nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

malware

TWiC | U.S. House Data Leak, ICS Attacks, FortiOS Vulnerability, Cyber Insurance

FBI Investigating Data Breach Affecting U.S. House of Representatives Members and Staff

The Federal Bureau of Investigation (FBI) is investigating a data breach affecting members and staff of the U.S. House of Representatives. The breach saw account and sensitive personal information belonging to them and their families stolen from the servers of DC Health Link, which administers their health care plans.

While US House Chief Administrative Officer Catherine L. Szpindor has said, “it was unclear how many people had been affected by the breach.” A sample of the data reportedly posted on a hacking forum showed details of around 170,000 people. The information included names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers. At least one threat actor has reportedly put the data up for sale.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious attacks by collecting and analyzing log data from various sources. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to an ongoing or potential attack. Should your organization fall victim to an attack like this, call nGuard to help with our Cyber Security Incident Response services.

New FortiOS and FortiProxy Critical Vulnerabilities

Fortinet has released patches to address 15 security flaws, including one critical vulnerability in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The buffer underwrite flaw (CVE-2023-25610) is rated 9.3 out of 10 for severity and was discovered by Fortinet’s internal security teams. The vulnerability could enable a remote, unauthenticated attacker to execute arbitrary code on the device or cause a denial-of-service attack. Fortinet has not yet seen any malicious exploitation attempts against the flaw, but users are urged to apply the patches quickly, as prior flaws in software have been actively abused in the wild. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it. Just last week, nGuard wrote about another Fortinet critical vulnerability that was actively being exploited. As this continues to develop, nGuard has a number of solutions that can help your organization stay ahead of the curve, including internal penetration testing and vulnerability management.

Over 40% of Industrial Control Systems (ICS) Were Attacked in 2022

Over 40% of industrial control systems (ICS) computers globally experienced malicious attacks in 2022, according to Kaspersky research into telemetry statistics. The report highlighted growth in Russia, which saw a 9% increase in malicious activity in 2022, but Ethiopia was the top target overall with 59% of its ICS footprint seeing malicious activity.

Kaspersky noted that blocked malicious scripts and phishing pages targeting ICS were particularly common threats, seeing an 11% rise from 2021. The percentage of ICS computers experiencing malicious activity varied from 40.1% in Africa and Central Asia to 14.2% and 14.3% respectively in Western and Northern Europe. nGuard has been helping protect Industrial control systems, SCADA networks, and critical infrastructure for over 20 years with security assessments, penetration testing, incident response, and managed SIEM services.

Low-coverage Cyber Insurance Plans Help Meet Compliance and Contractual Requirements

As the cyber insurance market experiences a surge in claims for ransomware attacks, insurance carriers and brokers have started imposing tighter rules on the companies that can qualify for coverage, raising prices and reducing the amount of coverage offered per policy. nGuard recently wrote about requirements needed to obtain cyber insurance. Policy coverages have significantly dropped in recent times, with some as low as $5m, and some companies cannot purchase as much insurance as they would like. However, some contracts and compliance regulations require that a company have a cyber insurance policy, which can pose a problem for those that lose coverage. Basic policies are now available for more organizations to obtain affordable coverage, allowing them to avoid a breach of compliance and fulfill contractual obligations.

TWiC | ChatGPT, New CISA and NSA Advisory, Microsoft Blocking Add-ins, New Malware Using Google Ads

The nGuard Security Advisory for this week covers several important topics related to cyber security threats. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued warnings that remote desktop tools are being used to breach US federal agencies; ChaptGPT being used to create malicious output; Microsoft is set to block Excel add-ins that have been used for office exploits; and a new malware called “Rhadamanthys” has been discovered that uses Google Ads to redirect users to fake software downloads.

