Cybersecurity News: July 3–9 2021
Kaseya, PrintNightmare, RNC hack and the rest of this week’s cybersecurity news
Free Content on Jobs in Cybersecurity | Sign up for the Email List
2nd Sight Lab | Cybersecurity | Vulnerabilities | Malware | Threat Reports | Breaches & Attacks | Cost of a Data Breach | Laws & Legal | Investments
2nd Sight Lab News
_____________________________________________
Someone read Cybersecurity for Executives in the Age of Cloud and asked me to prepare a presentation for a university on getting into security. I agreed! I get too many requests to present and perform work for free but I try to give back when I can. So many universities have new cybersecurity programs that didn’t exist when I got my masters degree so I’ll make a video that can be shared with those that are looking for a brief introduction to cybersecurity they can share with students to get off on the right track. Here are some of the cybersecurity certifications I obtained through my own masters program. I also have a GSE and a lot of cybersecurity experience!
Check out the third in this series on cybersecurity for the mortgage industry. Insecure and broken portals are contributing to the problem.
Someone asked me if 2nd Sight Lab’s customers were affected by the Kaseya attack. I explain the difference between preventative and reactive security in this post and a brief overview of the attack here. I have a much more extensive overview of the Kaseya attack below based on additional research.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you like this blog, please clap, follow, join, or pass it on. Thanks! 👏
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cybersecurity
_____________________________________________
White House urges mayors to review local govts’ cybersecurity posture
36% of CTOs are not disclosing data breaches
Inside the FBI, Russia, and Ukraine’s failed cybercrime investigation
Russia and Ukraine promised to cooperate and help catch the world’s most successful hackers. But things didn’t quite go to plan.
As ransomware attacks continue, cyber insurance is in trouble ~ at the brink of not being profitable any longer
Train employees what to do if they’ve made a security mistake
Proofpoint has some good advice here. Train employees to report security mistakes immediately since there is a gap between when criminals get credentials and when they use them.
More crimes involving children and the Internet this week
AWS Firewall Manager now supports central monitoring of VPC routes for AWS Network Firewall
Google made some updates to its secure foundation templates
Microsoft 365 to let SecOps lock hacked Active Directory accounts
Mozilla Firefox to roll out DNS over HTTPS for Canadian users
State and local groups press Congress to pass cyber grants
Privacy
_____________________________________________
Tor Browser adds new anti-censorship feature, V2 onion warnings
Audacity owner will revise its privacy policy following spyware concerns
Apple wins privacy battle in China
Vulnerabilities
_____________________________________________
Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
Regarding the PrintNightmare vulnerability reported last week
Microsoft Issues Emergency Patch for Windows Flaw
The patch causes problems for some printers:
Some claim the patch doesn’t work:
Meanwhile others are already creating exploits for this vulnerability:
Print Nightmare Attack Tool on GitHub:
Mimikatz Exploit on GitHub:
Works on more than domain controllers
Exploit on gitlab. As mentioned in my previous news feed reports when Microsoft announced they would take down malicious code on Github if used in an attack, attackers and researchers will simply move to other platforms.
With CobaltStrike:
Meanwhile security defenders were busy generating indicators of compromise (IOCs) as explained in my book.
A scanner to find this vulnerability on a network. Note: I haven’t tested this tool and not endorsing it. Test it carefully before you use it.
Some security pros not happy that an exploit came out prior to the patch.
Others claim Microsoft is removing posts with information about the vulnerability. See the whole thread on how this security professional had issues sharing research.
Microsoft claimed this patch works
Meanwhile on another front…an RCE patched in Windows Defender called about by Travis Ormandy of Google Project Zero
Kaspersky PasswordManager vulnerability — Generating bad passwords?!
Bruce Schneier writes:
Stupid programming mistake, or intentional backdoor? We don’t know.
More generally: generating random numbers is hard. I recommend my own algorithm: Fortuna. I also recommend my own password manager: Password Safe.
ForgeRock Critical CVE targeting Australian government organisations
CVE-2021–35464 was disclosed on 23 June 2021 and targets ForgeRock OpenAM, an open-source access management solution. The ACSC has identified a number of Australian organisations which have been compromised through exploitation of this CVE.
