WebProNews

Category: SecurityProNews

  • Microsoft Warns Customers of Major Azure Security Issue

    Microsoft is warning impacted customers of a flaw in Azure Container Instances (ACI) that could allow individuals to access other customers’ information.

    It’s been a bad few weeks for Microsoft on the security front. Research firm Wiz discovered a flaw — named #ChaosDB — in Azure’s Cosmos DB that could allow a hacker to access other users’ databases.

    Now Palo Alto Networks has discovered a new flaw that could allow a malicious user to gain access to other customers’ information in the ACI service, according to Microsoft. The company says it has already fixed the vulnerability and has notified impacted customers.

    There is no indication any customer data was accessed due to this vulnerability. Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher activities, advising they revoke any privileged credentials that were deployed to the platform before August 31, 2021.

    If you did not receive a Service Health Notification, no action is required. The vulnerability is fixed and our investigation surfaced no unauthorized access in other clusters. If you are unsure whether your subscription or organization has received a notification, please contact Azure Support. If you have any concerns, rotating privileged credentials is a good periodic security practice and would be an effective precautionary measure.

    As the second-largest cloud provider, Microsoft had better get a handle on its security issues before it starts losing customer confidence.

  • REvil Is Back!

    REvil, one of the most notorious ransomware gangs, is back after its servers went offline two months ago.

    REvil is a gang of hackers, believed to be operating from Russia, that specializes in ransomware attacks. The group was behind the Kaseya attack, the biggest ransomware attack in history.

    Two months ago REvil went dark, with their servers going offline. Even their “leak site” went down. While servers for ransomware gangs often go down, as we pointed out then, it’s unusual for all of them to go down at once. Some experts believed the gang may have shut down operations in response to increased pressure after the Kaseya attack.

    Despite the seeming good news, experts warned organizations not to become complacent, and that REvil’s operators would likely show up somewhere, one way or another.

    According to security researchers, it appears that’s exactly what’s happened, as the group’s servers are once again active on the Dark Web.

    The revelation is bad news for organizations around the world, and underscores the importance of continued vigilance.

  • Harvard University Hit With Ransomware Attack

    Harvard University has revealed it has suffered a ransomware attack, the latest in a string of high-profile organizations that have fallen victim.

    The FBI has been warning that ransomware attacks are on the rise, and currently has more than 100 groups on its radar. JBS Foods, Colonial Pipeline and Kaseya are just a few of the organizations that have recently been attacked.

    Harvard University is the latest addition, announcing it suffered an attack on September 3.

    The situation is still being investigated, but we are writing to provide an interim update and to share as much information as we safely and possibly can at this point in time, considering that our emails are often shared within a public domain.

    Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyberattack.

    The university is working to restore normal operations, but its WiFi network will remain down until it can safely be brought back online.

  • FBI: Cybercriminals ‘Targeting the Food and Agriculture Sector’

    The FBI is warning that cybercriminals are targeting the US food and agriculture sector with ransomware attacks.

    US businesses and agencies have increasingly been under attack from cybercriminal groups, both state-sponsored and profit-driven. JBS Foods, T-Mobile, Colonial Pipeline, the University of Kentucky and Kaseya are just a few of the major companies and organizations that have recently been attacked.

    The worst may be yet to come, with the FBI warning that the food and agriculture sector is being specifically targeted.

    The Food and Agriculture sector is among the critical infrastructure sectors increasingly targeted by cyber attacks. As the sector moves to adopt more smart technologies and internet of things (IoT) processes, the attack surface increases. Larger businesses are targeted based on their perceived ability to pay higher ransom demands, while smaller entities may be seen as soft targets, particularly those in the earlier stages of digitizing their processes, according to a private industry report.

    The FBI is asking for any information that may be of assistance.

    The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.

    The FBI reiterates that it does not encourage companies to pay a ransom, but recognizes that all options are on the table when a company is crippled and unable to do business as a result of an attack. Regardless of whether an organization agrees to pay or not, the FBI encourages victims to contact it as soon as possible so it can render assistance.

    The FBI’s full notice is well worth a read, as it includes detailed mitigation efforts organizations should be taking.

  • Unpatched SSL VPN Vulnerabilities From 2019 Still Being Exploited

    Three SSL VPN vulnerabilities are being actively exploited, despite being disclosed in 2019 and patched by January 2020.

