Microsoft Security Bulletin Coverage for September 2021

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 214:Malformed-File exe.MP_199

CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 221:Malformed-File exe.MP_203

CVE-2021-36975 Win32k Elevation of Privilege Vulnerability
ASPY 219:Malformed-File exe.MP_202

CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 215:Malformed-File exe.MP_200

CVE-2021-38639 Win32k Elevation of Privilege Vulnerability
ASPY 216:Malformed-File exe.MP_201

CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability
GAV 25418:CVE-2021-40444_7
GAV 25417:CVE-2021-40444_6
GAV 25414:CVE-2021-40444_5
GAV 25413:CVE-2021-40444_4
GAV 25412:CVE-2021-40444_3
GAV 25390:CVE-2021-40444_2
GAV 25389:CVE-2021-40444_1
GAV 25387:CVE-2021-40444
GAV 25379:CVE-2021-40444.X
GAV 25378:CVE-2021-40444.AB
GAV 25377:CVE-2021-40444.C

Adobe Coverage:
CVE-2021-39836 Acrobat Reader Use After Free Vulnerability
ASPY 217:Malforned-File pdf.MP.490

CVE-2021-39843Acrobat Reader Out-of-bounds Write Vulnerability
ASPY 218:Malforned-File pdf.MP.491

The following vulnerabilities do not have exploits in the wild :
CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26437 Visual Studio Code Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36959 Windows Authenticode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36960 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36961 Windows Installer Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-36962 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36972 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38637 Windows Storage Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38650 Microsoft Office Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability
There are no known exploits in the wild.

Atlassian Confluence and Data Center OGNL Injection Vulnerability

/in /by

Overview:

  Atlassian Confluence is a collaboration platform written in Java. Users can create content using spaces, pages, and blogs which other users can comment on and edit. It is written primarily in Java and runs on a bundled Apache Tomcat application server.

  An OGNL injection has been reported in the Webwork module of Atlassian Confluence Server and Data Center. The vulnerability is due to insufficient input validation leading to OGNL evaluation of user-supplied input.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-26084.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Confluence uses the Webwork web application framework to map URLs to Java classes, creating what is known as an “action”. Action URLs end with the “.action” suffix and are defined in the xwork.xml file inside confluence “version”.jar (where “version” is the confluence version number) and in the atlassian-plugin.xml file within the JAR files of the included plugins. Each action entry contains at least a name attribute, defining the action name, a class attribute, defining the Java class implementing the action, and at least one result element which decides the Velocity template to render after the action is invoked based on the result of the action. Common return values from actions are “error”, “input”, and “success”, but any value may be used as long as there is a matching result element in the associated XWork XML. Action entries can contain a method attribute, which allows invocation of a specific method of the specified Java class. When no command is specified, the doDefault() method of the action class is called. The following is a sample action entry for the doenterpagevariables action:

  In the above example, the doEnter() method of the “com.atlassian.confluence.pages.actions.PageVariablesAction” class handles requests to “doenterpagevariables.action” and will return values such as “success”, “input”, or “error”, resulting in the appropriate velocity template being rendered.

  Confluence supports the use of Object Graph Navigational Language (OGNL) expressions to dynamically generate web page content from Velocity templates using the Webwork library. OGNL is a dynamic Expression Language (EL) with terse syntax for getting and setting properties of Java objects, list projections, and expressions. OGNL expressions contain strings combined together to form a navigation chain. The strings can be property names, method calls, array indices and so on. OGNL expressions are evaluated against the initial, or root context object supplied to the evaluator in the form of OGNL Context.

  The container object “com.opensymphony.webwork.views.jsp.ui.template.TemplateRenderingContext” is used to store objects needed to execute an Action. These objects include session identifiers, request parameters, spaceKey etc. TemplateRenderingContext also contains a com.opensymphony.xwork.util.OgnlValueStack object used to push and store objects against which dynamic Expression Languages (EL) are evaluated. When the EL compiler needs to resolve an expression, it searches down the stack starting with the latest object pushed into it. OGNL is the EL used by the Webwork library to render Velocity templates defined in Confluence, allowing access to Confluence objects exposed via the current context. For example, the $action variable returns the current Webwork action object.

  OGNL expressions in Velocity templates are parsed using the ognl.OgnlParser.expression() method. The expression is parsed into a series of tokens based on the input string. The ognl.JavaCharStream.readChar() method, called by the OGNL parser, evaluates Unicode escape characters in the form of “\uXXXX” where “XXXX” is the hexadecimal code of the Unicode character represented. Therefore, if an expression includes the character “\u0027”, the character is evaluated as a closing quote character (‘), escaping the context of evaluation as a string literal, allowing to append an arbitrary OGNL expression. If an OGNL expression is parsed in a Velocity template within single quotes and the expression’s value is obtained from user input without any sanitization, an arbitrary OGNL expression can be injected.

