Managed Event Collection

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up-to-date. This week, nGuard is bringing you everything from a T-Mobile data breach that exposed some extremely sensitive data to a Windows zero-day that may allow remote code execution.

T-Mobile Data Breach
Late Sunday night, the U.S. Sun reported that T-Mobile USA had likely suffered a massive data breach. T-Mobile was made aware of the breach after a hacker posted large swaths of data for sale on a popular online hacking forum. Early reports show the information from over 100 million customers may be at risk. This data set includes drivers license information, physical addresses, phone numbers, names, social security numbers, and unique IMEI numbers.

Norton and Avast Merger
On August 11^th, the security community was made aware that anti-virus giants NortonLifeLock and Avast were going to merge in a deal worth more than $8 billion. While both companies offer a similar product set, Norton’s experience with identity logistics and Avast’s individual focus on privacy could lead us down the path to the ultimate anti-virus product. With ransomware attacks on the rise, this merger could be timely for security professionals.

Gigabyte Ransomware Attack
Bleeping Computer and United Daily News were the first to report that Taiwan-based computer manufacturer, Gigabyte, had been the latest company to suffer a large-scale ransomware attack. Early reports are confirming that IT infrastructure was shut down, but the attack may be worse than originally expected. The attack appears to have been carried out by an organization called RansomEXX. This organization is also responsible for the attacks on the Brazilian government and the Texas’ Department of Transportation.

Windows Print Spooler Zero-Day
Late last week, Microsoft confirmed the presence of a Windows print spooler vulnerability now known as CVE-2021-36958. This is one of many vulnerabilities in a class of bugs known as “PrintNightmare.” This vulnerability utilizes the CopyFile registry directive on the device to copy a DLL file that ultimately allows an attacker to gain SYSTEM level privileges on the device. Microsoft quickly released security updates to address this vulnerability.

The Most Sophisticated Smartphone Attack Ever?

Who is the NSO Group?

The NSO Group is an Israeli cyber intelligence firm that, according to their website, “creates technology that helps government agencies prevent and investigate terrorism and crime.” NSO Group recently suffered a major data leak which has brought light on one of the products offered by the company. Current news is reporting that the NSO Group offers a cybersurveillance tool called Pegasus that has been discovered to be used by more than just government agencies and utilized on more than just criminals and terrorists.

What is Pegasus?

Pegasus, also being referred to as, “The most sophisticated smartphone attack ever” is a malicious program that can easily infect any iPhone, Android, or Blackberry device. Once the phone is infected, there is no way to remove the software, even with a hard factory reset. Pegasus allows an attacker to listen to phone calls and intercept incoming and outgoing text messages, but it doesn’t stop there. The software allows full access to the contents of the device. Passwords, photos, emails, contacts, ability to remotely turn on the microphone, and even the ability to view messages sent and received using encrypted applications like Signal and WhatsApp. This document from NSO group is a manual for the software, detailing its capabilities and how it works.

How is Pegasus deployed on a device?

Pegasus can be deployed via SMS, WhatsApp, iMessage, zero-day vulnerabilities, and social engineering. The scariest way that Pegasus can be loaded on a device requires zero interaction from the end user. An over-the-air (OTA) push message is sent to the device which installs an agent on the device. The target is unaware of the agent being installed and the user cannot prevent this from happening as the device gives no indication of malicious activity occurring and requires no interaction from the user.

What does it cost to get your hands on Pegasus?

The NSO Group charges $500,000 to setup Pegasus for a customer, then an additional $650,000 to hack 10 iPhone or Android devices or $500,000 for 5 Blackberry devices. NSO Group also charged a 17% maintenance fee based on what a customer has spent with them over the course of a year. Forbidden Stories reports the contract with Saudi Arabia was worth $55 million.

What targets has Pegasus been used against?

Media outlets have released a list containing over 50,000 phone numbers in over 50 countries, with a majority from countries with oppressive governments that have been known to spy on their citizens. The people that have been identified as targets of Pegasus include current heads of state from South Africa, France, Pakistan, Egypt, Iraq, business executives, human rights activists, journalists, and additional politicians or government officials.

Has your phone been infected?

A publication from The Verge gives a detailed guide to check if Pegasus has found its way onto your device using a Mobile Verification Toolkit.

CIS Controls v8 (Part 2)

Summary
Last month, nGuard released a security advisory detailing the latest version (v8) of the Center for Internet Security (CIS) Critical Security Controls. In this version of the controls, CIS consolidated the original 20 controls into 18 with a major focus on many modern practices such as work-from-home, cloud computing, and increased mobility. In the previous security advisory, we discussed the first 6 controls. In this advisory, we will cover the next 6.

