1. Poor Patching Led to 25% of all Vulnerabilities Found in 2020
- According to Google’s security team, a quarter of all zero-day exploits detected in 2020 were closely related to previously disclosed vulnerabilities that had been patched insufficiently, meaning they could have been prevented if more effort had gone into thoroughly patching vulnerabilities that were already known.
- These discovered vulnerabilities impacted Chrome, Internet Explorer, and Windows Operating Systems.
- Leveraging the poor patching habits of companies, threat actors needed to tweak only one or two lines of code to re-weaponize previously discovered zero-day vulnerabilities for nefarious activities, including ransomware attacks.
SME Comments: Insufficient patching of vulnerabilities, or no patching at all, combined with a failure to fully test patch efficacy, was found to be one of the major causes of supply chain security incidents in 2020. Not only do vendors fail to quickly release patches for zero-day vulnerabilities, but corporate IT teams also fail to monitor the availability of new patches. The resulting time-to-patch gap leaves computing environments exposed to preventable attacks that affect business continuity.
2. U.S. Courts Set New Requirements for Filing Sensitive Documents, Following SolarWinds Hack
- Following the SolarWinds hack that compromised several U.S. government agencies, including the U.S. Federal Judiciary’s electronic files, the federal judicial council issued an order requiring that all highly sensitive documents be filed with the courts on paper. These paper documents are then uploaded to and stored in a secure, stand-alone digital system.
- The Administrative Office of U.S. Courts revealed that the new measures would not change the public’s access to court records – any uploaded document will still be in the public domain unless the court deems it as sensitive.
- While the SolarWinds incident continues to have far-reaching impacts across critical industries, it remains unclear whether the intrusion at the U.S. Federal Judiciary is ongoing. It is feared that the SolarWinds attackers may have gained unauthorized access to a wide range of confidential information held in sealed documents, including espionage targets, trade secrets, arrest warrants, and whistleblower reports.
SME Comments: Given the sophistication of state-sponsored Advanced Persistent Threat (APT) actors, whose tradecraft includes backdoor creation and code manipulation, it is often impossible to fully regain control of a compromised system without residual risk. Organizations within critical industries are therefore moving towards manual data-management processes to maintain a resilient security posture.
3. Chinese Government Has Stolen the Personal Data of 80% of American Adults
- The former Director of the U.S. National Counterintelligence and Security Center, Bill Evanina, revealed that Chinese state-sponsored threat actors have stolen the personally identifiable information (PII) of 80% of American citizens. Evanina claimed that Chinese state-sponsored threat actors are attempting to break into major U.S.-based healthcare institutions to steal protected health information (PHI), including sensitive DNA records.
- According to Evanina, the Chinese government is bent on implementing “less-than-honorable” means to steal data by also targeting smart homes, electrical sensors, and 5G technologies.
- Although China’s voracious gathering of Americans’ health data is nothing new, it continues to pose national security risks and to infringe on the privacy of American citizens.
SME Comments: There is concern within the U.S. Intelligence Community that the personal data of Americans stolen by the Chinese government is leveraged for nefarious purposes, including the development of biological weapons and the circumvention of global health standards. Companies operating within critical industries, such as healthcare, financial services, and public transportation, must therefore continuously enhance their detective, preventive, and corrective controls to maintain a dynamic security posture.
4. Ransomware Criminals Encrypt Virtual Disks Using VMware ESXi Vulnerabilities
- Security researchers have observed ransomware gangs exploiting VMware ESXi vulnerabilities (CVE-2019-5544 and CVE-2020-3992) to take over virtual machines (VMs) and encrypt their virtual hard drives.
- These vulnerabilities allow attackers to send malicious SLP requests to ESXi hosts and take control of the system. After gaining access to a device on a corporate network, they are able to encrypt virtual hard drives, store data, and cause massive disruptions.
- These exploits first surfaced in October 2020 and have been linked to criminal groups that deploy RansomExx ransomware and target VMs in sensitive enterprise environments.
SME Comments: As organizations rapidly adopt cloud computing and resource virtualization, sophisticated attackers understand that business operations now rely on computing resources that extend beyond on-premises infrastructure. Prompt security patching across all computing environments, on-premises and virtual alike, is therefore critical to data security and privacy as well as business continuity.
5. A New Linux Malware Is Targeting SSH Credentials on Supercomputers
- A newly detected Linux malware known as Kobalos is targeting supercomputers worldwide. Kobalos is designed to steal and corrupt Secure Shell (SSH) credentials on hosts running several operating systems, including Linux, Solaris, FreeBSD, Windows, and AIX.
- Kobalos is, in essence, a backdoor with a wide range of commands that obscure the attacker’s activity. It can spawn terminal sessions, provide remote access to the file system, and proxy connections to other infected servers.
- An internet-wide scan to identify Kobalos victims revealed that the attackers targeted high-profile victims in the research and academic sector, endpoint security vendors, and Internet Service Providers (ISPs) in Asia.
SME Comments: Kobalos compromises a system’s SSH service in order to capture user credentials. To detect Kobalos, security teams should look for non-SSH traffic on the SSH server’s port. Since the malware uses captured credentials to propagate to other systems, requiring multi-factor authentication for SSH logins is an effective mitigation.
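One way to act on the detection hint above, as an added example that is not part of the original digest or of any vendor's tooling: every legitimate SSH client must open with an RFC 4253 identification string ("SSH-2.0-..."), so sessions on tcp/22 whose first client bytes look like anything else deserve a closer look. The Session record and the sample sessions are constructed assumptions standing in for whatever your capture or flow tooling exports.

```python
import re
from dataclasses import dataclass

SSH_PORT = 22
# RFC 4253 section 4.2: the client's first line is "SSH-protoversion-softwareversion [SP comments] CR LF".
SSH_BANNER = re.compile(rb"^SSH-[0-9]+\.[0-9]+-")


@dataclass(frozen=True)
class Session:
    """First client-to-server payload of one TCP session (hypothetical capture record)."""
    src: str
    dst_port: int
    first_client_bytes: bytes


def classify(session: Session) -> str:
    """Label a session as 'ssh', 'incomplete', 'suspicious' or 'other-port'."""
    if session.dst_port != SSH_PORT:
        return "other-port"
    data = session.first_client_bytes
    if SSH_BANNER.match(data):
        return "ssh"
    # A capture cut short inside the banner (e.g. just "SSH-2.0") is not evidence of anything.
    if len(data) < 8 and b"SSH-2.0-".startswith(data):
        return "incomplete"
    # Anything else on the SSH port (raw binary, HTTP, ...) is the non-SSH traffic to investigate.
    return "suspicious"


def find_suspicious(sessions):
    """Return the sessions on tcp/22 that did not open with an SSH identification string."""
    return [s for s in sessions if classify(s) == "suspicious"]


# Constructed sample records, not real traffic.
SAMPLE_SESSIONS = [
    Session("10.0.0.5", 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
    Session("10.0.0.9", 22, b"SSH-2.0-libssh2_1.9.0\r\n"),
    Session("203.0.113.7", 22, b"\x00\x00\x01\x2c\x9f\x3a\x71\xd8"),  # opaque binary, no banner
    Session("203.0.113.8", 22, b"GET / HTTP/1.1\r\nHost: x\r\n"),     # wrong protocol on 22
    Session("10.0.0.5", 22, b"SSH"),                                  # truncated capture
    Session("10.0.0.5", 443, b"\x16\x03\x01\x02\x00"),                # TLS on 443, out of scope
]

if __name__ == "__main__":
    for s in find_suspicious(SAMPLE_SESSIONS):
        print(f"{s.src} -> tcp/{s.dst_port}: {s.first_client_bytes[:16]!r}")
```

Run against real flow exports, the "suspicious" hits are a starting point for triage, not a verdict: some legitimate scanners and misconfigured clients also speak non-SSH on port 22.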