CISA Issues Guidance for MSPs and SMBs on Strengthening Security Defenses

Cybercriminals frequently target Managed Service Providers (MSPs) because MSPs have privileged access to their clients’ systems. A single successful attack on an MSP can therefore give the attacker access to several, if not all, of that MSP’s clients.

The recent Kaseya supply chain attack demonstrated just how damaging this kind of attack can be. A REvil ransomware affiliate gained access to Kaseya systems and, through them, to the systems of approximately 60 Kaseya customers (mostly MSPs), whose data was then encrypted. Through those MSP clients, the ransomware affected about 1,500 downstream companies.

Small- and mid-sized companies usually don’t have employees to handle their own IT systems or may not have the expertise or hardware to keep sensitive data and manage sensitive operations. Many use MSPs to offer that needed expertise. It is usually more economical for SMBs to scale and manage their networks using MSPs instead of handling their resources on their own.

Outsourcing IT or security capabilities to an MSP presents risks, which SMBs must mitigate. MSPs additionally must have safety measures to block unauthorized access to their networks and to control the harm that may affect their clients in case there is a breach of their perimeter defenses.

On July 14, 2021, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) released guidance to assist MSPs and SMBs in strengthening their defenses to enhance resilience to cyberattacks and to control the damage brought about in case an attack succeeds.

The CISA Insights report gives mitigations and hardening advice for MSPs and SMBs, pointing out vital steps to take to secure MSP network resources and those of their clients to minimize the risk of successful attacks.

The CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses guidance document can be downloaded on this page.

Critical Vulnerabilities Identified in MesaLabs Lab Temperature Monitoring System

Stephen Yackey of Securifera identified five vulnerabilities in the MesaLabs AmegaView continuous monitoring system, which is used in hospital laboratories, forensics labs, and biotech firms. Two critical command injection vulnerabilities have been assigned CVSS severity scores of 9.9 and 10 out of 10. Both affect AmegaView version 3.0 and prior versions.

The vulnerabilities include the following:

Vulnerability CVE-2021-27447 has a CVSS score of 10/10. It is caused by improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.

Vulnerability CVE-2021-27449 has a CVSS score of 9.9/10. It is caused by improper neutralization of special elements used in a command, which could allow an attacker to execute web server commands.

Vulnerability CVE-2021-27445 has a CVSS score of 7.8/10. It results from insecure file permissions that could allow an attacker to escalate privileges on the device.

Vulnerability CVE-2021-27451 has a CVSS score of 7.3/10. It results from improper authentication: passcodes are generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.

Vulnerability CVE-2021-27453 has a CVSS score of 7.3/10. It is an authentication bypass issue that could allow an attacker to gain access to the web application.

There are currently no public exploits that specifically target these vulnerabilities. Because AmegaView reaches end-of-life this year, MesaLabs has decided not to produce patches to address the vulnerabilities. Instead, all customers using the vulnerable devices are advised to move to current Viewpoint software that is compatible with AmegaView systems.

Whether or not that upgrade is possible, it is recommended to place vulnerable products behind firewalls, segregate them from the business network, and ensure they aren’t accessible from the internet. If remote access is required, Virtual Private Networks (VPNs) must be used for access, and the VPNs must be kept updated to the latest version.

Before implementing any new defensive measures, an impact and risk analysis should be performed.

Active Exploitation of Critical VMWare VCenter Software Vulnerability

Cyber actors are actively exploiting a critical remote code execution vulnerability identified in VMware vCenter Server and VMware Cloud Foundation to get complete command of unpatched systems. VMWare announced vulnerability CVE-2021-21985 in late May and released a patch to resolve the vulnerability on May 25, 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for cyber attackers and that exploitation is highly likely. A reliable proof-of-concept exploit for the vulnerability is already publicly available.

Thousands of vulnerable vCenter servers that are reachable from the internet are exposed to attack. Several security researchers are conducting mass scanning for VMware vSphere hosts vulnerable to RCE attacks and have observed scanning of honeypots set up with vulnerable versions of VMware vCenter Server.

Recently, the Department of Health and Human Services’ Office for Civil Rights published a cyber alert reiterating the importance of applying the patches for the vulnerability, noting that CISA had found a number of agencies that have not yet applied the patch and remain exposed to attack.

VMware explained that a malicious actor with network access to port 443 could exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Security researcher Kevin Beaumont reported that his honeypot was infected with a web shell following exploitation of the vulnerability. “vCenter, which is a virtualization management software program can be hacked to control the virtualization layer (e.g., VMware ESXi)- allowing access prior to the OS layer (as well as security controls). This is a critical vulnerability, therefore businesses need to patch or limit the vCenter server access to authorized administrators only.”

If the patches cannot be applied right away, there are workaround steps that can be taken to reduce the likelihood of exploitation. These workarounds should be implemented without delay.

Threat Actor Actively Exploiting Pulse Connect Secure Vulnerabilities Including New Zero-Day Vulnerability

A recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) stated that at least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products. Although there has been no official attribution, a number of security researchers have linked the threat actor to China. Targets of the attacks have included government, defense, financial, and critical infrastructure organizations.

FireEye has been monitoring the malicious activity and states that about 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks involved harvesting credentials to enable lateral movement inside victim networks, and using scripts and replacing files to gain persistence.

A number of entities have already confirmed that they suffered attacks after detecting malicious activity with the Pulse Connect Secure Integrity Tool. Access to the Pulse Connect Secure appliances was obtained by exploiting several vulnerabilities: three that were disclosed in 2019 and 2020 and one recently discovered zero-day vulnerability. Patches have been available for some months for the first three vulnerabilities – CVE-2020-8260, CVE-2019-11510, and CVE-2020-8243; however, no patch is yet available for the recently disclosed zero-day vulnerability – CVE-2021-22893.

The CVE-2021-22893 authentication bypass vulnerability has been given the maximum CVSS severity score of 10/10. Ivanti released a security advisory about the new vulnerability on April 20, 2021. An unauthenticated attacker exploiting the vulnerability can remotely execute arbitrary code on the Pulse Connect Secure Gateway. The vulnerability is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, though this has not yet been confirmed by Ivanti. The vulnerability affects Pulse Connect Secure 9.0R3 and later versions.

One threat group is exploiting the vulnerabilities and placing web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat group to bypass authentication and multi-factor authentication controls, harvest login passwords, and maintain persistent access to the appliance even after patches are applied.

Ivanti and CISA strongly recommend that all users of vulnerable Pulse Connect Secure devices apply the patches immediately to prevent exploitation, and implement the mitigations recently released by Ivanti to reduce the risk of exploitation of CVE-2021-22893 until a patch is released. The workaround disables two Pulse Connect Secure capabilities – Windows File Share Browser and Pulse Secure Collaboration – and is applied by importing the workaround-2104.xml file. A patch to resolve CVE-2021-22893 is expected in May 2021.

Because patching cannot block unauthorized access if the vulnerabilities have already been exploited, CISA strongly recommends running the Pulse Connect Secure Integrity Tool to determine whether the vulnerabilities have already been exploited.

CISA has given an emergency directive requiring all federal institutions to list all instances of Pulse Connect Secure virtual and hardware appliances, deploy and run the Pulse Connect Secure Integrity Tool to find malicious activity, and implement the mitigation against CVE-2021-22893. The actions should be taken by 5 pm Eastern Daylight Time on April 23, 2021.

COVID-19 Vaccine Cold Chain Still Targeted by Threat Groups

A new IBM Security X-Force report reveals that advanced persistent threat groups are still targeting the COVID-19 vaccine cold chain around the world. X-Force analysts published a report in December 2020 warning of a campaign targeting the COVID-19 cold chain to gain access to vaccine data. There remains a significant risk to the supply and storage of COVID vaccines.

There are currently around 350 logistics partners active in the cold chain to ensure that vaccines are distributed and stored in cold environments. Since the initial report on cold chain phishing attacks, the IBM X-Force researchers have found a further 50 email files associated with spear-phishing campaigns and have identified 44 targeted organizations in 14 countries across Africa, Asia, the Americas and Europe.

The targeted organizations offer services such as the transport, warehousing, storage, and delivery of COVID-19 vaccines. The majority of targeted institutions are associated with healthcare, transport, IT and electronic devices including companies in biomedical research, medical manufacturing, and pharmaceutical and hygiene suppliers.

The threat actors, believed to be nation-state backed, have expanded their campaigns and are using spear-phishing emails to steal the account credentials of CEOs, global sales representatives, purchasing managers, Human Resources officials, plant engineering administrators and others in order to obtain privileged information on national Advance Market Commitment (AMC) negotiations for the purchase of vaccines, delivery schedules, information on the transit of vaccines through countries and territories, World Trade Organization (WTO) trade facilitation agreements, export rules and intellectual property rights, technical vaccine information, and other sensitive data.

The threat group responsible for this campaign appears to have a thorough understanding of the vaccine cold chain. The emails used in the spear-phishing campaign appear to come from an account manager at Haier Biomedical, a Chinese biomedical company that is the largest cold chain provider worldwide.

The emails request price quotations for service contracts for the Cold Chain Equipment Optimization Platform (CCEOP) program and reference Haier Biomedical products such as an ice-lined refrigerator and a solar-powered vaccine refrigerator. The emails also target firms linked to petrochemical production and the manufacture of solar panels, which fit with those products, and the language used in the messages is consistent with the falsified educational background given in the sender’s signature.

The emails carry malicious HTML attachments that are opened locally and prompt the user to enter their login credentials. If credentials are entered, they are harvested and sent to the attacker’s command and control server.

The researchers stated that although prior reporting revealed direct targeting of supranational organizations and the energy and IT sectors in six countries, this expansion is consistent with the identified attack pattern, and the campaign remains a deliberate and calculated threat.

Given vaccine nationalism and the global competition for vaccine access, attacks on the cold chain were inevitable. Though the researchers did not attribute the campaign to a specific group, there is a good chance that this operation is backed by a nation-state.

If the cold chain is disrupted, it could slow the movement of vaccines or affect the conditions required to safely transport and store them, which could render the vaccines unsafe or ineffective. IBM lists the Indicators of Compromise in its report to help organizations protect the COVID-19 cold chain against attacks.

FBI Issues Advisory Regarding Mamba Ransomware

A spike in cyberattacks employing Mamba ransomware prompted the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) to give a flash alert notifying organizations and companies in several sectors regarding the risks of the ransomware.

Unlike many ransomware variants that have their own encryption routines, Mamba ransomware has weaponized the open-source full disk encryption software DiskCryptor. DiskCryptor is a legitimate, non-malicious encryption tool and is therefore unlikely to be flagged as malicious by security solutions.

The FBI has not yet released details on the extent to which the ransomware has been used in attacks, which to date have primarily targeted government institutions and the transportation, legal, technology, commercial, industrial, manufacturing, and construction sectors.

A number of techniques are used to gain access to systems to deploy the ransomware, including the exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other insecure remote access methods.

Rather than searching for particular file extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, rendering all attacked devices unusable. Following encryption, a ransom note is displayed informing the victim that their drive has been attacked. It provides a contact email address, the victim’s ID and hostname, and a field in which to enter the decryption key to recover the drive.

The Mamba ransomware package bundles DiskCryptor, which is unpacked and installed. The system is rebooted after about two minutes to complete the installation, and the encryption routine then begins. A second restart occurs approximately two hours later, which completes the encryption process and displays the ransom note.

An attack in progress can be stopped before the second restart. The encryption key and the shutdown time variable are stored in the myConfig.txt file, which can be read until the second restart. After the second restart, myConfig.txt can no longer be accessed and the decryption key is required to access files. This gives network defenders a brief window to stop an attack and recover without paying the ransom. A list of DiskCryptor files is provided in the advisory to help network defenders identify attacks in progress. These files should be blocklisted wherever DiskCryptor is not in use.

The FBI TLP: White Alert also provides mitigations to help prevent attacks from succeeding, limit the impact of a successful attack, and ensure that systems can be restored without paying the ransom.

Recommended mitigations consist of:

  • Backing up data and keeping the backups on an air-gapped device.
  • Segmenting networks.
  • Configuring systems to permit only administrators to install software.
  • Patching operating systems, software, and firmware promptly.
  • Using multifactor authentication.
  • Practicing good password hygiene.
  • Disabling unused remote access/RDP ports and monitoring access logs.
  • Using only secure networks and a VPN for remote access.

FBI Gives Warning of Increase in Business Email Compromise Attacks on Local and State Governments

The Federal Bureau of Investigation (FBI) in its March 17, 2021 Private Industry Notification cautioned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. It has been observed that BEC attacks on SLTT government entities increased between 2018 and 2020. Losses as a result of these attacks range from $10,000 to $4 million.

BEC attacks involve acquiring access to an email account and sending messages impersonating the email account holder with the intention to convince the target to make a bogus transaction. The email account is frequently employed to deliver communications to the payroll division to modify employee direct deposit data or to persons authorized to perform wire transfers, to request modifications to bank account data or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 BEC complaints with losses of approximately $1.9 billion. The following are examples of BEC scams:

In July 2019, a small city government lost $3 million after being scammed through a spoofed email that looked like it came from a contractor requesting an alteration of their payment method.

In December 2019, the email account of a financial supervisor at a government agency of a US territory was compromised and used to send 146 messages to government agencies with instructions regarding financial transactions. Many of these requests were made via email, and the attacker intercepted and replied to those messages. In total, $4 million was sent to the scammer’s account.

Besides the financial losses, the attacks hinder the operational functions of SLTT government organizations, cause reputational problems, and can additionally bring about the loss of sensitive information like PII, banking details, and employment information.

BEC scammers can easily research targets and obtain SLTT operating data and information on vendors, suppliers, and contractors from public sources. Gaining access to email accounts is easy, as the target’s email address can be quickly located and phishing kits for harvesting credentials are cheaply available on the darknet.

As soon as an email account is compromised, the attacker copies the writing style of the account owner and often hijacks message threads. The scam can entail several messages where the target is convinced they are conversing with the real account holder when they are speaking with the scammer.

The FBI states that BEC scammers usually target SLTT government entities with insufficient cybersecurity practices and take advantage of SLTT government entities that are not able to give adequate training to the workers. The move to remote working because of the pandemic has additionally made it less complicated for the scammers.

In 2020, CISA conducted phishing simulations involving SLTT government entities. Across 152 campaigns comprising about 40,000 messages, there were approximately 5,500 unique clicks on simulated malicious links. A click rate of 13.6% indicates that security awareness training alone does not adequately teach employees about the danger of email-based attacks, and highlights the need for “defense in depth mitigations.”

The FBI suggests making sure that all workers receive training on security awareness, know about BEC attacks and how to distinguish phishing emails and bogus emails. Employees should be told to properly check email requests for advance payments, alterations to bank account details, or requests for sensitive details. Policies and processes must be carried out that call for any bank account change or transaction request to be validated by telephone utilizing a verified number, not information provided in emails.

Additional measures that should be considered include multi-factor authentication on email accounts, phishing simulations, blocking automated email forwarding, monitoring Exchange servers for configuration changes, adding banners to emails from external sources, and using email filtering services.

Read about further procedures that may be put in place to avoid and identify BEC attacks in the FBI Alert.

CISA/FBI Give Joint Advisory Regarding Spear Phishing Attacks Spreading TrickBot Malware

The Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have released a joint security advisory on TrickBot malware. First discovered in 2016 as a banking Trojan, TrickBot now has many additional capabilities and is widely used as a malware loader for delivering other malware, such as the Ryuk and Conti ransomware.

The CISA/FBI alert states that TrickBot has become a remarkably modular, multi-stage malware that gives its users a complete selection of tools to perform a variety of criminal cyber activities.

In late 2019, TrickBot survived an effort by Microsoft and its partners to disrupt its infrastructure, and spam activity distributing the malware resumed shortly afterward, with TrickBot activity spiking recently. At the beginning of March, Check Point researchers warned of increasing TrickBot infections right after the takedown of the Emotet botnet. In 2020, TrickBot was the 4th most prevalent malware variant and rose to 3rd in January 2021. After the Emotet botnet was disrupted, TrickBot became the most widely distributed malware variant and topped Check Point’s malware index for the first time.

The ransomware attack on Universal Healthcare Services involved TrickBot, and systems were shut down for several weeks. TrickBot was used to gain access to UHS systems and identify and collect information, after which the malware delivered the Ryuk ransomware payload. The ransomware attack resulted in $67 million in losses for UHS in 2020.

TrickBot is mainly distributed through spear-phishing emails tailored to the targeted company. The emails use a mix of malicious file attachments and links to web pages hosting the malware. In February, the TrickBot gang ran a large phishing campaign aimed at the legal and insurance industries that used a .zip file attachment containing malicious JavaScript to deliver the malware.

The most recent phishing campaigns use fake traffic violation notices as the lure to get recipients to click to view “photo proof” of the violation. When the photo is clicked, a JavaScript file is launched that connects to the gang’s command and control (C2) server, and the TrickBot malware is then installed on the victim’s system.

TrickBot can move laterally via the Server Message Block (SMB) protocol, copies sensitive information from compromised systems, and can perform crypto mining and host enumeration. According to CISA/FBI, TrickBot operators possess a set of tools that spans the whole of the MITRE ATT&CK framework, from passively or actively collecting data that may be used to support targeting to attempting to manipulate, disrupt, or destroy systems and data.

CISA has created a Snort signature for detecting network activity associated with TrickBot malware. The CISA/FBI advisory also specifies cybersecurity best practices that make it harder for TrickBot to be installed and help harden systems against the malware’s propagation.

CISA Gives Warning on Active Exploitation of Vulnerabilities in Accellion File Transfer Appliance

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Singapore, New Zealand, Australia, and the United Kingdom have released an advisory for Accellion File Transfer Appliance (FTA) users regarding four vulnerabilities that threat actors are actively exploiting to gain access to sensitive information.

The Accellion FTA is a legacy file transfer appliance used for sharing large files. Accellion discovered a zero-day vulnerability in the FTA in mid-December 2020 and released a patch to address it. However, further vulnerabilities have since been identified.

The following describes the vulnerabilities being monitored:

  1. CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  2. CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  3. CVE-2021-27103 – Server-side request forgery via a crafted POST request
  4. CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27101) allows an unauthorized person to execute remote commands on vulnerable devices. An exploit for the vulnerability was paired with a web shell, the latter being used to receive commands from the attacker, exfiltrate data, and clean up logs. Because the logs are cleaned up, the attacker can evade detection and forensic examination of the attack is hampered.

Having exfiltrated sensitive information, the attacker attempts to extort money from the victim by threatening to publicly release the stolen data on a ransomware data leak site if no ransom is paid. FireEye/Mandiant have linked the attacks to FIN11 and CL0P ransomware activity, though the attackers do not deploy ransomware.

Accellion became aware of attacks exploiting the vulnerabilities in January 2021. Fewer than 100 clients have reported being affected, with about two dozen of them reportedly suffering substantial data theft. Kroger recently announced that a number of pharmacy and Little Clinic customers were affected. Centene also experienced a data breach through exploitation of the vulnerabilities. Other reported victims of the attacks are:

  • Transport for New South Wales in Australia
  • Canadian Aircraft maker Bombardier
  • Reserve Bank of New Zealand
  • Australian financial regulator ASIC
  • Office of the Washington State Auditor
  • The University of Colorado

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity advisory (AA21-055A), which Accellion clients can use to determine whether the vulnerabilities have been exploited and to be alerted as soon as malicious activity is detected.

In addition to analyzing whether the vulnerabilities were exploited, CISA recommends isolating systems hosting the software from the internet and upgrading Accellion FTA to version FTA_9_12_432 or later. Accellion and CISA also recommend migrating from this legacy tool to a more secure file sharing platform. The Accellion FTA reaches end-of-life on April 30, 2021. Accellion recommends its Kiteworks file sharing platform, which has improved security features.

100% of Analyzed mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of hundreds of thousands of people is being exposed via the Application Programming Interfaces (APIs) utilized by mobile health (mHealth) applications, as per the latest study released by cybersecurity company Approov.

Ethical hacker and researcher Alissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health information. One condition of the study was that she would not be permitted to identify any of the applications if vulnerabilities were discovered. She evaluated 30 of the top mHealth apps and found all were vulnerable to API attacks that could allow unauthorized persons to access full patient data, including personally identifiable information (PII) and protected health information (PHI), showing that the security problems are systemic.

mHealth apps have been very helpful throughout the COVID-19 pandemic and are increasingly used by hospitals and healthcare firms. According to Pew Research, mHealth apps now generate more user activity than other mobile applications such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth applications analyzed for the research are used by around 23 million individuals, with each app downloaded about 772,619 times from app stores. These applications hold a wealth of sensitive information, from vital signs records to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps command a high price on darknet marketplaces and are frequently targeted by cybercriminals. The vulnerabilities identified in the mHealth apps make it easy for cybercriminals to access that data.

There will generally be vulnerabilities in the code. But it’s surprising to find that every app reviewed had hard-coded keys and tokens. All APIs had broken object level authorization (BOLA) vulnerabilities that allow access to patient reports, pathology information, X-rays, and full PHI information in their database.

BOLA vulnerabilities allow a threat actor to replace the ID of a resource with another ID. If the object ID can be called directly in the URI, the endpoint is open to ID enumeration, giving an adversary the ability to read data that doesn’t belong to them. Exposed references to internal implementation objects could point to nearly anything — a file, directory, database record, or key. In the case of mHealth apps, that could give a threat actor the ability to download complete medical records and personal data that could be used for identity theft.
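To make the BOLA defect concrete, here is an added example (not code from the Approov study or from any of the apps it covers): a framework-free, in-memory records endpoint in its vulnerable form beside the fixed form that enforces object-level authorization. All names, records and session tokens are constructed for the example.

```python
"""Constructed mHealth records API: BOLA-vulnerable handler vs. fixed handler.
Hypothetical data and names; nothing here comes from a real app."""
from dataclasses import dataclass, field

# Constructed patient records keyed by a sequential, guessable object ID
# (the situation the article describes: IDs exposed directly in the URI).
RECORDS = {
    1001: {"patient": "alice", "type": "pathology", "body": "CBC within range"},
    1002: {"patient": "bob", "type": "xray", "body": "chest, no findings"},
    1003: {"patient": "alice", "type": "rx", "body": "amoxicillin 500 mg"},
}

# Constructed session table: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-drcarol": "drcarol"}

# Constructed care-team relationships: clinician -> patients they may view.
CARE_TEAM = {"drcarol": {"bob"}}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(token):
    """Map a session token to a user, or None if the token is unknown."""
    return SESSIONS.get(token)


def get_record_vulnerable(token, record_id):
    """BOLA: the handler checks only that *someone* is logged in. Any
    authenticated user who supplies another record's ID reads it."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    return Response(200, rec)


def is_authorized(user, rec):
    """Object-level authorization: the requester must be the record's
    patient or a clinician on that patient's care team."""
    return rec["patient"] == user or rec["patient"] in CARE_TEAM.get(user, set())


def get_record_fixed(token, record_id):
    """Same endpoint with a per-object ownership check. Unauthorized
    lookups return 404 rather than 403 so a caller cannot distinguish
    'exists but not yours' from 'does not exist' when walking the ID space."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    rec = RECORDS.get(record_id)
    if rec is None or not is_authorized(user, rec):
        return Response(404)
    return Response(200, rec)


def audit_readable_ids(handler, token, id_range):
    """Defender's regression check: the set of record IDs one session can
    read across a contiguous ID range. For a correct handler this must
    equal the records the session's user is entitled to, nothing more."""
    return sorted(i for i in id_range if handler(token, i).status == 200)
```

Running `audit_readable_ids` over both handlers with the same low-privilege session makes the difference visible: the vulnerable handler returns every record in the range, the fixed one only the caller's own.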

APIs define how applications connect with other programs and systems and are used for sharing information. Of the 30 mHealth applications examined, 77% contained hard-coded API keys, making them susceptible to attacks that would allow an attacker to intercept data as it is exchanged. In some cases, those keys never expire, and 7% of the API keys belonged to third-party payment processors that explicitly warn against hard-coding private keys in plain text. Nevertheless, the usernames and passwords were hard-coded.

None of the apps implemented certificate pinning, which is needed to prevent interception attacks. This flaw can be exploited to allow sensitive health and personal information to be intercepted and modified. Half of the tested apps did not authenticate requests using tokens, and 27% lacked code obfuscation protections, which made them prone to reverse engineering.

Knight was able to access highly sensitive data throughout the study. 50% of the records contained names, addresses, dates of birth, Social Security numbers, allergies, prescribed medications, and other sensitive health information. Knight also found that once access was gained to one patient's records, other patients' records could be accessed at random. 50% of the APIs allowed clinicians to view the pathology, X-ray, and clinical data of other patients, and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not assigned to her clinical account. Knight also discovered replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take over other users' sessions.

Another problem is that mHealth apps do not have security built in. Instead of building security into the apps at the design stage, the apps are developed first and security measures are bolted on afterwards, which easily leads to vulnerabilities not being fully addressed.

David Stewart, founder and CEO of Approov, said that leading developers and their enterprise and organizational customers consistently fail to recognize that APIs serving remote clients such as mobile apps need a new and dedicated security paradigm. Because so few organizations deploy API protections that ensure only genuine mobile app instances can connect to backend servers, threat actors exploit these APIs and create a real problem for vulnerable companies and their patients.

CISA Alert Concerning Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS' Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about threat actors exploiting poor cyber hygiene to gain access to business cloud environments. The alert follows CISA's observation of a spike in attacks on companies that have moved to a mostly remote workforce because of the pandemic.

Although the hackers behind the SolarWinds Orion supply chain attack used some of the techniques described in the report, the techniques are not tied to any particular threat group; several threat actors are using them to gain access to cloud environments and steal sensitive data.

According to the alert, threat actors are using a variety of tactics, techniques, and procedures to attack cloud environments: phishing, brute force attacks to guess weak passwords, exploitation of unpatched vulnerabilities, and exploitation of weaknesses in cloud security practices.

Phishing is frequently used to obtain credentials for remote access to cloud assets and applications. Phishing emails typically contain links to malicious web pages where credentials are harvested. Where multi-factor authentication is not in place, the attackers can use those credentials to access online resources. The phishing emails usually appear to be benign messages with links to what seem to be legitimate file hosting services. Compromised email accounts are then used to send further phishing emails to other employees in the organization; these internally sent emails usually link to files on what appears to be the company's file hosting service.

In some cases, auto-forwarding rules were created in the compromised email accounts to collect sensitive emails, or search rules were set up to identify and collect sensitive information. "Besides changing current user email rules, the threat actors made new mailbox rules that sent a number of messages obtained by the users (particularly, messages with a number of keywords related to phishing) to the legitimate users' Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to try to prevent legitimate users from seeing the warnings."
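To show how this rule-hiding technique can be spotted in audit data, here is an added Python detector (not from CISA's alert) that scans constructed records in the general shape of Exchange Online admin audit entries; the exact field names, the tenant domain example.org, and the folder and keyword lists are assumptions.

```python
"""Flag inbox rules that hide or exfiltrate mail.

Added example, not part of the CISA alert. It scans audit records in the
general shape of Exchange Online admin audit entries (one JSON object per
line with Operation, UserId, CreationTime and a Parameters list of
Name/Value pairs; this field set is an assumption). Every record below is
constructed. A rule is flagged when it moves mail to a folder users rarely
read (RSS Subscriptions and similar), forwards or redirects mail outside the
organization, deletes or marks mail as read, or keys on security-alert words.
"""
import json

INTERNAL_DOMAINS = {"example.org"}           # assumed tenant domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
ALERT_WORDS = {"phish", "phishing", "hacked", "compromised", "suspicious",
               "security", "password", "helpdesk", "malware"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed audit records: a benign newsletter rule, a rule hiding phishing
# warnings in RSS Subscriptions, an external forward, and an unrelated operation.
SAMPLE_LOG = "\n".join([
    json.dumps({"CreationTime": "2021-01-11T08:02:13", "Operation": "New-InboxRule",
                "UserId": "c.diaz@example.org", "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2021-01-11T09:41:55", "Operation": "New-InboxRule",
                "UserId": "j.moore@example.org", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hacked;suspicious"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2021-01-11T09:43:02", "Operation": "Set-InboxRule",
                "UserId": "j.moore@example.org", "Parameters": [
                    {"Name": "Identity", "Value": "Sync"},
                    {"Name": "ForwardTo", "Value": "j.moore@example.org;archive.mbx@mail-drop.example"}]}),
    json.dumps({"CreationTime": "2021-01-11T10:00:00", "Operation": "Set-Mailbox",
                "UserId": "admin@example.org", "Parameters": [
                    {"Name": "Identity", "Value": "c.diaz@example.org"}]}),
])


def params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_recipients(value: str) -> list[str]:
    """Addresses in a ';'-separated recipient list whose domain is not ours."""
    out = []
    for addr in value.replace(",", ";").split(";"):
        addr = addr.strip().lower()
        if addr and "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def assess_rule(record: dict) -> list[str]:
    """Return the reasons a rule looks like mailbox tampering (empty if benign)."""
    p = params(record)
    reasons = []
    if p.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['MoveToFolder']!r}")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external_recipients(p.get(key, ""))
        if ext:
            reasons.append(f"{key} outside the organization: {', '.join(ext)}")
    for key in ("DeleteMessage", "MarkAsRead"):
        if p.get(key, "").lower() == "true":
            reasons.append(f"{key} set")
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.strip().lower() for w in p.get(key, "").split(";") if w.strip())
    hits = sorted(words & ALERT_WORDS)
    if hits:
        reasons.append(f"filters on alert words: {', '.join(hits)}")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Scan JSON-lines audit text and return one finding per suspicious rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        reasons = assess_rule(rec)
        if reasons:
            findings.append({"user": rec["UserId"], "time": rec["CreationTime"],
                             "operation": rec["Operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} {f['operation']}: " + "; ".join(f["reasons"]))
```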

Besides phishing for login credentials, brute force attacks are used to guess weak passwords. In many cases, brute force and phishing attacks succeeded in obtaining credentials but were foiled by multi-factor authentication, which prevented the stolen credentials from being used; however, CISA identified one attack in which the attacker bypassed multi-factor authentication to access cloud resources using 'pass-the-cookie' techniques. A pass-the-cookie attack uses a stolen cookie from a previously authenticated session to sign in to online services or web applications. These attacks can succeed even when a company has correctly implemented multi-factor authentication.

Threat actors are targeting remote workers who use personally owned or company-issued devices to connect to their company's cloud resources. Although companies have deployed security solutions to block these attacks, many have succeeded because of poor cyber hygiene practices.

In the alert, CISA listed the following best practices for improving cyber hygiene and strengthening cloud security configurations to prevent attacks on cloud services.

  • Implement conditional access
  • Review Active Directory logs and unified audit logs for suspicious activity
  • Enforce MFA for all users
  • Review email forwarding rules on a regular basis
  • Follow guidance on securing privileged access
  • Resolve client site requests internal to the network
  • Have IT teams adopt a zero-trust mindset

Specific recommendations were also provided to help organizations secure their M365 environments.

Enterprises can read the Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services analysis report on this page and implement its recommendations.

Hidden Backdoor Discovered in 100,000 Zyxel Devices

A vulnerability has been discovered in Zyxel products, including firewalls, access point (AP) controllers, and VPN gateways, that hackers could exploit to gain remote administrative access to the devices. By exploiting the vulnerability, hackers could change firewall settings, allow or block traffic, intercept traffic, create new VPN accounts, expose internal services to the internet, and gain access to the internal systems behind Zyxel products. About 100,000 Zyxel devices worldwide are affected.

Zyxel's networking equipment is popular with small and medium-sized organizations and is also used by large businesses and government institutions.

Niels Teusink of the Dutch cybersecurity firm EYE discovered the vulnerability, tracked as CVE-2020-29583, when he found an undocumented user account in the latest version of Zyxel's firmware (4.60 patch 0). The account, zyfwp, has a hardcoded plaintext password stored in one of the product binaries. This hardcoded administrative password was introduced in the latest version of the firmware.

Teusink was able to use the credentials to log in to vulnerable devices over SSH and through the web interface. Because the password is hardcoded, device owners cannot change it. An attacker can use the credentials to log in remotely and take over a vulnerable Zyxel device. Since the SSL VPN on these devices runs on the same port as the web interface, many users have port 443 of these devices exposed to the internet.

Zyxel has released a patch to fix the vulnerability. Zyxel said the account was added to allow the company to deliver automatic firmware updates to connected access points via FTP.

The vulnerability affects a number of Zyxel products, including the Zyxel Advanced Threat Protection (ATP) firewall, the VPN series version 4.60, the Unified Security Gateway (USG), USG FLEX, and the Zyxel NXC2500 and NXC5500 AP controllers version 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an alert about the vulnerability, rating the risk as medium for small government entities and small businesses and high for large and medium-sized government agencies and large and medium-sized businesses.

All users of the vulnerable products were told to apply the patch without delay to protect against exploitation. Although there have been no documented cases of exploitation so far, exploitation of the vulnerability is likely.

For the following vulnerable firewall products, patches were made available in December 2020.

  • USG series using firmware ZLD V4.60
  • ATP series using firmware ZLD V4.60
  • USG FLEX series using firmware ZLD V4.60
  • VPN series using firmware ZLD V4.60

For the following affected AP controllers, patches will be available on January 8, 2021.

  • NXC2500 using firmware V6.00 through V6.10
  • NXC5500 using firmware V6.00 through V6.10

To mitigate the threat, MS-ISAC recommends the following actions:

  • Apply the updates provided by Zyxel to vulnerable systems immediately after appropriate testing.
  • Run all software as a user without administrative privileges to limit the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users about the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

NSA Advisory on Authentication Mechanism Abuse to Obtain Access to Cloud Resources

The U.S. National Security Agency (NSA) has issued an advisory about two techniques that threat actors are currently using to gain access to cloud resources containing protected data. The techniques abuse authentication mechanisms and allow attackers to steal credentials and maintain persistent access to networks.

The threat actors who compromised the SolarWinds Orion platform are using these techniques. The hackers behind the attacks have not been formally identified, but evidence has emerged suggesting the attack was conducted by a Russian nation-state threat group, possibly APT29 (Cozy Bear). Secretary of State Mike Pompeo said in a radio interview that the activity was carried out by Russians, although President Trump downplayed the attack and suggested China could be responsible.

The SolarWinds Orion supply chain attack was used to push malware out to customers through the SolarWinds software update process, but that is only one of several techniques now being used to compromise public and private sector companies and government institutions.

The NSA's advisory notes that initial access can be established in a variety of ways, including through known and unknown vulnerabilities. The recent SolarWinds Orion code compromise is one example: on-premises systems were compromised, leading to abuse of federated authentication and malicious access to the cloud.

Once initial access has been obtained, the techniques described in the advisory are used to escalate privileges by forging credentials and to maintain persistent access. The NSA has provided guidance on detecting and mitigating the attacks regardless of how initial access is gained. The NSA notes that these techniques are not new: threat actors have used them since 2017 and they continue to be effective.

The techniques described in the advisory involve the use of compromised authentication tokens and the abuse of compromised system administration accounts in Microsoft Azure and other cloud platforms once a local network has been breached.

The first technique involves compromising an on-premises federated identity provider or single sign-on (SSO) system. These systems allow organizations to use the authentication mechanism they already own to grant access to resources, including cloud services. They use cryptographically signed automated messages, called assertions, delivered through the Security Assertion Markup Language (SAML) to indicate that users have been authenticated. Threat actors are abusing this authentication mechanism to gain illegitimate access to a wide range of company-owned assets.

The attackers either steal credentials or private keys from the SSO system that allow them to sign assertions and impersonate a legitimate user, or they obtain sufficient privileges to create their own keys and identities, including their own SSO system. The second technique involves compromising administrator accounts to assign credentials to cloud applications; the attackers then use the application's credentials to gain automated access to cloud data.

The NSA also warned that threat actors continue to exploit the recently disclosed command injection vulnerability in VMware products (CVE-2020-4006). In one case reported by the NSA, exploitation of this vulnerability, rather than the SolarWinds compromise, provided initial access to the local network; the techniques described in the advisory were then used to gain access to cloud resources. A patch for the VMware vulnerability has been released and should be applied immediately. SolarWinds Orion users should follow the previously published mitigations.

These techniques for accessing cloud resources do not exploit vulnerabilities in cloud infrastructure, the SAML protocol, federated identity management, or on-premises and cloud identity systems; instead, they abuse the trust placed in the federated identity system.

However, the security of identity federation in any cloud environment depends directly on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, the trust in the federated identity system can be abused for unauthorized access.

To prevent these techniques from being used successfully to gain access to cloud resources, the NSA recommends the following:

  • Secure SSO configuration and service principal usage
  • Harden systems that run on-premises identity and federation services
  • Monitor logs for suspicious tokens that do not match the organization's baseline for SAML tokens
  • Review tokens to identify anomalies
  • Analyze logs for suspicious use of service principals
  • Look for unexpected trust relationships added to Azure Active Directory
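As an added example (not from the NSA advisory) of what baselining SAML tokens can look like, the Python below compares an assertion's issuer, audience, lifetime, authentication gap and signing certificate against a constructed tenant baseline; the issuer URL, the audience, the baseline limits and the certificate blob are placeholders, and the sample assertions are constructed.

```python
"""Check SAML assertions against an organization baseline.

Added example, not taken from the NSA advisory. It reads one SAML assertion
and compares the fields a baseline would cover: issuer, audience, token
lifetime, the gap between authentication and issuance, and the certificate
that signed the token. Every deviation is returned as a finding. The
baseline values, issuer URL, audience and certificate blob are constructed
placeholders for a hypothetical tenant.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the federation server's signing certificate.
KNOWN_CERT = base64.b64encode(b"placeholder bytes, not a real certificate").decode()

BASELINE = {
    "issuer": "http://sts.example.org/adfs/services/trust",   # assumed IdP
    "audience": "urn:federation:MicrosoftOnline",
    "max_lifetime": timedelta(hours=1),
    "max_authn_gap": timedelta(minutes=10),
    # SHA-256 of certificates that are allowed to sign tokens for this tenant.
    "signing_cert_sha256": {hashlib.sha256(base64.b64decode(KNOWN_CERT)).hexdigest()},
}


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps used in SAML (e.g. 2021-01-05T10:00:05Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text: str, baseline: dict = BASELINE) -> list[str]:
    """Return the deviations from the baseline; an empty list means it fits."""
    root = ET.fromstring(xml_text)
    findings = []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != baseline["issuer"]:
        findings.append(f"issuer {issuer!r} is not the baseline issuer")

    cond = root.find("saml:Conditions", NS)
    lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
    if lifetime > baseline["max_lifetime"]:
        findings.append(f"lifetime {lifetime} exceeds {baseline['max_lifetime']}")

    audiences = [a.text.strip() for a in
                 cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if baseline["audience"] not in audiences:
        findings.append(f"audience {audiences} does not include the baseline audience")

    # A forged token often carries an AuthnInstant far from its IssueInstant.
    authn = root.find("saml:AuthnStatement", NS)
    if authn is not None:
        gap = _ts(root.get("IssueInstant")) - _ts(authn.get("AuthnInstant"))
        if gap < timedelta(0) or gap > baseline["max_authn_gap"]:
            findings.append(f"authentication instant is {gap} before issuance "
                            f"(limit {baseline['max_authn_gap']})")

    # A token signed by a certificate the IdP never used is the key signal.
    cert = "".join(root.findtext(".//ds:X509Certificate", default="", namespaces=NS).split())
    digest = hashlib.sha256(base64.b64decode(cert)).hexdigest() if cert else ""
    if digest not in baseline["signing_cert_sha256"]:
        findings.append("signed with a certificate not in the baseline")
    return findings


def build_assertion(issue_instant, not_before, not_on_or_after, authn_instant, cert_b64,
                    issuer=BASELINE["issuer"], audience=BASELINE["audience"]) -> str:
    """Constructed assertion skeleton (signature value omitted) for the checks above."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_c0ffee" Version="2.0" IssueInstant="{issue_instant}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{authn_instant}"/>
</saml:Assertion>"""


# Normal token: one-hour lifetime, authenticated seconds before issuance, known cert.
NORMAL_ASSERTION = build_assertion("2021-01-05T10:00:05Z", "2021-01-05T09:59:55Z",
                                   "2021-01-05T10:59:55Z", "2021-01-05T10:00:00Z", KNOWN_CERT)
# Suspect token: 30-day lifetime, authentication dated days earlier, unknown cert.
SUSPECT_ASSERTION = build_assertion("2021-01-05T10:00:05Z", "2021-01-05T10:00:00Z",
                                    "2021-02-04T10:00:00Z", "2021-01-01T00:00:00Z",
                                    base64.b64encode(b"unknown signing key material").decode())

if __name__ == "__main__":
    print(check_assertion(NORMAL_ASSERTION))    # []
    for finding in check_assertion(SUSPECT_ASSERTION):
        print("-", finding)
```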

Serious Vulnerabilities Discovered in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been found in Medtronic MyCareLink (MCL) Smart Patient Readers that could potentially be exploited to access and modify patient data from the paired implanted cardiac device. Exploiting the vulnerabilities together allows remote code execution on the MCL Smart Patient Reader, which would let an attacker take control of a paired cardiac device. The vulnerabilities can only be exploited by an attacker within Bluetooth range of the vulnerable product.

All versions of the MCL Smart Model 25000 Patient Reader are affected by the following vulnerabilities.

CVE-2020-25183 is an improper authentication vulnerability. The method used to authenticate the MCL Smart Patient Reader to the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device, or a malicious application on the patient's smartphone, could authenticate to the patient's MCL Smart Patient Reader, tricking it into believing it is communicating with the patient's smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

CVE-2020-27252 allows an authenticated attacker running a debug command to trigger a heap-based buffer overflow in the MCL Smart Patient Reader software stack. Once triggered, the attacker can remotely execute code on the vulnerable MCL Smart Patient Reader and take control of the device. The vulnerability has been assigned a CVSS v3 base score of 8.8.

CVE-2020-27252 is a vulnerability in the software update mechanism of MCL Smart Patient Readers. An attacker exploiting it could upload and run unsigned firmware on the Patient Reader. This also allows remote execution of arbitrary code on the MCL Smart Patient Reader and could let an attacker take control of the device. The vulnerability has been assigned a CVSS v3 base score of 8.8.

The vulnerabilities were discovered by researchers at the Israeli firm Sternum. Researchers at UC Santa Barbara, the University of Michigan, and the University of Florida also independently identified the improper authentication vulnerability.

Medtronic has now released a software update to fix the vulnerabilities after being notified of them. The firmware update is delivered by updating the MyCareLink Smart app through the mobile app store. Updating the mobile app to version 5.2 ensures the update is applied on next use; however, the patch only works if the user's smartphone is running Android 6.0 or later or iOS 10 or later.

Device users were also advised to maintain good physical control over their home monitors and to use them only in private settings. Patients should only use home monitors obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including deploying Sternum's enhanced integrity validation (EIV) technology, which provides early detection and real-time mitigation of attempts to exploit known vulnerabilities, and Sternum's advanced detection system technology, which enables device-level logging and tracking of all device activity and trends.

Critical Vulnerabilities Found in Over 100 GE Healthcare Imaging and Ultrasound Devices

Two critical vulnerabilities found in GE Healthcare medical imaging products could allow remote code execution and the access or alteration of sensitive patient data. The vulnerabilities affect GE Healthcare's proprietary management software and impact over 100 GE Healthcare imaging devices, including MRI, Advanced Visualization, Ultrasound, Interventional, Mammography, X-Ray, Computed Tomography, PET/CT and Nuclear Medicine devices.

GE Healthcare products affected by the vulnerabilities include:

  • Ultrasound Devices – Image Vault, EchoPAC, LOGIQ, Voluson, Vivid
  • MRI Devices – Brivo, Optima, Signa
  • Advanced Visualization Device – AW
  • X-Ray Devices – AMX, Brivo, Discovery, Definium, Optima, Precision
  • Interventional Devices – Optima, Innova
  • Mammography Devices – Seno, Senographe Pristina
  • Nuclear Medicine, PET/CT Devices – Brivo, Discovery, PET Discovery, Infinia Optima, PETtrace, Ventri, Xeleris
  • Computed Tomography Devices – Brivo, BrightSpeed, Discovery, Frontier Optima, LightSpeed, Revolution

Researchers Lior Bar Yosef and Elad Luz of CyberMDX discovered the vulnerabilities and notified GE Healthcare in May 2020. CyberMDX has named the vulnerabilities MDHexRay. The two vulnerabilities have been assigned a CVSS v3 base score of 9.8 out of 10.

The first vulnerability, CVE-2020-25175, is caused by the unprotected transport of credentials over the network. The second is caused by the exposure of sensitive system information to an unauthorized control sphere, which could allow sensitive data to be accessed or altered.

The CyberMDX researchers found that GE Healthcare's servicing practices relied on certain ports being open and reachable by GE Healthcare so that the devices could be maintained remotely over the internet. Although credentials are required to update and maintain the software, GE Healthcare only changes the default credentials when a customer requests it. The GE Healthcare default credentials can easily be found online. How many customers have requested a change of the default credentials is unknown.

The vulnerabilities can only be exploited by an attacker connected to the hospital network. The default credentials can then be used to gain access to vulnerable connected imaging devices and the data stored on them. Without access to the hospital's internal network, unauthorized users cannot reach the medical devices. There have been no reports of exploitation of the vulnerabilities in the wild.

GE Healthcare has assessed the vulnerabilities, conducted a risk assessment, and confirmed that there are no patient safety concerns; however, the vulnerabilities do present a risk to patient privacy, and an attacker could alter patient data in ways that could affect the outcome of some treatments. Because data remains on the imaging devices only for a limited time before being transmitted to PACS, the potential exposure of patient data is limited.

Because no patch is yet available, mitigation involves changing the default password, which only GE Healthcare can do. GE Healthcare is notifying its customers and assisting affected customers to change the default password and ensure their product firewalls are correctly configured. Customers are also being advised to follow best practices for network management and security. CyberMDX recommends setting ports 21 (FTP), 22 (SSH), 23 (Telnet), and 512 (REXEC) to listen-only mode.

AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

The American Medical Association (AMA) has warned hospitals, health systems, and medical practices about the spike in cyber risks affecting the healthcare sector in particular and has offered advice on the steps to take to mitigate threats and improve network security.

Laura Hoffman, AMA assistant director of federal affairs, discussed the current threats in an AMA COVID-19 Update and introduced a new resource created by the AMA and the American Hospital Association (AHA) on the technology considerations healthcare organizations should weigh for the rest of 2020 to improve network security and patient privacy.

The COVID-19 pandemic has created many new challenges for healthcare organizations, which are treating more patients while dealing with unfamiliar cases. The pandemic prompted a large expansion of telehealth services, with many patients receiving virtual care through new technology tools.

The new technologies and systems introduced vulnerabilities and widened the attack surface, and cybercriminals have taken advantage by escalating attacks on the healthcare industry. At the start of the pandemic, phishing attacks on the sector increased. Virtual private networks became widely used to support remote working, telehealth, and remote monitoring of medical equipment, which enlarged the attack surface, and several vulnerabilities were discovered in these tools that threat actors have exploited to gain access to healthcare systems.

Ransomware attacks on healthcare providers have also increased; in particular, Ryuk ransomware operators have increasingly targeted the healthcare sector in recent weeks. These attacks cut off access to protected health information (PHI) and take down mission-critical systems, delaying patient care and endangering patient safety. The AMA has also observed more insider threats during the pandemic, with insiders exploiting known security vulnerabilities for financial gain.

The new guidance is intended to help practices and hospitals prepare for the months ahead, when they may face a second wave of COVID-19 infections coinciding with the cold and flu season. The AMA recommends that healthcare providers request regular updates from their IT vendors or security specialists. The guidance document provides a set of questions to ask those providers to ensure vulnerabilities are identified and addressed. The questions cover network security, legacy devices and unsupported software, system access rights granted to third parties and vendors during the pandemic, and the location of all PHI.

Besides addressing cybersecurity risks, healthcare organizations must prepare for the end of the Public Health Emergency. During the pandemic, the HHS' Office for Civil Rights is exercising enforcement discretion over the use of telehealth technology; once the Public Health Emergency ends, healthcare organizations must be fully compliant with HIPAA.

The telehealth platforms used during the pandemic may not be acceptable for continued use. If they continue to be used, a business associate agreement with the technology provider is required, and a security risk analysis of the telehealth platform must be conducted, if it has not been already, to identify risks and vulnerabilities to the PHI involved.

The AMA is urging physicians and hospitals to start talking to their telemedicine vendors and to conduct a security risk analysis now, so that they are ready when the Public Health Emergency ends.

In the guidance, the AMA and AHA also recommend asking telemedicine vendors about their privacy procedures, intended data use, and security practices. Consult your legal team to clarify how vendors capture and store video, audio, and other data, and who can access that data. You may also ask whether the vendor shares the results of third-party security audits, such as SOC 2 or HITRUST, along with penetration testing results.

It is also advisable to enable all available privacy and security features of telemedicine platforms, such as end-to-end encryption, so that third parties cannot intercept communications between patients and providers. Patients should also be made aware of the potential privacy risks of using telemedicine platforms and receiving virtual care.

Advisory on Global Phishing Campaigns Targeting COVID-19 Vaccine Cold Chain Companies

The Cybersecurity and Infrastructure Security Agency has published a warning about a global spear phishing campaign targeting companies that provide cold storage and are involved in COVID-19 vaccine distribution.

The first two vaccines developed must be stored and transported at low temperatures before administration: the Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C). Cold chain suppliers are therefore a critical component of the supply chain.

At the start of the pandemic, IBM X-Force set up a cyber threat task force to monitor threats against organizations involved in the fight against COVID-19. The task force recently published a report on an ongoing spear phishing campaign, which began in September 2020, targeting organizations involved in the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children's Fund and partner agencies to deliver vaccines around the world.

Phishing emails were sent to executives in sales, procurement, finance, and information technology who are likely to be involved in supporting the vaccine cold chain. The targeted companies are believed to be suppliers of the material resources needed to meet the transport requirements of the COVID-19 cold chain.

The phishing emails appear to come from an account manager at Haier Biomedical, a Chinese company that is a qualified supplier for the Cold Chain Equipment Optimization Platform program. Haier Biomedical is the only company in the world offering complete cold chain services, which is why it is being impersonated in the campaign.

The IBM X-Force researchers intercepted emails with malicious HTML attachments that, when opened, prompt the recipient to enter credentials to view the file. The harvested credentials are then used to spy on internal communications about the processes, methods, and plans for distributing COVID-19 vaccines. With the credentials, the attackers could move laterally through connected systems, conduct cyber espionage, and steal further data for use in other attacks.

IBM said the phishing campaigns are running in six countries and that, to date, 10 international organizations have been targeted, including the European Commission's Directorate-General for Taxation and Customs Union. The targeted organizations span sectors including manufacturing, energy, information technology and software. The researchers could not determine how successful the campaigns have been.

Given the precise targeting of executives at specific global companies involved in vaccine storage and transport, and the absence of a clear path to cashing out, the campaign is most likely being run by a nation-state threat actor. IBM X-Force suggests that cybercriminal groups would be unlikely to invest the time, money, and resources into campaigns targeting so many global companies.

IBM X-Force advises companies involved in the cold storage and transport chain to take steps to mitigate the phishing threat, such as developing and testing incident response plans, sharing and consuming threat intelligence, assessing their third-party ecosystems, adopting a zero-trust approach to security, deploying multi-factor authentication across the organization, using endpoint protection and response solutions, and conducting regular email security awareness training.

Besides phishing, companies in the cold storage chain should also protect against ransomware attacks, as they are likely targets. In November, the U.S. cold storage firm Americold Realty Trust suffered a cyberattack believed to have involved ransomware; the firm had reportedly asked Chicago Rockford International Airport for assistance with COVID-19 vaccine distribution.

Majority of Microsoft 365 Administrators Have Not Activated Multi-Factor Authentication

CoreView has released a new report showing that most Microsoft 365 administrators have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and are not implementing other basic security measures. According to the study, 78% of Microsoft 365 administrators have not enabled multi-factor authentication, and 97% of Microsoft 365 users do not use MFA.

This is a major security risk, especially with most of the workforce working remotely. IT teams should recognize the problem and address it in order to prevent cyberattacks and strengthen their organization's security posture.

The SANS Institute states that 99% of data breaches could be prevented by using MFA, and Microsoft said in an August 2020 blog post that MFA is one of the most important measures for preventing unauthorized account access, noting that 99.9% of account compromises can be prevented by MFA.

The CoreView study also found that 1% of Microsoft 365 administrators do not use strong passwords, even though hackers are adept at guessing passwords with automated brute force attacks. Even a strong password offers no guarantee against a breach: it provides no protection when a user falls for a phishing scam. When passwords are stolen, MFA provides protection and should prevent those passwords from being used to gain access to the account.

The CoreView M365 Application Security, Data Governance and Shadow IT Report found that Microsoft 365 administrators are granted excessive control and have access to high-value sensitive data. 57% of Microsoft 365 admins were found to have excessive permissions to access, modify, and share business-critical data. 36% of Microsoft 365 administrators are global administrators, with full control over their organization's entire Microsoft 365 environment. 17% of Microsoft 365 admins are also Exchange admins with access to every email account in the organization, including C-suite accounts. If a Microsoft 365 admin account is compromised, an attacker gains access to the entire Microsoft 365 environment and the large volumes of sensitive data it holds. Not only does the Microsoft 365 environment contain a large amount of readily monetized data, the accounts are also linked to other networks and can be used to launch a much wider attack on the company.

The study also revealed that while organizations have invested heavily in productivity and operations software that lets staff communicate, collaborate, and work more effectively, shadow IT has grown alongside it, particularly SaaS applications. SaaS apps are often used by employees without the IT department’s knowledge, and many of them lack proper security, opening the door to preventable cyberattacks.

At the most basic level, malicious applications can siphon off critical information. Users may also unknowingly disclose sensitive company data through these applications to compromised parties, leaving the organization at substantial risk of a data breach. It is critical that companies track these applications and review them for security gaps.

Companies that move to Microsoft 365 frequently underestimate their security and governance responsibilities, wrongly believing that Microsoft 365 is secure by default and includes all the protections needed to prevent data breaches. Microsoft 365 can be secure, but companies need to be proactive and make certain that security is configured, that shadow IT is adequately monitored, and that data governance is in place.
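Monitoring shadow IT, as the passage above recommends, usually starts with the web proxy log: anything not on the approved SaaS list is a candidate for review. The following added example (not code from the page or from CoreView) does that over a constructed proxy log; the log format, the approved-domain list and the two-label "registrable domain" shortcut are all assumptions.

```python
"""Find unsanctioned SaaS usage in a constructed web proxy log.

Added example. The log format ("ts user url bytes_sent"), the approved
domain list and the crude domain-collapsing rule are assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed allowlist of sanctioned SaaS services (registrable domains / hosts).
APPROVED_SAAS = {"office.com", "sharepoint.com", "teams.microsoft.com"}

# Constructed proxy log lines: timestamp, user, URL, bytes sent by the client.
SAMPLE_PROXY_LOG = """\
2021-07-15T08:00:01Z alice https://contoso.sharepoint.com/sites/hr/doc.docx 10240
2021-07-15T08:02:11Z bob https://www.dropbox.com/upload 2048000
2021-07-15T08:03:40Z carol https://app.notion.so/workspace 51200
2021-07-15T08:05:00Z bob https://www.dropbox.com/upload 4096000
2021-07-15T08:06:30Z dave https://teams.microsoft.com/api/chat 4096
2021-07-15T08:09:12Z erin https://www.dropbox.com/home 1024
"""


def registrable_domain(host):
    """Collapse a hostname to its last two labels.

    Assumption for the example: production code would use the Public Suffix
    List so that e.g. 'example.co.uk' is handled correctly.
    """
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_approved(host):
    """True if the host is an approved service or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in APPROVED_SAAS)


def find_shadow_saas(log_text):
    """Return {domain: {"users": [...], "bytes_out": n}} for unapproved SaaS."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, url, nbytes = line.split()
        host = urlsplit(url).hostname or ""
        if is_approved(host):
            continue
        key = registrable_domain(host)
        usage[key]["users"].add(user)
        usage[key]["bytes_out"] += int(nbytes)
    # Sorted, JSON-friendly output so it can be fed to a ticket or dashboard.
    return {d: {"users": sorted(v["users"]), "bytes_out": v["bytes_out"]}
            for d, v in sorted(usage.items())}


if __name__ == "__main__":
    for domain, info in find_shadow_saas(SAMPLE_PROXY_LOG).items():
        print(f"{domain}: {len(info['users'])} user(s), {info['bytes_out']} bytes sent")
```

The bytes-sent column matters more than the hit count: a single unapproved file-sharing domain receiving megabytes from several users is the shadow-IT case most likely to end in a data breach, so sorting the report by `bytes_out` is a reasonable first triage.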

Active Threat Warning Given Regarding SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert urging companies to patch a critical remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and Infrastructure Security Agency is likewise advising companies to apply the patch immediately to avoid exploitation.

The vulnerability, tracked as CVE-2020-16952, is caused by SharePoint failing to properly check the source markup of an application package. If exploited, an attacker could execute arbitrary code with administrator privileges in the context of the SharePoint server farm account and the SharePoint application pool.

An attacker could exploit the vulnerability by persuading a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint, for example through a phishing campaign using social engineering techniques.

The vulnerability’s assigned CVSS v3 base score is 8.6 out of 10. It impacts these SharePoint products:

  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 Service Pack 1

The vulnerability does not affect SharePoint Online.

Attackers target SharePoint vulnerabilities because SharePoint is widely used by enterprises. Past SharePoint vulnerabilities have been broadly exploited, including two that appeared in CISA’s top 10 list of the most exploited vulnerabilities from 2016 to 2019.

This week, Microsoft released an out-of-band patch to fix the vulnerability. The patch must be applied, because no workarounds or mitigations can stop exploitation of the vulnerability. The patch changes the way SharePoint checks the source markup of application packages.

Security researcher Steven Seeley, who discovered the vulnerability and reported it to Microsoft, has released a proof of concept exploit that is publicly available on GitHub. The PoC could quickly be weaponized, so there is a high probability that working exploits will be developed and used in attacks on companies. At the time the patch was released, Microsoft was not aware of any exploitation of the vulnerability in the wild.

NCSC stated that use of this PoC could be detected by looking for HTTP headers that contain the string runat=’server’ and by reviewing SharePoint page creations.

According to Rapid7 researchers, the vulnerability is highly valuable to attackers because it is simple to exploit to gain privileged access. An authenticated user with page creation privileges, a standard SharePoint permission, can exploit the bug to leak an arbitrary file, notably the application’s web.config file, which could then be used to achieve remote code execution (RCE) via .NET deserialization. The patch must be applied immediately to avoid exploitation.
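NCSC’s detection hint (the runat=’server’ string) and Rapid7’s note that exploitation goes through page creation suggest a simple log review: flag requests carrying that string, and flag page creations by users who normally do not create pages. The following added example (not code from NCSC, Rapid7, Microsoft or the PoC author) runs that logic over a constructed request log. The JSON-per-line log format, the "PUT/POST of an .aspx path counts as a page creation" heuristic, and scanning the body as well as the headers are all assumptions.

```python
"""Detection logic for CVE-2020-16952 hunting over a constructed request log.

Added example. The log format (one JSON object per line with ts, user,
method, path, headers, body) and the page-creation heuristic are assumptions.
"""
import json
import re

# Matches runat='server', runat="server" or runat=server, any case.
RUNAT_SERVER = re.compile(r"""runat\s*=\s*['"]?server['"]?""", re.IGNORECASE)

# Constructed sample log: a normal page view, a suspicious page upload,
# a probe carrying the string in a header, and a benign page creation.
SAMPLE_LOG = """\
{"ts":"2020-10-14T09:01:02Z","user":"alice","method":"GET","path":"/sites/hr/SitePages/Home.aspx","headers":{"User-Agent":"Mozilla/5.0"},"body":""}
{"ts":"2020-10-14T09:03:10Z","user":"bob","method":"PUT","path":"/sites/hr/SitePages/new-page.aspx","headers":{"Content-Type":"text/html"},"body":"<%@ Page %><script runat='server'>/* placeholder */</script>"}
{"ts":"2020-10-14T09:04:00Z","user":"carol","method":"POST","path":"/sites/hr/_api/web/lists","headers":{"X-Probe":"runat=server"},"body":"{}"}
{"ts":"2020-10-14T09:05:00Z","user":"dave","method":"PUT","path":"/sites/hr/SitePages/report.aspx","headers":{},"body":"<div>quarterly report</div>"}
"""


def parse_log(text):
    """Parse one JSON object per non-empty line (assumed format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_page_creation(rec):
    """Heuristic (assumption): a PUT/POST of an .aspx path is a page creation or edit."""
    return rec["method"] in ("PUT", "POST") and rec["path"].lower().endswith(".aspx")


def detect(records):
    """Return alerts, highest severity first within log order.

    high   : runat=server string inside a page creation request
    medium : runat=server string anywhere else (headers or body)
    info   : page creation without the string, for baseline review
    """
    alerts = []
    for rec in records:
        reasons = []
        header_blob = " ".join(f"{k}: {v}" for k, v in rec.get("headers", {}).items())
        if RUNAT_SERVER.search(header_blob):
            reasons.append("runat=server in headers")
        if RUNAT_SERVER.search(rec.get("body", "")):
            reasons.append("runat=server in body")
        page_creation = is_page_creation(rec)
        if page_creation:
            reasons.append("page creation")

        string_hit = any(r.startswith("runat") for r in reasons)
        if string_hit:
            severity = "high" if page_creation else "medium"
        elif page_creation:
            severity = "info"
        else:
            continue
        alerts.append({"ts": rec["ts"], "user": rec["user"], "path": rec["path"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['ts']} {a['user']} {a['path']}: {', '.join(a['reasons'])}")
```

The "info" alerts are deliberate: on an unpatched farm, the useful question is not only whether the string appeared but which accounts are creating pages at all, since that permission is the precondition Rapid7 describes. A sudden page creation by an account that has never created one belongs in the same review queue as the string match.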

Treasury Department Warns of Sanctions Risks for Facilitating or Making Ransomware Payments

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has cautioned that organizations that pay ransoms to cyber actors on behalf of attack victims may face sanctions risks for violating OFAC regulations. Ransomware victims that pay ransom demands could also face substantial fines from the federal government if the attackers responsible turn out to be subject to economic sanctions.

OFAC explained that ransomware payment demands have increased during the COVID-19 pandemic as cybercriminals target the online systems that U.S. individuals depend on to keep doing business. Organizations that facilitate ransomware payments to cybercriminals on behalf of victims, such as financial institutions, cyber insurance companies, and digital forensics and incident response firms, not only encourage future ransomware demands but may also risk violating OFAC regulations.

OFAC has sanctioned several individuals and groups involved in ransomware attacks in recent years:

  • two Iranians believed to be behind the SamSam ransomware attacks that began in late 2015
  • the Lazarus Group of North Korea, behind the May 2017 WannaCry 2.0 ransomware attacks
  • Evil Corp and its leader, Maksim Yakubets, who are responsible for the Dridex malware
  • Evgeniy Mikhailovich Bogachev, identified as the developer of Cryptolocker ransomware, first launched in December 2016

Making ransom payments to sanctioned individuals or jurisdictions endangers U.S. national security interests. Facilitating a ransomware payment demanded as a result of malicious cyber activity could allow attackers and adversaries with a sanctions nexus to profit and advance their illicit objectives.

U.S. persons are generally prohibited from engaging in direct or indirect transactions with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.

Civil monetary penalties may be imposed for sanctions violations even if the person violating sanctions did not know that they were transacting with a party prohibited under the sanctions laws and regulations administered by OFAC. Anyone facilitating or paying ransom demands to sanctioned persons, groups, or regimes could face a financial penalty of up to $20 million.

Many entities never disclose ransomware attacks or report them to the authorities, in order to avoid bad publicity and legal problems; however, by not reporting they hinder law enforcement investigations. OFAC stated in its advisory that the agency will consider a company’s prompt and complete report of a ransomware attack to law enforcement to be a significant mitigating factor when determining an appropriate enforcement outcome, should the situation later be found to have a sanctions nexus.

The advisory also contains contact information that ransomware victims can use to find out whether sanctions apply to the attackers and whether a ransom payment may involve a sanctions nexus.

OFAC has warned against paying ransoms. Not only may a payment violate OFAC regulations, but there is also no certainty that paying will result in valid decryption keys being provided. The attackers may not delete stolen data, and they may demand further payment. Paying a ransom can also embolden attackers to carry out further attacks.

OFAC has only issued advice and warned of sanctions risks when payments are made to certain threat actors. Short of an enforced ban on ransom payments, the attacks are likely to continue because they are lucrative. Only when attacks stop being profitable are cybercriminals likely to stop carrying them out.