity for a fake company called “SecuriElite” to continue targeting attacks at security researchers. The new website claims to be for a penetration testing company. Google’s Threat Analysis Group published warnings about the same group in January when it found they posed as security researchers or students on social media and directed security researchers to their malicious websites.
Google published a list of the new social media profiles, emails, and websites.
https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/
Mitchell Dulaney says
“80% of Global Enterprises Report Firmware Cyberattacks”
The results of a survey conducted by Microsoft indicate that a vast majority of enterprises have been targeted by firmware-based cyberattacks in the last two years. Common issues in the firmware security space include a lack of funding in department budgets, lack of awareness of the nature of threats to firmware security, and lack of implemented automation. Per the report, 21 percent of information security managers indicated that they do not monitor firmware data from the hosts on their networks, and many devices simply do not make firmware data available at all. Furthermore, the survey reported that 36 percent of organizations invest in hardware-based memory encryption and 46 percent invest in hardware-based kernel protections. These are two significant controls that mitigate risks from common firmware attacks. On the other hand, over 90 percent of organizations in Japan, the United Kingdom, the United States, and China answered that they are willing to budget for such protections moving forward.
https://threatpost.com/enterprises-firmware-cyberattacks/165174/
Christopher Clayton says
“Double-Extortion Ransomware Attacks Surged in 2020”
F-Secure’s “Attack Landscape Update” researchers reported that in 2020, double-extortion attacks broke out due to threat actors stealing data from organizations and encrypting files. This approach came from attackers demanding ransom to decrypt data and threatening to leak stolen information if extra payments were not made. Compared to just 1 double-extortion approach in 2019, 2020 saw 15 from different ransomware families. Other cybersecurity developments in 2020 included Excel formulas used to complicate malicious code; also, Outlook, Facebook, and Office 365 were the most popular lures in phishing attacks.
https://www.infosecurity-magazine.com/news/double-extortion-ransomware/
To-Yin Cheng says
FBI: APTs Actively Exploiting Fortinet VPN Security Holes
https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/
The three security vulnerabilities in Fortinet SSL VPN have been used to gain a foothold in the network, and then move laterally and perform reconnaissance. They are CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The FBI and the Cybersecurity and Infrastructure Security Agency warned that Advanced Persistent Threat (APT) nation-state participants are actively exploiting known security vulnerabilities in the Fortinet FortiOS network security operating system to gain access to multiple government, commercial, and technical service networks. APT participants have used critical vulnerabilities in the past to conduct distributed denial of service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website destruction, and disinformation campaigns. The FBI and CISA recommend regular offline backups of data and keeping blank and password-protected backup copies. Ensure that the copy of the key data cannot be accessed to modify or delete the key data from the main system where the key data is located. They also recommend using multi-factor authentication as much as possible and focusing on awareness and training, etc., to help organizations stop these and other attacks.
Lakshmi Surujnauth says
“Understanding and Preventing S3 Leaks”
Amazon’s Simple Storage Service or S3 is used by many developers to build applications and as such has become a target for cyber-attacks resulting in data leaks. These data leaks are primarily due to buckets being misconfigured to allow public access; no authentication required to access or download bucket data; stealing AWS keys from application code or exploiting an application vulnerability. This can be mitigated by blocking all public access when creating new buckets and using AWS Config to detect and remediate if S3 buckets are publicly accessible.
https://securityboulevard.com/2021/04/understanding-and-preventing-s3-leaks/
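The two mitigations named in the post above (blocking public access on buckets and detecting buckets that are publicly accessible) can be checked offline against a bucket's configuration. The following is an added example, not code from the post or the article it summarizes; it evaluates constructed dicts in the shape the S3 API returns for GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock, and makes no AWS calls.

```python
"""Flag S3 buckets whose configuration leaves them publicly readable.

Exposure paths checked: a bucket policy or ACL granting access to anonymous
principals, and a missing or incomplete Public Access Block (which, when all
four settings are on, overrides such grants at the bucket level).
Inputs are constructed dicts shaped like the S3 API responses; no AWS calls.
"""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_doc):
    """Sids (or positional labels) of Allow statements open to everyone.
    Statements with a Condition (e.g. aws:SourceVpce) are scoped, so they
    are left for manual review rather than reported as public."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    public = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _anonymous_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            public.append(stmt.get("Sid") or f"statement[{i}]")
    return public


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers / AuthenticatedUsers."""
    grants = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            grants.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return grants


def public_access_block_complete(pab):
    """True only when all four settings are enabled; a missing block is False."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in PAB_KEYS)


def assess_bucket(name, policy=None, acl=None, public_access_block=None):
    """One verdict per bucket: public grants count as exposure only when no
    complete Public Access Block overrides them (they are still listed)."""
    grants = []
    if policy:
        grants += [f"policy statement '{s}' allows anonymous access"
                   for s in public_policy_statements(policy)]
    if acl:
        grants += [f"ACL grants {p} to {g}" for g, p in public_acl_grants(acl)]
    blocked = public_access_block_complete(public_access_block)
    findings = grants + ([] if blocked else ["Public Access Block missing or incomplete"])
    return {"bucket": name, "exposed": bool(grants) and not blocked, "findings": findings}


# Constructed sample configurations (hypothetical bucket, not a real one).
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]})
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)}

if __name__ == "__main__":
    print(assess_bucket("example-assets", LEAKY_POLICY, LEAKY_ACL, None))
    print(assess_bucket("example-assets", LEAKY_POLICY, LEAKY_ACL, HARDENED_PAB))
```

The same checks can be fed from real API output, but a complete Public Access Block plus removal of the anonymous grants is the end state to aim for, not the block alone.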
Wei Liu says
Manufacturing’s Cloud Migration Opens Door to Major Cyber-Risk
New research shows 70 percent of manufacturing apps have vulnerabilities. Web-facing applications continue to be one of the highest security risks present for organizations, with more than 40 percent of them actively leaking data in a way that can have a ripple effect across businesses and their partners. The article also states that the manufacturing sector is particularly susceptible to being attacked through vulnerabilities in web-facing applications because it was “traditionally never internet-connected as an industry,” then had to rapidly transition legacy systems and software to keep up.
https://threatpost.com/manufacturing-cloud-migration-cyber-risk/165028/
Quynh Nguyen says
According to a survey by Microsoft, 80% of companies reported experiencing at least 1 firmware attack in the last two years. Firmware is software that provides low-level control for a device’s specific hardware and is last on the list for security protection. Most firms invest in security updates, vulnerability scans, and threat protection solutions. Of the 80% of enterprises that reported a firmware attack, only 29% have security budgets for firmware security. It is becoming increasingly popular for cyberattackers because sensitive information like credentials and encryption keys is stored in memory, but companies do not focus on security in this area. Firmware data often goes unmonitored. It is advised that firms look closely into investing more in firmware technology.
https://threatpost.com/enterprises-firmware-cyberattacks/165174/
Xiduo Liu says
An article published by AP on 4/2 detailed yet another hack, with the University of California as the victim this time. The attack was effectively carried out by utilizing the vulnerabilities that existed in 3rd party vendor software for secure file transfer. On Friday the university system said that about 300 organizations were affected, including universities, government institutions, and private companies. The data affected included PII, health data, and research data. A similar breach happened last month at the Washington State Auditor’s office, and the data affected included nearly 1.5 million unemployment applicants’ data.
You can find the article here: https://apnews.com/article/hacking-california-6d0f5e1644814e2a85822cfaba132674
Elias Harake says
Last week the University of California reported becoming another victim of a ransomware attack. According to the news website The Hill, the University’s UCNet became involved in an attack via Accellion, which is a secure file transfer company. The website reported, “An unauthorized individual appears to have copied and transferred UC files by exploiting a vulnerability in Accellion’s file transfer service”. The University of California added that officials do not believe the university’s systems or networks were compromised as a result. However, UC said it reported the incident to federal law enforcement, took measures to contain it, and has begun its cyberattack investigation. The University of California is not the only higher education institution to become a victim; just last month other universities such as Stanford University, Yeshiva University and the University of Maryland also became cyberattack victims.
https://thehill.com/policy/cybersecurity/546335-university-of-california-victim-of-ransomware-attack
Panayiotis Laskaridis says
“Bring CISOs into the C-Suite to bake cybersecurity into Company Culture”
https://techcrunch.com/2021/04/01/bring-cisos-into-the-c-suite-to-bake-cybersecurity-into-company-culture/
The headline is music to my ears. The article goes on to say that with the ever-growing information age, it is becoming more and more important that CISOs are being added to C-Suites. Obviously, you could imagine that I agree with that statement. All bias aside, in more and more industries every day, the CISO role is becoming more important than the traditional CFO or COO. For example, it is a safe assumption to make that for a company like Amazon, the CISO has surpassed the CFO in importance. As always, the companies that refuse to adapt get hurt, while those who do get ahead.
Christa Giordano says
“US Lawmakers Press Online Ad Auctioneers Over User Data”
On Friday, April 2, a bipartisan group of US senators sent letters to Google, Twitter, AT&T, Verizon and other major digital ad exchanges, inquiring about what type of information is gathered about people during the ad auction process and whether user data was sold to foreign entities, among other questions. The companies have until May 4th to respond to the inquiry. There is a “real time” bidding process that takes place to determine which personalized ads a user sees when browsing web pages. This results in literally hundreds of businesses receiving data such as the user’s search history, IP address, age, gender, location, and web activity, among other personal information. Some of these auction participants store the data and create files on individuals which are then sold to anyone with a credit card, such as governments, hedge funds, and politicians, including foreign entities. This information could be used for blackmail, to influence campaigns, hacking, and/or other malicious intent.
https://www.securityweek.com/us-lawmakers-press-online-ad-auctioneers-over-user-data
Charlie Corrao says
“One-Third of Organizations Take No Action After Detecting a Cyber Attack”
A recent cybersecurity report was just completed by the Department for Digital, Culture, Media, and Sport (DCMS). From this study, the DCMS made some very interesting discoveries. One key finding from this report was that the number of cyber-attacks increased as a result of the pandemic. There was also an increase in the number of successful attacks. This was somewhat expected, as the increase in WFH has made enforcing cybersecurity policies more difficult.
The most surprising statistic was that of those surveyed, 1/3 took no action when a cybersecurity threat was detected. I would have expected this number to be much less. The 2/3 that did say they take action took actions like increased training, updated security software, modified security configurations, or installed new security software.
https://securityboulevard.com/2021/04/one-third-of-organizations-take-no-action-after-detecting-a-cyber-attack/
Michael Doherty says
Facebook breach helpful to robocallers
The Facebook breach from 2019, which was vulnerable due to a previous breach, has been determined to have left some of the information still available in the public domain. A lot of Facebook accounts had PII stolen, such as phone numbers, birth dates, etc. Although some of the information may be old, the information is still available and can be easily collected by a simple search. Facebook stated that they found and fixed the issue in 2019.
The information is still available, and although it may not be valuable to hackers, the names and phone numbers are valuable to robocallers; this may be why more robocalls occur.
http://www.cnn.com/2021/04/06/tech/facebook-data-leaked-what-to-do/index.html