The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets.
While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' as reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their Twitter privilege account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, that scammer(s) orchestrated a near-simultaneous Bitcoin scam tweets to be posted from the high profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year British man from Bognor Regis.
There was a very serious critical Windows vulnerability disclosed as part the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350 it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.
Given SIGRed is a wormable vulnerability, it makes it particularly dangerous, as wormable malware could exploit the vulnerability to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to exploit privilege level accounts (i.e. admin accounts found on Servers). The Microsoft CVE-2020-1350 vulnerability can be mitigated on effected systems by either applying the Microsoft Windows DNS Server Microsoft released patch (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 or by applying a Registry Workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)
As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banning their purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
- BT says 'impossible' to remove all Huawei kit in under 10 years
- The UK faces mobile blackouts if Huawei 5G ban imposed by 2023
- Huawei ban 'would depress GDP and spark inflation', think tank warns
- Huawei: The company and the security risks explained
- Huawei U-turn: Cyberattacks, levies and other possible repercussions of the UK's 5G move
Russian Hacking Group (APT 29) was jointly accused of targeting the theft of coronavirus vaccine research by the UK NCSC, the Canadian Communication Security Establishment (CSE), United States Department for Homeland Security (DHS), Cyber-security Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK has rejected allegations, "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. While Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".
Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers, one million files of Fitness Brand 'V Shred' was discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly V Shred defended the researcher findings by claiming it was necessary for user files to be publicly available and denied that any PII data had been exposed.
- Twitter Hack & Scam
- Returning to the Workplace and the Ongoing Threat of Phishing Attacks
- iPhone Hacks: What You Need to Know About Mobile Security
- Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats
- How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal'
- Cyber Security Roundup for July 2020
- 45 High Profile Twitter Accounts Hacked and Used to Scam Followers
- Blackbaud Hack: Universities Lose Data to Ransomware Attack
- Russian Hacking Group (APT 29) is Targeting Coronavirus Research Theft
- Huawei 5G kit must be removed from the UK by 2027
- Hacker Ransoms 23k MongoDB Databases and Threatens to contact GDPR Authorities
- Hackers try to Steal £1m Transfer Fee during Football Club Cyber Attack
- Dave ShinyHunters Hack Exposes 7.5 Million User Records
- Smartwatch Maker Garmin took Offline by Cyber Attack
- Open S3 Bucket Exposes One Million Files of Fitness Brand V Shred
- SEI Investments Customer Data Exposed in Ransomware Attack on Vendor
- Microsoft Patches 123 Vulnerabilities
- Microsoft Critical Warning to Fix Wormable Bug “SIGRed”
- Adobe Patch Tuesday: Adobe eliminates Four Critical Bugs
- Adobe Fixes 12 Critical Bugs in Second Round of July Patches
- Adobe mends Critical Code Execution Flaws in Magento
- Cisco Patches Severe Traversal Vulnerability Exploited in the Wild
- ‘Boothole’ Threatens Billions of Linux, Windows Devices
- Survey of 127 Routers’ Vulnerabilities: Remote Workers Warned over Security Flaws
- Dacls RAT’s Goals are to Steal Customer Data and Spread Ransomware
- GoldenSpy: Chinese Tax Software found to Dish Out Backdoor Malware
- Report: The Cost of Ransomware in 2020. A Country-by-Country Analysis
Often in discussions with customers and potential customers, questions arise about our penetration testing services, as well as penetration testing in general. In this post, we want to walk through Mandiant's take on the five W's of penetration testing, in hopes of helping those of you who many have some of these same questions. For clarity, we are going to walk through these W's in a non-traditional order.
First and foremost, it's important to be upfront with yourself with why you are having a penetration test performed (or at least considering one). If your organization's primary motivation is compliance and needing to "check the box," then be on the lookout for your people attempting to subtly (or not so subtly) hinder the test in order to earn an "easy pass" by minimizing the number of findings (and therefore the amount of potential remediation work required). Individuals could attempt to hinder a penetration test by placing undue restrictions on the scope of systems assessed, the types of tools that can be used, or the timing of the test.
Even if compliance is a motivating factor, we hope you're able to take advantage of the opportunity penetration testing provides to determine where vulnerabilities lie and make your systems more secure. That is the real value that penetration testing can provide.
Finally, if you are getting a penetration test to comply with requirements imposed on your organization, that will often drive some of the answers to later questions about the type and scope of the test. Keep in mind that standards only dictate minimum requirements, however, so you should also consider additional penetration testing activities beyond the "bare minimum."
