By Charles Kime
IT and security teams try their best to secure our organizations and their critical assets.
Yet sometimes, our efforts fail to keep out adversaries. That’s why we use defense-in-depth and zero trust security strategies – to provide a backstop for when our initial efforts don’t work.
Let’s cover this month’s security news, and why every possible layer of cybersecurity is needed to keep you and your data safe.
Past Cybersecurity Breaches Come Back to Light
In 2019, Pulse Secure VPN servers were discovered to have a vulnerability that allowed hackers to run malicious codes on the servers.
Nations states and ransomware gangs pounced on the vulnerability, but patches were created and installed. End of story, right?
Unfortunately, no. Pulse Secure VPNs now suffer from a common and subtle vulnerability – poor password hygiene.
According to Japan’s computer emergency response team and the U.S. Department of Homeland Security’s cybersecurity and infrastructure security agency, hackers ran malicious codes on the servers also stole many plain-text Active Directory credentials.
Now, even though the servers have been patched, the attackers have begun to simply log into the networks using the credentials that no one thought to change. Unfortunately for the victims and for many other organizations, recovering from a breach can take so much effort that some details become overlooked.
If an organization even suspects a breach, all passwords must be reset.
COVID-19 Cyber Attacks
Over the past few weeks, we cited a number of cyber attacks related to COVID-19.
Although coronavirus-themed attacks were anticipated, no one could have guessed they’d occur at this scale.
In January, Zscaler’s cloud-security platform detected and blocked 1,200 attacks – “phishing, malicious websites and malware targeting remote users – all related to COVID-19.”
In March, they saw a 30,000% increase as they blocked over 380,000 cyber attacks.
Google also announced abnormally high numbers and revealed that, for just one week in March, their built-in scanners blocked 18 million phishing and malware emails using COVID-19-themes. Microsoft showed similar volume – the company blocks more than 18,000 malicious URLs and IP address per day.
If your organization hasn’t already warned its users about COVID-19-themed issues, it definitely needs to do so.
“If an organization even suspects a breach, all passwords must be reset.”
Ransomware and More Ransomware
In a similar fashion, organizations need to work to determine the sources of their attacks, or they will continue to happen.
For example, Asia Pacific’s top provider of logistics and transportation, The Toll Group, just suffered a second ransomware attack in three months. On Feb. 5, the Mailto ransomware forced Toll Group to shut down their network and disrupt their business.
Exactly three months later on May 5, a Nefilim Ransomware attack forced the company to shut down affected systems again.
So, how did this happen?
Researchers noted that the Toll Group continues to use a vulnerable Citrix ADC Netscaler server that has not been patched, even though vulnerabilities were publicized in January, and patches with instructions were provided in February.
While it might be obvious that companies need to fix existing issues, knowing it does not make it happen. Resource constraints and the increased demands of working during the COVID-19 pandemic can make any organization slow to respond.
Of course, the resource issues also apply to attacks that are on the horizon. In January, the first warnings emerged of a campaign to attack enterprises using the Snake Ransomware. While this malware began attacks slowly, so far in May, their attacks have surged.
One prominent victim has been Europe’s largest private hospital operator, Fresenius. Snake ransomware attackers are unusual, as they focus on IT processes tied to enterprise management tools and industrial control systems.
However, attackers have also copied other ransomware teams, as they’ve begun to leak user data to force payment.
Of course, Fresenius is not alone. Ransomware attackers continue to use all of their creativity to compel enterprises to pay.
A recent analysis of the Maze ransomware team tactics found that the attackers have frequently expanded their data leak threats to the customers of their ransomware victims. For example, if a healthcare provider fails to pay a ransom, a cybercriminal might go after patients and threaten to leak their personal medical information.
P@ssw0rD Problems Continue
We often discuss the importance of passwords.
This column began with the story of credentials stolen from Pulse Secure VPNs, but if the organizations were using multi-factor authentication (MFA), would there have been a story? Maybe, maybe not.
Unfortunately, many people still have poor password habits.
In an analysis of the top 100 weak passwords for 2019, “123456” and “qwerty” are two of the most commonly used passwords. Reflecting the trend towards longer passwords, “123456789” rounds out the top three.
And, of course, “password” isn’t far behind.
Organizations should periodically conduct internal password cracking tests to make sure that no one uses weak and overused passwords.
To further complicate matters, 91% of people know they should not use the same user name and password combination on multiple sites, yet two-thirds of them still do. That number continues to increase, year after year.
Maybe your organization is lucky. Perhaps your users create special passwords for the office. But, you shouldn’t count on that being the case.
By restricting user permissions tightly and conducting regular audits to check for permissions and privileges, you’ll greatly reduct risk. Why put more pressure on your IT backup defenses than necessary?
Managed Detection & Response
The fact remains that users will make mistakes, and attackers will find ways around at least one defense. The key to mitigating that risk is to quickly limit the damage.
Having a managed detection and response security net can improve the critical reaction time to locate and lock down attackers.