    SSL VPN products are critical to many organizations’ security. As such, they’re a prime target for bad actors looking for a way to compromise an entire network. Unfortunately, many companies and organizations are not patching vulnerabilities as they should be.

    Data from Tenable Research shows that three critical SSL VPN vulnerabilities are still being actively exploited: CVE-2019-19781, CVE-2019-11510 and CVE-2018-13379. CVE-2019-11510, in particular, had a Vulnerability Priority Rating (VPR) of 10.0, although the other two were not far behind at 9.9.

    Although all three vulnerabilities were disclosed in 2019 and patched by January 2020, they continue to be routinely exploited more than halfway through 2021. According to a joint cybersecurity advisory from four international government agencies, these vulnerabilities were some of the most exploited in 2020. In fact, CVE-2019-19781 was named the most exploited vulnerability of 2020, according to government data.

    With the increasing rate of hacks, ransomware and data breaches, it’s disturbing that organizations are not making it a priority to apply readily available patches to such a critical part of their security.

  • Big Tech Pledges Billions, Jobs and Training to Boost US Cybersecurity

    President Joe Biden met with leaders of the biggest tech firms, securing commitments from them to help improve US cybersecurity.

    US agencies and businesses have increasingly been under attack, with multiple high-profile cybersecurity incidents. As a result, President Biden has met with tech leaders in an effort to enlist their assistance.

    • Apple agreed to create a new program to improve security in the technology supply chain, as well as “drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.”
    • Google says it will invest $10 billion over the next five years to help secure the supply chain, improve open source security and expand zero-trust security — especially critical for cloud computing platforms.
    • IBM plans to provide cybersecurity training to 150,000 people over the next three years, and “will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.”
    • Over the next five years, Microsoft will invest $20 billion to “integrate cyber security by design and deliver advanced security solutions,” in addition to providing another $150 million in technical services to government agencies looking to improve their cybersecurity.
    • Amazon plans to make its employee security awareness training available to the public free-of-charge. The company will also provide all AWS account holders a multi-factor authentication device.

    These commitments by the biggest names in tech are significant, and should go a long way toward shoring up US cybersecurity.

  • Researchers Gain Access to Thousands of Microsoft Azure Customer Databases

    Researchers from security firm Wiz have gained access to thousands of Microsoft Azure customer databases, demonstrating a major security flaw.

    Microsoft Azure is currently the second largest cloud platform, behind AWS. As a result, companies the world over, large and small, rely on the platform for mission-critical operations.

    According to Wiz, the issue impacts Azure’s flagship database, Cosmos DB.

    A series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as gain read/write access to the underlying architecture of Cosmos DB.

    We named this vulnerability #ChaosDB. Exploiting it was trivial and required no other credentials.

    The flaw revolves around the Jupyter Notebook feature that Microsoft added in 2019. A misconfiguration in the notebook allows an attacker to escalate privileges and access other notebooks, the primary keys and eventually the entire database.

    Every Cosmos DB account that uses the notebook feature, or that was created after January 2021, is potentially at risk. Starting this February, every newly created Cosmos DB account had the notebook feature enabled by default and their Primary Key could have been exposed even if the customer was not aware of it and never used the feature.

    Microsoft has already begun warning customers, although it’s unclear to what extent. Wiz told The Register it believes Microsoft has only warned roughly 30% of impacted users, while Microsoft is saying all those affected have been notified.

    Whatever the case, this is a devastating issue for Microsoft, coming on the heels of other widespread vulnerabilities.

  • Another Week, Another Round of Serious Google Chrome Security Flaws

    In what is becoming a regular occurrence, Google has issued another Chrome update to fix a number of issues, including seven serious security flaws.

    Google Chrome is the most popular desktop browser by a wide margin. Unfortunately, it also seems to have its fair share of security issues, with Google issuing a patch every few weeks to fix critical ones.

    Google has now issued another fix, addressing seven serious security issues. Even the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is recommending users and admins update immediately.

    This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

    CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

    A recent report showed Firefox has dropped 50 million users in the last couple of years, and is now hovering around 200 million. Google’s ongoing issues show why it’s important to not only have a variety of browsers on the market, but also ones that use different rendering engines.

    Safari uses WebKit, Firefox uses Gecko and Chrome is based on the Chromium codebase, which uses Blink. Many others, such as Brave, Opera, Vivaldi and Microsoft Edge, are also based on Chromium, meaning they all use the same engine.

