Read Time:11 Second
Facebook users are being warned of a phishing campaign that tries to break into accounts, disguised as a Facebook Messenger chat from a friend.
Read more in my article on the Hot for Security blog.
Category Archives: News
Securing Critical Infrastructure: The Essential Role of Public-Private Partnerships
Read Time:4 Minute, 30 Second
Government collaboration with industry can help drive strategic planning and tactical operations to address cyberthreats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) states, “Public-private partnerships are the foundation for effective critical infrastructure security and resilience strategies, and timely, trusted information sharing among stakeholders is essential to the security of the nation’s critical infrastructure.” We couldn’t agree more.
Critical infrastructure is highly susceptible to cyberattacks, as seen with the SolarWinds attack in late 2020, which impacted global governments and critical infrastructure providers, and in the ransomware attacks on Colonial Pipeline and JBS Meat last year. However, with the proper IT infrastructure security in place, organizations can mitigate the risk of cyberattacks and protect their vulnerable data.
We believe it’s imperative for global governments to leverage the combined resources and expertise of government, industry and other stakeholders to enhance cybersecurity. Public-private partnerships play a critical role in establishing the strategic frameworks and tactical operational mechanisms necessary to secure data and IT infrastructure.
The President’s National Security Telecommunications Advisory Committee (NSTAC) and the Joint Cyber Defense Collaborative (JCDC) are critical public-private partnerships that should be further advanced over the next year. The NSTAC and JDCD allow for agencies to join efforts on combating cyberthreats through strategic planning and proactive defense measures.
How NSTAC supports public-private cybersecurity initiatives
NSTAC aims to assist agencies dealing with telecommunications that affect national security and emergency preparedness. The NSTAC brings together IT and communications sector industry leaders and executives from many of our country’s largest and most influential companies, as well as cybersecurity experts from the White House, CISA and other government agencies to provide advice on securing telecommunications and digital technologies to protect the nation. I have the privilege of supporting Tenable co-founder Jack Huffard, who serves as a member of the NSTAC.
The NSTAC is currently working on a multi-phase project for improving internet resilience. Under the initial phase of this project, the NSTAC released a report to the President on Software Assurance in the Information and Communications Technology and Services Supply Chain. For the second phase, the NSTAC is currently developing a report on recommendations for adopting zero trust architectures. In the next couple of months, NSTAC will launch the third phase of this project, focused on addressing cybersecurity challenges associated with the convergence of Information Technology and Operational Technology, which is vital to further protect industrial control systems and other critical infrastructure from cyberattacks.
How the JCDC supports public-private cybersecurity initiatives
The JCDC was established by CISA to create a collaborative environment for federal agencies and the companies involved to prevent cyber intrusions and implement national cyber defense plans. The JCDC joins forces with federal agencies, state and local governments, and private-sector companies to protect our nation’s critical infrastructure. CISA Director Jen Easterly noted that the JCDC allows for “a shared situational awareness of the threat environment, so that we understand it better to develop whole-of-nation comprehensive cyber defense plans to deal with the most significant threats to the nation to include significant threats to our critical infrastructure.”
Tenable was recently named as an Alliance Partner for the JCDC, meaning we will be collaborating with CISA across a range of cybersecurity issues and challenges, to provide strategic insights and operational response acumen. Managing vulnerabilities is essential to secure critical IT infrastructure and the work done by JCDC and CISA promotes the prioritization of network security. Federal agencies across the nation need to adopt initiatives put forth by the JCDC to ensure their networks are protected from vulnerabilities, like the recent Apache Log4J flaw, which has impacted billions of devices worldwide. The JCDC and CISA have been quick to respond and help protect the nation’s infrastructure from this vulnerability, a vital effort, especially given that recent research from Tenable shows that nearly 30% of organizations hadn’t begun scanning for Log4J as of late December.
Conclusion
As cyberattacks become more sophisticated, building collaborative communities between the public and private sectors is crucial to synchronize operations and take preventative measures as a unified front to critical infrastructure threats.
In order to complete many large-scale projects, the expertise and technology from private-sector entities, as well as the resource support and convening power of global governments, are what permit public-sector proposals to come to fruition.
Learn More
Log4Shell: 5 Steps The OT Community Should Take Right Now
CISA’s Binding Operational Directive on Managing Unacceptable Risk Vulnerabilities in Federal Enterprises Is Key to Stopping Federal Cyberattacks
Unpacking the U.S. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure
Qubit pleads with hacker to return $80 million of stolen funds
Read Time:11 Second
Qubit, a decentralized finance (DeFi) platform, has publicly offered $2,000,000 to a hacker who stole $80 million worth of cryptocurrency from it last week.
Read more in my article on the Hot for Security blog.
