Security Newsletter

16 November 2020

FTC Settlement With Zoom Sets Security Requirements

As part of a settlement of allegations that Zoom "engaged in a series of deceptive and unfair practices that undermined the security of its users," the U.S. Federal Trade Commission is requiring video conferencing provider to implement and maintain a comprehensive security program within the next 60 days. The 17-page agreement announced Monday comes after allegations that Zoom did not maintain a high level of cybersecurity and misled its customers concerning the level of encryption provided for meetings, saying it was AES 256 when it was actually AES 128.

The FTC settlement describes the steps Zoom must take, including:

• Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
• Implement a vulnerability management program;
• Deploy safeguards such as multifactor authentication to protect against unauthorized access to its network, institute data deletion controls and take steps to prevent the use of known compromised user credentials;
• Require Zoom personnel to review any software updates for security flaws and ensure the updates will not hamper third-party security features.

Although no financial penalties were issued with the settlement, the FTC says any future violations could cost Zoom up to $43,280 for each.

As part of the New York settlement, Zoom agreed to implement "reasonable encryption and security protocols," for customer and corporate data. This includes the use of end-to-end encryption for all data as well as deploying industry-standard AES-256 encryption.

 

New ModPipe Point of Sale (POS) Malware Targeting Restaurants, Hotels

Cybersecurity researchers today disclosed a new kind of modular backdoor that targets point-of-sale (POS) restaurant management software from Oracle in an attempt to pilfer sensitive payment information stored in the devices. The backdoor — dubbed "ModPipe" — impacts Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS systems, a widely used software suite in restaurants and hospitality establishments to efficiently handle POS, inventory, and labor management. A majority of the identified targets are primarily located in the US.

Businesses in the hospitality sector that are using the RES 3700 POS are advised to update to the latest version of the software as well as use devices that run updated versions of the underlying operating system.

 

Ransomware Demands continue to rise as Data Exfiltration becomes common

The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q3 of 2020. Ransomware groups continue to leverage data exfiltration as a tactic, though trust that stolen data will be deleted is eroding as defaults become more frequent when exfiltrated data is made public despite the victim paying.

The average ransom payment increased to $233,817 in Q3 of 2020, up 31% from Q2. The median payment in Q3 rose slightly from $108,597 to $110,532, reflecting how large, big game payments continue to drag the averages up. The disequilibrium within the cyber extortion industry was evident when attackers discovered that the same tactics, techniques, and procedures (TTPs) that work on a 500 person company can work on a 50,000 person company and the potential payoff is substantially higher. The dramatic increase in ransom amounts may imply a higher degree of sophistication as attackers go upmarket, but Coveware does not believe that the attacks are more sophisticated.

The biggest change over the past 6 quarters is threat actors now realize that their tactics scale to much larger enterprises without much of an increase in their own operating costs. The profit margins are extremely high and the risk is low. This problem will continue to get worse until pressure is applied to the unit economics of this illicit industry. It is also possible that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.

Almost 50% of ransomware cases included the threat to release exfiltrated data along with encrypted data. The threat to release exfiltrated data was used as a monetization conversion kicker. Previously, when a victim of ransomware had adequate backups, they would just restore and go on with life; there was zero reason to even engage with the threat actor. Now, when a threat actor steals data, a company with perfectly restorable backups is often compelled to at least engage with the threat actor to determine what data was taken.

Downtime is still the most dangerous aspect of a ransomware attack, and one of the reasons data exfiltration should not present as much of a challenge to victims as business interruption. In Q3 of 2020, the average firm experienced roughly 19 days of downtime. Downtime can range on a spectrum from having a business be at a total standstill, to being just mildly affected by non-available machines.

 

More #News