Malwarebytes writes about the format string bug on iPhones that disables wifi
Flaw in preprocessor language Less.js causes website to leak AWS secret keys
WAF bypass: ‘Severe’ OWASP ModSecurity Core Rule Set bug was present for several years
Cisco BPA, WSA Bugs Allow Remote Cyberattacks
Critical Flaws Reported in Philips Vue PACS Medical Imaging Systems
Critical Flaws Reported in Sage X3 Enterprise Management Software
Coursera Flunks API Security Test in Researchers’ Exam
Malware
_____________________________________________
Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration
Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files
In yet another instance of malware authors continue to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that “downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro.”
A report on Conti malware from Sentinel Labs
The Evolution of PINCHY SPIDER from GandCrab to REvil by CrowdStrike
Fake crypto-mining Android apps net fraudsters $350k
Google removed some but more are circulating.
The lure for unsuspecting victims in this case was the false promise of renting cloud computing power via the apps and taking a small cut of each transaction verified.
Filesec.io project catalogs malicious file extensions being used by attackers
Trend Micro on detecting Cobalt Strike
Bandidos at large: A spying campaign in Latin America targeting American corporations
Hancitor tries XLL as initial malware file
SideCopy Hackers Target Indian Government Officials With New Malware
using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections.
WildPressure APT Emerges With New Malware Targeting Windows and macOS
Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform
All identified precompiled software components in our research were different versions of 7Zip, WinSCP and PuTTYgen, programs that provide complex compression and network functionality
TrickBot Botnet Found Deploying A New Ransomware Called Diavol
QNAP fixes critical bug in NAS backup, disaster recovery app
Threat Reports
_____________________________________________
CISA Analysis Reveals Successful Attack Techniques of FY 2020
phishing links were most common and used to gain initial access in 49% of RVAs. Next were exploits of public-facing applications (11.8%), followed by phishing attachments (9.8%). For execution, PowerShell was used in 24.4% of RVAs, followed by Windows Management Instrumentation (13%) and Command & Scripting Interpreter (12.2%).
Valid accounts were used to gain privilege escalation in 37.5% of RVAs, followed by exploitation for privilege escalation (21.9%) and making and impersonating tokens (15.6%). For lateral movement, attackers primarily used pass-the-hash (29.8%), followed by Remote Desktop Protocol (25%) and exploitation of remote services (11.9%).
Aqua Security’s Cloud Native Threat Report Reveals Sophisticated New Attacks in the Wild on Container Supply Chains and Infrastructure
May have missed this one earlier. Ran across it this week.
A new survey shows leaked enterprise secrets costs companies millions of dollars each year.
Increase in BEC scams in construction industry in Australia
The ACSC has observed a growing trend affecting construction companies and their customers. In the past six months there has been an increase in cybercriminals targeting builders and construction companies to conduct business email compromise (BEC) scams within Australia.
Lazarus campaign TTPs and evolution
AT&T Alien Labs™ has observed new activity that has been attributed to the Lazarus adversary group potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. and Europe.
Scanning for Microsoft Secure Socket Tunneling Protocol
resurgence of probe by Digitalocean looking for the Microsoft (MS) Secure Socket Tunneling Protocol (SSTP). This MS proprietary VPN protocol is used to establish a secure connection via the Transport Layer Security (TLS) between a client and a VPN gateway.
FBI warns cryptocurrency owners, exchanges of ongoing attacks
SAAS Security Survey
Breaches & Attacks
_____________________________________________
Kaseya Updates This Week
Last week ransomware delivered though a product called Kaseya hit a number of companies. The fallout and analysis continued this week.
As mentioned above 2nd Sight Lab published a brief summary and explanation of the difference between preventative and reactive cybersecurity services.
The ransomware in this attack infiltrated companies using software made by Kaseya that is used by Managed Service Providers (MSPs). Those MSPs are companies that provide technical services to other organizations, typically to small businesses. The software the attackers infiltrated is used to remotely manage customer systems. Leveraging this access is how the criminals were able to spread ransomware to so many companies and systems.
