Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: The Importance of Internal Audit
Even companies with mature cybersecurity practices need to conduct regular internal audit to verify their security programs. Internal, yet independent, auditors can work with management and IT functions to assess and test security practices to identify systemic security issues, close loopholes, validate effectiveness of controls, and help improve security policies. Make internal audit a part of your cybersecurity strategy.
Hackers exploit OMIGOD vulnerability in Azure Linux
According to a report in Bleeping Computer, hackers have already started exploiting a serious vulnerability in Azure Linux – nicknamed OMIGOD – just days after the technical details of the flaw were made public.
The OMIGOD vulnerability is actually a family of at least four bugs allowing remote code execution and privilege escalation in the Open Management Infrastructure (OMI) software agent found on many Azure instances. Thousands of Azure customers and millions of endpoints are at risk.
The ease of compromise is alarming: “With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple,” according to one of the researchers who discovered the bug. “This vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it.”
Worse yet: the code is “both widely used (because it is open source) and completely invisible to customers as its usage within Azure is completely undocumented,” the researcher observed.
Technical details were withheld until September 14 in order to allow time to install fixes. According to the report, the first attacks were spotted on September 16, and threat actors are continuing to scan the Internet for exposed Azure Linux instances vulnerable to OMIGOD from over 110 servers worldwide. Hackers have exploited the flaws to launch botnet attacks and crypto-mining operations on affected servers.
Customers are urged to install the fixes to the OMI software agent as soon as possible. Even if you have automatic updates activated, it is still important to verify that you have the most current version installed, as Microsoft has not been able to roll out patches to all customers yet. Microsoft has published guidance , while Bleeping Computer has issued a report documenting the vulnerabilities in detail.
Mastermind behind AT&T hacking scheme sentenced to 12 years in prison
Pakistani national Muhammad Fahd was sentenced to 12 years in prison by an American court for his role in a seven-year campaign of hacking at AT&T. Starting in 2012, Fahd systematically recruited confederates to breach AT&T security protocols, eventually costing the company over $200 million (all figures USD).
Fahd led a group that recruited AT&T employees at a Washington State call centre: connecting over Facebook, Fahd offered cash incentives to the employees to illegally unlock a supply of mobile phones in 2012. When AT&T implemented user activity monitoring and reporting systems in 2013, Fahd then bribed employees to install malware and hacking tools on AT&T’s systems to sidestep security and continue to unlock the devices remotely. Using these tactics, Fahd orchestrated the campaign for years until his arrest in Hong Kong in 2018. He was extradited to the U.S. in 2019, and pleaded guilty to conspiracy to commit wire fraud in September 2020.
AT&T’s investigation eventually concluded that nearly 2 million phones were illegally unlocked as part of the scheme, resulting in lost revenues of over $200 million. Fahd has been ordered to re-pay $200 million in restitution.
Malaysian web hosting service hit by ransomware attack
Exabytes, one of the largest web hosting services in Malaysia, was hit with a ransomware attack on September 18, disrupting services to an estimated 160,000 clients around the world. The attack compromised customers’ virtual private servers and Windows hosting services. After formulating a recovery plan, Exabytes has set about restoring each server instance, a process that was an estimated 80% complete two days after the attack.
Few details were offered by the company about the nature of the attack, and no confirmed reports have been released about any ransom demands. “The matter is under investigation now and we are unable to provide any further information on this at this moment,” according to the status blog page maintained by the company. In addition to recovery efforts, the company is also scrambling to develop a mitigation plan to help reduce the risk of future similar incidents. The company has been posting regular updates on its support portal.
CyberSecurity Malaysia (CSM), the country’s cyber risk advisory organization, has been involved to assist with investigation of the incident.
Google announces new cloud in Toronto
Google Cloud has launched a new cloud region in Toronto, Ontario. The cloud is Google’s second in Canada (a cloud region was opened in Montreal in 2018) and 28th globally.
According to the press release, the new cloud offers customers “improved business continuity planning with distributed, secure infrastructure needed to meet IT and business requirements for disaster recovery, while maintaining data sovereignty.
The new region launches with three zones, allowing organizations of all sizes and industries to distribute apps and storage to protect against service disruptions, and with our core portfolio of Google Cloud Platform products, including Compute Engine, App Engine, Google Kubernetes Engine, Bigtable, Spanner, and BigQuery.”