CyberCX Security Report | July 2021
There’s no shortage of cyber news making the headlines, but what does it mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
The Race to Patch
If any further reminders were needed of the importance of rapid patching, the latest supply-chain attack should be a wake-up call for all organisations.
Kaseya, the remote IT management software vendor, finds itself at the centre of a devastating ransomware strike. The REvil ransomware gang exploited several vulnerabilities in Kaseya’s VSA remote management software, which is used by managed service providers around the world. As a result, the gang was able to deploy ransomware on the systems of at least hundreds, if not thousands, of organisations, including here in Australia.
According to the Australian Cyber Security Centre, there are reports of Australian organisations being impacted by this ransomware attack. While this activity is under investigation, early reporting indicates that the supply-chain attack enabled the REvil group to distribute malware through update mechanisms within Kaseya VSA with the intent of encrypting and ransoming data held on victim networks.
Reports indicate that the gang is demanding payments of up to $5 million from affected managed service providers and $44,999 from individual customers whose systems were encrypted.
According to reports, Dutch researchers had recently notified Kaseya of several zero-day vulnerabilities in VSA. Kaseya was close to fixing the vulnerabilities in its software when the REvil operation hit. It is unclear whether REvil somehow knew in advance that patches were coming.
While its internal patching development effort was underway, Kaseya would have been hoping that threat actors did not identify the vulnerability before a fix could be built. Software companies typically don’t make information about vulnerabilities available prior to patches, so as not to alert malicious actors.
This raises a problem for software company customers, who may unknowingly have vulnerable applications in their digital supply-chain.
The ACSC recommends that organisations using Kaseya immediately shut down the relevant servers until further notice, ensure Multi-Factor Authentication (MFA) is implemented, and ensure service accounts run with the minimum privileges required.
Insurance and Ransom Payments
Australia’s biggest insurance companies have largely endorsed potential Government intervention to outlaw reimbursement of companies that make ransom payments to cyber criminals, on the basis that such cover acts as a perverse incentive.
IAG’s chief executive, Nick Hawkins, said cyber insurance that covered ransom payments was “an area that is likely to see significant change in coming years”. Though IAG covers businesses hit by cyber-attacks for losses incurred as a result of disruption and hiring consultants to alleviate the issues, its insurance also currently extends to reimbursement of payments made to criminals as part of a ransomware attack.
According to industry reports, ransomware payouts are putting the squeeze on cyber-insurance companies and resulting in higher premiums for organisations that want protection against the threat. Larger companies are getting hit with bigger price hikes than midsize and small companies because they are the ones that are experiencing the biggest losses.
Over the past six months, premiums have gone up by 7% on average for small firms and between 10% and 40% for medium and large businesses in the United States.
Recent large-scale ransom payments, such as those paid by Colonial Pipeline and JBS Foods, running into multiple millions of dollars, are a significant concern for the cyber-insurance industry.
Potential policy changes by insurers to limit reimbursements of ransom payments will put the onus of responsibility onto individual organisations to take all precautionary measures possible to avoid becoming a victim.
With millions of Australians still working from home, VPNs continue to be an essential element in ensuring organisations remain secure. VPNs allow remote staff to connect to their organisation’s networks, reducing the risks of data compromise.
For many organisations, there is an assumption that once a VPN is in place, it’s ‘job done’. However, this is a mistake. VPNs can be vulnerable to breaches, allowing malicious actors to access corporate data.
Zyxel, a manufacturer of enterprise routers and VPN devices, has issued an alert that attackers are targeting its devices and changing configurations to gain remote access to a network.
The attacks affect organisations using Unified Security Gateway (USG), ZyWALL, the USG FLEX combined firewall and VPN gateway, Advanced Threat Protection (ATP) firewalls, and VPN series devices running its ZLD firmware.
According to the company: The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as “zyxel_sllvpn”, “zyxel_ts” or “zyxel_vpn_test”, to manipulate the device’s configuration.
Zyxel notes that firewalls may be affected if users experience issues accessing the VPN, or routing, traffic and login problems. Other signs include unknown configuration parameters and password problems. Administrators should delete all unknown admin and user accounts created by the attackers, along with any unknown firewall rules and routing policies.
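The check that advice implies is a baseline comparison: export the device configuration and flag every account, firewall rule and routing policy that change control did not approve. The script below is an added example, not code from CyberCX or Zyxel. It assumes a constructed, simplified export format of one object per line (`<object-type> <name> ...`), which is not Zyxel’s real CLI syntax; the parser would need adapting to a genuine export. The sample configuration is constructed, with the three account names from the advisory included alongside an extra firewall rule and policy route standing in for attacker-added objects.

```python
"""Baseline audit for a gateway configuration export.

Added example (not CyberCX's or Zyxel's code). The line format parsed here is
a constructed, simplified "<object-type> <name> ..." layout, not Zyxel's real
CLI syntax: adapt parse_config() to whatever your device actually exports.
Anything that is not in the approved baseline (accounts, firewall rules,
routing policies) gets flagged for review.
"""
from typing import Dict, List, Set

# Object types we track; each becomes a key in the baseline and the findings.
TRACKED_TYPES = ("username", "firewall-rule", "policy-route")

# Constructed sample export. Hashes are placeholders, addresses are RFC 5737
# documentation ranges. The three "zyxel_*" accounts are the names from the
# advisory; rule 77 and route 9 stand in for attacker-added objects.
SAMPLE_CONFIG = """\
! constructed sample, not a real device export
username admin password-hash PLACEHOLDER role admin
username ops_backup password-hash PLACEHOLDER role limited-admin
username zyxel_sllvpn password-hash PLACEHOLDER role user
username zyxel_ts password-hash PLACEHOLDER role user
username zyxel_vpn_test password-hash PLACEHOLDER role user
firewall-rule 1 from WAN to LAN action deny
firewall-rule 2 from LAN to WAN action allow
firewall-rule 77 from WAN to ZyWALL action allow
policy-route 1 next-hop 192.0.2.1 from LAN
policy-route 9 next-hop 203.0.113.7 from ZyWALL
"""

# Approved baseline: what change control says should exist on this device.
BASELINE: Dict[str, Set[str]] = {
    "username": {"admin", "ops_backup"},
    "firewall-rule": {"1", "2"},
    "policy-route": {"1"},
}


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {object_type: {name: full_line}} for every tracked object."""
    objects: Dict[str, Dict[str, str]] = {t: {} for t in TRACKED_TYPES}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        parts = line.split()
        if len(parts) < 2 or parts[0] not in objects:
            continue  # not an object type we audit
        objects[parts[0]][parts[1]] = line
    return objects


def audit_config(text: str, baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Names present in the export but absent from the baseline, per type.

    Every non-baseline object is reported whatever it is called, so an
    attacker who chose account names other than those in the advisory is
    still caught. That is why an allowlist beats a denylist of known names.
    """
    objects = parse_config(text)
    findings: Dict[str, List[str]] = {}
    for obj_type, present in objects.items():
        approved = baseline.get(obj_type, set())
        findings[obj_type] = sorted(name for name in present if name not in approved)
    return findings


def missing_from_device(text: str, baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Baseline objects absent from the export, e.g. a deny rule that was removed."""
    objects = parse_config(text)
    return {
        obj_type: sorted(approved - set(objects.get(obj_type, {})))
        for obj_type, approved in baseline.items()
    }


if __name__ == "__main__":
    for obj_type, names in audit_config(SAMPLE_CONFIG, BASELINE).items():
        for name in names:
            print(f"UNKNOWN {obj_type} {name}: review and remove if not authorised")
    for obj_type, names in missing_from_device(SAMPLE_CONFIG, BASELINE).items():
        for name in names:
            print(f"MISSING {obj_type} {name}: baseline object not on device")
```

Run against the sample, the audit flags the three advisory account names plus firewall rule 77 and policy route 9, and reports nothing missing. Keeping the baseline in version control alongside the export makes the comparison repeatable after every change window, which is the habit that turns the vendor’s “look for unknown accounts and rules” guidance into a routine check rather than a one-off response.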
This is a timely reminder of the importance of VPN penetration testing. Whilst many organisations routinely test their applications and servers, VPNs are often neglected. This can make them a weak link in an organisation’s environment.
Contact CyberCX for expert advice on VPN penetration testing.