Thought leadership. Threat analysis. Cybersecurity news and alerts.
Latest to Admit Cyber-Attack: The UN
The United Nations (U.N.) recently admitted that it was a victim of a cyber-attack. The admission came months after the cyber incident.
U.N. spokesman Stephane Dujarric told reporters in New York that U.N. offices in Geneva and Vienna were targeted by an “apparently well-resourced” cyber-attack in the middle of 2019. Geneva, Switzerland, hosts several U.N. and related international bodies, including the World Health Organization (WHO), the World Trade Organization (WTO), the Human Rights Council (UNHRC), the Office of the High Commissioner for Human Rights (OHCHR) and the High Commissioner for Refugees (UNHCR). Vienna, Austria, is home to others, including the International Atomic Energy Agency (IAEA) and the Office on Drugs and Crime (UNODC).
“The attribution of any attack is very uncertain and fuzzy, but this was apparently a well-resourced attack,” Dujarric said. “The attack resulted in a compromise of core infrastructure components at both [Geneva] and [Vienna], and was determined to be serious.”
The cyber-attack admission of U.N. spokesman Dujarric came hours after The New Humanitarian exposed the 2019 cyber-attack at the U.N. The New Humanitarian reported that it obtained a confidential U.N. report, dated September 20, 2019, which found that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019.
According to The New Humanitarian, the report's key findings were that staff records and commercial contract data were compromised by the attackers, and that the attack could have been avoided by applying a patch that fixed a known software vulnerability.
Security Vulnerability CVE-2019-0604
The Associated Press said that it also viewed the confidential U.N. report. According to the AP, the attackers initially gained access to the U.N. networks by exploiting a vulnerability in Microsoft SharePoint, designated CVE-2019-0604. Microsoft had patched it in February 2019, but the U.N. reportedly had not applied the update to its servers.
"A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package,” Microsoft describes the security vulnerability CVE-2019-0604. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert saying it was aware of an ongoing campaign that compromises several versions of Microsoft SharePoint Server in order to deploy the China Chopper web shell. The affected versions listed were Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 SP1, Microsoft SharePoint Server 2010 SP2 and Microsoft SharePoint Server 2019.
China Chopper is a publicly available web shell that was first discovered in 2012. "The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
Analysis of the China Chopper web shell by researchers at FireEye found that it has server-side variants for both ASP.NET and PHP, so the same client tool works against web servers running Windows or Linux. "This OS and application flexibility makes this an even more dangerous Web shell,” the FireEye researchers said.
In the case of the U.N. cyber-attack, however, neither The New Humanitarian nor the Associated Press reported whether China Chopper was deployed on the compromised servers.
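Whether or not it was used at the U.N., the Canadian Centre's observation that the SharePoint campaign dropped China Chopper gives a concrete thing to hunt for. The script below is an added example written for this page, not code from the Canadian Centre, FireEye or the U.N. report: it sweeps the usual IIS and SharePoint web roots for small script files containing the publicly documented China Chopper one-liners (the ASPX form evaluates request input with the "unsafe" flag), then pulls the IIS log lines showing POST requests to any hit. The web-root paths and the 20 KB size cut-off are assumptions to adjust for your farm.

```powershell
# Added example (not from the Canadian Centre, FireEye or the U.N. report):
# hunt for China Chopper-style one-line web shells on a SharePoint/IIS host.
# Assumption: these are typical IIS/SharePoint web roots; adjust for your farm.
$WebRoots = @(
    'C:\inetpub\wwwroot',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
)

# Signatures of publicly documented China Chopper server-side variants.
$Patterns = @(
    'eval\s*\(\s*Request\.Item\[',      # ASPX: eval(Request.Item["pass"],"unsafe")
    'eval\s*\(\s*Request\[',            # ASPX, indexer form
    '@eval\s*\(\s*\$_POST\[',           # PHP variant
    'Runtime\.getRuntime\(\)\.exec\('   # JSP variant (noisier; triage by hand)
)
$Regex = ($Patterns -join '|')

function Find-WebShellCandidates {
    param([string[]]$Roots, [string]$Pattern, [int]$MaxBytes = 20KB)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue `
                      -Include *.aspx, *.ashx, *.asmx, *.php, *.jsp |
            Where-Object { $_.Length -le $MaxBytes } |   # China Chopper is ~4 KB; skip large real pages
            ForEach-Object {
                $hit = Select-String -LiteralPath $_.FullName -Pattern $Pattern -List
                if ($hit) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Bytes   = $_.Length
                        Written = $_.LastWriteTimeUtc   # compare with your patch date for CVE-2019-0604
                        Match   = $hit.Line.Trim()
                    }
                }
            }
    }
}

# For each candidate, show who POSTed to it: China Chopper is driven entirely by POST
# requests to the dropped file. Assumption: default IIS log location and W3C format.
function Get-IisPostsTo {
    param([string]$FileName, [string]$LogRoot = 'C:\inetpub\logs\LogFiles')
    Get-ChildItem -Path $LogRoot -Recurse -File -Filter *.log -ErrorAction SilentlyContinue |
        Select-String -Pattern ("\sPOST\s\S*" + [regex]::Escape($FileName) + "\s") |
        Select-Object Filename, LineNumber, Line
}

$candidates = Find-WebShellCandidates -Roots $WebRoots -Pattern $Regex |
              Sort-Object Written -Descending
$candidates | Format-Table -AutoSize
foreach ($c in $candidates) {
    Get-IisPostsTo -FileName (Split-Path -Leaf $c.Path) | Format-Table -AutoSize
}
```

Treat a match as a lead, not a verdict: a legitimate page can contain `eval`, and a shell can be renamed or padded past the size limit. The POST correlation is what turns a suspicious file into an incident timeline, and the file's write time, set against the date the February 2019 SharePoint patch was actually installed, tells you whether the host was exposed when it was dropped.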
Active Directory Compromise
“As part of the compromised infrastructure, lists of user accounts would have been exposed,” Dujarric told The New Humanitarian.
The Office of the High Commissioner for Human Rights (OHCHR), for its part, in a statement, said, “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices.” The OHCHR added that the malicious actors didn’t succeed in accessing the passwords, preventing them in gaining access to other parts of OHCHR’s IT system.
Active Directory is the directory service built into Windows Server and the standard way of managing Windows domain networks: it holds the domain's user accounts, groups and computers and authenticates users to them. Because control of Active Directory means control of every domain-joined system, it is a prime target for attackers, and even a read-only copy of its user list is valuable, since it gives an attacker valid account names for password spraying and targeted phishing.
A senior U.N. IT official, meanwhile, told The New Humanitarian that approximately 400 GB of data was exfiltrated from the U.N. servers, and that part of it was the “user lists”, which the official described as a key component of the network: “once you’ve got privileged access, you’ve got into everything”. The New Humanitarian added that the confidential U.N. report found that some administrator accounts had been breached.
Lack of Transparency
It is worth noting that the U.N. admitted the 2019 cyber-attack only hours after The New Humanitarian exposed it.
The UN spokesperson Dujarric told The New Humanitarian that the reason for the lack of transparency is that the “exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
In a data breach, a lack of transparency has real consequences: the individuals and organizations affected are not made aware of the situation and so cannot take measures to lessen its impact. In Canada, breach reporting is mandatory under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
What is a Virtual CISO and How Can You Hire One for Your Business?
An effective security strategy is crucial to protect your business against cyber threats. Hackers continue to exploit vulnerabilities in systems and leverage cutting-edge technologies to disrupt operations. Even hospitals are at risk.
Cybercriminals’ nefarious activities can lead to lost sales and reduced productivity, costing companies and organizations big money. And as one in five Canadian businesses have been affected by cybersecurity attacks, every company needs to take their security infrastructure seriously.
One of the best moves a business can make to stay safe is to appoint a virtual Chief Information Security Officer (CISO). But what is this, and how can you hire one?
Virtual CISO Defined
Let’s explore what a traditional CISO is before we dive into its virtual counterpart.
CISOs take responsibility for overseeing, developing, and implementing a company’s information security measures. They take the lead in implementing the right procedures and protocols to safeguard a company from risks, both internal and external.
The role demands an iron grasp of the latest information systems, cybersecurity threats (ransomware, cyber extortion, etc.), software solutions, and more. CISOs must be able to guide a business’s information security choices, sharing key insights with colleagues at all levels.
Over time, a CISO can empower teams with the knowledge and skills they need to stay vigilant against cybersecurity risks. Their growing awareness can help employees prevent data breaches, for example, which are a persistent risk to businesses’ and customers’ data alike.
Data breaches can be devastating: 78 percent of people would choose to stop engaging with a company online after an attack, while 36 percent would avoid the company altogether. This equates to lost revenue, negative word of mouth, and reputation damage (possibly long-term).
Worse, 60 percent of small businesses close their doors within six months of a data breach.
Working with a CISO helps you avoid such a catastrophic fallout. But while they make a real difference, hiring an in-house CISO incurs extra expense on top of current overheads. And, depending on the level of experience and training they bring to the table, a full-time CISO may stretch your budget too far.
Outsourcing a CISO is a more cost-effective, practical solution for companies today. Especially those without the available funds to bring a full-time CISO into their workforce on a permanent basis.
CISOs may not be necessary every day of the week, all year long. Instead, a business may benefit from working with a CISO on occasion. A virtual CISO is available as and when needed, but brings none of the overheads or full-time salary a certified professional will expect. They remain available to their clients without being part of the team.
What are a Virtual CISO’s Responsibilities?
A virtual CISO may be an individual or a team. They will have spent years serving as a CISO in one or more businesses, achieving invaluable hands-on experience.
Virtual CISOs can help companies plan and implement effective security measures without needing to be integrated into the company culture. The arrangement demands less time, less effort and fewer resources; they do the work expected of them, no more and no less.
And this revolves around defining security standards and policies, as well as establishing guidelines for employees to follow. Compliance, for example, is easy to overlook without a CISO on hand to get it right.
They may conduct a vendor risk assessment as required, too — a crucial task when doing business with new associates for the first time.
A virtual CISO can help create security strategies, recruit other security-focused employees, and ensure management has a working knowledge of the relevant cybersecurity tools. They’ll identify security weaknesses and reinforce your network and systems to withstand potential attacks.
Furthermore, contingency plans are essential for any company, and a CISO will set one in place just in case an attack strikes.
The level of expertise and specialist insights a virtual CISO can bring to your business offers real peace of mind. You’ll be free to focus on running your company and achieving results without worrying about hackers bringing operations to a halt.
Hiring a Virtual CISO for Your Business
Any business looking to hire a virtual CISO should consider their selection process carefully. You want to feel certain that the team you choose offers the best value for money and will take effective actions to reinforce your security.
Keep the following points in mind:
A reputable virtual CISO will be happy to discuss their previous work, their credentials, their experience, their tools, and more key factors.
Want to Start Working with a Virtual CISO You can Depend On?
The Driz Group provides virtual CISO services of the highest standard. We’ve worked with companies and organizations across diverse sectors, helping to reinforce their security and IT compliance.
Our team focuses on preventing risks and effective mitigation. We leverage cybersecurity programs and respond to any incident as required — we’re always here to help.
Want to learn more? Get in touch now to speak to a member of our expert team.
Researchers Warn Windows EFS Could be Abused by Ransomware Attackers
Researchers at Safebreach Labs have warned that EFS, a feature in Microsoft Windows, could be abused for ransomware attacks.
What Is EFS?
EFS, short for Encrypting File System, is a feature of the NTFS file system that has shipped with the business (Professional and Enterprise) editions of Windows since Windows 2000. It lets users encrypt individual files and folders: the file contents are stored as ciphertext on disk, and only a user who holds the key that protected the file can read them; anyone else, in theory, is denied access.
EFS shouldn’t be confused with another encryption feature on Microsoft Windows called “BitLocker”. While EFS encrypts specific folders and files, BitLocker is a full disk encryption feature.
EFS is transparent to the authorized user: no separate password is entered, because the per-file encryption key is protected by a certificate whose private key is in turn protected by the user’s Windows logon credentials. BitLocker, by contrast, unlocks the whole drive at boot, using a PIN or password, a USB startup key, or the Trusted Platform Module (TPM) if the computer has one.
Proof of Concept of Ransomware Attack Scenario Exploiting Windows EFS
Ransomware is a type of malicious software (malware) that encrypts victims’ computers or data, denying legitimate users access to them. The attackers then demand a ransom in exchange for the decryption keys that, in theory, unlock the encrypted computers or data. Recent ransomware attacks also steal files before encrypting them and threaten to publish the stolen files if the victim refuses to pay.
Researchers at Safebreach Labs recently disclosed that they have developed a proof-of-concept ransomware that abuses Windows EFS. Instead of bringing its own encryption routine, the proof of concept imports its own key into EFS and has Windows encrypt the victim’s files; the encrypted files are saved out in EFS’s raw (backup) form and the key is removed from the machine, leaving the files unreadable to the user and to the operating system itself. They can only be made readable again with the attacker’s key, by having the EFS-based ransomware restore the raw files into their original location through EFS, after which Windows can once more read them.
Safebreach Labs called EFS-based ransomware an “alarming concept and a possible new threat in the ransomware horizon”.
Safebreach Labs said that EFS-based ransomware works on Windows 10 64-bit versions 1803, 1809 and 1903, and should also work on Windows 32-bit operating systems, and on earlier versions of Windows such as Windows 8.x, Windows 7 and Windows Vista.
Safebreach Labs said it tested its EFS-based ransomware against three anti-ransomware solutions from well-known vendors, and all three failed to protect against it. Safebreach Labs then notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints and provided them with the proof of concept, and found that many of their products also failed to protect against the threat.
Prevention and Mitigating Measures Against EFS-Based Ransomware
Below are some of the responses of the major anti-malware and anti-ransomware vendors for Windows endpoints that were notified by Safebreach Labs regarding the EFS-based ransomware.
Avast/AVG email to Safebreach Labs dated September 26, 2019: “We implemented a workaround for version 19.8.”
Bitdefender email to Safebreach Labs dated January 10, 2020: “As of today, the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 22.214.171.124. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine tuning in the future.”
Check Point email to Safebreach Labs dated January 20, 2020: “Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days.”
McAfee email to Safebreach Labs dated January 17, 2020: “McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface.
“Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware. Enterprise Customers using ENS can configure an Endpoint Protection Access Protection rule which will prevent the sample deleting the keys it generates to encrypt the files. By preventing the deletion of the keys the files remain accessible to that user. Other users on the same machine would not have access to the files.”
Microsoft email to Safebreach Labs dated October 7, 2019: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1). Microsoft may consider addressing this in a future product".
In the absence of a Windows update, according to Safebreach Labs, one workaround against EFS-based ransomware is to turn EFS off on the affected Windows installation. The lab cautioned, however, that doing so also disables EFS for any legitimate use on that machine, so an organization that relies on EFS needs to inventory that use before choosing this option.
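The following script is an added example for this page, not Safebreach’s proof of concept and not any vendor’s fix. It does the inventory the workaround above calls for (which files are EFS-encrypted and who owns them, which EFS certificates the current user holds), checks whether EFS is already disabled, and only then applies the registry switch that is equivalent to `fsutil behavior set disableencryption 1`. The default scan root, the 24-hour "recent" window and the decision rule at the end are assumptions to adapt; the EFS certificate OID and registry value are Microsoft-documented.

```powershell
# Added example, not Safebreach's PoC or a vendor's fix: inventory legitimate EFS use on a
# host, then (if there is none) disable EFS as the workaround describes.
# Run in an elevated PowerShell session; the registry change needs a reboot to take effect.

# 1. Which files are EFS-encrypted, and who owns them? A burst of recently written encrypted
#    files, or encrypted files owned by an account that should not be using EFS, is the trace
#    an EFS-abusing ransomware would leave. Assumption: user profiles are the interesting root.
function Get-EfsEncryptedFiles {
    param([string[]]$Roots = @("$env:SystemDrive\Users"), [int]$RecentHours = 24)
    $since = (Get-Date).AddHours(-$RecentHours)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
            Select-Object FullName, Length, LastWriteTime,
                @{ n = 'Owner';  e = { (Get-Acl -LiteralPath $_.FullName).Owner } },
                @{ n = 'Recent'; e = { $_.LastWriteTime -gt $since } }
    }
}

# 2. Which EFS certificates does the current user hold? 1.3.6.1.4.1.311.10.3.4 is the
#    Encrypting File System enhanced key usage. A certificate nobody issued, or encrypted
#    files left behind with no matching certificate, is a red flag (the PoC imports its own
#    key and removes it afterwards). Run once per user account that matters.
function Get-EfsCertificates {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
}

# 3. Is EFS already disabled on this machine? NtfsDisableEncryption = 1 is what
#    "fsutil behavior set disableencryption 1" writes.
function Test-EfsDisabled {
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
                          -Name NtfsDisableEncryption -ErrorAction SilentlyContinue
    return [bool]($v -and $v.NtfsDisableEncryption -eq 1)
}

# 4. The workaround itself. New EFS encryption is refused after the reboot; test access to
#    any existing encrypted files before rolling this out widely.
function Disable-Efs {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
                     -Name NtfsDisableEncryption -Type DWord -Value 1
    Write-Warning 'EFS disabled in the registry; reboot for the change to take effect.'
}

# Usage: inventory first, decide, then act. The rule below (disable only when no encrypted
# files exist at all) is deliberately conservative; loosen it to fit your environment.
$files = @(Get-EfsEncryptedFiles)
$files | Where-Object Recent | Format-Table FullName, Owner, LastWriteTime -AutoSize
Get-EfsCertificates | Format-Table -AutoSize
if ($files.Count -eq 0 -and -not (Test-EfsDisabled)) { Disable-Efs }

# Defence in depth, per Microsoft's reply above: Controlled Folder Access (Windows 10,
# Defender Antivirus) restricts which processes may write to protected folders.
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

The file scan is the slow part on a large profile; schedule it, or narrow `-Roots` to the shares and folders the ransomware would target. Note that EFS keys are per user, so the certificate check has to be run as each user of interest, and that none of this replaces offline backups, which remain the recovery path whichever encryption engine an attacker uses.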
Ransomware attacks are becoming more and more prominent. Turn to our experts to mitigate the ransomware infection risks and protect your organization. Contact us today for a no-obligation consultation.
Windows 7 Support to End Soon. What’s at Risk?
Windows 7, an operating system released by Microsoft more than 10 years ago, will reach its end of life on January 14, 2020.
While Windows 7 will keep running after its end of life, continuing to use this outdated operating system exposes your organization’s computers to security risks.
Security Risks of Using Outdated Operating System
According to Microsoft, the end of life of Windows 7 means that after January 14, 2020, technical assistance and software updates from Windows Update that help protect computers will no longer be available. "If you continue to use Windows 7 after support has ended on January 14, 2020, your PC will still work, but it may become more vulnerable to security risks,” Microsoft said in its advisory.
Software programs like operating systems are never perfect. Somewhere along the way, someone will find a vulnerability or a bug that must be fixed. As such, operating system vendors like Microsoft issue security updates regularly, and out of band as the need arises, to fix newly discovered vulnerabilities. In 2018 alone, Microsoft patched hundreds of security vulnerabilities in its operating systems, including Windows 7 and Windows 10.
With the end of life of Windows 7, newly discovered security vulnerabilities will no longer be fixed by Microsoft, putting your organization at risk of cyber-attacks.
The WannaCry attack, which infected hundreds of thousands of computers within 24 hours on May 12, 2017, gave the world a hard lesson on the risk of running outdated operating systems. WannaCry is ransomware: a type of malicious software (malware) that stops users from using their computers or accessing their data.
WannaCry shook the online world because of its worm capability: the malware spreads across the network on its own, infecting other vulnerable computers without any user involvement. It does this by exploiting the SMBv1 vulnerabilities Microsoft fixed in bulletin MS17-010; this article refers to CVE-2017-0145, and the EternalBlue exploit that WannaCry used is usually tracked as CVE-2017-0144 from the same bulletin. The flaw exists in the way Server Message Block 1.0 (SMBv1) handles certain requests. SMBv1 is the old version of the Server Message Block protocol that Windows uses for file sharing on a local network. “An attacker who successfully exploited the vulnerability [CVE-2017-0145] could gain the ability to execute code on the target server,” Microsoft said.
Microsoft issued a security fix for CVE-2017-0145 on March 14, 2017 – months before the WannaCry attack on May 12, 2017. The company issued a security update to fix CVE-2017-0145 for operating systems that still received the company’s support, including Windows 7, Windows 10, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Vista.
No security update was issued at that time for operating systems that had already reached end of life, including Windows XP, Windows 8 and Windows Server 2003. When the WannaCry attack hit on May 12, 2017, these outdated operating systems were defenceless, and it was only after the outbreak that Microsoft took the unusual step of releasing emergency fixes for them.
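For a machine that has to stay on Windows 7 a little longer, the two host-level controls that would have blunted WannaCry are still the same: switch off SMBv1, and stop the host from accepting SMB connections from the rest of the network at all. The script below is an added example written for this page, not Microsoft’s or Kaspersky’s code. The Windows 7 / Server 2008 R2 branch uses the registry and service-dependency method Microsoft documents for those versions; the `Get-/Set-SmbServerConfiguration` cmdlets exist only on Windows 8 / Server 2012 and later. The firewall rule names and the idea of keeping a legacy host behind a block on ports 445 and 139 are assumptions about your environment.

```powershell
# Added example, not from Microsoft or Kaspersky: audit and disable SMBv1 on a host that
# must stay on Windows 7 / Server 2008 R2, and block inbound SMB at the host firewall so the
# machine is unreachable over SMB even before network segmentation is in place.
# Run in an elevated PowerShell session. A reboot is needed for the SMBv1 change.

$Win8OrLater = [Environment]::OSVersion.Version -ge [Version]'6.2'
$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Is the SMBv1 server still enabled? On Windows 7 it is on unless SMB1 is explicitly 0.
function Get-Smb1Enabled {
    if ($Win8OrLater) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $p = Get-ItemProperty -Path $LanmanServer -ErrorAction SilentlyContinue
    $explicitlyOff = $p -and $p.PSObject.Properties['SMB1'] -and $p.SMB1 -eq 0
    return -not $explicitlyOff
}

function Disable-Smb1 {
    if ($Win8OrLater) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        return
    }
    # Windows 7 / 2008 R2, server side: Microsoft's documented registry switch.
    Set-ItemProperty -Path $LanmanServer -Name SMB1 -Type DWord -Value 0 -Force
    # Client side: remove the SMB1 mini-redirector from the workstation service and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Warning 'SMBv1 disabled in the registry and services; reboot to apply.'
}

# Host-level isolation: block inbound SMB (445) and NetBIOS session (139) from everywhere.
# Windows Firewall block rules take precedence over allow rules, so administer the box over
# RDP or a management agent rather than over SMB. netsh works on Windows 7 and later.
function Block-InboundSmb {
    foreach ($port in 445, 139) {
        netsh advfirewall firewall add rule name="Legacy host: block inbound TCP $port" `
            dir=in action=block protocol=TCP localport=$port | Out-Null
    }
}

# Patch evidence: MS17-010 for Windows 7 SP1 shipped as KB4012212 (security-only) and
# KB4012215 (monthly rollup). Later rollups supersede them, so "not found" is not proof the
# host is unpatched; it is a prompt to check the installed rollup level.
function Test-Ms17010Present {
    $kbs = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return [bool]($kbs -contains 'KB4012212' -or $kbs -contains 'KB4012215')
}

"SMBv1 enabled:         $(Get-Smb1Enabled)"
"MS17-010 KB installed: $(Test-Ms17010Present)"
if (Get-Smb1Enabled) { Disable-Smb1 }
Block-InboundSmb
```

Disabling SMBv1 breaks only clients that cannot speak SMBv2 or later (very old NAS boxes, some printers and scanners that push to shares); find those first by watching the SMB server’s audit events rather than by waiting for complaints. The firewall rule is a stopgap for the single host; the segmentation recommended later in this article is what keeps a whole population of legacy machines out of reach.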
It’s worthy to note that WannaCry infected Windows 7 the most despite the fact that at the time of the attack, this operating system was still supported by Microsoft with a readily available security fix issued months before the attack.
Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab said that 98% of the computers infected by WannaCry used Windows 7 as the operating system. “ #WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64,” Raiu said.
Migration to Latest Operating System
A study conducted by Kaspersky Lab showed that even as newer versions of operating systems are available, nearly 41% still use either an unsupported or approaching end of support operating system. The study also showed that 40% of very small businesses (VSBs) and 48% of small, medium-sized businesses (SMBs) and enterprises still rely on unsupported or approaching end of support operating system.
Even after vendors stop supporting an operating system with security updates, attackers keep digging up new vulnerabilities in it, knowing full well that whatever they find will never be fixed.
Using Windows 7 after its end of life on January 14, 2020 also leaves it outside the support policy of other software, such as Office 365 ProPlus, which Microsoft no longer supports on Windows 7 after that date. On the flip side, many organizations delay migrating to the latest operating systems because custom-made applications are incompatible with them. Migration cost is another reason why many organizations put off moving from outdated operating systems to newer ones.
Leaving your organization’s outdated operating system exposed to the internet leaves it open to cyber-attacks. The cost of a cyber-attack may even be higher than the cost of migrating to a newer operating system.
If the migration to a newer operating system has to be delayed a little longer, computers running outdated operating systems should be taken off the internet and off any network path that malicious actors can reach.
It is also important to practice network segmentation, especially when outdated operating systems remain in use. Network segmentation controls how traffic flows across the network.
In network segmentation, your organization’s network is divided into smaller parts, or sub-networks, so that a compromise in one sub-network cannot spread freely to the others. Computers running outdated operating systems should be kept in a separate sub-network with only the traffic they genuinely need allowed in and out.
Connect with our team of experts today to learn more and mitigate IT and cybersecurity risks for your business.
Steve E. Driz, I.S.P., ITCP