CISA & NSA Warn Remote Desktop Tools Are Being Used to Breach US Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that financially motivated hackers have compromised federal agencies using legitimate remote desktop software. The hackers used phishing emails to lure victims to a malicious site that impersonated high-profile companies, including Microsoft and Amazon, and prompted the victims to call the hackers who then tricked employees into visiting the malicious domain. This led to the download of legitimate remote access software which the hackers then used in a refund scam to steal money from victims’ bank accounts. CISA also warned that the attackers could use legitimate remote access software as a backdoor for maintaining persistent access to government networks.

nGuard often can obtain remote access to victim’s computers using legitimate remote access tools like TeamViewer. nGuard’s Social Engineering assessment could help prevent these types of attacks by testing an organization’s resistance to phishing and other types of social engineering tactics.

ChaptGPT Malicious Prompt Engineering

OpenAI’s ChatGPT, a large-scale AI-based natural language generator, was released in late 2022 and has demonstrated the potential of AI for both good and bad. ChatGPT is a chatbot that is built on top of OpenAI’s GPT-3 family of large language models. It is designed to respond to prompts with accurate and unbiased answers. However, the concept of ‘prompt engineering’ has been used to manipulate the system and force it to respond in a specific manner desired by the user. This has led to the malicious potential of social engineering. A Finnish security firm recently published an extensive and serious evaluation of prompt engineering against ChatGPT, focusing on the generation of phishing, various types of fraud, and misinformation. They found they were able to quickly create convincing phishing emails that were well written and free of typos and grammatical errors. They also were able to create writing styles to match a given input which could lead to ‘deep fakes’ impersonating someone’s writing style. Last, they were able to make requests that forced ChatGPT to transfer their opinion within the response. The idea of prompt engineering is something still not fully understood but certainly has shown the power of a tool like ChatGPT can have.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious ChatGPT attacks by collecting and analyzing log data from various sources, including chatbot interactions. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, nGuard is adding UEBA (User and Entity Behavior Analytics) to its MECC solution. UEBA leverages AI and Machine Learning to help protect against malicious ChatGPT attacks by analyzing user behavior and identifying anomalies that may indicate a security incident. This can include detecting when a user or bot is attempting to access sensitive information or perform unauthorized actions. UEBA can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, UEBA can also help to detect compromised user account and bot impersonation.

Microsoft Set to Block Excel Add-in Used for Office Exploits

Microsoft is set to block XLL files from the internet in a bid to prevent cyber attackers from exploiting the “add-ins” function of Excel to run malicious code on a victim’s computer. An XLL file is an Excel Dynamic Link Library, a type of Microsoft Excel add-in used to extend the functionality of the spreadsheet software. XLL files contain custom functions and macros written in C or C++, and can be used to perform tasks that are not possible with the built-in Excel functions. The feature, set to be released in March, is a response to an increasing use of XLL files by attackers which offer a way to read and write data within spreadsheets, add custom functions and interact with Excel objects across platforms. However, experts have said that the feature may not be effective if users ignore the warning that XLL files could contain malicious code, and attackers are likely to continue to find new ways to compromise systems.

nGuard’s Security Awareness Training services can help with this threat by educating employees on how to identify and avoid phishing attempts, both in the form of emails and websites. The training can cover topics such as how to spot suspicious emails, what to look for in a legitimate and illegitimate website, and how to recognize the signs of a phishing attempt.

Rhadamanthys Malware Using Google Ads to Redirect to Fake Software Downloads

A new malware strain called “Rhadamanthys Stealer” is being spread by redirects from Google Ads that pretend to be download sites for popular remote-workforce software, such as Zoom and AnyDesk. The malware is sold on the dark web as malware-as-a-service and is spread through two methods: carefully crafted phishing sites, and phishing emails with malicious attachments. The malware can steal sensitive data such as browser history and account login credentials, including crypto-wallet information. It is also able to detect if it is running in a controlled environment and will terminate its execution if so. As mentioned earlier in this Advisory, nGuard’s Social Engineering assessment and Security Awareness training can prepare your organization and employees for these types of attacks. Help your organization stay vigilant against the latest attack vectors and keeping up to date by assessing your employees and organization on an annual basis at a minimum.

