Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label IT Service. Show all posts

Hackers Exploit Security Flaws to Access Millions of UK Voters' Details

 


The UK's data privacy watchdog has found that the personal details of millions of UK voters were left exposed to hackers due to poor security practices at the Electoral Commission. The breach occurred because passwords were not changed regularly and software updates were not applied.

The cyber-attack began in August 2021 when hackers gained access to the Electoral Registers, containing details of millions of voters, including those not publicly available. The Information Commissioner's Office (ICO) has formally reprimanded the Electoral Commission for this security lapse. The Electoral Commission expressed regret over the insufficient protections and stated that they have since improved their security systems and processes.

No Evidence of Data Misuse

Although the investigation did not find any evidence of personal data misuse or direct harm caused by the attack, the ICO revealed that hackers had access to the Electoral Commission's systems for over a year. The breach was discovered only after an employee reported spam emails being sent from the commission's email server, and the hackers were eventually removed in 2022.

Accusations and Denials

The UK government has accused China of being behind the attack on the Electoral Commission. However, the Chinese embassy has dismissed these claims as "malicious slander."

Basic Security Failures

The ICO’s investigation surfaced that the Electoral Commission failed to implement adequate security measures to protect the personal information it held. Hackers exploited known security weaknesses in the commission's software, which had not been updated despite patches being available for months. Additionally, the commission did not have a policy to ensure employees used secure passwords, with 178 active email accounts still using default or easily guessable passwords set by the IT service desk.

Preventable Breach

ICO deputy commissioner Stephen Bonner emphasised that the data breach could likely have been prevented if the Electoral Commission had taken basic security steps. By not promptly installing the latest security updates, the commission's systems were left vulnerable to hackers.

This incident serves as a striking reminder of the importance of regular software updates and strong password policies to protect sensitive data from cyber-attacks.


Guarding the Gate: How to Thwart Initial Access Brokers' Intrusions

 


The term "Access-as-a-service" (AaaS) refers to a new business model in the underground world of cybercrime in which threat actors sell one-time methods to gain access to networks to infiltrate networks for as little as one dollar. 

One group of criminals, which are known as access brokers, initial access brokers, and initial access traders (IABs), are stealing credentials of enterprise users and selling them to other groups of attackers. There are also encryption tools that can be used by these buyers to secretly exfiltrate your personal information from the target organization using malware-as-a-service (MaaS) or ransomware-as-a-service (RaaS). 

Cybercrime-as-a-service (CaaS) is a growing trend that is increasingly being used as a platform for committing crimes. A significant portion of the evolution of ransomware attacks over the last decade has taken place at both the technological level and organizational level as threat actors have attempted to expand the scope and profitability of their operations. 

A pivotal factor behind the widespread increase in the frequency and complexity of ransomware attacks can be attributed to the provision of ransomware as a service (RaaS). RaaS, which operates much like SaaS, and involves the creation of ransomware capabilities and selling or leasing them to buyers, has lowered the barrier to entry for the extortion business and provided a simpler and more accessible model. 

There are now a number of operators working together in unison to orchestrate the attacks in order to achieve the goal, including Users, Affiliates, and Initial Access Brokers, who act as a cohesive team. According to the recent report, "Rise of Initial Access Brokers", these intermediaries, which are the first to get access to cyberattack victims, are playing a key role at the top of the kill-chain funnel of cyberattacks. 

An independent analysis bureau (IAB) can be defined as a de facto intermediary whose business model is exactly what their name suggests: they breach the networks of as many companies as they are able to. Upon accessing victims, they then sell to the highest bidders at the highest prices. There is a tendency for ransomware groups to buy the ransomware from the buyers. 

A growing number of independent advisory boards have been formed recently mainly as a result of the pandemic and the ensuing migration to work from home. As a result of workers log in remotely and connecting to untrustworthy Wi-Fi networks, untrustworthy Wi-Fi networks can be exploited to allow attackers to gain access to systems.

There is a growing trend among cybercriminals of scanning at scale for vulnerabilities that will allow them to access remote systems, such as virtual private networks (VPNs) and selling this access to their victims. Once the details of a vulnerability are made public, the Information Assurance Business deploys info stealers to gather keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, and clipboard material from the compromised device as soon as the details are made public. 

As soon as an information stealer is installed in an organization or system, a remote access Trojan (RAT) will begin to collect raw log files to log information. As a result, these logs are manually reviewed to identify usernames and passwords that may be used to sell or monetize identities on the Dark Web. This means that IABs are seeking login credentials to access virtual private networks (VPNs), remote desktop protocols (RDPs), Web applications, and email servers that will aid in the recruitment of spear phishing scammers and potential business email compromise schemes. Occasionally, some brokers have direct contact with system administrators or end users who may be willing to sell access to their systems directly through them. 

Threat groups have been advertising (on the Dark Web) in recent months for administrators and end users who are willing to share their credentials with them in exchange for large amounts of cryptocurrency in exchange for sharing credentials for a few minutes. 

Threat groups have contacted employees from specific organizations to obtain access to their systems in exchange for larger payments. It is safe to say that initial access brokers have taken the spotlight in the past year because they have demonstrated a significant ability to facilitate network intrusions by ransomware affiliates and operators, and they have been very successful at it. As the cybercrime underground ecosystem becomes more active and popular, these initial access brokers ("IABs") will continue to gain popularity as the cybercrime underground ecosystem grows. 

