Cybersecurity Week in Review: 2/1
Posted by: GuidePoint Security
This week we focus on the impact zero-day exploits and unpatched vulnerabilities have on security and business operations. Our news includes how one exploit led to an extremely large government data breach involving 1.6 million records; how a small but sophisticated piece of malware is likely using old and unpatched systems to attack global supercomputers worldwide; and how a zero-day flaw for Secure Mobile Access (SMA) devices was likely being exploited in the wild before the vulnerability was discovered and patched.
Zero-day exploit leads to massive government data breach
We’re reminded of the importance of patching vulnerabilities as soon as they are discovered with an announcement last week by the Office of the Washington State Auditor (SAO) of a massive security breach involving the compromise of personal data on more than 1.6 million individuals.
The breach occurred as a result of a software vulnerability in the Accellion file transfer appliance (FTA) service, which enabled the government entity to “securely” share sensitive documents with external entities.
(NOTE: GuidePoint Security, in partnership with deepwatch, conducted an in-depth analysis of a malicious web shell targeting the Accellion FTA service.)
The breach appears to have taken place during late December of 2020, with Accellion confirming the breach the week of January 25, 2021. The data included highly sensitive information for Washington state residents, as well as other data from local and state government agencies. Among the types of data stolen were complete names, social security and driver’s license numbers, state identification numbers, bank account and bank routing numbers, and place of employment for more than 1.6 million Washington state residents who had filed unemployment insurance claims in 2020.
On January 11, the Palo Alto-based Accellion stated that it had been made aware of a zero-day exploit in its legacy FTA software in mid-December and released a patch within 72 hours to customers (of which there were only 50 using the legacy FTA service). It appears the company also issued another security update for some of its modern file sharing software in December. Notably, this organization’s FTA software has been used as an attack vector in several other recent attacks, including those on the Harvard Business School (HBS), the Australian Securities and Investments Commission (ASIC) and the Reserve Bank of New Zealand (RBNZ).
Individuals who had filed for unemployment insurance in Washington state are being encouraged to review bank accounts and credit reports and report any suspicious activity to law enforcement.
You can read more on this data breach here, here and here.
Supercomputers targeted with new Linux malware
Malware with a small but sophisticated codebase is targeting high-performance computers (HPCs) in the academic, research and scientific sectors globally, apparently with the purpose of stealing credentials for secure network connections.
Named by security researchers after a mischievous sprite from Greek mythology that is fond of tricking and frightening mortals, the malware “Kobalos” is impacting Linux, BSD and Solaris operating systems, with the possibility of attacks against AIX and Microsoft Windows systems as well.
The malware appears to have been used to attack a U.S. endpoint security vendor and an Asian internet service provider (ISP), as well as several other entities worldwide. While researchers were unable to establish the initial attack vector that enabled cybercriminals to breach administrative systems and install Kobalos, they were quick to point out that several of the affected systems were running unpatched, old, and unsupported operating systems and software.
Researchers believe that the Kobalos malware acts like a backdoor. Once inside an HPC system, the malware enables remote access to the file system and spawns terminal sessions to let the cybercriminals issue arbitrary commands. Among the actions that Kobalos is capable of are encrypting traffic from the HPC to the threat actors and turning a compromised machine into a command and control (C2) server.
Researchers have notified all victims they were able to identify and have worked with them to remediate the attack.
A complete technical analysis authored by security researchers has been published. Additional information on the Kobalos malware can be found here, here and here.
Criminals exploiting vulnerability found in Secure Mobile Access (SMA) devices
A security appliance company warned last week that criminals were already actively exploiting a zero-day vulnerability found in both its physical and virtual Secure Mobile Access (SMA) 100 series devices. The company issued a patch on February 2, 2021. Details on the attack are not yet available, as the company has issued a statement indicating the investigation is still ongoing.
Around the same time that the security appliance firm disclosed the vulnerability, another group of security researchers announced on Twitter the discovery that the zero-day flaw was currently being exploited in the wild.
In addition to patching, the company recommends enabling multi-factor authentication and updating user passwords for any accounts that use the SMA 100 series with 10.X firmware.
Updated details on the vulnerability were published by the security appliance firm on February 2, 2021. More on this story can be found in this article, as well as other articles here and here.
Final Words
Last week security researchers released a fascinating interview with a LockBit ransomware operator and experienced threat actor. Over the course of a few weeks, these researchers delved into this criminal’s activities and mindset, providing insight into both the operational and ethical components of cybercrime.
This “self-taught” cybercriminal maximized his efforts by staying up to date on the latest cybersecurity research—in particular, vulnerabilities—and then weaponizing those vulnerabilities into future attacks. He claimed to operate alone, without the assistance of a cybercriminal gang or state support. Although he disavowed any “state support”, the criminal did claim that Russia is the best country in which to operate as a cybercriminal, likely because Russian authorities and law enforcement are notorious for turning a blind eye to cybercrime, particularly if it doesn’t affect Russian businesses or citizens.
Among the ‘tactics, techniques and procedures’ (TTPs) used by this criminal, the frequent and preferred use of unpatched systems as an easy method of intrusion stands out. He explained how he takes advantage of white hat research that exposes new vulnerabilities: “We use white hat research against them. As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch.”
Researchers estimate that the number of Common Vulnerabilities and Exposures (CVEs) reported increased by 6% in 2020. Yet organizations often continue to delay the patching process for a variety of reasons that include not prioritizing it, not having the systems or staff to support the effort, or even legitimate concern about the effect a patch will have on other mission-critical systems. If this week’s stories emphasize anything, it is the importance of a good vulnerability- and patch-management process to ensure improved security.