malware

This Week in Cybersecurity (TWiC): 18-Year-Old Zero-Day, Azure DDoS Outage, Blood Center Attack, & HealthEquity Breach

In this edition of “This Week in Cybersecurity” (TWiC), we take a look into four significant incidents: a cyber-attack on a Florida blood center, unauthorized access to HealthEquity’s customer information through a third-party service, the discovery of an 18-year-old zero-day exploit affecting browsers, and a massive DDoS attack causing an Azure outage. We’ll also explore how nGuard’s solutions can help protect your organization from similar threats.

Cyber Attack Causes Blood Shortage at Florida Blood Center

A recent cyber attack on OneBlood, a major blood center in Florida, has led to a significant blood shortage. The attack disrupted the center’s operations, hindering its ability to collect and distribute blood. This incident underscores the vulnerability of critical healthcare infrastructure to cyber threats.

Impact and Response
The attack forced OneBlood to halt its activities temporarily, creating a critical shortage in blood supply. The center is working to restore operations, but the incident highlights the dire need for robust cybersecurity measures in the healthcare sector.

How nGuard Can Help
nGuard’s Incident Response services can be instrumental in scenarios like this. Our team can quickly identify, contain, and mitigate the effects of cyber attacks, ensuring minimal disruption to critical operations. Additionally, our Security Assessments, like internal and external penetration testing can help healthcare organizations identify and address vulnerabilities before they can be exploited.

Unauthorized Access to HealthEquity Customer Information

HealthEquity, a leading administrator of Health Savings Accounts (HSAs), recently revealed that cyber attackers accessed customer information through a third-party service provider. This breach shows the continued risks associated with third-party services and the importance of robust third-party risk management.

Breach Details
Attackers leveraged vulnerabilities in the third-party service to gain unauthorized access to HealthEquity’s customer data, including personal and financial information. This incident has raised concerns about data security and the safeguards in place to protect sensitive information.

How nGuard Can Help
nGuard’s Best Practice Strategic Security Assessment service is designed to help organizations assess and mitigate risks associated with third-party vendors. As we review the CIS Critical Security Controls we cover a range of topics including Service Provider Management. This helps ensure that your organization’s third-party services meet stringent security standards, reducing the likelihood of such breaches.

Discovery of an 18-Year-Old Browser Zero-Day Exploit

An 18-year-old browser vulnerability, “0.0.0.0 Day,” has been discovered, affecting Apple and Linux systems, but not Windows. This flaw lets malicious websites access local network services by exploiting how the IP address 0.0.0.0 is handled.

Exploit Details
The vulnerability involves the misuse of the IP address 0.0.0.0, which allows external websites to interact with local network services. While not a widespread threat, it poses risks for AI development environments. Windows remains unaffected due to its different handling of this IP address. Patches are in progress for Chrome, Firefox, and Safari.

How nGuard Can Help
nGuard’s Vulnerability Management services can help organizations stay ahead of such threats. By regularly scanning for and addressing vulnerabilities, we ensure that systems remain secure against even long-standing exploits. Our Penetration Testing services can also identify weaknesses in an organization’s defenses, providing actionable insights to enhance security posture.

Massive DDoS Attack Causes Azure Outage

Microsoft recently disclosed that a massive Distributed Denial of Service (DDoS) attack caused a significant outage of over 9 hours on its Azure cloud services. The attack disrupted services like Microsoft 365, Azure App, IoT Central, the Azure portal, and more for numerous customers, highlighting the scale and impact of DDoS threats and attacks. This is the second outage Azure has suffered recently with the last one coming out July 19^th.

Outage Details
The DDoS attack targeted Azure’s infrastructure, and a misconfiguration in Microsoft’s cyber defenses amplified the attack’s impact. This led to widespread service disruptions across multiple regions, highlighting the importance of properly configured security measures in cloud environments.

Conclusion

The incidents covered highlight the critical importance of staying informed and up to date against emerging threats. Whether it’s a targeted cyber-attack on a blood center, a breach via third-party services, a long-standing browser vulnerability, or a large-scale DDoS attack on cloud infrastructure, the need for continuously improving and testing cybersecurity protections has never been more evident. nGuard offers comprehensive solutions to help organizations protect their assets and maintain operational resilience in the face of such challenges.

