2022 New Year Security Summary
Summary
First, let me start by saying that I am very sorry for the long pause. As some of you know I am a grad student and last semester was very brutal. I lost pretty much all my free time between work and school. I also was ill (non-COVID) for a couple of weeks and was out of commission. Lastly, over the holidays, I (like most of the rest of the cyber security world) was under pretty high alert and spent a lot of after-hours time perfecting my IDS and response systems. I am hopeful in 2022 to do better (just like I am every year). To assist with this, I am toying with starting a podcast in either an audio-only or an audio-video format. Please feel free to let me know if this would be of use.
News
Education
A nonprofit is warning that many of the programs and applications used by K-12 schools have major privacy and security flaws. One of the major contributors was the use of website technologies that let schools create dynamic content, but much of this has little to no safeguards against location tracking and other issues.
The Bloomington Illinois School District #87 published their insurance renewal details and it showed a 334% rise in premiums. This mirrors reports I have heard from some of those I know in the industry who have reported quite an increase this year. The linked report indicated this is because of a rise in the threats and the number of successful breaches requiring insurance payments.
SLTT
A rash of hacks against national and local government entities as well as infrastructure providers in Ukraine is likely the work of Russian actors. Many different security entities (both government and private) have independently come to the same conclusion.
One of the defacements made what some have called an amateurish attempt to frame Polish officials.
WhisperGate has been found to have been used in several of the attacks. This tool is used to delete drives and files.
Other attacks seem to have used some variants of NotPetya.
It appears that the Log4j vulnerability was used to gain initial access to at least some of the systems.
It is worth noting that in previous attack attempts by Russian actors they have not been very precise in their targeting, and Western governments and international companies have been caught up in the attacks.
The United States also indicated they would launch attacks against Russian targets if the attacks continue.
NATO announced they were taking an active role in helping Ukraine deal with the incident and defend against future attacks.
Everyone who deals with companies doing business in, or having connections with, America or Europe, or who manages infrastructure, should be on high alert.
A former Clerk Treasurer for Tenino was the victim of a phishing scam that cost the city over $280,000. The initial attack was sent to several treasurers across the state, but to date the Tenino treasurer is the only one known to have responded. Over the course of 3 months he made 20 transfers before he spoke with the alleged recipient of the transfers and learned the funds were not going where he thought. In its review, the state Auditor's Office found the two main factors that led to the attack were:
1) The Treasurer had access to all bank accounts and did not need a sign-off on transfers.
2) There was no outside review of account reconciliations.
Power
A cyberespionage campaign was discovered that is targeting industrial technology and renewable energy companies. There has not been a definitive identification of those behind it, but at least some activity was traced to APT28 (Snakemackerel, Swallowtail, Group 74, ...) and some to groups using Konni.
In a review of 2021 attacks against Industrial Control System manufacturers, Kaspersky showed that ~20% of the attacking payloads had a life span of 25 days or less before being replaced by new samples, and that they spread much less than others. This makes ICS attacks different from most others and may point to them being used mostly as backdoors.
Healthcare
Florida Digestive Health Specialists had to notify 200k+ of their patients that data was potentially compromised in a 2020 data breach. IT staff were first tipped off when multiple emails were found to have been sent from employees' accounts without their knowledge.
Mespinoza Ransomware (aka Pysa) is still being used against US health care entities. The same groups using this software are also attacking education sector targets. Many believe that Pysa is either being offered as Attack as a Service or is the work of a single entity operating under many fronts.
LogJam
Google's open-source team says ~36,000 packages contain vulnerable versions of Log4j. The report does a good job of breaking down the challenges that face developers as well as the paths that can be taken for quick remediation. Of particular concern are indirect dependencies, which will take a long time to trace back to source code.
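To show why indirect dependencies are the hard part, here is an added example (not from the Google report or any project it names) that walks a constructed `mvn dependency:tree` listing, finds every log4j-core artifact no matter how deep it sits, and reports the direct dependency that pulled it in. The 2.17.1 threshold is an assumption for illustration; confirm the current fixed version against the Apache advisory.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not taken from any real
# project); log4j-core only appears two levels down, behind an internal library.
SAMPLE_TREE = r"""com.example:app:jar:1.0.0
+- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
|  \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
|     \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
|        \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
+- com.example:internal-lib:jar:3.2.0:compile
|  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
"""

# A tree line is a run of 3-character prefixes ("+- ", "\- ", "|  ", "   ")
# followed by a Maven coordinate groupId:artifactId:packaging:version[:scope].
LINE_RE = re.compile(r"^(?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+).*$")
# Assumed threshold: treat log4j-core below 2.17.1 as needing remediation.
# Check this against the current Apache Log4j security advisory.
FIXED_VERSION = (2, 17, 1)


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); pre-release tags are reduced to their digits."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_log4j_core(tree_text, fixed=FIXED_VERSION):
    """Walk the tree and return every log4j-core node with its full path."""
    findings, stack = [], []  # stack[i] is the coordinate at depth i
    for line in tree_text.splitlines():
        m = LINE_RE.match(re.sub(r"^\[INFO\] ", "", line))
        if not m:
            continue  # not a tree line (build-log banners etc.)
        depth = len(m.group("prefix")) // 3
        del stack[depth:]  # pop back up to this node's parent
        stack.append(m.group("coord"))
        group, artifact, _pkg, version = m.group("coord").split(":")[:4]
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            findings.append({"version": version,
                             "vulnerable": version_tuple(version) < fixed,
                             "path": list(stack)})  # root first
    return findings


def report(tree_text):
    """One line per finding naming the direct dependency that pulls it in."""
    return [f"{'VULNERABLE' if f['vulnerable'] else 'ok'} log4j-core "
            f"{f['version']} via {' -> '.join(f['path'][1:])}"
            for f in find_log4j_core(tree_text)]
```

Only log4j-core carries the vulnerable lookup code, so log4j-api and log4j-to-slf4j entries are deliberately not flagged.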
The Belgian Ministry of Defense has confirmed that it suffered a cyberattack and that the point of entry was the Log4J vulnerability. Little detail was given, but it appears to have been a ransomware-type attack.
Jobs
Eastern Shawnee Tribe of Oklahoma has a Cyber Security Analyst position open.
Creek Nation in Tulsa has a Sr. IT Security Analyst position (as well as other IT positions) open.