  An OGNL injection vulnerability exists in Atlassian Confluence. The vulnerability is due to insufficient validation of user input used to set variables evaluated in Velocity templates within single quotes. By including the “\u0027” character in user input, an attacker can escape the string literal and append an arbitrary OGNL expression.

  Before OGNL expressions are evaluated by Webwork, they are compared against a list of unsafe node types, and variables names in the “com.opensymphony.webwork.util.SafeExpressionUtil.containsUnsafeExpression()” method. However, arbitrary Java objects can be instantiated without using any of the unsafe elements listed. For example, the following expression, executing an OS command, would be accepted as a safe expression by this method:

  A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server. Successful exploitation can result in the execution of arbitrary code with the privileges of the server.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  An attacker connects to a target server and submits an HTTP request containing a malicious parameter to a vulnerable XWork action. The vulnerability is triggered when the target server processes the XWork action, resulting in the processing of the malicious request parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8090/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15673 Atlassian Confluence Server Webwork OGNL injection 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering attack traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Cybersecurity News & Trends – 09-10-21

/0 Comments/in /by

Global news outlets and bloggers continue to reference the Mid-Year Update to the 2021 SonicWall Cyber Threat Report and celebrate our 30th anniversary. Meanwhile, in industry news, the perfect ransomware victim, the biggest DDoS attack in history, phishing attacks are more numerous than we thought, the “FudCo” empire expands, hackers use our brains against us, and REvil has reappeared.

SonicWall in the News

What makes the perfect ransomware victim? — FinTech Global (U.K.)

  • Report about Kela, a cybersecurity company in the U.K. that studied profiles of victims of significant ransomware attacks. The report named the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as it noted how the number of ransomware attacks in 2021 outperformed the entire year of 2020.

The Rise in Ransomware: HAUSER Insurance Wants You to Know the Risks — American Reporter

  • This report asks, “Are we actually seeing an increase in ransomware attacks, or are they just becoming more high-profile? According to experts, the answer is both. The Mid-Year Update to the 2021 SonicWall Cyber Threat Report shows that ransomware attacks rose by 62% worldwide and 158% in North America alone between 2019 and 2020.

Tips for SMEs: What to do in the event of a ransomware attack — ITUser (Spain)

  • According to Excem, small and medium-sized companies are particularly vulnerable to ransomware attacks as they do not have sufficient human, technological and financial resources to protect themselves.

The Rise of Ransomware and How the Education Sector Can Protect Itself — FENews (U.K.)

SonicWall turns 30 — Computing Es (Spain)

  • The cybersecurity veteran reflects on the vision, people, technology, customers, and partners that have shaped the company over three decades. In addition, the report mentions SonicWall’s celebrated legacy of product innovation, channel-based DNA, and cybersecurity innovations.

SonicWall celebrates three decades of innovation as a 100% channel company — ITReseller (Spain)

  • The report quotes Bill Conner, president and SEO of SonicWall: SonicWall has demonstrated over three decades that its mission is to ensure the long-term success of its customers, partners and employees.

SonicWall, three decades of cybersecurity innovation — Newsbook

  • SonicWall just celebrated 30 years in the cybersecurity market. Three decades dedicated to security innovation to tackle digital criminals.

Cybersecurity pioneer celebrates three decades of innovation — CyberSecurity

  • Cybersecurity veteran reflects on the vision, people, technology, customers and partners that have shaped the company over three decades.

Stellar Cyber: Partners with SonicWall for Advanced Prevention, Response — MarketScreener (U.S.)

  • Partnership delivers seamless integration between advanced prevention technology from SonicWall and AI-powered detection and automated response technology from Stellar Cyber.

SonicWall has been an attractive partner for the channel for 30 years — Infopoint Security (DACH)

  • The article reports on the development of the SonicWall Partner Programme, the SonicWall University, and the SonicWall MSSP Programme.

Industry News

Russia’s Yandex says it repelled biggest DDoS attack in history — Reuters

  • Russian tech giant Yandex reported “the largest known distributed denial-of-service (DDoS) attack in the history of the Internet.” The attack began in August and peaked on Sept 5, with more than 22 million requests per second sent to the company’s servers.

South African Justice Department Is Hit by Ransomware Attack — Bloomberg

  • South Africa’s Justice Department said its systems were attacked by a ransomware campaign earlier this week. All of the department’s information systems were encrypted and unavailable.

Russian cybercrime continues as government-backed attacks on companies dwindle, CrowdStrike says — Cyberscoop

  • The Russian approach to hacking shifted considerably over the past year, with state-sponsored attacks on commercial organizations dropping off even as the local cybercrime scene dominated the field, CrowdStrike said in a report Wednesday.

Ukrainian extradited to U.S. for allegedly selling computer credentials: DOJ — The Hill

  • The Department of Justice (DOJ) announced Wednesday that a Ukrainian hacker was extradited to the U.S. for allegedly selling computer passwords on the dark web. If convicted, Ivanov-Tolpintsev faces up to 17 years in federal prison.

U.S. Gov Seeks Public Feedback on Draft Federal Zero Trust Strategy — Security Week

  • THIS WEEK, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) announced they are seeking public feedback on draft zero-trust strategic and technical documentation.

SideWalk Backdoor Linked to China-linked Spy Group’ Grayfly’ — Threat Post

  • Grayfly campaigns have launched the novel malware against businesses in Taiwan, Vietnam, the U.S. and Mexico and target Exchange and MySQL servers. The attack revealed a “novel backdoor technique” that security experts dubbed “SideWalk.”

Microsoft: Attackers Exploiting Windows Zero-Day Flaw — Krebs on Security

  • Microsoft warned that attackers are exploiting a previously unknown vulnerability in Windows 10 and several Windows Server versions. The attack seizes control over P.C.s when users open a malicious document or visit a booby-trapped website.

Phishing attacks: One in three suspect emails reported by employees really are malicious — ZDNet

  • Up to a third of emails that were flagged as suspicious by employees were actually a threat, according to a new report released by F-Secure, an I.T. security company based in Finland. The analysis involved more than 200,000 emails during the first half of 2021.

Ransomware gang threatens to leak data if victim contacts FBI, police — Bleeping Computer

  • The Ragnar ransomware group is warning that they will leak stolen data from victims that contact law enforcement authorities. Ragnar previously hit prominent companies with ransomware attacks, demanding millions of dollars in ransom payment.

CISA Issues Guidelines on Choosing a Managed Service Provider — Security Week

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidelines for government and private organizations to consider when looking to outsource services to a Managed Service Provider (MSP).

Dallas school district admits SSNs and more of all employees and students since 2010 accessed during security incident — ZDNet

  • If you were a student, employee or contractor of The Dallas Independent School District between 2010 and the present, your personal data was likely downloaded by an “unauthorized third party.”

Tech Industry Seeks Bigger Role in Defense. Not Everyone Is on Board — The Wall Street Journal

  • Tech-industry leaders are pushing the Pentagon to adopt commercially developed technologies on a grand scale to counter the rise of China. This initiative could transform the military and the multibillion-dollar defense-contracting business.

“FudCo” Spam Empire Tied to Pakistani Software Firm — Krebs on Security

  • In May 2015, KrebsOnSecurity briefly profiled “The Manipulators,” the name chosen by a prolific cybercrime group based in Pakistan that was very publicly selling spam tools and a range of services for crafting hosting and deploying malicious email. Six years later, a review of the social media postings from this group shows they are prospering. Brian Krebs reports.

Howard University shuts down network after ransomware attack — Cyberscoop

  • In Washington, the private Howard University disclosed that it suffered a ransomware attack late last week and is currently working to restore affected systems.

New Zealand banks, post office hit by outages in apparent cyberattack — Reuters

  • Websites of several financial institutions in New Zealand and its national postal service were briefly down on Wednesday, with officials saying they were battling a cyberattack.

How Hackers Use Our Brains Against Us — The Wall Street Journal

  • Cybercriminals take advantage of the unconscious processes that we all use to make decision-making more efficient. Blame it on our “lizard brains.”

Notorious Russian Ransomware Group ‘REvil’ Has Reappeared — Bloomberg

  • After vanishing this summer, the infamous criminal ransomware group behind the JBS SA cyberattack has returned to the dark web.

Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role — Bloomberg

  • Tech company installed a flawed NSA algorithm that became a perfect example of the danger of government backdoors.’

Guntrader breach perp: I don’t think it’s a crime to dump 111k people’s details online in Google Earth format — The Register

  • A “pseudonymous person” reformatted Guntrader hack data as a Google Earth-compatible CSV and said they are prepared to go to prison, denying their actions are a criminal offense.

In Case You Missed It

IoT Devices: If You Connect It, Protect It

/0 Comments/in /by

7 “Smart” Steps to secure and protect your Home Network

A refrigerator that tells you there was a power outage — and whether it lasted long enough to spoil your food. Doorbells show you who’s at the door and allow you to communicate with them from across the country. Home medical devices that can collect data and transmit it directly to your doctor.

Present in countless applications, smart devices have revolutionized the way we live and work. Smart devices are a subset of a larger group of internet-connected products known as IoT (Internet of Things) devices. These devices can be controlled remotely, usually through a smartphone app or webpage, and send and receive data without human intervention.

In the 20 years since the term got wide usage, the number and scope of IoT devices have grown tremendously. According to Security Today, from 2018 through 2020, IoT devices jumped from 7 billion to 31 billion, with 127 new IoT devices coming online each second.

By 2020, IoT technology is expected to be present in the designs of 95% of new electronics products. And over the next five years, the number of connected devices is forecasted to climb to 41.6 billion and generate a mind-boggling 79.4 ZB of data (for reference, the entirety of the World Wide Web, as it existed in 2009, was estimated to be less than a half a ZB.)

Smart devices introduce conveniences unthinkable a decade ago. But unfortunately, they also bring a new set of risks that could endanger your privacy and your data, your other devices, and even other connected networks.