Twelve-Year-Old Linux Vulnerability Discovered and Patched
Read Time:49 Second
It’s a privilege escalation vulnerability:
Linux users on Tuesday got a major dose of bad news — a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running most major distributions of the open source operating system.
Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.
It was discovered in October, and disclosed last week — after most Linux distributions issued patches. Of course, there’s lots of Linux out there that never gets patched, so expect this to be exploited in the wild for a long time.
Of course, this vulnerability doesn’t give attackers access to the system. They have to get that some other way. But if they get access, this vulnerability gives them root privileges.
Stories from the SOC – WannaCry malware
Read Time:3 Minute, 35 Second
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Executive summary
WannaCry malware was first discovered in May 2017 and a patch was released roughly two months prior to its public release. However, 230,000 computers were globally affected by WannaCry as of 3/31/2021. It is unfortunate to hear, but many companies remain vulnerable to this attack due to unpatched systems. We often see that by the time some companies update their systems, they have already experienced a breach.
The Managed Threat Detection and Response (MTDR) SOC analyst team received 56 alarms related to the suspicious use of port 445 within a 24-hour timeframe. Given the high influx of alarms, our team created an Investigation to reveal which assets were using port 445, the destinations that were being communicated with, and the frequency of the connections. The customer quickly identified that the source assets were unpatched Windows 7 production servers affected by WannaCry. They were able to segment the infected computers, block SMB port 445, use Trend Micro’s Anti-Threat Toolkit to clean the machines, and then return the assets to the network.
Investigation
Initial alarm review
Indicators of compromise (IOC)
The initial alarms that triggered this investigation were created from a custom alarm. The MTDR team can create custom alarms specific to the customers environment to help improve time to response. The alarms were triggered when events from Trend Micro showed assets using Server Message Block (SMB) port 445 in which a single source was communicating with multiple destinations.
This initial alarm was one of many that was generated. The alarms came in with a priority of “Low” because use of SMB port 445 is common within the customer’s organization. Our team and the customer began to suspect that a breach had occurred due to the high volume of internal connections as well as those connections attempting to reach external IP’s.
Expanded investigation
Events search
Upon further investigation, we searched for events “CnC Callback” and “Suspicious Connection”. The team then analyzed these events over a 24-hour period. This analysis revealed all of the internal assets and their events’ sources and destinations. These assets were communicating over port 445 and were likely compromised systems.
Event deep dive
Continuing with the investigation, we learned that the affected assets were communicating with unknown external IP’s. Many of these outbound connections were blocked at the firewall; however, at this point, we were able to pivot from the external IP’s to look for more affected assets.
Reviewing for additional indicators
We then made a complete list of all potentially affected internal assets. After individually inspecting the assets, we discovered the following event: “Ransom_WCRY.SM2” on a few of the assets. This particular event confirmed our suspicion that this was, indeed, the WannaCry malware.
Response
Building the investigation
Within minutes of the team creating the investigation, the customer escalated the case. The customer noticed that all of the associated assets were part of a single subnet isolated to one sector of their business. The customer then isolated the subnet of potentially affected assets from the rest of the network in order to begin reviewing the machines.
While the assets were being scanned for further indicators of compromise, we involved the customer’s Threat Hunter (TH). The TH helped generate additional reports of all internal assets that were associated with the malicious events.
At this point, the customer blocked port 445 on the assets, used Trend Micro’s Anti-Threat Toolkit to clean the machines, and then returned the assets to the network.
We continued to closely monitor the customer’s network for further signs of compromise from the WannaCry malware. We maintained this vigilance until the team ensured the situation had been fully resolved.
Customer interaction
Our team worked closely with the customer to ensure we were up to date with any changes being made to their systems. Because of the close communication between our team and the customer, we were able to quickly assess the situation, investigate appropriate assets, and resolve the issue before any systems could be encrypted for ransomware.
US Revokes China Unicom’s License
Read Time:1 Minute, 35 Second
US Revokes China Unicom’s License
The US government has effectively stripped another Chinese telecoms player of its license to operate in the country on national security grounds.
The new Federal Communications Commission (FCC) order ends the ability of China Unicom Americas to provide telecoms services within the US.
It follows a March 2021 finding by the FCC in which it said the Chinese vendor had “failed to dispel serious concerns” about its continued operations.
In its ruling late last week, the FCC claimed that, as a state-owned enterprise, China Unicom “is subject to exploitation, influence and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.”
It said this is more likely today than two decades ago when the firm’s license was first approved. The FCC is particularly concerned about Beijing’s ability to “access, store, disrupt and/or misroute US communications” and therefore conduct state-backed cyber-espionage via China Unicom.
“China Unicom Americas’ conduct and representations to the commission and Congress demonstrate a lack of candor, trustworthiness, and reliability that erodes the baseline level of trust that the Commission and other US government agencies require of telecommunications carriers given the critical nature of the provision of telecommunications service in the United States,” the FCC added.
