News

Cyber Security Bulletin: SolarWinds Supply-Chain Compromise

On 13 December, 2020 SolarWinds disclosed a security advisory outlining recent malicious activity impacting SolarWinds Orion Platform resulting from a supply chain compromise. The SolarWinds technology is used by many businesses to manage their network environments including mapping and capacity planning. This is a widespread campaign by a “highly evasive” actor gaining access to numerous public and private organizations around the world.

Through trojanizing SolarWinds Orion Platform software updates, actors were successfully able to distribute malware. This campaign may have begun as early as Spring 2020 and is reported as currently ongoing. Post compromise activity leverages multiple techniques to evade detection and obscure their activity, which includes lateral movement and data theft.

SolarWinds has provided guidance on how to identify the version of Orion Platform organizations are using and to check which hotfixes organizations have applied. If an organization cannot upgrade immediately, please follow the guidelines securing an Orion Platform instance.

An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. SolarWinds recommends that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.

In addition to the fixes being posted by SolarWinds, the following recommendations are mitigation techniques that could be deployed as first steps to address the risk of trojanized SolarWinds software in an environment. SRG encourages organizations review the below recommendations and action those based on an organization’s own risk-based assessment:

Ensure that SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
If SolarWinds infrastructure is not isolated, consider taking the following steps:
- Restrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
- Restrict the scope of accounts that have local administrator privileged on SolarWinds servers.
- Block Internet egress from servers or other endpoints with SolarWinds software.
Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.
If SolarWinds is used to managed networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.

If malicious activity is discovered in an environment, SRG recommends conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

December 14, 2020/0 Comments/by Kyla

Announcements, Bulletins

Cyber Security Bulletin: FireEye Cyber Security Breach

This Cyber Security alert is intended for organizations that utilize this technology as part of their cyber security protection program.

On December 8, 2020, cyber security firm FireEye disclosed that it was recently a victim of a targeted security breach by a threat actor.

The threat actors were successful at infiltrating the internal network and acquire red team security assessment tools. FireEye is currently investigating and initial findings show no evidence of customer data exfiltration and at this time cannot state confidently whether these tools will be used or publicly disclosed by the threat actors..

These FireEye tools are used by customers to simulate real-world cyber attacks and test themselves in a near-real type of environment. Users of these technologies should review FireEye released methods of detecting the use of those red team tools in the event the threat actors use them for attack purposes.

Further actions for Consideration:

Review the CSE Top 10 Security Actions (https://cyber.gc.ca/en/top-10-it-security-actions)
Review the signatures shared by FireEye and consider them for inclusion within security appliances. Organizations are encouraged to contact vendors if tailored signatures are required for specific products.
Consider measures to limit the amount of sensitive information that malicious actors can collect about their networks by performing security assessments on network systems for un-necessary or inadequately secured or patched services.
Assess networks for the presence of vulnerable software, particularly where it is installed on devices exposed to the internet, and update as soon as possible to the latest version.
Implement two-factor authentication (2FA) on all internet-facing remote access services, starting with perimeter security devices such as firewalls and remote access gateways for teleworkers and administrators.

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

December 10, 2020/0 Comments/by Kyla

Announcements, Bulletins

Cyber Security Bulletin: Phishing Attack Campaigns Target MS Teams Users

A new attack vector has been identified specific to those organizations that use Microsoft Teams for collaboration with internal teams as well as with your customers. The phishing campaign pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials.

Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic. This particular campaign was sent to between 15,000 to 50,000 Office 365 users with suspicion that additional campaigns will be forthcoming. Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification.

The initial phishing email displays the name “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams. Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” according to researchers. Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.

Further, the phishing landing page also looks convincingly like a Microsoft login page with the start of the URL containing “microsftteams.” If recipients are convinced to input their Microsoft credentials into the page, they are unwittingly handing them over to attackers, who can then use them for an array of malicious purposes – including account takeover. See one sample of the phishing email below.

In May, a similar convincing campaign that impersonated notifications from Microsoft Teams in order to steal the Office 365 credentials of employees circulated, with two separate attacks that targeted as many as 50,000 different Teams users.

Users are warned to be diligent in reading all invites such as described above and when in doubt, delete the email and not click on any of the display areas.

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

October 23, 2020/0 Comments/by Kyla

Announcements, Bulletins

Cyber Security Bulletin: Increased Threat from Emotet Malware Campaigns

Since July 2020 there has been an increase in malicious activity associated with Emotet malware campaigns. Emotet has been frequently observed working in tandem with Trickbot and Ryuk malware in a persistent attempt to compromise computer systems within Canada. These threats have been successfully used to attack many Canadian companies since 2019.

Emotet is an advanced botnet attached to email. Once a system is infected by Emotet, additional malware, including Trickbot and Ryuk may be implanted on the system resulting in data exfiltration or attempts to extort the victim.

Emotet malware can be spread through untargeted bulk spam emails (such as shipping notifications, or “past-due” invoices), as well as what appear to be targeted malicious emails (spear phishing). Targeted emails are particularly effective as they appear to come from a trusted source, often from someone with whom the email recipient has recently been in communication.

Furthermore, Emotet email campaigns have been observed to be leveraging both ‘thread hijacking’, a technique where malicious emails are inserted into existing email threads, and using password-protected zip files to avoid detection by network defenses. These techniques result in convincing messages that an unaware recipient may believe to be trustworthy and encouraged to download malware by opening an attachment (a macro-enabled Microsoft Word document or PDF) or clicking a malicious link.

SUGGESTED ACTIONS

Scan all incoming and outgoing e-mails to detect threats and prevent executable files or macro enabled documents from reaching end users.
Always exercise caution when receiving an unexpected email or email reply containing an attachment or URL, even when from a trusted source. If the email seems unusual, contact the sender to confirm the authenticity of the attachment.
Avoid enabling macros within a document received via email.
Use anti-virus protection and ensure that it is diligently kept up to date.
Implement architectural controls for network segregation and protection.
Perform daily backups of all critical systems, maintain offline and offsite copies of backup media and periodically test data restoration processes from backups, including key databases to ensure integrity of existing backups and processes.
Ensure operating systems receive the latest patches.

Please reach out to us with your concerns or for more information on how to protect yourself or your business.

October 8, 2020/0 Comments/by Kyla

Announcements, Bulletins

Cyber Security Bulletin: Due Diligence vs Bad Actors

While bad actors continue their denial-of-service for ransom activities, SRG would like to remind all clients and businesses to continue your due diligence as you work to protect your company assets:

Actors claiming to be various Advanced Persistent Threat (APT) groups have been threatening to carry out large-scale distributed denial-of-service attacks for ransom, commonly known as Ransom DoS (RDoS). Recent reported threats were against the financial sector, globally and in Canada, but other sectors are expected to be subject to the same activities. The threats are typically accompanied by short Distributed Denial of Service attacks (DDoS) that are intended to demonstrate the actor’s capability.

Details vary from case to case but the core elements are as follows:

An organization is approached via e-mail by an actor identifying explicitly as a well-known APT, indicating an intent to demonstrate the capability to disrupt the organization’s infrastructure, and demanding a specific payment in Bitcoin be made. In return for payment, the actor undertakes to refrain from further activity.
A short time after the e-mail is sent, the targeted organization’s infrastructure is subjected to a relatively short DDoS, as threatened in the e-mail.

There are reports across Canada of such activity where the subject line of the ransom email is: “DDoS Attack on <organization name>’s network”. The email specifies a date on which the organization’s network would be subjected to a DDoS attack and imply that a small-scale attack on a specific IP address range will be carried out immediately to prove the message was not a hoax. The mail demands a ransom amount, to be paid in Bitcoin, to avoid a larger and sustained attack. The ransom attack then escalates daily with non-payment.

The following denial-of-service techniques have been reported:

UDP flooding;
DNS amplification;
NTP amplification;
CLDAP amplification;
IP Fragmentation; and possibly others.

Recommended Protection Activities are as follows:

Work with your cloud and Internet service providers to implement service-level agreements that include DoS defence provisions. Your service providers may use multiple tools and techniques to help your organization protect itself against DoS attacks.
Ensure your system administrators are familiar with DoS protection services. Familiarity with these services can help them effectively rate limit or whitelist.
Monitor network and systems. Configure monitoring tools to alert you when there is an increase in traffic (outside of your baseline) or any suspicious traffic overloading a site.
Install and configure firewalls and intrusion prevention systems. You can use these tools to monitor traffic and block known-malicious and illegitimate traffic.
Update and patch operating systems and applications. Update and patch systems and applications, including your firewalls, to ensure that security issues are addressed and prevent threat actors from taking advantage of vulnerabilities.
Defend your network perimeter. To protect your network, use a layered approach to security by implementing multiple controls and techniques.
Plan for an attack. Have a recovery plan that prioritizes systems and processes based on their tolerable downtime. You should also identify points of contact and an incident response team.
Monitor for inbound e-mails to publicly available addresses where addressing and subject line is similar to that provided above.

Reach out to us with your concerns or for more information on how to protect yourself or your business.

September 2, 2020/0 Comments/by Kyla

Who We Are

SRG Security Resource Group Inc. is a Canadian company dedicated to providing world-class Protective Security Guard and Patrol and Cyber Security services. Founded in the spring of 1996, SRG provides solutions and services for people and organizations across Canada.

Testimonials

Information Technology Office

“SRG provides subject matter expertise to the Government of Saskatchewan in a timely, proficient manner. I have enjoyed working with the SRG team and appreciate the adaptability and professionalism they exhibit when dealing with our challenging environment.”

– Crystal Zorn
Director, Information Security Branch

The Manitoba Museum

“SRG has been a reliable and preferred supplier of security services to The Manitoba Museum for a number of years.”

– David Thompson
Director of Finance and Operations

The Alberta Teachers’ Association

“The IT security improvement journey for any organization can be a large and continuous undertaking. The Alberta Teachers’ Association (ATA) chose to partner with SRG many years ago to assist us on that journey. SRG continues to add value to the ATA by providing top quality service and resources in an annual security plan. Over the years, SRG has helped us to gain support and commitment from the various stakeholders in the Association and we continue to look forward to a long relationship with SRG.”

– Dr. Terry Bruchal
Director of Information Technology

Get In Touch

Phone
306-522-0135
Email
admin@securityresourcegroup.com
Address
300-1914 Hamilton Street
Regina, SK S4P 3N6