
Category "Latest Security News"

11Aug

Microsoft Patch Tuesday Puts Spotlight on Windows Print Spooler

by intelAdmin

source: darkreading.com


Microsoft today released three more patches for vulnerabilities in Windows Print Spooler and changed its default Point and Print driver installation and update behavior to require administrator privileges.

Today’s Patch Tuesday fixes three bugs in the Windows Print Spooler, adding to the number of flaws already patched so far this year. Microsoft last month issued a new vulnerability identifier (CVE-2021-34527) for the “PrintNightmare” flaw affecting Windows Print Spooler services and claimed this bug was different from another critical flaw (CVE-2021-1675) patched in June.

Two of the Print Spooler vulnerabilities patched today are remote code execution (RCE) flaws: CVE-2021-36936, which is listed as publicly known and classified as Critical, and CVE-2021-36947, classified as Important. Both are rated “Exploitation More Likely” by Microsoft and require only low attack complexity and low privileges to exploit. The third, CVE-2021-34483, is an elevation of privilege bug that is rated “Exploitation Less Likely” but likewise requires only low complexity and low privileges.

In addition to releasing the above fixes for Windows Print Spooler vulnerabilities, Microsoft is changing the default Point and Print driver installation and update behavior to require admin privileges. The change is an update to CVE-2021-34481, originally released last month:

“Our investigation into several vulnerabilities collectively referred to as ‘PrintNightmare’ has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks,” the Microsoft Security Response Center (MSRC) writes in a blog post.

Installing this update with default settings will mitigate the publicly disclosed flaws in Print Spooler, MSRC says. The change may affect print clients in environments where non-elevated users could previously add or update printers. The mitigation can be disabled with a registry key, as Microsoft notes in a separate KB article about the change, but this is not recommended: disabling the mitigation re-exposes the environment to the Print Spooler flaws.
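Because the mitigation can be switched back off with a single registry value, an administrator rolling out this change will want to verify the setting across a fleet rather than trust that the update left it alone. The following is an added example (not code from the article or from Microsoft) that parses the text of a `reg export` of the Point and Print policy key and reports whether the mitigation has been disabled. The article only says “a registry key”; the key path and value name used here are the ones Microsoft’s KB5005652 documents for this change. The two exports are constructed samples, one with the weak setting and one with the corrected one.

```python
import re

# Key and value documented in Microsoft's KB5005652 for the Point and Print change.
# The article only says "a registry key"; these names come from the KB, not the article.
KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
VALUE = "RestrictDriverInstallationToAdministrators"

# Constructed sample exports, shaped like the output of:
#   reg export "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" pnp.reg
# (reg.exe writes UTF-16LE; decode the file to str before passing it in.)
WEAK_EXPORT = f"""Windows Registry Editor Version 5.00

[{KEY}]
"{VALUE}"=dword:00000000
"""

HARDENED_EXPORT = f"""Windows Registry Editor Version 5.00

[{KEY}]
"{VALUE}"=dword:00000001
"""

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict:
    """Return {key (lowercased): {value_name: int}} for the dword values in a .reg export.
    Only dword values are parsed; string, binary and deleted values are ignored."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1).lower()  # registry key names are case-insensitive
            tree.setdefault(current, {})
            continue
        m = DWORD.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = int(m.group(2), 16)
    return tree


def point_and_print_status(export_text: str) -> str:
    """'weak' if the value is explicitly 0 (mitigation switched off), otherwise 'hardened'.
    Absence counts as hardened only because, once the August 2021 update is installed,
    the default is to require administrator privileges; on an unpatched host an absent
    value still means the old, permissive behaviour."""
    values = parse_reg_export(export_text).get(KEY.lower(), {})
    return "weak" if values.get(VALUE) == 0 else "hardened"


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{name:9s} -> {point_and_print_status(export)}")
```

Run it over exports collected from each host; any host reporting `weak` has had the mitigation deliberately turned off and should be treated as exposed to the Print Spooler flaws until the value is set back to 1.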

Zero-Day

Overall, there were 44 security fixes in Microsoft’s August Patch Tuesday rollout, including one zero-day, two publicly known flaws, and seven vulnerabilities rated Critical.

The bugs patched today affect Microsoft Windows and Windows Components, Office, Windows Defender, .NET Core and Visual Studio, Azure, Microsoft Dynamics, and Windows Update and Update Assistant. It’s an unusually small rollout from Microsoft – which consistently deployed Patch Tuesday releases of 100+ fixes throughout 2020 into 2021 – and its smallest yet this year.

Today’s rollout includes one bug under attack: CVE-2021-36948, an elevation of privilege flaw in the Windows Update Medic Service. This is a new service introduced in Windows 10 to repair Windows Update components so a machine can still receive updates when parts are damaged.

An attacker could exploit the vulnerability by accessing a target system locally or remotely; they could also rely on user interaction and trick a legitimate user into exploiting the flaw. The zero-day is classified as Important with a CVSS score of 7.8; it requires low attack complexity and low privileges to exploit. It was reported by Microsoft; details on active attacks were not disclosed.

“Interestingly, there was a similar vulnerability in the same service, CVE-2020-17070, announced in November 2020,” notes Allan Liska, senior security architect with Recorded Future, in an email to Dark Reading. “Recorded Future was not able to find any evidence of it being exploited in the wild, so this may be a new area of focus for attackers.”

Organizations should also prioritize CVE-2021-34535, a remote code execution vulnerability in the Remote Desktop Client with a CVSS score of 9.9. It’s worth noting this flaw affects the RDP client, and not the RDP server, but it is rated “Exploitation More Likely” by Microsoft.

With a Remote Desktop connection, an attacker controlling a Remote Desktop Server could trigger RCE on a target machine if a victim connects to the attacker’s server with a vulnerable Remote Desktop Client, Microsoft says. In the case of Hyper-V, a malicious program running in a guest virtual machine could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V viewer if a victim running on the host connects to the Hyper-V guest.

“This is the more likely scenario and the reason you should test and deploy this patch quickly,” writes Dustin Childs of Trend Micro’s Zero-Day Initiative in a Patch Tuesday blog post.

Another CVE worth noting this month is CVE-2021-34480, a Critical scripting engine memory corruption vulnerability. While it has a lower CVSS score of 6.8, it is assessed as “Exploitation More Likely” by Microsoft. An attacker would have to convince a victim to open a specially crafted file in order to exploit the flaw, so it does require some user interaction to exploit.

11Aug

4 companies affected by security breaches in June

by intelAdmin

source: cnn.com

New York (CNN Business) There’s been a sharp rise in cyberattacks in recent weeks, often disrupting services and products that are essential to everyday lives.

In May, the ransomware attack that forced a six-day shutdown of Colonial Pipeline — a key East Coast line that delivers gas to millions of people — brought the scary situation to the forefront of people’s minds. Days later, food processor JBS USA also suffered a cyberattack, which affected servers supporting its IT systems.

The uneasy trend continued in June, with several high-profile companies like McDonald’s and Peloton revealing they, too, were targeted by hackers. These incidents highlight the growing need for cybersecurity professionals, a space that’s facing a skills gap.

Here’s who announced this month that they got hacked:

Electronic Arts

Hackers broke into the systems of Electronic Arts, one of the world’s biggest video game publishers, and stole source code used in company games. The company made the announcement earlier this month.

Online forum posts reviewed by CNN Business and vetted by an independent cybersecurity expert show that on June 6, hackers claimed to have obtained 780 gigabytes of data from EA (EA), including source code for Frostbite, the game engine that powers games that include titles in the FIFA, Madden and Battlefield series.

Brett Callow, a threat analyst at cybersecurity software maker Emsisoft, said losing control over source code could be problematic for EA’s business. “Source code could, theoretically, be copied by other developers or used to create hacks for games,” Callow said.

An EA spokesperson said “no player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business.”

McDonald’s

McDonald’s said earlier this month it, too, was affected by a data breach, which exposed private information of customers and employees in South Korea and Taiwan.

The burger chain said in a statement that an investigation revealed a “small number of files were accessed,” some of which contained personal data like emails, phone numbers and addresses. McDonald’s is contacting affected customers and regulators in the two areas and said that payment information wasn’t accessed.

“These tools allowed us to quickly identify and contain recent unauthorized activity on our network,” a McDonald’s (MCD) spokesperson told CNN Business. “A thorough investigation was conducted, and we worked with experienced third parties to support this investigation.”

Peloton

Earlier in June, Peloton warned users of its Bike+ about a newly found security threat relating to the touchscreen. Researchers at cybersecurity company McAfee discovered a vulnerability that allows hackers to access Peloton’s bike screen and potentially spy on riders using its microphone and camera.

However, the threat most likely affects only the $2,495 bike used in public spaces, such as hotels or gyms. That’s because a hacker needs to physically access the screen and plug in a USB drive containing malicious code. Researchers said hackers can then discreetly control the stationary bike’s screen remotely and interfere with its operating system.

Fortunately, Peloton (PTON) said it doesn’t know of any instances where this vulnerability was actually exploited, and the company pushed a mandatory software update to users to patch the problem.

Volkswagen

Volkswagen and Audi revealed this month they were hit by a data breach that exposed the contact information of customers in the United States and Canada, as well as personal details like drivers’ license numbers in some cases. More than 3 million customers or shoppers had at least basic contact information stolen from an outside company that worked with the automakers, according to VW. That data included phone numbers, email addresses, postal mailing addresses and in some cases, vehicle identification numbers. “We regret any inconvenience this may cause our current or potential customers,” VW USA said in a statement. “As always, we recommend that individuals remain alert for suspicious emails or other communications that might ask them to provide information about themselves or their vehicle.”

11Aug

The 15 biggest data breaches of the 21st century

by intelAdmin

source: csoonline.com

Data breaches affecting millions of users are far too common. Here are some of the biggest, baddest breaches in recent memory.


In today’s data-driven world, data breaches can affect hundreds of millions or even billions of people at a time. Digital transformation has increased the supply of data moving, and data breaches have scaled up with it as attackers exploit the data-dependencies of daily life. How large cyberattacks of the future might become remains speculation, but as this list of the biggest data breaches of the 21st Century indicates, they have already reached enormous magnitudes.

For transparency, this list has been calculated by the number of users impacted, records exposed, or accounts affected. We have also made a distinction between incidents where data was actively stolen or reposted maliciously and those where an organization has inadvertently left data unprotected and exposed, but there has been no significant evidence of misuse. The latter have purposefully not been included in the list.

So, here it is – an up-to-date list of the 15 biggest data breaches in recent history, including details of those affected, who was responsible, and how the companies responded (as of July 2021).

1. Yahoo

Date: August 2013
Impact: 3 billion accounts

Securing the number one spot – almost seven years after the initial breach and four since the true number of records exposed was revealed – is the attack on Yahoo. The company first publicly announced the incident – which it said took place in 2013 – in December 2016. At the time, it was in the process of being acquired by Verizon and estimated that account information of more than a billion of its customers had been accessed by a hacking group. Less than a year later, Yahoo announced that the actual figure of user accounts exposed was 3 billion. Yahoo stated that the revised estimate did not represent a new “security issue” and that it was sending emails to all the “additional affected user accounts.”

Despite the attack, the deal with Verizon was completed, albeit at a reduced price. Verizon’s CISO Chandra McMahon said at the time: “Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.” After investigation, it was discovered that, while the attackers accessed account information such as security questions and answers, plaintext passwords, payment card and bank data were not stolen.

2. Alibaba

Date: November 2019
Impact: 1.1 billion pieces of user data

Over an eight-month period, a developer working for an affiliate marketer scraped customer data, including usernames and mobile numbers, from Alibaba’s Chinese shopping website Taobao, using crawler software that he created. It appears the developer and his employer were collecting the information for their own use and did not sell it on the black market, although both were sentenced to three years in prison.


A Taobao spokesperson said in a statement: “Taobao devotes substantial resources to combat unauthorized scraping on our platform, as data privacy and security is of utmost importance. We have proactively discovered and addressed this unauthorized scraping. We will continue to work with law enforcement to defend and protect the interests of our users and partners.”

3. LinkedIn

Date: June 2021
Impact: 700 million users

Professional networking giant LinkedIn saw data associated with 700 million of its users posted on a dark web forum in June 2021, impacting more than 90% of its user base. A hacker going by the moniker of “God User” used data scraping techniques by exploiting the site’s (and others’) API before dumping a first information data set of around 500 million customers. They then followed up with a boast that they were selling the full 700 million customer database. LinkedIn argued that, as no sensitive, private personal data was exposed, the incident was a violation of its terms of service rather than a data breach. However, a scraped data sample posted by God User contained information including email addresses, phone numbers, geolocation records, genders and other social media details, which would give malicious actors plenty of data to craft convincing, follow-on social engineering attacks in the wake of the leak, as the UK’s NCSC warned.

4. Sina Weibo

Date: March 2020
Impact: 538 million accounts

With over 600 million users, Sina Weibo is one of China’s largest social media platforms. In March 2020, the company announced that an attacker obtained part of its database, impacting 538 million Weibo users and their personal details including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have then sold the database on the dark web for $250.

China’s Ministry of Industry and Information Technology (MIIT) ordered Weibo to enhance its data security measures to better protect personal information and to notify users and authorities when data security incidents occur. In a statement, Sina Weibo argued that an attacker had gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends by inputting their phone numbers and that no passwords were affected. However, it admitted that the exposed data could be used to associate accounts to passwords if passwords are reused on other accounts. The company said it strengthened its security strategy and reported the details to the appropriate authority.

5. Facebook

Date: April 2019
Impact: 533 million users

In April 2019, it was revealed that two datasets from Facebook apps had been exposed to the public internet. The information related to more than 530 million Facebook users and included phone numbers, account names, and Facebook IDs. However, two years later (April 2021) the data was posted for free, indicating new and real criminal intent surrounding the data. In fact, given the sheer number of phone numbers impacted and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached credential checking site that would allow users to verify if their phone numbers had been included in the exposed dataset.

“I’d never planned to make phone numbers searchable,” Hunt wrote in blog post. “My position on this was that it didn’t make sense for a bunch of reasons. The Facebook data changed all that. There’s over 500 million phone numbers but only a few million email addresses so >99% of people were getting a miss when they should have gotten a hit.”

6. Marriott International (Starwood)

Date: September 2018
Impact: 500 million customers

Hotel giant Marriott International announced the exposure of sensitive details belonging to half a billion Starwood guests following an attack on its systems in September 2018. In a statement published in November the same year, the company said: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.”

Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. “Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database,” the statement added.


The data copied included guests’ names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some, the information also included payment card numbers and expiration dates, though these were apparently encrypted.

Marriott carried out an investigation assisted by security experts following the breach and announced plans to phase out Starwood systems and accelerate security enhancements to its network. The company was eventually fined £18.4 million (reduced from £99 million) by the UK data protection regulator, the Information Commissioner’s Office (ICO), in 2020 for failing to keep customers’ personal data secure. An article in The New York Times attributed the attack to a Chinese intelligence group seeking to gather data on US citizens.

7. Yahoo

Date: 2014
Impact: 500 million accounts

Making its second appearance in this list is Yahoo, which suffered an attack in 2014 separate to the one in 2013 cited above. On this occasion, state-sponsored actors stole data from 500 million accounts including names, email addresses, phone numbers, hashed passwords, and dates of birth. The company took initial remedial steps back in 2014, but it wasn’t until 2016 that Yahoo went public with the details after a stolen database went on sale on the black market.

8. Adult Friend Finder

Date: October 2016
Impact: 412.2 million accounts

The adult-oriented social networking service FriendFinder Networks had 20 years’ worth of user data across six databases stolen by cyber-thieves in October 2016. Given the sensitive nature of the services offered by the company – which include casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, and Stripshow.com – the breach of data from more than 414 million accounts including names, email addresses, and passwords had the potential to be particularly damaging for victims. What’s more, the vast majority of the exposed passwords were hashed with the notoriously weak SHA-1 algorithm, with an estimated 99% of them cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.

9. MySpace

Date: 2013
Impact: 360 million user accounts

Though it had long stopped being the powerhouse that it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto both LeakedSource.com and put up for sale on dark web market The Real Deal with an asking price of 6 bitcoin (around $3,000 at the time).

According to the company, lost data included email addresses, passwords and usernames for “a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions.”

It’s believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase.

10. NetEase

Date: October 2015
Impact: 235 million user accounts

NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were being sold by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred and to this day HIBP states: “Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as ‘unverified.’”

11. Court Ventures (Experian)

Date: October 2013
Impact: 200 million personal records

Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo’s exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals across the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.

12. LinkedIn

Date: June 2012
Impact: 165 million users

With its second appearance on this list is LinkedIn, this time in reference to a breach it suffered in 2012 when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted onto a Russian hacker forum. However, it wasn’t until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace’s data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach, and said it had reset the passwords of affected accounts.

13. Dubsmash

Date: December 2018
Impact: 162 million user accounts

In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web market the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.

Dubsmash acknowledged the breach and sale of information had occurred and provided advice around password changing. However, it failed to state how the attackers got in or confirm how many users were affected.

14. Adobe

Date: October 2013
Impact: 153 million user records

In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million “active users.” Security blogger Brian Krebs then reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, password, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.

15. My Fitness Pal

Date: February 2018
Impact: 150 million user accounts

In February 2018, diet and exercise app MyFitnessPal (owned by Under Armour) exposed around 150 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes. The following year, the data appeared for sale on the dark web and more broadly. The company acknowledged the breach and said it took action to notify users of the incident. “Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities,” it stated.
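Several entries above turn on how passwords were stored: Adult Friend Finder (#8) and LinkedIn (#12) used unsalted SHA-1, MySpace (#9) reportedly hashed only the first 10 characters after lowercasing, and MyFitnessPal (#15) had a mix of SHA-1 and bcrypt. The added example below (not code from the article or from any of these companies) shows concretely why the unsalted and truncated schemes were cracked so quickly: one pass over a wordlist yields a lookup table that cracks every matching hash in a dump, truncation plus lowercasing makes distinct passwords collide, and a per-user salt with a slow KDF defeats the same table. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the standard library; the wordlist and the “dump” are constructed samples.

```python
import hashlib
import os

# Constructed sample wordlist, standing in for the cracker's dictionary.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty123"]


def sha1_unsalted(password: str) -> str:
    """LinkedIn's 2012 scheme: a single SHA-1 over the raw password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def myspace_style(password: str) -> str:
    """The scheme attributed to old MySpace: SHA-1 of the first 10 characters, lowercased.
    Everything past character 10, and all case information, is thrown away."""
    return hashlib.sha1(password[:10].lower().encode()).hexdigest()


def salted_slow(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user salt plus a deliberately slow KDF. PBKDF2-HMAC-SHA256 is used here in place
    of bcrypt (not in the standard library); the property being shown is the same."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_lookup(hash_fn, wordlist) -> dict:
    """Hash the wordlist once. For an unsalted scheme this table cracks every dump."""
    return {hash_fn(word): word for word in wordlist}


def crack(dump, lookup: dict) -> dict:
    """Return {hash: plaintext} for every hash in the dump the table knows."""
    return {h: lookup[h] for h in dump if h in lookup}


def demo() -> tuple:
    """Returns (unsalted hashes cracked, truncation collision seen, salted hashes cracked)."""
    # Constructed "dump" of three unsalted SHA-1 hashes, two from common passwords.
    dump = [sha1_unsalted(p) for p in ["letmein", "password", "Tr0ub4dor&3"]]
    cracked = crack(dump, build_lookup(sha1_unsalted, WORDLIST))

    # Two different passwords, one MySpace-style hash.
    collide = myspace_style("Correct!Horse") == myspace_style("CORRECT!HORSEbattery")

    # Same wordlist against salted, slow hashes: the precomputed table is useless.
    salt = os.urandom(16)
    salted_dump = [salted_slow(p, salt, rounds=1000) for p in ["letmein", "password"]]
    salted_cracked = crack(salted_dump, build_lookup(sha1_unsalted, WORDLIST))

    return len(cracked), collide, len(salted_cracked)


if __name__ == "__main__":
    unsalted_hits, collision, salted_hits = demo()
    print(f"unsalted SHA-1: {unsalted_hits} of 3 cracked from a 5-word list")
    print(f"MySpace-style truncation collision: {collision}")
    print(f"salted PBKDF2: {salted_hits} of 2 cracked with the same list")
```

The attacker’s cost against the salted scheme is a fresh brute-force run per user, at the KDF’s chosen work factor, rather than one table shared across the whole dump; that difference is what separates the 99%-cracked figure in the Adult Friend Finder entry from the bcrypt portion of the MyFitnessPal data.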

9Apr

Security News This Week: Hackers Accessed Security Cameras Inside Tesla and Beyond

by intelAdmin

source: wired.com

WIDESPREAD HACKING CONTINUED to be on everyone’s minds this week as countless companies and organizations continued to struggle with a slew of major hacks. Now that Microsoft’s patches have been out for a while, an array of nation-state and criminal actors are getting more aggressive about exploiting a set of Microsoft Exchange Server bugs that were already under active attack by the Chinese group Hafnium. Meanwhile, the White House is mulling a response to Russia’s recent, high-profile SolarWinds espionage campaign that compromised data at numerous United States government agencies and private companies around the world. For the Biden administration, the risk is that too strong a retaliation could erode norms and be seen as hypocritical given that the US and virtually every government engages in digital espionage.

Criminal hackers have also continued their extortion rampage related to a breach of the file-transfer appliance maker Accellion. The world of digital chess is in an uproar, and stooping to digital harassment, over accusations from a Twitch and YouTube chess star that an upstart challenger cheated in a match the master lost. And Google researchers developed a proof-of-concept browser exploit to raise awareness about the threat that speculative execution attacks, like those exploiting the infamous “Spectre” vulnerability, still pose to the web three years later.

The privacy-focused Brave browser launched its own search engine this week that’s meant to give Google a run for its money without vacuuming up so much user data. And we took another look at the five best password managers to use right now. Now’s a good time to brush up on them, especially given that Netflix may be cracking down on sharing passwords.

And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

A Security Camera Company Got Very Badly Hacked

Hackers breached the video surveillance services company Verkada on Monday, Bloomberg reported, gaining access to a “super admin” account that let them see more than 150,000 live feeds as well as video archives from Verkada’s customers. Exposed organizations included jails, schools, and hospitals—like the Madison County Jail in Huntsville, Alabama, and Sandy Hook Elementary School—as well as tech companies like Tesla and Cloudflare. More than 100 Verkada employees had access to thousands of customers’ streams—an additional surprising and likely disturbing revelation for the clients’ customers. Tillie Kottman, a hacker who claimed responsibility for the breach, said in a Mastodon post on Friday that officials raided their apartment in Lucerne, Switzerland, and confiscated their electronic devices. The search warrant was apparently related to an alleged hack from last year and not the Verkada breach.

Microsoft-Owned GitHub Takes Down Exchange Server Exploit

Security researchers warned this week that a full, public proof-of-concept exploit for recently-patched Microsoft Exchange Server vulnerabilities would further roil a hacking frenzy that had already escalated in recent days. On Wednesday, independent security researcher Nguyen Jang uploaded one such exploit on the code repository platform Github. Within hours, Github had removed the post. The incident stoked controversy within the security community, because Microsoft owns both Github and Exchange Server. The idea that a corporate overlord might police content on Github, or otherwise encroach on the open source community, caused major controversy during Microsoft’s acquisition of the service.

“We understand that the publication and distribution of proof-of-concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” a Github spokesperson told Motherboard on Thursday. “In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”


Jang told Motherboard that Microsoft sent an email notification about the action and that “it’s OK to take down the proof of concept.”

A Molson-Coors Hack Interrupts Beer Brewing and Delays Distribution

The US brewing giant Molson-Coors confirmed on Thursday that it was the target of a digital attack that caused delays and disruption to its “brewery operations, production, and shipments.” The company said in a Securities and Exchange Commission disclosure that some of the impacts could persist into the weekend. It is working on remediation and has retained both an incident response firm and legal counsel to advise during the process. Though the company was not specific about what type of attack it suffered, the situation seems consistent with a ransomware attack. Technicians rebooted production systems while employees were told to simply leave their computers and, in some cases, were sent home.

FBI Warns That Adversaries Will Weaponize Deepfakes

The FBI issued a warning on Wednesday that foreign actors will “almost certainly” use deepfakes, or “synthetic content,” as part of misinformation and influence operations in the next 12 to 18 months. The FBI says that such actors are already using deepfakes in their campaigns and that adoption will only rise among nation-state and criminal actors. Such manipulated materials could be used in targeted spearphishing attacks or for social engineering. The alert specifically notes that Chinese and Russian actors are already actively deploying deepfakes.

9Apr

Microsoft Office 365 phishing evades detection with HTML Lego pieces

by intelAdmin

source: bleepingcomputer.com

A recent phishing campaign used a clever trick to deliver the fraudulent web page that collects Microsoft Office 365 credentials by building it from chunks of HTML code stored locally and remotely.

The method consists of gluing together multiple pieces of HTML hidden in JavaScript files to obtain the fake login interface and prompt the potential victim to type in the sensitive information.

Hidden building blocks

Researchers at Trustwave decoded the text and found more decoding ahead as it was further obfuscated through Entity codes. Using GCHQ’s CyberChef, they revealed links to two JavaScript files hosted at “yourjavascript.com,” a domain used for other phishing campaigns.

Each of the two JavaScript files had two blocks of encoded text hiding HTML code, URL and Base64 encoded.

In one of them, the researchers found the beginning of the phishing page and code that validates the email and password from the victim.

The second JavaScript contained the ‘submit’ function, located via the ‘form’ tags and code that triggered a popup message informing victims that they had been logged out and needed to authenticate again.

In all, the researchers decoded more than 367 lines of HTML code spread across five chunks in the two JavaScript files and the email attachment, which, stacked together, built the Microsoft Office 365 phishing page.

Trustwave said that the unusual thing about this campaign is that the JavaScript is downloaded in obfuscated chunks from a remote location and then pieced together locally.

“This helps the attackers bypass security protections like Secure Email Gateways that might identify the malicious JavaScript from the initial attachment and block it,” the researchers added.

The victim email address is automatically filled in to give a sense of legitimacy. The phishing scams also check to make sure the password is not blank and will use regular expressions to confirm a valid email address.

In a blog post today, Trustwave notes that the URL receiving the stolen credentials for this campaign is still active.

The researchers say that the tricks in this campaign are uncommon. Using an HTML attachment pointing to JavaScript code in a remote location and unique encoding, the cybercriminals are looking to avoid detection.

9Apr

Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks

by intelAdmin

source: threatpost.com

Industrial enterprises in Europe are the target of the campaign, which forced a shutdown of industrial processes in at least one victim’s network, according to researchers.

Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.

Researchers say the attackers are exploiting an unpatched path-traversal flaw, tracked as CVE-2018-13379, in Fortinet’s FortiOS. The goal is to gain access to victims’ enterprise networks and ultimately deliver ransomware, according to a report by Kaspersky researchers published this week.

“In at least one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report.

Cring is relatively new to the ransomware threat landscape, which already includes the dominant strains REvil, Ryuk, Maze and Conti. Cring was first observed and reported by the researcher who goes by Amigo_A and Swisscom’s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom.

Last week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company’s SSL VPN products.

One of those bugs is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to the system’s SSL VPN web portal and allows an unauthenticated attacker to download system files from targeted systems via specially crafted HTTP resource requests.

In its report, Kaspersky echoed the feds’ warning, adding that attackers first scan connections to Fortinet VPNs to see if the software used on the device is the vulnerable version. In the campaign researchers observed, threat actors follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The goal is to crack open affected hardware, give adversaries access to network credentials and establish a foothold in the targeted network, Kopeytsev explained.

“A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file ‘sslvpn_websession,’ which contains the username and password stored in cleartext.”

For its part, “the security of our customers is our first priority,” according to a statement from Fortinet provided to Threatpost. “For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as late 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”

Anatomy of an Attack

Once gaining access to the first system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, according to Kaspersky.

In this way, attackers compromised the domain administrator account, and then used commodity tools like the Cobalt Strike backdoor and PowerShell to propagate the attack across various systems on the network, according to the report.

After gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script “Kaspersky” to disguise it as a security solution, Kopeytsev said.

The report breaks down how Cring achieves encryption and destroys existing backup files once it’s launched on a system. First, the ransomware stops various services of two key programs on the network: Veritas NetBackup and Microsoft SQL Server.

Cring also halts the SstpSvc service, which is used to create VPN connections, which researchers surmised was to block any remediation effort by system administrators, Kopeytsev said.

“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,” he wrote. “This was done to prevent system administrators from providing a timely response to the information security incident.”

Cring proceeds by terminating other application processes in Microsoft Office and Oracle Database software to facilitate encryption as well as the removal of key backup files to prevent recovery of files, according to the report.

In its final step, Cring starts to encrypt files using strong encryption algorithms so victims can’t decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. First each file is encrypted using an AES encryption key, and then that key is in turn encrypted using an 8,192-bit RSA public key hard-coded into the malicious program’s executable file, he wrote.

Once encryption is complete, the malware drops a ransom note from attackers asking for two bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.

Learning from Mistakes

The report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organizations can learn from them. First the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev said.

“The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,” he wrote.

System administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, according to the report.

Key errors in configuring privileges for domain policies and the parameters of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.

“There were no restrictions on access to different systems,” he wrote. “In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.”

19Aug

ECB shuts down one of its websites after hacker attack

by intelAdmin

FRANKFURT (Reuters) – The European Central Bank (ECB) shut down one of its websites on Thursday after it was hacked and infected with malicious software.

The ECB said no market-sensitive data had been compromised during the attack on its Banks’ Integrated Reporting Dictionary (BIRD), which it uses to provide bankers with information on how to produce statistical and supervisory reports.

But it added malware had been injected on the server hosting the site, adding that the email addresses, names and titles of the subscribers of the BIRD newsletter might have been stolen.

An ECB spokesman added the earliest evidence found of the attack dated back to December 2018, meaning it had gone undetected for months before being uncovered during maintenance work.

“The ECB is contacting people whose data may have been affected,” the ECB said. “The breach succeeded in injecting malware onto the external server to aid phishing activities.”

Launched in 2015, BIRD was a joint initiative of the Eurosystem of euro zone central banks and the banking industry. Participation in it was voluntary but its content was made available to all interested parties.

The ECB said BIRD was hosted by a third-party provider and was separate from any other ECB system.

“Neither ECB internal systems nor market-sensitive data were affected,” the ECB said.

Central banks from Malaysia to Ecuador have been targeted by hackers in recent years. One of the world’s biggest ever cyber heists took place in 2016 when fraudsters stole $81 million from the central bank of Bangladesh’s account at the New York Fed using fraudulent orders on the SWIFT payments system.


Article source: Reuters

Reporting by Francesco Canepa; Editing by Kevin Liffey and David Holmes

16Jul

LabCorp data breach exposes information of 7.7 million consumers

by intelAdmin

A day after Quest Diagnostics announced 12 million patients were affected by a data breach, another medical testing company says its patients’ data was also compromised.

In a filing with the U.S. Securities and Exchange Commission on Tuesday, LabCorp said “approximately 7.7 million consumers” are affected by a breach at third-party collections firm American Medical Collection Agency, also known as AMCA.

According to the SEC document, the breach happened between Aug. 1, 2018, and March 30, 2019. Information that could have been exposed includes names, addresses, dates of birth and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the SEC filing said. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA.”

AMCA is the same collections firm that worked with Quest.

The LabCorp filing says “Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

“LabCorp takes data security very seriously, including the security of data handled by vendors,” the company said in the SEC filing. “AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months.”

The news was first reported by the KrebsOnSecurity security news site.

A statement sent to USA TODAY Tuesday on behalf of AMCA said the company is “investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system.”

According to the statement, AMCA took down its web payments page after “receiving information from a security compliance firm that works with credit card companies of a possible security compromise” and conducting an internal review.

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security,” the statement said. “We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”
Article Source: USA Today

15Jun

Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input

by intelAdmin

Vulnerability Note VU#400865

Original Release Date: 2019-05-14 | Last Revised: 2019-05-14


Overview

Cisco’s Trust Anchor module (TAm) can be bypassed by manipulating the bitstream of the Field Programmable Gate Array (FPGA). This component handles access control to a hardware component within Cisco’s Secure Boot implementations, which affects multiple products that support this functionality. An authenticated, local attacker could write a new firmware image to the TAm. Additionally, Cisco’s IOS XE web UI improperly sanitizes user input, which could allow an authenticated, remote attacker to execute commands as root on the vulnerable device.

Description

CVE-2019-1649: Secure Boot Tampering, also known as Thrangrycat

The logic that handles the access controls to the TAm within Cisco’s Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array (FPGA). The TAm is a proprietary hardware chip used for many security services within Cisco products, including nonvolatile secure storage, cryptography services, and as a Secure Unit Device Identifier. The TAm can be bypassed by modifying the bitstream of the FPGA, allowing an authenticated, local attacker to make persistent modifications to the TAm.

CVE-2019-1862: IOS XE Web UI Command Injection

The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated, remote attacker to execute commands as root on the underlying Linux shell.

Impact

A local or remote attacker could write a new firmware image to the TAm. When exploited together, these vulnerabilities could allow a remote, authenticated attacker to remotely and persistently bypass Secure Boot and prevent future software updates to the TAm.

To exploit CVE-2019-1649, an attacker would need to have privileged administrative access to the device. This type of access could be achieved by exploiting the vulnerability described in CVE-2019-1862 or other potential remote command injection vulnerabilities.

Solution

CVE-2019-1649

Cisco is in the process of developing and releasing software fixes for all affected platforms. We recommend installing this update when it is available.

CVE-2019-1862

Apply the update from Cisco.

CVE-2019-1649

Guidance from Cisco recommends that users refer to the Cisco Guide to Harden Cisco IOS Devices, as it provides information about how to harden the device and secure management access. Implementing the recommendations in this document would likely reduce the attack surface for this vulnerability.

Source: https://kb.cert.org/vuls/id/400865/

15May

Brute Force Attacks Conducted by Cyber Actors

by intelAdmin

Systems Affected

Networked systems

Overview

According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.

In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.

Description

In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.

Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization’s email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.

Technical Details

Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:

  • Using social engineering tactics to perform online research (e.g., Google search, LinkedIn) to identify target organizations and specific user accounts for the initial password spray
  • Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts
  • Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:

  • A massive spike in attempted logons against the enterprise SSO portal or web-based application;
    • Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String).
    • Attacks have been seen to run for over two hours.
  • Employee logons from IP addresses resolving to locations inconsistent with their normal locations.
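The two indicators above can be turned into a simple detector. The following is an added example, not part of the DHS/FBI alert: it runs over constructed logon records in an assumed format, with constructed IP-to-country and home-country tables standing in for GeoIP and directory data, and flags one source trying many distinct accounts inside a short window, the accounts that then succeeded from that source, and successful logons from a country other than the user's usual one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO logon records in an assumed format:
# "<timestamp> <source_ip> <user_agent> <username> <SUCCESS|FAILURE>".
# One source, one user agent, many accounts in seconds is the spray pattern.
SAMPLE_LOG = """\
2018-03-20T08:00:00Z 203.0.113.7 python-requests/2.18 alice FAILURE
2018-03-20T08:00:01Z 203.0.113.7 python-requests/2.18 bob FAILURE
2018-03-20T08:00:02Z 203.0.113.7 python-requests/2.18 carol FAILURE
2018-03-20T08:00:03Z 203.0.113.7 python-requests/2.18 dave FAILURE
2018-03-20T08:00:04Z 203.0.113.7 python-requests/2.18 erin FAILURE
2018-03-20T08:00:05Z 203.0.113.7 python-requests/2.18 frank SUCCESS
2018-03-20T08:01:00Z 198.51.100.4 Mozilla/5.0 alice FAILURE
2018-03-20T08:01:30Z 198.51.100.4 Mozilla/5.0 alice SUCCESS
2018-03-20T09:15:00Z 192.0.2.9 Mozilla/5.0 bob SUCCESS
"""

# Constructed stand-ins for a GeoIP lookup and the users' usual locations.
IP_COUNTRY = {"203.0.113.7": "XX", "198.51.100.4": "US", "192.0.2.9": "US"}
USERS = ("alice", "bob", "carol", "dave", "erin", "frank")
HOME_COUNTRY = {u: "US" for u in USERS}

def parse_log(text):
    """Turn the raw lines into dicts with a real datetime for windowing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, user, outcome = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "ip": ip, "ua": ua, "user": user, "outcome": outcome})
    return records

def detect_spray(records, min_users=5, window=timedelta(minutes=10)):
    """Flag source IPs that try at least `min_users` distinct accounts inside
    any `window`-long span. Returns {ip: sorted usernames seen in such spans}."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, events in by_ip.items():
        hits, start = set(), 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fits in `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in events[start:end + 1]}
            if len(users) >= min_users:
                hits |= users
        if hits:
            flagged[ip] = sorted(hits)
    return flagged

def compromised_accounts(records, flagged):
    """Accounts with a successful logon from a flagged spraying source."""
    return sorted({r["user"] for r in records
                   if r["ip"] in flagged and r["outcome"] == "SUCCESS"})

def detect_location_anomalies(records):
    """Successful logons from a country other than the user's usual one."""
    anomalies = []
    for r in records:
        country = IP_COUNTRY.get(r["ip"], "UNKNOWN")
        if r["outcome"] == "SUCCESS" and country != HOME_COUNTRY.get(r["user"]):
            anomalies.append((r["user"], r["ip"], country))
    return anomalies

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    spray = detect_spray(recs)
    print("spray sources:", spray, "accounts to reset:", compromised_accounts(recs, spray))
    print("location anomalies:", detect_location_anomalies(recs))
```

Tune `min_users` and `window` to the real logon rate of the portal; a single shared egress IP behind a NAT can legitimately produce several distinct accounts in a window.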

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics [1][2]:

  • Use SSO or web-based applications with federated authentication method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
  • Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be setup at the user level
  • Limited logging setup, creating difficulty during post-event investigations

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Solution

Recommended Mitigations

To help deter this style of attack, the following steps should be taken:

  • Enable MFA and review MFA settings to ensure coverage over all active, internet-facing protocols.
  • Review password policies to ensure they align with the latest NIST guidelines [3] and deter the use of easy-to-guess passwords.
  • Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy, creating an exploitable security gap.
  • Many companies offer additional assistance and tools that can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018. [4]

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s National Press Office at npo@ic.fbi.gov or (202) 324-3691.

References

Revisions

  • March 27, 2018: Initial Version

Source: https://www.us-cert.gov/ncas/alerts/TA18-086A