No Rest in 2020

It is the third week of 2020, and already the year 2020 has brought two new major vulnerabilities and two new major threats that banks and credit unions should have on their radar. Let’s look at the two threats first:

• Threat of Iranian Attacks: the Cybersecurity & Infrastructure Security Agency (CISA) has warned about the “potential for retaliatory aggression against the U.S. and it's global interests.” Disruptive and destructive cyber operations against financial service organizations were one of the threats singled out in the warning. Banks and credit unions are urged to ensure that their incident detection and response plans are up to date, and to ensure that they have an offline backup available. The CISA guidance in the link above includes an excellent list of “Actions for Cyber Protection” that institutions are urged to review and take to heart.
  
  
• Office 365 “Tricky Phish” Attacks: Brian Krebs posted this article warning of an emerging type of attack that can gain access to all of an Office 365 user’s files and email messages without ever having the user credentials or MFA response. The attack works by sending a victim a link that is designed to trick the user into giving the attacker a back door to the user’s Office 365 data using an API (see the Brian Krebs article for more details). APIs are used by many types of applications (conferencing solutions, CRM systems, etc.) to provide integration between the application and Office 365. Organizations are urged to limit API access in Office 365 to only applications which are approved. Note that this same type of attack might also be effective against organizations using other cloud providers that provide access through APIs.

Two vulnerabilities were also announced which financial institutions should immediately patch and/or mitigate. These vulnerabilities were as follows:

• Citrix NetScaler/ADC Critical Flaw: Many financial institutions utilize Citrix ADC (formerly known as NetScaler) to provide remote access to employees and third parties. This critical vulnerability was announced in January that can give an attacker complete control over a compromised system from the Internet without authentication. Exploitation of this vulnerability has been detected in the wild. Citrix is working to roll out a permanent fix for this vulnerability, but in the meantime has published steps that organizations should follow to mitigate potential attacks. Institutions may also want to see if their network perimeter IPS system has a mitigation for this vulnerability and implement the mitigation if available.
  
  
• Windows CryptoAPI Spoofing Vulnerability: A vulnerability has been discovered in how Windows validates a certificate. If exploited, the vulnerability can trick a system into trusting malware and allowing it to run on an unpatched system. The same vulnerability can be used to trick an unpatched system into trusting an invalid website certificate. The end result is that a user can be unknowingly redirected to a malicious site, where the site will run malware that Windows will think is part of the Windows operating system. As of Thursday morning, a proof of concept exploit has already been published for this vulnerability, so the race is on to patch before the vulnerability is exploited widely.

If keeping up with threats and vulnerability management are things you struggle with, give us a call at (833) 297-7681. We can help your institution cut through the confusion and make progress in appropriately addressing threats and vulnerabilities.