Cybersecurity News & Trends for August 26, 2022

Here’s your summary of curated cybersecurity news and trends from leading media and IT security bloggers.

The mid-year update to the 2022 SonicWall Cyber Threat Report continues to garner press hits while other SonicWall news (delivery of Wi-Fi 6 Wireless Access Points) rises to the top of the cycle. Industry News was shaken up with the discovery that Microsoft’s multi-factor authentication was hacked by a Russian group called Nobelium. The MFA hack is our Big Read for the week with sources from Microsoft, ZDNet, TechRadar, and Bleeping Computer. In other news, from Hacker News, SMS-based phishing attacks against employees at Twilio, Cloudflare and other companies were part of an extensive smartphone attack campaign. From TechMonitor, the LockBit ransomware group was targeted with a DDoS attack after they released hacked Entrust data. And according to Bleeping Computer, hackers use a zero-day bug to steal more crypto from Bitcoin ATMs.

Remember that cybersecurity is everyone’s business. Be safe out there!

SonicWall News

SonicWall Ships Wi-Fi 6 Wireless Access Points

Channel Pro Network, SonicWall News: SonicWall has introduced a pair of remotely manageable Wi-Fi 6 access points designed to secure wireless traffic while boosting performance and simplifying connectivity. The SonicWave 641 and SonicWave 681, part of the vendor’s new SonicWave 600 series, are based on the 802.11ax standard, which according to SonicWall can increase overall wireless throughput by up to 400% compared to Wi-Fi 5 technology and reduce latency by up to 75%.

10 States Most at Risk for Malware Attacks

Digital Journal, SonicWall News: Malware attacks—when an intruder tries to install harmful software on the victim’s computer without their knowledge—are a huge problem around the world. Beyond Identity collected data from the 2022 SonicWall Cyber Threat Report to rank the top 10 US states that are the most at risk for malware attacks.

Managing Risk: Cloud Security Today

Silicon UK, Bill Conner Quoted: GCHQ advisor and cybersecurity veteran at SonicWall, Bill Conner, commented on the rise in attacks: “We are dealing with an escalating arms race. At the same time, threat actors have gotten better and more efficient in their attacks. They are now leveraging readily available cloud tools to reduce costs and expand their scope in targeting additional attack vectors. The good news is, that the cybersecurity industry has gotten more sophisticated in identifying and stopping new ransomware strains and protecting organizations.”

Norway’s Oil Fund Warns Cybersecurity is Top Concern

The Financial Times, Bill Conner Quoted: Perpetrators can range from private criminal groups to state-backed hackers. Russia, China, Iran and North Korea are the most active state backers of cyber aggression, according to Bill Conner, executive chairman at SonicWall. “As sanctions go up, the need for money goes up as well,” he said. A cyber security expert who advises a different sovereign wealth fund said the “threat landscape” for such groups was “massive.” “When it comes to ransomware, about half of network intrusions are phishing attempts and the other half are remote access attacks using stolen credentials. You’ve also got insider threats [involving] someone with a USB drive, and sometimes people with access are just bribed,” he added.

How to be Ransomware Ready in Four Steps

Security Boulevard, SonicWall Threat Report Mention: 2021 was a breakout year for ransomware, growing 105% and exceeding 623.3 million attacks, according to SonicWall’s 2022 Cyber Threat Report.

SonicWall’s New CEO on M&A, Channel Commitment and the Biggest Cyber Threats

CRN, SonicWall Mention: Bob VanKirk took command of the platform security vendor on Aug. 1, six years after the company’s spin-off from Dell Technologies.

New SonicWall CEO Bob VanKirk on XDR, SASE & Going Upmarket

Information Security Media Group, SonicWall Mention: New CEO Bob VanKirk wants to capitalize on SonicWall’s distributed network technology and strength in the education and state and local government sectors to expand beyond the company’s traditional strength with small and mid-sized businesses and into larger enterprises. VanKirk says the company’s new high-end firewalls and security management capabilities should be a natural fit for larger customers.

Basingstoke’s Racing Reverend ready for Silverstone Classic

Basingstoke Gazette, SonicWall Mention: Simons Le Mans Cup program is supported by a number of companies including Asset Advantage, SonicWall and The Escape.

Is the drop in ransomware numbers an illusion?

The Washington Post, SonicWall Threat Report Mention: Also in July, SonicWall, NCC Group and GuidePoint Security pointed to decreases across the board, although the companies covered various time periods.