    As a result, with the popularity of Apple’s Safari on mobile, and Chrome-based browsers on the desktop, Firefox’s future as a private, secure third option is more important than ever.

  • Pearson Agrees to $1 Million Settlement With SEC Over Data Breach

    London-based Pearson, a company specializing in educational publishing, has agreed to a $1 million settlement with the SEC over a data breach.

    Pearson suffered a data breach in 2018 that resulted in the theft of millions of student records. Unfortunately, the company misled investors, and continued to do so well into 2019, referring “to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred.”

    Pearson’s statements continued to gloss over what really happened as late as July 2019. In addition, the company claimed to have “strict protections,” even though the security vulnerability remained unpatched six months after Pearson became aware of it.

    The company has agreed to settle with the SEC for $1 million as a result of the violations.

    “As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

  • T-Mobile Confirms Data Breach

    T-Mobile has confirmed it has suffered a data breach following reports that information for 100 million customers is for sale online.

    News broke yesterday that a hacker was trying to sell T-Mobile customer information. The hacker claimed to have gained access to T-Mobile servers, copying and backing up the data before he was locked out.

    T-Mobile issued a statement saying they were investigating the claims, but the company has now confirmed the breach occurred.

    We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

    We’ll provide updates as T-Mobile does.

  • Hacker Boasts of Massive T-Mobile Data Breach, Company Investigating

    A hacker is claiming to have obtained data for some 100 million T-Mobile customers and is trying to sell it.

    In a forum post online, a hacker claims to have compromised T-Mobile servers and made off with a treasure trove of customer data. While the post itself didn’t specify the company, Motherboard reached out to the hacker and received confirmation the target company was T-Mobile.

    The data in question is allegedly full customer information, including names, addresses, social security numbers (SSN), phone numbers, driver license information and unique IMEI numbers. Motherboard was given access to a sample of the data and confirmed its validity.

    It appears T-Mobile has closed the security issue that allowed the hackers access, but not before they copied the data and made multiple backups. The hacker(s) are trying to sell a subset of the data, composed of 30 million SSNs and driver licenses, for 6 bitcoin, or roughly $270,000. The rest of the data is being sold privately.

    Motherboard reached out to T-Mobile and received the following statement:

    “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.”

  • Keystrokes and Mouse Clicks: Amazon’s Plan to Monitor Customer Service Staff

    Amazon is rolling out a sweeping monitoring program, with the goal of tracking the keystrokes and mouse clicks of its customer service staff.

    In the era of Big Data, few companies have access to as much customer data as Amazon. The company controls the largest e-commerce platform, a line of popular security devices and, of course, the most popular cloud computing platform in the world. As a result, the company is a prime target for unscrupulous individuals looking to access that data.

    According to a document seen by Motherboard, Amazon is preparing to roll out software designed to track customer service employees’ activity in an effort to prevent abuses from occurring. The company has already had instances where imposters have impersonated customer service staff and accessed information.

    The company has looked at various solutions, including those that capture all keystrokes and mouse clicks. The one the company appears to be leaning toward focuses on capturing patterns instead, building a profile of how a person interacts with their workstation, via the keyboard and mouse. If someone else tries to use it, their usage would stand out as different from the established pattern, making it easy to spot an imposter.

    “We have a security gap as we don’t have a reliable mechanism for verifying that users are who they claim they are,” reads the document.

    The lengths to which Amazon is going illustrate the ongoing struggle companies have, and the solutions that will likely become more commonplace as threats continue to grow.

  • University of Kentucky Discloses Large Data Breach

    The University of Kentucky has sent out a letter disclosing a data breach impacting some 355,000 individuals.

    UK discovered the issue during an annual cybersecurity penetration test. The breach occurred in June 2021, impacting the College of Education database, part of the university’s Digital Driver License (DDL) platform. The DDL is used by K-12 schools and other colleges, both in and outside of Kentucky, for online training and test-taking.

    UK says the database contained usernames (usually a person’s email) and passwords for some 355,000 individuals, although the university says it contained no other personal information, minimizing potential identity theft concerns.

    “The University of Kentucky has spent more than $13 million on cybersecurity in the last five years alone,” said Brian Nichols, UK’s chief information officer. “We have increased cybersecurity investments and enhanced our mitigation efforts in recent years, which enabled us to discover this incident during our annual inspection process conducted by an outside entity. Although the potential for identity theft is limited, we take this incident seriously and it is unacceptable to us. As a result, we will be taking additional measures to provide even more protection going forward. UK’s chief concern is end user privacy and protection and we are making every effort to secure end user data.”

