Thought leadership. Threat analysis. Cybersecurity news and alerts.
Weak Cyber Hygiene Practices Behind Successful Cloud Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert detailing the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments.
In the alert "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services," CISA said that based on data derived exclusively from several of its incident response engagements, it’s aware of several recent successful cyberattacks against various organizations’ cloud environments.
“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA said.
Weak Cyber Hygiene Practices
According to CISA, successful cyberattacks against various organizations’ cloud environments frequently occur when victim organizations’ allowed employees to work from home and used a mixture of personal devices and corporate laptops to access organizations’ cloud environments.
Here are some of the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments based on CISA’s alert:
CISA said threat actors are using phishing emails to harvest credentials for users’ cloud service accounts. In phishing emails, threat actors weaponize the traditional emails for cyberattacks.
These phishing emails, CISA said, contain malicious links that appear on a first glance as legitimate links to file hosting service account login. Login details entered on these malicious links were then stolen by threat actors and used to login to victims’ legitimate file hosting service accounts. From these hijacked legitimate file hosting service accounts, threat actors then sent emails from the victims’ accounts to steal login details for other accounts within the organization, CISA said.
Open Port 80
The CISA alert found that threat actors are exploiting open port 80. According to the agency, open port 80 was exploited even though an organization’s terminal server was located within a firewall.
Due to remote work posture, CISA said the terminal server was configured with port 80 open to allow remote employees to access it, leaving the organization’s network vulnerable.
The agency added that this open port 80 was exploited by launching brute force attacks. In brute force attacks, threat actors use the trial-and-error method to guess the correct username and password combination.
MFA Bypass via Pass-the-Cookie Attack
According to CISA, threat actors successfully signed into a cloud account with proper multi-factor authentication (MFA). “In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a ‘pass-the-cookie’ attack,” the agency said.
Authentication cookies are commonly used by cloud-based services to avoid frequently asking users to re-enter their credentials. Cookies are often valid for an extended period of time, even when the cloud-based service isn’t actively used.
“After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active,” MITRE said. “Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.”
Taking Advantage of Keyword Search Rule and Email Forwarding Rule
After gaining access into victims’ cloud service accounts, CISA said threat actors take advantage of keyword search rule and email forwarding rule.
Keyword search and email forwarding are two features found in many cloud service accounts. These features can be applied manually or automatically. While these two features are handy, these two pose a security risk due to the potential disclosure of information.
According to CISA, threat actors modified existing automated keyword search rules to search victims’ email messages for several finance-related keywords. The agency added that threat actors modified existing automated email forwarding rules and forward the emails to the threat actors’ accounts.
Mitigating Measures to Strengthen Cloud Security Practices
Here are some of the recommended mitigating measures to strengthen cloud security practices:
Phishing Scams Education
Train employees about phishing emails by making them aware how these emails are being delivered.
Secure Over-all Network from Open Port 80
One way to mitigate the adverse effect of an open port 80 is by implementing network segmentation. In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised the other sub-networks won’t be affected.
Mitigating Measures Against Pass-the-Cookie Attacks
Mitigating measures against pass-the-cookie attacks includes MFA that uses the target login domain as part of the negotiation protocol. Software configuration is another mitigating measure against pass-the-cookie attacks. In software configuration, browsers are configured to regularly delete persistent cookies.
Mitigating Measures Against Exploitation of Keyword Search Rule and Email Forwarding Rule
Mitigating measures against exploitation of keyword search rule and email forwarding rule include routinely reviewing these rules for any signs of malicious changes.
In the case of Microsoft 365, outbound spam filter policies are available to control automatic forwarding to external recipients. One of the available outbound spam filter policies is the “Off” option which disables automatic external forwarding and will result in a non-delivery report to the sender.
Implement Zero Trust Security Strategy
Zero Trust assumes that no one should be trusted by default within and outside the network. Zero trust security strategy includes the principle of least privilege and the principle of explicit verification.
In implementing the principle of least privilege, right access at the right time is only given to those who need it. Explicit verification, meanwhile, includes MFA that requires users using new devices and from new locations to respond to an MFA challenge.
