CERT.JE - it's been busy!
Introduction
Paul Dutot
Dear readers,
Normally, Matt writes this introduction, but today it is my turn to provide an update “from the trenches” as they say.
It is safe to say that 2023 has started with a “bang”. CERT.JE has been responding to a number of incidents including providing ongoing support for a level three category incident, whilst managing level four and five category incidents. Please continue to report incidents via the CERT.JE website.
In addition, CERT.JE has been providing public briefings on the policy intent for the new Cyber Defence Jersey Law, with valuable feedback given by those that attended.
The process for membership of FIRST.org is also ongoing and we hope to become members by the summer, but we will keep you updated on that. FIRST stands for Forum of Incident Response and Security Teams and is one of the two organisations that certify national cyber security teams.
CERT.JE is aware of a number of systems that are vulnerable and we will be attempting to contact owners of these systems before they have a “bad” day. After all, “prevention is better than cure”.
Regards,
Paul
Paul Dutot, Head of Jersey Cyber Defence
Meet the User Superheroes
by Senior Analyst James McLaren
No, we are not advocating more red tape. But hear us out: having someone who follows process, and won’t be diverted from it, is something we’d genuinely like to see more of.
Advanced Threat Activity & Cyber Espionage
UK NCSC have warned of targeted attacks by Russian and Iranian threat actors. Even if you’re not targeted, your accounts can be compromised to attack others. Now is a good time to protect your personal email and social media accounts, and check your email configuration at work.
CERT.JE advisory - targeted attacks
Hive Ransomware disrupted
The US Department of Justice has disrupted the Hive ransomware group, seizing their domains. To quote: “Since June 2021, the Hive ransomware group has targeted more than 1,500 victims around the world and received over $100 million in ransom payments.”
Lockbit Ransomware continues to cause problems globally and locally
The Lockbit ransomware continues to be problematic, with the group recently threatening to release Royal Mail data after a ransomware attack. However, there is no entry on LockBit’s dark net leak site, and Lockbit have sought (via a representative known as LockBitSupp) to distance themselves from the attack; this is most likely an attempt to prevent agencies taking action against them. We have also seen attacks by this Russian threat actor here in Jersey.
It is also interesting that there are Lockbit rules that affiliates must abide by; these include restrictions on attacking former Soviet Bloc countries. However, not all affiliates follow the rules, as seen by the attack on a sick kids hospital in Canada.
Why is this of interest to Jersey?
Simply, it is an example of a global problem (ransomware) which has affected a number of local institutions in which CERT.JE has provided advice and support. There are steps you can take to make sure you’re not next; contact us for advice.
Data Breaches
JD Sports says hackers stole data of 10 million customers
UK sports apparel chain JD Sports is warning customers of a data breach after a server was hacked that contained online order information for 10 million customers.
In data breach notices shared by affected customers, the company warns that the "attack" exposed customer information for orders placed between November 2018 and October 2020.
CERT.JE would advise that if you have been affected by this data breach or any other data breach that you report it to the Jersey Office of the Information Commissioner here.
Research and vulnerabilities
Here are some of the interesting research and vulnerabilities that CERT.JE have come across (this information will be useful if you’re responsible for enterprise IT).
BitLocker Bypass
Interesting research on bypassing BitLocker using Windows Update here.
Windows Defender Vulnerability Management
If you use Microsoft Defender Vulnerability Management, then this article is a must read especially if you have a penetration test coming up.
ManageEngine
ManageEngine has released a patch for CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. There is also a report here. SOC Prime have released a blog on detecting access here.
Fortinet
If you run Fortinet hardware, then a former zero-day, CVE-2022-42475, is now under active exploitation by threat actors. The Fortinet advisory is here.
Other News
Microsoft discontinues virtual machines
In other news, Microsoft have discontinued the availability of their free virtual machines with the IE11 and MS Edge browsers. This is problematic, as these were a great resource for students and cyber security professionals; it means we now have to use the Windows Media Creation Tool and build our virtual machines manually.
The Microsoft Media Creation Tool can be found here.
Background OSINT - Silverado think tank releases Russian sanctions report
The Silverado institute (a Washington DC-based policy think tank) has released a report on the methods that Russia is using to evade sanctions. If you are interested, it can be found here.
Events
Tuesday 21 February - join Will Wilson, Head of Threat Protection & Governance at Altum, and like-minded professionals to discuss how we can best embed data protection and cyber security in an organisation. Will is IDGF’s winner of the Grant Thornton Innovation Award 2022 and will be reflecting on the good, the bad and the ugly of effective awareness campaigns. Watch our social media for details of how to sign up.
Jobs
Senior Manager, Cyber Security at the Jersey Financial Services Commission:
This role would suit someone with a passion for driving security related projects that enable the JFSC to achieve their security and strategic objectives. The role requires someone who has a highly collaborative approach, with the ability to maintain positive working relationships both internally and externally. Candidates should be able to demonstrate a disciplined and analytical approach to problem solving, along with good time management and communication skills.
Roles at PwC
(We couldn’t meaningfully summarise the job descriptions from the website, so read the full description for details)
Tech roles at Resolution IT
Learning & Tools of the month
There is a good tutorial on Windows Forensics provided by 13Cubed on YouTube.
An invaluable repository of blue team notes to help you investigate a Windows system.
Another useful resource for understanding DLL search order hijacking, to help defenders spot this type of activity.