Smart home cybersecurity news roundup [March 2021]
Several major system infiltrations made it onto the books in March, including the previously downplayed Ubiquiti Networks breach and a new ransomware demand to the tune of $50 million. Reoccurring malware threats continue to spur a response from the United States government for stronger defensive security measures, for the general public as well as federal offices. We explore the potential for corporate and national policy change in this month's cybersecurity roundup.
Revisit of Ubiquiti Networks data breach finds it was downplayed
Further investigation of the Ubiquiti Networks infiltration from January 11th reveals that consequences were more severe than first explained. Described as catastrophic, the vendor originally claimed information like names, email addresses, salted/hashed credentials, and other identifying information could have been compromised. Customers were simply notified via email to create new passwords and enable two-factor authentication accordingly.
A letter to KrebsonSecurity from Ubiquiti security professional details the dangers of this attack with more scrutiny. After finding credentials from an employee's LastPass account, the attacker was able to obtain root administrative privileges for all of Ubiquiti's Amazon Web Services accounts. Such privileges include the risk of infiltrating into any of Ubiquiti's cloud-driven devices. The anonymous interviewee believes simple password change notifications were a mishandling of the event, claiming that Ubiquiti ignored security's recurring recommendations:
Ubiquiti had negligent logging (no access logging on databases), so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases. Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.
KrebsonSecurity advises deleting device profiles on Ubiquiti devices, updating to the latest version of firmware, and creating new profiles attached to new credentials. They also recommend disabling remote access in Ubiquiti device settings.
Microsoft Exchange Server software hacked by HAFNIUM
Cybernews explained that an estimated 30,000 organizations could be victims of this attack, as well as 82,000 internet-facing servers that might still be unpatched.
Microsoft revealed in their security blog from early March that it has reported eight infiltration attempts in the past year alone, all from groups targeting critical institutions. The company has named the most recent of these threats to their Exchange Server software "HAFNIUM," and uncovered the three sequential steps the infiltration takes to exploit their servers:
- Obtains access via stolen passwords or previously unknown vulnerabilities
- Creates a web shell to reign control of the server
- Commandeers data from the organization's network
Microsoft also credits Volexity for uncovering suspicious activity in January 2021. They detected data being sent to IP addresses believed to be from illegitimate users, which sparked further investigation. After analyzing system memory, Volexity found strong evidence pointing to zero-day vulnerabilities allowing authentication bypass and remote code execution. Consequently, actors proceeded with post-exploitation movement inside the network using separate tools and methods.
Since the discovery, Microsoft has released updates to patch the vulnerabilities and recommends immediate installation on any Microsoft Exchange 2013, 2016, or 2019 software. They also provide detailed reports on each vulnerability as well as indicators to determine if your server has been compromised. This includes a Github script for Microsoft Exchange Server administrators to test for known vulnerabilities. IT Management is advised to implement updates as soon as possible.
Biden administration considers cybersecurity rating system for consumer devices
In an interview with a senior White House official, the Biden administration mentioned the possibility of adopting a cybersecurity rating system similar to that of the Cybersecurity Agency of Singapore. Singapore's system aims to clarify defense capabilities for consumers in networking and IoT products, as well as encourage manufacturers to create competitive security features. The official references former New York City Mayor Bloomberg's implementation of restaurant health and safety ratings on display for passersby as a comparison, stating:
"[H]e required restaurants to put a simple rating — A, B, C, D — in their front window to make a market — to make a market around health and sanitation. And we’re looking to do a very similar thing with cyber and the cybersecurity of software companies we buy software from.”
"Singapore has an interesting model where they provide cybersecurity standards for different Internet of Things devices, like baby monitors, so that moms who want to buy secure products have a really easy way to put their money on it. And we don’t have that in the U.S. today; we don’t have that transparency so that people can make a market for cybersecurity."
Singapore's Cybersecurity Labeling System uses a 4-level rating system:
- Level 1: Meets basic security requirements.
- Level 2: Adherence to principles of security by design.
- Level 3: Absence of known common software vulnerabilities.
- Level 4: Resistance against common cyber attacks.
Currently, the participation in their labeling scheme is voluntary. The Cybersecurity Agency of Singapore states that they will monitor participation in the scheme and "consider when it will be suitable for the labelling scheme to be made mandatory for IoT consumer devices." They also specify that any product that is later found dissatisfactory to the requirements will be requested to remove the label from their products.
Based on the correspondence with a White House official, there is currently no further information about how closely an American rating system would resemble Singapore's. However, a report released by the Cyberspace Solarium Commission details a proposal of granting non-governmental agents the power to certify, creating a set of metrics for scoring device security, and providing public information about the system both on- and off-label (Key Recommendation 4.1, pg. 73-75).
REvil ransomware demands $50 million from Acer
Hardware giant Acer allegedly became victim to ransomware targeting their bank and financial documents. Acer neither confirms nor denies the attack, but REvil has provided images of files they claim to have stolen. They also requested a total of $50 million in payment for the release of the files and threatened to double the amount to $100 million if it is not paid by March 28th. To date, this is the largest demand of ransom yet. Despite REvil offering to discount the payment by 20% if Acer could provide the fund by March 17th, there are no reports on whether Acer has decided to pay the ransom as of this writing. Acer provided the following response when prompted by several technology news outlets:
Acer discovered abnormalities from March and immediately initiated security and precautionary measures. Acer's internal security mechanisms proactively detected the abnormality, and immediately initiated security and precautionary measures.
REvil stands for Ransomware Evil and is an organization that offers ransomware as a service on the dark web. When employed, they provide the malware needed to breach sensitive data for a 20-30% cut of the ransom. In fact, REvil claims to have raked in over $100 million in just one year from their exploits. In double extortion ransomware attacks like this, offline backups are virtually useless protection; Acer's sensitive data was first exfiltrated from their systems before it was encrypted, meaning data restoration would only cover half the battle since REvil can still publish the data they've stolen. Moreover, REvil has also added new commands in its ransomware, including methods of reboot and running in Windows Safe Mode, allowing for more stealth in their attacks.
Research has shown that ransomware attackers monitor networks, patiently waiting to strike at the right opportunity. For more details, CI Security provides helpful information on detection and prevention of similar attacks.