    You can read UK’s full disclosure letter, contributed by The Record, here.

    The DDL’s primary purpose is to provide free online teaching and test-taking capabilities to K-12 schools and colleges in Kentucky and other US states. The platform is also used by the university for some of its own test-taking capabilities.

    The DDL breach was discovered in early June when the university carried out scheduled penetration tests of its platforms with the help of a third party.

    The test uncovered a vulnerability in the DDL platform which, when the university investigated further, it discovered had been exploited earlier in the year.

  • 86% of Organizations Expect to Suffer a Successful Cyberattack

    A whopping 86% of organizations expect to suffer a successful cyberattack in the next year.

    Cyberattacks have been on the rise for years, although the last year has seen some particularly devastating examples. The ransomware attacks on Colonial Pipeline, Kaseya and JBS are some of the most recent ones that have had far-reaching consequences.

    Unfortunately, the outlook going forward doesn’t look much better. According to the latest research by Trend Micro, some 86% of organizations expect to be the victim of a successful cyberattack within the next 12 months.

    In asking about attacks in the past 12 months and future attacks in next 12 months, the results don’t bode well for 2H’2021. Globally, 81% had 1 or more successful attacks, and 24% had 7 or more successful attacks in the past 12 months. Additionally, 86% say it is somewhat to very likely they will have a successful attack in the next 12 months. This again appears to indicate organizations know they are not prepared enough to defend against new attacks.

    Cybersecurity has been a major focus of the Biden administration, but it looks like there’s still a long way to go before companies feel safe from threats.

  • FBI Has More Than 100 Ransomware Groups on its Radar

    The FBI is currently keeping tabs on more than 100 ransomware groups in the wake of multiple, high-profile attacks.

    Bryan Vorndran, assistant director of the FBI’s cyber division, was testifying before a Senate Judiciary Committee hearing when he divulged the statistic, according to NBC News. Ransomware gangs have already cost untold damage in recent times. Hackers targeted managed software provider Kaseya; shut down JBS, one of the world’s largest meat processors; and crippled fuel supplies on the US East Coast by attacking Colonial Pipeline.

    Some ransomware gangs have gone dark, most notably REvil, the gang behind the Kaseya attack. Similarly, the gang behind the Colonial Pipeline attack has disbanded its Ransomware as a Service (RaaS) operations.

    Assistant Director Vorndran’s revelation echoes what other experts have said, warning that organizations should not get complacent just because some gangs have shut down.

  • Kaseya Has Obtained Ransomware Unlock Key

    The target of the largest ransomware attack in history has obtained the key to unlock impacted systems.

    Kaseya makes IT management software used by companies around the world. As a result, it’s a tempting target for hackers, since compromising its software can potentially compromise thousands of its clients and their clients. This most recent attack compromised as many as 1,500 customers around the world.

    REvil, the gang believed to be behind the ransomware, went dark in the aftermath of the attack. According to The Washington Post, Kaseya has now received the unlock key from a “trusted third party.” The company has verified the universal decryptor key works, and is rolling it out to customers.

    The news is a welcome relief to the victims of the attack, and should speed up their recovery.

  • AWS Bans NSO Group Behind Pegasus Spyware Used Against Journalists

    Amazon Web Services has shut down the accounts of Israeli surveillance firm NSO Group, following explosive revelations of its software being used to target activists and journalists.

    The Washington Post reported that NSO Group’s software, which is normally used to combat terrorists and criminals, “was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi.”

    The reaction has been swift and severe, with the company pledging to investigate the incidents. Nonetheless, Motherboard has reported that AWS is shutting down accounts linked to the Israeli company.

    “When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts,” an AWS spokesperson told Motherboard in an email.

    This issue is a potential minefield for AWS, since a forensic report by Amnesty International shows NSO Group recently started using AWS services, with captured data from its software being sent to a service on Amazon CloudFront.

    Given the accusations against NSO Group — especially targeting human rights activists and journalists — it’s likely AWS’ response won’t be the last repercussions the company faces.

  • US Offers $10 Million Reward for Information on ‘Foreign Malicious Cyber Activity’

    The US is ramping up its fight against cybercriminals, especially those who are state-sponsored, offering a $10 million reward for information.