For starters, there’s currently no standard for securing IoT devices — companies are free to put as much or as little security in their products as they want. Even when vulnerabilities are discovered, many devices are not updated because their cost is too low, or there is no way to update them. When are updates are available, they’re never pushed out, or customers never hear about them. In all, IoT devices are open to wide exploitation.

However, there are several other risks related to the way people use these devices. Many users believe they don’t have the time or expertise to secure their IoT devices adequately — and that, because they’re not a large business or high-profile individual, they’re unlikely to be targeted.

But work statistics since COVID-19 has changed all that. According to Global Workplace Analytics, 25-30% of the American workforce now works from home. That means cybercriminals increasingly see remote employees’ home networks — especially poorly secured IoT devices that connect to them — as a back door to compromise corporate networks with lower chances of detection.

According to the mid-year update to the SonicWall 2021 Cyber Threat Report, cybercriminals have taken advantage of the increasingly distributed data landscapes. Not only have they increased the frequency of their attacks, but they’ve also expanded how they attack. As a result, ransomware attacks sharply rose to 304.6 million in 2020, up 62% over 2019. And the attacks increased to 226.3 million through May of 2021 — up 116% year-to-date over 2020.

While you can’t necessarily avoid being targeted, you can significantly decrease your odds of compromise by taking these 7 “smart” steps for better cybersecurity:

  1. Safeguard Your Router. By default, Routers are accessible with a simple password like “admin” — or no password — and are easily accessible to cybercriminals. Another risk flag is when users do not change the default Wi-Fi network name (or SSID), thus revealing the brand of the router. All a would-be hacker has to do is search default settings. Ditching the default settings go a long way toward increasing security.
  2. Stay Up to Date. Many devices offer the option to receive updates for firmware, vulnerability/bug fixes and more automatically. If this option is not enabled by default, turn it on. In cases where you must perform updates manually, make a note on your calendar to remind you to check for them regularly.
  3. Buy from the Best. Stick with companies known for prioritizing security in their offerings. These established brands are also more likely to push updates and patch vulnerabilities.
  4. Be Password Savvy. Password protection is significantly less effective when you use the same email and password combo for multiple accounts. If any of these accounts are breached, you’ve put your entire online existence at risk — and in the case of IoT devices connected to corporate networks, your company’s existence is at risk as well. With the advent of password managers, which assign a different password for each account and remember them for you, there’s no excuse to be lazy with credential hygiene.
  5. Leverage Two-Factor Authentication. With two-factor authentication (2FA), you’re offered the security of the traditional credential-based sign-in, plus an added layer of protection in the form of a code that is sent to a separate device and must be entered into the original app. With 2FA, even if the login credentials are compromised, the account won’t be accessible unless the attacker also has access to the secondary device.
  6. Divide and Conquer. Many popular routers provide a feature to create a secondary guest Wi-Fi access to your router. The guest Wi-Fi feature allows internet access without granting access to the full home network (and your computers, hard drives, etc.). Use Guest settings to isolate less-secure Wi-Fi connected smart home devices (and the malware that might infect them).
  7. Do I Need This? No matter how secure a smart device is, it can never match the safety and privacy of a non-internet-enabled device. Before purchasing a new smart device, ask yourself if the increased risk is worth adding convenience and features. If you’re likely to use the smart features only occasionally or not at all, opt for the non-smart device.

The network of connections created by the Internet of Things creates opportunities and challenges for individuals and businesses. SonicWall encourages everyone to be smart about smart devices and assume the responsibility of maintaining the health of their home network. Cybersecurity is everyone’s business. By being diligent, we can ensure the security of our home networks and anywhere else our connections may take us.

The Halfway Point: How Cybercrime Has Impacted Government in 2021

/0 Comments/in , /by

In August, the bipartisan U.S. Senate Committee on Homeland Security and Government Affairs released an update on the state of cybersecurity among federal agencies. The report, “Federal Cybersecurity: America’s Data Still at Risk,” noted that, even two years after a similar 2019 report revealed glaring cybersecurity shortcomings, there were still countless areas of concern.

Cybercriminals have always had an incentive to launch cyberattacks on the federal government, such as obtaining national secrets, disrupting a country’s operations at the highest possible level, and influencing politics. But now that they’ve been put on notice — twice — that launching a successful cyberattack might be far easier than they imagined, it’s no wonder we’ve seen attacks on federal, state and local governments rise at a pace far exceeding other industries.

Ransomware

As reported in the mid-year update to the 2021 SonicWall Cyber Threat Report, ransomware for the first half of 2021 increased an unprecedented 151% overall. But the increase in attacks for federal, state and local governments was actually much higher.

In the first half of 2020, there were 4.4 million attacks against government customers. During the same period in 2021, that number had risen to 44.6 million — a staggering 917% increase, the largest jump of any industry examined by SonicWall. 

