Cyber Defence Report - August 2020

The Security Operations Centre is the heart and lungs of CyberGuard. The team monitor, respond and proactively change customers’ defences to adapt to the ever-changing tools and techniques that cyber-criminals use. 

Our SOC team is rapidly expanding as we move to support our customers, and I am delighted to announce that, effective 1 August, our team is able to offer full 24/7 active response between 6am and 10pm, based here in the UK.

We have recruited a new Operations Manager, Sean Tickle, who has brought a wealth of experience and knowledge to the business. We are also currently recruiting for new SOC Analysts, at all levels, as we continue to grow our team. 

With so many attacks and so many criminal gangs, we have to keep up with the rapidly changing threat landscape.

There are three main ways that we arm our team, and I will detail these over the next few reports: Open Source Intelligence, Incidents and Investigations, and Commercial Threat Intelligence.

This month we will start with Open Source Intelligence (OSINT). 

Open Source Intelligence – this intelligence is published by security researchers and security vendors on blogs and Twitter.

There are also a number of security-based sites, such as Securelist, Threatpost and Bleeping Computer, that publish reports, along with vendor-released information from the likes of FireEye, Kaspersky and CrowdStrike, to name a few.

Once we have access to one of these reports (https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/) the job of the SOC Analyst is to take the relevant information and apply it to the systems, to either block the actor or create an alert, based on the activity. 

In the above report we know the Lazarus Group, a North Korean group that is also known as APT38 or Stardust Chollima, is targeting large businesses to deploy ransomware.  

The report contains indicators of compromise and describes the techniques the attacker uses for initial compromise, and then the tools used inside your network. The more we understand the “how”, the easier it becomes to set your defences against these attacks; of course, this is an ever-evolving battle of cat and mouse.

Unfortunately, as soon as these reports are released, the attacker knows their infrastructure has been compromised and will quickly move on, which gives some of these indicators a limited shelf life.
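
As an added illustration of the workflow described above (this is not CyberGuard's own tooling), the following Python example pulls defanged indicators out of a constructed report excerpt and turns them into block or alert rules that age out. The shelf-life values, the dates, the function names and the assumption that the report defangs its network indicators with "[.]" are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import date, timedelta

# Constructed report excerpt (documentation IP ranges, example domain, dummy hash).
SAMPLE_REPORT = (
    "C2 traffic went to 203.0.113[.]45 and hxxps://update.example[.]com/gate.php\n"
    "A second-stage server at 198.51.100[.]7 dropped loader.dll\n"
    "Loader SHA-256: " + "ab" * 32 + "\n"
)

# Assumed shelf life in days per indicator type; None means it does not age out.
SHELF_LIFE_DAYS = {"ipv4": 30, "domain": 90, "sha256": None}

# A dotted token; only those with at least one defanged "[.]" are kept below,
# which filters out file names such as gate.php or loader.dll.
DEFANGED = re.compile(r"[a-z0-9-]+(?:(?:\.|\[\.\])[a-z0-9-]+)+", re.I)
SHA256 = re.compile(r"\b[a-f0-9]{64}\b", re.I)

def extract_iocs(report_text):
    """Return a sorted list of (type, value) pairs found in the report text."""
    found = {("sha256", h.lower()) for h in SHA256.findall(report_text)}
    for token in DEFANGED.findall(report_text):
        if "[.]" not in token:
            continue  # not defanged, so not treated as a network indicator
        value = token.replace("[.]", ".").lower()
        try:
            ipaddress.IPv4Address(value)
            found.add(("ipv4", value))
        except ValueError:
            found.add(("domain", value))
    return sorted(found)

def build_watchlist(iocs, published, today):
    """Block indicators inside their shelf life; downgrade expired ones to alert."""
    rules = []
    for kind, value in iocs:
        ttl = SHELF_LIFE_DAYS[kind]
        expires = None if ttl is None else published + timedelta(days=ttl)
        action = "block" if expires is None or today <= expires else "alert"
        rules.append({"type": kind, "value": value, "action": action, "expires": expires})
    return rules

if __name__ == "__main__":
    # Constructed dates: report published 28 July 2020, watchlist built 15 September 2020.
    for rule in build_watchlist(extract_iocs(SAMPLE_REPORT), date(2020, 7, 28), date(2020, 9, 15)):
        print(rule)
```

Expired network indicators are downgraded to alert-only rather than deleted, so a late sighting is still surfaced to an analyst without blocking an address that may since have been reassigned.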

We also use some of the freely available data feeds from the likes of Spamhaus, well-established Government Computer Emergency Response Teams (CERTs) and the UK’s own National Cyber Security Centre (NCSC).

July was another very busy month for critical updates from some of the largest software companies. 

Microsoft released a security update that affected all Windows DNS Servers (CVE-2020-1350). This vulnerability was remotely executable, wormable, and rated a 10 out of 10 on the CVSS scoring system. We deemed this patch so important that we issued an out-of-band security notice on the night of its release.

SAP released their July 2020 Security Update. It included several security patches, among them fixes for critical vulnerabilities in NetWeaver AS JAVA (LM Configuration Wizard) (CVE-2020-6287).

Cisco released a security update for the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance. These vulnerabilities, if exploited, could result in a number of security issues, including system compromise.

Our patch management team have been busy.

The UK Government issued a warning to all companies that are helping with the fight against Covid-19, that an advanced threat actor from Russia named APT29 (Cozy Bear) was actively targeting these organisations, specifically those that are working on a vaccine.

Wearable device maker, Garmin, shut down some of its connected services and call centres last week because of a confirmed ransomware attack. The ransomware has been identified as WastedLocker. Full analysis can be found here: https://securelist.com/wastedlocker-technical-analysis/97944/?es_p=12372980

The ransom was reportedly set at £10 million. In an update this week Garmin has confirmed that they now have the decryption keys and are currently restoring services. There is a lot of speculation that the ransom was paid through a third party.

Stay safe
Paul Colwell, Technical Director