A quick Saturday digest of cybersecurity news articles from other sources.
FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
Original release date: March 10, 2021
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack.
The CSA places the malicious cyber actor activity observed in the current Microsoft Exchange Server compromise into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework.
NSA Releases Guidance on Zero Trust Security Model
Original release date: February 26, 2021
The National Security Agency (NSA) has released Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing Zero Trust within networks. The Zero Trust security model is a coordinated system management strategy that assumes breaches are inevitable or have already occurred.
CISA encourages administrators and organizations to review NSA’s guidance on Embracing a Zero Trust Security Model to help secure sensitive data, systems, and services.
They are some of the biggest names in technology and cybersecurity.
And this week, they testified in front of the U.S. Senate Intelligence Committee about the SolarWinds supply chain attack and the state of cybersecurity.
The hearings, like most in Congress, lasted hours. However, SecureWorld has picked out 10 quotes that speak to the state of information security and the mindset of these leaders from corporate America.
10 powerful cybersecurity quotes [FireEye]
China-Linked Group RedEcho Targets the Indian Power Sector
News like this shows that it isn’t just the United States that is targeted by nation-state cyber-ops units. Cyber-warfare and cyber espionage activity is showing up around the globe. Attacks against critical infrastructure could have devastating repercussions, including loss of human life.
Recorded Future, the world’s largest provider of intelligence for enterprise security, today revealed details of a cyber campaign conducted by a China-linked group, named RedEcho by Insikt Group, in a new report. Recorded Future’s large-scale automated network traffic analytics and expert analysis identified the threat group activity targeting the power sector in India.
To access the full report, go to: China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
AlienVault OTX for TTPs and IOCs
How to manage the security challenges triggered by remote work
Remote employees have engaged in certain risky behaviors, such as storing sensitive data, using inappropriate admin access and failing to update software, says Tanium
New Ryuk Ransomware Strain Now Worms Itself To All Your Windows LAN Devices
A new Ryuk strain has a worm-like feature that allows it to spread to all other devices on victims’ local networks. It was discovered by the French CERT, the country’s national cyber-security agency, while investigating an attack in early 2021.
“Through the use of scheduled tasks, the malware propagates itself – machine to machine – within the Windows domain,” ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) said in a report (PDF). “Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible.”
Ryuk is a ransomware-as-a-service (RaaS) group first spotted in August 2018 that has left behind a long list of victims. It is at the top of the RaaS rankings, with its payloads being discovered in roughly one in three ransomware attacks throughout the last year. The group delivers payloads as part of multi-stage attacks using Emotet, BazarLoader, or TrickBot infection vectors for a quick way into their targets’ networks, usually through phishing attacks.
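The propagation ANSSI describes (a scheduled task registered on each reachable machine over Windows RPC) leaves a usable trail on the victim host: Security event 4698 (a scheduled task was created) carries the logon ID of the account that registered it, and that logon ID ties back to a 4624 logon event whose LogonType is 3 when the session came in over the network. A task registered under a network logon was created from another machine, which is the signal to hunt for. The script below is an added example written for this digest, not ANSSI’s or anyone else’s tooling; the event records, host names, task names and file paths in it are constructed, and it assumes the 4698 and 4624 fields are already parsed into dictionaries (the subset of field names used here matches the Security log, but no XML parsing of real EVTX files is shown).

```python
"""Flag scheduled tasks created over a network logon, the pattern behind
the Ryuk worm propagation described above.

Added example for this digest; not code from ANSSI or from the Ryuk report.
Correlates two Windows Security events:
  4624  An account was successfully logged on  (LogonType "3" = network)
  4698  A scheduled task was created           (SubjectLogonId ties it to a 4624)
"""
import re
from dataclasses import dataclass, field

# Constructed sample records shaped like the EventData of the two events.
# Field names follow the Security log; every value below is made up.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1",
     "LogonType": "3", "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "TargetUserName": "alice", "TargetLogonId": "0x1d2f0",
     "LogonType": "2", "IpAddress": "-"},
    # Task registered through the network session above: the worm pattern.
    {"EventID": 4698, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "TaskName": "\\UpdateTask",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\Public\\payload.exe"
                    "</Command></Exec></Actions></Task>"},
    # Task registered by an interactive local user running a normal installer.
    {"EventID": 4698, "SubjectUserName": "alice", "SubjectLogonId": "0x1d2f0",
     "TaskName": "\\Microsoft\\Windows\\Backup\\Nightly",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe"
                    "</Command></Exec></Actions></Task>"},
]

# Directories any domain user can write to; a task launching from here is
# a staging-directory tell, independent of how the task was registered.
USER_WRITABLE_PATHS = ("c:\\users\\public", "c:\\windows\\temp", "\\appdata\\local\\temp")


@dataclass
class Finding:
    task: str
    user: str
    command: str
    reasons: list = field(default_factory=list)


def exec_command(task_xml: str) -> str:
    """Pull the <Command> of the first Exec action out of the task XML."""
    m = re.search(r"<Command>(.*?)</Command>", task_xml, re.S)
    return m.group(1).strip() if m else ""


def network_logons(events):
    """Map logon ID -> 4624 record for every network (type 3) logon."""
    return {e["TargetLogonId"].lower(): e
            for e in events if e["EventID"] == 4624 and e["LogonType"] == "3"}


def find_remote_task_creations(events):
    """Return a Finding for each 4698 that was registered over a network
    logon or whose executable lives in a user-writable directory."""
    remote = network_logons(events)
    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        reasons = []
        logon = remote.get(e["SubjectLogonId"].lower())
        if logon is not None:
            reasons.append(f"registered under network logon from {logon['IpAddress']}")
        cmd = exec_command(e["TaskContent"])
        if any(p in cmd.lower() for p in USER_WRITABLE_PATHS):
            reasons.append("executable in a user-writable staging directory")
        if reasons:
            findings.append(Finding(e["TaskName"], e["SubjectUserName"], cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in find_remote_task_creations(EVENTS):
        print(f"{f.task} by {f.user} -> {f.command}")
        for r in f.reasons:
            print(f"    {r}")
```

Two caveats before running this against real logs: 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that first, and legitimate remote administration (SCCM, backup agents, an admin running schtasks /S) will also register tasks under network logons, so the network-logon hit is a triage signal to pair with the executable’s path and signing status, not a verdict on its own.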
Is Your Browser Extension a Botnet Backdoor?
A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.
Should you pay up when hit by ransomware? There are several things to consider first
Whether paying ransom for data held hostage makes sense depends on many variables. Experts define the variables and why they’re important.
Ars Technica Orbital Transmission Newsletter
It’s been a busy period on the security beat, and the only thing to really smile about is the hacker who reduced load times in GTA Online by 70 percent.
Within the last week, two separate vulnerabilities received near-perfect severity scores on the Common Vulnerability Scoring System Version 3.0. The first, a 9.8 out of 10, is a remote code-execution vulnerability in VMware vCenter Server, an application for Windows or Linux that administrators use to enable and manage virtualization of large networks. The second, a 10 out of 10, is a vulnerability found in programmable logic controllers from Rockwell Automation that are marketed under the Logix brand. These devices, which range from the size of a small toaster to a large bread box or even bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Both require little skill to be exploited. And on top of all that, a botnet that researchers have been following for about two years recently started using a new way to prevent command-and-control server takedowns: by camouflaging one of its IP addresses in the bitcoin blockchain.
As always, modern security remains a digital Wild West, where white hat and black hat hackers continuously engage in an arms race of exploits and detection/patches. So for this week’s Orbital Transmission, we’re revisiting a few of the most notable security issues to arise during this frenetic stretch. This stuff continues to possibly impact everyone—Mac users, Windows customers, one particular former president—so our longstanding advice stands. Keep your passwords long and randomly generated, your software updated, and your RSS feeds filled with alerts from longtime Ars Security Editor Dan Goodin.
Three Top Russian Cybercrime Forums Hacked
Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com