There are really two "who" questions to consider, but for now we will just deal with the first: Who are the attackers that concern you? Are they:
- Random individuals on the Internet?
- Specific threat actors, such as state-sponsored attackers, organized criminals, or hacktivist groups?
- An individual or malware that is behind the firewall and on your internal corporate network?
- Your own employees ("insider threats")?
- Your customers (or attackers who may compromise customers' systems/accounts)?
- Your vendors, service providers, and other business partners (or attackers who may have compromised their systems)?
The answer to this will help drive the type of testing to be performed and the types of test user accounts (if any) to provision. The next section will describe some possible penetration test types, but it's helpful to also discuss the types of attackers you would like the penetration test to simulate.
What type of penetration test do you want performed? For organizations new to penetration testing, we recommend starting with an external network penetration test, which will assess your Internet-accessible systems in the same way that an attacker anywhere in the world could access them. Beyond that, there are several options:
- Internal network penetration test - A penetration test of your internal corporate network. Typically we start these types of assessments with only a network connection on the corporate networks, but a common variant is what we call an "Insider Threat Assessment," where we start with one of your standard workstations and a standard user account.
- Web application security assessment - A review of custom web application code for security vulnerabilities such as access control issues, SQL injection, cross-site scripting (XSS) and others. These are best done in a test or development environment to minimize impact to the production environment.
- Social engineering - Using deceptive email, phone calls, and/or physical entry to gain access to systems.
- Wireless penetration test - A detailed security assessment of wireless network(s) at one or more of your locations. This typically includes a survey of the location looking for unauthorized ("rogue") wireless access points that have been connected to the corporate network and are often insecurely configured.
If budgets were not an issue, you would want to do all of the above, but in reality you will need to prioritize your efforts on what makes sense for your organization. Keep in mind that the best approach may change over time as your organization matures.
In what physical location should the test take place? Many types of penetration testing can be done remotely, but some require the testers to visit your facility. Physical social engineering engagements and wireless assessments clearly need to be performed at one (or more) of your locations.
Some internal penetration tests can be done remotely via a VPN connection, but we recommend conducting them at your location whenever possible. If your internal network has segmentation in place (as we recommend), then you should work with your penetration testing organization to determine the best physical location for the test to be performed. Generally, you'll want to do the internal penetration test from a network segment that has broad access to other portions of the internal network in order to get the best coverage from the test.
Another "Where" to consider for remote testing is where the testers are physically located. When testers are in a different country than you, legal issues can arise with data provisioning and accessibility. Differences in language, culture, and time zones could also make coordination and interpretation of results more difficult.
We recommend that most organizations get some sort of security assessment on an annual basis, but that security assessment does not necessarily need to be a penetration test (see Penetration Testing Has Come Of Age - How to Take Your Security Program to the Next Level). Larger organizations may have multiple assessments per year, each focused in a different area.
Within the year, the timing of the penetration test is usually pretty flexible. You will want to make sure that the right people from your organization are available to initiate and manage the test - and to receive results and begin implementing changes. Based on your organization's change control procedures, you may need to work around system freezes or other activities. Testing in December can be difficult due to holidays and vacation, along with year-end closeout activities, especially for organizations in retail, e-commerce, and payment processing.
If you have significant upgrades planned for the systems that will be tested, it is typically best to schedule the test for a month or two after the upgrades are due to be finished. This will allow some time for the inevitable delays in deploying the upgrades as well give the upgraded systems (and their administrators) a bit of time to "settle in" and get fully configured before being tested.
Who (part 2)
The other "who" question to consider is who will perform the penetration test? We recommend considering the following when selecting a penetration testing provider:
- What are the qualifications of the organization and the individuals who will be performing the test? What differentiates them from other providers?
- To what degree does their testing rely on automated vulnerability scanners vs. hands on manual testing?
- How well do they understand the threat actors that are relevant to your environment? How well are they able to emulate real world attacks?
- What deliverables will you receive from the test? Are they primarily the output of an automated tool? Ask for samples.
- Are they unbiased? Do they use penetration tests as a means to sell or resell other products and services?
No doubt, there are other questions that you will want to consider when scoping a penetration test, but we hope that these will help you get started. If you'd like to read more about Mandiant's penetration testing (and other) services, you can do so here. Of course, also feel free to contact us if you'd like to talk about your situation and how Mandiant can best assess your organization's security.