The IT Nerd

The FDIC is reporting disappointing results after the Office of Inspector General performed an audit of its controls for securing and managing its Microsoft Windows Active Directory which it uses for central management of all IT system user credentials.

According to auditors, privileged system users didn’t practice simple password hygiene such as:

• Reusing their passwords 
• Sharing passwords across multiple accounts
• Failing to change passwords for over a year

In addition, the probe found that, in over 900 cases, the accounts of users were not removed after prolonged inactivity. They also found three FDIC IT accounts with privileged access that remained privileged for almost a year after the access was no longer required for their positions.

Since the audit findings, the FDIC IG has made 15 recommendations to the agency for improving security controls such as providing password training and the removal of unnecessary privileges. This brings into question what training may have been up until now for password and credential controls, and other widely-used cybersecurity issues such as phishing, for example. 

Details of the cybersecurity concerns come as the financial regulator headlines the SVB failure, and following another report published earlier this year also by the OIG, which found that the FDIC is not doing enough to monitor cyber risks within the institutions it regulates.

Oh boy.

I have there comments on this rather shambolic audit. The first is from

Naveen Sunkavalley, Chief Architect at Horizon3.ai had this comment: 

   “The issues highlighted in the audit – password re-use, excessive account privileges, and the failure to deactivate stale accounts – are very serious and commonly exploited by threat actors. These issues make it easier for an attacker to compromise an account and then use that single account to take over many other accounts and elevate privileges, ultimately leading to full compromise of AD and all AD-managed assets.

   “The FDIC is not alone though. We see the same problems in many of the organizations we work with. And the problems can easily recur after being fixed once, as users join or leave an organization, or users change passwords. We recommend regular security assessments of Active Directory environments to identify issues and address them as soon as possible. 

Baber Amin, COO at Veridium had this to say:

This report highlights two fundamental problems.

1. Reliance on knowledge based credentials and trusting that humans will not follow the path of least resistance. Training is important, but we now have the means to eliminate passwords for the most part. The report continues to focus on password quality rather than asking for removal of passwords. Strong passwords that are not shared or reused actually do not need to rotate or update often. There is ample evidence on this.
   • Multi factor authentication should also play a larger role than how it is treated in the report. This is the first line of defense.

Action:  Don’t put a training band aid, eliminate the problem, eliminate passwords.

2. Orphan accounts and access, and overarching entitlements
   • I put these under the access umbrell  Organizations need to embrace the concept of least privileged access and grant only the minimal amount of access necessary for the minimal amount of time. We have multiple entitlement management products and services that can root out orphan accounts, access sprawl, and even unused or orphan access grants.  These tools need to be used on a regular basis.

Action: Limit access grants, use privileged access management tools to monitor privileged activity, use smart entitlements to limit overarching access, use smart monitoring to identify probes, and anomalies.

Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:

   “The fact that privileged users were found to be reusing passwords and sharing them across accounts, as well as failing to change passwords for extended periods, indicates a lack of awareness about the importance of good password hygiene practices.

   “Moreover, the incorrect account configurations, and the discovery that user accounts were not removed after prolonged inactivity, reveals a lack of oversight in managing user accounts. These are common weaknesses that leave agencies vulnerable to cyber attacks, particularly ransomware attacks, which have only increased year over year.

   “For all their potential resources, government agencies clearly need to prioritize cybersecurity best practices and implement robust security controls. This includes providing password training to users, regularly reviewing user accounts and privileges, and removing unnecessary elevated domain privileges.”

It’s bad enough that smaller businesses suffer from these sorts of issues. But for the FDIC to have these sorts of issues is insane. Hopefully this is the wake up call that they need to move them into a much better place. And everybody else should read this report and ensure that they don’t have any of these issues as well.

Hot on the heels of the downfall of Silicon Valley Bank, there are growing concerns regarding threat actors using the news to target users with phishing and credential stealing attempts. I am going to be watching this story closely to see if that is the case. But in the meantime, I already have commentary from Yaron Kassner, CTO and Cofounder, Silverfort:

     “As always, uncertainty and panic are threat actors’ closest allies, and we are already witnessing a distinct surge in fraud attacks that attempt to leverage the confusion to lure users into fraudulent transfers as well as credential disclosure.

“For example, threat actors will impersonate suppliers, claiming it has moved from SVB to another bank, urgently asking you to wire payment to this new account.

“Additionally, attackers will send emails impersonating FDIC, SVB or another government agency with a reassuring message that a deposit in SVB can be fully returned. However, users must urgently login to their new bank account in a provided link. Needless to say, this link leads to an adversary-controlled web page, with credentials now being compromised.