Michael Hamilton explains what he discovered during a specific incident. The attackers obtained access to Kaseya administrative systems. Per other accounts below, the attackers obtained access to those systems via software vulnerabilities. Then the attackers pushed out malware making it look like an update to the VSA agents on the machines managed by the MSPs. That software disabled Windows Defender with a Powershell command. Then the malware downloaded a signed binary which was an old windows executable. That executable had a vulnerability which the attackers then used to access the operating system and encrypt the system.
Kaseya Hacked via Authentication Bypass
It is believed that REvil used an authentication bypass in the Web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection.
Kaseya ruled out a supply chain attack.
Hmm. Definition of supply chain: A supply chain is a network between a company and its suppliers to produce and distribute a specific product to the final buyer.
CISA and FBI provide guidance to affected organizations.
Australian Cyber Security Centre guidance:
Unfixed flaws were at the heart of the attack. Kaseya was working to fix them, they just didn’t get fixed fast enough.
Attribution has been assigned to Russian criminal organization by the name of REvil.
REvil tried to get $70 million to unlock ransomware for all victims.
https://therecord.media/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack
The US government launched an investigation.
The US government indicates that retaliation may be in order in this press conference.
Robert McMillan points out that the REvil blog is down about the same time.
Some news organizations are writing about why this is such as dangerous attack. This is not new.
I wrote about how attackers leveraged automated update processes in the Target Breach to affect many POS machines at once. I explained in my book on cybersecurity how Cloud Hopper and other attacks are leveraging vendors to get into customer systems. Michael Hamilton spoke about that as well in the video I posted above. I explain in cloud security classes how cloud services that perform auto-updates on systems through agents may be used against companies in the cloud and how to defend against it.
Brian Krebs wrote about a 2015 flaw that in a deprecated portal left online by the company that would allow access to files via a web browser. However, this flaw was not thought to be leveraged in the ransomware attack per the article.
The debate continues about whether or not to pay ransoms. My take: Companies should not be allowed to pay simply because they are negligent in addressing security problems. However, if the ransomware could cause significant damage to many people or companies other than the company that was targeted or, for example, not retrieving data could result in loss of life, perhaps an organization should pay the ransom. Past ransomware has affected hospitals and caused delays getting treatments to patients. Perhaps companies should pay additional fines when egregious security problems exist. Those funds should go towards fighting ransomware in the future.
There is no single answer but for those enacting laws preventing the ability to pay ransoms, ensure an exception process exists. You may need it.
This attack, though widespread, is not as devastating as it could have been. That’s because the attackers did not infiltrate networks and ensure they deleted backups before performing the attack. It also appears the attackers did not exfiltrate any data. This allowed some customers to restore from backups and most are declining to pay the ransom.
However, as noted in the video from Critical Insight at the start of this section explains, the damage was much worse for companies that had the VSA agent on their backup servers or had the VSA agent on many systems.
REvil dropped their ransom demand to $50 million.
Two Maryland towns were affected by the breach. Restoring from backups takes time.
https://www.washingtonpost.com/technology/2021/07/08/kaseya-ransomware-attack-leonardtown-maryland
Kindergarten group Whānau Manaaki falls victim to Kaseya ransomware attack
Swedish supermarket closed by Kaseya cyberattack
Kaseya hires Fireeye to help with incident response.
Kaseya delays restoration of SAAS service until Sunday.
A malspam campaign takes advantage of the Kaseya ransomware attack
The Republican National Committee Was Targeted By Hackers
The RNC said that its contractor Synnex had been hacked but added no access was gained to any RNC data.
One of the original reports:
RNC denies attackers accessed any of their data:
Russia’s U.S. Embassy Distorts What Happened in Republican Party Cyber-Attack
FBI, CISA Investigating Hack of Republican Party, Psaki Says
Hackers Attack Microsoft Cloud Customer Apps Via Synnex
Hackers attempted to use Synnex to gain access to customer applications within the Microsoft cloud environment.
Synnex comment indicates a Bloomberg report that they are an MSP and that this attack is related to Kaseya may be at least partially incorrect:.