A Guide to Defending Against Access Brokers 


Users should identify their attack surface and develop a plan to address it, to close security gaps, security teams must gain an outside-in perspective on their entire enterprise attack surface. Empower user security teams to map their assets, visualize attack paths, and define plans to address them so that they can close the gaps.  

Identity protection should be considered a priority, today, plenty of malware-free attacks, social engineering, and similar attempts have been made to steal and use credentials, making it crucial that strong identity protection is implemented. Employees need to be taught about social media, not just how to use it. 

Avoid announcing department closures or IT service changes on social media, and remind them to refrain from sharing private information on social media. Users should train their staff not to share credentials over support calls, emails, or support tickets. 

Finally, users should avoid publishing executive or IT contact information on their company's website — it might facilitate impersonation attempts on their behalf. 

To protect the cloud, a strong cloud protection strategy is required. There have been increasing attacks on cloud infrastructure and attackers have been employing a variety of tactics, techniques, and procedures to compromise cloud-based data and applications that are critical to businesses. 

The role of IABs in the realm of RaaS (Ransomware-as-a-Service) is continuously evolving. By understanding and keeping up with their shifting tactics, methods, and trends, organizations can better prepare themselves to effectively mitigate the risk and impact of ransomware attacks. As IABs continually remodel and refine their strategies, it becomes increasingly crucial for organizations to adopt and implement robust security measures. 

Strengthening the security of the supply chain, implementing multi-factor authentication across all systems and platforms, deploying advanced threat-hunting solutions to proactively detect and prevent attacks, and conducting regular and comprehensive training sessions for employees are key steps that organizations should take to effectively mitigate the growing threat posed by IABs.

SysAid Ransomware: Unveiling the Zero-Day Menace

A zero-day ransomware attack has recently been reported on, affecting SysAid, a well-known provider of IT service management and help desk services. The cybersecurity community has been shaken by the occurrence, which has prompted swift response and a careful examination of the scope and nature of the intrusion.

The attack, orchestrated by the infamous hacking group known as 'Lace Tempest,' leveraged a zero-day vulnerability in SysAid's on-premise software. This vulnerability allowed the attackers to exploit weaknesses in the system, gaining unauthorized access and compromising sensitive information. The severity of the situation has been highlighted by cybersecurity experts, as SysAid plays a crucial role in managing IT services for numerous organizations.

The zero-day ransomware attack was first brought to light by cybersecurity researchers who discovered the breach and reported it on various platforms, including Dark Reading. According to the information provided, the attackers targeted SysAid's software, exposing a vulnerability that was promptly exploited for unauthorized access and data compromise.

SysAid has acknowledged the security breach and has released a notification regarding the on-premise software security vulnerability on its official blog. The company is actively working to address the issue and has urged its users to take immediate action by applying patches and updates to mitigate the risk of exploitation. The urgency is further emphasized by the fact that the vulnerability has already been exploited by Lace Tempest, as reported by cybersecurity firm Profero.

The CVE-2023-47246 SysAid zero-day vulnerability is being keenly watched by security researchers, and Rapid7 has published a thorough blog post breaking down the details. The article highlights how crucial it is for businesses to continue being watchful and proactive in protecting their IT infrastructure while also shedding light on the technical underpinnings of the attack.

Organizations that depend on SysAid's services are urged to keep up with the latest developments during the investigation and to swiftly put recommended security measures into place. The SysAid security incident highlights the necessity of ongoing awareness and strong cybersecurity procedures in today's digital environment by serving as a sobering reminder of the sophisticated and ever-evolving nature of cyber threats.

Five Eyes Agencies Warn Managed Service Providers of Cyber Attacks

 

The Five Eyes alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand, and Canada last week published a joint advisory warning of threats targeting managed service providers (MSPs) and their customers. 

The advisory recommends customers of MSPs in the member nations on how to guard sensitive details and reassess security posture and contractual agreements with their service providers based on individual risk tolerance. MSPs are a prime target for cybercriminals and nation-state actors–because attacking an MSP can lead to additional downstream victims (as we witnessed with Kaseya and the SolarWinds assaults.)

"As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," Jen Easterly, director of US's Cybersecurity and Infrastructure Security Agency (CISA) stated. 

"We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain," she added. 

The alert is the result of a collaborative effort among the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation in the U.S.; the National Cyber Security Centers in the United Kingdom and New Zealand; the Australian Cyber Security Center; and the Canadian Center for Cyber Security. 

Mitigation tips 

In the advisory issued on the second day of the NCSC's Cyber UK conference, where several senior figures from the cybersecurity agencies have met to discuss the issue of global cyber threats, the authorities recommend that MSP customers ensure that their MSPs implement the following measures and controls: 

• To counter initial assault, enhance the security of vulnerable devices, protect internet-facing services and defend against brute-force and phishing attacks. 
• Improve monitoring and logging processes for the delivery infrastructure activities used to provide services to the customer. 
• Enable multifactor authentication across all customer services and products. 
• Periodically erase obsolete accounts and infrastructure and apply updates to the infrastructure whenever available and necessary. 
• Develop incident response and recovery plans. 
• Understand and proactively manage supply chain risk. 
• Adopt transparent processes and, at the same time, manage account authentication and authorization.