Happy New Year and welcome to the first episode ever of Security Weekly News.
It’s another year of malware, exploits, and fun here on the Security Weekly Network. Ransomware, TikTok, World War III, & in the Expert Commentary, we welcome Jason Wood of Paladin Security, to talk about Iranian Cyber Threats: Practical Advice for Security Professionals!
Visit https://www.securityweekly.com/swn for all the latest episodes!
To learn more about our sponsors visit: The Security Weekly Sponsor’s Page
January 7, 2020
- https://www.theguardian.com/technology/2020/jan/02/travelex-forced-to-take-down-website-after-cyber-attack — Travelex hacked and down for the new year.
- https://www.thesun.co.uk/money/10680248/travelex-foreign-currency-website-still-down/ — Travelex
- https://www.darkreading.com/attacks-breaches/widely-known-flaw-in-pulse-secure-vpn-being-used-in-ransomware-attacks/d/d-id/1336729 — Travelex hack likely CVE-2019-1150 Pulse VPN exploit
- https://globalnews.ca/news/6373514/ehealth-saskatchewan-offline-while-dealing-with-ransomware-attack — healthcare is still being targetted
- https://www.darkreading.com/threat-intelligence/ransomware-victim-southwire-sues-maze-operators/d/d-id/1336719 — a lawsuit against John Doe for Ransomware, a New Hope?, doubtful.
- https://www.darkreading.com/edge/theedge/what-tools-will-find-misconfigurations-in-my-aws-s3-cloud-buckets/b/d-id/1336720 — secure your bit buckets, c’mon.
- https://www.xplg.com/s3-security-buckets/ — s3 bucket security guide
- https://www.washingtonpost.com/nation/2020/01/06/american-government-website-defaced-iran-hackers-bloodied-trump/ — WWIII Cyber war?
- https://www.dhs.gov/news/2019/06/22/cisa-statement-iranian-cybersecurity-threats — CISA statement about Iranian Cyber Threats from last year
- http://large.stanford.edu/courses/2015/ph241/holloway1/ — Old Stuxnet reference
- https://docs.house.gov/meetings/HM/HM08/20130320/100523/HHRG-113-HM08-Wstate-BermanI-20130320.pdf — US House statement about Cyber Pearl Harbor
- https://www.washingtonpost.com/news/powerpost/wp/2017/01/12/trump-names-rudy-giuliani-as-cybersecurity-adviser/ — Rudy is the Cyber Chief.
- https://www.darkreading.com/endpoint/how-a-password-free-world-could-have-prevented-the-biggest-breaches-of-2019/a/d-id/1336629#msgs — Credential Stuffing
- https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/ — Could there be Web Assembly in your future?
- https://www.zdnet.com/article/chinas-tiktok-banned-by-us-army-amid-security-concerns-report/ — Army bans TikTok
- https://www.techrepublic.com/article/tik-tok-google-and-twitter-dominate-2019-app-rankings — Top Social Media Rankings
- Top Threat for the Week — Targeted Ransomware and well, Hostile Nation States.
- Hot Malware to review: Kwampirs resurgence.
- Send Nudes. https://www.iflscience.com/plants-and-animals/us-model-raises-over-500000-for-australia-bushfires-by-sending-nudes/?fbclid=IwAR0wMJjcrXrui14zmmW3W0oh1Tudjehn_7WB1Z1fGlQTEOPKvtFgkbrUO0s
- https://www.vice.com/en_us/article/884amp/hasbro-now-owns-death-row-records-because-why-not-its-2020 — Tupac and Biggie live on at Hasbro
In case you hadn’t heard yet, the United States killed Iranian General Qasem Soleimani last Friday. Since then it seems like everyone is freaking out over what Iran’s response will be. I think my favorite headline came from The Express in the UK. “World War 3: Is World War 3 official? Will WW3 happen and will the UK get involved?” To tell you how good their research on the topic was, they said the attack occurred in Iran in the first paragraph, then later say it happened near the Baghdad airport. Even without that level of hysteria, people are concerned as to what Iran’s move is going to be. In our field, folks are worried about cyberattacks from Iran. So let’s talk about preparation for attacks against our systems, regardless of whether Iran did it or not.
In the show notes, I’ve linked to an article by Rick Holland on the Digital Shadows blog. Rick’s analysis is focused on threat modeling in particular, while my point of view is focused more on day to day security operations. He makes the point that this is “not the time ZOMG CYBER IRAN” and I agree with him. Yes, the tension between the US and Iran is at a very high level. Yes, the Iranians are quite busy conducting offensive operations and they are now very angry. At the same time, what really changed for most of us between January 2nd and January 3rd. The answer is not a lot.
Our networks are still plugged into this hostile environment called the internet and they are being attacked by people of varying skill levels. This has been ongoing for years. We should have fairly comprehensive defenses in place already for the type of actions that Iran may take against our organizations. For example, a quick look at APT33 or Refined Kitten’s techniques include things like spear phishing, brute force attacks, and distributed denial of service. There have already been some web defacements in response to General Soleimani’s death. None of these are new and they aren’t limited to Iranian attackers only. You can include the Chinese, Russians, Americans, and nearly everyone else to the list of countries or groups using them.
There’s really nothing new that you need to implement that you should not have in place already. If you don’t have defenses for this stuff in place, then you have bigger problems. In times of greater tension you may decide to be more attentive on your monitoring. For some organizations, that may mean performing hunts in their networks for signs of similar attacks being employed. This is what I would hope to see organizations in financial, defense, government, and critical infrastructure doing. They should already have robust defenses and, due to their threat profile, should be on a higher state of alert. For other organizations, they may be responding to emailed alerts from defenses more closely. And finally, I hope that some organizations decide they need to take a look at their security logs for the first time in months.
So what can you do? Honestly, stay focused on the operational basics. That means making sure patches are being deployed in a timely manner, that unexpected services aren’t hanging out on the internet, and that you’ve changed default passwords to something other than “admin” or “password”. Preferably something really long and not easily guessed. Check to make sure your back up system is working as expected and do a test restore to make sure the process works. Make sure that those who are responsible for security monitoring are paying attention and are not asleep at the keyboard.
One point that Mr. Holland makes in his blog post did stand out is that we need to make sure our threat model includes being “collateral damage” in an attack intended for someone else, but it spreads in unexpected ways. He cites the example of Maersk and NotPetya. Maersk was not the intended victim for NotPetya, but it got caught up in it and was seriously damaged. This could happen to anyone of us. The defenses against this fall into the operational basics again.
Finally, I’d add one more point to the current panic sweeping the twitters. Make sure we keep some perspective on what is going on. We are going to continue to have political and military strife in the world. We can’t lose our cool when another conflict occurs between nations or other groups. If you feel unprepared to respond to an incident in your organization, then that’s a sign that you’ve got some work to do. Otherwise, stay attentive and be ready to respond, regardless of who may be attacking you. After all, that’s what we are paid to do in this field.
- Our next webcast is January 15th with Cecilia Marinier, RSAC Program Director, Innovation & Scholars where we will discuss RSAC Sandbox, RSAC Innovation Sandbox, RSAC Launch Pad, RSAC Security Scholar and their “How to” Seminar for Innovators and Entrepreneurs! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop down from the top menu bar and clicking registration.