Cyber Round-up for 29th July
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The LockBit ransomware group recently launched an attack on Italy’s tax agency. After investigating the incident, the agency claimed that there was “no evidence of a breach”. LockBit claims to have stolen 78GB of data and has warned that the data will be leaked if a payment is not made within 6 days. Along with this statement, screenshots of the stolen files were also shared to prove that a breach took place. The tax agency is currently working with Italy’s National Cybersecurity Agency to continue the investigation and learn more about the incident.
Tens of millions of people were affected by the huge T-Mobile data breach last year. The mobile communications giant recently issued a statement about the impact the breach had on their customers. They said: “Customers are first in everything we do and protecting their information is a priority”. In response to the incident, T-Mobile have agreed to pay $350 million to cover payments to class members, including legal and admin fees.
The Premier League app, most commonly used for its Fantasy Premier League feature, has introduced two-factor authentication ahead of the upcoming 2022/23 season. This is an incredible step forward for the app’s security, and will play a massive role in reducing the number of account takeovers. With more than nine million players last season, we are glad to hear the news of this implementation, and the EPL’s commitment to improving security.
The fresh report released by Unit 42 helps businesses, governments and other organisations understand the threat landscape for the past year. Unit 42 analysed more than 600 incident response cases and compiled the results into one report.
Of the cases analysed, 37% recorded phishing as the initial access vector. This is a massive figure but not a surprise; organisations should be training their employees to identify and report phishing attempts. Even the most robust email security can’t stop every phishing email, and other methods such as SMS and phone calls should be understood as possible attack vectors.
31% of cases reported that initial access was gained through a software vulnerability. A robust update policy should be in place to ensure devices (including network and IoT devices) are updated to remove known security vulnerabilities and to reduce the window of exposure between a fix being released and it being installed.
Initial access in 9% of cases came down to brute forcing credentials or passwords. A simple password policy that enforces strong, complex, unique passwords, the removal of default passwords from accounts and devices (yet again, including network and IoT devices) and MFA would help to reduce this threat.
Put simply, the proper creation and enforcement of password and update policies alongside employee training could protect against 77% of these initial access attempts and keep organisations safe. Businesses aren’t the only entities at risk; individuals are too. To stay secure, remember to check emails, SMS messages, phone calls and websites for scams or credential theft. Keeping devices up to date and using strong, complex, unique passwords and MFA for devices and accounts will help to protect you in this digital world.
If you want to read more about Unit 42’s 2022 Incident Response Report, please see here.
Remote Desktop Protocol continues to be a security nightmare, and Windows 11 brute force protection is a welcome addition to its security features. RDP allows one computer to control another by mirroring its screen and taking over its input. It is mainly used by IT support to access a device remotely for management and troubleshooting. RDP is often left enabled or weakly configured, making it a common method of entry. Hackers can abuse this by brute-forcing the password when trying to connect to a computer over RDP, and a successful RDP connection gives a hacker full control of the device. Windows 11 will now ship with a default brute force protection configuration that automatically locks accounts for 10 minutes after 10 invalid sign-in attempts. This vastly reduces the effectiveness of a brute force attack over RDP. Hackers will have to move to dictionary attacks because of the significantly reduced number of attempts they can make at any one time; however, an effective password policy should significantly reduce this threat too.
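The lockout rule described above (10 failures, 10-minute window) is also a useful detection rule for hosts that are not yet on Windows 11. The following added example, written for this round-up and not code from Microsoft or Ironshare, applies the same sliding-window count to constructed failed-logon records modelled on Windows Security Event ID 4625 (LogonType 10 is an RDP logon); the line format, accounts and IP addresses are made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 11 default lockout policy as described in the round-up.
LOCKOUT_THRESHOLD = 10
LOCKOUT_WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = "10"  # RemoteInteractive (RDP) logon


def _event(ts, logon_type, account, source):
    # Simplified, constructed line format carrying the 4625 fields we need.
    return f"{ts.isoformat()} 4625 LogonType={logon_type} Account={account} Source={source}"


T0 = datetime(2022, 7, 25, 8, 0, 0)
SAMPLE_EVENTS = (  # constructed sample data, not real logs
    # 12 RDP failures in one minute from one source: a brute-force pattern.
    [_event(T0 + timedelta(seconds=5 * i), "10", "admin", "203.0.113.7") for i in range(12)]
    # 12 failures two minutes apart: never 10 inside any 10-minute window.
    + [_event(T0 + timedelta(minutes=2 * i), "10", "svc-backup", "198.51.100.9") for i in range(12)]
    # A user mistyping their password a few times, then stopping.
    + [_event(T0 + timedelta(minutes=4 * i), "10", "jsmith", "192.0.2.20") for i in range(3)]
    # Network (LogonType 3) failures are not RDP and are ignored here.
    + [_event(T0 + timedelta(seconds=i), "3", "admin", "203.0.113.7") for i in range(20)]
)


def parse_event(line):
    """Return (timestamp, logon_type, account, source) from one record."""
    ts, _event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["LogonType"], kv["Account"], kv["Source"]


def detect_rdp_bruteforce(lines, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Map (source, account) -> time the failure threshold was first reached.

    Mirrors the lockout counter: only RDP failures within `window` of each
    other count towards `threshold`, so slow guessing spaced beyond the
    window does not trigger, exactly as it would not trigger a lockout.
    """
    recent = defaultdict(deque)
    hits = {}
    for line in sorted(lines):  # leading ISO timestamps sort chronologically
        ts, logon_type, account, source = parse_event(line)
        if logon_type != RDP_LOGON_TYPE:
            continue
        key = (source, account)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in hits:
            hits[key] = ts
    return hits


if __name__ == "__main__":
    for (source, account), when in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{when:%H:%M:%S} threshold reached for {account} from {source}")
```

Lowering `threshold` turns the same logic into an early-warning alert that fires before the account is actually locked out.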
Questions for Confluence, an app designed to allow employees to ask and answer questions as well as browse business wikis, has been in the limelight. The application has a password programmed into it (hardcoded) for a user account called disabledsystemuser. This account is present from installation and is designed to be used by IT technicians and support staff. A hacker leaked the hardcoded password for this account on Twitter a day after the vulnerability was made public. The company has advised administrators to search for the account using:
• User: disabledsystemuser
• Username: disabledsystemuser
• Email: email@example.com
The company stated:
“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to,”
“It is important to remediate this vulnerability on affected systems immediately.”
The account should be disabled or removed to protect organisations from information being leaked.
A hacker is selling the email addresses and phone numbers of 5.4 million Twitter accounts on a hacker forum. The hacker, known as ‘Devil’, used a vulnerability in the Android client for Twitter into which he could feed email addresses and phone numbers and retrieve the Twitter ID identifying the account they belong to. Twitter has said it is investigating the hack and the validity of the hacker’s claims. A sample of the identified accounts was shared with Bleeping Computer and verified to be accurate. Although the breach doesn’t allow the hacker to log into the accounts, the phone numbers of celebrities, businesses and high-profile users are contained within the data.
Vulnerabilities & Updates
SonicWall have released an advisory for the recent critical SQL injection flaw found in the GMS (Global Management System) and Analytics On-Prem products. This critical vulnerability has been given a severity rating of 9.4 and does not require user interaction or authentication to exploit. Its low attack complexity also contributes to its high severity; however, SonicWall does not believe it has been actively exploited yet. All SonicWall customers are recommended to apply the latest security updates as soon as possible to ensure they are protected against this flaw.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #199 – 29th July 2022
Ironshare – Security Simplified