Tag Archive for: monitoring

CRA’s computer network security suffers from ‘lack of monitoring:’ Audit


Filing your Canadian taxes digitally?

You may have cause to be concerned about how secure your information is, according to an internal audit, says Blacklock’s Reporter.

The audit says computer security at the Canada Revenue Agency — which has more than 27 million individual and corporate tax filers — is still uneven years after hackers breached the accounts of taxpayers.

“There was a lack of monitoring,” said the audit, blaming “a lack of management oversight.”

Revenue Agency managers “were not always aware of, or did not clearly understand, the security assessment and authorization process, more specifically for monitoring,” wrote auditors.

“Addressing security in the early stages of information technology projects and throughout the information system’s life cycle is vital to ensuring security is integrated into the design, that security objectives are met and that planning and resources are optimized.”

CRA’s website was shut down for six days in 2014 following a cyberattack, with hundreds of Social Insurance Numbers stolen.

Investigators determined the cyberattack went unnoticed for six hours before the system was shut down.

Six years later in 2020, thousands of tax records were breached in a second cyberattack and managers promised tighter security.

“The Canada Revenue Agency has one of the largest information technology environments and repositories of personal and financial information in the Government of Canada,” wrote auditors.

“Ninety percent of income tax and benefit returns and 94% of corporate income tax returns were filed digitally. It is essential for the agency to meet Canadians’ expectations for delivering client service while maintaining trust that their information will be protected from potential data breaches and identity theft.”

Source…

CISA publishes plan for remote monitoring tools after nation-state, ransomware exploitation


A collaboration between the U.S.’s cybersecurity defense agency and private companies published its first plan to address security issues with remote monitoring and management (RMM) tools on Wednesday.

RMM software is used by the IT departments of most large organizations around the world to gain remote access to a computer for software installations or other services employees need.

In recent years hackers have increasingly exploited these tools – particularly in government networks – as an easy way to circumvent security systems and establish long-standing access to victim networks. In January, for example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency said at least two federal civilian agencies were compromised by cybercriminals as part of a refund scam campaign carried out through RMM software.

In an announcement Wednesday, CISA said it worked with industry partners as part of the Joint Cyber Defense Collaborative (JCDC) to create a “clear roadmap to advance security and resilience of the RMM ecosystem.”

Eric Goldstein, CISA executive assistant director for cybersecurity, said the organization worked with other U.S. agencies as well as RMM companies to develop a plan focusing on four main tasks: vulnerability information sharing, industry coordination, end-user education and advisory amplification.

“The collaboration established to develop this plan has already achieved several accomplishments for RMM stakeholders and ecosystem,” Goldstein said in a statement. “As the JCDC leads the execution of this plan, we are confident that this public-private collaboration in the RMM ecosystem will further reduce risk to our nation’s critical infrastructure.”

RMM software allows hackers to establish local user access without the need for higher administrative privileges, “effectively bypassing common software controls and risk management assumptions,” CISA and the NSA said in their January announcement.

The agencies warned that threat actors could sell access to an exploited victim to government-backed hacking groups – noting that both cybercriminals and nation-states use RMM…

Source…

The Dark Web Is Expanding (As Is the Value of Monitoring It)


Many security professionals today associate the Dark Web with named leaks, which are leaked credentials from employee password reuse. This is still a relevant threat; in the last six years, the Flare platform has counted over 12 billion leaked credentials. The Dark Web is rapidly growing along with the variety of cybercrime. So is the value in monitoring it.

The cybercrime ecosystem now not only includes private communications platforms like I2P and Tor but also reaches across clear websites and Telegram channels.

Dark Web Monitoring: What to Watch For

There is tangible value in monitoring the Dark Web for potential risks. Following are some of the threats you might encounter.

Infostealer Malware

Stealer logs with corporate access are likely one of the most significant vectors for data breaches and ransomware attacks today.

Infostealer variants such as RedLine, Raccoon, Vidar, Titan, and Aurora infect computers, then exfiltrate the browser fingerprint containing all the saved passwords in the browser. Threat actors then sell the results on Dark Web marketplaces or Telegram channels.

Screenshot of a threat actor promoting RedLine stealer malware

These logs are then used for account takeover attacks, stealing cryptocurrency, or as initial access for ransomware attacks. Flare monitors more than 20 million infostealer logs and is adding 1 million new logs per month, many of which contain credentials to multiple corporate applications. We believe that somewhere between 2% and 4% of logs contain access to corporate IT environments that could pose significant risk if compromised.

To detect malicious actors distributing stealer logs across the Dark Web and Telegram, companies can monitor for any logs that contain saved access to an internal corporate domain, such as sso.companyname.com.
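The domain-matching check the paragraph describes, as an added example that is not code from the article or from Flare. It parses a constructed credential dump in the URL/USER line format that saved-password exports commonly use (real stealer families differ in layout), and flags two things: logins saved for hosts under a domain the organization owns, and corporate e-mail accounts saved against third-party sites, which is the password-reuse exposure the article opens with. The suffix comparison uses a leading dot so that a look-alike host such as `companyname.com.evil.example` does not match `companyname.com`. All hosts, accounts and domains in the sample are constructed.

```python
"""Flag stealer-log entries that reference an organization's own domains.

Added example (not from the article or from Flare). The URL/USER record
layout and every sample value below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed sample dump. Passwords are deliberately omitted: a monitor
# only needs the target host and the account name to raise an alert.
SAMPLE_LOG = """\
URL: https://sso.companyname.com/login
USER: j.doe@companyname.com
URL: https://mail.google.com/
USER: jdoe.personal@gmail.com
URL: https://companyname.com.evil.example/phish
USER: j.doe@companyname.com
URL: http://vpn.CompanyName.com:443/auth
USER: jdoe
URL: https://partner-portal.example.org/
USER: j.doe@companyname.com
"""


def host_in_scope(host, owned_domains):
    """True if host equals an owned domain or is a subdomain of one.

    Comparing against "." + domain stops 'companyname.com.evil.example'
    from matching 'companyname.com'.
    """
    host = host.lower().rstrip(".")
    for domain in owned_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def parse_entries(text):
    """Pair each URL line with the USER line that follows it."""
    entries, pending_url = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().upper(), value.strip()
        if key == "URL":
            pending_url = value
        elif key == "USER" and pending_url is not None:
            entries.append((pending_url, value))
            pending_url = None
    return entries


def find_corporate_exposure(text, owned_domains):
    """Return a list of findings for entries that touch an owned domain.

    reason == "corporate-app": the saved login targets an owned host.
    reason == "corporate-email-on-third-party": a corporate e-mail account
    was saved for a site the organization does not own (password reuse).
    """
    findings = []
    for url, user in parse_entries(text):
        host = urlsplit(url).hostname or ""      # hostname is already lower-cased
        target_owned = host_in_scope(host, owned_domains)
        email_domain = user.rpartition("@")[2] if "@" in user else ""
        account_owned = bool(email_domain) and host_in_scope(email_domain, owned_domains)
        if target_owned or account_owned:
            findings.append({
                "host": host,
                "account": user,
                "reason": "corporate-app" if target_owned else "corporate-email-on-third-party",
            })
    return findings


if __name__ == "__main__":
    for hit in find_corporate_exposure(SAMPLE_LOG, ["companyname.com"]):
        print(f"{hit['reason']:32} {hit['host']:35} {hit['account']}")
```

Running the sample yields four findings: the SSO and VPN hosts as direct corporate-app exposure, and the corporate address saved on the look-alike domain and on the partner portal as third-party reuse. In production the owned-domain list would come from asset inventory, and the matched host is the value worth alerting on, not the credential itself.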

Initial Access Brokers

Initial access brokers (IABs) are active across Dark Web forums, such as XSS and Exploit.in. IABs establish initial access to companies, which they resell in auction and forum threads, typically for $10,000 to $500,000 per listing, depending on the company and level of access. A listing usually contains:

  • Number of devices and services compromised
  • Industry of the victim company
  • Antivirus or endpoint…

Source…

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online


SUMMARY

In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing the logging recommendations in this advisory. Organizations that identify suspicious or anomalous activity should contact Microsoft to proceed with mitigation actions, since the affected infrastructure is cloud-based, and should also report the activity to CISA and the FBI.

TECHNICAL DETAILS

In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppId and AppId in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.

Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]

The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppId values). The MailItemsAccessed event enables detection of otherwise difficult-to-detect adversarial activity.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.
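The baseline-and-outlier check the agency applied, as an added example that is not part of the advisory and not a Microsoft tool. It reads a constructed Unified Audit Log export (one JSON record per line, as a SIEM would ingest it), keeps only MailItemsAccessed operations, and reports every event whose AppId is not in the set of application IDs the organization has confirmed as normal, grouped by mailbox user with the MailAccessType breakdown. The field names (Operation, AppId, ClientAppId, UserId, CreationTime, OperationProperties/MailAccessType) follow the UAL record schema; every GUID, user and timestamp in the sample is a constructed placeholder. Note that MailItemsAccessed requires the Purview Audit (Premium) licensing the advisory describes.

```python
"""Baseline-and-outlier check for MailItemsAccessed events in a UAL export.

Added example, not from the CISA/FBI advisory. Field names follow the
Microsoft 365 Unified Audit Log record schema; all GUIDs, users and
timestamps are constructed placeholders.
"""
import json
from collections import Counter, defaultdict

# Constructed baseline: AppIds the organization has confirmed normally access
# mailbox items (the mail clients it actually deploys). Placeholders only.
KNOWN_APP_IDS = {
    "00000000-0000-0000-0000-00000000aaaa",  # placeholder: sanctioned desktop/web client
    "00000000-0000-0000-0000-00000000bbbb",  # placeholder: sanctioned mobile client
}

# Constructed UAL export, one JSON record per line.
SAMPLE_UAL = """\
{"CreationTime": "2023-06-15T08:01:12", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "AppId": "00000000-0000-0000-0000-00000000aaaa", "ClientAppId": "00000000-0000-0000-0000-00000000aaaa", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
{"CreationTime": "2023-06-15T08:03:40", "Operation": "MailItemsAccessed", "UserId": "bob@agency.example", "AppId": "00000000-0000-0000-0000-00000000bbbb", "ClientAppId": "00000000-0000-0000-0000-00000000bbbb", "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}]}
{"CreationTime": "2023-06-15T02:17:05", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "AppId": "00000000-0000-0000-0000-00000000dead", "ClientAppId": "00000000-0000-0000-0000-00000000dead", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
{"CreationTime": "2023-06-15T02:19:33", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "AppId": "00000000-0000-0000-0000-00000000dead", "ClientAppId": "00000000-0000-0000-0000-00000000dead", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
{"CreationTime": "2023-06-15T09:00:00", "Operation": "UserLoggedIn", "UserId": "carol@agency.example", "AppId": "00000000-0000-0000-0000-00000000aaaa"}
"""


def parse_ual(text):
    """Yield one record dict per non-empty line, skipping malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # in production, count and alert on unparseable export lines


def access_type(rec):
    """Extract the MailAccessType value (Bind, Sync, ...) from OperationProperties."""
    for prop in rec.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None


def find_unknown_app_access(text, known_app_ids):
    """Return MailItemsAccessed events whose AppId is outside the baseline.

    Result shape: {user: {"app_ids": set, "count": int, "access_types": Counter}}.
    A missing AppId is treated as unknown rather than silently ignored.
    """
    findings = defaultdict(lambda: {"app_ids": set(), "count": 0, "access_types": Counter()})
    for rec in parse_ual(text):
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        app_id = rec.get("AppId") or rec.get("ClientAppId") or "<missing>"
        if app_id in known_app_ids:
            continue
        entry = findings[rec.get("UserId", "<unknown>")]
        entry["app_ids"].add(app_id)
        entry["count"] += 1
        entry["access_types"][access_type(rec) or "<unknown>"] += 1
    return dict(findings)


if __name__ == "__main__":
    for user, info in find_unknown_app_access(SAMPLE_UAL, KNOWN_APP_IDS).items():
        print(f"{user}: {info['count']} event(s) from unknown AppId(s) "
              f"{sorted(info['app_ids'])}, access types {dict(info['access_types'])}")
```

On the sample, only alice's two early-morning Bind events from the unrecognized AppId are reported; bob's Sync from a sanctioned client and carol's unrelated UserLoggedIn record are not. The baseline set is the part that takes effort: it has to be built from a period of known-good activity and revisited whenever a new mail client is sanctioned, which is what the advisory means by understanding the organization's cloud baseline.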

LOGGING

CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:

  • Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
  • Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
  • Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
  • Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.

GENERAL CLOUD MITIGATIONS

All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.

  • Apply CISA’s recommended baseline security configurations for Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams [SCuBA TRA Section 6.6].
  • Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties. Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.
  • Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms and security services, such as firewalls, data loss prevention systems, and intrusion detection systems [SCuBA TRA Section 6.8.1].
  • Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities [SCuBA TRA Section 6.8.1].
  • Review contractual relationships with all Cloud Service Providers (CSPs) and ensure contracts include:
    • Security controls the customer deems appropriate.
    • Appropriate monitoring and logging of provider-managed customer systems.
    • Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
    • Notification of confirmed or suspected activity.

REPORTING SUSPICIOUS ACTIVITY

Organizations are encouraged to report suspicious activity to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov.

REFERENCES

[1] Microsoft Security Response Center (MSRC) blog: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

ACKNOWLEDGEMENTS

Microsoft contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.

Source…