“Business email is the primary attack vector adversaries employ to deliver fraud attacks. While employee education is paramount in counteracting these attempts, it must be paired with security control. To prevent threat actors from compromising user accounts and sending messages on their behalf, organizations should enforce the following:

• Enforce MFA verification on any access to an employee’s email address.
• Disable legacy email protocols that are more susceptible to compromise.
• Block access to email from risky locations”

While I hope I am wrong, I expect a wave of attacks because of the downfall of Silicon Valley Bank. Because for threat actors, this situation is too good to pass up.

On Friday the White House said it would require states to report on cyber threats noted in their audit reports of public water systems. This comes a day after they released their new cybersecurity strategy:

The Environmental Protection Agency said public water systems are increasingly at risk from cyberattacks that amount to a threat to public health. 

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox. “Cyberattacks have the potential to contaminate drinking water.” 

Fox said the EPA would assist states and water systems in building out cybersecurity programs, adding that states could begin using EPA’s guidance in their audits right away. The agency did not respond immediately to questions about enforcement deadlines.

Public water systems could be easy targets for hackers and with minimal security attention/funding might act as a front door to ransomware attacks not unlike the recent attack on Oakland, CA.

Jan Lovmand, CTO of BullWall had this to say:

   “Often forgotten in the battle to prevent cyber attacks, physical municipal infrastructure such as public water supplies can provide an open attack surface for hackers, as evidenced by 2021 attack on a Florida water supply. The EPA Assistant Administrator, Radhika Fox, noted that a threat to public water systems is also a threat to public health, as cyber-attacks have the potential to contaminate drinking water and said that it is essential to address the cybersecurity of these systems as a top priority to protect public health.

   “The cyber risk to public water systems is not just due to their connectivity to government networks, as it could be just as easy to shut down a city by controlling their water supply as any other aspect of their infrastructure. Municipalities that do not prioritize cybersecurity and do not have robust protections in place are at higher risk of falling victim to these types of attacks.

   “The White House is proposing that states report on cyber threats noted in their audit reports of public water systems and the EPA is offering guidance to states to assist them in building out their water supply cybersecurity programs. However, given the critical importance of these systems to public health and safety, municipalities had best prioritize cybersecurity investments now, to prevent cyber-attacks and safeguard their water supplies.”

David Brunsdon, Threat Intelligence, Security Engineer at Hyas follows up with this comment:

   “Water systems utilize a significant amount of automation and are monitored simultaneously by the control systems, and human operators. Like in Florida, 2021, threat actors could misuse the system to introduce chemicals to the water. A more sophisticated attack would be covert and would obfuscate the changes from both the plant operators and automated monitoring systems.

   “Municipal governments and water treatment plants are vulnerable to well-funded nation-state actors, and so protecting water systems should be considered a national security concern.”

This is a good move by the EPA and I hope this leads to an improvement in terms of the security of these facilities. Because really bad things could happen if these facilities don’t up their game.

The Biden Administration has released the National Cybersecurity Strategy is out. And it has some interesting details:

The strategy – shaped by major hacking incidents that threatened key public services in the first year of the Biden administration – embraces the US government’s regulatory and purchasing power to force companies that are critical to economic and national security to raise their cyber defenses.

It reflects a widely held belief in the US government that market forces have failed to keep the nation safe from cybercriminals and an array of foreign governments such as Russia and China. 

“We ask individuals, small businesses and local government to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” Acting National Cyber Director Kemba Walden told reporters Wednesday. “This strategy asks more of industry, but also commits more from the government.”

The strategy is a policy document and not law, but it could shape corporate behavior for years to come as firms compete for billions of dollars in federal contracts that increasingly require a minimum set of cybersecurity defenses. And the White House says it wants to work with Congress to develop legislation that holds software makers liable when their products and services don’t provide adequate protections from sabotage.

Edgard Capdevielle, CEO of ICS/OT Cybersecurity Vendor of Nozomi Networks had this to say: 

“The National Cyber Strategy’s non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and Boards alike. While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces is going to be difficult. As it is for most companies in this macroeconomic climate. We look forward to working with our U.S. critical infrastructure partners, just as we have with their international counterparts, to meet changing regulatory guidelines with the best defenses and visibility possible.” 

The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats. Hopefully this is effective at stopping the sort of large scale attacks that we’ve seen over the last few years.

UPDATE: Craig Burland, CISO of Inversion6 had this to say:

This strategy continues a trend of a more activist federal government pushing cybersecurity forward. Within the last 12 months or so, you can see increased announcements and initiatives from CISA, as an example, that foreshadowed something broader. The pillars build on existing ideas and cyber principles – defend critical infrastructure, support the nation’s collective defense, and embrace secure by design. That last item has been discussed in solution development forums for years, but hasn’t become a norm for producers. 

