Cybersecurity News: July 3–9 2021
Kaseya, PrintNightmare, RNC hack and the rest of this week’s cybersecurity news
Someone read Cybersecurity for Executives in the Age of Cloud and asked me to prepare a presentation for a university on getting into security. I agreed! I get too many requests to present and perform work for free but I try to give back when I can. So many universities have new cybersecurity programs that didn’t exist when I got my masters degree so I’ll make a video that can be shared with those that are looking for a brief introduction to cybersecurity they can share with students to get off on the right track. Here are some of the cybersecurity certifications I obtained through my own masters program. I also have a GSE and a lot of cybersecurity experience!
Someone asked me if 2nd Sight Lab’s customers were affected by the Kaseya attack. I explain the difference between preventative and reactive security in this post and a brief overview of the attack here. I have a much more extensive overview of the Kaseya attack below based on additional research.
Train employees what to do if they’ve made a security mistake
Proofpoint has some good advice here. Train employees to report security mistakes immediately since there is a gap between when criminals get credentials and when they use them.
Exploit on GitLab. As I noted in previous news feed reports when Microsoft announced it would take down malicious code on GitHub if it was used in an attack, attackers and researchers will simply move to other platforms.
Some security pros not happy that an exploit came out prior to the patch.
Others claim Microsoft is removing posts with information about the vulnerability. See the whole thread on how this security professional had issues sharing research.
ForgeRock Critical CVE targeting Australian government organisations
CVE-2021-35464 was disclosed on 23 June 2021 and affects ForgeRock OpenAM, an open-source access management solution. The ACSC has identified a number of Australian organisations which have been compromised through exploitation of this CVE.
Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files
In yet another instance of malware authors continuing to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that “downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro.”
Fake crypto-mining Android apps net fraudsters $350k
Google removed some but more are circulating.
The lure for unsuspecting victims in this case was the false promise of renting cloud computing power via the apps and taking a small cut of each transaction verified.
Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform
All identified precompiled software components in our research were different versions of 7Zip, WinSCP and PuTTYgen, programs that provide complex compression and network functionality.
CISA Analysis Reveals Successful Attack Techniques of FY 2020
Phishing links were most common and were used to gain initial access in 49% of RVAs. Next were exploits of public-facing applications (11.8%), followed by phishing attachments (9.8%). For execution, PowerShell was used in 24.4% of RVAs, followed by Windows Management Instrumentation (13%) and Command & Scripting Interpreter (12.2%).
Valid accounts were used to gain privilege escalation in 37.5% of RVAs, followed by exploitation for privilege escalation (21.9%) and making and impersonating tokens (15.6%). For lateral movement, attackers primarily used pass-the-hash (29.8%), followed by Remote Desktop Protocol (25%) and exploitation of remote services (11.9%).
Increase in BEC scams in construction industry in Australia
The ACSC has observed a growing trend affecting construction companies and their customers. In the past six months there has been an increase in cybercriminals targeting builders and construction companies to conduct business email compromise (BEC) scams within Australia.
AT&T Alien Labs™ has observed new activity that has been attributed to the Lazarus adversary group potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. and Europe.
Scanning for Microsoft Secure Socket Tunneling Protocol
A resurgence of probes from DigitalOcean address space looking for the Microsoft (MS) Secure Socket Tunneling Protocol (SSTP). This MS proprietary VPN protocol is used to establish a secure connection via Transport Layer Security (TLS) between a client and a VPN gateway.
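Because SSTP rides inside HTTPS, a scanner looking for SSTP gateways shows up in ordinary web-server access logs. This added example (my own, not code from the original post or from the source it quotes) flags those probes: the MS-SSTP handshake opens with the fixed HTTP method SSTP_DUPLEX_POST against the fixed path /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/, so a host that does not run an SSTP VPN can treat any such request as reconnaissance. The combined log format and the sample lines are assumptions constructed for the example.

```python
"""Spot SSTP gateway probes in web-server access logs (added example)."""
import re
from collections import Counter

# Fixed request that opens an SSTP session (MS-SSTP): the method and path are the
# protocol's own constants, so a probe for SSTP gateways looks exactly like this.
SSTP_METHOD = "SSTP_DUPLEX_POST"
SSTP_PATH = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"

# Combined-log-format access line; the log format is an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sstp_probe(rec):
    """True when the request is an SSTP handshake, by method or by its fixed path."""
    return rec["method"].upper() == SSTP_METHOD or rec["path"].lower() == SSTP_PATH.lower()


def probes_by_source(lines):
    """Count SSTP probe requests per source IP; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_sstp_probe(rec):
            counts[rec["ip"]] += 1
    return counts


# Constructed sample log lines; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jul/2021:10:15:01 +0000] "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.44 - - [08/Jul/2021:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jul/2021:10:15:09 +0000] "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.9 - - [08/Jul/2021:10:16:20 +0000] "GET /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '203.0.113.44 - - [08/Jul/2021:10:16:41 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    'garbage line that should be skipped',
]

if __name__ == "__main__":
    for ip, n in probes_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} SSTP probe(s)")
```

On a host that legitimately runs an SSTP gateway the same match is normal traffic, so the useful signal there is instead the source address and the volume, which is why the counts are kept per IP.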
The ransomware in this attack infiltrated companies using software made by Kaseya that is used by Managed Service Providers (MSPs). Those MSPs are companies that provide technical services to other organizations, typically to small businesses. The software the attackers infiltrated is used to remotely manage customer systems. Leveraging this access is how the criminals were able to spread ransomware to so many companies and systems.
Michael Hamilton explains what he discovered during a specific incident. The attackers obtained access to Kaseya administrative systems. Per other accounts below, the attackers obtained access to those systems via software vulnerabilities. Then the attackers pushed out malware, making it look like an update to the VSA agents on the machines managed by the MSPs. That software disabled Windows Defender with a PowerShell command. Then the malware downloaded a signed binary, which was an old Windows executable. That executable had a vulnerability which the attackers then used to access the operating system and encrypt the system.
It is believed that REvil used an authentication bypass in the Web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection.
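The step in that chain a defender can most readily catch on the endpoint is the PowerShell command that switches Defender off before the payload runs. This added example is my own (not code from the original post, Critical Insight or Kaseya): it scans process-creation records for Set-MpPreference and Add-MpPreference invocations that weaken Defender and reports which settings each one touched. The parameter names are real Set-MpPreference parameters; the record format, the "agent.exe" parent name and the sample command lines are constructed for the example.

```python
"""Detect Defender-tampering PowerShell in process-creation records (added example)."""
import re
from dataclasses import dataclass, field

# Set-MpPreference switches that turn a Defender protection off when given $true.
# Which switches a rule covers is an assumption of this example, not a list from the post.
DISABLE_SWITCHES = (
    "DisableRealtimeMonitoring",
    "DisableIntrusionPreventionSystem",
    "DisableIOAVProtection",
    "DisableScriptScanning",
    "DisableBehaviorMonitoring",
)
# Settings whose weakening value is a keyword rather than $true.
WEAKENING_VALUES = {
    "EnableControlledFolderAccess": "disabled",
    "EnableNetworkProtection": "auditmode",
    "MAPSReporting": "disabled",
    "SubmitSamplesConsent": "neversend",
}


@dataclass
class Finding:
    host: str
    parent: str
    reasons: list = field(default_factory=list)


def analyze_command(cmd: str) -> list:
    """Return the Defender settings a PowerShell command line weakens (empty if none)."""
    lowered = cmd.lower()
    if "set-mppreference" not in lowered and "add-mppreference" not in lowered:
        return []
    reasons = []
    for switch in DISABLE_SWITCHES:
        # Matches e.g. "-DisableRealtimeMonitoring $true" or "... 1", any letter case.
        if re.search(r"-" + switch.lower() + r"\s+(\$true|1)\b", lowered):
            reasons.append(switch)
    for name, bad in WEAKENING_VALUES.items():
        if re.search(r"-" + name.lower() + r"\s+" + bad + r"\b", lowered):
            reasons.append(name)
    # Exclusions are a quieter way to blind Defender to a directory.
    if "add-mppreference" in lowered and "-exclusionpath" in lowered:
        reasons.append("ExclusionPath")
    return reasons


def scan(records):
    """Scan tab-separated host/parent/image/command-line records; return findings."""
    findings = []
    for line in records:
        if not line.strip():
            continue
        host, parent, image, cmd = line.rstrip("\n").split("\t", 3)
        if not image.lower().endswith("powershell.exe"):
            continue
        reasons = analyze_command(cmd)
        if reasons:
            findings.append(Finding(host, parent, reasons))
    return findings


# Constructed sample records: host, parent process, image, command line.
# "agent.exe" is a placeholder for a remote-management agent, not a real product name.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_RECORDS = [
    "\t".join(["ws01", "agent.exe", PS,
               "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
               "-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
               "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
               "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
               "-SubmitSamplesConsent NeverSend"]),
    "\t".join(["ws02", "explorer.exe", PS, "powershell.exe Get-MpPreference"]),
    "\t".join(["srv01", "services.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"]),
    "\t".join(["ws03", "agent.exe", PS,
               r"powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath C:\Temp"]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.host}: parent={f.parent} weakened={', '.join(f.reasons)}")
```

The parent process is kept in each finding on purpose: a management agent spawning PowerShell that reconfigures Defender is the combination worth alerting on, whereas an administrator doing the same from an interactive shell may be expected on some hosts.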
Hmm. Definition of supply chain: A supply chain is a network between a company and its suppliers to produce and distribute a specific product to the final buyer.
I wrote about how attackers leveraged automated update processes in the Target Breach to affect many POS machines at once. I explained in my book on cybersecurity how Cloud Hopper and other attacks are leveraging vendors to get into customer systems. Michael Hamilton spoke about that as well in the video I posted above. I explain in cloud security classes how cloud services that perform auto-updates on systems through agents may be used against companies in the cloud and how to defend against it.
Brian Krebs wrote about a 2015 flaw in a deprecated portal left online by the company that would allow access to files via a web browser. However, per the article, this flaw was not thought to have been leveraged in the ransomware attack.
The debate continues about whether or not to pay ransoms. My take: Companies should not be allowed to pay simply because they are negligent in addressing security problems. However, if the ransomware could cause significant damage to many people or companies other than the company that was targeted or, for example, not retrieving data could result in loss of life, perhaps an organization should pay the ransom. Past ransomware has affected hospitals and caused delays getting treatments to patients. Perhaps companies should pay additional fines when egregious security problems exist. Those funds should go towards fighting ransomware in the future.
There is no single answer but for those enacting laws preventing the ability to pay ransoms, ensure an exception process exists. You may need it.
This attack, though widespread, is not as devastating as it could have been. That’s because the attackers did not infiltrate networks and ensure they deleted backups before performing the attack. It also appears the attackers did not exfiltrate any data. This allowed some customers to restore from backups and most are declining to pay the ransom.
However, as the video from Critical Insight at the start of this section explains, the damage was much worse for companies that had the VSA agent on their backup servers or had the VSA agent on many systems.
Hackers Attack Microsoft Cloud Customer Apps Via Synnex
Hackers attempted to use Synnex to gain access to customer applications within the Microsoft cloud environment.
A Synnex comment indicates that a Bloomberg report stating they are an MSP and that this attack is related to Kaseya may be at least partially incorrect:
“We do not know if this is related to the Kaseya ransomware attack to MSPs and some end customers,” Michael Urban, Synnex’s president of worldwide technology solutions distribution, said in an emailed statement. “That is part of the review. SYNNEX is not an MSP, and we have no relationship with Kaseya and do not use its systems.”
Michael Hamilton has an interesting take on the fact that the Kaseya ransomware isn’t making any money and occurred right around the same time as the attack on the Republican National Committee systems. Coincidence?
“No question, the Russian government is absolutely benefiting from security companies and intelligence organizations being so focused on ransomware right now,” Carmakal told Bloomberg. “But the question is, is the Russian government providing tacit approval for ransomware operators or are they providing instructions? I don’t know.”
As with any cybersecurity story, we only can go off of the facts that are publicly available. If the RNC was compromised, should we know? This is a question related to a story in my first news feed blog post where Georgia was considering a law to limit publicly available information related to government data breaches.
Ransomware attack. Working with third-party forensic investigators, Stride determined that an unknown actor may have gained access to Stride systems from November 4, 2020 to November 19, 2020.
Through the investigation, Invenergy determined that an unauthorized party may have accessed certain Invenergy computer systems between April 21, 2021 and May 17, 2021.
We were first informed on February 11th, 2021 of a phishing email campaign in which an unauthorized third party had sent emails from a fdp corporate email address to some of our customers.
On June 9, 2021, UniBank experienced a theft that included an electronic device among the items stolen. Based on UniBank’s investigation, the accessible data included information stored by the bank between the dates of March 1, 2021 through May 28, 2021.
On June 8, 2021, Jordan was initially notified that an employee may have viewed human resources information regarding current and former employees outside the scope of the employee’s job duties. Jordan determined that it was possible for employees, who did not have a business reason to do so, to access certain human resources databases and that certain unauthorized employees claim to have viewed and/or taken sensitive information regarding current and former employees.
On November 30, 2020, Vertafore discovered a configuration error in its insurance agency management product, QQCatalyst. As a result, there was unauthorized access to reports and forms generated using QQCatalyst. Other files uploaded to QQCatalyst, including insurance applications and quotes, were accessible to the public, though we cannot determine whether these files were actually accessed by unauthorized parties.
Through the investigation, Bank of Oak Ridge learned that an unauthorized actor accessed its systems and may have viewed historical data containing certain customer information between April 26 and April 27, 2021.
An email phishing incident targeted AHP employees and may have resulted in unauthorized access to emails and attachments in the employees’ email accounts. The investigation determined that two AHP employees’ email accounts were subject to unauthorized access as a result of the incident between the dates of August 6, 2020 and August 24, 2020, and on October 2, 2020.
China reportedly warns local tech companies of increased cybersecurity oversight
As part of the statement, China reportedly said rules for local companies listing overseas would be revised and publicly-traded firms would be held accountable for keeping their data secure.
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab