Cyber Intelligence Weekly (Sept 19, 2021): Our Take on Three Things You Need to Know

Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.

Away we go!

1. Customer Service Outsourcing Giant TTEC Hit by Ransomware

TTEC Holdings, Inc. (NASDAQ: TTEC), one of the largest global customer experience technology and services companies in the world, recently reported that they were dealing with a ransomware attack. The attack reportedly began on Sunday, September 12 and it was reported to KrebsOnSecurity on September 14th from a reader who passed along an internal message sent by TTEC to certain employees. TTEC has some pretty large name customers on their roster, including Best Buy, Verizon, Bank of America and more. TTEC has since announced that they have “resolved” the cybersecurity incident.

While all the technical details of this attack and the extent of the attack remain unknown, there are several good lessons that we can take away from this event:

• Sunday, Bloody Sunday. We’ve noted in the past how threat actors love to dial up the pain on weekends. This attack seemed to be no different as it was reported that it begun on Sunday, September 12. Understanding these types of nuances can sometimes be half the battle. Make sure your incident response teams are prepared and ready for weekends and long holiday breaks, these are the times the bad guys are most likely to attack.
• Three’s a Party. This is yet another example of a third party that is critical to many large business operations that has fallen victim to a large-scale ransomware attack. Thousands of customer service agents were unable to perform their work this past week due to lack of resources and technology. If your organization places heavy reliance on third parties like TTEC, make sure you take the time to audit and understand their ransomware prevention and response programs.
• Dishing out Dirt. This is another great example of how controlling communications is so critical during a cybersecurity incident. The last thing that you want is to have the KrebsOnSecurity blog break the exclusive story. Clearly, in this case, this was enabled by an employee who shared critical details with the revered cyber journalist. Assume that the worst will happen from a public relations and communications standpoint, and be prepared for it!

2. Apple Releases Patch for Zero-Day Affecting Just About Everything

This past week Apple released a patch for a zero-day security flaw that packs a big punch. The vulnerability apparently allows an attacker to take over and steal just about everything on the phone (photos, messages, location, etc.) using the Pegasus software from the Israeli firm, NSO Group.

The vulnerability, dubbed ‘FORCEDENTRY’ was found by Citizen Lab while analyzing the phone of a Saudi activist that was infected with the NSO Group’s Pegasus spyware. The vulnerability was classified as a zero-day with zero-click needed to exploit through iMessage. Basically, this is a cutting edge, almost impossible to detect/stop exploitation mechanism for all Apple products.

What makes this vulnerability so intriguing is that it bypasses one of Apple’s newest security feature ‘BlastDoor’, which is meant to interrogate iMessage data for malicious code and untrusted features. Hence, why the vulnerability is called ‘FORCEDENTRY’.

Reuters released a prepared statement from the tech giant, where Apple’s head of Apple Security Engineering and Architecture, Ivan Krstić, had this to say about the issue, “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Ensure that you and your employees update all Apple devices to fix this flaw. The latest update level is iOS 14.8 for iPhones and iPads, and there are various new updates for the Apple Watch and macOS as well. This is yet another reason to ‘patch your stuff’ on a regular basis!

3. O. MI. GOD.

Microsoft seemingly can’t keep out of the news cycle for bad reasons this year, and for bad reason. This week, it is an issue with Microsoft’s Azure, specifically their Linux Virtual Machine product. Researchers at Wiz disclosed a set of vulnerabilities in Microsoft’s Open Management Infrastructure (OMI), which is an open source Common Information Model (CIM) management server used for managing Unix and Linux systems.

This vulnerability apparently allows attackers to remotely execute arbitrary code within the network with a single request, which allows them to escalate to high-level root privileges.

While the below list is not exhaustive of all services using OMI, Wiz notes that any organization using one or more of the following Azure services is vulnerable:

• Azure Automation
• Azure Automatic Update
• Azure Operations Management Suite
• Azure Log Analytics
• Azure Configuration Management
• Azure Diagnostics
• Azure Container Insights

The tricky part about this vulnerability is figuring out just what VMs may be running OMI, as Azure apparently does not reference OMI in the Azure portal. Tenable has provided useful guidance that lays out a mapping of vulnerable services/extensions, table of affected and fixed versions, and how to update OMI. The article does note that Microsoft will provide automatic updates (if enabled) for cloud deployments of OMI.