“TSA to reveal security plan for air cargo industry”
The TSA is restructuring their Cybersecurity policies. The organization, in the past, had packages screened like passengers, where almost every piece of cargo is scanned. They want to move to more of a risk-based approach and scan every piece of cargo by 6/30/2021, but with a caveat: they will allow companies to bypass these new requirements if they can prove their security awareness within the supply chain. This approach is unpopular with many distributors, as they believe this will allow Amazon to further gain market share in the e-commerce business. Amazon will be able to qualify for the risk-based security approach, which will allow for even faster delivery of products. They also argue that this will be a much too costly plan. Many cargo x-ray machines will not be large enough to scan certain packages, and staff and drug-sniffing dogs will need to be retrained. This plan would represent a major shakeup of the airline business, and will have significant downstream effects on security and cybersecurity policies at many companies.
https://www.freightwaves.com/news/tsa-to-reveal-security-plan-for-air-cargo-industry
Malwarebytes recently announced that it has joined the list of victims of the SolarWinds attack. What’s interesting to me is that, from the disclosed information, the attack surface is ADFS, specifically a token-signing cert. The attacker was able to add additional domains as trusted domains in Azure AD, which resulted in the compromise of the credentials of user accounts that were used to synchronize to Microsoft 365 applications that have highly privileged directory roles such as global administrator or application administrator.
According to Malwarebytes, the attacker was not able to compromise their security and malware protection products (unlike the SolarWinds attack), and their product remains secure and effective. In addition, Malwarebytes further disclosed that only a selective set of internal emails were compromised, and the more thorough investigation revealed that their source code, build and delivery process, internal on-premises and production environments have not been tampered with.
You can read more about this breach here: https://www.helpnetsecurity.com/2021/01/20/malwarebytes-breached/
“A look into the pricing of stolen identities for sale on the dark web”
Stolen personally identifiable information (PII) provides lucrative opportunities for cyber security criminals. But how much is this stolen data worth? Research has shown that Americans have the cheapest “fullz” (full credentials, i.e. SSN, DOB, etc.), which average $8, while Japanese and UAE stolen identities are sold for $25. Stolen credit cards range from $0.11 to $986, while hacked PayPal accounts can fetch from $5 to $1,767 and are often the most popular types of stolen information traded on the dark web; other types of stolen information usually for sale are passports, driver’s licenses, frequent flyer miles, streaming accounts, social media accounts, bank accounts and debit cards. This data is typically stolen through phishing, credential stuffing, data breaches and card skimmers. In an effort to safeguard against the theft of PII, users can minimize their digital footprint, keep an eye out for card skimmers at POS registers, learn how to spot phishing emails and use strong, unique passwords.
https://www.securitymagazine.com/articles/94405-a-look-into-the-pricing-of-stolen-identities-for-sale-on-dark-web?
Large online cybercrime store ending its business
Joker’s Stash, one of the largest marketplaces for stolen credit card and identity information, announced it will shut down in mid-February. The announcement came a few weeks after authorities from the United States and Europe seized many of its servers. The site opened in 2014, but recently “Intel 471 says many of Joker’s loyal customers started complaining that the shop’s payment card data quality was increasingly poor,” according to the KrebsonSecurity blog. The owner of the website contracted COVID-19, which prevented him from updating the website with fresh inventory for a period of time. Gemini Advisory, a New York City-based company that monitors underground carding shops, estimates that Joker’s Stash generated more than a billion dollars in revenue over the past several years.
https://krebsonsecurity.com/2021/01/jokers-stash-carding-market-to-call-it-quits/
Title: Einstein Healthcare Network Announces August Breach
URL: https://threatpost.com/einstein-healthcare-network-announces-august-breach/163237/
The Einstein Healthcare employee email system was breached by an unauthorized person this past August for approximately 12 days. Some of the stolen emails contained patient information such as name, date of birth, diagnoses, prescriptions, and other sensitive information protected by HIPAA. Einstein did not publicly notify the patients that had their information compromised until 5 months after the breach was identified. The Health and Human Services HIPAA Breach Notification Rule states that patients should be notified no later than 60 days after a breach is found, which means Einstein was in violation of this rule. As of this writing, no fines have been imposed for violating this rule, and Einstein is providing credit monitoring to all impacted patients.
Most Financial Services Have Suffered COVID-Linked Cyber-Attacks
The research shows over 70% of financial services firms have experienced a successful cyber-attack over the past year. 57% of respondents argued that cyber-attacks are increasing in severity as a result of work-from-home (WFH), and 41% argued that remote workers are putting the business at risk of a major data breach. The research also revealed that home workers often engage in riskier behavior than when they are at the office, which is compounded by the surge in COVID-19 phishing emails and by devices that may be shared with other users in the same household and/or be less well protected than corporate equivalents.
https://www.infosecurity-magazine.com/news/financial-services-suffered-covid/
“Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks”
Based on research by Netscout, Threatpost reports that average cyber criminals are capable of expanding their DDoS capabilities via a vulnerability discovered on Microsoft Remote Desktop Protocol (RDP) servers. RDP servers utilizing UDP port 3389 are exploitable for UDP reflection/amplification attacks, and “more than 14,000” servers have been identified as vulnerable to this particular threat. Originally, this was considered to be exploitable only by sophisticated DDoS attackers, but at this point it can be utilized by a typical attacker. To mitigate this threat, it is being recommended that RDP servers only be accessible from the internet through a VPN service, or that UDP port 3389 be disabled on servers as a stopgap.
https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/
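The post above describes the reflection/amplification pattern and the recommended mitigations (VPN-only access or disabling UDP 3389). For defenders who cannot immediately change the exposure, the first question is usually whether a host is already being abused as a reflector. The following script is an added example, not code from the Threatpost or Netscout write-ups: it runs over constructed flow records and flags hosts whose outbound traffic from UDP source port 3389 is much larger than what they receive on that port and is spread across several destinations (the spoofed victims). The flow-record format, the hosts and the thresholds (`min_ratio`, `min_victims`) are assumptions chosen for the example.

```python
"""
Added example (not from the article): flag hosts that look like UDP/3389 reflectors.
A reflector answers small inbound datagrams with much larger outbound ones, and
because the source addresses are spoofed, the replies fan out to many destinations.
Flow records, format and thresholds below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

RDP_UDP_PORT = 3389


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src_ip:src_port > dst_ip:dst_port PROTO bytes'."""
    src, _, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(sip, int(sport), dip, int(dport), proto, int(nbytes))


def rdp_reflection_report(lines, min_ratio=5.0, min_victims=3):
    """Return {host: details} for hosts whose UDP/3389 output looks amplified.

    Thresholds are assumptions: a host is reported when it emits at least
    min_ratio times more bytes from UDP/3389 than it receives on UDP/3389 and
    those replies go to at least min_victims distinct destinations.
    """
    inbound = defaultdict(int)    # bytes received on UDP/3389, per host
    outbound = defaultdict(int)   # bytes sent from UDP/3389, per host
    victims = defaultdict(set)    # distinct destinations of that outbound traffic
    for line in lines:
        f = parse_flow(line)
        if f.proto != "UDP":
            continue
        if f.dst_port == RDP_UDP_PORT:
            inbound[f.dst_ip] += f.nbytes
        if f.src_port == RDP_UDP_PORT:
            outbound[f.src_ip] += f.nbytes
            victims[f.src_ip].add(f.dst_ip)

    report = {}
    for host, out_bytes in outbound.items():
        in_bytes = inbound.get(host, 0)
        # A host that sends from 3389 without ever receiving on 3389 is the
        # strongest signal, so treat a zero denominator as infinite ratio.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio and len(victims[host]) >= min_victims:
            report[host] = {
                "in_bytes": in_bytes,
                "out_bytes": out_bytes,
                "ratio": ratio,
                "victims": sorted(victims[host]),
            }
    return report


# Constructed sample: 192.0.2.10 serves a normal, roughly symmetric RDP/UDP
# session; 192.0.2.20 answers three tiny probes with large replies to three
# different (spoofed) addresses, the reflection pattern the post describes.
SAMPLE_FLOWS = [
    "10.0.0.5:50000 > 192.0.2.10:3389 UDP 1200",
    "192.0.2.10:3389 > 10.0.0.5:50000 UDP 1500",
    "198.51.100.1:40000 > 192.0.2.20:3389 UDP 100",
    "192.0.2.20:3389 > 198.51.100.1:40000 UDP 8000",
    "198.51.100.2:40000 > 192.0.2.20:3389 UDP 100",
    "192.0.2.20:3389 > 198.51.100.2:40000 UDP 8000",
    "198.51.100.3:40000 > 192.0.2.20:3389 UDP 100",
    "192.0.2.20:3389 > 198.51.100.3:40000 UDP 8000",
]

if __name__ == "__main__":
    for host, details in rdp_reflection_report(SAMPLE_FLOWS).items():
        print(f"possible UDP/3389 reflector {host}: "
              f"ratio={details['ratio']:.1f}, victims={details['victims']}")
```

A hit from this report is a reason to apply the mitigations in the post (move the host behind a VPN or disable the UDP listener) and to look at the flagged destinations, which are the parties actually being flooded.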
Cisco Launches a Comprehensive Security Architecture for Industrial IoT
https://www.prnewswire.com/news-releases/cisco-launches-a-comprehensive-security-architecture-for-industrial-iot-300993998.html
Cisco has developed a new security architecture for industrial IoT. It claims to be the first to deliver visibility across IoT and operational technology environments. This will allow organizations to increase efficiencies and accelerate digitization projects. The article states the combination of IT and OT will allow for advanced anomaly detection so that organizations can rapidly detect changes in systems that could cause threats.
“West Virginia Woman Sentenced for Planning to Offer Top-Secret NSA Information to Russia”
https://pittsburgh.cbslocal.com/2021/01/25/woman-sentenced-in-scheme-to-offer-information-to-russia/amp/
This article seemed to be relevant during the week’s topic of security plans. In the article, a woman was sentenced in relation to a scheme to give top secret information from the NSA to the Russian Government. One of the counts she pled guilty to was willful retention of national defense information. What struck me as relevant to this week’s reading was that any government agency’s System Security Plan would have a lot of very sensitive information that could potentially be used against the government. Given the amount of sensitive information in the Plan, I would expect to see strong controls in place to promote the confidentiality of the Plan. The article also echoed the point that, at the end of the day, humans are the weakest link in security. A government agency can have the best documented security plan, but if a person leaks or misuses that information, it could make even the best security control over a system irrelevant.
“Threat Hunting and Cyberrisk Assessment Using Cyber Kill Chain”
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/threat-hunting-and-cyber-risk-assessment
This article discusses the importance of performing a risk assessment against threats and vulnerabilities from a cyber attack chain. The article explains that attackers employ an “attack chain” which is a series of consecutive steps used to breach systems/organizations. An assessment should be performed against each step within the chain referred to as the “kill chain framework”. There are several intended benefits of performing this kill chain assessment such as being able to combat cyberattacks in multiple forms (SQL injection, ransomware, etc.). In addition, this can help inform the design of the information security architecture in order to prevent, detect, identify, contain, restore, recover, report, and perform forensic investigations in order to glean lessons learned from an incident and also prevent an attack.
“TikTok vulnerability left users’ private information exposed”
The popular app “TikTok” was the victim of a security vulnerability that could have allowed attackers to access users’ profile settings, account details, and phone numbers associated with their account. Checkpoint, a cybersecurity provider, discovered that the vulnerability was in the “Find Friends” feature, which bypassed its privacy protections. That would have made it possible for hackers to take advantage of the accounts and other security activity. Fortunately, TikTok confirmed that the flaw was spotted and has been repaired. However, there is no indication of the vulnerability being exploited. For TikTok users, it is highly recommended to “share the bare minimum” for security purposes.
https://www.cnet.com/news/tiktok-vulnerability-left-users-private-information-exposed/
SolarWinds Hacks: Virginia Regulator And $5 Billion Cybersecurity Firm Confirmed As Targets
https://www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/?sh=142bbf67f172
This is large-scale espionage first discovered in December. The list shows 23 new targets allegedly targeted by the unprecedented SolarWinds hack. These attacks stole emails from major government agencies including the Ministry of Justice and the Ministry of Finance and destroyed countless private companies. It also includes Qualys, a $5 billion market capitalization cybersecurity company. It turned Orion, one of its most popular IT management tools, into malware, further infecting as many as 18,000 customers. Other known victims include Microsoft, the Department of Energy, and the Ministry of Finance.
According to the article “What you need to know about the biggest hack of the US government in years,” a sophisticated operation reportedly targeted federal government networks and marks the biggest cyber attack against the United States government in years. The treasury and commerce departments were both affected, and others may have been breached. The attackers, supposedly from Russia, used malware to access an organization’s networks so they could steal confidential information. The breach was not discovered until a few weeks ago, when the prominent cybersecurity company FireEye determined it had experienced a breach by way of the software. The scale of the hack is potentially global, since the affected software touches many parts of a business, potentially devastating for organizations such as SolarWinds, a company from Texas.
https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department
Cisco reveals the critical role of privacy emerging from the global pandemic in its 2021 Data Privacy Benchmark Study, a look into corporate privacy practices worldwide. They found that privacy protection is at the forefront and extremely important amidst the global pandemic, and that the benefits for businesses that adopt strong privacy measures are increasing. On top of new cybersecurity concerns revolving around work from home, people have been suddenly expected/required to share their personal information to help slow the spread of COVID-19. More people have shifted much of their lives online, such as Zoom hangouts, work calls and meetings, accelerating a trend that normally would have taken years. These mass-scale shifts in human interaction and digital engagement presented many challenging data privacy issues for organizations that aim to follow the law and stop the spread of the pandemic while also respecting individual rights. Consumers and the general public are growing increasingly concerned about how their personal data is being used.
https://www.securitymagazine.com/articles/94438-cisco-study-reveals-critical-role-of-privacy-emerging-from-global-pandemic
“Four security vendors disclose SolarWinds-related incidents”
Four new security vendors have reported being affected by the SolarWinds Orion software attack in which hackers breached systems of users of the software update. The vendors that just reported their security systems being compromised include Mimecast, Palo Alto Networks, Qualys, and Fidelis. This brings the total number of affected vendors to eight, as FireEye, Microsoft, CrowdStrike, and Malwarebytes had previously reported being targeted. I found it interesting that, despite the attack first coming to light in December, there are still new breaches being reported. This highlights the nature of cybersecurity attacks, as the true extent of the damage is often never brought to light. I am curious to see whether other security vendors report breaches.
https://www.zdnet.com/article/four-security-vendors-disclose-solarwinds-related-incidents/
Cook County, IL knew of the breach.
Cook County, IL, home of Chicago, has had a known data breach with court records since September 26, 2020. On Monday, the database was just shut down from public view. Some of the information that was available includes names, addresses, email addresses and other private details about the cases. The cases that were impacted were (according to the Cook County website) CRI (Criminal), IMM (Immigration) and FAM (Family) courts.
There is a concern that the information that was available could be used by bad actors to initiate ransomware attacks; for example, with immigration cases they could threaten the family with deportation unless the ransom is paid, or blackmail families by threatening that divorce or domestic violence information would be leaked unless the family pays.
https://threatpost.com/criminal-domestic-case-cook-county-leak23k-sensitive-court-records