“We do not know if this is related to the Kaseya ransomware attack to MSPs and some end customers,“ Michael Urban, Synnex’s president of worldwide technology solutions distribution, said in an emailed statement. ”That is part of the review. SYNNEX is not an MSP, and we have no relationship with Kaseya and do not use its systems.”
Michael Hamilton has an interesting take on the fact that the Kaseya ransomware isn’t making any money and occurred right around the same time as the attack on the Republican National Committee systems. Coincidence?
“No question, the Russian government is absolutely benefiting from security companies and intelligence organizations being so focused on ransomware right now,” Carmakal told Bloomberg. “But the question is, is the Russian government providing tacit approval for ransomware operators or are they providing instructions? I don’t know.”
As with any cybersecurity story, we only can go off of the facts that are publicly available. If the RNC was compromised, should we know? This is a question related to a story in my first news feed blog post where Georgia was considering a law to limit publicly available information related to government data breaches.
Hacker dumps private info of pro-Trump GETTR social network members
Israeli cybersecurity researchers expose worldwide hacking scheme
Washington state data breach compromises personal information
Mint Mobile hit by a data breach after numbers ported, data accessed
Date Reported: 7/5/21
……………………………..
Sites Stinson LLC Micheal Wentworth, Siracusa ~ 05/03/2020 (Maine)
Other, Inadvertent disclosure, External system breach (hacking), Insider wrongdoing, Internal system breach, Loss or theft of device or media (computer, laptop, external hard drive, thumb drive, CD, tape, etc.). Probate proceeding Fraud Abuse Guardianship bank account documents stolen.
Date Reported: 7/6/21
……………………………..
Stride ~ 11/4/20–11/19/20 (Oregon, Maine)
Ransomware attack. Working with third-party forensic investigators, Stride determined that an unknown actor may have gained access to Stride systems from November 4, 2020 to November 19, 2020.
Invenergy LLC ~ 04/21/2021–05/17/2021 (Maine, Iowa, New Hampshire)
Through the investigation, Invenergy determined that an unauthorized party may have accessed certain Invenergy computer systems between April 21, 2021 and May 17, 2021.
Financière des Professionnels ~ 01/19/2021, 04/02/2021 (Maine)
We were first informed on February 11th, 2021 of a phishing email campaign in which an unauthorized third party had sent emails from a fdp corporate email address to some of our customers.
MASS Design Group ~ 02/19/2021 (Maine)
Ransomware
Maine Drilling and Blasting Group ~ 01/29/2021 (Maine)
On or about January 29, 2021, Maine Drilling and Blasting fell victim to a sophisticated ransomware attack.
individual gained access to five employee email accounts via a phishing email.
Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions, July 6, 2021
Ransomware.
UniBank ~ March 1 — March 28, 2021 (New Hampshire)
On June 9, 2021, UniBank experienced a theft that included an electronic device among the items stolen. Based on UniBank’s investigation, the accessible data included information stored by the bank between the dates of March 1, 2021 through May 28, 2021.
Zurich American Insurance Company (Massachussettes)
No link to report
Biocrates life sciences ag (Massachussettes)
No link to report
The Cooperative Bank of Cape Cod (Massachussettes)
No link to report
Virtus Percision Tube (Massachussettes)
No link to report
Marsh McLennan (Massachussettes)
No link to report
Date Reported: 7/7/21
……………………………..
Hello House ~11/24/2020, 12/03/2020 (California)
Through this investigation, it was determined a certain business email account had been compromised by an unauthorized third party.
Jordan Manufacturing Company, Inc. ~ 06/08/2021 (Maine)
On June 8, 2021, Jordan was initially notified that an employee may have viewed human resources information regarding current and former employees outside the scope of the employee’s job duties. Jordan determined that it was possible for employees, who did not have a business reason to do so, to access certain human resources databases and that certain unauthorized employees claim to have viewed and/or taken sensitive information regarding current and former employees.
