Cybersecurity News Headline Updated on 30 May 2020 – Ransomware’s Expanding Footprint; Another Dangerous WordPress Vulnerability, and more

The headline on 30 May 2020

Michigan State University Suffers Ransomware Attack. The computer network at Michigan State University (MSU) was hit with ransomware earlier this week. The ransomware operators, who used malware known as NetWalker, have given MSU one week to pay the ransom. The NetWalker operators have threatened to publish data stolen from MSU’s network if the payment is not received within the given time frame. Researchers at Sophos investigating NetWalker found that the ransomware uses “tools include[ing] legitimate, publicly-available software (like TeamViewer), files cribbed from public code repositories (such as Github), and scripts (PowerShell) that appeared to have been created by the attackers themselves.”

Microsoft Warns Users Over PonyFinal Ransomware. Microsoft Security Intelligence has warned organizations about Java-based ransomware known as PonyFinal. Microsoft says that “organizations should focus less on this payload and more on how it’s delivered.” PonyFinal gathers and exfiltrates information about systems it infects and waits for an opportune time to encrypt files.

Note:

  • PonyFinal gains access via brute force attacks against system management servers rather than exploiting an endpoint or user clicking a malicious link. As such, securing system management services, including with multi-factor authentication, is the best mitigation. Verify access controls and monitoring on services which may have been exposed to the Internet to better support work from home.
  • The obvious, but still resisted, defense is strong authentication on those servers, on all servers. Enterprise failure to use strong authentication puts us all at risk.
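
The notes above describe an intrusion that starts with brute-forced logins to a management server. As an added illustration (example code written for this page, not taken from Microsoft's advisory or any PonyFinal analysis), the Python below runs a sliding-window brute-force detector over a few constructed authentication log lines. The key=value log format, the host name mgmt01, the usernames and the IP addresses are all invented for the sample. A source is flagged once it exceeds a failure threshold inside the window, and a later successful login from an already-flagged source is raised separately, because that is the event a responder most needs to see.

```python
"""Sliding-window brute-force detector over authentication log lines.

Added example. The log format below (ts auth server= user= src= result=)
is constructed for illustration and is not any vendor's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth server=(?P<server>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one noisy source, one legitimate user who mistypes
# once, one unparsable line, and two failures spread an hour apart.
SAMPLE_LOG = """\
2020-05-28T03:14:01Z auth server=mgmt01 user=admin src=203.0.113.7 result=FAIL
2020-05-28T03:14:03Z auth server=mgmt01 user=administrator src=203.0.113.7 result=FAIL
2020-05-28T03:14:05Z auth server=mgmt01 user=svc_backup src=203.0.113.7 result=FAIL
2020-05-28T03:14:06Z auth server=mgmt01 user=jsmith src=198.51.100.4 result=FAIL
2020-05-28T03:14:08Z auth server=mgmt01 user=root src=203.0.113.7 result=FAIL
2020-05-28T03:14:09Z auth server=mgmt01 user=jsmith src=198.51.100.4 result=OK
2020-05-28T03:14:10Z auth server=mgmt01 user=sccmadmin src=203.0.113.7 result=FAIL
2020-05-28T03:14:12Z auth server=mgmt01 user=deploy src=203.0.113.7 result=FAIL
this line is not an auth record
2020-05-28T03:14:30Z auth server=mgmt01 user=deploy src=203.0.113.7 result=OK
2020-05-28T03:20:00Z auth server=mgmt01 user=admin src=192.0.2.9 result=FAIL
2020-05-28T04:20:00Z auth server=mgmt01 user=admin src=192.0.2.9 result=FAIL
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return alerts as (kind, src, server, timestamp) tuples.

    BRUTE_FORCE fires once per (src, server) when `threshold` failures
    land inside `window_s` seconds; BRUTE_FORCE_SUCCESS fires on every
    later successful login from a source that was already flagged.
    """
    recent = defaultdict(deque)  # (src, server) -> failure timestamps in window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["server"])
        q = recent[key]
        # Evict failures that have aged out of the window.
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("BRUTE_FORCE", rec["src"], rec["server"], rec["ts"]))
        elif key in flagged:
            alerts.append(("BRUTE_FORCE_SUCCESS", rec["src"], rec["server"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, server, ts in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind} src={src} server={server}")
```

The threshold and window are deliberately low so the sample trips them; in production they are tuned per service, and the spread-out failures from the third source show why a window matters: without eviction, slow attempts accumulate into false positives.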

New Mexico County Government Suffers Ransomware Attack. Computers at the Rio Arriba County, New Mexico government were hit with ransomware. According to a news release, “nearly every county server that has files or databases on it has been affected in some way, including the County’s backup servers.” Officials discovered the situation on Tuesday, May 26.

WordPress PageLayer Vulnerabilities. A pair of flaws in the PageLayer WordPress plugin could be exploited to take control of or even wipe vulnerable sites. Version 1.1.2 of PageLayer, which was released on May 6, addresses the issues. The plugin has more than 200,000 active installations. As of May 27, the updated version of the plugin had been downloaded 85,000 times; that number includes both updates and new installs.

Note:

  • The Verizon DBIR reported that 43% of “breaches” involved web applications.
  • There are few more dangerous applications than content management systems like WordPress.

Russian Cyber Actor Group Sandworm is Exploiting Exim Flaw. A cybersecurity advisory from the US National Security Agency (NSA) warns that “Russian cyber actors … have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019.” The hacking group, known as Sandworm, has likely been exploiting the known vulnerability to gain purchase in targeted systems and move through networks. Sandworm is believed to have been involved in cyberattacks targeting Ukraine’s power grid.

Note: If you’re running Exim servers, make sure that you’re running version 4.92 or higher, and watch for connections from Sandworm-associated domains and addresses.

Shadowserver Finds Funding From Multiple Sources After Cisco Withdraws Support. Earlier this year, security nonprofit Shadowserver learned that it was losing its main source of support. Cisco, which had been Shadowserver’s primary source of funding for 15 years, announced in March that it would no longer fill that role. On Wednesday, May 27, Trend Micro announced that it will help fund Shadowserver over the next three years; other organizations have also stepped forward to help with funding. Shadowserver scans billions of IP addresses every day, provides activity reports to computer emergency response teams (CERTs) around the world, and helps track hackers and contain attacks.

Note:

  • It’s nice to have good news these days. Not only did Shadowserver have to find new funding sources, they also had to move out of Cisco’s data centers. Good non-biased threat intel sources, such as Shadowserver, are key for effective analysis and response.
  • Kudos to Trend Micro and others for supporting Shadowserver’s efforts. In most areas of life we find a mix of private enterprise, government agencies, and non-profit/non-government organizations is an effective “triad” – same is true with cybersecurity.
  • This is very welcome news. I know from my involvement with IRISSCERT that the data we get from Shadowserver is invaluable.

Read more in: Shadowserver, an Internet Guardian, Finds a Lifeline

Germany Urges Users to Install iOS Updates; Apple Releases macOS Updates, Too. Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) is urging iOS users to install updates Apple released on May 20 to address a pair of zero-click vulnerabilities that are being actively exploited. The attacks have been occurring since at least January 2018. In a separate story, Apple has also released security updates for macOS and related software.

Note:

  • Apple iOS updates are usually very low risk and users do not resist them; “urging” not required. 13.5 was an exception; it had a conflict with an iOS feature called “family sharing” in which one family member pays for all apps used by the family. The fix to this was to re-install the apps, which for many simply happened automagically.
  • iOS & iPadOS 13.5 and iOS 12.4.7 were released with fixes to the long standing email security flaw reported in NewsBites Volume 22, Number 33. iOS & iPadOS 13.5 include a number of features aimed at COVID-19, such as improvements in facial recognition when wearing a mask which focus on the user’s eyes. Check the Apple Security Updates page for the other products updated: support.apple.com/en-us/HT201222

Open Letter Calls on Governments to Work Together to Stop Cyberattacks Targeting Healthcare Organizations. In a joint statement, the International Committee of the Red Cross and the Cyber Peace Institute have called for governments to take steps to help prevent cyberattacks against healthcare organizations. The signatories of an open letter “call on the world’s governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations.”

SSH Maintainers Say SHA-1 Support Will be Discontinued. The OpenSSH and libssh projects plan to retire SHA-1-based algorithms as the hash becomes cheaper to attack. SHA-1 has been known to be weak for 15 years, but the cost of a practical attack keeps falling: “It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.”

Note: Phasing out SHA-1 hashing has taken much longer than expected. Seems like we’ve been removing SHA-1 hash support for 10 years. Generate new SSH keys, including host keys, using a stronger hash like SHA-2 before the library is retired and make sure that other less secure encryption algorithms are also disabled to both mitigate attacks and ensure operations continue after support is deprecated.
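
Before disabling anything, it helps to know exactly which algorithms a server or client still offers. The SHA-1 dependency is visible in the SSH_MSG_KEXINIT message both sides send at the start of every connection (RFC 4253 section 7.1). The Python below, added for this page and not taken from OpenSSH or libssh, builds a KEXINIT payload from a constructed algorithm offer, parses it back from the wire format, and reports every negotiable name that rests on SHA-1. The offer in LEGACY_OFFER is invented to look like a typical not-yet-hardened server; the list of SHA-1-dependent names is an assumption based on the standard algorithm names and is not exhaustive for every vendor extension.

```python
"""Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and report
which negotiable algorithms still depend on SHA-1.

Added example. LEGACY_OFFER is constructed, not captured from a real
server, and SHA1_ALGORITHMS is this example's own (non-exhaustive) list.
"""
import os
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists, in wire order, that follow the 16-byte cookie.
NAME_LIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Names whose security rests on SHA-1. Note that "ssh-rsa" here is the
# RSA-with-SHA-1 *signature scheme*; the same RSA key can still be used
# with rsa-sha2-256 / rsa-sha2-512.
SHA1_ALGORITHMS = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "ssh-rsa",
    "ssh-dss",
    "hmac-sha1",
    "hmac-sha1-96",
    "hmac-sha1-etm@openssh.com",
    "hmac-sha1-96-etm@openssh.com",
}


def _put_name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields, first_kex_packet_follows=False, cookie=None):
    """Serialise a KEXINIT payload from a dict of name lists."""
    cookie = cookie if cookie is not None else os.urandom(16)
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in NAME_LIST_FIELDS:
        out += _put_name_list(fields.get(f, []))
    out += bytes([1 if first_kex_packet_follows else 0]) + struct.pack(">I", 0)
    return out


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [names]} plus cookie and flag."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    fields = {"cookie": payload[1:17]}
    pos = 17  # message byte + cookie
    for f in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        fields[f] = raw.split(",") if raw else []
    if pos + 5 > len(payload):
        raise ValueError("truncated trailer")
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields


def sha1_exposure(fields):
    """Return {field: [sha1-dependent names]} for every field with a hit."""
    hits = {}
    for f in NAME_LIST_FIELDS:
        weak = [n for n in fields.get(f, []) if n in SHA1_ALGORITHMS]
        if weak:
            hits[f] = weak
    return hits


# Constructed offer: modern algorithms first, SHA-1 ones kept "for
# compatibility", which is how many servers look before hardening.
LEGACY_OFFER = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256",
                       "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa",
                                   "ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com",
                                               "aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com",
                                               "aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com", "hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com", "hmac-sha1"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
}


def audit_offer(offer):
    """Round-trip an offer through the wire format, then audit it."""
    return sha1_exposure(parse_kexinit(build_kexinit(offer)))


if __name__ == "__main__":
    for field, weak in audit_offer(LEGACY_OFFER).items():
        print(f"{field}: still offers {', '.join(weak)}")
```

Because the host-key entry that trips the audit is the ssh-rsa signature scheme rather than the key material, removing it from the server's host-key and accepted-key algorithm lists is enough for RSA keys on clients that support rsa-sha2-256 or rsa-sha2-512; the remaining hits (the group14-sha1 exchange and hmac-sha1) are pure configuration changes.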

Cisco Servers Breached Through SaltStack Vulnerabilities. Earlier this month, six Cisco servers that support its Virtual Internet Routing Lab Personal Edition (VIRL-PE) were compromised. The hackers exploited critical vulnerabilities in the Salt management framework. The breach occurred on May 7; Cisco remediated the issue the same day. Cisco disclosed the incident on Thursday, May 28.

Israeli Government Official Says Water Systems Cyberattack Thwarted Last Month. An Israeli government official confirmed water systems in that country were recently the target of a cyberattack. Israel’s National Cyber Directorate detected the attack as it was happening and managed to thwart it.

Germany Warns of Russian Cyberthreats to Critical Infrastructure Operators. A memo sent from German intelligence and security agencies to operators of the country’s critical infrastructure warns that a hacking group that may have ties to Russia’s government has been targeting German power, energy, and water sector organizations. The hackers’ goal appears to be to gain persistent access to IT networks, to steal information and gain access to operational technology (OT) networks.

Read more in: German intelligence agencies warn of Russian hacking threats to critical infrastructure

The headline on 27 May 2020

Ransomware Deploys Virtual Machine to Evade Detection. Researchers from Sophos found that the RagnarLocker ransomware group is installing the Oracle VirtualBox app to run virtual machines (VMs) on targeted computers. The attackers use the VM to execute the ransomware and evade detection. The RagnarLocker operators choose their targets carefully, focusing exclusively on corporate and government networks.

Editor’s Note: The targets chosen are more likely to be running VirtualBox, so its presence alone is not necessarily a red flag. This attack installs an unsigned Sun xVM VirtualBox MSI from 2009, which should trigger endpoint defenses. Unplanned disabling of backup and remote management utilities also merits follow-up. As this group is also known for exfiltrating data, expect threats of data disclosure to accompany ransom demands.

Microsoft Warns of Coronavirus-Related Phishing Scheme Using Malicious Excel Files. The Microsoft Security Intelligence Team has warned of a “massive campaign” that tries to install NetSupport Manager, a legitimate remote access tool, on users’ computers. The phishing campaign pretends to be from Johns Hopkins Center and claims to contain a World Health Organization coronavirus-related situation report. The scheme tries to get users to open email attachments that contain malicious Excel macros.

Editor’s Note: This attack is spoofing an email from the Johns Hopkins Center providing an update on the Coronavirus-related deaths in the United States, with an attached Excel file titled ‘covid_usa_nyt_8072.xls.’ Additionally, Microsoft has announced they are making some of their COVID-19 related threat intelligence open-source to help customers better protect themselves by providing the community a more complete view of attackers’ tactics, techniques, and procedures (TTPs). Information is being provided via threat intelligence sharing feeds for Azure Sentinel Customers, and for the public on GitHub. See: www.microsoft.com: Open-sourcing new COVID-19 threat intelligence

Majority of Apps Contain Flaws via Open-Source Libraries. Open source libraries are ubiquitous; they help developers create apps more quickly. According to the State of Software Security Open Source Edition report from Veracode, 70 percent of apps in use today have at least one vulnerability that exists because of an open source library. The four most common types of vulnerabilities found in open source libraries are access control issues, cross-site scripting, sensitive data exposure, and injection.

Note:

  • The Veracode paper breaks down flaws by language type, with PHP having the most flaws including, at least, a Proof of Concept (PoC) exploit. This introduces the burden of not only monitoring and updating your Open-Source libraries but also integrating these releases with current software lifecycle update processes. The good news is the majority of identified open-source flaws are addressed in small updates unlikely to break applications, reducing the risk and difficulty of remaining current.
  • Good reminder that open source software is just as likely to have vulnerabilities in it as commercial software. A key takeaway from the Veracode report: “Fixing most library-introduced flaws in most applications can be accomplished with only a minor version update. Major library upgrades are not usually required!”
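
The report's takeaway that most library-introduced flaws need only a minor version bump is something a team can measure for itself. The Python below is an added example written for this page (not Veracode's tooling): it reads pinned dependencies from a requirements file, matches them against an advisory list, picks the lowest version that clears every applicable advisory, and classifies the required upgrade as a patch, minor or major bump. The package names, versions and advisories are all constructed for illustration and do not correspond to real projects or real CVEs; the vulnerability classes reuse the four categories named in the story.

```python
"""Classify how large an upgrade each vulnerable pinned dependency needs.

Added example. REQUIREMENTS and ADVISORIES are constructed for
illustration; the package names are invented and the advisories are not
real CVEs.
"""
import re

# Only exact pins ("name==x.y.z") are audited; a version range cannot be
# checked without resolving it first.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")

# Constructed advisories: (package, introduced, fixed, vulnerability class).
# A pinned version v is affected when introduced <= v < fixed.
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "injection"),
    ("examplelib", "1.4.0", "1.4.3", "cross-site scripting"),
    ("widgetkit",  "0.0.0", "3.0.0", "access control"),
    ("serialz",    "2.1.0", "2.1.9", "sensitive data exposure"),
]

# Constructed requirements file for a hypothetical application.
REQUIREMENTS = """\
# pins for the demo app (constructed)
examplelib==1.4.1
widgetkit==2.7.3
serialz==2.1.9
otherthing==0.9.0
requests>=2.0     # unpinned: skipped by this audit
"""


def parse_version(s):
    """'1.4' -> (1, 4, 0); only dotted-integer versions are supported."""
    parts = [int(p) for p in s.split(".") if p != ""]
    return tuple((parts + [0, 0, 0])[:3])


def parse_requirements(text):
    """Return {package: pinned_version} for exact pins, lower-cased names."""
    pins = {}
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def bump_kind(current, fixed):
    """Classify the upgrade from current to fixed: major, minor, patch, none."""
    cur, fix = parse_version(current), parse_version(fixed)
    for label, c, f in zip(("major", "minor", "patch"), cur, fix):
        if c != f:
            return label
    return "none"


def audit(req_text, advisories=ADVISORIES):
    """Return one finding per vulnerable pin, with the smallest safe target."""
    findings = []
    for name, current in parse_requirements(req_text).items():
        cur = parse_version(current)
        hits = [a for a in advisories
                if a[0] == name and parse_version(a[1]) <= cur < parse_version(a[2])]
        if not hits:
            continue
        # The highest "fixed" version among the hits clears all of them.
        target = max((a[2] for a in hits), key=parse_version)
        findings.append({
            "package": name,
            "current": current,
            "fixed": target,
            "bump": bump_kind(current, target),
            "classes": sorted({a[3] for a in hits}),
        })
    return findings


def summarize(findings):
    """Count findings by bump size, the figure the Veracode report highlights."""
    counts = {}
    for f in findings:
        counts[f["bump"]] = counts.get(f["bump"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(REQUIREMENTS)
    for f in results:
        print(f"{f['package']} {f['current']} -> {f['fixed']} "
              f"({f['bump']} bump; {', '.join(f['classes'])})")
    print(summarize(results))
```

In the constructed sample, examplelib carries two advisories fixed by a single patch release, while widgetkit needs a major upgrade; a real run against a dependency manifest gives the same patch/minor/major breakdown the report describes, which is the number to bring to a planning discussion about how much upgrade work is actually risky.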

EasyJet Breach Exposed Travelers’ Itineraries. The data compromised in the EasyJet breach that was disclosed last week is now believed to include travelers’ itineraries for trips booked between October 17, 2019 and March 4, 2020. The hackers had access to EasyJet data between October 2019 and January 2020. A law firm in the UK has filed a class action claim against EasyJet, under Article 82 of the General Data Protection Regulation (GDPR).

Companies Ask Congress to Block Warrantless Access to Browsing Data and Searches. Seven Internet companies have joined voices to ask Congress to prohibit the collection of browsing and Internet searches without a warrant. The US House of Representatives is scheduled to vote on the USA FREEDOM Reauthorization Act of 2020 this week. Late last week, US Representatives Zoe Lofgren (D-California) and Warren Davidson (R-Ohio) said they would introduce an amendment to the reauthorization legislation that is expected to be very similar to an amendment that failed to pass the Senate by just one vote.

eBay is Conducting Port Scans on Site Visitors’ Computers. When users visit the eBay website, it conducts a local port scan of their computers. The scan, carried out by a script named check.js, probes 14 ports associated with remote access and support tools. eBay scans Windows machines; the scans do not occur when users running Linux visit the site.

Note:

  • This has come up before with financial institutions scanning customers PCs trying to protect customers with compromised PCs from fraud, usually from the login page but not always. In general, in the US and in EU at least, it has been ruled to be legal and not violate various Computer Misuse Acts. But, generally accepted practice is to at least notify, if not obtain permission, for doing this kind of thing. If your organization is asking for advice on doing this kind of thing, best to involve legal counsel.
  • While this is intended as an anti-fraud measure to make sure that a user’s system is secure, the user is not granting permission for this activity, which is concerning with current privacy regulations. As the scan is run via a JavaScript, your local firewall is not going to block it. It can be blocked with browser extensions like NoScript and uBlock Origin, or by using a browser which is not targeted, such as Brave.

Hackers Leak Data Stolen From Banco de Costa Rica After Alleged Cyberattack. Malicious cyber actors claim to have launched a cyberattack against the Banco de Costa Rica and have begun publishing data stolen from the bank’s servers. The attackers say they plan to release more information taken from bank systems every week. Banco de Costa Rica has denied that it suffered an attack. The first set of data published appears to be payment card information belonging to Banco de Costa Rica customers.

Note: Payment card data is still too easy to monetize, now more so in “card not present” transactions. Online merchants should prefer check-out proxies (e.g. PayPal, Apple Pay, Click-to-Pay) to processing payments themselves. Telephone merchants should separate order taking from payment taking.

DHS’s CISA Bolstering Cybersecurity Protections for Organizations Conducting Coronavirus Research. In a webinar last week, US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) assistant director Bryan Ware said that hackers working on behalf of China and other foreign governments have been targeting organizations conducting research into COVID-19 vaccines. CISA has “stepped up” cybersecurity protections for the Department of Health and Human Services (HHS) and the Centers for Disease Control and Prevention (CDC). CISA is also working closely with pharmaceutical companies and other research organizations to keep their Internet-connected devices secure.

Note: The environment in which most of us work is dramatically more hostile than it was two years ago but our security is not much better, sometimes even worse. Keep doing the same thing, expect worse results.

Read more in: DHS’s cyber division has stepped up protections for coronavirus research, official says

National Guard Deployed in Maryland for COVID Aid Also Helping with Cybersecurity. More than two months ago, Maryland’s governor called in the National Guard to help with the coronavirus pandemic. The Guard has been providing help with tests and screening and has also been conducting cybersecurity assessments of state data repositories.

Read more in: Pandemic duties for National Guard include cyber help

Zoom E2E Encryption Whitepaper. Zoom has published a whitepaper that “proposes major security and privacy upgrades for” the company through an “incrementally-deployable four-phase roadmap.” The paper details how the four phases – Client Key Management, Identity, Transparency Tree, and Real-Time Security – will be implemented.

Note:

  • This paper also lays out the current meeting security mechanisms and differentiates between meeting access control features, such as a meeting password, and securing the meeting content, which may use a symmetric key. Take note of where connectors are required to extend encryption to certain devices and the limitations of those connections.
  • I did a webinar with Zoom Head of Product Security Randy Barr, and he gave details on what Zoom has done to date to address needed security improvements and what is on the roadmap for the rest of their first 90 day plan. Encryption gets the press attention but the increase in focus on application security and proactive pen testing, and getting input from industry CISOs are the more important initiatives. Webinar recording available at www.sans.org: Zooming Ahead Safely and Securely: SANS Interviews Zoom’s Head of Product Security
  • “Zoom bombing” notwithstanding, most users have more risk in their operating systems, browsers, readers, etc. than in any application. Zoom remains more vulnerable to meeting host decisions than to attacks on its crypto. Zoom is rapidly approaching “enterprise grade.” However, for most system code, that still involves a reservoir of known and unknown vulnerabilities. When using any conferencing application, prefer device specific purpose-built clients to historically porous browsers.

Read more in: E2E Encryption for Zoom Meetings (PDF)

The headline on 22 May 2020

U.K. and U.S. Virtual Cyber Schools Open This Month. Students ages 13-18 in the UK and the US have the opportunity to take part in a virtual cyber school that offers more than 200 cybersecurity challenges. The program is government sponsored: free for residents of the UK; students in the US can participate for US $100 a year. No background in computers expected or needed. Kids’ observations: “The most fun I’ve ever had learning,” and ”I had no idea I could be so good at computer science.”

Note:

  • Great opportunity to take advantage of current crazy times and get your kids or your company’s employees’ kids into the cybersecurity skills pipeline. The gaming aspect is very cool – much like in the “makers” movement, the fact that the technology is really a tool vs. the entire focus attracts and holds types of kids who had no interest in computers or networks for technology’s sake.
  • My 13 year-old-self would love this type of opportunity. My present-day-self is thinking of all the friends and family who ask how their kids can get started in cyber security and sending this to them. If they object to the cost, I’ll suggest they also look to the SANS Holiday Hack Challenge web site for some fun challenges, reminding them the past solutions are published if they want a hint.

Verizon’s 2020 Data Breach Investigations Report. Some takeaways from Verizon’s 2020 Data Breach Investigations Report: Eighty-six percent of breaches in 2019 were financially motivated, compared with 71 percent in 2018; 70 percent of breaches were caused by outsiders; and 27 percent of incidents were attributed to ransomware. The information in the report is derived from more than 150,000 security incidents experienced by Verizon clients as well as by other organizations in data shared by partners, law enforcement agencies, CSIRTs, and security firms.

Note:

  • The Verizon DBIR is always a good synopsis of incidents and trends to watch for. The report also notes that unsecured or misconfigured cloud data storage opens the doors of small businesses to attacks previously faced only by larger organizations. The report also shows a trend in breaches related to configuration errors catching up with socially engineered ones.
  • This is one of the most valuable reports a security professional can read. The report will give you valuable insights into how to defend your systems and networks. It also gives you good data points when dealing with security vendors to ask them how their product would deal with the breaches and issues raised in the report.
  • The DBIR continues to be a valuable source of open source intelligence. Be sure to read the disclaimers.

Data Stolen from The Toll Group Published on Dark Web. Data stolen from Australian transportation and logistics company The Toll Group have been published to the dark web. The data were taken from a corporate server during an April ransomware attack. Toll has not paid the ransom and has shut down its IT systems to contain the malware. The company was the victim of a ransomware attack in January as well.

Note: When the decision was made not to pay the ransom and recover systems, The Toll Group identified the server and data they believed had been exfiltrated. They are now faced with the challenge of validating the scope and depth of data published to determine appropriate response actions, including deciding whether it is worth paying ransom to prevent additional disclosures.

Read more in: Toll’s stolen data finds itself on the ‘dark web’

US Legislators Push for Complete Phone Encryption Between House and Senate. US legislators want to ensure that phone communications between the House and the Senate are protected by encryption. Currently, most internal calls in both chambers are encrypted. In a letter dated May 19, 2020, legislators ask the Senate Sergeant at Arms and the House Chief Administrative Officer to “take immediate action to encrypt, in bulk, all internal calls and other electronic communications between the Senate, House and other components of the legislative branch.”

Note: Not a bad idea for protecting corporate secrets, too. VoIP phones make the encryption within the system practical, without having to invest in formal COMSEC equipment, provided you have the infrastructure to manage the certificates. The challenge is more and more communications also happen over mobile devices necessitating either a smartphone client on the device, or training users to have sensitive conversations only over the secure phone system. Even with encryption, situational awareness is important to prevent eavesdropping.

Facebook New Messenger Warnings are Based on Metadata. Governments have criticized Facebook’s plans to implement end-to-end encryption for all its apps because they say it allows criminals to escape detection. Facebook is debuting tools that use metadata analysis to generate warnings in its Messenger app when messages appear to come from scammers, child abusers, or other criminals.

Read more in: Facebook Messenger Adds Safety Alerts—Even in Encrypted Chats

Lawsuits Filed Against ADT Over Former Employee Spying On Customers. ADT Security Services is facing lawsuits over the company’s alleged “intentional and negligent tortious acts in providing security services to its customers with remote-viewing capabilities.” ADT has admitted that an ADT technician created admin accounts for himself on customers’ systems and then abused that privilege to spy on them. More than 200 customer accounts were compromised; the activity went on for seven years before it was detected. The scheme was uncovered when a customer in Texas reported an unknown email address as an admin user on their system. ADT conducted an internal investigation and determined that the issue was with one of their employees. ADT fired the individual, reported them to the police, and contacted all affected customers.

Note:

  • Have a clear understanding of what the remote monitoring service can and cannot do. Review accounts with access to your home systems regularly. Even so, the service provider may still have legitimate access to your system for emergency response. If you must have cameras in your home, make sure that privacy needs are considered, including where images can be accessed and stored. Make sure that electronic locks are not the only access control on outer doors so you can prevent them from being unsecured when desired.
  • Quis custodiet ipsos custodes? (Who will guard the guards themselves?) – A great example of why people need to check the security settings of all devices installed in their homes and businesses. Trusting default settings or relying on third parties to set up devices securely can lead to security and/or privacy breaches. Always, review settings on devices to ensure they are secure.
  • Supervision and multi-party controls are indicated to resist insider abuse and misuse. Privileged Access Management software should be considered to provide accountability for privileged users.

EasyJet Data Breach. UK-based EasyJet has disclosed a breach that compromised information, including email addresses and travel details, belonging to 9 million customers. For a small subset of customers, payment card information was also compromised. EasyJet has reported the incident to the UK Information Commissioner’s Office (ICO) and to the National Cyber Security Centre.

Note: As an accommodation to frequent travelers, airlines and hotel chains offer them the option of storing a credit card number for convenience with future bookings. There have been enough successful attacks in the travel industry to make the risk of doing so obvious and significant. Frequent travelers can limit this risk by using tokens from Privacy.com that can only be used by that airline or hotel chain.

Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX. Cisco has released updates to fix a critical deserialization flaw in the Java Remote Management Interface of its Unified Contact Center Express (CCX). The vulnerability could be exploited to execute arbitrary code, including installing malware, on unpatched devices.

Adobe Releases Unscheduled Updates. Adobe has released updates to address a critical vulnerability in Adobe Character Animator. The issue affects Character Animator 2020 versions 3.2 and earlier. The buffer overflow vulnerability could be exploited to allow arbitrary code execution. Adobe has also released fixes for vulnerabilities in its Premiere Rush, Audition, and Premiere Pro products.

Info Leaked from 2019 Mitsubishi Breach May Include Missile Data. Japan’s Defense Ministry is investigating the leak of information about a prototype missile. The data are believed to have been compromised during a cyberattack against systems at Mitsubishi Electric Corp. in late June 2019; the incident was not disclosed until January 2020. The attack exploited a then-zero-day vulnerability in Trend Micro OfficeScan antivirus software.

Note: Am I the only one thinking that I would be able to buy a missile equipped vehicle in the future? The exploited zero-day vulnerability in the Trend Micro AV product has since been patched. Attribution is still tricky, although initial indications point to the Tick group which has previously targeted Japanese and South Korean technology and defense industries.

Data Stolen from Fresenius Dialysis Facilities Leaked. Fresenius Medical Care says that some patient data from dialysis facilities in Serbia has been posted to the Internet. The data include personally identifiable patient information. Fresenius was the target of a ransomware attack earlier this year.
