Cyber Weekly Roundup – September 21, 2017

Weekly Roundup

Cyber Weekly Roundup – September 21, 2017

By Andrew Paulette

1.) Ayuda! (Help!) Equifax Has My Data! (September 12, 2017)

https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

Summary: Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — if not also other Latin American nations where it does business — to the list as well.

Why it matters: Kreb’s article on the lax security with Equifax’s Argentinian service does not just demonstrate how to never implement a user/password policy, but also demonstrates negligence on the part of Equifax. This distinction is important – in order for lawsuits and criminal cases against Equifax to be successful, prosecutors must build a convincing argument that Equifax did not take proper due care in protecting their data. While Equifax may be able to provide arguments explaining the mitigations they put into place against their unpatched Apache Struts vulnerability, something as basic as leaving “admin/admin” as the username/password for a system containing sensitive data builds the argument that the information security culture within Equifax was not up to snuff.

2.) Startup that Sells Zero-Days to Governments is Offering $1 Million for Tor Hacks (September 13, 2017)

https://motherboard.vice.com/en_us/article/7xkp8q/startup-that-sells-zero-days-to-governments-is-offering-dollar1-million-for-tor-hacks

Summary: A notorious startup is offering up to $1 million in rewards to security researchers who can find bugs and develop techniques to exploit the anonymous web surfing tool the Tor Browser.

Why it Matters: ​Aside from the fact that finding exploits that work on both Windows and the Linux privacy-oriented OS “Tails” will be difficult, Zerodium’s willingness to pay such high bounties for these vulnerabilities speaks to the demand by law enforcement and intelligence agencies to find ways to decloak users of the Tor network.  The act of decloaking these users is a dual sword – these users may be human traffickers and narcotics dealers, or journalists and dissidents reporting against groups abusing their place of power.

Summary: Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast’s own figures, 2.27 million ran the affected software, though the company said users should not panic.

Why it matters: With the recent the NotPetya ransomware attack, which compromised MeDocs to attack Ukrainian and global businesses, and a number of recent stories of Chrome extensions being compromised (sometimes through shady individuals buying apps that are no longer updated frequently), it’s likely that there will be more articles like this in the coming months. Rather than try to get around the security measures and controls put in place for protection by individuals and organizations, threat actors can instead exploit the vulnerable security posture of targeted third party software developers. Once they have rolled their malware into the vendor’s software product, the application update cycle provides an open door to the user’s device. The more popular the software, the more infections are likely to occur. This is an unfortunately clever attack vector because it takes advantage of what we consider to be a good security policy: keep software updated and install patches as soon as you can.

For now, the risk of not updating your software (like Equifax) remains much larger than the risk of your software updates containing malicious code. In addition, it’s best to allow as little superfluous software on the device as possible to reduce the attack surface.​

4.) The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms (September 20, 2017)

https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/

Summary: Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. But now it’s becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 18 tech firms.

Why it matters: In todays world of cyber espionage and profit-motivated hacking, large-scale intrusions like the CCleaner attack against individual end-users without a follow-up stood out of place. Surely, if threat actors wanted to exploit such a large base, delivering ransomware through a second stage would have been ideal. However, this new piece of evidence reported by Wired lines up with what we’ve come to expect from cyber espionage. The infection of CCleaner seemed to be a means to an end, ensnaring a large number of corporate networks using CCleaner as the foothold into their network.

As this story continues to develop, it will be interesting to see if the analysis can lead to credible attribution for the attack, as understanding who was performing this activity will help inform us of the true purpose for these attacks.

5.) Exclusive: U.S. Homeland Security found SEC had ‘critical’ cyber weaknesses in January (September 21, 2017)

https://www.reuters.com/article/us-sec-cyber-weaknesses-exclusive/exclusive-u-s-homeland-security-found-sec-had-critical-cyber-weaknesses-in-january-idUSKCN1BW27P

Summary: The U.S. Department of Homeland Security detected five “critical” cyber security weaknesses on the Securities and Exchange Commission’s computers as of January 23, 2017, according to a confidential weekly report reviewed by Reuters.

Why it matters: ​While intrusions, compromises, and breaches against organizations are usually more complex, the Equifax and SEC breaches remind us it only takes one vulnerability to compromise a network. Both of these breaches have had severe impacts for both our identities and our economy. Organizations need to take a new approach to their cybersecurity posture by working from the viewpoint that their systems are already compromised, and design security around this point. If properly implemented, it should lead to much better detection and recovery controls being implemented to handle these events.

6.) U.S. SEC says hackers may have traded using stolen insider information (September 21, 2017)

https://www.reuters.com/article/legal-us-sec-intrusion/u-s-sec-says-hackers-may-have-traded-using-stolen-insider-information-idUSKCN1BW1K0

Summary: The top U.S. markets regulator said on Wednesday that hackers accessed its corporate disclosure database and may have illegally profited by trading on the insider information stolen.

Why it matters: ​Continuing last week’s discussion on the suspicious short selling that occurred before Equifax disclosed their breach, the US Security and Exchanges Commission’s (SEC) report that hackers may have used their intrusion to profit through insider information is unsurprising.  As hacking becomes more sophisticated and continues it maturation, applying it to make greater financial gains is an unfortunate side-effect, and using hacked information against the stock market is one of the best ways to turn a profit.