Symantec Antivirus Flaws Put Enterprise Users At Risk of Cyberattack

A researcher from Google’s Project Zero has blasted Symantec for a long list of security flaws that have placed enterprise users at risk of experiencing cyberattacks. The Symantec antivirus flaws were described as “as bad as it gets”.

Symantec Antivirus Flaws Now Addressed but Companies May Still be at Risk

Symantec has now addressed all of the vulnerabilities and has released patches. All enterprise users of Symantec products are advised to check to make sure that their anti-virus products have been patched. While updates have been pushed out and should be applied automatically, users should check to make sure they have been correctly applied. Not all products can be updated automatically.

Malicious actors could potentially use the flaws to take control of enterprise computers. Entire networks could potentially be compromised. Malicious actors would not even require users to take any action to exploit the flaws. Many could be exploited simply by sending users an email.

According to Google researcher Tavis Ormandy who discovered the flaws, “millions of companies have been put at risk.” The security flaws affect all enterprise anti-virus products sold by Symantec, including Norton products.

Symantec was notified of the flaws and acted quickly to address all of the vulnerabilities, although the company was criticized for not discovering the flaws itself, especially considering their severity. Ormandy discovered that Symantec had used code from open source libraries to unpack compressed files. That code was four years out of date in once case and seven years out of data in another. Ormandy said in a recent blog post that “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits.”

Other Symantec antivirus flaws were discovered that were potentially far more serious. Symantec used code to unpack and analyze ASPack compressed files which could be exploited to trigger a buffer overflow without any user interaction.

“An attacker could easily compromise an entire enterprise fleet using a vulnerability like this.” Said Ormandy.

In many cases, components in anti-virus software run under the highest level of privileges possible when this is unnecessary. This introduces unnecessary risk. Ormandy pointed out that many of the Symantec antivirus flaws could be exploited allowing remote code execution and could be used to create computer worms.

Antivirus Software Should Be Extensively Tested for Security Flaws

Symantec and other anti-virus software providers preach about the importance of protecting against threats, yet all too often they have failed to address serious flaws in their own products and have not even applied patches that have been available for years.

The Symantec antivirus flaws may be making headline news at the moment, but the company is far from the only antivirus software provider to have allowed vulnerabilities to persist in security products. Enterprises rely on these security products to protect their end points and networks and expect the software to be bulletproof. Enterprises do not expect the products could actually introduce risks.

All software developers must conduct rigorous checks of their software and need to scan for vulnerabilities in their own code, as well as that taken from third party developers. Ormandy said, “This means monitoring for new releases of third-party software used, watching published vulnerability announcements, and distributing updates. Nobody enjoys doing this, but it’s an integral part of secure software development.”

Hospital Legacy System Security Vulnerabilities Being Exploited to Gain Access to Health Data

Cybercriminals are taking advantage of hospital legacy system security vulnerabilities and are installing malware on medical devices such as blood gas infusers. The malware is used to steal data or launch attacks on other parts of healthcare networks. Specialist devices operating on hospital legacy systems are being attacked with increasing frequency and, in many cases, the attacks are going undetected for long periods of time. Once malware has been installed on the devices, hackers are able to conduct attacks from within the network.

The malware allows attackers to download a range of tools that serve as backdoors. They are able to move freely around the network and search for data. Many hospitals are completely unaware that their networks have been compromised and that they are under attack. When the attack is finally identified, it is often too late and data has already been stolen.

The Risk of Hospital Legacy System Security Vulnerabilities Being Exploited is Considerable

In the past few days, researchers at TrapX Security have issued an update to a security report that was first released last year. In 2015, TrapX Security warned of the risk of medical devices being targeted by cybercriminals and of hospital legacy system security vulnerabilities being exploited.

The company’s researchers explained that many healthcare providers had been attacked via their medical devices and warned that additional protections needed to be put in place to prevent the devices from being used to gain access to otherwise secure networks. Security researchers call the attack vector MEDJACK – short for medical device hijack.

Medical devices often run on hospital legacy systems which cannot be changed or updated. Hospital legacy systems security vulnerabilities are often allowed to go unpatched. Hospitals have addressed some of these vulnerabilities and have implemented a host of new security controls to block attacks and detect malware. However, TrapX Security has reported that cybercriminals are managing to bypass these new security controls using old malware.

Old Malware Being Used to Gain Access to Healthcare Data

Researchers have discovered that security software is failing to identify the threat from old malware. These old malware variants may not be effective against the latest operating systems which have had the vulnerabilities that they exploit plugged. However, they are still effective against hospital legacy systems.

