Your Daily Decrypt

8/10/2023 - Today’s news and insights for cybersecurity pros and leaders

📸 Cybersecurity Snapshot

Here's a bar chart that visualizes the top 10 lesser-known cybersecurity tips, with each tip's importance or relevance represented by the length of the bar.

📰 Top Stories 

Summary

Who's Behind the Attacks: China's MSS-linked hackers, known as RedHotel.

What They Did: Attacked 17 countries (2021-2023) targeting sectors like government, academia, and research.

How They Did It: Utilized Log4Shell flaws, weaponized applications, and multi-tiered infrastructure.

Why It Matters: Intelligence gathering, economic espionage, and posing a highly skilled and dangerous threat.

Why it’s important to you

Stay Alert: Know the threat landscape; RedHotel is evolving.

Be Prepared: Your sector might be targeted; understand their methods.

Think Globally: These attacks have worldwide implications; collaboration is key.

Summary

What is Cloudflare Tunnel? A secure tunneling solution that can be abused by attackers for easy access to internal applications and services.

How Attackers Use It: Attackers can utilize Cloudflare Tunnel to create an outbound connection, making services like SSH, RDP, and SMB accessible externally without raising suspicion.

Benefits for Attackers: Simple installation, remote configuration, and the ability to route an entire network IP range through the tunnel, essentially working as a VPN.

Detection and Defense: Monitoring specific DNS queries and outbound connections to port 7844, and establishing policies to prevent unauthorized execution of the tool.

Why it’s important to you

Awareness of a New Threat Vector: Cloudflare Tunnel's exploitation is a novel and straightforward way for attackers to maintain access to victim networks, requiring attention and understanding.

Potential Risk to Internal Networks: The ability for attackers to expose an entire network and bypass typical security alerts makes this a significant concern.

Need for Proactive Defense: Monitoring and establishing policies against this threat is essential to protect networks from potential compromises.

Summary

Microsoft's Bug Bounty Payouts: Microsoft has paid more than $13 million through its bug bounty programs for the fourth year in a row, awarding a total of $13.8 million to 345 researchers for over 1,100 vulnerability reports.

Highest Rewards: The highest single reward was $200,000, with up to $250,000 offered for critical vulnerabilities in the Hyper-V hypervisor.

Range of Programs: The company runs 17 bug bounty programs, mainly for cloud services and platforms, and has introduced new high-impact scenarios for various programs.

Comparison with Other Tech Giants: Other companies like Meta, Google, Intel, and Apple have also paid out millions through their respective bug bounty programs.

Why it’s important to you

Recognition of Security Research: Microsoft's continued investment in bug bounty programs highlights the importance of identifying and rectifying vulnerabilities, encouraging collaboration with external researchers.

Emphasis on Cloud Security: With a majority of the programs focused on cloud services, the emphasis on cloud security reflects a broader industry trend that cybersecurity professionals should be aware of.

Benchmark for the Industry: Microsoft's commitment, along with other tech giants, sets a precedent for the industry, potentially influencing the way other organizations approach and invest in cybersecurity.

Summary

Microsoft's August Patch Tuesday Update: Addressed over 70 vulnerabilities, including two exploited zero-days and six critical bugs.

Zero-Day Fixes:

  • ADV23003 for Microsoft Office: Breaks exploit chain for CVE-2023-36884, an RCE vulnerability linked to Russian intelligence.

  • CVE-2023-38180 for .NET and Visual Studio: A denial of service vulnerability, low complexity but higher priority.

Critical Vulnerabilities: Six RCE flaws within Microsoft Message Queuing, Teams, and Outlook. Quick exploitation expected for Message Queuing bugs.

Microsoft Exchange Server Flaws: Includes CVE-2023-21709, an elevation of privilege vulnerability, exploitable through brute-force attacks against weak passwords.

Why it’s important to you

Importance of Immediate Patching: Wide-ranging fixes for zero-day vulnerabilities and critical RCE flaws highlight urgent need for action.

Connection to Known Threat Actors: The known exploitation by Russian intelligence emphasizes the critical nature of these vulnerabilities.

Organizational Priority: Products like Office, .NET, Visual Studio, Message Queuing, Teams, Outlook, and Exchange Server must be updated promptly to ensure security.

