The rapid shift to remote working has created newfound challenges for organizations when it comes to digitizing their operations. One major hurdle is managing employees’ digital identities. So much so that the vast majority of organizations (84%) report experiencing some form of identity-related breach within the past 12 months, which is undoubtedly a huge security risk.
A recent study found that nearly all organizations have seen an exponential increase in the number of identities they have to manage. This is because more applications and workloads are being moved to the cloud, while organizations are typically also working with more third-party software providers than ever.
Organizations must understand that they have a responsibility to protect their employees’ digital identities. Without a well-developed digital identity security strategy, they can face huge risks, such as operational disruption, negative publicity, and costly regulatory fines.
In this article we will examine some of the measures organizations can put in place to ensure the security of their digital infrastructure and regain control over employees’ digital identities.
Zero Trust Architecture – The ‘Be All and End All’ Solution?
Security strategies have to evolve with the times. With the hybrid working boom, it’s no longer enough for organizations to just protect the perimeter of their networks. Employees are now often logging in from multiple locations and on different devices; all they need is a reliable internet connection. Organizations have to take this into account – and understand that traditional measures are no longer fit for purpose.
The evolving business landscape has created new challenges for enterprise network security. Zero trust architecture (ZTA) is becoming an increasingly popular approach, as it provides a higher level of security than a perimeter-centric model. ZTA assumes that all devices and users are potentially malicious and requires that they be authenticated and authorized for each resource they access, rather than trusted once they are inside the network, making it more difficult for attackers to move laterally after an initial breach.
The effective management of users’ digital identities is the cornerstone of ZTA. Its…
Welcome to The Cybersecurity 202! Ahhhhh, long weekends. Who doesn’t love ‘em? Thanks for having a birthday, George Washington. As a result of the holiday, we’ll see you next on Tuesday.
Below: The Technology Modernization Fund announces new million-dollar investments to secure federal agencies, according to details shared exclusively with The Cybersecurity 202, and we dive into a coordinated effort between the United States and Europe to dismantle Russian spy networks. First:
The Post and its media partners uncover depths of deceptive tactics at Spanish firm
A Spanish reputation management firm conducted online “information warfare,” in the words of one expert, to alter perceptions of its clients, according to an investigation out this morning.
The story, written by my Washington Post colleague Shawn Boburg as part of a project involving more than 100 journalists from 30 news organizations, has a smorgasbord of cyber and cyber-related elements, from allegations of hacking to an Italian spyware company.
At the center of the story is Eliminalia, a firm founded by Diego “Dídac” Sánchez that “employs elaborate, deceptive tactics to remove or drown out unflattering news stories and other content,” the investigation found.
“It’s hugely significant that this stuff is happening,” Adam Holland, a project manager at Harvard University’s Berkman Klein Center for Internet and Society, said in response to The Post’s findings. “This is information warfare.”
Eliminalia and Sánchez did not respond to questions for Shawn’s story. Eliminalia’s lawyers declined to provide answers to the questions in part because they concern “business secrecy or a request for information on customers about whom our client could not in any case answer.”
The investigation draws on nearly 50,000 internal documents, and is part of the “Story Killers” project of Forbidden Stories, a Paris-based journalism nonprofit organization.
One of the company’s tactics is to bury unflattering information about its clients under an avalanche of…
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.
Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).
Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.
The authoring organizations strongly encourage network defenders to review the Indicators of Compromise (IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of legitimate RMM software.
Download the PDF version of this report: pdf, 608 kb.
For a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).
Overview
In October 2022, CISA used trusted third-party reporting to conduct retrospective analysis of EINSTEIN—a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected malicious activity on two FCEB networks:
In mid-June 2022, malicious actors sent a phishing email containing a phone number to an FCEB employee’s government email address. The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online.
In mid-September 2022, there was bi-directional traffic between an FCEB network and myhelpcare[.]cc.
The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email obtained from an FCEB network.
The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.
CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.
Note: Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.
CISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support themed social engineering (e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc). According to Silent Push, some of these malicious domains impersonate known brands such as Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[1] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional redirects and downloads of RMM software.
Use of Remote Monitoring and Management Tools
In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to “refund” this excess amount to the scam operator. Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors. Network defenders should be aware that:
Although the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can maliciously leverage any legitimate RMM software.
Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies.
The use of RMM software generally does not trigger antivirus or antimalware defenses.
Malicious cyber actors are known to leverage legitimate RMM and remote desktop software as backdoors for persistence and for C2.[2],[3],[4],[5],[6],[7],[8]
RMM software allows cyber threat actors to avoid using custom malware.
Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers.
The authoring organizations strongly encourage network defenders to apply the recommendations in the Mitigations section of this CSA to protect against malicious use of legitimate RMM software.
INDICATORS OF COMPROMISE
See table 1 for IOCs associated with the campaign detailed in this CSA.
Table 1: Malicious Domains and IP addresses observed by CISA

| Domain | Description | Date(s) Observed |
|---|---|---|
| win03[.]xyz | Suspected first-stage malware domain | June 1, 2022; July 19, 2022 |
| myhelpcare[.]online | Suspected first-stage malware domain | June 14, 2022 |
| win01[.]xyz | Suspected first-stage malware domain | August 3, 2022; August 18, 2022 |
| myhelpcare[.]cc | Suspected first-stage malware domain | September 14, 2022 |
| 247secure[.]us | Second-stage malicious domain | October 19, 2022; November 10, 2022 |
Additional resources to detect possible exploitation or compromise:
MITIGATIONS
The authoring organizations encourage network defenders to:
Audit remote access tools on your network to identify currently used and/or authorized RMM software.
Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
Use security software to detect instances of RMM software only being loaded in memory.
Implement application controls to manage and control execution of software, including allowlisting RMM programs.
Require authorized RMM solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter.
Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
U.S. Defense Industrial Base (DIB) Sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected].
CISA offers several vulnerability scanning services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.
Consider participating in CISA’s Automated Indicator Sharing (AIS) to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.
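One way to act on the "audit remote access tools" and "review logs for execution of RMM software" recommendations above, together with the Table 1 domains, is a small hunting script over host telemetry. This is an added example, not code from the advisory or its authoring organizations; the pipe-delimited log format, every sample line, and the assumption that authorized RMM clients are installed under Program Files are all constructed here.

```python
"""Hunt for portable RMM execution and advisory IOC domains in host telemetry.
The log format and every sample line below are constructed for this example."""
from typing import Iterable, List

# Domains from Table 1 of the advisory, kept defanged exactly as printed there.
IOC_DOMAINS_DEFANGED = {"win03[.]xyz", "myhelpcare[.]online", "win01[.]xyz",
                        "myhelpcare[.]cc", "247secure[.]us"}
# The two RMM products the advisory names; matching on product name avoids
# depending on exact client binary names, which the advisory does not list.
RMM_MARKERS = ("anydesk", "screenconnect")
# Assumption: authorized RMM clients live under Program Files. A copy running
# from anywhere else (Downloads, Temp, AppData) is a portable executable that
# never passed the install-time controls the advisory says actors bypass.
SANCTIONED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

def refang(domain: str) -> str:
    """Turn the defanged form (myhelpcare[.]cc) back into a resolvable name."""
    return domain.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def is_sanctioned_path(image_path: str) -> bool:
    p = image_path.lower()
    return any(p.startswith(prefix) for prefix in SANCTIONED_PREFIXES)

def parse_line(line: str) -> dict:
    """Constructed format: <iso-time>|<process|dns>|<user>|<image path or name>."""
    ts, kind, user, value = line.strip().split("|", 3)
    return {"ts": ts, "kind": kind, "user": user, "value": value}

def analyze(lines: Iterable[str]) -> List[dict]:
    """One alert per suspicious event; sanctioned RMM use produces nothing."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["kind"] == "process":
            image = ev["value"].lower()
            if any(m in image for m in RMM_MARKERS) and not is_sanctioned_path(image):
                alerts.append({**ev, "reason": "portable RMM execution outside install path"})
        elif ev["kind"] == "dns" and ev["value"].lower() in IOC_DOMAINS:
            alerts.append({**ev, "reason": "query for advisory IOC domain"})
    return alerts

# Constructed sample telemetry: one user runs portable clients and resolves IOC
# domains; a service account uses an installed client and an internal name.
SAMPLE_LOG = """
2022-06-14T09:11:40Z|dns|jdoe|myhelpcare.online
2022-06-14T09:12:05Z|process|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2022-06-20T14:00:00Z|process|svc_it|C:\\Program Files\\AnyDesk\\AnyDesk.exe
2022-06-20T14:00:10Z|dns|svc_it|updates.example.internal
2022-10-19T16:41:22Z|process|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.Client.exe
2022-10-19T16:41:30Z|dns|jdoe|247secure.us
""".strip().splitlines()
```

Running `analyze(SAMPLE_LOG)` yields four alerts for the jdoe events and none for the installed client, which is the distinction the "portable executable" note in this advisory is about.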
PURPOSE
This advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
Device lifecycle management helps agencies by cataloging minute details of each device in the agency’s environment. Device lifecycle management also can be part of a larger IT asset management system that involves software and networking equipment.
It is a key tool for IT leaders to know where each device is in its lifecycle and when it might be time to refresh or retire the asset.
As far as compliance is concerned, device lifecycle management is a way for IT leaders to know where the agency’s information lives and how it’s secured.
“One of the biggest things is taking security into account in the entire lifecycle,” Frazier says. “We still think of things as secure after the fact. We put it out there and oh, by the way, let’s make it secure. We can’t do that.
“As IT leaders, we have to be thinking for everything we build, from the time that we have it as a thought in our brain, we should be planning what the security is for that architecture,” he says. “We have to be thinking about the security implications.”
Conversations on device lifecycles often revolve around software because, as Frazier notes, “device lifecycle is software lifecycle,” and keeping both up to date is “a never-ending prospect.”
Process and policy are foundational to IT asset management, write David Comings and Randi Coughlin of CDW in a blog post. “They can ensure that unapproved or malicious downloads are discovered on the network and help automate security and compliance practices.”
Finances can be a limiting factor when establishing a device lifecycle management system. The agency must consider the cost of acquiring new devices and the cost of managing them, including efforts to maintain security and compliance.
On one hand, keeping devices in use for a longer time lowers the overall cost of ownership, but it stretches the energy and resources of the IT team that has to manage them.
“The longer you’re hanging on to devices, the more types of things you’re likely to be supporting — the more varieties of desktop models or…