Securing any organization is hard. However, neglecting simple issues makes us foolish.
From on-prem Exchange servers to SMS multifactor, some vulnerabilities can be self-inflicted and are easily resolved.
Though teams may be short of bandwidth, some projects are too important to put off – even if it means outsourcing or putting aside other projects.
ProxyLogon Update Progression
By the end of March, 92% of the world’s Exchange Servers had been patched for the ProxyLogon security vulnerabilities. Sadly, this is four weeks after the patches were initially released.
Although there was a 43% improvement from the previous week, as we pointed out in a previous article, patching only prevents future attacks from occurring. Because malicious software could already be installed by that point, organizations would be safest to assume they have already been compromised.
In the same month, the computer manufacturing giant, Acer, had a vulnerable Exchange server leading to a $50 million ransom demand. The following week, Microsoft detected 1,500 Exchange servers with web shells installed by the Black Kingdom ransomware gang.
In addition to ransomware, attackers stole credentials and deployed cryptomining malware onto servers.
Attackers move quickly to exploit any vulnerability, which leaves organizations scrambling as they’re struck by multiple attackers using multiple methods at the same time.
If your organization has yet to patch or investigate its on-prem Microsoft Exchange server, get help to make it happen as soon as possible to avoid becoming the next victim.
CyberInsurance Attack Versus U.S. Sanctions
Near the end of March, the 7th largest insurance company in the world, CNA, suffered a ransomware attack that encrypted more than 15,000 devices on their corporate network.
Even employees’ personal computers, logged into the company’s VPN, were affected by the ransomware when it deployed.
This attack is notable for two key reasons: possible U.S. Treasury implications, and CNA’s insurance coverage for their clients.
Last year, the U.S. Treasury announced fines and penalties against those paying ransom to sanctioned countries or organizations.
The Phoenix CryptoLocker that struck CNA shows a similarity in coding with WastedLocker ransomware. WastedLocker has been tied to the Evil Corp ransomware gang, which is under U.S. Treasury sanctions.
In an effort to circumvent these sanctions, Evil Corp (aka: Dridex gang, INDRIK SPIDER) shifted its business model once researchers connected it to the Hades ransomware.
Evil Corp knows that, because organizations cannot legally pay ransoms to them directly, indirect routes are needed for making payments easier for their victims.
It is important to note that most current ransomware attacks also involve data exfiltration. In attacking CNA, the attackers now also have information about CNA’s insurance customers.
In an interview, one member of the REvil ransomware gang bragged, “Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
Organizations covered by CNA’s cyberinsurance policies could expect to be under attack soon by very sophisticated ransomware gangs. They should take extra steps to prevent phishing attacks and monitor networks for compromise.
Compromised Vulnerabilities: SMS Multi-factors
Multi-factor authentication is great for its ability to provide extra layers of protection. Unfortunately, it can easily be undermined.
Many users rely upon SMS texts to provide a second factor of authentication. However, if an attacker knows the phone number that the SMS will be sent to, they can obtain a copy of the SMS codes for as little as $16.
How often will attackers actually obtain these phone numbers?
While it may seem unlikely at first, many people include their cell phone numbers in the signature files for their email or business cards.
An attacker could easily go to a local mixer and collect the business cards of potential victims, later combining that information with various attacks. This can lead to compromised email, bank accounts, etc.
Executives with access to critical resources should be encouraged to use non-SMS multi-factor authentication (authentication apps, Duo, etc.), to prevent being easily compromised.
Default Settings, a Trap of Complacency
Default settings and sample addresses can help our organizations get started quickly.
Unfortunately, some defaults tend to be overlooked and lead to significant vulnerabilities.
For example, the $15 billion financial tech company, Fiserv, used “defaultinstitution.com” as a placeholder in email templates for itself and its partners.
However, by neglecting to change the placeholder to the correct URLs, customer information and internal emails were sent to this domain – one which they did not control.
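A defender-side check for the failure mode just described, added here as an example and not code from the original article or from Fiserv: it scans email template text for addresses whose domain is a known placeholder or is not on an allow-list of domains the organization controls. The template bodies, the allow-list and the placeholder list are constructed for this example.

```python
import re

# Constructed sample templates: header lines as they might sit in a mail-template config.
TEMPLATES = {
    "statement_notice": "From: alerts@example-bank.test\nReply-To: support@defaultinstitution.com",
    "password_reset": "From: noreply@example-bank.test\nBcc: audit@defaultinstitution.com",
    "partner_report": "From: reports@example-bank.test\nTo: ops@partner-bank.test",
    "welcome": "From: welcome@example-bank.test",
}

# Sample/placeholder domains that must never survive into production templates.
PLACEHOLDER_DOMAINS = {"defaultinstitution.com", "example.com"}
# Domains the organization actually controls (assumed allow-list for this example).
CONTROLLED_DOMAINS = {"example-bank.test"}

# Captures the domain part of each e-mail address found in a template body.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def audit_templates(templates, controlled, placeholders):
    """Return (template, domain, finding) tuples for every address domain that
    is a known placeholder or is not on the organization's allow-list."""
    findings = []
    for name, body in templates.items():
        for domain in sorted({d.lower() for d in ADDR_RE.findall(body)}):
            if domain in placeholders:
                findings.append((name, domain, "placeholder domain left in template"))
            elif domain not in controlled:
                findings.append((name, domain, "domain not on controlled-domain allow-list; verify"))
    return findings


def run_audit():
    """Audit the constructed templates above; returns the list of findings."""
    return audit_templates(TEMPLATES, CONTROLLED_DOMAINS, PLACEHOLDER_DOMAINS)


if __name__ == "__main__":
    for template, domain, finding in run_audit():
        print(f"{template}: {domain}: {finding}")
```

Run it against exported template files before they go live; a placeholder hit is a hard failure, while an unlisted domain is something to confirm with whoever owns the template.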
Additional Security Support
When dealing with vulnerabilities, speed becomes essential and in-house teams sometimes cannot move faster than attackers.
When setting up new systems, teams sometimes need an expert to provide a second set of eyes to check settings and look for overlooked errors, such as erroneous defaults.
Our networking and security experts at Ideal Integrations and Blue Bastion are here to provide extra help for short-term projects or for long-term outsourcing. If your organization has urgent issues or ongoing needs, call us today at 412-349-6680 or fill out the form below and let us know how we can help.