Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion will now give you a short overview every Wednesday in a post about vulnerabilities or hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of possible risks in the field of cyber security.
We will of course report directly on important vulnerabilities and options to mitigate them. Our #WakeUpWednesday is a kind of retrospective.
Last week we announced that patches have been made available for Kaseya’s on-premises solutions and the Windows Print Spooler vulnerability. In addition, Microsoft announced last week that they found a zero-day vulnerability in the SolarWinds Serv-U software. SolarWinds already has a patch available for this vulnerability. Make sure these patches are installed if you are using the affected software.
Hacker groups that take your files hostage with ransomware nowadays also often use the so-called ‘double-extortion’ strategy. This strategy involves the hackers first exfiltrating (stealing) sensitive files to strengthen their position in the extortion. ReversingLabs reported last week that they found malware specifically designed for this purpose. Their blog lists some indicators of this malware. Recognizing this malware could be an early warning of a potential ransomware attack.
Ransomware attacks are becoming more common, and their impact is also increasing. Take, for example, the attack on Colonial Pipeline in the US. The US DHS and DOJ therefore launched a new initiative last week called StopRansomware.gov. The goal of this initiative is to provide a collective resource of information to help organizations better guard against ransomware. StopRansomware.gov describes step by step what you can do for prevention, for detection, and once you are infected.
Another data breach was reported last weekend, this time to the Dutch Ministry of Justice and Security. An outside employee had illegally copied sensitive information into his own work environment. This information subsequently also ended up in two other government environments. The personal data of about 65,000 civil servants were leaked because an employee did not follow the rules.
Fortinet has released an advisory regarding a critical vulnerability (CVE-2021-32589) in the FortiManager and FortiAnalyzer products. The vulnerability may allow a remote, unauthenticated attacker to execute unauthorized code as root by sending a specifically crafted request to the fgfm port of the targeted device. For details, please read the Fortinet advisory.
Last week there was a lot of attention for the issues with Kaseya and for the Microsoft PrintNightmare vulnerability. The latest update regarding Kaseya: a patch is available for the on-premises solutions. More info in our blog.
A patch is available for the Microsoft PrintNightmare vulnerability, but configuration changes also need to be made to be fully protected. The latest updates are described here.
In addition, there were several data breaches last week in which private data unintentionally ended up in the hands of third parties. This concerns various combinations of first and last name, email address, address details and bank details. Therefore, make sure that you use different passwords for the different online webshops and applications. In addition, if possible, use multi-factor authentication.
Make sure employees are alert and cyber-aware. Cyber criminals are becoming more and more creative and also regularly use the combination of online and offline activities. One of the most striking or convincing examples is the combination between vishing and a physical visit by a so-called bank employee.
Last week there was a lot of talk about the supply chain attack at Kaseya. One of the lessons that can be drawn from this is that cybersecurity is not only about preventing incidents, but also about rapid detection and an appropriate response.
In our blog, we keep up with the latest developments about the ransomware attack that is underway via a supply chain attack at Kaseya.
In addition to this attack, there were two Microsoft vulnerabilities that require updates: one in PowerShell 7 and an RCE vulnerability in Windows Print Spooler. For PowerShell 7, it is recommended that you update to PowerShell version 7.0.6 or 7.1.3 as soon as possible. For the RCE vulnerability, all supported Windows versions are vulnerable. Microsoft has published two workarounds. The first option is to disable the Print Spooler service. This has the disadvantage that the system can no longer print. The second option is to disable inbound remote printing. The system then no longer functions as a print server, but local printing is still possible. An update for this vulnerability has been released.
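The two Print Spooler workarounds described above, as an added administration script that is not part of the original post or of Microsoft's guidance. It assumes the policy value `RegisterSpoolerRemoteRpcEndPoint` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers`, which backs the "Allow Print Spooler to accept client connections" Group Policy setting (2 = disabled, 1 = enabled); the `Audit` mode only reports, the other two modes apply one of the workarounds and need an elevated shell.

```powershell
# Added example (not from the post): audit the Print Spooler posture of a Windows host
# and optionally apply one of the two Microsoft workarounds named in the text.
# Assumption: the policy value below is the registry backing of the Group Policy
# setting "Allow Print Spooler to accept client connections" (2 = disabled, 1 = enabled).
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockInboundRemotePrinting')]
    [string]$Mode = 'Audit'
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerPosture {
    # Collect service state and the inbound-remote-printing policy in one object.
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName

    $inbound = switch ($policy) {
        2       { 'Blocked by policy' }
        1       { 'Allowed by policy' }
        default { 'Not configured (allowed)' }
    }

    # A host that shares printers is acting as a print server; workaround 2 would break that
    # role, so the admin needs to know before choosing.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

    [pscustomobject]@{
        SpoolerStatus         = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        InboundRemotePrinting = $inbound
        SharedPrinters        = $shared.Count
    }
}

switch ($Mode) {
    'Audit' {
        # Report only; nothing is changed.
    }
    'DisableSpooler' {
        # Workaround 1: stop and disable the service. Side effect: no printing at all on this host.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockInboundRemotePrinting' {
        # Workaround 2: keep local printing but stop accepting client connections,
        # so the host no longer acts as a print server.
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
    }
}

# Always end with the resulting posture so the change (or the current state) is visible.
Get-SpoolerPosture
```

Run `.\spooler-workaround.ps1` for the audit, or `.\spooler-workaround.ps1 -Mode BlockInboundRemotePrinting` on a machine that shows zero shared printers; the audit output is also a quick way to confirm the setting across a fleet once the official update has been rolled out.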
We are closing this week with a new data breach at LinkedIn. Combinations of passwords and e-mail addresses are circulating publicly. The advice is to change your LinkedIn password and to come up with a unique password for all applications and/or online accounts.
Ransomware is a threat to national security, according to the Dutch National Coordinator for Counterterrorism (NCTV) in the Cyber Security Assessment Netherlands 2021 this week. This is a danger that we also recognize. Our analysts therefore work very closely with various authorities daily to minimize the consequences of this danger. One of the results of those efforts is a new decryptor. In some cases, this decryptor can help decrypt files encrypted by Lorenz ransomware without paying the requested ransom. The decryptor is made available for free through nomoreransom.
Another ransomware development is that ransomware organizations are creating websites to recruit affiliates. For example, promotional texts are used to attract partners who can use the Ransomware-as-a-Service. This allows many more cybercriminals (even without specific ransomware knowledge) to use this form of cybercrime.
In line with the Cyber Security Assessment, both the government and academia are calling on organizations to increase the knowledge of cybersecurity and information security among employees. One of these initiatives was initiated by ACCSS, with a Dutch open letter called: “Open Brief: Overstappen naar de Cloud, bezint eer ge begint“. Know where your data is stored, under what conditions and who has access to it.
Cyber criminals are getting more and more inventive. In addition to responding to current events, such as the campaigns on Covid-19, they also consciously respond to people’s sense of safety.
After the DarkSide ransomware group announced that it would cease its activities, we see new activities emerging under the same name. Cyber criminals use the DarkSide name to steal a lot of money from organizations in the energy and food industry, partly by playing on fear. As with DarkSide’s ransomware attacks, a ransom claim is made; however, contrary to the actions of the original group, there is no proof that the new party actually possesses any data. The approach of this new party also differs in other respects. In addition, this party also claims the attack on JBS, but this was carried out by REvil. The advice is to be alert and, if in doubt, contact experts for further analysis.
Research from Cybereason shows that once hit by ransomware, you are likely to be attacked a second time. In addition, half of the organizations lose data despite payment and one in four companies is forced to stop its activities.
An example of playing on the feeling of safety is the incident at Ledger, in December 2020. This organization makes crypto wallets, USB sticks with which you can send and receive Bitcoins, among other things. After user data was stolen from Ledger, these users were sent a new USB stick with the message that the old one was no longer safe after the hack. Because the stick and the packaging were indistinguishable from the real thing, this new stick was used and the instructions followed. The result is clear: the cyber criminals took a lot of crypto.
If you use Google Chrome, it is recommended to update Chrome as soon as possible. For the seventh time this year, vulnerabilities have been found that are being actively exploited.
Cybersecurity is not only an important topic during office hours. Cybercrime can happen anytime, anywhere. Taking basic measures, including increasing the cyber awareness of employees, can reduce the risk of an incident. Also during the holidays. Think, for example, of awareness about the risks when it comes to free WiFi, an easy first step.
Looking up data and e-mailing is no longer just a PC-based task; it can be done just as easily on a mobile phone. In short, keeping these devices up to date is now just as important as keeping the network up to date. Cyber criminals can spy on users and access data via pre-installed Samsung apps. Multiple vulnerabilities were patched in April and May. Do your employees know this too?
Are you dealing with a data breach? Do not forget to report this to the Dutch Autoriteit Persoonsgegevens (for Dutch companies). Failure to report, or not on time, may result in a fine. There are various ways in which a data breach can occur. For example, the VPRO was hit by a data breach after a break-in on a server at a supplier. This could potentially affect thousands of subscribers.
Cyber criminals are actively exploiting a vulnerability in VMware vCenter Server that could allow a cyber criminal to take over control remotely. A patch has been available for CVE-2021-21985 since May 25, but many systems are still vulnerable. We recommend patching systems as soon as possible.
There are also two critical vulnerabilities for Citrix systems and appliances that require urgent attention. Details about these vulnerabilities can be found in the blog we published yesterday.
In addition, Microsoft released updates for six vulnerabilities, one of which, CVE-2021-33742, has been labeled critical. This is a vulnerability in the Windows MSHTML platform that allows remote code execution. Patching as soon as possible is also the urgent advice here.
In recent weeks, the developments regarding the ransomware at Colonial Pipeline have been frequently covered in the media. The origin of this extensive ransomware attack is a confluence of various aspects in the field of people, process and technology. In this case, the same password was used by a user in multiple places. The leaked VPN password also belonged to an account that was no longer in use, but that was still operational. Because no multi-factor authentication was used, it was relatively easy for cyber criminals to get access. Meanwhile, the bitcoins in which the ransom was paid have been traced and recovered by hacking one of the accounts used by the cyber criminals.
Because cyber criminals take advantage of this type of news, the first phishing attacks have now also been discovered in which this ransomware attack is used as a reason. Employees are asked to install ransomware system updates. However, these updates do not protect you against ransomware, but facilitate these types of attacks.
Last week, it was announced that cybercriminals launched an advertising campaign on Google to mislead those interested in AnyDesk (a remote desktop access solution). These individuals were cleverly lured, using a clone of the original website, into installing malware.
Another clever way that was made public is the extortion of gas station owners. After the recently exposed form of WhatsApp fraud in April, contact is now being made, stating that the driver left without paying, but that they still want to pay for the petrol. You will then be asked to provide the name and account number, or to make a payment request. What follows is not a payment, but ransomware or a virus.
It is good to realize that cyber criminals do not only use online resources. Another way that was recently made public is where you receive an email with a subscription for an online streaming service. However, you never subscribed, so you call the number stated in the email to make a complaint. A call center employee will then help you to cancel the (non-existing) subscription and install malware on your PC at the same time.
There are not only many developments on the user side; there are also developments on the technical side.
The CISA (Cybersecurity & Infrastructure Security Agency) released an update last week for the vulnerabilities in Pulse Connect Secure. The advice is, if the patches for these vulnerabilities are not yet installed, to install them as soon as possible.
In the last few days, a lot of attention was paid to the default settings of WhatsApp. It can be easy for anyone to add random people (people who are not in your contact list) to a WhatsApp group. This functionality already existed, but recently a lot of warnings were issued. Although it is not considered to be a vulnerability in the software, you should be in control of what is happening on your device. In this case, it is not only about usability; it also poses a great risk of phishing or extortion, for example. Make sure you know which applications you have installed, what functionality they offer and what they have access to.
Examples from America show that cyber criminals regularly misuse the data of missing people for their campaigns. Details of family members looking for their loved ones are retrieved through various online channels, after which these people are approached with ransom claims, among other things.
QR codes are also abused to send people to malicious websites. On these sites, you are then asked to enter personal data that can be misused. Another possibility is that malicious software is installed from this site onto your device.
Today, VMware has released an update for critical vulnerabilities CVE-2021-21985 and CVE-2021-21986. These affect VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation) and can be used for remote code execution. The advice is to patch these as soon as possible.
Microsoft recently released a patch for two vulnerabilities, CVE-2021-31166 and CVE-2021-28476, that have been rated “Critical” by Microsoft. More details about these vulnerabilities can be found in our blog. Of course we advise you to install the released patch as soon as possible!
In addition to these vulnerabilities in Windows, there are also signs that cyber criminals are using Microsoft Build Engine to proliferate malware. The attackers distribute input files for the build tool MSBuild. Malicious executable files are put in these input files, which then open back doors on the system in question at the time of compilation and deployment. These then allow cyber criminals to take control of victims’ machines and steal sensitive information.
Last week, we indicated in our #WakeUpWednesday that the French branch of insurer AXA is no longer reimbursing ransom money that must be paid in ransomware cases. It was revealed this week that an Asian division of the company has recently been hit by ransomware. The attack was claimed by the group behind the Avaddon ransomware. The group has now made some of the stolen data, including screenshots of ID cards and passports, public.
The FBI and the Australian Cyber Security Centre (ACSC) have also warned about the Avaddon ransomware. Urgent advice was also given to pay more attention to the security of teleworking solutions. These are widely used by attackers to gain access to corporate networks.
Online shopping has increased enormously in the past year, resulting in strong growth in the number of packages. Cyber criminals are responding to this development in various ways. More than 10,000 Android phones in Belgium were recently infected with FluBot malware, a banking trojan that, among other things, tries to steal data in order to commit bank fraud. This malware uses a text message stating that the delivery person is on their way with your package, with a track and trace link that points to a rogue app that contains malware. The malware then sends an SMS to random people. KPN is now also warning about this malware and about potentially unexpectedly high telephone bills.
In addition to patching systems, it remains very important to make your employees, also when they mostly work from home, aware of the many different ways in which cyber criminals try to gain access to company data and networks.
Last week Tuesday and Wednesday, we published blogs about the Dell driver and 21Nails Exim vulnerabilities. For details about these vulnerabilities and how to fix them, please refer to the relevant blogs.
Adobe released a patch for the following vulnerability (CVE-2021-28550) in its applications for Windows and macOS. In total 12 different Adobe applications are vulnerable. We strongly advise you to patch your systems, as this vulnerability is currently being exploited.
In addition, the Dutch CBS (Central Agency for Statistics in the Netherlands) sees a sharp increase in the number of data leaks at large companies. For example, it indicates that in 2019 a quarter of companies with 250 or more employees were affected by a data breach as a result of an internal incident. In 2018, that percentage was still 17%. Relatively speaking, most data breaches occurred in healthcare. In total, almost 30,000 reports were made to the Dutch Data Protection Authority (AP) in 2019.
Delivery service Gorillas recently had a data breach involving data from 200,000 customers and deliverers. The customer data that was leaked included: name, address details, credit card details and e-mail address; in the case of the deliverers it concerned name and telephone number. The data turned out to be easily accessible via an API; a similar vulnerability was previously exploited at the German delivery service Flink.
Insurer AXA has indicated that it will stop paying ransom money in France that victims of ransomware have to pay to criminals to regain access to their data and systems. Many organisations are paying close attention, not only to see who will follow but also to monitor what will be the effect on ransomware cases.
To stop ransomware, 60 representatives from the security industry and US governments have set up a task force to fight ransomware. They are supported in this by, among others, Europol. The responsibility of the ISP is also considered, as well as the payment process. Because crypto currencies play an important role in payment in ransomware cases, possible measures will also be examined in this area.
Multiple vulnerabilities in Exim mail transfer agent (MTA) allow attackers to fully compromise mailservers. The vulnerabilities, known as 21Nails, require immediate patching. Check our blog for more info.
Pulse Connect Secure released a patch for the recently announced vulnerability. Our advice is to patch your systems as soon as possible.
Despite all the warnings to be cautious with unexpected requests in emails, such as changing a bank account number, it is easy to make a mistake. Last week it was announced that online store Bol.com has transferred 750,000 euros to the account number of scammers instead of that of one of their Dutch partners, Brabantia. Stay alert to these kinds of change requests. Put a procedure in place that ensures that requests to change, for example, an account number are always verified through a second channel, such as contacting the relevant party by telephone.
Swiss cloud provider Swiss Cloud has been hit by ransomware, preventing thousands of customers from accessing their applications and data. Be aware that if criminals have access to your cloud provider’s systems, they may also be able to access your systems. As an organization, therefore, regularly test your own cyber security measures and ensure that offline backups are also available of your systems and data.
In many organizations more and more equipment is connected and data is made accessible via the Internet. The Internet of Things (IoT) has enormous potential for both IT and OT (operational technology). At the same time, it is necessary to also be aware of the risks you run with IoT.
Microsoft has recently found many (over 25) vulnerabilities in IoT and OT devices. Although patching the software for these devices is often very difficult, this is necessary. If it is not necessary for these devices to have a connection to the internet, then taking these devices offline is of course the easiest solution. In addition, segmenting the network, whereby these devices are placed in their own segment, is a step that contributes to increasing cybersecurity within the organization.
Last but not least: If you use an iPhone, it is recommended to install the latest iOS update as soon as possible (if you have not already done so). In addition to the new privacy policies that have been implemented, no fewer than 50 vulnerabilities have been patched.
Last week several organizations issued warnings for vulnerabilities in their software. Patching is essential; where no patch is yet available (Pulse Secure), a workaround is described.
In addition, Apple came into the media as a victim of the hacker collective REvil. $50 million in ransom has been demanded for blueprints and other confidential data. The hackers obtained this information via a supply chain attack.
Another ransomware attack was carried out by cyber criminals on IT supplier Managed IT. This attack could also have developed into a supply chain attack, but fortunately the systems and data of the affiliated notary offices were not hit.
Several vulnerabilities have been disclosed during the last few days.
Pulse Secure announced a vulnerability in Pulse Connect Secure, a solution used for VPN connections. This vulnerability (CVE-2021-22893) is considered very critical and is currently actively exploited in the wild. Cyber criminals can take over vulnerable VPN servers remotely; the FireEye blog describes a number of scenarios. There is currently no patch available for this vulnerability; the security update is expected in May. There are, however, mitigating measures that can be taken. Check our live blog for the latest information.
In addition, three vulnerabilities related to SonicWall Email Security have also been published. CVE-2021-20022 is particularly serious: it can allow an attacker to create an administrator account with a crafted HTTP request. These vulnerabilities are also currently being actively exploited. A patch was released for these vulnerabilities on April 19.
We cannot mention this too many times: install updates and security patches as soon as possible. Not only for your operating system or business software, but also for your browser, for example. Important patches were released last week for both Microsoft Exchange and Google!
Microsoft Exchange: As mentioned last week, two new very serious vulnerabilities have been revealed for which patches are available.
Google: A number of vulnerabilities have been fixed in the Chrome browser. An unauthenticated attacker could potentially exploit the vulnerabilities remotely to execute arbitrary code or gain access to sensitive data in the context of the application. To this end, the attacker must induce the victim to visit a malicious web page. Google has indicated that exploit code is in circulation for the vulnerabilities that have been fixed.
Just like last week, there were several data leaks. Perhaps the biggest leak in ages was found at allekabels.nl. This concerns data of over 3.6 million customers.
Another notable leak was that of real estate company Heijmans. Here an email was accidentally sent to interested parties for a house in a new construction project, with an Excel file enclosed containing the personal data of more than 1100 other interested parties. Unfortunately, the Excel file was not protected with, for example, a password. This means that the data could be viewed by everyone receiving the file.
Your digital security is essential. An important detail is not to lose sight of your physical security. Last week, for example, a hard drive was stolen at the tax office in Amsterdam containing data from 30,000 people. The disk contains scans of documents sent by post from July 2020 to March 2021 by approximately 30,000 taxpayers. Be alert to what data is on external data carriers and where you store it!
Making backups is very important, especially when it concerns your most business-critical data. It can be essential for the survival of your organization. Make sure that you also make an offline backup of this data! We regularly see that these backups are made online and in the case of ransomware are included in the encryption together with the original data!
Microsoft announced security patches for newly found critical vulnerabilities this Patch Tuesday, following the critical vulnerabilities disclosed last month in Microsoft Exchange (Hafnium). Microsoft Exchange Server 2013, 2016, and 2019 are impacted by these new vulnerabilities, Exchange Online customers are already protected. Via Remote Code Execution an attacker can run malicious code on the system. Currently there are no signs of any active exploits in the wild. As Tesorion we advise you to patch Exchange as soon as possible.
Because a logistics service provider has been hit by ransomware, problems have arisen with the supply of Albert Heijn. As a result, there were empty shelves in the cheese department. Even though only a part of the organization was affected, the collateral damage in the supply chain turns out to be significant.
After some problems with Zoom during the start of the Corona crisis last year, ethical hackers appear to have discovered a new vulnerability last week. This vulnerability allows cyber criminals to take control of the computer, even if Zoom is not in use at that time.
Last week, we mentioned in our #WakeUpWednesday, that data from Facebook users is being offered for sale. This week it emerged that data from Clubhouse users has been made public. The dataset was created via scraping. According to Cybernews, the data of 1.3 million users has been combined. Clubhouse is a relatively new social media app enabling live conversations, so without images and chat functionality, with different people. Clubhouse has been under fire before, partly because you have to share your address book in order to invite others.
Privacy is a great asset that, for some time now, has been about more than compliance alone. It is a fundamental human right that you as an organization are confronted with, partly due to the introduction of the GDPR. This means that as an organization, you also have a duty to act quickly and carefully if you become a victim of a data breach. Reporting too late can result in significant costs; Booking.com was one of the companies that found out the hard way. The fine in this case: EUR 475,000.
The number of data breach reports that the Dutch government made to the Dutch DPA last year also increased by 13 percent compared to the previous year. However, the increase cannot yet be explained by the minister.
Facebook was also in the media last week, with the announcement that data of 533 million users has been leaked, of which 5.4 million are Dutch. The data breach took place back in 2019; the data could be stolen via a vulnerability that had already been resolved some time ago. The leaked information includes full name, phone number and date of birth. This data is currently being provided free of charge.
In general: Be aware of your online activities and what information you share with third parties (including on social media). Many people still work from home. It is important to be aware of the fact that spam is still one of the most used ways by cyber criminals to distribute malware. In addition, new malware is still on the market.
The following points are therefore still important to realize:
- Install your security updates as soon as they arrive.
- Update your virus scanner and spam filter.
- If you receive mail in your inbox from an unknown sender, do not open it.
- Know how to recognize malicious emails.
- Do not click on links and do not leave any personal information.
- Know what to do if you are affected by malware.
The FBI has warned this week about the use of FortiOS vulnerabilities. Advanced attackers have been detected using CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. These groups scan for ports 4443, 8443, and 10443. For more information, see the FBI’s report.
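One way to turn the port information above into a detection, as an added example that is not part of the original post or of the FBI report: group firewall log lines by source address and flag sources that probe two or more of the three ports in a short time. The log lines and their `src=... dst=... dport=...` format are constructed for this example; the regex is the part to adapt to your own firewall export.

```powershell
# Added example (not from the post): find source addresses that probe the ports named in the
# FBI warning (4443, 8443, 10443). The log lines below are constructed; the field layout
# (key=value pairs after the action) is an assumption, adapt $pattern to your firewall's format.
$logLines = @(
    '2021-03-30T08:01:12Z fw1 deny src=198.51.100.23 dst=203.0.113.10 dport=4443 proto=tcp',
    '2021-03-30T08:01:13Z fw1 deny src=198.51.100.23 dst=203.0.113.10 dport=8443 proto=tcp',
    '2021-03-30T08:01:14Z fw1 deny src=198.51.100.23 dst=203.0.113.10 dport=10443 proto=tcp',
    '2021-03-30T08:02:40Z fw1 allow src=192.0.2.55 dst=203.0.113.10 dport=443 proto=tcp',
    '2021-03-30T08:03:05Z fw1 deny src=192.0.2.77 dst=203.0.113.10 dport=8443 proto=tcp',
    '2021-03-30T08:03:06Z fw1 deny src=192.0.2.77 dst=203.0.113.10 dport=8443 proto=tcp'
)

# Ports from the FBI warning; a single hit on one port is normal background noise,
# the same source touching several of them in one window is what we want to see.
$watchPorts = 4443, 8443, 10443
$pattern    = '^(?<ts>\S+)\s+\S+\s+(?<action>\w+)\s+src=(?<src>[\d.]+)\s+dst=(?<dst>[\d.]+)\s+dport=(?<dport>\d+)'

function Find-FortiProbeSources {
    param(
        [string[]]$Lines,
        [int]$MinDistinctPorts = 2,
        [int]$WindowMinutes = 10
    )

    # Parse only the lines that match and only the ports we watch.
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern -and $watchPorts -contains [int]$Matches.dport) {
            [pscustomobject]@{
                Time   = [datetime]::Parse($Matches.ts).ToUniversalTime()
                Src    = $Matches.src
                Dst    = $Matches.dst
                Port   = [int]$Matches.dport
                Action = $Matches.action
            }
        }
    }

    # One finding per source that hit enough distinct ports within the window.
    $events | Group-Object Src | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $ports  = @($sorted.Port | Sort-Object -Unique)
        if ($ports.Count -ge $MinDistinctPorts -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Src       = $_.Name
                Ports     = $ports -join ','
                Hits      = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        }
    }
}

# With the constructed input only 198.51.100.23 is reported: it touched all three ports
# within two seconds. 192.0.2.77 hit one port twice and stays below the threshold.
Find-FortiProbeSources -Lines $logLines | Format-Table -AutoSize
```

Point `-Lines` at `Get-Content` of a real export and raise `-MinDistinctPorts` to 3 if the two-port threshold is too noisy on an Internet-facing firewall.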
March 31 was World Backup Day. A day to remind people of the importance of making backups. Backups are an essential part of a good cyber security policy. In fact, in the case of ransomware, it can sometimes be the only option to fall back on.
Despite all the attention that has been devoted to patching Microsoft Exchange, there are still organizations that have failed to do so. As we mentioned on March 12, there are cyber criminals who have exploited this vulnerability to place ransomware. This ransomware is currently being actively used.
What many organizations seem to overlook is that patching does fix the vulnerability, but it is not a solution if cyber criminals are already in! Currently, ransomware is placed via backdoors on servers that have now been patched but were previously vulnerable. In addition, an increase can also be seen in the number of hacks on web shells (Dutch content). It is therefore important not only to patch, but also to scan your systems!
Other vulnerabilities currently actively used by cyber criminals are vulnerabilities in F5’s BIG-IP platform. This platform is widely used for load balancing of (web) servers and (web) application delivery systems. The vulnerabilities were reported two weeks ago, a patch is available.
That data is worth big money for cyber criminals is also evident from the recent data breach at RDC.
The private details of potentially millions of Dutch car owners have been stolen and are being offered for sale on the internet. According to the NOS, this concerns information such as name, address details, e-mail addresses and dates of birth. The data was stolen from RDC (Dutch only), an ICT service provider for car companies.
In the past week, a lot of attention has again been paid to the Exchange vulnerabilities. Still, that is not the only cybersecurity news from the past week. What else happened:
The research report on the hack at Hof van Twente has been published with important lessons, among other things about the vulnerability caused by weak passwords. So, define password requirements that go beyond 8 characters, a capital letter and alternation between numeric and alphanumeric characters. In addition, errors in the network configuration and too many assumptions were also to blame for this hack.
Other Notable News: Prison needs to change 600 locks because of one WhatsApp photo of an intern. Behavior and awareness play an important role, both offline and online. The intern from this article was unaware that sharing an image of a master key is enough to duplicate the key profile. Therefore, make employees aware of the possibilities that arise when work-related images are shared on social media. For example, at the start of the corona crisis, we shared images of online meetings en masse, in several cases with the access code for the meeting in view.
The Microsoft Exchange hack was by far the biggest hack in the news last week. Four vulnerabilities in on-premises Exchange (OWA) servers 2013, 2016 and 2019, not in O365. Perpetrators are the (Chinese) state-sponsored Hafnium hackers, and the vulnerabilities have since been abused by more than 10 APT parties. There are patches, but they need to be applied properly or they won’t work. There is not enough patching; many systems are still open. The zero-day vulnerability has been widely exploited for months (100,000+ systems worldwide). With tooling you can find out if your Exchange has been abused, not what the attackers did.
Impact is huge and it could be years before we become aware of the impact. Ransomware is now being rolled out to organizations. Companies, universities, banks, governments, everything, and everyone is affected.
Most important for organizations now is to patch and scan their environment. Tesorion can help you.