CrowdStrike Down: Unpacking the Chaos

The Outage Explained

On July 19, 2024, a routine update to CrowdStrike Falcon’s sensor configuration (version 7.11) inadvertently unleashed chaos across millions of Windows systems worldwide. The update, specifically channel file 291, aimed to enhance behavioral protections but instead introduced a critical logic flaw. This flaw caused the Falcon sensor to crash, leading to the infamous “blue screen of death” (BSOD) on affected devices.

The fallout was profound. Airline giants such as Delta, United, and American Airlines were forced to ground thousands of flights, resulting in significant delays and cancellations globally. Airports were also affected, compounding the disruption across international travel routes. Healthcare systems experienced disruptions in appointment scheduling and patient care across the United States. Financial services were not spared either, with online banking systems faltering and payment platforms failing to process transactions as usual.

CrowdStrike responded swiftly, identifying, and deploying a fix within 79 minutes. However, the recovery process for affected organizations proved arduous. IT administrators had to manually remove the problematic update from each affected system, which reportedly takes 15 minutes each. The process is exacerbated by complexities like encrypted drives and the need for physical access to devices. After one week, the update has cost an estimated “$5.4 billion across just the Fortune 500” and 97% of Windows sensors have been restored.

Post-Outage Exploitation

Unfortunately, the aftermath of the CrowdStrike outage opened doors for cybercriminals to capitalize on the chaos through targeted phishing campaigns. Exploiting vulnerabilities in affected organizations, these attackers deploy phishing domains mimicking CrowdStrike and related technical support services. Malware such as HijackLoader and RemCos RAT have been used to infiltrate systems.

Mitigating such threats requires vigilance and proactive measures. Organizations are advised to deploy protective DNS tools, maintain blocklists against suspicious domains, and strictly adhere to official support channels for critical updates and communications. Effective cybersecurity awareness training and social engineering campaigns also play a crucial role in equipping employees with the knowledge to identify and thwart potential threats.

Rise of Supply Chain Complications

Historically, supply chain issues have impacted various sectors, from retail giants like Target to critical infrastructure like the Stuxnet attack on Iran’s nuclear facilities. The SolarWinds incident exemplified how malicious actors can compromise upstream software providers to directly infiltrate users, impacting organizations globally.

Statistics from CrowdStrike’s Global Security Attitude Survey indicate a troubling trend. A significant percentage of organizations have experienced supply chain attacks, yet many lack comprehensive strategies for evaluating and mitigating risks from third-party suppliers. This stresses the urgent need for solid cybersecurity policies and infrastructure aligned with frameworks that encompass thorough supplier vetting, continuous monitoring, and rapid incident response capabilities.

Prevention: Proactive Strategies

To prepare for similar incidents, CISA and NIST’s Cybersecurity Framework (CSF) provide essential recommendations and guidelines for organizations to maintain operations and resilience. Key takeaways include:

Gap Analysis & Risk Management: Implement stringent protocols for vetting third-party vendors, through analysis of security gaps and potential risks. Detailed control review and risk matrices provided by nGuard are aligned to best practices like “Control 15: Server Provider Management” in NIST (CSF) 2.0 to ensure readiness in a similar supply chain event.
Continuous Monitoring: Deploy comprehensive monitoring systems to detect anomalies and potential threats in real-time, 24/7. nGuard’s Managed Event Collection & Correlation (MECC) includes monitoring network traffic, system logs, and user activities to swiftly identify and respond to suspicious behavior.
Incident Response: Engage in tabletop exercises lead by experienced engineers to apply organizational procedures to similar real-life scenarios and ensure relevant stakeholders are trained and prepared. nGuard can also assist in creating and updating incident response plans that outline clear steps to responding to disruptive events.
Awareness and Training: Educate employees about cybersecurity best practices, including identifying phishing attempts, handling sensitive data securely, and reporting suspicious activities promptly. Personalized training sessions and simulated social engineering campaigns coordinated by nGuard can significantly enhance employee readiness.

Conclusion: Cultivating Resilience

As our daily lives rely more on connected systems, the CrowdStrike outage is a wake-up call showing how important it is to keep up and stay innovative. Supply chain attacks are a serious and growing danger to organizations everywhere. This means we need strong cybersecurity methods that include careful checking and managing risks, constant monitoring, and quick responses to incidents.

By following established guidelines, and thoroughly vetting suppliers, organizations can better protect themselves against cyber threats. The main goal is to create a strong cybersecurity stance that secures essential operations and reduces the impact of future incidents.