Capital One Data Breach Aftermath: 3 Cyber Threats that Every Organization Should be Mindful
The data breach at Capital One Financial Corporation, the data breach that affected approximately 100 million individuals in the U.S. and approximately 6 million in Canada, throws light into 3 cyber threats that every organization using the public cloud should be mindful: account takeover attack, attack on misconfigured web application firewall (WAF) and Server-Side Request Forgery (SSRF) attack.
Large enterprises like Capital One build their own web applications on top of Amazon’s cloud services to answer to their specific needs. Amazon told the New York Timesit had found no evidence of compromise on its underlying cloud services. The company added that its customers fully control the web applications that they built.
Last July 29th, the U.S. Department of Justicearrested a Seattle resident for the intrusion on the stored data of Capital One. The arrest of the Seattle resident came as an offshoot of an email sent to the official email for responsible disclosure of Capital One. The tipster wrote that someone’s GitHub account was exposing data which appeared to belong to Capital One.
In the indictment document, Joel Martini, Special Agent at the U.S. Federal Bureau of Investigation (FBI) stated that the exposed data was verified to belong to Capital One and the GitHub account was traced to belong to the accused Seattle resident, who goes with the handle “erratic” in her Twitter and Slack accounts. A review of June 26, 2019 Slack postings, FBI Special Agent Martini said, showed that Erratic claimed to be in possession of files belonging to several companies, government entities and educational institutions, and one of these files was associated with Capital One.
Capital One, in a statement, said that it had fixed the “configuration vulnerability” that was exploited in the data breach. Publicly-available data and new information, however, show that more than one cyber threats were exploited in the Capital One data breach.
1. Account Takeover
Account takeover refers to the access of someone else’s online account for malicious purposes. In the indictment, FBI Special Agent Martini stated that the file that was publicly exposed by Erratic in her GitHub account contained a list of more than 700 folders and code for three commands.
The first command, when executed, provides login details to an account that enabled access to certain storage space of Capital One at Amazon cloud service. The said account, which had the necessary permissions, was used to extract or copy Capital One’s data. The indictment didn’t mention how the accused got hold of the login details of the account used to access Capital One’s data.
2. Misconfigured Web Application Firewall (WAF)
Web application firewall (WAF) filters, monitors and blocks traffic between a web application and the internet. A properly configured WAF blacklists and/or whitelists traffic to and from a web application.
A WAF that operates based on a blacklist, also known as negative security model, blocks traffic that doesn’t meet the predetermined qualifications. A WAF that operates on a whitelist, also known as positive security model, grants entry only to traffic that has been pre-approved. Many of today’s WAF implements both negative security model and positive security model. A typical WAF also protects web applications from attacks such as SQL injection and other common attacks against web applications.
In the indictment document, FBI Special Agent Martini stated that the data breach at Capital One was a result of a misconfigured WAF. Capital One’s logs show a number of connections or attempted connections from IP addresses beginning with 46.246. Specifically, on or about March 12, 2019, Capital One’s logs show IP address beginning in 46.246 attempted to access Capital One’s cloud data. Publicly-available records show that this IP address is controlled by a company that provides VPN services.
Capital One’s logs also show IP addresses believed to be TOR exit nodes accessed Capital One’s cloud data on or about March 22, 2019. A properly configured WAF could have blacklisted IP addresses such as those belonging to the known VPN company. Conversely, a properly configured WAF could have whitelisted only IP address or addresses used by authorized personnel of Capital One. Malicious actors, however, are continually finding creative means in breaking into web applications that are shielded by properly configured WAFs.
3. Server Side Request Forgery (SSRF) Vulnerability
New information has recently been made public about the Capital One data breach. Based on new data, including information from one who is privy to details about the ongoing Capital One breach investigation, during the attack period, Capital One used ModSecurity, an open-source WAF that’s deployed along with the open-source Apache Web server.
The new report said that the Server Side Request Forgery (SSRF) vulnerability was exploited in the Capital One data breach. While ModSecurity protects web applications against many common attack categories, it doesn't protect against SSRF.
MITREdescribes SSRF in this manner: “The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”
In the case of the Capital One data breach, one can’t say which of the attack methods – account takeover attack, attack on misconfigured WAF or Server-Side Request Forgery (SSRF) attack – played the biggest role in the data breach. These 3 types of threats have their own specific preventive and mitigating measures that every organization using the public cloud should be mindful.
When you need to safeguard your cloud applications, our web application security expert will design the right sized solution and will mitigate common risks within minutes. Contact ustoday and avoid a major breach.
