Friday Five: 9/22 Edition
It's Friday! Catch up on the latest infosec news with our weekly roundup.
CCleaner, a popular PC cleanup and repair tool made by Piriform (acquired by Avast earlier this year), was recently compromised by attackers who planted a backdoor in the signed product build, bypassing the company's release checks. The results were disastrous: more than 700K computers were infected. As the story continues to evolve, we have learned that this wasn't just a widespread malware campaign but an orchestrated attack on targeted companies, with a list of 18 tech firms that included Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco. These findings came after researchers analyzed the attackers' C2 infrastructure, where the filtering and collection settings showed the server selecting victims by the domains their machines belonged to and serving a second-stage payload only to those targets. In short, the attackers used the trojanized CCleaner as a foothold and then delivered additional software from the C2 to enable cyberespionage. The shift in assessment from a broad cybercriminal campaign to a targeted espionage operation, which researchers believe to be nation-state sponsored, is significant, and Avast has confirmed that at least 8 of the 18 companies named were indeed infected. The infection is a nasty one: simply deleting the CCleaner app does not guarantee the attackers didn't install additional payloads to strengthen their foothold. The recommendation for affected machines is a full wipe and a restore from a backup taken before the compromised version was installed.
2. Homeland Security Found SEC Had Critical Cybersecurity Flaws As Far Back As January by Reuters Staff
A confidential report reviewed by Reuters revealed that the DHS detected five "critical" cybersecurity weaknesses on the SEC's computers as of 1/23/17. These flaws raise additional questions about the state of the SEC's security, especially following a 2016 incident in which hackers breached SEC systems and may have used the information for insider trading. Despite prompt patching and remediation after the 2016 hack, the SEC is still showing weaknesses, and currently ranks fourth for the most critical vulnerabilities among all civilian agencies that the DHS scans. The four agencies with the most "critical" vulnerabilities as of 1/23/17 were the Environmental Protection Agency, the Department of Health and Human Services, the General Services Administration, and the SEC. Keep in mind that it only takes one unpatched vulnerability to give an attacker an infection vector. Prioritizing patches is absolutely critical, even though updates can disrupt government systems and have to be scheduled around that risk.
Malicious apps and cybercriminals targeting Google Play have been around since Android's inception; what we are seeing now is miscreants applying the same old tricks with a high degree of effectiveness. After last week's report of more than 50 Google Play apps carrying the mobile malware ExpensiveWall, downloaded between 1M and 4.4M times, it's worth looking at how these apps got past Google Play's security scanning, which checks every submitted app for malicious behavior, known malware and other suspicious traits. The problem is that the attackers aren't using exploits to penetrate Google Play's security architecture; they are simply obfuscating their apps to defeat the scanning algorithms, and it is working. There are a couple of ways to do this. Some apps ship their malicious code packed or encrypted and don't decrypt or execute it until after installation, so a static scan of the submitted package sees nothing it recognizes. Others ship clean and later pull malicious code from a third-party source or rely on social engineering to get the user to install it. These are old tricks, but they will keep working as long as Google's review relies on scanning that obfuscation can defeat.
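To make the evasion concrete, here is an added example (not code from Check Point, Google or the ExpensiveWall authors) that shows why a store-side string or signature scan misses a payload that is only unpacked at run time, and one cheap heuristic, byte entropy, that still flags the blob. The app asset, the indicator list, the toy SHA-256 keystream packer and the 7.0 bits-per-byte threshold are all constructed for illustration.

```python
"""Added example: signature scanning vs. a run-time-unpacked payload.

Not code from Check Point, Google or the ExpensiveWall authors. The asset
bytes, indicator patterns, packer and threshold below are constructed.
"""
import hashlib
import math
import re
from collections import Counter

# Strings a naive store-side scanner might key on for premium-SMS fraud.
# Constructed indicator set, not a real signature database.
INDICATORS = [rb"sendTextMessage", rb"premium-sms\.example", rb"https?://c2\.example"]

# Constructed stand-in for an app's embedded code/asset, repeated to ~1 KiB so
# the entropy estimate is meaningful.
PLAIN_ASSET = (
    b"onClick(){ sms.sendTextMessage('7777', null, code, null, null);"
    b" register('http://c2.example/reg'); load('premium-sms.example'); }\n"
) * 8

KEY = b"constructed-demo-key"  # assumed key baked into the app


def _keystream(key: bytes, n: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream. A toy packer for the demo,
    not a recommendation for real encryption."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def pack(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream. The same call unpacks, which is what the app
    does on the device after installation, out of reach of the store scan."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def signature_scan(data: bytes) -> list:
    """Static indicator match: the check a packed payload is built to defeat."""
    return [p.decode() for p in INDICATORS if re.search(p, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Source text and bytecode sit around 4-5; compressed or
    encrypted data approaches 8, which is the tell for a packed blob."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_app(asset: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine the signature verdict with the packed-payload heuristic."""
    hits = signature_scan(asset)
    ent = shannon_entropy(asset)
    return {
        "signature_hits": hits,
        "entropy": round(ent, 2),
        "suspicious_blob": ent >= entropy_threshold,
        "flagged": bool(hits) or ent >= entropy_threshold,
    }


PACKED_ASSET = pack(PLAIN_ASSET, KEY)

if __name__ == "__main__":
    print("plain asset :", scan_app(PLAIN_ASSET))     # signature hits, low entropy
    print("packed asset:", scan_app(PACKED_ASSET))    # no hits, high entropy
    # What the device sees once the app unpacks itself after install:
    print("unpacked at run time:", signature_scan(pack(PACKED_ASSET, KEY)))
```

The plain asset trips all three indicators; the packed one trips none, which is the whole point of the technique, yet its entropy sits near 8 bits per byte and stands out against ordinary code. Entropy alone produces false positives on legitimately compressed or encrypted assets, so in practice it is a triage signal that sends the app to dynamic analysis, where the unpacked code is visible again.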
As more companies move to the cloud for storage, we've run into an issue few planned for: misconfigured cloud servers and settings are causing a steady stream of accidental data exposures. The nonprofit GDI Foundation has tracked close to 175,000 examples of misconfigured software and services in the cloud in 2017 alone. Cloud growth is rampant; Gartner estimates that public cloud services spending will reach $247 billion this year. The core problem is how easy cloud storage is to set up, combined with how little experience most teams have in hardening its access settings, which are still new and evolving. Cloud providers are taking steps to help. Amazon introduced a service called Macie, which uses machine learning to discover and classify sensitive data stored in S3 and alert on risky exposure so administrators can act quickly. However, the problem really starts with unsanctioned cloud usage inside corporations, or Shadow IT, and with companies lacking a plan that builds security and visibility into how data is accessed, stored and managed in the cloud. Cloud providers could contribute more here, for example by adding a reporting feature that flags likely Shadow IT usage, which can often be identified when an employee has purchased cloud services on a credit card rather than through normal corporate financial channels.
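Most of the exposures described above come down to two settings on an S3 bucket: a bucket policy that grants access to `Principal "*"`, and an ACL grant to the AllUsers or AuthenticatedUsers group. The following is an added example, not code from Amazon, the GDI Foundation or the article, that checks both offline and puts the weak "make it work" policy next to a corrected one. The bucket name `example-backups`, the account id `123456789012`, the role name and the ACL document are constructed; the two group URIs are AWS's real canonical group identifiers.

```python
"""Added example: offline check for world-readable S3 bucket settings.

Not code from Amazon, the GDI Foundation or the article. Bucket name, account
id, role name, policies and ACL below are constructed for illustration.
"""
import json

# AWS canonical group URIs that make a grant public (real identifiers).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Weak: anonymous read and list on the whole bucket. This is the shape of
# policy that shows up in exposure incidents (constructed).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Corrected: one named role in the owning account, read-only on objects,
# nothing for anonymous callers (constructed account id and role).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed ACL in the shape returned by GetBucketAcl: owner plus a READ
# grant to everyone on the internet.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}


def _as_list(value) -> list:
    """IAM JSON allows a scalar or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json: str) -> list:
    """Allow statements any caller can use. A Condition narrows the grant but
    the statement is still reported, since conditions are easy to get wrong."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group, permission) for every ACL grant to a public group."""
    return [
        (PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def audit_bucket(policy_json: str, acl: dict) -> dict:
    """Verdict for one bucket: public if either mechanism grants to everyone."""
    policy_findings = public_policy_statements(policy_json)
    acl_findings = public_acl_grants(acl)
    return {
        "policy_findings": policy_findings,
        "acl_findings": acl_findings,
        "public": bool(policy_findings or acl_findings),
    }


if __name__ == "__main__":
    print("weak :", audit_bucket(WEAK_POLICY, WEAK_ACL))
    print("fixed:", audit_bucket(FIXED_POLICY, {"Grants": []}))
```

In a real audit the two inputs come from `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for each bucket in the account; the point of the side-by-side is that the corrected policy names a specific principal and a specific action, so there is nothing for an anonymous caller to use, and the ACL carries only the owner grant.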
5. No one is safe from internet attacks, and A.I. defenses can't help, Google security veteran says by John Shinal
Heather Adkins, director of information security and privacy and a founding member of Google's security team, made some pointed claims at TechCrunch Disrupt 2017 this week. Among cybersecurity vendors, AI has become a buzzword most often attached to intrusion-prevention products that promise to stay a step ahead of attackers with predictive analytics and algorithms. The problem, according to Adkins, is that AI relies on machine learning to tell good from bad, which in practice produces a plethora of false positives. Adkins went further, claiming that AI is more useful for launching cyberattacks than for any form of defense. During her session, Adkins advised start-ups to assume they are potential targets and to write an incident response plan before they are breached. She also advised against putting personal information in email, since email credentials are highly coveted by attackers and you want to give them as little as possible once they have access. Finally, Adkins argued for investing in talent rather than relying on technology for cybersecurity.