A Month In Breaches: August

CTRL Group presents a summary of key breaches from the past month. Subscribe to stay on top of cyber threat intelligence. For the month of August, we see new cybersecurity targets and trojans on the rise.

This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7 and proactively observe breaches and critical security trends. This month, we have seen the world ramping up its cybersecurity targets while battling adversaries with prompt patching.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this gives an extra boost to your overall understanding of the security breaches happening on the expansive and scary internet.

Pegasus: A Tool to Discredit Your Privacy

One of the most fundamental human rights is privacy. Every person on Earth, literally every person, wants their right to privacy preserved. Not only the physical world but also the core of the digital world is built around privacy. However, with recent events unfolding, the whole idea of digital privacy is under threat.

NSO Group, a technology firm from Israel, has developed a product called ‘Pegasus’ that aims not only at infiltrating your smart device but also at turning it into a surveillance machine. In theory, Pegasus can be delivered and installed through a spear-phishing email, a message, or the now-redundant WhatsApp call vector. The technique is so sophisticated, however, that the Pegasus software can install itself without any user intervention, and the user would not even realise that they are being tracked. Once installed, the attacker can access any information on the compromised device, ranging from one’s location, photos and call logs to banking/credit card data and other personal information.

Ideally, Pegasus is meant to aid only government bodies in tracking terrorists and criminals. However, it was recently linked to an extensive scandal targeting ordinary netizens as well as public figures, including French president Emmanuel Macron. So, unless a global policy governing such services is put in place, the whole idea of digital privacy cannot be affirmed.

Can you prevent this attack?

Yes, you can defend against (if not fully mitigate) the risk using the following recommendations:

  • Do not click on any links, even if they come from people you trust. If you believe a link is trustworthy, kindly type it in manually.
  • Bookmark the websites you visit, and avoid reaching them through links from other sources.
  • Always open a link in an incognito/private window to reduce the risk of auto-downloading a payload.
  • Always use a URL expander such as URL Expander (https://urlex.org/) or Expand URL (https://www.expandurl.net/) to check the real destination of a shortened URL.
  • Always contact the sender of the link to confirm that they did send it. It is recommended to use another channel for the validation: for example, make a call if the link was sent to you in a message.
  • Always open a website with HTTPS:// to ensure the connection to the website is secure.
  • Using a VPN can assist you in mitigating MITM (man-in-the-middle) attacks.
  • To reduce exposure to zero-click exploits, avoid installing untrusted software and disable or delete applications that you no longer use.
  • Compartmentalise your remaining apps. This way, sensitive data is not shared between them, and the potential risk is lower.
  • Finally, do not leave your device out of your sight, and enable MFA (Multi-Factor Authentication) on all accounts, with an authentication method that is not on the same device – we recommend using burner phones.
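The shortened-link check from the list above, as an added example that is not part of the original post or CTRL Group’s tooling: it resolves a short link hop by hop with HEAD requests and no automatic redirects, so no page body is ever downloaded; it caps the number of hops, detects redirect loops, and reports whether every hop used HTTPS. The fetcher is pluggable, so the example runs offline against a constructed redirect map (the hosts in it are not real), while `live_fetch` is the network-backed version.

```python
"""Reveal where a shortened link really goes before anyone clicks it.

Added example (not CTRL Group's or the original post's code). The redirect
chain is followed hop by hop with HEAD requests and no automatic redirects,
so no page body is ever downloaded. The fetcher is pluggable: `live_fetch`
talks HTTP, while `fake_fetch` uses a constructed redirect map for offline use.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# A fetcher returns (HTTP status, Location header or None) for one URL.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def expand_url(url: str, fetch: Fetcher, max_hops: int = MAX_HOPS) -> Dict[str, object]:
    """Follow redirects from `url` and report the chain plus simple risk flags."""
    chain = [url]
    loop = truncated = False
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break  # non-redirect response: this is the real destination
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            loop = True  # redirect loop: stop rather than spin
            break
        chain.append(nxt)
        current = nxt
    else:
        truncated = True  # still redirecting after max_hops; destination unconfirmed
    return {
        "final": chain[-1],
        "chain": chain,
        "hops": len(chain) - 1,
        "all_https": all(urlparse(u).scheme == "https" for u in chain),
        "loop": loop,
        "truncated": truncated,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Fetch a single hop with a HEAD request (network access required)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses arrive here as HTTPError.
        return err.code, err.headers.get("Location")


# Constructed redirect map for offline use; none of these hosts are real.
_CONSTRUCTED_HOPS = {
    "https://short.example/abc": (301, "http://tracker.example/r?x=1"),
    "http://tracker.example/r?x=1": (302, "/landing"),
    "http://tracker.example/landing": (200, None),
    "https://a.example/": (302, "https://b.example/"),
    "https://b.example/": (302, "https://a.example/"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher backed by the constructed map above."""
    return _CONSTRUCTED_HOPS.get(url, (404, None))


def verdict(result: Dict[str, object]) -> str:
    """One-line summary suitable for a help-desk or SOC triage note."""
    flags = []
    if not result["all_https"]:
        flags.append("plaintext HTTP hop")
    if result["loop"]:
        flags.append("redirect loop")
    if result["truncated"]:
        flags.append("too many hops, destination unconfirmed")
    status = "; ".join(flags) if flags else "no red flags"
    return f"{result['hops']} hop(s) -> {result['final']} [{status}]"


if __name__ == "__main__":
    print(verdict(expand_url("https://short.example/abc", fake_fetch)))
```

Swap `fake_fetch` for `live_fetch` to check a real link; because only HEAD requests are sent and redirects are never followed automatically, the destination is revealed without fetching any page content.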


Google and Microsoft’s $30B 5yr Cybersecurity Targets

Over the next five years, Google and Microsoft have pledged to invest a total of $30 Billion in cybersecurity upgrades, improvements, training, etc., to help protect their businesses from attacks. The announcement of these cybersecurity targets responds to how the world envisions the ever-changing threat landscape challenging our digitised lives.

No matter the size of an organisation or where it is located in the world, malicious attacks are becoming a more recurring theme because of the monetary incentives a successful attack offers threat actors. These can come in the form of pure scams, ransomware that shuts down a business, leaking confidential data to sell or to blackmail with, and many, many more vectors. A recent example of a large-scale, financially motivated attack was the Colonial Pipeline attack, which also affected infrastructure and caused major problems in America, including a shortage of gas for many citizens.

Money is not the only thing that drives a threat actor. Political and war tactics are increasingly seen too, with governments using state-funded groups called APTs (Advanced Persistent Threats) to gain leverage, insights and control over other countries’ infrastructure, knowledge and secrets, and even to gain control of senior figures through potential blackmail campaigns.

The world is evolving at an exponential rate when it comes to technology, and having the right cybersecurity measures in place to prevent stoppages and damage is key for a business not only to thrive but to survive in this new world. Therefore, the US government met with some of the biggest companies in the world across all sectors, including Amazon, Apple, IBM, Google and Microsoft, to set ambitious yet necessary cybersecurity targets and investments.

  • Apple: will now work with more than 9,000 of its suppliers to push for mass adoption of MFA, vulnerability remediation, security training and event logging.
  • IBM: aims to train 150,000 people in cybersecurity skills over the next three years and to help diversify the cyber workforce by partnering with 20 historically Black Colleges & Universities.
  • Amazon: making a multi-factor authentication device available to all AWS account holders, free of charge, to help protect against phishing and password theft.

Microsoft and Google combined have pledged to invest $30 billion over the next 5 years to deliver advanced cybersecurity solutions to their own businesses and services, to smaller businesses and to all levels of government. Together, these cybersecurity targets will upgrade cybersecurity tooling for all organisations and proactively prevent cyber-attacks. The rise in devastating attacks, and the investment these large companies are making, demonstrate how seriously cybersecurity must be taken and why a strong security posture matters for your business.


VMware Issues Patches to Fix New Flaws Affecting Multiple Products

VMware recently shipped security updates to address vulnerabilities in multiple products that could potentially be exploited by an attacker to take control of an affected system.

The six security weaknesses (from CVE-2021-22022 through CVE-2021-22027, CVSS scores: 4.4 – 8.6) affect VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x), as listed below:

  1. CVE-2021-22022 (CVSS score: 4.4) – Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure
  2. CVE-2021-22023 (CVSS score: 6.6) – Insecure direct object reference vulnerability in vRealize Operations Manager API, enabling an attacker with administrative access to alter other users’ information and seize control of an account
  3. CVE-2021-22024 (CVSS score: 7.5) – Arbitrary log-file read vulnerability in vRealize Operations Manager API, resulting in sensitive information disclosure
  4. CVE-2021-22025 (CVSS score: 8.6) – Broken access control vulnerability in vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster
  5. CVE-2021-22026 and CVE-2021-22027 (CVSS score: 7.5) – Server Side Request Forgery vulnerability in vRealize Operations Manager API, leading to information disclosure

VMware has also issued patches to remediate a cross-site scripting (XSS) vulnerability affecting VMware vRealize Log Insight and VMware Cloud Foundation. It stems from improper validation of user input and enables an adversary with user privileges to inject malicious payloads via the Log Insight UI that execute when a victim opens the shared dashboard link.


The flaw, which has been assigned the identifier CVE-2021-22021, has been rated 6.5 for severity on the CVSS scoring system. CTRL Group recommends updating the affected VMware products to their latest versions to mitigate this vulnerability. Adhering to strong patch management can also safeguard the infrastructure against zero-day exploits. Please use the following link to view the latest patches issued by VMware.
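A patch-management check in the spirit of the recommendation above, as an added example that is not VMware’s or CTRL Group’s code: it parses a product inventory and flags hosts whose version falls inside the ranges this article names as affected (vRealize Operations prior to 8.5.0, Cloud Foundation 3.x and 4.x, vRealize Suite Lifecycle Manager 8.x). The inventory rows are constructed. A flagged host is one inside a named range, not a confirmed unpatched build; VMware’s advisory remains the authority on which builds carry the fix.

```python
"""Audit a product inventory against the vRealize version ranges named in this advisory.

Added example; not VMware's or CTRL Group's tooling. Affected ranges are taken
from the article text. Hostnames and versions in the sample inventory are
constructed. A flagged host is inside a named range; confirm the fixed build
against VMware's advisory before treating any host as patched.
"""
import csv
import io
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Normalise '8.5', '8.5.0' or 'v8.5.0-build123' to a 3-tuple, so 8.5 == 8.5.0."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    padded = (nums + [0, 0, 0])[:3]  # pad so tuple comparison is not fooled by length
    return padded[0], padded[1], padded[2]


# Affected-range predicates, one per product the article lists.
AFFECTED: Dict[str, Callable[[Version], bool]] = {
    "vRealize Operations": lambda v: v < (8, 5, 0),           # prior to 8.5.0
    "VMware Cloud Foundation": lambda v: v[0] in (3, 4),      # 3.x and 4.x
    "vRealize Suite Lifecycle Manager": lambda v: v[0] == 8,  # 8.x
}


def audit(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) rows whose version falls in an affected range."""
    flagged = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        check = AFFECTED.get(row["product"])
        if check is None:
            continue  # product not covered by this advisory
        if check(parse_version(row["version"])):
            flagged.append((row["host"], row["product"], row["version"]))
    return flagged


# Constructed sample inventory; hostnames and versions are illustrative only.
CONSTRUCTED_INVENTORY = """\
host,product,version
vrops-01,vRealize Operations,8.4.0
vrops-02,vRealize Operations,8.5.0
vcf-01,VMware Cloud Foundation,4.2.1
vrslcm-01,vRealize Suite Lifecycle Manager,8.4.1
esx-01,ESXi,7.0.3
"""

if __name__ == "__main__":
    for host, product, version in audit(CONSTRUCTED_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range; review and patch")
```

Feeding the script the export from a CMDB or vCenter inventory gives a first-pass list of hosts to verify against the advisory; the version normalisation matters because `8.5` and `8.5.0` must compare as equal rather than as different releases.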


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, Jae, Murray & Zain.