Building a Cybersecurity and Privacy Learning Program: NIST Publishes SP 800-50r1

NIST Special Publication (SP) 800-50r1 (Revision 1), Building a Cybersecurity and Privacy Learning Program, provides updated guidance for developing and managing a robust cybersecurity and privacy learning program in the Federal Government. This revision was informed by the National Defense Authorization Act (NDAA) for FY2021, the Cybersecurity Enhancement Act of 2014, and the NICE Workforce Framework for Cybersecurity (NICE Framework). In addition, the 2016 update to Office of Management and Budget (OMB) Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs.

This revision to SP 800-50:

  • Integrates privacy with cybersecurity in the development of organization-wide learning programs
  • Introduces a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events
  • Introduces a learning program concept that incorporates language found in other NIST documents
  • Leverages current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework
  • Proposes an employee-focused cybersecurity and privacy culture for organizations
  • Integrates learning programs with organizational goals to manage cybersecurity and privacy risks
  • Addresses the challenge of measuring the impacts of cybersecurity and privacy learning programs
  • Incorporates guidance for using standard instructional design elements, maturity models, and assessment approaches

With the publication of SP 800-50r1, NIST has ceased developing a companion guide—SP 800-16r1 third public draft, A Role-Based Model for Federal Information Technology/Cybersecurity Training—and has withdrawn SP 800-16, Information Technology Security Training Requirements: a Role- and Performance-Based Model (1998).


NIST Publishes IR 8459, Report on the Block Cipher Modes of Operation in the SP 800-38 Series

NIST is pleased to announce the release of Internal Report (IR) 8459, Report on the Block Cipher Modes of Operation in the NIST SP 800-38 Series.

Under the auspices of NIST’s Cryptographic Publication Review Board, IR 8459 supports the ongoing review of the Special Publication (SP) 800-38 series, which approves a variety of block cipher modes of operation for encryption and authentication. In particular, IR 8459 surveys relevant research results about the modes and their implementations, and it provides a set of recommendations to improve the corresponding standards.

See additional information about NIST’s cipher modes project.


Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

Summary

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

To mitigate this malicious cyber activity, organizations should take the following actions today:

  • Prioritize routine system updates and remediate known exploited vulnerabilities.
  • Segment networks to prevent the spread of malicious activity.
  • Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors, both during and following their deployment of WhisperGate against Ukraine, as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory, Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.


NIST small business cybersecurity webinar

Event Date: October 23, 2024

Event Time: 2:00PM – 3:00PM EDT

Event Location: Virtual

Description:

Identity and Access Management is a fundamental and critical cybersecurity capability for businesses of all sizes. To protect your business from fraud and unauthorized system and data access, you want to take steps to ensure that only the right people and technologies have the right level of access to the right resources at the right time.

For many busy small business owners, the use of passwords has been the primary method for locking down access to sensitive systems and data. However, passwords alone are not effective for protecting your data from most attackers. They have become too easy for threat actors to exploit at scale and with limited effort. So that leaves us with the question: what can a small business owner with limited resources do to protect their systems and information from unauthorized access?

During this webinar, we’ll take it back to the fundamentals to discuss practical steps small businesses can take to enhance their identity and access management, resulting in a stronger, more resilient business in the face of increasing cybersecurity risks. We will cover:

  • Current guidance and leading practices for multi-factor authentication (MFA), including phishing-resistant MFA.
  • Identity and Access Management approaches to consider as your business grows.
  • How identity and access management is covered in the NIST Cybersecurity Framework 2.0.

Speakers:

  • Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division, NIST
  • Robert Thelen, CEO and Co-Founder, Rownd 

Sextortion Scams Are Back

Image Source: KrebsOnSecurity

The NJCCIC received incident reports indicating that a new version of the well-known sextortion email scam is currently circulating. This version now includes a photo of the recipient’s home, likely found via online mapping applications. The targeted individual’s home address could have been easily obtained in public data records or through compromised personal information resulting from data breaches. This fraudulent scheme claims that the Pegasus spyware was installed on the target’s device and secretly recorded webcam footage of recipients engaging in intimate activities. The targeted individual is then threatened with the release of compromising or sexually explicit photos or videos to contacts and their social media platforms if a Bitcoin payment ranging from $500 to $2,500 is not made. The email states that the targeted individual has 24 hours to pay by scanning the included QR code. The cybercriminal also claims to have embedded a specific pixel to identify when the email was read, starting the 24-hour countdown.

Recommendations

The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. There is no indication that these threats are credible; therefore, users are advised to refrain from sending funds and disregard these emails. Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails. Users can search for and report the bitcoin addresses included in the scam email to the Bitcoin Abuse Database. This scam can be reported to the Federal Trade Commission (FTC), the FBI’s IC3 and the NJCCIC.

Multiple Vulnerabilities in Veeam Products Could Allow for Remote Code Execution – PATCH: NOW

OVERVIEW:
Multiple vulnerabilities have been discovered in Veeam Products, the most severe of which could allow for remote code execution.

  • Veeam Backup & Replication is a proprietary backup app.
  • Veeam ONE is a solution for managing virtual and data protection environments.
  • Veeam Service Provider Console provides centralized monitoring and management capabilities for Veeam protected virtual, Microsoft 365, and public cloud workloads.
  • Veeam Agent for Linux is a backup agent designed for Linux instances.
  • Veeam Backup for Nutanix.
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:
There are no reports that these vulnerabilities are being exploited in the wild.

SYSTEMS AFFECTED:

  • Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds.
  • Veeam Agent for Linux 6.1.2.1781 and all earlier version 6 builds.
  • Veeam ONE 12.1.0.3208 and all earlier version 12 builds.
  • Veeam Service Provider Console 8.0.0.19552 and all earlier version 8 builds.
  • Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and all earlier version 12 builds.
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45 and all earlier version 12 builds.
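A small triage script, added here as an example (not Veeam's or the advisory author's tooling), that applies the version ranges above to an asset inventory: a build is flagged when it shares the stated major version and is at or below the listed ceiling. The hostnames and build numbers in the sample inventory are constructed for the demonstration.

```python
"""Flag Veeam builds that fall inside the affected ranges listed in this
advisory. Added example, not Veeam's or MS-ISAC's tooling; the inventory
entries below are constructed sample data."""

# Each affected range is "<ceiling build> and all earlier builds of the same
# major version", exactly as the SYSTEMS AFFECTED section states it.
AFFECTED_RANGES = {
    "Veeam Backup & Replication": "12.1.2.172",
    "Veeam Agent for Linux": "6.1.2.1781",
    "Veeam ONE": "12.1.0.3208",
    "Veeam Service Provider Console": "8.0.0.19552",
    "Veeam Backup for Nutanix AHV Plug-In": "12.5.1.8",
    "Veeam Backup for Oracle Linux Virtualization Manager and "
    "Red Hat Virtualization Plug-In": "12.4.1.45",
}


def parse_version(text):
    """'12.1.2.172' -> (12, 1, 2, 172). Raises ValueError on non-numeric parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def is_affected(product, version):
    """True if `version` is the advisory ceiling or any earlier build of the
    same major version. Unknown products return False: not 'safe', simply
    not covered by this advisory."""
    ceiling = AFFECTED_RANGES.get(product)
    if ceiling is None:
        return False
    installed = parse_version(version)
    limit = parse_version(ceiling)
    # A different major version is a different release train; the advisory
    # ranges only cover the stated major.
    if installed[0] != limit[0]:
        return False
    # Tuple comparison also handles builds with fewer components:
    # (12, 1) < (12, 1, 2, 172).
    return installed <= limit


def triage(inventory):
    """inventory: iterable of (hostname, product, version) tuples.
    Returns the entries that need patching, sorted by hostname."""
    return sorted(
        (host, product, ver)
        for host, product, ver in inventory
        if is_affected(product, ver)
    )


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("vbr-01", "Veeam Backup & Replication", "12.1.2.172"),   # ceiling build: affected
    ("vbr-02", "Veeam Backup & Replication", "12.2.0.1"),     # later 12.x build: outside range
    ("vbr-03", "Veeam Backup & Replication", "11.0.1.1261"),  # v11 train: not covered here
    ("vone-01", "Veeam ONE", "12.0.1.2591"),                  # earlier 12.x: affected
    ("vspc-01", "Veeam Service Provider Console", "8.0.0.19552"),
    ("lnx-01", "Veeam Agent for Linux", "6.1.2.1781"),
    ("lnx-02", "Veeam Agent for Linux", "6.2.0.101"),
]

if __name__ == "__main__":
    for host, product, ver in triage(SAMPLE_INVENTORY):
        print(f"PATCH {host}: {product} {ver}")
```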

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium 

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Veeam Products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability allowing unauthenticated remote code execution (RCE). (CVE-2024-40711)
  • A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (saved credentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication. (CVE-2024-40710)
  • A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed. (CVE-2024-42024)
  • A vulnerability that allows low-privileged users to execute code with Administrator privileges remotely. (CVE-2024-42023)
  • A vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server. (CVE-2024-39714)
  • A vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server. (CVE-2024-39715)
  • A vulnerability that permits a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server. (CVE-2024-38651)

Additional lower severity vulnerabilities include:

  • A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA. (CVE-2024-40713)
  • A vulnerability that allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account. (CVE-2024-39718)
  • A vulnerability in TLS certificate validation allows an attacker on the same network to intercept sensitive credentials during restore operations. (CVE-2024-40714)
  • A path traversal vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE). (CVE-2024-40712)
  • A vulnerability that allows a local low-privileged user on the machine to escalate their privileges to root level. (CVE-2024-40709)
  • A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup & Replication. (CVE-2024-42019)
  • A vulnerability that allows an attacker with valid access tokens to access saved credentials. (CVE-2024-42021)
  • A vulnerability that allows an attacker to modify product configuration files. (CVE-2024-42022)
  • A vulnerability in Reporter Widgets that allows HTML injection. (CVE-2024-42020)
  • A vulnerability that allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server. (CVE-2024-38650)
  • A vulnerability that allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability. (CVE-2024-40718)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Veeam to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Veeam: 
https://www.veeam.com/kb4649

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42024

Proposal to Update FIPS 202, “SHA-3 Standard” and Revise SP 800-185, “SHA-3 Derived Functions”

In July 2023, NIST’s Crypto Publication Review Board initiated a review of the following publications:

In response, NIST received public comments on FIPS 202 and SP 800-185.

NIST proposes to update FIPS 202 to improve its editorial quality. For example, text about SHA-1 and Triple DES will be edited to reflect the withdrawal of those techniques, as suggested in the public comments.

NIST proposes to revise SP 800-185 to provide “streaming” specifications of the two extendable output functions (XOFs) SHAKE128 and SHAKE256, to support implementations in which the length of the data output and the complete data input are not necessarily available before the XOF is called.
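The two behaviours a streaming XOF interface has to pin down, shown with Python's hashlib SHAKE objects as an added example (not NIST's specification text): input absorbed in pieces must match one-shot hashing, and a shorter output must be a prefix of a longer one so bytes can be handed out before the final length is known. The message chunks are constructed sample data.

```python
"""Streaming-XOF sanity checks for SHAKE128 and SHAKE256. Added example using
hashlib; not NIST's draft specification, only an illustration of the
behaviour that specification pins down."""
import hashlib

# The two XOFs SP 800-185 would give streaming specifications for.
XOFS = ("shake_128", "shake_256")


def absorb_in_chunks(name, chunks):
    """Absorb a message piece by piece, as a caller that does not yet hold the
    complete input would, and return the finished XOF context."""
    ctx = hashlib.new(name)
    for chunk in chunks:
        ctx.update(chunk)
    return ctx


def incremental_matches_one_shot(name, chunks, out_len):
    """Streaming the input through update() must yield the same output bytes
    as hashing the concatenated message in a single call."""
    streamed = absorb_in_chunks(name, chunks).digest(out_len)
    one_shot = hashlib.new(name, b"".join(chunks)).digest(out_len)
    return streamed == one_shot


def output_is_prefix_consistent(name, msg, short_len, long_len):
    """A XOF's shorter output is a prefix of its longer output. This is the
    property that lets an implementation squeeze output before the caller
    has decided how many bytes it needs."""
    short = hashlib.new(name, msg).digest(short_len)
    longer = hashlib.new(name, msg).digest(long_len)
    return longer[:short_len] == short


def squeeze_in_blocks(name, msg, block_len, n_blocks):
    """hashlib cannot squeeze incrementally, so 'more output later' is
    emulated by deriving the longer output and slicing it; prefix consistency
    guarantees the earlier blocks are unchanged. Returns the blocks in order."""
    total = hashlib.new(name, msg).digest(block_len * n_blocks)
    return [total[i * block_len:(i + 1) * block_len] for i in range(n_blocks)]


# Constructed sample input, split where a streaming caller might receive it.
SAMPLE_CHUNKS = [b"Comments on ", b"SP 800-185 ", b"Decision Proposal"]


def run_checks():
    """Run both checks for both XOFs, with output lengths that cross a
    squeeze-block boundary (168 bytes for SHAKE128, 136 for SHAKE256)."""
    msg = b"".join(SAMPLE_CHUNKS)
    return {
        name: {
            "incremental_absorb_ok": incremental_matches_one_shot(name, SAMPLE_CHUNKS, 200),
            "prefix_consistent_ok": output_is_prefix_consistent(name, msg, 32, 400),
        }
        for name in XOFS
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
    first, second = squeeze_in_blocks("shake_256", b"".join(SAMPLE_CHUNKS), 32, 2)
    print("block 0:", first.hex())
    print("block 1:", second.hex())
```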

The public comments included suggestions that NIST specify and approve several other SHA-3 derived functions. NIST is considering whether to specify and approve one or more SHA-3 derived functions for authenticated encryption with associated data in a new, separate Special Publication.

Submit your comments on this decision proposal by October 7, 2024, to [email protected] with “Comments on FIPS 202 Decision Proposal” or “Comments on SP 800-185 Decision Proposal” in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.


Current Cyber Threats Targeting the Education Sector

The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyberattacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom.

Summary

The education sector stands out as a primary focus for threat actors, ranking among the most vulnerable sectors globally. This susceptibility stems from the vast collection of valuable data, a general deficit in cybersecurity awareness, and extensive, prevalent vulnerabilities. Educational institutions manage the daily activities of hundreds or thousands of students and faculty members. Consequently, they handle extensive and sensitive data such as student and educator login details, home addresses, birthdates, full names, social security numbers, credit card details, and other financial records. According to Check Point Research, the education sector experienced an average of 3,086 weekly attacks per organization, marking a 37 percent increase compared to 2023. Social engineering, various business email compromise scams, and vulnerability exploitation pose significant threats, resulting in data breaches, financial losses, and reputational damages.

The education sector is often slow to adopt modern cybersecurity solutions due to a lack of funding. This can lead to outdated technology, limited resources to invest in cyber solutions, and ever-growing institution sizes. Public schools receive funding from the government, which often leads to budget constraints. Consequently, cybersecurity is often deprioritized in favor of staff salaries, school resources, and infrastructure upgrades.

Vulnerability exploitation in educational institutions involves attackers identifying and leveraging weaknesses in the institution’s software or systems to gain unauthorized access or cause harm. Educational institutions often use a wide array of technologies, including older legacy systems that may not be regularly updated or patched, making them susceptible to such exploits. The open network environments common in educational settings and the high turnover of students and staff can exacerbate these security challenges. Additionally, limited cybersecurity budgets and resources mean that necessary updates and security practices may be neglected. The consequences of vulnerability exploitation can be severe, ranging from data breaches and loss of privacy to substantial disruptions in educational services and financial losses.

Social engineering poses the most significant threat to the education sector, which includes phishing and business email compromise (BEC) attacks. Phishing, a type of social engineering attack against educational institutions, typically involves cybercriminals sending fraudulent emails or messages that mimic legitimate communications. The emails may appear to originate from trusted sources like the school administration, IT services, or popular educational software providers. Often, these messages include urgent requests or threats, compelling recipients to act quickly without proper scrutiny, leading to compromised accounts or data breaches. Personal data obtained through successful phishing attacks enables cybercriminals to target high-profile individuals with spear phishing and whaling attacks and distribute malware, such as ransomware. Additionally, cybercriminals benefit from compromising account credentials to gain access to a school or university network, often through successful phishing attempts.

Unlike generic phishing scams, BEC scams are a highly targeted form of social engineering, often incorporating preliminary reconnaissance on potential victims and using various impersonation techniques, including email spoofing and look-alike domains. Threat actors spoof a familiar contact’s source name or email address to convey a sense of legitimacy, use domain names that mimic a trusted source, or compromise a legitimate account. The messages typically instruct the target to transfer funds, purchase gift cards, or provide other sensitive information to the threat actors posing as trusted individuals or businesses. Common types of BEC attacks include wire transfer scams, direct deposit scams, W-2 scams, and invoice scams. BEC scams can result in system compromises, data breaches, financial losses, and reputational damages.

Invoice scams begin with a threat actor impersonating trusted vendors with whom the target organization does business. They send emails to redirect outstanding and future invoices for products or services to a new bank account. Threat actors may attach legitimate or fraudulent invoices with inflated amounts and provide new payment policies with payment instructions and updated bank account details to steal funds from the vendor’s customers. According to the 2023 FBI IC3 Internet Crime Report, BEC scams are the second most expensive type of cybercrime. In 2023, New Jersey claimed 628 victims in BEC scams and ranked second in the nation with an average loss per victim of $223,000.

Direct deposit or payroll diversion scams occur when threat actors impersonate an employee, often by creating a free email address using the employee’s name and employing display name spoofing in the messages. They frequently send fraudulent emails to payroll or human resources departments, and direct deposit change forms are requested. Occasionally, threat actors may locate an organization’s direct deposit change form online and include a filled-out form in the email to divert an employee’s direct deposit account information to an account under the threat actor’s control.

Credential harvesting allows threat actors to compromise further accounts, escalate privileges, exploit vulnerabilities, move laterally within a network, deploy malware, and breach data. Threat actors attempt to harvest or steal these credentials primarily through phishing or distributing malware such as infostealers. Infostealer activity has increased significantly: threat actors compromise business and personal devices and exfiltrate millions of credentials, which are usually sold on dark web forums to other threat actors looking to compromise accounts or conduct further malicious activity. Moreover, in the education sector, it is common to observe the reuse of passwords across multiple accounts and the sharing of account credentials for frequently used applications. This practice increases the impact of a successful cyberattack and poses significant risks, potentially resulting in numerous compromised accounts.

School networks can be challenging to secure because they have a large user base, including faculty, staff, and students. With technology being an essential part of education, many schools have opted for Bring Your Own Device (BYOD) policies, which allow students and employees to connect their personal computers, tablets, and mobile phones to the school network. However, if BYOD policies are not implemented with security in mind, they can increase the risk of compromising the network and exposing sensitive data to potential threats from vulnerable and infected devices. Additionally, students are not bound by strict corporate guidelines for network access, thereby increasing the risk posed by their personal devices, shared accommodation, and public Wi-Fi use on campus.

Ransomware attacks on educational institutions involve encrypting data and demanding a ransom for access. Educational networks’ interconnectedness and insufficient cybersecurity measures make them lucrative targets for cybercriminals. These attacks can disrupt academic operations and cause significant financial and reputational damage. Additionally, they may result in the theft or sale of sensitive information.

The education sector also has a significant risk of Distributed Denial of Service (DDoS) attacks, which could impact students trying to access learning resources or submit time-sensitive assignments online. DDoS attacks attempt to deny access to various websites or domains and force a server overload, which can significantly impact day-to-day operations.

A successful DDoS attack can cause significant disruption, halting academic activities and administrative processes. The diversity of users and devices connecting to these networks often leads to security inconsistencies, which attackers exploit. The impact goes beyond inconvenience; it can also damage the institution’s reputation and incur significant costs for mitigating and preventing future attacks.

Common Attack Types in the Education Sector

Data breaches: The main reason data breaches happen is human error, either through stolen or weak credentials or through social engineering tactics. A data breach happens when an unauthorized person gets access to protected information such as dates of birth, Social Security numbers, banking information, and medical records. Data breaches can have a devastating impact on students, teachers, and staff.

Phishing: Attackers go to great lengths to ensure that their emails appear as legitimate as possible, for a phishing attack to be successful. These emails most often contain links that direct target recipients to an attacker-controlled website that delivers malware or steals user credentials. Such an attack can lead to more sophisticated attacks such as data breaches, malware, or ransomware attacks.

Ransomware attacks: A ransomware attack is financially motivated. It generally aims to damage and steal from an information system or server by targeting vulnerabilities within the network. Furthermore, the use of external devices and the absence of anti-virus software protection facilitate the task of the hacker. Such attacks can cause a lot of damage to schools because they disrupt key computer systems and school operations, and, more importantly, put at risk student data and safety. Ransomware is often spread through phishing emails that contain malicious attachments.

Business email compromise (BEC) scams: Involving the use of email to scam school business officials and staff members out of sensitive information and large amounts of money, including by issuing fake invoices to districts, by redirecting authorized electronic payments to bank accounts controlled by criminals, and by stealing W-2 tax information of district employees.

Denial of service (DoS) attacks: Intended to make school IT resources unavailable to students and staff by temporarily disrupting their normal functioning.

Website and social media defacement: Involving unauthorized changes such as posting inappropriate language and images to a school website or official social media account.

Online class and school meeting disruption: Involves unauthorized access to online classes and meetings for the purpose of disruption. Intruders usually share hate speech, shocking images, sounds, and videos, and threats of violence. Despite the attention drawn to these incidents and the availability of advice on how to defend against them, school districts continued to fall prey to them.

Email compromises: Involving the compromise of a school district’s email systems by unauthorized individuals for the purpose of bulk sharing of disturbing images, videos, hate speech, and/or threats of violence, or links to such content, with members of the school community.

Recommendations

At minimum, the education sector is advised to implement the following to strengthen cyber resiliency:

  • Consider cyber insurance: Cybersecurity insurance protects businesses against computer-related crimes and losses. This can include targeted attacks, such as malware and phishing, as well as the occasional misplaced laptop containing confidential material.
  • Patching and updating: Staff must install critical updates as soon as they are available. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Create backups: Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Use strong passwords: Use at least 12 characters, with a mix of numbers, symbols, and capital letters in the middle of the password. Never use the same password for more than one account or for personal and business accounts. Consider using a password manager, an easy-to-access application that stores all valuable password information in one place. Do not share passwords on the phone, in texts, or by email. Implement the shortest acceptable time frame for password changes.
  • Enable MFA: Use multi-factor authentication (MFA) where possible. Also known as two-factor or two-step verification, this security feature requires the combination of at least two of three factors – something you know, something you have, or something you are. Oftentimes, MFA will use a password and either a code or biometric to fulfill MFA requirements to log in to an account. MFA protects accounts even if a password is compromised.
  • Ensure physical security of devices: Do not leave laptops, phones, or other devices unattended in public or even in a locked car. They may contain sensitive information and should be protected against falling into the wrong hands. Turn on device encryption to encrypt all data on each device and reduce the risk to sensitive information in case the device is stolen or misplaced.
  • Think before clicking or sharing information: Every time someone asks for business information, whether in an email, text, phone call, or web form, think about whether the request is trustworthy. Scammers will say or do anything to get account numbers, credit card numbers, Social Security numbers, or other sensitive information. Scammers will rush, pressure, or threaten to get targets to give up company information. Do not click any links in emails, as this can lead to credential compromise or malware installation.
  • Only give sensitive information over encrypted websites: When banking or buying online, stick to sites that use encryption to protect information as it travels from a computer to the server. Look for “https” at the beginning of the web address in the browser’s address bar, as well as on every page of the site being visited – not just the login page.
  • Secure wireless networks: Unsecured routers could easily allow strangers to gain access to sensitive personal or financial information on devices. Users are advised to change their router’s name and password from the default to something unique that only they know. Keep router software up to date and turn off any “remote management” features, which hackers can use to get into the network. Once router setup is complete, log out as administrator to lessen the risk of someone gaining control of the account. Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a virtual private network.
  • Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job descriptions and needs. The Principle of Least Privilege must be implemented on all accounts and require administrator credentials to install software.
  • Catalog and reduce system dependencies: Critical systems dependencies, such as third-party vendors and processes, should be identified and minimized where possible.
  • Encryption: Devices should implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to avoid spoofed devices, and this includes protection from side channel attacks that can compromise encryption keys.
  • Employee training and awareness: All employees working on critical systems must have proper training or certifications to support the elevated threat level of their positions. Human error and phishing attacks are most effectively avoided through proper employee awareness rather than technical means.
  • Trusted procurement procedures: Commercial off-the-shelf (COTS) hardware and software IT products, those that are ready-made and available for purchase by the general public, must follow strict procurement procedures that only allow installation on certified devices that meet strict security standards.
  • Vulnerability management: All organizations are encouraged to implement vulnerability management policies that include vulnerability assessments, a patch management plan, and penetration testing audits, where feasible, on a regular basis to maintain an understanding of an organization’s risk posture.
  • Network segmentation: All facilities must deploy proper network segmentation, with DMZ configured and network isolation to protect critical systems. Whenever possible, any industrial control systems should not share the same network with internet-accessible devices.
  • Cybersecurity plans: Implement various cybersecurity plans, including continuity of operations plans (COOPs), incident response, disaster recovery, and a data backup plan in which multiple data copies are kept in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Establish, test, and update all cybersecurity plans at regular intervals.
  • External email tags: Consider adding an email banner to messages originating outside the organization and disabling hyperlinks in email sent from external accounts.

Increase in Cyber Threat Activity Associated with Iranian State-Sponsored and State-Affiliated Threat Groups

Over the past few weeks, there has been a significant increase in reported activity associated with Iranian state-sponsored or state-affiliated cyber threat groups. One of these cyber threat actors, known as Pioneer Kitten, Fox Kitten, Parisite, RUBIDIUM, and Lemon Sandstorm, was observed targeting US and foreign organizations in various sectors, including education, finance, healthcare, defense, and local government entities. A substantial portion of the group’s US-centric cyber operations involves gaining and retaining technical access to target networks to carry out future ransomware attacks. The perpetrators provide complete control over domains and administrator credentials for multiple networks globally.
Additionally, the FBI noted that a significant percentage of Iran-based cyber threat actors associated with the Government of Iran (GOI) are actively collaborating with ransomware affiliates to deploy ransomware against US organizations and conduct computer network exploitation activities to support the GOI. These actors have collaborated with the ransomware affiliates NoEscape, Ransomhouse, and ALPHV (aka BlackCat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. Their dual objectives of financial gain and espionage underscore the need for heightened international cooperation and the implementation of robust defense strategies.
Furthermore, APT 42, also known as Charming Kitten and associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), was identified as targeting former members of both the Trump and Biden administrations. In June, APT 42 successfully breached the Trump campaign, stealing internal campaign documents and distributing them to news organizations. Recent observations by US intelligence agencies highlighted Iran’s aggressive efforts to sow discord ahead of the 2024 presidential election. These reports underscore the critical need to counter election deepfakes and promote comprehensive education and awareness regarding possible foreign interference.
Recommendations
Users are encouraged to educate themselves and others on state-sponsored cyber threats and disinformation campaigns to prevent victimization. Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats. Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails. Use strong, unique passwords and enable MFA for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments. Regularly perform scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly. Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.
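The education-sector bullet on monitoring remote access/RDP logs and the recommendation above to identify suspicious login attempts both come down to the same detection logic. The following is an added example, not code from the NJCCIC or any vendor: a small detector that runs over constructed Windows Security event records (a simplified subset of the 4624/4625 logon event fields; all timestamps, usernames and addresses are made up) and flags password spraying, brute force, and a successful remote logon that follows a burst of failures from the same source. Thresholds and the ten-minute window are assumptions to tune for a real environment.

```python
"""
Added example (not from the original newsletter): flag suspicious remote
logons in Windows Security event records.

Heuristics:
  1. password_spray   - one source address fails against several accounts
                        within the window (event 4625).
  2. brute_force      - one source address fails repeatedly against few
                        accounts within the window (event 4625).
  3. success_after_failures - a successful RemoteInteractive (RDP, logon
                        type 10) logon (event 4624) from a source that had
                        already reached the failure threshold in the window.
All field names and sample values below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. In practice these would be parsed from an
# EVTX/CSV export or queried from a SIEM; the schema is deliberately minimal.
SAMPLE_EVENTS = [
    {"time": "2024-09-01T02:00:01", "id": 4625, "user": "svc_backup", "src": "203.0.113.7", "type": 10},
    {"time": "2024-09-01T02:00:09", "id": 4625, "user": "admin_k", "src": "203.0.113.7", "type": 10},
    {"time": "2024-09-01T02:00:17", "id": 4625, "user": "jdoe", "src": "203.0.113.7", "type": 10},
    {"time": "2024-09-01T02:00:25", "id": 4625, "user": "msmith", "src": "203.0.113.7", "type": 10},
    {"time": "2024-09-01T02:00:33", "id": 4625, "user": "helpdesk", "src": "203.0.113.7", "type": 10},
    {"time": "2024-09-01T02:00:41", "id": 4625, "user": "admin_k", "src": "203.0.113.7", "type": 10},
    {"time": "2024-09-01T02:01:05", "id": 4624, "user": "admin_k", "src": "203.0.113.7", "type": 10},
    {"time": "2024-09-01T03:00:00", "id": 4625, "user": "administrator", "src": "198.51.100.9", "type": 10},
    {"time": "2024-09-01T03:00:05", "id": 4625, "user": "administrator", "src": "198.51.100.9", "type": 10},
    {"time": "2024-09-01T03:00:10", "id": 4625, "user": "administrator", "src": "198.51.100.9", "type": 10},
    {"time": "2024-09-01T03:00:15", "id": 4625, "user": "administrator", "src": "198.51.100.9", "type": 10},
    {"time": "2024-09-01T03:00:20", "id": 4625, "user": "administrator", "src": "198.51.100.9", "type": 10},
    # A single mistyped password followed by success: normal user behaviour, no alert.
    {"time": "2024-09-01T08:14:50", "id": 4625, "user": "teacher2", "src": "192.0.2.55", "type": 10},
    {"time": "2024-09-01T08:15:02", "id": 4624, "user": "teacher2", "src": "192.0.2.55", "type": 10},
    # Clean RDP and console logons with no preceding failures.
    {"time": "2024-09-01T08:20:00", "id": 4624, "user": "teacher1", "src": "192.0.2.20", "type": 10},
    {"time": "2024-09-01T08:21:00", "id": 4624, "user": "teacher1", "src": "192.0.2.20", "type": 2},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_time(value):
    return datetime.fromisoformat(value)


def detect_suspicious_logons(events, window=timedelta(minutes=10),
                             fail_threshold=5, spray_accounts=3):
    """Return a list of alert dicts in chronological order."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    failures = defaultdict(list)   # src -> [(time, user), ...] inside the window
    flagged_sources = set()        # avoid re-alerting on every extra failure
    alerts = []
    for e in events:
        t, src = parse_time(e["time"]), e["src"]
        # Keep only failures that fall inside the sliding window for this source.
        failures[src] = [(ft, fu) for ft, fu in failures[src] if t - ft <= window]
        if e["id"] == 4625:
            failures[src].append((t, e["user"]))
            recent = failures[src]
            if len(recent) >= fail_threshold and src not in flagged_sources:
                accounts = sorted({u for _, u in recent})
                kind = "password_spray" if len(accounts) >= spray_accounts else "brute_force"
                alerts.append({"kind": kind, "src": src, "time": e["time"],
                               "failures": len(recent), "accounts": accounts})
                flagged_sources.add(src)
        elif e["id"] == 4624 and e["type"] == RDP_LOGON_TYPE:
            # A success right after a burst of failures is the interesting case:
            # it may mean the guessing or spraying worked.
            if len(failures[src]) >= fail_threshold:
                alerts.append({"kind": "success_after_failures", "src": src,
                               "time": e["time"], "user": e["user"],
                               "failures": len(failures[src])})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logons(SAMPLE_EVENTS):
        print(alert)
```

The success-after-failures rule is the one worth paging on: a spray that ends in a successful type-10 logon means an account is now in use from the same address that was guessing passwords minutes earlier, so the account should be disabled and the session terminated while the investigation starts.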

404 Keylogger Snakes Its Way In

The NJCCIC’s email security solution observed a recent surge in campaigns disseminating 404 Keylogger infostealing malware. 404 Keylogger, also known as SnakeKeylogger, is both a downloader and an information-stealing malware. This malware-as-a-service can steal credentials, log keystrokes, capture screenshots, harvest emails, and grab clipboard data.
The most recent email campaign includes messages claiming to be requests for invoices and product inquiries. The emails contain compressed executables disguised as Microsoft Word documents that use Packager Shell Objects (OLE) to exploit vulnerabilities in Equation Editor. Upon successful exploitation, the LCG Kit downloads and installs AgentTesla and 404 Keylogger.
In another campaign, the phishing emails contained Microsoft Excel attachments. OLE was also used to download an HTML Application (HTA) file, which invoked PowerShell to download an executable that installs 404 Keylogger. Once installed, 404 Keylogger issues further PowerShell commands to evade detection and edits scheduled tasks to maintain persistence on the victim’s device. Another security researcher recently alerted users to an uptick in 404 Keylogger attacks; however, the attack vector has not been disclosed, despite the researcher calling it a zero-day detection.
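Both campaigns above rely on Office attachments that carry an embedded OLE package object, or on an executable simply renamed to look like a Word document. The following is an added example, not code from the NJCCIC or from any vendor product: a mail-gateway style check that opens an Office Open XML attachment as the ZIP container it is, looks for embedded objects under the package's embeddings directories, and flags executable content inside them or an executable masquerading under an Office extension. The sample attachments are constructed in memory from harmless bytes (a fake PE header and DOS stub string), and the verdict names "allow", "review" and "block" are assumptions for the example.

```python
"""
Added example (not from the original newsletter): inspect Office
attachments for embedded OLE package objects and disguised executables.
Sample attachments are constructed in memory; nothing here is real malware.
"""
import io
import zipfile

# Office Open XML files are ZIP containers; embedded OLE objects
# (including Packager Shell Objects) are stored under these paths.
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
OFFICE_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".doc", ".xls")
PE_MAGIC = b"MZ"                                   # DOS/PE executable header
DOS_STUB = b"This program cannot be run in DOS mode"  # present in nearly every PE
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy OLE2 compound file header


def inspect_attachment(filename, data):
    """Return a list of finding strings for one attachment (empty means nothing seen)."""
    findings = []
    name = filename.lower()
    # 1. An "Office document" whose bytes are actually a PE executable.
    if name.endswith(OFFICE_EXTS) and data.startswith(PE_MAGIC):
        return ["pe_executable_disguised_as_office_document"]
    # 2. Not a ZIP: either a legacy OLE2 binary document (needs a dedicated
    #    parser such as olefile, not handled here) or something unexpected.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if name.endswith(OFFICE_EXTS) and not data.startswith(OLE_MAGIC):
            findings.append("office_extension_but_unrecognized_format")
        return findings
    # 3. OOXML: walk the package and look at embedded object streams.
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for member in package.namelist():
            if not member.startswith(EMBEDDING_DIRS):
                continue
            findings.append(f"embedded_ole_object:{member}")
            payload = package.read(member)
            # A Packager object wraps the original file, so an executable
            # payload shows up as PE bytes somewhere inside the object stream.
            if payload.startswith(PE_MAGIC) or DOS_STUB in payload:
                findings.append(f"executable_payload_in_embedded_object:{member}")
    return findings


def verdict(findings):
    """Map findings to a gateway action (names are assumptions for this example)."""
    if any(f.startswith(("pe_executable", "executable_payload")) for f in findings):
        return "block"
    if any(f.startswith(("embedded_ole_object", "office_extension_but")) for f in findings):
        return "review"
    return "allow"


def classify_all(attachments):
    return {name: verdict(inspect_attachment(name, data)) for name, data in attachments.items()}


def build_zip(members):
    """Construct an in-memory ZIP (stand-in for an OOXML package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for member, content in members.items():
            z.writestr(member, content)
    return buf.getvalue()


# Constructed, harmless stand-ins: a fake PE prefix and minimal OOXML parts.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$" + b"\x00" * 16
CONTENT_TYPES = b"<Types/>"

SAMPLE_ATTACHMENTS = {
    "syllabus.docx": build_zip({"[Content_Types].xml": CONTENT_TYPES,
                                "word/document.xml": b"<w:document/>"}),
    "invoice_request.docx": build_zip({"[Content_Types].xml": CONTENT_TYPES,
                                       "word/document.xml": b"<w:document/>",
                                       "word/embeddings/oleObject1.bin":
                                           OLE_MAGIC + b"\x00" * 16 + b"Package" + FAKE_PE}),
    "Invoice_4471.doc": FAKE_PE,  # renamed executable, not a document at all
    "product_inquiry.xlsx": build_zip({"[Content_Types].xml": CONTENT_TYPES,
                                       "xl/workbook.xml": b"<workbook/>",
                                       "xl/embeddings/oleObject1.bin":
                                           OLE_MAGIC + b"\x00" * 16 + b"plain embedded data"}),
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, inspect_attachment(name, data), verdict(inspect_attachment(name, data)))
```

The "review" outcome is deliberate: embedded objects have legitimate uses in school documents, so a non-executable embedding is routed to a human or a sandbox rather than dropped, while anything carrying PE bytes is held outright. Legacy binary .doc/.xls files are OLE2 compound files rather than ZIPs and need an OLE parser to inspect their embedded streams; the example only recognizes their header.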
Recommendations
Avoid clicking links and opening attachments in unsolicited emails. Confirm requests from senders via contact information obtained from verified and official sources. Type official website URLs into browsers manually. Facilitate user awareness training to include these types of phishing-based techniques. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Report phishing emails and other cyber activity to the FBI’s IC3 and NJCCIC.