There’s no shortage of cyber-attacks making the headlines, but what do they mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Supply chain vulnerabilities
Fresh off the back of the SolarWinds compromise comes another supply chain attack. This time the target was Codecov, a firm which provides tools and services to check how well software tests are covering code under development in continuous integration (CI) workflows.
Developers discovered a backdoor in the Codecov Bash Uploader tool, which is used by many organisations and open-source projects as part of their testing processes.
Codecov said the breach allowed the attackers to export all the data stored in its users’ CI environments by modifying a command-line upload tool. Of deep concern is the extent of the compromised data, which included user credentials, software tokens, and keys, including the data that could be accessed with those keys, as well as the remote repository information.
This compromised data was then sent to a third-party server outside of Codecov’s infrastructure.
It is believed the backdoors may have been there for up to four months, with the company reporting periodic, unauthorised access to its Google Cloud Storage (GCS) key beginning January 31, 2021.
Codecov strongly recommends affected users immediately re-roll all credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.
For any of the 29,000 organisations that use Codecov, it is advised to start scanning logs for unusual activity from the end of January to the beginning of April.
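Both recommendations above, checking what a CI job actually fetches and runs, and reviewing CI logs for unexpected outbound activity, can be automated. The shell example below is added here and is not Codecov's uploader or CyberCX's code: verify_script refuses to run a downloaded uploader script unless its SHA-256 matches a checksum pinned from a source independent of the download itself, and scan_ci_log flags log lines where curl or wget targets a host outside an allow-list. The hostnames, log lines and allow-list are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Codecov's or CyberCX's code): two defensive checks for
# CI pipelines that pull third-party scripts such as a coverage uploader.
# All hostnames, paths and log lines are constructed for illustration.
set -u

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script <path> <expected_sha256>
# Returns 0 only when the pinned checksum matches; it never runs the script.
# The expected value must come from a source independent of the download
# (e.g. a checksum committed to the repository), not from the same server.
verify_script() {
  local path="$1" expected="$2" actual
  [ -f "$path" ] || { echo "verify_script: missing $path" >&2; return 2; }
  actual="$(sha256_of "$path")"
  if [ "$actual" != "$expected" ]; then
    echo "verify_script: checksum mismatch for $path" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# scan_ci_log <logfile> <allowed-host-regex>
# Prints each curl/wget line whose URL host is not allow-listed and returns
# the number of such lines (0 means nothing suspicious was found).
scan_ci_log() {
  local logfile="$1" allowed="$2" hits=0 line host
  while IFS= read -r line; do
    case "$line" in
      *curl*|*wget*) ;;
      *) continue ;;
    esac
    host="$(printf '%s\n' "$line" | grep -oE 'https?://[^/[:space:]"]+' | head -n1)"
    [ -n "$host" ] || continue          # curl/wget without a URL, e.g. --version
    host="${host#http://}"; host="${host#https://}"
    if ! printf '%s\n' "$host" | grep -qE "$allowed"; then
      echo "SUSPICIOUS: $line"
      hits=$((hits + 1))
    fi
  done < "$logfile"
  return "$hits"
}
```

In a pipeline, call verify_script before executing the uploader and fail the job on a non-zero return; run scan_ci_log over archived job logs for the window the advisory names.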
Recently, the United States Government established strong cooperative partnerships with private-sector cyber security firms as it sought to deal with both the SolarWinds and Microsoft Exchange Server breaches.
So successful have these public-private partnerships been, that the White House has indicated it will be a model for dealing with future breaches too.
The US administration convened two Unified Coordination Groups (UCGs) to drive the Government response to the far-reaching incidents. Both UCGs are now being stood down due to the increase in security patches being applied to prevent the attacks and a reduction in the number of victims.
But the way they operated and what was learned will be used to guide responses to future cyber incidents. Lessons learned include ‘integrating private sector partners at the executive and tactical levels’ and involving private sector organisations in the response in order to help deliver fixes smoothly, like Microsoft’s one-click tool to simplify and accelerate victims’ patching and clean-up efforts, as well as sharing relevant information between firms.
The experience of the United States may also inform Australia’s approach to handling major cyber incidents. In last year’s Cyber Security Strategy, the Australian Government committed to:
“invest $10.0 million for an expanded National Exercise Program that will bring Commonwealth, state and territory government agencies together with private sector organisations to plan and prepare for cyber security incidents.” ¹
Given national capacity constraints, skills shortages and the extensive cyber security expertise within the private sector, such partnerships would serve national interests well.
¹ https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf p.39.
Neglecting to patch older vulnerabilities is one of the most common reasons organisations experience breaches.
In 2019 and 2020, Pulse Secure VPN disclosed and issued patches for a number of vulnerabilities. Now, it appears some organisations continue to be vulnerable.
It has been revealed that hacking groups are leveraging older, unpatched vulnerabilities together with a dangerous new zero-day. This combination of old and new vulnerabilities is paving the way for the malicious actors to attack governments, defence contractors and other businesses in the US and Europe.
The malicious actors are highly skilled, with deep technical knowledge of the Pulse Secure VPN product. They developed malware that persisted despite software updates and factory resets. This enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices for several months without being detected.
On 20 April 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) warned of ongoing exploitation which has impacted US Government agencies, critical infrastructure entities, and private sector organisations.
The National Cyber Security Centre (NCSC) strongly advises UK organisations to install the upgrade as soon as is practicable.
For further details on the vulnerabilities and impacted versions, please refer to the Pulse Security Advisory.