Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Data Loss. Show all posts

Faulty Upgrade at Cloudflare Results in User Data Loss

 

Cloudflare has disclosed a severe vulnerability with its logging-as-a-service platform, Cloudflare Logs, which resulted in user data loss due to an improper software update. The US-based connectivity cloud firm acknowledged that around 55% of log data generated over a 3.5-hour period on November 14, 2024, was permanently wiped out. This loss was caused by a succession of technical misconfigurations and system failures. 

Cloudflare logs collects event metadata from Cloudflare's global network and makes it available to customers for troubleshooting, compliance, and analytics. To speed up log delivery and avoid overloading users, the organisation uses Logpush, a system that collects and transmits data in manageable sums. An update to Logpush caused a series of system failures, disrupting services and resulting in data loss. 

The incident started with a configuration upgrade to enable support for an additional dataset in Logpush. A defect in the configuration generation system resulted in Logfwdr, a component responsible for forwarding logs, receiving an empty configuration. This error informed Logfwdr that no logs needed to be delivered. Cloudflare discovered the bug within minutes and reverted the update. 

However, rolling back the update triggered a separate, pre-existing issue in Logfwdr. This flaw, which was linked to a fail-safe technique designed to "fail open" in the event of configuration mistakes, caused Logfwdr to process and attempt to transmit logs for all customers, not just those with active setups. 

The unexpected rise in log processing overloaded Buftee, Cloudflare's log buffering system. Buftee is intended to keep distinct buffers for each customer to ensure data integrity and prevent interference between log operations. Under typical circumstances, Buftee manages millions of buffers worldwide. The large influx of data caused by the Logfwdr mistake boosted buffer demand by fortyfold, exceeding Buftee's capacity and rendering the system unresponsive. 

According to Cloudflare, addressing the issue needed a complete system reset and several hours of recovery time. During this time, the company was unable to transfer or recover the affected logs, which resulted in permanent data loss.

Cloudflare attributed the incident to flaws in its system security and configuration processes. While systems for dealing with such issues existed, they were not set up to handle such a large-scale failure. Buftee, for example, offers capabilities designed to handle unexpected surges in buffer demand, but these functions were not enabled, leaving the system vulnerable to overflow.

The company also stated that the fail-open mechanism in Logfwdr, which was established during the service's early development, has not been updated to match the much bigger user base and traffic levels. This error enabled the system to send logs for all clients, resulting in a resource spike that exceeded operational constraints. 

Cloudflare has apologised for the disruption and pledged to prevent similar instances in the future. The company is implementing new alerts to better detect configuration issues, improving its failover procedures to manage larger-scale failures, and doing simulations to verify system resilience under overload scenarios. 

Furthermore, Cloudflare is improving its logging design so that individual system components can better withstand cascading failures. While faults in complex systems are unavoidable, the company's priority is to minimise their impact and ensure that services recover fast. 

Last month, Cloudflare claimed successfully managing the largest recorded distributed denial-of-service (DDoS) assault, which reached 3.8 terabits per second (Tbps). The attack was part of a larger campaign aimed at industries such as internet services, finance, and telecommunications. The campaign consisted of over 100 hyper-volumetric DDoS attacks carried out over the course of a month, overwhelming network infrastructure with massive amounts of data.

Google Workspace Unveils AI-Powered Security

 

Google LLC announced today a set of new artificial intelligence-powered cyber defence controls, the majority of which will be deployed to its Workspace cloud platform later this year. Data loss prevention, often known as DLP, and data privacy controls are among the topics that are covered. 

Many of these involve a series of automated updates that use Google Drive's AI engine to continuously analyse data input. Administrators for Google's Workspace, which the company claims is used by 9 million organisations, can establish incredibly specific context-aware policy controls, such as looking for certain device locations. 

The DLP technology has already been available in Google services such as Chat and Chrome browsers, and it will be extended to Gmail later this year. The purpose is to assist business information technology managers in defending against phishing scams that may steal data and account information. 

Another set of features includes upgrades to Sovereign Controls in Workspace, which Google introduced last year. These include providing client-side encryption to mobile versions of Google Calendar, Gmail, and Meet to prevent third-party data access. 

,Another feature allows users to browse, modify, or convert Microsoft Excel files into GSheets. In addition, Google is collaborating with Thales SA, Stormshield, and Flowcrypt to keep encryption keys in their own repositories. Google has not and will not store any of the encryption keys on its own servers. 

