Password Management

Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw

An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education.

The campaign was identified by security researchers at Palo Alto Networks and while the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse based on the use of hacking tools and techniques that match previous APT27 activity.

The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems.

On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory warning exploits for the flaw were in the public domain and being used by APT actors to install web shells on vulnerable servers to gain persistent access.

Palo Alto Networks said a second campaign was then identified that involved extensive scans for vulnerable servers using leased infrastructure in the United States. Vulnerable systems that had not been patched against the vulnerability started to be attacked from September 22, 2021, with those attacks continuing throughout October.

The attackers deployed a web shell called Godzilla, with a subset of victims also having a new backdoor called NGlite installed. The backdoor or web shell was then used to run commands and move laterally within victims’ environments, with sensitive data exfiltrated from victims’ systems. When the attackers located a domain controller, they installed a new credential-stealing tool dubbed KdcSponge, and harvested credentials and exfiltrated files such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry.

Palo Alto Networks said its scans indicate there are currently around 11,000 servers running the Zoho software, although it is unclear how many of them have been patched against the CVE-2021-40539 vulnerability. The researchers said the APT group attempted to compromise at least 370 Zoho ManageEngine servers in the United States alone.

The post Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Put Cybersecurity First

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people.

Cybersecurity Advice for Companies

One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought.

Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam filters, web filters, antivirus software, endpoint detection systems, encryption software, and backup solutions. Patch management is also key. Software and firmware updates should be applied promptly, with priority given to patching the most serious vulnerabilities.

Businesses should adopt a mindset of a cyber breach being inevitable, which means they need to know how they will respond to an attack when it occurs. A business continuity plan should be developed and tested. The plan should include emergency protocols while systems and data are inaccessible, the restoration of systems and data, communication with stakeholders, compliance, and reporting breaches to appropriate authorities. Having an incident response plan in place ensures the business can continue to function in the event of a cyber breach and it will greatly speed up the recovery time and help to keep breach costs to a minimum.

FBI Raises Awareness of the Ransomware Threat

This week, the Federal Bureau of Investigation (FBI) is raising awareness of the threat from ransomware. Ransomware is a type of malware used to encrypt files to ensure they cannot be accessed. A ransom demand is then issued for the keys to decrypt files, although there are no guarantees that file recovery will be possible even if the ransom is paid. It is also now common for sensitive data to be stolen before file encryption, with threats issued to publish or sell the data if the ransom is not paid.

Access to computers and networks is gained by exploiting vulnerabilities, conducting brute force attacks to guess weak passwords, and most commonly, through phishing emails. Links are sent in emails that direct users to websites where they are asked to provide their login credentials or download files containing malware. Oftentimes attachments are included in emails that have macros and other scripts that download malware that provides the attackers with persistent access to devices and networks.

Steps recommended by the FBI to avoid ransomware attacks include keeping software up to date, applying patches promptly, using anti-malware software on all devices, backing up data regularly and storing backups offline, and educating employees about how to identify phishing emails and other threats.

Security awareness training for the workforce is vital. Employees are the last line of defense and they are often targeted by cybercriminals. Employees should receive security awareness training during the onboarding process and should be provided with the tools they need to help them keep their company safe, with training regularly provided throughout employment.

Cybersecurity Advice for Individuals

Individuals are being encouraged to take greater care when using products and services to ensure that cybersecurity best practices are followed. That process needs to start before any purchase is made, with cybersecurity considered before signing up for a new service or buying a new product to ensure the company is legitimate.

When new devices, apps, or services are used, individuals should consider applying measures to secure their accounts and check privacy and security settings. Default passwords should be changed with strong, unique passwords set for all accounts. A password manager should be considered as this will help with the generation of secure passwords for all accounts and will mean users do not have to remember complex passwords. It is also important to set up multi-factor authentication on all accounts to ensure they remain protected if passwords are compromised.

The post Cybersecurity Awareness Month: Put Cybersecurity First appeared first on HIPAA Journal.

