A Month In Breaches: January

Breaches that happened in January are summarised below. In these pieces CTRL Group also gives its expert opinion on how to stop similar breaches from happening again.

This is an initiative by our Security Operations Centre team, who monitor around the clock and proactively track breaches and critical security trends.

Part of protecting our clients is also promoting good security practice and raising awareness of current security trends. We hope this gives your understanding of the breaches happening across the internet an extra boost.

Cloud Attacks Bypassing MFA 

CISA has issued an alert warning that cloud services at US organisations are being actively and successfully targeted. According to the alert, successful attacks on cloud infrastructure have been observed for months. Most are opportunistic, taking advantage of poor cloud hygiene and misconfigurations. They frequently occurred while the target organisations' staff were working remotely, using a mix of corporate and personal laptops to access their cloud services.

On the phishing front, users receive emails containing malicious links presented as a "secure message"; other emails masquerade as notifications from reputable file-hosting services. In both cases the link leads to a phishing page that asks for account credentials, which the attackers harvest and use to log in to the cloud service. Separately, attackers have bypassed MFA with a "pass-the-cookie" attack. Browser cookies store the user's authentication state so that the site can keep them signed in; once the MFA check has been satisfied, that state is written to a cookie and the user is not prompted again. A cookie copied from a compromised or unattended browser therefore works from the attacker's machine as well: the site sees a session that has already passed MFA and asks no further questions.

To protect against these attacks, CTRL Group recommends keeping hosts up to date with security patches, since a compromised endpoint is where session cookies are stolen from. Session cookies should have a short lifespan and be scoped to a single browser session, so that they are voided when the browser is closed. Users should be trained to log off the web application and close their browser when they are done with it.
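
As an added illustration of the two points above (this is example code written for this piece, not CTRL Group's, CISA's or any product's code), the following is a minimal server-side session store. It shows that nothing in a session cookie ties it to the browser that completed MFA, which is why a copied cookie is accepted, and how a short absolute lifetime, a session-scoped Set-Cookie header and server-side logout limit the window. The timeouts, names and signing key are hypothetical.

```python
"""Pass-the-cookie: why a stolen session cookie defeats MFA, and what limits it.
Added example; policy values below are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ABSOLUTE_LIFETIME = 8 * 3600   # hypothetical: MFA must be repeated after 8 h
IDLE_TIMEOUT = 15 * 60         # hypothetical: 15 min of inactivity ends the session
_KEY = secrets.token_bytes(32)  # server-side HMAC key, never sent to clients


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


_sessions: Dict[str, Session] = {}


def _sign(sid: str) -> str:
    return hmac.new(_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(user: str, mfa_passed: bool, now: float) -> Optional[str]:
    """Issue a cookie value only once the MFA check has been satisfied."""
    if not mfa_passed:
        return None
    sid = secrets.token_urlsafe(32)          # contains no '.', so rsplit below is safe
    _sessions[sid] = Session(user, now, now)
    return f"{sid}.{_sign(sid)}"


def set_cookie_header(cookie: str, persistent: bool) -> str:
    """Weak versus hardened Set-Cookie for the same value.
    The persistent form survives browser restarts for 30 days, i.e. an attacker can
    replay it for weeks. The hardened form has no Max-Age (a session cookie, voided
    when the browser closes), cannot be read by script (HttpOnly), is never sent
    over plain HTTP (Secure) and is not attached to cross-site requests (SameSite)."""
    if persistent:
        return f"session={cookie}; Max-Age={30 * 24 * 3600}; Path=/"
    return f"session={cookie}; Secure; HttpOnly; SameSite=Strict; Path=/"


def authenticate(cookie: Optional[str], now: float) -> Optional[str]:
    """Return the user for a presented cookie, or None.
    Nothing here ties the cookie to the browser that passed MFA: any client that
    presents a valid, unexpired cookie is accepted. That is the pass-the-cookie attack."""
    if not cookie or "." not in cookie:
        return None
    sid, sig = cookie.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(sid)):
        return None                          # forged or tampered cookie
    s = _sessions.get(sid)
    if s is None:
        return None                          # logged out or never issued
    if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
        del _sessions[sid]                   # expired: force a fresh login and MFA
        return None
    s.last_seen = now
    return s.user


def logout(cookie: Optional[str]) -> None:
    """Server-side invalidation. Closing the tab does nothing if the cookie was copied."""
    if cookie and "." in cookie:
        _sessions.pop(cookie.rsplit(".", 1)[0], None)


def demo() -> dict:
    t0 = 1_700_000_000.0
    cookie = login("alice", mfa_passed=True, now=t0)
    # Attacker copied the cookie from the victim's laptop and replays it 10 minutes later.
    replay_within_window = authenticate(cookie, t0 + 600) == "alice"
    # The same cookie replayed after the absolute lifetime is refused.
    replay_after_lifetime = authenticate(cookie, t0 + ABSOLUTE_LIFETIME + 1) == "alice"
    # A session the user explicitly logged off is useless to whoever copied it.
    cookie2 = login("alice", mfa_passed=True, now=t0)
    logout(cookie2)
    after_logout = authenticate(cookie2, t0 + 1)
    return {
        "replay_within_window": replay_within_window,
        "replay_after_lifetime": replay_after_lifetime,
        "after_logout": after_logout,
    }


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header("<value>", persistent=True))
    print(set_cookie_header("<value>", persistent=False))
```

The server-side cap and the logout are what actually end a session: a browser configured to restore its previous session brings session cookies back after a restart, so omitting Max-Age on its own is not a guarantee that closing the browser voids the cookie.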

 

ASIC Hit by a Cyber Breach

The Australian Securities and Investments Commission (ASIC) was hit by a data breach in which attackers gained access to a server holding files related to credit licence applications. ASIC said the attack took place on 15 January. It exploited a vulnerability in Accellion's legacy file transfer appliance (FTA) software. The software was found to be vulnerable to SQL injection, which let the attackers reach parts of the database or file system that the application would normally never expose. SQL injection lets an attacker alter the structure of a query rather than just its values, so application security controls are bypassed: they can get past the authentication and authorisation of a web page or web application and read the contents of the entire SQL database.

ASIC confirmed that no Australian credit licence application forms or attachments were opened or downloaded, and that no other ASIC technology infrastructure was affected by the attack. Accellion has released patches for the vulnerability, and all organisations still running the older, vulnerable version are advised to update to the latest version. Because FTA is a legacy product, the update should be treated as a stopgap while a migration off it is planned. More broadly, CTRL Group suggests a strong patch-management process, so that breaches caused by the exploitation of known vulnerabilities in outdated product versions are prevented before they happen.
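
To make the SQL injection point concrete, the following added example (written for this piece; it is not Accellion's code and does not reproduce the FTA bug) shows the general pattern against an in-memory SQLite database with constructed sample data: a file-listing query that pastes user input into the SQL text, the two payload classes the text describes (an authorisation bypass that returns other users' files, and a UNION that reads a table the feature should never touch), and the parameterised version that is immune to both. Table and column names are hypothetical.

```python
"""SQL injection: vulnerable string-built query beside the parameterised fix.
Added example with constructed data; not Accellion's code."""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users' files plus a credentials table that
    the file-listing feature has no business reading."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE files(owner TEXT, name TEXT);
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO files VALUES
            ('alice', 'budget.xlsx'),
            ('alice', 'q1-report.pdf'),
            ('bob',   'credit-licence-application.pdf');
        INSERT INTO users VALUES
            ('alice', 'hash-of-alice-password'),
            ('bob',   'hash-of-bob-password');
    """)
    return db


def list_files_vulnerable(db: sqlite3.Connection, owner: str,
                          name_filter: str) -> List[Tuple[str, str]]:
    """Vulnerable: user input is pasted into the SQL text, so a quote or a comment
    marker in the input rewrites the query instead of being treated as data."""
    sql = (f"SELECT owner, name FROM files "
           f"WHERE owner = '{owner}' AND name LIKE '{name_filter}'")
    return db.execute(sql).fetchall()


def list_files_safe(db: sqlite3.Connection, owner: str,
                    name_filter: str) -> List[Tuple[str, str]]:
    """Hardened: the statement text is fixed and the values are bound as
    parameters, so the same payloads are plain strings that match nothing."""
    sql = "SELECT owner, name FROM files WHERE owner = ? AND name LIKE ?"
    return db.execute(sql, (owner, name_filter)).fetchall()


# Two payloads of the kinds the text describes.
# 1. Authorisation bypass: the closing quote ends the pattern and the OR makes
#    the WHERE clause always true, so every user's files come back.
AUTHZ_BYPASS = "%' OR '1'='1"
# 2. Database dump: a UNION appends rows from an unrelated table; the trailing
#    comment marker swallows the quote the application adds after our input.
DB_DUMP = "x' UNION SELECT username, password_hash FROM users --"


def demo() -> dict:
    db = build_db()
    return {
        "vuln_bypass": list_files_vulnerable(db, "alice", AUTHZ_BYPASS),
        "safe_bypass": list_files_safe(db, "alice", AUTHZ_BYPASS),
        "vuln_dump": list_files_vulnerable(db, "alice", DB_DUMP),
        "safe_dump": list_files_safe(db, "alice", DB_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameterisation is the fix; escaping or filtering quotes is not, because the set of characters that change a query's meaning depends on the database and on where in the statement the input lands. Running the application's database account with access to only the tables it needs is the defence in depth that would have made the UNION payload fail even against the vulnerable code.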

 

SonicWall Zero-Day Exploit

Cybersecurity product vendor SonicWall disclosed that it had detected active exploitation of a zero-day vulnerability in its networking devices. The flaw affects its Secure Mobile Access (SMA) gateways, which government and enterprise networks use to give remote employees access to internal resources; the SMA 100 series is the affected product line. The mode of attack is still under investigation.

A zero-day vulnerability is a flaw that is exploited before its vendor has a fix available; the name refers to the vendor having had zero days to address it. Normally, someone who discovers such a flaw reports it to the software company, which develops a security patch (the discoverer may also warn the public). Vendors are usually quick to ship a fix, but sometimes attackers learn of the flaw first and exploit it. When that happens there is little direct protection, because no patch yet exists, and defenders have to fall back on reducing the exposure of the vulnerable device and on compensating controls until one is released.

To mitigate this situation, SMA 100 devices should be patched as soon as SonicWall releases a fix. Enabling multi-factor authentication on those devices is also strongly recommended. The management interface of the affected devices should be restricted to trusted IP addresses only. Geo-blocking and botnet filtering can be enabled to block web traffic from countries and known-bad sources that have no need to reach applications through the SMA appliance. Administrators can also use the Login Schedule feature to define a policy and timetable for when users are allowed to authenticate and when they are automatically logged off.
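
The two exposure controls above, the trusted-source restriction on the management interface and the login schedule with forced logoff, are configured in the appliance's own interface. As an added illustration of what they amount to (example code written for this piece; not SonicWall's code or configuration), the following models both as a policy evaluated against constructed connection attempts. The allow-list, schedule window and session cap are hypothetical values.

```python
"""Model of a management-interface allow-list and a login schedule.
Added example; not SonicWall configuration. Policy values are hypothetical."""
import ipaddress
from datetime import datetime, time, timedelta, timezone
from typing import List, Tuple

# Hypothetical policy: the management UI is reachable only from the admin
# network and one jump host; everyone may authenticate only during the window.
MANAGEMENT_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "203.0.113.5/32")]
LOGIN_WINDOW_UTC = (time(6, 0), time(22, 0))   # inclusive start, exclusive end
MAX_SESSION = timedelta(hours=8)               # hard cap regardless of activity


def is_trusted_management_source(src: str) -> bool:
    """True only for addresses inside the allow-list. Unparseable input and
    IPv6 sources (none are listed) are refused rather than let through."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_SOURCES)


def in_login_window(when: datetime) -> bool:
    """Schedule check; 'when' must be timezone-aware."""
    start, end = LOGIN_WINDOW_UTC
    return start <= when.astimezone(timezone.utc).time() < end


def decide(interface: str, src: str, when: datetime) -> str:
    """Decision for one connection attempt: 'allow' or a deny reason.
    Only the management interface carries the source restriction; every login,
    management or user portal, is subject to the schedule."""
    if interface == "management" and not is_trusted_management_source(src):
        return "deny: management interface not exposed to this source"
    if not in_login_window(when):
        return "deny: outside login schedule"
    return "allow"


def must_log_off(login_at: datetime, now: datetime) -> bool:
    """Forced logoff when the schedule closes or the session cap is reached,
    whichever comes first."""
    return (not in_login_window(now)) or (now - login_at) > MAX_SESSION


# Constructed connection attempts, not real appliance logs: (interface, source, time).
UTC = timezone.utc
ATTEMPTS: List[Tuple[str, str, datetime]] = [
    ("management", "10.10.0.7",    datetime(2021, 1, 25, 9, 0, tzinfo=UTC)),   # admin network
    ("management", "198.51.100.9", datetime(2021, 1, 25, 9, 0, tzinfo=UTC)),   # internet
    ("management", "2001:db8::1",  datetime(2021, 1, 25, 9, 0, tzinfo=UTC)),   # IPv6, not listed
    ("portal",     "198.51.100.9", datetime(2021, 1, 25, 9, 0, tzinfo=UTC)),   # user, in hours
    ("portal",     "198.51.100.9", datetime(2021, 1, 25, 23, 30, tzinfo=UTC)), # user, after hours
]


def evaluate_all() -> List[str]:
    return [decide(i, s, t) for i, s, t in ATTEMPTS]


if __name__ == "__main__":
    for (iface, src, when), verdict in zip(ATTEMPTS, evaluate_all()):
        print(f"{iface:<11} {src:<14} {when.isoformat()}  ->  {verdict}")
```

The order of the checks matters: the source restriction is evaluated before anything that involves the device's login logic, which is the point of it during a zero-day window, when the vulnerable code is presumed to be in the authentication path itself.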

 

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, Jae and Vic