Cyber Security Today, Week in Review for Nov. 19, 2021

Welcome to Cyber Security Today. This is the Week in Review version for Friday November nineteenth. I’m Howard Solomon, contributing reporter on cybersecurity for


In a couple of minutes I’ll be joined by Terry Cutler, head of Cyology Labs in Montreal, to discuss some stories from the week. But first a quick look back at some of what happened in the last seven days:

The compromise of an FBI email server to send out 100,000 pieces of spam made headlines. Terry and I will talk about how it probably happened and how IT departments can prevent being victimized the same way.

We’ll also look into a report that the RAM in personal computers, servers and cellphones can be more easily compromised by hackers for data theft than has been thought.

And we’ll also look at a report that some ransomware groups are making so much money they’re now bidding on million-dollar zero-day vulnerabilities.

Elsewhere, news emerged that the gang behind the Emotet malware and botnet is back. Its infrastructure was taken down in January by law enforcement agencies. But security researchers noted that the TrickBot botnet is now distributing emails with attachments laced with malware similar to Emotet. This is another example of how cybercrooks knocked out of business are able to rise again if they keep their code, or their knowledge of how to create malicious code.

The province of Newfoundland and Labrador continues dealing with the cyber attack on its healthcare system that began 20 days ago. Canadian privacy expert Ann Cavoukian told me it’s appalling that years of data was accessed by the attackers.

Meanwhile a health clinic in Ottawa is still trying to restore services after it was hit by a cyber attack last weekend.

Here’s an update on the data theft I reported last week from the Robinhood stock trading platform: A threat actor claiming to be the attacker has put the data up for sale on the dark web. That includes a list of 5 million email addresses and a list of two million email addresses with the users’ names. The attacker isn’t yet selling the detailed data on 310 customers that was copied.

Another warning has been issued by government security agencies to IT departments about the dangers of not promptly applying security patches to products. The U.S., U.K. and Australia said an Iranian-backed group is exploiting vulnerabilities in certain Fortinet network devices and Microsoft Exchange. These vulnerabilities have been patched. In fact one dates back to 2018, another to 2019.

A warning has also gone out to WordPress administrators to better secure their systems. This comes after a cybersecurity company found numerous compromised sites suddenly displaying fake claims of a ransomware attack. How was it done? Somehow an attacker was able to break into the WordPress site and tamper with a plug-in called Directorist, which lets administrators build contact directories for their sites. It’s crucial that all WordPress administrators tighten security, including making sure their passwords are strong and protected with multifactor authentication. They should also be aware of other ways of protecting their sites.

(The following is an edited version of my talk with Terry Cutler. To hear the full version play the podcast.)

Howard: I want to bring in Terry Cutler now. We’ll start with the FBI hack. Last Friday night about 100,000 emails went out from an FBI email address. It’s used for communications with law enforcement agencies and prosecutors. The email warned recipients that their systems had been hacked by a threat actor, but it was a hoax. In fact, the so-called threat actor blamed is really a cyber security expert who has been the victim of several hacks. Regardless of that, it was embarrassing to the FBI. From what we know publicly, how was this done?

Terry: There’s a web page at the FBI called the Law Enforcement Enterprise Portal, or LEEP. This portal allows an account to interact with various law enforcement agencies and use FBI resources. On that page was an ‘Apply now’ button, and when you apply you’d fill out information and it would say okay at the end. But there was a flaw and the threat actor was able to inject code that allowed them to interact with the webserver on the backend and send out over 100 thousand emails.

Howard: So applicants were to get a confirmation email, but that portal was compromised. In fact, the website leaked the one-time passcode that was needed for confirmation. And that allowed the attacker to compromise the email server that sent out the confirmation notice. Have you heard about anything like this before?

Terry: I haven’t come across this. But what we found is also that the one-time password was the same for everyone. There are some mitigation steps they can put in place to stop this. One of the things is having what’s called an SPF record. This checks to make sure that emails aren’t being spoofed along the way before they get sent out, but in this particular case all of the emails came from internal FBI systems. So there was no way to stop it in this particular case. Another mitigation step is to limit the number of systems that a message talks to before an email gets sent out.

The best thing is to get an audit done. Have a web application penetration test to see if there are any flaws in the mechanisms of the website. You want to look at the OWASP (Open Web Application Security Project) Top 10 Vulnerabilities to see where flaws could be. A lot of what we’re seeing right now with poor application development is that the developers aren’t coding with security in mind. They want to get a website up and running as quickly as possible and fix it along the way, instead of building it with Privacy by Design all the way up.

Howard: Let’s move on to the DRAM vulnerability report. DRAM is the memory in computers. It’s a juicy target for attackers because it can temporarily hold sensitive data like passwords and software tokens that are used to verify identity. As I understand it, a few years ago researchers discovered a technique called Rowhammer that could allow an attacker to siphon off data from memory. But this week researchers said a newer technique they call Blacksmith is much more effective. Tell us about this.

Terry: Rowhammer has been around for a few years. In fact, it was introduced in 2014. It’s basically a physical hacking technique that allows the attacker to manipulate the electric charge in computer memory chips. It’s going to corrupt or possibly allow you to exfiltrate data from that memory space. It allows the same program to run repeatedly on different rows of the chip. So they can actually access other people’s memory space on the same system if it’s a cloud system.

Howard: My understanding from the research paper was that two years ago or a year ago there was a test of 40 devices on whether the Rowhammer attack would work. And they found that it worked on 30 per cent of the devices. The new attack method they call Blacksmith was tried on the same devices and it worked 100 per cent of the time. So that sounds like it’s possible that this vulnerability could be easily exploited.

Terry: Yes. It seems like it’s going across all [memory] manufacturers, because back in the day we used to be able to mix and match RAM manufacturers. But then we’ve seen sometimes where, like in an operating system, it could result in a blue screen or crash because the memory chips weren’t the same. There is some stuff chip manufacturers can implement, which is called target row refresh. But what we’re seeing right now is that it’s only available on the newest chipsets. So what do you do if you’ve got older hardware?

Howard: I fired off an email with a question to Johannes Ullrich, dean of research at the SANS Institute, because of a comment he had made in a SANS briefing note. And he says cloud environments may be riskier places now for certain data because they share infrastructure. He said that physically separating certain sensitive data to run on separate servers may now be necessary because of this discovery.

Terry: This is going to be tough because the whole point of the cloud is to make it more affordable, more efficient and easily managed. So if this attack gains more traction that means that everybody’s going to have their own physical server, which is going to defeat the purpose [of cloud computing]. It’s going to be more costly and it’s not going to run efficiently. It’s going to be a mess. I mean there was a similar thing a few years ago. You may have heard of the Meltdown and Spectre vulnerabilities in CPUs. I think we’re going to start seeing more and more hardware-level attacks which may be able to bypass software controls.

Howard: So if you’re an IT department head and now you’ve heard about this Blacksmith memory attack technique, what can you do?

Terry: I think you’re at the mercy of the [memory] manufacturers. If you have equipment that isn’t set up to protect you against the latest threats you’re going to have to rip and replace that hardware, because some of these attacks are only mitigated on DDR4 RAM. If you’ve got DDR3 you don’t have that capability. So you’ve got to make sure you do your [security] audits, and make sure you protect against as many vulnerabilities as possible.

Howard: The final item I want to look at is ransomware, again. It seems no Week in Review can be done without talking about ransomware. And that’s because it’s a profitable tactic that threat groups can employ. In fact, it’s so profitable that according to a report this week from the threat intelligence firm called Digital Shadows, some ransomware gangs can now afford to bid on zero-day vulnerabilities. A zero-day is a vulnerability that’s discovered by a threat actor and is unknown to the product’s developers. They’re being sold on criminal websites to the highest bidder. It used to be that the cyber divisions of countries, or threat groups that are backed by countries, were the only ones who could afford to buy these. But apparently, now ransomware groups are bidding on them as well. What does this mean for an IT defender?

Terry: This means it’s a real mess because, again, the attackers just need a way into your environment. But as a defender you’re dealing with patch problems, compliance problems, who’s got multifactor authentication turned on, who’s got too much access, who’s not protected against phishing attacks, have my passwords leaked onto the dark web, I’ve got old outdated operating systems that I can’t get rid of because they’re required to run my operations, because maybe it doesn’t run on newer hardware, I can’t afford EDR …

Howard: For those who don’t know, I’m going to mention some well-known — or infamous — zero-day attacks. You of course have heard about the SolarWinds supply chain compromise. Separately, there was a zero-day vulnerability that was found. There have been zero-day vulnerabilities exploited in LinkedIn, Facebook, and a few years ago one in the Starwood hotel chain that led to a big data theft. In fact, coincidentally, in last week’s podcast Dinah Davis mentioned an MIT report that said so far this year 66 zero-day exploits have been found — and the year isn’t over yet.

Terry: I think that’s because when there was an attack earlier this year source code was accessed. The attackers have taken that code back home, ripped it apart and they said ‘Oh, we can create all these additional exploits from here.’ And I think there’s also been a group of crowdsourced vulnerability experts who’ve come together to help test the code. So, for example, they’ll go on a website where [an application] is crowdsourced and anybody can post a comment and ask ‘How do I protect myself against this flaw?’ and next thing people say you need to do this, do this, do this. But in reality, they’re actually telling the attacker how to take advantage of that exploit.

Howard: One of the things that this report says is that while zero-day vulnerabilities are very serious, they were only a small number of the weapons used by most attackers. Most of them are exploiting older vulnerabilities that security teams haven’t patched yet. And as I mentioned in the news summary, intelligence agencies have put out a warning that one threat group has recently been seen exploiting unpatched vulnerabilities that were fixed in 2018 and 2019. We’ve talked before about the importance of patching quickly.

Terry: To be honest I still come across most of these exploits during penetration tests. In fact, I still come across one from 2015 which is the [Windows] EternalBlue. I can use that vulnerability to gain access to the Active Directory, rip down all the user names and passwords, and use a pass-the-hash attack and get access to other stuff … Everybody was supposed to have patched that, but sometimes these patches don’t come down via Automatic Update. You have to manually go and apply them. That’s the problem we’re seeing right now, is that organizations don’t have a proper patch management system in place and patches aren’t applied as quickly as possible.

Howard: Also one of the things that this report makes clear is that patching needs to be done in a more disciplined way. Every IT department has to decide what its priorities are and then patch the applications that affect the most valuable data. Would you agree with that?

Terry: I do. What we’re seeing, though, is that IT departments are seen as a cost center. Corporations are running with a budget that doesn’t have the proper resources to have a consultant come in and properly assess the environment. Patching is important. But you have to properly test patches in a test environment before making them live. Most companies don’t have a test environment, so they’re hoping nothing’s going to break.
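The interview above makes a point about SPF that is easy to get wrong: an SPF record only tells a receiver which hosts may send mail for a domain, so mail injected through a host the domain already authorizes passes the check. The following is an added example written for this page, not code from the podcast or from the FBI. It evaluates a small subset of SPF (the ip4, ip6, a and all mechanisms) against a constructed, hypothetical zone (example-agency.test, portal.example-agency.test and the IP addresses) instead of live DNS, and shows a message relayed through the authorized portal host passing SPF while a spoof from an unlisted address fails.

```python
"""Minimal SPF evaluator over a constructed DNS zone (added example, not the podcast's code).

Supports the ip4, ip6, a and all mechanisms with the +, -, ~ and ? qualifiers,
which is enough to show why SPF alone does not stop abuse of an authorized host.
"""
import ipaddress

# Constructed, hypothetical DNS data standing in for real TXT/A lookups.
DNS = {
    "example-agency.test": {
        "TXT": "v=spf1 ip4:198.51.100.0/24 a:portal.example-agency.test -all",
    },
    "portal.example-agency.test": {"A": ["203.0.113.10"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Return the SPF TXT record for a domain, or '' if none (constructed data)."""
    return DNS.get(domain, {}).get("TXT", "")


def lookup_a(domain):
    """Return the A records for a host, or [] if none (constructed data)."""
    return DNS.get(domain, {}).get("A", [])


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def spf_check(sender_ip, mail_from_domain):
    """Evaluate SPF for a connecting IP claiming MAIL FROM mail_from_domain.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Mechanisms outside the supported subset are skipped, which is the
    conservative choice for a demo; a production checker returns permerror.
    """
    record = lookup_txt(mail_from_domain)
    if not record:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        matched = False
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            host = argument or mail_from_domain
            matched = str(ip) in lookup_a(host)
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present


if __name__ == "__main__":
    # Authorized portal host: passes even if an attacker drove the send.
    print("portal host:", spf_check("203.0.113.10", "example-agency.test"))
    # Address outside every listed range: fails on -all.
    print("spoofer:    ", spf_check("192.0.2.77", "example-agency.test"))
```

The two calls at the bottom are the whole point: SPF answers "is this host allowed to send for this domain?", not "was this message legitimately composed?", so the control that would have mattered here is on the application side (fixing the flaw in the portal and limiting which internal systems can hand mail to the outbound server), with SPF, DKIM and DMARC reserved for stopping spoofing from outside.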
