Security Bytes - Issue 4

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.

Ok, this week we have a report saying we’re going to have to deal with Log4j for at least a decade, session cookies bypass MFA, new ransomware gets smart and comes to you as a Google update, we come to grips with cars are computers, and finally the reality of crypto and North Korea.

Here we go…

The Truth Bytes

The US’s Dept. of Homeland Security (DHS) formed the Cyber Safety Review Board (CSRB) in February and this week they issued their first report calling out that Log4j has become the first endemic vulnerability, meaning that it will be present in in systems for the next decade. The CSRB provided 15 recommendations (Section 3) that reenforces foundational security practices adding to the importance of security hygiene.

The concept of long-standing vulnerabilities that are/were unknown is far from new… hence the term zero-day/0-day. But how this manifested and persists says a lot about the future of cybersecurity. We speak in terms of third-party risk and more recently supply chain security (e.g., SolarWinds) that have evolved from certificate theft to embedded code. The simple point being… complexity is security nemesis and today’s environment is extraordinarily complex, layered, and relies on dozens if not hundreds of different groups.

With hyper-speed digital transformation, application security and application ecosystem security will become the focal point, far more than it is today. The key for organizations is getting a grip on the role of security in applications, cloud, and transformative strategies now.

Links:
Article: https://therecord.media/first-cyber-safety-review-board-report-finds-log4j-has-become-an-endemic-vulnerability/
DHS Report: https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
Log4j: https://www.lunasec.io/docs/blog/log4j-zero-day/
DHS Announcement of board: https://www.dhs.gov/news/2022/02/03/dhs-launches-first-ever-cyber-safety-review-board
Board’s site: https://www.cisa.gov/cyber-safety-review-board

Cookie Monster

This week Microsoft disclosed a nearly yearlong phishing attack impacting over 10k companies by bypassing accounts secured with multi-factor authentication (MFA) essentially by stealing session cookies. Attackers then used the stolen credentials to perform additional business email compromise (BEC) attacks to move laterally within the environment.

It's important to understand the importance and risks related to session cookies, and cookies in general. In fact, all forms of data retention in your browser (IMHO) is fundamentally a bad thing from a cyber perspective (don’t get me started with EverCookie), and today’s browsers are highly sophisticated applications that don’t always have your interests at heart.

There are several lessons here: 1) session cookies and cookies in general should be managed better by companies and by users. Be an active participant in your personal security by recognizing this and taking action; 2) email is the trunk of your digital tree. All password verification, resets, and changes end up in email. Therefore, protecting your account is critical to cyber survival; 3) use MFA on everything, but also take advantage of additional layers of verification and especially conditional access policies so you’re not relying on one form of authentication. In today’s marketing vernacular this is getting close to zero trust.

For our clients, there’s a lot happening here. You have phishing attacks, MFA by-pass, and BEC attacks. Add to that companies everywhere are exploring zero trust and addressing integrated MFA solutions. A big first step is setting a strategy, framework, and a specific roadmap that helps put an organization on a path to success. This is where our vCISO practice can help companies and begin that envisioning zero trust process.

Links:
Microsoft blog: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
Article: https://www.theregister.com/2022/07/13/aitm-phishing-microsoft/
Technical article: https://thehackernews.com/2022/07/microsoft-warns-of-large-scale-aitm.html
Evercookie: https://en.wikipedia.org/wiki/Evercookie

Ransomware Masquerade

Threats are up to their old tricks with a new spin. A new ransomware called “HavanaCrypt” discovered by researchers at Trend Micro disguises itself as an update to Google software, but is using Microsoft’s web hosting service for its command and control server (C2/C&C).

Using software updates to distribute malware is not necessarily new and early examples go back to 2015 and conceptually noted by the FBI and Brian Krebs as far back as 2012. This is also more than tangentially related to third-party and supply chain risk. The primary lesson here is while malware can leach into your environment via updates, the first step is ensuring you’re using established and trusted sources for software updates. Of course, they are not immune but far better than other out-of-band updates.

