nGuard

----

Call us p. 704.583.4088
Speak to An Expert

Vulnerabilities & Exploits

LinkedIn Breached Again!

Summary
Remember when someone discovered a misconfigured database exposed to the internet that left the information of 500 million LinkedIn users at risk? It’s happening again, except this time 700 million users have been impacted. Multiple outlets are now reporting that a hacker appears to have used the LinkedIn API in a malicious way which led to the download of large amounts of user data. This is extremely similar to the April incident in which an online database was compromised and user data was sold online. With both incidents, the user data has appeared for sale on a popular site called raidforums.com. Here, users can download large amounts of compromised data for any purpose. Hackers were able to compromise the following:

  • Email Addresses
  • Full Names
  • Phone Numbers
  • Physical Addresses
  • Geolocation Records
  • Usernames and Profile URLs
  • Genders
  • Other Social Media Accounts

Although this data set doesn’t contain cleartext passwords or password hashes, it does contain sensitive information that could be used in targeted social engineering attacks. Attackers utilize detailed information about employees to launch intricate social engineering campaigns that can be highly successful. When an unsuspecting employee receives a spoofed email with personal information included, it often makes it seem more legitimate. It is important to train your employees to look out for this type of targeted social engineering.

Awareness Training Helps
nGuard has been studying the art of social engineering and conducting simulations for its customers for nearly 20 years. nGuard’s highly trained engineers are well versed in the techniques used by adversaries and can conduct real world scenarios. This aids organizations in training their employees to expect the unexpected.

Colonial Pipeline Update

Summary
This is a follow up to a previous Security Advisory. For the initial timeline please visit Colonial Pipeline Timeline of Events.

Since the last Colonial Pipeline Security Advisory, there have been several updates related to the breach. Details were released on how the attackers gained initial access to Colonial’s internal network, the FBI was able to recover much of the bitcoin paid to the ransomware group (Darkside), and the Senate Homeland Security Committee held a hearing on the breach.

In the beginning of June, Bloomberg reported that the initial access gained by DarkSide was through a Virtual Private Network (VPN) account, which is used to gain remote access to private networks. The target account was no longer in use but remained active. The password associated with the account was discovered in a database of leaked passwords that are available on the dark web. Additionally, the VPN account did not utilize multi-factor authentication (MFA), which made gaining access much easier. The breach investigation stated that it is not known exactly how the password and username combination was compromised and likely they will never know. Only a week after the initial access was gained, ransomware was deployed resulting in the catastrophic damage to Colonial Pipeline and their supply chain.

On Monday June 7th, the Department of Justice (DOJ) announced it had successfully recovered 63.7 Bitcoins worth approximately $2.3 million from DarkSide. The FBI was able to discover the address of the virtual wallet used through blockchain’s public ledger. The FBI had the private key, which is like a password, used to access the wallet and seize the bitcoins. The FBI has not stated how they obtained the private key, but this shows that criminals who use bitcoin and other cryptocurrency in their activity are not as immune to law enforcement as once believed.

On June 8th, the Senate Homeland Security Committee held a hearing with the CEO of Colonial Pipeline, Joseph Blount. When discussing paying the ransom Joseph said, “It was one of the toughest decisions I have had to make in my life. At the time, I kept this information close hold [sic] because we were concerned about operational security and minimizing publicity for the threat actor. But I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country.” The hearing covered Colonial Pipeline’s security readiness and response to the event while putting a bigger spotlight on the gaps in security within the U.S energy infrastructure and country as a whole.

What Can Your Organization Do?
Cybersecurity cannot continue to be a reactive process. Security needs to be a priority from the ground up with infrastructure built around security. Discovering gaps in your organization’s security landscape can be simplified with an nGuard Strategic Security Assessment. Utilizing the Center for Internet Security Controls Version 8, nGuard can help you find ways to create a more mature security organization. If your organization does fall victim to a ransomware attack like Colonial Pipeline, bring in our experts to conduct a Cybersecurity Incident Response.

