Posts

What Companies Can Learn from the SEC Breach

Another day and unfortunately, another high-profile cybersecurity hack is in the news. This time, it happened at the Securities and Exchange Commission (SEC).

On September 20, SEC officials said the agency, which regulates the United States markets and protects investors, had a security breach in 2016 that affected the electronic storing system which houses public-company filings. The hackers who accessed the SEC records may have conducted stock market trades on the stolen information, officials said.  

From WannaCry to Petya and Equifax and now the SEC, it seems like breaches are becoming commonplace and that cybersecurity is on the top of everyone’s mind. Referenced on social media channels as the #cyberattacksurge, we must ask what financial companies can do to better protect and prepare themselves from a potential cyberattack.

How Did This Breach Occur?

The data storing system that the SEC named “Edgar” (Electronic Data Gathering, Analysis and Retrieval System) is an online tool that investors use to view company’s earnings and disclosures. Companies can also purchase and then resell the feeds produced by Edgar to online traders as well.

The SEC revealed that the hackers found a vulnerability in the Edgar system through a data transmitting form. Few details were provided, except that the hack was detected in 2016 but evidence of illicit trading using the stolen information wasn’t discovered until August 2017.  An FBI investigation is underway and the SEC is cooperating with authorities.

Steve Groom, Director of Cyber Defense Services at Proficio, said the problem the SEC is facing is that the agency’s web application was compromised by either an SQL Injection or Cross Site Scripting. The real issue is more centered around web application scanning, code review and penetration testing.

Today’s web applications have moved from an agile development cycle to daily sprints, where they are making changes hour by hour or even day by day, Groom stated.

How to Build an Effective Cybersecurity Action Plan

Bryan Borra, SOC and SIEM Director at Proficio, said having an action plan in place to manage applications and services that are exposed to the internet is a critical piece to helping prevent an attack that is sourced against public-facing web applications.

“This breach occurred due to a vulnerability in a web application,” Borra said. “Web applications exposed to the internet are most vulnerable to attacks because a group of individuals from the outside can access them.”

Deploying an externally facing firewall change policy and relevant SIEM correlation use cases can help safeguard your network from attacks like those that broke into the SEC systems, Borra said.

Deploying an Externally Facing Firewall Change Policy

Not all firewall changes are equal in risk and some of the riskiest changes are what you allow inbound to your network, Borra cautioned. Some enterprises have deployed special procedures that treat firewall changes that open a port or system to the outside differently than other firewall changes.

For example, if a web server is stood up and the system owner requests the system be accessible to the internet, a request will be forwarded to the information security team to approve the change. The information security team will then assess the change and approve or disapprove based on criteria documented in the policy, Borra said.

Common evaluation criteria in this policy could be:

  1. The Information Security Team performs a vulnerability scan against the system and have the system owner remediate all vulnerabilities that are interpreted as “critical” or “serious” or above a certain priority level before the system can be placed on the internet.
  2. Assess “least privilege” and attempt to limit the ports and subnets within the change to only what is needed.
  3. Place the system in a specific zone such as a DMZ based on its function.
  4. Make sure that no applications, services, or plugins hosted on the system violate any applications that the information security team has banned due to their security risk profile (ex: WordPress, Joomla, Coldfusion, etc.).

Deploying Relevant SIEM Correlation Use Cases

Vulnerability scan data is often ingested to the SIEM and can provide value for this particular situation. For example, if change approval hooks in security operations to input the systems that have been approved to be open to the outside, then you can input this information into your SIEM and make a list of “systems open to the outside,” Borra said.

With this list, you can correlate the system against incoming vulnerability scan data. If incoming scan data matches this system up with having a new critical, serious, or high priority vulnerability, you can forward the case to security operations to assess blocking access to the system externally until the vulnerability is remediated.

Small to medium sized enterprises may have difficulties doing the previously mentioned correlation use case because they often don’t have a structured list of systems or applications exposed externally through the firewall. They may also have not deployed any type of externally facing firewall change policy and do not have a simple straight forward answer as to if anything currently being accessed from the outside has a critical vulnerability.

If you ingest vulnerability data into your SIEM and have threat intelligence feeds around blacklisted IP addresses, you can build a use case that is somewhat effective at discovering interesting services that have vulnerabilities that are accessible externally.

First, setup a correlation rule to model systems that have services that have critical, serious, or high priority vulnerabilities (ex: webserver01 has critical web vulnerability).

Next, build correlation rules that correlate those systems and services with the firewall to allow blacklisted IP addresses (ex: blacklisted IP was permitted through the firewall accessing websever01 over http).

