Security Bytes - Issue 15
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
This week we see that no matter your defences, if you use lame passwords, you’ll get owned. MS’s stock falls to economic headwinds while its security portfolio grows. Iran looks to go low, dox you and then embarrass you on social media using low-level hacks. Kids lose $101 million to cyber-based fraud in 2021, up over 1000% (yes, a thousand percent) YoY. And supply chain security gets serious, but how many holes are already lurking out there?
Enjoy!
Stay on Target, Stay on Target
Ok, first forgive the Star Wars reference; I could go on for days. In a world where there is a seemingly endless sea of increasingly sophisticated threats coming at you from every direction using more and more advanced techniques, it’s still the lowly password that consumes us (and phishing). Making the news this week – again, after initial reports in late September – hackers accessed FastCompany’s systems, allowing them to push offensive notifications to outlets such as Apple News. They gained access by guessing the password “pizza123”.
The simple point here is (I know I sound like a broken record) that security is about the fundamentals and the day-in, day-out hard work in the trenches. A lot of attention is given to “sexy” attacks that admittedly represent a real threat, but what’s the point in trying to defend against 007-level attacks when a 12-year-old with an iPhone can own you? Case in point: in a recent Threat Horizons report from Google’s Cybersecurity Action Team they note that in Q2’22 nearly 58% of detected compromises were due to “Weak or no credentials”.
I get it. We all want to work on the cool stuff, and passwords and phishing are boring, somewhere between watching paint dry and grass grow. But until you have the basics down solidly and maintain a strong foundation in them, energy pointed in other cool directions is potentially wasted.
Article about the original attack - https://www.cybertalk.org/2022/09/28/hacker-breaches-fast-company-sending-offensive-notifications/
Updated article - https://www.bleepingcomputer.com/news/security/how-the-pizza123-password-could-take-down-an-organization/amp/
Google’s report - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_sept2022.pdf
Sign of the Times
Even Microsoft is starting to feel the impacts of the global economic woes. Citing rising energy costs along with macroeconomic pressures, their shares dropped 6.4% Wednesday after announcing headwinds – despite their security portfolio growing 33% year over year! The adoption of MS’s security stack can save a company as much as 60% in security-related spending, according to MS, and I have no problem believing this. This is a tangible example of the migratory evolution to the cloud and the perception that you can get better security for less money. Of this you should have little doubt. However, it’s critically important to recognise that evolution, consolidation, and shifting of environments bring new security capabilities and new security risks. I’ll again refer to Google’s report (see above ref), which states that 13% of compromises were due to misconfiguration. When switching to a new system, regardless of how it may be better, new challenges surface. Prepare accordingly.
Article - https://www.ciodive.com/news/microsoft-earnings-headwinds/635018/
Pump and Dump
This week the FBI issued an alert highlighting an Iranian cyber group called Emennet Pasargad conducting hack-and-leak attacks under false flags, such as hacktivists and cyber-crime groups. The campaign, which appears to mostly target Israeli companies, is intended to undermine the public’s perception of a company’s security posture by stealing data and then publishing it along with a barrage of social media manipulation. Interestingly, this group has been operating since 2020 and was identified as one of the groups involved in the manipulation of the US Presidential Election.
There are a few interesting points here. First, the hacks do not appear to be sophisticated. They’re attacking PHP-enabled websites, using SQL injection against internet-facing open MySQL servers, and even Log4J – all of which are well-known weaknesses that can be found and exploited easily. Second, the use of ransomware TTPs, ranging from secondary ransom practices (doxing companies) to using tools to encrypt the data without any provision to pay or decrypt the information. Very NotPetya of them. Third, attempting to come across as a non-nation-state hacking organization is now commonplace, and it appears they weren’t very successful at it. Finally, the use of social media to enhance and manipulate the message is a vulnerability that at some point we’re going to have to address.
This week’s FBI report - https://www.ic3.gov/Media/News/2022/221020.pdf
Jan 2022 FBI report - https://www.ic3.gov/Media/News/2022/220126.pdf
Article - https://therecord.media/fbi-warns-of-hack-and-leak-operations-from-group-based-in-iran/
21st Century Scam - Part 2
In August’s newsletter I highlighted cyber-based scams being perpetrated on the elderly to the tune of billions over the last 5 years. This time around it’s a report that identified a 1126% increase year over year in the amount of money scammed from young people under 20. More than $101 million was stolen from “kids” in 2021 in the USA alone. The report goes further to highlight that losses from cyber scams have doubled since COVID, totaling $6.9 billion, referring to the FBI IC3 report (see August newsletter). Interestingly, romance scams rank rather high in losses. This study highlights the problems with online scams and especially a massive increase in attacks on your people.
Article focused on young people - https://www.cnbc.com/2022/10/26/kids-lose-millions-online-to-hackers-social-catfish-report-fbi-data.html
Article about IC3 report - https://socialcatfish.com/scamfish/state-of-internet-scams-2022/
FBI report - https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
Supply Chain Shackles
If you rewind the clock a few years you’ll see a collection of servers sitting in an office, a small data center, or even stacked up in cages, each one pretty much running a set of applications loaded on an operating system. In short, it was a relatively “closed”, small, and simple ecosystem. Today, it’s completely the opposite. With the birth of the “app”, the modularity of applications and services exploded, resulting in a highly complex and multilayered computing system. As such, very significant challenges are surfacing due to the vastness of technology supply chains.
A couple of interesting news items this week. First, Blackberry offered results from research showing that 77% of businesses uncovered hidden providers in their software supply chain, and 80% said they received notifications of an attack or vulnerability in their software supply chain providers in the last 12 months. Additionally, researchers from Checkmarx published a report related to a vulnerability they helped find in late 2021 that demonstrates hackers could essentially take over GitHub repositories. Although the vulnerability was ultimately addressed in May 2022, the concern now surrounds how much of the code to tens of thousands of applications was potentially manipulated. Much of the code that appears across many supporting modules (think Log4j) resides on GitHub, giving hackers the opportunity to inject malware into the supply chain.
This is not a small thing. Software Bill of Materials (SBOM) is very real and a great deal of energy is being put into getting 1) better visibility and 2) greater control. Importantly, the meaningful activities now are how to understand and digest supply chain vulnerabilities and how they relate to you – and ultimately how they get fixed!
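To make the "how do they relate to you" question concrete, here is an added example (not from the newsletter or any of the cited reports) of the two SBOM activities just named: visibility and relating a published vulnerability back to your own application. It loads a constructed CycloneDX-style SBOM for a hypothetical app called "inventory-api", checks each component against a constructed advisory list (placeholder advisory IDs, not real CVE numbers), and then walks the SBOM's dependency graph to show the path by which an affected library is pulled in. The "hidden provider" case is the interesting one: the affected logging library is not a direct dependency, it arrives transitively through a web framework, which is exactly what an SBOM is meant to surface.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical application "inventory-api".
# Sample data written for this example; component names, versions and purls are made up.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "inventory-api", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "pkg:maven/org.example/web-framework@5.1.0", "name": "web-framework", "version": "5.1.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/org.example/json-utils@1.9.3", "name": "json-utils", "version": "1.9.3"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/org.example/web-framework@5.1.0",
                                 "pkg:maven/org.example/json-utils@1.9.3"]},
    {"ref": "pkg:maven/org.example/web-framework@5.1.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.example/json-utils@1.9.3", "dependsOn": []}
  ]
}
'''

# Constructed advisory feed: component name -> (first fixed version, placeholder advisory id).
# Any version below the fixed version is treated as affected. IDs are placeholders, not real CVEs.
ADVISORIES = {
    "log4j-core": ("2.17.1", "ADV-PLACEHOLDER-001"),
    "json-utils": ("1.8.0", "ADV-PLACEHOLDER-002"),
}


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple, e.g. '2.14.1' -> (2, 14, 1)."""
    return tuple(int(part) for part in v.split("."))


def find_affected(sbom):
    """Return (name, version, advisory_id) for every component below its advisory's fixed version."""
    hits = []
    for comp in sbom["components"]:
        advisory = ADVISORIES.get(comp["name"])
        if advisory and parse_version(comp["version"]) < parse_version(advisory[0]):
            hits.append((comp["name"], comp["version"], advisory[1]))
    return hits


def dependency_path(sbom, target_ref):
    """Depth-first walk from the root component; returns the list of bom-refs leading to target_ref."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]

    def dfs(ref, path, seen):
        if ref == target_ref:
            return path
        if ref in seen:          # guard against cycles in malformed SBOMs
            return None
        seen.add(ref)
        for child in graph.get(ref, []):
            found = dfs(child, path + [child], seen)
            if found:
                return found
        return None

    return dfs(root, [root], set())


def names_along(sbom, path):
    """Map a path of bom-refs to human-readable component names."""
    lookup = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    root = sbom["metadata"]["component"]
    lookup[root["bom-ref"]] = root["name"]
    return [lookup[ref] for ref in path]


def audit(sbom_text=SBOM_JSON):
    """Full check: which components are affected, and how each one reaches the application."""
    sbom = json.loads(sbom_text)
    report = []
    for name, version, advisory_id in find_affected(sbom):
        ref = next(c["bom-ref"] for c in sbom["components"]
                   if c["name"] == name and c["version"] == version)
        path = dependency_path(sbom, ref)
        report.append({
            "component": name,
            "version": version,
            "advisory": advisory_id,
            "path": names_along(sbom, path) if path else None,
            # a path of exactly [root, component] means it is a direct dependency
            "direct": bool(path) and len(path) == 2,
        })
    return report


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Running it reports the logging library as affected and shows the path inventory-api -> web-framework -> log4j-core, with direct set to False: the fix is not simply bumping a line in your own manifest, it means getting the framework's maintainers to ship a fixed version or overriding the transitive dependency yourself. The version comparison is deliberately simple (numeric dotted versions only); a real tool would use a proper version-range library and a live advisory feed, and would also handle SBOMs that omit the dependencies section, which leaves you with visibility of what is present but no way to answer the "how does it reach me" question.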
GitHub Article - https://therecord.media/github-resolves-flaw-allowing-attacker-to-take-over-repository-infect-all-applications/
Checkmarx GitHub report - https://checkmarx.com/blog/attacking-the-software-supply-chain-with-a-simple-rename/
Original Checkmarx report from Nov 2021 - https://checkmarx.com/blog/a-new-type-of-supply-chain-attack-could-put-popular-admin-tools-at-risk/
CISA SBOM - https://www.cisa.gov/sbom
NTIA SBOM - https://ntia.gov/SBOM
US Executive order on Supply Chain - https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains/