Category: In The News

  • NSA, FBI, CISA Statement on Russian SVR Activity

    What does it mean for your business?

    Summary of the Statement

    Last week, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint statement on five different vulnerabilities that the Foreign Intelligence Service of the Russian Federation (SVR RF) is known to be exploiting currently.

    How does this affect your business?

Even if your business is not a target of the SVR RF, other threat actors, such as ransomware gangs, are taking advantage of the same vulnerabilities. Therefore, if you have been using any of the affected product versions, you should take them offline, upgrade to the most recent version, and begin an incident response process to verify your servers are not compromised. Additionally, Raxis recommends performing the same process on other recently exploited products such as SolarWinds Orion and Microsoft Exchange Server.

    Affected Product Versions & Associated CVEs

    Fortinet FortiGate VPN

    • Version: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
    • CVE: CVE-2018-13379

    Synacor Zimbra Collaboration Suite

    • Version: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10
    • CVE: CVE-2019-9670

    Pulse Secure Pulse Connect Secure VPN

    • Version: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
    • CVE: CVE-2019-11510

    Citrix Application Delivery Controller and Gateway

    • Version: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b
    • CVE: CVE-2019-19781

    VMware Workspace ONE Access

    • Version: VMware Workspace ONE Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1-3.3.3 on Linux, VMware Identity Manager Connector 3.3.1-3.3.3 and 19.03, VMware Cloud Foundation 4.0-4.1, and VMware vRealize Suite Lifecycle Manager 8.x
    • CVE: CVE-2020-4006

    Remediation

    If your business is running any of the aforementioned product versions, upgrade immediately to the most recent versions following the guides for each product below:

    Fortinet FortiGate VPN

    Synacor Zimbra Collaboration Suite

    Pulse Secure Pulse Connect Secure VPN

    Citrix Application Delivery Controller and Gateway

    VMware Workspace ONE Access

    SolarWinds Orion

    Microsoft Exchange

    Additionally, Raxis recommends beginning an incident response process on any servers exposed to the internet that are running these product versions, as they are actively being exploited in the wild.

    Associated Links

    NSA, FBI & CISA Statement: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/

    CVE Links:
  • Exploring Attack Security: Insights from Raxis Experts

    In this captivating episode of the Confident Defense podcast, host Conor Sherman engages in an enlightening conversation with Raxis’ Brian Tant (CTO) and Brad Herring (VP of Business Development). Brian and Brad, with their extensive experience, provide invaluable insights into the ever-evolving sphere of attack security.

    As the discussion unfolds, Conor seeks to demystify fundamental terms such as red teaming and pen testing. Brian and Brad not only clarify these concepts but also delve into the intriguing realm of purple teaming. They guide companies on the optimal path for testing progression, emphasizing the need for mature attack security. Topics span from the unique security challenges posed by COVID-19 to framework-level assessments. Brian and Brad advocate for organizations to strive for greater security than their peers while addressing vulnerabilities effectively.

    The conversation takes a thrilling turn as Brian and Brad share real-world anecdotes from their consulting work. Listeners are treated to tales of a high-stakes penetration test for a bank and an adrenaline-fueled social engineering engagement with an EMC (where Brian found himself dodging bullets and seeking refuge). Amidst these gripping stories, they shed light on hacking key card security systems, underscore the importance of robust password management, and emphasize the value of visibility and ongoing assessment in the dynamic landscape of cybersecurity.

    Tune in to discover the secrets behind the scenes—a world where security professionals operate like modern-day 007 agents, navigating intrigue, risk, and resilience.

  • SolarWinds Supply Chain Attack – Updated 12/18/2020

    On December 8, 2020, FireEye disclosed that it had been breached by a sophisticated threat actor that had accessed some of its internally developed red team tools. On December 12, FireEye disclosed that this access, and access to many other companies, was accomplished through a supply chain attack against SolarWinds Orion, a monitoring product that is deployed across a myriad of other organizations in the public and private sectors.

    What we know: SolarWinds’ Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020, were affected by the supply chain attack. At present, we believe other versions are not affected.

    Who was affected: In addition to FireEye, anyone running these SolarWinds versions should assume they have been compromised and should take immediate action to mitigate this exposure.

    What to do:
    • Power down any SolarWinds Orion products that are running or have run versions 2019.4 HF 5 through 2020.2.1.
    • Upgrade to the SolarWinds Orion Platform version 2020.2.1 HF 1 immediately.
    • On Tuesday December 15, 2020, upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2. This is a critical release that addresses the exposure.
    • If your company has used the affected versions, assume that the network has been breached and implement applicable incident response processes.
    • This was a far-reaching attack perpetrated by highly skilled threat actors. Evidence of the attack may be hard to detect, and Indications of Compromise (IOCs) may change over time as more information becomes available.
    How did this happen:

    SolarWinds was the victim of a sophisticated supply chain attack. Supply chain attacks target components that are trusted by their users in order to gain a foothold within an organization, product, or other target. This can happen to in-house software components, third-party libraries, or even in the manufacturing of devices. How the attackers gained access to the SolarWinds platform remains unclear, but multiple payloads were delivered between March and May 2020 via digitally signed SolarWinds updates containing a trojanized SolarWinds.Orion.Core.BusinessLayer.dll.

    Technical Details:
    • The trojan placed on the system lies dormant for up to two weeks before making a DNS request to avsvmcloud[.]com to get the details of a Command and Control (C2) server.
    • Further communications with the C2 server masquerade as SolarWinds API traffic.
    • The trojan downloads multiple types of payloads, including a memory-only dropper that FireEye has named "TEARDROP." A Cobalt Strike Beacon payload has also been detected.
    • After gaining a foothold, the attacker used remote access and conducted lateral movement using legitimate account credentials to establish persistence and carry out ongoing attacks.
    • The attack prioritizes stealth and persistence, only using hostnames enumerated within the target environment and restricting traffic to mostly IP addresses from the target’s country.
    • The attacker modifies files and scheduled tasks to drive remote execution and later reverts them back to their original contents in order to evade detection.

    FireEye has released countermeasures for these threats, including Snort and Yara rules. For more specific details on the delivered malware, how it avoided detection, and other threat signatures, see the FireEye blog post detailing the attack.
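An added hunting example, not code from Raxis or FireEye, that applies the DNS indicator above to resolver query logs: it flags every client that resolved avsvmcloud[.]com or any subdomain of it and records first and last seen times, which helps bound when a dormant implant woke up. The log line format, client addresses and the subdomain label are constructed for the example.

```python
"""
Hunt for SUNBURST-style first-stage lookups in DNS query logs.

Constructed example: the only real indicator is the defanged domain named in
the post; the log format is a made-up, BIND-like query-log line, so adapt the
regex to your resolver's format.
"""
import re
from datetime import datetime

# Indicator from the post, kept defanged so it is never clickable in reports.
DEFANGED_C2_DOMAIN = "avsvmcloud[.]com"

# Constructed sample: three hosts; one resolves the C2 domain on two days,
# once with a trailing dot, and one resolves a look-alike that must NOT match.
SAMPLE_DNS_LOG = """\
2020-03-30T02:14:07 client 10.20.30.40#51234: query: www.solarwinds.com IN A
2020-03-30T02:14:09 client 10.20.30.40#51235: query: api.solarwinds.com IN A
2020-04-13T03:01:55 client 10.20.30.40#51240: query: constructedlabel.avsvmcloud.com IN A
2020-04-13T03:02:00 client 10.20.30.41#41001: query: update.microsoft.com IN A
2020-04-14T03:01:57 client 10.20.30.40#51241: query: CONSTRUCTEDLABEL.avsvmcloud.com. IN A
2020-04-14T09:20:10 client 10.20.30.42#40002: query: notavsvmcloud.com IN A
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as avsvmcloud[.]com into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


def is_c2_lookup(qname: str, c2_domain: str) -> bool:
    """True if qname is the C2 domain itself or a subdomain of it.

    The label boundary is enforced, so notavsvmcloud.com does not match.
    """
    name = qname.lower().rstrip(".")
    return name == c2_domain or name.endswith("." + c2_domain)


def find_c2_lookups(log_text: str, defanged_domain: str = DEFANGED_C2_DOMAIN) -> dict:
    """Return {client_ip: {"count", "first_seen", "last_seen", "names"}} for matching clients."""
    c2 = refang(defanged_domain)
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole hunt
        if not is_c2_lookup(m["qname"], c2):
            continue
        ts = datetime.fromisoformat(m["ts"])
        entry = hits.setdefault(
            m["client"], {"count": 0, "first_seen": ts, "last_seen": ts, "names": set()}
        )
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["names"].add(m["qname"].lower().rstrip("."))
    return hits


if __name__ == "__main__":
    for client, info in find_c2_lookups(SAMPLE_DNS_LOG).items():
        print(f"{client}: {info['count']} lookup(s) of {sorted(info['names'])} "
              f"between {info['first_seen']} and {info['last_seen']}")
```

Any host this reports should be treated as a candidate for the incident response process the post recommends, not as a confirmed compromise on its own.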

    Updates

    December 18, 2020

    Who was affected:

    In addition to FireEye, Microsoft confirmed that its systems were affected by the SolarWinds breach and has helped identify an additional 40+ of its own customers that were affected. [1]

    Additionally, RedDrip7 and Bambenek have put forth research into DNS records and other Indicators of Compromise to help people determine whether they have been compromised. [2]

    However, anyone running these SolarWinds versions should still assume they have been compromised and should take immediate action to mitigate this exposure.

    [1] https://www.bleepingcomputer.com/news/security/microsoft-identifies-40-plus-victims-of-solarwinds-hack-80-percent-from-us/

    [2] https://github.com/bambenek/research/tree/main/sunburst

  • Tesla Proves People are First Line of Cyber Defense

    By now, most of you have surely read or heard about the Tesla employee who turned down a lot of money to help a hacker break into the company. Who wouldn’t want $1 million to plug in a USB drive? As a business owner, how confident are you that an employee wouldn’t take this deal?

    This is a fantastic story, and I’m happy to see the integrity of this employee. Yeah, a million dollars is amazing but he was part of a great story and took down someone that could have cost his employer millions more.  

    This type of situation is extreme compared to most others we’ve seen. A lot of times it takes only $100 to convince a cleaning person or security guard to do this. Sometimes, just $50 can get an employee to open the door for an attacker so they can do it themselves.

    And don’t forget about extortion. We’ve seen situations where a C-Level person was blackmailed into giving up a password to a system or plugging in a drive because an affair or some other secret was discovered. 

    This story proves that people are watching and doing a very good job of knowing their staff. Technology can help in these types of situations but training and integrity are the keys here. This employee was honest and saved Tesla millions of dollars in potential ransom, not to mention the bad publicity and potential loss of intellectual property. 

    I hope they rewarded him with the million dollars he was originally offered.

  • Windows 10 Vulnerability Highlights Need for Physical Security Testing

    During our more advanced Red Team penetration testing attacks, Raxis customers are often shocked to discover that we’ve not only been inside their network, but we’ve also been inside their buildings, their server rooms, and even their individual offices. It would take days to explain all the tricks and techniques we use to do that, so let’s focus on the more important question of why we do it.

    The simple answer is that physical access to devices opens up a world of possibilities to an attacker. In fact, a recent Forbes article about a Windows 10 security problem offers an excellent example of what can happen when a bad guy gets to spend a few minutes alone with your computer.

    Notice in the article that Bjorn Ruytenberg says that a hacker with the right equipment needs less than five minutes of access to exploit the Windows 10 vulnerability… even if the computer is not on. The attacker only needs physical access to the device. This is an important finding because 95% of the time when Raxis conducts a physical, social-engineering assessment, we succeed in gaining unchallenged physical access to facilities and devices – even when armed guards are employed. Security is often perception, and our techniques commonly bypass guards, electronic devices, and employees. We often find unmanned workstations and usually find ourselves with these devices for far longer than the 5 minutes that Ruytenberg says it takes.

    What’s the takeaway? In the real world, cybersecurity must complement physical security. In other words, patch your Windows but don’t forget to lock your windows as well.

  • An Earth Day Message from Raxis

    With our planet in the grips of the COVID-19 pandemic, Earth Day 2020 definitely has a different vibe this year. In some ways, the virus serves as a reminder of how closely connected we are to one another and how little control we actually have over nature. Our activities can severely impact it, and our technology can sometimes predict it, but all it takes is a tiny strand of RNA to remind us that we are inhabitants of Earth and not its masters.

    If there can be any upside to this worldwide tragedy, it may be that many more businesses are coming to understand the benefits of allowing team members to work from home. At Raxis, we’ve enjoyed those advantages since we launched the company in 2011. For us, it makes sense on many levels.

    Atlanta is a large city and, no matter where we put an office, some of us would face commute times of an hour or more. As penetration testers, we have little need to share infrastructure or applications – we have our own tools and leverage VPNs. We have also become experts at online chat and audio/video conferencing, and we hold frequent team-building events to nurture camaraderie and friendship.

    For Raxis, the remote-work model continues to pay dividends in terms of productivity and quality of life – but that’s just at the company level. What’s really exciting is to think about the prospect that thousands of other businesses might now join our ranks. That’s because, in the few short weeks that COVID-19 has forced us to stay home, we’ve seen air quality improve around the world and greenhouse gas emissions dropping dramatically. Fewer cars on the roads also means fewer accidents and lower insurance costs. And for many, less time in their vehicles has meant more time with family, hobbies, and exercise.

    We won’t miss social distancing but imagine the improvements we could see over the long term if remote work becomes the norm.

    As a cybersecurity company, we can’t ignore the potential threats from hackers and scammers. In fact, my Raxis colleagues and I spend a lot of time warning businesses and their employees about the risks of working from home. With diligence and appropriate safeguards in place, however, a home office isn’t necessarily less secure than a traditional office.

    Of course there are also many who cannot work from home – police, first responders, emergency room personnel, to name just a few. Even so, their working conditions could well improve if more of the rest of us do stay home. In addition to making the highways safer, for example, less congestion means emergency personnel can get to the people who need them faster. Stores, restaurants, gyms, and salons could see customer traffic spread more evenly throughout the day. All of this would likely mean less of a burden on our federal, state, and local employees as well.

    Still, it would be naïve to think that the COVID-19 emergency on its own will cause an immediate and fundamental change in the way the world does business. It’s likely that these blue skies will fade a bit when people go back to work and the pace of life picks back up. But it’s also possible that this terrible pandemic has come with a silver lining – a brief glimpse at the benefits of living and working more sustainably.

    Our hope for this Earth Day is that the time we’ve spent away from the office has given us time to consider whether so many of us need one at all.


  • Raxis COO Shares WFH Cybersecurity Tips on Columbus, Ohio’s Fox 28

    “Protect your data in the same way you protect your health.” That’s the main message our own Bonnie Smyre delivered today in an interview on Good Day Marketplace, a popular television show in the Columbus, Ohio area.

    Raxis COO, Bonnie Smyre, on Good Day Marketplace

    Bonnie explained to host Shawn Ireland and her audience that hackers and scammers know that Americans are worried about COVID-19 and are hungry for reliable information now. That’s why it’s important to only visit sites you know are safe and never click links inside unsolicited emails. She also talked about the importance of keeping personal information off your work devices.

    Bonnie cautioned that, even though slow Internet speeds can be frustrating, don’t disable spam and virus filtering or endpoint protection in hopes of speeding things up.

    Check out Bonnie’s full interview here: https://myfox28columbus.com/sponsored/good-day-marketplace/gdm-raxis-information-security

  • Remote Security Series: Protect Your Network Health Like Your Own

    Most of us understand by now (hopefully) that this COVID-19 emergency is not the time to take chances with our health and safety. The benefits of being disease free far outweigh the costs of some social distancing and extra diligence about hygiene. However, I’m worried that many companies don’t seem to make the connection between what they’re doing to protect their employees and what they should be doing to protect their data.

    That’s dangerous because hackers are heartless. In their world, COVID-19 doesn’t bring suffering and death; to them, it’s all about opportunity and wealth. Like a virus, they’re attacking the most vulnerable and leaving untold damage in their wake.

    Unfortunately, we’ve seen and heard about companies across America that are making hackers’ jobs easier. For example, the additional strain of accommodating remote workers has caused many IT departments to open ports and grant access that they would never allow normally.

    RDP, VPN, oh my!

    One common problem is companies opening remote desktop protocol (RDP) access, which can be easily exploited. Others have VPN configuration errors that slow network traffic, frustrate users, and put pressure on IT staff to relax security measures in order to improve productivity. And some are not monitoring network traffic, which can open the door to brute force attacks. Raxis is seeing this firsthand in many of the external and remote internal penetration tests we are currently conducting for our customers.

    Add to this the challenge of team members accessing the network with their home devices. Each one brings with it a high degree of risk that most office-based IT teams aren’t accustomed to managing at scale.

    The bad guys know all this, of course. That’s why we’ve seen a surge of attacks, many based on the COVID-19 emergency itself. Scammers know we’re scared, tired, and worried for ourselves and our loved ones. We’re more likely to click on a malicious link or reveal sensitive information – and less likely to have appropriate safeguards in place when we do.

    Where to start

    So, what’s the solution? Our previous posts in this series have talked about ways to make networks more resilient from a technological perspective. But this is also a time when IT pros have a responsibility to safeguard their companies’ infrastructure and protect their employees. It’s up to you to make sure that productivity doesn’t come at the expense of security, even if that isn’t what your C-suite leaders or colleagues want to hear right now.

    The good news is that you don’t have to go it alone. Raxis experts can help you discover and document any unintended security consequences that come from your team working remotely. We can provide a fresh, hacker’s-eye evaluation of your perimeter defenses along with continual assessments to make sure they remain effective. We also offer many remote solutions that go hand in hand with the new workplace guidelines for many of our customers.

    Just as the coronavirus has made us more careful about our physical health, the resulting work-from-home experience should make us much more conscious of our cybersecurity posture. Give us a call and let’s talk about how Raxis can help you emerge from this crisis more secure and more confident about working remotely.

    Contact Raxis for more information.

    Want to learn more? Take a look at the first part of our Remote Security Series.

  • Remote Security Series: Urgent Questions You’ll Face About VPN and Remote Access

    As the coronavirus has pushed almost all of the workforce remote, IT teams have been very busy making networks accessible in ways they weren’t previously. Most organizations plan for a consistent number of users remotely accessing the network. I doubt any planned for a nearly global work-from-home (WFH) event like COVID-19.

    As a result, I’ve worked with a few companies to help implement some very last-minute WFH solutions. I came away with a better understanding that there are some critical questions companies need to be asking (and answering) right now. 

    Do you have enough VPN licenses? Imagine being told on a Friday afternoon that everyone will be working from home for the foreseeable future. One company’s VPN was licensed for 100 users but had over 250 working remotely. Their immediate answer was to open up remote desktop ports for each user’s office computer. Bad idea, especially considering a few passwords were very insecure, including “Winter2020!” and “Corona2020$.” 

    Do you have enough bandwidth? Like VPN licenses, most companies have plenty of bandwidth to handle office data and the normal load of remote users with no issues. But with everyone working from home and many streaming media, this can cause a lot of strain on your network and lead to performance issues and outages.  

    Is split tunneling appropriate for your company? In many cases, split tunneling is a great way to address the bandwidth issue. However, you lose some encryption as you now have only certain applications and network traffic going back through the encrypted VPN. This can lead to data being mishandled, so make sure you have safeguards in place to prevent that. Also, it’s a good idea to block streaming services through the VPN tunnel or on an endpoint protection product. 

    Are your users trained to use the VPN? With the rush to get users set up, users who worked in the office every day are now trying to do the same type of work from home. This may be painfully slow if they are accustomed to 1000 Mbps in the office and get only 50 Mbps at home. Their fix will be to download files locally, work on them, and then upload them back when done (we hope). That raises a couple of other important questions…

    Do they delete sensitive data from their computers when they are done? Do they even know they should do this? If there’s even a speck of doubt, I strongly recommend putting data loss prevention (DLP) tools on the endpoints to ensure data isn’t leaving the network unsecured.

    Do you have a ‘shadow IT’ problem you didn’t know about? Here’s an interesting issue I ran into recently: A company realized there were employees who had been working remotely for years, but who didn’t know how to use the VPN to access files they need on a daily basis. I decided they either have integrity challenges, or they have unauthorized side channels they may not know about. Let’s set aside the ethics issue and assume you suspect the latter. Now would be a good time to start monitoring traffic going out to popular file sharing services. In an incident response situation, these services create more areas to audit, and your price tag and scope just increased a lot. Imagine thinking you have 10 servers and 400 workstations to check and then adding every Dropbox, Box.net, Sync and OneDrive account and folder. 

    Is your VPN network being monitored or logged? How many concurrent connections are allowed per user? This is important if a user is compromised and you allow unlimited connections per user. A malicious person can be connected to your network and it may go unnoticed. That’s why you should enforce MFA on your remote access solution.
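An added example, not Raxis' code or any VPN vendor's log format, for the concurrent-connection question above: it replays login/logout events from a VPN log and reports, per user, the peak number of simultaneous sessions and the distinct source addresses involved, so a second session riding on a stolen account stands out. The log format, user names, addresses and the one-session policy limit are constructed assumptions.

```python
"""
Detect users holding more concurrent VPN sessions than policy allows.

Constructed example: replays LOGIN/LOGOUT events and flags users whose peak
concurrent session count exceeds the assumed policy limit. A logout that
happens at the same instant as a login is processed first, so a clean
reconnect is not mistaken for an overlap.
"""
from collections import defaultdict
from datetime import datetime

MAX_CONCURRENT_SESSIONS = 1  # assumed policy: one live session per user

# Constructed sample log: "<timestamp> <event> user=<name> src=<ip> session=<id>"
# alice has two overlapping sessions from two addresses; bob reconnects cleanly.
SAMPLE_VPN_LOG = """\
2020-04-06T08:01:12 LOGIN user=alice src=203.0.113.10 session=1001
2020-04-06T08:03:45 LOGIN user=bob src=198.51.100.7 session=1002
2020-04-06T08:15:02 LOGIN user=alice src=192.0.2.55 session=1003
2020-04-06T12:30:00 LOGOUT user=alice session=1001
2020-04-06T17:06:00 LOGIN user=bob src=198.51.100.7 session=1004
2020-04-06T17:06:00 LOGOUT user=bob session=1002
"""


def parse_events(log_text):
    """Parse lines into (timestamp, order, user, event, src, session), sorted in replay order.

    Lines that are not LOGIN/LOGOUT events are skipped rather than failing the sweep.
    """
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ("LOGIN", "LOGOUT"):
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        ts = datetime.fromisoformat(parts[0])
        order = 0 if parts[1] == "LOGOUT" else 1  # logout sorts before login at equal times
        events.append((ts, order, fields.get("user"), parts[1],
                       fields.get("src"), fields.get("session")))
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def concurrent_session_report(log_text, limit=MAX_CONCURRENT_SESSIONS):
    """Return {user: {"peak": n, "sources": set, "over_limit": bool}} for every user seen."""
    open_sessions = {}                   # session id -> owning user
    live = defaultdict(int)              # user -> number of currently open sessions
    report = defaultdict(lambda: {"peak": 0, "sources": set(), "over_limit": False})
    for _ts, _order, user, event, src, session in parse_events(log_text):
        if event == "LOGIN":
            open_sessions[session] = user
            live[user] += 1
            report[user]["sources"].add(src)
            report[user]["peak"] = max(report[user]["peak"], live[user])
            report[user]["over_limit"] = report[user]["peak"] > limit
        else:
            owner = open_sessions.pop(session, user)  # tolerate logouts for sessions we never saw open
            if live[owner] > 0:
                live[owner] -= 1
    return dict(report)


if __name__ == "__main__":
    for user, info in concurrent_session_report(SAMPLE_VPN_LOG).items():
        flag = "OVER LIMIT" if info["over_limit"] else "ok"
        print(f"{user}: peak {info['peak']} session(s) from {sorted(info['sources'])} [{flag}]")
```

A user flagged here with sessions from two different addresses is exactly the case the post describes, and enforcing MFA on the VPN is what keeps the second session from being established in the first place.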

    Are user endpoints encrypted and patched? Your end users are now working on networks with potential default passwords and weak wireless security, which you probably can’t control. It is very important, then, that you harden as much of what you can control as possible. Once your WFH solutions are in place, make sure you remember to audit their security. Don’t let a rush to get users working remotely lead to costly misconfigurations and data breaches — just because they click a malicious COVID-19 update or decide to watch cat videos.

    Does your business continuity plan reflect the new reality? Remote access to critical data should be a part of your business continuity plan. Being surprised by a hard limit of users on your VPN appliance can lead to a rush to provide accessibility, which in turn can lead to bad security decisions. Testing this plan will also show you areas that need to be addressed or that would be much easier to handle if you had known ahead of time. Also, ensure you have an updated remote access and VPN policy in place. Your end users will not always make smart security decisions, so ensure that they have a document to reference.

    The coronavirus emergency is putting all of us to the test, but especially the IT teams who shoulder the responsibility for keeping a remote workforce secure and productive. Make sure you have good answers to these questions and, if you need help, remember we are here for you.

    Raxis is always happy to discuss your unique circumstances and to offer options specific for your needs as well as your budget.

    Contact Raxis for more information.

    Want to learn more? Take a look at the next part of our Remote Security Series.

  • Remote Security Series: Review Remote Workforce Policies

    The coronavirus emergency has made it clear that some companies are ready for the new work-from-home (WFH) reality, with mature and tested policies for managing remote business workflows. Others were caught off-guard and now find themselves developing and refining their procedures even as they’re being implemented.

    Especially in times of crisis, we humans need structure, boundaries, and clear guidance to help us feel secure and remain productive. So much so that we’ll create our own in the absence of any guidance. And while a little flexibility is a good thing, remote work brings technology and cybersecurity challenges that demand clear, relevant, and effective policies to protect the company’s network.

    Turning the problem into an opportunity

    Though most companies are now facing the radical shift to a remote workforce, the smart ones are using this emergency as an opportunity to review and update their remote work policies. Even for those that have transitioned smoothly to WFH, the scale of this change makes it prudent to double check the security posture of their teams. Those that do will find more ways to make their operations more secure and efficient; those that don’t may become corporate casualties of the coronavirus.

    Safeguarding sensitive data

    One of the biggest security issues for businesses is handling sensitive data like Social Security, credit card, or bank account numbers. Do you have procedures in place to make sure that information can be sent and received securely? Take a close look at how sensitive data flows across your newly extended network boundaries. Make sure you’ve accounted for identity management, client information, and any type of financial divulgence or payment.

    Like a rubber band, your network perimeter thins as it expands. Remote workers are at a heightened risk of direct attacks against their personal data. Emphasize the importance of documented policies regarding internal communications. Some examples might include never asking for passwords, verifying critical or sensitive requests, and MFA support.

    Business continuity processes (you do have them, don’t you?) no longer enjoy the luxury of encompassing a small number of sites. They now must accommodate an increasingly dynamic footprint of inputs from remote workers. Use this experience to update them to include such things as better internal communications, more productivity checkpoints, remote device wipe, and alternate contact information for remote workers.

    Include guidance about the personal use of business assets and make sure your VPN enforces a minimum level of security compliance before authorizing network connections. That should include requiring the use of company devices, keeping your endpoint protection up to date, and making sure any necessary agents are installed.

    In addition, you should enforce MFA on all systems that connect to network resources. Implementing MFA requires planning, but it offers much more robust security at the perimeters.

    All of these efforts are important, but they’re doomed unless you also have an effective way to let your workers know about them. Now is the time to communicate more frequently about security and be on guard against localized attacks like phishing and spear-phishing. Not sure about that email? Don’t open it. Hold off on sending hyperlinks so that any links received stand out for additional scrutiny.

    Where to start

    These are just a few of the ways you can make sure your business turns the problems you face with remote work into opportunities to make the experience more effective for your company and your team.

    If you need more help or want experts to help you transition to WFH, Raxis offers thorough security reviews and guidance on Teleworking, Security, and Business Continuity / Disaster Recovery (BC/DR) policies.

    Contact Raxis today for more information.

    Want to learn more? Take a look at the next part of our Remote Security Series.