Top 3 Cyber Security Predictions in 2019
Cyber-attacks are becoming more common and have become a looming threat not just to large enterprises but also to small and medium-sized organizations.
Here are our top 3 cyber security predictions for the year 2019:
1. Cloud Attack Threat
There’s a looming threat in the cloud as this is where the data is heading.
A study conducted by LogicMonitor(PDF) predicted that majority of IT workloads will move to the cloud by 2020, with workloads running in public clouds will reach 41% in 2020, while workloads running on-premises will fall to 27% and the balance will run on private or hybrid clouds.
Another study conducted by Gartnerpredicted cloud computing to be a $300 billion business by 2021. According to Gartner, organizations increasingly adopt cloud services as these have been proven to provide speed, agility and cut cost that digital business requires.
There’s, however, a flipside to the positive contributions of cloud computing. The 2nd quarter of 2018 study conducted by Gartner revealed that organizations continue to struggle with cloud security, with an estimated $400 billion lost to cyber theft and fraud worldwide.
Expanding cloud services as part of an organization’s digital initiatives is indeed needed, but these initiatives should be matched with a sound cloud security strategy as cyber criminals know that there’s money in the cloud.
There are many attack surfaces in the cloud that attackers could easily exploit. For instance, in early 2018, RedLockreported that attackers illicitly used the cloud computing resources of Tesla to mine a cryptocurrency. According to Redlock, attackers were able to gain access to Tesla’s cloud computing resources as Tesla openly exposed its Kubernetes – an open-source platform for managing cloud workloads and services – without password protection. Tesla’s exposed Kubernetes, Redlock said, contained the credentials of Tesla’s Amazon Web Service account.
In cryptocurrency mining, those who allow their computers to be used for mining digital coins are financially compensated for the computer and electricity usage. Cryptocurrency mining is legal in most countries but legality ends when this is done without the knowledge and consent of the owner of the computing resource – a cyber crime called “cryptojacking”. Since the most popular cryptocurrency Bitcoin reached an all-time high price of nearly $20,000 in late 2017, there has been a dramatic rise of cryptojacking.
2. Botnet Threat
Connecting almost every computing devices, including servers and Internet of Things (IoT) devices such as routers and security cameras, exposes online resources such as websites to botnet attacks.
Botnet, which originates from the words “robot” and “network”, refers to a group of malware-infected computers that’s remotely controlled by an attacker or attackers to conduct malicious activities such as a distributed denial-of-service (DDoS) attack. In a DDoS attack, fake traffic originating from malware-infected devices is directed against a target website, rendering the target website inaccessible to legitimate users.
In recent years, cyber attackers have tweaked in a number of ways the source code of the infamous malicious software called “Mirai”. At its peak in 2016, the Mirai malware infected hundreds of thousands of IoT devices worldwide and turned them as a “network of robots” to conduct malicious activities, including DDoS attacks.
In October 2016, the Mirai botnet almost brought down the internet when it attacked Dyn, a domain name service (DNS) provider. As a result of the attack on Dyn, 80 popular websites, including Twitter, Amazon, Reddit, Spotify and Netflix temporarily became inaccessible to the public.
A notable Mirai variant was recently discovered by researchers at Netscout. While the original Mirai infected IoT devices and turned them as part of a botnet, the Mirai variant discovered by Netscout researchers infected enterprise Linux servers and turned these compromised servers as part of a botnet. Turning hundreds of thousands or millions of IoT devices and a handful of enterprise servers as part of a DDoS botnet could bring down the internet or render many websites inaccessible to the public.
It’s important to note that the Mirai and other Mirai variant infections are preventable. The original Mirai infected hundreds of thousands of IoT devices by simply logging to these devices using default or factory username and password combinations. A mere change of default or factory username and password renders the original Mirai useless.
The recent Mirai variant discovered by Netscout researchers, on the other hand, infiltrated servers that were unpatched and through brute-force – systematic attempt to guess the correct username and password combination. Patching, that is, the timely installation of a security update, and the use of complex passwords could render this recent Mirai variant useless.
3. Shortage of Cyber Security Skills
While it’s widely known that there’s a shortage of cyber security professionals, what isn’t known is how dire the situation is.
