Cybersecurity News Headline Updated on 29 Apr 2020 – Vulnerability in Teams, Sophos XG Firewall, Water Treatment Plant Cyberattacks, and more



The headline on 29 Apr 2020

Microsoft Fixes Vulnerability in Teams (a Zoom competitor). Microsoft has fixed a subdomain takeover flaw in its Teams communication and collaboration platform that could have been exploited to take control of vulnerable accounts. A proof-of-concept exploit demonstrated that would-be attackers could take over accounts by tricking users into viewing a maliciously-crafted GIF.

Note: Teams is positioned to subsume Skype for Business as well as provide collaboration services. While collaboration is restricted to your Microsoft 365 tenant, meetings can include external guest participants, which necessitated providing support for sharing images in the chat channel. The token needed for the attack to work is good for only an hour, but is renewed each time the GIF is viewed. Exploiting this weakness is difficult, due to the requirement for identifying a vulnerable Microsoft Teams subdomain. Microsoft claims to have secured those domains and added anti-exploitation measures.


Sophos Fixes XG Firewall Vulnerability. Sophos has released a patch to fix an SQL injection vulnerability in its XG Firewall that was being actively exploited. Hackers were using the flaw to install a malicious payload, which then exfiltrated sensitive data. Sophos pushed out the hotfix to all supported versions of the XG Firewall that have enabled automatic hotfix installations.

Note: OWASP has documented how difficult it is to do complete input checking at the application layer because the developer usually cannot know the environment in which the application will run. Therefore, every layer in the stack must parse its own input. That said, SQL injection attacks exploit the failure of the application layer to check for SQL commands in the input.
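
The note above contrasts application-layer input checking with the database layer parsing its own input. As an added illustration that is not part of the original article and not Sophos or XG Firewall code, the Python example below builds a constructed in-memory SQLite table and runs the same lookup three ways: a string-concatenated query (the defect class behind this item), a parameterized query, and a parameterized query behind an application-layer allow-list. The table, the names and the allow-list pattern are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample table standing in for an appliance's admin store;
# not Sophos code and not the XG Firewall schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO admins VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The user-supplied value is pasted into the SQL text, so the database
    # parses attacker-controlled input as part of the statement.
    sql = "SELECT username, role FROM admins WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The database layer checks its own input: the value is bound as data
    # and cannot change the structure of the statement.
    sql = "SELECT username, role FROM admins WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Assumed allow-list for this demo: lowercase names, up to 32 characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")

def lookup_layered(conn: sqlite3.Connection, username: str) -> list:
    # Application-layer allow-list on top of parameterization: reject input
    # that is not a plausible username before it reaches the database.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list")
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))      # every row
    print("parameterized:", lookup_parameterized(db, probe))   # no rows
```

The allow-list alone is the check OWASP describes as hard to get complete, since the valid character set depends on the deployment; the parameterized query is the layer that must hold regardless, which is why both are shown.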


Israeli Government Warns Water Treatment Plants of Cyberattacks. Hackers have reportedly launched attacks against wastewater treatment facilities, pumping stations, and sewers in Israel. An alert from the Israeli National Cyber-Directorate (INCD) is urging employees at water and energy facilities in that country to change their passwords for all Internet-connected systems. The Israeli government Water Authority and the country’s Computer Emergency Response Team have also released alerts.


Expired Certificate Causes Problems for Rabobank Android App Users in Australia. An expired security certificate prevented Australian Rabobank customers from accessing their bank accounts on Android mobile devices. The security certificate issue has been addressed and an updated version of the app has been released.

Note:

  • SSL certificate management is easy if you use only one Certificate Authority, because most CAs provide tools to track the certificates you bought from them. However, it is very rare for larger organizations to have only one source of SSL certificates in use. So, discovery and expiry tracking are too often done, if done at all, in manually updated spreadsheets or via the “Oops” method, as happened to Rabobank. Commercial certificate management products are available from vendors like Entrust DataCard, ManageEngine, SolarWinds, Venafi and others with free trial offers.
  • If you’re embedding certificates in applications at the endpoint, such as a mobile device, particularly for customer-managed devices, the method for updating that certificate must be documented and verified. To offset the impacts of reduced staffing, the Rabobank team has set up an email list (clienservicesAU@rabobank.com) for users to request help.
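
To make the expiry-tracking point concrete, here is an added Python example (not Rabobank’s or any vendor’s tooling) that consolidates certificates bought from several CAs into one inventory and reports which ones expire within a threshold, soonest first. The hostnames, CA names and dates are constructed for the example; `fetch_not_after` is an optional live helper, needing network access, for discovering what a server actually serves so the inventory can be checked against reality.

```python
import math
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory: certificates from several CAs, as a larger
# organization would have. Hostnames, CA names and dates are made up.
INVENTORY = [
    {"host": "app.example.com", "ca": "CA-One",   "not_after": "May 10 00:00:00 2020 GMT"},
    {"host": "api.example.com", "ca": "CA-Two",   "not_after": "Jun 30 00:00:00 2020 GMT"},
    {"host": "old.example.com", "ca": "CA-Three", "not_after": "Apr 20 00:00:00 2020 GMT"},
]

def days_until_expiry(not_after: str, now: datetime) -> int:
    # not_after uses the "%b %d %H:%M:%S %Y GMT" format that the ssl module
    # reports in getpeercert()["notAfter"]; cert_time_to_seconds parses it as UTC.
    expiry = ssl.cert_time_to_seconds(not_after)
    return math.floor((expiry - now.timestamp()) / 86400)

def expiring_within(inventory, now: datetime, days: int):
    # Returns (host, ca, days_left) for every certificate expiring within
    # `days`, soonest first. A negative days_left means already expired.
    hits = []
    for entry in inventory:
        left = days_until_expiry(entry["not_after"], now)
        if left <= days:
            hits.append((entry["host"], entry["ca"], left))
    return sorted(hits, key=lambda h: h[2])

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    # Live discovery (needs network): the notAfter string of the certificate
    # the server actually presents, in the same format as INVENTORY.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    for host, ca, left in expiring_within(INVENTORY, datetime.now(timezone.utc), 30):
        print(f"{host} ({ca}): {left} days left")
```

Run from a scheduler with the threshold set to your renewal lead time; the point of the single list is that the report does not depend on which CA issued a certificate.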

Read more in: Rabobank security cert expires and gives its Australian Android app a case of internet-blindness

Hupigon RAT Spear Phishing Campaign. A phishing campaign aiming to spread the Hupigon remote access Trojan (RAT) has been targeting users in multiple sectors, including faculty and students at US colleges and universities. In the past the Hupigon RAT has been linked to hackers working on behalf of China’s government.

Shade Ransomware Operators Stop Development, Release Decryption Keys. The operators responsible for ransomware known as Shade say they have stopped developing and distributing the malware. They have created a GitHub repository that includes decryption keys. Shade, also known as Troldesh, has been associated with Russian hackers.

Note: The Shade ransomware was often sold to others for use, but active use of that strain seems to have ended at the close of 2019. The decryption keys have been verified and may be incorporated into third-party decryption tools. The group also published instructions for decryption of files on systems still impacted by Shade.


Hackers Stole Data From Chinese Firm Conducting COVID-19 Research. Hackers have stolen data from Huiying Medical, a Chinese company that is developing COVID-19 screening technology that uses artificial intelligence. Some of the stolen information has been offered for sale on the dark web. The compromised data include technology source code and reports.


Ransomware Hits Hospital in Colorado. Parkview Medical Center in Pueblo, Colorado, was the victim of a ransomware attack last week. On Monday, April 27, the hospital’s website said the facility was “currently experiencing a network outage.”


In Wake of Ransomware Attack, Hackers Post Information Stolen From Pharmaceutical Outsourcing Company. Hackers have published data taken from systems at Pennsylvania-based ExecuPharm. The company suffered a ransomware attack in mid-March.

Note: Add the CLOP ransomware group to the list of entities that will publish your data if they are not paid. There is no known decryption tool for the CLOP ransomware. ExecuPharm rebuilt their systems and implemented measures, including password resets, multi-factor authentication and updated endpoint protection to prevent recurrence, avoiding paying the ransom. Read the letter to the Vermont Attorney General for a description of the data exfiltrated.


Ransomware Targets Architecture Firm. Systems at Zaha Hadid Architects (ZHA), a London-based firm, were the target of a ransomware attack last week. ZHA has brought in a cyber forensics team to investigate the incident. ZHA appears not to have paid the demanded ransom.

Read more in: Zaha Hadid Architects hit with ransomware attack

No Fix Available for WordPress OneTone Theme Vulnerability. Hackers are exploiting an unpatched cross-site scripting issue in the OneTone WordPress theme to create backdoor admin accounts. The vulnerability was detected in September 2019; the developer did not release a fix. WordPress delisted the free version of the OneTone theme in October 2019.

Note: The OneTone theme plugin has not been updated since 2018. While replacing the theme of a web site can be painful, being compromised is even more painful. Plugins need to be on your software support watch list, and just like other layered products, replaced or removed when they reach end-of-life.

Read more in: Hackers are creating backdoor accounts and cookie files on WordPress sites running OneTone

The headline on 26 Apr 2020

Sophos XG Firewall – SQL Injection and RCE Vulnerability Announced. Sophos received a report on April 22, 2020, regarding a suspicious field value visible in the XG Firewall management interface. The incident was determined to be an SQL injection attack against physical and virtual XG Firewall units. The investigation shows that one or more XG Firewalls have been compromised. At this time, Sophos has already applied a hotfix that prevents further intrusion, stops the XG Firewall from accessing any attacker infrastructure and cleans up any remnants of the attack. Source: Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS

The headline on 25 Apr 2020

Zoom 5.0 Includes Security and Privacy Improvements. Zoom has released a new version of its teleconferencing software. New features in Zoom 5.0 include controlled data routing, and passwords on by default for all meetings; administrators can now establish password complexity requirements. Zoom is also implementing stronger encryption, which is expected to be enabled system-wide by the end of May. The newest version of Zoom will be rolled out to users over the next week.

Note:

  • Zoom continues to live up to its promise to enhance security, but there is a predictable trajectory when IT platforms retroactively add security features. Security management capabilities tend to lag, providing limited visibility into and tracking of critical security policies/events. The Business version of Zoom has an admin dashboard that is mostly performance-oriented and relies on exporting .CSV files for any deeper analysis – never a scalable approach. Third-party partner vendors can fill the gap, but the Zoom App Marketplace has a very limited choice of small vendors. Zoom may add more security management capabilities, but training will be required for admins and security analysts on how to properly configure and monitor security-relevant features, how to integrate to SIEM, etc. Many will require direct vendor support until these capabilities mature. At the Enterprise pricing level of Zoom ($1999/month minimum), you get a dedicated “Customer Success Manager” which many may need to buy.
  • The update is not available yet; yes, I tried to update before reading that, too. The plan is to push out client updates next week. They are updating to AES 256 GCM encryption and allowing your account admin to control meeting routing. They are also grouping the security settings under a new security icon. The Zoom blog explains the new features: blog.zoom.us: Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0


FBI and Domain Name Registries Take Down Malicious COVID-19 Websites. The FBI, working in cooperation with domain registries and other technology companies, has removed hundreds of malicious websites with names related to COVID-19. Some of the websites pretended to be legitimate sites seeking donations; others pretended to be US government websites and sought to collect personal information. The FBI’s Internet Crime Complaint Center has received more than 3,600 complaints related to COVID-19 scams.

Note: We must accept the risk of more false-positive blocking of URLs than in more normal times. Bad guys have their greatest successes taking advantage of people (users, admins, CFOs, CEOs, directors of boards, etc.) when the targets are distracted and can be made to feel a sense of urgency. Let’s all hope we never see this high level of distraction and uncertainty again in our lifetimes, but while we are stuck in it, this is the time to err on the side of caution and accept having to deal with “Hey, your stupid security system kept me away from this perfectly safe website” complaints.


NSA and Australian Signals Directorate Issue Joint Advisory on Web Shell Malware. A joint security advisory from the US National Security Agency (NSA) and the Australian Signals Directorate (ASD) urges organizations to take steps to detect and prevent web shell malware. Suggested detection techniques include “Known-Good” Comparison, Web Traffic Anomaly Detection, and Signature-Based detection. Suggested prevention techniques include Web Application Permissions, File Integrity Monitoring, and Network Segregation. The advisory also includes a list of commonly exploited web application vulnerabilities.
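
Of the detection techniques the advisory names, “Known-Good” Comparison is the easiest to show in code, and it is the same check a File Integrity Monitoring tool performs. The added Python example below is not NSA/ASD code; it hashes every file under a web root into a baseline manifest taken from a clean deployment, then reports files added, modified or removed relative to that baseline. The web root, file names and file contents in `demo` are constructed placeholders (the “unexpected” file contains only a marker string).

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Stream the file so large assets do not have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    # Known-good baseline: relative path -> SHA-256 for every file under the
    # web root. Take it from a clean deployment and keep it off the web host.
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest

def compare_to_baseline(baseline: dict, current: dict) -> dict:
    # On a web root that should only change at deploy time, anything added
    # or modified is a candidate web shell, or at least an unexplained change.
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    # Constructed web root: a clean deploy, then a modified page and an
    # unexpected file dropped into an upload directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib.php").write_text("<?php function helper() {} ?>\n")
        baseline = build_manifest(root)

        (root / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>\n")
        (root / "uploads" / "unexpected.php").write_text("placeholder marker, not a shell\n")
        return compare_to_baseline(baseline, build_manifest(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is regenerated as part of each deployment and the comparison runs on a schedule; upload directories that legitimately change need to be excluded from the manifest and covered by the Web Application Permissions control instead (no execute permission on user-writable paths).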


New GNU Compiler Collection (GCC) 10 Feature Detected OpenSSL Flaw. A high-severity flaw in OpenSSL could be exploited to crash servers and applications running vulnerable OpenSSL builds. The flaw was detected by GCC 10’s new static analysis feature.

Note: It is exciting to see features like this incorporated in a popular compiler like GCC. I hope that this feature will find many more vulnerabilities. The fact that it found the problem in OpenSSL, a project that has already seen quite a few reviews in recent years, shows how valuable it is.


Apple Will Fix Flaws in iOS Mail. A pair of vulnerabilities in Apple’s mail app on iOS devices has been actively exploited since 2018. The ZecOps researchers who found the vulnerabilities say that they have been present since iOS 6, which was released in 2012. ZecOps says the vulnerabilities have been exploited to spy on employees of a North American Fortune 500 company, a European journalist, managed security service providers in the Middle East, and others. Apple has patched the flaws in the iOS 13.4.5 beta release. (Please note that the WSJ story is behind a paywall.)

Note:

  • There is no great work-around for users right now. You may be able to filter some attacks on the mail server using the IOCs provided, but it is hard to tell how good these IOCs are. If you are using a cloud-based mail service, there is usually little you can do unless the provider has already implemented these filters. I feel that ZecOps was too fast in releasing that much detail. But they are right in their assessment that while the flaw does allow arbitrary code execution, due to additional safeguards iOS put in place, a compromise of the phone would require additional kernel exploits.
  • iOS 13.4.5 public beta is available for testing on devices enrolled in Apple’s beta software program. Enroll from your device at beta.apple.com. While Apple holds release dates close, they have been working towards publishing updates on patch Tuesday.


US Small Business Administration Data Breach. The US Small Business Administration (SBA) has disclosed a suspected data breach that may have exposed information entered into an emergency loan application portal. Potentially compromised data include names, Social Security numbers, addresses, dates of birth, and insurance information of nearly 8,000 applicants to the SBA’s Economic Injury Disaster Loans (EIDL) program. The possible breach was detected in late March.

Note: The flaw allowed access to other businesses’ data while in the application portal and was only exploitable through the EIDL portal. The flaw was fixed on March 25th. Businesses affected were notified and offered a year of free credit monitoring.


Hacked Ad Servers. Researchers at Confiant have detected a malvertising scheme that has been ongoing since at least August 2019. Hackers have been breaking into ad networks running older versions of the Revive ad server and then adding malicious code to existing ads so that the ads redirect users to malicious sites. The hackers have compromised about 60 ad servers.


Microsoft Releases Unscheduled Fixes for Autodesk FBX Library. Microsoft has released fixes to address vulnerabilities in the Autodesk FBX library outside of its regular patch schedule. The Autodesk FBX library is integrated into Microsoft Office, Office 365 ProPlus, and Paint 3D. The vulnerabilities, which are rated “important,” could be exploited to allow remote code execution.

Note: As always, if Microsoft deems a vulnerability important enough to release a patch out of cycle, then you should deem it important enough to apply that patch.


IBM Data Risk Manager Zero-days. After initially rejecting reports of four vulnerabilities in IBM Data Risk Manager (IDRM), IBM has acknowledged that “a process error resulted in an improper response to the researcher who reported this situation to IBM.” The person who discovered the flaws disclosed them on April 21, after IBM would not accept their disclosure through the company’s vulnerability disclosure program. The vulnerabilities could be exploited to allow unauthenticated remote code execution.

Note: When running a vulnerability disclosure program, treating the reported issues as legitimate and respecting those reporting is key to not undermining the program’s credibility as well as preventing undesired disclosure of flaws, irrespective of the exploitability of those flaws.


Phishing Campaign Targets Skype Credentials. Phishers are sending phony emails to Skype users in the hopes of harvesting their account credentials. The email messages tell users that they have pending Skype notifications and provide a link to what looks like a Skype login page.

Note: Enable multi-factor authentication on your Microsoft accounts. All Microsoft/Skype account types allow the addition of MS Authenticator, SMS, or Email second-factor validation.


DoppelPaymer Ransomware Group Posts Files Stolen From Torrance, California Systems. Computers belonging to the City of Torrance, California, were infected with DoppelPaymer ransomware earlier this year. At the time, the Los Angeles-area city said that no public personal information had been compromised. The attackers have begun leaking files they say were stolen from the city’s computers and are demanding a payment of 100 bitcoin (roughly $750,000 as of Thursday evening) to take down the data.


Private Equity Firms Fall Prey to Business Email Compromise. Criminals fooled three separate private equity firms in the UK into wiring funds to accounts the companies believed belonged to startups they intended to invest in, but which were controlled by the criminals. In all, the companies wired $1.3 million to the fraudsters’ accounts; roughly $600,000 has been recovered.

Note: The hackers have been refining their techniques to be harder to detect. This attack used a combination of look-alike domains and email account takeovers, including adding filters to divert messages to a different folder to facilitate MITM activities. High-level executives are targeted to add legitimacy to the fake messages generated. Aside from training on spotting spear phishing and using strong authentication on all email accounts, out-of-band validation of financial account information before setup or change remains a key mitigation.

Read more in: Hackers Trick 3 British Private Equity Firms Into Sending Them $1.3 Million

The headline on 21 Apr 2020

Dangerous VMware Vulnerability. VMware recently released a patch for a vulnerability in its vCenter management product; the vulnerability was given a CVSS score of 10. It is now known that the flaw could be exploited by anyone on the network to create new administrator accounts in the vCenter Directory. Admins are urged to apply the patch as soon as possible.

Note: A gap I regularly see when reviewing patch management strategies is the narrow focus on server and desktop operating systems and the applications that reside on them, but ignoring the virtualization platforms on which many of those systems rely.

CISA: Pulse Secure VPN Servers Vulnerable to Attacks After Patching Unless Passwords Changed. A patch was made available for an arbitrary file reading vulnerability in Pulse Secure VPN a year ago. However, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has warned that even if an organization has applied the fix, hackers could still use credentials stolen before the flaw was patched to access the system unless the organization has changed those credentials. Hackers used stolen Active Directory credentials to place ransomware on systems at US hospitals.

Note: Use the CISA “check-your-pulse” tool to analyze your Pulse Secure VPN logs for indications of compromise. If any are found, a full AD password reset, including administrator and service accounts, is indicated. Implementing 2FA on your Pulse Secure VPN can also reduce the risk of compromised credentials being used to enter your network. github.com: cisagov / check-your-pulse


Microsoft Releases New Windows Defender Definition to Fix Crash Issue. A recent Windows Defender definition update caused Windows 10 machines running the Microsoft anti-malware component to crash while in the middle of a full antivirus scan. Late last week, Microsoft pushed out a new definition to fix the problem.

Malicious Libraries Uploaded to RubyGems Repository. Hackers uploaded malicious files to the RubyGems package manager. The files have names that are a character or two off from legitimate files. If users download the malicious libraries, the software they build with them will include bitcoin stealing malware.


“Is BGP Safe Yet?” Tool. Users can check whether their ISP is using features that improve the stability of the Border Gateway Protocol (BGP) through the “Is BGP Safe Yet?” site. Sometimes a BGP problem is accidental, sending traffic on unexpected routes, and sometimes it is deliberate: routing is hijacked to send traffic through certain servers so attackers can steal data.

Note: While BGP was a vast improvement over prior options (anyone remember RIP?), it does allow updates to preferred routes. ISPs can implement RPKI, which adds a trust anchor to BGP updates. The “Is BGP Safe Yet?” site provides an easy way to check your ISP. The site also provides suggestions for encouraging your ISP to implement RPKI and join MANRS.


GitHub Users Targeted in Phishing Attacks. GitHub users are being targeted in a phishing scheme. The message in the malicious email says that unauthorized activity has been detected on a user’s account, and provides a link that purportedly will show the questionable activity. Instead, the link takes users to a phony GitHub login page where their credentials could be stolen. Attackers have been accessing accounts of people who have fallen for the phish and have been downloading the contents of their repositories.

Note: Where multi-factor authentication is available, it should be enabled. Instructions to turn on MFA for GitHub are available here: help.github.com: Configuring two-factor authentication


Cryptocurrency Theft. Hackers stole a total of $25 million worth of cryptocurrency from Lendf.me and Uniswap. The thefts are being investigated; they are believed to be related. The hackers used a combination of vulnerabilities and legitimate features to steal the funds.


German State May Have Lost Millions in COVID-19 Aid to Phishers. The government of the German state of North Rhine-Westphalia appears to have lost between €31.5 million ($34.2 million) and €100 million ($109 million) to a phishing scheme. The funds were meant to be distributed to individuals and companies affected by the COVID-19 pandemic. The thieves set up a website that looked just like the one the North Rhine-Westphalia government created to help distribute the money. The thieves then sent links to their site, harvested information from people and organizations applying for the funds, and used the information to direct the payments into bank accounts under their control.

Note:

  • Most scams take advantage of targets being distracted and in a hurry, and these are distracting and rapidly changing times. Even before this, we’ve seen CFOs and financial managers fall for similar schemes where financial disbursement processes did not have a formal approval checkpoint or where it was shortcut. It is a good idea to use this item to remind financial managers of the increased danger and to step up the email quarantining of anything suspect.
  • Strong validation of users or organizations enrolling for financial transactions, including out-of-band validation of bank information when setting it up or changing it, is crucial. While remote enrollment introduces challenges, use existing services that draw on multiple sources for validation to raise the bar without having to roll your own solution.

Read more in: German government might have lost tens of millions of euros in a COVID-19 phishing attack

Cognizant Hit with Ransomware Attack. IT services company Cognizant was the target of a ransomware attack last week. The company notified its clients and shared “indicators of compromise” with them so they could take steps to protect their systems. Forensic information shared with Cognizant clients suggests that the Maze ransomware was used in the attack.


State Dept. Concerned About Reports of Healthcare Organization Cyberattacks in the Czech Republic. A press statement from the US Department of State expresses concern of a recent warning from the Czech Republic’s National Cyber and Information Security Agency that hackers were targeting organizations in the country’s healthcare sector. Reuters reports that the Prague Airport and a hospital in the Czech Republic both say they staved off cyberattacks against their IT systems.


UK Ministry of Defence Temporarily Eases Cybersecurity Requirement for Contractors. The UK Ministry of Defence (MoD) is temporarily suspending certain cybersecurity requirements for its contractors. Until the COVID-19 threat abates, UK defense contractors will not need the Cyber Essentials Plus cybersecurity certification, which requires a visit from a third-party assessor.


Virtual Exam Monitoring Raises Privacy Concerns. Students at the Australian National University (ANU) are protesting the school’s plan to install monitoring software on their home computers to ensure that they do not cheat on exams. The software Proctorio identifies students biometrically, locks down the system to prevent outside information from being transmitted during the exam, and records the environment during the exam. It also tracks students’ eye movements. In a separate story, some schools in the US are using Proctorio as well as live remote proctors to monitor students during exams.

Note:

  • In many ways dealing with the current impact of the Coronavirus and coming out of it will require some tradeoffs between privacy and safety/security/trustability. Some US states are suspending laws requiring in-person notarization of legal documents; some are not. Some will risk cheating over invasive controls – for now, these will be local “learn as we go” decisions, but in the future, I think we will see “remote drills” to test processes a few times per year, just as we do fire drills in most buildings.
  • A great success story, while it still uses in-person proctors, is the Anchorage Amateur Radio Club remote testing which has been performed in 32 states and Antarctica to date. For those seeking GIAC certification attempts, or other exams proctored by Pearson Vue, check their site for relevant information home.pearsonvue.com


US Supreme Court Will Review the Case Involving Computer Fraud and Abuse Act. The US Supreme Court has agreed to review a case in which a former police officer was convicted of violating the Computer Fraud and Abuse Act (CFAA) for accessing data in a system he was authorized to use for a non-work-related purpose. Critics of the CFAA say the 34-year-old law is overly broad and does not serve the current cyber climate.

Note:

  • Lower courts have ping-ponged around how they interpret the Authorized Access wording in the CFAA for years. The CFAA has been used semi-randomly against security researchers in the past and many times has not supported charging malicious insiders with unauthorized use of data. The law is long overdue for rewriting, but this case is more focused on the insider authorized-access issue than on the security researcher issue – a narrow ruling may not address the security researcher liability issue at all.
  • Drafting legislation that accomplishes its intent while avoiding unintended consequences is difficult. When the CFAA was drafted, most of those who could send a message to a system worked for the owners of the system.

Read more in: Supreme Court to Review CFAA for the First Time

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.