Healthcare

TWiC | Lapsus$ Ransomware, LastPass Hack & MS ZeroDay

The past couple of weeks have been busy ones for the world of cybersecurity. Multiple companies have disclosed serious hacks that have led to breaches of customer data and overall system availability. In this week’s security advisory, nGuard will detail some of these incidents and their impact on the cybersecurity landscape.

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

The Lapsus$ crime gang is back at it again with an attack on the networking giant, Cisco. About a month ago, Cisco had disclosed that its systems were breached. A social engineering attack led adversaries on a pathway to overtaking an employee’s Google account. Saved credentials were then obtained from the browser and voice communications were utilized to trick the unsuspecting employee into accepting a multi-factor authentication push notification. Cisco believes the end goal of the attacker was to deploy ransomware on the network after gaining access to multiple systems. Cisco is reporting that attempts to deploy ransomware were unsuccessful.

LastPass Says Hackers Had Internal Access For Four Days

Lastpass reported a breach back in August and are now releasing some more details about the compromise. They are now reporting that an attacker had internal access to the company systems for four days before they were detected. Lastpass worked with a cybersecurity firm to investigate the incident and found that no customer data or password vaults were accessed during this time. LastPass maintains that your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass. The attacker was however able to access a developer endpoint and poke around the development environments.

Microsoft Patches a New Zero-Day Affecting All Versions of Windows

Microsoft is patching another zero-day vulnerability affecting all supported versions of Windows. This zero-day is reported as being used in real-world attacks. CVE-2022-37969 is a privilege elevation flaw in the Windows Common Log File System Driver. This is utilized for data and event logging. Once a system is compromised, this vulnerability can be used to escalate user privileges to the highest level, SYSTEM. 4 different security firms reported this vulnerability to Microsoft which makes them believe this could be widely used in real-world scenarios. They recommend patching immediately.

nGuard closely monitors trends in the world of cybersecurity and applies those trends to assessment activities and managed security services. Having penetration testing conducted periodically against network assets, web applications, and other critical infrastructure can prevent data breaches before they happen. Putting your employees through social engineering campaigns to test their security readiness can boost awareness. Having a security first mindset is essential in protecting the valuable data of organizations.

Vulnerability Exploits Overtake Phishing as Initial Attack Vector

Most security professionals will advise the number one way attackers gain an initial foothold on a network is, and continues to be, phishing and social engineering attacks. Palo Alto recently released their 2022 Incident Response Report which confirmed what most would say is true. At a combined 42%, phishing and social engineering make up almost half of all means of initial access.

Source: 2022 Incident Response Report

The second most common way according to the above chart from Palo Alto is software vulnerabilities. However, in the first week of September, Kaspersky released its 2021 Incident Response Overview and it told a different story. 53.6% of the initial attack vectors they responded to were exploits of public-facing applications.

Source: 2021 Incident Response Overview

2021 had no shortage of time sensitive critical vulnerabilities including Log4j, Microsoft Exchange ProxyLogon, and three other CVEs related to the ProxyLogon vulnerabilities that were released in March of 2021. When these vulnerabilities are made publicly available it is only a matter of minutes before publicly facing systems are being scanned for vulnerable targets. Within hours, proof of concept exploits become available leading to an extremely high rate of organizations falling for such attacks.

In recent years, organizations have prioritized security awareness training and conducted social engineering and phishing training. But have those same organizations made it a priority to have a vulnerability management program in place?

How can organizations stay ahead of these attack trends? Start by building out a mature security program that includes annual penetration testing, ongoing vulnerability scanning, and a properly configured SIEM to alert on network anomalies. If you suspect a breach, identify a firm capable of responding to security incidents and secure an incident response retainer. Lastly, have an expert conduct a strategic security assessment to compare your organization’s security program to a known security standard like the Center for Internet Security Critical Security Controls.

Password Guidelines You Need To Know

Conventional wisdom says passwords should be longer than 8 characters, they should contain complexity with upper case, lower case, numbers, and symbols, and Rotating passwords periodically is crucial to prevent them from being compromised. Consider rethinking your password requirements if this is still how you instruct your employees. In this security advisory, nGuard will lay out the password requirements you should be utilizing for employees.

