social engineering

Attacking FortiNAC Devices: Experts Advise Updating

A serious vulnerability in Fortinet’s FortiNAC network access control suite (CVE-2022-39952) is now being exploited by hackers to add a cron job that starts a reverse shell on vulnerable systems as the root user. This unauthenticated file path modification vulnerability poses a major security risk for enterprises using the FortiNAC solution because it may be used to execute commands remotely.

Fortinet has already released security upgrades to remedy the issue, and has recommended that users update susceptible appliances to the most recent versions. As the corporation hasn’t offered any mitigation advice or workarounds, updating is the only option to prevent attacks. Researchers from cybersecurity firms, including Shadowserver Foundation, GreyNoise, and CronUp, have recently observed attacks on CVE-2022-39952 from a variety of IP addresses. This indicates that attackers have already started focusing on unpatched FortiNAC devices.

Horizon3 security researchers have created proof-of-concept (PoC) exploit code which allows hackers to add a cron task that starts a reverse shell on vulnerable systems. Fortinet had previously issued a warning in December 2022 to customers to patch FortiOS SSL-VPN appliances against an actively exploited security flaw (CVE-2022-42475), which was also used as a zero-day in attacks against targets associated with the government.

In reaction to what it called “sensationalized claims” about recent exploitation attempts aimed at a vulnerability in its FortiNAC network access control product, Fortinet has offered some crucial clarifications. The company emphasized that it is yet unclear how exploiting CVE-2022-39952 will actually affect users. However, FortiNAC users should be aware of the possible hazard, as knowledgeable threat actors have been known to attack Fortinet products.

FortiNAC administrators are highly advised to update their software right away to a version of the software that is not impacted by the CVE-2022-39952 vulnerability. This includes FortiNAC versions 9.4.1 or later, 9.2.6 or later, 9.1.8 or newer, and 7.2.0 or later. Organizations may stop hackers from using this important vulnerability to gain access to their corporate networks by heeding this advice.

At nGuard, we understand the importance of proactive security measures to protect our clients from the evolving threat landscape. That’s why we offer a range of security services designed to help detect vulnerabilities like the FortiNAC vulnerability, including internal penetration testing, vulnerability management, and strategic security assessments. Our team of experts can work with clients to develop and implement policies and procedures to ensure they can quickly identify and address security threats, and stay up-to-date on emerging vulnerabilities through our security advisories. By partnering with nGuard, clients can rest assured that they have access to the latest security technologies and expertise to help them stay one step ahead of the threats.

Are You Prepared for the New Cyber Insurance Requirements?

As cyberattacks increase worldwide, insurance companies are tightening their cyber insurance policy requirements. This is due to the 80% rise in ransomware attacks last year, leading to a large number of claims. Among the new provisions are the requirement for multi-factor authentication (MFA) for all admin access and the protection of all privileged accounts. However, identifying gaps in MFA and privileged account protection within a network can be challenging for organizations. In addition to MFA, there are several other requirements that stipulate detailed attestation when filling out a cyber policy questionnaire. A few of those requirements are:

Security Awareness Training and Testing
This process is designed to educate employees on cyber security threats and risks, and to test their understanding of these issues through interactive simulations and assessments. The goal is to raise awareness, increase knowledge, and promote safe online behavior within an organization. To reduce your risk of phishing attacks, nGuard has been conducting Security Awareness Training and phishing testing though our Social Engineering Assessment for years.
Vulnerability Management
A thorough vulnerability management program will identify, assess, and prioritize vulnerabilities in an organization’s systems and networks, and take action to remediate or mitigate these risks to prevent exploitation. This helps maintain the security and integrity of systems and data by staying on top of vulnerabilities as they are discovered. Conducting monthly or quarterly vulnerability scans on an ongoing basis will not only help meet insurance requirements but also keep your network secure. nGuard’s Vulnerability Management can help you manage your external environment, internal environment, and meet PCI requirements with ASV scanning.
24/7/365 Monitoring
A Security Information and Event Management (SIEM) system collects and aggregates log data from various sources within an organization and uses analytics and threat detection techniques to identify potential security incidents and enable security teams to respond promptly. SIEM provides centralized security visibility and event correlation. nGuard’s managed security team performs both manual and automated daily log analysis that proactively detects suspicious activity in your environment with our managed SIEM service called Managed Event Collection & Correlation. nGuard is adding artificial intelligence and machine learning to detect and respond to security threats in real-time via UEBA (User and Entity Behavior Analytics).
Secured, Encrypted, Offsite Backups
Offsite backups refer to the storage of backup data at a remote location, typically in a secure data center, separate from the primary data storage. This helps ensure that the data can be recovered in case of a disaster or cyberattack and protected against data loss while minimizing downtime. Offsite backups are an important component of a comprehensive disaster recovery plan. A Strategic Security Assessment utilizing the Center for Internet Security (CIS) 18 Critical Security Controls as the foundation can help bring the lack of controls like this and others to light.
Endpoint Detection & Response (EDR)
This real-time security solution will monitor and respond to security threats on endpoint devices such as computers and servers using artificial intelligence and machine learning to detect and isolate security incidents.

