Cyber Round-up for 5th April
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.
In this week’s round-up:
- Arizona Beverages Hit by Ransomware Attack
- Facebook Privacy Woes Continue
- More Concerns on Huawei Security
- Microsoft Introduce AAD Password Protection
Arizona Beverages Hit by Ransomware Attack
Arizona Beverages, a large US-based beverage supplier, has this week been recovering from a devastating ransomware attack that left the company unable to operate for several days.
Two weeks on from the initial infection, they are still not back to a fully restored service, although their sales operation is now up and running.
It is believed that the infection was the iEncrypt ransomware, a possible variant of BitPaymer, which encrypted the data on over 200 Windows-based servers, PCs and laptops, rendering them useless.
Although not confirmed, it is understood that the initial infection was introduced through a malicious email attachment and, as with BitPaymer, it is highly likely that this was delivered using the Emotet trojan.
Once the infection was detected, AB staff were told that their computers could be compromised and that they should not power on their devices, copy files or connect to the network.
As there is no known decryption tool for iEncrypt, AB had limited options for recovering from the attack, and the situation got significantly worse when, 24 hours later, IT staff found that the backup solution had been misconfigured and could not be used to restore service.
It is believed that Arizona Beverages lost millions of dollars per day in sales while they were down.
Several big mistakes appear to have been made leading up to and during this attack:
- Servers and operating systems were running out-of-date, unsupported software versions.
- There was no effective patch management process, with most devices not having been patched for some time.
- A robust incident response process was not in place, and the company took nearly a week to call in incident response experts from Cisco to assist with the investigation and recovery.
- Backups and restores were never tested or verified as successful, resulting in a failure to restore after the attack.
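The last point is the one that turned a bad week into a near-fatal one, so here is what a restore drill looks like in practice. This is an added example, not code from the round-up or from any backup product: it backs up a constructed set of files, restores them somewhere else, and compares every restored file against a SHA-256 manifest taken at backup time, then deliberately damages one restored file to show the check failing. The sample files, archive name and directory layout are all assumptions built in a temporary directory so the script runs offline.

```python
"""Restore-test a backup archive and verify every file by hash.

Added example: the sample files and the archive are constructed in a
temporary directory. For a real drill, point it at a real archive and the
manifest that was stored beside it when the backup was taken.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write every file under source into a tar.gz and return the manifest
    taken at backup time. Keeping that manifest beside the archive is what
    makes a later restore verifiable, rather than just 'it extracted'."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)


def compare(expected: dict, actual: dict) -> dict:
    """Report files that never came back and files that came back changed."""
    missing = sorted(set(expected) - set(actual))
    mismatched = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {"ok": not missing and not mismatched,
            "missing": missing, "mismatched": mismatched}


def restore_and_verify(archive: Path, expected: dict, restore_dir: Path) -> dict:
    """Extract into restore_dir and check every expected file is present and intact."""
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir)
    return compare(expected, manifest(restore_dir))


def restore_drill(corrupt: bool = False) -> dict:
    """Run the full backup/restore/verify cycle on constructed data.
    corrupt=True truncates one restored file afterwards to show the
    drill catching a bad restore instead of reporting success."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive, restored = root / "src", root / "backup.tar.gz", root / "restore"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'tea');\n")
        (src / "config.ini").write_text("[backup]\nlast_verified = never\n")
        expected = create_backup(src, archive)
        restored.mkdir()
        result = restore_and_verify(archive, expected, restored)
        if corrupt:
            (restored / "config.ini").write_text("")  # simulate a truncated restore
            result = compare(expected, manifest(restored))
        return result


if __name__ == "__main__":
    print(restore_drill())              # ok: True
    print(restore_drill(corrupt=True))  # ok: False, mismatched: ['config.ini']
```

The point of the drill is the comparison step, not the extraction: a backup job that finishes "successfully" says nothing about whether the data it wrote can be read back, which is exactly the gap that caught Arizona Beverages. Run it on a schedule against a restore target that is not the production system.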
The true depth of the damage caused may not be known for some time, but we encourage organisations to learn from the mistakes of others. Be prepared so you can effectively protect and react in the event that you become the victim.
Facebook Privacy Woes Continue
In the last couple of years Facebook have been taking a lot of stick over numerous screw-ups with data privacy and security. It has got no better for them this week, as they were hit with a double whammy of privacy concerns.
The first and biggest screw-up came in the form of another data breach: this time 540 million Facebook users’ records were left exposed online by a third-party developer.
Researchers at UpGuard discovered the breach, which was caused by a third-party media company called Cultura Colectiva leaving the records unsecured in Amazon S3 buckets.
Amazon S3, short for Simple Storage Service, is commonly used by developers as an easy way to store and retrieve data. Unfortunately, with no password or other access restriction on these S3 buckets, the data was freely accessible to anyone on the internet.
The exposed data contained Facebook account information that included names, email addresses, Facebook IDs, photos, check-ins, friend lists, interests, and more.
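What "left unsecured" usually means in S3 terms is a bucket policy or ACL that grants access to the anonymous principal. The following is an added example, not code from the round-up, UpGuard or AWS: it shows a constructed bucket policy with the weak setting beside a hardened version, and a small audit function that flags Allow statements granting read access to everyone. The bucket name, account id and role name are placeholders, and the check covers bucket policies only (ACLs and the account-level Block Public Access settings are separate controls).

```python
"""Flag S3 bucket policy statements that grant anonymous read access.

Added example: both policies below are constructed, and the bucket name,
account id (AWS's documentation placeholder) and role name are placeholders.
"""
import json

# Actions that let a caller read objects or list the bucket; the wildcards
# are included because "s3:*" and "*" cover them too.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

BUCKET = "example-media-exports"  # placeholder bucket name

# Weak: Principal "*" hands the whole bucket to anyone on the internet.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
})

# Hardened: only a named IAM role may read, and plaintext transport is denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExportRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str) -> list:
    """Return Allow statements that let an anonymous principal read.

    A Condition can narrow such a grant (e.g. to a VPC endpoint), so those
    are still reported, marked conditional, for a human to review."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are fine (and good)
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "conditional": "Condition" in stmt})
    return findings


if __name__ == "__main__":
    print("weak:", public_read_statements(WEAK_POLICY))          # [{'sid': 'PublicRead', ...}]
    print("hardened:", public_read_statements(HARDENED_POLICY))  # []
```

The check is deliberately conservative: any Allow to the anonymous principal that touches a read action is reported, even when a Condition is attached, because whether that condition actually keeps the data private is a judgement call. In a real account the policy text would come from the S3 API rather than an inline string, and the bucket-level check should sit alongside the account-wide Block Public Access settings, which stop this class of mistake regardless of what an individual policy says.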
This might at least take the heat off the Cambridge Analytica issue: with the data of only 87 million users shared with the third party, it pales in comparison to this new breach of privacy.
It doesn’t end there, though. Facebook are now asking users for their email account password to continue using the service, which has understandably raised more than a few eyebrows across the security industry. The message states:
“To continue using Facebook, you’ll need to confirm your email address. Because you signed up with [email address], you can do that automatically …”
By doing this you are basically giving Facebook access to your email account, which they should not be asking for. Facebook have stated that this information is not stored, but in light of the many other issues in this area, can they be trusted?
Facebook have apparently acknowledged that this is not the right thing to do:
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,”
There is no legitimate reason for them to require your email account and its password. So, if you see this message, our advice is not to enter your details and to refrain from using Facebook until they remove it.
Read More on grahamcluley.com & The Daily Beast ….
More Concerns on Huawei Security
Like Facebook, the Chinese tech and telecoms giant Huawei is only too familiar with concerns over the security and privacy of its products. It has been a standing concern of western governments that Huawei products may not be safe, due to the possibility of Chinese government involvement and the potential for backdoors in their products that could be used for espionage and infiltration.
These concerns may have been realised to some extent this week, with reports of a flaw discovered by Microsoft researchers in Huawei MateBook laptops.
A sophisticated flaw appears to have been inserted during the manufacture of the products that would allow an attacker not only to spy on the machine and its user, but also to take full control of the target computer.
It is understood that this flaw may be linked to the NSA’s DoublePulsar backdoor, which was leaked by the Shadow Brokers back in 2017, although it is unclear at what point in the manufacturing process it was introduced.
According to the BBC, there are no signs that Huawei have done anything malicious, and there is a possibility that this could have occurred upstream in the supply chain.
Huawei are a big player in new 5G network infrastructure and services, where there has been equal concern, and unfortunately incidents such as this will not help their case in convincing governments that their products are indeed safe to use.
Microsoft Introduce AAD Password Protection
Since last year Microsoft have been working on improved mechanisms for password security and, after running a preview release, Azure Active Directory Password Protection is now generally available to Azure AD Premium subscribers.
AAD Password Protection gives administrators the ability to add an additional layer of security for users of Microsoft cloud and hybrid environments, by preventing them from setting poor passwords that may be easy to guess or have been found in known data breaches.
This new feature will make it easier for organisations to ensure users are creating better passwords, and significantly harder for malicious actors to launch successful password spray attacks against their users and systems.
The feature can protect accounts in Azure AD and in hybrid on-premises Windows Server Active Directory deployments. It uses a global banned list of 500 of the most common passwords, a banned password algorithm and a custom password blacklist that can be controlled by the organisation’s administrators.
As with all elements of security, things can change very quickly, and it’s no different here: Microsoft’s security research and analysis teams keep the feature and its lists updated as new information becomes available.
If a user tries to set a banned password, they will be presented with the following error message:
“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”
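To make the "banned password algorithm" concrete, here is an added example that is not Microsoft's code: a simplified reimplementation of the scoring Microsoft documents for this feature (lower-case the password, undo common character substitutions, find banned words as substrings, award one point per banned match and one per leftover character, and accept only at five points or more). The substitution table and the banned list are constructed stand-ins for the global and custom lists, and the fuzzy edit-distance matching the real service also performs is left out, so treat the verdicts as illustrative of the scoring, not as what Azure AD would say.

```python
"""Score passwords against a banned-word list the way a banned-password
filter does.

Added example, not Microsoft's code: a simplified reimplementation of the
documented Azure AD Password Protection scoring. The substitution table
and BANNED list are constructed; fuzzy matching is omitted.
"""

# Assumed substitution table: undo the usual "leet" swaps before matching.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-in for the global list plus an organisation's custom list.
BANNED = ["password", "contoso", "blank", "welcome", "qwerty"]


def normalise(password: str) -> str:
    """Lower-case and undo common substitutions so P@ssw0rd becomes password."""
    return password.lower().translate(SUBSTITUTIONS)


def find_banned(normalised: str, banned=BANNED):
    """Greedily mark banned words (longest first) found as substrings.

    Returns the list of matched words and a per-character mask of which
    positions were consumed by a match; overlapping matches are not
    double-counted."""
    consumed = [False] * len(normalised)
    matches = []
    for word in sorted(banned, key=len, reverse=True):
        start = 0
        while True:
            idx = normalised.find(word, start)
            if idx == -1:
                break
            span = range(idx, idx + len(word))
            if not any(consumed[i] for i in span):
                matches.append(word)
                for i in span:
                    consumed[i] = True
            start = idx + 1
    return matches, consumed


def score(password: str, banned=BANNED, threshold: int = 5) -> dict:
    """One point per banned match, one per leftover character; accept at
    threshold points. A long password built entirely from banned words
    therefore scores almost nothing, which is the whole idea."""
    normalised = normalise(password)
    matches, consumed = find_banned(normalised, banned)
    leftover = sum(1 for c in consumed if not c)
    points = len(matches) + leftover
    return {"normalised": normalised, "matches": matches,
            "leftover": leftover, "points": points,
            "accepted": points >= threshold}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "C0ntos0Blank12", "ContoS0Bl@nkf9!"]:
        print(candidate, "->", score(candidate))
```

Two things fall out of the scoring that are easy to miss when reading the feature description: capitalisation and digit-for-letter swaps buy nothing, because they are undone before matching, and a password that is merely long is not enough if most of its length is made of banned fragments. Organisations feeding the custom list should therefore add their own brand names, product names and site names, since those are exactly the fragments a password spray against them will try.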
This is a great step forward for Microsoft cloud users, and we recommend that organisations take steps to include this as another layer of security.
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.
Edition #35 – 5th April 2019
Ironshare – Security Simplified