What you get are firewall rules that are allowing blacklisted IP addresses to access a service with a critical vulnerability.

This is a useful initial correlation use case when assessing what is critical and open to the internet.

What Companies Need to Know

The SEC hack is just another warning to companies, particularly those in the finance sector, that they must ensure that their security environments are properly secured and compliant and that they have strategic plans in place in how to respond if a potential breach does occur.

They are going to be a constant target to hackers because of their confidential and sensitive information that they possess, which unfortunately if hackers do get their hands on can make financial gain.

“This breach highlights the need for high-profile agencies and organizations like the SEC to put in place a more practical process or system to monitor critical assets not only at the perimeter but on the systems themselves to monitor for (IOCs) Indicators of Compromise,” said Dana Hawkins, Director of Security Services at Proficio. “Monitoring is only a part of the solution, you must also put in place trained SOC/NOC personnel capable of quickly identifying problems and an Incident Response Team that has the authority to act when a compromise is found.”

Government bodies like the SEC are particularly vulnerable to fast-moving cyber threats, according to Hawkins, who previously worked as an IT security contractor for the federal government.

“It’s time for government agencies around the country to come out of the dark ages and understand the changing cyber threat landscape,” Hawkins said. “Response to threats needs to be more agile and effective or breaches like this will be a common occurrence.”

OktoberTekfest | Sep 9, 2019

Tap Into the Latest Technologies

Since 2013, IE’s OktoberTekfest has been brewing up the best in IT solutions with Mobility, Intelligent Infrastructure, Collaboration, and Security. We bring together over 300 IT professionals from across the Southeast to tap into technology, inspire innovation, explore the biggest trends in the industry and connect over bratwursts & brews!

BREACH – United States Postal Service

A serious vulnerability on the United States Postal Service (USPS) website (www.usps.com) was discovered in early November by an anonymous security researcher. The vulnerability reportedly allowed access to account details for over 60 million users, which included personal information such as email address; username; user ID; account number; street address; and phone number among others. Additionally, anyone exploiting the vulnerability would also be able to access package tracking information and, in some cases, even modify user account data.

The vulnerability was traced to a major flaw in the authentication process for a USPS package tracking system known as “Informed Visibility.” The API for this system had essentially no access control measures in place to prevent basic unauthorized requests. This meant that any person that made a free USPS web account could log in and then make specific queries to view personal information of other users. A knowledgeable user could easily make queries containing a wildcard character, in order to produce a list that returned all account entries. The results could even reveal information such as multiple user accounts tied to a single home address, indicating a shared household. None of these unauthorized queries required the use of special hacking tools.

While researchers have reported this information to USPS, who claims to have fixed this issue, any unauthorized queries made during the exposure time frame could have leaked personal information to attackers. Not to mention, any of the leaked data could have possibly been saved for future attacks. In particular, 60 million email addresses would be considered a treasure trove to those conducting spam email or phishing campaigns.

Proficio Threat Intelligence Recommendations:

  • If your company utilizes a USPS web account, review your account information for unauthorized modifications. If any unauthorized changes have been made to your account, report your findings to USPS.
  • While no passwords were reported leaked in this breach, it is advised to change the password of your USPS web account, to a strong randomized password, as a precaution.

Krebs On Security – Click Here

TARGET – Democratic National Committee Phishing Mix-up

On August 22nd, the Democratic National Committee made a press release stating that a cybersecurity service provider had alerted them of a phishing page that was stood up to target their Votebuilder website. The investigation was escalated to the FBI and immediately Russia was suspected due to previous attack activity from 2016.

A day later, the Democratic National Committee came out and stated that the event had been a false alarm and was actually an authorized penetration test being performed against the Michigan Democratic Party.

While some bad press was received regarding the matter, many cybersecurity professionals attempted to give some praise for the DNC gaining the capability to quickly detect and report the attack. Because of the miscommunication between the DNC and Michigan Democratic Party, penetration tests and red team activity will likely be coordinated between the groups in the future.

Proficio Threat Intelligence Recommendations:

  • Validate that any red team or penetration test activity performed is coordinated in some way with subsidiaries and business partners that might be affected.
  • Employ two factor authentication for public facing web services that might be a target for hackers to use in a phishing campaign.

Reporting before discovery of mix-up – Click Here

Reporting after discovery of mix-up – Click Here

ATTACKER – Leafminer Expanding Operations to Target United States ICS Entities

In July of 2018, the threat actor Leafminer was detailed by Symantec as having targeted a list of government organizations and business verticals in the Middle East since at least early 2017. The article also detailed several aspects of how the attacker attempted to breach targets. One method detailed was the attackers using “file://” URLs embedded on websites used as watering holes that prompted Windows users that visited the site to enter their SMB credentials. When users provided input, it would transmit the user’s NTLM hash to the attackers to be cracked offline.