As insurance carriers adjust the requirements to obtain and maintain coverage, a thorough assessment can help organizations identify and close security gaps to help meet the new cyber insurance requirements and improve their overall security posture. nGuard has a number of solutions that can help meet and exceed the requirements needed to obtain and maintain cyber insurance.

TWiC | ChatGPT, New CISA and NSA Advisory, Microsoft Blocking Add-ins, New Malware Using Google Ads

The nGuard Security Advisory for this week covers several important topics related to cyber security threats. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued warnings that remote desktop tools are being used to breach US federal agencies; ChaptGPT being used to create malicious output; Microsoft is set to block Excel add-ins that have been used for office exploits; and a new malware called “Rhadamanthys” has been discovered that uses Google Ads to redirect users to fake software downloads.

CISA & NSA Warn Remote Desktop Tools Are Being Used to Breach US Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that financially motivated hackers have compromised federal agencies using legitimate remote desktop software. The hackers used phishing emails to lure victims to a malicious site that impersonated high-profile companies, including Microsoft and Amazon, and prompted the victims to call the hackers who then tricked employees into visiting the malicious domain. This led to the download of legitimate remote access software which the hackers then used in a refund scam to steal money from victims’ bank accounts. CISA also warned that the attackers could use legitimate remote access software as a backdoor for maintaining persistent access to government networks.

nGuard often can obtain remote access to victim’s computers using legitimate remote access tools like TeamViewer. nGuard’s Social Engineering assessment could help prevent these types of attacks by testing an organization’s resistance to phishing and other types of social engineering tactics.

ChaptGPT Malicious Prompt Engineering

OpenAI’s ChatGPT, a large-scale AI-based natural language generator, was released in late 2022 and has demonstrated the potential of AI for both good and bad. ChatGPT is a chatbot that is built on top of OpenAI’s GPT-3 family of large language models. It is designed to respond to prompts with accurate and unbiased answers. However, the concept of ‘prompt engineering’ has been used to manipulate the system and force it to respond in a specific manner desired by the user. This has led to the malicious potential of social engineering. A Finnish security firm recently published an extensive and serious evaluation of prompt engineering against ChatGPT, focusing on the generation of phishing, various types of fraud, and misinformation. They found they were able to quickly create convincing phishing emails that were well written and free of typos and grammatical errors. They also were able to create writing styles to match a given input which could lead to ‘deep fakes’ impersonating someone’s writing style. Last, they were able to make requests that forced ChatGPT to transfer their opinion within the response. The idea of prompt engineering is something still not fully understood but certainly has shown the power of a tool like ChatGPT can have.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious ChatGPT attacks by collecting and analyzing log data from various sources, including chatbot interactions. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, nGuard is adding UEBA (User and Entity Behavior Analytics) to its MECC solution. UEBA leverages AI and Machine Learning to help protect against malicious ChatGPT attacks by analyzing user behavior and identifying anomalies that may indicate a security incident. This can include detecting when a user or bot is attempting to access sensitive information or perform unauthorized actions. UEBA can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, UEBA can also help to detect compromised user account and bot impersonation.

Microsoft Set to Block Excel Add-in Used for Office Exploits

Microsoft is set to block XLL files from the internet in a bid to prevent cyber attackers from exploiting the “add-ins” function of Excel to run malicious code on a victim’s computer. An XLL file is an Excel Dynamic Link Library, a type of Microsoft Excel add-in used to extend the functionality of the spreadsheet software. XLL files contain custom functions and macros written in C or C++, and can be used to perform tasks that are not possible with the built-in Excel functions. The feature, set to be released in March, is a response to an increasing use of XLL files by attackers which offer a way to read and write data within spreadsheets, add custom functions and interact with Excel objects across platforms. However, experts have said that the feature may not be effective if users ignore the warning that XLL files could contain malicious code, and attackers are likely to continue to find new ways to compromise systems.

nGuard’s Security Awareness Training services can help with this threat by educating employees on how to identify and avoid phishing attempts, both in the form of emails and websites. The training can cover topics such as how to spot suspicious emails, what to look for in a legitimate and illegitimate website, and how to recognize the signs of a phishing attempt.

