For this week’s “In the News”, locate an article that discusses one of the following:
- new security threats
- changing security threats
- reduced security threats?
In regard to the threats that you have identified, how does the threat change the steps that the organization would take to mitigate, or lessen, the risk from that threat?
Shubham Patil says
The article below shows that a simple misconfiguration can put human lives at risk. Cloud security is one of the biggest changes in security threats.
Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: ‘Lives at Stake’
A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.
The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.
The PII ranged from photos of airline employees and national ID cards — which could present a serious threat if leveraged by terrorist groups or criminal organizations — to information about planes, fuel lines, and GPS map coordinates. “Airport security protects the lives of travelers and airport staff,” the report explains. “As such, this breach is extremely dangerous with potentially devastating consequences should the bucket’s content end up in the wrong hands.”
Mitigations:
- Teaching your employees proper defense practices can minimize risk and prevent cloud security threats.
- Enable automatic scanning for vulnerable storage across AWS S3 buckets and Azure Blobs.
- Use continuous configuration audits for IaaS accounts and services to enforce consistent protection.
- Enforce compliance checks against industry best practices to maintain secure postures.
- Run data loss prevention and malware scans to detect violations in cloud-storage services and protect sensitive data from being exfiltrated.
- Put measures in place to detect insider threats as well as threats from compromised accounts and privileged-access misuse.
- Apply automatic remediation to take appropriate action against misconfigurations, vulnerabilities, and exposures.
Link: https://www.darkreading.com/application-security/cloud-misconfig-exposes-3tb-sensitive-airport-data-amazon-s3-bucket
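The "automatic scanning for vulnerable storage" mitigation above amounts to checking each bucket's policy and ACL for grants to everyone. The following is an added example, not code from the article or from Skyhigh Security: it flags wildcard-principal policy statements and AllUsers/AuthenticatedUsers ACL grants in constructed sample configurations, using a simplified version of how AWS decides a bucket is "public" (the bucket name and VPC endpoint id are placeholders).

```python
"""Audit S3 bucket policy / ACL JSON for grants that expose objects to everyone.
Added example (not code from the article or Skyhigh Security); samples are constructed
and the policy evaluation is a simplified version of AWS's "public" determination."""
import json

# ACL grantee groups meaning "anyone on the internet" / "any AWS account holder".
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _is_wildcard_principal(principal) -> bool:
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_findings(policy_json: str) -> list:
    """Return (Sid, verdict) for each Allow statement with a wildcard principal.
    "public": nothing narrows the grant. "review": a Condition is present (e.g.
    aws:SourceVpce); AWS decides per condition key whether that still counts as
    public, so a human checks those rather than the script assuming either way."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [(s.get("Sid", "<no Sid>"), "review" if s.get("Condition") else "public")
            for s in stmts
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))]


def acl_findings(acl: dict) -> list:
    """Return the permissions an ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


# Constructed sample: the shape of policy behind an "open, no authentication" bucket.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::airport-docs-example", "arn:aws:s3:::airport-docs-example/*"]}]})
# Constructed sample: same bucket, but reads limited to one VPC endpoint (placeholder id).
VPC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::airport-docs-example/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
# Constructed sample ACL: a single grant that makes every object world-readable.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI":
            "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
```

In practice the same two functions would be fed the output of `get-bucket-policy` and `get-bucket-acl` for every bucket in the account, with the "review" verdicts triaged by a person.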
Kelly Sharadin says
I remember when macOS was a tiny share of the marketplace. In recent years I have watched organizations begin to adopt macOS devices more and more, introducing new management solutions like JAMF to protect these devices. While Windows operating systems may still be more prone to malware, we have seen the rise of macOS malware due to its increasing adoption in the workplace. In this article from Dark Reading, not only has a new macOS spyware, “CloudMensis,” emerged, but it uses public cloud infrastructure (e.g., Dropbox) as part of its C2 operations (indeed a security threat of our time).
Regarding mitigations, I would refer back to management solutions like JAMF to ensure devices stay up-to-date with Apple patches. I would inventory what public cloud resources the business requires and try to eliminate the use of unapproved cloud solutions. For example, if the organization is using M365, then OneDrive would be the approved cloud storage solution, and Dropbox would not be permitted via blocklists and employee agreement within acceptable use policies.
https://www.darkreading.com/threat-intelligence/mysterious-cloud-enabled-macos-spyware
Mohammed Syed says
In 2022, new threats have emerged due to changes in technology and the increased use of digitalization. After COVID-19, many businesses switched to the cloud, cloud service providers greatly increased the number of cloud services, and customers rely on those services.
Many organizations moved their infrastructure to the cloud over the last two years. Cloud technologies are constantly evolving and changing, generating many security gaps in deployment. New threats include attacks against multi-factor authentication, attacks against system backups, attacks against mobile devices, attacks against communication satellites, etc. As technology changes, so do the threats; threats such as cross-site scripting attacks and SQL injection have been reduced but remain a constant possibility and could increase.
Threats constantly change as new technologies shift in the market. To mitigate them, organizations must always be aware of and ready to protect against the recent changes and threats. Organizations must change mitigating hardware and software devices, implement new policies, and train employees to face new technology threats. Many unknown hackers use whatever skill sets they have, no matter what action is taken against the target they are going after; as he knows, organizations still need to mitigate old as well as new threats with the help of new, innovative technology.
https://www.crn.com/news/security/rsa-conference-most-dangerous-cybersecurity-threats-in-2022
Antonio Cozza says
One relatively new/changing security threat to all major organizations and entities using the Office 365 suite is a threat actor’s demonstrated ability to deliver macro-triggered malware through these applications by exploiting their usage/enabling of Visual Basic scripts. A lot of footholds are gained, as the article supports, by malware delivered through phishing emails containing Microsoft Word, Excel, and other Office documents. Microsoft has now finally implemented a workaround which disables VB scripts by default. However, this simply made malicious hackers pivot to a different variant of the same strategy; instead of Word and other Office suite docs, they are now sending .odt, .lnk, and .iso files with malware scripts. The primary malware signatures affected are Qakbot, IcedID, Emotet, and Bumblebee.
https://thehackernews.com/2022/07/microsoft-resumes-blocking-office-vba.html
Vraj Patel says
A new SQL injection security threat has been identified within the SonicWall Global Management System (GMS) and Analytics On-Prem products. Attackers could modify a legitimate SQL query within the software to have it perform unexpected behavior. This threat is being tracked under CVE-2022-22280. Once this flaw was identified, SonicWall released a patch and suggested that organizations using the impacted versions of the software update to the newer version. According to this article, SonicWall has stated that they were not currently aware of any organizations being impacted by that threat.
Reference:
https://www.bleepingcomputer.com/news/security/sonicwall-patch-critical-sql-injection-bug-immediately/?&web_view=true
Kyuande Johnson says
The introduction of cloud computing has created unique business models for companies to outsource expensive and resource-intensive tasks. Software as a service delivers applications over the internet for a monthly fee. Common examples are Microsoft 365 and Adobe Suite. Platform as a service is a cloud computing model where a third-party provider delivers hardware and software tools to users over the internet. Infrastructure as a service is a type of cloud computing service that offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis. A new cloud business model creates new threats for the organizations that are targeted: ransomware as a service (RaaS), which offers pay-for-use malware. RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web.
Kyuande Johnson says
https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS#:~:text=Ransomware%20as%20a%20service%20(RaaS)%20is%20the%20offering%20of%20pay,hostage%20with%20little%20technical%20skill.
Tal Eidenzon says
https://www.darkreading.com/attacks-breaches/attacker-using-fake-google-software-update-to-distribute-new-ransomware
This is a concerning trend that is building on the relatively recent corporate push for keeping up with patches and updates. Hackers are using this to inject malware into systems to infect machines.
The specific malware mentioned in the article is HavanaCrypt, which is a .NET malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the “GoogleUpdate” registry is present on the system and only continues with its routine if the malware determines the registry is not present.
Mitchell Dulaney says
“Large-Scale Phishing Campaign Bypasses MFA”
Threatpost reports that phishing campaigns are now being conducted using methods that eliminate the protections offered by multi-factor authentication. First detected in September 2021, attackers are combining man-in-the-middle attacks with phishing campaigns to gain access to user mailboxes. Rather than directing victims to a fake sign-in page that simply collects the user’s credentials, attackers instead are covertly directing victims to a proxy server that establishes an HTTP connection with the Office 365 portal on the victim’s behalf. In doing so, the attacker collects the user’s email address and password, and by facilitating the completion of multi-factor authentication, they also collect the session token provided to the user for their login session. The attacker can use the combination of credentials with the session token to gain unfettered access to the user’s mailbox, and historically these campaigns have resulted in attackers using financial information in victim mailboxes to commit financial fraud. Another “benefit” from the perspective of the attacker is that the user ultimately establishes a connection with their intended resource (Office 365), so after the attack has been completed it isn’t obvious to the user that something has gone wrong.
Unfortunately, the article did not identify a compensating control to prevent this man-in-the-middle phishing attack from succeeding. The best way to combat this threat, like all phishing threats, is to require security awareness training that educates your users on how to distinguish a legitimate email from a phishing one.
https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/