🚨 Threat Alerts

Summary

Worldwide Phishing Campaign: An expansive phishing operation involving over 800 fraudulent domains impersonating around 340 reputable global companies, including Facebook and Booking.com, came to light when an Imperva staff member nearly fell victim to the scam.

The Incident with Imperva Staff Member: While trying to sell a car seat on Yad2, the staff member was approached by a fraudulent buyer who introduced a fake payment service using Yad2's appearance. The fake site led to a payment page that would have sent credit card information to the fraudsters.

Scale and Scope of the Operation: The campaign, originating from Russian IP addresses and active since May 2022, encompassed phishing websites in over 48 languages, impersonating more than 340 different companies.

Social Engineering at Play: The campaign relied on social engineering, exploiting human interaction to manipulate or deceive individuals into disclosing critical information or gaining unauthorized access.

Why it’s important to you

Understanding the Threat Landscape: This phishing campaign's sophistication, scale, and successful impersonation of well-known brands provide insights into current threat tactics and methodologies.

Need for Vigilance and Education: The incident emphasizes the importance of continuous vigilance and education within organizations to recognize and resist social engineering attempts.

Monitoring for Fraudulent Domains: With 800 distinct fraudulent domains linked to the campaign, cybersecurity professionals must be aware of the Indicators of Compromise (IOCs) and actively monitor for potential threats.

Summary

Cloud Account Takeover Campaign: In the past six months, over 100 global organizations have been targeted, with successful cloud account takeovers increasing by over 100%.

Key Tool - EvilProxy: Attackers are using EvilProxy to steal MFA-protected credentials. Even with MFA enabled, accounts are being compromised.

Phishing Evolution: Threat actors sent around 120,000 phishing emails from March to June 2023, employing brand impersonation, scan blocking, and multi-step infection chains.

Phases of Attack: The campaign involves impersonation, redirection, account compromise of high-value targets, and post-compromise exploitation.

Conclusion and Recommendations: MFA is not foolproof. Organizations need a multi-layered security approach and must stay updated on evolving threats.

Why it’s important to you

Threat Understanding: Know the methods and evolution of phishing tactics.

Security Measures: Emphasize a comprehensive, multi-layered security strategy.

Stay Updated: Keep abreast of developments like EvilProxy.

Summary

LockBit's Threat to Varian Medical Systems: The LockBit ransomware group has threatened to leak medical data of cancer patients stolen from Varian Medical Systems. A renowned company owned by Siemens Healthineers, Varian has revenues of $3 billion.

Deadline for Ransom Payment: Lockbit has fixed the deadline for the ransom payment on August 17, 2023. Failure to comply could result in a dramatic violation of cancer patients' privacy.

Incident Yet to Be Disclosed: The company has remained silent on the incident, causing increased concern.

Previous Security Breaches with Siemens: Earlier this year, other Siemens-owned companies, including Siemens Metaverse and Siemens Energy, were targeted by security breaches, revealing potential vulnerabilities within the organization.

Why it’s important to you

Critical Privacy Threat: The potential leak of sensitive medical data emphasizes the critical importance of robust cybersecurity measures in healthcare.

Ransomware Strategy: LockBit's tactics underline the evolving nature of ransomware attacks, requiring continuous updates to defense strategies.

Corporate Responsibility: Varian's silence raises questions about transparency and responsibility in handling such serious incidents, providing a case study in crisis management for cybersecurity professionals.

Summary

Customized Yashma Ransomware Targets Multiple Countries: Cisco Talos has discovered an unknown threat actor, likely of Vietnamese origin, conducting a ransomware operation using a variant of Yashma ransomware. This ongoing attack, which began around June 4, 2023, targets English-speaking countries, Bulgaria, China, and Vietnam, and mimics WannaCry characteristics.

Unique Delivery of Ransom Note: Instead of embedding the ransom note in the binary, the actor downloads it from a GitHub repository using an embedded batch file—an uncommon technique that could evade endpoint detection.

Analysis of Threat Actor: With evidence pointing to a Vietnamese origin and specific languages used in ransom notes, the actor's GitHub account “nguyenvietphat” reveals intentions to target a wide geographic area.

Ransom Note Details: Demanding payment in Bitcoins, the actor doubles the ransom price if not paid within three days. The ransom note's resemblance to WannaCry might be an attempt to obfuscate the actor’s identity.

