Hackers Target EDR Tools, Nuke Account Spouts Gibberish, Ransomware Labelled National Security Threat
1. Threat Actors Exploit Weaknesses in EDR Tools
- Endpoint Detection and Response (EDR) tools are designed to recognize and react to suspicious endpoint activity on a corporate network. Most EDR tools combine signature-based malware detection with heuristic analysis, sandboxing, and other security techniques to respond to cyber-threats. This technology lets IT security teams quickly isolate an affected endpoint before an infection spreads across the entire network.
- Most EDR tools use “hooking” to detect suspicious processes launched on a network. However, threat actors have discovered a simple way to modify the hooks in a system’s DLLs so that malicious code evades the EDR’s detection mechanisms.
- According to security researchers, this customized circumvention of EDR security controls is often implemented by writing malicious system-call functions into a legitimate system process and then directing the operating system (OS) to execute them. This undermines the EDR tool’s ability to pick up on changes in normal process and function behavior.
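One check a defender can run against the bypass described above is a hook-integrity sweep: compare each hooked export’s in-memory prologue with the bytes the monitor originally wrote and with the clean on-disk copy, and flag any hook that has been put back to the file’s bytes or overwritten with something else. The following is an added illustration, not code from the original article or from any EDR vendor; the module image, export names, offsets, and trampoline address are a constructed toy rather than a parser for real Windows PE files.

```python
"""Hook-integrity check for a user-mode API monitor (the kind of inline
hooking EDR agents use), written as an added illustration: the module
image, export table and offsets below are a constructed toy, not a
parser for real Windows PE files or a real EDR's hook table."""
from dataclasses import dataclass

PROLOGUE_LEN = 5  # a 5-byte relative JMP is the classic inline-hook footprint


@dataclass(frozen=True)
class Export:
    name: str
    offset: int  # offset of the function entry within the module image


def prologue(image: bytes, exp: Export) -> bytes:
    """First PROLOGUE_LEN bytes of an export in the given image copy."""
    return bytes(image[exp.offset:exp.offset + PROLOGUE_LEN])


def check_hooks(disk_image: bytes, mem_image: bytes, exports, expected_hooks: dict) -> dict:
    """Classify every export by comparing its in-memory prologue against the
    clean on-disk copy and against the hook bytes the monitor installed.

    hooked   : the monitor's hook is still in place
    unhooked : the hook was replaced by the clean on-disk bytes
    modified : bytes match neither the hook nor the clean file copy
    clean    : never hooked by the monitor and identical to the on-disk copy
    """
    report = {}
    for exp in exports:
        on_disk = prologue(disk_image, exp)
        in_mem = prologue(mem_image, exp)
        hook = expected_hooks.get(exp.name)
        if hook is not None and in_mem == hook:
            report[exp.name] = "hooked"
        elif hook is not None and in_mem == on_disk:
            report[exp.name] = "unhooked"
        elif in_mem == on_disk:
            report[exp.name] = "clean"
        else:
            report[exp.name] = "modified"
    return report


# Constructed toy module: three exports, each starting with the same clean prologue.
EXPORTS = [Export("FuncA", 0x10), Export("FuncB", 0x20), Export("FuncC", 0x30)]
CLEAN_PROLOGUE = b"\x55\x48\x89\xe5\x90"  # push rbp; mov rbp, rsp; nop


def build_disk_image() -> bytes:
    """The 'file on disk': a 64-byte blob with the clean prologue at each export."""
    img = bytearray(0x40)
    for exp in EXPORTS:
        img[exp.offset:exp.offset + PROLOGUE_LEN] = CLEAN_PROLOGUE
    return bytes(img)


def install_hook(mem: bytearray, exp: Export, trampoline: int) -> bytes:
    """Overwrite the prologue with JMP rel32 to `trampoline` and return the
    bytes written, so the monitor can later verify its own hook."""
    rel = trampoline - (exp.offset + PROLOGUE_LEN)
    patch = b"\xe9" + rel.to_bytes(4, "little", signed=True)
    mem[exp.offset:exp.offset + PROLOGUE_LEN] = patch
    return patch


def demo() -> dict:
    """Hook two exports, then simulate tampering in the loaded copy and run the check."""
    disk = build_disk_image()
    mem = bytearray(disk)  # the 'loaded' copy starts identical to the file
    expected = {
        "FuncA": install_hook(mem, EXPORTS[0], 0x100),
        "FuncB": install_hook(mem, EXPORTS[1], 0x100),
    }
    # Simulated tampering, applied to the loaded copy only:
    mem[0x20:0x25] = disk[0x20:0x25]  # FuncB's hook put back to the clean bytes
    mem[0x30:0x35] = b"\xcc" * 5      # FuncC overwritten with something else
    return check_hooks(disk, bytes(mem), EXPORTS, expected)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The useful signal is the distinction between the three non-“hooked” outcomes: an export that has silently returned to its on-disk bytes is the case the article describes, while an export that matches neither copy points at a different kind of tampering, and both deserve an alert rather than a quiet re-hook.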
Expert Commentary: The cybersecurity market is currently flooded with specialized tools that often promise ‘absolute security.’ However, it is critical to note that there is no such thing as a “safe system,” because threat actors are always seeking new ways to circumvent security controls. Therefore, equipping IT teams with an intelligent security tool that self-corrects and evolves its preventive, detective, and corrective mechanisms in step with security trends is best suited to today’s dynamic threat landscape.
2. U.S. Government Designates Ransomware as a National Security Threat
- Ransomware attacks have impacted otherwise secure U.S. government networks, especially in the wake of the far-reaching SolarWinds supply-chain attack. As such, the U.S. Secretary of Homeland Security (Alejandro Mayorkas) declared ransomware attacks a National Security Threat, posing a critical challenge to government and corporate entities alike.
- The DHS Secretary highlighted five key areas where the government could improve: ransomware detection, information sharing, modernization of federal cybersecurity infrastructures, federal incident response, and federal IT procurement processes.
- To tackle ransomware attacks against government entities, which Secretary Mayorkas referred to as a “monumental challenge,” the U.S. Department of Homeland Security is developing new initiatives, including 60-day ‘cyber sprints,’ aimed at strategizing urgent countermeasures to better protect both government and corporate critical infrastructures.
Expert Commentary: To security experts, ransomware attacks have always had the potential to become a National Security threat. However, the recent exposure from the SolarWinds supply-chain cyber-attack by Russian-sponsored threat actors, followed by a Microsoft Exchange compromise attributed to Chinese-sponsored threat actors, has proven to global leaders that ransomware tactics, techniques, and procedures are evolving rapidly. In today’s age of digital transformation, the digital world is the new battleground, and attributing an attack to a specific actor is the greatest challenge. Therefore, the U.S. government must engage with both academic and corporate entities to ensure that an information-sharing channel remains open at all times, because all hands must be on deck to tackle this elusive National Security Threat known as “Ransomware.”
3. A Child Tweets Gibberish from U.S. Nuke Accounts
- A social media manager for the U.S. Strategic Command, which controls the launch codes for U.S. nuclear warheads, left his laptop open, unsecured, and unattended while working from home. The social media manager’s child noticed the unattended laptop and, without realizing what the account was, posted a tweet consisting of the following gibberish: “;l;;gmlxzssaw.”
- Under heightened security protocols, the gibberish tweet set off a national security alarm, since the U.S. Strategic Command’s Twitter page (@USSTRATCOM) is often used as one of the primary sources of communication in today’s mass social media era.
- Although the U.S. Strategic Command did not designate this event a “security breach,” it is a solemn reminder of the level of vulnerability that exists for individuals working remotely within critical environments.
Expert Commentary: The COVID-19 pandemic reminded the cybersecurity community of the challenges associated with remote work environments – offsite workers have become more vulnerable to known and unknown threats, such as phishing, brute force, or even security misconfiguration errors. Security researchers found that since the COVID-19 lockdown, about 55% of remote workers have made damaging security errors while working from home, and the time to remediate such human errors now appears to be longer than normal, rendering otherwise secure environments vulnerable to cybercriminals.
4. More Security Solutions Does Not Mean More Protection
- An IT security research report involving 4,400 IT clients and IT experts, in 22 countries across six continents, found that running multiple cybersecurity solutions simultaneously did not prevent data loss in many organizations last year. Security researchers discovered that 68% of IT clients and 20% of IT experts said their network protection architecture made it nearly impossible to know whether data had been modified without their knowledge.
- Over 40% of IT clients were not sure what impact their malware detection and prevention tools had on stopping zero-day attacks from affecting critical data.
- More shockingly, a tenth of the IT experts didn’t know if their organization was subject to data security and privacy regulations, exposing their organization to a host of major penalties.
Expert Commentary: Visibility and insight are among the most important factors when considering which security tool to integrate into a corporate environment. However, many organizations believe that deploying the newest and most popular tool will improve their security posture. Unknowingly, such a move only blurs the line and adds a visibility gap for IT security teams, who simply need one intelligent automation tool that lets them focus on revenue-generating processes without worrying about mundane tasks that, in fact, increase their risk.
5. PHP’S ‘Git’ Server Compromised to Add Backdoors to PHP Source Codes
- Threat actors targeted the official PHP Git repository in a concerted effort to launch another major software supply-chain attack. Based on forensic reports from PHP, the attackers interfered with the source code hosted on PHP’s Git server, pushing two malicious Git repository (repo) commits designed to compromise the PHP codebase.
- According to the PHP development team, in an attempt to avoid suspicion, the threat actors pushed and signed off on the commits as though they had been initiated by authorized PHP developers and maintainers.
- Although PHP is still investigating this incident, to prevent any further escalation, PHP developers and maintainers have migrated the official PHP source code repository to GitHub, which provides robust access-control mechanisms for detecting and blocking rogue operations outside the scope of normal activity. Additionally, PHP codebase developers and maintainers decided to retire the git.php.net server for good.
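The commits in this incident carried sign-offs that made them look like maintainer work, which is exactly why a “Signed-off-by” trailer is no authentication check: it is free text anyone can type, whereas a cryptographic signature from a known key can be verified. The following is an added example of the audit a project can run over its own `git log`; it is not PHP’s code or tooling. The `%G?` status codes and the `--format` placeholders are git’s own, but the commit hashes, key IDs, authors, and the allowlist are constructed for illustration.

```python
"""Audit commit signature status from `git log` output. Added illustration:
the log lines and key IDs are constructed; the format codes are git's own,
produced by

    git log --format='%H%x09%G?%x09%GK%x09%an <%ae>'

%G? is G good, B bad, U good but untrusted, X good but expired,
Y good but key expired, R good but key revoked, E cannot check, N no signature."""

# Constructed allowlist: long key IDs of the maintainers allowed to push.
TRUSTED_KEYS = {"0123456789ABCDEF", "FEDCBA9876543210"}

# Constructed sample output (tab-separated: sha, status, key id, author).
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\t0123456789ABCDEF\tAlice Maintainer <alice@example.org>\n"
    "2222222222222222222222222222222222222222\tN\t\tAlice Maintainer <alice@example.org>\n"
    "3333333333333333333333333333333333333333\tG\tDEADBEEFDEADBEEF\tBob Maintainer <bob@example.org>\n"
    "4444444444444444444444444444444444444444\tB\t0123456789ABCDEF\tBob Maintainer <bob@example.org>\n"
)

STATUS_TEXT = {
    "B": "bad signature",
    "U": "good signature from an untrusted key",
    "X": "signature made with an expired key",
    "Y": "signing key has since expired",
    "R": "signing key was revoked",
    "E": "signature could not be checked",
    "N": "no signature",
}


def parse_log(text: str):
    """Yield (sha, status, key_id, author) tuples, one per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key_id, author = line.split("\t", 3)
        yield sha, status, key_id, author


def audit(text: str, trusted_keys=TRUSTED_KEYS) -> list:
    """Return (sha, author, reason) for each commit that fails the policy:
    a commit passes only with a good signature ('G') from an allowlisted key.
    The author field is reported because it is exactly what an attacker can
    forge; it is never used to decide."""
    failures = []
    for sha, status, key_id, author in parse_log(text):
        if status != "G":
            failures.append((sha, author, STATUS_TEXT.get(status, f"unknown status {status!r}")))
        elif key_id not in trusted_keys:
            failures.append((sha, author, f"good signature but key {key_id} is not an allowlisted maintainer key"))
    return failures


if __name__ == "__main__":
    for sha, author, reason in audit(SAMPLE_LOG):
        print(f"{sha[:12]}  {author:40}  {reason}")
```

In the constructed sample only the first commit passes: the second claims the same author but carries no signature at all, the third is validly signed by a key nobody on the project has vouched for, and the fourth has a signature that does not verify. Running such a check on every push, or requiring signed commits server-side, turns the “looks like a maintainer” trick into a hard failure instead of something reviewers have to notice by eye.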
Expert Commentary: Considering that PHP is the server-side programming language that powers over 79% of the websites hosted on the internet, this security incident is very alarming. Given the attack methodology used, it is clear that the attackers’ goal was to initiate another SolarWinds-esque software supply-chain disaster. If the PHP codebase can be attacked, it is a clear sign that advanced persistent threat (APT) actors are laser-focused on compromising software applications to create far-reaching effects that can be leveraged for follow-up attacks, such as ransomware or phishing.