The IT Nerd

Valtix has released new research findings highlighting how cloud security leaders are changing the way they secure cloud workloads in the aftermath of Log4Shell. The research key findings include:

1. 95% of IT leaders say Log4Shell was a wakeup call for cloud security, changing it permanently.
2. 87% feel less confident about their cloud security now than they did prior to Log4Shell.
3. 77% of IT leaders are still dealing with Log4J patches 3 months after the incident.
4. 83% stated that Log4Shell has impacted their ability to address business needs. 
5. 82% say visibility into active security threats in the cloud is usually obscured
6. 86% agree it’s more challenging to secure workloads in a public cloud than in an on-prem data center
7. Only 53% feel confident that all of their public cloud workloads and APIs are fully secured against attacks from the internet
8. 79% agreeing that agent-based security solutions are difficult to operationalize in the cloud
9. 88% stated that bringing network security appliances to the cloud is challenging to the cloud computing operating model

I have a pair of comments on this research. The first is from Edward Roberts, VP of Marketing for Neosec:

“As the digital transformation has evolved the adoption of cloud services and use of APIs has skyrocketed. APIs are the connective tissue for most businesses today. Since most organizations have no inventory of their APIs, it is therefore no surprise that many organizations feel their API estate is insecure.”

Sanjay Raja, VP of Solutions, Gurucul is next with some commentary:

“Too many security vendors that claim to better secure the cloud have major flaws in their capabilities. For one, many have simply “lifted and shifted” on-premise-based security software and appliances to be supported in the cloud without specifically building them to cater to fundamental architecture differences. This severely impacts deploying them correctly and much worse, limits their capabilities, especially when being leveraging and operated by security operations for the purposes of threat detection, investigation and response. This is one way attackers are finding security gaps, especially gaps in cloud threat detection solutions and programs, that allow them to leverage Log4J vulnerabilities in cloud environments. Another factor is that few security solutions can be deployed across multi-cloud architectures even if they can correlate across multi-cloud. This limits their deployability in complex environments. Threat attackers take that further to spread and effectively hide attack campaigns across multi-cloud architectures that very few solutions have security analytics for helping security teams identify the scope of such an attack”. 

Log4Shell has changed the game and forced companies to rethink their security in the cloud. Or at least it should force companies to rethink their security in the cloud. Business leaders should read this report and give their security a good hard look to make sure that they aren’t the next victim of the next exploit that comes along.

The DFIR Report has released findings on Quantum Ransomware, one of the fastest ransomware cases they have observed. Researchers with The DFIR Report observed an IcedID payload go from initial access to domain wide ransomware in under four hours. Once the initial IcedID payload was executed, approximately 2 hours after initial infection, the threat actors appeared to begin hands-on-keyboard activity. Cobalt Strike and RDP were used to move across the network before using WMI and PsExec to deploy the Quantum ransomware. This case exemplified an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes. 

I have a pair of comments on this. The first is from Chris Olson, CEO of The Media Trust had this to say:

“The speed of Quantum ransomware is consistent with recent findings that network defenders only have 43 minutes on average to stop a ransomware attack once it begins. Ultimately this shows that it is futile to respond to ransomware and encryption attacks after the fact. To protect themselves, organizations must pivot to prevention over treatment.”

“Importantly, today’s businesses must work to gain a detailed understanding of the way that ransomware attackers compromise their systems, from the reconnaissance phase through to execution. It’s easy to overlook the importance of digital attack surfaces such as the Web and mobile devices – but this is exactly where many ransomware incidents begin.”

The second comment is from Saryu Nayyar, CEO and Founder of Gurucul:

“This is an example of an attacker using multiple known methods that are linked together but are easily able to evade static flow-chart based machine learning and artificial intelligence found in most traditional SIEMs and XDR systems today. The key for security teams is to assume that “compromise is inevitable” and take a stance in improving their operations to handle quickly spun-up malware variants and changes in layered attack techniques that shows a high degree of persistence by threat actors. Organizations need to incorporate behavior-based analytics, a plethora of machine learning models, and more importantly self-trained machine learning that does not require vendor updates to detect these new attack campaigns.”

