A VPN bypass technique dubbed TunnelVision was discovered that allows an unauthenticated user to send DHCP messages to manipulate routes to redirect VPN traffic. This vulnerability may allow a threat actor to read, disrupt, or modify network traffic expected to be protected by the VPN. If successfully exploited, the existing VPN tunnel remains intact, and the side channel created by the threat actor is undetectable. This “decloaking” method is identified as CVE-2024-3661. Recommendations and technical details can be found in the Zscaler blog post and the Leviathan Security blog post.
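As an added example that is not from the bulletin or the referenced blog posts, the Python below parses the options of a constructed DHCPOFFER and flags classless static routes (DHCP option 121, the route-pushing mechanism TunnelVision relies on) that would take precedence over a VPN client's tunnel route. The offer bytes, the 192.0.2.1 gateway and the 0.0.0.0/0 tunnel route are constructed assumptions; adjust the tunnel route to match the client in use.

```python
import ipaddress

# Constructed sample (not a real capture): the options field of a DHCPOFFER,
# i.e. the bytes after the magic cookie. Option 121 carries two classless
# static routes, 0.0.0.0/1 and 128.0.0.0/1, via a hypothetical LAN gateway
# 192.0.2.1: together they cover all of IPv4 and are more specific than a
# VPN client's 0.0.0.0/0 tunnel route, so they win every routing lookup.
OFFER_OPTIONS = bytes([
    53, 1, 2,                    # option 53: message type = DHCPOFFER
    1, 4, 255, 255, 255, 0,      # option 1: subnet mask 255.255.255.0
    3, 4, 192, 0, 2, 1,          # option 3: default router
    121, 12,                     # option 121: classless static routes
    1, 0x00, 192, 0, 2, 1,       #   0.0.0.0/1   -> 192.0.2.1
    1, 0x80, 192, 0, 2, 1,       #   128.0.0.0/1 -> 192.0.2.1
    255,                         # end option
])

def parse_options(opts: bytes) -> dict:
    """Walk the option TLVs into {code: value}; END (255) stops, PAD (0) is skipped."""
    result, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = opts[i + 1]
        result[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return result

def parse_classless_routes(data: bytes) -> list:
    """Decode option 121 (RFC 3442): prefix length, only the significant
    destination octets, then a 4-byte router. Returns [(network, gateway)]."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8                          # octets actually sent
        gw = data[i + 1 + n:i + 5 + n]
        if plen > 32 or len(gw) != 4:
            raise ValueError("malformed classless static route")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)  # pad to 4 octets
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen))
        routes.append((net, str(ipaddress.IPv4Address(gw))))
        i += 5 + n
    return routes

def covered_fraction(routes) -> float:
    """Share of the IPv4 space the pushed routes would divert off the VPN."""
    nets = ipaddress.collapse_addresses([net for net, _ in routes])
    return sum(net.num_addresses for net in nets) / 2 ** 32

def route_that_captures(routes, dst: str, vpn_prefix: str = "0.0.0.0/0"):
    """Longest-prefix match: the DHCP route that beats the VPN route for dst,
    or None if the tunnel route still wins. vpn_prefix is an assumption about
    how the client installs its tunnel route; adjust it to the client in use."""
    addr, vpn = ipaddress.IPv4Address(dst), ipaddress.IPv4Network(vpn_prefix)
    best = None
    for net, gw in routes:
        if addr in net and net.prefixlen > vpn.prefixlen:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    return best
```

Run against a real DHCPOFFER captured on the client's physical interface, a non-empty result from route_that_captures for a destination that should stay inside the tunnel is the condition worth alerting on.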
Month: May 2024
Security Issues with IoT Devices
As more Internet of Things (IoT) devices become prominent in our daily lives, concerns about their security shortcomings also increase. These devices—such as smart thermostats, smart appliances, and internet-connected security cameras and systems—add a layer of convenience and ease of access to many technologies we use regularly. While they have many advantages, they also have the disadvantage of being more vulnerable to cyberattacks.
Researchers recently identified vulnerabilities in Telit Cinterion cellular modems that leave millions of IoT devices at risk. The most severe vulnerability could allow arbitrary code to be executed remotely on the modem without prior authentication. Telit Cinterion cellular modems are widely used in the automotive, industrial, financial, healthcare, and telecommunication sectors. Researchers recommend disabling nonessential SMS capabilities for vulnerable IoT devices and employing private Access Point Names (APNs) with strict security settings.
Vulnerabilities were also previously discovered in the popular internet-connected treadmill, Peloton. While these vulnerabilities could allow threat actors to gain access to the network, they would also require threat actors to have physical access to the treadmill. Using social engineering, a determined threat actor could compromise the smart home device.
Additionally, smart home security systems are vulnerable to compromise. Earlier this year, Wyze cameras had a security incident in which 13,000 accounts were compromised, and approximately 1,500 users were able to view the feed of other Wyze cameras. Wyze had a similar incident in September 2023.
IoT devices are often used to build botnets, as their usually lax security measures make them ideal targets for threat actors. Many IoT devices still use default login account credentials and often go unpatched. Once compromised, threat actors can remotely control these devices. Botnets are frequently used in distributed denial-of-service (DDoS) attacks, and can also be used for credential stuffing, cryptojacking attacks, phishing, and infecting more devices with botnet malware.
In March, the Connectivity Standards Alliance (CSA) Product Security Working Group released its IoT Device Security Specification 1.0 to upgrade IoT security measures. Highlights of these requirements include:
- Factory resets must return the device to a secure default.
- No hardcoded default passwords.
- Secure storage of sensitive data.
- Data must be stored and transmitted securely.
- Secure software updates to patch security issues.
- Secure development process.
- Known vulnerabilities must be identified, disclosed, and mitigated.
Recommendations
- Keep all devices patched with the latest security updates after appropriate testing.
- Change the default password for accounts and devices.
- Use strong, complex passwords and multi-factor authentication (MFA) wherever possible, choosing authentication apps or hardware tokens over SMS text-based codes.
Proposal to Revise SP 800-135 Revision 1, “Recommendation for Existing Application-Specific Key Derivation Functions”
In July 2023, NIST’s Crypto Publication Review Board initiated a review of Special Publication (SP) 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions (2011). NIST received five public comments in response.
NIST proposes to revise SP 800-135 Rev. 1 to:
- standardize additional application-specific key derivation functions,
- maintain consistency with the upcoming revision of SP 800-131A regarding approved hash functions, and
- update references to current versions of existing application-specific key derivation functions.
Submit your comments on this decision proposal by June 14, 2024 to [email protected] with “Comments on SP 800-135 Decision Proposal” in the subject line.
Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.
Vulnerability in Google Chrome
A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with administrative user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
There are reports of this vulnerability being exploited in the wild.
Systems Affected
- Chrome prior to 124.0.6367.201/.202 for Windows and Mac
- Chrome prior to 124.0.6367.20 for Linux
Risk
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home Users: Low
Recommendations
- Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing.
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Restrict execution of code to a virtual environment on or in transit to an endpoint system.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
- Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
References
Google: https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4671
#StopRansomware: Black Basta
This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) released this Joint Cybersecurity Advisory to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.
This advisory provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May, Black Basta affiliates have impacted over 500 organizations globally.
Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta Tor site, Basta News.
Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.
The authoring organizations urge the HPH Sector and all critical infrastructure organizations to apply the recommendations in the mitigations section of this advisory to reduce the likelihood of compromise from Black Basta and other ransomware attacks.
Cyber Criminals Phishing and SMiShing US Retail Corporations for Gift Card Fraud
The Federal Bureau of Investigation (FBI) released this Private Industry Notification (PIN) to highlight cybercriminals’ activity using phishing and Short Message Service (SMS) phishing (SMiShing) campaigns against employees at US retail corporate offices in order to create fraudulent gift cards resulting in financial loss. |
As of January, the FBI noted a cybercriminal group labeled STORM-0539, also known as Atlas Lion, targeting national retail corporations, specifically the gift card departments located in their corporate offices. STORM-0539 used SMiShing campaigns to target employees and gain unauthorized access to employee accounts and corporate systems. Once they gained access, STORM-0539 actors used phishing campaigns to target other employees to elevate network access and target the gift card department in order to create fraudulent gift cards.
This FBI PIN includes some of the tactics, techniques, and procedures (TTPs) observed from STORM-0539 actors and recommended mitigations to reduce the likelihood and impact of similar attack campaigns, and is provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Russian Hacktivists Target Water and Wastewater Facilities Nationally
The Cyber Army of Russia Reborn (CARR), a hacktivist group connected to the Russian government, is actively targeting Water and Wastewater facilities across the United States to break into Supervisory Control and Data Acquisition (SCADA) systems, which are commonly used to control and monitor water utilities.
Numerous incidents have been reported nationally, and the frequency of these incidents has spiked in recent weeks. While none of the cyberattacks impacted drinking water for communities, the incidents mark a notable escalation in Russia’s targeting of critical infrastructure in the United States.
In January, a cyberattack against a water facility in Muleshoe, Texas caused a water tank to overflow. During the incident, hackers used a compromised password to break into a remote login system for industrial software that allows operators to interact with the water tanks. Officials took the system offline and switched to manual operations following the attack. Around the same time, authorities in several nearby Texan towns also implemented defensive strategies after detecting suspicious activity on their networks.
Related cyber threat activity targeting water utilities has recently increased, with additional incidents across the United States. CARR has claimed responsibility for the cyberattacks in a series of posts shared online. The posts are accompanied by screen recordings depicting the hackers infiltrating the water supply systems, changing passwords, and manipulating controls. Similar tactics, techniques, and procedures (TTPs) have been employed in the attacks, including using compromised passwords for accounts that did not have multi-factor authentication (MFA) enabled. In all instances, the hackers were observed attempting to access SCADA systems.
Mandiant has recently determined that CARR is connected to Sandworm, also known as APT44. Sandworm is part of Russia’s GRU military intelligence agency. Their research showed that Sandworm helped create CARR and can likely influence CARR’s activities. However, they are still determining if the group is operating independently.
Recommendations:
- Use strong, unique passwords and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Apply the Principle of Least Privilege.
- Keep systems up to date and apply patches after appropriate testing.
- Install endpoint security solutions to help protect against malware.
- Employ a comprehensive data backup plan.
- Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
- Ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
Delivery Service Scams Continue to Evolve
Phishing attacks posing as popular delivery services are becoming more challenging to spot. Many of these scams begin with a text message or email, often claiming that a package cannot be delivered. They may use language such as “final notice” to scare users into acting immediately. These messages provide a link stating that more information is needed to finish the pending delivery.
[Image: USPS SMiShing attempt. Source: Akamai]
Upon clicking the provided link, users are directed to a well-crafted malicious website. The website’s design may appear to be a replica of the authentic delivery service’s website, using logos, color schemes, and a falsified tracking information page. These websites may ask for address information or state that a small fee must be remitted to release the package for delivery.
These threat actors often use combosquatting domains to impersonate the delivery service. Researchers compared the amount of DNS traffic to the legitimate USPS.com and to combosquatted domains over five months. The study was limited to domain names that include “USPS” and focused on the most apparent examples of combosquatting. Fully qualified domain names were ignored during the analysis because of the use of subdomains. Even within these parameters, the researchers found that the impersonating USPS domains receive as much traffic as the official domain, and much more during holidays.
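The comparison the researchers describe, reduced to its core step, as an added example that is not the researchers' code or data: each queried name in a constructed DNS query log is cut down to its registrable domain so subdomains are ignored, then bucketed as the legitimate usps.com, a combosquat whose registrable label contains the “USPS” token, or unrelated. The log lines and the .example domains are constructed, and the two-label registrable-domain rule is a simplification standing in for the Public Suffix List.

```python
import re
from collections import Counter

# Constructed DNS query-log lines (not real data) in a BIND-like format;
# only the queried name is used by the analysis below.
SAMPLE_LOG = """\
12-May-2024 09:01:10 client 10.0.0.5#51234: query: tools.usps.com IN A
12-May-2024 09:01:12 client 10.0.0.7#51890: query: usps-redelivery.example IN A
12-May-2024 09:01:15 client 10.0.0.9#40021: query: tracking.uspsparcel-update.example IN A
12-May-2024 09:01:19 client 10.0.0.5#51235: query: www.usps.com IN A
12-May-2024 09:01:23 client 10.0.0.12#33001: query: usps-redelivery.example IN A
12-May-2024 09:01:30 client 10.0.0.4#45000: query: mail.example.org IN MX
"""

BRAND = "usps"                      # token the study filtered on
LEGIT_DOMAINS = {"usps.com"}        # the official registrable domain
QUERY_RE = re.compile(r"query: (?P<name>[\w.-]+) IN ")

def registrable_domain(fqdn: str) -> str:
    """Drop subdomains and keep the last two labels. Simplification: a real
    analysis would consult the Public Suffix List so co.uk-style suffixes work."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def classify(domain: str) -> str:
    """legitimate | combosquat (brand token inside another registrable name) | other."""
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    second_level = domain.split(".")[0]
    return "combosquat" if BRAND in second_level else "other"

def tally(log: str) -> dict:
    """Count queries per class and per combosquat domain, plus the
    combosquat-to-legitimate query ratio the researchers compared."""
    counts, per_domain = Counter(), Counter()
    for line in log.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue                # ignore lines that are not queries
        domain = registrable_domain(match.group("name"))
        cls = classify(domain)
        counts[cls] += 1
        if cls == "combosquat":
            per_domain[domain] += 1
    ratio = counts["combosquat"] / max(counts["legitimate"], 1)
    return {"counts": dict(counts), "combosquats": dict(per_domain), "ratio": ratio}
```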
While threat actors continue improving their techniques, there are signs of malicious attempts to steal information:
- The greetings are generic, as threat actors often send mass messages and do not have specific details.
- The message describes a problem that requires personal details, payment information, or re-entry of address information.
- There is no prior knowledge of the incoming delivery.
- The provided link does not lead to the official website for the delivery service.
Recommendations
- Avoid clicking links in, responding to, or otherwise acting on unsolicited text messages or emails.
- Track incoming packages via websites obtained from verified and official sources.
- Navigate directly to legitimate websites and verify websites before submitting account credentials or providing personal or financial information.
- Report SMiShing to the FTC, the FBI’s IC3, and the NJCCIC, and forward the message to 7726 (SPAM). USPS requests that any USPS-related SMiShing also be reported to [email protected].
NJCCIC Change Healthcare Ransomware Incident
The NJCCIC previously reported on the ransomware attack against Change Healthcare, one of the largest healthcare technology companies in the United States. This cyberattack showcases the cascading ramifications of ransomware incidents, including financial impacts and risks of paying ransom demands.
Financial Impacts: The ransomware attack caused considerable impacts, including disruptions to payment processing, prescription writing, and insurance claims. UnitedHealth, the parent company of Change Healthcare, disclosed that the incident has cost the company approximately $872 million so far. According to the American Hospital Association (AHA), about 94 percent of US hospitals reported damage to cash flow due to the incident, with over 50 percent reporting severe or significant financial damage, largely due to the inability to process claims.
Initial Attack Vector: In Change Healthcare CEO Andrew Witty’s written testimony for the House Energy and Commerce subcommittee hearing, Witty states that the BlackCat ransomware group breached Change Healthcare’s network via stolen credentials that were used to log into the company’s Citrix remote access service. It is believed that the credentials were obtained via information-stealing malware. The account did not have multi-factor authentication enabled, a security failure at odds with standard industry best practices.
Risks of Paying Ransom Demands: In early March, Change Healthcare reportedly paid a $22 million ransom demand to the cybercriminals behind the attack; however, the BlackCat ransomware operators failed to pay the ransomware affiliate, known as “Notchy.” The affiliate refused to delete the four terabytes of data they stole from Change Healthcare, which includes personally identifiable information and protected health information. In early April, the cybercriminals threatened to sell or release the data unless an additional ransom payment was made. UnitedHealth was removed from the ransomware group’s leak site, indicating the company may have paid the second ransom demand.
Business Continuity with Azure’s Business Continuity Center
Hi, reader of this blog: here is an offer from Microsoft that might interest you.
We are thrilled to announce the Azure Business Continuity Center (ABCC, replacing the BCDR Center preview with a new enhanced experience), an enhanced version of Backup center. With ABCC, you can easily identify gaps in your protection estate, take action to fix them, understand your protection settings across multiple policies, perform centralized monitoring with a single location for managing Azure Backup and Site Recovery jobs, and define governance and auditing compliance using Azure policies – all in one convenient location. ABCC also provides a simplified yet powerful security posture view of advanced protection capabilities to improve recoverability from accidental, malicious, or ransomware attacks. With ABCC, you improve productivity and efficiency while enhancing your security posture and overall BCDR experience. You can manage all your Azure resources protected with Azure Backup or Site Recovery, as well as VMware VMs replicating with Azure Site Recovery, using Azure Business Continuity Center.
The new Azure Business Continuity Center experience offers a range of features to help you manage your security and protection needs. Here’s a summary of benefits that you can expect in this preview:
• View a summary of the overall security and protection estate to identify and fix issues across Azure Backup and Site Recovery in real time.
• Identify unprotected resources across Azure Backup & Site Recovery.
• View the entire protection estate in primary and secondary regions, identify gaps in protection, and perform BCDR operations on all protected resources across Azure Backup & Site Recovery from the same view.
• Assess the security of all your BCDR data and improve it by using advanced protection capabilities like immutable vaults, soft-delete, and multi-user authorization.
• Centrally monitor the jobs across Azure Backup and Site Recovery from a single location.
• Define and govern the resources against the configuration and audit compliance using Azure Policies.
• View protection policies used to meet your protection requirements across Azure Backup and Site Recovery and understand the settings configured.
• Manage vaults across Azure Backup and Site Recovery from a single location.
We believe that the renewed ABCC will improve productivity and efficiency while enhancing your security posture and overall BCDR experience. We invite you to join our private preview and experience the benefits of ABCC for yourself.
Getting started is easy: no prerequisite steps are required, and there is no cost associated. To start, simply navigate to the Azure portal and search for Azure Business Continuity Center.
We look forward to you giving it a try and sharing your valuable feedback to help shape the experience. Let us know if you require a demo of the new management capabilities in ABCC.
Below are a few resources to get started:
• Revolutionize Business Continuity and Disaster Recovery with Azure’s Business Continuity Center
• What is Azure Business Continuity Center?
• Capabilities in Azure Business Continuity Center