Your DNA on the Dark Web: The 23andMe Breach Unveiled

Introduction
In early October, a significant breach at genetic testing giant 23andMe compromised the personal data of 6.9 million users. This incident not only exposed sensitive genetic information but also highlighted the critical vulnerabilities that exist within digital security infrastructures.

The Breach
Hackers leveraged a credential stuffing attack, exploiting password reuse across platforms to gain unauthorized access. Initially, they penetrated 0.1% of user accounts, around 14,000 individuals. However, exploiting the DNA Relatives feature, they widened their impact, reaching an additional 5.5 million users. This feature, which connects users with potential relatives by analyzing shared DNA, became the unwitting conduit for a breach of staggering proportions.

The compromised data included display names, family tree profiles, birth years, self-reported locations, and detailed genetic information, including the percentage of DNA shared with potential relatives. Notably, the breach was first recognized when user information appeared for sale on the dark web, with claims that it included genetic profiles of specific ethnic groups and individuals from affluent regions in the U.S. and Western Europe.

Company Response and Consumer Impact
23andMe’s response to the breach has involved steps to reinforce account security, such as mandatory two-step verification and urging users to reset passwords. Despite the measures taken, the breach’s scale has raised questions about the security protocols in place and the company’s initial response. Cybersecurity experts highlight the human element in this breach, noting the common practice of password reuse. Ronnie Tokazowski, a digital scams researcher, emphasizes this behavior as a primary enabler of credential stuffing attacks.

Our Take: nGuard’s Perspective on Preventative Measures
As a leader in cybersecurity solutions, nGuard recognizes the 23andMe breach as a stark warning for stronger security protocols. We advocate for preemptive action through services like Web Application & API Penetration Testing, which could detect and mitigate such exploitable issues beforehand. Moreover, our Password Database Audit service is crucial, as it rigorously scrutinizes password storage and management systems, identifying vulnerabilities that could lead to devastating breaches. Alongside this, our Red Team Assessment delivers a simulated real-world attack scenario to uncover potential security flaws, potentially recognizing risks such as those exploited in the DNA Relatives feature.

Conclusion
The 23andMe breach is a sobering reminder of the ever-present threat landscape. At nGuard, we are committed to fortifying our clients’ defenses with our comprehensive cybersecurity services. We encourage all organizations to learn from this incident and take proactive steps to enhance their security posture.

TWIC: Barracuda Alert, Fortinet Patch, and VMware ESXi Exploit

In this week’s edition of TWIC (This Week in Cybersecurity), we delve into the most significant stories and developments in the cybersecurity landscape. This week, we’re focusing on three major incidents involving Barracuda, Fortinet, and VMware ESXi.

Barracuda Urges Immediate Replacement of Vulnerable Appliances
Barracuda Networks, a leading provider of cloud-enabled security solutions, has issued an urgent call to its customers to replace vulnerable email security gateway (ESG) appliances immediately. This follows the disclosure of a critical security flaw, which has been exploited since October 2022. The vulnerability existed in a module which initially screens the attachments of incoming emails. Despite a patch being issued last month, Barracuda recommends replacing the compromised appliances as the safest course of action. Three different malware strains have been discovered to date on a subset of appliances allowing for persistent backdoor access, and evidence of data exfiltration was identified on a subset of impacted appliances.

Fortinet’s Patched Critical Flaw May Have Been Exploited
Fortinet recently patched a critical flaw in its FortiOS SSL VPN. However, there are indications that this vulnerability may have already been exploited in attacks impacting various sectors, including government and manufacturing. The heap-based buffer overflow, pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests. Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which upon discovery was a zero-day bug — in January.

Chinese Cyberspies Caught Exploiting VMware ESXi Zero-Day
A Chinese cyberespionage group, known as UNC3886, has been observed exploiting a zero-day vulnerability in VMware ESXi to escalate privileges on guest virtual machines. The group has been using malicious vSphere Installation Bundles (VIBs) to install backdoors on ESXi hypervisors and gain command execution, file manipulation, and reverse shell capabilities since September 2022. The group’s malicious actions would impact VMware ESXi hosts, vCenter servers, and Windows virtual machines (VM). The cyberspies also used installation scripts to deploy malicious VIBs to hosts, and exploited CVE-2023-20867 to execute commands and transfer files from the compromised ESXi host to and from guest VMs, without authentication and without a trace.

