Cybersecurity Week in Review: 3/08/21
Posted by: GuidePoint Security
Big hacks and vulnerabilities are the central themes in this week’s news roundup. Highlights include:
- A surveillance camera attack that affected a major car maker, healthcare providers, jails, and banks
- A significant vulnerability announced this week by Apple affecting iOS, macOS, watchOS and the Safari web browser
- The continuing fallout from the massive Microsoft Exchange attack
Hackers gain access to 150K surveillance cameras
A surveillance camera maker was hacked this week, giving hackers the ability to watch live feeds from organizations such as healthcare clinics, schools, a major carmaker and police departments. Reports also indicate that the threat actors gained access to the names and email addresses of the surveillance company’s client account administrators, along with details of sales orders. The hackers referred to the attack as #OperationPanopticon.
The surveillance company is the maker of enterprise security camera systems that include a cloud-based software platform. It appears the breach occurred through exposed account admin credentials found within the surveillance company’s DevOps infrastructure.
Live footage for 150,000 cameras included:
- Staff at a hospital tackling a patient and pinning him to the bed
- Law enforcement questioning a handcuffed individual in a police station
- Live images from the Sandy Hook Elementary School in Newtown, Connecticut
- Images from the factory of a major California-based electric car maker
In addition, the hackers posted screenshots on Twitter proving they had gained root shell access to the camera systems of at least one cybersecurity provider.
The hackers behind the attack claim they intended to demonstrate the extent to which video surveillance exists and also how simple it is to breach these surveillance systems and expose sensitive footage.
Upon notice of the hack, the surveillance company indicated that they had “…disabled all internal administrator accounts to prevent any unauthorized access,” and that their “internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
For more on this story, visit these articles here and here.
Remote hacking bug affects billions of Apple devices
Last week Apple released patches for a memory-corruption bug (CVE-2021-1844) affecting its Safari web browser and its iOS, macOS, and watchOS systems. The vulnerability is considered highly severe (ranking 7.7 out of 10 on the CVSS severity scale) and could enable remote attackers to take over a system entirely.
According to Apple, the impact of the memory corruption flaw “may lead to arbitrary code execution,” through the processing of maliciously crafted web content. A security advisory further explains that “The vulnerability exists due to a boundary error when processing web content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.”
Apple device users are being urged to install updates immediately to protect against any attack associated with the bug.
You can read more on this threat here and here.
Patching panic as ransomware, APT and other attacks surge on Microsoft Exchange servers
A cybercrime feeding frenzy has ensued as criminals have rushed to take advantage of vulnerable Microsoft Exchange servers.
Over the last couple of weeks, the world has learned of four significant bugs on Microsoft Exchange servers—CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. While Microsoft issued fixes on March 2, it also stated that these zero-days had already been used in attacks. (Read GuidePoint Security’s summary of the initial Microsoft attack news.)
The fallout from the announcement of the vulnerabilities last week began in earnest as news came to light of multiple threat groups exploiting unpatched and unmitigated servers. Security researchers began observing exploit activity occurring in clusters unrelated to the original threat actors, a Chinese state-sponsored hacking group dubbed ‘Hafnium.’
Researchers indicated that as early as February 28, the Exchange flaws were being weaponized by at least ten different APT groups who appear to have learned the details of the vulnerabilities before Microsoft had issued the fixes. According to reports, it seems most of the early criminal groups were focused on espionage, although one group was linked to a crypto mining campaign.
Further complications around the Microsoft Exchange flaws arose last week with news that a functional proof-of-concept exploit for the ProxyLogon flaw (CVE-2021-26855) was publicly available, despite Microsoft’s efforts to remove the exploit details that were published on GitHub.
By the end of the week, reports surfaced that threat actors were taking full advantage of non-existent or slow mitigation activities, with attack rates doubling every two to three hours. One of the threats being distributed was ransomware known as DearCry. Detected as Ransom:Win32/DoejoCrypt.A, the attacks began around March 9 and use the ProxyLogon exploit for initial access. In at least one successful DearCry attack, cybercriminals demanded 1/3 of a bitcoin (approximately $20K as of March 12). In light of the ransomware attacks, according to an article by Brian Krebs, researchers are urgently warning Exchange users to back up any data stored on the servers immediately, regardless of whether they have patched or already been hacked.
Microsoft has issued recommended mitigations for the Exchange Server vulnerabilities, but also clearly states that “These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. We strongly recommend investigating your Exchange deployments using the hunting recommendations here to ensure that they have not been compromised. We recommend initiating an investigation in parallel with or after applying one of the following mitigation strategies. All the scripts and tools mentioned in this blog, along with guidance on using them, can be found here: https://github.com/microsoft/CSS-Exchange/blob/main/Security/.”
Final Words
The reasons why the Microsoft Exchange attack happened are numerous and complicated. It doesn’t necessarily serve any purpose to outline each and every one of the issues and challenges in detail. However, one problem that is undoubtedly affecting the ability to detect and mitigate vulnerabilities like these is the cybersecurity skills gap.
It’s no secret that organizations are desperately short on qualified, trained, and experienced cybersecurity practitioners. According to the National Initiative for Cybersecurity Education (NICE), sponsored by NIST, between 2018 and 2020, the number of unfilled cybersecurity positions grew by 62% compared to only a 29% growth in the number of actual employees working in cybersecurity. Today there are an estimated 520,000 open cybersecurity roles in the United States alone.
Closing the gap requires a collective effort and a shift in the way businesses recruit and hire cybersecurity professionals. Key recommendations include:
- Focusing less on four-year degrees and more on existing skills
- Eliminating jargon and company-specific phrases from job descriptions
- Creating career roadmaps for candidates that demonstrate how cybersecurity professionals can advance in their career
Organizations are also being encouraged to develop their existing and potentially unrecognized talent. Locating and training someone from within the ranks can often go as far as (or farther than) formal education programs that lack critical hands-on learning opportunities.
Changing the paradigm around how organizations respond to threats requires more than just the latest and greatest cybersecurity tools and employee phishing training. It requires a concerted effort by everyone in the business world to change their perspective on the necessary cybersecurity skill set and background.