Category Archives: Privacy & Security

Quebec insurer says personal information of present, past staff may have been exposed in cyberattack

A Montreal-based insurance firm’s website is still offline four weeks after a cyberattack, and the company is still trying to recover from the incident.

Promutuel Assurance says the attack started on Dec. 20 and made its IT systems unavailable. In a statement yesterday, the firm said that, so far, its investigation shows no signs of compromised social insurance numbers, driver’s licence numbers, credit card numbers or banking information of insured members.

However, the statement added, personal information of past, present and retired employees “may have been compromised.” As a precaution, Promutuel says it will provide them with credit monitoring and data protection services.

IT World Canada asked a company spokesperson by email to confirm whether the incident was ransomware. According to a source at a Canadian cybersecurity research firm who wished to remain anonymous, the website of the DoppelPaymer ransomware gang lists Promutuel as a victim, along with file names the gang allegedly copied in the attack. Typically, DoppelPaymer threatens to release copied files if the victim doesn’t pay for a decryption key.

The spokesperson referred the publication to its official statement, which didn’t explain the attack’s source.

Earlier this week, the Journal de Quebec reported that confidential documents from the firm had been published online. In a story today, the news site said Promutuel told it the 15 files were recovered.

Another attack

Winnipeg-based fashion retailer Nygard, which is in receivership, has acknowledged that it was hit by a ransomware attack.

Late Friday afternoon, the receiver for the Nygard group of companies issued an advisory to employees, customers and partners about a Dec. 12 ransomware attack.

Richter Advisory Group Inc., the court-appointed receiver of Nygard Holdings (USA) Limited, Nygard Inc., and several related companies, said it issued the statement to advise current and former employees, customers, suppliers and others to monitor their information for any unusual activity, including suspicious emails or other communications that claim to be from the retailer.

Richter has been selling off Nygard assets for several months after taking control of the company in March 2020. The cyberattack happened after the receiver took over the company. However, it says that while the attack encrypted many servers, data copied for forensic purposes wasn’t impacted.

On Dec. 30, Richter issued a report to the Manitoba court on the progress of its work, which included a description of the attack. It said the attackers from the Netwalker ransomware gang initially demanded the equivalent of about $3.6 million in bitcoin for the decryption key or copied data would be released. That demand has gone up to the equivalent of $7 million.

In its statement to the court, the receiver said a ransom wouldn’t be paid.

Richter has hired security firm Sophos to work with it to try to restore data from Nygard backups. As of the end of December, the receiver couldn’t say who might be impacted by the attack. Of Nygard’s 245 servers, 58 were encrypted, including five with data on current and former employees, five with sales data and eight with financial data. The report says 54 backup servers are available, but it isn’t confident the data can be relied on, in part because the attack damaged Nygard’s IT system.

Former company head Peter Nygard was taken into custody Dec. 15 and is awaiting extradition to the U.S. on allegations of racketeering, sex trafficking and related crimes.

The post Quebec insurer says personal information of present, past staff may have been exposed in cyberattack first appeared on IT World Canada.

Is XDR the answer to simplify security?

Extended detection and response (XDR) is gaining momentum as the next big thing to simplify and improve security. The term, coined by Gartner, refers to a platform that provides unified visibility across all security products to make it easier to quickly spot and resolve threats. Security leaders say they’re overwhelmed with managing the myriad of…

The post Is XDR the answer to simplify security? first appeared on IT World Canada.

Weak cyber hygiene behind many successful cloud attacks, warns US agency

Experts maintain that organizations that mandate multifactor authentication as an extra step to protect logins greatly improve their defences. However, it’s not fail-proof.

The latest example is this week’s warning from the U.S. government’s cybersecurity agency that successful attacks on cloud services have been reported, including one that got around MFA, possibly through stolen browser cookies.

The report from the Cybersecurity and Infrastructure Security Agency (CISA) also makes it clear that firms thinking cloud services alone improve security are wrong: “Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” the report says.

“Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”

One thing many cloud attacks have in common, the report adds, is that victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access the cloud services.

Phishing tactics

Threat actors often use phishing emails with malicious links to harvest credentials for users’ cloud service accounts. Some included a link to what appeared to be a secure message, while others looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors used the stolen credentials to gain access to the user’s cloud service account. The attackers then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within the organization’s file hosting service.

Port 80 open

In one case, the report says, an organization didn’t require a virtual private network (VPN) for accessing the corporate network. Although the organization’s terminal server was located inside its firewall, it had been configured with port 80 open, because of the organization’s remote work posture, so that remote employees could reach it directly, leaving the network exposed. The threat actor attempted to exploit this by launching brute force login attempts.

Abuse of email forwarding

In several cases, threat actors collected sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.

In one case the attackers modified an existing email rule on a user’s account — originally set by the user to forward emails from a certain sender to a personal account — to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts. Attackers sometimes modified existing rules to search users’ email messages (subject and body) for several finance-related keywords and forward the matching emails to the hackers.

In other cases the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.
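The rule patterns above (external forwarding, finance-keyword filters, and security warnings shunted into the RSS Feeds folder) are easy to check mechanically once a tenant’s inbox rules have been exported. The following Python is an added example, not code from CISA’s report or from the Sparrow or Hawk tools. The rule records are constructed for the demo; their field names mirror the kind of properties an Exchange Online inbox-rule export carries (forwarding targets, keyword conditions, destination folder) but are an assumption rather than the real schema, as is the corporate domain example.com.

```python
"""Audit exported inbox rules for the abuse patterns CISA describes.

Added example; not code from CISA, Sparrow or Hawk. The InboxRule fields
approximate properties of an Exchange Online inbox-rule export but are an
assumption, as is the corporate domain below.
"""
from __future__ import annotations

from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"  # assumed corporate mail domain

# Folders attackers pick so that hidden messages are unlikely to be noticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items"}
# Terms attackers use to catch warnings about their own activity ...
SECURITY_KEYWORDS = {"phish", "hacked", "suspicious", "password", "security alert"}
# ... and to skim money-related mail for forwarding.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)  # forward/redirect targets
    subject_or_body_contains: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    delete_message: bool = False


def is_external(address: str, corp_domain: str = CORP_DOMAIN) -> bool:
    """True unless the address is in the corporate domain or a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != corp_domain and not domain.endswith("." + corp_domain)


def _matches(phrases: list[str], keywords: set[str]) -> bool:
    # Substring match so "Security Alert: new sign-in" still hits "security alert".
    lowered = [p.lower() for p in phrases]
    return any(k in p for p in lowered for k in keywords)


def audit_rule(rule: InboxRule) -> list[str]:
    """Return human-readable findings for one rule (empty list = looks benign)."""
    findings: list[str] = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards mail to external address(es): " + ", ".join(external))
        if _matches(rule.subject_or_body_contains, FINANCE_KEYWORDS):
            findings.append("external forward is filtered on finance keywords")
    hides_warnings = _matches(rule.subject_or_body_contains, SECURITY_KEYWORDS)
    if hides_warnings and rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves security-related mail into '{rule.move_to_folder}'")
    if hides_warnings and rule.delete_message:
        findings.append("deletes security-related mail")
    return findings


def audit_mailboxes(rules: list[InboxRule]) -> dict[tuple[str, str], list[str]]:
    """Map (mailbox, rule name) -> findings, keeping only rules with findings."""
    return {(r.mailbox, r.name): f for r in rules if (f := audit_rule(r))}


# Constructed sample: one benign rule, one disabled rule, and two of the
# patterns from the CISA report.
SAMPLE_RULES = [
    InboxRule("jane@example.com", "Forward invoices",
              forward_to=["jane.home@mail.example"],
              subject_or_body_contains=["invoice", "payment due"]),
    InboxRule("bob@example.com", "Hide alerts",
              subject_or_body_contains=["phishing", "hacked", "Security Alert"],
              move_to_folder="RSS Feeds"),
    InboxRule("carol@example.com", "Team copy",
              forward_to=["team-lead@example.com"]),
    InboxRule("dave@example.com", "Old forward", enabled=False,
              forward_to=["dave@mail.example"]),
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit_mailboxes(SAMPLE_RULES).items():
        print(f"{mailbox} / {name}:")
        for f in findings:
            print("   -", f)
```

Run against a real export, the same checks should be repeated on a schedule, because the report’s cases involved attackers editing rules that already existed and looked legitimate, so a one-time baseline is not enough.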

MFA abuse

CISA verified that in one case a threat actor successfully signed into one user’s account with proper multi-factor authentication (MFA). CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack.

On the other hand the agency admits MFA did thwart attempted brute force attacks on some accounts.

The report “is a rude awakening that attackers are seeing personal email accounts as the soft underbelly to corporate environments and are starting to use ‘pass-the-cookie’ techniques to successfully bypass multi-factor authentication,” said Ed Bishop, CTO of security firm Tessian. “While phishing is a persistent threat to company security, the risk posed by people sending emails to personal accounts is often overlooked, and it’s a risk that’s been heightened as people work remotely.” He added that personal accounts are easier to compromise because they are typically only protected by home routers, which often expose remote management APIs. Companies should only allow access to corporate cloud infrastructure from known IP addresses, ideally via a corporate VPN endpoint with separate strong authentication or MFA in place.

In addition, businesses must treat remote home networks as untrusted, in the same way they do for airports or coffee shops, and require remote workers to use a VPN for any work-related task. Lastly, it’s important that companies monitor when new forwarding rules are created, and in some cases even disable auto-forwarding rules altogether.

Christian Espinosa, managing director at Cerberus Sentinel, noted that pass-the-cookie attacks aren’t new.

Cookies establish session persistence for web applications, he said in an email, and are placed on a computer whether MFA is used or not. The cookie contains the session ID and access tokens to the web application to avoid constant re-authentication. “This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state.”

He said the way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Cookies should be set with a short lifespan and for a single session, so that when the browser is closed the cookie is made void. Users should be trained to log off the web application and close their browser when they are done using it. Many users never log off or close a browser, he noted, which increases risk.
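Espinosa’s mitigation (short-lived, browser-session cookies plus explicit logoff) is a server-side design decision. As an added example that is not from the article or from any vendor, the Python below keeps all session state on the server, issues an opaque session ID in a cookie without Max-Age or Expires, enforces idle and absolute timeouts, and shows what a replayed (stolen) cookie buys an attacker in each state. The timeout values, user names and the injectable clock are assumptions made for the demo.

```python
"""Server-side sessions that limit the value of a stolen cookie.

Added example, not from the article or any vendor. Policy values, user names
and the injectable clock are assumptions for the demo.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

ABSOLUTE_TTL = 8 * 3600  # assumed policy: no session outlives a working day
IDLE_TTL = 15 * 60       # assumed policy: 15 minutes without a request ends it


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    mfa_verified: bool


class SessionStore:
    """The cookie carries only an opaque ID; everything else stays server side."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, mfa_verified: bool) -> tuple[str, str]:
        """Called after password + MFA succeed: returns (session_id, Set-Cookie value)."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[sid] = Session(user, now, now, mfa_verified)
        # No Max-Age/Expires: a browser-session cookie, discarded when the
        # browser closes. HttpOnly keeps script from reading it, Secure keeps
        # it off plaintext HTTP, SameSite=Strict blocks cross-site sending.
        cookie = f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
        return sid, cookie

    def authenticate(self, sid: str) -> str | None:
        """Validate a presented cookie value; return the user or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            del self._sessions[sid]  # expired: a replayed cookie is now worthless
            return None
        s.last_seen = now
        return s.user

    def logoff(self, sid: str) -> None:
        """Explicit logoff invalidates server side, whatever the browser still holds."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Deterministic clock so the timeouts can be exercised without waiting."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_theft() -> dict[str, bool]:
    """Replay a copied cookie in each state; True means the attacker got in."""
    clock = FakeClock()
    store = SessionStore(clock)
    out: dict[str, bool] = {}

    sid, _ = store.login("jane", mfa_verified=True)
    stolen = sid  # pass-the-cookie: attacker copies the cookie from the browser
    out["while_active"] = store.authenticate(stolen) == "jane"  # MFA is never re-prompted
    clock.advance(IDLE_TTL + 1)
    out["after_idle"] = store.authenticate(stolen) is not None

    sid, _ = store.login("jane", mfa_verified=True)
    store.logoff(sid)  # the user follows the advice and logs off when done
    out["after_logoff"] = store.authenticate(sid) is not None

    sid, _ = store.login("jane", mfa_verified=True)
    elapsed = 0
    while elapsed <= ABSOLUTE_TTL:  # keep the session busy so idle never fires
        clock.advance(IDLE_TTL - 1)
        elapsed += IDLE_TTL - 1
        store.authenticate(sid)
    out["after_absolute_ttl"] = store.authenticate(sid) is not None
    return out


if __name__ == "__main__":
    for state, got_in in simulate_theft().items():
        print(f"replay {state}: {'accepted' if got_in else 'rejected'}")
```

The first result is the point of the CISA case: while the session is live, a copied cookie is accepted with no MFA prompt, so the other three controls (idle timeout, logoff, absolute lifetime) are what bound the window. Bishop’s stricter line, accepting the cookie only from known IP ranges or a VPN egress, can be layered on by recording the client address at login and rejecting mismatches in `authenticate`.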

The CISA report includes a long list of recommendations for better securing cloud applications. For those using Microsoft Office 365, it specifically recommends:

  • Assigning a few (one to three) trusted users as electronic discovery (eDiscovery) managers to conduct forensic content searches across the entire environment (mailboxes, Teams, SharePoint and OneDrive) for evidence of malicious activity.
  • Disabling PowerShell remoting to Exchange Online for regular users. Disabling it for non-administrative users lowers the likelihood of a compromised user account being used to programmatically access tenant configurations for reconnaissance.
  • Not allowing an unlimited number of unsuccessful login attempts.
  • Considering a tool such as Sparrow or Hawk, open-source PowerShell-based tools that gather information from Office 365, to investigate and audit intrusions and potential breaches.

The post Weak cyber hygiene behind many successful cloud attacks, warns US agency first appeared on IT World Canada.

Cyber Security Today – Watch out for marketplace scams, why vulnerabilities are increasing and more

This morning's podcast looks at marketplace scams, why vulnerabilities are increasing, vulnerability reports climbing, an update for an F5 Networks controller and more

The post Cyber Security Today – Watch out for marketplace scams, why vulnerabilities are increasing and more first appeared on IT World Canada.

CRTC says Canadian ISPs may be forced to get tougher on botnets

Canada’s telecom regulator may force internet service providers to adopt network-level botnet blocking to limit criminally-run automated systems’ ability to spread malware.

ISPs can use several techniques to fight botnets, including domain-based blocking, internet protocol (IP)-based blocking and protocol-based blocking. However, these and other strategies aren’t required by regulation or controlled for possible bias.

But on Wednesday, the Canadian Radio-television and Telecommunications Commission (CRTC) called for comments on a proposal to require ISPs to implement strategies to fight botnets at the network level by blocking suspicious email, texts and communications by malware to command and control servers.

It would do so by approving a mandatory or voluntary network-blocking framework that carriers would follow. To meet privacy concerns, the commission says any approved framework has to be done in ways that protect internet user privacy, enable subscribers to opt into or out of message blocking, provide a mechanism to correct possible false positives of messages, ensure blocking decisions are unbiased and made in the best interest of Canadians, and minimize subscriber information monitoring, collection, and usage.

Technically, the CRTC says, any filtering or blocking affects the principle of net neutrality — the concept that all internet traffic should be given equal treatment by ISPs, with little or no prioritization. But there are exceptions, the CRTC notes. For example, blocking access to child exploitation material. If rules for network-based blocking are approved, “a limited exception to net neutrality may be warranted” to give Canadians protection from spyware, information theft and ransomware, the regulator says.

The commission also suggests that rather than leave decisions in the hands of ISPs, an independent body with expertise in cybersecurity might assess whether blocking a particular domain or IP address is justified. That body could also decide how message blocking decisions can be unbiased and accurate. The commission doesn’t suggest a body, but one possibility is the federal government’s Canadian Centre for Cyber Security.

The commission also acknowledges that any blocklist of forbidden IP addresses will need to change regularly to remain accurate. It wants to hear about worries of over-blocking and false positives and ways to take wrongly-blocked addresses off a list quickly.

“Malicious botnet attacks are a serious and recurring concern,” CRTC chair Ian Scott said in a statement. “Almost every week, we see another organization victimized by ransomware or hear of a fellow citizen lured in by a phishing scam. With the launch of this proceeding, we are aiming to better protect Canadian individuals, businesses and institutions against damaging botnet activity.”

ISPs, exchange carriers, web hosting companies, consumers, and others have until March 15th to file comments. Submissions are limited to 20 pages.

In an interview, telecommunications consultant Mark Goldberg said that by launching this consultation, the CRTC might be signaling that blocking and filtering measures ISPs already perform need formal approval of the commission under the Telecommunications Act. Section 36 of the act says a carrier shall not control content or purpose of communications it carries without permission.

In a statement the Competitive Network Operators of Canada (CNOC), which represents many independent ISPs, said the consultation may raise end-user concerns with content interference and blocking and overreach. At the same time, it added, network integrity, public safety, and user safety are crucial. “We will study this new consultation, to identify any meaningful areas requiring comment in terms of independent ISPs and concerns about how this might affect our users, and our ability to compete fairly.”

Greg Young, vice-president of cybersecurity at Trend Micro who used to work for the federal department of communications, applauded the proposal to create an anti-botnet framework. “Anything that blocks known bad traffic is a good thing,” he said in an interview.

The CRTC has the authority to fight spam by enforcing the Canadian Anti-Spam Legislation (CASL), which prevents Canadian-based companies from sending commercial email without the recipient’s consent, installing software on computers without consent, and making false or misleading representations to promote products or services online. The CRTC expects ISPs to take steps to limit such behaviour on their networks. Botnets, which are huge networks of interconnected PCs, servers and other internet-connected devices around the world that pump out spam, violate CASL.

However, most are controlled outside Canada and therefore out of the reach of the regulator. A framework would give ISPs a guide to implementing technologies to block messages from botnets to domains of their command and control (C2) servers, as well as meet privacy concerns.

No one-size-fits-all solution

The CRTC document notes that one strategy alone won’t accomplish its goals. Not all malware connects to C2 servers using domain names, so domain-based blocking won’t work against those attacks. That’s why IP-based blocking (through firewalls that block communications to suspected C2 servers) and protocol-based blocking also need to be used.

The commission says if it goes ahead with mandating botnet traffic blocking, it could do many things to protect privacy. Suggested ideas include prohibiting carriers from monitoring, collecting, or disclosing content or metadata that does not contribute to blocking botnet traffic; limiting monitoring and collection to the destination domain name or IP address requested and the number of times the malicious service is requested, and restricting disclosure of monitored data to parties participating in the blocking program.

And while internet subscribers should know some information from ISPs to decide which provider to choose and whether to participate in a blocking program (such as whether a particular domain or IP address is blocked), the CRTC also says it may put limits on how much an ISP can publicly divulge about its blocking technology.

Carriers can use the consultation to list their preferred blocking techniques, with pros and cons. If domain-based blocking is one, they can say which domain resolver technology they prefer. Domain resolvers translate domain names into IP addresses. Domain resolver providers include the Canadian Internet Registration Authority’s (CIRA) Canadian Shield, Quad9, OpenDNS, Comodo Secure DNS and CleanBrowsing.

(This story has been updated from the original to add statements from CNOC and Greg Young of Trend Micro)

The post CRTC says Canadian ISPs may be forced to get tougher on botnets first appeared on IT World Canada.

Cyber Security Today – The DarkMarket criminal website shut down, hacker gets 12 years in jail, digital currency thefts and more

Today's podcast reports on the capture of a big criminal website, a hacker gets 12 years in prison, digital currency thefts, stolen COVID vaccine data leaked, stolen digital currency and more 

The post Cyber Security Today – The DarkMarket criminal website shut down, hacker gets 12 years in jail, digital currency thefts and more first appeared on IT World Canada.

Network equipment maker Ubiquiti urges admins to change passwords after third-party hack

Administrators with network equipment from manufacturer Ubiquiti are being urged to change their passwords and enable two-factor authentication after the company acknowledged a hack at a third-party may endanger access.

The post Network equipment maker Ubiquiti urges admins to change passwords after third-party hack first appeared on IT World Canada.

Common development error likely led to huge Parler data theft, says expert

The huge theft of data from the controversial — and now almost homeless — social media app Parler was accomplished in part through a common web development mistake, according to one expert.

“Essentially the Parler [software] engineers made a mistake in that they allowed an endpoint [a web address] to exist that people could sequentially query,” says Matt Warner, CTO and co-founder of Blumira, an Ann Arbor, Mich.-based cloud threat detection provider. “And if you can stand up enough people looking at different blocks of numbers you can essentially scrape nearly unlimited amounts of data through that endpoint.”

In short, the URLs Parler developers created included sequential numbers, like “ID=12345.” Knowledgeable people could guess the next numbered page was 12346 and would get a hit if access wasn’t protected.

That’s all right if the page is public. If it’s not — for example, a page that only logged-in bank customer “Jane” is allowed to access — then once anyone is logged in they can see other pages or accounts just by changing the number.

Software developers call this an insecure direct object reference (IDOR), and for years it was one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities. To be exploited, OWASP says, an IDOR issue must be combined with an access control problem, which gives an attacker access to a web page. Warner suggested the researchers or activists might have gained that access after several providers like Twilio dropped Parler after last week’s mob attack on the U.S. Congress. That may have affected email verification, making it easier for new users to sign up and opening the door to the IDOR exploit.

The data scraping happened shortly after it was revealed that Parler would be de-listed by providers because people involved in last week’s mob attack on the U.S. Congress used it to communicate. Apple and Google dropped Parler from their app stores, and Amazon stopped allowing Parler to use its hosting facilities. Parler is now suing Amazon.

In what Warner calls “probably the most co-ordinated hacktivism we’ve seen in a while,” some 15 people who were told of Parler’s vulnerabilities quickly copied apparently almost every user’s post and attachment. According to the news site Gizmodo, 56 terabytes of data were captured.

A question of timing

One interesting question is whether the IDOR vulnerability was discovered after the incident in Washington, or if it’s been known for some time, according to Warner.

IDOR is “a really common risk” among developers who build their own websites and application programming interfaces (APIs), Warner said. “It used to be a lot more common five or 10 years ago when people were standing up early database-driven web sites. It’s not that common these days with the prevalence of UUIDs (universally unique identifier, sometimes called a globally unique identifier), which are long and complex [URL] IDs, but for whatever reason on this specific endpoint, which was associated with their mobile app, they weren’t doing that. And because of that it essentially exposed all of Parler’s attachments and metadata.”

It’s one of the reasons why application security and testing is essential, Warner said. “Parler more than likely didn’t have their application tested from a web application point of view. And it’s one of those things that can cascade very quickly just because it indicates other areas of risk within the environment — if you’re missing checks in this area you’re probably missing other areas in the application.”

IDOR vulnerabilities can be avoided if website designers make sure authentication and authorization of URLs are included early in development, says Warner. Otherwise, “if you have a lot of complex code you have to figure out where to jam that authentication check.”

Another way is to make sure sequential IDs are not part of page numbering, so people can’t guess or brute-force their way to other pages.
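To make the IDOR pattern and both of Warner’s fixes concrete, here is an added Python example (not Parler’s code, which isn’t public, and not Blumira’s) with a sequential-ID lookup that any logged-in caller can walk, the same lookup with an ownership check added, and a UUID-keyed version that also removes enumeration. The attachment store, user names and ID values are constructed for the demo.

```python
"""Sequential-ID lookup beside two hardened versions.

Added example; not Parler's code (not public) and not Blumira's. The store,
users and ID values are constructed for the demo.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass


@dataclass
class Attachment:
    owner: str
    public: bool
    blob: bytes


class NotFound(Exception):
    pass


# Constructed store keyed by sequential integers, as on the vulnerable endpoint.
_BY_SEQ: dict[int, Attachment] = {
    12345: Attachment("jane", public=True, blob=b"jane public post image"),
    12346: Attachment("jane", public=False, blob=b"jane private DM attachment"),
    12347: Attachment("bob", public=False, blob=b"bob private DM attachment"),
}
# The same objects under random, unguessable keys for the UUID variant.
_BY_UUID: dict[uuid.UUID, Attachment] = {uuid.uuid4(): a for a in _BY_SEQ.values()}


def _authorize(caller: str, att: Attachment) -> None:
    """The real fix: deny unless the object is public or owned by the caller.

    Raising NotFound rather than a distinct Forbidden avoids telling a prober
    which IDs exist.
    """
    if not (att.public or att.owner == caller):
        raise NotFound


# 1. Vulnerable: authentication only. Any logged-in caller can read any object.
def get_attachment_vulnerable(caller: str, seq_id: int) -> bytes:
    att = _BY_SEQ.get(seq_id)
    if att is None:
        raise NotFound(seq_id)
    return att.blob  # no check that `caller` may see it


# 2. Fixed with the same sequential IDs: authorization before any bytes go out.
def get_attachment_checked(caller: str, seq_id: int) -> bytes:
    att = _BY_SEQ.get(seq_id)
    if att is None:
        raise NotFound(seq_id)
    _authorize(caller, att)
    return att.blob


# 3. Fixed and enumeration-resistant: authorization plus opaque UUID keys.
def get_attachment_hardened(caller: str, raw_id) -> bytes:
    try:
        key = uuid.UUID(str(raw_id))
    except ValueError:
        raise NotFound(raw_id) from None  # "12346" is not even a valid key here
    att = _BY_UUID.get(key)
    if att is None:
        raise NotFound(raw_id)
    _authorize(caller, att)
    return att.blob


def list_attachments(caller: str) -> list[str]:
    """How a legitimate client learns its own IDs: the server hands them out."""
    return [str(k) for k, a in _BY_UUID.items() if a.owner == caller]


def scrape(endpoint, caller: str, start: int, count: int) -> dict[int, bytes]:
    """What 'sequential querying' looks like: try start, start+1, ... and keep hits."""
    got: dict[int, bytes] = {}
    for i in range(start, start + count):
        try:
            got[i] = endpoint(caller, i)
        except NotFound:
            pass
    return got


if __name__ == "__main__":
    for name, ep in [("vulnerable", get_attachment_vulnerable),
                     ("checked", get_attachment_checked),
                     ("hardened", get_attachment_hardened)]:
        print(f"{name}: bob scraped {len(scrape(ep, 'bob', 12345, 3))} object(s)")
```

The ownership check in `_authorize` is what closes the hole; the UUID keys only stop an outsider from discovering which objects exist. That is why Warner’s first recommendation (put the authorization check in early) matters more than the second, and why the check is shown on the sequential-ID version as well.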

The post Common development error likely led to huge Parler data theft, says expert first appeared on IT World Canada.