What are the Best Password Managers for MSPs?

The provision of password managers for MSPs is a rapidly growing industry due to the increasing number of Managed Service Providers being targeted by cybercriminals. Indeed, in a recent “State of the Channel” survey, 95% of MSP respondents agreed that their businesses – rather than the clients they provide a managed service for – were being targeted with attacks.

It is not difficult to understand why cybercriminals are targeting MSPs. A successful “supply-chain ransomware attack” against an MSP can prevent an MSP providing a service to its clients; and even though it may only be the MSPs systems that are encrypted with ransomware, clients may be unable to operate their businesses due to the nature of the services provided by the MSP.

SMB clients are also under attack, but not to such a great extent as MSBs. 78% of respondents to the Datto “State of the Channel” survey reported attacks against SMB clients in the past two years – with adware, spyware, and viruses accounting for nearly as much disruption as ransomware. What was more concerning were the ways in which cybercriminals were accessing systems to deploy malware:

  • 54% of respondents reported an attack was the result of a phishing email
  • 27% of respondents said attacks were attributable to poor user practices.
  • 26% of respondents attributed attacks to a lack of cybersecurity training
  • 24% of respondents said weak passwords and poor credential management was to blame.

Among other responses to the survey (multiple answers were allowed) lost and stolen user credentials, a lack of funding for IT security, and a lack of executive buy-in for adopting security solutions were given as reasons for successful cyberattacks. All of these reasons could be prevented – or substantially mitigated – by implementing a password manager for MSPs.

How Password Managers for MSPs Protect MSPs

One statistic missing from Datto´s State of the Channel report is the percentage of cyberattacks attributable to MSP susceptibility compared to the percentage of cyberattacks attributable to client susceptibility. While it could be assumed clients may be easier targets due to a lack of security expertise, it is noticeable the report states “more than half [of MSPs] are now using password management and multi-factor authentication tools “

The inclusion of the word “now” in the statement is revealing inasmuch as it implies fewer than half of MSPs were using password management tools previously. Again, there is no distinction between whether password managers for MSPs are being used exclusively within the MSP businesses or if MSPs are also providing “password-management-as-a-service” to clients, but let´s start with how password managers for MSPs protect MSP businesses.

How login credentials are created, saved, and shared between teams can have an impact on any business´s online security. Research has shown that many employees use weak passwords because they are more memorable, re-use passwords across multiple sites to save having to remember multiple passwords, store login credentials in unprotected documents and spreadsheets, and share passwords via unsecure channels of communication such as email, SMS, and chat services.

When businesses implement a password manager, they can also enforce password policies requiring the use of strong, unique passwords for each account. Most commercial password managers support cross-platform, cross-browser synchronization, integration with directory services, and secure encrypted credential sharing – giving employees a safe way to exchange passwords, credit card details, and other sensitive information.

Password managers for MSPs can be used not only to protect business credentials, but clients’ credentials as well. Passwords are stored in a secure user vault and, when a user visits a website for which a password has been saved, the login credentials are auto-filled automatically. This means that if a user inadvertently clicks on a phishing email and is redirected to a fake phishing site, the login credentials will not auto-fill – alerting the user to a possible threat.

With password policies enforcing good password practices, educating users on good password hygiene, and eliminating the potential for weak passwords, the primary methods of cybercriminal access into MSP systems are eliminated. With regards to a lack of funding for IT security or executive buy-in, password managers for MSPs are inexpensive compared to the cost of recovering from a successful cyberattack and – when provided to clients as “password-management-as-a-service” – password managers for MSPs can generate more income than they cost.

Separating MSP Credentials from Client Credentials

Providing clients with password-management-as-a-service should not only be viewed as a revenue generator. By providing an MSP password management service which clients can use to access saved passwords form any location via any device, MSPs are reducing the number of calls they will receive for password resets. Furthermore, by allowing clients to apply their own password policies, MSPs are encouraging clients to develop good password practices and become more security conscious.

