Weekly CyberTip: Safe disposal of old phones and computers
Just as you would shred old documents containing sensitive or personal information, you must take precautions to protect data left on phones, computers, or obsolete media before discarding them.
While reformatting or wiping a disk will defend against “casual” theft, determined hackers may still be able to piece together data from discarded hardware or media like CDs or USB drives. Consider using software that deletes data to high-security standards. If you cannot do this yourself, investigate a service that will securely wipe, degauss, or physically destroy your old tech to make sure no one can access it.
NSA issues urgent “wildcard TLS certificate” warning
On October 7, the National Security Agency (NSA) issued a press release warning IT administrators about the dangers of “wildcard” TLS certificates.
The NSA provided five recommendations to help mitigate the risk of poorly-implemented wildcards and defend against so-called “ALPACA” (Application Layer Protocol Content Confusion Attack) threats, which become exploitable when wildcard certificates are used too permissively.
The NSA’s warning includes the following recommendations:
+ Understanding the scope of each wildcard certificate used in your organization
+ Using an application gateway or web application firewall in front of servers, including non-HTTP servers
+ Using encrypted DNS and validating DNS security extensions to prevent DNS redirection
+ Enabling Application-Layer Protocol Negotiation (APLN) [sic], a TLS extension that allows the server/application to specify permitted protocols where possible
+ Maintaining web browsers at the latest version with current updates
Wildcard certificates gained popularity in the early days of domain registration with administrators seeking to cut costs and enjoy the convenience of licensing a blanket certificate instead of purchasing individual certificates for each domain in use. Used judiciously, this can be a good strategy; however, used carelessly or left unsecured, these certificates can create significant risks. Complete details about vulnerabilities and mitigation strategies are documented in the NSA’s official cybersecurity information sheet. Recorded Future also provides example breach scenarios to help guide mitigation efforts.
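The first recommendation, understanding the scope of each wildcard, can be checked mechanically. The script below is an added example (not from the newsletter or the NSA sheet): it applies the wildcard matching rules TLS clients use (the `*` must be the entire left-most label and matches exactly one label) to a constructed SAN list and an assumed host inventory, and reports which hosts, HTTP or otherwise, end up sharing one certificate and key.

```python
# Added example (not from the newsletter or the NSA sheet): audit which inventory
# hosts a wildcard certificate's SAN entries actually cover.
from collections import defaultdict


def san_matches(pattern: str, host: str) -> bool:
    """Return True if a SAN dNSName pattern covers host.

    A '*' is honoured only as the whole left-most label and matches exactly one
    label, so *.example.com covers api.example.com but not dev.api.example.com
    and not the bare example.com. Patterns such as *.com or f*.example.com are
    rejected, mirroring what browsers accept.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def wildcard_scope(sans, hosts):
    """Map each wildcard SAN to the inventory hosts it covers.

    Every host listed under one wildcard shares that certificate's private key,
    which is the cross-service exposure ALPACA-style content confusion relies on.
    """
    coverage = defaultdict(list)
    for pattern in sans:
        if "*" in pattern:
            for host in hosts:
                if san_matches(pattern, host):
                    coverage[pattern].append(host)
    return dict(coverage)


# Constructed sample data: one wildcard certificate and an assumed host inventory
# that mixes HTTP and non-HTTP services under the same parent domain.
SANS = ["*.example.com", "example.com"]
HOSTS = ["www.example.com", "api.example.com", "smtp.example.com",
         "ftp.example.com", "dev.api.example.com", "example.org"]

if __name__ == "__main__":
    for pattern, covered in wildcard_scope(SANS, HOSTS).items():
        print(f"{pattern} covers {len(covered)} host(s): {', '.join(covered)}")
```

Any wildcard that covers both web servers and non-HTTP services such as SMTP or FTP is a candidate for splitting into per-service certificates or fronting with the gateway the NSA recommends.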
Streaming service suffers massive hacktivist data breach
According to a report in Threatpost, the popular live-streaming video site “Twitch” has been breached, with the entirety of its corporate digital assets – including system source code (live and under development), proprietary SDKs and web services, financial reports, and even internal “red team” security tools – being published online. The cache of stolen data, estimated to be 125Gb, was posted as a “torrent” file on the infamous posting board “4chan”.
Twitch confirmed the breach on its Twitter account, but has disputed claims that user login information and encrypted passwords were also stolen in the incident, seeking to calm its user base.
In contrast to many recent breaches, the motivation behind the attack appears to be punitive rather than financially-driven. According to the Threatpost report, the unidentified hackers have called the leak a means to “foster more disruption and competition in the online-video streaming space,” because the Twitch “community is a disgusting toxic cesspool”.
Twitch has come under fire recently for its inability to control extensive posts containing extreme racist and transphobic content. Protesters recently boycotted the streaming service for 24 hours to protest the hate content, with the action reducing viewer hours to the lowest levels in 2021.
Researchers identify quick-strike Python-based malware for VMware
While investigating a recent ransomware incident, security researchers have discovered a Python ransomware script that is both simple and extremely fast in encrypting target VMware systems. According to a report in Bleeping Computer, the script took under three hours to encrypt all of the victim’s virtual machines and VM settings files, taking the vulnerable target system offline. A tiny 6kb Python script was at the heart of the attack.
The attackers reportedly breached the unidentified victim’s network over a weekend by “logging into a TeamViewer account running on a device with a domain admin logged on”. The attackers then pivoted to connect to a poorly-secured ESXi server, from which they were able to launch the rest of the attack.
The Python script works quickly by shutting down each virtual machine, overwriting the original files stored on the datastore volumes, then deleting them to block any recovery attempts, leaving only encrypted files behind.
While devastating, the damage caused by this new script is avoidable. “Administrators who operate ESXi or other hypervisors on their networks should follow security best practices, avoiding password reuse, and using complex, difficult to brute-force passwords of adequate length,” recommended the researchers. “Wherever possible, enable the use of multi-factor authentication and enforce the use of MFA for accounts with high permissions, such as domain administrators.” Remote-access tools like the one exploited in this incident are always attractive targets for hackers, so restrictions on their usage and on admin access to them must be in place at all times as well.