NIST’s Retirement of SHA-1: The Clock is Ticking

Introduction
The National Institute of Standards and Technology (NIST) has announced that the SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life. This algorithm, which has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1, is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST has announced that SHA-1 should be phased out by December 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.

Importance of SHA-1
SHA-1, whose initials stand for “secure hash algorithm,” has served as a building block for many security applications such as validating websites, SSL certificates and digital signatures. It secures information by performing a complex mathematical operation on the characters of a message, producing a short string of characters known as a hash. It is impossible to reconstruct the original message from the hash alone, but knowing the hash provides an easy way for a recipient to check whether the original message has been compromised, as even a slight change to the message alters the resulting hash dramatically. However, today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message. These “collision” attacks have been used to undermine the security of SHA-1 in recent years.

Recommendations
At nGuard, we recommend that organizations still using SHA-1 for security conduct a thorough network and database assessment to identify and address vulnerabilities. Our team of experts can assist with this transition by identifying any instances of SHA-1 usage and recommend a migration plan. Additionally, our web application testing can also lead to the discovery of data hashed with SHA-1, further highlighting the need for an upgrade.

Conclusion
In conclusion, SHA-1 has reached the end of its life, and organizations should consider migrating to the more secure SHA-2 or SHA-3 algorithms as soon as possible. It is important to note that NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030. And by that date, NIST plans to:

  • Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification.
  • Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1.
  • Create and publish a transition strategy for validating cryptographic modules and algorithms.

As a result, modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that The Cryptographic Module Validation Program (CMVP) has time to respond.

TWiC | Hackers Keep up the Pressure Over the Holidays

Over the past few weeks, we have seen some interesting stories develop in the world of cyber security. It seems that attackers are not slowing down for the holiday season, with LastPass revealing yet another security breach, Killnet boasting of a DDoS attack targeting Musk’s Starlink services and the U.S. banning Chinese telecom companies. nGuard examines these new developments in this week’s security advisory.

Killnet Gloats About DDoS Attacks Downing Starlink, White House
Starlink services were disrupted last week, and it may have been caused by a hacking organization called Killnet. The group is notorious for making all of its communications public on Telegram. After digging into the reports of a massive DDoS attack, Trustwave discovered that many Starlink customers complained about service disruptions on Reddit. Other groups like Anonymous and Halva have also claimed responsibility for participating in the DDoS attack, although Killnet appears to be the main culprit here.

LastPass Reveals Another Security Breach
According to the CEO of LastPass, the popular password manager has been breached again. This company investigated unusual activity involving a third-party cloud storage service that it uses with its parent company, GoTo. A hacker was able to access some of the password managers’ source code using information obtained from a previous security breach. It is highly likely that the attacker was limited to the development environment but they had access to “certain elements” of customer information. The company maintains that no password information was divulged because it remains encrypted.

U.S. Banned Chinese Telecom & Surveillance Cameras That Pose National Security Threat
The U.S. has placed multiple Chinese-based firms on a ban list after they were identified as national security threats. The U.S. has decided to ban the import and sale of equipment from Huawei, ZTE, Hytera Communications, Hikvision, Dahua, Pacific Network Corp, along with its subsidiary ComNet (USA) LLC, and China Unicom (Americas) Operations Limited. FCC Chairwoman Jessica Rosenworcel said, “The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here.”

In order to access sensitive data and disrupt important services, attackers constantly work behind the scenes to discover and exploit flaws in software. A high priority should be given to protecting your organization from malicious actors at all times. Continual penetration testing and vulnerability management can help you close security holes in your environment. Your employees can stay on top of their game by receiving security awareness training and participating in social engineering simulations. With nGuard, you can enhance your organization’s security posture and prevent data breaches.

