Project Hyphae

Information Security News 5-1-2023


Hackers use Fake “Windows Update” Guides to Target Ukrainian Govt

Article Link:

  • Ukraine believes that Russian state-sponsored hackers sent emails and impersonated system administrators of targeted government entities to trick Ukrainian government targets into downloading malicious content masked as Windows updates via PowerShell.
  • The attackers created “” email addresses using real employee names to send fake instructions on how to upgrade Windows via PowerShell scripts.
  • In this specific instance, the hackers used the Mocky service API to exfiltrate data on victim devices.

Many Public Salesforce Sites are Leaking Private Data

Article Link:

  • According to KrebsOnSecurity, a significant number of organizations, including banks, state governments, and healthcare providers, are leaking private and sensitive information from their public Salesforce Community websites.
  • The leaks stem from a misconfiguration in Salesforce Community, a tool used to build websites quickly, that lets an unauthenticated user read records that should only be available after logging in. Exposed data include full names, Social Security Numbers, addresses, phone numbers, email addresses, and bank account numbers.
  • Several of the organizations with websites that were leaking information noted that rapid development of the websites occurred in response to events like COVID-19. As such, many of these Salesforce Community websites didn’t go through the normal development and review process.

Major UK Banks Including Lloyds, Halifax, TSB Hit by Outages

Article Link:

  • Websites and mobile apps of Lloyds Bank, Halifax, TSB Bank, and Bank of Scotland experienced web and mobile app outages on April 28th, leaving customers unable to access their account balances and information.
  • It is unclear what caused the issues at the United Kingdom’s four major banks. However, the article noted that all four are, or were, owned by the same parent company, which suggests that the server infrastructure is similar across each entity.
  • All four banks’ systems have been brought back online; however, none of the entities appear to have released any detailed information on the source of the issues.

Google Authenticator Updated, Finally Allows Syncing of 2FA Codes

Article Link:

  • Google has updated Google Authenticator, its mobile authenticator app for delivering time-based one-time authentication codes, and now gives users the option to sync (back up) their codes to their Google account.
  • Before this update, losing one’s mobile device with Google Authenticator on it created many problems for end users and enterprise IT departments. However, now if this feature is enabled, users are able to access the codes from other devices that are linked through Google.
  • While this new feature enhances accessibility and eases a potential pain point for IT personnel, it does come with several drawbacks. First, if a hacker gains access to a user’s Google account, they can sync and back up the user’s codes as well as discover the usernames for linked 2FA codes. Additionally, the backed-up codes lack end-to-end encryption at this time.

Kansas Enacts Financial Institutions Information Security Act

Article Link:

  • On April 20, the Kansas governor signed SB 44, which establishes information security standards relating to the handling of customer information for covered entities, including credit services organizations, mortgage companies, financial institutions that engage in credit and money transmissions, trust companies, and technology-enabled fiduciary financial institutions.
  • Covered entities will be required to develop, implement, and maintain a cybersecurity system to protect consumer information, and must ensure its information security program is maintained as part of its books and records in compliance with established record retention requirements.
  • Starting on July 1, 2023, the Kansas state bank commissioner, or a designee, will be allowed to enforce the legislation through a variety of means, including investigating organizations, issuing cease-and-desist orders, and imposing fines of up to $5,000 per violation in addition to investigation and enforcement costs.
  • Link to the Kansas Financial Institutions Information Security Act:

Risk Miscommunicated Across Organizations

Article Link:

  • According to a RiskOptics survey of 261 information security and GRC personnel, there is no clear consensus on what counts as the “biggest challenge” for an organization’s security leadership. Likewise, 54% of respondents said that cyber/IT risk assessments are as hard as or harder than signing up for health insurance, and 55% equated assessments to getting a license renewed.
  • Additionally, the results suggest that the respondents struggle to define and communicate risk. Specifically, 30% of respondents noted that they don’t communicate the risk around specific business initiatives to other company leaders. Likewise, 23% of respondents don’t consider third-party vendors when assessing risk.
  • Link to RiskOptics’ Report:

Combating Kubernetes — the Newest IAM Challenge

Article Link:

  • Since its release in 2014, Kubernetes has emerged as one of the most widely used open-source systems for managing containers. The tool allows organizations to improve operational efficiency, enable advanced security monitoring, and reduce costs. However, clusters can also give bad actors significant access to the environment: if a cluster is compromised, bad actors gain access to multiple cloud applications, including confidential files, usernames, and passwords.
  • Many organizations have deployed basic identity and access management (IAM) functionality to address security gaps, but these solutions tend to provide master authorization and do not allow for effective access governance.
  • By specifying each user’s role, and limiting cluster access and management controls accordingly, IT leaders can ensure Kubernetes clusters don’t become a gateway for cybercriminals to access their organizational data.
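Since the article’s advice is to limit cluster access by role, here is an added example (not from the article or from Kubernetes itself) that audits a kubectl-style ClusterRoleBinding listing for bindings that grant cluster-admin outright or bind any role to the broad built-in groups; the JSON sample is constructed, and the role and group names to flag are assumptions a team would tune to its own cluster.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`,
# trimmed to the fields the audit needs (not output from a real cluster).
# The second binding hands cluster-admin to every authenticated principal.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]})

# Assumed policy: cluster-admin should never be bound directly, and the
# built-in catch-all groups should not be bound to any cluster-wide role.
PRIVILEGED_ROLES = {"cluster-admin"}
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated",
                  "system:serviceaccounts"}


def audit_bindings(bindings_json):
    """Return (binding name, subject, reason) for every risky binding found."""
    findings = []
    for item in json.loads(bindings_json)["items"]:
        name = item["metadata"]["name"]
        role = item["roleRef"]["name"]
        for subj in item.get("subjects", []):
            subject = f'{subj["kind"]}/{subj["name"]}'
            if subj["name"] in BROAD_SUBJECTS:
                findings.append((name, subject, f"built-in group bound to {role}"))
            elif role in PRIVILEGED_ROLES:
                findings.append((name, subject,
                                 f"{role} granted directly to a principal"))
    return findings


if __name__ == "__main__":
    for binding, subject, reason in audit_bindings(SAMPLE_BINDINGS):
        print(f"{binding}: {subject}: {reason}")
```

Piping the real `kubectl get clusterrolebindings -o json` output into `audit_bindings` gives the same report for a live cluster; namespaced RoleBindings would need a separate pass with their own policy.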

MITRE Caldera for OT Adversary Emulation Tool

Article Link:

  • MITRE is launching its MITRE Caldera for OT tool, which allows security teams to run automated adversary emulation exercises that are specifically targeted against operational technology (OT).
  • Built on the MITRE ATT&CK for ICS framework, MITRE Caldera for OT emulates the attack path and attacker capabilities that are defined either through ATT&CK for ICS or other custom-built plug-ins.
  • OT security teams can leverage MITRE Caldera for OT as an automated, preventive tool to examine their OT cyber environment and determine if there are any existing vulnerabilities that adversaries could exploit or gaps in their security architecture.
  • Link to MITRE Caldera:
