Cybersecurity News Headline Updated on 09 May 2020 – New WordPress Vulnerabilities, Ransomware, and more

The headline on 09 May 2020

Snake Ransomware Hits Major European Healthcare Company’s Systems. IT systems belonging to Fresenius, a European healthcare conglomerate, were hit with ransomware earlier this month. The ransomware used in the attack has been identified as Snake, which has recently been used in attacks against a variety of large businesses.

Note: The healthcare industry is a target of choice for extortion attacks. Within the industry, attacks succeed against targets of opportunity. Healthcare enterprises should raise the cost to their attackers high enough not to be targets of opportunity. “Targets of opportunity” are, almost by definition, on the flat part of the security cost curve where one can get a significant reduction in the cost of losses for every dollar spent.

Toll Group Systems Infected with Ransomware Again. IT systems belonging to Australian transportation and logistics company Toll Group have been hit with ransomware for the second time since the beginning of the year. On Tuesday, May 5, Toll acknowledged that they “took the precautionary step yesterday of shutting down certain IT systems after [they] detected unusual activity on some of [their] servers.” The ransomware used in the attack has been identified as Nefilim. The ransomware used in the attack earlier this year was identified as MailTo, also known as Netwalker.

Note: The tricky part here is that the second attack was delivered through vulnerable RDP servers while the first used phishing emails, indicating that while one vector was hardened the other was missed. If you must offer RDP services, follow best practice guides for securing them, including use of multi-factor authentication, secure gateways and restrictions on which accounts can use RDP. Make sure that incident response procedures include validation of your entire security posture, not just the vector exploited.

Ransomware Strikes Taiwan Energy Company. Taiwan’s state-owned energy company, CPC Corp., has reportedly been hit with ransomware. The attack did not disrupt CPC’s energy production, but some customers had trouble using CPC payment cards to buy fuel.

Read more in: Taiwan’s state-owned energy company suffers ransomware attack

Hackers Take Aim at Cross-Site Scripting Flaws in WordPress Sites. The Wordfence Threat Intelligence Team has observed a significant increase in attempted attacks targeting cross-site scripting (XSS) vulnerabilities in WordPress sites over the past 10 days. The number of these attacks is 30 times what Wordfence normally sees. The attacks are likely the work of a single hacking group.

Note:

  • These attacks are targeting five WordPress plugins: Easy2Map, Total Donations (both of which are discontinued), Blog Designer, WP GDPR Compliance, and the Newspaper Theme, which have updates. Removal of the discontinued plugins is the best mitigation. Note that while Wordfence offers a security plugin for WordPress that both monitors and will perform automated updates of plugins, removal of discontinued plugins is still manual.
  • There is hard data showing that the most frequently exploited vulnerability in government agencies and, by extension, in smaller organizations and not-for-profits, is WordPress (because of the carelessness of the developers of the plug-ins) and the other content management systems. Allowing people to deploy WordPress-based websites may well be seen as actionable negligence unless additional mitigating controls are implemented.

GitHub Code-Scanning Tools for Open-Source Projects. GitHub is offering its automated code-scanning tools to open-source projects at no cost. The GitHub Advanced Security Suite includes the Semmle code scanning tool, which GitHub acquired last fall, as well as tools that can scan repositories for data that should not be exposed, like passwords and private keys.

Note: Even before Microsoft acquired GitHub back in 2018, Microsoft had been using Semmle on Windows code. The pricing for GitHub Advanced Security doesn’t seem to be public yet. One of the news items says scanning will be free of charge, a good thing.

Several Thousand Salt Servers Remain Unpatched. Over the past few weeks, hackers have been exploiting vulnerabilities in unpatched versions of the Salt configuration management tool. While many servers have been patched against the exploit, there are still several thousand that remain vulnerable. Organizations that have been breached include DigiCert, LineageOS, Ghost, and Algolia. Users are urged to patch their systems as soon as possible.

Note: In addition to patching SaltStack, be sure to follow the Salt hardening guide, which recommends restricting who can log in, using SSH keys with a passphrase, and not making the Salt server internet accessible. Salt Hardening Guide: docs.saltstack.com: Hardening Salt

NYC Department of Education Approves Improved Zoom Platform. The New York City Department of Education has approved a specially tailored Zoom platform to use for remote learning. Last month, the NYC Department of Education banned the use of Zoom due to privacy concerns. In a statement, the NYC Schools Chancellor said that “Zoom has addressed vulnerabilities over the last few weeks and effective immediately, our community can safely use the Department of Education licensed Zoom account for remote learning.”

Note: Properly configured and set up, Zoom was probably always sufficiently secure for K-12 instruction. In an abundance of caution and in response to reports about exploitation of Zoom, the NYC Department of Education “banned” its use. It is to the credit of Zoom and the Department that the ban has now been lifted. Zoom is “free” for educational institutions and represents a major contribution in the response to school closures.

Read more in: New York City schools OK tailored Zoom platform for remote learning

Zoom Acquires Keybase in Effort to Improve Security Issues. Video conferencing platform company Zoom has acquired security company Keybase, which will help Zoom implement stronger encryption. The improved encryption service will be available to paid versions of Zoom.

Note:

  • Zoom is following the path many other fast growth tech startups (like Microsoft, Salesforce and Google) followed when they were forced by customers to realize security is critical. Zoom is continuing to live up to its CEO’s promise to focus on security and encryption (and especially key management) – something that is easy to do badly and complex to do right – especially at scale. Keybase has been around for 6 years, was early to sign up for bug bounty programs to make sure vulnerabilities in their code were exposed and fixed, and also paid for a professional audit of their product and made the results public – all good signs.
  • Keybase focuses on key management, which is essential for getting end-to-end encryption right and which will help address concerns over Zoom’s current security implementation. There are no plans to eliminate the existing functions of Keybase; there are new products planned and updates to Zoom to leverage Keybase’s services. The current ZoomBot client will allow a Zoom meeting to be started from your Keybase client.

Cisco Updates Include Fixes for a Dozen High Severity Flaws Affecting ASA and Firepower Software. Cisco has released fixes for a total of 34 security issues in a range of products. Twelve of the vulnerabilities are rated high severity; they affect Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.

German Authorities Charge Alleged Bundestag Hacker. Authorities in Germany have issued an arrest warrant for an individual who allegedly hacked the internal network of the German Parliament (Bundestag) five years ago. Dmitriy Sergeyevich Badin allegedly conducted the attacks as part of a cyberespionage campaign on behalf of the Russian military. Badin, who remains at large, is also wanted in the US in connection with cyberattacks against the Democratic National Committee and the World Anti-Doping Agency.

Read more in: German authorities charge Russian hacker for 2015 Bundestag hack

InfinityBlack Hacking Group Operations Dismantled. Law enforcement authorities in Poland and Switzerland, with help from Europol and Eurojust, have dismantled the InfinityBlack hacking group’s operations. Five people were arrested in Poland late last month. Police seized electronic equipment, external hard drives, and hardware cryptocurrency wallets; they also shut down platforms that held databases with more than 170 million entries. The group sold stolen user credentials with a particular focus on loyalty reward account credentials.

Firefox Update Fixes 11 Vulnerabilities. Mozilla has released updates for Firefox and Firefox ESR to address a total of 11 security issues. Three of the flaws are rated critical. The most recent versions of the browsers are Firefox 76 and Firefox ESR 68.8.

Note: Isolate browsing (and e-mail) from sensitive applications. Prefer purpose-built clients to browsers.

Vulnerabilities in Schneider Electric Products. Security flaws in Schneider’s SoMachine Basic v1.6 and Schneider Electric M221, firmware version 1.6.2.0, Programmable Logic Controller (PLC) can be exploited to take control of vulnerable systems. The flaws can be used to intercept, modify, and resend commands between the engineering software and the PLC. Schneider has made a fix available for SoMachine Basic v1.6 and is working on a fix for the second issue.

Note: For most applications and environments, prefer to attach PLCs only to private networks.

The headline on 06 May 2020

US Executive Order on Grid Security. A White House executive order declares “a national emergency with respect to the threat to the United States bulk-power system” and takes steps to ban the US power grid from acquiring, installing, or using equipment “in which any foreign country or a national thereof has any interest.”

Hackers Infected Company’s Android Devices Through its MDM Server. A banking Trojan has infected more than 75 percent of a multinational conglomerate’s Android devices. A new variant of the Cerberus malware was placed on the mobile devices by compromising the unnamed company’s Mobile Device Manager (MDM) server.

Note:

  • Every end-point security agent has a server somewhere behind it whether it is on premises or in the cloud. If that server is compromised, the security agent turns from a beneficial rootkit to a malicious rootkit. Basic security hygiene for all servers and vigilance on all admin accounts for those servers or cloud services has to be high priority.
  • Conventional wisdom says that any system used to configure your infrastructure should live on a dedicated management network. But mobile device management (MDM) has to interact with devices on the internet and can be difficult to segregate. Many of these systems are also cloud based, which typically leaves only strong authentication and the often-misplaced trust in vendors as your last remaining security controls.

Read more in:

Banking trojan attack exposes dangers of not securing MDM solutions

Upgraded Cerberus Spyware Spreads Rapidly via MDM

Hackers breach company’s MDM server to spread Android malware

Multinational’s mobile endpoints engulfed by Cerberus banking trojan

First seen in the wild – Malware uses Corporate MDM as attack vector

Hackers Exploit SaltStack Vulnerabilities to Breach Servers at Ghost, LineageOS, and Others. Hackers have exploited recently patched vulnerabilities in the Salt management framework to gain unauthorized access to Salt servers belonging to LineageOS, the Ghost blogging platform, and other organizations. Ghost developers noted that the malware drove up CPU usage, which is how they knew something was wrong. SaltStack has released patches to fix the flaws; companies running Salt servers are urged to apply the patches as soon as possible or ensure that they are behind a firewall.

Note: If you are reading this and you still have an unpatched SaltStack in your environment: Call your IR team (no need to patch first). Now stop reading. For the rest of you still with me: A system used to manage your entire infrastructure should not be exposed to the internet. The idea of a central system like this is that you will be able to spend resources to adequately secure and monitor it. This isn’t easy. But at least you have to do it only once (vs. having many configuration management systems). Yes, these systems have to interact with cloud components. But I am sure with all the money you are saving by moving to the cloud, there was plenty left to actually secure it (read last sentence with sarcasm).

Mozilla is Developing a Firefox eMail Alias Service. Mozilla is developing an email alias service for its Firefox browser. Firefox Private Relay will be an addon. It will allow users to easily generate email aliases they can use to register new accounts, subscribe to newsletters, or conduct other business where they do not want to expose their email addresses. Private Relay is currently in closed beta testing; a public beta is expected later this year.

Note:

  • After reading about this I applied for the beta. I spend about 15 minutes every Saturday unsubscribing from the useless emails that found my account. Some are even cheeky enough to say things like “Wanting to make sure you got my last email”; now click and it will take out whoever sold my email at the same time; what is not to like?
  • Apple has a similar service for users who don’t want to use their real email address when registering with apps downloaded from the Apple App Store. This is one of those “put all of your eggs in one basket and really, really trust that basket – or watch it very, very closely” kind of scenarios. The Firefox browser has an 8% market share, so it is not going to have a large impact. A simple, more universal approach is just to have a “burner” freemail address you use with all apps and web sites that require an email address.

Read more in: New Firefox service will generate unique email aliases to enter in online forms

Oracle Says WebLogic Server Vulnerability Patched in April is Being Used in Attacks. Oracle is urging users to apply patches it released last month as part of its quarterly Critical Patch Update. Oracle says it has learned that several of the patched flaws are being actively exploited. One of those, CVE-2020-2883, is a critical remote code execution flaw in WebLogic Server.

Note:

  • A PoC exploit was released the day after the patch. Oracle only discovering now that this vulnerability is being actively exploited is a bit late. If you haven’t patched yet, your first call should be your incident response team. Unless they are quite skilled, they will find a crypto coin miner, and call it a day, leaving the actual compromise undetected. You may want to read up on ransomware as this is probably what will hit you next.
  • The failure to “patch” in a timely manner demonstrates that the strategy of placing responsibility for the quality of software on the end user is not merely expensive but ineffective.

WordPress Ninja Forms Update Available to Fix Cross-Site Request Forgery Flaw. A vulnerability in the Ninja Forms WordPress plugin could be exploited to create new admin accounts and take control of unpatched websites. Ninja Forms has released an updated version of the plugin, 3.4.24.2, that fixes the flaw. Ninja Forms is installed on more than one million websites.

Contact Tracing Apps: India, Singapore, UK. In parts of India where COVID-19 is spreading, people are being required to use a contact tracing app called Aarogya Setu. Starting May 12, Singapore’s “SmartEntry” system will require smartphone check-ins at all businesses. The system will log names, phone numbers, national ID numbers, and the time individuals enter and exit a business. In the UK, healthcare workers and local government officials on the Isle of Wight will be able to download a test version of the NHS’s contact tracing app, which was developed by NHS’s digital unit, NHSX.

Note: As they say for cryptography: Do not roll your own. Researchers have developed a number of contact tracing protocols that carefully weigh the value of the data vs. the privacy of the participants. Apple and Google are working on an API to implement these protocols in their devices. Contact tracing applications will not work if early implementations are not using these protocols and destroy the public’s trust in contact tracing. Trust matters. These applications will work only if a majority of users turn them on. An overview of some of the proposed contact tracing protocols can be found here: isc.sans.edu: Privacy Preserving Protocols to Trace Covid19 Exposure

Downloader Bundles Malware with Older Version of Zoom. Users are urged to be vigilant about the source when downloading Zoom software. Researchers at Trend Micro have detected a campaign that bundles shady Zoom downloads with the RevCode WebMonitor remote access Trojan (RAT).

Cyberthieves Targeting COVID-19 Research at UK Universities. The UK’s National Cyber Security Centre (NCSC) has warned that foreign hackers are targeting British universities and research facilities in an effort to steal COVID-19-related research. None of the attacks appears to have been successful.

Phishing eMails Look Like Microsoft Teams Alerts. A recently detected phishing campaign uses messages that pretend to be Microsoft Teams notifications. The emails attempt to get users to divulge their Office365 credentials. The campaign is especially worrisome as people working from home are likely to be expecting to receive such notifications.

CISA Reminds Agency CIOs to Use Approved DNS Resolution Service. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has sent a memo to federal agency CIOs reminding them that they are required to use the EINSTEIN 3 Accelerated DNS resolution service for devices connected to federal networks. The reminder comes while many federal employees are working from home and may attempt to connect to government networks through unsupported DNS encryption services. CISA is also planning to notify agencies of DNS traffic anomalies.

Note: In the April 10th NewsBites, I pointed to several good choices of DNS services to recommend to home workers. The CISA memo recommends many of the same ones: Cisco (OpenDNS), Cloudflare, Google and Quad9.

North Dakota Broadband Service Provider Hit With Ransomware. Dakota Carrier Network (DCN), a consortium of more than a dozen broadband companies, was the victim of a ransomware attack. DCN’s CEO said the attack was detected early in the morning of Sunday, April 26. The company “quickly shut everything down and restored all of [its] data from the most recent tape backup, which was Friday, April 24.” The hackers have posted information stolen from DCN to a website.

Read more in: North Dakota government fiber provider hit by ransomware

NGA Selects Seven States for Cybersecurity Policy Development Program. The US National Governors Association (NGA) has selected seven states to be the 2020 cohort for its cybersecurity policy development program. Colorado, Michigan, Mississippi, New York, Oregon, Pennsylvania, and Tennessee will receive guidance to help them “create strategic plans to address statewide cybersecurity governance, critical infrastructure cybersecurity, statewide cyber disruption response planning, cybersecurity workforce development and state-local partnerships in cybersecurity.”

The headline on 01 May 2020

U.K. Launches Virtual Cyber School. The UK Government is inviting all high school students in England, Scotland, Wales, and Northern Ireland to join a virtual cybersecurity school as part of plans to make sure the country develops the next generation of professional cyber defenders. At a time when schools remain closed to most children, the online initiative aims to inspire future talent to work in the cybersecurity sector and give students a variety of extracurricular activities they can do from the safety of their homes. By becoming gamified “cyber protection agents,” teens learn how to crack codes, fix security flaws and dissect criminals’ digital trails while progressing through the game as a cyber agent. This will help them develop important skills needed for future jobs, particularly in cybersecurity.

Note: This program also will enable the UK to identify and nurture elite cyber talent early, just as the Israeli government identifies and supports young cyber talent who are then guided into its world-class national cyber programs. Talented students spend hundreds of hours demonstrating their high aptitude for success in cybersecurity and honing their cyber skills.

Ransomware Groups Targeting Healthcare Organizations. Research from Microsoft shows that ransomware groups are increasingly targeting healthcare organizations and other critical industries. Several of the groups gained access to targeted systems months before they launched the attacks.

Note: The Microsoft blog entry starts with a useful checklist of the patch vulnerabilities (and misconfigurations) being exploited: CVE-2019-11510, CVE-2019-0604, CVE-2020-0688, and CVE-2020-10189. Especially if you are in healthcare, good to check those – they include vulnerabilities in security perimeter equipment. Johannes Ullrich of SANS covered this area in his portion of the SANS Threat panel at the RSA conference, and SANS just published a white paper with more detail on that and other current attack trends emphasizing ransomware – available at www.sans.org: SANS Top New Attacks and Threat Report

Ransomware Mentioned More Frequently in SEC Filings. More than 1,000 US Securities and Exchange Commission (SEC) filings over the past year have listed ransomware as a potential risk factor. Reasons for the increased mentions of ransomware include 2018 SEC guidance asking that companies be more forthcoming about the cybersecurity risks they face; ransomware groups targeting organizations rather than individuals; and significant increases in the amount of money the ransomware groups are demanding.

Note: SEC filings are getting to be like drug commercials on TV – more time spent on the risks than on the benefits! The first time I remember ransomware being mentioned in an SEC filing was after the FedEx TNT Express business unit suffered a $300M outage due to NotPetya back in 2017. Now, it is just part of a litany of risks. The National Association of Corporate Directors reports that about 1/3 of SEC filings have already included mention of Coronavirus impact.

Read more in: Ransomware mentioned in 1,000+ SEC filings over the past year

Contact Tracing Technology Raises Concerns. Several groups have expressed concerns about privacy issues in contact tracing apps, which are being developed to let people know if they have come in contact with someone who has COVID-19. The Electronic Frontier Foundation (EFF) is concerned that COVID-19 contact tracing technology being developed by Apple and Google could be used by malicious actors to gather private information. In the UK, scientists and researchers have signed a joint statement expressing concerns about the NHS’s plans to use a contact tracing app, saying that the technology should be analyzed by experts in privacy and security. And in Australia, security experts who examined the COVIDSafe app say that it presents privacy and security issues.

Note:

  • Any app used for something as critical as infection contact tracing needs to be bulletproof – written with security as a top priority and thoroughly reviewed and tested by experts. But there will need to be some individual privacy tradeoffs accepted to make gains in reopening economies while limiting new outbreaks.
  • A Washington Post study found that 3 of 5 Americans say they are unwilling or unable to use the infection alert system under development by Apple and Google, which may impede or undermine the mission of these applications. Without verifiable claims of proper privacy and security handling, wide-spread adoption may be impossible. www.washingtonpost.com: Most Americans are not willing or able to use an app tracking coronavirus infection. That’s a problem for Big Tech’s plan to slow the pandemic.
  • When people are concerned about the health of their families, they make compromises in other priorities. If using a tracing app will allow them to keep their families safe, I guess that a vast majority of people will accept some lessening of their privacy.

Adobe Releases Fixes for Vulnerabilities in Magento, Illustrator, and Bridge. Adobe has fixed a total of 35 vulnerabilities in its Magento, Illustrator, and Bridge products. Twenty-five of the flaws are rated critical; some of these could be exploited to allow remote code execution. These updates were released outside of Adobe’s scheduled monthly updates.

Estonian Internal Security Service Report Discloses Email Compromise. According to a recently published report from the Estonian Internal Security Service, hackers hijacked “a small number of [Mail.ee] email accounts belonging to persons of interest to a foreign country.” The incident occurred last year, and the vulnerability the hackers exploited at Mail.ee has been fixed.

Read more in: Estonia: Foreign hackers breached local email provider for targeted attacks

Microsoft Warns of Malware in Pirated Movie Files. Bootlegged movies on some torrent sites have been found to contain malware, according to a warning from Microsoft. The attack appears to be primarily targeting users in Spain, Mexico, and South America. The malware tries to install cryptocurrency mining software on infected devices.

Note:

  • Explaining the down-side of pirated movie sites can be very challenging for older or financially limited friends and family members looking for home entertainment. The risk of malware causing harm that costs them more in the long run than a legitimate streaming service may be a sufficient enticement. You may need to hand-hold users through the process to ensure they are no longer accessing sources of pirated content.
  • Good to use this one to remind those working at home that if they or anyone in their house is trying to save $5 to $20 a month by going to the pirated video sites (often with dodgy domain extensions) then every computer on their home network is at risk of compromise. Paying for a few months of streaming services while everyone is stuck at home will be way less expensive in the long run.

Fix Available for WordPress Real-Time Search and Replace Plugin Vulnerability. A cross-site request forgery vulnerability in the WordPress Real-Time Find and Replace plugin could be exploited “to inject a new administrative user account, steal session cookies, or redirect users to a malicious site.” The flaw allows attackers to replace code on vulnerable websites. The issue was detected earlier this month and the developer has addressed the vulnerability; users are urged to update to Real-Time Find and Replace version 4.0.2.

Note: Plugin issues will continue. Beyond keeping them updated, assessing their value add versus the risk of compromise should be performed at least annually. Retired and unused plugins should be uninstalled, not just disabled, to leave no trace of potentially exploitable code.
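An added example, not code from the original page, Wordfence or the WP-CLI project, that applies this note and the earlier WordPress XSS note in one audit: it parses the CSV that WP-CLI's `wp plugin list --format=csv` prints, flags discontinued and merely-disabled plugins for deletion rather than deactivation, flags outdated ones for update, and emits the matching `wp plugin` commands. The plugin slugs, version numbers and the sample inventory are constructed assumptions, not real site data.

```python
"""Audit a WordPress plugin inventory and list what to delete or update.

Added example, not code from the original page, Wordfence or WP-CLI.
Input is the CSV that `wp plugin list --format=csv` prints
(columns: name,status,update,version). The slugs and the sample
inventory below are assumptions/constructed, not real site data.
"""
import csv
import io

# Plugins the news item names as discontinued: no fix will ever ship,
# so the only mitigation is removal. Slugs are assumed.
DISCONTINUED = {"easy2map", "total-donations"}

# Constructed sample of `wp plugin list --format=csv` output.
SAMPLE_PLUGIN_LIST = """name,status,update,version
easy2map,inactive,none,1.0.0
blog-designer,active,available,1.0.0
wp-gdpr-compliance,active,none,1.0.0
hello,inactive,none,1.0.0
akismet,active,none,1.0.0
"""


def parse_plugin_list(text):
    """Parse WP-CLI CSV output into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_plugins(plugins, discontinued=DISCONTINUED):
    """Sort plugins into remove / update / keep buckets with a reason.

    A deactivated plugin still leaves its PHP on disk, so the note's
    advice is applied literally: inactive means delete, not disable.
    """
    findings = {"remove": [], "update": [], "keep": []}
    for row in plugins:
        name = row["name"]
        if name in discontinued:
            findings["remove"].append((name, "discontinued upstream"))
        elif row["status"] == "inactive":
            findings["remove"].append((name, "inactive; uninstall, do not just disable"))
        elif row["update"] == "available":
            findings["update"].append((name, row["version"]))
        else:
            findings["keep"].append(name)
    return findings


def remediation_commands(findings):
    """Turn the audit into the WP-CLI commands an admin would run."""
    cmds = [f"wp plugin delete {name}" for name, _ in findings["remove"]]
    cmds += [f"wp plugin update {name}" for name, _ in findings["update"]]
    return cmds


if __name__ == "__main__":
    result = audit_plugins(parse_plugin_list(SAMPLE_PLUGIN_LIST))
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    print("\n".join(remediation_commands(result)))
```

On a real site, feed the script the output of `wp plugin list --format=csv` instead of the sample and review the generated commands before running them.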

Updates Available to Address Flaws in WordPress Remote Learning Plugins. Researchers have found critical flaws in three WordPress plugins used for online learning: LearnPress, LearnDash, and LifterLMS. The vulnerabilities could be exploited to change grades, steal information, cheat on exams, or elevate privileges. There are updated versions for all three plugins that address the flaws.

Twitter Eliminates SMS Services in Most Countries. Twitter has switched off Twitter via SMS service in most countries around the world due to security concerns. Twitter has also purged millions of dormant accounts that had been created over SMS. Twitter temporarily eliminated the ability to tweet via text last fall after CEO Jack Dorsey’s account was hijacked. Twitter is still using SMS for two-factor authentication and account verification.

Note: The security of out-of-band mechanisms, such as the distribution of one-time-passwords via SMS and e-mail, relies in part upon the control exercised by those who provision addresses and phone numbers and those who maintain account profiles. The success of so-called “SIM-swapping” attacks suggests that those people are no less vulnerable to “social engineering” than those who click on the bait in “phishing” messages. All security mechanisms should be relied upon only in the context of their limitations.

Switzerland’s GovCERT Warns of Phishing Schemes Targeting Domain Owners. Switzerland’s Computer Emergency Response Team (GovCERT) has issued a warning about phishing attacks targeting webmasters and domain owners. GovCERT has seen an uptick in the attacks since the beginning of April. The phishing emails have been written in German or French. Users and hosting providers are urged to enable two-factor authentication as well as other steps to protect their accounts.

Note: We know that some of the worst security is practiced by administrators. They are likely to have too much privilege and are more likely than most to share IDs and passwords. In addition to strong authentication, Privileged Access Management systems and multi-party controls are indicated.

CISA Updates Office 365 Security Best Practices to Address Telework Concerns. The US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) has updated its security best practices for Microsoft Office 365. The update specifically addresses configuration issues that arise from migrating to cloud-based collaboration.

Note: Many organizations have implemented cloud-based services quickly in response to the pandemic. Guides like this should be leveraged to make sure that you have implemented minimum security settings. Tyler Robinson from NISOS suggested I also share NSA’s recently published guide for safely selecting and using collaboration services: media.defense.gov: Selecting and Safely Using Collaboration Services for Telework (PDF)
