A quick Saturday digest of cybersecurity news articles from other sources.
GitHub starts 2FA transition for all contributors
Developers who contribute code to the popular repository will have to implement two-factor authentication by the end of 2023.
Why World Password Day should become World Password-less Day
Identity theft and data breaches are less likely to occur in an environment without passwords. We now have the technology to replace passwords with stronger, more convenient methods of authentication.
New Sophisticated Malware
Mandiant is reporting on a new botnet.
ShareThe group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:
- The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
- Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
- A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
- An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.
[…]
Unpacking this threat group is difficult. From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524’s high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more.
Longer article on Ars Technica QUIETEXIT — Botnet that hid for 18 months boasted some of the coolest tradecraft ever
Colonial Pipeline facing $1,000,000 fine for poor recovery plans
How good is your cybersecurity? Are you making the same mistakes as lots of other people? Here’s some real-life advice…
CISA Joins Partners to Release Advisory on Protecting MSPs and their Customers
Original release date: May 11, 2022
The cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand, and the United States have released joint Cybersecurity Advisory (CSA), Protecting Against Cyber Threats to Managed Service Providers and their Customers, to provide guidance on how to protect against malicious cyber activity targeting managed service providers (MSPs) and their customers. The CSA—created in response to reports of increased activity against MSPs and their customers—provides specific guidance for both MSPs and customers aimed at enabling transparent discussions on securing sensitive data. The CSA also provides tactical actions for MSPs and customers, including:
- Identify and disable accounts that are no longer in use.
- Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication.
- Ensure MSP-customer contracts transparently identify ownership of information and communications technology (ICT) security roles and responsibilities.
CISA urges organizations to review the joint CSA and take actions to strengthen their defenses against malicious cyber activity.
U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors
Original release date: May 10, 2022
CISA and the Federal Bureau of Investigation (FBI) have updated the joint cybersecurity advisory, Strengthening Cybersecurity of SATCOM Network Providers and Customers, originally released March 17, 2022, with U.S. government attribution to Russian state-sponsored malicious cyber actors. The United States assesses Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the Russia invasion, and those actions had spillover impacts into other European countries.
CISA is working with both international and JCDC partners to strengthen our collective cybersecurity resilience—especially in the critical infrastructure that governments and citizens rely on—and to protect against and respond to malicious cyber activity. We continue to urge public and private sector partners to review and implement the guidance contained in U.S. government cybersecurity advisories, including Strengthening Cybersecurity of SATCOM Network Providers and Customers, the January 2022 cybersecurity advisory on Protecting VSAT Communications, and the April 2022 cybersecurity advisory on Russian State-Sponsored and Criminal Threats to Critical Infrastructure. CISA also recommends partners review the CISA Shields Up, Shields Up Technical Guidance, and Russia webpages to stay current on the preventive measures that can help guard against Russian cyber threats and tactics.
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com