Education sector hounded by cyberattacks in 2021

Read Time:39 Second

Education and research were the top targets for cyberattackers in 2021, with an average of 1605 attacks per organization per week, a 75% increase from 2020, according to research by Check Point Software Technologies.

Pandemic’s push for digital invites threats 

The COVID-19 pandemic has pushed staff in businesses and education to work from home. The resulting need for digital skills and online courses has boosted the digital education market, creating opportunities for study but also for cyberthreats.

A major shift to distance learning and the fact that online education organizations have a huge number of non-employees accessing their systems from remote locations widens the exposure, elevating risks, according to Omer Dembinsky, data research manager at Check Point.

To read this article in full, please click here

Read More

Education sector hounded by cyberattacks in 2021

Read Time:39 Second

Education and research were the top targets for cyberattackers in 2021, with an average of 1605 attacks per organization per week, a 75% increase from 2020, according to research by Check Point Software Technologies.

Pandemic’s push for digital invites threats 

The COVID-19 pandemic has pushed staff in businesses and education to work from home. The resulting need for digital skills and online courses has boosted the digital education market, creating opportunities for study but also for cyberthreats.

A major shift to distance learning and the fact that online education organizations have a huge number of non-employees accessing their systems from remote locations widens the exposure, elevating risks, according to Omer Dembinsky, data research manager at Check Point.

To read this article in full, please click here

Read More

Linux-Targeted Malware Increased by 35%

Read Time:48 Second

Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021:

Malware targeting Linux systems increased by 35% in 2021 compared to 2020.

XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021.

Ten times more Mozi malware samples were observed in 2021 compared to 2020.

Lots of details in the report.

News article:

The Crowdstrike findings aren’t surprising as they confirm an ongoing trend that emerged in previous years.

For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year.

In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms.

This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

Slashdot thread.

Read More

Linux-Targeted Malware Increased by 35%

Read Time:48 Second

Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021:

Malware targeting Linux systems increased by 35% in 2021 compared to 2020.

XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021.

Ten times more Mozi malware samples were observed in 2021 compared to 2020.

Lots of details in the report.

News article:

The Crowdstrike findings aren’t surprising as they confirm an ongoing trend that emerged in previous years.

For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year.

In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms.

This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

Slashdot thread.

Read More

High anxiety spreads among Russian criminal groups in wake of REvil raid

Read Time:27 Second

The crackdown on members of the REvil ransomware gang by agents of the Kremlin’s domestic security force January 14 is sending a wave of distress and dread through the Russian hacker underground, according to researchers at Trustwave’s SpiderLabs.

“What our researchers found was a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future,” Trustwave noted Friday in a company blog post.

To read this article in full, please click here

Read More

High anxiety spreads among Russian criminal groups in wake of REvil raid

Read Time:27 Second

The crackdown on members of the REvil ransomware gang by agents of the Kremlin’s domestic security force January 14 is sending a wave of distress and dread through the Russian hacker underground, according to researchers at Trustwave’s SpiderLabs.

“What our researchers found was a great deal of anxiety and consternation from those who participate in these Dark Web forums regarding the FSB arrests and how those actions will impact them in the future,” Trustwave noted Friday in a company blog post.

To read this article in full, please click here

Read More

Stories from the SOC – Inactive Account Exploitation

Read Time:3 Minute, 41 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

One of the primary ways that adversaries gain access to environments is through valid credentials. Because of this, maintenance and auditing of user accounts is an integral part of maintaining a good security posture. When an employee leaves a company or organization, it is important that all associated accounts be removed and permissions revoked. If these accounts are not removed, they are a potential avenue for attackers to enter a network. Attackers often leverage compromised accounts to gain a foothold in an organization’s environment and move across the network, while remaining hidden. Upon entry, threat actors can elevateuser privileges and cause serious harm to the organization such as sabotaging critical infrastructure or exfiltrating confidential or intellectual property.

The AT&T Managed Threat Detection and Response (MTDR) SOC analyst team received an alarm for a successful logon to Office 365 from a foreign location for a customer. After investigating, we discovered the account belong to an ex-employee of that organization that was not properly deactivated. An attacker was able to exploit this vulnerability and gain access to the account through brute force from sources all over the world.  The team quickly reacted to the threat and assisted the customer in containing it while mitigating follow-on actions.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered from a custom rule alerting the MTDR analysts that the customer had a user successfully log-in to Office365 from a foreign country. Custom alarms can be created by the MTDR team and are tailored specifically to customer requests. These custom alarms can improve early warning signs of a potential attack specific to the customer’s environment.

Expanded investigation

Events search

A review of the event log indicated that the user successfully logged in from a foreign country. While this may not seem suspicious, it’s not often we observe logins from different parts of the world for this customer. With the adoption of work-from-home environments across many organizations, it’s almost every day we see foreign or multiple source country logins. However, regardless of how routine this seems, it is critical that security professionals perform their due diligence with this type of activity. To rule out the possibility of a compromised account, the team broadened their investigation to gather more information.

Event deep dive

Depending on the designed MTDR rule, any outside location will be considered an anomaly. Upon further review of the user’s history, the team discovered there was no activity within the last 90 days. No activity for short periods of time is not necessarily abnormal, but it was suspicious for a user to have absolutely zero activity for 90 days, only to log back in from multiple countries. In fact, we found that almost 1,000 failed login attempts from malicious IP addresses from 49 countries were made against the user’s account.