The researchers discovered that some attackers had used the MS08-067 worm which exploits vulnerabilities in early versions of Windows. The vulnerabilities were addressed in Windows 7 and the worm is no longer considered a security risk. Even if security software detects the worm, since it is not believed to pose a risk it is either not flagged or the security alert is ignored. However, medical devices are vulnerable if they run on older operating systems. Attackers have also embedded highly sophisticated tools in the worm. Even if the threat is detected, security software does not recognize that the risk of attack is actually high.

TrapX Security has warned that these infections are going undetected for long periods of time due to a lack of security on medical devices or the operating systems on which they run. Consequently, attackers can steal sensitive medical data over long periods of time. Unfortunately, once a backdoor has been installed, it can difficult to detect. Many security systems do not scan medical devices for malware and lateral movement within the network is similarly difficult to detect.

To prevent attacks on medical devices, healthcare organizations should, as far as is possible, isolate the devices and only run them inside a secure network zone. That zone should be protected by an internal firewall, and the devices should not be accessible via the Internet. If patches and updates are available, they should be installed to address hospital legacy system security vulnerabilities. If medical devices cannot be updated and have reached end-of-life, they should be retired and replaced with devices that have the necessary protections to prevent device hijacking.

Top Websites Fail to Prevent Email Spoofing

Many top companies have not done enough to prevent email spoofing using their domains. A new study conducted by security firm Detectify has revealed that many top website domains are wide open to abuse because email servers have been misconfigured or do not use authentication.

Website Owners are Not Doing Enough to Prevent Email Spoofing

Detectify conducted the study to determine how widespread the problem really is. The top 500 Alexa ranked websites were scanned to determine whether vulnerabilities existed that would allow spammers to send spoofed emails from the domains. The Swedish security firm found that fewer than half of the websites tested had configured their email servers correctly. The majority had either misconfigured their email servers or had failed to use authentication, which could prevent email spoofing. 276 of the domains were discovered to be vulnerable. More than half of the most visited websites could therefore be used by spammers to send spoofed emails.

Email spoofing is the sending of emails using a forged email address. This can either be the sending of an email that appears to come from a particular domain – Using a very similar domain name for example – or sending fake emails from the domain itself. In the case of the former, there is little companies can do to prevent this and it is largely down to email recipients to carefully check the sender’s address.

However, organizations can take steps to prevent spammers from sending emails from their own domains. If fake emails are sent from their domains customers may be fooled into thinking the messages are genuine. Criminals use email spoofing for phishing, spearphishing, and malware/ransomware campaigns. It is easier for them to achieve their objective if the message recipients trust the domain from which the email is sent.

How to Prevent Email Spoofing

There are three main ways that companies can address vulnerabilities and prevent domain spoofing. The most common method is to use the Sender Policy Framework, or SPF.  By using this setting the website owner can specify which servers are permitted to send emails using the domain. There are three possible settings – hardfail, softfail, and neutral. To prevent email spoofing, hardfail should be selected. This will reject suspected spam emails and will ensure they are not delivered. If the softfail setting is used, emails will still be delivered although they should be marked as suspected spam. If neutral is used there is no control and all emails will be sent and delivered.

The 276 domains that Detectify discovered were vulnerable had used the softfail or neutral settings. Softfail is often used instead of hardfail to prevent the loss of emails that are incorrectly flagged. However, many free email providers such as Gmail fail to mark messages as spam if the softfail setting has been used.

Detectify recommended that websites use the hardfail setting and also use DMARC – Domain Based Message Authentication Reporting and Conformance. DMARC is a much more reliable way to prevent spoofed emails from a domain.  DMARC creates a link between the email and the domain name. This makes it easier to determine whether an email is genuine or if it just looks real. DMARC also sends reports to advise the domain owner who is sending emails from their domain.

However, only 42% of the websites tested used DMARC, and in many cases, the settings had been configured incorrectly. While SPF and DMARC are not infallible, they can make it much harder for spammers to send spoofed emails.

University Ransomware Attacks on the Rise

Healthcare ransomware infections have made the headlines in recent weeks, although the University of Calgary ransomware attack shows that no organization is immune: In fact, university ransomware attacks are on the rise.

Organizations in the healthcare and financial sectors are the main targets for cybercriminals, although education is the third most likely industry to be attacked. Universities store huge volumes of highly sensitive data and state-sponsored hacking groups frequently conduct attacks.

Foreign governments are keen to obtain research data and ransomware attacks on universities may just be a smokescreen. All too often DDoS attacks are performed for this purpose, yet ransomware can be just as effective. While IT departments scramble to secure systems and recover data, attackers may be plundering data.

