Tag Archive for: Activity

Georgia School District Goes Offline After Suspicious Activity

/in


(TNS) — Henry County Schools Superintendent Mary Elizabeth Davis said Tuesday leaders continue to investigate “suspicious activity” that has resulted in the district restricting Internet access since last week.

In a video posted to YouTube, Davis did not say what activity led the south metro Atlanta district to decide to take its Internet offline on Thursday, but said that student services, payroll, billing and other district operations remain functional as the school system conducts a probe of its network.

“What we know now is that last week suspicious activity was detected on our network,” she said. “And as you would expect, we take matters of this nature very seriously.”


The district’s investigators are being joined by the U.S. Department of Homeland Security, the FBI, the Georgia Emergency Management Agency, Henry County Police Department and others in its probe, Davis said.

Henry Schools said late last week that district operations ”will continue for students with the exception of online courses.” In addition, leaders said lunches, bus services and after-school activities would “continue as normal.” The livestream of the Henry school board’s Monday meeting was canceled because of the district’s restricted Internet functions.

Davis did not say when Internet functionality would return to the system or when the district might have answers in the investigation, including defining the “suspicious activity.”

She did, however, seek to find a bright side to the challenges.

“It really has been amazing to see the agility of our organization kick in,” she said. “As always, the Henry County team of professionals, our students and our parents have responded with amazing adaptability as we keep school operations going, maintain student learning and maintain functionality of our core business applications.”

©2023 The Atlanta Journal-Constitution. Distributed by Tribune Content Agency, LLC.

Source…

Wi-Fi encryption can be hacked and anyone can spy on your internet activity

/in


Equifax and Yahoo disclosed major security breaches recently, which are quite scary, especially the former. But security researchers are about to unveil to explain how hackers could hack any existing Wi-Fi connection and spy on all of your data.

The encrypted WPA2 protocol was just breached, putting at risk everyone who uses wireless internet at home or abroad. You can’t fix the issue yourself, but while you wait for network equipment makers to patch access points, there are several steps you can take to protect yourself.

Yes, the issue is serious, but as long as a hacker isn’t specifically looking to spy on your data, you should not worry about it.

The proof-of-concept exploit is called KRACK (or Key Reinstallation Attacks), according to Ars Technica. An advisory from US-CERT explains that the hack should be publicly disclosed on Monday:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven will be publicly disclosing these vulnerabilities on 16 October 2017.

Until access points are fixed, all Wi-Fi traffic is at risk, meaning that hackers will be able to eavesdrop on all your Wi-Fi traffic and steal data coming from all sorts of home devices that connect to the internet wirelessly.

If you’re worried about your security, various solutions can help you mitigate the problem while you wait for hardware companies to update router firmware.

You can stop using Wi-Fi until your routers are fixed, and switch to Ethernet instead. You should also consider using Virtual Private Networks (VPN) to obfuscate your internet usage, especially if you keep using Wi-Fi, and especially in those…

Source…

Mallox Ransomware Group Activity Shifts Into High Gear

/in


A ransomware actor with a penchant for breaking into target networks via vulnerable SQL servers has suddenly become very active over the past several months and appears poised to become an even bigger threat than it is already.

The group, tracked as Mallox — aka TargetCompany, Fargo, and Tohnichi — first surfaced in June 2021 and claims to have infected hundreds of organizations worldwide since then. The group’s victims include organizations in the manufacturing, retail, wholesale, legal, and professional services sectors.

Sudden Surge

Starting earlier this year, threat activity related to the group has surged, particularly in May, according to researchers at Palo Alto Networks’ Unit 42 threat intelligence team. Palo Alto’s telemetry, and that from other open threat intelligence sources, show a startling 174% increase in Mallox-related activity so far this year, compared to 2022, the security vendor said in a blog this week.

Previously, Mallox was known for being a relatively small and closed ransomware group, says Lior Rochberger, senior security researcher at Palo Alto Networks, attributes the explosive activity to concerted efforts by group leaders to grow Mallox operations.

“In the beginning of 2023, it appears that the group started putting more efforts into expanding its operations by recruiting affiliates,” she says. “This can potentially explain the surge we observed during this year, and especially more recently, around May.”

The Mallox group’s typical approach for gaining initial access on enterprise networks is to target vulnerable and otherwise insecure SQL servers. Often they start with a brute-force attack where the adversary uses a list of commonly used passwords or known default passwords against an organization’s SQL servers.

Targeting Insecure SQL Servers

Researchers have observed Mallox exploiting at least two remote code execution vulnerabilities in SQL — CVE-2020-0618 and CVE-2019-1068, Rochberger says.

So far, Unit 42 has only observed Mallox infiltrating networks via SQL servers. But other researchers have reported recent attempts to distribute Mallox via phishing emails, suggesting that new affiliate groups are involved now as well, Rochberger says.

“After…

Source…

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

/in


SUMMARY

In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft for proceeding with mitigation actions due to the cloud-based infrastructure affected, as well as report to CISA and the FBI.

Download the PDF version of this report:

TECHNICAL DETAILS

In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.

Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]

The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.

LOGGING

CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:

  • Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
  • Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
  • Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
  • Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.

GENERAL CLOUD MITIGATIONS

All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although, these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.

  • Apply CISA’s recommended baseline security configurations for Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams [SCuBA TRA Section 6.6].
  • Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties. Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.
  • Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms and security services, such as firewalls, data loss prevention systems, and intrusion detection systems [SCuBA TRA Section 6.8.1].
  • Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities [SCuBA TRA Section 6.8.1].
  • Review contractual relationships with all Cloud Service Providers (CSPs) and ensure contracts include:
    • Security controls the customer deems appropriate.
    • Appropriate monitoring and logging of provider-managed customer systems.
    • Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
    • Notification of confirmed or suspected activity.

REPORTING SUSPICIOUS ACTIVITY

Organizations are encouraged to report suspicious activity to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov.

RESOURCES

REFERENCES

[1] Microsoft Security Response Center (MSRC) blog: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

ACKNOWLEDGEMENTS

Microsoft contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.

Source…