Rhadamanthys Malware Using Google Ads to Redirect to Fake Software Downloads

A new malware strain called “Rhadamanthys Stealer” is being spread by redirects from Google Ads that pretend to be download sites for popular remote-workforce software, such as Zoom and AnyDesk. The malware is sold on the dark web as malware-as-a-service and is spread through two methods: carefully crafted phishing sites, and phishing emails with malicious attachments. The malware can steal sensitive data such as browser history and account login credentials, including crypto-wallet information. It is also able to detect if it is running in a controlled environment and will terminate its execution if so. As mentioned earlier in this Advisory, nGuard’s Social Engineering assessment and Security Awareness training can prepare your organization and employees for these types of attacks. Help your organization stay vigilant against the latest attack vectors and keeping up to date by assessing your employees and organization on an annual basis at a minimum.

NIST’s Retirement of SHA-1: The Clock is Ticking

Introduction
The National Institute of Standards and Technology (NIST) has announced that the SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life. This algorithm, which has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1, is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST has announced that SHA-1 should be phased out by December 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.

Importance of SHA-1
SHA-1, whose initials stand for “secure hash algorithm,” has served as a building block for many security applications such as validating websites, SSL certificates and digital signatures. It secures information by performing a complex mathematical operation on the characters of a message, producing a short string of characters known as a hash. It is impossible to reconstruct the original message from the hash alone, but knowing the hash provides an easy way for a recipient to check whether the original message has been compromised, as even a slight change to the message alters the resulting hash dramatically. However, today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message. These “collision” attacks have been used to undermine the security of SHA-1 in recent years.

Recommendations
At nGuard, we recommend that organizations still using SHA-1 for security conduct a thorough network and database assessment to identify and address vulnerabilities. Our team of experts can assist with this transition by identifying any instances of SHA-1 usage and recommend a migration plan. Additionally, our web application testing can also lead to the discovery of data hashed with SHA-1, further highlighting the need for an upgrade.

Conclusion
In conclusion, SHA-1 has reached the end of its life, and organizations should consider migrating to the more secure SHA-2 or SHA-3 algorithms as soon as possible. It is important to note that NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030. And by that date, NIST plans to:

Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification.
Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1.
Create and publish a transition strategy for validating cryptographic modules and algorithms.

As a result, modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that The Cryptographic Module Validation Program (CMVP) has time to respond.

TWiC | Fortinet PoC, US Airport Sites Go Offline, CISA Warns of Industrial Appliance Flaws, & Windows 11 Phishing Protection

Over the past few weeks there have been several hot topics and time sensitive advisories released. In this edition of This Week in Cybersecurity, nGuard will highlight the Fortinet proof-of-concept (PoC) that was released; Russian-speaking hackers taking down US Airport websites; Windows 11 offering automatic phishing protection; and CISA warning of critical flaws in some industrial appliances.

Fortinet PoC Released
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. A successful exploitation of the shortcoming is tantamount to granting complete access “to do just about anything” on the affected system. Fortinet issued an advisory urging customers to upgrade affected appliances to the latest version as soon as possible and CISA added this to their Known Exploited Vulnerabilities (KEV) Catalog. 12 unique IP addresses have accounted for most responsibility in weaponizing CVE-2022-40684 as of October 13, 2022. A majority of them are located in Germany, followed by the U.S., Brazil, China and France. nGuard covered this in more detail in a Security Advisory last week. Conducting ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment.

US Airport Sites Taken Down by Russian-Speaking Attackers
On Monday October 10^th, more than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible, and Russian-speaking hackers claimed responsibility. The attack was carried out by a group known as Killnet, who support the Kremlin but are not thought to be government hackers. Killnet favors a type of attack known as a distributed denial of service (DDoS). Two of the sites that were affected by this attack were Atlanta’s Hartsfield-Jackson International Airport and the Los Angeles International Airport websites. Fortunately, there did not seem to be an impact to air travel itself but may have caused inconveniences for individuals traveling during the time access to those sites was attempted.