Clearly threat actors are becoming more and more advanced in how they launch attack campaigns, and they attacks themselves are even more sophisticated than ever before. That means that your organizations ability to detect threat actors really need to be priority one.

USA, Canada, New Zealand, The United Kingdom and Australia who are known collectively as the “Five Eyes” have released a warning about Russian State-Sponsored actors taking aim at critical infrastructure:

Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations. 

Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people. Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.

This means that attacks are likely inbound on any country that supports Ukraine. And it means that we all need to up our cybersecurity game. To get some color commentary on this, I reached out to Darktrace and got a pair of quotes. The first is from Darktrace’s CEO, Poppy Gustafsson:

“Since the start of the war critical infrastructure globally has been on high alert to cyber-attacks. Russia has previously displayed its ability to get into the heart of critical systems and launch attacks in cyber space that have real-world impacts – such as the attack on Ukraine’s energy grid in 2015. The attack on Colonial Pipeline last year also served as a wake-up call showing defenders of critical national infrastructure that no system is invulnerable to attack.

While we’ve seen examples in the Ukraine conflict of attacks targeting industrial systems, such as Industroyer 2.0, we have yet to see any novel cyber-attacks at scale during the crisis to date. But we can say with a degree of confidence that the Russian state and state-affiliated actors have novel and destructive cyber-attacks in their arsenal and it is only a matter of time before these are deployed.

The warning from the Five Eyes represents another global effort to combat disinformation, and serves as another reminder of the urgency with which defenders must act to ensure their digital assets are protected. We have to think about the people on the other side of these warnings; the people that are responsible for defending critical infrastructure. These defenders can only take a ‘shields up’ approach so far – we must augment security teams with advanced technology that can spot, stop and investigate attacks on their behalf.”

Additionally, I have the following comment from Darktrace’s Canadian Director of Enterprise Security, David Masson:

“The US Government set a precedent some weeks ago by issuing warnings about Russia’s attack plans for the invasion of Ukraine. This was a Five Eyes government releasing intelligence to the public about Russia’s intentions. Our own intelligence agencies have repeatedly warned us about potential Russian cyber-attacks on Canadian critical infrastructure.

In the last twenty-four hours, the head of the Canadian Centre for Cyber Security, Sami Khoury, shared a joint Five Eyes advisory on social media about the “increased risk of malicious cyber activities posed by Russian state-sponsored advanced persistent threat (APT) actors, their proxies, and independent cybercriminal groups.” On American television, the US Deputy Attorney General, Lisa Monaco, said that the Russians are probing critical infrastructure, and she used the analogy of a burglar “trying to jiggle the lock to see if it’s open.” 

Now is the time for all Canadian organizations, private and public, critical infrastructure or not, to work on their resilience plans, train staff, and be ready to deploy technology to deal with cyber-attacks. We need to make sure our doors are locked, but more importantly, our jewels are locked in a safe. We need to assume that sophisticated attackers will find a back door (or window) to get in and that we are prepared to catch them once inside.”

Seeing as Russian backed threat actors are already going after critical infrastructure in Ukraine, it a certainty that those attacks are coming here. Thus now is a great time to get your defences in order so that you don’t become the next company with a really bad headline.

Here’s an interesting initiative. Craig Newmark of craigslist fame on Monday promised a major investment in the cybersecurity community and public cyber education by serving up more than $50 million towards what he called a Cyber Civil Defense. This was announced on Twitter:

A press release was also part of this announcement. Here’s a section of it:

CNP’s funding will support efforts to raise public awareness of threats and online security choices, in addition to the creation of online tools and digital infrastructure that help secure the country’s networks. The effort will also include programming aimed at developing a diverse, inclusive, and equitable workforce capable of meeting the technical challenges ahead.

“American and western democracy are at risk,” said Craig Newmark. “As individuals, we’re also under attack. We need to work together to protect each other and democratic ideals in the digital world.”

