This has been an interesting year for cybersecurity news, and November is no different. Read on to find out the articles our team has been sharing and talking about at the (Zoom) water cooler.
The Expedia/Booking.com breach
Millions of Expedia and Booking.com customers’ data has been exposed. Prestige Software, a company responsible for a hotel reservation system used by booking.com and Expedia, was storing extremely sensitive data from as far back as 2013 on a misconfigured Amazon Web Services (AWS) S3 bucket. The details include credit card and CVV numbers, full names, addresses and other details, all unprotected. Digital privacy experts call the leak and the number of consumers affected “beyond comprehension”.
“This is important because it shows how vital it is to maintain a minimum level of security in every element of IT. An ‘old-fashioned’ outlook on security and system administration still exists, and many of the possible threats in cloud services and non-traditional platforms are unknown to users At CounterCraft, we use these typical overlooked pieces to create effective and tempting breadcrumbs.”. – CounterCraft Senior Threat Analyst
Source: The Independent, November 12
Top American cybersecurity official fired
After Chris Krebs, America’s top cybersecurity official, publicly voiced that the 2020 election was the most secure election to date, he faced immediate blowback from the Trump administration. The White House was unhappy with his efforts to combat disinformation about voter fraud — claims that have primarily been coming from Trump and his allies. He received words of support from across the aisle, confirming that, as he stated in August, “Cybersecurity is apolitical.”
“The top White house official got fired for doing the right thing. He was accepted across both parties, respected by others, and the idea of having someone there to protect U.S. elections in terms of cybersecurity is great. However, it’s a shame to see a professional who, by doing their duty and ensuring the cyber aspect of the U.S. elections went well after the interference in 2016, has ended up losing his job.” —Dan, Founder and CSO
Source: CBS News, November 18
2 Hours to ransom with Ryuk
Ryuk ransomware has shot to the top of the news cycle, thanks to recent threats and attacks on prominent industries. This article offers a case summary of the attack with great technical detail, from the initial Bazar execution to the deployment of Cobalt Strike and subsequent Zerologon exploit and lateral movement.
“Ransomware just keeps getting faster. In this post, the DFIR report shows the technical details of a threat actor’s attack using Ryuk that ransomed systems in less than three hours, something that used to take days.” -David, Founder and CEO
Source: The DFIR Report, November 5
Stolen data doesn’t always get deleted
Over the last year, there have been more and more instances of ransomware gangs stealing data before encrypting it. This article talks about how not deleting data enables them to ‘punish’ businesses who rely on backups to avoid paying the ransom by threatening to publish the sensitive data online. Some gangs publish the data even after the ransom is paid. Negotiation for suppression of data can be an infinite cycle, a nightmare for breached businesses.
“It’s obvious that criminals aren’t to be trusted. This article shines a light on why that is particularly damaging for ransomware victims. The only solution is to stop the attackers from getting the data in the first place.“ -The Development Team
Source: ZDNet, November 6
Massive hacking linked to China
A group that has been active in espionage-style hacking as early as 2009 has now been linked to a recent worldwide hacking campaign using the most sophisticated techniques, according to this article. Code named Cicada, this group is thought to be funded by the Chinese government, and has targeted companies with links to Japan. These hacks take advantage of unpatched versions of Windows, using Zerologon to access Active Domain controllers and escalate privileges.
“This is an example of threat actors taking advantage of human error and the simple failure to patch software to get an all access pass to the Active Directory domain controllers on a network. Patch your software!” -David, Founder and CEO
Source: Ars Technica, November 19