Nonetheless, potentially managing hundreds of passwords per user across hundreds of clients can create an administrative nightmare – notwithstanding that an MSP has to manage its own user passwords and not get them confused with client passwords. To overcome this potential issue, some password managers for MSPs – such as Bitwarden – have developed “Provider Portals” which keep the login credentials of MSPs users separate from those of its clients.

 

This architecture enables MSP users to access and manage clients´ credentials without the potential for mixing up credentials for different clients or confusing them with MSP credentials.  Furthermore – using Bitwarden as an example – MSPs can create an “organization” for each client; and, within each organization, “collections” of shared password and corporate data can be made available to authorized “groups”. Each organization, collection, or group can have separate password policies applied if necessary.

This structure allows for either MSP users or clients to run “per-client” health checks on credentials stored in client vaults to identify weak, re-used, or compromised passwords. MSP users and clients also have access to event logs that record when actions occur in client vaults (passwords changed, groups created, etc.). Not only do the event logs enable transparency between MSPs and clients, but they can also be integrated into SIEMs and other external systems to enhance security.

More about Bitwarden Password Managers for MSPs

Bitwarden password managers for MSPs are built on open source software that has been assessed for security by independent audits as well as being vetted by the open source community. They offer MSPs certain benefits over other enterprise password management solutions inasmuch as they synchronize with user directories via an easy-to-use Directory Connector (rather than an SCIM Bridge) that supports on-premises directories as well as cloud directories.

From a client´s perspective, Bitwarden has a user-friendly interface that simplifies password management. Clients´ employees receive a personal password vault in addition to the organization vault which encourages them to store personal credentials securely. Having access to a personal vault tends to result in better password hygiene and security awareness, which reflects in how corporate data is securely managed.

Ultimately, the provision of a password manager to clients, either as a managed service or a resale, will result in clients becoming more resilient to phishing attacks, improve user practices, enhance cybersecurity, and eliminate the use of weak passwords – reducing the client management overhead. If you would like to find out more about Bitwarden, organize a free trial of a password manager for MSPs, or discuss Bitwarden´s MSP Partner Program, visit www.bitwarden.com.

The post What are the Best Password Managers for MSPs? appeared first on HIPAA Journal.

1 in 3 Americans Have Tried to Guess Someone’s Password and 3/4 Succeeded

A recent study conducted on more than 1,000 Americans has revealed one in three Americans have attempted to guess someone else’s password. Worryingly, in 73% of cases, that attempt to guess the password was successful.

Unsurprisingly, survey participants were most interested in guessing the password of a romantic partner, which accounted for 43.7% of attempts to guess a password. 40.2% of respondents said they attempted to guess the password of a parent. Worryingly, 21.7% of respondents said they had attempted to guess the password of a work colleague and 19.9% had attempted to guess the password of their boss.

The study, conducted by Beyond Identity on 1,015 individuals in the United States, provides insights into the password practices of Americans and confirms what security experts are all to aware of: People are bad at choosing passwords. Many people are aware how to create a strong password that is difficult to guess, but they still opt for a memorable password that they are unlikely to forget and it is common for passwords to consist of personal information that is known to others. 1 in 10 respondents to the survey thought their password could be guessed from looking at their social media profiles.

When asked about successful attempts to guess passwords, 39.2% of respondents said they guessed the password using information they knew about the person. 18.4% said they used information they found in social media profiles, 15.6% checked personal files or records, and 12.8% said they asked friends or loved ones for information. In 9.2% of cases, respondents were able to correctly guess the answer to a security question.

The survey indicates many people have a false sense of confidence about the strength of their passwords and how easy they are to guess, especially considering 23.1% of respondents said their personal email account had been compromised and 17.9% said they had experienced compromised or hacked online banking accounts.

In many cases, it is not necessary to guess a password as many people are willing to share their passwords with others. Across all account types, one in three people admitted to sharing their password with another person. The sharing of a password for a video streaming site was most common, but 26.9% of people said they shared the password for a personal email account and 25.7% of respondents said they shared a password for an online banking account.