Links:
Trend Micro’s report (must read, quite good): https://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html
Article: https://www.darkreading.com/attacks-breaches/attacker-using-fake-google-software-update-to-distribute-new-ransomware
Additional article: https://www.infosecurity-magazine.com/news/havanacrypt-ransomware-fake-google/
2015 Article: https://blog.zonealarm.com/2015/03/software-update-malware/
Krebs: https://krebsonsecurity.com/2012/05/fbi-updates-over-public-net-access-bad-idea/

Car Code

This week Honda announced it’s addressing a number of vulnerabilities, some dating back to 2016 affecting the key fob. The most recent vulnerability earlier this year was a replay attack allowing attackers to open and start vehicles remotely.

Hacking cars, especially key fobs, is not new but in general becoming an increasing concern. The auto industry is very interesting and has a number of regulations impacting how it designs, produces and supports the vehicles it manufactures. Add to that intense competition, customer demand, and digital transformation, automakers have a technical debt that would choke most companies.

Take for example Boeing’s 787 uses about 8 million lines of code, or Android OS is about 15 million lines, or perhaps Microsoft’s Windows 11 is roughly 50 million. But a modern car… over a 100 million lines of code. The 2009 the Mercedes S-Class’s navigation system alone was 20 million lines of code.

Today’s cars have well over a 100 processors, each addressing various operability, entertainment and performance - and security - aspects of the vehicle. Now, add to this self-driving and all this implies, you start to see some cyber threats and the potential for the impact to human life.

The key take-away (pun intended) is twofold. First, include a cybersecurity discussion in your car buying process. Finally, patching and maintaining code to minimize and address vulnerabilities is absolutely paramount to ensuring the foundation of security program is solid, we just now have to include vehicles in this practice. And by vehicle, I’m including company fleets, company provided cars, public transportation, farming equipment, trucks, shipping vessels and the like, because they all run on software now.

Links:
Article: https://therecord.media/honda-redesigning-latest-vehicles-to-address-key-fob-vulnerabilities/
Recent vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-27254

Crypto, Because that’s Where the Money is

I could write a book about this, but Geoff White beat me to it with “The Lazarus Heist”, which I highly recommend. Nevertheless, I’ll try to keep this short.

Recently reported by the FBI was the theft of over $620M in Ethereum, which was on the back of an estimated $400M theft of digital assets based on chain analysis in 2021, and prior to that an estimated $1.3B in overall theft, starting in 2016, which is tied to the Bangladesh Bank cyber heist – only $81M, yet still the largest single bank robbery in history.

Who is doing this and who is Lazarus? In short, North Korea. APT38 (Advanced Persistent Threat). When added up we’re well over $2.5B in known theft and they are absolutely all about the cyrpto.

Reports of using deepfake to manipulate Know Your Customer (KYC) processes successfully and manipulating job interviews to get legitimate positions to perpetrate a wide range of attacks, most notably insider attacks. Add to this the unrelenting attacks on MFA controls, SIM card jacking, and business email compromises (BEC) that are flooding the new as I write, you can almost feel it coming down around you.

It's interesting to note that crypto has completely changed cybercrime. Unlike a decade ago, there is an easy way to monetize hacking and countries like North Korea have the motive, means, and opportunity to commit vast levels of cybercrime to fill their coffers, and they are relentless, desperately unethical, and boundless in approach. From a global perspective, keep in mind that one of the most valuable underlying aspects of crypto is portability across country lines. Meaning, we have a nation state that is not interested in cashing out the billions, but rather having purchase and political power in other nations.

Let that sink in.

Now that you’re processing that, companies need to be keenly aware of this type of threat, especially those embracing crypto. The various forms of data within organizations is valuable in some way. To put into context, data storage, bandwidth, and processing is cheap so why not collect it all? The ability to sift through endless volumes of data to extract actionable intelligence is trivial. Now point that weapon at obtaining money and power in cyberspace.

Links:
Article: https://www.cnn.com/2022/04/14/politics/fbi-north-korea-hackers-crypto/index.html
FBI statement: https://www.fbi.gov/news/press-releases/press-releases/fbi-statement-on-attribution-of-malicious-cyber-activity-posed-by-the-democratic-peoples-republic-of-kore
APT38: https://attack.mitre.org/groups/G0082/
About Lazarus: https://www.mandiant.com/resources/apt38-details-on-new-north-korean-regime-backed-threat-group
Chainanalysis: https://blog.chainalysis.com/reports/north-korean-hackers-have-prolific-year-as-their-total-unlaundered-cryptocurrency-holdings-reach-all-time-high/
Book: https://www.amazon.com/dp/024155425X