Cyber attacks on the rise. It appears that the cyber security industry can’t escape the general consensus that 2020 is shaping up to be the year we hope to soon forget. In fact, a new report finds there were more cyber attacks in the first half of 2020 than in all of 2019. Chalk it up to the sharp transition to remote work and school due to the COVID-19 pandemic or the rapid growth of ransomware-as-a-service offerings—the report said both contributed to the burgeoning number of attacks in the first half of this year.
VPN vulnerabilities are another growing concern. The U.S. government issued a warning about an Iranian espionage group known as Pioneer Kitten, which was found exploiting recently patched vulnerabilities in Pulse Secure, Citrix NetScaler, and F5 VPN products. According to the joint alert, put out by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, Pioneer Kitten is taking aim at companies in the IT, government, healthcare, financial, insurance, and media sectors across the United States, using mass scanning tools to identify open ports and then exploiting VPN vulnerabilities to gain network access. The goal, according to the agencies, is to install ransomware on the victim’s network.
Speaking of ransomware—it continues to be a major threat vector, particularly in the public sector of late. After a ransomware attack hit a school’s IT network, the city was forced to postpone its first day of school. In a statement, the school district confirmed it was hit by a ransomware attack that impacted several of its internal IT systems that managed school buses and transportation routes, causing a prolonged outage that set it back a day from the planned Sept. 8th opening.
The 10th largest school division in the United States was also hit by a ransomware attack, and the Virginia-based school district was working with law enforcement to investigate. While the district didn’t specify the strain of ransomware used in the attack, the Maze group claimed responsibility, publishing an archive of roughly 100MB (about 2% of what was stolen) of student data and administrative documents before encrypting files.
Beyond schools, the Fourth District Court of Louisiana became a target, hit by the Conti ransomware group in an attack that knocked its website offline and published stolen court data on the dark web.
Beyond these incidents, other garden-variety cyber threats continue to rear their heads. In one example, there was fallout from a developer on GitHub who leaked AWS keys. While GitHub initiated a response, it didn’t fully address the issue. Over a 30-day period, researchers scanned more than 150 million entities from GitHub, GitLab, and Pastebin and found nearly 800,000 exposed access keys, 40% of which were tied to database stores, 38% to cloud services, and 11% to online services. These types of credentials could allow unauthorized access to company data in databases or in the cloud; alternatively, unauthorized users could also expose, destroy, or use the data for manipulation.
The stakes are high. The fallout from any type of cyber attack could be severe, as exemplified by what just befell a coffee chain. The parent company of the coffee and donut chain just settled a lawsuit brought by New York’s attorney general, which claimed it ignored cyber attacks that compromised the online accounts of its customers. The company doled out $650,000 in fines and costs and agreed to upgrade its security protocols.
In the meantime, there are new efforts to fight back against cyber security transgressions. Just this week (Sept. 14), the House passed bipartisan legislation aimed at improving security for federal Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act would require all Internet-connected devices purchased by the federal government to comply with minimum security recommendations outlined by the National Institute of Standards and Technology. It also requires companies or groups providing such devices to the federal government to notify agencies if the IoT device has a vulnerability that could open the door to an attack.
* * *
Protecting the vote. In the countdown to the 2020 election, the U.S. government and the private sector are taking steps to try to curb the spread of misinformation and ward off the possibility of foreign interference in the vote.
Microsoft recently stepped up with warnings that the Russian military intelligence unit that attacked the DNC in 2016 is back at it, this time taking aim at people and resources associated with both Democrats and Republicans. Chinese hackers were discovered ramping up attacks on the private emails of staffers associated with the Biden campaign along with targets in academia and the national security establishment.
Tech companies have been working with federal agencies to support efforts to secure the November election. In fact, members of a government-private-sector consortium meet regularly to discuss trends and to compare notes on illicit activities and behaviors happening on their respective platforms.
With cyber security experts in short supply, some states are calling in the big guns—literally, the National Guard to help protect the integrity of the 2020 election. Ten states have already committed to using their Army or Air Force National Guard cyber security units to safeguard the election process and there are many more evaluating the opportunity, government officials said. The guard personnel will offer general support such as evaluating infrastructure for vulnerabilities and performing tasks such as network intrusion analysis and cyber hunting.