Welcome to Cybersecurity Today. This is the Week in Review for the week ending Friday, March 22, 2024. I'm Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes, Terry Cutler of Cyology Labs in Montreal will be here to talk about recent news. That includes lessons learned from last year's ransomware attack on the British Library, the latest criminals in court, app developers leaving Google Firebase instances unprotected, and managing cybersecurity expectations for his team. He'll also have advice for business leaders.
Before we get into the discussion, here's a quick recap of other news that's happened over the past seven days.
Scammers are quick to exploit a recently discovered vulnerability in the on-premises version of JetBrains' TeamCity continuous integration server. Trend Micro says unpatched servers are being hit with ransomware, backdoors and cryptomining malware.
Ivanti is urging administrators to install security patches for its Standalone Sentry gateway. They resolve a remote code execution vulnerability rated 9.8 on the Common Vulnerability Scoring System.
The February ransomware attack that hit Change Healthcare, a company that processes healthcare transactions for healthcare organizations across the United States, continues to impact healthcare providers across the country. According to SCMagazine.com, facilities are unable to pay their medical providers and employees, and patients are being forced to pay for medications out of their savings. Washington is trying to help. The Secretary of Health and Human Services told Congress this week that the department is issuing $2.5 billion in advance Medicare and Medicaid payments.
Developers and IT administrators with hardware and applications that run on Zephyr OS should make sure the operating system is updated as soon as possible. This follows the discovery by Synopsys researchers of a serious vulnerability. A fix was released in January. Word of it was released this month.
German researchers have discovered a new type of denial of service attack that could affect 300,000 network devices. It exploits vulnerabilities in communication protocols such as DNS, NTP, TFTP and some legacy protocols. This attack, known as a loop attack, can be blunted by applying mitigations such as the latest security patches and firewall rules to network equipment from companies such as Cisco Systems, Honeywell, Broadcom, Microsoft and MikroTik.
Mintlify, which provides a cloud service that allows developers to generate code documentation on their computers or on GitHub, says hackers accessed 91 access tokens of customers who use the service to analyze their GitHub repositories. These were tokens stored in the Mintlify database. The tokens have been revoked.
As I mentioned earlier, Terry and I talk about the dangers of misconfiguring Google Firebase. This week, Tenable researchers released a report on how they discovered a vulnerability in Amazon Web Services that could have been exploited, by leveraging a misconfiguration, to take over a web administration panel. Although AWS has resolved the issue, it serves as a warning to other cloud providers to put guardrails in their domain architectures to prevent similar risks.
Finally, GitHub's promised code scanning autofix tool is now in public beta. Developers can use the tool to identify many vulnerabilities in Java, JavaScript, TypeScript and Python and suggest fixes. While in beta, only users with enterprise GitHub accounts who use GitHub Advanced Security can access the tool.
(The following is an edited version of the first of four news items that Terry Cutler and I discussed. To hear the entire conversation, play the podcast.)
Howard: I'd like to start with a report on the lessons learned by the British Library from the Rhysida gang's ransomware attack last October. For those who don't know, the British Library is the national library, home to 170 million of the country's most rare books, ancient documents, maps and recordings. It is open to the public and researchers. Five months later, it still hasn't fully recovered from the attack. But to make sure the public understands what the library has been doing for months, and to convey lessons to cybersecurity and IT professionals, the library released an analysis of the incident.
Much of the server infrastructure was encrypted or destroyed, and approximately 600 GB of data was copied. It was then dumped on the dark web after the library refused to pay for the decryption key. Recovery for the library requires a complete overhaul of its IT infrastructure. One reason is that some key legacy software systems are no longer supported by their vendors or will not work under the new, secure infrastructure.
What did you learn from reading the report?
Terry Cutler: A few things. Every time we come in to do incident response after a company has been hacked, three things typically happen. First, [IT] is monitoring alerts, but they all feel alert fatigue. We see this all the time. Even when we're doing adversarial testing, we're testing and no one is looking at the [incident] alerts. Checking their email or event log manager reveals that the alert existed, but no one was monitoring it. Second, they are monitoring alerts, but they are not skilled enough to understand when an incident is occurring. Third, they rely on log managers to monitor threats, and there is a delay in receiving those logs. This happens frequently. That's why we do our best to always perform [network] packet captures when performing incident response.
Another thing to understand is that setting a baseline for your network [activity] is very important. Is it normal for people to be doing port scans all the time? How much data is being moved, such as via external backups? You need to understand what's happening within your network and have a baseline. You also need to have appropriate, up-to-date incident response protocols. As companies outsource their IT, we often see abbreviated versions of incident response plans in place. The plan is, "Call this person." But when you talk to that person, they don't know how to prepare. They have to call someone else.