Entropy is defined as “a measure of the amount of uncertainty an attacker faces to determine the value of a secret.” Traditionally, it was believed that entropy could be increased by requiring users to change their passwords frequently and by increasing the complexity of passwords. We now know that this is not the case. Length alone can provide password entropy at any level. Furthermore, if you change your passwords numerous times a year, you may find it difficult to remember passwords with high levels of complexity. Let’s take a look at some examples:

Password: nGu@rd2022!

This is an 11-character password with a high level of complexity. According to security.org, it would take a computer about 400 years to crack this password using brute force methodology. Engineers at nGuard say this password has a high probability of being cracked very quickly. It uses the company name with some common substitutions such as the “@” instead of the “a.” It also uses the current year, which is common among companies that force password changes on a regular basis.

Password: nGuard is a leading provider of security

This is a 40-character password with a low level of complexity. According to security.org, it would take a computer about 88 septendecillion years to crack this password using brute force methodology. Septendecillion is a 1 followed by 54 zeros. That’s a lot! The length of this password makes it more difficult to crack, but it is easier to remember and type out. Passwords like this won’t need to be changed unless they become compromised through social engineering or some form of clear-text password compromise.

In order to avoid forcing users to reset their password on a regular basis, nGuard recommends using password phrases like the example above. Set up alerts to notify IT when a specific account experiences too many failed login attempts. Additionally, limit the number of failed login attempts allowed within a certain time frame. With nGuard’s Managed Event Collection & Correlation (MECC) service, these types of things can be monitored. For an organization to maintain a strong password posture, that’s all you need to do. Your organization’s password security posture will be at the forefront of the industry if you do all of this and implement multi-factor authentication if possible.

Following the implementation of a strong password policy, nGuard can provide a variety of services to make sure you’re on the right path. Password Database Audits allow you to test the strength of your passwords against industry leading password crackers. By performing an internal penetration test, you can make sure that passwords are not being stored on machines in a way that makes them insecure (for instance, in plaintext).

TWiC | This Week in Cybersecurity – Let’s Go Phishing 🎣

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories focused on the latest in phishing campaigns tactics, techniques, procedures, common use cases, and infrastructure being used. Check out the details below.

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

The number of phishing attempts that misuse the Microsoft brand jumped 266 percent in the first quarter of 2022 compared to the same period last year, according to a report by researchers at Vade. In the same period of time, fake Facebook messages increased by 177% in the second quarter of 2022. In Q1 2022 compared to the previous year, there were 266 percent more instances of phishing assaults using the Microsoft name. As opposed to the previous year, hackers are ramping up their use of false messages that abuse well-known companies, bringing back the bloom of phishing attempts. According to the phishing research Microsoft, Facebook, and the French bank Crédit Agricole are the three most frequently impersonated companies in attacks. Crédit Agricole, WhatsApp, and the French telecommunications provider Orange are some of the other top names that are misused in phishing attempts. Other well-known brands included Apple, Google, and PayPal.
DUCKTAIL Malware Targeting HR Professionals Through LinkedIn Spear-phishing Campaign

Cybersecurity research has recently learned of an ongoing operation known as DUCKTAIL. This strategy aims to gain control of a company’s Facebook business account that handle its advertising. DUCKTAIL uses a malware component that steals information to hack Facebook Business accounts. This sets DUCKTAIL apart from other malware campaigns that used Facebook as a base of operations in the past. The malware is able to access the victim’s Facebook account by stealing cookies from the victim’s browser and utilizing authentication cookies during authenticated Facebook sessions. This has allowed hackers to access every Facebook Business account that the victim has access to, even ones with restricted access. DUCKTAIL has been using LinkedIn to identify potential targets for these campaigns.
1,000s of Phishing Attacks Blast Off from InterPlanetary File System

The InterPlanetary File System (IPFS), a distributed peer-to-peer file system, has become a hotbed of phishing-site storage. Thousands of emails containing phishing URLs are showing up in corporate inboxes. IPFS uses peer-to-peer (P2P) connections for file and service-sharing instead of a static resource demarked by a host and path. Phishers may start using even more sophisticated methods for replicating sites, such as using distributed hash tables. According to an anti-phishing expert, security admins need to educate themselves and their staff about how IPFS works.
Evilnum APT Hackers Group Attack Windows Using Weaponized Word Documents

