Tag Archive for: Defenses

With the increase of cybercrime, local governments face in uphill battle in hardening digital defenses

/in


What would a small community do if its school district’s network was attacked by ransomware? What about if a municipally managed wastewater treatment plant in a rural county was shut down by a digital onslaught initiated by organized cybercriminals operating a continent away? 

With cyberthreats increasingly targeting municipal frameworks, these are the types of questions that constituents should be asking—and ones that local administrators should be prepared to answer.  

“You’re talking about tens of millions of dollars being raised from these crimes. It’s become a big business,” said Bert Kashyap, CEO of the cybersecurity firm SecureW2, which advises local governments on cybersecurity. 

Two decades ago when Kashyap entered the industry, hackers “were playing around with malware, it was less of an organized crime type of thing. Now, it’s definitely gotten to the point where there are nation states protecting these folks, and cyber gangs are basically forming syndicates,” Kashyap said. 

Last year, for example, American government organizations were targeted by nearly 80 ransomware attacks, potentially impacting 71 million people, according to a from the consumer tech information site Comparitech.  

Recently, the Allen Independent School District in Texas was targeted with ransomware. The district refused to pay, according to reports, and parents of children in the school system have since received threatening emails warning their student’s private information will be released if the district doesn’t change course. And on Thursday, the cybersecurity firm Mandiant issued a report detailing how “an aggressive, financially motivated threat actor” that goes by FIN12 is specifically targeting “critical care functions. Almost 20 percent of directly observed FIN12 victims were in the health care industry.” 

Faced with this rapidly emerging threat, Kashyap says most of the administrators he’s talked to and advised say they’re not prepared. 

“Everyone from school district (managers) to other local officials tell us they’re concerned,” he said. “Especially with the ransomware threats, when you have a situation (that)…

Source…

Windows MSHTML zero-day defenses bypassed as new info emerges

/in


Microsoft

New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor’s ultimate goal of taking over corporate networks.

This Internet Explorer MSHTML remote code execution vulnerability, tracked as CVE-2021-40444, was disclosed by Microsoft on Tuesday but with few details as it has not been patched yet.

The only information shared by Microsoft was that the vulnerability uses malicious ActiveX controls to exploit Office 365 and Office 2019 on Windows 10 to download and install malware on an affected computer.

Since then, researchers have found the malicious Word documents used in the attacks and have learned new information about how the vulnerability is exploited.

Why the CVE-2021-40444 zero-day is so critical

Since the release of this vulnerability, security researchers have taken to Twitter to warn how dangerous it is even though Microsoft Office’s ‘Protected View’ feature will block the exploit.

When Office opens a document it checks if it is tagged with a “Mark of the Web” (MoTW), which means it originated from the Internet.

If this tag exists, Microsoft will open the document in read-only mode, effectively blocking the exploit unless a user clicks on the ‘Enable Editing’ buttons.

Word document opened in Protected View
Word document opened in Protected View

As the “Protected View” feature mitigates the exploit, we reached out to Will Dormann, a vulnerability analyst for CERT/CC, to learn why security researchers are so concerned about this vulnerability.

Dormann told BleepingComputer that even if the user is initially protected via Office’s ‘Protected View’ feature, history has shown that many users ignore this warning and click on the ‘Enable Editing’ button anyway.

Dormann also warns that there are numerous ways for a document not to receive the MoTW flag, effectively negating this defense.

“If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected…

Source…

New AdLoad malware variant slips through Apple’s XProtect defenses

/in


New AdLoad malware variant slips through Apple's XProtect defenses

A new AdLoad malware variant is slipping through Apple’s YARA signature-based XProtect built-in antivirus tech to infect Macs as part of multiple campaigns tracked by American cybersecurity firm SentinelOne.

AdLoad is a widespread trojan targeting the macOS platform since at least since late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs), 

This malware can also harvest system information that later gets sent to remote servers controlled by its operators.

Increasingly active since July

These massive scale and ongoing attacks have started as early as November 2020, according to SentinelOne threat researcher Phil Stokes, with an increase in activity beginning with July and the beginning of August.

Once it infects a Mac, AdLoad will install a Man-in-The-Middle (MiTM) web proxy to hijack search engine results and inject advertisements into web pages for monetary gain.

It will also gain persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, user cronjobs that run every two and a half hours.

While monitoring this campaign, the researcher observed more than 220 samples, 150 of them unique and undetected by Apple’s built-in antivirus even though XProtect now comes with roughly a dozen AdLoad signatures.

Many of the samples detected by SentinelOne are also signed with valid Apple-issued Developer ID certificates, while others are also notarized to run under default Gatekeeper settings.

XProtect AdLoad signatures
XProtect AdLoad signatures (SentinelOne)

“At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules,” Stokes concluded.

“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”

Hard to ignore threat

To put things into perspective, Shlayer, another common macOS malware strain that has also been able to bypass XProtect…

Source…

Mark Warner calls for improved cyber defenses to protect schools

/in


After high-profile ransomware attacks this year, Senator Mark Warner and Senator Susan Collins have called for school districts to improve cyber defenses.

WASHINGTON — WSSC Water, which serves almost 2 million residents in Prince George’s and Montgomery counties, announced on Friday that it was a victim of a ransomware attack in late May that targeted “non-essential business systems.”

The cyberattack occurred on May 24 but the company said drinking water and wastewater systems were not impacted or ever at risk.

In a statement, WSSC Water Police and Homeland Security Director David McDonough said the virus was successfully removed and the company did not pay any ransom to the hackers.

“These attacks have become more common, especially in recent weeks, and WSSC Water has prepared for this type of event,” he wrote.

The company added that files were restored from back-ups and there was no significant impact on business operations, however, some customers may be notified about potential breaches.

“While the virus was not successful, it appears the ransomware criminals did gain access to internal files,” the statement read. “As the investigation continues, WSSC Water will notify in writing any individuals whose personal identifying information was exposed. Those individuals will be offered five years of credit monitoring with $1,000,000 in identity theft insurance at no cost to them.”

The announcement of the WSSC Water cyberattack came after highly publicized breaches against Colonial Pipeline and JBS Holdings earlier this year.

Both companies were forced to pay millions of dollars to the hackers to get control of their systems back.

Source…