A last set of tools can be used to combat phishing and other attacks. Many Workspace account administrators may need to set up additional authorisation factors for their accounts later this year. According to Google, it will begin with its top resellers and enterprise customers. It will also demand multiparty approvals for specific high-risk actions, such as updating authentication settings, later this year. 

Finally, the company said that clients will be able to integrate their Workspace activity and alert logs into Chronicle, Google's threat data ingestion and anomaly detection service. For example, Andy Wen, director of product management for Google Workspace, stated during a press conference that a bad actor could see the following two events: a search for active cryptocurrency wallets followed by the creation of a mail forwarding rule to an external account. This situation could be flagged as suspicious by Chronicle for further examination.

Akira Ransomware Unleashes a New Wave of Attacks via Compromised Cisco VPNs

 


The Cisco Network Security Division is aware of reports suggesting that malicious individuals are infiltrating organizations through Cisco VPNs that are not configured for multi-factor authentication with the Akira ransomware threat. In some instances, threat actors are targeting organizations that do not configure multi-factor authentication for their VPN users. Some instances have been observed where threat actors are targeting organizations that are not doing so. 

It has been verified by several cybersecurity firms that Cisco VPN products are being targeted with ransomware, and there are reports that the perpetrators are members of a relatively new gang known as Akira who have perpetrated the attack. 

Typically, this ransomware campaign is targeted at corporate entities to gain sensitive information about them and make money through charging ransoms as a means of obtaining this sensitive information. All members of Akira have to do to access their accounts is to log in to the VPN service by using their Akira account details. 

As part of Cisco's investigation of similar attack tactics, the company has actively collaborated with Rapid7. Thanks to Rapid7 for providing Cisco with a valuable collaboration over the last few months. To provide secure, encrypted data transmission between users and corporate networks, Cisco VPN solutions are widely adopted across a wide range of industries, primarily by employees who work remotely and rely on these solutions to do so. 

The Akira Ransomware Attack 


As of March 2023, there have been multiple instances of the Akira ransomware. To attack VMware ESXi servers, the group developed an encryptor for Linux that, like many other ransomware gangs, targets this server type.

If the ransom demands are not met, the threat actors responsible for the Akira ransomware will employ a variety of extortion strategies and they will run a website using the Tor network (with an IP address ending in .onion) that lists victims and the information they have stolen from them. To begin negotiations, victims are instructed to contact the attackers via a TOR-based website, through a unique identifier provided in the ransom message, that can be used to contact them. 

It was first discovered by Sophos researchers in May that the ransomware gang was abusing VPN accounts to breach a network with the use of "VPN access using Single Factor authentication." A person known as 'Aura', who responded to multiple Akira attacks as part of the Akira operation, shared on Twitter further information about how he and other incident responders dealt with incidents that were carried out using Cisco VPN accounts that were not protected by multi-factor authentication. 

Akira is a malicious program that targets not only corporations but also educational institutions, real estate, healthcare, manufacturing, as well as the financial sector. As part of its encryption capabilities, the Linux versions of Akira ransomware make use of the Crypto++ library to enable the encryption process on the target device. Akira offers only a limited number of commands, but there are no options to shut down VMs before encrypting them using Akira. 

With the -n parameter of the command, there is still the possibility of the attacker modifying the encryption speed and the chance that the victim's data can be recovered. Consequently, if the encryption speed is high, there is a slim chance that the victim who is hiding the data will be able to recover it with the help of a decryption tool. 

The first indication of Akira's activities was picked up by a cybersecurity firm based in the US in March 2023, called Arctic Wolf. Their research shows that small and medium-sized businesses worldwide have been the main target of attackers and that they have paid particular attention to the US and Canada in particular. Akira, as well as Conti's operators, have also been linked between the researchers. 

There was a recent report from the SentinelOne WatchTower, shared privately with BleepingComputer, that looked at the same attack method and speculated that Akira may have exploited a newly discovered vulnerability in Cisco VPN software that may be able to bypass authentication in the absence of the multi-factor authentication mechanism. 

In leaked data posted on the Akira group's extortion page, SentinelOne found evidence that the ransomware group used Cisco VPN gateways. At least eight instances were observed that displayed Cisco VPN-related characteristics, which shows that the ransomware gang is continuing to use Cisco VPN gateways as part of their ongoing extortion scheme. 

