There’s no shortage of cyber news making the headlines, but what does it mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Australian firm unlocks iPhone
Amid the continuing controversy in Australia surrounding Government-mandated backdoors, it appears the United States is taking a different approach.
It was revealed that the FBI approached a small Australian hacking firm, Azimuth Security, to help it access an Apple iPhone belonging to one of the terrorists responsible for the murder of 14 people in San Bernardino, California, in December 2015.
It is understood that Azimuth Security engages in “white hat” penetration testing. It agrees to disclose vulnerabilities it identifies to democratic governments for a fee.
The choice to turn to Azimuth Security came after the FBI sought a court order compelling Apple to install backdoors into iPhones, so intelligence could be gathered on terrorist activities. Apple resisted the FBI’s demands on the grounds that backdoors would fundamentally weaken iPhone security.
Rather than persist with their demands, it has now emerged that the FBI changed tack and sought the assistance of Azimuth Security.
By revealing a way to access this terrorist’s iPhone, Azimuth Security effectively provided the FBI with an alternative to demanding that Apple install a backdoor. Apple is freed from having to take actions that would have undermined iPhone security.
The case does, however, raise questions about whether penetration testers should, as a first priority, notify vendors whenever they uncover vulnerabilities, or whether national security and public safety considerations should take precedence.
Supply chain vulnerabilities
Fresh off the back of the SolarWinds compromise comes another supply chain attack. This time the target was Codecov, a firm which provides tools and services to check how well software tests are covering code under development in continuous integration (CI) workflows.
Developers discovered a backdoor in the Codecov Bash Uploader tool, which is used by many organisations and open-source projects as part of their testing processes.
Codecov said the breach allowed the attackers to export all the data stored in its users’ CI environments by modifying a command-line upload tool. Of deep concern is the extent of the compromised data, which included user credentials, software tokens and keys, any data that could be accessed with those keys, and the remote repository information.
This compromised data was then sent to a third-party server outside of Codecov’s infrastructure.
It is believed the backdoors may have been there for up to four months, with the company reporting periodic, unauthorised access to its Google Cloud Storage (GCS) key beginning January 31, 2021.
Codecov strongly recommends affected users immediately re-roll all credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.
Any of the 29,000 organisations that use Codecov are advised to start scanning logs for unusual activity from the end of January to the beginning of April.
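To scope the credential re-roll Codecov recommends, the sketch below (an added example, not Codecov's or CyberCX's code) scans CI configuration text for pipelines that fetch the Bash Uploader and lists the secret names those pipelines reference. The workflow files are constructed samples, the function name and name-matching heuristic are assumptions, and secrets the CI platform injects without naming them in the file will not be listed.

```python
import re

# Pipelines that fetched the uploader script from codecov.io/bash
UPLOADER_RE = re.compile(r"codecov\.io/bash\b")
# GitHub Actions style secret reference: ${{ secrets.NAME }}
GHA_SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Shell-style reference ($NAME or ${NAME}) and upper-case YAML env keys
SHELL_VAR_RE = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?")
ENV_KEY_RE = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)\s*:", re.M)
# Heuristic (assumption): variable names containing these words hold credentials
SECRET_HINT_RE = re.compile(r"TOKEN|KEY|SECRET|PASSWORD|PASSWD|CREDENTIAL")

# Constructed sample input: two workflow files, only one of which runs the uploader
SAMPLE_CI_FILES = {
    ".github/workflows/test.yml": """\
jobs:
  test:
    env:
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      DB_URL: ${{ secrets.STAGING_DB_URL }}
    steps:
      - run: make test
      - run: bash <(curl -s https://codecov.io/bash) -t $CODECOV_TOKEN
""",
    ".github/workflows/lint.yml": """\
jobs:
  lint:
    steps:
      - run: make lint
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
}

def secrets_to_rotate(ci_files):
    """Map each CI file that calls the Bash Uploader to the secret names it references."""
    exposed = {}
    for path, text in ci_files.items():
        if not UPLOADER_RE.search(text):
            continue  # this pipeline never ran the uploader
        # Every explicit secrets.* reference counts, whatever the variable is called
        names = set(GHA_SECRET_RE.findall(text))
        candidates = SHELL_VAR_RE.findall(text) + ENV_KEY_RE.findall(text)
        names.update(n for n in candidates if SECRET_HINT_RE.search(n))
        exposed[path] = sorted(names)
    return exposed

if __name__ == "__main__":
    print(secrets_to_rotate(SAMPLE_CI_FILES))
```

The result is a starting list for rotation, not a complete one: anything present in the job's environment while the uploader ran should be treated as exposed.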
Recently, the United States Government established strong cooperative partnerships with private-sector cyber security firms as it sought to get a handle on dealing with both the SolarWinds and Microsoft Exchange Server breaches.
So successful have these public-private partnerships been that the White House has indicated they will be a model for dealing with future breaches too.
The US administration convened two Unified Coordination Groups (UCGs) to drive the Government response to the far-reaching incidents. Both UCGs are now being stood down due to the increase in security patches being applied to prevent the attacks and a reduction in the number of victims.
But the way they operated and what was learned will be used to guide responses to future cyber incidents. Lessons learned include ‘integrating private sector partners at the executive and tactical levels’ and involving private sector organisations in the response in order to help deliver fixes smoothly, like Microsoft’s one-click tool to simplify and accelerate victims’ patching and clean-up efforts, as well as sharing relevant information between firms.
The experience of the United States may also inform Australia’s approach to handling major cyber incidents. In last year’s Cyber Security Strategy, the Australian Government committed to:
“invest $10.0 million for an expanded National Exercise Program that will bring Commonwealth, state and territory government agencies together with private sector organisations to plan and prepare for cyber security incidents.” ¹
Given national capacity constraints, skills shortages and the extensive cyber security expertise within the private sector, such partnerships would serve national interests well.
¹ https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf p.39.
Neglecting to patch older vulnerabilities is one of the most common reasons organisations experience breaches.
In 2019 and 2020, Pulse Secure VPN disclosed and issued patches for a number of vulnerabilities. Now, it appears some organisations continue to be vulnerable.
It has been revealed that hacking groups are leveraging older, unpatched vulnerabilities together with a dangerous new zero day. This combination of old and new vulnerabilities is paving the way for the malicious actors to attack governments, defence contractors and other businesses in the US and Europe.
The malicious actors are highly skilled, with deep technical knowledge of the Pulse Secure VPN product. They developed malware that persisted despite software updates and factory resets. This enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices for several months without being detected.
On 20 April 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) warned of ongoing exploitation which has impacted US Government agencies, critical infrastructure entities, and private sector organisations.
It is also a concern for authorities here in Australia. The Australian Cyber Security Centre (ACSC) recommends that, in addition to patching, organisations should refer to mitigations provided within the CISA alert: Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities.
The ACSC also recommends taking the additional step of running the Pulse Connect Secure Integrity Tool, which checks the file system and finds any additional/modified file(s).
For further details on the vulnerabilities and impacted versions, please refer to the Pulse Security Advisory.