Cybersecurity News Headline Updated on 20 May 2020 – Ransomware Succeeding, AirGaps Failing, Patch Tuesday: Microsoft, Adobe, and more

The headline on 20 May 2020

Texas Department of Transportation Hit With Ransomware. Computer systems at the Texas Department of Transportation (TxDOT) were hit with ransomware. The agency detected unauthorized network access on Thursday, May 14, and determined that they were experiencing a ransomware incident. TxDOT is the second Texas state agency to suffer a ransomware attack this month; on May 8, computers at the Texas Court System were infected with ransomware.

Note: Back in August 2019 more than 20 Texas state and local agencies were hit with ransomware. At the time, Texas Governor Abbott was quoted as “stressing the importance of public and private sectors alike practicing ‘good cyber hygiene.’” Obviously, there are continued failings in basic security hygiene that require investigation and rapid application of the lessons that should have been learned from last year’s incidents.

Four Arrests in Ransomware Plot Against Romanian Hospitals. Four people have been arrested in connection with a plan to target public health organizations in Romania with ransomware. The plan appeared to be to send spoofed email messages that appeared to come from government officials and to contain COVID-19 information, but which actually would lead to ransomware infections. Three of the suspects were arrested in Romania; the fourth was arrested in Moldova.

Hackers are Using Malware Designed to Target Airgapped Networks. Hackers have targeted air-gapped networks that belong to Taiwan’s and the Philippines’ militaries. The hackers, who are believed to be working on behalf of China’s government, used malware called USBferry, “a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.” According to Trend Micro, the hacking group has been using the malware since 2014.

Note:

  • As Ed Skoudis says: Airgaps are just high latency network links. This malware takes advantage of USB drives to bridge airgaps. Also note that some of the more obscure methods to bridge airgaps that make the news from time to time are more of a curiosity and probably work better to generate headlines and clickbait vs. actual exploits.
  • This malware uses USB removable media to spread and collect data. Judicious use of a USB kiosk or other scanner or one-way link to sanitize media or data transferred between environments can stop or mitigate risks to the air-gapped systems.

The FBI Cracked iPhone Encryption Without Apple’s Help. The FBI has unlocked two iPhones that belonged to a man who shot 11 people at a Florida Naval Air Station in December 2019. The FBI initially asked for Apple’s help unlocking the devices. FBI Director Christopher Wray criticized Apple for not helping, saying that their refusal delayed the investigation. Apple says it responded immediately, providing DOJ with gigabytes of data from cloud backups.

Note: Although the devices in question, an iPhone 5 and iPhone 7, had security weaknesses which could have been used to access the device, the trick is maintaining forensic integrity of the device while obtaining access as well as not triggering a device wipe. While the FBI continues to seek a general use way to access recovered devices, they were able to develop a technique to access these devices which they claim was specific to this situation.

BlueScope Steel Cyber Incident. Australia’s BlueScope Steel Ltd has disclosed that a cyber incident disrupted some of its manufacturing and sales operations in Australia. The incident also caused minor disruptions in Asia, New Zealand, and the US. In a message to investors, BlueScope said it had reverted to manual operations in some impacted areas. A BlueScope official said the company is working with external providers to restore its systems.

European Supercomputers are Shut Down After Cryptomining Malware Infections. Supercomputers throughout Europe are shut down to allow investigations after hackers targeted them to hijack their CPU power to mine cryptocurrency. The attackers are moving from one system to another with compromised SSH credentials. The incident has affected supercomputers in the UK, Germany, Switzerland, and Spain.

Note: Primary access is via compromised SSH credentials, but there is also some evidence of compromised SSH binaries. Multi-factor authentication is a key tool to protect access to valuable resources. HPC relies on exhaustive configuration management to guarantee smooth operation, which should also include identifying and replacing unauthorized binaries or configuration files.
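The note above calls for configuration management that can identify replaced binaries or altered configuration files. The following is an added example, not code from NewsBites or from any of the affected HPC sites: a minimal file-integrity baseline check of the kind a configuration-management run can perform to spot a replaced sshd binary or an edited sshd_config. It assumes GNU coreutils (sha256sum) and POSIX sh; every path and file content in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from NewsBites or any HPC site mentioned): a minimal
# file-integrity baseline check for spotting replaced SSH binaries or altered
# sshd configuration. Assumes GNU coreutils (sha256sum) and POSIX sh.

# build_baseline DIR OUT : record the SHA-256 of every regular file under DIR in OUT.
# Run this from known-good media right after installation and keep OUT off-host,
# so a later compromise cannot rewrite the baseline along with the binaries.
build_baseline() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f | sort | xargs sha256sum ) > "$out"
}

# verify_baseline DIR BASELINE : print one "path: FAILED" line per file whose hash
# no longer matches BASELINE (an absolute path); exit status is non-zero on any mismatch.
verify_baseline() {
    dir="$1"; base="$2"
    ( cd "$dir" && sha256sum --check --quiet "$base" )
}

# demo_tamper_detection : constructed scenario in a temp dir; prints the number of
# files that differ from the baseline (the verifier's FAILED lines, counted).
demo_tamper_detection() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/sbin" "$tmp/usr/bin" "$tmp/etc/ssh"
    printf 'original sshd binary\n'      > "$tmp/usr/sbin/sshd"   # constructed content
    printf 'original ssh client\n'       > "$tmp/usr/bin/ssh"     # constructed content
    printf 'PasswordAuthentication no\n' > "$tmp/etc/ssh/sshd_config"
    build_baseline "$tmp" "$tmp.baseline"

    # Simulate the compromise the note describes: sshd replaced by a different build.
    printf 'trojaned sshd binary\n' > "$tmp/usr/sbin/sshd"

    count=$(verify_baseline "$tmp" "$tmp.baseline" | wc -l | tr -d ' ')
    rm -rf "$tmp" "$tmp.baseline"
    echo "$count"
}

demo_tamper_detection   # prints 1
```

In production the baseline would cover the real paths (for example /usr/sbin/sshd, /usr/bin/ssh and /etc/ssh) and be compared on every configuration-management run; package managers offer a similar check (rpm -V, dpkg --verify), but a baseline stored off-host is what survives an attacker who can also replace the package database.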

Chrome is Testing a Feature That Will Stop Ads From Consuming Too Many Resources. Chrome is testing a feature that will block ads that consume large quantities of computer resources. In the Chromium blog, Chrome Product manager Marshall Vale writes, “a fraction of a percent of ads consume a disproportionate share of device resources, such as battery and network data, without the user knowing about it.” The feature “will limit the resources a display ad can use before the user interacts with the ad,” and display an error message when the ad reaches the consumption limit. The feature is expected to be introduced on the stable version of Chrome toward the end of August.

Note:

  • You can enable this feature today with chrome://flags/#enable-heavy-ad-intervention. This approach uses resource consumption as opposed to Firefox’s anti-cryptomining prevention which relies on blocking known bad domains. Either approach should help keep browser resource use in check.
  • In a recent SANS webinar (www.sans.org: Making and Keeping Work at Home Operations Safe and Productive), Virginia Tech University CISO and SANS Senior Instructor Randy Marchany commented that the dependence on the internet during the pandemic has shown that in many ways internet access has become as important a utility as water, electricity, etc. Browser vendors are building security and viewing controls into browsers for advertising-laden services, while ISPs who charge for access are doing very little about equal access to and secure delivery of digital services needed by school children, small businesses, etc.

WP Product Review Lite Plugin Vulnerability. A critical flaw in the WP Product Review Lite plugin could be exploited to take control of vulnerable WordPress websites. The issue has been fixed in WP Product Review Lite version 3.7.6, which was released on May 14. Users are urged to upgrade as soon as possible. The plugin is installed on at least 40,000 WordPress sites.

Note:

  • WordPress has a hardening guide (wordpress.org: Hardening WordPress) which includes links to additional resources for consideration. In addition to updating this plugin, verify that your plugins are as expected and configurations are as intended.
  • Warnings about vulnerabilities in WordPress plugins are becoming as routine as “patch Tuesday.” While patching is mandatory, it should now be obvious that we cannot patch our way to security. Since we cannot hide WordPress plugins, we best use them sparingly.

Read more in: Critical WordPress plugin bug allows for automated takeovers

US Department of Commerce Rule Places More Restrictions on Huawei. The US Department of Commerce’s Bureau of Industry and Security (BIS) has issued an interim final rule amending an existing rule that aims to prevent Huawei from using US technology in its semiconductor design and production. Foreign companies that use certain US technology will be required to obtain a license before selling it to Huawei. The amended rule will take effect in September 2020. Comments on the document will be accepted through July 14, 2020.

Bill Would Have US Dept. of Commerce Establish Cybersecurity Grand Challenges. A trio of US Senators has introduced the Cyber Leap Act of 2020, which directs the Department of Commerce to create competitions to solve cybersecurity grand challenges, such as making it more expensive for criminals to conduct cyberattacks, improving federal agencies’ response to cyberattacks, and re-imagining digital identity to improve security. The idea of establishing cybersecurity grand challenges grew out of the November 2018 “Cybersecurity Moonshot” report from the National Security Telecommunications Advisory Committee.

The headline on 16 May 2020

ARCHER Supercomputer Offline. The ARCHER supercomputer, used for academic research in the UK, has been offline since Monday, May 11. According to the ARCHER website, the “incident is part of a much broader issue involving many other sites in the UK and internationally.” ARCHER is located at the University of Edinburgh.

Note: While unauthorized use of resources or unexpected jobs running on a supercomputer raise flags immediately, campus data center resources are a current target for crypto mining. Raising the bar on authentication is appropriate. Adding multi-factor authentication and deliberately updating SSH keys go a long way towards keeping this in check.
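The note above recommends raising the bar on SSH authentication. As an added example, not code from NewsBites or from the ARCHER team, the script below audits an sshd_config for the settings that make a stolen password or key most useful, and writes a hardened fragment that requires a key plus a second factor. It assumes OpenSSH’s sshd_config syntax and that a PAM module supplies the second factor; both configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from NewsBites or the ARCHER team): audit an sshd_config for
# settings that let reused credentials walk from one cluster to the next, and
# write a hardened fragment beside the weak one. Assumes OpenSSH sshd_config
# syntax and a PAM module providing the second factor.

# audit_sshd_config FILE : print one line per weak directive found (nothing if clean).
audit_sshd_config() {
    cfg="$1"
    # Drop comments and blank lines; sshd keywords are case-insensitive, so lower-case them.
    grep -v '^[[:space:]]*#' "$cfg" | grep -v '^[[:space:]]*$' |
    while read -r key val _; do
        k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$k=$val" in
            permitrootlogin=yes)        echo "PermitRootLogin yes: root reachable with one stolen credential" ;;
            passwordauthentication=yes) echo "PasswordAuthentication yes: password guessing and reuse work" ;;
            permitemptypasswords=yes)   echo "PermitEmptyPasswords yes: accounts with no password accepted" ;;
            pubkeyauthentication=no)    echo "PubkeyAuthentication no: forces password logins" ;;
        esac
    done
    # No AuthenticationMethods line means a single factor is enough to log in.
    grep -qi '^[[:space:]]*AuthenticationMethods' "$cfg" ||
        echo "AuthenticationMethods unset: no second factor required"
}

# audit_count FILE : number of findings, as a plain integer.
audit_count() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# write_weak_config FILE : constructed configuration of the kind that lets a
# compromised password log in directly, including as root.
write_weak_config() {
    cat > "$1" <<'EOF'
# constructed weak sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication yes
EOF
}

# write_hardened_config FILE : key plus PAM-delivered second factor, no root over SSH.
write_hardened_config() {
    cat > "$1" <<'EOF'
# constructed hardened sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
# keyboard-interactive is the channel a PAM MFA module uses;
# newer OpenSSH releases name this option KbdInteractiveAuthentication
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Constructed demonstration: the weak file yields 3 findings, the hardened one none.
tmp=$(mktemp -d)
write_weak_config "$tmp/weak"
write_hardened_config "$tmp/hardened"
echo "weak: $(audit_count "$tmp/weak") finding(s)"
echo "hardened: $(audit_count "$tmp/hardened") finding(s)"
rm -rf "$tmp"
```

The audit only reads the file, so it can run from the same configuration-management job that checks binaries; the hardened fragment still needs the PAM stack on the host configured for whichever second factor the site uses, and key rotation remains a separate, deliberate step.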

Patch Tuesday: Microsoft and Adobe. Microsoft’s Patch Tuesday for May includes more than 110 fixes. Of those, Microsoft has rated 16 as critical; the rest are rated as important. Adobe’s Patch Tuesday release includes fixes for 24 issues in Acrobat and Reader, as well as 12 in the Adobe DNG Software Development Kit.

Note:

  • A couple of important points: (1) There have been reports of this Microsoft patch release causing more “application error code 0X…” errors than usual, often meaning the update either didn’t take, or memory needs were exceeded or there were connectivity issues. The size of the updates and the number of business Windows laptops being updated over marginal home WiFi connectivity could be part of the problem – this is a good month to recheck that all business PCs actually did install the updates. (2) SAP issued a notice about many vulnerabilities in several of their SaaS cloud-based applications and Cisco issued a big list of patches for their ASA appliances and Firepower software, too.
  • Adobe gives this update a priority rating of 2, which means there is an elevated risk but no known exploits, and none are expected imminently. This means that pushing the patch with your monthly patch cycle, rather than as an out-of-band patch, is sufficient and should not distract you from applying the larger Microsoft update.
  • The rate of published “fixes” suggests that there is a reservoir of known and unknown vulnerabilities in these popular products (e.g., operating systems, browsers, readers, content managers). They present an attack surface much larger than the applications for which they are used and cannot be relied upon to resist those attacks. They should not be exposed to the public networks. Hiding them behind firewalls and end-to-end application layer encryption moves from “good” practice to “essential.”

US Accuses China of Cyberattacks Aimed at Stealing COVID-19 Research. In a joint statement, the US Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) accused hackers working on behalf of the People’s Republic of China (PRC) of launching cyberattacks against US organizations involved in COVID-19 research and attempting to steal intellectual property.

Toll Group Says Ransomware Hackers Downloaded Corporate Data. Australian shipping company Toll Group said that the hackers behind a recent ransomware attack “downloaded some data stored on [a] corporate server.” The Toll Group, which experienced another ransomware attack earlier this year, is determined not to pay the ransom.

Note: This appears to be the Nefilim ransomware which often spreads through insecure RDP services. It is not yet known if Nefilim operators will threaten to reveal exfiltrated data to ensure payment, as the Maze operators do. The Toll Group claims there was no operational data affected, indicating they not only are aware of what data was on that server, but also that they have taken the necessary steps to assess the risk of that data being exposed.

Customer Data Exfiltrated in Ransomware Attack on Magellan Health. Arizona-based Magellan Health, Inc., has disclosed that it was the victim of a ransomware attack. The company’s systems were initially breached on April 6, 2020, through a phishing email that was spoofed to appear to come from a client. Magellan detected the ransomware attack on April 11. Between the initial breach and launch of the ransomware, the attackers exfiltrated data taken from a company server. The stolen data include customers’ personally identifiable information, including names, Social Security numbers, and Taxpayer ID numbers.

Note: It is essential that healthcare institutions address their vulnerability to extortion attacks; their ability to perform their mission depends on making improvements. At a minimum, there must be a documented plan or risk acceptance that describes how the institution will respond to such attacks.

Scammers Steal Millions from Norwegian State Investment Fund. Fraudsters stole $10 million from Norfund, Norway’s state-owned investment fund for developing countries. The scammers gained access to Norfund’s network and spent months laying the groundwork for the theft, monitoring the organization’s operations and injecting themselves into communications. The $10 million investment was intended for a Cambodian microfinance organization. The fraudsters infiltrated communications between Norfund and the Cambodian organization over a period of several months. The money that was supposed to go to that organization was instead transferred to an account in Mexico. The fraudulent transaction took place on March 16, 2020, but Norfund did not realize the funds had been stolen until April 30.

CISA Lists Top 10 Most Exploited Vulnerabilities. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a list of the 10 vulnerabilities most commonly exploited by foreign hackers between 2016 and 2019. CISA has also listed the vulnerabilities that are most frequently being exploited in 2020. The alert includes a listing of indicators of compromise and mitigations for each of the vulnerabilities. CISA notes that “a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective.”

Note:

  • Pay particular attention to the ones listed for 2020 – the vulnerabilities in VPN (and other security) appliances being exploited is something Johannes Ullrich pointed out in the SANS Top New Attack Trends keynote at RSA (www.sans.org: SANS Top New Attacks and Threat Report). The scanning for misconfigured cloud applications is an ongoing issue, but the rush to cloud-based teleconferencing and storage/collaboration apps to support Work From Home has made misconfigurations even more likely.
  • Note that the vulnerabilities are listed by CVE which are then summarized, such as vulnerabilities in Microsoft OLE. Mitigations start with basic cyber hygiene – timely application of patches and following security configuration guides. Leverage continuous monitoring, including scanning and testing, to verify products remain updated and secure.

Ramsay Cyberespionage Toolkit Targets Air-Gapped Networks. Researchers at ESET have found samples of malware that steals information from air-gapped networks. The cyber-espionage toolkit, dubbed Ramsay, appears to be under development; each of the three samples contains new features. Each of the three has been used to conduct attacks through varying attack vectors.

Note: The ESET research provides information about how the malware spreads, actions it can perform, and how it gathers and exfiltrates data, as well as IOCs to aid discovery and response. Ramsay appears to share roots with the PLANEPATCH and Retro malware strains. There is no explicit information on how data from air-gapped computers is accessed; the assumption is that data would be intercepted when transferred to those systems over thumb drives or by an attacker with physical access to target systems. The use of a media kiosk, which prevents transfer of malware and direct insertion of media from one system to another, could prevent the transfer of the malware to the air-gapped system; this would not prevent the capture of data from media inserted into a connected compromised system.

Privilege Elevation Vulnerability in Google’s Site Kit WordPress Plugin. A critical flaw in Google’s Site Kit WordPress plugin could be exploited to access vulnerable sites’ Google Search Console. The privilege elevation vulnerability could be exploited “to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.” Google was alerted to the problem on April 21, 2020, and a fix was released on May 7.

Note: WordPress plugin weaknesses remain a popular target of exploitation. As the plugins are run with privileges needed to modify the entire WordPress site and installation, any weakness, when exploited, can be significant. While there are ways to convert a site to read only, that requires new processes for updating content and software which may outweigh the benefits or the overhead of judicious monitoring and updating of your site.

CISA: Lazarus Hacking Group is Using New Malware. The Cybersecurity and Infrastructure Security Agency (CISA) has released three Malware Analysis Reports detailing new variants of malware that are being used by hackers acting on behalf of North Korea’s government. The new malware variants are a remote access tool called Copperhedge, and two Trojans, known as Taintedscribe and Pebbledash.

US Supreme Court Hearing CFAA Case. The US Supreme Court is hearing a case that could affect the way the Computer Fraud and Abuse Act (CFAA) is enforced. The case the court is hearing involves a police officer who used his access to law enforcement databases to conduct a search in return for payment. Circuit courts are not in agreement about the scope of the CFAA. Some say there has to be deliberate malicious hacking for a CFAA violation; others say that merely violating terms of service is sufficient.

Note: It seems unlikely that the SCOTUS can “fix” the CFAA, written when most access to computers was by insiders. Congress must undertake the thankless job of crafting a law that will outlaw abuse and misuse of computer applications and the Internet while minimizing unintended consequences. Drafting such a law will be difficult but not impossible.

Read more in: US Computer Fraud and Abuse Act: How an upcoming Supreme Court ruling could have serious ramifications for ethical hackers

UK Power Grid Middleman Suffers Cyberattack. British power grid middleman Elexon has suffered a cyberattack that affected its internal IT systems. In a bulletin posted to its website, the company provided few details about the incident, but did note that they “are unable to send or receive any emails.” The company said on Thursday that it has found the “root cause” of the problem.

The headline on 13 May 2020

Lessons Learned From Analysis of Ransomware Attacks. In a Threat Research report, Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents, FireEye takes a close look at MAZE ransomware. The report draws from FireEye Mandiant Threat Intelligence’s experience responding to multiple incidents as well as “research into the MAZE ecosystem and operations.”

Note:

  • The FireEye report provides insight into how the various Maze teams operate as well as indicators of compromise. The affiliate model of Maze distribution suggests the TTPs will continue to change over time. It is worth noting that the initial compromise is not just users falling for a phishing attack, but also may be via exposed vulnerable services such as RDP or VDI services using compromised accounts. The call to action is ransomware protection, which includes both user awareness and due diligence, particularly for the security of internet facing services. At a minimum, enable multi-factor authentication and limit account access so compromised credentials cannot be readily used for maleficence.
  • Several ransomware news items in this issue of NewsBites – the FireEye report around MAZE serves as a good summary of most ransomware incidents. Two major ways initial compromise was gained: (a) targeted phishing via email; and (b) exploitation of glaring lack of basic security hygiene in patching, server configuration and privilege management. The techniques used for lateral movement included sophisticated “living off the land” exploits but plenty of success from simple techniques like searching for files containing the text “password.” SANS published a “2020 Threat Trends Report” with advice from SANS instructors Ed Skoudis, Heather Mahalik and Johannes Ullrich on this and related threat areas. www.sans.org: SANS Top New Attacks and Threat Report
  • One interesting finding is that the attacks are a team effort, involving multiple skilled parties, using a black market to cooperate, collaborate, and coordinate.

Nation State Hackers Targeted Pharmaceutical Company That Makes Drug Being Used to Treat COVID-19. Suspected nation-state hackers have reportedly targeted employees of a company that makes Remdesivir, a drug that has shown promise in speeding up recovery of patients suffering from COVID-19. The hackers attempted to trick employees of Gilead Sciences, Inc., into disclosing their email account credentials. The US Food and Drug Administration (FDA) last week granted the drug emergency use authorization. The US and Britain have recently warned that nation-state-backed hackers are increasingly targeting organizations involved with developing treatments for COVID-19.

Note: Enterprises with significant intellectual property should be using strong authentication.

Read more in: Exclusive: Iran-linked hackers recently targeted coronavirus drugmaker Gilead – sources

Diebold Nixdorf Suffered Ransomware Attack Last Month. Diebold Nixdorf, which makes automated teller machines (ATMs), point-of-sale systems, and related software, was hit with a ransomware attack in April. The company’s security team detected unusual activity on the corporate network on Saturday, April 25; they started disconnecting systems to prevent the malware from spreading further. Diebold says it did not pay the ransom.

Note: Today’s NewsBites could be called “The Ransomware Round-Up.” Ransomware clearly is a preferred attack mechanism today, with attackers increasingly not only encrypting the data, but also stealing it and threatening public disclosure unless they are paid. Based on that evolution of these attacks, I found this quote from Lawrence Abrams of BleepingComputer really thought provoking: “Every ransomware attack has to be treated as a data breach now.”

Read more in: krebsonsecurity.com: Ransomware Hit ATM Giant Diebold Nixdorf

Pitney Bowes Detects Ransomware Attack, Prevents Data Encryption. Mailing services and equipment company Pitney Bowes has suffered a second ransomware attack. The company managed to detect the most recent attack and stop it before any data were encrypted. However, the attackers, who used Maze ransomware, claim they have stolen data from the company and are threatening to publish it. Pitney Bowes was also the target of an October 2019 ransomware attack that caused limited downtime for some package tracking systems. The ransomware used in that attack was Ryuk.

Texas Court System Hit With Ransomware. The Texas courts system became infected with ransomware late last week; the incident was detected early on Friday, May 8. Websites and servers were disabled to prevent the malware from spreading further. The Office of Court Administration administrative director says they do not plan to pay the ransom.

Data Stolen From NYC Law Firm in Ransomware Attack. A New York City law firm has been hit with REvil (also known as Sodinokibi) ransomware. The attackers are threatening to expose data they claim to have stolen from the firm’s systems. They plan to release the data in nine stages unless the firm pays the ransom demand. The law firm, Grubman Shire Meiselas & Sacks, has a large number of high-profile clients.

German University Takes Systems Offline in Wake of Ransomware Attack. A ransomware attack against IT systems at Ruhr-Universität Bochum has forced the German university to take down portions of the network, including backup systems. Last week, the university announced that “Due to significant technical problems in the IT infrastructure, a large number of systems have not been available since around 8 a.m. on Thursday, May 7, 2020.” Users are unable to access the university’s email system or the school’s VPN tunnel.

Note: We need to dramatically raise the cost of attacks, starting with strong authentication, “least privilege” access control, system to system isolation (think “zero trust”) among other measures. We must not continue to fund this growing extortion cabal. We have known what to do for more than a decade. If not now, when?

Samsung Releases Fix for Critical Zero-click Flaw. Samsung has made an update available to address a critical zero-click vulnerability that affects devices running Android versions 4.4.4 and later. The flaw could be exploited to assume permissions and privileges granted to Samsung Messenger; no user interaction is required. The issue lies in a problem with the way Android’s Skia graphics library handles .qmg images.

Note:

  • The Qmage image format, developed by Quarmsoft, is Samsung-specific. While the exploit takes 50-100 messages to bypass ASLR, it is possible to send those messages without triggering device alerts, and requires no user action to exploit, making this a very stealthy attack. While the update applies to a wide range of devices, check Samsung’s Android Security Updates page to make sure your device is in scope for updates, particularly if it is more than three years old.
  • Safe operation of Android devices requires cooperation between vendors, carriers, and knowledgeable end users. Nice people do not give such devices to children or the elderly.

DHS’s CISA Says Online Voting Has Significant Security Risks. In an advisory to election officials and voting vendors, the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned that online voting “faces significant security risks to the confidentiality, integrity, and availability of voted ballots.” Other agencies, including the FBI, the Election Assistance Commission (EAC), and the National Institute of Standards and Technology (NIST), have signed off on the guidance.

Note:

  • It’s interesting to see this comment come in the same issue as the Diebold ransomware story.
  • The response to the Pandemic demonstrates the need for online voting. Surely we can do as good a job online with purpose-built apps as the banks do. Surely we can do as good a job as is done with paper, rubber stamps, and double envelopes. We cannot continue to allow the perfect to be the enemy of good enough.

Read more in: DHS memo: ‘Significant’ security risks presented by online voting

MITRE Releases APT29 Emulation Test Results for Products From 21 Vendors. MITRE has released the results of evaluations of security products’ response to attacks that emulated the activity of the APT29 hacking group. In all, products from 21 vendors were evaluated.

Note: This is worth reading, not necessarily to determine how the various products fared in the testing, but to get an understanding as to how threat actors attack your network and how to prevent that from happening.

Virginia State Government Website Subdomains Hijacked. Two subdomains of the state of Virginia’s official government website were hijacked by hackers who set up what appear to be suspicious e-book sites. A researcher with the Electronic Frontier Foundation (EFF) found the sites and contacted Motherboard. After Motherboard notified the State of Virginia, the sites were taken down. A spokesperson for Virginia’s state government says they plan to “undertake a full audit of the Virginia.gov domain to verify the hosting and content responsibilities across the platform.”

Read more in: Hackers Turned Virginia Government Websites Into Elaborate eBooks Scam Pages

Thunderspy Data Stealing Attack. A researcher from Eindhoven University of Technology in the Netherlands has discovered an attack that allows attackers to steal data from Windows and Linux devices that have Thunderbolt ports. Exploiting the vulnerability, known as Thunderspy, requires physical access to the targeted device.

Note:

  • To exploit this vulnerability, an attacker has to have access to your laptop, needs to open it, and then apply new firmware. Exploitability depends on how easy it is to open the device and how easy it is to reach the respective components that need to be patched. With current travel restrictions, attacks are unlikely. But if you ever get to travel again, you could cover your laptop’s screws in glitter nail polish to make it easier to detect tampering. And as a reminder: There are about 6 or 7 ransomware attack stories in this edition of NewsBites alone. Once you have ransomware under control, this may be an attack worth worrying about.
  • While this attack does require physical access to a system, it’s still a fascinating approach to undermining the security levels that were… bolted on… to Thunderbolt. Direct Memory Access (DMA) attacks have been around for many years and are based on the idea that, to achieve high speeds, we can have devices and even peripherals talk directly to memory with little involvement of the CPU. That’s hard terrain to defend.
  • While the exploit requires physical access, the Thunderbolt bus still needs to be active, so the best mitigation is to not leave systems sleeping, but instead have them powered off or hibernating, particularly when left in a hotel room or vehicle.
  • While this reads like an exciting vulnerability, it requires the attacker to have unfettered physical access to the device. It is probably a technique that will be more useful for forensic investigators rather than attackers.