I think that this will make a difference. So does Allen Drennan, Co-Founder & CTO, Lumicademy:

“Lately, breaking news of meeting provider and remote learning breaches have made it clear that mainstream vendors of these products are not compliant. This significant gift will give consumers a better chance at solid privacy, security and control when implementing a learning or meeting platform that involves more than basic privacy.”

If we want to be safe online, all of us have to participate in being part of the solution. The $50 million that Newmark has served up will help to kickstart the solution becoming a reality.

Security researchers at Trend Micro have observed an active exploitation of the Spring4Shell vulnerability where threat actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers in the Singapore region. 

Trend Micro says most of the vulnerable setups were configured with the following features:

• Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher
• Apache Tomcat
• Spring-webmvc or spring-webflux dependency
• Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
• Deployable, packaged as a web application archive (WAR)
• Writable file system, such as web apps or ROOT

This of course is a major problem as if one group of threat actors taking advantage of this vulnerability, other threat actors are doing the same thing. Or will be doing the same thing soon enough.

I have sourced a pair of comments on this starting with Saryu Nayyar, CEO and Founder, Gurucul:

“This is another example of a known set of malware being leveraged to exploit a newly discovered set of vulnerabilities. Mirai is indeed a long standing and dangerous piece of malware that can deliver multiple destructive outcomes to organizations. Until vulnerabilities such as these can be patched, which can take weeks or months, organizations need to augment their threat detection, investigation and response programs to determine if they are already under attack and certainly find any signs of an attack early in the kill chain. This can allow them to perform emergency patching on systems if threatened. However, this requires a solution not only with advanced analytics and non-rule-based machine learning models to detect any variations employed when Mirai is executed, but also threat intelligence combined with risk analytics to prioritize and escalate to security teams once the attack is potentially found. These capabilities are critical for accelerating response and rallying security teams to identify and focus efforts on a serious active threat. Unfortunately, most current SIEM and XDR solutions lack this combination of features to be enough to stop this attack so organizations must look at more advanced solutions to better enable security teams. “

Chris Olson, CEO, The Media Trust is next:

 “In the face of Log4Shell, many organizations rolled out patches to protect their internal systems and consumer-facing services. But the emergence of Spring4Shell reminds us that patching is only a temporary fix: as long as organizations are depending on third-party assets for website, app and backend development, they must exercise continual vigilance and monitoring to protect their users.”

This is likely the start of larger campaigns using this exploit. This sysadmins and security professionals should take this time to make sure that they aren’t vulnerable to being pwned by this exploit.

By Hank Schless, Senior Manager of Security Solutions at Lookout. 

There is only one you – let’s keep it that way! Tomorrow, April 12th is Identity Management Day and Lookout cybersecurity would like to share tips on how consumers can better manage their identity online. 

A recent study from Lookout found that scammers are increasing their complexity, and hacks are looking more real to consumers. Only 8.7% of the 2,000 survey participants correctly identified the legitimate text message, login page, and video when compared to scammers.

Here are some tips to keep you protected: 

Conceal Personal Information
Limit the amount of personal information placed online. Information like location, pet name, last name, and birthday can be used to break into important accounts. 

• 60% of people share their birthday publicly on social media

Strong Passwords 

• Use Two-Factor Authentication: This makes it harder for hackers to access your account and will alert you to any potential hacking attempts.  
• Password Changes: Be sure to regularly change the password to your most important accounts. This will help prevent hackers from getting access. Make sure you use a combination of letters and numbers for the best protection. 
• AVOID using passwords like these:

Delete WiFi Connections
If you connect to an unknown WiFi network and it starts asking you for any sort of username and password, such as validating your identity with a login, disconnect from it immediately. 

Install Security Software On Your Devices
Security protection, like Lookout, will automatically monitor and identify scam URLs in email, text messages, and on the web and block you from threats that can do harm.

• Only 31% of Americans pay for identity theft monitoring on their devices, leaving 69% of Americans vulnerable to identity theft.

