In the category of “you can’t make this up but satisfyingly ironic,” it was recently reported that criminals who used the WeLeakInfo database to buy stolen credentials of individuals have had their own information compromised. It’s about time criminals get their just reward. Why would hackers treat other hackers any differently than the rest of us?
According to techrader.com and CyberNews, 24,000 criminals who used WeLeakInfo to purchase and sell compromised credentials of victims are now themselves victims and their personal information is being sold on online forums. CyberNews reported that “the forum user is now selling highly sensitive information of former WeLeakInfo customers that made their illicit purchases using Stripe. The data available for sale includes their full names, IP addresses, addresses, partial credit card data, transaction dates, Stripe reference numbers and phone numbers…”
If it is being sold online, the information can also get into the hands of law enforcement, which should be a concern to the former WeLeakInfo customers, as the information should be very helpful to law enforcement.
As we alerted our readers last week, Microsoft announced that its Exchange email servers have been compromised, which is estimated to affect at least 30,000 companies based in the United States. It is reported that the hackers installed web shells (and sometimes multiple web shells) into Microsoft’s customers’ email servers, giving the hackers back doors into the victims’ email content. These web shells allow the attackers to have complete remote control over the victims’ emails and to access other information technology assets of the victims. This means they can access all the data contained in the emails and can plant malware or ransomware directly into a company’s system without having to use a phishing attack that would rely on an employee to introduce the malicious code into the system.
On March 2, 2021, Microsoft released four patches to respond to the vulnerabilities in Exchange Server versions 2013-2019, which we published last week [view related post]. On March 8, 2021, Microsoft issued a patch for older, unsupported versions of Microsoft Exchange servers “as a temporary measure to help you protect vulnerable machines right now.” On March 9, 2021 (Patch Tuesday), in addition to the previously-released patches mentioned above, Microsoft issued software updates to address 82 security flaws in various Microsoft products, including Internet Explorer.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert called “Remediating Microsoft Exchange Vulnerabilities” that warns companies that the “exploitation of these vulnerabilities is widespread and indiscriminate,” and therefore CISA “strongly advised all system owners complete the following steps:”
If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.
According to security experts, in addition to applying the patches issued by Microsoft and following the guidance from CISA, companies are urged to backup any data stored on company Exchange servers immediately, disconnect those from other servers, and store them offline.
In this episode of the podcast (#204) we’re joined by Josh Corman of CISA, the Cybersecurity and Infrastructure Security Agency, to talk about how that agency is working to secure the healthcare sector, in particular vaccine supply chains that have come under attack by nations like Russia, China and North Korea.
How is the U.S. government responding to this array of threats? In this episode of the podcast, we’re bringing you an exclusive interview with Josh Corman, the Chief Strategist for Healthcare and COVID for the COVID Task Force at CISA, Cybersecurity and Infrastructure Security Agency.
In this interview, Josh and I talk about the scramble within CISA to secure a global vaccine supply chain in the midst of a global pandemic. Among other things, Josh talks about the work CISA has done in the last year to identify and shore up the cyber security of vital vaccine supply chain partners – from small biotech firms that produce discrete but vital components needed to produce vaccines to dry ice manufacturers whose product is needed to transport and store vaccines.
To start off I asked Josh to talk about CISA’s unique role in securing vaccines and how the Federal Government’s newest agency works with other stake holders from the FBI to the FDA to address widespread cyber threats.
New York Governor Andrew Cuomo recently announced his proposal for a comprehensive data security law that will “provide New Yorkers with transparency and control over their personal data and provide new privacy protections.” The proposal also would establish a Consumer Data Privacy Bill of Rights that would guarantee “the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”
According to the state of New York’s website announcing the initiative, the proposal also “expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies.”
This proposal is promising and, if passed, it would mean that New York would join California in enacting a comprehensive consumer privacy law. We will follow the proposal closely to see if this new proposal will add to New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which passed in 2017 and established cybersecurity regulations for the financial services industry.
Indian news outlet Inc42 has reported that the ShinyHunters hacking group found some shiny objects when it was able to compromise the personal information of hundreds of thousands of individuals using the crypto exchange BuyUCoin.
The hackers were able to compromise and subsequently leak a BuyUCoin database that contained names, telephone numbers, email addresses, tax identification numbers and bank account information of users. Different reports say that the number of users who were affected by the compromise ranges from 161,000 to 325,000 users.
Although BuyUCoin initially denied the reports, it recently indicated that it is investigating and that no user funds had been affected.
Cybersecurity firm SonicWall Inc. is investigating an attack on its internal systems that it describes as “highly sophisticated.” According to SonicWall, the investigation is centered around its Secure Mobile Access 100 series, which assists with end-to-end secure remote access.
The company said that a few thousand devices have been impacted and that it is trying to determine whether the attackers exploited a zero-day vulnerability in the SMA 100 series product.
Although it sounds very similar to the recent SolarWinds cyber-attack, it is presently unknown whether this incident is related to that attack or if it was caused by the Russian-based attackers behind the SolarWinds incident.
It is clear that cybersecurity firms are being heavily targeted by cyber-attackers and are not immune from the onslaught of cyber-attacks we are seeing across the board in every industry. It also emphasizes the fact that there is no ability to completely transfer cyber risk. Data security is a team sport. Reasonable cyber-hygiene inside your organization, while using outside tools to augment your security posture, are both ways to minimize risk, but hackers are using more and more sophistication in their attacks, which present risk internally and externally. What is crystal clear from these attacks on cybersecurity firms is that cybersecurity and vendor management must continue to be a high priority for organizations in order to manage cyber risk.
