At a glance.
- CISA updates its Microsoft Exchange remediation directive.
- Data breaches are being detected more quickly.
- SolarWinds and the city of Tampa.
- The education sector and data security.
CISA releases updated Microsoft Exchange attack advisory.
For the past several weeks, Microsoft Exchange servers have been the target of ongoing attacks against a series of vulnerabilities disclosed in March. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning of exploitation of the bugs and Microsoft swiftly released patches to protect against the vulnerabilities, but Security Week reports that CISA has now published an update including Malware Analysis Reports (MARs) detailing additional attacks. The alert identifies ten China Chopper webshells detected on Exchange servers, just a partial list of possible webshell attacks. As well, the update warns of attacks deploying DearCry ransomware, also known as DoejoCrypt, and recent assaults from the Black Kingdom/Pydomer threat group. The MARs also disclose tactics for detecting and defending against these potential threats.
Detection time for breaches is down, but why?
Security Week reports that researchers at FireEye have compiled data that shows that overall, organizations are detecting breaches faster, but this might not be the good news it appears to be. Ransomware operations increased from 14% in 2019 to 25% in 2020, and of these incidents, 78% had a dwell time (the time an attacker is present in the target’s system before they are detected) of thirty days or less, while just 1% experienced a dwell time of seven hundred days or more. These findings, part of the Mandiant incident response division’s M-Trends 2021 report, are partially due to the increase in ransomware attacks, which are by their very nature designed to be detected quickly, as the cybercriminal’s goal is to inconvenience the target and motivate the victim to meet ransom demands. It’s worth noting that the median dwell time for ransomware attacks was just five days, compared to forty-five days for other types of attacks. The report also examines ransomware extortion, the impact of remote work on cyberattacks, and the operations of FIN11, the threat group responsible for the SolarWinds attack.
City of Tampa probably affected by SolarWinds attack.
Speaking of SolarWinds, WFTS reports that the city of Tampa in the US state of Florida might have been impacted in the supply chain attack which is considered by many experts to be the largest cyberattack in US history. So far 18,000 organizations, from Fortune 500 companies to local governments to branches of the military, have been identified as victims in the massive breach of the software provider. The city of Tampa was one of two local governments listed among SolarWinds’ customers on their website before the page was removed from the site shortly after the breach was reported, and now investigators are saying employee and resident data was potentially exposed, and the threat actors could have access to the networks that support the city’s infrastructure. WFTS has found no evidence that SolarWinds contacted the city to inform them of the compromise, and when asked about the possible breach, a city spokesperson responded, “It’s our policy not to comment on matters involving security planning and/or response efforts.”
Survey says learning institutions need increased data security support.
Cybersecurity vendor Netwrix recently conducted the 2021 Netwrix Cloud Data Security Report, and is now sharing the report’s findings on the education sector. Highlights include:
- Phishing was the most common attack experienced by learning institutions, with 60% hit by phishing operations targeting cloud data, far higher than the global average of 40%.
- The US Federal Bureau of Investigation recently warned that educational entities would be targeted by PYSA ransomware operations, and indeed, more than a quarter of learning institutions in the report experienced ransomware attacks. For nearly half of those, the attack was not detected until days after deployment.
- In the case of accidental data leaks, a staggering 93% of learning institutions went days or even weeks before the breach was detected.
- Most of the institutions surveyed feel they are more susceptible to attack because they are lacking security staff, cloud security knowledge, and funding. Ilia Sotnikov, Netwrix’s Vice President of Product Management, explained, “Because educational institutions are understaffed and lack funding for sufficient training, the sector struggles to adequately respond to the ever-changing cyber threat landscape.”