Tag Archive for: Lessons

4 Lessons Security Leaders Can Learn


Ivanti has had a rough start to the year. In January and February, the IT software company disclosed a series of VPN vulnerabilities impacting the Ivanti Connect Secure and Ivanti Policy Secure gateways. In February, the Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors were actively exploiting these vulnerabilities.  

As exploitation continued, CISA became one of the impacted organizations. The federal agency took down two of its systems affected by exploitation of the Ivanti vulnerabilities, The Record reported.  

“About a month ago CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses. The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” a CISA spokesperson shared in an emailed statement.  

What lessons can CIOs, CISOs, and other enterprise security leaders learn from these vulnerabilities, Ivanti’s response, and the exploitation of the bugs?  

Understand the VPN Vulnerabilities 

“From Jan. 10 to Feb. 8, there were five vulnerabilities disclosed; the nature of these vulnerabilities allows an unauthenticated actor to execute arbitrary commands with elevated privileges,” Nick Hyatt, director of threat intelligence at managed detection and response (MDR) company Blackpoint Cyber, tells InformationWeek in an email interview.  


The five vulnerabilities that impacted the Ivanti Connect Secure and Ivanti Policy Secure gateways are CVE-2023-46805 (authentication bypass in the web component, CVSS 8.2), CVE-2024-21887 (command injection, CVSS 9.1), CVE-2024-21888 (privilege escalation in the web component, CVSS 8.8), CVE-2024-21893 (server-side request forgery in the SAML component, CVSS 8.2), and CVE-2024-22024 (XML external entity injection in the SAML component, CVSS 8.3). The first two were chained in the observed exploitation: the authentication bypass gave an unauthenticated attacker access to the web interface, and the command injection turned that access into code execution on the appliance.  

This crop of VPN flaws in Ivanti’s products has drawn criticism of the company’s cyber incident response, and Ivanti will likely need to work to regain customer trust following the exploitation of these bugs. In the meantime, enterprise leaders may be reconsidering their choice of VPN solution.  

“There are other solutions out there that do this exact same thing that haven’t appeared on CISA KEV [Known Exploited Vulnerabilities Catalog] as much,” says…
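The practical version of that comparison is to cross-check your own appliance inventory against the KEV catalog rather than rely on impressions. The script below is an added example, not code from InformationWeek, Ivanti or CISA. It parses the KEV feed shape (a JSON object whose "vulnerabilities" list carries cveID, vendorProject, product, dateAdded and dueDate), reports which of the five CVEs above are listed and whether the remediation due date has passed, and counts how often a vendor's products appear. The feed records embedded here are constructed sample data for offline use; their dates are illustrative, and real decisions should use the live catalog.

```python
"""
Cross-check tracked CVEs against a CISA KEV-style JSON feed.

Added example; not the article's or any vendor's code. SAMPLE_KEV_JSON is a
CONSTRUCTED stand-in for the real feed and carries only the record fields
this script reads.
"""
import json
from collections import Counter
from datetime import date

# The five CVEs named in the article.
PAGE_CVES = [
    "CVE-2023-46805",
    "CVE-2024-21887",
    "CVE-2024-21888",
    "CVE-2024-21893",
    "CVE-2024-22024",
]

# Constructed sample in the KEV feed shape. Dates are illustrative only.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
        {"cveID": "CVE-2024-21893", "vendorProject": "Ivanti",
         "product": "Connect Secure, Policy Secure, and Neurons",
         "dateAdded": "2024-01-31", "dueDate": "2024-02-02"},
    ]
})


def load_kev(feed_text):
    """Parse the feed into a {cveID: record} map for O(1) lookups."""
    data = json.loads(feed_text)
    return {rec["cveID"]: rec for rec in data["vulnerabilities"]}


def kev_status(kev, cve_ids, today):
    """Classify each CVE as 'absent', 'due' (listed, deadline ahead) or
    'overdue' (listed, deadline passed) relative to `today`."""
    status = {}
    for cve in cve_ids:
        rec = kev.get(cve)
        if rec is None:
            status[cve] = "absent"
        else:
            due = date.fromisoformat(rec["dueDate"])
            status[cve] = "overdue" if today > due else "due"
    return status


def vendor_exposure(kev, vendor):
    """KEV entries per product for one vendorProject, most-hit first.
    Case-insensitive so 'ivanti' and 'Ivanti' match."""
    counts = Counter(
        rec["product"] for rec in kev.values()
        if rec["vendorProject"].lower() == vendor.lower()
    )
    return counts.most_common()


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for cve, st in kev_status(catalog, PAGE_CVES, date.today()).items():
        print(f"{cve}: {st}")
    for product, n in vendor_exposure(catalog, "Ivanti"):
        print(f"{n} KEV entries: {product}")
```

Two of the five page CVEs come back as "absent" against the sample feed; an absent CVE is not safe, it just has no CISA remediation deadline attached, so track it on its own CVSS and vendor advisory.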


Lessons from a ransomware attack: How one healthcare CIO helped her company recover


In the early-morning hours of Feb. 25, 2021, Terri Ripley got the call every chief information officer dreads: Her company, OrthoVirginia Inc., had been hit by a massive Ryuk ransomware attack that had shut down its entire computing environment.

Although it would be 18 months before systems were fully restored, OrthoVirginia never shut down operations or abandoned patients. What it learned during the crisis is a lesson for any organization that might become an attack target. Today, that’s everyone.

Speaking at the Healthcare Information and Management Systems Society Inc.’s Healthcare Cybersecurity Forum in Boston this week, Ripley gave a blow-by-blow description of the events immediately following the attack, the critical choices that were made and how the company is insulating itself from future incidents.

OrthoVirginia is Virginia’s largest provider of orthopedic medicine and therapy, encompassing 105 orthopedic surgeons spread across the state. Its 25-person information technology organization had put cyber protections in place before the attack hit, but the pandemic was a curveball they didn’t anticipate.

“When COVID hit and we sent everybody home, some of those protections were not in place,” she said. “We put a lot of good measures in place, but we still got hit.”

System-wide shutdown

The attack took down servers, workstations, network storage and backups, but fortunately not electronic health records, which were hosted offsite. It encrypted the picture archiving and communication system that holds the X-rays vital to orthopedic surgery. The application and database needed to view the images were also hit, and the IP phones went down.

To make matters worse, OrthoVirginia’s chief cybersecurity expert was on vacation at the time. Knowing that ransomware attacks can be unpredictable, “we made the decision to shut everything down,” Ripley said. “That stopped the script from running so we were able to save the data files.”

Forensics would later determine that the attack was triggered by a remote worker clicking on a malicious link. The attackers were able to compromise the system administration password, tunnel through the…


The most hated man on the internet. Lessons to learn


A while ago I was scouring Netflix and stumbled across the 2022 The most hated man on the internet docuseries.

What’s that all about then?

The show is about Hunter Moore and his isanyoneup.com website (Wikipedia article), where people uploaded naked or pornographic images of others, intended to shame or embarrass the subject. The website was shut down in April 2012. At its height it was getting 350K unique visits daily. Today that traffic could be monetised into millions.

While some images were willingly submitted, many were not. It was apparent that plenty of people, mainly women, had their intimate images uploaded without consent, and more worryingly those images had never been in the public domain before. They had gone to lengths to keep them private.

It transpired that many of the exploited women’s email accounts had been hacked. The Tactics, Techniques, and Procedures (TTPs) used to hack the accounts weren’t ground-breaking in the early 2010s and they still work today: typically credential stuffing, and spoofing messages to friends in order to bypass 2FA. This isn’t APT territory, but it’s still effective.
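Credential stuffing leaves a recognisable shape in authentication logs even when the individual attempts look like ordinary failed logins. The script below is an added example, not code from the PTP post, and it runs over constructed log lines in an assumed "<timestamp> <result> user=<name> ip=<addr>" format rather than any particular product's log. It flags source addresses that try many distinct accounts with a high failure rate, lists the accounts that nonetheless logged in successfully from those addresses (the ones to force a reset and 2FA re-enrolment on), and separately catches one account being hit from many addresses, which is the distributed form of the same attack. The thresholds are illustrative and should be tuned to the real login volume.

```python
"""
Detect credential-stuffing patterns in an authentication log.

Added example; not the post's code. SAMPLE_LOG is CONSTRUCTED, uses
documentation IP ranges, and follows an assumed line format.
"""
import re
from collections import defaultdict

# Assumed log line shape: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one address walking through a list of accounts
# (classic stuffing with one hit), one user mistyping then succeeding,
# and one account hammered from several addresses (distributed stuffing).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:02Z FAIL user=bob ip=203.0.113.5
2024-03-01T10:00:02Z FAIL user=carol ip=203.0.113.5
2024-03-01T10:00:03Z FAIL user=dave ip=203.0.113.5
2024-03-01T10:00:03Z FAIL user=erin ip=203.0.113.5
2024-03-01T10:00:04Z FAIL user=frank ip=203.0.113.5
2024-03-01T10:00:04Z OK user=grace ip=203.0.113.5
2024-03-01T10:05:00Z FAIL user=bob ip=198.51.100.7
2024-03-01T10:05:09Z OK user=bob ip=198.51.100.7
2024-03-01T11:00:00Z FAIL user=dave ip=198.51.100.21
2024-03-01T11:00:10Z FAIL user=dave ip=198.51.100.22
2024-03-01T11:00:20Z FAIL user=dave ip=198.51.100.23
2024-03-01T11:00:30Z FAIL user=dave ip=198.51.100.24
2024-03-01T11:00:40Z FAIL user=dave ip=198.51.100.25
"""


def parse_auth_log(text):
    """Return a list of event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Addresses that tried at least `min_users` distinct accounts and failed
    at least `min_fail_ratio` of the time. Returns (ip, users, fails, oks)
    tuples, most accounts tried first."""
    by_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["fail" if e["result"] == "FAIL" else "ok"] += 1
    flagged = []
    for ip, s in by_ip.items():
        total = s["fail"] + s["ok"]
        if len(s["users"]) >= min_users and s["fail"] / total >= min_fail_ratio:
            flagged.append((ip, len(s["users"]), s["fail"], s["ok"]))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


def accounts_to_reset(events, flagged_ips):
    """Accounts that logged in successfully from a flagged address: treat
    the password as known to the attacker and force a reset."""
    return sorted({e["user"] for e in events
                   if e["result"] == "OK" and e["ip"] in flagged_ips})


def spray_targets(events, min_ips=5):
    """Accounts with failed attempts from at least `min_ips` distinct
    addresses, the signature of distributed stuffing against one user."""
    ips_by_user = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            ips_by_user[e["user"]].add(e["ip"])
    return sorted((u, len(ips)) for u, ips in ips_by_user.items()
                  if len(ips) >= min_ips)


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    sources = stuffing_sources(ev)
    print("stuffing sources:", sources)
    print("force reset:", accounts_to_reset(ev, {s[0] for s in sources}))
    print("distributed targets:", spray_targets(ev))
```

Per-address counting alone misses the distributed case, which is why the account-centric check is there too; in production both would be windowed over time rather than run over a whole file.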

Why have I written this post?

Like the TTPs used there, none of what I write is ground-breaking or state of the art. People’s digital lives are fairly easy to look into as a consequence of social media and our increasingly connected lives.

At PTP we regularly use TTPs (TLAs in full effect!) in various engagements, TTPs that are covered in Netflix shows like The most hated man on the internet and also You. We use them to identify weaknesses in a client’s defences, and a significant part of those defences are human beings.

More and more we’re asked by the Board or Senior Leadership Team to conduct consensual Digital Footprint Reviews of their members, to identify potential angles or leverage a crook could use to bypass the most sophisticated tech a company can buy.

What lessons can we learn?

What we can learn from shows like this and the experiences of the victims:

  • Don’t give your password to anyone. Ever.
  • Double check and verify anyone who wants to connect with you, even if they seem like someone you know. Social media allows people to find out a lot…


Lessons from CL0P and MOVEit


Hacking group CL0P’s attacks on MOVEit point to ways that cyber extortion may be evolving, illuminating possible trends in who perpetrators target, when they time their attacks and how they put pressure on victims.

Malicious actors that successfully target software supply chains can maximize their reach, impacting the initial victims as well as their clients and clients’ clients. And Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future, noted that cyber extortion groups like CL0P have the money to buy zero-day vulnerabilities to compromise commonly used platforms.

Plus, perpetrators increasingly use threats to publish stolen data — more so than file encryption — to put pressure on victims and are exploring new ways of denying victims access to their data.


Still, cyber extortionists aren’t a monolith. While zero days make headlines, shoring up basic cyber defense can still go a long way toward defending against many of today’s ransomware attacks, said Tom Hofmann, chief intelligence officer for cyber intelligence and solutions provider Flashpoint.

And other extortionists are likely watching the MOVEit incident play out and drawing their own takeaways.

“With a lot of these, the first big attack, it gets the headlines, but these ransomware groups are learning at the same time,” Hofmann said. “They’re seeing what worked well, what didn’t, what tactics worked, and they’re learning from each other. So, the next go-around is going to be different.”

TIMING AND ATTACK METHODS

With MOVEit, CL0P struck around Memorial Day, notes risk and financial advisory solutions provider Kroll. This follows a trend of perpetrators timing their attacks for holiday weekends. The 2021 ransomware attack on software from IT company Kaseya also hit right before the Fourth of July holiday.

Groups like CL0P also appear to be putting attention on targeting widely used platforms and exploiting zero-day vulnerabilities.

The MOVEit compromise was CL0P’s third known attack on a file transfer service, each one netting more victims. Its 2020 Accellion exploit stole data from roughly 100 companies,…
