Information Security News 11-7-2022

Microsoft: Raspberry Robin USB Worm Hits Nearly 1,000 Organizations in the Past Month

Article Link: https://www.zdnet.com/article/microsoft-raspberry-robin-usb-worm-hits-nearly-1000-organizations-in-the-past-month/

• Microsoft is warning that the relatively new Raspberry Robin USB drive worm has triggered payload alerts on nearly 3,000 devices in almost 1,000 organizations in the past 30 days. In the past, Raspberry Robin has deployed Lockbit ransomware, IcedID, Bumblebee, and Truebot malware; however, most recently Raspberry Robin has been deploying the Clop ransomware.
• Raspberry Robin is often installed on Windows systems via a USB drive, which contains an LNK shortcut file disguised as a folder. Once a USB is inserted, Raspberry Robin relies on USB autorun being enabled through legacy Group Policy changes and tricking users to click the LNK file.
• In newer versions of the malicious software, the Raspberry Robin drives only have the LNK and executable files, which is believed to allow the files to populate with common USB brand names.

U.S. Govt Employees Exposed to Mobile Attacks From Outdated Android, iOS

Article Link: https://www.bleepingcomputer.com/news/security/us-govt-employees-exposed-to-mobile-attacks-from-outdated-android-ios/

• According to a new report by cybersecurity firm Lookout, almost half of Android-based mobile phones used by U.S. state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be leveraged for attacks. This is based on an analysis of over 200 million devices and 175 million applications from 2021 and H2 2022.
• Lookout’s report notes that 10 months after iOS 15 had been made available to users, 5% of federal government employees and 30% of state and local government devices were running older versions of the operating system. 10 months after the release of Android version 12, about 30% of federal devices and almost 50% of state and local government devices still needed to upgrade to the latest versions.
• According to Lookout, the most common attack against mobile users is malware delivery, accounting for about 75%, while credential harvesting represents most of the remaining percentage; however, credential theft attacks appear to be increasing year-over-year.

Three Inexpensive Steps to Secure IoT

Article Link: https://www.techrepublic.com/article/3-inexpensive-steps-to-secure-iot/

• Unsecured IoT devices are a treasure trove for botnet operators. It’s the responsibility of IT managers to ensure these devices remain protected against botnet enlistment.
• The three steps noted in the article include identifying IoT devices (i.e., any non-traditional endpoint with an IP address), isolating the systems (i.e., changing default passwords, applying security updates, and creating a separate IoT VLAN), and limiting internet access where possible.

Build Security Around Users: A Human-First Approach to Cyber Resilience

Article Link: https://www.darkreading.com/risk/build-security-around-users-a-human-first-approach-to-cyber-resilience

• A new strategy for security could be to put users first and then build the defense around them. This is not only because we must protect people but also because, by fostering a false sense of protection, we’re instigating risk and making them more vulnerable.
• People already share files and images, use email, and use social media. Layering cyber security onto personnel is akin to asking people to wear a seatbelt.
• The article notes that the approach to security is like teaching driver safety while ignoring how people drive. Doing this all but ensures that users either blindly adopt something, believing it’s better, or on the flip side, when forced, merely comply with it. Either way, the outcomes are suboptimal.

This Stealthy Hacking Campaign Uses a New Trick to Deliver Its Malware

Article Link: https://www.zdnet.com/article/this-stealthy-hacking-campaign-uses-a-new-trick-to-deliver-its-malware/

• According to Symantec, malicious cyber actors have launched campaigns where they spend more than 18 months inside the networks of victims, all while taking steps to ensure their activity avoids detection. What makes this campaign unique is the way Internet Information Services (IIS) logs are abused to remain undetected, something researchers say they haven’t seen used in attacks before.
• The threat actors, Cranefly, use malware dubbed “Geppei” to read commands from legitimate IIS logs, which are meant to record data from IIS, disguising their actions as activities like web access requests. IIS logs them as normal inputs, but the trojan used can read the inputs as commands. The commands read contain malicious encoded files that are saved to an arbitrary folder, and they run as backdoors on appliances that don’t support security tools.
• Techniques that organizations can employ to help prevent or detect attacks include using two-factor authentication on accounts, adopting network segmentation, and avoiding default password use.

Microsoft Warns of Uptick in Hackers Leveraging Publicly Disclosed 0-Day Vulnerabilities

Article Link: https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html

• Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly disclosed zero-day vulnerabilities for breaching target environments with a shorter delay between vulnerability disclosure and exploitation attempts.
• Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure, stating that while 0-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before patches are installed.
• Microsoft’s full report: https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022

Multi-factor Auth Fatigue is Real – and It’s Why You May Be in the Headlines Next

Article Link: https://www.theregister.com/2022/11/03/mfa_fatigue_enterprise_threat/

• MFA fatigue relies on social engineering, as well as any shortcomings in the system design, to access the corporate network. Spamming MFA works against a decent number of teams and has become a tactic of choice for many cybercriminals.
• Improving your MFA deployment, educating employees about common types of attacks (and how to recognize them, prevent them, and appropriately report them), and building a system that contains a breach as the result of a successful phish are all vital to mitigating risks associated with MFA fatigue.
• Other solutions to MFA fatigue are being adopted by the main providers of MFA products. These include showing the IP address of who is trying to authenticate and number matching between what is shown on the authentication screen and an authenticator app.

How to Securely Manage LAPS on a Windows Network

Article Link: https://www.csoonline.com/article/3678293/how-to-securely-manage-laps-on-a-windows-network.html

• Maintaining good password hygiene on networks, especially large and spread-out ones, is complex. Microsoft has a solution to this problem in the form of Local Administrator Password Solution (LAPS), which enables local administrator passwords to be set programmatically based on a provided schedule using the complexity parameters you define.
• This article walks through the process of enabling LAPS, making the best use of the service, and retrieving and resetting passwords within LAPS.
• The biggest thing to be aware of when considering using LAPS is the fact that Local Administrator passwords are stored in plain text in Active Directory. This risk can be mitigated with permissions to the key attributes being restricted, and additional compensating controls, but should be considered.
• While LAPS isn’t a “new” feature to Windows, it is a service that is actively being improved on newer implementations of Windows, such as Windows 11, by Microsoft.

Cybersecurity Recovery is a Process That Starts Long Before a Cyberattack Occurs

Article Link: https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/

• Recovery is a process that starts long before a cyberattack occurs. It concludes not when the data is secured, but when the organization can genuinely say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.
• The reality is most organizations find it very difficult to fully recover from a cyberattack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.
• The article highlights four core components of an effective cybersecurity recovery program: pre-emptive action, detailing responsibilities and accountability, having the right IT architecture in place, and discussing lessons learned and implementing changes after an incident.