IT Solutions That Serve You

Today’s technical landscape is experiencing a digital evolution.

Be agile, get to market faster, innovate along the way: these are your objectives. You’re in pursuit of digital transformation, and we have the capacity to get you there.

IT Solutions

Unlock Your Digital Future

We focus on emerging technologies that are transforming industries and driving companies to their competitive potential. 

We lean in. Collaborating, enabling, and empowering you to unlock your true potential. 

Cybersecurity is everyone’s business. Stay informed about the latest threats, vulnerabilities, and innovations with our cybersecurity bulletins.

What is happening?

Google said this week it is expanding the types of data people can ask to have removed from search results, to include personal contact information like your phone number, email address or physical address. The move comes just months after Google rolled out a new policy enabling people under the age of 18 (or a parent/guardian) to request removal of their images from Google search results. 

Why is this significant?

In a blog post on Wednesday, Google’s Michelle Chang wrote that the company’s expanded policy now allows for the removal of additional information that may pose a risk for identity theft, such as confidential log-in credentials, email addresses and phone numbers when it appears in Search results.

While Google’s removal of a search result from its index will do nothing to remove the offending content from the site that is hosting it, getting a link decoupled from Google search results is going to make the content at that link far less visible. According to recent estimates, Google enjoys somewhere near 90 percent market share in search engine usage.

How does this work?

For many years, people have been able to request the removal of certain sensitive, personally identifiable information from Search — for example, in cases of doxxing, or information like bank account or credit card numbers that could be used for financial fraud.

Under this new policy expansion, people can now request removals of additional types of information when they find it in Search results, including personal contact information like a phone number, email address, or physical address. The policy also allows for the removal of additional information that may pose a risk for identity theft, such as confidential log-in credentials, when it appears in Search results.

What can I do?

If your contact details or credentials appear in Search results, submit a removal request. Google’s announcement, which describes the request process, is here: https://blog.google/products/search/new-options-for-removing-your-personally-identifiable-information-from-search/

What is happening?

Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure 

The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this Joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations to increased malicious cyber activity. 

Why is this important?

This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the U.S., its allies, and partners. Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks.

Additionally, some cybercrime groups have recently publicly pledged support for the Russian government, threatening to conduct cyber operations.

  • in retaliation for perceived cyber offensives against the Russian government and people 
  • against countries and organizations providing materiel support to Ukraine

Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive. 

Who is considered critical infrastructure?

Chemical Sector: The Department of Homeland Security is designated as the Sector Risk Management Agency for the Chemical Sector.

Commercial Facilities Sector: The Department of Homeland Security is designated as the Sector Risk Management Agency for the Commercial Facilities Sector, which includes a diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging.

Communications Sector: The Communications Sector is an integral component of the U.S. economy, underlying the operations of all businesses, public safety organizations, and government. The Department of Homeland Security is the Sector Risk Management Agency for the Communications Sector.

Critical Manufacturing Sector: The Department of Homeland Security is designated as the Sector Risk Management Agency for the Critical Manufacturing Sector.

Dams Sector: The Department of Homeland Security is designated as the Sector Risk Management Agency for the Dams Sector. The Dams Sector comprises dam projects, navigation locks, levees, hurricane barriers, mine tailings impoundments, and other similar water retention and/or control facilities.

Defense Industrial Base Sector: The U.S. Department of Defense is the Sector Risk Management Agency for the Defense Industrial Base Sector. The Defense Industrial Base Sector enables research, development, design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts to meet U.S. military requirements.

Emergency Services Sector: The Department of Homeland Security is designated as the Sector Risk Management Agency for the Emergency Services Sector. The sector provides a wide range of prevention, preparedness, response, and recovery services during both day-to-day operations and incident response.

Energy Sector: The U.S. energy infrastructure fuels the economy of the 21st century. The Department of Energy is the Sector Risk Management Agency for the Energy Sector.

Financial Services Sector: The Department of the Treasury is designated as the Sector Risk Management Agency for the Financial Services Sector.

Food and Agriculture Sector: The Department of Agriculture and the Department of Health and Human Services are designated as the Co-Sector Risk Management Agencies for the Food and Agriculture Sector.

Government Facilities Sector: The Department of Homeland Security and the General Services Administration are designated as the Co-Sector Risk Management Agencies for the Government Facilities Sector.

Healthcare and Public Health Sector: The Department of Health and Human Services is designated as the Sector Risk Management Agency for the Healthcare and Public Health Sector.

Information Technology Sector: The Department of Homeland Security is designated as the Sector Risk Management Agency for the Information Technology Sector.

Nuclear Reactors, Materials, and Waste Sector: The Department of Homeland Security is designated as the Sector Risk Management Agency for the Nuclear Reactors, Materials, and Waste Sector.

Transportation Systems Sector: The Department of Homeland Security and the Department of Transportation are designated as the Co-Sector Risk Management Agencies for the Transportation Systems Sector.

Water and Wastewater Systems Sector: The Environmental Protection Agency is designated as the Sector Risk Management Agency for the Water and Wastewater Systems Sector.

Mitigations

U.S., Australian, Canadian, New Zealand, and UK cyber authorities urge critical infrastructure organizations to prepare for and mitigate potential cyber threats by immediately (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, and (4) providing end-user awareness and training.

    • Update software, including operating systems, applications, and firmware. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
    • Enforce MFA to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords. Do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. As Russian state-sponsored APT actors have demonstrated the ability to exploit default MFA protocols and known vulnerabilities, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.   
    • If you use RDP and/or other potentially risky services, secure and monitor them closely. RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker. 
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN) or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force attempts, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
    • Provide end-user awareness and training to help prevent successful targeted social engineering and spear phishing campaigns. Phishing is one of the top infection vectors for ransomware, and Russian state-sponsored APT actors have conducted successful spear phishing campaigns to gain credentials of target networks. 
      • Ensure that employees are aware of potential cyber threats and delivery methods. 
      • Ensure that employees are aware of what to do and whom to contact when they receive a suspected phishing email or suspect a cyber incident.

As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. 

    • Operational Technology (OT) networks in smart buildings include elevators, lighting, HVAC, surveillance, and essentially anything else attached to the building. As these devices become more connected and networked, IT and OT networks are increasingly consolidated, which is why the segmentation controls below matter.
    • Ensure OT assets are not externally accessible. Where OT assets need to be externally accessible, enforce strong identity and access management.
    • Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks. 
    • Organize OT assets into logical zones by considering criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network. 

To further prepare for and mitigate cyber threats from Russian state-sponsored or criminal actors, U.S., Australian, Canadian, New Zealand, and UK cyber authorities encourage critical infrastructure organizations to implement the recommendations listed below. 

Preparing for Cyber Incidents

    • Create, maintain, and exercise a cyber incident response and continuity of operations plan. 
      • Ensure the cyber incident response plan contains ransomware- and DDoS-specific annexes.  
      • Keep hard copies of the incident response plan to ensure responders and network defenders can access the plan if the network has been shut down by ransomware, etc. 
    • Maintain offline (i.e., physically disconnected) backups of data. Backup procedures should be conducted on a frequent, regular basis (at a minimum every 90 days). Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware. 
    • Ensure the backup keys are kept offline as well, to prevent them being encrypted in a ransomware incident.
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure with a particular focus on key data assets. 
    • Develop recovery documentation that includes configuration settings for common devices and critical equipment. Such documentation can enable more efficient recovery following an incident. 
    • Identify the attack surface by mapping and accounting all external-facing assets (applications, servers, IP addresses) that are vulnerable to DDoS attacks or other cyber operations. 
    • For OT assets/networks: 
          • Identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment. 
          • Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated from IT networks if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that safety-critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised. 
          • Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline. 
          • Implement data backup procedures. 
          • Develop recovery documents that include configuration settings for common devices and critical OT equipment. 

Identity and Access Management

    • Require accounts with password logins, including service accounts, to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access.  
    • Create a deny list of known compromised credentials and prevent users from using known-compromised passwords (source: https://haveibeenpwned.com/Passwords).
    • Secure credentials by restricting where accounts and credentials can be used and by using local device credential protection features. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
    • Audit domain controllers to log successful Kerberos TGS requests and ensure the events are monitored for anomalous activity.
    • Secure accounts.
      • Enforce the principle of least privilege. Administrator accounts should have the minimum permission necessary to complete their tasks.
      • Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
      • Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
    • Disable inactive accounts uniformly across the AD, MFA systems, etc.
    • Implement time-based access for privileged accounts. The FBI and CISA observed cybercriminals conducting increasingly impactful attacks against U.S. entities on holidays and weekends in 2021. Threat actors may view holidays and weekends—when offices are normally closed—as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations. The just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the zero-trust model) by setting network-wide policy to automatically disable admin accounts at the AD level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe.
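One way to implement the compromised-password deny list from the bullet above, written for this bulletin as an added example rather than code from the advisory or from Have I Been Pwned. It uses the k-anonymity range API behind the haveibeenpwned.com Passwords corpus: the client sends only the first five hex characters of the password’s SHA-1 and does the matching locally, so neither the password nor its full hash leaves the host. The endpoint URL and the Add-Padding header are assumptions about that public API; the range response embedded in the block is constructed so the check runs offline.

```python
"""Compromised-password check via the Have I Been Pwned k-anonymity range API.

Added example; not from the advisory or the bulletin. The client hashes the
candidate password with SHA-1, sends only the first five hex characters of the
digest to the range endpoint, and compares the returned suffixes locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed public endpoint; the service answers with "SUFFIX:COUNT" lines.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed offline sample of a range response for prefix 5BAA6. A real
# response holds hundreds of suffixes; the middle line is the genuine SHA-1
# suffix of the string "password" (the count is illustrative).
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E2E1AEED2B87A4C6F9A0A4D5C3E0E4C1A1:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E7A1FFDB3B6E4F0FC5DEE63B0CC3F4CB2B:0",  # padding entry (count 0)
    ]),
}

RangeSource = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as the HIBP corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch a range from the live API. Add-Padding asks the server to mix in
    zero-count filler lines so the response size does not leak the prefix."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pw-denylist-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_range(prefix: str) -> str:
    """Range source backed by the constructed sample (for tests and demos)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, source: Optional[RangeSource] = None) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Padding entries carry count 0, so they read the same as absence."""
    prefix, suffix = split_digest(sha1_hex(password))
    body = (source or fetch_range)(prefix)
    return parse_range(body).get(suffix, 0)


def is_allowed(password: str, source: Optional[RangeSource] = None) -> bool:
    """Policy decision: reject any password with a non-zero breach count."""
    return breach_count(password, source) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_range)
        print(f"{candidate!r}: seen {n} times -> {'reject' if n else 'allow'}")
```

Padding entries come back with a count of 0, so a lookup that returns 0 means "not seen" whether or not the API padded the response. In production, decide explicitly what happens when the API is unreachable: failing open admits a possibly breached password, failing closed blocks password changes for everyone.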

Protective Controls and Architecture

    • Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor, ransomware, or other malware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. 
    • Implement a firewall and configure it to block Domain Name System (DNS) responses from outside the enterprise network or drop Internet Control Message Protocol (ICMP) packets. Review which admin services need to be accessible externally and allow those explicitly, blocking all others by default. 
    • Enable web application firewalls to mitigate application-level DDoS attacks. 
    • Implement a multi-content delivery network (CDN) solution. This will minimize the threat of DDoS attacks by distributing and balancing web traffic across a network. 
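Detection logic for the Kerberos TGS bullet in the Identity and Access Management list above (Windows logs each service-ticket request on the domain controller as event ID 4769) and for the abnormal-activity bullet in this section, run over constructed events; this is an added example, not part of the advisory. The two heuristics, RC4 ticket requests from user accounts and a burst of distinct SPNs from one account, together with the window and threshold, are assumptions to be tuned per environment; they target bulk service-ticket harvesting (Kerberoasting), which is the usual reason to audit 4769.

```python
"""Flag anomalous Kerberos service-ticket (TGS) requests in event ID 4769 data.

Added example; not from the advisory or the bulletin. Input is a list of
already-parsed 4769 records (account, requested service, encryption type,
status, source IP, timestamp). Two heuristics are applied, both assumptions
to be tuned per environment:
  * a successful TGS request using RC4-HMAC (etype 0x17) from a user account,
    since domains that issue AES tickets by default rarely see RC4 and RC4
    tickets are far cheaper to crack offline;
  * one account requesting tickets for many distinct SPNs inside a short
    window, the signature of bulk service-ticket harvesting.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"
BURST_WINDOW = timedelta(minutes=5)   # assumed tuning value
BURST_THRESHOLD = 5                   # distinct SPNs per account per window

# Constructed sample: normal activity from jsmith and a workstation account,
# then one account pulling six SPNs with RC4 in under a minute at 02:41.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2022-04-20T09:14:03", "account": "jsmith@CORP.LOCAL", "ip": "10.0.5.23",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": "0x12", "status": "0x0"},
    {"time": "2022-04-20T09:17:41", "account": "jsmith@CORP.LOCAL", "ip": "10.0.5.23",
     "service": "HTTP/intranet.corp.local", "etype": "0x12", "status": "0x0"},
    {"time": "2022-04-20T09:21:02", "account": "WS07$@CORP.LOCAL", "ip": "10.0.5.23",
     "service": "krbtgt/CORP.LOCAL", "etype": "0x12", "status": "0x0"},
]
for _i, _spn in enumerate(["MSSQLSvc/db01.corp.local:1433", "MSSQLSvc/db02.corp.local:1433",
                           "HTTP/intranet.corp.local", "CIFS/files01.corp.local",
                           "ldap/dc01.corp.local", "exchangeMDB/mail01.corp.local"]):
    SAMPLE_EVENTS.append({"time": f"2022-04-20T02:41:{10 + 7 * _i:02d}", "account": "ctemp@CORP.LOCAL",
                          "ip": "10.0.9.77", "service": _spn, "etype": "0x17", "status": "0x0"})


def user_tgs_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep successful requests by user accounts for real service principals, time-ordered."""
    kept = []
    for e in events:
        if e["status"] != "0x0":                          # failures are a separate signal
            continue
        if e["account"].split("@")[0].endswith("$"):      # computer accounts are noisy
            continue
        if e["service"].lower().startswith("krbtgt/"):   # TGT renewals, not SPNs
            continue
        kept.append(e)
    return sorted(kept, key=lambda e: e["time"])


def max_distinct_spns(events: List[Dict[str, str]], window: timedelta) -> int:
    """Largest number of distinct SPNs requested inside any window (events must be time-ordered)."""
    times = [datetime.fromisoformat(e["time"]) for e in events]
    best = 0
    for i, start in enumerate(times):
        spns = {e["service"].lower() for e, t in zip(events[i:], times[i:]) if t - start <= window}
        best = max(best, len(spns))
    return best


def detect_anomalous_tgs(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD) -> List[Dict]:
    """Return one finding per (account, reason); 'sources' lists the requesting IPs."""
    per_account: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for e in user_tgs_events(events):
        per_account[e["account"]].append(e)
    findings = []
    for account, evs in sorted(per_account.items()):
        rc4 = [e for e in evs if e["etype"].lower() == RC4_HMAC]
        if rc4:
            findings.append({"account": account, "reason": "rc4_tgs_request", "count": len(rc4),
                             "sources": sorted({e["ip"] for e in rc4})})
        burst = max_distinct_spns(evs, window)
        if burst >= threshold:
            findings.append({"account": account, "reason": "spn_burst", "count": burst,
                             "sources": sorted({e["ip"] for e in evs})})
    return findings


if __name__ == "__main__":
    for f in detect_anomalous_tgs(SAMPLE_EVENTS):
        print(f"{f['account']}: {f['reason']} ({f['count']}) from {', '.join(f['sources'])}")
```

Both heuristics fire on the constructed attacker account and neither on the ordinary user, which is the point: a single RC4 request from a legacy application is tolerable noise, but RC4 plus a burst of SPNs from one account at 02:41 is a ticket to investigate that host and reset the affected service accounts.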

Vulnerability and Configuration Management

    • Use an antivirus program that uses heuristics and reputational ratings to check a file’s prevalence and digital signature prior to execution. Note: organizations should assess the risks inherent in their software supply chain (including the supply chain of their security/antivirus software) in light of the existing threat landscape. For instance, Kaspersky is headquartered in Moscow, Russia, and its founder, Eugene Kaspersky, has been described by U.S. officials as a former Russian intelligence officer.
      • Set antivirus/antimalware programs to conduct regular full scans of IT network assets using up-to-date signatures. 
      • Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware. 
    • Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. 
    • Disable all unnecessary ports and protocols. 
      • Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command-and-control activity. 
      • Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices. 
    • Identify business-to-business VPNs and block high-risk protocols. 
    • Ensure OT hardware is in read-only mode. 
    • Enable strong spam filters. 
      • Enable strong spam filters to prevent phishing emails from reaching end users. 
      • Filter emails containing executable files to prevent them from reaching end users. 
      • Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. 
    • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations. 
    • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity. 
    • Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
    • Open document readers in protected viewing modes to help prevent active content from running. 

Responding to Cyber Incidents

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge network defenders of critical infrastructure organizations to exercise due diligence in identifying indicators of malicious activity. Organizations detecting potential APT or ransomware activity in their IT or OT networks should: 

    • Immediately isolate affected systems  
    • For DDoS attacks: 
      1. Identify the source address originating the attack via the SIEM or logging service. If the attack is originating from a single pool of IP addresses, block IP traffic from suspected IPs via access control lists or by contacting your internet service provider (ISP). 
      2. Enable firewall rate limiting to restrict the amount of IP traffic coming in from suspected IP addresses.
      3. Notify your ISP and enable remote triggered blackhole (RTBH). 
    • Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware. 
    • Collect and review relevant logs, data, and artifacts. 
    • Consider soliciting support from a third-party partner to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
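The three DDoS response steps above carried through on constructed access-log lines, as an added example that is not part of the advisory: parse the requests, compute each source’s peak request rate, aggregate by /24 to catch the "single pool of addresses" case, and produce candidate lists for an access control list, a rate limit, or an ISP/RTBH request. The log layout, window and thresholds are assumptions.

```python
"""Triage a request flood from web access logs: who to block, who to rate-limit.

Added example; not from the advisory or the bulletin. Lines use the common
Apache/nginx access-log layout. The sample traffic is constructed, and the
window and thresholds are assumed values to tune for the site's normal load.
The result is a review list for an operator, not something to apply unread.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=60)   # peak-rate window
BLOCK_PER_IP = 100               # peak requests/window that justify an ACL deny
RATELIMIT_PER_IP = 20            # peak requests/window that justify rate limiting
POOL_PER_NET = 150               # total requests from one /24 (IPv6 /64) suggesting a pool


def log_line(ip: str, when: datetime, path: str = "/", status: int = 200) -> str:
    """Format one constructed access-log line."""
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log() -> List[str]:
    """Constructed traffic: two legitimate clients, one noisy host, one /24 pool."""
    base = datetime(2022, 4, 20, 3, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):                       # normal users, a request every 20 s
        lines.append(log_line("198.51.100.7", base + timedelta(seconds=20 * i), "/index.html"))
        lines.append(log_line("203.0.113.9", base + timedelta(seconds=20 * i + 5), "/api/status"))
    for i in range(120):                     # one host: 120 requests inside a minute
        lines.append(log_line("192.0.2.10", base + timedelta(milliseconds=500 * i), "/login", 503))
    for host in range(20, 50):               # 30 hosts in one /24, 8 requests each
        for i in range(8):
            lines.append(log_line(f"192.0.2.{host}", base + timedelta(seconds=7 * i), "/login", 503))
    return lines


def parse_log(lines: List[str]) -> List[Tuple[datetime, str]]:
    """(timestamp, source ip) per parseable line; malformed lines are skipped, not fatal."""
    parsed = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            parsed.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    return parsed


def peak_rate(parsed: List[Tuple[datetime, str]], window: timedelta = WINDOW) -> Counter:
    """Maximum requests per source inside any window-long interval (two-pointer sweep)."""
    by_ip: Dict[str, List[datetime]] = {}
    for ts, ip in parsed:
        by_ip.setdefault(ip, []).append(ts)
    peaks: Counter = Counter()
    for ip, times in by_ip.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            peaks[ip] = max(peaks[ip], i - j + 1)
    return peaks


def source_net(ip: str) -> str:
    """Aggregate key: /24 for IPv4, /64 for IPv6."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def triage(lines: List[str], window: timedelta = WINDOW) -> Dict[str, object]:
    """Classify sources into ACL-deny candidates, rate-limit candidates and address pools."""
    parsed = parse_log(lines)
    peaks = peak_rate(parsed, window)
    nets = Counter(source_net(ip) for _, ip in parsed)
    return {
        "block": sorted(ip for ip, n in peaks.items() if n >= BLOCK_PER_IP),
        "ratelimit": sorted(ip for ip, n in peaks.items() if RATELIMIT_PER_IP <= n < BLOCK_PER_IP),
        "pools": sorted(net for net, n in nets.items() if n >= POOL_PER_NET),
        "peaks": peaks,
    }


if __name__ == "__main__":
    result = triage(build_sample_log())
    for ip in result["block"]:
        print(f"deny candidate   {ip}  (peak {result['peaks'][ip]}/min)")
    for ip in result["ratelimit"]:
        print(f"rate-limit       {ip}  (peak {result['peaks'][ip]}/min)")
    for net in result["pools"]:
        print(f"pool for ISP / RTBH review: {net}")
```

The per-IP view alone misses the pool: each of the thirty hosts in 192.0.2.0/24 stays under the rate-limit threshold, and only the /24 aggregate shows it as one source. The lists are for an operator to review before anything is pushed to a firewall; a busy NAT gateway or a monitoring probe can legitimately exceed a per-IP threshold, and blocking it is its own outage.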

What is happening?

On April 12th, GitHub Security began an investigation uncovering evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.  

Why is this significant?

The applications maintained by these integrators were used by GitHub users, including GitHub itself. GitHub Security does not believe the attacker obtained these tokens via a compromise of GitHub or its systems: the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, GitHub disclosed its findings to Heroku and Travis-CI on April 13th and 14th.

GitHub Security has high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. GitHub Security analysis of other behavior by the threat actor suggests they’re parsing the downloaded private repository contents, to which the stolen OAuth tokens had access, for secrets that could be used to pivot into other infrastructure. GitHub also notes that teams can use the organization- and enterprise-level security overview to track their overall security posture, including any secret scanning alerts.

Known-affected OAuth applications as of April 15, 2022:

  • Heroku Dashboard (ID: 145909) 
  • Heroku Dashboard (ID: 628778) 
  • Heroku Dashboard – Preview (ID: 313468) 
  • Heroku Dashboard – Classic (ID: 363831) 
  • Travis CI (ID: 9216) 

Impact to GitHub.com and npm

The initial detection related to this campaign occurred on April 12th when GitHub Security identified unauthorized access to npm production infrastructure using a compromised AWS API key. Based on subsequent analysis, GitHub Security believes this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above. Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13th, GitHub Security immediately acted to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications.

GitHub Security believes that the two impacts to npm are unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage. The attacker did not modify any packages or gain access to any user account data or credentials. GitHub Security is working to identify whether the attacker viewed or downloaded private packages. npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack. GitHub Security has not found evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens. 

How GitHub responded to protect users of GitHub.com

Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users. 

What can I do?

The attacks may be ongoing, and action is required for customers to protect themselves. 

GitHub customers and organizations need to know

GitHub is currently working to identify and notify all of the known-affected victim users and organizations that were discovered through analysis across GitHub.com. These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours. If you do not receive a notification, you and/or your organization have not been identified as affected. GitHub will continue to notify any additional affected users or organizations as they are identified.  

You should periodically review the third-party OAuth applications authorized to access your account and organizations, and prune anything that’s no longer needed.
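What the attacker is described as doing above, parsing downloaded repository contents for secrets that allow a pivot (and what GitHub’s secret scanning alerts are designed to catch), carried out on a constructed set of files; this is an added example, not code from GitHub’s write-up. The patterns are an assumed subset (AWS access key IDs, GitHub personal access tokens in the ghp_ family, PEM private-key headers, and keyword = value assignments) and do not validate checksums or call provider APIs; documentation placeholders are suppressed to show how the obvious false positives are handled.

```python
"""Scan repository contents for credentials an attacker could pivot with.

Added example; not from GitHub's write-up. PATTERNS is an assumed subset of
what a production secret scanner covers (no checksum validation, no calls to
provider APIs); the sample repository is constructed.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    excerpt: str   # redacted, so findings can be logged or ticketed safely


PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # keyword = value; the value (group 1) must be long enough to be a real secret
    "hardcoded_secret": re.compile(
        r"(?i)\b(?:aws_secret_access_key|secret[_-]?key|api[_-]?key|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"),
}

# Well-known documentation placeholders: they match the patterns but are not live.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

SAMPLE_REPO: Dict[str, str] = {   # constructed
    "config/settings.py": "\n".join([
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIAJ5Q7X2L9M4N8P1R3'",
        "AWS_SECRET_ACCESS_KEY = 'bPxRfiCY9dZ2vQ8nL4kT1wM6sH3jR7eA0cF5gX2y'",
        "DATABASE_PASSWORD = os.environ['DB_PASSWORD']",   # a reference, not a literal
    ]),
    "docs/aws.md": "Example from the AWS docs: AKIAIOSFODNN7EXAMPLE",
    ".github/workflows/deploy.yml": "  token: ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n-----END OPENSSH PRIVATE KEY-----",
}


def redact(secret: str) -> str:
    """Keep enough to recognise the value, never enough to use it."""
    return secret[:8] + "..." + secret[-4:] if len(secret) > 16 else secret[:4] + "..."


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line; placeholder values are dropped."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if rx.groups else m.group(0)
                if secret in KNOWN_PLACEHOLDERS:
                    continue
                findings.append(Finding(path, lineno, kind, redact(secret)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: content} map, e.g. the files of a repository checkout."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}  {f.kind:<20} {f.excerpt}")
```

Run over your own repositories, including git history rather than only the current tree, this shows what the attacker would have found in the ones they downloaded. Anything it finds should be rotated, not merely deleted from the tree, because a token that was ever committed has to be assumed copied.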

If you have questions or concerns

Accelerating Your Capacity to Do Something Bigger

Our strategic partnerships empower us to deliver dynamic infrastructure and application modernization strategies that drive true digital transformation. 


Containerization & Kubernetes

We help you achieve ultimate speed, flexibility, and security in your application delivery pipeline with partner-enabled containerization solutions.


Cloud Computing

We work alongside you to implement and migrate to an optimal cloud environment for your business, enabling greater efficiencies, cost savings, and reliability.


DevOps

Ultimately, we understand the competitive pressures to successfully innovate at a more rapid pace. We plan and implement CI/CD processes to take your business to the next level.


Application Development

Our three-step application development process (plan, build, run) ensures we create the best solution for your business.

Empowered by Industry-Leading Partnerships

Let's Chat