1. Outdated Software Bug Led to Arizona Jail Mismanagement
- The Arizona Department of Corrections spent more than $24 million contracting with an IT services company to build and maintain a software program, known as ACIS, which is used to manage the inmate population in state prisons.
- Following a whistleblower's revelation from within the Department, it emerged that a bug in the unpatched management software was causing hundreds of Arizona inmates to be held beyond their sentences.
- The Arizona Department of Corrections has admitted to having issues with its software, which reportedly fails to calculate correct release dates after state sentencing law changed in 2019.
SME Comments: In 2019, Senate Bill 1310 amended the Arizona Revised Statutes to allow certain inmates convicted of non-violent crimes to earn release credits. However, the event-management logic in the ACIS software was never updated to apply the newly enacted criminal code and policy. In an environment as consequential as the U.S. prison system, a process that gets policy-driven changes into production software promptly, ideally as automated updates triggered by changes in statutes and regulations, is critical.
2. Clop Ransomware Gang Exploits an Aerospace Giant
- The Clop ransomware gang claims to have compromised the defense division of aerospace giant Bombardier, stealing sensitive documents that appear to include a CAD drawing of one of Bombardier’s military aircraft products as well as the personal information of employees based in Costa Rica. As evidence of their claims, the gang posted screenshots of some of the stolen data online.
- To carry out the data theft against Bombardier, the notorious ransomware gang exploited a vulnerability in a file-transfer application developed by Accellion. According to security experts, the same File Transfer Appliance (FTA) vulnerability was exploited earlier this year to steal financial documents from one of President Trump’s lawyers.
- Bombardier confirmed that unauthorized parties extracted data from its systems and that it is working with forensic experts and law enforcement to resolve the security incident and recover from the ransomware attack.
SME Comments: In December 2020, Accellion disclosed a major vulnerability in its legacy File Transfer Appliance (FTA), a product widely used within critical industries. The flaw has been exploited repeatedly by cybercriminals, including the group tracked as UNC2546, to extort ransom payments from high-profile organizations. Although Accellion has released patches for the FTA vulnerability, several organizations have yet to apply them, allowing ransomware gangs to capitalize on poor security hygiene.
3. ‘Shadow Attackers’ Replace Content in Digitally Signed PDFs
- Security researchers discovered a novel attack technique, dubbed the ‘shadow attack,’ that lets threat actors circumvent existing controls and break the integrity protections of digitally signed PDF documents.
- The primary goal of a shadow attack is to alter the visible content of an already signed document without invalidating its original signature, making it possible to forge a PDF document for nefarious purposes such as Business Email Compromise (BEC) and other targeted phishing campaigns.
- The technique was tested against 16 PDF viewers, including Adobe Acrobat, Perfect PDF, Foxit Reader and Okular, and all were susceptible to shadow attacks.
SME Comments: To carry out a shadow attack, an attacker prepares a PDF document with two different contents: one showing what the receiving party expects to see when signing the document, and a second, hidden content that is displayed once the PDF has been signed. Because the signature itself stays cryptographically valid, a viewer’s green check mark alone is not proof that what is on screen is what was signed; the viewer needs the vendor’s fix.
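The defensive check that follows from the comment above is to look for bytes that were added after the span the signature covers: a PDF signature's /ByteRange array records exactly which bytes the signer saw, so anything appended past that span (an incremental update) is what can change the displayed content without breaking the signature. The script below is an added example, not code from the original digest or from the researchers who published the technique. It builds a constructed, minimal stand-in for a signed PDF (not a valid PDF, only the pieces the check reads) and a constructed trailing update, then reports whether the file extends beyond the signed range.

```python
import re

# Matches the /ByteRange array of a PDF signature dictionary: [offset1 length1 offset2 length2].
# The signed bytes are [offset1, offset1+length1) and [offset2, offset2+length2); the gap between
# them holds the signature value itself.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

# Constructed incremental update standing in for content appended after signing; only its
# position (after the signed bytes) matters to the check below.
SHADOW_UPDATE = (b"2 0 obj << /Type /Page /Contents 3 0 R >> endobj\n"
                 b"trailer << /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n")


def build_toy_signed_pdf(appended_update: bytes = b"") -> bytes:
    """Constructed stand-in for a signed PDF: not a valid PDF, only the structure the check reads.

    The ByteRange is filled in so the signed span ends exactly at the original %%EOF, which is
    how a real signature covers the whole file the signer saw."""
    placeholder = b"/ByteRange [0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC]"
    contents = b"<ABCD>"  # stands in for the hex-encoded signature value
    doc = (b"%PDF-1.7\n1 0 obj << /Type /Sig " + placeholder + b" /Contents " + contents
           + b" >> endobj\ntrailer << /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
    c_start = doc.index(contents)
    c_end = c_start + len(contents)
    total = len(doc)  # fixed-width placeholders keep the length stable after fill-in
    filled = (placeholder
              .replace(b"AAAAAAAAAA", f"{c_start:010d}".encode())
              .replace(b"BBBBBBBBBB", f"{c_end:010d}".encode())
              .replace(b"CCCCCCCCCC", f"{total - c_end:010d}".encode()))
    return doc.replace(placeholder, filled) + appended_update


def check_post_signature_update(pdf: bytes) -> dict:
    """Report whether any bytes follow the span covered by the last signature's ByteRange."""
    ranges = BYTE_RANGE_RE.findall(pdf)
    eof_markers = pdf.count(b"%%EOF")  # one per revision; more than one means incremental updates
    if not ranges:
        return {"signed": False, "trailing_bytes": 0, "eof_markers": eof_markers, "suspicious": False}
    # The last signature's range is what the signer actually covered
    _o1, _l1, o2, l2 = (int(v) for v in ranges[-1])
    signed_end = o2 + l2
    trailing = len(pdf) - signed_end
    return {"signed": True, "signed_end": signed_end, "file_length": len(pdf),
            "trailing_bytes": trailing, "eof_markers": eof_markers,
            "suspicious": trailing > 0}


if __name__ == "__main__":
    for label, doc in (("clean", build_toy_signed_pdf()),
                       ("shadowed", build_toy_signed_pdf(SHADOW_UPDATE))):
        print(label, check_post_signature_update(doc))
```

A positive result is a triage signal rather than a verdict: legitimate workflows (a second signer, a filled form field) also append incremental updates, so a flagged file should be reviewed against the original signed revision, and the real mitigation remains updating the PDF viewer.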
4. Venture Capital Giant, Sequoia, Targeted in BEC Attack
- The Silicon Valley-based venture capital giant Sequoia Capital disclosed that it was the target of a business email compromise (BEC) attack attempt. The VC firm notified its investors that their personal and financial data may have been exposed after an employee fell for an email phishing campaign.
- Although the incident was discovered on January 20th, 2021, Sequoia is only now notifying the general public, after an in-depth forensic investigation found that the breach was part of a unique wire payment diversion scam targeting key executives within the organization.
- It is still unclear whether any data was stolen, or what type of data may have been compromised, but Sequoia Capital is monitoring the dark web for data dumps or auctions of stolen data that could jeopardize its business posture.
SME Comments: Business Email Compromise (BEC) campaigns were originally the work of mid-tier cybercriminals. However, security experts have observed state-sponsored APT actors adopting BEC techniques to finance their illegal operations: since July 2019, over 200 sophisticated BEC campaigns have been attributed to the Russian-sponsored cyber gang Cosmic Lynx. BEC attacks are nothing new, but their rate of occurrence has skyrocketed. In 2019 the FBI reported 24,000 BEC attacks, with enterprises losing $1.7 billion; on average, an organization loses $72,000 per BEC attack.
5. Nginx Server Misconfigurations Expose Websites to Attack
- Cybersecurity researchers found that a series of middleware misconfigurations in Nginx servers could expose web applications to attack. Thanks to its simple configuration and user-friendly interface, Nginx powers one in three websites globally.
- The misconfigurations identified include a missing root location, unsafe use of variables, reading of raw backend responses, and the ‘merge_slashes’ setting switched off.
- After examining 50,000 unique Nginx configuration files, the researchers also uncovered further issues that could allow threat actors to control a proxied host, reach internal Nginx blocks, and reach Nginx blocks restricted to localhost.
SME Comments: Middleware technology lets a web server provide the automated services that modern web applications need to function. As such, middleware configuration offers a great deal of flexibility and control over many utility processes. Unfortunately, it is this very flexibility that makes human error easy, leaving a website open to compromise. Therefore, an automated server configuration health checker would play a significant role in catching such errors and monitoring for changes to policies and procedures.
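As an added example of the automated configuration health check suggested above (this is not code from the original digest or from the researchers who published the findings, and the two server blocks are constructed, not taken from any real site), the script below holds a deliberately weak Nginx server block beside its corrected form and audits both for three of the patterns the digest names: merge_slashes switched off, a root directive with no catch-all location, and a URL-decoded request variable ($uri or $document_uri) used in a directive that forwards it to an upstream or into a response. The rule names and messages are this example's own.

```python
import re

# Constructed server block showing three of the misconfigurations in the digest (not a real site's config)
WEAK_CONFIG = """
server {
    listen 80;
    merge_slashes off;
    root /etc/nginx;
    location /api/ {
        proxy_pass http://backend$uri;
    }
    location /hello.txt {
        try_files $uri =404;
    }
}
"""

# The same server with each issue corrected: default merge_slashes, a web-content root with a
# catch-all location, and a proxy_pass that does not re-inject the decoded request path
HARDENED_CONFIG = """
server {
    listen 80;
    root /var/www/html;
    location / {
        try_files $uri =404;
    }
    location /api/ {
        proxy_pass http://backend/;
    }
    location /hello.txt {
        try_files $uri =404;
    }
}
"""

MERGE_SLASHES_OFF = re.compile(r"^\s*merge_slashes\s+off\s*;", re.M)
ROOT_DIRECTIVE = re.compile(r"^\s*root\s+[^;]+;", re.M)
CATCHALL_LOCATION = re.compile(r"^\s*location\s+(?:=\s*)?/\s*\{", re.M)
# $uri and $document_uri are URL-decoded, so using them in these directives lets encoded
# characters from the request reach the upstream request or the response headers.
UNSAFE_URI_USE = re.compile(
    r"^\s*(proxy_pass|return|rewrite|add_header)\s+[^;]*\$(?:uri|document_uri)\b[^;]*;", re.M)


def audit_nginx(config: str) -> list:
    """Return (rule, message) pairs for each risky pattern found in an nginx config string."""
    findings = []
    if MERGE_SLASHES_OFF.search(config):
        findings.append(("merge_slashes_off",
                         "merge_slashes off: repeated slashes are no longer collapsed before location matching"))
    if ROOT_DIRECTIVE.search(config) and not CATCHALL_LOCATION.search(config):
        findings.append(("root_without_catchall_location",
                         "root is set but no 'location /' exists, so unmatched requests are served directly from root"))
    for m in UNSAFE_URI_USE.finditer(config):
        findings.append(("unsafe_uri_variable",
                         f"decoded request variable used in '{m.group(1)}': {m.group(0).strip()}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_nginx(cfg) or "no findings")
```

The checks are line-oriented regexes, which is enough for a pre-deployment gate or a cron job that diffs findings between config revisions; for multi-line directives or included files a real parser (or `nginx -T` to dump the merged configuration first) is the more robust input.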