A study conducted by (ISC)2revealed that the shortage of cyber security professionals around the world has never been more acute, placing the shortage of cyber security professionals at 2.93 million, with roughly 500,000 of these positions located in North America, 2.15 million positions located in Asia-Pacific and the balance located in other parts of the world.
“The lack of skilled cybersecurity personnel is doing more than putting companies at risk; it’s affecting the job satisfaction of their existing staff,” the (ISC)2 report said.
Happy New Year and stay safe!
DDoS Attacks: Protecting Your Business from Critical Disruption
In March 2018, developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack ever recorded.
How big? 1.35 terabits of traffic was hitting GitHubeach second.
Still, GitHub was not without its defenses.
Within 10 minutes of the attack starting, GitHub’s DDoS mitigation service stepped in to combat it. They routed all incoming and outgoing traffic and scrubbed data, blocking all malicious packets responsible.
Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was able to get back on track after just five minutes of downtime.
If GitHub had been without such a fast, effective response, the outcome of the attack might have been much worse.
A DDoS attack is a fairly cold-blooded attempt to disrupt a server, service or network’s standard operation by bombarding it with excessive traffic.
They incorporate a number of compromised computer systems to mount the attack, essentially overwhelming the target system and affecting genuine traffic.
GitHub had been targeted before, with an attack lasting for six days in 2015.
A company or organization’s website can be severely affected by a DDoS attack, potentially costing them lots of money in lost business. In fact, the average cost of a DDoS attack for businesses rose to more than $2.5 millionin 2017.
Research highlights just how common DDoS disruptions are for many companies. A staggering 849 of 1,010 enterprises questioned had been hit by a DDoS attack. DDoS disruption was estimated to cost target businesses as much as $100,000 per hour.
These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations, the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose.
Effective cybersecurity and preparation have never been more vital. Every cent available must be channeled into reinforcing your business against potential threats.
Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below:
Get to know the symptoms
Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it.
There is no real warning for a DDoS attack, though. While some hackers may issue threats, there will generally be nothing other than the assault itself.
As you might not browse your own website much on a day to day basis, it may not be until customers begin complaining about its performance than the warning bells start to sound.
However, certain other clues will tip you off:
The earlier you’re able to spot the warning signs, the sooner you can start to act.
Have a plan
Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can jump to your plan and follow it. Being prepared helps to reduce the likelihood of panic or making mistakes that exacerbate the disruption.
Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the DDoS attack with minimal impact.
Companies that have no preparations for dealing with such a situation could waste valuable time trying to make sense of it.
Know how to prioritize
You will only have limited access to your system during a DDoS attack. Make sure you focus on keeping the most high-value services and applications running to preserve as much ‘normal’ function as possible.
Again, this comes down to planning. You should have an immediate idea which areas can be let go and which must be the priority.
Pay attention to your network security
Conducting security audits on your network on a regular basis is an effective way to keep your system protected.
Take a close look at the strength of passwords (particularly for the most vulnerable areas), review which employees have access to key data, and run comprehensive checks on software. Do you have the most up to date versions? Have any known security risks come to light with an application you’re using?
A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate this into ongoing workplace routines: make sure it becomes a habit and is never overlooked.
Letting your system go without the proper audits and preparations can leave it vulnerable to attack. Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.
Turn to the professionals
Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience.
Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company.
Hiring a professional cybersecurity firmto defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting.
Are you concerned about your company’s vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact ustoday to protect your organization.
Top 5 Cloud Computing Security Concerns
A Birmingham, Alabama-based healthcare company publicly acknowledged that it was a victim of a recent security breach.
According to the healthcare company, its cloud hosting and server management provider suffered a security breach at its facility. Information which may have been accessed as a result of the security breach at the cloud provider’s facility includes patient's name, address, telephone number, email address, Social Security number, medical record number, patient ID, physician name and health plan/insurance number.
This recent security breach at a cloud provider’s facility shows the vulnerability of some cloud providers.
According to Gartner, Inc., the worldwide cloud services market is projected to grow by 18% in 2017 to total $246.8 billion, from $209.2 billion in 2016.
"While some organizations are still figuring out where cloud actually fits in their overall IT strategy, an effort to cost optimize and bring forth the path to transformation holds strong promise and results for IT outsourcing (ITO) buyers,” Sid Nag, research director at Gartner, said. Nag added that cloud adoption strategies will influence more than 50% of IT outsourcing deals through 2020.