The real test will come in the pronouncements that follow.  A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming.  How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer.

Security researchers at Zscaler ThreatLabz observed threat actors using the open-source C2 framework known as Havoc in attack campaigns targeting government organizations.

The Havoc framework is an advanced post-exploitation command and control framework is an alternative to paid options such as Cobalt Strike and Brute Ratel and is capable of bypassing the most current and updated version of Windows 11 Defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation.

Matt Mullins, Senior Security Researcher at Cybrary had this to say:

   “Command and Control (or C2) frameworks are nothing new to the threat actor community. For a long time, the FOSS (Free and Open-Source Software) community had a harder time keeping up with the features and functionality associated with premium paid tools like Cobalt Strike. This left learners, lower budget teams, and criminal groups with limited options around older frameworks like Empire, Metasploit, and some very basic custom tooling.

   “This all changed around 2018, when it seems that C2 frameworks simply exploded in options. There were a number of very sophisticated tools that reached a fair degree of maturity (such as Sliver, Mythic, etc.) while older frameworks were forked and revisited (such as BC-Security’s Empire fork) that gave a wonderful buffet of options to the aforementioned groups.

   “As with most things in the industry, as these options became available, so did the options being implemented in threat actor TTPs. Outside of these robust options being made available, paid tooling was beginning to be leaked. Cobalt Strike has had its source code leaked a number of times now, along with other paid tools being shared and cracked. Cracked software is nothing new but what is interesting is the specific shift of criminal groups to target cracking of red team software, as well as red teams for licenses.

   “With such a cornucopia of options available to criminals, the detections and patterns used to previously sink paid tools aren’t nearly as effective. Take for consideration Cobalt Strike, it was already a big waste of money even back in 2018 because nearly every IR team, EDR tool, or any other defensive capability under the sun, has detection ruling built for a majority of its offerings. This means that it was only useful to advanced red teamers, or criminals, because of the amount of customization needed to get it to work. This brings me back to the original point, why would anybody waste their money or time on Cobalt Strike when they can just download Havoc and it “works” off of the shelf and bypasses detections? Criminals now no longer need to hunt for licenses or crack software, while red teams don’t need to pay absurd prices for tools that they have to know how to use and customize.

   “The cat-and-mouse game of detection and innovation is about to accelerate in favor of the offensive side because of this blooming of C2s. Reflecting on the implementation of new tools like ChatGPT, along with other AI tools, and you now have more rapid generation of payloads, phishing emails, and other attacker-beneficial aspects. I can only surmise that we will see more breaches (and thus more potential undetected breaches) as a result of this increase in options and sophistication.”

The best thing about this for threat actors is thatit’s free! Which is bad for you and I.

A new North Korean malware M2RAT, discovered by ASEC researchers (Translation here) is in the wild. It begins with a phishing attack, installing its malware via a downloaded jpeg using steganography. Then the malware performs keylogging, data theft, command execution, and the taking of screenshots from the desktop. As if that’s not intrusive enough, it locates any attached portable devices such as phones, scans them for documents and voice recording files and transfers them to the attacker’s servers.
 
The malware is being used by the RedEyes attack group (aka APT37, ScarCruft), a North Korean cyber espionage hacking group believed to be state-supported. The group targets personal PC information and mobile phone data of specific individuals, not companies. The malware is distributed through the Hangul word processor EPS vulnerability (CVE-2017-8291). The vulnerability used in the attack is old and has been patched in newer versions of the word processor. The attackers seemed to know in advance that the targets are using the older version of the word processor that supports the EPS.

James Lively, Endpoint Security Research Specialist for Tanium:

   “While M2RAT, the capabilities, and the delivery process are indicative of a state-sponsored APT, the initial access vectors are the real highlight here. Phishing and exploiting unpatched services and software are generally the easiest and most cost-effective methods to gain access to a target network.

   “APTs have a reputation for operating solely out of memory while using encrypted communications to their C2’s. It’s difficult to detect malicious activity within memory without escalating costs and business disruptions. Combined with encrypted C2 communications, network analyzers are often rendered ineffective since they cannot identify traffic.  Based on these factors, it’s extraordinarily difficult to identify a sophisticated attacker, such as an APT, once they have gained a foothold inside of a network.”

   “It’s important for organizations to employ phishing training and campaigns often, ideally monthly or quarterly, to raise employee awareness and help them identify and report phishing attempts. Unpatched services and software allow attackers to use even decade old vulnerabilities to gain access. Proper asset management, inventory, and patching are critical to fortifying an enterprise against attackers seeking low hanging fruit. It only takes one employee to click a malicious link or unpatched system to compromise a network and potentially the entire enterprise.

