Archive for June 21, 2022

Products Prevalent In Many Important Industries Are Home To Dozens Of Vulnerabilities

Posted in Commentary with tags on June 21, 2022 by itnerd

Security researchers have disclosed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products that they say demonstrate significant “insecure-by-design” practices.

Forescout issued the OT:Icefall report today, naming products prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.

The vulnerabilities fall into four main categories:

  • Insecure engineering protocols
  • Weak cryptography or broken authentication schemes
  • Insecure firmware updates
  • Remote code execution (RCE) via native functionality

Forescout also breaks down the impact across the 56 findings:

  • 38% allow for compromise of credentials
  • 21% allow for firmware manipulation
  • 14% allow remote code execution
  • 74% of the affected product families have some form of security certification

I have a pair of comments on this report. The first is from Rajiv Pimplaskar, CEO, Dispersive Holdings, Inc.:

“As the report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices pose appealing soft targets for threat actors as a significant percentage of the estate has vulnerabilities. Also, they tend to fall out of the purview of the IT organization’s responsibility and its cyber security program. Oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation and other operations technology (OT) intensive businesses should be especially vigilant and actively secure their OT estate using zero trust strategies and leveraging next gen VPN technologies that are capable of protecting both IT and OT assets. A key strategy is cloud obfuscation where source and destination relationships and sensitive data flows are anonymized and privatized using a smart secure communications overlay that makes it virtually impossible for a bad actor to even detect and target such vulnerable devices in the first place.”

Garret Grajek, CEO, YouAttest had this to say:

“This is an extremely alarming but not surprising finding. Hackers often go at known vulnerabilities in software – that’s noted and publicized. But deployment and misconfiguration errors are really the bread and butter. How the engineering pieces fit together is where the gaps usually are – and can be exploited. This is where man-in-the-middle attacks, form hacking and hijacking of sessions occur. Thorough pen testing through automated and manual means is a must to eliminate these errors – including a thorough overview of system and admin privileges.”

The report is very much worth reading because it seriously got my attention. Which means that if you’re in any of the sectors outlined in the report, it should get your attention.

UPDATE: I have three additional comments. The first is from Ron Fabela, Co-founder and CTO of SynSaber:

“While the breadth and depth of the vulnerabilities identified in OT:ICEFALL seem like a doomsday scenario, Forescout has just outlined what many of us in the industry already know: Protocols are not secure, unauthenticated, and other ‘insecure by design’ engineering choices that were never really meant to be CVEs. Again, these are not vulnerabilities as information security would identify them, but truly ‘that’s not a bug, it’s a feature’ for industrial. Protocols were designed to not use authentication, and although there are secure options for industrial protocols, there has been slow adoption. ‘Protocol does not use authentication’ could generate thousands of CVEs across multiple vendors and business lines, because there was never meant to be authentication. But does generating thousands of CVEs, tying up vendor product security teams and asset owners, really cause a positive impact on the security of our critical infrastructure? The OT:ICEFALL report is well constructed, highly detailed, and great insight from a security perspective on legacy ICS ‘vulnerabilities,’ however, because CVE numbers are being generated, this will trigger a swell of unnecessary tracking and management of vulnerabilities with no patch and few mitigations.”

The second is from Chris Olson, CEO of The Media Trust:

“The ongoing convergence of information technology (IT) and operational technology (OT) has paved the way to an ever-expanding host of OT vulnerabilities that will continue to threaten public safety and national security for years to come. Even when OT systems are designed with cybersecurity in mind, an unsafe IT perimeter creates channels which global cyber actors can use to compromise critical infrastructure, especially when remote industrial control systems (ICS) come into play.”

“Today, geopolitical tensions and the growing possibility of cyberwarfare makes OT vulnerabilities a preoccupation for nation state actors. Following the Florida Water Supply hack, the attack on Colonial Pipeline and many similar incidents, these vulnerabilities represent a proven threat to the United States. In response, organizations throughout the public and private sector should not only be taking steps to secure OT, but also to harden their IT defenses and lock down their digital ecosystem.”

The third is from Christopher Prewitt, Chief Technology Officer of Inversion6:

“IoT devices are often developed as commodity products that aren’t treated as enterprise products. The IoT software development process is immature, and the focus is not on security and the software lifecycle but on immediate functionality and value to the consumer.

Some product developers have been improving security within their product sets for some time, but this is a long, slow evolution, as some products may exist within the market for more than a decade. At the time of development, there wasn’t concern for how we would maintain this software for 10 to 15 years: how updates would be provided, how code would be compiled as processors, chipsets and compilers come and go.

In some cases, you may have a computer or software that is tied to a piece of industrial or healthcare equipment that is expected to have a 10- or 20-year life. Not enough thought was given to managing the hardware and software componentry.”

 

Email Threats Spike 101% Year Over Year Says Trend Micro

Posted in Commentary with tags on June 21, 2022 by itnerd

Trend Micro announced today that it blocked over 33.6 million cloud email threats in 2021, a 101% increase on the previous year. An increase of that size underlines that email remains a top point of entry for cyber attacks.

The data was collected over the course of 2021 from products that supplement native protection in collaboration platforms such as Microsoft 365 and Google Workspace. 

Other key findings include:

  • 16.5 million detected and blocked phishing attacks, a 138% increase as the hybrid workforce continued to be targeted
  • 6.3 million credential phishing attacks, a 15% increase as phishing remains a primary means of compromise
  • 3.3 million malicious files detected, including a 134% surge in known threats and a 221% increase in unknown malware

More positively, ransomware detections continued to decline by 43% year-over-year. This could be because attacks are becoming more targeted, along with Trend Micro’s successful blocking of ransomware affiliate tools such as Trickbot and BazarLoader.

Business email compromise (BEC) detections also fell by 11%. However, there was an 83% increase in BEC threats detected using Trend Micro’s AI-powered writing style analysis feature, indicating that these scams may be getting more sophisticated.

To read a full copy of the Cloud App Security Threat Report, please visit: https://www.trendmicro.com/vinfo/us//security/research-and-analysis/threat-reports/roundup/trend-micro-cloud-app-security-threat-report-2021

Retrospect Announces Retrospect Cloud for Simple Offsite Data Protection

Posted in Commentary with tags on June 21, 2022 by itnerd

Retrospect™, a StorCentric company, today announced Retrospect Cloud Storage, Retrospect Backup 19, and Retrospect Virtual 2022. With Retrospect Cloud Storage integrated into Retrospect, businesses have a complete ransomware protection and detection solution that encompasses on-premises and cloud protection. Retrospect Cloud Storage is a low-cost, high-availability (HA) cloud storage service, with 13 data centers located around the world. Retrospect Cloud Storage has been one of the most requested features from Retrospect’s customers, combining the simplicity of a single subscription with seamless integration into Retrospect Backup.

Ransomware continues to hamper businesses around the world, locking them out of their business workflows and demanding exorbitant payments. With the availability of Ransomware-as-a-Service (RaaS), those attacks will become even more frequent, targeting ever-wider segments of businesses. Organizations need tools to defend themselves, both to protect their data and to detect early signs of intrusion.

With Retrospect Backup 19 and Retrospect Virtual 2022, businesses around the world can now protect their critical infrastructure on Retrospect Cloud Storage, with complete support for immutable backups and anomaly detection, as well as on-premise with Retrospect’s deep support for NAS devices, including the new Nexsan EZ-NAS unit with Retrospect built-in, and tape libraries, including LTO-9 support.

Retrospect Cloud Storage is built on Wasabi Technologies’ Hot Cloud Storage, providing fast object storage, and layers advanced data protection features such as immutable backups on top of it. With Retrospect’s AES-256 encryption, data is encrypted before it leaves the customer’s site, so backups on Retrospect Cloud Storage remain unreadable to the underlying infrastructure providers, including Retrospect, Inc. and Wasabi Technologies, as long as the encryption key stays with the customer. Combined with multi-homed backups following the 3-2-1 rule (three copies of the data, on two different media, with one copy offsite), businesses hold encrypted on-premises and cloud copies to restore from after a ransomware attack.

Retrospect Backup 19

Also included in Retrospect Backup 19:

  • Backup Comparison: Businesses need to understand not only what is in a backup but what changed between backups. Using anomaly detection and backup comparison, administrators can identify exactly which files changed to trigger an anomaly and inspect their contents to confirm a genuine ransomware infection.
  • OS Compliance Checks: Many ransomware variants depend on unpatched systems for infiltration. Retrospect Backup now uses its extensive footprint to aggregate system information and identify systems that are not running the latest version of their operating system.
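
Backup comparison of the kind described above, as an added example that is not Retrospect’s code: two snapshots are diffed by file hash, and the diff is scored for ransomware-style anomalies (a large share of files touched, high-entropy rewrites, original paths reappearing with an appended extension, a dropped ransom note). The snapshots, the ransom-note name list and the thresholds are all constructed assumptions to be tuned per environment.

```python
import hashlib
import math
from collections import Counter
from pathlib import PurePosixPath

# Added example, not Retrospect's code. Two backup snapshots are modelled as
# {path: file bytes}; a real catalogue would store hash/size/entropy per file instead.


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for prose, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest(snapshot: dict) -> dict:
    """Per-file catalogue record: (sha256, size, entropy)."""
    return {path: (hashlib.sha256(blob).hexdigest(), len(blob), shannon_entropy(blob))
            for path, blob in snapshot.items()}


def compare_backups(old_snapshot: dict, new_snapshot: dict) -> dict:
    """Backup comparison: which files were added, removed or changed between two snapshots."""
    old_m, new_m = manifest(old_snapshot), manifest(new_snapshot)
    return {
        "added": sorted(set(new_m) - set(old_m)),
        "removed": sorted(set(old_m) - set(new_m)),
        "changed": sorted(p for p in old_m.keys() & new_m.keys() if old_m[p][0] != new_m[p][0]),
        "old_count": len(old_m),
        "new_manifest": new_m,
    }


RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "restore", "how_to")  # assumption: typical note names


def ransomware_indicators(diff: dict, change_ratio_threshold: float = 0.5,
                          entropy_threshold: float = 7.0) -> dict:
    """Anomaly detection over a backup diff. Thresholds are assumptions; tune them per estate."""
    new_m = diff["new_manifest"]
    touched = len(diff["changed"]) + len(diff["removed"])
    change_ratio = touched / diff["old_count"] if diff["old_count"] else 0.0
    # Mass-encrypted files look random: high entropy in files that are new or rewritten.
    high_entropy = [p for p in diff["added"] + diff["changed"] if new_m[p][2] >= entropy_threshold]
    # Encryptors commonly append an extension, so the original path shows up as removed
    # and the same path plus a suffix shows up as added.
    removed = set(diff["removed"])
    renamed = [p for p in diff["added"] if str(PurePosixPath(p).with_suffix("")) in removed]
    notes = [p for p in diff["added"]
             if any(h in PurePosixPath(p).name.lower() for h in RANSOM_NOTE_HINTS)]
    suspicious = bool(notes) or (change_ratio >= change_ratio_threshold and bool(high_entropy or renamed))
    return {"change_ratio": round(change_ratio, 3), "high_entropy": high_entropy,
            "renamed": renamed, "ransom_notes": notes, "suspicious": suspicious}


def _pseudo_random(seed: str, length: int = 1024) -> bytes:
    """Deterministic stand-in for ciphertext (sha256 chain) so the example runs reproducibly."""
    out, block = b"", seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample snapshots: a baseline, a normal day's changes, and a ransomware run.
_TEXT = b"Quarterly report: revenue up 4 percent, see the attached tables for details.\n" * 8
BASELINE = {f"docs/file{i}.docx": _TEXT + str(i).encode() for i in range(5)}
BASELINE["docs/notes.txt"] = _TEXT

NORMAL_DAY = dict(BASELINE)
NORMAL_DAY["docs/notes.txt"] = _TEXT + b"Edited on Monday.\n"
NORMAL_DAY["docs/new_memo.txt"] = _TEXT[:120]

BAD_DAY = {"docs/notes.txt": _TEXT}
for _i in range(5):
    BAD_DAY[f"docs/file{_i}.docx.locked"] = _pseudo_random(f"file{_i}")
BAD_DAY["docs/README_DECRYPT.txt"] = b"Your files are encrypted. Contact us to recover them.\n"


if __name__ == "__main__":
    for label, snap in (("normal day", NORMAL_DAY), ("bad day", BAD_DAY)):
        print(label, ransomware_indicators(compare_backups(BASELINE, snap)))
```

On the constructed data the normal day scores one changed file and nothing else, while the ransomware run trips every indicator at once; in practice the change-ratio threshold is the one to calibrate against the estate’s normal daily churn.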

In addition, Retrospect Backup 19.1 will be released on August 30 with the following features:

  • Multi-Factor Authentication (MFA): Identity protection is important even for on-premises applications. Retrospect Backup will support configuration encryption and multi-factor authentication combined with a password prompt, so that even an attacker with administrative access to the computer where Retrospect Backup runs cannot open the program or decrypt its configuration files without the second factor.
  • Flexible Immutable Retention Periods: Retrospect will support an additional retention type in which it extends the immutability period of past backups instead of re-including that data in new backups.
  • Additional 12 Worldwide Locations for Retrospect Cloud Storage: Retrospect Cloud Storage will include twelve additional worldwide locations, certifying each of Wasabi’s data centers around the world.
  • Microsoft Azure for Government: Retrospect will support blob storage on Microsoft Azure for Government to enhance support for state and local agencies looking for data protection in a US-based high-security data center.

Finally, Retrospect Management Console, the hosted backup analytics service, will be updated on August 30 to include the following features:

  • Multi-Factor Authentication (MFA): Identity protection is crucial for cloud services, and Retrospect Management Console will offer app-based multi-factor authentication for a more secure workflow.
  • Redesigned Reporting: The dashboard will be redesigned to better aggregate information for larger environments to address reporting pains in significantly larger backup infrastructure.
  • User Roles: Organizations will be able to assign roles to individual users, with “Administrators” able to access any function within the service and “Viewers” able to utilize the extensive reporting capabilities without worrying about changing any settings.
  • Audit Log: Administrators will be able to access a full audit log for actions taken by any users on their account.
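
The app-based MFA promised for Retrospect Backup 19.1 and for the Management Console above is, in practice, TOTP. The following is an added example, not Retrospect’s implementation, of enrolment and verification using only the Python standard library, including the two server-side checks a practitioner should insist on: a bounded clock-skew window and rejection of an already-accepted code. The RFC 4226/6238 test secret is used in the usage section; the account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse
from typing import Optional, Tuple

# Added example, not Retrospect's code: RFC 4226 HOTP and RFC 6238 TOTP, the scheme behind
# app-based authenticators, plus the server-side checks that make the second factor worth having.


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the big-endian 64-bit counter, dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter derived from Unix time in `step`-second slices."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, *, window: int = 1, step: int = 30,
                digits: int = 6, last_used: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Server-side check. Accepts the current step or up to `window` steps either side (clock
    skew), compares in constant time, and refuses any counter at or before `last_used`, so a
    code captured by a keylogger or phishing page cannot be replayed inside the window.
    Returns (accepted, counter) so the caller can persist the counter as the new `last_used`."""
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, None


def enroll(account: str, issuer: str, secret: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Generate a 160-bit seed (or take a supplied one) and the otpauth:// URI an authenticator
    app scans. The seed must be stored server-side as carefully as a password hash."""
    secret = secret or os.urandom(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}"
           f"&issuer={urllib.parse.quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    # RFC 6238 test secret; account and issuer are placeholders.
    seed, uri = enroll("admin@example.test", "BackupConsole", b"12345678901234567890")
    print(uri)
    print("8-digit code at T=59 (RFC 6238 vector is 94287082):", totp(seed, 59, digits=8))
    print("code now:", totp(seed, int(time.time())))
    print("replay rejected:", verify_totp(seed, totp(seed, 75, digits=8), 75, digits=8, last_used=2))
```

Keep `window` small (one step either side is the usual compromise) and persist the accepted counter: without the replay check, a code phished a few seconds earlier stays valid for up to three 30-second steps.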

Retrospect Virtual 2022

Included in Retrospect Virtual 2022:

  • Faster Backups and Restores: Fast data protection is critical in physical and virtual environments. Retrospect Virtual is now significantly faster at backups and restores.
  • Backup Data Deduplication: With advanced data deduplication, Retrospect Virtual can now protect a larger amount of data in a smaller storage space.
  • Hyper-V 2022 Support: Hyper-V 2022 is the latest version of Microsoft’s virtualization software, and Retrospect Virtual is now fully certified for it.

Pricing and Free 30-Day Trial

For Retrospect Backup pricing details, please visit: https://www.retrospect.com/store. To request a free 30-day trial, please visit: https://www.retrospect.com/try.

General Availability

Retrospect Backup 19.0 and Retrospect Virtual 2022 will be generally available on July 12, and Retrospect Backup 19.1 and Retrospect Management Console updates will be generally available on August 30.

Ninety Percent Of Canadian Organizations Indicate That They Have Experienced A Cyberattack In The Past Year: CDW Canada

Posted in Commentary with tags on June 21, 2022 by itnerd

CDW Canada today launched its annual Security Study, Advancing the Maturity of Canadian Organizations, which explores the state of IT security in Canada and evaluates the top cybersecurity challenges facing Canadian organizations today. The report uncovered that as the cybersecurity threat landscape evolves, Canadian organizations have become over-exposed to cyberattacks.   

CDW’s Security Study revealed regardless of size, industry or location, 90 percent of Canadian organizations surveyed have experienced a cyberattack in the past year. As cyberattacks increase in frequency, sophistication and severity, more organizations are taking a Zero-Trust approach to security.  

Additional highlights from the report include:   

  • Nearly three-quarters (73%) of Canadian companies surveyed reported having experienced data infiltration attacks with ransom demands in the past year, and 76% reported repeat ransom demands.
  • 30% of organizations have adopted Zero Trust, while another 40% have adoption in progress.

There are many more findings outlined in the report, which can be accessed here. It’s very much worth a read.

New APT Group Targets Exchange Servers in Asia & Europe

Posted in Commentary with tags on June 21, 2022 by itnerd

An APT group has been actively targeting Microsoft Exchange servers since at least December 2020, according to researchers at Kaspersky’s Global Research & Analysis Team (GReAT). The researchers also found a previously unknown passive backdoor they named Samurai and a new trojan dubbed Ninja. Both allow the attackers to take control of infected systems and move laterally within the victims’ network. Which of course means that these malware strains are very dangerous.

Christopher Prewitt, CTO of Inversion6 had this commentary:

“In March of 2020, Microsoft released patches to fix the Exchange exploit. It was thought that Chinese nation-state actors were the ones who uncovered this vulnerability and were exploiting it prior to discovery and disclosure. ToddyCat, likely linked to Chinese espionage activities, has been focused on Europe and Asia using the familiar China Chopper web shell.

The Samurai backdoor has in some cases been used to deploy a post-exploitation toolkit dubbed Ninja. Ninja allows for full control of a system, including shell access, and appears to have been developed by ToddyCat.”

My thoughts go something like this. While these attacks are presently targeted towards high-profile entities in Europe and Asia, I can see this branching out to North America. Assuming that it hasn’t already. Thus I would make sure that your Exchange servers have all the patches needed to defend against this exploit.

UPDATE: Aimei Wei, CTO and Founder, Stellar Cyber added this commentary:

“When a vulnerability is discovered, it takes time for the patch to be available for all the impacted software releases. Usually, the newer releases get patched faster than older ones. It could take more than a year for patches to be available for earlier releases. The new ToddyCat APT group that has been actively targeting Microsoft Exchange servers since at least Dec. 2020 is still exploiting the vulnerability to attack even more entities from more countries. While actively patching the systems is critical to being protected from the attacks, it can’t always be achieved within a short period of time, so having a threat detection and response system that can effectively detect lateral movement and help stop the attacks at an early stage is an important catch-all mechanism.”

And Jake Williams, Executive Director of Cyber Threat Intelligence for SCYTHE had this to say:

“The Samurai backdoor is a textbook example of a tool used to expand beachhead access to an internal network. After the backdoor is deployed on an Internet-facing Exchange server, network redirection modules are deployed that facilitate access by the threat actors to the internal network. Network redirection isn’t new, but it is especially useful when deployed on a server that is expected to communicate with many external and internal destinations. While zero-trust networking principles could limit some communication, threat actors will always execute actions on objectives on endpoints inside the network. A combination of network and endpoint controls, configured in alignment with the organization’s specific operational model, will be required to detect stealthy actors like ToddyCat after they gain access to a network.”
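
Both commentators above point at the same foothold: a web shell such as China Chopper, or a backdoor, sitting on an Internet-facing Exchange server. An added example, not Kaspersky’s or Microsoft’s tooling, of the kind of check to run on such a server while waiting for patches: scan the IIS W3C logs of the Exchange front end for requests to .aspx files under the front-end directories that are not in a known-good baseline, and count them per client. The log lines, the baseline of legitimate pages and the list of monitored directories are constructed assumptions; build the real baseline from a clean server of the same build.

```python
from collections import Counter

# Added example, not Kaspersky's or Microsoft's tooling. Scans IIS W3C logs from an Exchange
# front end for .aspx requests that fall outside a known-good baseline. MONITORED_DIRS and
# KNOWN_GOOD_ASPX are assumptions: derive them from a clean server of the same build.
MONITORED_DIRS = ("/owa/auth/", "/ecp/auth/", "/aspnet_client/")
KNOWN_GOOD_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}


def parse_iis_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def webshell_reason(rec: dict):
    """Return why a request looks like web-shell traffic, or None if it is unremarkable."""
    stem = rec["cs-uri-stem"].lower()
    if not stem.endswith(".aspx") or not stem.startswith(MONITORED_DIRS):
        return None
    if stem in KNOWN_GOOD_ASPX:
        return None
    if rec["cs-method"] == "POST":
        return "POST to unknown .aspx in monitored Exchange directory"  # commands to a shell
    return "request for unknown .aspx in monitored Exchange directory"


def find_webshell_activity(text: str):
    """Return (hits, per-client counts) over an IIS W3C log."""
    hits = []
    for rec in parse_iis_w3c(text):
        reason = webshell_reason(rec)
        if reason:
            hits.append({"time": f'{rec["date"]} {rec["time"]}', "client": rec["c-ip"],
                         "path": rec["cs-uri-stem"], "status": rec["sc-status"],
                         "agent": rec["cs(User-Agent)"], "reason": reason})
    return hits, Counter(h["client"] for h in hits)


# Constructed sample log: two normal OWA sessions and one client working a dropped shell.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-06-21 08:00:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/ 302 0 0 31
2022-06-21 08:00:02 10.0.0.5 GET /owa/auth/15.2.986/themes/resources/logo.png - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/ 200 0 0 4
2022-06-21 08:00:07 10.0.0.5 GET /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 12
2022-06-21 08:00:09 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 88
2022-06-21 08:00:15 10.0.0.5 POST /owa/auth/current/themes/resources/x.aspx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 41
2022-06-21 08:01:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9
"""


if __name__ == "__main__":
    found, per_client = find_webshell_activity(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("clients:", dict(per_client))
```

A hit on an .aspx the baseline does not know about is a reason to pull the file from disk and compare it against the installation media, not yet proof of compromise; the per-client count separates a scanner that probed once from an operator who is actually issuing commands.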

Takeda Canada Innovation Challenge Awarded To Pentavere 

Posted in Commentary with tags on June 21, 2022 by itnerd

Pentavere Research Group Inc. has been awarded the first Takeda Canada Innovation Challenge. The Innovation Challenge was launched in January 2022 to accelerate partnerships in identifying new digital technologies and artificial intelligence (AI) solutions that support enhanced patient care in inflammatory bowel disease (IBD) or rare disease conditions.  

Pentavere Research Group Inc. is a clinical discovery company that has developed a breakthrough, proprietary, artificial intelligence (AI) engine called DARWEN™, which accelerates discovery from vast amounts of clinical text.  DARWEN™ unlocks value, insights and evidence from clinical information which is impossible to analyze by human intelligence alone.

Pentavere will have the opportunity to collaborate and benefit from Takeda’s expertise and extensive international network, as well as funding, to build a proof of concept project in the areas of rare diseases.

The Takeda Canada Innovation Challenge received multiple submissions within the fields of early diagnosis or integrated and personalized care, applicable to the therapeutic areas of inflammatory bowel disease (ulcerative colitis or Crohn’s disease) or rare genetic diseases.

Guest Post: Almost 70% Of Email Scammers Leave The ‘Subject’ Line Empty Says Atlas VPN

Posted in Commentary with tags on June 21, 2022 by itnerd

In phishing attacks, scammers will employ social engineering techniques to get you to click on their email.

According to the data presented by the Atlas VPN team, 67% of scammers leave the ‘subject’ line empty in malicious emails. No other subject line comes close to that share, so an empty subject is a useful red flag when identifying a phishing email.

About 9% of attackers would type in ‘Fax Delivery Report’ in the subject line of phishing emails. Nearly 6% of email scammers enter ‘Business Proposal Request’ as the subject line. Furthermore, 4% of threat actors would write a simple ‘Request’ as the email’s subject. Another 4% of attackers are trying to set up a ‘Meeting’ with their victims.

Almost 3.5% of scammers would send emails with the subject ‘You have (1*) New Voice Message’. Moreover, 2% of threat actors would type in ‘Re: Request’ in the subject of their phishing emails.

The tactic used in phishing emails is often to urge the user to click on the email or link without much thought. Some subjects are directed at business employees who might have real and fake ‘meetings’ or ‘business requests’ mixed in their inboxes.

To read the full article, head over to: https://atlasvpn.com/blog/study-almost-70-of-email-scammers-leave-the-subject-line-empty

Website Retailers Selling Domains Meant For Illicit Goods And Services: Digital Citizens Alliance

Posted in Commentary with tags on June 21, 2022 by itnerd

Domain names geared to offer illicit goods and services – from illegally purchased guns to opioids to Covid vaccine cards – remain easy to acquire from leading registrars and domain brokers, a Digital Citizens Alliance investigation has found.

The findings of the “Peddling for Profit” report are troubling and show that, despite warnings, little has been done to prevent the sale of website domains designed for illegal activity. Just last year, Digital Citizens investigators raised alarms about the ease with which registrars and domain brokers enabled the creation of websites designed to profit from illegal and/or illicit activities.

Little stands in the way of bad actors being able to create websites – such as buyillegalassaultweapons.co – designed for illegal activity.

When Digital Citizens sought sketchy domains such as covidvaccinecardsforsale.net, brokers that help acquire previously registered names asked no questions even when investigators informed the broker of the intent to “market to the unvaccinated who want Covid cards.”

A decade after the opioid crisis went from bad to catastrophic, domains offering the drugs – without a prescription – are easily attainable. Digital Citizens registered buyopioidswithoutrx.biz. And while many Americans are victimized by ransomware or other cyberattacks, registrars make it easy to acquire domains such as Malwareforsale.com.

Americans are looking for these website retailers to step up. Eighty-two percent of Americans said that they want companies selling tech services to business websites to regularly verify the identity of the company operators, according to a YouGov survey commissioned by Digital Citizens. In addition, 54 percent reported that if companies met these obligations, they would protect consumers from scammers, hackers, and thieves.

To read the Peddling for Profit report, go to:
https://www.digitalcitizensalliance.org/clientuploads/directory/Reports/DCA-Peddling-For-Profit.pdf 

To view the YouGov polling, please visit the appendix of the report.

Cloudflare Tanks For Several Hours Taking A Whole Lot Of Websites And Apps With It

Posted in Commentary with tags on June 21, 2022 by itnerd

Web domains and apps failed to connect this morning due to an outage at content delivery network provider Cloudflare. This impacted tens of thousands of users of those websites and apps. To the company’s credit, it identified the problem and fixed it within a few hours, based on this. But the outage still caused chaos, because when Cloudflare goes down, the entire Internet feels it.

Having said that, things should be back to normal. Unless perhaps you’re an Office365 user.

UPDATE: The issue was caused by a network configuration error according to Cloudflare.

Microsoft Office365 Appears To Be Having Issues

Posted in Commentary with tags on June 21, 2022 by itnerd

Are you having trouble with Microsoft Office365 this morning? If so, you’re not alone as it appears to be having issues. Users have been reporting the following:

  • Being asked to relogin to their accounts
  • Emails stuck in queues and not getting delivered
  • Not being able to access their Exchange Online mailboxes via any connection method they tried. 

Microsoft appears to have acknowledged that there’s a problem.

I’ve done some testing with a couple of Office365 accounts and I only have issues with one of them. So this is a thing quite clearly. I’ll be keeping an eye on this as this is possibly going to impact a large number of people.