As if having government data encrypted wasn’t bad enough, many of these attacks employed a tactic known as double extortion in order to increase the likelihood the targets would pay. In such attacks, cybercriminals exfiltrate large quantities of data before encrypting files and issuing a ransom demand. Then, they use the threat of releasing this sensitive data as a sort of “insurance policy” in case the target has followed best practices such as keeping up-to-date backups, etc.

One such incident, in April 2021, targeted the Washington, D.C., police department. In this attack, the ransomware group threatened to share data about informants and other such sensitive information with local gangs if the department failed to pay the ransom demand.

A similar attack targeted the Illinois Attorney General’s Office. In February 2021, a state audit had warned the office that it lacked adequate cybersecurity protections. But the department failed to heed the recommendations, and two months later a ransomware group launched a double extortion attack, with some of the stolen data eventually posted online.

Cybercriminals have since evolved the malicious tactic to triple extortion, where payment is demanded from customers, partners and other third parties.

The number of ransomware attempts per customer remained far higher for government than for any other industry.

Cryptojacking

Very few cryptojacking incidents made the headlines in 2021. This is unsurprising for a couple of reasons: first of all, anyone targeting the federal government is likely to find much more profit in demanding ransom or stealing data than in mining cryptocurrency. Secondly, illegal mining’s impact on the government in 2021 hasn’t been nearly as newsworthy as government’s impact on mining. (In fact, bans on mining in China, Iran and elsewhere are largely cited as one of the reasons cryptocurrency prices fell from their record highs in April.)

Still, the numbers don’t lie, and according to SonicWall’s threat data for the first six months of 2021, the volume of attacks on federal, state and local governments isn’t just up — it’s way up.

Across all industries, the number of cryptojacking attacks in the first half of 2021 rose 23% year to date. But for government customers, cryptojacking attack volume rose a whopping 329%.

IoT Attacks

In August, CISA issued an advisory about a public report detailing vulnerabilities in multiple real-time operating systems (RTOS). Known as “BadAlloc,” the report details a number of vulnerabilities in IoT devices that affect “a variety of sectors for every aerospace, robotics [and] rail industrial control system,” according to Vincent Sritapan, Cyber Quality Service Management Office Chief at CISA.

Unfortunately, attacks on similar systems have already been occurring. In February, an attacker took control of the Oldsmar, Fla., water supply, increasing the amount of sodium hydroxide, or lye, in the water to 110 times normal levels.

SonicWall threat research data indicates that IoT attacks on federal, state and local governments are rising — but the good news is that they seem to be rising more slowly than attacks as a whole. While the number of IoT attacks recorded overall in the first half of 2021 rose 59% year over year, for government customers, attack volume rose only 17% — not good news, per se, but better than it could be considering this attack type’s potential for disruption.

While it’s too early to say what the second half of 2021 will hold for government customers, a lot of it will depend on how federal, state and local governments and agencies respond to warnings like the one issued in August. If we see renewed efforts among these organizations to adhere to cybersecurity best practices, some of these trends may begin to slow or even reverse.

Otherwise, we’re likely to see an increase in the sorts of attacks that have dominated headlines recently, as cybercriminals increasingly shift to targeting the biggest game of all.

In the meantime, you can access all of SonicWall’s first-half threat data — including location-specific information and data on other industries and threat types — by downloading the mid-year update to the 2021 SonicWall Cyber Threat Report.

Lockbit 2.0, the ransomware behind the Accenture breach

/in /by

Lockbit ransomware has been around since 2019 but recently released an updated version called Lockbit 2.0. It is another ransomware-as-a-service (RaaS) which is a subscription based model allowing partners to use a full-featured already developed ransomware app ready to carry an attack. On their website, they boast their 2.0 version as being the fastest encryption software as well as the fastest upload of stolen data amongst myriads of many other popular ransomwares, all while highlighting the many features of this ransomware.

Recently, there were reports of targeted attacks with Accenture being the latest prominent victim of this ransomware. For non-payment, Lockbit has started leaking their data on their website to the public.

Infection cycle:

Upon execution of the ransomware, it disables all running security programs and any other means that could permit system recovery. It spawns a cmd exe to run the following commands:

  • vssadmin delete shadows /all /quiet
  • wmic SHADOWCOPY /nointeractive
  •  wmic shadowcopy delete
  •  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  •  wbadmin DELETE SYSTEMSTATEBACKUP
  •  wbadmin delete catalog -quiet
  •  wevtutil cl system
  •  wevtutil cl security
  •  wevtutil cl application
  •  bcdedit /set {default} recoveryenabled No

It then proceeds to encrypt the victim’s files. All encrypted files bear the lockbit icon and a .lockbit file extension.

It changes the wallpaper with instructions on how to recover the files as well as adding a text file in every directory where files have been encrypted.

On reboot, the victim can’t miss the ransom note because it also adds a run key in the registry which loads an hta file that has the same instructions on how to get the victim’s files back.