In this episode of the podcast (#200), sponsored by Digicert: John Jackson, founder of the group Sakura Samurai talks to us about his quest to make hacking groups cool again. Also: we talk with Avesta Hojjati of the firm Digicert about the challenge of managing a growing population of digital certificates and how automation may be an answer.
Life for independent security researchers has changed a lot in the last 30 years. The modern information security industry grew out of pioneering work by groups like Boston-based L0pht Heavy Industries and the Cult of the Dead Cow, which began in Lubbock, Texas.
After operating for years in the shadows of the software industry and in legal limbo, by the turn of the millennium hackers were coming out of the shadows. And by the end of the first decade of the 21st century, they were free to pursue full fledged careers as bug hunters, with some earning hundreds of thousands of dollars a year through bug bounty programs that have proliferated in the last decade.
Despite that, a stigma still hangs over “hacking” in the mind of the public, law enforcement and policy makers. And, despite the growth of bug bounty programs, red teaming and other “hacking for hire” activities, plenty of blurry lines still separate legal security research from illegal hacking.
Hacks Both Daring…and Legal
Still, the need for innovative and ethical security work in the public interest has never been greater. The Solar Winds hack exposed the ways in which even sophisticated firms like Microsoft and Google are vulnerable to compromised software supply chain attacks. Consider also the tsunami of “smart” Internet connected devices like cameras, television sets and appliances are working their way into homes and workplaces by the millions.
What does a 21st century hacking crew look like? Our first guest this week is trying to find out. John Jackson (@johnjhacking) is an independent security researcher and the co-founder of a new hacking group, Sakura Samurai, which includes a diverse array of security pros ranging from a 15 year old Australian teen to Aubrey Cottle, aka @kirtaner, the founder of the group Anonymous. Their goal: to energize the world of ethical hacking with daring and attention getting discoveries that stay on the right side of the double yellow line.
One of the lesser reported sub plots in the recent Solar Winds hack is the use of stolen or compromised digital certificates to facilitate compromises of victim networks and accounts. Stolen certificates played a part in the recent hack of Mimecast, as well as in an attack on employees of a prominent think tank, according to reporting by Reuters and others.
How is it that compromised digital certificates are falling into the hands of nation state actors? One reason may be that companies are managing more digital certificates than ever, but using old systems and processes to do so. The result: it is becoming easier and easier for expired or compromised certificates to fly under the radar.
Our final guest this week, Avesta Hojjati, the Head of R&D at DigiCert, Inc. thinks we’ve only seen the beginning of this problem. As more and more connected “things” begin to populate our homes and workplaces, certificate management is going to become a critical task – one that few consumers are prepared to handle.
What’s the solution? Hojjati thinks more and better use of automation is a good place to start. In this conversation, Avesta and I talk about how digital transformation and the growth of the Internet of Things are raising the stakes for proper certificate management and why companies need to be thinking hard about how to scale their current certificate management processes to meet the challenges of the next decade.
Users of the Parler social media platform who participated in the riots last week at the U.S. Capitol are reportedly uneasy following the announcement that several activist hackers archived posts as they were happening in real time during the riots, and that they will release the posts publicly to assist law enforcement with investigations. Another activist hacker is reported to have said that she archived material as it was being posted to show how the platform was used to plan the attack and for communication by participants during the assault.
Parler is reported to have been a popular mode of communication during the months leading up to the election last fall after Facebook and Twitter began reviewing and labeling content that was false or misleading.
One of the activist hackers alleges that she archived 30 terabytes (equal to 30,000 gigabytes) of publicly-available posts of the events leading up to and during the riots so they would be preserved before the platform was taken down, which occurred on Monday.
Some of the data that were archived includes legally-obtained GPS data while posts were made by those participating in the riot. The GPS data show that Parler users were posting videos and pictures while they were inside the Capitol, including both chambers of Congress and offices of some politicians.
U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia hacked into project management software JetBrains’ TeamCity DevOps tool to originally plant its malware in SolarWinds Orion, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.
In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Agency and the U.S. Marshal’s Service, announced this week that 3 percent of its employees’ emails were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.
In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.
Cybersecurity firms are offering free solutions for companies to use to identify the SUNBURST malware variant and whether they have been affected, including Palo Alto Networks and SentinelOne.
We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now
The maritime industry is an enticing target for hackers. The Port of Los Angeles (the Port) alone facilitated about $276 billion in trade last year, and the International Chamber of Shipping estimated that the total value of world shipping was around $14 trillion in 2019. The Port has plans to construct a multi-million-dollar cyber intelligence facility as a hub for information sharing between the public and private sectors to thwart the increasing attacks on the maritime and logistics industries. This facility, the Cyber Resilience Center, is one of the first of its type to be built in the United States. The Port’s Executive Director, Gene Seroka, said, “What we’ve noticed over time is that the potential penetrations and cyber threats have grown each and every year,” including incidents like the 2017 NotPetya attacks that affected shipping lines, the 2018 ransomware targeting of the Port of Long Beach, and the October 2020 ransomware attack on CMA CGM S.A., a French transportation and container shipping company. Seroka said that as the threat become more evident, the Port “needed to find a way to bring the private sector into this space as well.” The Cyber Resilience Center is expected to go live by the end of 2021. Participants in this information exchange will be able to share information anonymously through the platform, which will standardize data from different companies’ cybersecurity tools. The Port’s Chief Information Officer will lead the project, which will operate alongside the Port’s cybersecurity operations center.
Seroka said that he hopes the Cyber Resilience Center will be a model for other large ports across the United States since information-sharing is such a vital defensive tool. As the shipping industry becomes even more digitized, cyber threats will require facilities such as ports to prioritize set data standards, business rules and open architecture for facilitating information sharing in a secure, protected manner.