Flair Data Systems Cybersecurity News Update 1-24-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 1/24/2024

Well, it seems the cold will leave us for a while and give us warmer weather, yet yesterday was one wet day. The events of this past week have caught my attention, specifically the compromise of Microsoft corporate email accounts.

 

On that note, let’s jump into this week's cybersecurity news update. 

 

Water management conglomerate hit by ransomware 

 

Veolia North America, a subsidiary of the transnational conglomerate Veolia, has disclosed that it was impacted by a ransomware attack that affected systems within its Municipal Water division and disrupted its bill payment systems.

  • Law enforcement and third-party forensics have been engaged to determine the extent of the attack's impact
  • The attack appears to have affected only the bill payment system, not water treatment operations or wastewater services
  • At this point in time, the threat actor has not been disclosed

Link (1): https://www.bleepingcomputer.com/news/security/water-services-giant-veolia-north-america-hit-by-ransomware-attack/ 

 

Have I Been Pwned adds “statistically significant” data leak 

 

71 million email addresses were recently added to the Have I Been Pwned system.

  • Have I Been Pwned is a site one can use to check whether their email address has been part of a compromise
  • The data set has been circulating for the past several months but was originally dismissed as purely historical data
  • The big concern here is that Troy Hunt (HIBP owner) noticed after further review that about 1/3 of the email addresses were brand new
  • If you search HIBP and your email address shows up under "Naz.API", that points to a likely infection by password-stealing malware

Link (1): https://www.techradar.com/pro/security/one-of-the-biggest-password-dumps-in-recent-history-has-been-revealed-but-theres-an-easy-way-to-find-out-if-youre-at-risk#:~:text=Have%20I%20Been%20Pwned%3F,breached%20to%20obtain%20the%20information. 

 

iShutdown helps discover spyware on iPhones 


Security researchers found that a device infected by Pegasus, Reign, or Predator can be identified by checking Shutdown.log, a system log file that records reboot events.

  • Kaspersky released a Python script that automates analysis of the Shutdown.log file and flags potential signs of infection

Link (1): https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/ 

Link (2): https://www.bleepingcomputer.com/news/security/ishutdown-scripts-can-help-detect-ios-spyware-on-your-iphone/ 
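To show the kind of check the Kaspersky method relies on, here is an added example (not Kaspersky's script and not from the original post) that scans a Shutdown.log-style text for reboot delays and for processes launched from the staging path the research associates with these spyware families. The log layout, the sample lines and the delay threshold are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the approximate layout of iOS Shutdown.log (the format
# is assumed, not a real capture): "SIGTERM: [pid] path" for each process being
# stopped, then "After Ns, there are still N proc(s) running:" plus stragglers.
SAMPLE_LOG = """\
SIGTERM: [0x0a12] /usr/libexec/rapportd
SIGTERM: [0x0a45] /usr/sbin/wifid
SIGTERM: [0x0b10] /private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking
After 3s, there are still 1 proc(s) running:
 [0x0b10] /private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking
After 6s, there are still 1 proc(s) running:
 [0x0b10] /private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking
SIGTERM: [0x0c01] /usr/libexec/rapportd
SIGTERM: [0x0c02] /usr/sbin/wifid
"""

STAGING_PREFIX = "/private/var/db/com.apple.xpc.roleaccountd.staging/"  # spyware staging dir
PROC_RE = re.compile(r"\[0x[0-9a-fA-F]+\]\s+(\S+)")
DELAY_RE = re.compile(r"^After (\d+)s, there are still \d+ proc\(s\) running")
MAX_DELAYS = 3  # assumed threshold: this many delayed shutdowns is worth a look

def analyze_shutdown_log(text):
    """Summarise reboot delays, the stragglers causing them, and staging-path processes."""
    delays, stragglers, seen = [], Counter(), set()
    for line in text.splitlines():
        m = DELAY_RE.match(line)
        if m:
            delays.append(int(m.group(1)))
            continue
        m = PROC_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        seen.add(path)
        if line.startswith(" "):  # indented entries are the processes that held up shutdown
            stragglers[path] += 1
    suspicious = sorted(p for p in seen if p.startswith(STAGING_PREFIX))
    return {
        "delays": delays,
        "stragglers": stragglers,
        "suspicious": suspicious,
        "flag": bool(suspicious) or len(delays) >= MAX_DELAYS,
    }

if __name__ == "__main__":
    result = analyze_shutdown_log(SAMPLE_LOG)
    print("staging-path processes:", result["suspicious"], "delays (s):", result["delays"], "flag:", result["flag"])
```

On a real device the file comes out of a sysdiagnose archive; a staging-path hit is the strong indicator, while repeated delays alone only justify a closer look.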

 

Kansas State University sustains cyberattack 

 

K-State has announced that it is managing a cybersecurity incident that has disrupted network systems, including VPN, K-State Today emails, and video services on Canvas and Mediasite.

  • Third-party forensics has been engaged to assist with the investigation
  • At this point in time, no threat actor has claimed this attack, nor has K-State divulged this information

Link (1): https://www.bleepingcomputer.com/news/security/kansas-state-university-cyberattack-disrupts-it-network-and-services/ 

 

Subway has been hit by Lockbit 

 

Subway has appeared on the LockBit leak site, which raises concerns that sensitive customer and corporate data has been exfiltrated.

  • Sources have disclosed that crucial files have been encrypted and a substantial ransom demanded
  • Beyond stating that teams within Subway are working to resolve the issue, no other information has been provided

Link (1): https://medium.com/@defxcyber/major-us-sandwich-chain-falls-victim-to-lockbit-ransomware-attack-5fa55ecc82c6 

 

Russian hackers breach Microsoft executive emails to learn about themselves 

 

Last Friday it was announced that Microsoft corporate email accounts had been compromised and data stolen by "Midnight Blizzard".

  • The intrusion was detected on January 12th, but the initial breach occurred in November 2023 through a password spray attack against a legacy non-production test tenant account
  • This type of attack points to MFA not being enforced on that tenant and its accounts
  • The real question is how a test tenant was able to reach the larger corporate email platform
  • The targets included members of the leadership team and employees within the cybersecurity and legal departments
  • The initial investigation indicates that the first targets were email accounts holding information about Midnight Blizzard itself

Link (1): https://www.bleepingcomputer.com/news/security/russian-hackers-stole-microsoft-corporate-emails-in-month-long-breach/ 

 

JPMorgan Chase says hacking attempts are increasing 

 

JPMorgan currently invests around $15 billion (that is a B) a year and employs more than 62,000 technologists to enhance its security defenses.

  • Early in the panel discussion, Erdoes commented that they experienced over 45 billion cyber-attacks last year... this statement was later clarified by someone else at JPMorgan to mean observed activity collected (malicious or not), which is a more accurate statement
  • The concern here is how we arm those outside our realm with information and make sure they properly articulate what they were given

Link (1): https://finance.yahoo.com/news/jpmorgan-chase-fights-off-45-211618309.html 

 

TeamViewer still being abused to breach networks in new ransomware attacks 

 

RMM tools (e.g., TeamViewer) are still being used either to gain or to maintain access to organizations and to deploy ransomware.

  • TeamViewer states that these breaches of its clients' tenants are not due to a vulnerability but to credential stuffing attacks (leaked credentials)
  • The key point here is to make sure you have good password policies in place, not only in your corporate environment but also on your SaaS platforms (along with MFA)
  • More and more third-party tools are moving to SaaS-based solutions; those usually have more "god-like" access than some on-premises applications and need to be secured as such
  • RMM tools are not the only ones that fall into this category: Endpoint Protection, DLP, PAM, DDI (think Infoblox), and Patch Management (Ivanti, Automox) are all examples

Link (1): https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-networks-in-new-ransomware-attacks/ 
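Both the Microsoft item (password spray against a legacy test tenant) and the TeamViewer item (credential stuffing) share one log signature a defender can alert on: a single source trying many distinct accounts a few times each. This added example, written for this post rather than taken from Microsoft or TeamViewer, runs that check over constructed sign-in records; the field layout, IP addresses, account names and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sign-in records (not real logs): "timestamp source_ip account outcome".
# 203.0.113.7 tries six different accounts once each (a spray) and gets into a
# legacy test account that has no MFA; 198.51.100.20 is a normal user mistyping
# their own password a few times before succeeding.
SAMPLE_EVENTS = [
    "2023-11-20T03:00:01Z 203.0.113.7 alice FAIL",
    "2023-11-20T03:00:04Z 203.0.113.7 bob FAIL",
    "2023-11-20T03:00:07Z 203.0.113.7 carol FAIL",
    "2023-11-20T03:00:10Z 203.0.113.7 dave FAIL",
    "2023-11-20T03:00:13Z 203.0.113.7 erin FAIL",
    "2023-11-20T03:00:16Z 203.0.113.7 svc-legacy-test SUCCESS",
    "2023-11-20T08:15:00Z 198.51.100.20 bob FAIL",
    "2023-11-20T08:15:20Z 198.51.100.20 bob FAIL",
    "2023-11-20T08:15:45Z 198.51.100.20 bob SUCCESS",
]


def detect_spray(lines, min_accounts=5, max_tries_per_account=2, min_fail_ratio=0.8):
    """Flag sources that touch many distinct accounts a few times each with a
    high failure rate; thresholds are assumptions to tune per environment.
    Returns (source_ip, distinct_accounts, failures, total, accounts_with_a_success)
    so that any successful login from a spraying source gets triaged first."""
    per_src = defaultdict(lambda: {"tries": Counter(), "ok": set(), "fail": 0})
    for line in lines:
        _ts, src, account, outcome = line.split()
        s = per_src[src]
        s["tries"][account] += 1
        if outcome == "SUCCESS":
            s["ok"].add(account)
        else:
            s["fail"] += 1
    alerts = []
    for src, s in per_src.items():
        total = sum(s["tries"].values())
        if (len(s["tries"]) >= min_accounts
                and max(s["tries"].values()) <= max_tries_per_account
                and s["fail"] / total >= min_fail_ratio):
            alerts.append((src, len(s["tries"]), s["fail"], total, sorted(s["ok"])))
    return alerts


if __name__ == "__main__":
    for src, n, fails, total, hits in detect_spray(SAMPLE_EVENTS):
        print(f"{src}: {n} accounts, {fails}/{total} failed, succeeded on {hits}")
```

The same aggregation works on identity-provider or SaaS audit exports once the four fields are mapped; the account that succeeded is the one to lock and review for MFA coverage.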

 

PoC for Fortra GoAnywhere MFT Authentication Bypass CVE-2024-0204

 

CVE-2024-0204: an authentication bypass in which an unauthorized user can create an admin user via the administration portal.

  • There is a patch released for this vulnerability (see Link 2 for more details) 

Link (1): https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/ 

Link (2): https://www.fortra.com/security/advisory/fi-2024-001 

 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 


 

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before finding his passion in Security. Roughly 20 years of that time was spent within the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. 

He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We are a trusted cyber security company in Plano, TX. 