SonicWall Capture ATP Receives 100% ICSA Rating for Threat Detection Again

InfoPointSecurity (Germany), SonicWall News: SonicWall Capture Advanced Threat Protection (ATP) has once again achieved 100% threat detection at ICSA Labs Advanced Threat Defense certification for the second quarter of 2022 – for the sixth time in a row.

How will the crypto crash affect ransomware attacks and payments?

SC Magazine, Threat Report: Ransomware attacks dropped 23% globally from January to June, according to U.S. cybersecurity firm SonicWall’s 2022 mid-year cyber threat report. Though this time period overlaps with crypto’s bear market, many experts emphasize that the political conflict between Russia and Ukraine is the biggest factor in ransomware’s decline.

Industry News

Big Read: Attackers are Circumventing Microsoft’s Multi-Factor Authentication

Various Source: According to ZDNet, TechRadar, Bleeping Computer, Microsoft recently discovered that a Russian-based threat group called Nobelium could gain access to systems and bypass multifactor authentication. Microsoft is asking Windows administrators limit and restrict access to Active Directory servers.

The attackers can gain administrative rights to Active Directory Federated Services servers using a tool called MagicWeb. They replace a legitimate DLL file with one of theirs. This tool allows Active Directory authentication tokens to be modified, which allows hackers to log in as any user to bypass multifactor authentication. Hackers have long sought administrative access to servers and domain controllers like Active Directory. These must be isolated and accessible only to designated admin accounts. They also need to be regularly monitored for changes. It is important to keep servers updated with the most recent security updates and take steps to prevent attackers from lateral movement.

According to Bleeping Computer, the campaign started June 2022 when analysts noticed a spike in phishing attempts against specific business sectors (ex: credit unions) and users of Microsoft email services.

TechRadar adds that the source of the vulnerability is still Log4Shell, which was one of the largest and potentially most devastating vulnerabilities to ever be discovered. The flaw is still being leveraged by threat actors more than half a year after it was first observed and patched. Attackers used the flaw on SysAid applications, which is a relatively novel approach according to analysts, noting that while other hacks use Log4j 2 exploits with vulnerable VMware apps, using SysAid apps as a vector for initial access is new.

ZDNet reports that if there’s no additional verification around the MFA enrollment process, anyone who knows the username and password of an account can apply multi-factor authentication to it, so long as they are the first person to do so – and hackers are using this to gain access to accounts. In one instance, attackers attributed to APT29 gained access to a list of undisclosed mailboxes they obtained through unknown means and successfully managed to guess the password of an account that had been set up, but never used.

Twilio Suffers Cybersecurity Breach After Employees Fall Victim to SMS Phishing Attack

Hacker News: Customer engagement platform Twilio on Monday disclosed that a “sophisticated” threat actor gained “unauthorized access” using an SMS-based phishing campaign aimed at its staff to gain information on a “limited number” of accounts.

The SMS phishing attacks were also directed against employees at Cloudflare, and other companies were part of an extensive smartphone attack campaign. Reports say that almost 10,000 people have fallen into the scheme to steal their credentials. They were mainly in the United States. Three of the targeted companies were in Canada. Most organizations use Okta’s access and identity management software. They received texts containing links to fake websites that mimicked Okta’s authentication page. The hackers obtained their usernames, passwords, and login credentials when they logged into the system. It is still not clear how the hackers got a list with targets and mobile phone numbers. Two critical lessons from this incident: One is that administrators must continually remind users/employees about the dangers of logging in from links in emails and text messages, and two is that companies must recognize the risk of continual use of SMS-based multifactor authentication.

The social-engineering attack was bent on stealing employee credentials, the company said, calling the as-yet-unidentified adversary “well-organized” and “methodical in their actions.” The incident came to light on August 4.

LockBit Ransomware Group Targeted with DDoS Attack After Entrust Data Leak

TechMonitor: Ransomware gang LockBit says it has been hit with a distributed denial of service (DDoS) attack, which appears to have knocked its leak site offline. The attack comes after the gang claimed responsibility for a hack on security giant Entrust earlier this year. The DDoS attack on LockBit’s darkweb server, which hosts leaks from companies the gang has attacked, began yesterday, and according to analysts, the gang has been receiving 400 requests a second from over 1,000 servers.

Hackers Steal Crypto from Bitcoin ATMs by Exploiting Zero-Day Bug

Bleeping Computer: Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers. When customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers. General Bytes is the manufacturer of Bitcoin ATMs that, depending on the product, allow people to purchase or sell over 40 different cryptocurrencies. The Bitcoin ATMs are controlled by a remote Crypto Application Server (CAS), which manages the ATM’s operation, what cryptocurrencies are supported, and executes the purchases and sales of cryptocurrency on exchanges.