Over the past week there have been many hot topics in the cybersecurity world. This edition of This Week in Cybersecurity includes stories about Log4Shell continuing to pop up, a government contractor showing their ability to spy on CIA and NSA personnel, supply chain attacks becoming an increasing threat, and more. Check out the articles below for more on each story.
AWS’s Log4Shell Hot Patch Vulnerable To Container Escape and Privilege Escalation
Following Log4Shell, AWS released several hot patch solutions that monitor for vulnerable Java applications and Java containers and patch them on the fly. A hot patch Daemonset for Kubernetes clusters, which installs the aforementioned hot patch service on all nodes, is also available. To patch Java processes inside containers, the hot patch solutions invoke certain container binaries. If you installed the hot patch to a Kubernetes cluster, every container in your cluster can now escape until you either disable the hot patch or upgrade to the fixed version. In Kubernetes clusters, you can install the fixed hot patch version by deploying the latest Daemonset provided by AWS. Note that merely deleting the hot patch Daemonset does not remove the hot patch service from your nodes. Penetration testing and vulnerability management remain key tools to mitigate risks like this.
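A practical first step for a cluster operator is to check which version of the hot patch Daemonset is actually deployed, and to remember that an absent Daemonset is not proof that the node-level service is gone. The following is an added example, not AWS's or nGuard's code: it parses the JSON shape that `kubectl get daemonset -A -o json` produces and compares the hot patch container's image tag against a minimum fixed version. The Daemonset name, image and fixed version below are placeholders, and the JSON is constructed for the example; substitute the values AWS publishes for your cluster.

```python
"""Audit a Kubernetes DaemonSet's image tag against a minimum fixed version.

Added example; not AWS's or nGuard's code. Assumptions (placeholders, not values
from the article): the hot patch DaemonSet is named HOTPATCH_DS_NAME, its
container image carries a dotted numeric tag, and FIXED_VERSION is the first
tag that includes the fix. The JSON is constructed to mirror the structure of
`kubectl get daemonset -A -o json` output."""
import json
import re
from typing import Dict, Optional, Tuple

HOTPATCH_DS_NAME = "log4j-hotpatch"   # placeholder: the real DaemonSet name differs
FIXED_VERSION = (1, 2, 0)             # placeholder: use AWS's published fixed version

# Constructed sample: one out-of-date hot patch DaemonSet plus an unrelated one.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "log4j-hotpatch", "namespace": "kube-system"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "hotpatch", "image": "registry.example/hotpatch:1.1.5"}]}}},
         "status": {"desiredNumberScheduled": 3, "numberReady": 3}},
        {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "kube-proxy", "image": "registry.example/kube-proxy:v1.23.6"}]}}},
         "status": {"desiredNumberScheduled": 3, "numberReady": 3}},
    ]
})


def parse_version(image: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version from an image reference such as
    'repo/img:1.1.5' or 'repo/img:v1.23.6'. Returns None if no such tag."""
    m = re.search(r":v?(\d+(?:\.\d+)*)(?:-|$)", image)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def audit_hotpatch(kubectl_json: str) -> Dict[str, object]:
    """Report whether the hot patch DaemonSet is present, which version it runs,
    and whether that version is at or above FIXED_VERSION."""
    items = json.loads(kubectl_json)["items"]
    for ds in items:
        if ds["metadata"]["name"] != HOTPATCH_DS_NAME:
            continue
        image = ds["spec"]["template"]["spec"]["containers"][0]["image"]
        version = parse_version(image)
        return {
            "present": True,
            "namespace": ds["metadata"]["namespace"],
            "image": image,
            "version": version,
            "fixed": version is not None and version >= FIXED_VERSION,
            "nodes_running": ds["status"].get("numberReady", 0),
        }
    # No DaemonSet does NOT mean the nodes are clean: deleting the DaemonSet
    # leaves the hot patch service installed on each node, so check there too.
    return {"present": False, "fixed": None,
            "note": "DaemonSet absent; verify the node-level service directly"}


if __name__ == "__main__":
    print(audit_hotpatch(SAMPLE_KUBECTL_JSON))
```

Run it against real output by replacing `SAMPLE_KUBECTL_JSON` with the captured `kubectl` JSON; a result with `"fixed": False` means the vulnerable agent is still scheduled on every ready node, and `"present": False` means the node service still has to be checked by hand.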
American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA
Anomaly Six, a secretive government contractor, claims to monitor the movements of billions of phones around the world and unmask spies with the press of a button. According to audiovisual recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, the firm claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the world’s population.
In a sales pitch, to fully impress upon its audience the immense power of this software, Anomaly Six did what few in the world can claim to do: spied on American spies. “I like making fun of our own people,” Clark began. Pulling up a Google Maps-like satellite view, the sales rep showed the NSA’s headquarters in Fort Meade, Maryland, and the CIA’s headquarters in Langley, Virginia. With virtual boundary boxes drawn around both, a technique known as geofencing, A6’s software revealed an incredible intelligence bounty: 183 dots representing phones that had visited both agencies, potentially belonging to American intelligence personnel, with hundreds of lines streaking outward revealing their movements, ready to track throughout the world. “So, if I’m a foreign intel officer, that’s 183 start points for me now,” Clark noted. This isn’t the first time we have heard a story like this. nGuard has covered a similar story involving the NSO Group and its spyware, Pegasus.
Cyber Agencies Renew Warnings Of Russia-Linked Threats Against Industrial Targets
Federal and international authorities issued urgent warnings Wednesday, April 21st to critical infrastructure providers to take precautions against potential retaliatory cyberattacks from alleged Russian state actors and criminal cyber groups.
Experts have linked other nation state-affiliated actors, such as Berserk Bear, to past cyber incidents against U.S. and Western European targets ranging from energy, transportation and defense contractors to water and wastewater system facilities.
nGuard has been helping secure critical infrastructure since 2002 and can validate the segmentation between your business and critical networks and help you stay on top of time-sensitive alerts with a managed SIEM.
North Korean Crypto Hacks a Growing Threat, U.S. Warns
A trio of U.S. agencies have issued a joint advisory to warn of escalating North Korean cyberattacks on cryptocurrency and blockchain platforms. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the U.S. Treasury Department issued the alert Monday in the wake of a stunning $620 million crypto heist by the Pyongyang-connected Lazarus Group.
More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises
The length of time attackers remained undetected on a victim’s network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant. In general, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms. Additionally, government agencies and security firms often notify victims of attacks, leading to faster detection.
Overall, two methods of initial compromise – exploiting vulnerabilities and attacks through the supply chain – accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020. Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks.
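Of the three recommendations above, detecting unusual lateral movement is the one that benefits most from a concrete starting point. The following is an added example, not code from the article or from Mandiant: it scores one simple lateral-movement signal, an account whose network logons fan out to an unusual number of distinct hosts within a short window. The event records are constructed to resemble Windows Security event 4624 with logon type 3 (network logon); the host threshold and time window are assumptions to be tuned per environment, and the account and host names are made up.

```python
"""Flag accounts whose network logons reach an unusual number of distinct hosts
in a short window, one simple lateral-movement signal.

Added example; not from the article or from Mandiant. Events are constructed to
resemble Windows Security event 4624 (logon type 3 = network logon). The
threshold (max_hosts) and window are assumptions; tune them per environment."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: (timestamp, account, source_ip, target_host, logon_type)
SAMPLE_EVENTS: List[Tuple[str, str, str, str, int]] = [
    ("2022-04-21T09:00:05", "svc_backup", "10.0.1.15", "FILESRV01", 3),
    ("2022-04-21T09:00:09", "svc_backup", "10.0.1.15", "FILESRV02", 3),
    ("2022-04-21T09:00:14", "svc_backup", "10.0.1.15", "DC01", 3),
    ("2022-04-21T09:00:20", "svc_backup", "10.0.1.15", "WKS-117", 3),
    ("2022-04-21T09:00:31", "svc_backup", "10.0.1.15", "WKS-118", 3),
    ("2022-04-21T09:00:40", "svc_backup", "10.0.1.15", "WKS-119", 3),
    ("2022-04-21T09:05:00", "jdoe", "10.0.2.40", "WKS-040", 2),   # interactive logon, ignored
    ("2022-04-21T09:06:00", "jdoe", "10.0.2.40", "FILESRV01", 3),
    ("2022-04-21T11:30:00", "jdoe", "10.0.2.40", "PRINT01", 3),   # far outside any 10-minute window
]


def detect_lateral_movement(events, max_hosts: int = 5,
                            window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Return one alert per account whose type-3 logons touch more than
    max_hosts distinct hosts inside any sliding window of the given length."""
    by_account: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, account, src, host, logon_type in events:
        if logon_type != 3:            # only network logons count toward fan-out
            continue
        by_account[account].append((datetime.fromisoformat(ts), src, host))

    alerts: List[Dict[str, object]] = []
    for account, recs in by_account.items():
        recs.sort()                    # chronological order per account
        for i, (start, src, _) in enumerate(recs):
            hosts = set()
            for t, _, host in recs[i:]:
                if t - start > window:
                    break              # past the end of this window
                hosts.add(host)
            if len(hosts) > max_hosts:
                alerts.append({
                    "account": account,
                    "source_ip": src,
                    "window_start": start.isoformat(),
                    "distinct_hosts": sorted(hosts),
                })
                break                  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the service account fans out to six hosts in under a minute and is flagged, while the ordinary user's two network logons are not. In production the same logic runs over 4624 events pulled from a SIEM, with the threshold set above the normal fan-out of legitimate service accounts (backup and monitoring accounts are the usual false positives).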
Be proactive and have an incident response partner in place before a cyberattack ever occurs. An incident response retainer ensures the fastest possible response from a third party. nGuard offers its CSIR Complete service, a full CSIR program with guaranteed service-level commitments, priority response, and ongoing proactive activities throughout the year.
6 Malware Tools Designed to Disrupt Industrial Control Systems (ICS)
A recent attempt by Russia’s infamous Sandworm threat group to disrupt operations at a Ukrainian power company has once again drawn attention to the — still somewhat limited — collection of publicly known tools designed specifically to disrupt industrial control systems. Ukraine’s computer emergency response team (CERT-UA) thwarted the attack before any damage was done. Unlike other malware, which often share commonalities in features and functions, ICS-specific malware tools have tended to be highly customized for targeted environments. Just last month, the FBI issued a Flash Alert on critical infrastructure being targeted with a ransomware strain called RagnarLocker.