Advisory

Microsoft Azure Mitigates Impressive DDoS Attack

Microsoft is reporting that nearly 70,000 sources spread across the globe are responsible for one of the largest cyber-attacks in history. A Distributed Denial-of-Service (DDoS) attack is a cyber-attack in which the adversary attempts to make a machine or network resource unavailable to its intended users by flooding the target machine with requests in an attempt to overload the system. A report by Link11 suggests that DDoS attacks are on the rise, as we have seen a 33 percent increase during the first half of 2021.

Microsoft reports that the attack, while lasting only around 10 minutes, was one of the most significant they have ever seen. Bursts of traffic that peaked out at 2.4 Tbps were utilized in attempt to cripple servers and prevent legitimate traffic from reaching its target. While DDoS attacks on their own can be devastating for organizations with internet facing services, many times they are used as a distraction for an even more sophisticated attack. An attacker with persistent access to an internal network may use an external DDoS attack to distract IT staff while ransomware is deployed across the internal network.

The Azure security team was able to confirm that all services remained online during the attack due to security controls that mitigate the effect of large-scale DDoS attacks. How would your organization’s internet facing infrastructure hold up against an attack like this? Here are some mitigating steps:

Reduce Attack Surface – Limiting the internet facing attack landscape is the best way to reduce the risk of DDoS attacks.
Scaling – Scaling your infrastructure to absorb a large-scale DDoS attack can be a great way to mitigate risk. Utilizing Content Distribution Networks (CDNs) or Load Balancers to spread traffic out across multiple servers can limit the effect overwhelming amounts of traffic can have on a single server.
Know What is Normal – Having a general idea of what is a normal amount of traffic and what is not can assist you in configuring technologies to prevent against DDoS attacks. Configuring proper rate limiting and traffic analysis to block illegitimate traffic could save you a major headache.
Deploy Sophisticated Controls – Web Application Firewalls (WAFs) are sophisticated tool sets that can detect and block these types of attacks. They can be configured to protect your application by blocking source IPs, whitelisting specific geo-locations, and stopping illegitimate requests in their tracks.
Penetration Testing – Performing external and web application penetration tests can point you to vulnerabilities that would be at risk of a DDoS attack. Patching these holes on your external perimeter may save your organization from experiencing unproductive downtime.

Conti Ransomware CISA Alert & Attack Playbook

On September 22^nd, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert regarding a spike in the use of Conti ransomware. Conti ransomware has been used in attacks more than 400 times against U.S based and international organizations. Back in May, the FBI also released a flash on Conti Ransomware and its impact on healthcare and first responder networks.
Conti ransomware is classified as a ransomware-as-a-service (RaaS) model with a small difference in how its threat actors are compensated. Rather than paying a percentage of the earning from a successful attack, they pay a wage to the individuals who deploy the ransomware. CISA advises Conti typically gains access to networks in the following ways:

Spear phishing containing malicious links or attachments. Once the link is clicked or the attachment is opened, malware is usually placed on the system to help gain persistent access with Command and Control (C2) operated by software like Cobalt Strike. nGuard published a security advisory on Cobalt Strike earlier this year.
Stolen or weak remote desktop protocol (RDP) credentials.
Phone calls.
Fake software promoted through search engine optimization (SEO).
Other malware distribution networks (ZLoader).
Common vulnerabilities in external assets.

Recently, a Conti ransomware playbook was leaked, giving insight on how the organization operates. Some of the main takeaways are how Conti gains access, and the IP addresses they use for their Cobalt Strike C2 servers. Conti has been taking advantage of the recent PrintNightmare vulnerability, Zerologon vulnerability, and the 2017 Windows SMB 1.0 vulnerabilities. A few IPs they are known to use for their C2 operations are:

162.244.80.235
85.93.88.165
185.141.63.120
82.118.21.1

It is recommended you block these IPs in your firewall to prevent any type of inbound or outbound connection and then be alerted if there is any connection attempts.

To reduce risk, CISA, FBI, and NSA and recommending the following mitigations:

Implement multi-factor authentication (MFA) to remotely access networks
Implement network segmentation and filter traffic. This will make it more difficult for ransomware to spread should it find its way into your network.
Scan for vulnerabilities and keep software updated.
Remove unnecessary applications and apply controls.
Implement endpoint detection and response tools.
Limit access to resources, especially RDP.
Secure user accounts.
If infected, use the Ransomware Response Checklist.

CIS Controls v8 (Part 3)

Summary
Last month, nGuard released a security advisory called CIS Controls v8 (Part 2) where we covered controls 7-12. This time, we are wrapping it up by covering the remaining 8 controls that are essential for a company who puts emphasis on a strong security posture. Read about these controls below and then take action within your organization to implement them.