There were additional traditional attack methods observed in the article including using brute force / dictionary attackers against public facing services, EternalBlue for lateral movement, and common attack software such as Mimikatz, PsExec, and THC Hydra.

After this article had been released, a cybersecurity vendor that specializes in ICS incident response, Dragos, reported they had discovered Leafminer targeting US entities in the utility vertical. Dragos suggested that the threat actor uses embedded links that prompt for SMB credentials as well indicating that US entities might be experiencing future watering hole attacks similar to what was seen in the Middle East. Dragos named this threat actor “RASPITE.”

Dragos suggested in the blog that they have not received any evidence that the attackers have gained the ability to infiltrate ICS systems once a foothold has been gained into a utility entity, but that the attackers likely trying to gain access to organizations to prepare for a later ICS attack.

Proficio Threat Intelligence Recommendations:

  • Place two factor authentication on any public facing services where users authenticate.
  • Make sure Windows servers inside the network are up-to-date and patched, especially against ETERNALBLUE and other related recent SMB vulnerabilities.
  • Enforce password policies for Windows credentials such as complex passwords or periodic changes of passwords by users.


Symantec findings for Leafminer – Click Here

Dragos details on RASPITE – Click Here

TARGET: Technical Documents for U.S. Air Force Drone Leaked through Router Vulnerability

July 11th – In June 2018, Recorded Future observed a hacker on the Dark Web selling the technical plans and training manual of the MQ-9 Reaper UAV (unmanned aerial vehicle) for $150 to $200. The MQ-9 Reaper was introduced in 2001 by General Atomics and is currently in use by the U.S. Air Force, the U.S. Navy, the CIA, and U.S. Customs and Border Protection.

The hacker was English speaking and appeared to disclose the method of how he or she was able to obtain the sensitive documents from a computer of a captain at 432d Aircraft Maintenance Squadron Reaper stationed at the Creech Airforce Base in Nevada.

In early 2016, security researchers published findings regarding Netgear routers with remote access capabilities were vulnerable if the default FTP credentials were not changed out. Additionally, NetGear routers have a “ReadySHARE Storage” feature that allows individuals on the router’s network to connect USB storage and share the contents of the USB. If an attacker is able to access certain NetGear routers with this feature remotely via FTP, they can access the data stored on the router via the USB share feature. It was disclosed that the attacker was able to obtain a collection of sensitive files from a U.S. Airforce Captain’s computer via FTP remote access.

Beyond the documents stolen, the hacker also has disclosed that he or she is also able to access footage from U.S. border surveillance and can watch footage of certain predator drones flying over the Gulf of Mexico. The individual also disclosed that he or she was not targeting the U.S. Airforce when obtaining the plans for the Reaper, but rather came across information about the vulnerability through doing a search in Shodan (Shodan is a search engine platform used by hackers to identify vulnerabilities and configurations that are internet facing and susceptible for attack). The identity of the hacker has not been disclosed at this time from the sources researched.

Proficio Threat Intelligence Recommendations:

  • Inspect SOHO equipment that might be at remote sites for vulnerabilities or unsafe configurations.
  • Assess blocking well-known social networks that do not have business use to potentially reduce future channels of command and control.
  • Disable USB storage sharing over Wi-Fi if this feature is currently used in the environment.
  • Put security controls in place to guard against unauthorized access of the organization’s sensitive data.

Recorded Future Investigation – Click Here

Method: TA 18-086A: Brute Force Attacks / Password Spraying

In March 2018, the Department of Justice indicted nine Iranian nationals for conducting brute force style attacks against organizations in the United States utilizing a technique referred to as “Password Spraying”.

Characteristically, brute force attacks attempt to authenticate credentials by guessing the password of a single user account, however accounts now will typically lock out after a handful of failed attempts. “Password Spraying” attempts to successfully authenticate using easy-to-guess passwords against multiple user accounts. This technique reduces the chance of triggering red flags for multiple failed attempts from a single user.

“Password Spray” attacks target single sign-on (SSO) and cloud-based applications that use federated authentication protocols in an attempt to hide malicious traffic. Federated authentication protocols are used in linking a person’s electronic identity across multiple identity management systems, which will also broaden the attacker’s scope to maximize access to intellectual property during a successful compromise.

Proficio Threat Intelligence Recommendations:

  • Implement strong password standards
  • Enable multi-factor authentication
  • Abstain from clicking non-validated email links

Alert TA 18-086A – Click Here