Canadian Organizations Attacked via Unpatched Devices & Inadequate Authentication, Canadian Centre for Cyber Security Says
The Canadian Centre for Cyber Security recently revealed that in recent months several Canadian organizations’ computer networks have fallen victim to cyberattackers via unpatched devices and inadequate authentication.
“In recent months, the Cyber Centre [Canadian Centre for Cyber Security] has been made aware of several compromises of computer networks in Canada,” the Canadian Centre for Cyber Security said. “In each case, a threat actor was able to compromise infrastructure exposed to the internet because it was not properly secured via 2FA and/or because software running on an exposed server was not patched to the latest version.”
Inadequate authentication refers to an insecure process for gaining access to a device. According to the Canadian Centre for Cyber Security, threat actors were able to compromise Canadian infrastructure exposed to the internet because it wasn’t properly secured via two-factor authentication (2FA) – an authentication method that adds another layer of protection on top of traditional single-factor authentication, that is, reliance on a username and password combination alone. An example of a second factor is a one-time code sent to the user’s phone or email.
Two-factor authentication deters one of the widely used tools in cyberattackers’ arsenal: brute force attack. In a brute force attack, malicious actors attempt to log into an account by using the trial-and-error method.
In brute force attacks, attackers try common usernames such as “administrator” and common passwords such as “123456”. They also try usernames and passwords derived from past data breaches.
In the blog post “Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks”, the Microsoft Defender ATP Research Team reported that attackers target Windows Remote Desktop Protocol (RDP) servers that aren’t protected with two-factor or multi-factor authentication, or with other security protections such as virtual private networks (VPNs). RDP is a proprietary protocol developed by Microsoft that allows a user to connect to another computer over the internet.
By brute-forcing RDP, threat actors can gain access to target computers or networks and conduct malicious activities such as deploying ransomware or illicit cryptocurrency mining.
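The detection idea above can be illustrated with a simple sliding-window heuristic over Windows failed-logon events (Security Event ID 4625, logon type 10 for RDP). This is an added example written for this article, not code from the Cyber Centre or from Microsoft’s probabilistic model; it assumes the events have already been parsed into tuples, and every timestamp, username and IP address below is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames attackers commonly try first; extend from your own environment's baseline.
COMMON_USERNAMES = {"administrator", "admin", "guest", "user", "test"}

# Constructed Event ID 4625 records: (timestamp, target username, source IP,
# logon type). Logon type 10 = RemoteInteractive, i.e. an RDP attempt.
SAMPLE_EVENTS = [
    ("2020-07-01T02:00:01", "administrator", "203.0.113.7", 10),
    ("2020-07-01T02:00:04", "admin", "203.0.113.7", 10),
    ("2020-07-01T02:00:09", "administrator", "203.0.113.7", 10),
    ("2020-07-01T02:00:15", "guest", "203.0.113.7", 10),
    ("2020-07-01T02:00:20", "test", "203.0.113.7", 10),
    ("2020-07-01T02:00:27", "administrator", "203.0.113.7", 10),
    ("2020-07-01T02:00:33", "jdoe", "203.0.113.7", 10),
    ("2020-07-01T09:14:10", "jdoe", "198.51.100.22", 10),   # one typo by a real user
    ("2020-07-01T09:30:00", "msmith", "198.51.100.22", 3),  # network logon, not RDP
]

def detect_rdp_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: summary} for every source whose failed RDP logons
    reach `threshold` inside any sliding time `window`."""
    by_source = defaultdict(list)
    for ts, user, src, logon_type in events:
        if logon_type != 10:  # ignore non-RDP failures (console, network, ...)
            continue
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    alerts = {}
    for src, fails in by_source.items():
        fails.sort()
        peak, start = 0, 0
        for end in range(len(fails)):
            # advance the window start until every entry fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            users = {u for _, u in fails}
            alerts[src] = {
                "failures": len(fails),
                "peak_in_window": peak,
                "distinct_users": len(users),
                "common_usernames": sorted(users & COMMON_USERNAMES),
            }
    return alerts
```

A single mistyped password from a legitimate user never reaches the threshold, while a source cycling through default account names within seconds does; tune `window` and `threshold` against your own logon baseline before alerting on it.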
It’s important to note that 2FA shouldn’t be relied upon as your organization’s sole security protection. In some cases, threat actors have bypassed 2FA.
Unpatched devices refer to computers in which the latest security update hasn’t been applied. According to the Canadian Centre for Cyber Security, in addition to inadequate authentication, threat actors were able to compromise Canadian infrastructure exposed to the internet due to unpatched devices.
In September 2019, the Canadian Centre for Cyber Security urged Canadian organizations to patch multiple VPN products. “The Cyber Centre has become aware of widespread exploitation attempts being made against Virtual Private Networks (VPNs),” the Canadian Centre for Cyber Security said. “A recent Black Hat 2019 presentation on VPN vulnerabilities has triggered heightened interest in exploiting vulnerabilities present in multiple VPN products, including Fortinet Fortigate, Palo Alto GlobalProtect, and Pulse Secure. In some cases, proof of concept code and exploitation tools have been published on the Internet. Due to the fact that VPN devices are typically Internet-facing, it is of the utmost importance that they be kept up to date with the latest patches.”
Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning organizations to stop using legacy backups, specifically QNAP backup devices, due to the threat of cyberattack.
Legacy backups refer to outdated backup systems. A backup device is considered outdated when its firmware no longer receives security updates from its vendor, or when the device owner fails to apply the vendor’s latest security update.
CISA and NCSC, in a joint statement, said, “All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes.” QNAP’s Network Attached Storage (NAS) devices are backup systems that consist of one or more hard drives. These backup systems can either be connected to the internet or used offline.
On October 25, 2019, the National Cyber Security Centre Finland (NCSC-FI) reported on the malicious software (malware) called “QSnatch” – a malware designed specifically for QNAP NAS devices. On an infected QNAP NAS device, QSnatch is capable of various malicious activities, such as retrieving all usernames and passwords related to the device and sending them to the command-and-control (C2) server; preventing the QNAP MalwareRemover app from running; and blocking QNAP firmware updates by completely overwriting the update sources.
The original infection method remains unknown, NCSC-FI said. On November 1, 2019, QNAP issued a security advisory asking QNAP NAS users to apply the then-latest security update.
CISA and NCSC recommend that organizations consider the following mitigations against QSnatch malware:
- Verify that you purchased QNAP devices from reputable sources.
- If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade.
- Block external connections when the device is intended to be used strictly for internal storage.
According to CISA and NCSC, the infrastructure used by the group behind the QSnatch malware isn’t currently active, but the “threat remains to unpatched devices”.
Thousands of QNAP NAS devices are infected with QSnatch malware. CISA and NCSC reported that in mid-June 2020 there were approximately 62,000 infected devices worldwide; of these, 46% were in Western Europe, 15% in North America, 8% in Eastern Europe and 31% in the rest of the world.
Because the QSnatch malware prevents the installation of the latest security update on infected QNAP NAS devices, CISA and NCSC recommend that users run a full factory reset on infected devices prior to applying the firmware patch, to ensure the device isn’t left vulnerable.
Without a doubt, when your business is dealing with so many issues on a daily basis, it’s easy to miss a security advisory or a critical patch, resulting in a serious incident affecting your organization.
At GenX, we have the processes and the expertise to manage your infrastructure, mitigating the risks and reducing the pressure on your operations. Call us today at (416) 920-3000 or email firstname.lastname@example.org, and we will show you how you can protect your company today.