In honor of World Password Day on May 2nd, government entities and tech giants are making big moves to raise awareness and promote secure data protection mechanisms. In this article, we spotlight recent news on password security and the advancement of robust password policies across the globe.
The Change Healthcare Cyberattack: Lessons Learned the Hard Way
During a U.S. Senate hearing on May 1st, UnitedHealth CEO Andrew Witty acknowledged the root cause of the Change Healthcare cyberattack. Witty attributed the assault from earlier this year to a security lapse and emphasized the importance of multifactor authentication, a standard practice across UnitedHealth, which could have prevented the $872 million breach. Hackers gained access through compromised credentials, unleashing a ransomware storm that disrupted payment and claims processing nationwide.
nGuard recommends services like vulnerability scanning, penetration testing, and managed SIEM, all of which could have detected the weakness exploited in this attack, ensuring a proactive defense against similar incidents in the future. Additionally, nGuard’s cybersecurity incident response (CSIR) services assist organizations in rapidly identifying and containing breaches, minimizing the impact on critical systems and data.
Advancements in Authentication: Google’s Passkey Adoption
In celebration of World Password Day, Google announced its progress with passkey adoption and use. Google claims passkeys have been “used more than one billion times by 400 million Google accounts” and are “50 percent faster”; this milestone reflects a shift toward more secure authentication methods. Google is also expanding “Cross-Account Protection”, making it harder for cybercriminals to gain an initial foothold by notifying users of “suspicious events with apps and services” connected to their Google Account. Because passwords remain vulnerable to phishing, passkeys offer a promising, more phishing-resistant alternative.
Our services, including penetration testing and strategic security assessments, can assess the efficacy of authentication mechanisms and security policies to identify gaps and make recommendations tailored to your organization’s needs.
Regulatory Initiatives: The UK Bans Default Passwords
On April 29th, the United Kingdom became the first country to ban default passwords for IoT devices. While many other entities have taken steps in this direction, this new regulation signifies a more proactive approach to upholding high cybersecurity standards and paves the way for others to do the same. Currently, the United States does not have a federal law for securing IoT devices, although the National Institute of Standards and Technology (NIST) has published guidelines for IoT cybersecurity. Governing bodies and manufacturers must prioritize initial security protocols to mitigate the risks posed by default credentials.
Our password database audit can assist organizations in testing the strength of encrypted passwords to safeguard against potential breaches.
Combatting Sophisticated Phishing: Insights from LastPass Incident
CryptoChameleon, a sophisticated phishing campaign, is now targeting LastPass users to obtain their master passwords. Victims first receive a robocall, followed by a call from a live “customer service representative” who asks questions in order to officially “close a ticket”. During the call, the scammer delivers a reassuring spiel before emailing a link to a copycat LastPass site. Once the user enters their credentials, the “agent” immediately has the ability to permanently disable the user’s access and view all of their linked accounts and passwords. LastPass is publishing details and updates on the operation to promote awareness among users. The evolving nature of social engineering techniques poses significant challenges to traditional security measures, emphasizing the need for heightened awareness and proactive defenses.
nGuard’s simulated and targeted spear phishing social engineering campaigns, security awareness training, and cybersecurity incident response capabilities equip organizations to detect and respond swiftly, minimizing potential damage and shielding users from advanced phishing and persistent threats.
Embracing Passkey Technology: Microsoft’s Integration
Like Google and Apple, Microsoft has announced the integration of passkey technology for World Password Day. This conversion, undertaken by world-renowned tech giants, signifies the push for enhanced security and user convenience. Since passkeys cannot be stolen or forgotten, they offer a seamless authentication experience while decreasing the dangers associated with traditional credentials, and support will arrive in the associated mobile apps in the “coming weeks”.
In light of recent cyber threats and initiatives, it is evident that safeguarding users from vulnerabilities surrounding passwords is paramount across the globe. From multifactor authentication to security awareness training to security information and event management (SIEM), password protections are becoming increasingly important. As advancements in authentication and lessons learned pave the way for solidifying security, nGuard’s expertise in strategic security assessments, penetration testing, phishing simulations, and holistic policy development ensures institutions can adapt and thrive in a tumultuous cyber world.
Overview of the Vulnerability
Recently, Palo Alto Networks identified a critical zero-day vulnerability in their firewall software, PAN-OS versions 10.2, 11.0, and 11.1. The vulnerability, tracked as CVE-2024-3400, enables unauthenticated actors to execute arbitrary code as root through command injection. It specifically affects devices where both the telemetry and GlobalProtect features are enabled. Exploited in the wild since at least March 26th, this security flaw has allowed a well-resourced, likely state-sponsored threat group tracked as UTA0218 to implant backdoors, pivot to internal networks, and exfiltrate data.
Technical Analysis
The flaw is a command injection: an attacker supplies a crafted SESSID cookie value to a GlobalProtect portal or gateway on a device with telemetry enabled, and the unsanitized value is ultimately executed as part of a shell command, leading to unauthorized data access or full system control.
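As an added illustration (not code from Palo Alto Networks or from this advisory), the block below shows the general anti-pattern behind this class of bug, an untrusted cookie value reaching a shell, next to the hardening a defender applies: strict allowlist validation of the session identifier and no shell interpolation, plus a small detector that flags malformed SESSID values in access logs. Only the cookie name SESSID comes from the advisory; the expected token format and the log lines are constructed assumptions.

```python
import re
from typing import List, Tuple

# Assumption (constructed for this example): a legitimate session token is
# 32 to 64 hex characters. The real PAN-OS token format is not given in the
# advisory; adjust the pattern to what your portal actually issues.
SESSID_PATTERN = re.compile(r"^[0-9a-fA-F]{32,64}$")
# Characters that let a value break out of a shell command or a file path.
SHELL_META = re.compile(r"[;&|`$(){}<>\\/]|\.\.")


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie header ('a=1; b=2') into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def vulnerable_command(sessid: str) -> str:
    """The anti-pattern the advisory describes: the cookie value is
    interpolated into a shell string. Returned, not executed, so the
    example is safe to run; note the metacharacters survive untouched."""
    return f"cat /tmp/sessions/{sessid}"


def is_wellformed(sessid: str) -> bool:
    """Allowlist check: only a token of the expected shape is accepted."""
    return SESSID_PATTERN.fullmatch(sessid) is not None


def safe_argv(sessid: str) -> List[str]:
    """Hardened form: validate first, then build an argv list to hand to
    subprocess.run(argv) with shell=False, so metacharacters are inert."""
    if not is_wellformed(sessid):
        raise ValueError("rejected SESSID: does not match expected format")
    return ["cat", f"/tmp/sessions/{sessid}"]


def flag_suspicious_cookies(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Detection helper for constructed access-log lines whose 'cookie='
    field carries the raw Cookie header. Returns (line no, value, reason)
    for every SESSID that is malformed or carries shell/path metacharacters."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        if " cookie=" not in line:
            continue
        sessid = parse_cookies(line.split(" cookie=", 1)[1]).get("SESSID")
        if sessid is None or is_wellformed(sessid):
            continue
        reason = "metacharacters" if SHELL_META.search(sessid) else "malformed"
        findings.append((lineno, sessid, reason))
    return findings


# Constructed sample log lines (not real PAN-OS output).
SAMPLE_LOG = [
    "src=10.0.0.5 path=/login cookie=SESSID=0f3a1c5e9b2d4a6f8c0e1d3b5a7f9c2e4d6b8a0c",
    "src=198.51.100.7 path=/login cookie=SESSID=0123abc|echo hi",
    "src=198.51.100.9 path=/login cookie=lang=en; SESSID=../../tmp/x",
    "src=10.0.0.6 path=/login cookie=SESSID=deadbeef",
    "src=10.0.0.8 path=/login cookie=lang=en",
]

if __name__ == "__main__":
    for finding in flag_suspicious_cookies(SAMPLE_LOG):
        print(finding)
```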
Impact Assessment
This vulnerability has a significant impact, with over 82,000 firewalls potentially vulnerable, and 40% of these within the United States. The threat was severe enough that CISA added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to secure their devices promptly. Additionally, numerous proofs of concept (PoCs) are available that exploit this vulnerability, increasing the risk of widespread exploitation.
Response and Mitigation Strategies
Palo Alto Networks has started issuing hotfixes to address this vulnerability. However, they noted that disabling telemetry, once considered a viable mitigation strategy, is no longer effective. To guard against these threats, organizations must install the latest software updates and enable threat prevention capabilities, such as the ‘Threat ID 95187’ in the Palo Alto Networks Threat Prevention subscription.
In the wake of these vulnerabilities, nGuard’s penetration testing services can play a crucial role. By simulating an attack on the network using the latest exploit techniques, nGuard helps identify vulnerabilities before they can be exploited maliciously. Furthermore, nGuard’s vulnerability management solutions provide ongoing detection and remediation of security vulnerabilities, ensuring that firewalls and other critical infrastructure are protected against newly discovered threats.
Forward-Looking Security Strategies
Organizations should not only focus on patch management but also on enhancing their detection capabilities. Continuous monitoring and testing, along with a robust incident response plan, are critical. It’s also vital for organizations to understand that no single mitigation tactic is foolproof; thus, a layered security approach is essential. Employing services like those offered by nGuard not only helps in immediate threat identification and mitigation but also strengthens the security posture against future threats.
Conclusion
The release of exploit code for CVE-2024-3400 has escalated the urgency for organizations using Palo Alto Networks’ firewalls to implement comprehensive security measures. While the provided hotfixes address immediate vulnerabilities, long-term security requires an integrated approach combining technology, processes, and expert services like those provided by nGuard. This proactive stance ensures resilience against evolving cybersecurity threats.
Recently, Microsoft has made significant strides in enhancing its cybersecurity posture while also grappling with challenges that highlight vulnerabilities in its systems. In this advisory, we dissect the recent updates from Microsoft, categorizing them into the good, the bad, and the really bad, and provide insights into how organizations can navigate these changes effectively.
The Good: Azure AI Fortifications
Microsoft’s Azure AI Studio has received notable enhancements aimed at bolstering defenses against emerging threats. With new tools designed to protect against prompt injection and to ensure the resilience of generative AI applications, developers now have the means to build more reliable and secure AI systems. These advancements signify Microsoft’s commitment to staying ahead of malicious actors in the ever-expanding realm of artificial intelligence.
The Bad: US House of Representatives’ Ban on Copilot
The US House of Representatives has taken a precautionary stance by prohibiting the use of Microsoft’s Copilot chatbot and AI productivity tools due to cybersecurity concerns. The decision reflects apprehensions over potential data leaks to unauthorized cloud services, prompting the House to await a government-tailored version of Copilot. This move underscores the growing need for stringent security protocols, especially in government entities entrusted with sensitive information.
The Really Bad: Cascading Security Failures
A scathing report from the independent Cyber Safety Review Board sheds light on preventable security failures within Microsoft, culminating in a breach with severe implications. The theft of a Microsoft signing key by Chinese hackers underscores systemic issues within the company’s corporate culture, where security has been deprioritized. This revelation serves as a stark reminder of the critical importance of robust security measures in safeguarding against sophisticated cyber threats.
How Can You Protect Your Organization?
Organizations face an array of cybersecurity challenges that demand proactive measures to safeguard digital assets and sensitive information. To address these challenges effectively, it is imperative for organizations to conduct comprehensive assessments and deploy robust security solutions. Key assessments include:
- External Penetration Testing:
  - Identify vulnerabilities in external-facing systems and networks.
  - Assess the effectiveness of perimeter defenses against external threats.
- Web Application Penetration Testing:
  - Detect security vulnerabilities in web applications.
  - Prevent common exploits such as SQL injection and cross-site scripting.
  - Ensure the confidentiality, integrity, and availability of web-based services.
- Security Information and Event Management (SIEM):
  - Aggregate, correlate, and analyze security events and logs from various sources.
  - Detect and respond to security incidents in real time.
  - Provide insights into potential threats and vulnerabilities across the organization’s IT environment.
  - Apply AI-driven anomaly detection to identify security incidents within the organization’s IT environment.
- Vulnerability Management:
  - Identify and prioritize security vulnerabilities within systems and networks.
  - Remediate vulnerabilities to reduce the risk of exploitation by cyber attackers.
  - Establish a continuous monitoring and assessment process to stay ahead of emerging threats.
- API Penetration Testing:
  - Evaluate the security of APIs and associated endpoints.
  - Prevent unauthorized access, data breaches, and API abuse.
  - Ensure the integrity and confidentiality of data exchanged through APIs.
The recent events surrounding Microsoft serve as both a cautionary tale and a beacon of progress. While advancements in AI defenses offer promise in mitigating emerging threats, the revelations of cascading security failures and proactive measures such as the House’s ban on Copilot show the persistent challenges in safeguarding digital assets. By adopting robust security protocols, organizations can mitigate risks against evolving cyber threats.
FBI Investigating Data Breach Affecting U.S. House of Representatives Members and Staff
The Federal Bureau of Investigation (FBI) is investigating a data breach affecting members and staff of the U.S. House of Representatives. The breach saw account and sensitive personal information belonging to them and their families stolen from the servers of DC Health Link, which administers their health care plans.
While US House Chief Administrative Officer Catherine L. Szpindor said “it was unclear how many people had been affected by the breach,” a sample of the data reportedly posted on a hacking forum showed details of around 170,000 people. The information included names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers. At least one threat actor has reportedly put the data up for sale.
nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious attacks by collecting and analyzing log data from various sources. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to an ongoing or potential attack. Should your organization fall victim to an attack like this, call nGuard to help with our Cyber Security Incident Response services.
New FortiOS and FortiProxy Critical Vulnerabilities
Fortinet has released patches to address 15 security flaws, including one critical vulnerability in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The buffer underwrite flaw (CVE-2023-25610) is rated 9.3 out of 10 for severity and was discovered by Fortinet’s internal security teams. The vulnerability could enable a remote, unauthenticated attacker to execute arbitrary code on the device or cause a denial of service. Fortinet has not yet seen any malicious exploitation attempts against the flaw, but users are urged to apply the patches quickly, as prior flaws in Fortinet software have been actively abused in the wild. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach it. Just last week, nGuard wrote about another Fortinet critical vulnerability that was actively being exploited. As this continues to develop, nGuard has a number of solutions that can help your organization stay ahead of the curve, including internal penetration testing and vulnerability management.
Over 40% of Industrial Control Systems (ICS) Were Attacked in 2022
Over 40% of industrial control systems (ICS) computers globally experienced malicious attacks in 2022, according to Kaspersky research into telemetry statistics. The report highlighted growth in Russia, which saw a 9% increase in malicious activity in 2022, but Ethiopia was the top target overall with 59% of its ICS footprint seeing malicious activity.
Kaspersky noted that blocked malicious scripts and phishing pages targeting ICS were particularly common threats, seeing an 11% rise from 2021. The percentage of ICS computers experiencing malicious activity varied from 40.1% in Africa and Central Asia to 14.2% and 14.3% respectively in Western and Northern Europe. nGuard has been helping protect industrial control systems, SCADA networks, and critical infrastructure for over 20 years with security assessments, penetration testing, incident response, and managed SIEM services.
Low-coverage Cyber Insurance Plans Help Meet Compliance and Contractual Requirements
As the cyber insurance market experiences a surge in claims for ransomware attacks, insurance carriers and brokers have started imposing tighter rules on the companies that can qualify for coverage, raising prices and reducing the amount of coverage offered per policy. nGuard recently wrote about requirements needed to obtain cyber insurance. Policy coverages have significantly dropped in recent times, with some as low as $5m, and some companies cannot purchase as much insurance as they would like. However, some contracts and compliance regulations require that a company have a cyber insurance policy, which can pose a problem for those that lose coverage. Basic policies are now available for more organizations to obtain affordable coverage, allowing them to avoid a breach of compliance and fulfill contractual obligations.
A serious vulnerability in Fortinet’s FortiNAC network access control suite (CVE-2022-39952) is now being exploited by hackers to add a cron job that starts a reverse shell on vulnerable systems as the root user. This unauthenticated file path modification vulnerability poses a major security risk for enterprises using the FortiNAC solution because it may be used to execute commands remotely.
Fortinet has already released security updates to remedy the issue and has recommended that users update susceptible appliances to the most recent versions. As Fortinet has not offered any mitigation advice or workarounds, updating is the only option to prevent attacks. Researchers from cybersecurity firms including Shadowserver Foundation, GreyNoise, and CronUp have recently observed attacks on CVE-2022-39952 from a variety of IP addresses. This indicates that attackers have already started focusing on unpatched FortiNAC devices.
Horizon3 security researchers have created proof-of-concept (PoC) exploit code that adds a cron task starting a reverse shell on vulnerable systems. Fortinet had previously issued a warning in December 2022 urging customers to patch FortiOS SSL-VPN appliances against an actively exploited security flaw (CVE-2022-42475), which was also used as a zero-day in attacks against government-associated targets.
In reaction to what it called “sensationalized claims” about recent exploitation attempts aimed at a vulnerability in its FortiNAC network access control product, Fortinet has offered some crucial clarifications. The company emphasized that it is not yet clear how exploiting CVE-2022-39952 will actually affect users. However, FortiNAC users should be aware of the possible hazard, as knowledgeable threat actors have been known to attack Fortinet products.
FortiNAC administrators are strongly advised to update their software right away to a version that is not affected by CVE-2022-39952. This includes FortiNAC versions 9.4.1 or later, 9.2.6 or later, 9.1.8 or later, and 7.2.0 or later. By heeding this advice, organizations can stop attackers from using this vulnerability to gain access to their corporate networks.
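Because the observed post-exploitation step is a new root cron job, a periodic baseline diff of system crontabs is a practical detection control. The block below is an added example (not Fortinet’s or nGuard’s code) that parses `/etc/cron.d`-style snapshots, reports entries absent from a known-good baseline, and scores them with constructed triage heuristics; the two crontab snapshots and the indicator patterns are assumptions for illustration.

```python
import re
from typing import Dict, List, NamedTuple


class CronEntry(NamedTuple):
    schedule: str
    user: str
    command: str


# /etc/cron.d and /etc/crontab lines: five schedule fields (or an @keyword),
# then the user, then the command.
CRON_LINE = re.compile(r"^(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")
# Constructed indicators for this example: commands launched from
# world-writable directories, and network or interactive shell tooling.
RISKY_DIR = re.compile(r"(^|[\s'\"])/(tmp|var/tmp|dev/shm)/")
NET_SHELL = re.compile(r"/dev/tcp/|\b(nc|ncat|socat)\b|bash\s+-i\b")


def parse_cron_file(text: str) -> List[CronEntry]:
    """Parse a system crontab snapshot, skipping blanks, comments and
    VAR=value assignments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append(CronEntry(m.group(1), m.group(2), m.group(3)))
    return entries


def risk_reasons(entry: CronEntry) -> List[str]:
    """Heuristics that make a newly added entry worth immediate triage."""
    reasons = []
    if entry.user == "root":
        reasons.append("runs as root")
    if entry.schedule == "* * * * *":
        reasons.append("runs every minute")
    if RISKY_DIR.search(entry.command):
        reasons.append("executes from a world-writable directory")
    if NET_SHELL.search(entry.command):
        reasons.append("network or interactive shell tooling")
    return reasons


def audit_cron(baseline: str, current: str) -> List[Dict]:
    """Diff the current snapshot against a known-good baseline and score
    every entry that was not there before; highest risk first."""
    known = set(parse_cron_file(baseline))
    findings = []
    for entry in parse_cron_file(current):
        if entry in known:
            continue
        reasons = risk_reasons(entry)
        findings.append({"entry": entry, "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed snapshots of /etc/cron.d/app taken before and after an incident.
BASELINE_CRON = """
# baseline captured at deployment time
SHELL=/bin/sh
0 3 * * * root /opt/app/bin/rotate-logs.sh
*/15 * * * * app /opt/app/bin/health-check
"""
CURRENT_CRON = BASELINE_CRON + "* * * * * root /tmp/.cache/update.sh\n"

if __name__ == "__main__":
    for f in audit_cron(BASELINE_CRON, CURRENT_CRON):
        print(f["score"], f["entry"].user, f["entry"].command, f["reasons"])
```

On a live host the baseline would be captured at deployment and the current snapshot read from the cron directories by the monitoring job; any non-empty result is a ticket.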
At nGuard, we understand the importance of proactive security measures to protect our clients from the evolving threat landscape. That’s why we offer a range of security services designed to help detect vulnerabilities like the FortiNAC vulnerability, including internal penetration testing, vulnerability management, and strategic security assessments. Our team of experts can work with clients to develop and implement policies and procedures to ensure they can quickly identify and address security threats, and stay up-to-date on emerging vulnerabilities through our security advisories. By partnering with nGuard, clients can rest assured that they have access to the latest security technologies and expertise to help them stay one step ahead of the threats.
As cyberattacks increase worldwide, insurance companies are tightening their cyber insurance policy requirements. This is due to the 80% rise in ransomware attacks last year, leading to a large number of claims. Among the new provisions are the requirement for multi-factor authentication (MFA) for all admin access and the protection of all privileged accounts. However, identifying gaps in MFA and privileged account protection within a network can be challenging for organizations. In addition to MFA, there are several other requirements that stipulate detailed attestation when filling out a cyber policy questionnaire. A few of those requirements are:
- Security Awareness Training and Testing
  This process is designed to educate employees on cyber security threats and risks, and to test their understanding of these issues through interactive simulations and assessments. The goal is to raise awareness, increase knowledge, and promote safe online behavior within an organization. To reduce your risk of phishing attacks, nGuard has been conducting Security Awareness Training and phishing testing through our Social Engineering Assessment for years.
- Vulnerability Management
  A thorough vulnerability management program will identify, assess, and prioritize vulnerabilities in an organization’s systems and networks, and take action to remediate or mitigate these risks to prevent exploitation. This helps maintain the security and integrity of systems and data by staying on top of vulnerabilities as they are discovered. Conducting monthly or quarterly vulnerability scans on an ongoing basis will not only help meet insurance requirements but also keep your network secure. nGuard’s Vulnerability Management can help you manage your external environment and internal environment, and meet PCI requirements with ASV scanning.
- 24/7/365 Monitoring
  A Security Information and Event Management (SIEM) system collects and aggregates log data from various sources within an organization and uses analytics and threat detection techniques to identify potential security incidents and enable security teams to respond promptly. SIEM provides centralized security visibility and event correlation. nGuard’s managed security team performs both manual and automated daily log analysis that proactively detects suspicious activity in your environment through our managed SIEM service, Managed Event Collection & Correlation. nGuard is adding artificial intelligence and machine learning to detect and respond to security threats in real time via UEBA (User and Entity Behavior Analytics).
- Secured, Encrypted, Offsite Backups
  Offsite backups refer to the storage of backup data at a remote location, typically in a secure data center, separate from the primary data storage. This helps ensure that the data can be recovered in case of a disaster or cyberattack and protected against data loss while minimizing downtime. Offsite backups are an important component of a comprehensive disaster recovery plan. A Strategic Security Assessment using the Center for Internet Security (CIS) 18 Critical Security Controls as its foundation can bring the absence of controls like this and others to light.
- Endpoint Detection & Response (EDR)
  This real-time security solution monitors and responds to security threats on endpoint devices such as computers and servers, using artificial intelligence and machine learning to detect and isolate security incidents.
As insurance carriers adjust the requirements to obtain and maintain coverage, a thorough assessment can help organizations identify and close security gaps to help meet the new cyber insurance requirements and improve their overall security posture. nGuard has a number of solutions that can help meet and exceed the requirements needed to obtain and maintain cyber insurance.