According to the FCC order, “mitigation” would not address these national security concerns.
The firm now has 60 days to stop providing its services within the US.
China Unicom Americas is the latest of several Chinese state-owned telecoms firms caught in the middle of escalating hostility between Beijing and Washington.
Last year, China Telecom Americas also had its license revoked. In contrast, several years before that, the Trump administration blocked China Mobile USA’s application to enter the US market.
China Telecom is currently appealing the revocation of its license.
Crypto Finance Firm Offers $2m Bug Bounty to Hackers
Read Time:1 Minute, 37 Second
Crypto Finance Firm Offers $2m Bug Bounty to Hackers
A decentralized lending platform that lost $80m to hackers has offered them an astonishing multimillion-dollar bug bounty in return for the stolen funds.
Qubit Finance revealed at the end of last week that an attacker had exploited a vulnerability in its QBridge deposit function.
In doing so, they managed to get away with a large amount of Ethereum, which they converted to Binance coins with a value of tens of millions of dollars. In effect, they were able to exploit a mistake in Qubit Finance’s code to withdraw Binance tokens without depositing any Ethereum.
The firm pleaded with its attacker to return the funds, addressing them on Twitter as “dear exploiter.”
“We propose you to negotiate directly with us before taking any further action,” it wrote on Friday. “The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty is now what you are looking for, we are open to have a conversation. Let’s figure out a solution.”
A follow-up note confirmed the firm would offer a “maximum” bug bounty and not seek to press charges if the attacker returned the funds.
Subsequent messages over the weekend then increased this ‘maximum’ bounty to $1m and then on Sunday to $2m.
It’s unclear whether the tactic was merely intended to buy investigators ADDITIONAL time or if the firm was genuinely prepared to hand over a considerable bug bounty to a cyber-criminal.
A new post issued hours ago revealed the firm is working on a new site that will enable affected users to access their digital wallets to file reports with local police. However, they have little hope of getting their money back unless the cyber-thieves decide to cooperate with Qubit Finance.
A report from Chainalysis last week claimed that decentralized finance (DeFi) protocols were attacked most last year, losing over $2bn.
QNAP Ransomware: Thousands Infected with DeadBolt
Read Time:1 Minute, 26 Second
QNAP Ransomware: Thousands Infected with DeadBolt
Thousands of QNAP users have been infected by a new ransomware variant flagged by the network-attached storage (NAS) vendor last week, according to a security vendor.
Taiwan-headquartered QNAP said last week that customers should urgently upgrade their systems to the latest version of its QTS operating systems and take steps to disconnect devices from the internet to mitigate the campaign.
Dubbed “DeadBolt,” the new ransomware variant demands a 0.03 Bitcoin ($1100) payment in return for a decryption key.
“This is not a personal attack,” reads the notice. “You have been targeted because of the inadequate security provided by your vendor (QNAP).”
Inventory firm Censys last week claimed there were around 5000 such devices impacted by the ransomware, although this is out of a total of 130,000 globally.
Interestingly, the vendor observed that the number fell sharply between January 26 and 27.
“Overnight, the number of services with the DeadBolt ransomware dropped by 1061, down to a total of 3927 infected services on the public internet,” it wrote.
“The exact reason for this drop is unknown at the moment, and we are continuing to monitor the situation. But earlier today, Malwarebytes reported that QNAP released a forced automatic update for their Linux-based operating system called QTS to address the vulnerability. This update reportedly removed the ransomware executable and reverted the web interface changes made by the ransomware.”
QNAP’s extorters had given it the opportunity to pay a flat rate of 50 BTC ($1.8m) to decrypt all customer data, but it does not appear to have acceded to these demands.
Some users have reported that decryption keys they were given following payment did not work.
DDoS attacks: Definition, examples, and techniques
Read Time:42 Second
What is a DDoS attack?
A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, it’s one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.
Generally, these attacks work by drowning a system with requests for data. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that available internet bandwidth, CPU and RAM capacity becomes overwhelmed.
12 CISO resolutions for 2022
Read Time:45 Second
It’s still early days, but if this year is anything like years past, it’s safe to say CISOs will have a lot to contend with, from a continuing labor shortage to the increasing sophistication of cyberattacks to an ongoing threat from nation-state actors.
However, they also have plenty of ideas on how they’ll tackle those challenges.
To learn what they’re planning to do and what they want to accomplish in the months ahead, we asked CISOs across various industries to share their main objectives—or, their top resolutions, if you will—for 2022.
Here’s what they say:
1. Eliminate blind spots
Suyesh Karki, CISO and VP of IT at cloud software company Domo, wants to eliminate blind spots within his tech environment because he knows that he can’t protect what he can’t see.