Conclusion
The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging on a regular basis. These incidents involving Barracuda, Fortinet, and VMware ESXi underscore the importance of maintaining robust security measures and staying abreast of the latest developments.

At nGuard, we offer a range of services designed to help businesses navigate these challenges. Our Cyber Security Incident Response service is equipped to provide immediate assistance in the face of potential security incidents, helping to manage and mitigate risks effectively. Our Vulnerability Management service is designed to identify and manage vulnerabilities in your systems, ensuring that your network remains secure against a variety of threats. Furthermore, our Managed Event Collection service provides continuous monitoring and detection capabilities, enabling swift identification and response to malicious activities in your network.

Remember, in the realm of cybersecurity, staying informed and taking proactive measures is key. At nGuard, we’re committed to helping you navigate the ever-evolving cybersecurity landscape. Contact us today to learn more about how we can assist you in securing your organization.

TWiC | U.S. House Data Leak, ICS Attacks, FortiOS Vulnerability, Cyber Insurance

FBI Investigating Data Breach Affecting U.S. House of Representatives Members and Staff

The Federal Bureau of Investigation (FBI) is investigating a data breach affecting members and staff of the U.S. House of Representatives. The breach saw account and sensitive personal information belonging to them and their families stolen from the servers of DC Health Link, which administers their health care plans.

While US House Chief Administrative Officer Catherine L. Szpindor has said, “it was unclear how many people had been affected by the breach.” A sample of the data reportedly posted on a hacking forum showed details of around 170,000 people. The information included names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers. At least one threat actor has reportedly put the data up for sale.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious attacks by collecting and analyzing log data from various sources. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to an ongoing or potential attack. Should your organization fall victim to an attack like this, call nGuard to help with our Cyber Security Incident Response services.

New FortiOS and FortiProxy Critical Vulnerabilities

Fortinet has released patches to address 15 security flaws, including one critical vulnerability in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The buffer underwrite flaw (CVE-2023-25610) is rated 9.3 out of 10 for severity and was discovered by Fortinet’s internal security teams. The vulnerability could enable a remote, unauthenticated attacker to execute arbitrary code on the device or cause a denial-of-service attack. Fortinet has not yet seen any malicious exploitation attempts against the flaw, but users are urged to apply the patches quickly, as prior flaws in software have been actively abused in the wild. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it. Just last week, nGuard wrote about another Fortinet critical vulnerability that was actively being exploited. As this continues to develop, nGuard has a number of solutions that can help your organization stay ahead of the curve, including internal penetration testing and vulnerability management.

Over 40% of Industrial Control Systems (ICS) Were Attacked in 2022

Over 40% of industrial control systems (ICS) computers globally experienced malicious attacks in 2022, according to Kaspersky research into telemetry statistics. The report highlighted growth in Russia, which saw a 9% increase in malicious activity in 2022, but Ethiopia was the top target overall with 59% of its ICS footprint seeing malicious activity.

Kaspersky noted that blocked malicious scripts and phishing pages targeting ICS were particularly common threats, seeing an 11% rise from 2021. The percentage of ICS computers experiencing malicious activity varied from 40.1% in Africa and Central Asia to 14.2% and 14.3% respectively in Western and Northern Europe. nGuard has been helping protect Industrial control systems, SCADA networks, and critical infrastructure for over 20 years with security assessments, penetration testing, incident response, and managed SIEM services.

Low-coverage Cyber Insurance Plans Help Meet Compliance and Contractual Requirements

As the cyber insurance market experiences a surge in claims for ransomware attacks, insurance carriers and brokers have started imposing tighter rules on the companies that can qualify for coverage, raising prices and reducing the amount of coverage offered per policy. nGuard recently wrote about requirements needed to obtain cyber insurance. Policy coverages have significantly dropped in recent times, with some as low as $5m, and some companies cannot purchase as much insurance as they would like. However, some contracts and compliance regulations require that a company have a cyber insurance policy, which can pose a problem for those that lose coverage. Basic policies are now available for more organizations to obtain affordable coverage, allowing them to avoid a breach of compliance and fulfill contractual obligations.

TWiC | ChatGPT, New CISA and NSA Advisory, Microsoft Blocking Add-ins, New Malware Using Google Ads

The nGuard Security Advisory for this week covers several important topics related to cyber security threats. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued warnings that remote desktop tools are being used to breach US federal agencies; ChaptGPT being used to create malicious output; Microsoft is set to block Excel add-ins that have been used for office exploits; and a new malware called “Rhadamanthys” has been discovered that uses Google Ads to redirect users to fake software downloads.

