Hackers Breached Computer Network At Key US Port But Did Not Disrupt Operations

Suspected foreign government-backed hackers last month breached a computer network at one of the largest ports on the US Gulf Coast, but early detection of the incident meant the intruders weren’t in a position to disrupt shipping operations, according to a Coast Guard analysis of the incident obtained by CNN and a public statement from a senior US cybersecurity official. CNN reports: The incident at the Port of Houston is an example of the interest that foreign spies have in surveilling key US maritime ports, and it comes as US officials are trying to fortify critical infrastructure from such intrusions. “If the compromise had not been detected, the attacker would have had unrestricted remote access to the [IT] network” by using stolen log-in credentials, reads the US Coast Guard Cyber Command’s analysis of the report, which is unclassified and marked “For Official Use Only.” “With this unrestricted access, the attacker would have had numerous options to deliver further effects that could impact port operations.” The Port of Houston is a 25-mile-long complex through which 247 million tons of cargo move each year, according to its website.

In the case of the Port of Houston, the unidentified hackers broke into a web server somewhere at the complex using a previously unidentified vulnerability in password management software at 2:38 p.m. UTC on August 19, according to the Coast Guard report. The intruders then planted malicious code on the server, which allowed further access to the IT system. Beginning about 90 minutes after the initial breach, the hackers stole all of the log-in credentials for a type of Microsoft software that organizations use to manage passwords and access to their networks, according to the report. Minutes later, cybersecurity staff at the port isolated the hacked server, “cutting off unauthorized access to the network,” the advisory said.

2021 Has Broken the Record For Zero-Day Hacking Attacks

According to multiple databases, researchers, and cybersecurity companies who spoke to MIT Technology Review, 2021 has had the highest number of zero-day exploits on record. “At least 66 zero-days have been found in use this year, according to databases such as the 0-day tracking project — almost double the total for 2020, and more than in any other year on record,” the report says. From the report: One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools. Powerful groups are all pouring heaps of cash into zero-days to use for themselves — and they’re reaping the rewards. At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees. And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes. “Financially motivated actors are more sophisticated than ever,” Semrau says. “One-third of the zero-days we’ve tracked recently can be traced directly back to financially motivated actors. So they’re playing a significant role in this increase which I don’t think many people are giving credit for.”

CDC Panel Endorses Pfizer COVID-19 Booster Shots For People 65 and Older

A key Centers for Disease Control and Prevention advisory group unanimously voted Thursday to recommend distributing Pfizer and BioNTech’s Covid-19 booster shots to older Americans and nursing home residents, clearing the way for the agency to give the final OK as early as this evening. CNBC reports: The agency’s Advisory Committee on Immunization Practices specifically endorsed giving third Pfizer shots to people 65 and older in the first of four votes. The panel will also vote on whether to recommend the shots for adults with medical conditions that put them at risk of severe disease and those who are more frequently exposed to the virus — possibly including people in nursing homes and prisons, teachers, front-line health employees and other essential workers. The elderly were among the first groups to get the initial shots in December and January.

The vote is seen as mostly a win for President Joe Biden, whose administration has said it wants to give booster shots to all eligible Americans 16 and older as early as this week. While the CDC panel’s recommendation doesn’t give the Biden administration everything it wanted, boosters will still be on the way for millions of Americans. The endorsement comes a day after the Food and Drug Administration granted emergency use authorization to administer third Pfizer shots to many Americans six months after they complete their first two doses. While the CDC panel’s recommendation isn’t binding, Director Dr. Rochelle Walensky is expected to accept the panel’s endorsement shortly.

Microsoft Exchange Autodiscover flaw reveals users’ passwords

Researchers have been able to get hold of 372,072 Windows domain credentials, including 96,671 unique credentials, in slightly over 4 months by setting up a Microsoft Exchange server and using Autodiscover domains.

The credentials that are being leaked are valid Windows domain credentials used to authenticate to Microsoft Exchange servers.

What is Autodiscover?

From Microsoft’s site we learn that “the Autodiscover service minimizes user configuration and deployment steps by providing clients access to Exchange features. For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL. However, Autodiscover can also provide information to configure clients that use other protocols. Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple forest scenarios”.

This boils down to a feature of Exchange email servers that allows email clients to automatically discover the email server, provide credentials, and then receive the proper configuration. It was designed to make the user’s life easier, but such designs also need to be done with security in mind, because cybercriminals love such features and use them for their own purposes.

How can it be abused?

The protocol’s goal is to let an end user completely configure their Outlook client solely by providing their username and password, leaving the rest of the configuration to Microsoft Exchange’s Autodiscover protocol.

To accomplish this, the Autodiscover protocol looks for a valid Autodiscover URL in these formats, where example.com is replaced by the domain name (the part after the @) in the user’s email address:

https://autodiscover.example.com/Autodiscover/Autodiscover.xml
http://autodiscover.example.com/Autodiscover/Autodiscover.xml
https://example.com/Autodiscover/Autodiscover.xml
http://example.com/Autodiscover/Autodiscover.xml
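As an added example (not code from the original article or from Microsoft), the following builds the four candidate URLs above from an email address in the listed order, and adds a defender-side check that flags any candidate a client would send domain credentials to over cleartext HTTP or to a host outside the domain taken from the address. The sample address is constructed; example.com is the placeholder the text itself uses.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def email_domain(email):
    """Extract the domain (the part after the @) that Autodiscover derives its hosts from."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("not a plain user@domain address: %r" % email)
    return domain.lower()


def autodiscover_candidates(email):
    """Build the four candidate URLs in the order the text lists them."""
    domain = email_domain(email)
    hosts = ("autodiscover." + domain, domain)
    return [
        "%s://%s%s" % (scheme, host, AUTODISCOVER_PATH)
        for host in hosts
        for scheme in ("https", "http")
    ]


def audit_candidate(url, domain):
    """Defender-side check: list the reasons sending domain credentials to this URL is risky.

    Returns an empty list only when the URL uses TLS and its host is the user's own
    domain or a subdomain of it, i.e. the lookup stays within the address's domain.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append("cleartext transport: credentials would be sent unencrypted")
    if not (host == domain or host.endswith("." + domain)):
        problems.append("host %r is outside the user's domain %r" % (host, domain))
    return problems


if __name__ == "__main__":
    addr = "alice@example.com"  # constructed sample address
    for url in autodiscover_candidates(addr):
        print(url, audit_candidate(url, email_domain(addr)) or "ok")
```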

CWE-78

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

OS command injection occurs when the application uses user input (which isn’t escaped or sanitized) as part of a command that’s run against the host’s operating system.
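To make the definition concrete, here is an added example (not part of the CWE text) of the vulnerable pattern next to its hardened form: the unsafe builder pastes unvalidated input into a string a shell would parse, while the safe builder allow-lists the input and passes it as an argument vector with no shell involved. The ping command and hostname inputs are constructed for illustration.

```python
import re
import shlex
import subprocess

# Allow-list for a DNS-style hostname: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_command_vulnerable(host):
    """CWE-78 pattern: untrusted input concatenated into a string that a shell will parse."""
    return "ping -c 1 " + host


def validate_hostname(host):
    """Reject anything that is not a plain hostname, so shell metacharacters never get in."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname: %r" % host)
    return host


def build_command_safe(host):
    """Hardened form: an argument vector run without a shell, so nothing is re-parsed."""
    return ["ping", "-c", "1", validate_hostname(host)]


def build_command_quoted(host):
    """Second-best option when a shell string is unavoidable: quote the input as one word."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host):
    # shell=False is the default: each argv element reaches ping as inert data.
    result = subprocess.run(build_command_safe(host), capture_output=True, text=True, check=False)
    return result.returncode
```

Only the builders are exercised in the check below; run_ping needs a real network path.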

Time is Not on Your Side: Why Every CISO needs a Cyber Risk Quantification Strategy before It’s Too Late

Cyber Risk Quantification needs to be the strategy driving your cybersecurity roadmap and priorities starting now. Breaches are getting worse, ransomware can cripple your business, and the financial impacts can last years. By looking at the financial impacts of recent high-profile breaches such as Colonial Pipeline or SolarWinds, we can plainly see that the traditional methods of risk assessment are no longer effective. Measures such as compliance mandates and maturity models have a purpose, but solely relying on them is no longer sufficient to render the best possible business decisions around cyber security. Relying solely on the traditional qualitative approaches, security scoring or stop light methods in today’s climate will continue to leave you exposed. Making better, data-driven decisions to avoid these costly attacks has to be our focus, and this is where Axio’s Cyber Risk Quantification can make the difference.