Cyber Security Bulletin – May 2022

Top 4 Security Issues

Here are our top cyber security news stories from around the world. These stories have been specially selected by our in-house Security Operations Centre (SOC) team for being the most critically relevant to you.


1. Microsoft to disable Exchange Online basic authentication in October 2022


Microsoft has sent out a reminder post to inform users of the upcoming amendment to the way that authentication works for Exchange Online.

Put simply, basic authentication allows credentials stored locally on the end-user device to be sent – in plain text (not encrypted) – to servers, endpoints, or online services. A malicious actor who intercepts that unencrypted traffic can capture the plain text credentials.

Modern authentication is a much more secure form of authentication and makes use of “limited lifetime” tokens. These tokens cannot be re-used to authenticate from other devices (such as a malicious actor’s device).

Microsoft’s Exchange Security team reiterated that the majority of compromised accounts involve credentials stolen through attacks against basic authentication.

We advise that basic authentication methods be disabled for all users. Where exceptions are unavoidable, explicit policies need to be created for those accounts to help lower the risk. We further advise enabling Multi-Factor Authentication wherever possible.
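The policy-based approach described above, written out as Exchange Online PowerShell. This is an added example, not code from Microsoft’s post; it assumes the ExchangeOnlineManagement module is installed and the mailbox name is a placeholder.

```powershell
# Added example: block basic authentication tenant-wide, with an explicit
# exception policy for the few accounts that still need it.
# Assumes the ExchangeOnlineManagement module; the mailbox name is a placeholder.
Connect-ExchangeOnline

# 1. A new authentication policy blocks basic auth for every protocol by default
#    (all AllowBasicAuth* switches are $false unless explicitly set).
New-AuthenticationPolicy -Name "Block Basic Auth"

# 2. Make it the tenant default so every user without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3. Exception policy: allow only the protocol that is genuinely required (here
#    SMTP AUTH for a legacy device that cannot do modern auth); all other
#    basic-auth protocols stay blocked for these accounts too.
New-AuthenticationPolicy -Name "Allow Basic Auth SMTP Only" -AllowBasicAuthSmtp

# 4. Assign the exception explicitly, per account, never tenant-wide.
$exceptions = @("scanner-relay@contoso.example")   # placeholder mailbox
foreach ($upn in $exceptions) {
    Set-User -Identity $upn -AuthenticationPolicy "Allow Basic Auth SMTP Only"
}

# 5. Policy changes are not immediate; invalidate existing refresh tokens so the
#    new policy applies to the affected accounts straight away.
foreach ($upn in $exceptions) {
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# 6. Check: list every account carrying an explicit policy, so the exception
#    list stays visible and can be reviewed against MFA coverage.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Because Microsoft is switching basic authentication off for Exchange Online regardless, the exception list doubles as the list of integrations that still have to be migrated to modern authentication before October 2022.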


2. US Department of Defense (DoD) tricked into paying $23.5 million to phishing actor


The US Department of Justice (DoJ) has convicted a person for defrauding the DoD of $23.5 million.

The criminal gang had used a common technique called domain squatting to register a domain (dia-mil.com) resembling a legitimate DoD domain (dla.mil), and used it to launch the phishing campaign.

The gang targeted a database of vendors used for contract bid operations. At least one vendor acted on the phishing email (a link to a cloned .gov login page) and entered their credentials. These credentials were then used to log into the legitimate portal and change the vendor’s banking details. This vendor had 11 active contracts, including one worth around $23.5 million to supply the US military with just over 10 million gallons of jet fuel.

The criminals were eventually caught when they tried to use an illegitimate source to launder the money.

The leader of the gang could face up to 30 years in prison.

Regular phishing and security awareness training, along with technical controls such as MFA, will significantly lower the risk associated with phishing campaigns.


3. Unpatched DNS bug could affect millions of IoT devices and routers


A vulnerability in the domain name system (DNS) component of a commonly used programming library could allow a DNS poisoning attack, affecting millions of routers and IoT devices.

A malicious actor can use DNS poisoning (also known as DNS spoofing) to redirect the victim to a malicious website hosted on a server the attacker controls, instead of the legitimate location.

The vulnerability, discovered in September 2021 but only disclosed in January 2022, affects over 200 vendors. No fix is available at present; affected vendors will start to push fixes out once they have completed their own internal testing.

A regular patching and firmware update schedule should be among your organisation’s top priorities.


4. French medical firm fined nearly £1.3 million in GDPR breach

A French medical firm was fined by the French data protection authority, CNIL, for leaking the data of around 490,000 patients. This data was then sold on the dark web and subsequently made freely available on the internet.

The firm was sanctioned under two offences:

1. Article 29 of GDPR – failure to comply with the controller’s instructions

2. Article 32 of GDPR – failure to secure information

Offence 1 relates to a migration of data systems, during which the firm extracted more data than was required.

Offence 2 relates to failures in a number of areas, including (amongst others) lack of encryption, lack of authentication on internet-facing systems, and use of shared accounts.

The fine equates to 10% of the company’s revenue and is in line with ICO fines for similar infractions.

Ensuring that correct policies and procedures are in place to complement the relevant technical controls will help lower the risk of a data leak.

Contact us to find out more about our Cyber Security services