Fox News is making headlines for all the wrong reasons.

In a recent report from security researcher Jeremiah Fowler, details were revealed of an open and non-password protected database that contained nearly 13 million records belonging to FOX News. The data reportedly contained management data including employee personally identifiable information, internal FOX emails, usernames and more. In the data, there were several references to Comcast Technology Solutions. Comcast has confirmed that they did not manage this dataset and that it likely belonged to a customer that was using their services.

Kevin Novak, Managing Director, Breakwater Solutions:

“Over the course of the past couple of years, as companies have struggled to adapt to a new operating paradigm in the face of a global pandemic, there has been a mass migration of processes and information from captive, in-house data centers to public cloud centric service providers such as Google Cloud, Microsoft Azure, and Amazon Web Services.  The ease by which services can be deployed has created a false sense of security, and as many are learning, this is starting to materialize into a significant wave of improper data disclosures (breaches) and cybercrime compromises.”

“While in-house, captive data centers are certainly not immune to accidental misconfigurations (particularly as it pertains to things like leaving remote access portals accessible through the firewall), these environments have been around much longer, and the hardening of these environments tends to be slightly more well-understood.” 

“Whether hosting information in captive data centers or public-cloud ones, enterprises need to be mindful to enforce mature, tested security controls and governance protocols, lest they find themselves the subject of tomorrow’s big headline.”

Companies have to take care to make sure that their data always stays in their control. Otherwise bad things will happen. At the very least it’s bad press. At worst, it’s going to be a serious data breach with serious consequences. Neither of those is a good thing.

Security researchers at Cyble have spotted a new malware strain in the wild, dubbed Borat. Yes, as in the movie character. This malware includes features such as DDoS attacks, UAC bypass, ransomware deployments and much more. The malware is available on the darknet markets and enables threat actors to choose their compilation options to create small payloads that feature exactly what they need to tailor attacks to the threat actor’s use case.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“Once again we see a variation of an existing attack put together as a new toolkit that uses various tactics and techniques to get their malware or ransomware evade existing security controls. It also shows that misusing privileged access controls is an emerging trend where identity monitoring and analytics is critical for emerging and modern security operations teams to combat compromised credentials and abuse of identity. However, the overall campaign shows the need for advanced analytics that leverage non-rule-based machine learning (ML) that can adapt to new threats and emerging variants, similar to this attack. Current XDR and SIEM solutions are mostly rule-based Artificial Intelligence and ML are unable to detect unknown, newer and emerging attacks without relying on updated models from vendors. We know that vendors are slow to disclose an attack let alone provide meaningful patches or updates in time to protect organizations. A change is needed to stay ahead of attackers.”

Clearly the threat actors behind this are clearly pretty crafty. Which is bad news for everyone else. Hopefully now that this has been exposed, defences can be built to stop this malware from being a huge problem.

UPDATE: I have additional commentary. First from Rob Shaughnessy, VP, Federal for GRIMM

“The recently disclosed malware variant being called BORAT RAT, named and initially reported by security research firm Cyble, Inc., appears to be a multi-purpose malware platform including remote access tools, spyware including platform accessory access, and the ability to crypto lock content and provide customizable ransom messaging. Although the individual elements of BORAT do not seem particularly novel, the availability of a prepackaged suite of malicious tools with integrated management and control capabilities is an emerging trend. The past few months have seen an acceleration in widespread reels of malware tools and techniques globally. We are likely to see more prepackaged malware sets like BORAT in the near future as more and more individuals and organizations take advantage of the wealth of malicious software now available for profit.”

Next I have commentary from Chris Olson, CEO, The Media Trust:

“Borat is a trojan built to order and sold through an organized campaign which exposes the role that darknet markets play in cybercrime today. They are one of many reasons we are seeing a rise in Web and Java-based malware with sophisticated features like polymorphic and obfuscated code, rapid URL shifting and more. It takes little expertise for attackers to target consumers and organizations through digital surfaces – only the money and inclination to acquire the right code from malicious actors who design it for a living.”