Cyber Round-up

Cyber Round-up for 5th April

April 4, 2019

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • Arizona Beverages Hit by Ransomware Attack
  • Facebook Privacy Woes Continue
  • More Concerns on Huawei Security
  • Microsoft Introduce AAD Password Protection

Arizona Beverages Hit by Ransomware Attack

Arizona Beverages, a large US-based beverage supplier, has this week been recovering from a devastating ransomware attack that left the company unable to operate for several days.

Two weeks on from the initial infection, they are still not back to a fully restored service, although their sales operation is now up and running.

It is believed that the infection was the iEncrypt ransomware, a possible variant of BitPaymer, which resulted in over 200 Windows-based servers, PCs and laptops having their data encrypted, rendering them useless.

Although not confirmed, it is understood that the initial infection was introduced through a malicious email attachment and, like BitPaymer, it is highly likely that this was delivered using the Emotet trojan.

Once the infection was detected, AB staff were instructed that their computers could be compromised and that they should not power on their devices, copy files or connect to the network.

As there is no known decryption tool for iEncrypt, AB had limited options for recovering from the attack, and this got significantly worse when, 24 hours later, IT staff found that the backup solution had been misconfigured and could not be used to restore the service.

It is believed that Arizona Beverages lost millions of dollars per day in lost sales while they were down.

Several big mistakes appear to have been made leading up to and during this attack:

  • Servers and operating systems were running out-of-date, unsupported software versions.
  • They were lacking an effective patch management process, with most devices not having been patched for some time.
  • A robust incident response process was not in place, and the company took nearly a week to call in incident response experts from Cisco to assist with the attack investigation and recovery.
  • Backups and restores were never tested or verified as successful, resulting in a failure to restore after the attack.

The true depth of the damage caused may not be known for some time, but we encourage organisations to learn from the mistakes of others. Be prepared so you can effectively protect and react in the event that you become the victim.

Read more on TechCrunch….

Facebook Privacy Woes Continue

In the last couple of years Facebook have been taking a lot of stick due to numerous screw-ups with data privacy and security. It has gotten no better for them this week, as they were hit with a double whammy of privacy concerns.

The first and biggest screw-up came in the form of another data breach; this time 540 million Facebook users’ records have been left exposed online by a third-party developer.

Researchers at UpGuard discovered the breach, which was caused by a third-party media company called Cultura Colectiva, after they left the records available and unsecured in Amazon S3 buckets.

Amazon S3, short for Simple Storage Service, is commonly used by developers as an easy way to store and retrieve data. Unfortunately, with no authentication required on these S3 buckets, the data was freely accessible to anyone on the internet.
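The exposure above comes down to a bucket that allows anonymous reads. As an added illustration (not code from the article or from UpGuard), the function below inspects an S3 bucket policy document and reports every statement that lets an anonymous principal read or list objects; both sample policies are constructed for this example.

```python
import json

# Constructed sample policies (not the policies from the breach).
# PUBLIC_POLICY grants anonymous read and list on every object: the kind of
# misconfiguration that leaves records open to anyone on the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-records-bucket/*",
                     "arn:aws:s3:::example-records-bucket"],
    }],
})
# PRIVATE_POLICY grants read only to one named IAM role (example account id).
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _is_anonymous(principal):
    """True if the Principal is the wildcard, i.e. anyone, signed in or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_read_grants(policy_json):
    """Return (Sid, action, has_condition) for each Allow statement that lets
    anonymous callers read or list the bucket. A Condition may narrow the grant
    (e.g. to one source VPC), so it is reported for review, not accepted."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "s3:*") or action.lower().startswith(("s3:get", "s3:list")):
                findings.append((stmt.get("Sid", ""), action, "Condition" in stmt))
    return findings
```

Bucket ACLs and the account-level Block Public Access settings also govern exposure, so this check covers only the policy document.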

The exposed data contained Facebook account information that included names, email addresses, Facebook IDs, photos, check-ins, friend lists, interests and more.

This might at least take the heat off the Cambridge Analytica issue: with data of only 87 million users shared with the third party, it pales in comparison to this new breach of privacy.

It doesn’t end there though: Facebook are now asking users for their email account password to continue using the service. This has obviously raised more than a few eyebrows across the security industry. The message states:

“To continue using Facebook, you’ll need to confirm your email address. Because you signed up with [email address], you can do that automatically …”

By doing this you are basically giving Facebook access to your email account, which they should not be asking for. Facebook have stated that this information is not stored, but in light of their many other issues in this area, can they be trusted?

Facebook have apparently acknowledged that this is not the right thing to do:

“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,”

There is no legitimate reason for them to require your email account password. So if you see this message, our advice is not to enter your details and to refrain from using Facebook until they remove this.

Read More on grahamcluley.com & The Daily Beast ….

More Concerns on Huawei Security

Like Facebook, the Chinese tech and telecoms giant Huawei are only too familiar with concerns over the security and privacy of their products. It’s been a standing concern among western governments that Huawei products may not be safe, due to the possibility of Chinese government involvement and the potential for backdoors in their products that could be used for espionage and infiltration.

These concerns may have been realised to some extent this week, with reports of a flaw, discovered by Microsoft researchers, in Huawei MateBook laptops.

A sophisticated flaw appears to have been inserted during the manufacturing of the products that would allow an attacker not only to spy on the machine and its user, but also to take full control of the target computer.

It is understood that this flaw may be linked to the NSA’s DoublePulsar backdoor that was leaked by the Shadow Brokers back in 2017, although it is unclear at what point in the manufacturing process this exploit was introduced.

According to the BBC there are no signs that Huawei have done anything malicious, and there is a possibility that this could have occurred upstream in the supply chain.

Huawei are a big player in the new 5G network infrastructure and services, where there has been equal concern, and unfortunately incidents such as this will not help their case with convincing governments that their products are indeed safe to use.

Read more on BBC ….

Microsoft Introduce AAD Password Protection

Since last year Microsoft have been working on improved mechanisms for password security, and after running a preview release, Azure Active Directory Password Protection is now generally available for Azure AD Premium subscribers.

AAD Password Protection gives administrators the ability to add an additional layer of security for users of Microsoft cloud and hybrid environments, by preventing them from setting poor passwords that may be easy to guess or have been found in known data breaches.

This new feature will make it easier for organisations to ensure users are creating better passwords, and significantly harder for malicious actors to launch successful password spray attacks against their users and systems.

This new feature can protect accounts in Azure AD and in hybrid on-premises Windows Server Active Directory deployments. It uses a banned list of 500 of the most common passwords, a banned password algorithm and a custom password blacklist that can be controlled by the organisation’s administrators.

As with all elements of security, things can change very quickly, and it’s no different here. Microsoft’s security research and analysis teams ensure that any changes or additions to this feature and its lists are constantly updated as they become available.

In the event that users try to configure a banned password, they will be presented with the following error message:

"Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password."
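To show how a global banned list, a custom blacklist and a normalising match fit together, here is an illustrative checker added for this round-up; it is not Microsoft’s implementation, and the lists, substitution table and scoring threshold are constructed stand-ins for the feature described above.

```python
import unicodedata

# Constructed stand-ins for the lists the feature uses: a few globally banned
# terms (Microsoft's list holds many more) and a tenant-specific custom list.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "iloveyou"}
CUSTOM_BANNED = {"ironshare", "arizona"}

# Error text quoted in the article.
ERROR_MESSAGE = ("Unfortunately, your password contains a word, phrase, or pattern "
                 "that makes your password easily guessable. Please try again with "
                 "a different password.")

# Look-alike substitutions that add no real strength (assumed set).
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(password):
    """Fold case and undo look-alike substitutions so 'P@ssw0rd' matches 'password'."""
    return unicodedata.normalize("NFKC", password).lower().translate(_SUBS)

def check_password(password, custom_banned=CUSTOM_BANNED, min_score=5):
    """Return (accepted, score, matched_terms, message).

    Scoring (an illustration, not Microsoft's exact rules): each banned term found
    as a substring of the normalized password scores one point and is removed;
    each remaining character scores one point. Below min_score is rejected.
    """
    remaining = normalize(password)
    matched = []
    # Longest terms first so 'password' wins over any shorter overlapping term.
    for term in sorted(GLOBAL_BANNED | set(custom_banned), key=len, reverse=True):
        if term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "")
    score = len(matched) + len(remaining)
    accepted = score >= min_score
    return accepted, score, matched, "" if accepted else ERROR_MESSAGE
```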

This is a great step forward for Microsoft cloud users, and we recommend that organisations take steps to include this as another layer of security.

Read more on Bleeping Computer ….

And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #35 – 5th April 2019

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Ironshare is a provider of Information and Cyber Security services.