Cybersecurity Archives - My TechDecisions
https://mytechdecisions.com/tag/cybersecurity/

Rising Ransomware, Supply Chain Disruptions & Geopolitical Issues Complicate Cybersecurity
Published Tue, 20 Feb 2024, https://mytechdecisions.com/it-infrastructure/txone-networks-research-ransomware-supply-chain-geopolitical-issues-complicate-cybersecurity/

The post Rising Ransomware, Supply Chain Disruptions & Geopolitical Issues Complicate Cybersecurity appeared first on My TechDecisions.

Cyber-physical systems security provider TXOne Networks recently published its 2023 annual report detailing a growing range of cybersecurity issues facing global industries.

The Crisis of Convergence: OT/ICS Cybersecurity 2023, which is available for free download, “details diverse intensifying challenges, including growth in attacks via Ransomware-as-a-Service (RaaS) models, exploitation of supply chain vulnerabilities and prevalence of state-sponsored hackers and other politically motivated actors in the wake of geopolitical issues,” according to the company announcement.

TXOne Networks surveyed 405 key information technology (IT) and operational technology (OT) security decision-makers from across multiple global markets and sectors including automotive, pharmaceuticals and biotechnology, chemical, general manufacturing, oil and gas and transportation in September 2023.

The Crisis of Convergence: OT/ICS Cybersecurity 2023 “distills the survey findings, alongside extensive TXOne Networks threat research from 545 cybersecurity incidents around the world in 2023,” according to the company announcement.

“The threat landscape has intensified significantly in the industrial manufacturing and critical infrastructure sectors, leading to destructive events, economic losses, and potential risks to human safety,” reads the TXOne Networks report, which was produced in collaboration with Frost & Sullivan.

“Organizations emphasize the protection of critical OT assets as a top priority, with data security being a key investment area within their OT security budget allocations,” the report says. “Organizations are also seeking to invest in strengthening the resilience of their technological infrastructure and are turning to innovative approaches like Cyber-Physical Systems Detection and Response (CPSDR), which integrates OT expertise across various domains.

“This enhances OT security posture and resilience against evolving threats, enabling organizations to better protect their operations and ensure resilience in the face of a constantly changing threat environment,” according to the report.

More About the TXOne Networks Cybersecurity Report

The Crisis of Convergence: OT/ICS Cybersecurity 2023 explores a range of topics relevant to contemporary OT/ICS cybersecurity:

  • Ransomware threats
  • OT system maintenance and Information Technology (IT) integration concerns
  • Nation-state cyberattacks and implications
  • Dedicated teams for OT and Industrial Control System (ICS) security management
  • OT/ICS cybersecurity investment
  • New regulations and standards propelling OT/ICS defense
  • Supply-chain Integrity

“The Crisis of Convergence: OT/ICS Cybersecurity 2023 is the result of a thorough research and technical analysis that is aimed at delivering up-to-date insights into the global threat landscape and the tactics that malicious actors employ to launch attacks,” says Terence Liu, chief executive officer (CEO) of TXOne Networks, in the announcement.

“The findings are clear,” he says. “Organizations must move well beyond regulatory compliance in their OT/ICS cybersecurity strategies if they are to successfully adapt for the constantly evolving threat.

“Safeguarding the availability, reliability and security of revenue-generating operations will depend on new governance structures, enhanced team and technical capabilities, integration of advanced threat detection and response into cybersecurity frameworks and risk management across the supply chain,” says Liu.


Another version of this article originally appeared on our sister-site Security Sales & Integration on February 16, 2024. It has since been updated for My TechDecisions’ audience.

Solutionz OPTIXAV RMM Platform for AV Environments Now Available
Published Mon, 21 Aug 2023, https://mytechdecisions.com/audio/solutionz-optixav-rmm-platform-for-av-environments-now-available/

Solutionz, Inc., the Pacific Palisades, Calif.-based technology solutions provider, released OptixAV, a remote monitoring and management (RMM) platform designed for audiovisual environments. Solutionz says that with the OptixAV RMM platform, organizations can now enjoy a comprehensive, all-in-one solution that offers visibility, automated self-healing functionality, asset/inventory management and reporting. It also features an added layer of cybersecurity.

OptixAV RMM 24x7x365 Monitoring

OptixAV serves as a single pane of glass, providing real-time visibility across an entire AV environment. This allows organizations to gain valuable insights into their operations. Through integration with most ticketing systems, OptixAV streamlines the process and enhances efficiency, says Solutionz. The RMM platform is customizable and can be tailored to meet individual room and customer requirements.

One of the key benefits of OptixAV, Solutionz says, is its ability to proactively identify and resolve issues before they impact operations. With the platform’s 24x7x365 monitoring and automated self-healing functionalities, organizations can reduce downtime by up to 92%. OptixAV empowers AV tech teams to scale efficiently, enabling them to manage geographically dispersed rooms effectively and with less staff.

“OptixAV is a game-changer for any organization that relies on seamless AV performance as a critical aspect of their day-to-day operations,” says Bill Warnick, CEO of Solutionz Inc. He continues, “With OptixAV, we offer a fully customizable solution that optimizes room uptime, enhanced cybersecurity, and a system for streamlined AV management tasks. We are excited to empower organizations with tools that integrate with their current IT environments and deliver exceptional AV experiences.”

Continuous Cybersecurity Monitoring & Response

To ensure the utmost security, OptixAV includes an additional layer of cybersecurity designed specifically for audiovisual environments. By securely connecting AV equipment to an orchestration engine, organizations can manage, monitor, maintain, test and repair their AV environments from a single web browser. With this, it provides peace of mind and protects valuable assets.

The platform supports any IP addressable equipment and integrates seamlessly with two-factor authentication tools such as Okta, ensuring a secure environment. Additionally, OptixAV boasts extensive asset/inventory management capabilities and enterprise-wide visibility of all audiovisual systems. It also has the ability to generate customized reports tailored to an organization’s specific data points, says the company.

Shawn Fernandez, VP of sales development, Solutionz, says, “[OptixAV] offers customization, ensuring that automation aligns with your specific workflows. We prioritize continuous cybersecurity monitoring and response, offering peace of mind in an ever-evolving threat landscape.”

He adds, “Furthermore, OptixAV supports old IP-based equipment, allowing organizations to leverage their existing investments. Finally, the integration with ticketing systems and multi-factor authentication tools like Okta demonstrates our commitment to delivering a seamless user experience.”

Another version of this article originally appeared on our sister-site Commercial Integrator on August X, 2023. It has since been updated for My TechDecisions’ audience.

June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM
Published Tue, 13 Jun 2023, https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/

Microsoft has released fixes for about 70 vulnerabilities in its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month.

That list of bugs that should be prioritized includes two remote code execution vulnerabilities in Microsoft Exchange Server, an elevation of privilege bug in Microsoft SharePoint, a trio of remote code execution flaws in Windows Pragmatic General Multicast, and a handful of others.

Based on input from security researchers from the Zero Day Initiative (ZDI), Tenable, Immersive Labs and others, here is a look at the vulnerabilities that warrant more attention in the June 2023 Patch Tuesday release.

CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability

If this looks familiar, you aren’t alone. Microsoft has issued fixes for a number of Exchange Server remote code execution bugs in recent years, and this one is a bypass of fixes for CVE-2022-41082 and CVE-2023-21529, with the latter listed as being under active exploitation.

This vulnerability exists within the Command class, and the issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. This bug requires the attacker to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.

CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability

This is the other Exchange RCE bug listed this month, and like its twin this month, is rated as important but considered more likely to be exploited. This also requires an attacker to be authenticated, so an attacker will need valid credentials.

According to researchers, both Exchange Server bugs closely mirror the vulnerabilities identified as part of the ProxyNotShell exploits. Successful exploitation could result in an attacker gaining access to an organization’s email account, or even the ability to impersonate any user.

Since attackers are adept at stealing valid credentials via phishing attacks, these should not be ignored.

CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

According to researchers, this critical-rated vulnerability is used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft lists enabling the AMSI feature to mitigate this flaw, but organizations are still urged to deploy the update as soon as possible.

Exploitation is achieved by sending a spoofed JWT authentication token to a vulnerable server, giving the attacker the privileges of an authenticated user on the target, researchers say.

CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

This trio of vulnerabilities, all critical-rated, allows a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row that Microsoft has patched a critical-rated bug in this component.

For successful exploitation, a system must have the message queuing service enabled.

For further June 2023 Patch Tuesday analysis, consult research blogs from Zero Day Initiative, Tenable, Immersive Labs and others.

Barracuda: Replace Compromised ESG Appliances Immediately
Published Mon, 12 Jun 2023, https://mytechdecisions.com/network-security/barracuda-replace-compromised-esg-appliances-immediately/

[Editor’s Note: This article has been updated to reflect Barracuda Networks’ official statement.]

Barracuda Networks is urging organizations with Email Security Gateway appliances impacted by a remote command injection bug in the devices to replace them, even if they were patched.

The company’s recommendation comes after Barracuda was first alerted to anomalous traffic coming from Email Security Gateway (ESG) appliances on May 18, which prompted the company to begin an investigation with the help of cybersecurity firm Mandiant.

This week, Barracuda updated its notice, urging customers with impacted ESG appliances to replace them regardless of their patch version level.

“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company says in its advisory.

According to the advisory, Barracuda identified a remote command injection vulnerability in their ESG appliance one day after discovering the “anomalous traffic” and engaging Mandiant. A patch was released a day after that on May 20, but the patch is apparently not enough to prevent compromise of the affected devices.

The company is also releasing a “series of security patches” to all appliances.

Exploitation for 10 months

Alarmingly, Barracuda and other cybersecurity firms say exploitation of these ESG appliances has been discovered to date back to fall 2022, specifically October 2022.

According to Barracuda, the vulnerability existed in a module which initially screens attachments of incoming emails. The bug has been leveraged to obtain unauthorized access to a subset of ESG appliances, and malware was identified on a subset of appliances to give attackers a backdoor.

Evidence of data exfiltration was also identified, the company says.

The company notified users with impacted appliances to take action, but “additional customers may be identified in the course of the investigation,” the firm says.

About the vulnerability and malware

According to Barracuda, the vulnerability, CVE-2023-2868, stems from “incomplete input validation of user supplied .tar files as it pertains to the names of files contained within the archive.”

This allows a remote attacker to format file names in a particular manner that would result in “remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the company says.
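As an added illustration (not Barracuda’s code, and written in Python rather than the appliance’s Perl), the following shows the defender-side check the advisory’s description implies: every member name in an uploaded archive is inspected against a strict allow-list before any downstream processing, so a name containing shell metacharacters or path traversal is rejected rather than ever reaching a shell operator. The regex, the helper names and the in-memory sample archives are assumptions constructed for this example.

```python
import io
import re
import tarfile

# Allow-list for archive member names: only characters that a shell never
# interprets. Anything else (backticks, $, ;, |, quotes, spaces, newlines)
# is rejected outright; escaping is deliberately not attempted. The exact
# character set is an assumption for this example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def check_member_name(name):
    """Return None if the member name is acceptable, else the reason it is not."""
    if not name:
        return "empty name"
    if not SAFE_NAME.fullmatch(name):
        return "disallowed character"
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal"
    return None


def vet_archive(tar_bytes):
    """Inspect every member of a tar archive without extracting or running anything.

    Returns a list of (name, reason) pairs for members that fail validation;
    an empty list means every name passed the allow-list and the archive may
    be handed to the next processing stage.
    """
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = check_member_name(member.name)
            if reason is not None:
                rejected.append((member.name, reason))
    return rejected


def build_archive(names):
    """Constructed sample input: an in-memory tar with one empty file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_archive(["invoice.pdf", "docs/report-2023.txt"])
    print("clean archive rejections:", vet_archive(clean))
    suspect = build_archive(["invoice.pdf", "report;id.pdf", "../etc/x", "a b.txt"])
    for name, reason in vet_archive(suspect):
        print(f"reject {name!r}: {reason}")
```

A gateway that only ever passes member names through such a check, and never interpolates them into a command string, removes the injection path the advisory describes regardless of how the attachment was formatted.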

Barracuda also identified three malware strains that make the backdoor possible.

Recommendations

Barracuda is recommending that organizations with ESG appliances ensure that the devices are receiving and applying updates and security patches, but the company is of course also recommending that organizations discontinue the use of compromised ESG appliances and contact the company’s support to obtain a new ESG virtual or hardware appliance.

In addition, organizations should rotate any applicable credentials connected to the ESG appliance, including:

  • Any connected LDAP/AD
  • Barracuda Cloud Control
  • FTP Server
  • SMB
  • Any private TLS certificates

Organizations should also review their network logs for any of the indicators of compromise listed in Barracuda’s advisory. They should contact compliance@barracuda.com if any are identified, the firm says.

Barracuda’s official statement

The company’s official statement reads as such:

The latest information related to Barracuda’s Email Security Gateway (ESG) vulnerability and incident has been published on Barracuda’s Trust Center (https://www.barracuda.com/company/legal). The product CVE is published here: https://nvd.nist.gov/vuln/detail/CVE-2023-2868

An ESG product vulnerability allowed a threat actor to gain access to and install malware on a small subset of ESG appliances. On May 20, 2023, Barracuda deployed a patch to ESG appliances to remediate the vulnerability.

Not all ESG appliances were compromised, and no other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability.

As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability. Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.

We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident.

Barracuda’s guidance remains consistent for customers. Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance. If a customer received the User Interface notification or has been contacted by a Barracuda Technical Support Representative, the customer should contact support@barracuda.com to replace the ESG appliance. Barracuda is providing the replacement product to impacted customers at no cost.

If you have questions on the vulnerability or incident, please contact compliance@barracuda.com. Please note that our investigation is ongoing, and we are only sharing verified information.

Barracuda has engaged and continues to work closely with Mandiant, leading global cyber security experts, in this ongoing investigation.

We will provide updates as we have more information to share.

Cisco Live 2023: Simplified Management, Enhanced Security, AI
Published Tue, 06 Jun 2023, https://mytechdecisions.com/it-infrastructure/cisco-live-2023-simplified-management-enhanced-security-ai/

Cisco used its annual Cisco Live event to announce new products and innovations designed to make IT management, security and networking more simplified with the help of artificial intelligence, unified platforms and other enhanced capabilities.

At Cisco Live in Las Vegas, Cisco announced Cisco Networking Cloud for simplified IT management, the security service edge solution Cisco Secure Access, a new Secure Firewall 4200, Cisco Multicloud Defense, Cloud Native Application Security, Full-Stack Observability, a generative AI-powered security assistant and a new Webex device.

Cisco Networking Cloud

Cisco announced its vision for the Cisco Networking Cloud: to simplify network management via a single platform experience for seamlessly managing all networking domains.

New innovations include single sign-on, API key exchange/repository, sustainable data center networking solutions and expanded network assurance with Cisco ThousandEyes.

Cisco says Networking Cloud will “dramatically simplify IT” with a more flexible Cisco Catalyst switch stack, improved visibility into data center power and energy consumption and new AI data center blueprints to improve performance and visibility for network operations.

Security enhancements

Cisco announced several new security tools and enhancements, including a new security service edge solution for hybrid work security, generative AI capabilities and innovations across firewall, multicloud and application security.

The company during its Cisco Live event announced its first generative AI capabilities in the Security Cloud, including an AI-powered Policy Assistant designed to help security and IT administrators describe granular security policies and evaluate how best to implement them across different aspects of their security infrastructure. It will be available later this year.

Cisco also announced a new SOC Assistant, available by the end of the year, to help support SOC analysts and detect and respond to threats faster by contextualizing events across email, web, endpoints and the network to tell the analyst what happened and the impact.

In addition, Cisco announced the Cisco Secure Firewall 4200 Series, featuring AI and ML-based encrypted threat blocking without decryption, complete threat inspection and policy for each individual application, and simplified branch routing. The Cisco Secure Firewall 4200 Series appliance will be generally available in September 2023 supporting version 7.4 of the operating system. The 7.4 OS will be generally available for the rest of the Secure Firewall appliance family in December 2023.

Cisco also announced new capabilities in Panoptica, the company’s cloud-native application security solution including Cloud Security Posture Management, a new attack path engine and an integration with Cisco’s Full Stack Observability portfolio.

Full-Stack Observability

The company also used its Cisco Live event to announce the general availability of its Full-Stack Observability (FSO) platform to give customers the ability to develop and grow an application ecosystem built on an open, extensible architecture, including new use cases in a single consumption model. Additionally, Cisco’s new bi-directional integration between AppDynamics and ThousandEyes drives powerful customer digital experience monitoring and closes observability gaps with rapid actionable recommendations and insights, the company says.

Room Bar Pro

Also at Cisco Live, Cisco announced the Room Bar Pro, a new easy-to-deploy video bar with “significant processing power, more connections, touch screen integration, and all of the advanced AI capabilities built into (Cisco’s) RoomOS platform.”

Cisco says the Room Bar Pro, based on the powerful NVIDIA processor, is optimized for medium workspaces (5-12 seats) of varying shapes. The device also features a dual camera system that reaches further, wider, and frames everyone in the room in ultra-high quality, even when participants are sitting at the ends of the table.

Email Attacks are Evading Security Protections. Here’s How Security Teams Should Respond.
Published Tue, 06 Jun 2023, https://mytechdecisions.com/network-security/email-security-sophisticated-threats/

Instances of business email compromise (BEC) – a targeted form of phishing in which attackers try to scam companies out of money or goods or trick employees into giving up sensitive info – have continued to increase, causing devastating impacts. Last year, the FBI’s Internet Crime Complaint Center (IC3) reported $43 billion of global exposed losses due to BEC between 2016 and 2021.

Additionally, a Data Breach Investigations Report from Verizon showed that web applications and email are the top two vectors for breaches. Because they’re often internet-facing, web apps and email can provide a useful avenue for attackers to try and slip through an organization’s perimeter – and their tricks are only growing more sophisticated.

So what can security teams and end users do to combat these increasingly sophisticated email threats? Here are a few tips on how to keep email attacks from getting through.

Watch out for evolving phishing attempts

Many successful email compromises can be attributed to phishing attacks becoming more advanced. Historically, BEC would entail a bad actor stealing a user’s alias and password – maybe by sending them a fake Office or Google login form to fill out – and hoping they don’t encounter multifactor authentication (MFA), which could remediate the attack.

However, the last few years have seen new approaches, like an increase in the use of social engineering to secure MFA tokens, where bad actors trick users into providing their one-time MFA passcode. The attacker may try push bombing, where they spam the end user with notifications to authenticate until the user finally accepts it out of fatigue. Or they may use newer malicious proxies and tools that adopt the traditional phishing approach of stealing a username and password by sending a fraudulent link for the user to click. But these proxies can bypass MFA by completing the entire authentication transaction and securing an authenticated session.

Unfortunately, all these new approaches and commoditized tools mean BEC continues to be a lucrative attack vector for malicious actors. With defense often one step behind, end users must stay vigilant. Whenever something looks suspicious, rely on other communication channels to confirm a message’s legitimacy before carrying out an action that could be damaging to you or your organization.

Adopt a layered security approach

There is no magic bullet to cybersecurity; you can’t rely on a single control, policy, or training session for end users. Therefore, a layered approach with various tools, procedures, and training is necessary to be effective. Should one layer fail, another will be there to pick up the slack.

Security teams must identify the technical controls they can implement to minimize the impact of phishing in the instance that an attack gets through. A DNS firewall prevents network users and systems from connecting to known malicious internet locations and can effectively neutralize links to a bad destination. To combat malware, proactive anti-malware tools can monitor unusual behavior (instead of using signature-based detection) to identify malicious software and keep it from infecting computers and other devices.

Make sure to employ tools that can quickly identify and respond to attacks that slip through the cracks. Strong endpoint detection and response (EDR) tools can enhance visibility within your network to detect malicious activity and act on it before the incident grows. Finally, leverage MFA, as it remains the single best measure a security team can implement to protect against authentication attacks. Reinforce MFA with social engineering training for end users so that this line of defense remains strong.

Build a security-first culture

Most security professionals understand that no defense is perfect, especially with human behavior involved. They recognize the need for security awareness training since a successful attack is often the result of human error. The importance of training only grows as the methods for deceiving end users continue to evolve.

Security teams must continuously train users to be hyper-aware of business email compromise. Put a heavy emphasis on email phishing, spear phishing and social engineering. Since many attacks can come from vectors beyond email – via text message, over WhatsApp or other messaging applications, or voice calls via deepfake software – it’s important that users understand the entire range of threats.

Building a culture that promotes security awareness and in which users are comfortable coming to the IT team to flag an issue or suspicious activity is key. If a user is the victim of a phishing attempt, empower them to quickly notify IT so the threat can be addressed swiftly. Shaming them will only have negative consequences. You don’t want a user to hide a mistake they made, resulting in further risk of damage to the organization. Create a culture where users feel they are part of the security team and on the lookout for phishing attempts and malicious activity. More watchful eyes will create strength in numbers.

A skeptical mindset is a necessary tool in the current threat landscape. A bad actor will often compromise the account of a familiar party like a co-worker, partner, or vendor and use that in a phishing attempt. Remember: A message that appears to be from a trusted source isn’t always a trusted message. Take an extra second to double-check suspicious requests and cover your bases. Staying alert is the best protection you can have.

When it comes to email or other messaging-based cybersecurity threats, the reality is you will never get the click rate down to zero. But your security team should focus on getting your click rate as low as possible so your technical controls can pick up the slack wherever it’s needed.

______________________________________________________________________________________________________________________________________

Trevor Collins, is a Network Security Engineer at WatchGuard Technologies.

The post Email Attacks are Evading Security Protections. Here’s How Security Teams Should Respond. appeared first on My TechDecisions.

Ransomware Groups Confirmed to be Exploiting MOVEit Bug https://mytechdecisions.com/it-infrastructure/ransomware-groups-confirmed-to-be-exploiting-moveit-bug/ Mon, 05 Jun 2023 20:55:53 +0000

Cybersecurity firms are reporting widespread exploitation of the MOVEit Transfer vulnerability across a wide range of organizations large and small, with some publicly confirming that known ransomware groups are leveraging the flaw.

That includes Microsoft, which is attributing the attacks exploiting the bug, tracked as CVE-2023-34362, to a group it calls “Lace Tempest,” which is known for ransomware operations and running the Clop extortion site.

The Redmond, Wash. tech giant says the group has used similar vulnerabilities in file transfer tools to steal data and extort victims in the past.

In a series of tweets, the Microsoft Threat Intelligence Twitter account revealed several details on the attacks, saying exploitation is typically followed by deployment of a web shell with data exfiltration capabilities.

According to Progress Software, the vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. MOVEit Transfer customers are advised to take immediate action to help protect their environment. Organizations are urged to apply the patch immediately.

According to a statement from a MOVEit spokesperson, the company promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. “We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Affecting all supported MOVEit Transfer versions, CVE-2023-34362 is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the company says.

In the meantime, Progress says it is continuing to work with cybersecurity experts to investigate the issue. A company spokesperson said in a statement, “We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

Experts Weigh in On MOVEit Vulnerability

On Monday, reports of widespread exploitation came pouring in, as several security firms say their customers are under active attack.

Caitlin Condon, senior manager for security research at Rapid7, says the company has responded to alerts across a range of organizations from small businesses to enterprises with “tens of thousands of assets.”

There doesn’t appear to be any particular target vertical or organizational profile, Condon says, as victim organizations have so far included technology, insurance, manufacturing, municipal government, healthcare and financial services. The amount of data stolen varies case by case, but Rapid7 has responded to “multiple incidents where several dozen gigabytes of data was stolen,” Condon says.

In a Rapid7 blog, the company says it has observed an uptick in related cases since the bug was disclosed last week, and the company’s researchers say the vulnerability was exploited at least four days prior to Progress Software’s first advisory on May 31.

These updates confirm what Satnam Narang, senior staff research engineer at Tenable, said last week, attributing the exploitation of file transfer tools to double extortion ransomware groups like Clop.

“While we don’t know the specifics around the group behind the zero day attacks involving MOVEit, it underscores a worrisome trend of threat actors targeting file transfer solutions,” Narang said last week. “Organizations that use MOVEit software should assume compromise and engage in incident response to determine the potential impact, if any.”

MOVEit customers are advised to check for indicators of compromise and unauthorized access over at least the past 30 days.

The post Ransomware Groups Confirmed to be Exploiting MOVEit Bug appeared first on My TechDecisions.

FortMesa Joins CompTIA to Strengthen Cybersecurity Culture Throughout MSP Community https://mytechdecisions.com/news-1/fortmesa-comptia-cybersecurity-trustmark/ Mon, 05 Jun 2023 20:19:45 +0000

FortMesa, the Spencertown, N.Y.-based provider of security enablement tools for IT service provider companies, announced its support for the new CompTIA Cybersecurity Trustmark program.

FortMesa’s Continurisk GRC (governance, risk and compliance) platform will be deployed to support the new Trustmark program from CompTIA, the Downers Grove, Ill.-based nonprofit association for the global technology industry and workforce.

“The work CompTIA is doing in building a scalable cyber credibility model for MSPs and other IT providers is core to the FortMesa ethos and an essential part of rebuilding public trust in outsourced information technology systems – we’re all very excited to support this mission,” said Mathew Fisch, founder and CEO of FortMesa, in a statement.

FortMesa’s GRC platform will:

  • Allow CompTIA Cybersecurity Trustmark applicants to track progress in addressing and completing the standards outlined in Trustmark documentation.
  • Be accessible to CompTIA members as they enroll in the Trustmark program.
  • Provide actuarial insights and feedback to the Trustmark program.

“MSPs will be able to measure the effectiveness of their evolving security program as they progress through the Trustmark process. The addition of FortMesa as a Cybersecurity Programs partner and the inclusion of its GRC platform are exciting and important developments for our Trustmark program and for the global MSP community,” said Wayne Selk, vice president, cybersecurity programs at CompTIA, in a statement.

The CompTIA Cybersecurity Trustmark details a clear path for MSPs to achieve foundational cybersecurity hygiene, laying the groundwork for a functional security program within the organization.

The Trustmark maps to several control frameworks recognized as industry-accepted best cybersecurity practices, including the Center for Internet Security Critical Security Controls, ISO/IEC 27001, the National Institute of Standards and Technology (NIST) SP 800-171, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.

The post FortMesa Joins CompTIA to Strengthen Cybersecurity Culture Throughout MSP Community appeared first on My TechDecisions.

The Cyberattacks and Insider Threats During The Development of China’s C919 Passenger Jet https://mytechdecisions.com/network-security/the-cyberattacks-and-insider-threats-during-the-development-of-chinas-c919-passenger-jet/ Mon, 05 Jun 2023 19:59:22 +0000

Over the weekend, China claimed a major win by launching the first commercial flight of the C919, the country’s first domestically manufactured large passenger jet built by the Commercial Aviation Corporation of China (COMAC). However, some non-China-based aviation manufacturers and cybersecurity firms may opt to use the term “domestically manufactured” loosely.

According to CNN, the C919’s first flight left Shanghai at 10:32 am. Sunday and landed at the Beijing Capital International Airport at 12:31 p.m. This is being hailed as an important moment in China’s strategy to boost domestic manufacturing by 2025 and reduce reliance on foreign companies in the aviation sector.

While manufactured in China, many of the airplane’s components come from Western companies. Adding to the scrutiny of the aircraft’s development are allegations that a Chinese state-aligned adversary conducted cyber intrusions against several of the companies that make the C919’s components. These allegations are detailed in a lengthy 2019 report from cybersecurity firm CrowdStrike as well as a series of U.S. indictments against both cyber operators and insiders.

CrowdStrike could not be reached for comment, so this article is sourced entirely from the firm’s report and U.S. Department of Justice indictments.

In its report, CrowdStrike says its research corroborates a series of DOJ indictments released over the course of two years during the C919’s development, which strongly suggest that cyber actors from China, company insiders and state directives were combined to target foreign companies and fill key technology and intelligence gaps, the better to compete against the Western aerospace industry.

“What follows is a remarkable tale of traditional espionage, cyber intrusions, and cover-ups, all of which overlap with activity CrowdStrike Intelligence has previously attributed to the China-based adversary TURBINE PANDA,” CrowdStrike said in the 2019 report, alleging that the operations can be traced back to China’s Ministry of State Security’s (MSS) Jiangsu Bureau, the alleged perpetrators of the infamous 2015 U.S. Office of Personnel Management (OPM) breach.

Cyberattacks beginning in 2010

According to CrowdStrike, Turbine Panda conducted cyber intrusions between 2010 and 2015 against foreign manufacturers of aviation components, including many that were chosen for the C919.

The state-owned enterprise (SOE) Commercial Aircraft Corporation of China announced in December 2009 that it had chosen CFM International’s (a joint venture between U.S.-based GE Aviation and French aerospace firm Safran, formerly Snecma) LEAP-X engine to provide a custom variant engine, the LEAP-1C, for the then-newly announced C919.

Despite the deal, both COMAC and fellow SOE the Aviation Industry Corporation of China were believed to be tasked by China’s State-owned Assets Supervision and Administration Commission of the State Council (SASAC) with building an “indigenously created” turbofan engine comparable to the LEAP-X, CrowdStrike says in its report. In 2016, the Aero Engine Corporation of China produced the CJ-1000AX engine, which bears multiple similarities to the LEAP-1C.

While CrowdStrike acknowledged that it is difficult to assess whether the Chinese engine is a direct copy, the firm said it is highly likely that its makers benefited significantly from the cyber campaign of the Jiangsu Bureau of the MSS (JSSD).

CrowdStrike, citing its own intelligence reporting and U.S. government sources, says the Chinese government uses a “multi-faceted system” of forced technology transfer, joint ventures, physical theft from insiders and cyber espionage to acquire information to fill key knowledge gaps.

One DOJ indictment, CrowdStrike says, describes initial preparatory action that included “compromising Los Angeles-based Capstone Turbine servers and later using a doppelganger site as a strategic web compromise (SWC) in combination with DNS … to compromise other aerospace firms.”

From 2010 to 2015, the linked JSSD operators are believed to have targeted a variety of aerospace-related targets … using two China-based APT favorites, PlugX and Winnti, and malware assessed to be unique to the group dubbed Sakula.

Many individuals associated with the campaign are “assessed to have storied histories in legacy underground hacking circles within China dating back to at least 2004,” CrowdStrike says, citing the DOJ.

Indictments

As detailed in CrowdStrike’s report, the U.S. Department of Justice released several indictments from 2017 through October 2018, charging several individuals with activities related to theft of trade secrets and hacking related to the development of the C919.

The indictments were against Sakula developer YU Pingan, JSSD Intelligence Officer XU Yanjun, GE employee and insider ZHENG Xiaoqing, U.S. Army Reservist and assessor JI Chaoqun, and 10 JSSD-affiliated cyber operators.

“What makes these DoJ cases so fascinating is that, when looked at as a whole, they illustrate the broad, but coordinated efforts the JSSD took to collect information from its aerospace targets,” CrowdStrike says in its report. “In particular, the operations connected to activity CrowdStrike Intelligence tracked as TURBINE PANDA showed both traditional human-intelligence (HUMINT) operators and its cyber operators working in parallel to pilfer the secrets of several international aerospace firms.”

Insiders

CrowdStrike and the DOJ also detail how insiders and IT employees helped steal information and cover up the cyber activity, offering insight into how adversaries combine a wide variety of tools and techniques to accomplish their goals.

According to CrowdStrike and the DOJ, a GE insider was charged with using “an elaborate and sophisticated means” to steal GE trade secrets after being recruited by a Chinese aerospace official closely aligned with the country’s Ministry of Industry and Information Technology.

In addition, IT employees at the Canada-based International Civil Aviation Organization (ICAO), the United Nations body that sets global aviation standards, allegedly covered up a cyber intrusion by another alleged China state-sponsored actor that had been observed targeting the aviation industry.

CrowdStrike, citing public reporting, says the intrusion at ICAO was “likely designed to facilitate a strategic web compromise (SWC) attack … that would easily provide a springboard to target a plethora of other aerospace-related as well as foreign government victims.”

“Upon being alerted to the breach by the Aviation Information Sharing and Analysis Center (AISAC), the ICAO internal IT investigation staff was reportedly grossly negligent, and the cyber intruders may have had direct access to one of their superuser accounts,” CrowdStrike says in its report. “In addition, a file containing a list of all the potential organizations who were compromised by the incident mysteriously disappeared during further investigations.”

Both the ICAO IT supervisor in charge of the mishandled internal investigation and the ICAO secretary general who shelved recommendations to investigate the IT supervisor and his four team members were found by CrowdStrike to have ties to China’s aviation industry.

Takeaways from four years later

This article is just a snippet of CrowdStrike’s reporting and what Turbine Panda and other associated groups are alleged to have done to help boost the Chinese aviation sector. But more than that, it tells the tale of how advanced persistent threat (APT) groups and other sophisticated threat actors will go to extraordinary means to accomplish their end goals.

That includes advanced hacking techniques, leveraging insiders, physical theft and collaborating with the massive underground cybercrime community to launch multi-faceted attacks against a particular organization or industry.

The post The Cyberattacks and Insider Threats During The Development of China’s C919 Passenger Jet appeared first on My TechDecisions.

Act Now: Vulnerability in Progress Software’s MOVEit Transfer Software https://mytechdecisions.com/network-security/act-now-vulnerability-progress-softwares-moveit-transfer-software/ Fri, 02 Jun 2023 15:14:27 +0000

Cybersecurity companies and researchers are sounding the alarm on a new zero-day vulnerability in Progress Software’s MOVEit Transfer solution, with attackers pouncing on the vulnerability since it was disclosed by Progress Software on May 31.

According to Progress Software, the vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. MOVEit Transfer customers are advised to take immediate action to help protect their environment. Organizations are urged to apply the patch immediately.

Affecting all supported MOVEit Transfer versions, the bug is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the company says.

Defending against the MOVEit zero-day vulnerability

To prevent exploitation of the vulnerability, organizations are urged to disable all HTTP and HTTPS traffic to their MOVEit Transfer environment, delete any unauthorized files and user accounts, reset credentials, and apply the patch. Customers on unsupported versions should upgrade to a supported version, Progress Software says.

After applying the patch, organizations should re-enable HTTP and HTTPS traffic, verify that no unauthorized accounts remain, and continue to monitor the network, endpoints and logs for indicators of compromise, looking back at least a month.

Read the company’s advisory for additional security best practices to help defend against exploitation of this vulnerability, which, as of Friday, had no CVE assigned.

According to cybersecurity firm Rapid7, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet as of May 31, with the majority located in the U.S. Similar SQLi-to-RCE flaws in network edge systems can provide threat actors with initial access to corporate networks, the company says.

Rapid7 says its researchers observed the same webshell name in multiple customer environments, which could be an indicator of automated exploitation.

Rapid7 analyzed a sample webshell payload associated with successful exploitation. The webshell code would first determine if the inbound request contained a header named X-siLock-Comment, and would return a 404 “Not Found” error if the header was not populated with a specific password-like value. As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory (human.aspx is the native aspx file used by MOVEit for the web interface).
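
A threat-hunting sketch for the indicators above, which also covers the advice earlier in this article (and in the companion piece on the ransomware groups) to look back at least a month for signs of compromise. It is an added example, not code from Progress Software or Rapid7. It assumes W3C-format IIS logs that carry a `#Fields` directive, a known-good baseline of wwwroot pages (only `human.aspx` is named on the page; the rest would come from a clean install), and the log lines and reference date are constructed.

```python
# Added example: threat-hunting helpers for the MOVEit Transfer web shell
# described above. This is not code from Progress Software or Rapid7; the log
# lines, the reference date and the wwwroot baseline are constructed.
import os
from datetime import datetime, timedelta

# Only human.aspx is named on the page as a legitimate MOVEit page. A real
# baseline comes from a clean install of the same version (assumption).
KNOWN_GOOD_ASPX = {"human.aspx"}
WEBSHELL_FILE = "human2.aspx"
WEBSHELL_HEADER = "x-silock-comment"   # header the shell uses as its password
LOOKBACK = timedelta(days=30)          # advisory coverage: look back at least a month
REFERENCE_NOW = datetime(2023, 6, 2)   # constructed "now" for the demo


def triage_wwwroot(names):
    """Classify file names from the MOVEit wwwroot folder.

    Returns (confirmed, review): `confirmed` holds files matching the web shell
    name seen in the wild; `review` holds other .aspx files outside the baseline
    that need a manual look before the instance is declared clean.
    """
    confirmed, review = [], []
    for name in names:
        lower = name.lower()
        if lower == WEBSHELL_FILE:
            confirmed.append(name)
        elif lower.endswith(".aspx") and lower not in KNOWN_GOOD_ASPX:
            review.append(name)
    return confirmed, review


def list_wwwroot(install_dir):
    """File names in the wwwroot folder of an on-disk install (top level only)."""
    return os.listdir(os.path.join(install_dir, "wwwroot"))


def request_is_suspicious(path, headers):
    """Per-request check for a reverse proxy or WAF hook in front of MOVEit.

    Flags a request for the web shell path, or any request carrying the
    X-siLock-Comment header (matched case-insensitively, whatever its value).
    """
    if os.path.basename(path.split("?")[0]).lower() == WEBSHELL_FILE:
        return True
    return any(k.lower() == WEBSHELL_HEADER for k in headers)


def hunt_iis_log(lines, now=REFERENCE_NOW):
    """Scan W3C-format IIS log lines for requests to the web shell within LOOKBACK.

    Column positions are taken from the #Fields directive, so the site's
    logging configuration does not have to match the sample below.
    Returns a list of (timestamp, client_ip, status) tuples.
    """
    fields, hits = None, []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = dict(zip(fields, line.split()))
        if os.path.basename(cols.get("cs-uri-stem", "")).lower() != WEBSHELL_FILE:
            continue
        when = datetime.strptime(cols["date"] + " " + cols["time"], "%Y-%m-%d %H:%M:%S")
        if now - when <= LOOKBACK:
            hits.append((when, cols.get("c-ip", "?"), cols.get("sc-status", "?")))
    return hits


# Constructed IIS log: one legitimate hit on human.aspx, two hits on the shell
# inside the look-back window, and one older hit that should be ignored.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-27 03:14:07 10.0.0.5 GET /human.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2023-05-27 03:14:09 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-27 03:14:10 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.9 curl/7.88 404
2023-04-01 11:00:00 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    print("wwwroot triage:", triage_wwwroot(["human.aspx", "human2.aspx", "logo.png"]))
    for when, client, status in hunt_iis_log(SAMPLE_LOG):
        print(f"web shell request at {when} from {client} (HTTP {status})")
```

Two details matter when turning this into a real hunt. The shell answers 404 to any request that lacks the X-siLock-Comment header, so a query that filters on 2xx status codes would miss the probing traffic; match on the path alone, as the log scan does. And IIS does not record custom request headers by default, which is why the header check lives in the per-request hook rather than in the log parser.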

Ransomware groups leveraging file transfer solutions

The vulnerability in MOVEit Transfer is the latest case of cybercriminals targeting file transfer tools, specifically by ransomware groups that are moving away from encryption and focusing solely on data theft to compel their victims to pay the ransom.

Satnam Narang, senior staff research engineer at Tenable, says file transfer applications have become increasingly popular targets for ransomware groups since late 2020. One group in particular, Clop, has breached “hundreds of organizations” that use those tools to transfer sensitive data.

“While we don’t know the specifics around the group behind the zero day attacks involving MOVEit, it underscores a worrisome trend of threat actors targeting file transfer solutions,” Narang says. “Organizations that use MOVEit software should assume compromise and engage in incident response to determine the potential impact, if any.”

The post Act Now: Vulnerability in Progress Software’s MOVEit Transfer Software appeared first on My TechDecisions.