When asked about the creation of a generic password, the average password length was 15 characters and 37% of people said they use random letters, with 30.7% replacing letters with random characters. Bad password practices were highly evident from the survey. More than a quarter (27.4%) of respondents used the name of a pet for their password, a fifth used either their birth year or a child’s name for a password, and alarmingly, 18.7% of people used their own name for their password. It was also common for sequential letters/numbers to be used (17.3%), birthdates (15.2%), and the name of a spouse (14.7%). .

There are tools available that can help people generate strong passwords, but 37.6% of people said they never use password generators for their accounts, especially baby boomers, half of which said they never use a password generator. When a password generator was used, it was most commonly used for sensitive accounts such as online banking (32.4%) or work-related accounts (28.7%). Gen Xers were the most likely age group to use a password generator.

The use of a password manager solution is the easiest way to generate secure passwords for all accounts, with the solutions solving the problem of passwords being difficult to remember. Only one master password for the account needs to be remembered. These solutions are low cost and can greatly improve security, with some providers – Bitwarden and LastPass for example – even offering free versions of their solutions. However, according to one survey, almost half of Americans said they would never use a password manager and only 22.5% of Americans currently do. The main reason for not using a password manager is a lack of trust in the password management company, even though many operate under the zero-knowledge model and do not have access to users’ password vaults.

The post 1 in 3 Americans Have Tried to Guess Someone’s Password and 3/4 Succeeded appeared first on HIPAA Journal.

NCSC Password Recommendations

The UK’s NCSC password recommendations have been updated and a new strategy is being promoted that meets password strength requirements but improves usability. 

There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans, but also the algorithms used by hackers in their brute force attacks.

Each year lists of the worst passwords are published that are compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean that strong passwords will be set.

The Problem with Password Complexity Requirements

The minimum requirements for password complexity are typically to have at least one lower- and upper-case letter, a number, and often a special character. Incorporating these elements makes passwords much harder to guess – in theory at least. In practice, individuals get around these requirements by setting passwords such as “Passw0rd!” or “Qwertyuiop1!” that meet complexity requirements but are still incredibly weak and extremely vulnerable to brute force attacks.

From a security perspective, all accounts should have a unique password which must never be used to protect multiple accounts. Passwords should ideally consist of random letters, numbers, and characters and be sufficiently long – 8 characters as an absolute minimum. The problem is that while these random complex passwords are strong and will be resistant to brute force attacks, they are also virtually impossible for most people to remember, especially considering the average person has around one hundred passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its latest password guidance (SP 800-63B), and recommends the use of passphrases rather than passwords, as the length of a passphrase of, say 16 characters, adds the required complexity while being human-friendly.

Now, the National Cyber Security Center (NSCS), part of the UK Government Communications Headquarters (GCHQ) has suggested a new approach for creating passwords that combines security with usability.

NCSC Password Recommendations are to Use Three Random Words

The solution proposed by NSCS is contrary to the arbitrary complexity password requirements that are often recommended. Complex passwords consisting of lower- and upper-case letters, numbers, and special characters are often far from complex may give a false sense of security. The reason is the character combinations selected by end users are usually far from random. There are tricks that many people use to make passwords easy to remember and meet password complexity requirements, and those tricks are known to hackers. For example, replacing a 1 with an exclamation mark, an E with a 3, a 5 with an S, or an O with a zero.

There are also combinations of letters and numbers that are more common than others, and those more common combinations are incorporated into hackers’ password guessing tools. “Counterintuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” explained NSCS in a recent blog post. “Security that’s not usable doesn’t work.”

The NCSC password recommendations add enough complexity while still making passwords easy to remember. They are to use three random words to make up a password. The use of three random words means passwords will be relatively long, sufficiently complex, but easy to remember.