The 2016 Global Cloud Data Security Study conducted by the Ponemon Institute found that 73% of IT professionals said cloud computing applications and platform solutions are important or very important to business operations today. The IT professionals surveyed by Ponemon Institute estimated that 36% of their organizations’ total IT and data processing needs are met by cloud resources.
According to Cloud Security Alliance (PDF), beyond the handful large cloud providers, the reality is that there are tens of thousands of unique cloud providers. Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for securing cloud computing.
A January 2016 CSA survey found that only 65% of the survey respondents were confident that the cloud had greater or equal security than internal IT systems. “Cloud provider security is uneven overall, with some providers having excellent security programs and others leaving much to be desired,” the CSA said in its 2016 state of cloud security report.
Here are the top 5 security concerns for cloud-based services:
1. Data Security Breach
The recent data breach at the cloud hosting and server management provider’s facility and the resulting unauthorized access of sensitive data of the Birmingham, Alabama-based healthcare company shows the security vulnerability of cloud providers.
Based on the Ponemon Institute study, the data that organizations move to the cloud is also the information that’s most at risk. Sixty percent of the Ponemon Institute’s 2016 global cloud data security study said it’s more difficult to protect confidential or sensitive information in the cloud.
2. Cloud Account Hijacking
Cloud hijacking refers to the breaking or taking over of a cloud account of an individual or organization. In 2010, Amazon encountered a cross-site scripting bug that allowed attackers to steal user login credentials. In 2014, the cloud hijacking threat called “Man in the Cloud” (PDF) enables an attacker to access synchronization services (such as GoogleDrive and Dropbox) account without compromising the victim’s user name or password.
3. Insider Threat
A malicious insider is defined by the CERT Insider Threat Center as a “current or former employee, contractor, or other business partner who has or had authorized access to an organizations network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organizations information or information systems”.
In the study "Insider Threats to Cloud Computing: Directions for New Research Challenges", Carnegie Mellon University researchers named 3 types of cloud-related insider threats:
A. Cloud Insider as a Rogue Administrator
According to the Carnegie Mellon University researchers, the threat of rogue administrators is layered differently for a cloud platform compared to a standard enterprise environment, with at least four levels of administrators to consider in the cloud, including hosting company administrators, virtual image administrators, system administrators and application administrators.
B. Insider Who Exploits a Cloud-Related Vulnerability to Steal Information from a Cloud System
According to the Carnegie Mellon University researchers, this second type of cloud-related insider threat refers to an insider within the organization who exploits, whether malicious or accidental, vulnerabilities exposed by the use of cloud services to gain unauthorized access to organization systems or data. An example of this second type of cloud-related insider threat is when an employee of the victim organization is tricked by a malicious outsider into opening a document infected with malicious software.
C. Insider Who Uses Cloud Systems to Carry Out an Attack on an Employer’s Local Resources
This third type of cloud-related insider, according to the Carnegie Mellon University researchers, is different from the previous type of insider as this “third type of insider uses the cloud as the tool to carry out the attack on systems or data targeted that are not necessarily associated with cloud-based systems”. An example of this third type of insider is when an insider who plans to leave the company leverages cloud storage to steal sensitive information to take to a new job with a competitor.
4. Denial of Service Attacks
Another attack path that has been used to adversely affect cloud services is the distributed denial of service (DDoS) attack. A DNS amplification attack is an example of DDoS tactic in which the attacker delivers traffic to a victim and reflects it off to a third party to conceal the origin of the attack.
According to Microsoft, even a small DDoS attack – the size of 30 Mbps – if left unchecked could affect the availability of the cloud service. “Even if the service itself remains available for users, the bandwidth users rely on to get to the service can be starved, resulting in slow, intermittent, or unreliable service, or rendering the service unreachable,” Microsoft said.
5. Malware Injection
In the study “Security Threats on Cloud Computing Vulnerabilities”, East Carolina University researchers found that an attacker can create malicious software and inject it to target cloud service models. “Once the injection is completed, the malicious module is executed as one of the valid instances running in the cloud; then, the hacker can do whatever s/he desires such as eavesdropping, data manipulation, and data theft,” the East Carolina University researchers said.
Steve E. Driz, I.S.P., ITCP