STE WILLIAMS

ISS World “malware attack” leaves employees offline

Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”

The company’s website currently shows a holding page, with no clickable links on it:

ISS World replaced its website with a static information page.

On 17 February 2020, ISS was the target of a malware attack. As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.

The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.

As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.

But one silver lining for ISS World is that many, perhaps most, of its staff don’t rely on computers to carry out their hour-by-hour work, and most staff work on customer sites:

The nature of our business is to deliver services on customer sites mainly through our people and as such we continue our service delivery to customers while implementing our business continuity plans. Our priority is to ensure limited or no disruption while we fully restore all systems.

Nevertheless, a report in the UK claims that 43,000 staff worldwide, including 4000 in the UK, don’t have access to email, a serious operational blow to any modern business.

ISS World has promised, via its one-page, static website, that it is “currently estimating when IT systems will be fully restored and are assessing any potential financial impact”, and that it will “provide a further update when we have significant, additional information.”

Two things right

As bad as it sounds, it seems that the company has done at least two things right: it has issued a clear statement of what it’s willing to say right now, and it has stated that it will tell us all more when it is sure of its facts.

It’s easy to jump down the throat of a business that suffers a cyberattack, to demand answers right away, and to assume that “something is suspicious” if the company asks for time to investigate before making a full statement.

In this case, we’d urge ISS World customers to be as patient as possible, and to give the company time to find out as much as it can, with as much forensic precision as possible, before expecting it to reveal what it knows.

Incidents of this size in a business this large are definitely a matter for the regulators and for law enforcement – so if there’s any chance of finding out who was responsible with the sort of evidence that would stand up in court…

…let’s hope ISS World can come up with it.

What to do?

Here’s our advice on how to keep crooks out of your network – not just for ransomware in particular, but for malware in general.

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Attacks such as WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted malware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y0hNTP9Tc8U/

RSA Conference loses one more abbreviated tech giant after AT&T disconnects over Wuhan coronavirus fears

Yet another big brand has pulled out of RSA Conference, due to take place next week, amid the ongoing novel coronavirus panic.

AT&T Cybersecurity, formerly AlienVault, confirmed today it will not send employees to the annual infosec shindig out of concern for their health: it doesn’t want its staff to pick up the Wuhan bio-nasty from any one of the thousands of folks jetting into the event. The telco goliath declined to say how many workers were supposed to attend or whether employees would be allowed to turn up on their own dime.

“We have decided not to participate in RSA Conference 2020 after careful consideration and discussions. We value our participation in industry events like RSA and greatly support the measures taken by event organizers to protect attendees,” an AT&T spokesperson told The Register.

“But it is our responsibility to safeguard our employees. While we are withdrawing our participation for this year, we look forward to returning next year.”

AT&T did not say whether it was also pulling its sponsorship of the event, though the comms giant is still listed as a “Gold Sponsor” on the RSAC website.


This is the second major vendor to pull out of the annual security gathering, held in San Francisco, USA, in as many weeks. Just days ago, IBM announced it will also hold back its employees from the convention over fears the deadly novel coronavirus could break out among attendees.

RSAC organizers said, following AT&T Cybersecurity’s decision to withdraw from the event, that about 1.2 per cent of its 40,000 to 45,000 attendees – roughly 500 to 550 people – have cancelled their registrations so far. This includes six of the nine Chinese companies scheduled to attend.

This spin by the conference bosses is a little like a music festival claiming, after a headline band pulls out, that only 0.05 per cent of attendees have refused to show up, but hey, maybe we’re just painfully cynical.

“The remaining three exhibitors from China will be staffing their booth with individuals from the USA to maintain their presence at RSA Conference,” the organizers’ ongoing coronavirus alert web page reads.

“The total number of exhibitors, including AT&T, that have canceled their participation as a sponsor or exhibitor is thirteen. As stated above, six of them are from China; six are from the USA, and one of them is from Canada.”

Despite the pullout, we appear to be a long way from the sort of wholesale sponsor revolt that brought down Mobile World Congress, a mega-bash that draws a significantly larger number of attendees from China – the epicenter of the virus – than RSA. Earlier this week, El Reg polled the remaining platinum sponsors, and all said they still plan to be at the show next week. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/20/att_security_out_rsa/

Stuffing nonsense: Persistent cyberpunks are pummelling banks’ public APIs, warns Akamai

Financial services firms’ public APIs are becoming the target du jour for internet ne’er-do-wells, reckons Akamai, which also said that one of its customers was firehosed with 55 million malicious login attempts last summer.

The web services ‘n’ security biz said, in a report released today, that three-quarters of all credential abuse attacks it detected in 2019 were targeted at banks’ publicly available APIs.

“Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” said Steve Ragan, Akamai security researcher and first author of the State of the Internet / Security report. “Criminals targeting the financial services industry pay close attention to the defences used by these organisations, and adjust their attack patterns accordingly.”

Akamai said it had “observed 85,422,079,109 credential abuse attacks” over two years, spanning December 2017 to November last year. Around a fifth of these – 16,557,875,875 – “were against hostnames that were clearly identified as API endpoints”. In turn, 473,518,955 of those were categorised as attacks against organisations in the financial services industry.

The firm said in a statement: “On August 7, 2019, Akamai recorded the single largest credential stuffing attack against a financial services firm, in our company’s history, consisting of 55,141,782 malicious login attempts. This attack was a mix of API targeting, and other methodologies.”

Credential stuffing is where cybercrims take a list of previously breached usernames and passwords and try the list against other websites and services in the hope that some of them might work.
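One way to pick credential stuffing out of authentication logs, as an added example (this is not Akamai’s code; the log format, thresholds and sample lines are constructed for illustration): a stuffing run replays a breached list, so a single source produces many attempts against many different accounts with a very low success rate, which is a different shape from either normal traffic or a brute-force against one account.

```python
"""Credential-stuffing detector over authentication log lines.

Added example, not from the Akamai report or The Register article.
Log format, thresholds and sample data are constructed; adapt the parser
to your own API gateway or identity-provider logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client ip> <username> <result>".
# The first 12 lines mimic a list replay from one source (one password
# happens to match); the rest is ordinary traffic, including one user who
# mistypes a password once.
SAMPLE_LOG = """\
2020-02-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-02-20T10:00:01Z 203.0.113.7 bob@example.com FAIL
2020-02-20T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-02-20T10:00:02Z 203.0.113.7 dave@example.com OK
2020-02-20T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-02-20T10:00:03Z 203.0.113.7 frank@example.com FAIL
2020-02-20T10:00:04Z 203.0.113.7 grace@example.com FAIL
2020-02-20T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2020-02-20T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2020-02-20T10:00:05Z 203.0.113.7 judy@example.com FAIL
2020-02-20T10:00:06Z 203.0.113.7 mallory@example.com FAIL
2020-02-20T10:00:06Z 203.0.113.7 niaj@example.com FAIL
2020-02-20T10:00:30Z 198.51.100.23 olivia@example.com FAIL
2020-02-20T10:00:35Z 198.51.100.23 olivia@example.com OK
2020-02-20T10:01:10Z 198.51.100.50 peggy@example.com OK
2020-02-20T10:02:00Z 198.51.100.77 sybil@example.com OK
"""


def parse_line(line):
    """Constructed format -> (timestamp, ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_attempts=10,
                    min_distinct_users=8, max_success_ratio=0.2):
    """Return {ip: stats} for sources whose traffic inside some sliding window
    looks like list replay: many attempts, almost all against different
    accounts, and mostly failing. A brute-force against one account (few
    distinct users) is deliberately not flagged by this rule."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {u for _ts, u, _ok in win}
            successes = [u for _ts, u, ok in win if ok]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(win) <= max_success_ratio):
                prev = flagged.get(ip)
                if prev is None or len(win) > prev["attempts"]:   # keep widest hit
                    flagged[ip] = {"attempts": len(win),
                                   "distinct_users": len(users),
                                   "successes": len(successes),
                                   "compromised": sorted(set(successes))}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The few successes inside a flagged window are the accounts whose reused passwords matched; those are the ones to reset. Attackers who study the defences spread the list across proxies so that each IP stays under a per-source threshold; the same window statistics computed per target account, or globally per API endpoint, catch that variant.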

SQL injection attacks accounted for around 72 per cent of all attacks during the two-year period examined in the report. The top attack type against the financial services sector was Local File Inclusion (LFI), Akamai said, accounting for just under half (47 per cent) of observed traffic.

“LFI attacks,” it said, “exploit various scripts running on servers, and as a consequence, these types of attacks can be used to force sensitive information disclosure. LFI attacks can also be leveraged for client-side command execution (such as a vulnerable JavaScript file), which could lead to Cross-Site Scripting (XSS)” as well as plain old denial-of-service attacks.

The full report can be found here (PDF). ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/20/bank_api_new_target_du_jour_akamai/

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date.

That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple’s browser.

The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.

By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple’s requirements – or risk breaking pages on a billion-plus devices and computers.


Tim Callan, a senior fellow at PKI and SSL management firm Sectigo, who attended this week’s meeting in Slovakia, told The Register: “This week Apple announced at the 49th CA/Browser Forum Face-to-Face that it will limit the term of accepted TLS certificates to 398 days as of September 1, 2020. Certificates issued on or after that date with term beyond 398 days will be distrusted in Apple products.

“Certificates issued prior to September 1 will have the same acceptable duration as certificates do today, which is 825 days. No action is required for these certificates.”
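To check a certificate against the rule as the article states it, here is an added example (not Apple’s or Sectigo’s code). It assumes the cutoff and the two limits quoted above, measures the term as notAfter minus notBefore, and parses the date format printed by `openssl x509 -noout -dates` and returned by Python’s ssl.getpeercert(); check_live_host() is the only part that needs a network.

```python
"""Check an X.509 certificate's validity term against the 398-day limit.

Added example; not Apple's or Sectigo's code. Assumes the rule as quoted
in the article: certificates with notBefore on or after 2020-09-01 are
limited to 398 days, earlier ones to 825 days. Dates are in the format
printed by `openssl x509 -noout -dates` and by ssl.getpeercert(), e.g.
"Feb 20 12:00:00 2020 GMT".
"""
import socket
import ssl
from datetime import datetime, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)   # as stated at the CA/B Forum
MAX_DAYS_AFTER_CUTOFF = 398
MAX_DAYS_BEFORE_CUTOFF = 825


def parse_openssl_time(s):
    """'Feb 20 12:00:00 2020 GMT' -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)


def parse_openssl_dates(text):
    """Parse the 'notBefore=...' / 'notAfter=...' lines that
    `openssl x509 -noout -dates -in cert.pem` prints."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    return parse_openssl_time(fields["notBefore"]), parse_openssl_time(fields["notAfter"])


def evaluate_term(not_before, not_after):
    """Return (allowed_days, actual_days, ok). The term is measured as
    notAfter - notBefore in days; the issuance date picks the limit."""
    limit = MAX_DAYS_AFTER_CUTOFF if not_before >= CUTOFF else MAX_DAYS_BEFORE_CUTOFF
    actual = (not_after - not_before).total_seconds() / 86400
    return limit, actual, actual <= limit


def check_live_host(host, port=443):
    """Fetch the leaf certificate from a live server (network access
    required) and evaluate its term."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return evaluate_term(parse_openssl_time(cert["notBefore"]),
                         parse_openssl_time(cert["notAfter"]))


if __name__ == "__main__":
    # Constructed dates: issued on the cutoff day with exactly a 398-day term
    nb, na = parse_openssl_dates("notBefore=Sep 1 00:00:00 2020 GMT\n"
                                 "notAfter=Oct 4 00:00:00 2021 GMT\n")
    print(evaluate_term(nb, na))
```

Run it against the output of `openssl x509 -noout -dates -in cert.pem` for each certificate in your inventory; anything issued after the cutoff with a term over the limit is what Safari will reject.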

The reduced certificate lifetime was mulled by Apple and other members of CA/Browser for months. The policy has its benefits and drawbacks.

The aim of the move is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks. If boffins or miscreants are able to break the cryptography in a SSL/TLS standard, short-lived certificates will ensure people migrate to more secure certs within roughly a year.

Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

“Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increase,” Callan told us.

We note Let’s Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg‘s cert is a year-long affair so we’ll be OK.


GitHub.com uses a two-year certificate, which would fall foul of Apple’s rules had it been issued after the cut-off, though as it was issued before the deadline it is unaffected. In any case it is due to be renewed by June, so there’s plenty of opportunity to sort that out. Apple’s website has a year-long HTTPS cert that needs renewing in October.

Microsoft is an interesting one: its dot-com is a two-year affair, which expires in October. If Redmond renews it for another two years, it’ll trip up over Safari’s policy.

No public announcement has been made by the Cupertino goliath, it seems, though Digicert has a page up already about the policy, dated February 19:

“Why did Apple unilaterally decide to enforce a shorter certificate lifetime?” the cert biz pondered.

“Their spokesperson said it was to ‘protect users.’ We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats.

“Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.”

Apple declined to comment. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/

Google exiles 600 apps from Play Store for ‘disruptive advertising’ amid push to clean up Android souk’s image

On Thursday Google confirmed it has removed nearly 600 Android apps from the Google Play Store and banned them from its ad services for violating its policies on disruptive advertising and interstitials.

“We define disruptive ads as ads that are displayed to users in unexpected ways, including impairing or interfering with the usability of device functions,” said Per Bjorke, senior product manager for ad traffic quality, in a blog post.

“While they can occur in-app, one form of disruptive ads we’ve seen on the rise is something we call out-of-context ads, which is when malicious developers serve ads on a mobile device when the user is not actually active in their app.”

An example of a disruptive ad would be one that covers the entire mobile device screen, without an obvious way to get rid of it.

The Register asked Google whether the corresponding developer accounts have been deleted and, if so, how the company can be certain those developers will never be able to re-register under a different identity. We’ve not heard back.

Such purges have become a regular occurrence on platforms where third-party developers are afforded some freedom, like Google Play, the Chrome Web Store, and even the iOS App Store.

In 2015, Google crowed about its effort to fight ad fraud. In 2017, the Chocolate Factory discussed how it dealt with an Android fraud botnet. It also removed 700,000 Android apps for policy violations that year. In 2018, the company removed Android apps that incorporated third-party ad network SDKs involved in ad fraud.


In 2019, the ad biz said it removed “tens of thousands of apps and developers” from AdMob, its mobile ad platform, and its Play Store for policy violations. That year, it also brought in reinforcements, in the form of security partners ESET, Lookout, and Zimperium, an acknowledgement that it isn’t up to policing its Android ecosystem on its own.

Where Google at times has been reactive, responding to reports of misbehaving apps provided by third-parties, it’s trying to be proactive: Bjorke contends its latest takedown was made possible by a machine learning system trained to recognize errant ads on its own.

“We recently developed an innovative machine-learning based approach to detect when apps show out-of-context ads, which led to the enforcement we’re announcing today,” said Bjorke.

The search biz said it’s also making changes to Android to minimize app interruptions and give users more control over what appears on device screens. Google this week published the Developer Preview for Android 11, which contains privacy improvements like one-time permissions and limiting permission dialogs based on implied user intent.

Asked whether this latest ouster of 600 apps for bad advertising would have any effect on the prevalence of ad fraud, Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, doubted there would be any noticeable impact, given that there are six or seven million apps in Google Play. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/21/google_nixes_android_apps/

Ransomware Damage Hit $11.5B in 2019

A new report shows the scale of ransomware’s harm and the growth of that damage year-over-year — an average of $141,000 per incident.

No one questions that a ransomware attack is a bad thing. But a new report doesn’t just confirm that these encryption assaults are bad, it also quantifies the $11.5 billion in damage that ransomware did in 2019 alone.

According to the report from Deep Instinct, ransomware attacks became more focused in 2019, going after organizations rather than individuals. And it’s not just any organization that’s coming under attack; those with critical infrastructure, life-or-death consequences, or thousands of citizens depending on their services were the most frequently targeted.

The “Cyber Threat Landscape Report” ascribes the shift in ransomware target to the rise of the non-state, financially focused attacker: criminal, in other words. This rise can also be seen in the dramatic increase in rentable malware droppers like Emotet that can be hired to deliver malware of virtually any kind to targeted systems.

As a result of the targeted attacks’ success, the average cost of a ransomware attack in 2019 was estimated at $141,000, up from $46,800 one year earlier. Sodinokibi, which appeared in the wild concurrently with the end of the GandCrab network, was the leading ransomware version of 2019, responsible for attacks such as the one that hit 22 municipalities.

For more, read here.


Article source: https://www.darkreading.com/attacks-breaches/ransomware-damage-hit-$115b-in-2019/d/d-id/1337103?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Announces General Availability of Threat Protection, Insider Risk Management

Microsoft made several security announcements ahead of RSA Conference, including its decision to bring Microsoft Defender to iOS and Android.

Microsoft today announced the general availability of its Threat Protection and Insider Risk Management platforms, as well as the decision to bring Microsoft Defender Advanced Threat Protection to iOS and Android. The announcements come amid a wave of security product news ahead of RSA Conference.

When Microsoft Threat Protection (MTP) arrived in public preview last December, it was described as an “integrated solution” built on the Microsoft 365 security suite: Defender Advanced Threat Protection (ATP) for endpoints, Office 365 ATP for email and collaboration, Azure ATP for identity alerts, and Microsoft Cloud App Security (MCAS) for software-as-a-service applications.

MTP is designed to bring the capabilities of all of these Microsoft systems together into a single tool and, in doing so, to coordinate threat detection and response. It looks across domains to understand a chain of events, pinpoint affected assets, and protect resources. MTP prioritizes incidents for investigation and response, terminates malicious processes on endpoints, and removes mail-forwarding rules an attacker may have put in place. It’s meant to give admins greater visibility, stop attacks from spreading, and automatically fix assets affected in an attack.

Insider Risk Management, built into Microsoft 365 and launched in preview at last year’s Ignite, aims to help security teams address a threat that has become a primary concern among CISOs. It started with an internal demand at Microsoft to use machine learning to detect threats based on user behavior, explains Ann Johnson, corporate vice president of cybersecurity at Microsoft.

“It’s one of those solutions that when we brought it to market, the demand was instant,” she says. Insider Risk Management uses the same technology that classifies and protects 50 billion documents for Microsoft users; it’s meant to bring signals, sensitivity labels, and content into a single view so admins can get a picture of what’s happening and take appropriate action.

Many insider threat cases are not inherently malicious, Johnson explains. In one preview case, an employee had forwarded a work email to their personal email because there was data they wanted to access, and they didn’t realize the email contained confidential proprietary data. In another, the tool picked up on users authenticating into applications from different locations.

The preview process taught Microsoft about how companies approach insider threats, which the company believed would be more of a compliance issue, Johnson says. “What we’ve learned is a lot of customers consider insider risk management solely a SOC problem,” she explains. Going forward, a goal is to add new capabilities to educate customers on how they can integrate insider threat management into their broader risk management platforms.

In addition to making MTP and Insider Risk Management generally available, Microsoft is bringing Defender ATP to Linux in public preview and plans to bring the security platform to Android and iOS later this year. Mobile apps for both platforms will be demonstrated at next week’s RSA Conference. Defender ATP is already available on Windows and Mac platforms.

Among Microsoft’s announcements are new capabilities for Azure Sentinel, which debuted in February 2019 and became generally available in September. The cloud-native SIEM narrows down high volumes of signals into the significant incidents security teams should prioritize. In December, Microsoft used Sentinel to evaluate nearly 50 billion suspicious signals and generated 25 high-confidence alerts for the security operations team to investigate.

Microsoft is bringing in new data connectors and workbooks from Forcepoint, Zimperium, Quest, CyberArk, Squadra, and other partners to enable easier data collection. A new connector for Azure Security Center for IoT lets admins onboard data from Internet of Things workloads into Azure Sentinel from deployments managed in IoT Hub. It’s also releasing new developer documents, guides, samples, validation criteria, and an updated GitHub wiki.

To show how Azure Sentinel can pull security insights from across the enterprise, Microsoft is letting new and current Azure Sentinel users import Amazon Web Services CloudTrail logs at no additional cost from Feb. 24 through June 30, 2020.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis.

Article source: https://www.darkreading.com/cloud/microsoft-announces-general-availability-of-threat-protection-insider-risk-management-/d/d-id/1337105?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Popular Mobile Document-Management Apps Put Data at Risk

Most iOS and Android apps that Cometdocs has published on Google and Apple app stores transmit entire documents – unencrypted.

Dozens of popular file management apps published by a widely used operator of an online document management system do not encrypt file transfers to and from user devices, potentially exposing data.

Mobile security firm Wandera, which discovered the issue, described it as impacting 23 of 29 Cometdocs apps on Apple’s App Store. Four of the remaining apps did not convert files as claimed, and the other two were not file conversion apps. A random sampling of 31 Android versions of the same apps that Cometdocs has published on Google’s official Play store showed them to be leaking private files as well, Wandera said.

“The Cometdocs applications are transferring files without using encryption (via http), providing bad actors the opportunity to cache and retrieve the files,” the security vendor said in a report Thursday. The lack of encryption also gives attackers on the same Wi-Fi network as the user an opportunity to access files as they are transmitted to and from Cometdocs servers.

“This is the first time I have seen entire documents sent across the network without strong encryption,” says Michael Covington, vice president of product at Wandera. Bad actors and casual eavesdroppers need minimal effort to obtain entire documents being sent to the conversion service, he says. Though Wandera has not performed any random tests of other document management software, it is unlikely that many are leaking full documents like Cometdocs apps, Covington notes.
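As an added example (not Wandera’s tooling), a detector that inspects one captured HTTP request and reports document uploads that went over plaintext: the request, host and filenames are constructed, and the capture is assumed to come from a port-80 proxy or tcpdump so that the transport scheme is known.

```python
"""Spot documents leaving a device over plaintext HTTP.

Added example, not Wandera's code. Given the raw bytes of one HTTP
request captured on port 80, it reports multipart file parts (and a bare
document body) by filename, size and sniffed type. The request below is
constructed; the host uses the reserved .invalid TLD.
"""
import re

BOUNDARY = b"----ExampleBoundary7MA4YWxkTrZu0gW"
PDF_BODY = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"   # toy PDF
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="token"\r\n\r\n'
    b"abc123\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="q3-forecast.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n"
    + PDF_BODY + b"\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: convert.example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    + (b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY))
    + SAMPLE_BODY
)

# Leading bytes of the document formats worth alerting on
DOC_MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/office", b"\xd0\xcf\x11\xe0": "ole/office"}


def sniff(data):
    for magic, kind in DOC_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def split_request(raw):
    """Raw request -> (method, path, {lower-case header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method.decode(), path.decode(), headers, body


def multipart_files(headers, body):
    """Walk the multipart/form-data parts and return the file parts."""
    ctype = headers.get(b"content-type", b"")
    m = re.search(rb'boundary="?([^";]+)', ctype)
    if not ctype.startswith(b"multipart/") or not m:
        return []
    delim = b"--" + m.group(1)
    files = []
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):            # closing delimiter
            break
        phead, _, pbody = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        fm = re.search(rb'filename="([^"]*)"', phead)
        if not fm:
            continue                          # ordinary form field
        if pbody.endswith(b"\r\n"):           # CRLF belongs to the next delimiter
            pbody = pbody[:-2]
        files.append({"filename": fm.group(1).decode(), "bytes": len(pbody),
                      "kind": sniff(pbody)})
    return files


def find_cleartext_uploads(raw, scheme="http"):
    """Findings for one request; `scheme` is what the capture tells you about
    the transport, and only plaintext POST/PUT requests are reported."""
    method, path, headers, body = split_request(raw)
    if scheme != "http" or method not in ("POST", "PUT"):
        return []
    host = headers.get(b"host", b"?").decode()
    findings = [dict(host=host, path=path, **f) for f in multipart_files(headers, body)]
    if not findings and sniff(body):          # document sent as the raw body
        findings.append({"host": host, "path": path, "filename": None,
                         "bytes": len(body), "kind": sniff(body)})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_uploads(SAMPLE_REQUEST):
        print(f)
```

On a real capture, feed each request in turn; anything flagged was readable by every device on the same Wi-Fi and by every cache on the path, which is exactly the exposure the report describes.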

These apps are an example of the risks organizations face when they allow employees to use unmanaged mobile devices and non-vetted apps for work-related purposes. “When users introduce applications and personally-enabled IT setups into the workplace without understanding how they work, it can cause a lot of headaches for IT and security professionals,” Covington says.

Wandera said it had notified Cometdocs three times between December 2019 and January 2020 about the issue but has so far not received a response. Cometdocs did not immediately respond to a Dark Reading request for comment.

Cometdocs bills itself as a provider of apps that allow mobile device users to convert PDF documents into Word, Excel, PowerPoint, AutoCAD, HTML, and other formats. The company claims that its apps can also be used to create PDF documents from a variety of other formats, including rarely used ones such as Publisher and XPS. 

Its services include storing documents in the cloud for users so the files can be accessed from anywhere. Cometdocs apps allow users to sign into Gmail, iCloud, Dropbox, OneDrive, and other popular file-hosting services and fetch files from there. Or users can manually upload files to the service from their mobile devices.

Cometdocs claims that some 3 million people worldwide currently use its software. The company offers both a free and paid version of its document conversion service.

Covington says that Cometdocs apps appear to be widely used by employees in enterprise settings. “I was honestly surprised to see that Cometdocs is actively used by some of Wandera’s largest enterprise customers,” Covington notes. “In fact, our researchers first investigated these apps because we saw a data leak originating from one of our customer devices,” he says.

One reason for the popularity of Cometdocs’ apps could be that many businesses are not equipped with an IT-approved PDF-converter tool. So employees are likely simply going to Apple and Google’s mobile app stores and installing something they can use to quickly convert files. “They assume that such a simple piece of software shouldn’t introduce any risk,” Covington says.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism.

Article source: https://www.darkreading.com/mobile/popular-mobile-document-management-apps-put-data-at-risk-/d/d-id/1337110?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Nearly half of hospital Windows systems still vulnerable to RDP bugs

Almost half of the Windows devices connected to hospital networks are still exposed to the wormable BlueKeep flaw nearly a year after it was announced, according to a report released this week.

The report, called 2020 Vision: A Review of Major IT Cyber Security Issues Affecting Healthcare, comes from CyberMDX, which provides cybersecurity systems for hospitals.

It says that 22% of a typical hospital’s Windows devices are exposed to BlueKeep; among the Windows devices that are actually connected to a network, the proportion that are vulnerable is far higher, at 45%.

CyberMDX gathers these kinds of metrics via its own platform, which tells it about the machines it’s protecting in the field. It told us that it has analysed a little over a million data points collected from machines across hundreds of facilities.

The BlueKeep bug (CVE-2019-0708), first reported in May 2019, is wormable, meaning that an exploit can spread from one machine to the next without any human interaction, by sending malicious packets over the Remote Desktop Protocol (RDP) to Microsoft’s Remote Desktop Services (RDS).

It affected Windows 7 and Windows Server 2008 and 2008 R2 (Microsoft even shipped fixes for the out-of-support Windows XP and Server 2003), and patches were issued when the bug was first reported. However, as with many patches, companies have taken a long time to apply them, and there is a ‘long tail’ of machines still online and vulnerable.

The problem doesn’t just lie with BlueKeep. According to the CyberMDX report, 25% of connected devices in hospitals are also exposed to another flaw: DejaBlue.

News of DejaBlue surfaced in August 2019 when Microsoft patched another two RDP bugs, this time affecting versions of Windows from Windows 7 up to and including Windows 10. These bugs, CVE-2019-1181 and CVE-2019-1182, are also wormable.

Like BlueKeep, these bugs are exploitable using a maliciously crafted RDP message. The saving grace for some users is Network Level Authentication (NLA), which, when turned on, requires the client to authenticate before it can reach the vulnerable code. However, an attacker who holds valid credentials can still mount the attack, so NLA is a mitigation rather than a substitute for the patch.

Patching devices is a particular problem in healthcare according to the CyberMDX report, which suggests some devices need specialised toolkits or skill sets when modifying their code. Regulations may also put hurdles in a healthcare company’s way when patching these devices.

Those aren’t the only reasons for poor patching, though. We can look to the UK National Audit Office’s investigation of WannaCry, another worm-based attack that brought the National Health Service to its knees in 2017, for some answers. That document said that most affected systems were unpatched boxes still on support contracts.

There was no formal mechanism for checking that recommended patches had been applied when WannaCry hit, the document said. After the attack, the NHS admitted that it needed a way to ensure that organisations acted on the alerts that NHS Digital was sending out, which included applying software patches. So enforcing best practice seems to be a problem for large healthcare bureaucracies.

Jon Rabinowitz, VP of marketing for CyberMDX, confirmed that visibility is an issue for hospitals:

Patching medical devices is a challenge hospitals constantly face. Many hospitals lack the necessary asset visibility to even centrally identify vulnerable devices. Some devices run multiple operating systems and most SIEMs will not be able to properly capture and communicate this information for IT/IS teams.

There’s also the matter of identifying the exact version of the OS running as well as noting what patches and updates have been installed across the device/software lifecycle. This requires a level of granularity that just doesn’t normally exist in the standard structure for hospital IT operations.

The NHS had developed a cybersecurity response plan following government warnings about the possibility of an attack but hadn’t yet implemented it, the NAO report added.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wGhEwriWtkU/

Ransomware attack forces 2-day shutdown of natural gas pipeline

The US Department of Homeland Security (DHS) on Tuesday said that an infection by an unidentified ransomware strain forced the shutdown of a natural-gas pipeline for two days.

Fortunately, nothing blew up. The attacker never got control of the facility’s operations, the human-machine interfaces (HMIs) that read and control the facility’s operations were successfully yanked offline, and a geographically separate central control was able to keep an eye on operations, though it wasn’t instrumental in controlling them.

Where this all went down is a mystery.

The alert, issued by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), didn’t say where the affected natural gas compression facility is located. It instead stuck to summarizing the attack and provided technical guidance for other critical infrastructure operators so they can gird themselves against similar attacks.

The alert did get fairly specific with the infection vector, though: whoever the attacker was, they launched a successful spearphishing attack, which enabled them to gain initial access to the facility’s IT network before pivoting to its operational technology (OT) network.

OT networks are where hardware and software for monitoring and/or controlling physical devices, processes and events reside. Some examples are SCADA industrial control systems, programmable logic controllers (PLCs), and HMIs.

After the attacker(s) got their hands on both the IT and OT networks, they deployed what CISA called “commodity” ransomware, encrypting data on both networks. Staff lost access to HMIs, data historians and polling servers. Data historians – sometimes referred to as process or operational historians – are used in several industries, and they do what you might expect: record and retrieve production and process data by time and store the information in a time series database.
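The pivot described above, from the IT network into the OT network, is exactly the crossing a site’s firewall logs should make visible. The following is an added example, not code from the CISA alert or from this article: it scans firewall log lines for connections that went from the IT network into the OT network and reports any that are not on an explicit allowlist. The subnets, hosts, ports and log lines are constructed for illustration, and the key=value log format is a hypothetical generic export.

```powershell
# Added example (not from the CISA alert or the article): report IT -> OT
# connections that are not on the site's allowlist. Everything below is
# constructed sample data; substitute your own subnets, allowlist and log export.

$ItPrefix = '10.10.'   # hypothetical IT network, 10.10.0.0/16
$OtPrefix = '10.20.'   # hypothetical OT network, 10.20.0.0/16

# The only IT -> OT flow this hypothetical site expects:
# a jump host reaching the data historian over RDP
$Allowlist = @(
    [pscustomobject]@{ Src = '10.10.5.20'; Dst = '10.20.1.10'; Port = 3389 }
)

# Constructed firewall log lines (generic key=value format)
$LogLines = @(
    '2020-02-18T09:12:01Z action=ALLOW src=10.10.5.20 dst=10.20.1.10 dport=3389 proto=tcp',
    '2020-02-18T09:12:07Z action=ALLOW src=10.10.8.44 dst=10.20.1.10 dport=445 proto=tcp',
    '2020-02-18T09:12:09Z action=ALLOW src=10.10.8.44 dst=10.20.2.15 dport=3389 proto=tcp',
    '2020-02-18T09:12:30Z action=ALLOW src=10.20.1.10 dst=10.20.2.15 dport=502 proto=tcp',
    '2020-02-18T09:13:02Z action=DENY src=10.10.8.44 dst=10.20.2.16 dport=3389 proto=tcp'
)

function Get-UnexpectedItToOtFlows {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Only connections the firewall allowed matter; a DENY never crossed the boundary
        if ($line -notmatch 'action=ALLOW\s+src=(?<src>\S+)\s+dst=(?<dst>\S+)\s+dport=(?<port>\d+)') { continue }
        $src  = $Matches.src
        $dst  = $Matches.dst
        $port = [int]$Matches.port

        # Keep only flows whose source is in IT and whose destination is in OT
        if (-not ($src.StartsWith($ItPrefix) -and $dst.StartsWith($OtPrefix))) { continue }

        # Anything not explicitly expected is reported for investigation
        $known = $Allowlist | Where-Object { $_.Src -eq $src -and $_.Dst -eq $dst -and $_.Port -eq $port }
        if (-not $known) {
            [pscustomobject]@{
                Time = $line.Split(' ')[0]
                Src  = $src
                Dst  = $dst
                Port = $port
            }
        }
    }
}

# With the sample data this reports the two 10.10.8.44 connections into OT
# (SMB to the historian, RDP to a second OT host); the allowed jump-host
# session and the OT-internal Modbus traffic are not reported.
Get-UnexpectedItToOtFlows -Lines $LogLines | Format-Table -AutoSize
```

The check is deliberately narrow: it assumes the IT and OT ranges are separable by prefix and that the allowlist is short, which is the situation a segmented plant should be in. A long or growing allowlist is itself a finding, since every entry is a path a spearphished IT workstation could use to reach OT.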

Although humans partially lost their view of some low-level OT devices, the attack didn’t affect PLCs, and hence, the facility never lost control of operations. From the alert:

At no time did the threat actor obtain the ability to control or manipulate operations.

CISA’s alert also noted that, although the victimized facility’s emergency response plan didn’t specifically take cyberattacks into consideration, a decision was made to implement what DHS called a “deliberate and controlled shutdown” of operations. That shutdown lasted about two days. It also affected other compression facilities that were linked to the victimized site, the advisory said:

Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies.

As a result, “the entire pipeline asset” had to be shut down for two days, not just the victimized compression facility.

Why, in this day and age, when ransomware and other malware attacks are running amok, would cyberattacks have been left out of a utility company’s emergency response plan? CISA said in its advisory that the victimized facility pointed to a gap in cybersecurity knowledge as a factor: that gap is at the heart of the facility’s failure to “adequately incorporate cybersecurity into emergency response planning.”

For years, DHS has been warning that enemy nations have been ready to disrupt US energy utilities.

In 2018, DHS’s chief of industrial-control-system analysis, Jonathan Homer, got specific. He said that between 2016 and 2018, Russian hackers snared “hundreds of victims” in the utilities and equipment sectors, to the point where “they could have thrown switches” in a way that could have caused power blackouts. Similarly to the recently announced natural-gas compression facility attack, those compromises also started with phishing attacks, according to Homer. He added that the attackers had, at the time, been sophisticated enough to even jump air-gapped networks.

Although we don’t know which malware strain was involved in this week’s advisory, Ars Technica notes that it comes two weeks after researchers from industrial cybersecurity firm Dragos reported that a ransomware strain known as EKANS had tampered with industrial control systems used by gas facilities and other critical infrastructure.

Dragos reported that EKANS, a ransomware that emerged in December 2019, is pretty straightforward, as ransomware goes: it encrypts, it displays a ransom note. But beyond that, it’s been tailored to cripple industrial control systems in particular. From Dragos’s writeup:

EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations. While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space.

ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.

Mind you, we don’t know if EKANS was used in this recent incident at the natural-gas pipeline. What we do know: ransomware exists to specifically target such crucial infrastructure facilities, and operators should be aware of the risks that entails.

Again, CISA’s advisory provides guidance for critical infrastructure operators. Here’s additional guidance for the rest of us:

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
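The “Lock down RDP” advice above, the NLA point made in the BlueKeep article earlier on this page, and CyberMDX’s remark that hospitals often cannot even identify which devices run a vulnerable OS or which updates they have installed, all come down to the same per-host questions. The following is an added example, not code from Sophos, CyberMDX or CISA: a read-only PowerShell audit of one Windows host’s RDP exposure. It reads the registry values that control Remote Desktop and NLA, checks whether the host is in the Windows 7 / Server 2008 release family the article names, and compares installed updates against a KB list. The KB list is a placeholder to be filled from Microsoft’s advisory for the CVE being tracked; the risk labels are this example’s own, not a vendor scale.

```powershell
# Added example (not from the article, Sophos, CyberMDX or CISA): read-only
# audit of one Windows host's RDP exposure. Run in an elevated PowerShell
# session on the host, or wrap it in Invoke-Command to collect the same
# object from many hosts into one inventory.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0

# UserAuthentication = 1 means Network Level Authentication is required, so a
# client must authenticate before it reaches the RDP code paths the bugs live in
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# Windows 7 and Server 2008 R2 report NT 6.1, Server 2008 reports NT 6.0:
# the release family the article names as affected by BlueKeep
$legacyFamily = $os.Version -match '^6\.[01]\.'

# Installed updates compared with the KBs your patch policy requires.
# Placeholder list: take the real KB IDs from Microsoft's advisory for the CVE.
$requiredKbs = @('KB-PLACEHOLDER-1')
$installed   = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKbs  = @($requiredKbs | Where-Object { $installed -notcontains $_ })

# Example's own risk labels, not a vendor scale
if (-not $rdpEnabled) {
    $risk = 'LOW: RDP disabled'
} elseif (-not $nlaRequired) {
    $risk = 'HIGH: RDP reachable without NLA'
} elseif ($legacyFamily -and $missingKbs.Count -gt 0) {
    $risk = 'HIGH: legacy OS missing required updates'
} else {
    $risk = 'MEDIUM: RDP enabled with NLA; confirm patch level'
}

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    OSVersion    = $os.Version
    LegacyFamily = $legacyFamily
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    MissingKbs   = ($missingKbs -join ',')
    Risk         = $risk
}
```

Two caveats the article itself makes apply here. NLA only raises the bar for an unauthenticated attacker; with valid credentials the RDP flaws remain reachable, so “MEDIUM” is not “safe”. And the audit reports what the host says about itself, which is exactly the visibility CyberMDX says many hospitals lack for embedded medical devices; for those, the same questions usually have to be put to the device vendor rather than to PowerShell.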

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

For more advice, please check out our END OF RANSOMWARE page.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YqiqInxA_Kc/