Controls
Control 7: Continuous Vulnerability Management
New vulnerabilities for widely used software and operating systems are coming out on a daily basis. It is essential for organizations to stay on top of these rising threats. Scanning your network infrastructure for new vulnerabilities will ensure that systems are patched against known threats. nGuard recommends scanning infrastructure on a monthly basis.

Control 8: Audit Log Management
It is essential for organizations to collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. nGuard often responds to security incidents where organizations do not have the proper log management solution in place to better understand how an attacker was able to compromise systems on the network. This type of data is critical when responding to a security incident.

Control 9: Email and Web Browser Protections
Social engineering has quickly become the number 1 threat for organizations. Employees are often described as the weakest link in the security landscape because they can quickly provide an attacker access to the network with little effort. Organizations should assist their employees by improving protections and detections of threats from email and web vectors.

Control 10: Malware Defenses
A majority of organizations will experience a security incident at some point. Making life difficult for an attacker may prevent a small incident from turning into a major one. Having malware defenses like antivirus and intrusion prevention systems deployed across the network can prevent or control the installation, spread, and execution of malicious application, code, or scripts. Malware defense solutions are the number 1 preventer of ransomware.

Control 11: Data Recovery
Ransomware has become a serious threat for organizations. Attackers are gaining network access through the external perimeter or social engineering and deploying ransomware across the internal network while demanding payment for the decryption keys. Paying the ransom should be the nuclear option. Data shows that companies rarely recover all of their data with the decryption tools provided by an attacker. Recovering from backups remains the best option for getting back online.

Control 12: Network Infrastructure Management
It’s important to know who and what is sitting on your corporate network. Keeping a list of devices and services will play a key part in making sure everything is up to date and managed properly. Establishing and actively managing a list of networked devices will prevent attackers from exploiting vulnerable network services and access points.

Next Steps
nGuard offers a wide variety of services that will assist your organization on its path to implementing these critical security controls. Our Strategic Security Assessment allows your organization’s key players the opportunity to sit down with a security consultant who knows these controls like the back of their hand. Not only will they help you strengthen the controls that are already in place, they will make recommendations for the areas in which your organization falls short. Services like nGuard’s vulnerability management and security awareness training will lead your organization down the path to full implementation of these critical controls.

LinkedIn Breached Again!

Summary
Remember when someone discovered a misconfigured database exposed to the internet that left the information of 500 million LinkedIn users at risk? It’s happening again, except this time 700 million users have been impacted. Multiple outlets are now reporting that a hacker appears to have used the LinkedIn API in a malicious way which led to the download of large amounts of user data. This is extremely similar to the April incident in which an online database was compromised and user data was sold online. With both incidents, the user data has appeared for sale on a popular site called raidforums.com. Here, users can download large amounts of compromised data for any purpose. Hackers were able to compromise the following:

Email Addresses
Full Names
Phone Numbers
Physical Addresses
Geolocation Records
Usernames and Profile URLs
Genders
Other Social Media Accounts

Although this data set doesn’t contain cleartext passwords or password hashes, it does contain sensitive information that could be used in targeted social engineering attacks. Attackers utilize detailed information about employees to launch intricate social engineering campaigns that can be highly successful. When an unsuspecting employee receives a spoofed email with personal information included, it often makes it seem more legitimate. It is important to train your employees to look out for this type of targeted social engineering.

Awareness Training Helps
nGuard has been studying the art of social engineering and conducting simulations for its customers for nearly 20 years. nGuard’s highly trained engineers are well versed in the techniques used by adversaries and can conduct real world scenarios. This aids organizations in training their employees to expect the unexpected.

Colonial Pipeline Update

Summary
This is a follow up to a previous Security Advisory. For the initial timeline please visit Colonial Pipeline Timeline of Events.

Since the last Colonial Pipeline Security Advisory, there have been several updates related to the breach. Details were released on how the attackers gained initial access to Colonial’s internal network, the FBI was able to recover much of the bitcoin paid to the ransomware group (Darkside), and the Senate Homeland Security Committee held a hearing on the breach.

In the beginning of June, Bloomberg reported that the initial access gained by DarkSide was through a Virtual Private Network (VPN) account, which is used to gain remote access to private networks. The target account was no longer in use but remained active. The password associated with the account was discovered in a database of leaked passwords that are available on the dark web. Additionally, the VPN account did not utilize multi-factor authentication (MFA), which made gaining access much easier. The breach investigation stated that it is not known exactly how the password and username combination was compromised and likely they will never know. Only a week after the initial access was gained, ransomware was deployed resulting in the catastrophic damage to Colonial Pipeline and their supply chain.