Implementing VPNs Without MFA


As a general rule, when an attacker tries to target VPNs or any other type of network services or applications, the first stage of their attack is to exploit an exposed service or application. In many cases, attackers focus on the fact that there is no multi-factor authentication (MFA) or there is a known vulnerability in VPN software in the form of software that has multi-factor authentication. 

Once the attackers have gained access to a target network, they attempt to breach the network using LSASS dumps (Local Security Authority Subsystem Service) to obtain credentials that will enable them to move further within the network and raise privileges if necessary. 

There have also been reports that this group has been using other tools, such as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, or creating minidump files, to gather further intelligence about or pivot within the target network, as well as using other tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf tools (COTS). 

Moreover, SentinelOne researchers observed that Akira operators maintained access to compromised networks by using the legitimate open-source remote access tool RustDesk which works similarly to RustDesk. It has been announced that cybersecurity company Avast has released a free decryptor that can be used by victims of the Akira ransomware to restore their valuable data without having to pay a ransom.

It was decided by the threat actors to encrypt their encryptors by patching them. By doing so, they would prevent victims from using them to recover data that was encrypted by the newer version of the encryption. Business users prefer Cisco VPN products due to their reliability and ease of use. 

Data transmission between networks/users can be made more secure with this technique, which is relied upon by organizations. Those who work in a hybrid or remote environment are expected to comply with it as a matter of course. That is why there might be a desire on the part of threat actors to exploit the vulnerability. Data loss and computer extortion attempts from ransomware operators can be prevented by organizations remaining vigilant and ensuring foolproof digital security measures.

Protect Yourself from Healthcare Cyber Risks

 

It has become increasingly apparent in the past few years that technology has played a significant role to assist hospitals and patients in managing their interactions. This is at a time when healthcare systems are stretched to their limits. HMIS has been concerned with the issue of cyber security for quite some time. The use of Health information technology (HIT) in hospitals has made it possible for them to synchronize patient information safely and securely. 

Cyberattacks are no longer a thing of the past for organizations. A resilient business with superior risk management separates it from a data breach business.  

Many techniques can be used to ensure resilience, including meticulous calculations of all potential risks and implementing control measures to mitigate them if necessary. As a result of healthcare cybersecurity, services that protect patients' data and privacy from cyber threats and attacks are being adopted by healthcare organizations around the globe. 

A crucial factor for the success of healthcare is the safety of patient information, which means that all stakeholders must take every precaution to ensure that patient information remains sensitive. There is no doubt that healthcare cybersecurity threats extend internally and externally, which is why it is imperative to realize this. 

There has been a rapid evolution of hacking tactics used to exploit population fears. This was done to use the panic during the pandemic. Keeping up with the ever-evolving threats, especially in the healthcare sector, is made possible by cybersecurity best practices. 

The absence of a secure cybersecurity framework invites unwanted cyber threats, which can put the hospital and its patients at risk in terms of both financial and clinical risks. Cyber frauds, malware and ransomware attacks, phishing attacks, and other cyber scams are a few of the most common threats facing the healthcare industry. 

A Review of Common Health Cyber Risks 

As part of the healthcare system, hospitals also store patient health records that contain sensitive information. 

In addition, they received a large payment from the company. A cybercriminal who wants to steal money from a patient's account is eager to obtain payment details from the patient's account. They use them for identity theft and financial fraud, which enables them to steal money from the patient. 

Fraudulent emails 

As the name suggests, phishing refers to a process in which a threat actor appears as a legitimate entity or individual. This can trick you into divulging confidential data to them. To get access to your network, the attacker manipulates you into opening malicious content downloaded to your computer, tricking you into giving them access to your network by clicking on the content. When this type of writing is done, it will usually evoke the fear of missing out (FOMO) and a sense of urgency.

Healthcare organizations likely receive a tremendous amount of emails and messages since they cater to the public. There are many ways threat actors can pose as prospective patients or business partners to launch phishing attacks against them. 

Attacks by ransomware

It is well known that ransomware encrypts your computer and locks you out of your network in an attempt to take control of the system. They intend to encrypt your files in a way that makes them inaccessible without the key to decrypt them. You will then be asked to pay them a ransom to regain access to your system.

Because healthcare organizations possess ransomware-sensitive data, they are prone to ransomware attacks. In most cases, attackers would prefer to pay up than allow their confidential information to be compromised or exposed. 