Colonial Pipeline – Timeline Of Events

On Friday May 7th Colonial Pipeline suffered a cyberattack involving ransomware, causing them to shutdown their IT systems and temporarily pause production on a majority of their pipelines. Additional details of the attack are still coming out each day, but here is a current timeline of events and details of how the hacker group, DarkSide, has carried out its attacks based on publicly available information.

May 6th 
Colonial Pipeline networks are breached, 100GB of data is stolen and computers are encrypted with ransomware.

May 7th 
Colonial Pipeline paid $4.4 million to DarkSide hacking group to decrypt their infrastructure.

May 8th 
Colonial Pipeline, along with U.S. Government organizations and U.S. companies take systems offline that were in control by the hackers.

Colonial Pipeline issues statement on attack stating they have been victims of ransomware and have engaged a third-party cybersecurity firm and alerted law enforcement. Source:Colonial Pipeline Statement

May 9th
Colonial Pipeline issues second statement giving an update of their investigation into the attack and the status of their pipeline operations. Source: Colonial Pipeline Statement

May 10th 
FBI issues statement confirming DarkSide is the responsible party for the hack.

Colonial Pipeline issues a statement that their goal is to substantially restore service by the end of the week.

Colonial Pipeline manually operates a line from Greensboro, NC to Woodbine, MD for a limited period of time, but other main lines continue to be offline.

May 11th 
CISA and FBI issue cybersecurity advisory describing ransomware used by DarkSide with strategies for risk mitigation. Source:Joint Advisory.

Colonial Pipeline’s website is offline for part of the day.

May 12th 
Colonial Pipeline’s website is restored and a new website is provided to address their response to the attack. Source: CP Cyber Response

Colonial Pipeline is able to restart services around 5:00pm. It will still take many days to replenish the depleted supply chain after panic buying of fuel and delayed fuel deliveries.

How Did Darkside Launch the Attack?
Based on research of DarkSide, the below methods are the tactics they have typically followed in recent attacks. Source: DarkSide Ransomware Research

  1. Attackers were able to gain access in a few different ways:
    1. Phishing attacks
    2. Brute-force password attacks
    3. SQL Injection against VPN networks
    4. Utilizing TeamViewer
    5. Installing backdoors
  2. Once inside the network, attackers escalated privileges by:
    1. Exploiting the Zerologon vulnerability.
    2. Utilizing Mimikatz.
    3. Accessing and dumping Local Security Authority Subsystem Service (LSASS).
  3. With privileged access, DarkSide uses PowerShell and Certutil to deploy and execute the ransomware across the network.

Where to go from here?
The attack methods used by DarkSide should lead to a review of your organization’s security assessment programs to ensure the below critical assessment activities are included.

nGuard’s security assessment portfolio can help your organization find your vulnerabilities before the bad guys do. If your organization falls victim to a ransomware attack like Colonial Pipeline, bring in our experts for your Cybersecurity Incident Response.

Should We Pay The Ransom?

Summary
Has your organization been a target of ransomware? Did you pay the ransom? If so, did you get all your data back? Whenever an organization becomes a victim of a ransomware attack, paying the malicious attackers may seem like the only hope, especially for companies that don’t have proper backup procedures in place. Unfortunately, statistics are showing us that paying the ransom guarantees little in return. Here are some key data points collected from a large sample size of mid-sized organizations spread across the globe.

  • In 2021, 37% of organizations have experienced some type of ransomware attack.
  • The average costs of remediating against a ransomware attack grew in 2021 to $1.85 million.
  • The average cost of paying the ransom grew to $170,000.
  • 32% of the organizations affected by a ransomware attacks decided to pay the malicious actors.
  • ONLY 8% WERE ABLE TO DECRYPT AND RECOVER ALL THEIR DATA AFTER PAYING THE RANSOM!

The last point truly brings reality into check. Paying the ransom rarely pays off. This can be attributed to many factors, but the overwhelming majority of organizations say that they received the ransom key after payment, but were unable to use it in an effective manner. This can be linked to poorly coded malware and IT teams with limited experience.

