Forescout Cyber Weekly Roundup
January 25, 2019
The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
- DHS Issues Emergency Directive to Counter DNS Hijacking Campaign (January 22, 2019)
- North Korean Hackers Infiltrate Chile’s ATM Network after Skype Job Interview (January 16, 2019)
- BlackRock’s Data Leak Strikes 20,000 Advisers (January 21, 2019)
- Zero-Day Virus Forces EHR Downtime at 21 Health Science North Hospitals (January 18, 2019)
- Plug in your iPhone, iPad, iPod, Fire up the App Store: You Have New Apple Patches to Install (January 23, 2019)
Summary: The Department of Homeland Security (DHS) issued Emergency Directive 19-01 January 22 to nearly all federal agencies mandating cybersecurity actions to mitigate a global Domain Name System (DNS) infrastructure hijacking campaign.
Why it matters: Multiple executive branch agency domains have been impacted by this latest campaign. Given that agencies have only 10 days to audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location, coupled with the fact that over 91% of malware uses DNS as a key capability to gain command and control, extract and alter data—making DNS crucial infrastructure for attackers and defenders alike—many would agree this is a pretty significant threat. It’s unclear exactly how attackers gained access to user credentials (possibly by phishing), but once obtained, they altered DNS records and replaced legitimate service addresses with an attacker-controlled address. From there, attackers can set DNS record values, obtain valid encryption certificates and decrypt redirected traffic. DNS attacks have evolved significantly in recent years—from DNS hijacking (as in this case) to cache poisoning, spoofing and domain generation algorithms, attackers have found multiple methods to gain access to DNS. Yet surprisingly, more than 86% of companies leave DNS unmonitored. Advances such as Domain Name System Security Extensions (DNSSEC), which allows a client to verify that the DNS responses they receive are valid, can reduce some of the DNS risks. Government agencies aren’t the only targets, however; according to recent research, 43% of U.S. telco organizations suffered from a DNS-based malware over the past 12 months. Godaddy.com, the world’s largest domain name registrar, had an authentication weakness where the DNS pointed to a server controlled by a third party that allowed spammers to hijack domains—some of which are owned by some of the world’s biggest names and brands—that ultimately resulted in bomb threats and sextortion attempts. The DHS directive requires a DNS record audit, DNS password changes, multi-factor authentication, and certificate monitoring—all considered part of basic cyber hygiene. What we can hope is that in similar future events, guidance won’t have to cover the basics—practices that should already be widespread—and can instead focus on modernized cyber defense practices.
Summary: The computer network of Redbanc, the company responsible for interconnecting the ATM infrastructure of all Chilean banks, was recently infiltrated by a major hacking group.
Why it matters: As is almost always the case, attribution is uncertain, but all indicators point to the North Korea-based Lazarus Group. Most would label Lazarus as a profit center—not focused on espionage or IP theft, but instead mostly interested in banks, financial institutions, and cryptocurrency exchanges. Since February of 2017, Lazarus has pocketed more than $571 million in cryptocurrency. One can only speculate as to how the loot is being spent, but it’s pretty safe to say that a portion of it is being reinvested within the group and leveraged to entice additional malicious resources to propel more sophisticated attacks. In this particular case, it appears that the group created a fake job posting on LinkedIn at a competitor of Redbanc—or perhaps an entirely fake company. Once the employee engaged, the attackers secured a Skype interview and asked the employee to download and run a malicious executable file. This is yet another example of how attacks are going to get more creative and personal in 2019 and beyond. The attackers leveraged two specific platforms that are commonly used to attract and interview talent—LinkedIn and Skype. To be clear, there’s no evidence that either platform was compromised in any way; instead, they were simply used to achieve the same result as any legitimate company seeking to attract and hire new talent. The fact that there was a video interview—in Spanish, no less—is a testament to just how sophisticated and widespread some group activities have become. The attackers, somewhat ironically, had to attract someone both fluent in Spanish, and also technically savvy enough to conduct a conversation with a developer. Was the interviewer a legitimate member of Lazarus, or were they also enticed by a fake job posting, hired for a day to conduct the interview, then relieved of responsibility? The hiring process has evolved significantly in recent years. With more employees working remote, video interviews are not uncommon, and for the sake of convenience, employees are often asked to sign documents electronically. Employers now face a significant cybersecurity challenge. It’s not just about protecting your own data and preserving your reputation, but also defending against imposters seeking to steal or dupe your workforce. For financial institutions specifically, it’s important to follow the guidelines detailed in the human and operational security guidelines defined in the ISO 27000 family of standards, which suggests required employee changeover, consecutive two week vacations, and additional controls to prevent embezzlement, fraud, and insider compromise. For those seeking employment, it’s important to know exactly what you’re downloading and who you’re emailing before clicking. It’s hard enough to parse legitimate opportunities from fake ones, but when you’re an outsider to an enticing new company, it’s much harder to know with certainty who you’re talking to is really an employee of a legitimate company.
