Archive for the ‘Uncategorized’ Category

#IMOS21: Global Threat Brief – The Most Dangerous Attack Techniques in 2021


During Infosecurity Magazine’s North American Online Summit, editorial director Eleanor Dallaway moderated a session dedicated to the most dangerous attack techniques in 2021. In her opening statement, she stated that the last two years have seen a huge amount of change and evolution, and cyber attack vectors and attack techniques have been no exception. 


Dallaway was joined by an expert panel: Brad LaPorte, partner at High Tide Advisors; Miranda Richie, director of cyber threat operations at Orbia; and Michael F.D. Anaya, head of attack surface analysis at Palo Alto Networks and a former FBI cyber special agent.


Cyber Attacks and COVID-19


The opening question of the Q&A concerned how quickly cyber-attacks have changed in the context of COVID-19. LaPorte brought up that crimeware-as-a-service (CaaS) has become widespread. He pointed out that around 2018, criminals changed their hacking approach: in effect, cyber-criminals have become managed service providers. The attack surface is now “everywhere” because of hybrid work models. Moreover, cyber-threat groups are more extensive and can now make a lot of money. Anaya responded that criminals will always find new opportunities. Phishing is still a big thing; it is easy to execute and will not disappear anytime soon, he noted. Richie raised the topic of initial access brokers, whom she claims are enjoying rich pickings amid the COVID-19 chaos. LaPorte pointed out that alongside crime-as-a-service, DDoS-as-a-service and ransomware-as-a-service have become very popular during the pandemic. Additionally, hacker groups can easily break into companies and then sell the keys to the highest bidder.


Anaya, agreeing with the points raised by the other two panelists, emphasized that while threats are evolving because of the amount of information sharing on the dark web, the same sharing is also happening on open forums. At this stage, Richie asked Anaya whether this typically goes beyond collaborative efforts: what about the mafia? Anaya said that it is hard for law enforcement to obtain the identities of threat actors because of the anonymity involved.


Threat Actors and Competition



The second question concerned whether there is an ostensible competition between threat actors. Anaya gave a succinct response, claiming that, unlike most organizations, which struggle to share information because of legal barriers, there are no obvious barriers between threat actors. This is something that needs to change, according to Anaya, because organizations must share information more freely and effectively.


“International hacker networks, nation-states and gangs are all collaborating” – Brad LaPorte

Threat Actors Working Together


Dallaway shifted the question to the topic of money and how threat actors work together. LaPorte responded that it makes sense to work together if nobody’s wallet is affected. If people do not believe that threat actors are working together, they need to “wake up,” he said, adding that international hacker networks, nation-states and gangs are all collaborating.


The first audience poll asked viewers which of the listed attack techniques they considered the most dangerous. The results were as follows:


  1. Supply chain attack (46%) 
  2. DDoS as a ransom (26%)
  3. RaaS (14%)
  4. API attacks (12%)


Ransomware-as-a-Service


The conversation shifted at this stage when Dallaway raised the question of ransomware-as-a-service. Richie explained what ransomware-as-a-service is while emphasizing the rise of double-extortion techniques, which combine exfiltration with encryption. Anaya emphasized that there is no regulation forcing an organization to publicly disclose that it has been the victim of a ransomware attack. LaPorte noted that in 2018 one third of ransomware victims would report an attack, whereas in 2021 that number has shrunk to 13%. Unfortunately, even the FBI doesn’t have relevant information, since many organizations don’t come forward.



Off the back of this point, Dallaway asked whether fewer people are paying up. LaPorte contended that cyber-attacks are increasing in frequency and that ransom demands are increasing too; attacks are still happening. Worryingly, hackers will look at other ways to get organizations to pay, and the costs associated with breaches are also increasing. Richie questioned whether authorities are going after the attackers en masse.


Michael F.D. Anaya argued that the FBI was trying to identify threat actors, but the task was very complicated since attackers are notoriously hard to identify

To this point, Anaya replied that the FBI was trying, like other government departments, but the task was very complicated: attackers are notoriously hard to identify. According to Anaya, there is a lot of delineation in the government, and the FBI is “siloed,” which presents various problems. LaPorte added that this gets more complicated when factoring in things like insurance. The best practice should be to share intel and to make the process “ubiquitous.” Anaya added that organizations cannot achieve this without being empowered to share intel strategically, so that law-enforcement agencies can identify threat actors.


Commodity Malware



Dallaway shifted the conversation to a question posed by the audience regarding commodity malware, asking why cybersecurity experts do not place enough emphasis on it. Anaya replied by urging the audience to look at what he considers the most significant threat, commodity malware, which is also what government entities are setting their sights on.



The second poll again asked which of the listed attack techniques voters considered the most dangerous. The results were:



  1. Supply Chain Zero Day exploit (50%) 
  2. Cloud misconfiguration (26%)
  3. Business email compromise (19%)
  4. EPP/EDR bypass (3%)



Ransomware and Supply Chain Attacks


Dallaway raised another critical topic in the global threat landscape in light of the second poll results. Directing the question at Richie, Dallaway asked why voters likely picked ransomware and supply chain attacks as the most concerning threats. Richie highlighted the Kaseya supply chain attack this year, which caused widespread downtime for over 1,000 companies, and the SolarWinds attack this year, which targeted US federal agencies and over 100 companies. Not only do such attacks have a huge impact on businesses, operationally and financially, but they are notoriously hard to detect and defend against. LaPorte emphasized remote code execution: if attackers can achieve it reliably, they hold significant power in their attacks.

“Ransomware and supply chain attacks not only have a huge impact on businesses, operationally and financially, but they are notoriously hard to detect and defend” – Miranda Richie

Artificial Intelligence


Dallaway raised a question from the audience focusing on AI-based attacks. Since attackers are using AI to execute supply chain attacks, the question asked, must companies use AI to protect themselves effectively? LaPorte responded by pointing out that companies using AI will reduce workload and costs, and that AI-led detection and response are highly effective at protecting organizations.


Anaya remarked that machine learning could assist businesses greatly since AI can learn patterns of “normal” behavior in an organization and detect and investigate anomalies. In response to this point, LaPorte claimed that studies show an 80% reduction in costs when organizations use both AI and automation. Richie added that the industry is well aware of SOC fatigue; AI can help automate the repetitive tasks SOCs typically tackle. 


Cloud Misconfiguration



The penultimate question concerned the threats associated with cloud misconfiguration. Anaya responded that the MFA (multi-factor authentication) base isn’t rotated often enough, which presents innumerable threats, and that rotation isn’t a policy organizations enforce enough. A follow-up point concerned EPP and EDR being bypassed and zero-day exploits. LaPorte highlighted that attackers can, in effect, do various things on IoT without detection, and that modern technology is an increasingly complicated problem.



The result of the third poll, asking voters what 2022 will be the year of, revealed the following:


  1. Ransomware…again (43%)
  2. Who on earth knows?! (25%) 
  3. Zero trust (16%)
  4. AI (9%)
  5. Data breaches (4%)


2022 Is the Year Of? 


The final question was posed as a quick-fire round, asking what each panelist believed 2022 would be the year of. Richie believed 2022 would be the year the lines between physical and digital are blurred, citing hospitals and pipelines as real-life examples; this trend, she argued, will increase. Anaya agreed with Richie, adding that there are three things organizations can do to protect themselves: 1) organize a dedicated team, 2) empower that team and 3) see cybersecurity as a critical cost. Finally, LaPorte wrapped up the commentary, stating that organizations can also protect themselves with ‘operational readiness.’




The session is now available on-demand.
Source: Infosecurity

California Hospital Sued Over Data Breach


An academic health-care system in California is facing legal action over a data breach that potentially exposed the information of nearly half a million patients, employees, and students.  



UC San Diego Health disclosed a security incident in July via a public notice. The notice indicated that unauthorized access to “some employee email accounts” had taken place from December 2, 2020, to April 8, 2021. 



The incursion occurred after an employee with a health-system email account took the bait proffered in a phishing attack. Suspicious activity was detected in the system’s network on March 12, and compromised email accounts were shut down on April 8.



“When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls,” said the health-care provider.  



The health system said that data potentially accessed and exfiltrated in the attack may include the full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information, treatment information, Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames, and passwords of a “subset of our patient, student and employee community.”



On September 7, UC San Diego Health began notifying 495,949 individuals – where contact information was available – that they may have been affected by the breach.



The San Diego Union-Tribune reports that lawyers representing a cancer patient from El Cajon filed a suit last week against UC San Diego Health over the data breach. The plaintiff has accused the health-care system of breach of contract, negligence, and violating California consumer privacy and medical confidentiality laws.



“This breach was preventable had UC San Diego Health had the right data protection protocols in place,” said San Diego attorney Jason Hartley.



The plaintiff asserts that the health-care system failed to adequately train employees on how to avoid phishing attacks and neglected to implement reasonable security practices. 



The suit is seeking class-action status and unspecified damages for all the individuals whose medical data and personal information may have been exposed.



Source: Infosecurity

Port of Houston Quells Cyber-Attack


A leading port in the United States has successfully fended off an attempted cyber-attack, which authorities believe was sponsored by a foreign power.  



Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly revealed to a Senate committee on September 23 that malicious hackers had targeted the Port of Houston in August.



The 25-mile-long port complex is one of the largest on the US Gulf Coast and handles around 247 million tons of cargo per year, according to the port’s website.



Easterly divulged to the Senate Homeland Security and Governmental Affairs Committee that while attribution of cyber-attacks “can always be complicated,” she was of the opinion that a “nation-state actor” was to blame in this case. 



“At this point in time, I would have to get back with my colleagues, but I do think it is a nation-state actor,” said Easterly. However, the cyber leader did not go so far as to name which one she believed to be responsible. 



The Port of Houston put out a brief statement on Thursday announcing that a digital assault against its systems had come to naught.



“The Port of Houston Authority (Port Houston) successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result,” read the statement.



Hackers exploited a previously unknown vulnerability in password management software to break into one of the port’s web servers at 2:38pm UTC on August 19, according to Coast Guard analysis of the incident, obtained by CNN.



The threat actor installed malicious code to expand their access to the system and then exfiltrated all the log-in credentials for a piece of Microsoft password management software used to control network access. 



“If the compromise had not been detected, the attacker would have had unrestricted remote access to the [IT] network,” the unclassified report by US Coast Guard Cyber Command reportedly reads.  



“With this unrestricted access, the attacker would have had numerous options to deliver further effects that could impact port operations.”



Source: Infosecurity

BloodyStealer: Advanced New Trojan Targets Accounts of Popular Online Gaming Platforms

Kaspersky researchers have discovered an advanced Trojan, dubbed BloodyStealer, sold on darknet forums and used to steal gamers’ accounts on popular gaming platforms, including Steam, Epic Games Store, and EA Origin.
Source: DarkReading

CVE-2021-23445

This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function, its contents are not escaped.
Source: NIST
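The class of bug described for CVE-2021-23445 is an escape helper that only handles strings and hands an array back untouched. As an added illustration, not datatables.net's own code, the constructed JavaScript below places that pattern beside a version that walks arrays and escapes each element; all function names and the sample data are assumptions.

```javascript
// Constructed illustration of the bug class behind CVE-2021-23445.
// Not the datatables.net implementation; names are assumptions.

// Minimal HTML entity escaping for a single string.
function escapeString(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Vulnerable pattern: anything that is not a string (arrays included)
// is returned as-is, so its raw markup survives into the rendered output.
function escapeEntitiesNaive(value) {
  return typeof value === 'string' ? escapeString(value) : value;
}

// Hardened pattern: recurse into arrays so every nested string is escaped;
// non-string scalars (numbers, booleans, null) pass through unchanged.
function escapeEntitiesSafe(value) {
  if (Array.isArray(value)) {
    return value.map(escapeEntitiesSafe);
  }
  return typeof value === 'string' ? escapeString(value) : value;
}

// Render a value into a table cell with the chosen escape helper.
// String concatenation stringifies an array with commas, so with the
// naive helper the unescaped markup ends up inside the cell.
function renderCell(value, escapeFn) {
  return '<td>' + escapeFn(value) + '</td>';
}

// Constructed sample: an array value destined for a table cell.
const sample = ['<b>a</b>', 'x & y'];
```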

CVE-2021-37761

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.
Source: NIST

CVE-2021-41753

A denial-of-service vulnerability in the WPA2 and WPA3-SAE authentication methods of D-Link DIR-X1560 v1.04B04 and DIR-X6060 v1.11B04 allows a remote unauthenticated attacker to disconnect a wireless client by sending specific spoofed SAE authentication frames.
Source: NIST

CVE-2021-40329

The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
Source: NIST

CVE-2021-41558

The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config.
Source: NIST

CVE-2021-36134

An out-of-bounds write vulnerability in the JPEG parsing code of Netop Vision Pro up to and including 9.7.2 allows an adjacent unauthenticated attacker to write to arbitrary memory, potentially leading to a denial of service (DoS).
Source: NIST