Cybersecurity Digest #13: 16/11/2020 – 27/11/2020

Cybersecurity News

• ENCS, the European Network for Cyber Security, and E.DSO, the European Distribution System Operators’ Association,  announced the launch of security requirements for Distribution Automation (DA) of Remote Terminal Units (RTUs). The requirements provide European distribution system operators (DSOs) with a defined set of practical considerations for procuring secure RTUs and are a significant step forward to industry wide requirements.
• The notorious TrickBot has released a new lightweight reconnaissance tool used to scope out an infected victim’s network for high-value targets. The new “LightBot” is a PowerShell reconnaissance script used by the same group linked to the high-level ransomware and breach incidents involving Universal Health Service (UHS).
• ZDNet has announced that multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers. They are looking for ENV files such as API tokens, passwords, and database logins.
• VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.
• Unit 42 researchers discovered a class of Amazon Web Services (AWS) APIs that can be abused to leak the AWS Identity and Access Management (IAM) users and roles in arbitrary accounts. Palo Alto Networks Researchers confirmed that 22 APIs across 16 different AWS services could be abused the same way and the exploit works across all three AWS partitions (aws, aws-us-gov or aws-cn).

Cybersecurity Blog Posts

• Brian Krebs explained why users should be very sparing in allowing site notifications. His post is based on deep analysis of the PushWelcome network compiled by Indelible LLC, a cybersecurity company based in Portland, Oregon.
• Warren Axelrod is sharing his opinion about how to get cybersecurity lessons from the pandemic by using preventive methods.
• Stephen Pritchard tells about OSINT in his article “What is open source intelligence and how is it used?”. The author describes OSINT history, common techniques and shows the current list of OSINT tools and services which is constantly growing.
• The Recorded Future team shared Chapter 3 from their Security Intelligence Handbook. This chapter describes six phases of the security intelligence lifecycle.

Research and analytics

• Group-IB has researched the key changes in the world cybercrime industry and made a forecast for the development of cyber threats for the upcoming year. According to the Hi-Tech Crime Trends 2020-2021 report, the greatest financial damage occurred due to ransomware attacks. The result of a difficult period for the global economy was prosperity of the market for selling access to compromised companies’ networks.
• Intel 471 has been tracking over 25 different ransomware-as-a-service crews over the past year, ranging from well-known groups that have become synonymous with ransomware, to newly-formed variants that have risen from the failures of old, to completely new variants that may have the ability to unseat the current top-level cabals.
• Verizon has released a Cyber-Espionage Report based on the Verizon Data Breach Investigations Report (DBIR) over the past seven years. The experts found out that more than 80% of cyber espionage criminals acted in the interests of the governments of the countries and only 4% were associated with organized crime. Former employees of companies made up 2% of all cyber spies.
• NordPass researchers investigated 275,699,516 passwords from leaks happened in 2020. The experts have made the list of the worst 200 passwords in 2020.
• The Armorblox threat research team has seen a sharp uptick in attackers using Google services to help them get emails past binary security filters based on keywords or URLs. They outlined five targeted phishing campaigns that weaponize various Google services during their attack flow. These attacks are representative but in no way exhaustive – they are the tip of a deep iceberg.
• The latest Global Threat Index for October 2020 by Check Point Research has revealed that the Trickbot and Emotet trojans continue to rank as the top two most prevalent malware in October, and that the trojans have been responsible for the sharp increase in ransomware attacks against hospitals and healthcare providers globally.
• In the Sophos 2021 Threat Report experts predicted the development of ransomware attacks in the upcoming year. They report that groups such as Ryuk, Ragnar Locker and even Maze, which targets are large attacks with multi-million dollar claims, will continue to operate, but attacks of newcomer hackers targeting large amounts of small loot should also be expected.
• The last Debate Security Research Report demonstrates that Cybersecurity is failing because the technology is not as effective as it needs to be and the reason is economics, not technology.
• According to the (ISC)² Cybersecurity Workforce Study the cybersecurity staff gap has decreased for the first time in the history. While companies are facing cybersecurity challenges with distance working due to COVID-19, the cybersecurity specialists scarcity has decreased from 4.07 million to 3.12 million per year. Job satisfaction of cybersecurity professionals is higher than ever.
• According Cyber Security Statistics Amidst Pandemic Hit Q2 2020 performed by Kratikal, the detection of pandemic-related cyber attacks grew by a massive 605% and Attacks on cloud services users reached nearly 7.5 million in the second quarter, given to the fact that cloud services being popular with people working from home.
• CrowdStrike, Inc. released the 2020 CrowdStrike Global Security Attitude Survey performed by Vanson Bourne. This year report highlighted the continuing expansion of ransomware, increased concerns about national state actors, and the need to accelerate digital and cybersecurity transformation.
  

Major Cyber Incidents

• Managed.com, one of the biggest providers of managed web hosting solutions, has taken down all its servers in order to deal with a ransomware attack. The ransomware impacted the company’s public-facing web hosting systems, resulting in some customer sites having their data encrypted.
• A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices. Present on the list of vulnerable targets are domains belonging to high street banks and government organizations from around the world. The vulnerability being referred to here is CVE-2018-13379, a path traversal flaw impacting a large number of unpatched Fortinet FortiOS SSL VPN devices.
• VpnMentor’s research team has discovered a possible credential stuffing operation whose origins are unknown, but that affected some online users who also have Spotify accounts. They unearthed an Elasticsearch database containing over 380 million records, including login credentials and other user data being validated against the Spotify service. Spotify initiated a ‘rolling reset’ of passwords for all users affected.
• South Korean conglomerate and retail giant E-Land has suffered a ransomware attack causing 23 of its retail stores to suspend operations while they deal with the attack.
• Manchester United Plc announced that the club has experienced a cyber attack on its systems. The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.
• UK-based cyber-security vendor Sophos notified customers via email about a security breach the company suffered last week. Exposed information included details such as customer first and last names, email addresses and phone numbers.