Summary: The largest asset manager in the world, BlackRock, inadvertently exposed names, email addresses and other information of roughly 20,000 advisers—among them, 12,000 clients from LPL Financial, the largest U.S. independent broker dealer.
Why it matters: Although severe, this ‘breach’ was not the result of an attack by a malicious actor or nation-state. Instead, this leak was caused by the ever persistent and reliable problem of human error. As far as we can tell right now, social security numbers were not disclosed in the leak. However, since names and email addresses were included—and are considered PII according to the National Institute of Standards and Technology (NIST) as information that can be used to distinguish or trace an individual‘s identity, and are also considered PII in Europe under the General Data Protection Regulation (GDPR), it’s possible that BlackRock may eventually be charged with fines similar to those Google is currently facing. Increasingly, companies are taking strides to bounce back from cyber incidents and reputational damage. . For years, the prevailing post-breach thought was that it was really difficult for a company to recover from reputational damage. However, we’re seeing that increasingly, so long as companies take some basic steps to prevent future breaches and alleviate customer concerns, and if cyber is used as the speartip for transformational change, it’s entirely possible not just to recover, but to continually drive up the company share price after a data breach. Obviously, the size of the company is a significant factor in the recovery success equation, but breaches and attacks are simply so common nowadays that although consumer trust is down, there have been so many breaches and attacks across industries that the trust is down universally. Coming on the heels of both the BlackRock leak and Google’s GDPR fines, Data Privacy Day is only a few days away—STOP. THINK. CONNECT.
Summary: The computer system of Sudbury Hospital, Ontario-based Health Sciences North, was infected by a zero-day virus, driving officials to shut down multiple EHR systems to contain the infection.
Why it matters: Although this zero-day forced many Canadian hospitals to take systems offline temporarily, no ransom demands ever surfaced. Aside from the inconvenience, no data appears to have been lost or compromised. This story is actually a bit refreshing, as the impacted hospital had backed up critical data and had implemented seemingly streamlined procedures to handle cyber events like this one. It is absolutely critical, however, that the hospital remain vigilant and seek to determine the attack vector, vulnerabilities and potential lateral movements. It’s not uncommon for cyber adversaries to gain access to a network and remain dormant for months or even years before taking malicious action. This hospital, and any other organizations that have been attacked, would be wise to leverage MITRE’s ATT&CK Framework to assess the problem from the perspective of the adversary to understand technical entrypoints, lateral movement and exfiltration. Health Sciences North can learn from a potentially devastating scenario—an increasingly uncommon luxury across today’s cyber landscape.
Summary: Apple has released a handful of software patches to address security vulnerabilities in iOS, macOS and various peripherals.
Why it matters: We’ve seen an unusually high volume of patches and CVEs over the past few days. As this headline notes, Apple has released a number of critical flaw fixes for WebKit, FaceTime, as well as Mac and IThing kernels, not to mention a handful of remote code execution flaws in SQLite. Similarly, Adobe has issued multiple unscheduled updates for the experience manager platform, following fixes for two other critical flaws in Adobe Acrobat and Reader for Windows and MacOS, which could have been exploited for arbitrary code execution. The list of vulnerabilities isn’t just limited to Apple and Adobe, however. BMC vulnerability CVE-2019-6260, appropriately named ‘pantsdown’, if exploited, could result in malware execution, firmware flashing or the dump of firmware of a running BMC from the host, arbitrary reads or writes, configuration tampering, or even BMC bricking by disabling the CPU click until a future power cycle. With so many patches coming out so quickly in recent weeks, it’s critical that enterprises take steps to implement them as quickly as possible. Research shows that, in the financial services industry alone, it takes as long as 176 days to patch a vulnerability and more than a month for the average organization to patch its most critical vulnerabilities. The number of recently released patches is staggering—it’s critical that private and public sector organizations alike find a faster way to deploy patches.