TWiC | Fortinet PoC, US Airport Sites Go Offline, CISA Warns of Industrial Appliance Flaws, & Windows 11 Phishing Protection

Over the past few weeks there have been several hot topics and time sensitive advisories released. In this edition of This Week in Cybersecurity, nGuard will highlight the Fortinet proof-of-concept (PoC) that was released; Russian-speaking hackers taking down US Airport websites; Windows 11 offering automatic phishing protection; and CISA warning of critical flaws in some industrial appliances.

Fortinet PoC Released
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. A successful exploitation of the shortcoming is tantamount to granting complete access “to do just about anything” on the affected system. Fortinet issued an advisory urging customers to upgrade affected appliances to the latest version as soon as possible and CISA added this to their Known Exploited Vulnerabilities (KEV) Catalog. 12 unique IP addresses have accounted for most responsibility in weaponizing CVE-2022-40684 as of October 13, 2022. A majority of them are located in Germany, followed by the U.S., Brazil, China and France. nGuard covered this in more detail in a Security Advisory last week. Conducting ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment.

US Airport Sites Taken Down by Russian-Speaking Attackers
On Monday October 10th, more than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible, and Russian-speaking hackers claimed responsibility. The attack was carried out by a group known as Killnet, who support the Kremlin but are not thought to be government hackers. Killnet favors a type of attack known as a distributed denial of service (DDoS). Two of the sites that were affected by this attack were Atlanta’s Hartsfield-Jackson International Airport and the Los Angeles International Airport websites. Fortunately, there did not seem to be an impact to air travel itself but may have caused inconveniences for individuals traveling during the time access to those sites was attempted.

Windows 11 Offers Automatic Phishing Protection
Enhanced phishing protection now comes prebuilt into the Windows 11 operating system. This protection can automatically detect when users type their password into any app or site that is known to be dangerous. Admins can know exactly when a password has been stolen and can be equipped to better protect against such attacks. According to Microsoft, “When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack.” A blocking dialog warning is displayed prompting users to change their password if they type it into a phishing site in any Chromium browser or into an application connecting to a phishing site. If users try to store their password locally, like in Notepad or in any Microsoft 365 app, Windows 11 warns them that this is an unsafe practice and urges them to delete it from the file. To help train and test your employees on their security awareness, nGuard offers custom, tailored Security Awareness Training and social engineering.

CISA Publishes Two Advisories Regarding Industrial Appliances
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The list of issues, which affect R-SeeNet Versions 2.4.17 and prior are:

Patches have been made available in version R-SeeNet version 2.4.21 released on September 30, 2022.

These alerts come less than a week after CISA published 25 ICS advisories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

nGuard has a wide array of experience assessing critical infrastructure, SCADA, and Industrial Control Systems (ICS) and can help you secure yours. Conducting annual penetration testing, having a proper Incident Response Plan, and ensuring you have the proper logging, alerting, and correlation can help you stay ahead of the attackers.

URGENT | Fortinet Authentication Bypass Vulnerability

On October 10, 2022, Fortinet, Inc released a new advisory for CVE-2022-40684 which affects the FortiOS, FortiProxy and FortiSwitchManager products.

Each of these products are vulnerable to an authentication bypass vulnerability. This vulnerability could allow an attacker to perform unauthenticated actions on the target system.  These actions include, but are not limited to:

  • Modifying admin user SSH keys.
  • Adding new local users
  • Updating network configurations to reroute traffic
  • Initiating packet captures to capture sensitive information

Publicly available exploit code is now starting to become available.

Affected Products

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0

Solutions

  • Upgrade to FortiOS version 7.2.2 or above
  • Upgrade to FortiOS version 7.0.7 or above
  • Upgrade to FortiProxy version 7.2.1 or above
  • Upgrade to FortiProxy version 7.0.7 or above
  • Upgrade to FortiSwitchManager version 7.2.1 or above

Read more in:

Ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment. nGuard account executives are standing by to discuss solutions that elevate the overall security posture of your organization and ensure you are ready to handle vulnerabilities such as the ones described above.