Hackers Steal Employee and Corporate Information From Mitsubishi Electric

Personal and corporate information was stolen from electronics and electrical equipment manufacturing company Mitsubishi Electric during a data breach that occurred last year.

In a notice published on Monday, the Japanese company confirmed not only that its network was breached, but also that the attackers may have accessed some personal and confidential corporate information.

The manufacturer revealed that it discovered suspicious behavior on a system on June 28 last year, and that it immediately restricted external access.

The company says its internal investigation has confirmed that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners” hasn’t been stolen.

The company has also revealed that the attackers were careful enough to erase their tracks, which made the compromise difficult to detect on some systems.

Mitsubishi Electric estimates that the hackers exfiltrated around 200MB of data, including employment application information on 1,987 people, employee information on 4,566 people, and information on 1,569 retired employees of affiliated companies.

Confidential technical materials, sales materials, and other trade secrets might have been leaked as well, the company reported.

The manufacturer said it started sending notices of the data breach on January 20, and it is also informing customers about the potential leak of trade secrets. Authorities have been alerted as well.

To access the company’s network, the attackers apparently exploited a vulnerability in an anti-virus product before a patch for it was available, i.e. a zero-day.

According to Japanese newspapers, the attackers gained access to the company’s systems via hijacked email accounts, after initially compromising a China-based affiliate. The hackers had apparently compromised over 120 systems at 14 locations.

Asahi Shimbun reports that data on 10 public and government agencies was stolen during the attack, along with data on the Ministry of Defense, the Ministry of the Environment, the Cabinet Office, the Nuclear Regulatory Commission, and the Agency for Natural Resources and Energy.

The attack is supposedly the work of China-linked hacking group Tick, which has been known to target large companies through their Chinese subsidiaries. Over the past few years, the threat actor has targeted various organizations in Japan and South Korea.

“While the type of data breached is unclear, knowing that Mitsubishi Electric is a top contractor for Japan’s military and infrastructure, this breach is especially concerning. Enterprises and organizations that regularly handle sensitive and confidential data must understand the serious risks associated with a breach of that information and leverage Zero Trust security strategies, where organizations ‘never trust, but always verify’ entities outside and inside their network,” Ben Goodman, CISSP and SVP of global business and corporate development at ForgeRock, told SecurityWeek in an emailed comment.

“To avoid a fate similar to that of Mitsubishi Electric, companies must understand the importance of security solutions that provide full visibility and control over their data. In other words, they must implement tools that detect and remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” Anurag Kahol, CTO of Bitglass, commented via email.

Source: Hackers Steal Employee and Corporate Information From Mitsubishi Electric

2020 Rings in a New Era of Cyber Attacks – and it’s Getting Personal

Recently, I finished a great audiobook by the famed hacker Kevin Mitnick, called “Ghost in the Wires”, where he details his exploits in using social engineering techniques to hack phone systems. For the most part, he used old school methods that involved research, cold calling and convincing people he should have access to their systems. Success was predicated on his skill in manipulation – and the fact that most people inherently want to trust others.

Fast forward to 2020 and social engineering is essentially the same, relying on the techniques pioneered by Mitnick and his peers. The major differences now are that technology and scale play a greater part in the success of today’s attacks.

In a few of my recent articles, I warned about the growth potential for attacks in the coming year and explored some of the methods being adopted by attackers that use technology to ensure greater success.

Many of us are familiar with the two most common types of socially engineered attacks – phishing and spear-phishing – but there are many more to be aware of, including:

Baiting, for example. The age-old story of a hacker leaving a USB device in a carpark, hoping that someone will pick it up and connect to their computer, may sound like the stuff of Hollywood, but it is a surprisingly common attack that has even been used successfully on USB devices given away at computing conferences. Once connected, the USB device will appear to be safe, perhaps containing music or videos. However, it is instead attempting to inject malicious software into the host device.

So, how can a baiting attack be avoided? By never blindly connecting an unknown USB device to your computer. If you do decide to trust the device, make sure you have the latest anti-virus software installed and set to “scan connected devices automatically” to prevent known malware infections.

Pretexting covers several different attacks using emails, texts or phone calls. The attacker will pose as an authority with the intention of leveraging this authority to gain access to private, corporate or personal high value information. For example, in an attack, the target could first be emailed by a family member who says they need money, followed by an urgent text. This is a dangerous attack as it heavily exploits, and ultimately damages, trust.

Verification is the best way to avoid a pretexting attack. As much as we want to trust managers, friends and family members, if you get an unexpected and urgent call pressuring you to provide information or money, take extra steps to verify the request. Hang up and call back on a known number or have the caller provide some information which they would only know if they were genuine.

Tailgating allows an attacker to gain access to a building or a restricted area and is easily executed. For instance, a stranger follows you into the office carrying a heavy box and asks if you can “badge” them in. Or, an unknown person scrambles in behind you, saying “brrr it’s cold outside! I’m glad to get out of the rain.” Either could be a tailgater or present a risk. They are relying on the fact that people want to be helpful and that by appearing to be familiar, they are less likely to be questioned.

Want to avoid a tailgating scenario? If someone asks you to let them in, make sure to escort them to reception – or use their badge to activate the door. Do not rely solely on trust.

Scareware is another successful tactic in recent years, using desktop popups and messages to communicate a fake virus infection warning. Sometimes these messages even appear to be legitimately coming from security companies. Less common, but similar, is to receive the infection message in an email, purporting to come from your internet or security software provider. In both cases, clicking on the message will redirect to a software portal, offering the right software to remove the malware for a cost. At this stage, payment will result in two things: fake antivirus software being installed – or, possibly even malware – and stolen financial information.

Practice caution to avoid scareware. A popup or email stating that you’ve been infected by malware and offering a “click here” fix is likely fake and attempting to scare victims into engaging. Make sure to have the latest antimalware installed, along with the most recent operating system security updates. Never click on unknown popups or emails.

Socially engineered attacks are especially nasty and effective because they rely upon natural human responses to be successful; anyone can be a victim at any time. As both cybercriminals and technology get smarter, the public must also adapt. Educate consumers and employees on the risks and warning signs of these attacks. The idea is to not simply “trust no one;” rather, be cautiously suspicious and train yourself to sniff out the (ph)ishy.

The More Authentication Methods, the Merrier

An Increasingly Diverse, Dynamic Workforce Is Driving Dramatic Change in How Users Authenticate

Remember when being part of an organization’s workforce meant being an employee of that organization, and being “at work” meant sitting in an office at a desktop? In today’s digital age, the latter hasn’t been the case for many people for quite a long time, and in the growing gig economy, the former is becoming less and less common. The workforce is growing more distributed, diverse and dynamic every day, which is driving dramatic change in who’s working, where they’re working, and how they’re connecting with the resources they need to do their work. And if you’re in the business of enabling those connections, it’s driving dramatic change for you.

There are not only more users, but also more kinds of users working in more places, all needing to authenticate in a way that keeps resources secure without making access unduly difficult or time-consuming. And there’s the rub: There’s no one way to achieve that. You need an authentication solution that allows you to authenticate users in multiple ways, both to meet different users’ needs for convenient access and to make multi-factor authentication possible for security purposes. I touched on this in an earlier column about how to evaluate and choose authentication methods; now, let’s take a closer look at some examples of diverse users and their needs, and at what an authentication solution must deliver to meet those needs.

Meet Greg, the Fast-Moving Sales Exec Who’s Never in One Place for Long

We all know this type of user, who is constantly on the go and relies almost entirely on a mobile phone or tablet for access. To make that access easy for him, and secure for the organization, authentication methods that are made for mobility make the most sense. After all, if he has a device in his hand all the time, why not take advantage of it for authentication purposes? Phone-based biometrics, like fingerprint or face recognition, make it easy for this kind of user to quickly authenticate and connect. And on the rare occasions when he needs access through an office workstation or laptop, all he has to do is walk up to it for the device to unlock; as long as he has his authenticating mobile device at hand, proximity authentication does the rest.

Then There’s Judy, Who’s Only in One Place… and Can’t Use a Mobile Device There

Mobile authentication may work perfectly for Greg, but it’s not an option for Judy, a helpdesk representative who works in a call center where mobile devices are prohibited. In this scenario, a physical authenticator like an employer-issued USB security key may be ideal. Hardware-based one-time passcode (OTP) keys may also be great options. There’s also a place for risk-based authentication that takes location into account. Since Judy works in the same building and at the same workstation every day, as long as she logs in from that workstation, she can be quickly authenticated using location services that confirm where she is. This makes authenticating quick and simple, yet secure for the organization. If there’s ever an attempt to log in from a different location using Judy’s credentials, an additional layer of authentication could be required to prove the person attempting to log in is really her. Or the organization could elect to have access automatically denied when a request comes from a different location – which would be reasonable in this case, since Judy only works from one location, without exception.

And Let’s Not Forget the Contractor Who Relies Entirely on Devices You Don’t Control

What about contractors or gig workers who aren’t traditional employees? How do you provide them with the access they require, absent direct control of the devices they’re using to access your organization’s resources? This is a perfect use case for a hardware or software token. A hardware token-based one-time passcode, or a software app that generates passcodes on a mobile phone, will make it possible for non-employees to prove they are who they say they are, no matter what devices they use for access.

Hardware- and software-based OTP solutions also work well for all types of users in environments with no network or internet connectivity. They’re ideal replacements for desktop passwords when the work environment provides no easy way for laptop, desktop or infrastructure components to connect to remote authentication services. In fact, I’m writing this on a flight that has limited Wi-Fi capabilities, and I was able to use my trusty software OTP on my iPhone (in airplane mode) to securely log into my laptop. This is especially important at a time when a lot of attention is paid to protecting connections to web-based applications or cloud-based SaaS applications. We all need to remember the critical nature of information that exists on people’s devices, including laptops, and the need to protect that information.

As the examples above illustrate, diversity in the workforce drives the need for diversity in authentication. As the workforce continues to evolve, a one-size-fits-all approach won’t work for different identity and access management needs across organizations. Managing access in ways that keep diverse users productive and engaged while also keeping your organization’s information secure will continue to be a challenge. Meeting that challenge depends on identity teams understanding the needs of different users and choosing a solution that provides a unified platform for secure enrollment, flexible choices for authentication and identity assurance, and features to reduce the burden on the IT help desk when users lose their credentials or obtain new mobile devices. Keep in mind, too, that adding a layer of risk-based authentication to augment all the options for authentication can further increase security and also reduce user friction.

In my next column, I’ll share ways risk-based authentication can make access experiences better for all the users I’ve described here. As always, awareness is the first step, and I hope the information provided is helpful to you in your journey.

Source: The More Authentication Methods, the Merrier

Serious Vulnerabilities Expose Honeywell Surveillance Systems to Attacks

Some of Honeywell’s MAXPRO video surveillance systems are affected by serious vulnerabilities that can be exploited by hackers to take complete control of the system, a researcher has discovered.

Researcher Joachim Kerschbaumer told SecurityWeek that he reported his findings to Honeywell in September 2019 and the vendor released patches after roughly 2 months, which he says is a fast response time compared to other physical security systems manufacturers he has contacted to report flaws.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) published an advisory this week for the vulnerabilities found by Kerschbaumer. CISA learned about the security holes from Honeywell, and Kerschbaumer says the agency’s description of the vulnerabilities is not entirely accurate.

Kerschbaumer identified two vulnerabilities in Honeywell’s MAXPRO video management system (VMS) and network video recorder (NVR) products. Specifically, they impact HNMSWVMS and HNMSWVMSLT VMS products, and XE, SE, PE and MPNVRSWXX NVR products. MAXPRO VMS 560 Build 595 T2-Patch and MAXPRO NVR 5.6 Build 595 T2-Patch address the vulnerabilities. Honeywell has shared information about the vulnerabilities in its SN 2019-10-25 01 security notice.

Vulnerabilities found in Honeywell surveillance systems

One of the weaknesses, CVE-2020-6959, has been described as a deserialization issue that can lead to unauthenticated remote code execution. The second flaw, CVE-2020-6960, is a SQL injection vulnerability that can also be exploited remotely without authentication.

The researcher has provided the following descriptions for the vulnerabilities:

CVE-2020-6959: A default installation of MAXPRO starts a Windows service that hosts a service that uses .NET Remoting for communication. Due to the nature of .NET Remoting and the unsafe hardcoded configuration of this service, an attacker can create custom payloads that use the .NET BinaryFormatter with available open source tools.

As soon as the service receives the payload, it deserializes it no matter whether the data is of the type the service expects. There is no form of authentication or preventative measures in place in order to avoid this. This can be exploited in order to execute arbitrary code with the permissions of the service that executes the payload. In this case the service runs with SYSTEM-level permissions by default.

CVE-2020-6960: A default installation of MAXPRO starts a service called “TrinityService” (which contains a broad range of services necessary for the system). The service was created using Microsoft’s Windows Communication Foundation (WCF) and hosted an endpoint using Microsoft’s proprietary binary SOAP protocol. This service contained a service method that accepted a generic “Request-Object”.

By supplying a specially crafted object, an attacker can provide arbitrary SQL statements as a parameter that immediately get executed by the service, resulting in full control over the database. By default the service user is allowed to reconfigure the default installation of Microsoft’s SQL Server, which allows enabling additional (available by default) SQL Server features that allow an attacker to execute code with SYSTEM-level permissions. No authentication is needed to call this method remotely.

Both vulnerabilities can give an attacker complete control over the targeted system with SYSTEM-level privileges. This would allow them, among other things, to access video feeds and change the system’s configuration, Kerschbaumer said.

The CVSS score assigned by CISA to the vulnerabilities puts them in the critical severity category, but Honeywell’s advisory rates them as high severity — CISA says attack complexity (AC) in the CVSS score calculation is low, while Honeywell says it’s high.

Kerschbaumer told SecurityWeek that the vulnerabilities are not particularly difficult to exploit — he has demonstrated exploitation using freely available tools — but in most cases an attack requires network access to the targeted systems, as the ports they use are typically not exposed to the internet.

Kerschbaumer said these vulnerabilities were identified as part of a larger research project into video management systems and access control systems. The project targeted over 40 products and resulted in the discovery of more than 60 vulnerabilities.

New Ransomware Process Leverages Native Windows Features

A new methodology for instigating ransomware makes use of Windows’ own Encrypting File System (EFS). EFS has been a part of Windows since Windows 2000. Unlike Windows’ BitLocker — which is a full disk encryption feature — EFS can selectively encrypt individual files or folders. It does this transparently to the user, using a key that is partly stored in an accessible file, and partly computed from the user’s account password. Once set up, the user does not need to provide a password for EFS to work.

A potential ransomware process using EFS was discovered by researchers at SafeBreach. The approach uses only Windows features — and can consequently be defined as a form of ‘living off the land’ — but the primary difference from traditional ransomware is that it relies on Windows features that are less likely to be monitored. Eight steps are required for attackers to use EFS ransomware.

Firstly, the ransomware will generate the key to be used by EFS, using AdvApi32!CryptGenKey. It then generates a certificate using Crypt32!CertCreateSelfSignCertificate, and adds it to the certificate store. It sets the current EFS key to this store, and then invokes AdvApi32!EncryptFile on every file to be encrypted.

The ransomware saves the key file (whose name was recorded in step 1) to memory, and deletes it from the two folders %APPDATA%\Microsoft\Crypto\RSA\<sid> (where <sid> is the user SID) and %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.

The attacker then flushes the EFS data from memory leaving the files unreadable to either the user or the operating system; and wipes the slack parts of the disk to ensure that no temporary files can be salvaged. Finally, the ransomware can encrypt the key file data, and send the decryption key to the attacker. If asymmetric encryption is used for this, the only way to decrypt the files will be through use of the attacker’s private key.
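The sequence above is what a behavioural detection would key on: a single process that generates a key, self-signs a certificate, calls EncryptFile against many files, and then deletes material from the RSA key-store folders named in the article. The following is an added example, not SafeBreach's or any vendor's code, showing such a correlation rule in Python. It assumes an EDR feed that reports API call names and file paths per process; the event shape (`ts`, `pid`, `image`, `api`, `path`) and the sample telemetry are constructed for the demo, and the mass-encryption threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# The two key-store locations from the write-up (per-user SID folder and MachineKeys).
RSA_KEY_STORE = re.compile(
    r"\\Microsoft\\Crypto\\RSA\\(S-1-5-[0-9-]+|MachineKeys)\\", re.IGNORECASE
)

# API calls in the order the write-up lists them.
STAGES = ("CryptGenKey", "CertCreateSelfSignCertificate", "EncryptFile")
MASS_ENCRYPT_THRESHOLD = 20  # assumption: tune to the estate's normal EFS usage


@dataclass
class ProcessState:
    seen: list = field(default_factory=list)      # stage names in first-seen order
    encrypted: set = field(default_factory=set)   # distinct paths passed to EncryptFile
    key_deleted: bool = False                     # key material removed from the RSA store


def analyse(events):
    """Return {pid: verdict} for processes that complete the EFS-ransomware sequence.
    Each event is a dict with ts, pid, image, api, path (constructed telemetry shape)."""
    state = defaultdict(ProcessState)
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = state[ev["pid"]]
        api = ev["api"]
        if api in STAGES and api not in st.seen:
            st.seen.append(api)
        if api == "EncryptFile":
            st.encrypted.add(ev["path"].lower())
        if api == "DeleteFile" and RSA_KEY_STORE.search(ev["path"]):
            # Deleting key-store files is only suspicious after the process has
            # generated and installed its own key; a normal profile cleanup is not.
            if st.seen[:2] == list(STAGES[:2]):
                st.key_deleted = True
    verdicts = {}
    for pid, st in state.items():
        ordered = st.seen == list(STAGES)
        if ordered and len(st.encrypted) >= MASS_ENCRYPT_THRESHOLD and st.key_deleted:
            verdicts[pid] = "efs-ransomware-sequence"
    return verdicts


def sample_events():
    """Constructed telemetry: one process running the full sequence, one user simply
    enabling EFS on two documents through the shell (must not alert)."""
    sid = "S-1-5-21-1111-2222-3333-1001"  # constructed SID
    ev = [
        {"ts": 1, "pid": 4242, "image": "C:\\Temp\\updater.exe", "api": "CryptGenKey", "path": ""},
        {"ts": 2, "pid": 4242, "image": "C:\\Temp\\updater.exe",
         "api": "CertCreateSelfSignCertificate", "path": ""},
    ]
    for i in range(25):
        ev.append({"ts": 10 + i, "pid": 4242, "image": "C:\\Temp\\updater.exe",
                   "api": "EncryptFile", "path": f"C:\\Users\\alice\\Documents\\doc{i}.docx"})
    ev.append({"ts": 100, "pid": 4242, "image": "C:\\Temp\\updater.exe", "api": "DeleteFile",
               "path": f"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\{sid}\\keyfile"})
    for i in range(2):
        ev.append({"ts": 50 + i, "pid": 1337, "image": "C:\\Windows\\explorer.exe",
                   "api": "EncryptFile", "path": f"C:\\Users\\alice\\Documents\\private{i}.xlsx"})
    return ev


if __name__ == "__main__":
    for pid, verdict in analyse(sample_events()).items():
        print(f"pid {pid}: {verdict}")
```

The rule deliberately requires all three ordered stages plus the key-store deletion, which is what separates this sequence from a user legitimately turning on EFS; the corresponding response is to preserve the process memory and the RSA folders before anything is terminated, since the key file is held only in memory at that point.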

“The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista),” state the researchers.

They tested the methodology against ESET Internet Security, Kaspersky Anti Ransomware Tool for Business, and MS Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763). None of these solutions would detect this form of ransomware; however, it should be stressed that this is not a flaw in any security product, nor even a vulnerability in Windows (the Windows code works exactly as it was intended to). It is possibly best described as a potential adversarial manipulation of designed logic — or a form of living off the land.

The researchers sent their findings to 17 of the major vendors of Windows endpoint protection, anti-malware and anti-ransomware. The majority, ten of the 17, accepted the issue and have developed workarounds for their products. A few did not accept the argument. Avira, for example, replied, “We believe that this potential bypass which is dependent upon a customized use scenario is not a realistic ‘failure point’.”

Microsoft replied, “We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria…).”

One vendor — Panda — said that its own protection methodology would or could block the approach. “Only processes classified as goodware at our Panda detection cloud can modify the included/protected files,” it said.

Only one of the vendors, F-Secure, said ‘thank you, we already detect this’. Anthony Joe Melgarejo, service owner in F-Secure’s tactical defense unit, gave SecurityWeek further details. “In July 2019,” he said, “we were contacted by a researcher at SafeBreach regarding a potential security bypass technique in multiple anti-ransomware vendors’ products. SafeBreach had not specifically tested against F-Secure SAFE, but had found that the ‘vast majority’ of competing products it had tested were vulnerable.”

When F-Secure tested the technique, it found that its product already detected and blocked it (detection name Trojan.TR/Ransom.Gen) through its backend AI and heuristic file analysis. However, his colleague, principal security consultant Antti Tuomi, pointed to the importance of SafeBreach’s research. “By using tools that exist on the target, such as the Windows EFS in this case, you are more likely to avoid the logistics and potential compatibility issues of bringing in your tooling without getting caught. Seeing the same concept used by more manual attackers be successfully used in more automated malware is an interesting (although not completely unexpected) development. On the defensive side,” he continued, “and from an incident response/detection tooling point-of-view, this underlines the need for detecting not just potentially malicious software and tools, but malicious behavior regardless of what tools are used.”

The threat from EFS ransomware is greater for individual users than for corporations. “Machines that are joined to a domain,” Amit Klein, VP security research at SafeBreach, told SecurityWeek, “have the EFS key automatically backed up to the domain controller, and the domain controller could restore the key without reference to the attacker.”

There is also a relatively simple workaround for individual users. If EFS is not required, explain the researchers, “A user with administrator rights for a Windows machine can turn off EFS by setting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 0. Group Policy can be used for enterprise-wide disabling of EFS.”

The Windows OS developers, as opposed to the anti-ransomware app developers, could solve the problem entirely by adding a new feature to stand-alone Windows. It would simply require the EFS keys to be backed up safely — similar to backing up to the domain controller — in a place or manner that is inaccessible to the ransomware attacker.

In the meantime, individual users should check with their anti-ransomware vendor that their product will detect this type of EFS attack, and use the registry solution if it does not.

Silicon Valley-based SafeBreach was founded in 2014 by Guy Bejerano and Itzik Kotler. It offers a breach and attack simulation platform. It raised $15 million in a Series B funding round in May 2018, bringing the total raised to $34 million.

Source: New Ransomware Process Leverages Native Windows Features