  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Name: {2C5F9FCC-F266-43F6-BFD7-838DAE269E11}
  • Data: %Desktop%\Lockbit_Ransomware.hta

It then proceeds to delete itself and no copy of the ransomware nor its components is left in the victim machine.

On Lockbit’s website, there are quite a few victims whose data have already been leaked to the public while others still have some days left to submit payment before facing the same consequence.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Lockbit.RSM_2 (Trojan)
  • GAV: Lockbit.RSM_3 (Trojan)
  • GAV: Lockbit.RSM_4 (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 09-03-21

/0 Comments/in /by

The Mid-Year Update to the 2021 SonicWall Cyber Threat Report continues to circulate through global news, and SonicWall rises to the status of an “admired brand.” In industry news, uncomfortable questions about U.S. cyber-intelligence methods, Autodesk’s admission, FIN7 hackers on the move, how Australia got hammered by hackers, and a Colorado man sues U.K. parents of hackers for a 3-year-old cryptocurrency hack.

SonicWall in the News

The Hybrid Workplace: The Next Frontier of Cyber Security — CPO Magazine

  • This story covers the aftermath of a REvil Kaseya attack. Thousands of business leaders are calculating their losses and cost of recovery, now dubbed the “worst ransomware attack on record.” The story cites the Mid-Year Update to the 2021 SonicWall Cyber Threat Report as a key source for the sharp rise of attacks via Microsoft Office documents that rose by 176% in 2020.

Ransomware threats explode in first-half 2021 — Frontier Enterprise

The Tech Industry Is Marching Ahead With These Admired Brands — Mybrandbook.com

  • A report that assesses the importance of “admired” brands in tech recounts SonicWall’s origins as a private company headquartered in Silicon Valley to a significant brand in cybersecurity with more than 1 million active security solutions trusted by more than 500,000 organizations in more than 215 countries.

Industry News

Hacker kids’ parents sued over $780k of stolen cryptocurrency — P.C. Gamer

  • In January of 2018, Colorado resident Andrew Schober was relieved of 16.4 bitcoin, worth around $780,000 in today’s market, by unknown hackers. Schober hired private investigators to track down the hack to two UK-based computer science students then minors. He’s now suing the parents of the two he believes hacked his account and stole his cash.

SolarWinds hackers targeted Autodesk in latest confirmed fallout from cyber-espionage campaign — CyberScoop

  • The list of victims keeps growing of the hackers (believed to be Russian) who breached a U.S. federal contractor. The hackers, it is believed, collected intelligence from all over the federal government. Autodesk filed an SEC disclosure to its investors that the hackers compromised one of its servers.

Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role — Bloomberg

  • Days before Christmas in 2015, Juniper Networks Inc. alerted users that it had been breached. Five years later, the hackers have not been publicly identified, and no victims from the hack have surfaced. This brings the uncomfortable question about the methods U.S. intelligence agencies use to monitor hackers.

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor — The Hacker News

  • Spear-phishing campaigns leveraging weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros. The macros inject malicious payloads, including a JavaScript implant that attacks a U.S.-based point-of-sale (PoS) service provider.

How Hackers Hammered Australia After China Ties Turned Sour — Bloomberg

  • A few days after Prime Minister Scott Morrison called for an independent international probe into the origins of the coronavirus, Chinese bots swarmed onto Australian government networks. It was April 2020. Bloomberg brings the incident to light in this week’s article.  

Regulators Tighten Scrutiny of Data Breach Disclosures — The Wall Street Journal

  • Lawyers warn that companies must pay closer attention to what they say after hackers strike, as regulators crack down on inaccurate disclosures and Congress debates mandatory reporting of cybersecurity breaches.

Biden administration establishes program to recruit tech professionals to serve in government — The Hill

  • The Biden administration announced it was establishing a program to recruit and train people to serve in digital positions within the federal government and address the COVID-19 pandemic and cybersecurity concerns.

Bangkok Airways hit by LockBit ransomware attack, loses lots data after refusing to pay — The Register

  • Bangkok Airways has revealed it was the victim of a cyberattack from ransomware group LockBit on August 23, resulting in the publishing of stolen data.

LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection — Threat Post 

  • Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems.

Initial Access Broker use, stolen account sales spike in cloud service cyberattacks — ZDNet

  • On Tuesday, Lacework published its 2021 Cloud Threat Report vol.2, outlining how today’s cybercriminals are attempting to cut out some of the legwork involved in campaigns against cloud service providers.

Cyberattackers are now quietly selling off their victim’s internet bandwidth — ZDNet

  • Another intrusion with a twist: attackers use “proxyware” to target their victim’s internet connection and generate illicit revenue.

Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs — Bleeping Computer

  • Cybercriminals are making strides towards malware attacks that execute code from the graphics processing unit (GPU) of a compromised system.

Boston Public Library discloses cyberattack, system-wide technical outage — Bleeping Computer

  • The Boston Public Library (BPL) has disclosed today that its network was hit by a cyberattack on Wednesday, leading to a system-wide technical outage. 

