Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In January, the team discussed threat intelligence, notable vulnerabilities and trends, threat hunting trends, and the cyber threat landscape.

Threat intelligence review

To begin the webinar, the Senior Manager of Incident Response discussed the most prevalent threats for the month, including ransomware, business email compromise (BEC), and phishing.

  • Ransomware. Following a brief slowdown in December, the team saw an increase in the rate of ransomware cases. Threat actors achieved initial access through improperly protected access channels, such as virtual private networks (VPN), terminal servers, and virtual desktop infrastructures, that are not using multifactor authentication or patching regularly. In most cases, they achieved persistent access via remote monitoring and management tools. The team also saw an uptick in the exfiltration of targeted data. Since threat actors know what data is valuable to steal, they’re spending more time conducting reconnaissance and less time exfiltrating data.

  • BEC. Threat actors consistently carry out BEC attacks, and financial gain is the most common motivation. For example, threat actors use compromised email accounts to gain access to automated clearing house (ACH) codes or wire transfers, or use a mail platform to change direct deposit information for payroll and human resources functions. Threat actors also use transport rules to converse and hide responses while maintaining an ongoing presence within an environment.

  • Phishing. As usual, phishing ranks as the top method of credential compromise. Threat actors now use malicious QR codes in their phishing activity for two reasons: 1) many security solutions don’t have a reliable way to review or scan QR codes for a malicious redirect and 2) most people use their phones to scan a QR code, which is typically outside the protected network. Also, the team suggests that tax returns are a prime target for threat actors, so companies should look out for activity regarding W-2s, direct deposits, and ACH payments for tax returns.

Vulnerabilities and Trends

The Vulnerability Management Team Lead reviewed vulnerabilities from December. As many as 2,500 vulnerabilities were disclosed, and 12 of those vulnerabilities were high risk. Of those 12, six were zero-day vulnerabilities. The zero-days affected products from Google Chrome, Future X Communication, QNAP, Unitronics, Apache Struts 2, and Android. The most impactful was the Google Chrome vulnerability CVE-2024-0519. This out-of-bounds memory access in Google Chrome allows a threat actor to exploit a heap corruption vulnerability using a crafted HTML page. The exploitation occurs when a user visits the malicious page and interacts with it by clicking on a link or pop-up box.

The most critical new vulnerability that the team saw on internal vulnerability scans of client networks was the SSH Terrapin attack CVE-2023-48795. This man-in-the-middle attack requires that the threat actor already has a network presence, gained through phishing or some other initial access. The attack also requires a connection secured by either ChaCha20-Poly1305 or cipher block chaining (CBC) with encrypt-then-MAC, and a network running a vulnerable version or implementation of OpenSSH 9.5 or earlier. The vulnerability is not highly critical, but the team does recommend an upgrade to a newer version.
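As an added example (not from the webinar or Pondurance), the check below applies the preconditions listed above to a server's own effective configuration: it reads constructed `sshd -T` output and the server banner and reports whether a ChaCha20-Poly1305 or CBC-with-EtM combination is enabled on OpenSSH 9.5 or earlier. The sample values and the exact algorithm lists are assumptions.

```python
import re

# Constructed sample: the relevant lines of `sshd -T` (effective server config)
# and the version banner, as a defender would collect them from their own host.
SAMPLE_SSHD_T = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.3p1 Debian-1"

CBC_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}
CHACHA = "chacha20-poly1305@openssh.com"

def parse_sshd_t(text):
    """Map each keyword from `sshd -T` output to its comma-separated values."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            conf[key] = value.split(",")
    return conf

def openssh_version(banner):
    """Extract (major, minor) from an SSH banner; None if it is not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def terrapin_exposure(sshd_t_text, banner):
    """Report which Terrapin preconditions the server meets: ChaCha20-Poly1305,
    or a CBC cipher together with an encrypt-then-MAC MAC, on OpenSSH <= 9.5."""
    conf = parse_sshd_t(sshd_t_text)
    ciphers, macs = conf.get("ciphers", []), conf.get("macs", [])
    findings = []
    if CHACHA in ciphers:
        findings.append("chacha20-poly1305 enabled")
    cbc = sorted(CBC_CIPHERS & set(ciphers))
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        findings.append(f"CBC cipher {cbc[0]} enabled with EtM MAC {etm[0]}")
    ver = openssh_version(banner)
    old = ver is not None and ver <= (9, 5)
    # Exposure needs both a qualifying algorithm and an unpatched OpenSSH;
    # non-OpenSSH implementations are out of scope for this check.
    return {"findings": findings, "old_openssh": old, "exposed": bool(findings) and old}
```

Where an upgrade cannot happen immediately, removing the flagged algorithms from `Ciphers` and `MACs` in sshd_config removes the precondition the attack depends on.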

Also, in early January, the Ivanti VPN vulnerability impacted Ivanti Connect Secure and Ivanti Policy Secure gateways. Nation-state actors chained together the authentication bypass vulnerability (CVE-2023-46805) and the command injection vulnerability (CVE-2024-21887) to gain a foothold and deploy a web shell on devices across the network to deploy ransomware, steal credentials, or conduct other exploits. Since these vulnerabilities are critical, the team recommends using a workaround that involves downloading an XML file from the Ivanti website and importing it. The patch will be released in late January.

Threat Hunting Trends

The Director of SOC Operations talked about various trends that the security operations center (SOC) team is monitoring on client networks.

Ransomware is the most prevalent type of malware attack, and the team expects to continue to see these attacks. Fortunately, the older types of ransomware attacks, such as cryptomining, have died off. 

Credential harvesting via phishing emails is on the rise. The use of artificial intelligence (AI) services, such as ChatGPT, is making phishing emails harder to identify. Successful credential harvesting attacks typically involve the creation of auto-forward rules, which the team alerts on for every client. To reduce the risk of credential harvesting attacks, the team suggests using multifactor authentication (MFA) for all user accounts and implementing awareness training.
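The auto-forward rule alert described above, and the transport-rule persistence noted in the BEC section, as an added detection example that is not from the webinar or Pondurance. It runs over constructed audit records modelled on Microsoft 365 mailbox-rule and transport-rule operations (the record shape, parameter names and addresses are assumptions) and flags rules that send mail off the tenant or hide the forwarded copy.

```python
# Constructed sample audit records modelled on Microsoft 365 unified audit log
# entries for inbox-rule and transport-rule operations (shape is an assumption).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Finance"}]},
    {"Operation": "New-TransportRule", "UserId": "admin@corp.example",
     "Parameters": [{"Name": "Name", "Value": "bcc all"},
                    {"Name": "BlindCopyTo", "Value": "archive@corp.example"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@corp.example",
     "Parameters": [{"Name": "Name", "Value": "RSS"},
                    {"Name": "RedirectTo", "Value": "carol.home@mail.example.net"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "BlindCopyTo")
INTERNAL_DOMAINS = {"corp.example"}  # the tenant's own domains (assumed)

def params(record):
    # Flatten the Name/Value parameter list into a dict.
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address):
    # Anything not in the tenant's domains counts as leaving the organisation.
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def evaluate(record):
    """Return an alert for a rule that forwards or redirects mail off the tenant
    or hides the forwarded copy; None when the record looks benign."""
    if record.get("Operation") not in RULE_OPS:
        return None
    p = params(record)
    targets = [p[k] for k in FORWARD_PARAMS if k in p]
    external = [t for t in targets if is_external(t)]
    # Deleting the message or using an empty/dot rule name hides the rule's effect.
    hiding = p.get("DeleteMessage") == "True" or p.get("Name", "").strip(". ") == ""
    if not external and not hiding:
        return None
    severity = "high" if external and hiding else ("medium" if external else "low")
    return {"user": record["UserId"], "operation": record["Operation"],
            "targets": external, "hides_copy": hiding, "severity": severity}

def scan(records):
    """Evaluate every record and keep only the alerts."""
    return [a for a in (evaluate(r) for r in records) if a]
```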

Malware delivery via phishing emails is increasing. These attacks usually occur through links in the body of emails or PDF attachments that contain JavaScript or links to malicious websites. Also, password-protected documents and zip files are often associated with these attacks. The team recommends blocking password-protected files at the gateway, but it's important for companies to fine-tune the blocking to ensure that valid business documents are not also blocked. In addition, the team is seeing screensaver files that drop malware in a user's home directory and the use of commonly allowed domains, like Blogspot, for hosting malicious components.

Fortunately, malware delivery via drive-by websites is decreasing, though the attacks still occur. The team encourages companies to update all browsers and network devices to reduce attack surface vulnerabilities.

Cyber Threat Landscape

The SOC Engineering Lead discussed the cyber threat landscape, focusing on solutions for a broad range of security topics.

  • Ransomware. Threat actors use ransomware as a service to enter an environment and sell access to the highest bidder. Also, they use SIM swapping attacks, so if a user is texting a one-time code to another user, a threat actor who has cloned the cell phone can intercept the code. The team suggests that MFA bypasses are the best way to remedy such an intercept. Solutions to protect against ransomware include timely patching, using the principle of least privilege for all facets of a network, and encouraging users to "trust but verify" before taking an action.

  • Credential theft. The team suggests that using password managers is one of the most important tools a company can employ to keep users safe. Also, the team recommends that clients sign up for the free service HaveIBeenPwned to receive email breach notifications.

  • Malware. Threat actors are finding it increasingly easy to abuse remote administration, and password reuse is a big reason why. Threat actors install approved tools such as AnyDesk and LogMeIn to take over networks. As a solution, the team suggests keeping an application inventory, running an application approval process, applying the principle of least privilege, and implementing MFA controls on remote monitoring and management tools.

  • Social engineering. With AI, social engineering scams are tougher to identify, so it's best to use secondary contacts for verification, establish reporting and escalation processes, and reward users who report phishing emails. Also, human resources and accounting employees may need additional training, more security controls, and a chain of command for reporting suspicious activity.

  • Data threats. Data destruction is a common threat from bad actors. To stay safe, companies and their cloud providers need to back up and encrypt the data and then test the backups. If an attack happens, a company must know the timeline for restoring the data to accurately weigh the benefits of paying a ransom.

  • Distributed denial-of-service attacks (DDoS). Threat actors use DDoS attacks to disrupt the availability of data. Every company must know how to contact its internet service providers, cloud providers, and data providers in the event of an attack and confirm that these providers are performing tested backups.

  • Disinformation and misinformation. False information is common in political arenas and on social media. Companies need a protocol for how to submit questions, escalate issues, or report on false information. Also, training for media and public relations staff can help.

  • Supply chain attack. A trusted third party can be compromised without its knowledge, so it’s best to always assume the worst has happened. The team recommends using a trust but verify philosophy, implementing the principle of least privilege for third parties, using trusted install sources, and staying diversified with backup suppliers.

  • Hacktivism. Government entities are common targets for hacktivists, but sometimes reporters are swatted or public figures are doxxed. Whenever hacktivism occurs, the incident should be reported to the FBI and local law enforcement, and your company’s crisis communication plan should kick in. Go silent, call only on private cell phones, or use other means to avoid communications that the threat actor can readily track.

Next Month

The Pondurance team will host another webinar in February to discuss new cybersecurity activity. Check back next month to read the summary.