2021 will overburden already stressed infosec teams

The year 2020 has given us a contentious U.S. election, a global economic crisis, and most notably a global pandemic. Disinformation has wreaked havoc on our ability to discern fact from fiction, ransomware has been delivering ever more serious consequences, and insider leaks continue to validate privacy concerns despite increased adoption of privacy laws across the globe. According to a recent study published by Webroot, there has been a 40% increase in unsecured RDP-enabled machines … More

The post 2021 will overburden already stressed infosec teams appeared first on Help Net Security.

Automation to shape cybersecurity activities in 2021

Automation will play a major role in shaping cybersecurity attack and defence activities in 2021, WatchGuard predicts.

Spear phishing has traditionally been a high-investment, high-return targeted attack, but in 2021 automation tools will replace manual techniques and help cybercriminals launch spear phishing campaigns at record volumes, harvesting victim-specific data from social media sites and company web pages.

Automated spear phishing attacks to prey on fears

And as society continues to grapple with the impact of COVID-19, it is likely that these automated spear phishing attacks will prey on fears around the pandemic, politics and the economy.

Conversely, the research team believes that automation will also help cloud-hosting providers such as Amazon, Microsoft and Google to crack down on cybercriminal groups abusing their reputation and services to launch malicious attacks.

Threat actors commonly host website HTML files designed to mimic a legitimate website like Microsoft 365 or Google Drive to steal credentials submitted by unsuspecting victims. But in 2021, these companies will deploy automated tools and file validation technologies that will spot spoofed authentication portals.

In its annual look ahead to the next 12 months, WatchGuard expects the tumultuous events of 2020 to shape the threat landscape next year and for years to come. Other predictions include:

Attackers swarm VPNs and RDPs as the remote workforce grows

As more companies adopt VPNs and Remote Desktop Protocol (RDP) solutions to provide secure connections to employees working from home, attacks against them will double in 2021. If an attacker can compromise VPN, RDP or remote connection servers, they have an unobstructed path into the corporate network.

Security gaps in legacy endpoints targeted

Endpoints have become a high priority target for attackers during the global pandemic and many personal computers are still running legacy software that is difficult to patch or update.

With Microsoft just ending its extended support program for Windows 7, organizations are warned to expect at least one major new Windows 7 vulnerability to make headlines in 2021.

Services without MFA will suffer a breach

Authentication is the cornerstone of strong security; but with billions of usernames and passwords available on the dark web and the prevalence of automated authentication attacks, no Internet-exposed service is safe from cyber intrusion if it isn’t using multi-factor authentication (MFA). In fact, any service without MFA enabled is highly likely to be compromised in 2021.

“As we have learnt in 2020, it is very difficult to predict what is going to happen in the future,” says Corey Nachreiner, CTO at WatchGuard.

“But our Threat Lab team along with other researchers around the world have an increasing level of analytics and insight to make well-informed guesses. Cybercriminals always look for the weak links, so the growing ranks of home workers are an obvious target and when it comes to new technologies such as automation and AI, what can work for good, can also be exploited for malicious activity. It’s just a case of trying to stay one step ahead.”

The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.

The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems.

The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually.

Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company’s internal network remotely.

Five months later, Gunnebo disclosed it had suffered a cyber attack targeting its IT systems that forced the shutdown of internal servers. Nevertheless, the company said its quick reaction prevented the intruders from spreading the ransomware throughout its systems, and that the overall lasting impact from the incident was minimal.

Earlier this week, Swedish news agency Dagens Nyheter confirmed that hackers recently published online at least 38,000 documents stolen from Gunnebo’s network. Linus Larsson, the journalist who broke the story, says the hacked material was uploaded to a public server during the second half of September, and it is not known how many people may have gained access to it.

Larsson quotes Gunnebo CEO Stefan Syrén saying the company never considered paying the ransom the attackers demanded in exchange for not publishing its internal documents. What’s more, Syrén seemed to downplay the severity of the exposure.

“I understand that you can see drawings as sensitive, but we do not consider them as sensitive automatically,” the CEO reportedly said. “When it comes to cameras in a public environment, for example, half the point is that they should be visible, therefore a drawing with camera placements in itself is not very sensitive.”

It remains unclear whether the stolen RDP credentials were a factor in this incident. But the password to the Gunnebo RDP account — “password01” — suggests the security of its IT systems may have been lacking in other areas as well.

After this author posted a request for contact from Gunnebo on Twitter, KrebsOnSecurity heard from Rasmus Jansson, an account manager at Gunnebo who specializes in protecting client systems from electromagnetic pulse (EMP) attacks or disruption, short bursts of energy that can damage electrical equipment.

Jansson said he relayed the stolen credentials to the company’s IT specialists, but that he does not know what actions the company took in response. Reached by phone today, Jansson said he quit the company in August, right around the time Gunnebo disclosed the thwarted ransomware attack. He declined to comment on the particulars of the extortion incident.

Ransomware attackers often spend weeks or months inside of a target’s network before attempting to deploy malware across the network that encrypts servers and desktop systems unless and until a ransom demand is met.

That’s because gaining the initial foothold is rarely the difficult part of the attack. In fact, many ransomware groups now have such an embarrassment of riches in this regard that they’ve taken to hiring external penetration testers to carry out the grunt work of escalating that initial foothold into complete control over the victim’s network and any data backup systems — a process that can be hugely time consuming.

But prior to launching their ransomware, it has become common practice for these extortionists to offload as much sensitive and proprietary data as possible. In some cases, this allows the intruders to profit even if their malware somehow fails to do its job. In other instances, victims are asked to pay two extortion demands: One for a digital key to unlock encrypted systems, and another in exchange for a promise not to publish, auction or otherwise trade any stolen data.

While it may seem ironic when a physical security firm ends up having all of its secrets published online, the reality is that some of the biggest targets of ransomware groups continue to be companies which may not consider cybersecurity or information systems as their primary concern or business — regardless of how much may be riding on that technology.

Indeed, companies that persist in viewing cyber and physical security as somehow separate seem to be among the favorite targets of ransomware actors. Last week, a Russian journalist published a video on YouTube claiming to be an interview with the cybercriminals behind the REvil/Sodinokibi ransomware strain, which is the handiwork of a particularly aggressive criminal group that’s been behind some of the biggest and most costly ransom attacks in recent years.

In the video, the REvil representative stated that the most desirable targets for the group were agriculture companies, manufacturers, insurance firms, and law firms. The REvil actor claimed that on average roughly one in three of its victims agrees to pay an extortion fee.

Mark Arena, CEO of cybersecurity threat intelligence firm Intel 471, said while it might be tempting to believe that firms which specialize in information security typically have better cybersecurity practices than physical security firms, few organizations have a deep understanding of their adversaries. Intel 471 has published an analysis of the video here.

Arena said this is a particularly acute shortcoming with many managed service providers (MSPs), companies that provide outsourced security services to hundreds or thousands of clients who might not otherwise be able to afford to hire cybersecurity professionals.

“The harsh and unfortunate reality is the security of a number of security companies is shit,” Arena said. “Most companies tend to have a lack of ongoing and up to date understanding of the threat actors they face.”

Biomedical orgs working on COVID-19 vaccines open to cyber attacks

In a recently released report by the UK National Cyber Security Centre (NCSC), whose findings have been backed by Canada’s Communications Security Establishment (CSE) and the US NSA and CISA (Cybersecurity and Infrastructure Security Agency), the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine.

On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies who play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.

Biomedical orgs under attack

The report details recent tactics, techniques and procedures (TTPs) used by APT29 (aka “Cozy Bear”), which the NCSC and the CSE believe to be “almost certainly part of the Russian intelligence services.”

The agencies believe that the group is after information and intellectual property relating to the development and testing of COVID-19 vaccines.

“In recent attacks (…), the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified,” the report states.

Among the flaws exploited by the group are CVE-2019-19781 (affecting Citrix’s Application Delivery Controller (ADC) and Gateway), CVE-2019-11510 and CVE-2018-13379 (affecting Pulse Secure VPN endpoints and Fortigate SSL VPN installations, respectively) and CVE-2019-9670 (affecting the Synacor Zimbra Collaboration Suite).

The group also uses spear-phishing to obtain authentication credentials to internet-accessible login pages for target organizations.

After achieving persistence through additional tooling or legitimate credentials, APT29 uses custom malware (WellMess and WellMail) to execute arbitrary shell commands, upload and download files, and run commands or scripts with the results being sent to a hardcoded command and control server. The group also uses some malware (SoreFang) that has previously been used by other hacking groups.

The report did not identify the targeted organizations nor did it say whether the attacks were successful and whether any information and IP has been stolen.

Biomedical orgs open to cyber attacks

As many security researchers pointed out, Russian cyber espionage groups aren’t the only ones probing these targets, so these organizations should ramp up their security efforts.

BitSight researchers have recently searched for security issues that attackers might exploit. They’ve looked at 17 companies of varying size that are involved in the search for a COVID-19 vaccine, and found:

  • 25 compromised or potentially compromised machines (systems running malware/bots, potentially unwanted applications, spam-sending machines and computers behaving in abnormal ways) in the past year
  • A variety of open ports (i.e., exposed insecure services that should never be exposed outside of a company’s firewall): Telnet, Microsoft RDP, printers, SMB, exposed databases, VNC, etc., which can become access points into a company’s network
  • Vulnerabilities. “14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.”
  • 30 web application security issues (e.g., insecure authentication via HTTP, insecure redirects from HTTPS to HTTP, etc.) that could be exploited by attackers to eavesdrop on and capture sensitive data, such as credentials, corporate email, and customer data.

“These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern,” the researchers pointed out.

“It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”

Surge in unique clients reporting brute-force attack attempts

There’s a significant uptick in the number of unique clients who have reported brute-force attack attempts, ESET reveals.

Trend of RDP attack attempts against unique clients (per day) detected by ESET

The trend has been observed since the onset of the global pandemic. The COVID-19 crisis has radically changed the nature of everyday work, forcing employees to manage large parts of their jobs via remote access.

Cybercriminals exploiting remote work

Cybercriminals – especially ransomware operators – are aware of the shift and attempt to exploit the new opportunities and increase their illicit earnings. In the period between January 2020 and May 2020, the United States, China, Russia, Germany and France topped the list of countries with the most IPs used for brute-force attacks.

“Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department. But the coronavirus pandemic has brought a major shift to the status quo.

“Today, a huge proportion of ‘office’ work occurs via home devices, with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP), a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers,” explains Ondrej Kubovič, ESET Security Research & Awareness Specialist.

“Despite the increasing importance of RDP, as well as other remote access services, organizations often neglect its settings and protection. Employees use easy-to-guess passwords, and without additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems,” Kubovič continues.

According to telemetry, most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France. Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary.

RDP has become a popular attack vector

RDP has become a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals often brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions, and then run ransomware to encrypt crucial company data.

However, other malicious actors try to exploit poorly secured RDP to install coin-mining malware or create backdoors, which can be used in case their unauthorized RDP access has been identified and closed.

Your greatest work from home lifeline is also your newest attack vector

Enterprises have been experimenting with work from home policies for years. Unfortunately, that experiment suddenly became the default this spring as local and state governments across the U.S. issued “stay at home” orders, leaving tens of millions of employees working from home for the first time.

According to the CSO Pandemic Impact Survey, the number of employees working at least 60 percent of the time from home has increased five-fold since the institution of social and work restrictions. Overnight, organizations faced the urgent need to provide employees secure and reliable access to sensitive company resources, often via personal devices and over home Wi-Fi networks.

What’s worse: open RDP or close up shop?

The need to maintain business operations required some IT teams to open up remote desktop protocol (RDP) to quickly provide employees at home access to their computers in the office. In March, Shodan reported significant growth in RDP exposed to the Internet.

While virtual desktops that use RDP represent a lifeline to the office, they also present a new attack vector. Recently, Kaspersky observed a surge in RDP brute force attacks across the globe as hackers took advantage of new workloads, vulnerable VPN connections, and misconfigurations that left the gates to the network open.

Remote Desktop is an attractive target for attackers because it’s common in enterprise environments, provides remote access to a Windows device, and leaves credentials exposed in memory. Once a bad actor gains access to a device, it can be used for a variety of malicious activities capable of compromising not only that device, but devices and data across the entire network. What’s more, RDP is frequently used for administrative purposes, and administrators are likely to have access to a wide array of privileged systems.

For attackers, successfully compromising RDP can save a lot of time, giving them a level of access that makes it easier to rapidly infiltrate the network, move laterally within it, and continue to escalate privileges to gain further access. While RDP can help keep employees connected and businesses running, its vulnerabilities can lead to the exposure of customer data or dangerous and costly leaks that could shake brand confidence.

RDP is risky business

Below are some of the most prevalent malicious RDP activities and the associated risks that IT teams should be aware of when enabling RDP access.

Exploit: Brute force attacks on RDP are low-cost and easy to perform. Using tools like Ncrack or Hydra, an attacker can implement a brute force attack on RDP accounts to discover weak passwords or valid login credentials. Even though this type of brute force attack is noisy, it can be highly effective due to the prevalence of weak and repurposed passwords. An attacker could also perform a scan to find and exploit known vulnerabilities. With valid credentials, an attacker holds the key to opening multiple RDP sessions from a single device in order to gain control of numerous devices on the network.

One of the most famous examples of RDP exploits is that of BlueKeep (CVE-2019-0708), a well-known vulnerability in Microsoft’s RDP implementation. BlueKeep allows an unauthenticated attacker to remotely run arbitrary code on an RDP server to grant administrator access to a network-accessible Windows system—all without user credentials. An attacker could then tamper with data or automate the process by installing malware to propagate to other Windows devices. RDP is commonly enabled on devices, which increases the likelihood that this threat will have a significant effect or even grind business services to a halt.

Exfiltration: After gaining access to a device with a poorly secured RDP, an attacker can easily transfer data. Unusual data transfers might signal suspicious activity such as sharing malicious files between compromised devices or data staging (the process of collecting and preparing data for exfiltration). If important, proprietary, or customer data is leaked, the consequences can be devastating.

Command & Control: Attackers also use RDP as a command-and-control channel into a network. This typically shows up as devices outside the network attempting, or succeeding in making, connections to in-network Windows devices using compromised credentials. If the RDP connection never authenticates, or if the attacker lands on a device with limited privileges, the impact to the business can be low. Even so, these connections should be examined before they facilitate critical and costly attacks.

Reconnaissance: Before adversaries can execute an attack, they have to find a weak spot they can use to access the network and gain a foothold. While this type of reconnaissance does not negatively affect network performance, attack tools make it easy to discover devices with active Remote Desktop sessions, helping an attacker pinpoint a number of Windows devices to target.
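The brute-force and command-and-control activity described above leaves a trail in the Windows Security log. The following script is an added example, not code from the article: it summarises failed logon events (ID 4625) per source address so an administrator can see a password-guessing run against RDP as it happens. The $Hours and $Threshold values are assumed tuning knobs, not figures from the article.

```powershell
# Added example (not part of the article): summarise failed logons from the local
# Security event log to show what an RDP password-guessing run looks like.
# Run in an elevated PowerShell session; event ID 4625 = "An account failed to log on".
# $Hours and $Threshold are assumed tuning values, not figures from the article.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # Read the named fields from the event's XML body rather than relying on positional Properties.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Logon type 10 is RemoteInteractive (a classic RDP logon). With Network Level
    # Authentication enabled the credential check happens first, so guesses are recorded as type 3.
    if ($data.LogonType -in @('3', '10')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            IpAddress = $data.IpAddress
            User      = $data.TargetUserName
            LogonType = $data.LogonType
        }
    }
}

# A brute-force or password-spraying run shows up as one source address producing many
# failures, usually across many account names, inside a short window.
$bySource = $records | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress | Where-Object Count -ge $Threshold | Sort-Object Count -Descending

foreach ($g in $bySource) {
    $sorted = $g.Group | Sort-Object Time
    $users  = ($g.Group.User | Sort-Object -Unique) -join ', '
    "{0,-18} {1,5} failures  {2:u} .. {3:u}  accounts tried: {4}" -f `
        $g.Name, $g.Count, $sorted[0].Time, $sorted[-1].Time, $users
}

if (-not $bySource) {
    "No source address reached $Threshold failed RDP/network logons in the last $Hours hours."
}
```

A source that trips the threshold while cycling through account names is the noisy signature the article mentions; an address that belongs to a VPN concentrator or RD Gateway will aggregate many users and needs to be read with that in mind.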

Minimize the risks of a necessary evil

The reality is that RDP is a convenient attack vector, particularly now that more employees use VPNs and virtual desktops to access corporate resources. There are practical steps IT teams can take to mitigate the risks that can make a vital difference between an attempted intrusion and a major breach.

First, practice good hygiene. Disable remote desktop services unless required and install relevant patches for any affected devices as quickly as possible. Be sure to track in real time which devices are active and connected so no devices are inadvertently missed. Review access controls to ensure that only approved users can connect to remote access services.

Next, put up roadblocks. Run the RDP connection through a VPN or remote desktop gateway where login attempts will undergo more scrutiny. Enforce strong passphrase rules and enable two-factor authentication on all RDP and VPN traffic. Do everything possible to prevent lateral movement if a bad actor does get inside. Implement micro-segmentation by adding secure zones based on the zero-trust security model, and partition network traffic with endpoint firewalls, virtual software-defined networks, or physical networks.

Finally, IT teams should only enable RDP access temporarily and should not consider it a long-term fix for remote access. Instead, organizations may want to evaluate alternatives such as distributing company-issued laptops or Desktop-as-a-Service (DaaS) solutions.

As the world adjusts to large-scale remote work, RDP enables agility when it’s absolutely necessary. However, with cybercriminals and APTs actively seeking to exploit the opportunity, IT teams must be fully aware of and work to mitigate the serious risks that the protocol introduces to the business.

Malware opens RDP backdoor into Windows systems

A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor.

Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”.

Sarwent’s new capabilities

Sarwent is a piece of malware that started out as a loader for other malware, but has recently been updated with two new functionalities, SentinelOne researchers discovered.

These newer variants can now also:

  • Execute commands via Windows Command Prompt and PowerShell
  • Create a new Windows user account, enable the RDP service for it, and make changes to the Windows firewall so that RDP access to the infected machine is allowed

Removing the malware from the infected computer will not automatically close the RDP “hole”. Users, admins or paid “cleaners” also have to remove the user account set up by the malware and close the RDP access port in the firewall.
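The RDP hygiene steps in the previous article (disable RDP unless required, review who can connect, gate it behind a firewall) and the Sarwent clean-up above (remove the planted account, close the firewall opening) come down to checking the same handful of host settings. The following read-only audit script is an added example, not code from either article; it assumes a Windows 10 / Server 2016 or later host with the LocalAccounts and NetSecurity modules, and $LookbackDays is an assumed value.

```powershell
# Added example (not from either article): read-only audit of one Windows host against the
# RDP hygiene checklist and the Sarwent clean-up (rogue account, opened firewall port).
# Run in an elevated PowerShell session; nothing is changed. $LookbackDays is an assumed value.
param([int]$LookbackDays = 30)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is Remote Desktop switched on? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) { $findings.Add('Remote Desktop is enabled; confirm it is still required.') }

# 2. Is Network Level Authentication required? UserAuthentication = 1 means NLA is on.
$nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
if ($nla.UserAuthentication -ne 1) { $findings.Add('NLA is off: unauthenticated clients reach the logon screen.') }

# 3. Which enabled inbound allow rules open TCP 3389, and from where? A rule whose RemoteAddress
#    is 'Any' exposes RDP to every network the host can be reached from. (Rules using port ranges
#    or protocol 'Any' are not matched by this simple check.)
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389')) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $findings.Add("Firewall rule '$($rule.DisplayName)' (group: $($rule.Group)) allows TCP 3389 from: $remote")
    }
}

# 4. Who may log on over RDP? Review every member and remove any account nobody can vouch for.
foreach ($m in Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue) {
    $findings.Add("Remote Desktop Users member: $($m.Name) ($($m.ObjectClass))")
}

# 5. Local accounts created recently (event 4720) and additions to local groups (event 4732):
#    the traces a "create a user and enable RDP for it" action leaves behind.
$since = (Get-Date).AddDays(-$LookbackDays)
$acct  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $acct) {
    # 4720: Properties[0] is TargetUserName (the new account).
    # 4732: Properties[0] is MemberName (often '-'), [1] is MemberSid, [2] is the group name.
    $what = if ($e.Id -eq 4720) { "account created: $($e.Properties[0].Value)" }
            else { "member $($e.Properties[0].Value) / $($e.Properties[1].Value) added to group $($e.Properties[2].Value)" }
    $findings.Add(("{0:u} {1}" -f $e.TimeCreated, $what))
}

if ($findings.Count -eq 0) { 'No findings: RDP disabled or locked down, no recent local account changes.' }
else { $findings | ForEach-Object { "- $_" } }
```

The findings are deliberately left for a human to judge: an enabled RDP rule scoped to a management subnet may be intended, while an unfamiliar account in Remote Desktop Users created last week is exactly what the Sarwent clean-up advice says to remove.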

RDP access: A hot commodity

Gaining access to Windows machines via the Remote Desktop Protocol has become a preferred tactic of cyber crooks and ransomware gangs, though they usually scan for machines/servers that already have RDP enabled and then they try to brute-force the passwords that safeguard access through it.

Since COVID-19 spread across the globe and many employees started working from home, RDP use has soared.

The crooks wielding Sarwent want to increase the chances of retaining access to the machine after the malware is found and removed.

It might be that they want to use that access themselves, to reinfect the computer at a later date. It’s also possible that they plan to rent or sell that access to other cyber gangs or individuals.

Access to corporate networks and systems is regularly sold on dark web forums and marketplaces.

RDP and VPN use soars, increasing enterprise cyber risk

As COVID-19 slowly spread across the globe, consumer demand for commercial virtual private network (VPN) services has soared – both for security reasons and for bypassing geo-blocking of (streaming) content. Not unexpectedly, enterprise VPN use has also greatly increased, and so has the use of the Remote Desktop Protocol (RDP), a popular and common means for remotely managing a computer over a network connection.

Increased enterprise RDP and VPN use

Shodan creator John Matherly has pulled old and new data regarding devices exposing RDP and VPN protocols and ports to the Internet and has confirmed that:

  • The number of devices exposing RDP to the internet on standard ports (3389) has grown by 41.5 percent over the past month
  • The number of devices exposing RDP to the internet on non-standard but often used alternate ports (3388) has grown by 36.8 percent over the same period
  • The number of servers running VPN protocols (IKE, PPTP, etc.) on different ports has jumped from nearly 7.5 million to nearly 10 million (by a third).

With the increased usage of these services comes an increased risk of compromise, though.

Increased risk

“[RDP] has a history of security issues and generally shouldn’t be publicly accessible without any other protections (ex. firewall whitelist, 2FA),” Matherly noted.

While helpful for allowing remote users to securely connect to corporate applications and resources, the VPNs set up by organizations are not immune to attack and compromise via known and unknown vulnerabilities, both on the client and server side.

Among the more recent examples are:

  • CVE-2019-1573, a vulnerability that made a variety of VPN applications store the authentication and session cookies insecurely in memory and/or log files
  • CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse Connect Secure SSL VPN installations
  • CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal

The latter two can be exploited remotely by sending a specially crafted HTTPS request, don’t require authentication, and allow attackers to download files/extract sensitive information from the vulnerable servers. They have also been actively exploited by attackers.

Healthcare industry at greatest risk of data breach

The healthcare industry has significantly more exposed attack surfaces than any other industry surveyed, according to Censys’s research findings of cloud risks and cloud maturity by industry, revealed at RSA Conference 2020.

Leveraging the Censys SaaS Platform, company researchers measured the occurrence of exposed databases and exposed remote login services – two key indicators of modern security risks – for the ten largest companies by revenue in seven major industries (Automotive, Energy, Hotels, Insurance, Manufacturing, Healthcare and Financials).

The healthcare industry showed significantly more exposed databases and more exposed remote login services.

Exposed databases by industry

Composed of pharmacies, healthcare providers, insurance providers and pharmaceutical manufacturers, the healthcare industry had an average of 13 exposed databases per company. The energy industry proved the least at-risk with only one exposed database per company.

Exposed Remote Desktop Protocol (RDP)

Healthcare also had the most exposed RDP servers per company, with an average of eight. However, this average is caused by one outlier with ten times the number of exposed RDP servers of the next highest company.

While cloud databases and remote working solutions provide a great deal of convenience and enable modern web applications, both provide attackers a common entry point and drive data breach attacks. Internet exposed databases put customer data at risk and RDPs pose risks of credential stuffing, reuse of stolen credentials, and specific software exploits.

“Along with enormous agility for the modern enterprise, the rise of cloud infrastructure in high-tech industries has created an incredible security challenge that only continues to grow,” said Jose Nazario, Ph.D., Principal R&D Engineer at Censys. “While all industries have guilty parties, healthcare’s attack surface is simply much bigger than they realize.”

In order to protect against breaches, companies must first gain visibility using a continuous attack surface monitoring platform. This enables businesses to be alerted to risks when they occur. Companies can then remediate the issue by reconfiguring an application to listen on a private network, employing VPN software, or simply ensuring a firewall ruleset is properly configured.

Attack tools and techniques used by major ransomware families

Ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up, according to a new Sophos report.

Main modes of distribution for the major ransomware families

Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum … More

The post Attack tools and techniques used by major ransomware families appeared first on Help Net Security.