U.S. Justice Department Introduces Cyber Fellowship Program — Security Week

  • The program will train selected attorneys on emerging national security and criminal cyber threats and how to fight them. The trainees will be rotating department components focused on cyber defense, such as the Criminal Division, the U.S. Attorneys’ Offices, and the National Security Division. 

Researchers, cybersecurity agency urge action by Microsoft cloud database users — Reuters

  • On Saturday, researchers who discovered a massive flaw in the central databases stored in Microsoft Corp’s Azure cloud platform urged all users to change their digital access keys, not just the 3,300 the company notified this week.

Bangkok Airways apologizes for passport info breach as LockBit ransomware group threatens data leak — ZDNet

  • The company said that it discovered a “cybersecurity attack which resulted in unauthorized and unlawful access to its information system” on August 23.

In Case You Missed It

Centreon hostGroupDependency.php SQL Injection Vulnerability

/in /by

Overview:

  Centreon is an open source IT monitoring solution. Centreon open source solution is the foundation for the Centreon EMS software suite which offers additional licensed modules. Centreon open source solution includes integration tools for IT Operations Management production environment.

  An SQL Injection vulnerability has been reported in the Centreon Web Application. The vulnerability is due to incorrect input validation in hostGroupDependency.php.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

CVE Reference:

  This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is high.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.2 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  A user with admin privileges can manage the notification settings for a host group on the “Configuration”->”Notification”->”Host Groups” page in the Centreon web interface. When clicking a host group on the web page, a request will be submitted to the “/centreon/main.get.php” endpoint as shown in an example below:

  

  In the request above, the parameter “p” contains a topology_page number (e.g. 60408 in the above example) which is used by Centreon application to locate the correspondent PHP file to handle this request. The mappings of a topology_page number and its correspondent PHP file is defined in the insertTopology.sql. For the topology_page number 60408 in the “p” request parameter, the corresponding PHP file to handle this request is:

  

  The hostGroupDependency.php is relevant to the vulnerability in this report.

  An SQL injection vulnerability exists in the Centreon web application. The vulnerability is due to a lack of input validation on the dep_id request parameter in the hostGroupDependency.php. When receiving a request submitted to “main.get.php” endpoint, the main.get.php will check the “p” request parameter value. If the value is 60408, it will route the request to hostGroupDependency.php. The hostGroupDependency.php will read the dep_id request parameter value and then check the “o” request parameter value. If “o” parameter value is the character “c”, “w” or “a”, it will call formHostGroupDependency.php to process this request. In formHostGroupDependency.php, it will first check if the “o” parameter is “c” or “w” and if yes, it will construct a SQL statement by appending the dep_id parameter value. Then, it will execute the SQL statement to query the “dependency” table in the database.

  However, the formHostGroupDependency.php does not sanitize the dep_id parameter before appending it to the SQL statement. A malicious user is therefore able to directly manipulate the Centreon database by embedding arbitrary SQL commands within the dep_id parameter in the HTTP requests. For example, an attacker may utilize the “;” character (or its URL-encoded equivalent) in a HTTP request to terminate a SQL statement with a malicious create table command, as shown below:

  

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution at the database on the target server, potentially leading to the execution of arbitrary code in the security context as root.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the request is processed by the target server.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15666 Centreon main.get.php SQL Injection
  • IPS: 15674 Centreon main.get.php SQL Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released an advisory regarding this vulnerability:
  Vendor Advisory

Elevating SonicWall to the Cloud

/0 Comments/in /by

If the cloud were human, it would say veni, vidi, vici!

One can argue whether “the cloud” is still just a buzzword … whether it’s real or just another person’s computer … whether it’s a journey or a destination. But regardless of our conclusions, the cloud has arrived, the cloud is in vogue, and the cloud is here to stay.

Cloud is enabling a fundamental technology shift that, in many ways, shakes up how we live both our digital and our physical lives. SonicWall believes the purpose of any technology is to solve problems, and the cloud is no different.

That’s why we’re leveraging cloud technology as much as possible. We’re using the cloud to make our customers more secure and, at the same time, we’re also building our portfolio to secure data in the cloud.

As you can see in the visual below, we already have many products and solutions that take advantage of the cloud. They not only use cloud-native components — they’re also delivered from the cloud. Capture ATP, our threat detection capture technology that includes patented Real-Time Deep Memory Inspection (RTDMI™), is delivered to all SonicWall security products via the cloud.

All our central management solutions, such as Network Security Manager (NSM), Wireless Network Manager (WNM), Capture Client (CC) Management Console, etc., use cloud-native architecture. They can scale and manage tens and thousands of individual units.

Our single-pane-of-glass management solution, SonicWall Capture Security Center (CSC), is entirely cloud-native and cloud-delivered. We expect CSC to become not only the visualization and reporting tool, but also the threat detection and response tool for SonicWall partners and customers (more on that in the future).