While this is highly targeted malware, I suspect it’s a matter of time before attacks become broader in nature. Thus my advice would be to ensure that every endpoint, server, mobile phone, etc is fully patch to defend against this and other threats.

 

Yesterday, the CISA released a waring that North Korean government-backed hackers have conducted ransomware attacks on health care providers and other key sectors in the US and South Korea. Then they used the proceeds to fund further cyberattacks:

This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.

The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments— specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.

Sanjay Raja, VP, Product Marketing and Solutions at Gurucul had this comment:

“Healthcare institutions have already been a target for threat actor groups as they know they have constrained resources and budgets and maintain a wealth of personal and financial information on patients, and disruption can be catastrophic. North Korea’s use of common attacks indicates that these hospitals have neither managed to patch vulnerabilities nor have implemented monitoring solutions with a strong set of threat models to detect these common attacks. North Korean threat actor groups may have also developed variants that can evade solutions, like traditional SIEMs or XDR, that fail to implement trained machine learning in their analytical models that can adapt to new and unknown attack variants.

“Constrained security teams need solutions that focus on leveraging a unified set of advanced analytics, including those that can provide an early warning to known variants of attacks through behavioral analytics, such as UEBA. Identity analytics is also critical for security teams to leverage as stolen credentials is a common method of compromising healthcare systems. These two capabilities along with more traditional endpoint, network and cloud threat detection can help these hospitals with accelerating detection and eliminating manual tasks that burden security teams and waste time.”

Lovely. This is just the latest warning about North Korea and their hacking activities. Which means that given how prolific they are at hacking all the things, you should be paying attention to this and make adjustments to protect yourself.

UPDATE: Matt Marsden, VP, Technical Account Management at Tanium added this comment:

It is not surprising to see North Korean state actors using techniques generally attributed to cybercrime and ransomware gangs. We’ve seen that North Korea will seek to use whatever methods possible to fund weapons and cyber programs.  This activity demonstrates the significance of shifting the focus of cybersecurity from traditional compliance to active defense.

A threat-informed approach to defense requires agility, comprehensive visibility, and control to properly assess the effectiveness of controls against attacks. In contrast, compliance programs seek to measure the implementation of static controls against an established baseline, which values consistency and static configuration. Attackers are creative and seek to exploit misconfigurations to identify gaps in a secure host baseline. They have the advantage of time and scale; and only need to be right once. On the flipside, defenders must be right every time and suffer the disadvantage of trying to predict their adversaries’ next move.

Cyber defenders need comprehensive awareness, and absolute control of what is happening in their environments; blind spots are unacceptable. Employing an active defense approach is critical, including protecting against known threats, scanning for indicators of compromise, performing real-time hunt activities, and preparing a response.

It is no longer a question of “will there be an attack” but “when will I be attacked?” With this sobering thought in mind, it is imperative to quickly identify the compromise, scope the incident, implement changes to stop the attacker and prevent lateral movement, and finally, quickly remediate at scale. 

If you’re the type to use Google to search for downloads of popular software is a really bad idea. But over the past few months, it has been downright dangerous. Here’s why:

“Threat researchers are used to seeing a moderate flow of malvertising via Google Ads,” volunteers at Spamhaus wrote on Thursday. “However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not “the norm.'” 

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird. 

On the same day that Spamhaus published its report, researchers from security firm Sentinel One documented an advanced Google malvertising campaign pushing multiple malicious loaders implemented in .NET. Sentinel One has dubbed these loaders MalVirt. At the moment, the MalVirt loaders are being used to distribute malware most commonly known as XLoader, available for both Windows and macOS. XLoader is a successor to malware also known as Formbook. Threat actors use XLoader to steal contacts’ data and other sensitive information from infected devices. The MalVirt loaders use obfuscated virtualization to evade end-point protection and analysis. To disguise real C2 traffic and evade network detections, MalVirt beacons to decoy command and control servers hosted at providers including Azure, Tucows, Choopa, and Namecheap.

That’s not trivial and this is true for Windows and Mac users. And the challenge is that I have had to come to the rescue of people who just think that this behaviour is okay. Which it isn’t. So I would strongly suggest that you exercise good computing habits and only download software from reputable sources. Seriously, don’t do it.

INKY has published a new Fresh Phish, in which INKY’s cybersecurity research analyst explains how the Southwest Airlines brand was used as the lure for a credential harvesting phishing scam.

This report details how the phisher used a survey and gift card scam via legitimate, newly created domains to deliver emails that have been able to circumvent most email security systems. 

You can read the research here.