Freedom Insurance Agency, Inc. ~2012–12/01/2020 (Maine, North Dakota)
On November 30, 2020, Vertafore discovered a configuration error in its insurance agency management product, QQCatalyst. As a result, there was unauthorized access to reports and forms generated using QQCatalyst. Other files uploaded to QQCatalyst, including insurance applications and quotes, were accessible to the public, though we cannot determine whether these files were actually accessed by unauthorized parties.
Coastal Family Health Center ~ 05/13/2021 (Maine)
Someone tried to shut down operations.
Bank of Oak Ridge~ 04/26/2021 (Maine)
Through the investigation, Bank of Oak Ridge learned that an unauthorized actor accessed its systems and may have viewed historical data containing certain customer information between April 26 and April 27, 2021.
Wellfleet Insurance Company ~ 08/06/2020; 08/24/2020; and, 10/02/2020 (Maine)
email phishing incident that targeted AHP employees and may have resulted in unauthorized access to emails and attachments in the employees’ email accounts. The investigation determined that two AHP employees’ email accounts were subject to unauthorized access as a result of the incident between the dates of August 6, 2020 and August 24, 2020, and on October 2, 2020.
East Coast Seafood Group LLC ~ 11/10/2020–12/04/2020 (Maine)
On December 3, 2020, East Coast discovered that its network had been impacted by a malware attack that encrypted certain systems.
North Iowa Community Action Organization (NICAO) ~ 7–7–2021 (Iowa)
Suspicious activity related to an employee’s email account. An unauthorized Date Reported: 7/8/21
……………………………..
intrusion into our IT network by cyber criminals and determined that the incident resulted in unauthorized access to certain files
CNA ~ 03/05/2021 ( California, Oregon, Maine)
ransomware attack
Arthur J. Gallagher & Co. ~ 7/2/2020–9/26/2020 (Oregon)
No report
Date Reported: 7/7/21
……………………………..
Workers Federal Credit Union (Massachussettes)
No link to report
Cost of a Data Breach
_____________________________________________
Moroccan police arrest suspected cybercriminal after INTERPOL probe
Judge drops hammer, dishes 7 years slammer for BEC and romance scammer
British Airways agrees to pay victims of record-breaking data breach
It estimated that “victim compensation could be up to £2,000 [$2,770] putting BA’s overall potential liability at around £800 million [$1.1 billion]”.
Dominion National reaches $2M settlement over nine-year data breach
New York Department of Financial Services Announces a $1.8 Million Settlement with Two Life Insurers for Data Breach Violations
As ransomware attacks continue, cyber insurance is in trouble ~ at the brink of not being profitable any longer
Cybersecurity insurance rates likely to rise amid escalating ransomware attacks
US chemical distributor shares info on DarkSide ransomware data theft — $4.4 million ransom paid to DarkSide
Laws & Legal
_____________________________________________
Proposed bill would create a new federal agency to protect consumer data
China puts national security protection at the center of new data privacy law
China reportedly warns local tech companies of increased cybersecurity oversight
As part of the statement, China reportedly said rules for local companies listing overseas would be revised and publicly-traded firms would be held accountable for keeping their data secure.
New Connecticut law nudges businesses to adopt cybersecurity controls
Hong Kong dismisses Google, Facebook warning over privacy laws
Colorado Privacy Act Signed Into Law
NYC’s new biometrics privacy law takes effect
Dutch court rejects Facebook’s bid to have privacy lawsuit in the Netherlands dismissed
Supreme Court delivers defeat to Harris with donor-privacy decision
Virginia’s New Data Privacy Law: An Uncertain Next Step for State Data Protection
Investments
_____________________________________________
Security startups to watch
Sophos Acquires Capsule8 for Linux Server & Container Security
Cybersecurity startup Netskope raises new funding at a $7.5 billion valuation
Funding Pours Into Cybersecurity As Mid-Year 2021 Numbers Eclipse Last Year’s Total
Chrysalis splashes £50m on US cybersecurity company
Ola Picks Up $500M, Netskope’s $7.5B Valuation, And More
Orca Security raising $150 million from Singapore’s Temasek
DHS awards nearly $1M for Texas-based small business efforts to secure emergency multimedia content
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2021
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight LabNeed Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for PresentationFollow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