The three random word approach to passwords works in several different ways:

  • Length – Passwords will generally be longer
  • Impact – The strategy is quick and easy to explain
  • Novelty – Encourages use of words not previously considered
  • Usability – It is easy to think of three words and remember them

“Traditional password advice telling us to remember multiple complex passwords is simply daft,” said NCSC’s technical director, Dr Ian Levy. “By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”

The latter advice is important, as the strategy of using three random words does not work when unique passwords need to be created for 100 difficult online accounts. “Adopting three random words is not a panacea that solves the issue of remembering a lot of passwords in a single stroke, and we expect it to be used alongside secure storage,” said NCSC.

The aim of the latest NCSC password recommendations is not to solve the password problem completely, but simply to increase password diversity – that is, “reducing the number of passwords that are discoverable by cheap and efficient search algorithms, forcing an attacker to run multiple search algorithms (or use inefficient algorithms) to recover a useful number of passwords.”

The Best Password Strategy

The best password strategy based on the NCSC password recommendations is to create password of three random words, but also to use a password manager. A password manager allows users to generate truly random strings of numbers, letters, and characters that are incredibly complex, but importantly users never have to remember them. Those passwords are stored in encrypted form in a secure password vault and will be autofilled when a user needs them. There is never the need to remember them or type them in. These solutions are very secure, and many operate under the zero-knowledge model, where even the password manager developer does not have access to users’ password vaults.

All that is required is for a user to set a secure, master password for their password vault and set up 2-factor authentication. The strategy of using three random words would work well for the master password that provides access to user’ vault of truly random, long complex passwords.

Password manager solutions are usually low cost or even free. For example, Bitwarden provides a secure, open-source password manager solution under a free tier with the individual premium package only costing $10 per year, yet even with the low cost of these solutions, uptake is still low.

If businesses and individuals make the change and start using a password manager and implement the latest NCSC password recommendations, password security and usability will be substantially improved.

The post NCSC Password Recommendations appeared first on HIPAA Journal.

Flaw in Kaspersky Password Manager Password Generator Made Passwords Susceptible to Brute Force Attacks

Security researchers have discovered the random password generator of the Kaspersky Password Manager (KPM) was generating passwords that were susceptible to brute force attacks.

Password managers often include a password generator to help users create unique, random, complex passwords for their accounts. In a recent blog post, researchers at security firm Donjon said the pseudo-random number generator (PRNG) used by the KPM solution was not sufficiently random to create strong passwords. As a result, any passwords generated could be brute forced in a matter of minutes, and in seconds if the approximate time that the account password was created is known.

Password generation in KPG involves suggesting a password based on the policy created by the user. Those policies are set for password length and the characters that must be included (upper/lower case letters, numbers, special characters).  While several issues were found with the solution, the main problem was the PRNG was not suitable for cryptographic purposes, as the single source of entropy was the current time in seconds.

Since the current system time was the random seed value, the password manager would generate identical passwords at any given time for all users worldwide.

“The consequences are obviously bad: every password could be bruteforced,” explained the researchers. “For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given [character set]. Bruteforcing them takes a few minutes.”

“It is quite common that web sites or forums display the creation time of accounts,” explained the researchers. “Knowing the creation date of an account, an attacker can try to bruteforce the account password with a small range of passwords (~100) and gain access to it.”

The vulnerability was reported to Kaspersky in June 2019, and updates were issued between October 2019 and December 2019, but they failed to fully fix the problem. The flaw was assigned CVE-2020-27020 and was corrected in KPM 9.0.2 Patch M on October 13, 2020. After applying the update, notifications were displayed to users telling them that weak passwords needed to be regenerated. An advisory about the flaw was published by Kaspersky on April 27, 2021.

Any user of KPM that has not applied the updates should do so as soon as possible and follow the advice of the solution to change any weak passwords. Kaspersky explained that while passwords could be discovered by an attacker, this would be unlikely as the attacker would need to know the user’s account information, the exact time that a password was generated, and that KPM was used by that individual.

The post Flaw in Kaspersky Password Manager Password Generator Made Passwords Susceptible to Brute Force Attacks appeared first on HIPAA Journal.