Windows 11 Offers Automatic Phishing Protection
Enhanced phishing protection now comes prebuilt into the Windows 11 operating system. This protection can automatically detect when users type their password into any app or site that is known to be dangerous. Admins can know exactly when a password has been stolen and can be equipped to better protect against such attacks. According to Microsoft, “When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack.” A blocking dialog warning is displayed prompting users to change their password if they type it into a phishing site in any Chromium browser or into an application connecting to a phishing site. If users try to store their password locally, like in Notepad or in any Microsoft 365 app, Windows 11 warns them that this is an unsafe practice and urges them to delete it from the file. To help train and test your employees on their security awareness, nGuard offers custom, tailored Security Awareness Training and social engineering.

CISA Publishes Two Advisories Regarding Industrial Appliances
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The list of issues, which affect R-SeeNet Versions 2.4.17 and prior are:

CVE-2022-3385 and CVE-2022-3386 (CVSS scores: 9.8) – Two stack-based buffer overflow flaws that could lead to remote code execution
CVE-2022-3387 (CVSS score: 6.5) – A path traversal flaw that could enable a remote attacker to delete arbitrary PDF files

Patches have been made available in version R-SeeNet version 2.4.21 released on September 30, 2022.

These alerts come less than a week after CISA published 25 ICS a d visories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

nGuard has a wide array of experience assessing critical infrastructure, SCADA, and Industrial Control Systems (ICS) and can help you secure yours. Conducting annual penetration testing, having a proper Incident Response Plan, and ensuring you have the proper logging, alerting, and correlation can help you stay ahead of the attackers.

TWiC | This Week in Cybersecurity – Let’s Go Phishing 🎣

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories focused on the latest in phishing campaigns tactics, techniques, procedures, common use cases, and infrastructure being used. Check out the details below.

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

The number of phishing attempts that misuse the Microsoft brand jumped 266 percent in the first quarter of 2022 compared to the same period last year, according to a report by researchers at Vade. In the same period of time, fake Facebook messages increased by 177% in the second quarter of 2022. In Q1 2022 compared to the previous year, there were 266 percent more instances of phishing assaults using the Microsoft name. As opposed to the previous year, hackers are ramping up their use of false messages that abuse well-known companies, bringing back the bloom of phishing attempts. According to the phishing research Microsoft, Facebook, and the French bank Crédit Agricole are the three most frequently impersonated companies in attacks. Crédit Agricole, WhatsApp, and the French telecommunications provider Orange are some of the other top names that are misused in phishing attempts. Other well-known brands included Apple, Google, and PayPal.
DUCKTAIL Malware Targeting HR Professionals Through LinkedIn Spear-phishing Campaign

Cybersecurity research has recently learned of an ongoing operation known as DUCKTAIL. This strategy aims to gain control of a company’s Facebook business account that handle its advertising. DUCKTAIL uses a malware component that steals information to hack Facebook Business accounts. This sets DUCKTAIL apart from other malware campaigns that used Facebook as a base of operations in the past. The malware is able to access the victim’s Facebook account by stealing cookies from the victim’s browser and utilizing authentication cookies during authenticated Facebook sessions. This has allowed hackers to access every Facebook Business account that the victim has access to, even ones with restricted access. DUCKTAIL has been using LinkedIn to identify potential targets for these campaigns.
1,000s of Phishing Attacks Blast Off from InterPlanetary File System

The InterPlanetary File System (IPFS), a distributed peer-to-peer file system, has become a hotbed of phishing-site storage. Thousands of emails containing phishing URLs are showing up in corporate inboxes. IPFS uses peer-to-peer (P2P) connections for file and service-sharing instead of a static resource demarked by a host and path. Phishers may start using even more sophisticated methods for replicating sites, such as using distributed hash tables. According to an anti-phishing expert, security admins need to educate themselves and their staff about how IPFS works.
Evilnum APT Hackers Group Attack Windows Using Weaponized Word Documents

The APT threat actor, Evilnum, has been targeting European banking and investment organizations. Recently their tactics, techniques, and procedures have included spear-phishing emails with attachments like Microsoft Word, ISO, and Windows Shortcut (LNK) files. Researchers discovered other variations of the campaign in late 2022, including ones that employed financial bribes to get victims to open malicious ZIP folders that were coupled with malicious .LNK files. In the middle of 2022, the methodology that was being used to distribute Word documents was altered once more to incorporate a mechanism that tries to connect to an attacker-controlled domain and obtain a remote template.

Stop Phishing
nGuard has been conducting social engineering assessments for almost 2 decades and has the experience and expertise to assess your users against phishing campaigns using a variety of attack methods. Using emails, phone calls, text messages, multi-factor prompt bombing attacks, fake websites, and more, nGuard can thoroughly test your security awareness training program efficacy. Contact your Account Executive or Security Consultant to learn more about how nGuard can help.