There were loads of interesting discoveries in the cybersecurity realm this month. Check out the articles that have made their rounds throughout our group chat and see why we think they’re so fascinating!
Belgium Government Discovers Old 2019 Hack during Hafnium Investigation
The Belgian government’s IT staff was investigating the Microsoft Exchange/Hafnium breach when they found a surprise—additional signs of compromise dating all the way back to 2019. Officials say the attack was highly targeted and very sophisticated, making them suspect nation-state espionage. The identity of the attackers was not shared.
“The discovery of an old compromise while you are investigating a recent one is interesting because it shows you didn’t even have a former breach on your radar when it happened. This one in particular shows that the threat actors were in the system for a long time, which makes this case a perfect example of where deception would have been the best tool. Adding that “extra layer” could have helped alert their presence as well as discover the MO of the attackers, leading to an ultimate discovery of who it is and what they are looking for.” — Member of the Development Team
Source: The Record, May 26
An Open Source Honeypot for Operational Technology (OT) Systems
A team of students at UC Berkeley created hunnypOT, a network appliance that simulates an Industrial Control System network. It provides an early warning system so that attacks on Critical Infrastructure (such as power plants, water treatment facilities and telecommunications networks) can be detected before the attacker can cause damage. Their simple solution is open source, leveraging Conpot, and improves realism by supporting more PLC commands.
“It’s great to see Berkeley students making access to emulated PLCs easier, via a discreet unit. This is a really cool class project.” — Dan, Founder
Source: UC Berkeley, Spring 2021
The Untold Story Of The SolarWinds Hack
One of the decade’s biggest hacks is finally getting the longform treatment it deserves. Maybe it will even make it into Hollywood sometime soon—this article by NPR is definitely dramatic enough! What started as a routine software update installed malicious code on thousands of customers’ machines and gave threat actors a foothold in some quite valuable places. The story is fascinating, not just to see how things unfolded but to see the craftiness of the adversary and the painful yet common cracks in security every little step along the way.
“This is another example of how technology can have a hard time preventing access from third parties that acquire valid credentials. As the old adage says, a security ecosystem requires different, complementary layers. Opsec, deception and Zero trust designs are three of these layers.” – Member of the Customer Success Team
Source: NPR, May 16
Amazon’s Sidewalk Network Is Turned On by Default
Amazon is preparing to finally power up its massive “Sidewalk” mesh network, which uses Bluetooth and 900MHz radio signals to communicate between devices. American Amazon customers are already opted in to this service, which makes it possible for smart home devices to serve as a sort of bridge between your WiFi connection and one another. Unfortunately, your neighbor’s devices can also be connected to your networks, so this is a bit of a privacy issue.
“Although this is not something that should have an impact on enterprises in the foreseeable future I think it is worth talking about it because it will pose a new threat for enterprises now that remote working is not so unusual anymore and the enterprise perimeter has become foggy at best.” – Fernando, Founder
Source: Inc., May 18
Vulnerability in VMware Product Has Severity Rating of 9.8 out of 10
A remote code vulnerability in a VMWare product has data centers around the world scrambling to patch the security flaw. It resides in the vCenter Server, a tool used for managing virtualization in large data centers. vCenter Server is used to administer VMware’s vSphere and ESXi host products, which by some rankings are the first and second most popular virtualization solutions on the market. This is the second vCenter vulnerability this year to carry a 9.8 rating, which is very serious.
“VMware products are used by many companies to run their private clouds. As Shodan shows, many companies have public facing vCenter Server instances. If anybody exploits this vulnerability they can potentially take full control of their infrastructure.” — Xabi, Lead Software Architect
Source: Ars Technica, May 25