Cyber Intelligence Weekly (Sept 12, 2021): Our Take on Three Things You Need to Know
Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.
Away we go!
1. Microsoft Warns of New Zero Day Attack Exploiting Bug in MSHTML
It’s been a busy year for Microsoft with all the critical issues that have cropped up throughout the year. This past week has been no different, as Microsoft has released mitigations and workarounds for a remote code execution vulnerability (CVE-2021-40444) in MSHTML on Microsoft Windows. Successful exploitation lets a remote attacker run code as the user who opened a malicious document, and from there take control of the affected system. Microsoft reports that the vulnerability is already being exploited in the wild.
MSHTML (mshtml.dll, also known as Trident) is the Dynamic Link Library that Internet Explorer uses to parse and render HTML pages. The same engine is embedded in other applications, including Microsoft Office, which is why a crafted Office document, not just a web page, can reach the vulnerable code.
Microsoft details just how this bug could be exploited, “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.”
While we wait on a patch, we suggest following Microsoft’s mitigations and workarounds, as well as following other cybersecurity best practices:
- Ensure users are well trained on phishing attacks and scrutinize any documents before they open them.
- Make sure to update any antivirus and antimalware systems that you may use.
- Limit local administrative rights. Code that runs through this bug inherits the rights of the user who opened the document, so users without administrative rights are less exposed than those who operate with them.
- Disable the installation of all ActiveX controls in Internet Explorer (Microsoft’s workaround sets this for every Internet Explorer security zone), and disable the preview pane in Windows Explorer so that merely selecting a malicious document does not render it.
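The two registry workarounds above are applied by hand in Microsoft’s advisory. The PowerShell below is an added example, written for this post and not taken from the newsletter or from Microsoft; it scripts the same two changes and then audits that they took effect. The zone value names (1001 for downloading signed ActiveX controls, 1004 for unsigned), the Policies registry path, and the preview-handler shell extension GUID are transcribed from the published workaround and should be checked against the current advisory before use; the backup directory name is my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code: applies and audits the two published
# CVE-2021-40444 workarounds. Assumes an elevated PowerShell session on Windows.

# Zone policy key from the published .reg workaround (assumption: verify against the advisory).
$ZonesPolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXValues      = @('1001', '1004')   # 1001 = signed ActiveX download, 1004 = unsigned; 3 = Disable
$PreviewHandlerGuid = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'   # IPreviewHandler shellex subkey
$OfficeExtensions   = @('.doc', '.docx', '.docm', '.rtf')

function Disable-ActiveXDownload {
    # Zones 0-3 are Local machine, Intranet, Trusted and Internet. The Restricted
    # zone (4) already blocks ActiveX downloads by default, so it is not touched.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesPolicyKey "$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ActiveXValues) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 3 -Force | Out-Null
        }
    }
}

function Disable-ExplorerPreviewHandlers {
    # Removes the preview-handler registration for Office document types so the
    # Windows Explorer preview pane cannot render them. Each key is exported
    # first so the change can be reversed once the patch is installed.
    param([string]$BackupDir = "$env:ProgramData\cve-2021-40444-backup")   # hypothetical path
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($ext in $OfficeExtensions) {
        $regPath = "HKEY_CLASSES_ROOT\$ext\ShellEx\$PreviewHandlerGuid"
        $psPath  = "Registry::$regPath"
        if (Test-Path $psPath) {
            $backup = Join-Path $BackupDir ("preview-" + $ext.TrimStart('.') + ".reg")
            reg.exe export $regPath $backup /y | Out-Null
            Remove-Item -Path $psPath -Recurse -Force
        }
    }
}

function Test-Cve202140444Workarounds {
    # Returns $true only if every zone value reads back as 3 and no preview
    # handler remains registered for the Office extensions; warns on each gap.
    $ok = $true
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesPolicyKey "$zone"
        foreach ($name in $ActiveXValues) {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($value -ne 3) { Write-Warning "Zone $zone value $name is '$value', expected 3"; $ok = $false }
        }
    }
    foreach ($ext in $OfficeExtensions) {
        if (Test-Path "Registry::HKEY_CLASSES_ROOT\$ext\ShellEx\$PreviewHandlerGuid") {
            Write-Warning "Preview handler still registered for $ext"; $ok = $false
        }
    }
    return $ok
}

Disable-ActiveXDownload
Disable-ExplorerPreviewHandlers
if (Test-Cve202140444Workarounds) { 'Workarounds applied.' } else { 'Workarounds incomplete; review the warnings above.' }
```

Run the audit function on its own from a management host after deployment to confirm the change landed on every machine, and keep the exported .reg files: the preview-handler removal breaks document preview in Explorer and Outlook, and you will want to restore it after patching.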
For additional technical reading, as well as prevention, detection and IOC examples, we recommend reading this Huntress blog post by John Hammond.
2. Public Companies on the Hot Seat in SolarWinds Breach Probe
A recent report from Reuters has detailed how publicly traded companies that were targeted in the SolarWinds supply chain incident are now in the hot seat with the Securities and Exchange Commission (SEC), which has embarked on a wide-reaching probe.
The SEC does have laws and rules related to the disclosure of cybersecurity incidents and data breaches. In 2018, the SEC published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.
In this recent probe, the SEC has reportedly asked over 100 companies for additional information regarding any computer incidents or data breaches they have experienced since October 2019. Reuters notes that while the SEC requests are voluntary, there is considerable concern that the inquiries will surface earlier security events that should have been disclosed at the time but were not.
The SEC has recently been stepping up its enforcement of SEC registered organizations and public companies for cyber disclosure failures and deficient cybersecurity procedures. This is yet another matter that public organizations must navigate as they manage their cybersecurity programs.
3. United Nations Confirms Breach in April of 2021
A new Bloomberg report reveals that the UN was breached earlier this year, and that the hackers made off with troves of data that could threaten agencies that work with or at the UN.
It was also reported that the method used to gain initial access to UN systems was relatively rudimentary. The attackers reportedly used an employee’s stolen credentials that were found for sale on the dark web. The credentials belonged to Umoja, the UN’s internal project management system, and were the jumping-off point for an intrusion that lasted for months before it was detected.
Umoja reportedly did not require multi-factor authentication to access its various modules. Multi-factor authentication is one of the most widely recommended cybersecurity controls today, and its cost is small compared with the cost of a breach; a stolen password alone should not have been enough to log in. It appears that the UN moved the Umoja system to the cloud in July of this year and has also updated its access control mechanisms, which now appear to include MFA.