Insights blog.

Financial regulators have long been concerned about the cyber risk associated with third-party- supplied products or services in financial institutions. For example, in 2013, federal financial regulators put out an issuance to financial institutions regarding how to manage third-party cyber risk. Over the last few years since this 2013 bulletin was published, the attention on third-party risk has continued to increase and the topic has been included on several examination priorities published by the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and the Federal Reserve.

As we discussed in a previous blog post, Cloudflare suffered a serious bug that caused private information from any Cloudflare customer and their users to be publicly leaked onto websites that had corrupted web content. Any person with knowledge of those websites was able to scrape the sensitive information left there.

On Thursday, February 23rd, Cloudflare announced a serious bug in its caching infrastructure that caused uninitialized memory to be printed on a number of its customers’ websites. This information included sensitive data such as passwords, cookies, tokens, private messages, and while it believes the bug was limited to roughly a thousand websites, it caused sensitive data to be dumped from potentially any Cloudflare reverse proxy customer. Some observers have stated this issue has similarities with “Heartbleed” and have thus referred to it as “Cloudbleed.”

Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware. However, Necurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit and it can dynamically load additional modules. 

Vendor risk management (VRM) is the practice of evaluating business partners, associates, or third-party vendors both before a business relationship is established and during the duration of your business contract. This is a difficult—albeit necessary—process all companies should go through when they enter into a third-party relationship.

Dridex is a banking trojan that uses an affiliate system for its botnets. We have documented the Dridex communication and P2P protocols in the past. In this post we want to shed some light about all the known botnets, their respective geographic targets, and how they are organized.

Over the past couple of weeks, a major issue has surfaced affecting numerous companies that use MongoDB to store their data. Those who install MongoDB on a server and use default settings are exposing their data to the internet and allowing anybody to browse the databases, download information, and erase them entirely. Many companies are unaware of the vulnerability and that their information may be exposed to hackers. Criminals are reacting quickly and opportunistically by stealing data, then asking for a ransom. To make matters worse, some criminals asking for a ransom don’t actually have the data, so when the ransom is paid, companies are still left without answers. In addition to MongoDB, it was reported that clusters of Elasticsearch, an enterprise search engine has also been hit with ransomware.

During 2016, a lot happened in the realm of cybersecurity, and we witnessed a number of noteworthy events and trends: 

Vendor security is becoming a focal point of risk management for many organizations. In many ways, this trend started with the Target breach from 2013, which highlighted the extensive financial and reputational impact of a third party security breach. Gartner estimates that by 2019, the need for transparency into operational and security activities within a vendor's value network will drive demand for vendor security by 30%.

In today’s security landscape, the CIO has a large and important role to fill. They must be aware of and compliant with regulations in their industry, focus on ensuring that the right security controls are in place for the organization and its vendors, and be able to consider the risks and benefits of new business processes. 

With third parties becoming a major attack vector into organizations, Bitsight is focused on enabling security and vendor risk professionals to better prioritize their efforts when it comes to identifying and monitoring cyber security risks across their vendor ecosystem.  Bitsight Security Ratings customers can now prioritize issues and receive customized alerts when the aggregate performance of multiple companies change.

To a chief information officer (CIO), cybersecurity is a multifaceted concern. Not only could a breach that results in a loss of sensitive data or information be a legal or reputational nightmare for their organization, but it could also cost them (and others in the C-suite) their job.

In this article, we will be detailing an issue we discovered affecting a number of low-cost devices. It allowed for adversaries to remotely execute commands on the devices as a privileged user if they were in a position to conduct a Man-in-the-Middle attack. The binary responsible appears to be an insecure implementation of an OTA (Over-the-air) mechanism for device updates associated to the software company, Ragentek Group, in China. All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands. This issue affected devices out of the box.

In 2015, the Australian Red Cross contracted with a web development company called Precedent to create a new website. Unfortunately, the vendor left sensitive donor information from the Red Cross in a backup database on a public-facing website. 

In our most recent Bitsight Insights report, we discuss the pervasive issue that is ransomware. The report states that education has the highest rate of ransomware across all industries—and government comes in second.