Customization of Yashma Ransomware: Compiled on June 4, 2023, this variant of Yashma ransomware includes a few notable modifications, such as the execution of an embedded batch file and anti-recovery capability. The actor also kept specific features like wiping the original unencrypted files.

Coverage and Protections: Various Cisco security products can detect and prevent the execution of this malware, with details provided for multi-factor authentication, malicious site blocking, and more.

Why it’s important to you

Emergence of a New Threat Actor: The discovery of a new threat actor using a customized ransomware variant underscores the importance of vigilance and continuous threat monitoring.

Innovative Attack Methods: The uncommon technique of downloading the ransom note from GitHub illustrates the evolving tactics of cybercriminals, necessitating adaptive cybersecurity measures.

Geographical Targeting Strategy: The specific targeting of multiple countries and the potential origin of the threat actor provide insights into geopolitical cyber strategies.

Learning from Yashma Customization: Analyzing the modifications and features retained in the Yashma variant may inform future defenses against similar threats.

⚖️ Regulatory Updates

Summary

Coexistence of Privacy Law and Trade Secret Law: The rise of the fourth industrial revolution, driven by data and connectivity, has led to a conflict between privacy law and trade secret law. While privacy law focuses on transparency and disclosure, trade secret law emphasizes confidentiality.

The Importance of Trade Secrets: With the unavailability of patent coverage for many technologies in Industry 4.0, companies often rely on trade secret law to protect large datasets, algorithms, and resulting insights. These include key information in food, retail, and medical technology industries.

Growing Conflict: The expansion of data privacy laws without trade secret exceptions, along with the growth of trade secret law, has heightened the risk for companies. Some privacy laws are passed with private rights of action and significant damages, forcing companies to choose between protecting trade secrets and complying with privacy laws.

Examples of Conflicts: Various privacy laws in the U.S. can conflict with trade secrets, such as the Health Insurance Portability and Accountability Act (HIPAA), Illinois' Biometric Information Privacy Act, and Washington's My Health My Data Act. These can require entities to provide access to trade secret protected data or even delete it.

Possible Solutions: Suggestions to resolve this conflict include eliminating derived or generated data from consumer access requests, limiting deletion requests to raw data, providing exceptions for trade secrets, or having consumers sign nondisclosure agreements. Coordination between IP and data privacy departments within companies is also essential.

Why it’s important to you

Protecting Intellectual Property: The dilemma between privacy law and trade secret law presents a complex challenge for cybersecurity professionals, highlighting the need to balance legal compliance with intellectual property protection.

Legal Compliance and Strategy: The understanding of this intersection between privacy and trade secrets is crucial for devising strategies that align with both legal requirements and corporate goals.

Risk Management: The choices companies make in navigating this legal landscape will determine the risks they are willing to take, underscoring the importance of informed decision-making in both legal compliance and risk management.

Summary

TSA’s Updated Pipeline Security Directive: Consistency and Collaboration Are Key: The Transportation Security Administration (TSA) has updated its security directive for the cybersecurity of oil and natural gas pipelines, building on previous versions.

Maintaining What Works:

  • Existing Measures: Retains community-driven, performance-based controls from the previous directive.

  • Flexible Implementation: Allows for tailored plans, using various industry standards, to fit specific risk profiles.

Consistency Without Complacency:

  • Alignment with Previous Versions: Ensures that compliance aligns with security, with iterative improvements.

  • Industry Collaboration: Encourages ongoing engagement with industry experts for the best security outcomes.

Regulatory Harmonization:

  • Tailored Regulations: Emphasizes industry-specific regulations and recognizes the need to streamline overlapping requirements.

Why it’s important to you

Performance-Based Approach: Highlights a shift from compliance checklists to real security, providing a model for evolving regulatory frameworks.

Collaboration with Industry: Stresses the importance of dialogue between government and private sector for resilience against evolving cyber threats.

Regulatory Alignment: Calls for streamlined regulations across sectors to allow organizations to focus on true security without distraction from duplicative requirements.

👀 Curated Finds

Summary

History’s Greatest Insider Threats by PJ Bradley, writer at Bora, dives into some of the most significant insider threat incidents that have shaped the cybersecurity landscape.

Twitter Bitcoin Scam (2020):

  • High-profile accounts hacked to promote a Bitcoin scam.