On Monday June 7^th, the Department of Justice (DOJ) announced it had successfully recovered 63.7 Bitcoins worth approximately $2.3 million from DarkSide. The FBI was able to discover the address of the virtual wallet used through blockchain’s public ledger. The FBI had the private key, which is like a password, used to access the wallet and seize the bitcoins. The FBI has not stated how they obtained the private key, but this shows that criminals who use bitcoin and other cryptocurrency in their activity are not as immune to law enforcement as once believed.

On June 8^th, the Senate Homeland Security Committee held a hearing with the CEO of Colonial Pipeline, Joseph Blount. When discussing paying the ransom Joseph said, “It was one of the toughest decisions I have had to make in my life. At the time, I kept this information close hold [sic] because we were concerned about operational security and minimizing publicity for the threat actor. But I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country.” The hearing covered Colonial Pipeline’s security readiness and response to the event while putting a bigger spotlight on the gaps in security within the U.S energy infrastructure and country as a whole.

What Can Your Organization Do?
Cybersecurity cannot continue to be a reactive process. Security needs to be a priority from the ground up with infrastructure built around security. Discovering gaps in your organization’s security landscape can be simplified with an nGuard Strategic Security Assessment. Utilizing the Center for Internet Security Controls Version 8, nGuard can help you find ways to create a more mature security organization. If your organization does fall victim to a ransomware attack like Colonial Pipeline, bring in our experts to conduct a Cybersecurity Incident Response.

CIS Controls v8 (Part 1)

Summary
The Center for Internet Security (CIS) Critical Security Controls is a list of security best practice guidelines that organizations have been utilizing since 2008. Formerly known to many as the “CIS Top 20,” this publication covers a wide variety of security practices that assist organizations in taking the preventative measures needed to limit risk against cyber-attacks. Last month, CIS released the latest version of their publication, v8, to address the rising concerns that organizations are facing in 2021 and beyond. This version consolidates the former 20 controls into 18 and includes focus on many modern practices such as work-from-home, cloud computing, and increased mobility. Let’s take a look at the first 6 controls and how nGuard can help you down the path to compliance. We will cover the remaining controls in a future security advisory.

Controls
Control 1: Inventory and Control of Enterprise Assets
It’s important to know where your company-owned assets are located. How can you actively secure your network if you don’t even know how many devices are connected to it? This practice lays out the controls that are needed to dynamically monitor assets and keep track of the devices that are connected to your network.

Control 2: Inventory and Control of Software Assets
Is your development team standing up new web servers? Is your IT team exposing management style applications to the internet for remote management? It’s important to keep track of these things. nGuard consistently finds management interfaces exposed to the internet that our customers didn’t know existed. Out of the box, these applications can be insecure. It is essential that you know what types of applications exist in your environment.

Control 3: Data Protection
Is customer data living on your company’s network shares forever? Is it encrypted? Does everyone at the company have access to it, or only the people who need it? Data retention can be a difficult thing to manage properly. Complying with this control will give your customers a peace of mind that their data is properly managed within your organization.

Control 4: Secure Configuration of Enterprise Assets and Software
Does your organization have a proper patch management program in place? Can you say for sure that default accounts aren’t enabled on your network equipment? This control will help you develop policy to ensure proper patches are applied and new devices are configured properly.

Control 5: Account Management
8-character passwords are likely not secure. Your employees are probably using similar passwords for their domain and email accounts. Are you confident that your employees won’t fall victim to a social engineering attack? Account management is one of the more important controls for securing access to sensitive data and assets.

Control 6: Access Control Management
When nGuard engineers perform internal penetration testing, they consistently gain access to what are believed to be “low-privilege” user accounts. It turns out that this account has local administrator privileges on the workstation which allows engineers to dump domain administrator credentials from memory and compromise the entire network. Is your organization conducting annual internal penetration testing to identify weaknesses that may lead an attacker to gain elevated privileges?

Next Steps
Whether you are forced to comply with these controls, or just want to elevate the security posture of your organization, nGuard offers a wide variety of services that will assist you along the way. Tactical assessments like Penetration Testing can point out the flaws that exist in your environments while strategical assessments like the Best Practice Strategic Security Assessment (SSA) can assist your organization in implementing the preventive controls needed to minimize risk. Additionally, nGuard specializes in policy development that can lead your organization down the path to compliance. Talk to an nGuard Account Executive today!