    Cybersecurity has become the new battleground of the 21st century. To make matters worse, many hacking groups are state-sponsored, as a successful cyberattack carries far less risk for a hostile government than open confrontation.

    The US has been rocked by multiple ransomware attacks, including against critical infrastructure. The Colonial Pipeline attack had a devastating impact on the East Coast fuel supply, the attack against JBS threatened the food chain and the Kaseya attack is believed to have up to 1,500 victims.

    The State Department is fighting back, using its Rewards for Justice program to offer “a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

    To protect anyone having information, Rewards for Justice has set up a Dark Web, Tor-based method for reporting tips.

    For more information, visit www.rewardsforjustice.net.

  • NortonLifeLock In Advanced Talks to Buy Avast

    Two of the leaders in the cybersecurity software market are in advanced merger talks, according to reports.

    NortonLifeLock and Avast are two of the most well-known makers of cybersecurity software. Norton has been a common name in the market for decades, while Avast made a name for itself as a freemium alternative.

    According to The Wall Street Journal, the two companies are already in advanced talks for a deal that could value Avast as high as $8 billion. The deal could be completed as early as this month, provided no deal-breaking issues arise.

    Should Norton succeed in purchasing Avast, the combined company would be a behemoth in the industry, and put tremendous pressure on rivals.

  • DOJ and DHS Launch Website to Help Ransomware Victims

    The Department of Justice (DOJ) and the Department of Homeland Security (DHS) have launched StopRansomware.gov as a one-stop cybersecurity resource.

    Ransomware has become one of the leading cybersecurity threats, impacting businesses, organizations and agencies of all sizes. The most recent Kaseya attack, believed to be the largest ever, illustrated the growing dangers of an interconnected tech industry. Because Kaseya makes software used in managed services, as many as 1,500 customers were impacted.

    The DOJ and DHS have created StopRansomware.gov in an effort to help companies protect themselves from ransomware, as well as mitigate the impacts should an attack occur. The site will also serve as a place to keep current with news and threat alerts.

    “The Department of Justice is committed to protecting Americans from the rise in ransomware attacks that we have seen in recent years,” said Attorney General Merrick B. Garland of the Justice Department. “Along with our partners in and outside of government, and through our Ransomware and Digital Extortion Task Force, the Department is working to bring all our tools to bear against these threats. But we cannot do it alone. It is critical for business leaders across industries to recognize the threat, prioritize efforts to harden their systems and work with law enforcement by reporting these attacks promptly.”

    “As ransomware attacks continue to rise around the world, businesses and other organizations must prioritize their cybersecurity,” said Secretary Alejandro Mayorkas for the Department of Homeland Security. “Cyber criminals have targeted critical infrastructure, small businesses, hospitals, police departments, schools and more. These attacks directly impact Americans’ daily lives and the security of our nation. I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.”

    StopRansomware.gov should be a resource in every security professional’s toolbox.

  • Experts Warn of Ongoing Danger Despite REvil Going Dark

    Ransomware gang REvil may have gone dark, with its sites offline, but experts are warning against becoming complacent.

    REvil has been behind two recent, high-profile ransomware attacks. The group was behind the attack that crippled JBS, one of the world’s leading meat processors. They were also behind the largest-ever ransomware attack on Kaseya.

    REvil appears to have gone dark, with all of its websites going offline. Some believe the group may have received a subpoena, prompting the group to erase their servers in an effort to avoid prosecution.

    Despite the apparent good news, cybersecurity experts are warning against becoming complacent, as it’s only a matter of time before the group, or at least its members, resurface.

    Toshihiro Koike, CEO of Cyber Security Cloud Inc. (CSC), the provider of the only service on the market that automatically builds, tests and tunes AWS rules and continuously defends against zero-day threats, commented on the recent news that the REvil hacking group disappeared this afternoon.

    “It doesn’t matter if REvil’s sites have gone dark; the threat of ransomware attacks is constant and the players will just re-emerge elsewhere,” Toshihiro Koike, CEO of Cyber Security Cloud Inc, told WebProNews. “Now is the time for companies to re-evaluate their systems and become proactive about cybersecurity. Every company on Earth is vulnerable to a debilitating ransomware attack, so what are you going to do about it?”

    Koike’s warning should be a sobering reminder to companies large and small to continue securing their networks and services.