The APT threat actor, Evilnum, has been targeting European banking and investment organizations. Recently their tactics, techniques, and procedures have included spear-phishing emails with attachments like Microsoft Word, ISO, and Windows Shortcut (LNK) files. Researchers discovered other variations of the campaign in late 2022, including ones that employed financial bribes to get victims to open malicious ZIP folders that were coupled with malicious .LNK files. In the middle of 2022, the methodology that was being used to distribute Word documents was altered once more to incorporate a mechanism that tries to connect to an attacker-controlled domain and obtain a remote template.

Stop Phishing
nGuard has been conducting social engineering assessments for almost 2 decades and has the experience and expertise to assess your users against phishing campaigns using a variety of attack methods. Using emails, phone calls, text messages, multi-factor prompt bombing attacks, fake websites, and more, nGuard can thoroughly test your security awareness training program efficacy. Contact your Account Executive or Security Consultant to learn more about how nGuard can help.

PCI DSS v4.0 – First Look

On March 31, 2022, the PCI Security Standards Council (PCI SSC) issued version 4.0 of the PCI Data Security Standard (PCI DSS). In the security advisory video below, you can join nGuard’s Eric Consford, Jim Brown, Chris Lau, and Zack Thornton for a first look at PCI DSS v4.0. In this video advisory, we take a quick look at the coming changes in v4.0 of the PCI DSS standard.

nGuard offers a wide variety of services for our customers that seek PCI compliance. From security advisory services that get all your questions answered to full merchant and service provider QSA audits, nGuard can assist you every step of the way.

TWiC | This Week in Cybersecurity

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories covering Microsoft patching the Follina Zero-Day, Apple M1 Kernel security flaws, a record-breaking DDoS attack, a Kaiser Permanente data breach, and US military hackers conducting offensive activities in support of Ukraine. Check out the details below.

Cloudflare Saw Record-Breaking DDoS Attack Peaking at 26 Million Request Per Second: Cloudflare disclosed that it had acted to prevent a record-setting 26 million requests per second (RPS) distributed denial-of-service (DDoS) attack last week, making it the largest HTTPS DDoS attack detected to date. In late April 2022, it said it staved off a 15.3 million RPS HTTPS DDoS attack aimed at a customer operating a crypto launchpad. According to the company’s DDoS attack trends report for Q1 2022, volumetric DDoS attacks over 100 gigabits per second surged by up to 645% quarter-on-quarter.
Microsoft Patches ‘Follina’ Zero-Day Flaw in Monthly Security Update: Microsoft has issued a patch for the recently disclosed and widely exploited “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool as part of its scheduled security update for June. It’s a good idea for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. Applying the patch will protect users but the patch only fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document. For more information on this vulnerability, check out nGuard’s last Security Advisory: Microsoft Zero-Day with No Patch! This vulnerability will be commonly exploited via phishing attempts. Social Engineering simulations and Social Engineering Awareness Training can assist your organizations employees in identifying these types of attacks.
Kaiser Permanente data breach exposes health data of 69K people: Kaiser Permanente, one of America’s leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals. The company revealed in a notice published on its website that an attacker accessed an employee’s email account containing patients’ protected health information on April 5, 2022, without authorization. Sensitive info exposed in the attack includes:
- The patients’ first and last names
- Medical record numbers
- Dates of service
- Laboratory test result information
Design Weakness Discovered in Apple M1 Kernel Protections: Security researchers released details about a new attack they designed against Apple’s M1 processor chip that can undermine a key security feature that protects the operating system kernel from memory corruption attacks. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command: General Nakasone, the head of US Cyber Command, confirmed for the first time that the US was conducting offensive hacking operations in support of Ukraine in response to the Russian invasion. Speaking in Tallinn, Estonia, the general, who is also director of the National Security Agency, told Sky News that he is concerned “Every single day” about the risk of a Russian cyber attack targeting the US and said that the hunt forward activities were an effective way of protecting both America as well as allies.