Another problem is that [IT] often has too many tools and is trying to piece together what happened. They use one vendor for their software, one vendor for their servers, another vendor for endpoint EDR, and another vendor for network monitoring. These tools are not necessarily made to work together. So you need to have the right technology in place that allows you to see all of this holistically.
Often when we conduct penetration or adversarial testing to determine whether a third party is actually monitoring a network, the organization is never notified that port scanning and reconnaissance are taking place.
Howard: As you mentioned, the best evidence is that the hacker got in through a Terminal Services server that was set up to allow IT contractors access to the library network for maintenance. Those people didn't have to log in with multi-factor authentication. Interestingly, multi-factor authentication was required for full-time staff to log in to email. However, the IT contractors were not required to use MFA. The library knew this was risky, but thought other [login] mitigation measures would suffice. Apparently that wasn't the case. It seems to me that the lesson here is that multi-factor authentication cannot be put off for anyone.
Terry: Everyone needs to have it turned on. It doesn't matter if you are a manager or the president. Everyone should have it. And you need a layered approach, right? So even if MFA fails, there should be other technologies in place to help detect the problem. Just before I jumped on this call, I ran a dark web scan of the library's domain and found over 1,000 [British Library] leaked passwords [up for sale]. This means cybercriminals may be able to log into those accounts without any additional security prompts [unless MFA was enabled] ... I mean, MFA is really important. And if you're not sure whether your organization has it turned on or off, or who's missing it, do an audit. Find out who has passwords set to never expire and who has never logged in. This often happens when a contractor or employee is hired, leaves soon after, and the account is not shut down. So a [password] audit is required here.
Howard: The timeline of the response to this attack is very interesting. At 7:35 a.m., something strange was noticed. Two hours later, the crisis management plan was invoked and the library's Gold crisis response team was notified. By 10 o'clock, a WhatsApp video call with senior staff was arranged. Unable to rely on email, they were using WhatsApp [after a successful breach of security controls]. Here's a lesson on how well-prepared organizations plan [to respond to] an incident, and it's a lesson many companies should learn. But what if you're a small company? You don't have a Gold crisis team. Resources are scarce. So how can small organizations develop an incident response plan and prepare personnel to respond to an attack?
Terry: They had a really good incident response plan in place, but they still didn't enforce 2FA for everyone. That's one of the basics, step 1. [But] you're on step 8 and you haven't done step 1. Small business owners, listen up. You should create a simple incident response plan that covers the basics, such as who will be responsible for the recovery process if an incident is detected, and who is in charge of public relations. And you must also do the [daily] basics of cybersecurity. Is patch management being done properly? Are you taking proper backups? Do you conduct assessments? Is your IT department adequately equipped to rebuild your network in the event of an incident?
Here's a perfect example. I recently had a meeting with a customer who was almost the only person in his organization responsible for IT operations. When we asked what their incident management plan was, he said, "Just call this person." To confirm, he called that person at the outsourced company that serves as the IT department, and they were completely unprepared...
Howard: I noticed that the report says "Updates to previously approved investments are now being implemented." It's like closing the barn door after the horse has run away. The lesson for me is to not put off getting rid of legacy equipment. Do it quickly, do it now.
Terry: It's a "never happen to us" approach. So you really have to run [security] assessments regularly and keep [security] constantly updated... Many people are still carrying Windows XP with them, but they can't get rid of it because they need it to run door security, for example. So if you want to upgrade a system that includes Windows XP, you may need to change your entire security infrastructure. In some cases, you may not have the budget to do this. So they stick with it. That's why it's so important to start segmenting your network and baselining what you have. During an audit, you can see, for example, which machines are outdated. So if you find a seven-year-old machine, you should already be making plans to replace or upgrade it, because in the case of software, the vendor may no longer exist and you may not be able to continue using it.
Howard: Another takeaway from this report is that a lack of network segmentation can allow a cyberattack to do more damage than necessary.
Terry: I had just such a conversation with someone this week. Their entire network was flat. Everything was on one subnet. No, you need to segment this, because you need to contain the environment if something happens. So even if an attacker breaks in, they cannot access every location. You want to make sure they're limited by segment. That limits the damage.
People say, "I got this brand new firewall." But hackers don't waste time trying to hack your firewall. Why would they, when they can just email your employees? [And if the employees fall for a scam,] they [the attackers] become insiders.