 Reviewing for additional indicators

Shortly after gaining access to the account, the attackers pivoted to the user’s personal SharePoint, but it did not appear that the attackers were able to gain access to anything confidential. Additionally, there was no evidence that attackers were able to move laterally in the network, escalate privileges, or gain access to other confidential or sensitive information beyond the initial access.

Response

Building the Investigation

With all the evidence gathered, it was critical that we contact the customer as soon as possible. We quickly assembled the investigation and reached out to the customer.

Shortly after contacting the customer, the SOC observed the attacker gaining access from another country. This new evidence suggests that the attacker was attempting to escalate and we needed to work quickly with the customer to contain the threat and prevent any potential lateral movement.

Customer interaction

The customer was able to revoke the credentials and disable the user account, and confirmed the targeted user was a former employee of the organization. This confirmation from the customer only added more validity to our concerns when we previously observed blank activity for 90 days from the user. While the attack did not escalate any further, this highlights the importance of maintaining and auditing the users in your environment.

Read More

Stories from the SOC – Inactive Account Exploitation

Read Time:3 Minute, 41 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

One of the primary ways that adversaries gain access to environments is through valid credentials. Because of this, maintenance and auditing of user accounts is an integral part of maintaining a good security posture. When an employee leaves a company or organization, it is important that all associated accounts be removed and permissions revoked. If these accounts are not removed, they are a potential avenue for attackers to enter a network. Attackers often leverage compromised accounts to gain a foothold in an organization’s environment and move across the network, while remaining hidden. Upon entry, threat actors can elevateuser privileges and cause serious harm to the organization such as sabotaging critical infrastructure or exfiltrating confidential or intellectual property.

The AT&T Managed Threat Detection and Response (MTDR) SOC analyst team received an alarm for a successful logon to Office 365 from a foreign location for a customer. After investigating, we discovered the account belong to an ex-employee of that organization that was not properly deactivated. An attacker was able to exploit this vulnerability and gain access to the account through brute force from sources all over the world.  The team quickly reacted to the threat and assisted the customer in containing it while mitigating follow-on actions.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered from a custom rule alerting the MTDR analysts that the customer had a user successfully log-in to Office365 from a foreign country. Custom alarms can be created by the MTDR team and are tailored specifically to customer requests. These custom alarms can improve early warning signs of a potential attack specific to the customer’s environment.

Expanded investigation

Events search

A review of the event log indicated that the user successfully logged in from a foreign country. While this may not seem suspicious, it’s not often we observe logins from different parts of the world for this customer. With the adoption of work-from-home environments across many organizations, it’s almost every day we see foreign or multiple source country logins. However, regardless of how routine this seems, it is critical that security professionals perform their due diligence with this type of activity. To rule out the possibility of a compromised account, the team broadened their investigation to gather more information.

Event deep dive

Depending on the designed MTDR rule, any outside location will be considered an anomaly. Upon further review of the user’s history, the team discovered there was no activity within the last 90 days. No activity for short periods of time is not necessarily abnormal, but it was suspicious for a user to have absolutely zero activity for 90 days, only to log back in from multiple countries. In fact, we found that almost 1,000 failed login attempts from malicious IP addresses from 49 countries were made against the user’s account.

 Reviewing for additional indicators

Shortly after gaining access to the account, the attackers pivoted to the user’s personal SharePoint, but it did not appear that the attackers were able to gain access to anything confidential. Additionally, there was no evidence that attackers were able to move laterally in the network, escalate privileges, or gain access to other confidential or sensitive information beyond the initial access.

Response

Building the Investigation

With all the evidence gathered, it was critical that we contact the customer as soon as possible. We quickly assembled the investigation and reached out to the customer.

Shortly after contacting the customer, the SOC observed the attacker gaining access from another country. This new evidence suggests that the attacker was attempting to escalate and we needed to work quickly with the customer to contain the threat and prevent any potential lateral movement.

Customer interaction

The customer was able to revoke the credentials and disable the user account, and confirmed the targeted user was a former employee of the organization. This confirmation from the customer only added more validity to our concerns when we previously observed blank activity for 90 days from the user. While the attack did not escalate any further, this highlights the importance of maintaining and auditing the users in your environment.

Read More

Red vs. blue vs. purple teams: How to run an effective exercise

Read Time:46 Second

In the arsenal of cybersecurity defenses is the exercise that goes by the name of red team/blue team simulated attack. These simulations are designed to closely mimic real-world conditions. For example, one red team member might take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic to obscure the attacks, just like in the real world.

Let’s talk about the red and blue designations. Red team members usually play the role of attackers and try to overcome security protocols. They use the same tools and techniques that attackers use, similar to how penetration testers operate but on a much broader scale.

To read this article in full, please click here

Read More

Red vs. blue vs. purple teams: How to run an effective exercise

Read Time:46 Second

In the arsenal of cybersecurity defenses is the exercise that goes by the name of red team/blue team simulated attack. These simulations are designed to closely mimic real-world conditions. For example, one red team member might take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic to obscure the attacks, just like in the real world.

Let’s talk about the red and blue designations. Red team members usually play the role of attackers and try to overcome security protocols. They use the same tools and techniques that attackers use, similar to how penetration testers operate but on a much broader scale.

To read this article in full, please click here

Read More