CISA & NSA Warn Remote Desktop Tools Are Being Used to Breach US Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that financially motivated hackers have compromised federal agencies using legitimate remote desktop software. The hackers used phishing emails to lure victims to a malicious site that impersonated high-profile companies, including Microsoft and Amazon, and prompted the victims to call the hackers who then tricked employees into visiting the malicious domain. This led to the download of legitimate remote access software which the hackers then used in a refund scam to steal money from victims’ bank accounts. CISA also warned that the attackers could use legitimate remote access software as a backdoor for maintaining persistent access to government networks.

nGuard often can obtain remote access to victim’s computers using legitimate remote access tools like TeamViewer. nGuard’s Social Engineering assessment could help prevent these types of attacks by testing an organization’s resistance to phishing and other types of social engineering tactics.

ChaptGPT Malicious Prompt Engineering

OpenAI’s ChatGPT, a large-scale AI-based natural language generator, was released in late 2022 and has demonstrated the potential of AI for both good and bad. ChatGPT is a chatbot that is built on top of OpenAI’s GPT-3 family of large language models. It is designed to respond to prompts with accurate and unbiased answers. However, the concept of ‘prompt engineering’ has been used to manipulate the system and force it to respond in a specific manner desired by the user. This has led to the malicious potential of social engineering. A Finnish security firm recently published an extensive and serious evaluation of prompt engineering against ChatGPT, focusing on the generation of phishing, various types of fraud, and misinformation. They found they were able to quickly create convincing phishing emails that were well written and free of typos and grammatical errors. They also were able to create writing styles to match a given input which could lead to ‘deep fakes’ impersonating someone’s writing style. Last, they were able to make requests that forced ChatGPT to transfer their opinion within the response. The idea of prompt engineering is something still not fully understood but certainly has shown the power of a tool like ChatGPT can have.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious ChatGPT attacks by collecting and analyzing log data from various sources, including chatbot interactions. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, nGuard is adding UEBA (User and Entity Behavior Analytics) to its MECC solution. UEBA leverages AI and Machine Learning to help protect against malicious ChatGPT attacks by analyzing user behavior and identifying anomalies that may indicate a security incident. This can include detecting when a user or bot is attempting to access sensitive information or perform unauthorized actions. UEBA can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, UEBA can also help to detect compromised user account and bot impersonation.

Microsoft Set to Block Excel Add-in Used for Office Exploits

Microsoft is set to block XLL files from the internet in a bid to prevent cyber attackers from exploiting the “add-ins” function of Excel to run malicious code on a victim’s computer. An XLL file is an Excel Dynamic Link Library, a type of Microsoft Excel add-in used to extend the functionality of the spreadsheet software. XLL files contain custom functions and macros written in C or C++, and can be used to perform tasks that are not possible with the built-in Excel functions. The feature, set to be released in March, is a response to an increasing use of XLL files by attackers which offer a way to read and write data within spreadsheets, add custom functions and interact with Excel objects across platforms. However, experts have said that the feature may not be effective if users ignore the warning that XLL files could contain malicious code, and attackers are likely to continue to find new ways to compromise systems.

nGuard’s Security Awareness Training services can help with this threat by educating employees on how to identify and avoid phishing attempts, both in the form of emails and websites. The training can cover topics such as how to spot suspicious emails, what to look for in a legitimate and illegitimate website, and how to recognize the signs of a phishing attempt.

Rhadamanthys Malware Using Google Ads to Redirect to Fake Software Downloads

A new malware strain called “Rhadamanthys Stealer” is being spread by redirects from Google Ads that pretend to be download sites for popular remote-workforce software, such as Zoom and AnyDesk. The malware is sold on the dark web as malware-as-a-service and is spread through two methods: carefully crafted phishing sites, and phishing emails with malicious attachments. The malware can steal sensitive data such as browser history and account login credentials, including crypto-wallet information. It is also able to detect if it is running in a controlled environment and will terminate its execution if so. As mentioned earlier in this Advisory, nGuard’s Social Engineering assessment and Security Awareness training can prepare your organization and employees for these types of attacks. Help your organization stay vigilant against the latest attack vectors and keeping up to date by assessing your employees and organization on an annual basis at a minimum.