Controls
Control 13: Network Monitoring and Defense
If an attacker gained access to your internal network, would you even know that it happened? It is essential that tools be in place to monitor network traffic for malicious activity and take action if necessary. Implementing an intrusion prevention system and log management system, then configuring it to meet the needs of your organization can halt simple attacks in their tracks.

Control 14: Security Awareness and Skills Training
Employees are the weakest link in the chain of organizational security landscape. Step 1 for any company looking to increase their security posture should be training employees to put a halt to social engineering attempts. At nGuard, we regularly conduct advanced social engineering campaigns for our customers — their employees fall for it every time. It is essential to establish and maintain a security awareness program for employees and conduct simulations if possible. Make security part of your company’s culture.

Control 15: Service Provider Management
We have been seeing a lot of disturbing headlines lately in which companies release data to third-parties and those vendors allow the data to become compromised. While the vendor may be responsible, perhaps the contracting organization didn’t conduct proper due diligence. Take service provider management seriously by having a developed process in place to evaluate whether or not this vendor is going to put security first while in possession of your sensitive data.

Control 16: Application Software Security
Any nGuard engineer will tell you that the easiest way to compromise a system is by exploiting critical, widely-known vulnerabilities due to outdated or unsupported software. Although these companies rely on a slew of software packages to conduct daily business operations, they fail to update them when security patches are released. nGuard recommends that you maintain a list of firmware and software that will need to be updated; sign up for mailing lists that will alert you when new patches are to be released; and configure automatic updates if possible. Do not let your software be outdated for an extended period of time!

Control 17: Incident Response Management
Many security professionals will tell you that it’s not a matter of “if,” but a matter of “when” a company will become compromised in some form or fashion. Is your organization prepared to recover from a ransomware attack? If not, maybe it’s time to think about this. Having a well-developed incident response plan in place can prevent a world a trouble. Develop policies, plans, procedures, define roles, conduct training, and develop communication plans to mitigate threats. Once these measures have been implemented, conduct table top exercises to test the plan you have put in place.

Control 18: Penetration Testing
This is nGuard’s favorite control. Penetration testing attempts to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. While vulnerability scans do a great job of pointing you to the low hanging fruit that attackers will take advantage of, penetration testing brings a real-world expert into your environment to chain together vulnerabilities and give you a better evaluation of potential risk. Start with external penetration testing to secure your public facing infrastructure and then move to internal penetration testing to make life harder for an attacker that gets in.

Next Steps
nGuard offers a wide variety of services that will help guide your organization on its path to implementing these critical security controls. Our Strategic Security Assessment allows your organization’s key players the opportunity to sit down with a security consultant who knows these controls like the back of their hand. Not only will they help you strengthen the controls that are already in place, they will make recommendations for the areas in which your organization falls short. Below are some other ways nGuard can help your business implement these controls:

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up to date. This week, nGuard is bringing you everything from the US State Department being attacked to Microsoft Power Apps leaking 38 million records.

US State Department Hit By Cyber-Attack

On August 21, Fox News journalist Jacqui Heinrich reported that the U.S. State Department suffered a cyber-attack. This led to the Department of Defense Cyber Command making notifications of a possible serious breach. A spokesperson for the State Department was quoted as saying, “The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.” The State Department will not likely release any details of the attack. This comes in the wake of recent attacks on Colonial Pipeline and JBS from Russia, and the Microsoft Exchange Server attacks originating from China.

AT&T Data Being Sold On The Dark Web

Last week it was T-Mobile, this week it’s AT&T. The hacker gang, ShinyHunters, is claiming they have the data of 70 million AT&T customers personal identifiable information (PII) which includes names, phone numbers, social security numbers, dates of birth, addresses, and more. ShinyHunters are selling the data on RaidForums in small segments for $30,000 or the entire database for $1 million. AT&T has denied this information came from their systems.

Microsoft Power Apps Leaks 38 Million Records

The data of 38 million people was mistakenly exposed to the internet which was caused by an issue with more than 1000 Microsoft web applications. Some of the companies that were affected are American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. The information leaked included COVID-19 contact tracing platforms, vaccination information, job application portals, and employee databases. The information included vaccination status, social security numbers, home addresses, and phone numbers. The flaw that allowed this leak to occur was in the Power Apps application programming interface (API) default setting which opened the information to the public. The privacy settings needed to be changed manually to prevent this from happening, but a majority of customers were not aware of this option.