What Can You Do?
It is extremely important for organizations to take proper precautions to protect themselves against the increasing threat of ransomware.

  • Perform monthly or quarterly vulnerability scans against your external perimeter and internal networks to stay up to date with the latest vulnerabilities that could give an attacker their initial foothold.
  • Perform annual penetration testing to protect against advanced techniques that may allow an attacker to pivot once they have a foothold.
  • Create effective Incident Response policies and procedures.
  • Conduct tabletop exercises to validate and identify gaps in your Incident Response Plan.
  • Perform consistent security awareness training with employees to limit the chance of successful social engineering and phishing attacks.
  • Have proper onsite and offsite backup policies and procedures in place. If you fall victim to ransomware, you may be able to recover from backup, with limited, if any data loss, and not rely on paying a large sum of money for an 8% chance of getting your data back.

When it comes to protecting your organization’s critical data, it’s time to get serious. nGuard is ready and willing to discuss all these preventative solutions with you and your team.

Cyber Criminals Are Pressuring Your Customers

Summary
Over the past few years, cybercriminals have brought more sophisticated ransomware attacks against organizations leading to potentially catastrophic damages. Generally, an attacker gains access to an internal network, performs network reconnaissance, elevates their privileges, and deploys ransomware across the network, which encrypts the data rendering it unusable. The attacker then demands the organization pay a large sum of money for the keys to decrypt the data. This makes it critical for organizations to increase security awareness, perform regular offsite backups of critical systems, have properly configured network monitoring and endpoint protection, and a mature incident response program.

Criminals are now taking their extortion attempts to the next level. Security researchers have noticed a spike in emails sent to end customers of companies that have fallen victim to network breaches. These emails notify customers that their data has been compromised due to a security breach. It asks the customer to reach out and demand that the company pay the cybercriminal’s ransom request in order to prevent their personal data from being leaked online. Here is an example of the type of emails end customers are receiving:

Most security professionals will tell you, if possible, avoid paying the ransom when your company falls victim to data leaks or ransomware attacks. Increased pressure from customers receiving these emails only makes the decision to not pay more difficult. Additionally, these emails notifying customers of a data breach can lead to reputational damage and lost business.

What can be done?
It is important for companies to put an emphasis on security before they fall victim to these types of attacks. Performing regular external penetration testing can prevent attackers from compromising systems and pivoting into the internal network. Additionally, performing internal penetration testing can stop an attacker in their tracks. If an attacker gains a foothold, it will be difficult for them to elevate privileges and compromise critical internal systems allowing the deployment of ransomware. nGuard provides an abundance of tactical and strategic security assessments that will boost the overall security posture of an organization. This will reduce the chances of a successful attack and further minimize the damages that stem from a breach.

Critical Exchange Zero-Day

Summary
This month, Microsoft released security patches for multiple zero-day exploits targeting on-premise Exchange servers. CVE-2021-26855 allows a malicious attacker to bypass authentication and impersonate users. Not only does this vulnerability allow an attacker to compromise email accounts, but the ability to install malware for persistent access or ransomware is also available. Microsoft has labeled this as a critical vulnerability that must be patched immediately.

As of this week, full proof-of-concept exploits are popping up online. This allows the exploit to become more widely exploited by malicious actors with little to no technical expertise. Check out the video below to see just how easy it is to gain a high-privilege shell with the public proof-of-concept code. It is estimated that nearly 80,000 Exchange servers exposed to the internet are still vulnerable to this exploit. If your organization is utilizing Microsoft’s on-premise Exchange service, it is essential that it be patched right away to avoid compromise.

What to do?
Microsoft has released their Exchange On-premises Mitigation Tool (EOMT) to address CVE-2021-26855 which is the most effective way to protect and mitigate exchange servers prior to patching. If you need to check if your exchange servers are vulnerable, use this handy script from Microsoft which is formerly known as the HAFNIUM script. The United States CISA is recommending all organizations use this script to determine if their exchange servers have been compromised. Stay updated with alerts from US-CERT.