But our work isn’t limited to the use of cloud technology for development and delivery. In the last few years, SonicWall has introduced and updated solutions such as our virtual firewall (NSv) and Secure Mobile Access (SMA) to secure data and access in the cloud. We offer cloud-delivered Hosted Email Security (HES) that secures the cloud email services such as Microsoft Office365 and Google GSuite.

We’ve also been developing new solutions specifically for the cloud, such as Cloud App Security (CAS) and Cloud Edge Secure Access, that help you secure your users and data in the cloud. Cloud Edge Secure Access represents our entry into the ZTNA/SASE world, which involves delivering multiple networking and security capabilities from the cloud.

While all solutions mentioned above are already available, we are currently working on future SonicWall product lines, which will be cloud-delivered and offer greater in-cloud security.

To learn more about SonicWall solutions designed to utilize or secure the cloud, visit our products page. This journey is going to be exciting. Stay tuned!

How Cybercrime Impacted Education in 2021

/0 Comments/in , /by

According to a report in The Journal, as of early August, more than 60% of parents were hesitant to send their children back to school this fall due to a large uptick in pediatric COVID-19 cases. As we have seen since, many of these fears were well-founded, as schools in Texas, Georgia, Florida, Tennessee and elsewhere have been forced to close almost as quickly as they opened due to widespread exposures, quarantines and staff shortages.

This unpredictable and ever-shifting education landscape has wreaked havoc on a back-to-school season that was once expected to herald a return to normalcy. But unfortunately for school leadership and IT administrators already dealing with a learning environment subject to change from day to day, this level of upheaval and uncertainty has historically been compounded by another crisis: cybercrime.

Toward the beginning of the pandemic, attacks on K-12 schools and higher education began rising as hackers realized that schools were frequently both overwhelmed and underprotected.

“K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyberattacks,” the FBI warned in an alert sent in late June 2020.

It’s been more than a year since that initial report — enough time to collect the sort of data needed for an apples-to-apples comparison of 2020 and 2021. Unfortunately, as reported in the mid-year update to the 2021 SonicWall Cyber Threat Report, even as schools have reopened, any expected reprieve has remained elusive. Almost every type of cyberthreat against education has continued to rise drastically in the first half of 2021, painting a frightening picture of what might lie ahead as our K-12 and higher-education institutions face increasing challenges.

Ransomware

In April 2021, Broward County Public School District, one of the largest in the U.S., received a ransom demand of $40 million, the second-highest to date. To help ensure they received payment, the criminals threatened to publish student and employee data online — an increasingly popular tactic among cybercriminals known as “double extortion.”

But while this may be an extreme example, it represents a trend of increasingly audacious demands on schools. And as more schools show a willingness to pay at least something, the number of attacks has begun to rise even faster.

In the first half of 2020, SonicWall threat researchers recorded 1.4 million ransomware attacks on K-12 and higher education institutions. By the first half of 2021, this number had risen to 10.1 million — an increase of 615%.

As observed by SonicWall, education was top vertical targeted by ransomware in three of the first six months of 2021.

IoT Attacks

When students and teachers made the shift to online learning in early 2020, they introduced millions of new devices to the network, widening the attack surface considerably.

Mirroring the trends we saw among organizations as a whole, IoT attacks rose over the course of 2020, as cybercriminals recognized an opportunity to access unprotected or inadequately protected networks.

While IoT attacks in general rose 59% in the first half of 2021 over the same time period in 2020, those in education saw an even larger jump, despite the fact that many students had returned to in-person classes. Among schools and colleges, IoT attacks rose 78% year-to-date — a gap we may see continue to widen if more students are sent home for remote learning.

Cryptojacking

In April 2021, Washington educational organizations discovered that they’d been hit by a cryptojacking attack dating back to at least February. Given what was happening in the crypto market at the time, the timing was unsurprising: Cryptojacking is largely tied to the price of cryptocurrency, and in early 2021, cryptocurrency was soaring to record highs.

But in late spring, amid warnings of increased tax enforcement on cryptocurrency earnings and news of mining bans in China and elsewhere, the prices of cryptocurrency — and cryptojacking — crashed hard.

For schools, which saw a mind-boggling 1,917% increase in the number of cryptojacking attacks in the first half of 2021 over the first half of 2020 (versus a 23% increase among organizations as a whole), this was welcome news. But with the prices of most cryptocurrencies continuing to rebound, it’s possible we could see a sustained rise, rather than a drop, once the data from the second half of 2021 is in.

In March 2021, the K-12 Security Information Exchange and the K-12 Cybersecurity Resource Center released a report stating, “The 2020 calendar year saw a record-breaking number of publicly-disclosed school cyber incidents,” with many of these incidents “resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”

Unfortunately, as the data from the first half of 2021 shows, attacks on K-12 and higher education institutions have only risen since then. While government programs such as the CARES Act, ARP and more will certainly help, unless we see sustained investment in cybersecurity in the coming years, K-12 and higher education will likely continue to be targeted.