University of Calgary Ransomware Attack: $20K Paid for Decryption Keys

The University of Calgary ransomware attack occurred late last month and resulted in computer systems being severely disrupted. The IT department worked around the clock in an attempt to contain the infection and restore computer services one by one. While the University had made backups of critical data, the decision was taken to pay the attackers’ ransom demand as a precaution. To obtain the decryption keys the University had to pay the attackers $20,000.

However, even after paying the ransom, unlocking the encryption and recovering data has been a long winded process. The decryption keys had to be assessed and evaluated, and the process of decrypting the infection took a considerable amount of time.

If multiple computers are infected with ransomware, separate decryption keys are required for each device. Each computer must be restored separately and decryption keys do not always work and may not allow all data to be recovered.

The keys have to be used with care and an infection can take up a considerable amount of an IT department’s time to resolve. Systems and data need to be checked after the infection has been removed and additional cybersecurity measures implemented to protect against future attacks.

The University of Calgary ransomware attack has cost tens of thousands of dollars to resolve and shows that paying the attackers ransom demand is not a quick fix that will enable files to be quickly recovered. The recovery process is time consuming, expensive, and requires a considerable amount of resources.

During the time that systems are down, workflows are seriously disrupted. In the case of university ransomware attacks lives may not be put at risk as is the case with healthcare attacks, but the costs of ransomware attacks on universities can be considerable. The total cost of resolving a ransomware infection is far in excess of any ransom payment.

Protecting Against University Ransomware Attacks

Unfortunately for universities, protecting against ransomware can be difficult as public and private networks often overlap. Staff and students are often allowed to connect personal devices to networks, and controlling devices that connect to networks can be a difficult task. While businesses can conduct cybersecurity training and can teach staff basic security best practices to adopt, this can be difficult for universities with huge volumes of staff, students and researchers.

It is therefore important to implement a number of strategies to reduce the risk of a ransomware attack being successful.

It is essential that regular data backups are made and backup devices must be air-gapped. Staff and students should be encouraged to save files on backed up network drives, and cybersecurity training should be provided where possible. Students should be informed of the risk and advised of security best practices via email and noticeboards.

Many universities already use a web filtering solution to control the content that can be accessed via university wired and WiFi networks. Web filters can also be configured to reduce the risk of drive-by malware downloads. Anti-spam solutions can also prove effective as part of a multi-layered cybersecurity strategy and can prevent malicious emails from being delivered.

Technology should also be implemented to identify intrusions when they occur. A network intrusion detection system is a wise precaution alongside traditional anti-virus and anti-malware solutions.

It may not be possible to prevent all university ransomware attacks, but it is possible to manage risk and reduce the damage caused if ransomware is installed on devices or networks.

Acer Cyberattack: 34,500 Customers Impacted: Credit Card Numbers Stolen

The Acer cyberattack recently reported to the California attorney general was due to an unspecified “security issue” on the company’s online store. Acer recently discovered that an unauthorized third party had gained access to its server and had stolen the data of its customers. Customers affected by the breach had made a purchase through Acer’s online store between May 12, 2015 and April 28, 2016.

Full Credit Card Information of Customers Stolen in Acer Cyberattack

Affected customers’ names, addresses, credit card numbers, card expiry dates, and CVC codes were all potentially stolen in the attack. Acer has pointed out that Social Security numbers were not recorded and were not obtained by the attackers. Acer does not believe that customer login details were stolen; however, the theft of password and login data could not be ruled out.

All individuals impacted by the breach do face a significant risk of suffering financial losses and must therefore keep a close check on their credit card statements for any sign of fraudulent activity. Due to the high level of risk Acer has recommended that all customers impacted by the breach place a credit freeze and fraud alert on their files. Credit reports should also be obtained from each of the credit agencies.

The incident has been reported to law enforcement and an investigation is ongoing. Acer also brought in external cybersecurity experts to assist with the investigation.

It is unclear how the Acer cyberattack occurred and whether the attackers gained access to the company’s systems in May last year or whether the attack occurred recently and resulted in a year’s worth of data being stolen. However, Acer did confirm to PCWorld that customers’ have been placed at risk because their data were “inadvertently stored in an unsecured format.”

In a statement issued by the Taiwanese computer company, Mark Groveunder Vice President, Customer Service for the Pan-American region said “We regret this incident occurred, and we will be working hard to enhance our security.” The company’s payment processing company has been informed of the breach and customers have now been notified by mail.