Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion now gives you a short overview every Wednesday of vulnerabilities and hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of the risks in the field of cyber security.
We will of course continue to report directly on important vulnerabilities and the options to mitigate them; our #WakeUpWednesday is a retrospective.
Several vulnerabilities have been disclosed during the last few days.
Pulse Secure announced a vulnerability in Pulse Connect Secure, its VPN solution. This vulnerability (CVE-2021-22893) is rated critical and is being actively exploited in the wild: attackers can take over vulnerable VPN servers remotely, and the FireEye blog describes a number of scenarios. There is currently no patch for this vulnerability; the security update is expected in May. Mitigating measures are available in the meantime, and Pulse Secure has released an integrity checker tool to determine whether an appliance has already been compromised. Check our live blog for the latest information.
In addition, three vulnerabilities in SonicWall Email Security have been published. The most serious is CVE-2021-20021, which lets an unauthenticated attacker create an administrator account with a single crafted HTTP request; the other two are post-authentication file upload and file read bugs that were chained with it. These vulnerabilities are also being actively exploited. A patch for them was released on April 19.
We cannot say this often enough: install updates and security patches as soon as possible, not only for your operating system and business software but also for your browser. Important patches were released last week for both Microsoft Exchange and Google Chrome!
Microsoft Exchange: as mentioned last week, two new very serious vulnerabilities have been disclosed, and patches are available.
Google: a number of vulnerabilities have been fixed in the Chrome browser. An unauthenticated remote attacker could exploit them to execute arbitrary code or gain access to sensitive data in the context of the browser; to do so, the attacker has to lure the victim to a malicious web page. Google has indicated that exploit code for the fixed vulnerabilities is in circulation.
Just like last week, there were several data leaks. Perhaps the biggest leak in a long time was found at allekabels.nl: it concerns the data of more than 3.6 million customers.
Another notable leak was at construction and property developer Heijmans. An email was accidentally sent to people interested in a house in a new-build project with an Excel file attached containing the personal data of more than 1,100 other interested parties. The file was not protected, for example with a password, so everyone who received it could read the data. A password would only have limited the damage; a file like this should not have been attached in the first place.
Your digital security is essential, but do not lose sight of your physical security either. Last week, for example, a hard drive containing data of around 30,000 people was stolen from the tax office in Amsterdam. The disk held scans of documents sent by post between July 2020 and March 2021 by approximately 30,000 taxpayers. Be alert to what data is stored on external media, where you keep them and whether they are encrypted: a stolen encrypted disk is a loss of hardware, a stolen unencrypted disk is a data breach!
Making backups is very important, especially for your most business-critical data; it can be essential for the survival of your organization. Make sure that you also keep an offline copy of this data! We regularly see backups that are only kept online, and in the case of ransomware they are encrypted together with the original data!
On Patch Tuesday Microsoft released security patches for newly discovered critical vulnerabilities in Exchange, following the critical vulnerabilities disclosed last month (Hafnium). Microsoft Exchange Server 2013, 2016 and 2019 are affected; Exchange Online customers are already protected. The vulnerabilities allow remote code execution, so an attacker can run malicious code on the server. There are currently no signs of active exploitation in the wild. Tesorion advises you to patch Exchange as soon as possible.
Because a logistics service provider was hit by ransomware, Albert Heijn had supply problems, resulting in empty shelves in the cheese department. Even though only part of the organization was affected, the collateral damage in the supply chain turned out to be significant.
After the problems Zoom had at the start of the corona crisis last year, ethical hackers discovered a new vulnerability last week. It allows an attacker to take control of the computer, even if Zoom is not in use at that moment.
Last week in our #WakeUpWednesday we mentioned that data from Facebook users is being offered for sale. This week it emerged that data from Clubhouse users has been made public. The dataset was created by scraping; according to Cybernews it combines the data of 1.3 million users. Clubhouse is a relatively new social media app for live audio conversations with different people, so without images or chat functionality. Clubhouse has been under fire before, partly because you have to share your address book in order to invite others.
Privacy is a great asset and, for some time now, it is about more than compliance. It is a fundamental human right that you as an organization have to deal with, partly due to the introduction of the GDPR. This means that you also have a duty to act quickly and carefully if you become the victim of a data breach. Reporting too late can result in significant costs, as Booking.com found out the hard way: the fine in that case was EUR 475,000.
The number of data breach reports that the Dutch government made to the Dutch DPA last year also rose by 13 percent compared to the previous year. The minister cannot yet explain the increase.
Facebook was also in the news last week: data of 533 million users has been leaked, of which 5.4 million are Dutch. The breach dates back to 2019, when the data was stolen via a vulnerability that has since been fixed. The leaked information includes full name, phone number and date of birth, and the data is currently being offered for free.
In general: be aware of your online activities and of the information you share with third parties (including on social media). Many people still work from home. Be aware that spam is still one of the most common ways for cyber criminals to distribute malware, and that new malware keeps appearing.
The following points therefore remain important:
- Install security updates as soon as they become available.
- Keep your virus scanner and spam filter up to date.
- Do not open mail from unknown senders.
- Know how to recognize malicious emails.
- Do not click on links in suspicious messages and do not enter personal information on the pages they lead to.
- Know what to do if you are affected by malware.
The FBI warned this week about the exploitation of FortiOS vulnerabilities. Advanced attackers have been observed using CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. These groups scan for devices listening on ports 4443, 8443 and 10443. Check that your Fortinet devices are patched and look for probes of those ports in your firewall logs. For more information, see the FBI's report.
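To make that port list actionable, here is an added example (not from the FBI report and not Tesorion's own tooling) that flags sources which touch two or more of the three ports within a short window, which is the scanning pattern rather than a single legitimate VPN connection. The log line format and the sample lines are constructed for this example; a real firewall export needs its own parser.

```python
"""Flag sources that probe the SSL-VPN ports named in the FBI alert.

Added example. The log line format and the sample lines are constructed for
this illustration and are not a real firewall export format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample firewall log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2021-04-03T10:00:01Z src=203.0.113.7 dst=198.51.100.2 dport=4443 action=deny
2021-04-03T10:00:02Z src=203.0.113.7 dst=198.51.100.2 dport=8443 action=deny
2021-04-03T10:00:03Z src=203.0.113.7 dst=198.51.100.2 dport=10443 action=deny
2021-04-03T10:05:00Z src=192.0.2.10 dst=198.51.100.2 dport=443 action=accept
2021-04-03T10:06:00Z src=192.0.2.10 dst=198.51.100.2 dport=8443 action=accept
2021-04-03T12:00:00Z src=203.0.113.9 dst=198.51.100.2 dport=4443 action=deny
2021-04-03T13:30:00Z src=203.0.113.9 dst=198.51.100.2 dport=10443 action=deny
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) action=\S+$"
)


def parse(lines):
    """Yield (timestamp, source, destination port) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], int(m["dport"])


def find_probers(log_text, window_seconds=600, min_ports=2):
    """Return {source: sorted watched ports} for sources that hit at least
    `min_ports` distinct watched ports within any window of `window_seconds`.

    A single hit on 8443 from a legitimate client is not reported; touching
    two or three of the ports in quick succession is the scanning pattern
    described in the alert.
    """
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)  # source -> [(timestamp, port), ...]
    for ts, src, dport in parse(log_text.splitlines()):
        if dport in WATCHED_PORTS:
            hits[src].append((ts, dport))

    suspects = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                suspects[src] = sorted(ports)
                break
    return suspects


if __name__ == "__main__":
    for src, ports in find_probers(SAMPLE_LOG).items():
        print(f"{src} probed {ports}")
```

With the default ten-minute window only 203.0.113.7 is reported; 203.0.113.9 touches two ports ninety minutes apart and only shows up when the window is widened, which is the tuning knob you would adjust to your own traffic.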
March 31 was World Backup Day, a day to remind people of the importance of making backups. Backups are an essential part of a good cyber security policy; in the case of ransomware, they can sometimes be the only thing to fall back on.
Despite all the attention devoted to patching Microsoft Exchange, there are still organizations that have not done so. As we mentioned on March 12, cyber criminals have exploited this vulnerability to deploy ransomware, and that ransomware is currently being actively used.
What many organizations seem to overlook is that patching fixes the vulnerability, but it is not a solution if the attackers are already in! Ransomware is currently being deployed via backdoors on servers that have since been patched but were vulnerable before. In addition, the number of attacks via web shells (Dutch content) is increasing. It is therefore important not only to patch, but also to scan your systems for web shells and other signs of compromise!
Other vulnerabilities currently being actively exploited are those in F5's BIG-IP platform, which is widely used for load balancing of (web) servers and (web) application delivery. The vulnerabilities were reported two weeks ago and a patch is available.
That data is worth big money to cyber criminals is also evident from the recent data breach at RDC.
The private details of potentially millions of Dutch car owners have been stolen and are being offered for sale on the internet. According to the NOS, this concerns information such as names, addresses, e-mail addresses and dates of birth. The data was stolen from RDC (Dutch only), an ICT service provider for car dealerships.
In the past week, a lot of attention was again paid to the Exchange vulnerabilities. Still, that was not the only cybersecurity news. What else happened:
The research report on the hack at the municipality of Hof van Twente has been published, with important lessons, among them the vulnerability caused by weak passwords. So define password requirements that go beyond 8 characters, one capital letter and a mix of letters and digits: a password that satisfies those composition rules can still be trivially guessable. In addition, errors in the network configuration and too many assumptions contributed to this hack.
Other notable news: a prison has to change 600 locks because of one WhatsApp photo taken by an intern. Behaviour and awareness play an important role, both offline and online. The intern in this article was unaware that sharing an image of a master key is enough to duplicate it. So make employees aware of what can happen when work-related images are shared on social media. At the start of the corona crisis, for example, we shared images of online meetings en masse, in several cases with the meeting access code in view.
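As an added illustration of that password point (example code, not from the Hof van Twente report and not Tesorion's), the classic composition rule is shown beside a check that looks at length and predictable patterns instead. The banned-word list is a tiny constructed stand-in for a real breached-password list, and the passwords used to exercise it are constructed as well.

```python
"""Two password rules side by side: the classic composition rule and a
policy that checks length and predictable patterns instead.

Added example. The banned-word list is a tiny constructed stand-in for a
real breached-password list; the passwords exercised below are constructed.
"""
import re

# Constructed stand-in for a breached/banned-password list (lower-case).
BANNED_WORDS = {
    "welkom", "welcome", "password", "wachtwoord",
    "zomer", "winter", "lente", "herfst", "gemeente",
}

# Common leetspeak substitutions, undone before the dictionary check.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def composition_rule(pw):
    """The weak policy: at least 8 characters, one capital letter, one digit."""
    return len(pw) >= 8 and bool(re.search(r"[A-Z]", pw)) and bool(re.search(r"\d", pw))


def normalise(pw):
    """Strip a trailing run of digits/symbols (the usual '2021!' suffix) and
    undo leetspeak, so 'W3lk0m2021!' is compared as 'welkom'."""
    core = re.sub(r"[\d!@#$%^&*._\-]+$", "", pw)
    return core.lower().translate(LEET)


def stronger_policy(pw, min_length=12):
    """Length first, then reject banned words with a suffix and embedded years.
    Returns (accepted, reason)."""
    if len(pw) < min_length:
        return False, "too short"
    if normalise(pw) in BANNED_WORDS:
        return False, "banned word plus suffix"
    if re.search(r"(19|20)\d\d", pw):
        return False, "contains a year"
    return True, "ok"


if __name__ == "__main__":
    # Constructed passwords: two that pass the composition rule but are
    # guessable, and a passphrase the composition rule wrongly rejects.
    for pw in ("Welkom2021", "Wachtw00rd2021!", "correct horse battery staple"):
        print(f"{pw!r}: composition={composition_rule(pw)} stronger={stronger_policy(pw)}")
```

The contrast is the point: the composition rule accepts "Welkom2021" and "Wachtw00rd2021!" and rejects a long passphrase, while the stronger check does the opposite. In production the constructed BANNED_WORDS set would be replaced by a breached-password list such as Have I Been Pwned's Pwned Passwords, queried through its k-anonymity API so the password never leaves your system.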
The Microsoft Exchange (Hafnium) hack was by far the biggest news last week: four vulnerabilities in on-premises Exchange servers 2013, 2016 and 2019 (reachable via OWA), not in Office 365. The attack is attributed to the (Chinese) state-sponsored group Hafnium, and the vulnerabilities have since been abused by more than ten APT groups. Patches are available, but they have to be installed correctly or they do not take effect. Not enough organizations are patching; many systems are still exposed. The zero-day vulnerabilities have been widely exploited for months (100,000+ servers worldwide). Tooling can tell you whether your Exchange server has been abused, but not what the attackers did once inside.
The impact is huge and it could be years before we know its full extent. Ransomware is now being rolled out to affected organizations. Companies, universities, banks, governments: everything and everyone is affected.
The most important thing for organizations now is to patch and scan their environment. Tesorion can help you.