  • Losses totaled hundreds of thousands of dollars.

Cisco’s WebEx Attack (2018):

  • A former employee deleted 456 virtual machines, costing Cisco $1.4 million.

Target Compromised Insider (2013):

  • Massive data breach via third-party vendor.

  • Cost of remediation: $202 million, including an $18.5 million court settlement.

Google’s Waymo Incident:

  • Former employee stole trade secrets, leading to a $757,000 payment to Google and a $95,000 fine.

Anthem Breach (2017):

  • Breach of 18,000 Medicaid members' data through an insider vendor.

Capital One Hacker (2019):

  • Former Amazon Web Services employee stole data of over 100 million people.

  • Estimated total cost: up to $150 million.

Apple Leak (2019):

  • Former intern leaked parts of iOS source code on GitHub.

Why it’s important to you

Complex Nature of Insider Threats: These incidents underscore the multifaceted nature of insider threats and the need for robust, tailored solutions.

High Costs: The financial and reputational damage from these attacks demonstrates the critical importance of preventing insider threats.

Technology Solutions: Emphasizes the role of data detection and response technology in analyzing sensitive data to prevent leaks and breaches.

Summary

What is Advanced Persistent Cyber Threat Hunting, and Why Is It Important?: The article, written by Zachary Folk, explains the concept of Advanced Persistent Threat (APT) Hunting, a proactive approach to cybersecurity that detects and mitigates complex threats.

Growing Complexity in Cybersecurity: Cybercrime costs are anticipated to rise to USD 10.5 trillion annually by 2025, with the average time to address a breach in 2022 being 277 days.

The Importance of APT Hunting: APT Hunting is vital in filling the 20% security gap left by traditional measures, enabling early detection, addressing limitations of traditional security, reducing the impact of incidents, and improving overall security posture.

How APT Hunting Works: APT Hunting integrates data sources, automates baselining of “normal” behavior, generates hypotheses, and prioritizes alerts. It involves three distinct forms: Structured, Situational, and Unstructured (APT Hunting).

How It Differs from Traditional Threat Hunting: Unlike the reactive traditional threat hunting, APT Hunting uses AI/ML technologies and real-time threat intelligence for an offensive approach.

Why it’s important to you

Proactive Cybersecurity: APT Hunting represents a significant shift from reactive to proactive cybersecurity, essential in the complex and evolving threat landscape.

Complementing Traditional Security Measures: It works alongside traditional security measures, providing a more comprehensive and nuanced protection against cyber threats.

Adaptation to New Threats: Continuous monitoring and intelligence feed integration are crucial in adapting to new and evolving threats.

Summary

TunnelCrack - Security Vulnerabilities in VPNs: TunnelCrack is a term for two significant security vulnerabilities found in VPNs, allowing an adversary to leak traffic outside the VPN tunnel. Tests have shown that every VPN product is vulnerable on at least one device, with iOS and macOS devices being highly susceptible.

LocalNet Attack: In this attack, an adversary acts as a malicious Wi-Fi network, tricking the victim into connecting and then rerouting the victim's traffic outside the protected VPN tunnel. Tests revealed that all VPN apps on iOS, nearly all on macOS, a majority on Windows, and more than one-third on Linux are vulnerable to this attack.

ServerIP Attack: The ServerIP attack abuses the observation that many VPNs don't encrypt traffic towards the IP address of the VPN server. The adversary can spoof the DNS reply and then redirect the traffic outside the VPN tunnel. This attack affects built-in VPN clients on Windows, macOS, and iOS, with Android 12 and higher being safe.

Prevention and Research Paper: To prevent these attacks, VPN clients should be updated to send all traffic through the VPN tunnel, excluding traffic generated by the VPN app itself. The paper detailing these vulnerabilities is titled "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables," set to be presented at USENIX Security 2023.

Why it’s important to you

VPN Security Concerns: The discovery of these vulnerabilities highlights the critical importance of VPN security, especially with the widespread use of VPNs for secure connections.

Patch and Update Requirement: With every VPN product found vulnerable on at least one device, cybersecurity professionals must ensure that VPN clients are updated to prevent these attacks.

Awareness and Defense Strategy: Understanding these vulnerabilities and the techniques used in the attacks is vital for devising effective defense strategies and maintaining the security of VPN connections.



Thank you 🙏
Ali Abidi