Global Cyber News Digest

Daily News Digest

Stay current on the global cyber threat landscape and industry developments with CCOE’s daily digest and library of cybersecurity news and articles.

  • Remote Desktop Protocols are Attractive Targets to Cyberattackers

    • Remote desktop protocol (RDP) exploded in popularity when the Coronavirus disease (COVID-19) pandemic ignited sweeping lockdowns and work-from-home orders, because it enabled workers to keep working while away from the office. However, it is not without security issues, such as commonly exposed ports and weak sign-in credentials.
    • RDP is one of the most common ways attackers compromise network security, simply due to its ubiquity and frequently improper security configuration.
    • Exposed RDP endpoints are extremely attractive targets for cyber attackers, as there are many vulnerabilities they can use to attempt to gain a foothold in a network and launch their attack. As most organizations use RDP, the likelihood of discovering an exposed network is high. Once in the network, cyber attackers can perform whatever action they desire, such as deploying ransomware or exfiltrating data for IP theft, resale or extortion. Additionally, RDP is increasingly becoming the most popular attack vector for ransomware operators, nearly edging out phishing.
    • Some cyberattackers sell RDP credentials on multiple underground communities and forums as a means to make an extra buck.
    • Steps IT leaders can take to protect their organization from RDP attacks include:
      • Restrict access to RDP connections to trusted sources
      • Audit connectivity logs for unknown connections
      • Implement two-factor authentication (2FA) for RDP logins
      • Audit administrative accounts regularly to ensure unexpected accounts haven’t had their permissions escalated to an admin account
    - Josh Smith | February 14, 2021
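To make the "restrict access to trusted sources" and "audit connectivity logs for unknown connections" steps above concrete, here is an added Python audit (example code, not from the original article) that runs over constructed, simplified Windows Security events. It assumes events 4624/4625 with logon type 10 denote RDP logons, that 10.20.0.0/24 is the only trusted RDP source range, and a threshold of five failures per source.

```python
import ipaddress
from collections import Counter

# Constructed sample of simplified Windows Security events (not a real export):
# event_id,logon_type,account,source_ip. 4624 = successful logon, 4625 = failed
# logon; logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
4624,10,CORP\\jsmith,10.20.0.15
4625,10,CORP\\admin,203.0.113.7
4625,10,CORP\\admin,203.0.113.7
4625,10,CORP\\administrator,203.0.113.7
4625,10,CORP\\root,203.0.113.7
4625,10,CORP\\test,203.0.113.7
4624,10,CORP\\admin,203.0.113.7
4624,2,CORP\\jsmith,127.0.0.1
4624,10,CORP\\akumar,10.20.0.44
"""

# Assumed: the only networks allowed to open RDP sessions (VPN pool / jump hosts).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAILURE_THRESHOLD = 5  # assumed: failed RDP logons from one source before flagging

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        event_id, logon_type, account, src = line.split(",")
        events.append({"id": int(event_id), "type": int(logon_type),
                       "account": account, "src": src})
    return events

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def audit_rdp(events):
    """Return findings: RDP logons from untrusted sources, then failure bursts."""
    findings = []
    failures = Counter()
    for e in events:
        if e["type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        if e["id"] == 4625:
            failures[e["src"]] += 1
        elif e["id"] == 4624 and not is_trusted(e["src"]):
            findings.append(f"untrusted RDP logon: {e['account']} from {e['src']}")
    for src, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(f"RDP failure burst: {n} failed logons from {src}")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The constructed sample shows the pattern the article warns about: a run of failed logons from an external address followed by a success, which the untrusted-source rule catches even when the password guessing itself stays under the threshold.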
  • Will this Utah proposal quash lawsuits from victims of data breaches?

    • Should consumers have the right to sue a company that allows their personal information to be stolen by data thieves?
    • Under a proposal moving quietly through the 2021 Utah legislative session, the bar for filing such a lawsuit would be raised considerably in the event that a company has taken at least some measures to keep your data protected.
    • Jacey Skinner, the chamber’s vice president for public policy and general counsel, said the new protections were “a very positive way to help with the goal of protecting customer information” as opposed to rules that only mete out punishment, usually in the form of fines, if and when computer hacks or other actions lead to the loss of customers’ personal information.
    • The national lawyers group also warned that the creation of an affirmative defense against tort claims, as the Utah proposal seeks to do, does not result in an impenetrable liability wall. The group’s legal analysis notes that there are other avenues by which consumers who have lost data can seek damages, and that the safe harbor does not let companies off the hook in having to present a defense of their cybersecurity systems.
    - Art Raymond | February 14, 2021
  • The Long Hack: How China Exploited a U.S. Tech Supplier

    • For years, U.S. investigators found tampering in products made by Super Micro Computer Inc. The company says it was never told. Neither was the public.
    • In 2010, the U.S. Department of Defense found thousands of its computer servers sending military network data to China—the result of code hidden in chips that handled the machines’ startup process. 
    • In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site. 
    • And in 2015, the Federal Bureau of Investigation warned multiple companies that Chinese operatives had concealed an extra chip loaded with backdoor code in one manufacturer's servers.
    • Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait; U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities.
    • “Supermicro is the perfect illustration of how susceptible American companies are to potential nefarious tampering of any products they choose to have manufactured in China,” said Tabb, who was the executive assistant director of the FBI’s national security branch from 2018 until he retired in January 2020. “It’s an example of the worst-case scenario if you don’t have complete supervision over where your devices are manufactured.”
    • “If you think this story has been about only one company, you’re missing the point,” said Frank Figliuzzi, who was the FBI’s assistant director for counterintelligence until 2012. “This is a ‘don’t let this happen to you’ moment for anyone in the tech sector supply chain.”
    - Jordan Robertson and Michael Riley | February 12, 2021
  • Cybersecurity expert warns about the dangers of working from home

    • Nuclear war would require billions of dollars and years of development. But someone in a basement can pull off a devastating cyberattack that takes down the critical infrastructure for practically nothing.
    • "The cyberwar has replaced the Cold War. And it's really a cyber-pandemic," says Adam Levin, the founder of Cyberscout and an expert on cybersecurity.
    • The threat is even greater if employees working from home are using their personal computers rather than company-issued laptops loaded with anti-virus and anti-malware software.
    • It isn't just other nations attacking the targets in the United States. The U.S. attacked Russia's power grid less than 2 years ago. So this really is a cyber-world war. Levin says, be vigilant. Be careful what you do online. And never use the same password for multiple accounts. It not only protects you personally but could keep your company and others safe.
    - Jamey Tucker | February 11, 2021
  • Australian research institute confirms ‘likely’ data breach after third-party Accellion hack

    • The QIMR Berghofer Medical Research Institute in Brisbane, Australia, is investigating a “likely” data breach after a third-party service was compromised.
    • The medical research institution said its early investigation indicates that certain data stored in file-sharing system Accellion has been accessed.
    • Accellion, a US-based company that offers a secure file sharing system, announced it had been the victim of a cyber-attack on December 25 last year.
    • QIMR Berghofer said that it used Accellion’s services to share data related to clinical trials of anti-malaria drugs. However, it confirmed that no personally identifiable information was stored in the files.
    • Instead, the organization said that codes are used to refer to study participants.
    • The breach at Accellion impacted a number of organizations worldwide after a 20-year-old product that was nearing end of life – Accellion FTA – was targeted.
    • Accellion said that attackers took advantage of a zero-day vulnerability in the legacy software during the “sophisticated” hack.
    - Jessica Haworth | February 11, 2021
  • Data Breach at Syracuse University Leaves Almost 10,000 Names, SSNs Exposed

    • The breach occurred sometime between Sept. 24 and Sept. 28, 2020, when an unauthorized individual accessed a Syracuse employee’s email account. The university launched its investigation in early January and discovered that emails and attachments in the account contained private information, like names and associated Social Security numbers.
    • In a statement to the SU campus newspaper, The Daily Orange, senior associate vice president Sarah Scalese said, “To date, we are unaware of any misuse of the information maintained in the employee’s email account, nor do we have any evidence that private, personal information was actually viewed.”
    • The university has not yet addressed the specifics of how the breach occurred. Nor have they addressed why they waited nearly a month between starting their investigation and informing those potentially affected.
    - Matt Jones | February 11, 2021
  • Water treatment cyberattack updates

    • The FBI has released an advisory on the Oldsmar water treatment facility incident. In an advisory (shared on Twitter by POLITICO's Eric Geller) the Bureau said the attack "likely" exploited an old Windows 7 operating system and weak password security as they (or he, or she) gained access to the TeamViewer software in use at the facility.
    • The Miami Herald says that other regional water utilities have assured them that they have safeguards in place that would have prevented the sort of incident Oldsmar sustained.
    • Who did it remains an open question.
    • The FBI's recommendations for securing infrastructure are:
      • "Use multiple factor authentication;
      • "Use strong passwords to protect Remote Desktop Protocol (RDP) connections;
      • "Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure;
      • "Audit network configurations and isolate computer systems that cannot be updated;
      • "Audit your network for systems using RDP, closing unused RDP ports; applying two-factor authentication wherever possible, and logging RDP login attempts;
      • "Audit logs for all remote connection protocol;
      • "Train users to identify and report attempts at social engineering;
      • "Identify and suspend access of users exhibiting unusual activity;
      • "Keep software updated."
    • Dragos had published a quick set of recommendations useful in securing any industrial environment:
      • "Manually identify software installed on hosts, particularly those critical to the industrial environment such as operator workstations- such as TeamViewer or VNC. Accessing this on a host-by-host basis may not be practical but it is comprehensive.
      • "Beyond host data, there are a variety of network traffic sources to help identify TeamViewer. Most environments are not configured where centralized logging is occurring and can be a manual process. We recommend: 
      • "Use DNS logging to identify outbound DNS resolution to *.teamviewer.com 
      • "Encrypted communications to teamviewer.com will have a X509 certificate for *.teamviewer.com 
      • "Use perimeter logging or other network logging to identify external communications via TCP/5938 and UDP/5938. 
      • "Talk to the operations staff or IT staff at the site to determine if other remote software tools such as virtual private networks are used. If so, perform searches for those tools and where possible utilize multi-factor authentication on remote connections.  
      • "From a prevention perspective, blocking these communications, and all egress communications that are not explicitly approved, will prevent remote access solutions like TeamViewer. However, ensure that you talk with plant personnel before doing this and after blocking any connections be available to reverse the changes if something was necessary that they did not know about."
    February 10, 2021
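The three network indicators Dragos lists above (DNS resolution of *.teamviewer.com, certificates issued for *.teamviewer.com, and traffic on TCP/UDP 5938) turned into a detection pass in Python. This is an added example, not Dragos's or the FBI's code; the record format, host names and external addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real plant telemetry). Each line is
# "kind,host,detail":
#   dns  - host queried the given name
#   tls  - host received a server certificate with the given subject CN
#   flow - host opened proto/port to an external address
SAMPLE_RECORDS = """\
dns,hmi-01,router1.teamviewer.com
dns,eng-ws-07,updates.example.net
tls,hmi-01,*.teamviewer.com
flow,hmi-01,tcp/5938,198.51.100.20
flow,eng-ws-07,udp/5938,198.51.100.21
flow,hist-02,tcp/443,198.51.100.30
dns,hist-02,teamviewer.com.evil.example
"""

# Indicators taken from the Dragos guidance quoted above.
TV_DOMAIN = re.compile(r"(^|\.)teamviewer\.com$", re.IGNORECASE)
TV_PORTS = {"tcp/5938", "udp/5938"}

def parse_records(text):
    rows = []
    for line in text.strip().splitlines():
        kind, host, detail = line.split(",", 2)
        rows.append((kind, host, detail))
    return rows

def matches_domain(name):
    # Anchored at the end, so "teamviewer.com.evil.example" is not a match.
    return TV_DOMAIN.search(name.rstrip(".")) is not None

def find_teamviewer_hosts(rows):
    """Map each internal host to the set of TeamViewer indicators seen for it."""
    hits = defaultdict(set)
    for kind, host, detail in rows:
        if kind == "dns" and matches_domain(detail):
            hits[host].add("dns:" + detail)
        elif kind == "tls" and matches_domain(detail.lstrip("*.")):
            hits[host].add("cert:" + detail)
        elif kind == "flow" and detail.split(",")[0] in TV_PORTS:
            hits[host].add("port:" + detail.split(",")[0])
    return dict(hits)

if __name__ == "__main__":
    for host, indicators in sorted(find_teamviewer_hosts(parse_records(SAMPLE_RECORDS)).items()):
        print(host, sorted(indicators))
```

A host that trips only the port check (eng-ws-07 in the sample) is worth confirming with the operations staff before any egress block, which is the caveat Dragos ends on.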
  • City of Monroe’s utility billing vendor hit with data breach

    • Between Wednesday and Thursday, hackers used ransomware to encrypt servers hosted by Seattle-based Automatic Funds Transfer Services, which processes paper checks for the city’s residential and commercial utility billing.
    • Residents or businesses who pay their utility bill by mailing a paper check should monitor their bank accounts for unusual activity and report anything suspicious to their bank.
    • The cities of Kirkland and Redmond were also affected by the breach.
    February 9, 2021
  • Threat intelligence vs. future data breaches

    • In a 2020 report on cyber security breaches, the UK government revealed that nearly half (46%) of businesses experienced a breach between Q2 2019 and Q2 2020. Of those impacted, almost a third (32%) admit to facing breach attempts at least every week.
    • In response to the rise in breaches, the European Union General Data Protection Regulation (GDPR) and similar regulatory frameworks have been created in recent years to ensure organizations maintain a certain standard in the control and protection of their data, and are therefore prepared to detect and mitigate breaches more efficiently. Failing to meet these standards can mean sizable fines for the victim organizations, a move the regulators hope will encourage businesses to do all they can to remain secure.
    • A successful breach against an organization doesn’t mean lights out, and there is still much a SOC team can do to limit financial losses and reputational damage:
      • Assess the fallout
      • Control the damage
      • Keep an account
      • Alert compromised customers
      • Alert law enforcement
    • Other areas of focus:
      • Mitigating a breach before it happens
      • Precise Threat Intelligence
      • Stolen Credential Protection
      • Proactive Threat Monitoring
      • Fraud prevention
      • Compliance
    February 9, 2021
  • Microsoft February 2021 Patch Tuesday fixes 56 bugs, including Windows zero-day

    • The OS maker has fixed 56 security vulnerabilities, including a Windows bug that was being exploited in the wild before today's patches.
    • Tracked as CVE-2021-1732, the Windows zero-day is an elevation of privilege bug in Win32k, a core component of the Windows operating system.
    • Besides the zero-day, this month's Patch Tuesday also stands out because of the high number of vulnerabilities whose details were made public even before patches were available.
    • In total, six Microsoft product bugs had their details posted online before today's patches. This included:
      • CVE-2021-1721 - .NET Core and Visual Studio Denial of Service Vulnerability
      • CVE-2021-1733 - Sysinternals PsExec Elevation of Privilege Vulnerability
      • CVE-2021-26701 - .NET Core Remote Code Execution Vulnerability
      • CVE-2021-1727 - Windows Installer Elevation of Privilege Vulnerability
      • CVE-2021-24098 - Windows Console Driver Denial of Service Vulnerability
      • CVE-2021-24106 - Windows DirectX Information Disclosure Vulnerability
    • Microsoft has also released fixes for three vulnerabilities in the Windows TCP/IP stack, which allows the operating system to connect to the internet.
    • Of all Windows systems, Windows Server instances are the ones most likely to be susceptible to attacks, as many are used to host web servers or cloud infrastructure and are almost certainly connected to the internet at all times and exposed to attacks.
    - Catalin Cimpanu | February 9, 2021