Increasing Supply Chain Vulnerability

Attacks on supply chains may come from any one of the multiple areas that are part of and contribute to it. Health insurance companies work with a wide range of suppliers and partners who provide them with products and services that enable them to operate effectively. Several third parties have been granted authorization access to their network so that they can make their operations seamless. 

Health organizations can do one of the most important things to stay on top of these threats. Getting your healthcare system's cybersecurity up to speed is essential if you want to ensure its integrity.

1. Staff Cyber Security Training

A robust technical control system can make it much more challenging for unauthorized people to gain access to your systems which is why it is beneficial to put in place such controls. Social engineers circumvent system safeguards by using phishing and spoofing. These tactics take advantage of users' lack of security awareness. All employees are required to undergo cybersecurity training so they know what to do to prevent data loss or theft. 

2. User Access Controlled 

Hackers are often pictured congregating in dark underground rooms and huddled close together when hacking. 

Your systems are constantly penetrated and decrypted to compromise your privacy. There are, however, some exceptions to this rule, such as most successful attacks coming through a system's front door i.e. by attempting to access the system through an authenticated user account. You need to define the different roles each employee within your organization plays. This will enable you to create a system access control policy that is feasible to implement within your organization. This information should already be available in the human resources department.

3. A Depth Approach to Security 

A security software maker cannot guarantee 100 percent that their application will prevent hacks with their application for the duration of its use. There are several levels of security that you need to have, and that's why you need them. Getting around one will not give an attacker access to your data, even if they manage to circumvent one successfully. There are several security measures you can take to keep intruders out of your network. These measures include a firewall, an anti-virus program, and a whitelist of approved applications. 

Since this is the same as the different forms of security you might install in your own home, it does not seem a big deal that there are different types of security. Lighting, door locks, alarms, security cameras, guard dogs, and security guards are some of them that can be installed to improve security around homes.

4. Recovery of Lost Data 

Among the reasons why cyberattacks are carried out is the theft of personal data, which is a common occurrence. An infection caused by a virus as well as a DDoS attack can cause disruptions to your work. While DDoS attacks and malware infections have the potential to corrupt your data and render it unusable, they aren't likely to overtly steal information. The loss of your data is much more devastating than having it accessed unauthorized by someone else. As with hackers gaining access to patient data, it can not only damage your reputation, but it can also cripple your operations to the extent that it can bring down your entire company and public image.

Sainsbury's Payroll Provider Targeted in a Cyber Attack

 

Sainsbury’s payroll system provider, US-based Kronos, has been hit by a cyber-attack, impacting nearly 150,000 employees.

The Mirror reported that Kronos was targeted on Saturday last week, which caused the supermarket to lose a week’s worth of data. However, despite the data loss, Sainsbury has promised that its 150,000 employees would be paid before Christmas. 

Sainsbury's is among leading firms in the UK and US and relies on Kronos to log, store and process the 'hours' employees have worked on their systems to calculate their monthly payments. Following the cyber-attack, multiple departments involved in payroll including payroll, human resources (HR), and accounting are now using historical data to ensure workers are paid the correct amount, including the overtime that is common during the festive season. 

A Sainsbury's spokeswoman said: "We're in close contact with Kronos while they investigate a systems issue. In the meantime, we have contingencies in place to make sure our colleagues continue to receive their pay." 

Kronos, run by the Ultimate Kronos Group (UKG) company, from Massachusetts, supplies a range of cloud payroll services, including an automated payment system used by firms around the globe. The payroll provider has announced that some of its services will be offline for weeks following the ransomware attack. 

The sector which is severely affected by the UKG ransomware attack within public finance is healthcare, where Kronos’ payroll and workforce solutions systems have been popular. The ransomware attack should not affect clinical outcomes or add meaningful costs, except for some added expenses activating contingencies to track hours and pay employees.

According to CNN, many sectors have shifted to paper checks, while others are still finding ways to access their payroll systems. In most cases, however, the offline Kronos timesheet system is still working and firms can keep using it for the time being.

“Data is no longer a commodity, it’s a currency — as this incident represents. Information within an organization’s network is valuable to both businesses and attackers. With a majority of the world’s data residing in the cloud, it is imperative that organizations become cloud-native when thinking about data protection,” Amit Shaked, Co-Founder & CEO of Laminar, stated.