President Biden Hosts Tech, Energy, Finance Leaders Meet In ‘Call to Action’

On Wednesday August 25^th, Apple, Amazon, Google, Microsoft and chief executives from insurance, energy and water companies were summoned to the White House to focus on improving cybersecurity. This meeting comes as recent high-profile attacks like the SolarWinds and Microsoft Exchange attacks have become more frequent. The White House wanted to address these areas of concern and determine how to best protect the 16 Critical Infrastructure sectors. Additionally, nonprofit organizations focused on computer science education and several colleges were included in the meeting to discuss efforts on how to address the gap of roughly 500,000 vacant U.S. cybersecurity jobs.

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up-to-date. This week, nGuard is bringing you everything from a T-Mobile data breach that exposed some extremely sensitive data to a Windows zero-day that may allow remote code execution.

T-Mobile Data Breach
Late Sunday night, the U.S. Sun reported that T-Mobile USA had likely suffered a massive data breach. T-Mobile was made aware of the breach after a hacker posted large swaths of data for sale on a popular online hacking forum. Early reports show the information from over 100 million customers may be at risk. This data set includes drivers license information, physical addresses, phone numbers, names, social security numbers, and unique IMEI numbers.

Norton and Avast Merger
On August 11^th, the security community was made aware that anti-virus giants NortonLifeLock and Avast were going to merge in a deal worth more than $8 billion. While both companies offer a similar product set, Norton’s experience with identity logistics and Avast’s individual focus on privacy could lead us down the path to the ultimate anti-virus product. With ransomware attacks on the rise, this merger could be timely for security professionals.

Gigabyte Ransomware Attack
Bleeping Computer and United Daily News were the first to report that Taiwan-based computer manufacturer, Gigabyte, had been the latest company to suffer a large-scale ransomware attack. Early reports are confirming that IT infrastructure was shut down, but the attack may be worse than originally expected. The attack appears to have been carried out by an organization called RansomEXX. This organization is also responsible for the attacks on the Brazilian government and the Texas’ Department of Transportation.

Windows Print Spooler Zero-Day
Late last week, Microsoft confirmed the presence of a Windows print spooler vulnerability now known as CVE-2021-36958. This is one of many vulnerabilities in a class of bugs known as “PrintNightmare.” This vulnerability utilizes the CopyFile registry directive on the device to copy a DLL file that ultimately allows an attacker to gain SYSTEM level privileges on the device. Microsoft quickly released security updates to address this vulnerability.

The Most Sophisticated Smartphone Attack Ever?

Who is the NSO Group?

The NSO Group is an Israeli cyber intelligence firm that, according to their website, “creates technology that helps government agencies prevent and investigate terrorism and crime.” NSO Group recently suffered a major data leak which has brought light on one of the products offered by the company. Current news is reporting that the NSO Group offers a cybersurveillance tool called Pegasus that has been discovered to be used by more than just government agencies and utilized on more than just criminals and terrorists.

What is Pegasus?

Pegasus, also being referred to as, “The most sophisticated smartphone attack ever” is a malicious program that can easily infect any iPhone, Android, or Blackberry device. Once the phone is infected, there is no way to remove the software, even with a hard factory reset. Pegasus allows an attacker to listen to phone calls and intercept incoming and outgoing text messages, but it doesn’t stop there. The software allows full access to the contents of the device. Passwords, photos, emails, contacts, ability to remotely turn on the microphone, and even the ability to view messages sent and received using encrypted applications like Signal and WhatsApp. This document from NSO group is a manual for the software, detailing its capabilities and how it works. Here is a list of what NSO Group says are the benefits of Pegasus:

How is Pegasus deployed on a device?

Pegasus can be deployed via SMS, WhatsApp, iMessage, zero-day vulnerabilities, and social engineering. The scariest way that Pegasus can be loaded on a device requires zero interaction from the end user. An over-the-air (OTA) push message is sent to the device which installs an agent on the device. The target is unaware of the agent being installed and the user cannot prevent this from happening as the device gives no indication of malicious activity occurring and requires no interaction from the user.

Image Courtesy of The Guardian

What does it cost to get your hands on Pegasus?

The NSO Group charges $500,000 to setup Pegasus for a customer, then an additional $650,000 to hack 10 iPhone or Android devices or $500,000 for 5 Blackberry devices. NSO Group also charged a 17% maintenance fee based on what a customer has spent with them over the course of a year. Forbidden Stories reports the contract with Saudi Arabia was worth $55 million.

What targets has Pegasus been used against?

Media outlets have released a list containing over 50,000 phone numbers in over 50 countries, with a majority from countries with oppressive governments that have been known to spy on their citizens. The people that have been identified as targets of Pegasus include current heads of state from South Africa, France, Pakistan, Egypt, Iraq, business executives, human rights activists, journalists, and additional politicians or government officials.

Has your phone been infected?

A publication from The Verge gives a detailed guide to check if Pegasus has found its way onto your device using a Mobile Verification Toolkit.