Report

Weekly Threat Report 24th February 2017

Created:  24 Feb 2017
Updated:  24 Feb 2017
This report is drawn from recent open source reporting.

Ex-employee threats to business

A disgruntled former system administrator at a US paper and packing manufacturing company was recently sentenced to 34 months in prison for causing the company $1.1 million worth of losses.

His network accesses were not revoked when he was fired in 2014, enabling him to establish a VPN connection to the industrial plant. Through this, he was able to send commands over a two-week period that caused 'significant damage to Georgia-Pacific and its operations'. Open source suggests that he may have modified Industrial Control Systems pertaining to a quality checking process, which it appears hindered production.

Privilege misuse by former employees is a significant insider risk as a determined malicious insider may retain valuable knowledge of a company's programs and network. Ensuring these privileged accesses are removed significantly reduces the likelihood of this occurring, and requires companies to implement effective identity and access management procedures. The NCSC provides guidance on managing user privileges.
 

Supply chain operations through systems administrators

Research by security company RSA, taken further by cyber security researcher Brian Krebs, recently identified a "sophisticated software application supply chain attack", involving the compromise of event log management software used by systems administrators within numerous organisations, probably including defence contractors, telecommunications companies and financial institutions.

While victims have not been identified, the list of organisations believed to be customers of the affected software supplier includes some major UK companies, as well as many US and international organisations.

RSA began its investigation after suspicious beaconing was observed going to a command and control server. Its investigations uncovered a number of victims and ultimately revealed that a legitimate vendor's website (and software packaging system) had been compromised for a short period in 2015, causing purchasers and existing users to download malicious, compromised software or software updates, instead of the genuine version. RSA comments that such supply chain operations are effective because they are hard to spot and can provide the attacker with access to a large number of victims.
 

SOHO router vulnerabilities

Router security is sometimes seen as a low priority, and attackers are seizing the opportunity. SOHO (small office/home office) routers are seen as particularly soft targets by cyber criminals, as they are typically used by small organisations without dedicated security staff. Various exploits can be used to compromise routers, though these are sometimes unnecessary as the default login credentials are commonly left unchanged. A compromised router may allow the attacker to spy on user browsing activity, and could also be used to redirect DNS traffic to a malicious server.

Legitimate DNS servers are a vital part of internet architecture, bridging the gap between human-readable web addresses (such as ncsc.gov.uk) and machine-readable IP addresses (54.192.28.195). A DNS server will accept a web address, and return an IP address which can be used to navigate across the internet to the computer which hosts that website.

A malicious DNS server can redirect web traffic to any location. Attackers can then harvest login credentials by sending victims to imitation websites, enable further exploitation by sending them to pages which will infect their computers with malware, or defraud online advertisers by generating fake click-throughs.
 

Vulnerabilities

Cisco dominates the vulnerabilities landscape this week with updates for their Email Security Appliance, Web Security Appliance, Intrusion Prevention System, Meeting Server, Secure Access Control System, Identity Services engine, Unified Computing System, Unified Communications Manager and Prime Collaboration Assurance products. These updates fixed a range of different vulnerabilities potentially causing variously the bypassing of security restrictions, elevation of privileges, SQL injection, cross-site scripting or the obtaining of sensitive information.

Xen released two updates, one to fix an out-of-bounds memory error and the other to fix a memory leak, the former potentially leading to local users gaining admin rights on a guest system and the latter allowing local users to cause a denial-of-service condition. Elsewhere this week there were updates for OpenSSL, IBM Security Access Manager, QEMU, NetBSD, Trend Micro's InterScan Web Security Virtual Appliance, cURL and PCRE.

Was this report helpful?

We need your feedback to improve this content.

Yes No