2019 Week 4 Security Summary
The linked article is long but an interesting read. The gist is that cyber security has to rely on humans as the first line of defense and as the early warning system. It is yet another argument that the social sciences are as important, if not more so, than the automated, computer-driven systems that most cyber security relies on.
ISSA look ahead for 2019:
· DevOps will become a bigger player. The bad guys are getting more professional; they are starting to find bugs and flaws faster than the community and will take advantage of them.
· The focus is on third parties more and more (personal note: we saw an uptick in this in the last half of 2018). The idea is that if attackers can compromise your suppliers, they can use that as a back door around your on-prem security.
· More and more agencies will start moving to multifactor authentication to combat the soft threats.
· As more and more people use mobile devices for work, these devices will grow in importance to cybercriminals.
· Security culture means nothing if we don't protect the systems from the user and don't hold users responsible for their actions.
· Our users should be more of a human IDS than a human firewall.
· There are ~3 million devices with RDP enabled connected to the internet!
· IoT and IIoT attacks are among the up-and-coming threats, and it is a good bet that this trend will continue as more and more devices are released and manufacturers don't take security seriously. IIoT devices in particular need to be installed and configured by professionals who check to ensure they are secure.
· Several mentioned that cryptojacking is a big deal but not really that destructive. The one place it can be destructive is on PLCs and IIoT-type devices where latency is critical.
· Cryptojacking is not explicitly a crime in most places.
· Cryptojacking at the beginning of 2018 made up about 89% of detections.
· 1/5 of those who pay a ransom don't get their data back.
· Prevention is not currently 100%, so you have to have a response plan.
RDP is still a major security vulnerability due to its legacy code. A new ransomware package (Phobos, per the links below) takes advantage of out-of-date security practices.
- https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/
- https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew
- https://www.securityweek.com/hackers-using-rdp-are-increasingly-using-network-tunneling-bypass-protections
· Smart homes are hastening the trip to lesser security in the name of an easy life. We are quickly getting to a point where homes and businesses are networks unto themselves. Now we just need to figure out how to secure them and hold vendors accountable.
An OCR database from Ascension, a data analytics company, was left unsecured on a cloud storage service by OpticsML, one of their vendors/partners. This is another of those companies you don't do business with, but the company you do business with does (in this case your bank, so 3 degrees of separation). This means that under Oklahoma (and many other states') law, you really have no legal recourse. It looks like the data was loans from 2008 to present from Citigroup, HSBC, Wells Fargo, Capital One, and U.S. federal underwriters like the Department of Housing and Urban Development.
· I thought I had this in last week's installment, but maybe this actually came to light over the weekend. Basically, Carbon Black discovered a phishing attack that launches both GandCrab and Ursnif. This lets the attackers gather data on your system and then encrypt it to try to get some money from you.
- https://threatpost.com/phishing-gandcrab-ursnif/141182/
- https://cyware.com/news/new-phishing-campaign-threatens-victims-with-three-deadly-malware-infestations-b0601e3f
- https://www.bleepingcomputer.com/news/security/new-ursnif-malware-campaign-uses-fileless-infection-to-avoid-detection/
· There has been a lot of FBI, CERT, MS-ISAC and industry chatter about an active and persistent attack on DNS systems. This attack seems to mostly be targeting federal agencies (taking advantage of the shutdown?) but is also catching government entities at other levels as well as businesses that do business with government.
- https://www.infosecurity-magazine.com/news/dhs-emergency-directive-block/
- https://threatpost.com/gov-warning-dns-hijacking/141088/
- https://www.computing.co.uk/ctg/news/3069850/six-us-government-agencies-targeted-in-dns-hijacking-attacks
- https://www.cyberscoop.com/rep-langevin-need-dhs-briefing-understand-extent-dns-hijacking-threat/
· Another 2 banking databases were left open. One belonged to several online casinos; while researchers were looking at that one, they discovered that AIESEC also had an unprotected database on the same server.
- https://www.infosecurity-magazine.com/news/two-elasticsearch-databases-found/
- https://techcrunch.com/2019/01/23/financial-files/
· When is a DoS attack not a DoS attack? Basically, this new attack method piggybacks extra traffic on legitimate web and network traffic. That helps it avoid detection, and if you do block it, you are also blocking your own data. It is called Mongol, and I suspect you will see more of these types of tactics.
· Both Phoenix Contact and Cisco switches have multiple vulnerabilities that made the news and industry bulletins.
- https://www.securityweek.com/flaws-expose-phoenix-contact-industrial-switches-attacks
- https://www.securityweek.com/cisco-patches-flaws-webex-sd-wan-other-products
Ransomware took down Sammamish, Washington city systems and the Salisbury, Md. PD. Maybe of note, this is the 3rd attack on Salisbury PD in the last 5 years. In this one they attempted to negotiate a settlement, but ultimately restored from backups.
A bug in Exchange allows anyone with an email account to escalate their rights to Domain Admin. It requires running a couple of Python scripts followed by an older reflection attack that uses a relay attack on LDAP. It basically takes advantage of Exchange having Domain Admin rights and lets the attacker take those rights. Microsoft indicated there might be a patch in the next 30 days.
A Moxa IIoT product has a flaw that exposes it to remote attack/control.