The headline on 06 June 2020
Maze Ransomware Hits US Military Subcontractor Westech. The operators of Maze ransomware have hit Westech, a US military subcontractor that is involved in maintenance for the US’s Minuteman III nuclear missile program. Hackers appear to have stolen sensitive nuclear missile data from Westech and have begun leaking the files online.
Note: Maze operators publish exfiltrated data to extract payment even from victims that can restore systems from backups, so a tested recovery plan no longer removes the extortion leverage. They also maintain a web site naming victims who refuse to pay, which further complicates the decision of whether to negotiate.
Read more in:
- Hackers steal secrets from US nuclear missile contractor
- U.S. Nuclear Contractor Hit with Maze Ransomware, Data Leaked
DoppelPaymer Ransomware Operators Claim to Have Hit NASA Contractor. The operators behind the DoppelPaymer ransomware say they have infected the network of DMI, a managed IT and cybersecurity services firm. DMI customers include Fortune 100 companies and government agencies. The hackers appear to have obtained NASA-related files from DMI’s network and posted some on a dark web portal.
Read more in:
- Ransomware gang says it breached one of NASA’s IT contractors
- NASA contractor allegedly hit by DopplePaymer ransomware group
Netwalker Ransomware Operators Claim to Have Hit University of California, San Francisco Systems. Operators of the Netwalker ransomware have recently been targeting colleges and universities in the US and threatening to publish stolen data if the ransom is not paid. The group has launched attacks against Michigan State University, Columbia College of Chicago, and most recently, they say they have launched a successful attack against systems at the University of California, San Francisco (UCSF). Researchers at UCSF are running “antibody testing and clinical trials for possible coronavirus treatments,” according to Bloomberg Law.
Read more in:
- Netwalker ransomware continues assault on US colleges, hits UCSF
- Hackers Target California University Leading Covid Research (1)
Foreign Hackers Targeting US Presidential Campaigns. Google’s Threat Analysis Group (TAG) says that hackers believed to be acting on behalf of China and Iran have targeted the US presidential campaigns of candidates in both major political parties. The attackers targeted campaign staff with spearphishing emails.
Read more in:
- Google: Chinese and Iranian hackers targeted Biden and Trump campaign staffers
- Chinese, Iranian phishing campaigns target Biden, Trump campaigns
- Chinese and Iranian hackers targeted Biden and Trump campaigns, Google says
Large Scale WordPress Attack Campaign. Between May 29 and May 31, attackers tried to steal configuration files from more than 1.3 million WordPress websites. The attackers exploited known vulnerabilities in unpatched WordPress plugins and themes. Researchers at Wordfence detected and blocked more than 130 million attempted attacks targeting the sites.
Note: WordPress continues to be a popular target for exploitation. Mitigate the risk by ensuring that WordPress core auto-updates are enabled. If you don’t run a plugin that watches and updates plugins and themes automatically, you can enable those updates yourself by adding the auto_update_plugin and auto_update_theme filters described on the WordPress Automatic Updates configuration page (wordpress.org: Configuring Automatic Background Updates). WordPress 5.5, when released, will make this easier to enable from the admin UI. Even with automatic updates in place, monitor your site to confirm that updates actually apply and that it remains secure.
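As an added illustration (not from the newsletter or from Wordfence), the following Python scans web-server access log lines for the kind of request this campaign relied on: attempts to read wp-config.php, the file that holds the database credentials the headlines below refer to, through a vulnerable plugin or theme endpoint. The log lines are constructed for the example, the plugin and theme paths are hypothetical, and the heuristic (any percent-decoded request that references wp-config.php) is this example’s own rule, not a Wordfence signature. A hit that returned HTTP 200 means the file contents probably left the server, so the database password and the authentication salts defined in that file should be rotated.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

TARGET_FILE = "wp-config.php"   # holds DB_USER / DB_PASSWORD and the auth salts


def normalize(target):
    """Percent-decode repeatedly (attackers double-encode), lowercase, unify slashes."""
    cur, prev = target, None
    for _ in range(5):          # bounded: stop once decoding no longer changes anything
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower().replace("\\", "/")


def is_config_read_attempt(target):
    """True if the decoded path or query string references wp-config.php."""
    return TARGET_FILE in normalize(target)


def scan(lines):
    """Return one record per suspicious request: who asked, for what, and whether it worked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        if is_config_read_attempt(m["target"]):
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "served": m["status"] == "200",   # 200 => file contents likely disclosed
            })
    return hits


def summarize(hits):
    """Count attempts and successes per source IP for blocking and incident scoping."""
    attempts, served = Counter(), Counter()
    for h in hits:
        attempts[h["ip"]] += 1
        if h["served"]:
            served[h["ip"]] += 1
    return {ip: {"attempts": attempts[ip], "served": served[ip]} for ip in attempts}


# Constructed sample log lines; plugin and theme names are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2020:10:01:12 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/May/2020:10:01:13 +0000] "GET /wp-content/themes/example-theme/dl.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/May/2020:10:01:15 +0000] "GET /?file=%252e%252e%252fwp-config%252ephp HTTP/1.1" 404 189 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2020:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2020:10:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, stats in summarize(scan(SAMPLE_LOG)).items():
        print(ip, stats)
```

Run it against a real access log by replacing SAMPLE_LOG with the file’s lines; any source with served > 0 should be treated as having the database credentials, not merely as a scanner to block.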
Read more in:
- Attackers Target 1M+ WordPress Sites To Harvest Database Credentials
- Large-scale attack tries to steal configuration files from WordPress sites
- Large Scale Attack Campaign Targets Database Credentials
Zoom Explains Why End-to-End Encryption is for Paying Customers Only. Zoom says that its end-to-end encryption will be available to paying customers only because it will be easier for the company to comply with FBI requests for access to communications data. A Zoom spokesperson said “We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”
Note:
- Zoom first has to get end-to-end encryption working before we spend much time on whether it should be part of a free offering. Other teleconferencing apps that do include end-to-end encryption on free services get revenue by collecting user information as part of offerings to advertisers – a major privacy issue. Others don’t offer it for free either, or only upon submission of a request to support. Businesses evaluating competing offerings should make overall security management tools and security of the application software (especially the client-side agents) more highly weighted criteria than end-to-end encryption for this kind of application.
- When considering end-to-end encryption for video conferencing, understand both your data protection requirements and what the given solution provides. Know what and where content is not encrypted. For example, voice traffic over the PSTN is not encrypted until it reaches the entry point for the service. Also, understand who is managing the keys and who can access them. Lastly, look at any tradeoffs of using end-to-end encryption. The key exchange process may disable or impede functions you utilize, such as joining before the meeting host. Beyond encryption, make sure that you also have the other meeting security settings properly configured.
Read more in:
- Zoom’s End-to-End Encryption Will Be for Paying Customers Only
- Zoom: Free Users Won’t Get Encryption So We Can Help FBI
- Zoom won’t add end-to-end encryption to free calls so it can keep aiding police
Zoom Addresses Two Remote Code Execution Flaws. Zoom has addressed two vulnerabilities that could be exploited to execute code remotely. Cisco Talos researchers detected the flaws earlier this year. They say that Zoom’s mitigations fixed one of the flaws in May and partially addressed the other in a server-side update, but “Cisco Talos believes it still requires a fix on the client-side to completely resolve the security risk,” according to a Talos Intelligence blog.
Note: These flaws only affect earlier 4.x versions of Zoom. Current 5.x versions are not affected. You should be using the most recent 5.x version. If you are holding back because of virtual camera support, Zoom added virtual camera support back in recent 5.x versions. It was removed in late 4.x and early 5.x versions. Virtual camera support will allow the use of tools like Manycam to pre-process video.
Read more in:
- Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution
- Zoom has partially fixed two new flaws, with other security hurdles ahead
- Two Critical Flaws in Zoom Could’ve Let Attackers Hack Systems via Chat
Large Number of Exchange Servers Remain Unpatched Against Critical Flaw. According to Rapid7 Research’s 2020: Q1 Threat Report, as many as 350,000 Microsoft Exchange servers remain unpatched against a critical privilege elevation flaw (CVE-2020-0688). Microsoft released a patch for the vulnerability in February 2020. The flaw exists in the Exchange Control Panel (ECP) component, which shipped with the same static ASP.NET validation and decryption keys on every installation; an attacker holding any valid mailbox credentials can use the known key to forge a ViewState payload that the server deserializes, executing code as SYSTEM.
Note:
- The patch has been out since February and CISA put out an alert in March about active exploitation of CVE-2020-0688, yet three months later 82% of Exchange servers are still unpatched, according to Rapid7’s scanning! This may indicate that server patching slowed once the coronavirus shutdowns hit, an important warning sign to check all patch levels immediately.
- Several of today’s reports involve “patches.” Unfortunately, the cost of using these popular but porous products includes the hidden cost of routine patching or accepting the risk of not doing so. Only you know which is the efficient strategy for your enterprise but for most it will be patching.
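To make the static-key problem concrete, here is an added Python example (not from Rapid7, Microsoft or the newsletter). The first part inspects the machineKey element of an ECP web.config and reports whether it still carries the pre-patch validationKey; that key value is the one published in the ZDI write-up of CVE-2020-0688 and should be confirmed against that source before you rely on it. The second part is a deliberately simplified model of ASP.NET ViewState integrity protection (HMAC-SHA1 keyed with validationKey; the real scheme mixes in additional modifiers) showing why a key shared by every installation lets an attacker forge a MAC the server accepts, whereas a per-installation random key defeats the forgery. The web.config fragments are constructed and trimmed.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# validationKey shipped identically in every ECP web.config before the February 2020
# patch, as published in ZDI's CVE-2020-0688 write-up (verify against that source).
KNOWN_DEFAULT_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"


def machine_key(web_config_xml):
    """Return the <machineKey> attributes from a web.config, or None if absent."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    return None if mk is None else dict(mk.attrib)


def assess_ecp_config(web_config_xml):
    """Classify an ECP web.config: vulnerable default key, unique static key, or no key."""
    mk = machine_key(web_config_xml)
    if mk is None or "validationKey" not in mk:
        return "no-static-key"
    if mk["validationKey"].upper() == KNOWN_DEFAULT_VALIDATION_KEY:
        return "vulnerable-default-key"
    return "unique-key"


# --- simplified ViewState MAC model ---------------------------------------------
def viewstate_mac(validation_key_hex, viewstate):
    """Model: MAC = HMAC-SHA1(validationKey, viewstate). Real ASP.NET adds modifiers."""
    return hmac.new(bytes.fromhex(validation_key_hex), viewstate, hashlib.sha1).digest()


def server_accepts(server_key_hex, viewstate, mac):
    """Server side: recompute the MAC with its own key and compare in constant time."""
    return hmac.compare_digest(viewstate_mac(server_key_hex, viewstate), mac)


def attacker_forge(key_attacker_believes_server_uses, payload):
    """Attacker side: sign an arbitrary payload with the key they think the server has."""
    return payload, viewstate_mac(key_attacker_believes_server_uses, payload)


def forgery_works(server_key_hex):
    """Does an attacker who knows only the published default key get a MAC accepted?"""
    payload = b"<serialized object of the attacker's choosing>"  # stands in for a gadget chain
    return server_accepts(server_key_hex, *attacker_forge(KNOWN_DEFAULT_VALIDATION_KEY, payload))


# Constructed, trimmed web.config fragments: one pre-patch, one with a random per-install key.
UNPATCHED_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{KNOWN_DEFAULT_VALIDATION_KEY}" validation="SHA1" decryption="3DES"/>
</system.web></configuration>"""

PATCHED_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{secrets.token_hex(24).upper()}" validation="SHA1" decryption="3DES"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("unpatched", UNPATCHED_CONFIG), ("patched", PATCHED_CONFIG)):
        key = machine_key(cfg)["validationKey"]
        print(name, assess_ecp_config(cfg), "forgery accepted:", forgery_works(key))
```

The check is worth running even on servers that report the update installed: the fix works by replacing the shared key with a per-server random one, so a web.config still carrying the default value means the server is exposed regardless of what the patch inventory says.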
Read more in:
- 2020: Q1 Threat Report | Microsoft Exchange Outlook Web Application (OWA)
- Many Exchange Servers Are Still Vulnerable to Remote Exploit
- Into the Great Wide Open With CVE-2020-0688
Kaspersky: Chinese APT Group’s USBCulprit Malware Targets Air-Gapped Systems. Malware dubbed USBCulprit targets air-gapped devices. USBCulprit is being used by a Chinese advanced persistent threat (APT) group, known as Cycldek, that has been attempting to steal government and state secrets from Southeast Asian countries since 2013. Kaspersky says that USBCulprit has been used in attacks on systems in Vietnam, Thailand, and Laos.
Read more in:
- Cycldek: Bridging the (air) gap
- Sophisticated Info-Stealer Targets Air-Gapped Devices via USB
- Kaspersky IDs Sophisticated New Malware Targeted at Air-Gapped Systems
- USBCulprit malware targets air-gapped systems to steal govt info
Cisco Semi-Annual IOS and IOS XE Software Security Advisory Bundled Publication. Cisco has released updates to address four critical vulnerabilities affecting equipment that use Cisco IOS and IOS XE software. The updates are part of Cisco’s June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes a total of 23 advisories addressing 25 vulnerabilities in IOS and IOS XE software.
Note: This item and the Cisco Nexus vulnerability item are another reminder that patch processes need to extend to, and actually be prioritized for, critical network security and operational appliances. The CVE-2020-0688 item suggests that patch levels overall may have declined with the forced shift of employees to working from home.
Read more in:
- Cisco’s warning: Critical flaw in IOS routers allows ‘complete system compromise’
- Cisco Event Response: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
- Cisco IOx for IOS XE Software Privilege Escalation Vulnerability
- Cisco IOS Software for Cisco Industrial Routers Virtual Device Server Inter-VM Channel Command Injection Vulnerability
- Cisco IOS Software for Cisco Industrial Routers Arbitrary Code Execution Vulnerabilities
Cisco Releases Fix for Nexus Switch Flaw. Cisco has released a fix for a high-severity vulnerability in its Nexus switches running NX-OS software. The flaw lies in the network stack’s handling of IP-in-IP (IP protocol 4) packets: affected switches decapsulate such packets and route the inner packet by default, so an unauthenticated remote attacker can send crafted traffic that bypasses network access controls or causes a denial-of-service condition.
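As an added example (not from Cisco or from the CERT/CC note), the following Python shows why an access list that only inspects the outer header is blind to IP-in-IP traffic: it builds a raw IPv4 packet (protocol 4) whose outer destination is the switch’s own address and whose inner packet is aimed at a host the ACL denies, then peels the encapsulation the way a decapsulating device would and evaluates both headers against the rule. The addresses, the deny rule and the packets are all constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4            # IP-in-IP encapsulation (RFC 2003)
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Assemble a minimal IPv4 packet with a valid header checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Validate version, header length and checksum; return header fields and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def peel(pkt, max_depth=4):
    """Follow IP-in-IP nesting like a decapsulating device; return headers outermost-first."""
    layers, cur = [], pkt
    for _ in range(max_depth):
        hdr = parse_ipv4(cur)
        layers.append(hdr)
        if hdr["proto"] != IPPROTO_IPIP:
            break
        cur = hdr["payload"]
    return layers


def acl_permits(denied_net, dst):
    """Toy ACL: one deny rule for a destination network, permit everything else."""
    return ipaddress.IPv4Address(dst) not in ipaddress.IPv4Network(denied_net)


def evaluate(pkt, denied_net):
    """Compare the ACL verdict on the outer header with the verdict on the innermost one."""
    layers = peel(pkt)
    outer, inner = layers[0], layers[-1]
    outer_ok = acl_permits(denied_net, outer["dst"])
    inner_ok = acl_permits(denied_net, inner["dst"])
    return {"outer_dst": outer["dst"], "inner_dst": inner["dst"], "depth": len(layers),
            "outer_permitted": outer_ok, "inner_permitted": inner_ok,
            # the dangerous case: the outer header clears the ACL, the decapsulated packet would not
            "acl_bypass": len(layers) > 1 and outer_ok and not inner_ok}


# Constructed scenario: 192.0.2.1 is the switch, 10.0.0.0/8 is a denied internal range.
SWITCH_IP, DENIED_NET = "192.0.2.1", "10.0.0.0/8"
INNER = build_ipv4("198.51.100.9", "10.0.0.5", 17, b"\x00" * 8)        # UDP-sized stub payload
TUNNELED = build_ipv4("198.51.100.9", SWITCH_IP, IPPROTO_IPIP, INNER)  # outer dst = the switch
DIRECT = build_ipv4("198.51.100.9", "10.0.0.5", 17, b"\x00" * 8)       # same target, no tunnel

if __name__ == "__main__":
    print("tunneled:", evaluate(TUNNELED, DENIED_NET))
    print("direct:  ", evaluate(DIRECT, DENIED_NET))
```

The same parser doubles as a quick check for packet captures: any protocol-4 packet arriving from outside at a device that is not meant to terminate IP-in-IP tunnels is worth an alert, and filtering protocol 4 at the boundary is a reasonable interim control until the NX-OS update is applied.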
Read more in:
- Severe Cisco DoS Flaw Can Cripple Nexus Switches
- Cisco warns: These Nexus switches have been hit by a serious security flaw
- IP-in-IP protocol routes arbitrary traffic by default
- Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability
Users Urged to Patch SAP Adaptive Server Enterprise Software. Researchers at Trustwave have found several vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software. Two of the vulnerabilities are rated critical; they could be exploited to remotely execute code and manipulate system data. They were addressed in SAP’s May update; users who have not patched their systems are advised to apply the patches as soon as possible.
Read more in:
- System Takeover Through New SAP ASE Vulnerabilities
- Patch SAP Adaptive Server Enterprise now to avoid takeover risk
- Critical SAP ASE Flaws Allow Complete Control of Databases
- Researchers Disclose 2 Critical Vulnerabilities in SAP ASE
Mozilla Updates Firefox to Version 77, then to 77.0.1. On Tuesday, June 2, Mozilla released Firefox 77, which includes fixes for eight security issues. Five of the vulnerabilities are designated high impact; of those, three could be exploited to allow remote code execution. On Wednesday, June 3, Mozilla updated Firefox to version 77.0.1 in which it “disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way.”
Note:
- DNS over HTTPS remains a hot topic. The original DNS protocol was designed to be very low latency and require minimum resources. No surprise that servers are having a hard time keeping up with requests once TLS and HTTP overhead is added.
- One of the concerns is not overloading the DNS over HTTPS (DoH) providers. DoH can be enabled, and a provider selected, in the Firefox preferences under network settings. For enterprises, the current ESR version is 68.9.0, also released on June 2.
Read more in:
- Update Firefox: Mozilla just patched three hijack-me holes and a bunch of other flaws
- Firefox 77.0.1 released to prevent DDoSing DoH DNS providers
- Version 77.0.1, first offered to Release channel users on June 3, 2020
- Mozilla Foundation Security Advisory 2020-20 | Security Vulnerabilities fixed in Firefox 77
The headline on 03 June 2020
Judge: Capital One Must Provide Lawyers With a Copy of Digital Forensic Breach Report. A US federal judge in Virginia has ordered Capital One to provide a copy of a forensic report regarding a data breach to attorneys who are suing the company on behalf of affected customers. The Capital One breach, which was disclosed last year, affected payment card application data for more than 100 million people.
Note:
- After a breach, first, hire experienced and competent legal counsel; let them hire and supervise the investigators. Any report of the investigators should be “attorney work product,” so labeled, and arguably privileged. While transparency is desirable, litigation may increase transparency, and courts are entitled to all evidence, one does not want one’s legitimate efforts used against one.
- Understanding data protection and disclosure restrictions, particularly around security audits, assessments, and reports, is key before the engagement begins. When taking legal action, be certain that the case, for or against, doesn’t depend on disclosing the very documents you wish to keep private. Sometimes a redacted document can be offered as a compromise, particularly when protecting information subject to regulatory or mandatory protections such as PII, PHI under HIPAA, and CUI; even so, your legal and information management teams should validate your assumptions upfront.
Read more in:
- Judge demands Capital One release Mandiant cyberforensic report on data breach
- Capital One Must Turn Over Mandiant’s Forensics Report
Highly Customized Spear Phishing Attacks. Researchers have detected targeted attacks that appear to be aimed at stealing credentials for industrial control systems (ICS) equipment and software suppliers. Researchers detected attacks targeting organizations in Germany, Japan, the UK, and Italy. The attacks employ steganography and messages customized to match the language used by the targets. Also, one of several PowerShell scripts used in the attacks contains a deliberate error; the error message it returns serves as the decryption key for the data hidden in the steganographic image.
Note:
- This attack leverages multiple techniques to avoid detection and analysis, including a deliberate PowerShell script “error” as well as downloading components from legitimate Internet sites. Segmentation or isolation is an important mitigation for control systems. Direct internet access, inbound or outbound, should not be available by default. Also, make sure that credentials are unique to your control system so that credentials captured elsewhere are ineffective.
- All industrial control systems connected to the public networks must employ strong authentication to resist fraudulent reuse of compromised credentials.
Read more in:
- An advanced and unconventional hack is targeting industrial firms
- Steganography Anchors Pinpoint Attacks on Industrial Targets
- Highly-targeted attacks on industrial sector hide payload in images
- Multilingual malware attacks on industrial sector suppliers designed to thwart detection
Open Source Software Supply Chain Attack: Octopus Scanner Malware Infected 26 GitHub-hosted Projects. In early March 2020, GitHub’s Security Incident Response Team learned that some repositories were serving open-source projects that had been infected with malware known as Octopus Scanner. The malware is a backdoor that was crafted to infect NetBeans projects. A GitHub report describes the attack from detection through remediation.
Note: Kudos to GitHub for being so open with this incident and for sharing their report. It is through sharing that we as an industry can learn how to improve our processes and responses.
Read more in:
- The Octopus Scanner Malware: Attacking the open-source supply chain
- How Octopus Scanner malware attacked the open-source supply chain
- New Octopus Scanner malware spreads via GitHub supply chain attack
- How GitHub untangled itself from the ‘Octopus’ malware that infected 26 software projects
- New Octopus Scanner Malware Poisoning NetBeans Projects on Github
- Malware in GitHub-hosted projects designed to spread among open-source developers
CISA Cyber Essentials Toolkit. The US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) has released the first of six planned Cyber Essentials Toolkit modules, “Essential Element: Yourself, the Leader.” This module “focuses on the role of leadership in forging a culture of cyber readiness in their organization with an emphasis on strategy and investment.”
Note: As a new or seasoned CISO, this reference provides an easy-to-read list of essential actions and supporting resources which will aid in getting a handle on your current cyber readiness and in starting to assess your corresponding risks. Future toolkits will focus on awareness, protection, access controls, backups, and business continuity.
Read more in:
- CISA Releases First Cyber Essentials Toolkit
- CISA Releases New Cyber Essentials Toolkit (press release)
- Essential Element: Yourself, the Leader (PDF)
REvil Ransomware Operators Publish Data Stolen from Elexon. Ransomware operators behind last month’s attack on systems at the UK’s Elexon have published data stolen from the company. The documents posted online include employee passport information and an insurance policy application. Elexon administers the Balancing and Settlement Code for the UK’s electricity market.
Note:
- The new modus operandi for ransomware is to compromise systems extensively and exfiltrate information well before encrypting the data. Ransomware operators are also starting to include brute-force attacks, reducing their reliance on social engineering. Knowing where your data is housed and the value of those repositories is essential to assessing the impact of exposure and to applying security protections on a risk-based basis.
- A reminder that under GDPR a ransomware attack can be considered a data breach as, in effect, you have lost control of that personal data entrusted to your organization. If GDPR applies to your organization, review your Incident Response processes for ransomware attacks to ensure they include an assessment of what personal data has been affected and whether you need to report the breach to your Supervisory Authority.
Read more in:
- REvil ransomware gang publishes ‘Elexon staff’s passports’ after UK electrical middleman shrugs off the attack
- Internal Data Stolen, Leaked, in REvil Attack on Electricity Market’s Elexon
Georgia (US) Bureau of Investigation Found No Evidence of Hacking in Voter Registration System. An investigation into allegations of hacking targeting the US state of Georgia’s voter registration system found “no evidence of damage to (the Secretary of State’s office) network or computers, and no evidence of theft, damage, or loss of data.” The Georgia Bureau of Investigation recently released the case files from the closed investigation.
Read more in:
- Law Enforcement Files Discredit Brian Kemp’s Accusation That Democrats Tried to Hack the Georgia Election
- Remember when Republicans said Dems hacked voting systems to rig Georgia’s election? There were no hacks
Daniel’s Hosting Database Leaked Online. A database leaked online contains email addresses, associated passwords, and other sensitive information belonging to “owners and users of several thousand darknet domains.” The database was taken from Daniel’s Hosting.
Read more in:
- Hacker leaks database of dark web hosting provider
- Hosting Provider’s Database of Crooked Customers Leaked
Apple Releases Updates to Fix Memory Consumption Issue. Less than a week after a round of comprehensive security updates, Apple has released updates to iOS, iPadOS, watchOS, tvOS, and macOS to correct a memory consumption issue that could allow an application to execute arbitrary code with kernel privileges (CVE-2020-9859). The issue has been addressed through improved memory handling.
Note: Due to code reuse across products, the vulnerability had to be corrected in multiple places and while the severity rating has not yet been published, timely deployment of the updates is warranted. Note that this fix also closes the vulnerability used by the Unc0ver jailbreak.
Read more in:
- iOS 13.5.1 Fixes Kernel Zero-Day
- Apple releases iOS 13.5.1 with security fixes, breaks recent Unc0ver jailbreak
- Apple security updates
Prison Sentence for Former Employee Who Sabotaged Network. A man who worked as a system administrator for an Atlanta, Georgia-based construction industry firm has been sentenced to 18 months in prison for sabotaging the company’s computer network after his departure. Charles E. Taylor resigned from his position in July 2018; a month later, he logged into the company’s network without authorization, changed router passwords, and shut down a central command server. Taylor was convicted of computer fraud earlier this year. He was also ordered to pay more than US $800,000 in restitution.
Note: Timely disabling of accounts and changing of shared credentials is key when staff separate, particularly system and network administrators. Monitoring attempted use of disabled accounts, as well as use of privileged accounts, including those with domain or device administration rights, is important in detecting this type of threat. Also, make sure that remote administration of network and boundary control devices requires the use of a secure entry point, not only to prevent unauthorized modification but also to protect the devices from direct exploitation of vulnerabilities.
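As an added example of the monitoring the note calls for (not from the court filings or the newsletter), the Python below triages Windows Security events exported as flat dictionaries, as a log shipper would render the event XML: it raises a high-priority alert when a logon failure (event 4625) carries the account-disabled sub-status 0xC0000072, meaning someone is trying a departed administrator’s credentials, and flags any successful logon (event 4624) by a watch-listed privileged account that did not originate from the designated administrative jump hosts. The events, account names and address ranges are constructed, and the field names assume that flat rendering.

```python
import ipaddress
from collections import Counter

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
SUBSTATUS_ACCOUNT_DISABLED = 0xC0000072    # 4625 "Sub Status" for a disabled account
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}  # console/local logons carry no usable source IP


def from_jump_host(ip, jump_host_nets):
    """True if the source address lies inside one of the admin jump-host ranges."""
    if ip in LOCAL_SOURCES:
        return True                                   # local logon: not a remote entry point
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in jump_host_nets)


def triage(events, privileged_accounts, jump_host_nets):
    """Return (alert, account, source_ip) tuples for the two patterns of interest."""
    privileged = {a.lower() for a in privileged_accounts}
    alerts = []
    for ev in events:
        user = ev.get("TargetUserName", "").lower()
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == LOGON_FAILURE:
            # Sub Status is what distinguishes "account disabled" from a plain bad password
            if int(ev.get("SubStatus", "0x0"), 16) == SUBSTATUS_ACCOUNT_DISABLED:
                alerts.append(("disabled-account-attempt", user, ip))
        elif ev["EventID"] == LOGON_SUCCESS and user in privileged:
            if not from_jump_host(ip, jump_host_nets):
                alerts.append(("privileged-logon-outside-jump-hosts", user, ip))
    return alerts


def sources_to_block(alerts, threshold=1):
    """Remote source IPs with at least `threshold` alerts, for firewall and IR follow-up."""
    counts = Counter(ip for _, _, ip in alerts if ip not in LOCAL_SOURCES)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed events; "jdoe.adm" is a former administrator whose account was disabled.
JUMP_HOSTS = [ipaddress.ip_network("10.10.0.0/24")]
PRIVILEGED = ["jdoe.adm", "netops.adm", "svc-backup"]
EVENTS = [
    {"EventID": 4625, "TargetUserName": "jdoe.adm", "IpAddress": "203.0.113.44",
     "Status": "0xC000006D", "SubStatus": "0xC0000072", "LogonType": 10},
    {"EventID": 4625, "TargetUserName": "jdoe.adm", "IpAddress": "203.0.113.44",
     "Status": "0xC000006D", "SubStatus": "0xC0000072", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "bsmith", "IpAddress": "10.20.5.7",
     "Status": "0xC000006D", "SubStatus": "0xC000006A", "LogonType": 2},   # wrong password
    {"EventID": 4624, "TargetUserName": "netops.adm", "IpAddress": "10.10.0.5", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "netops.adm", "IpAddress": "203.0.113.44", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "svc-backup", "IpAddress": "-", "LogonType": 5},
    {"EventID": 4624, "TargetUserName": "bsmith", "IpAddress": "10.20.5.7", "LogonType": 2},
]

if __name__ == "__main__":
    found = triage(EVENTS, PRIVILEGED, JUMP_HOSTS)
    for alert in found:
        print(alert)
    print("block:", sources_to_block(found))
```

A disabled-account attempt from an external address is the cheapest early warning you get in this scenario: the separated administrator’s account was disabled correctly, and the alert fires before the attacker moves on to shared device passwords that were not rotated.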
Read more in:
- Former IT Administrator Sentenced in Insider Threat Case
- IT manager sentenced for hacking into and sabotaging his former employer’s computer network
Nipissing First Nation Computers Targeted by Ransomware. Computers belonging to Nipissing First Nation (NFN) administration in Canada were infected with ransomware last month. The incident was detected on May 8 and affected every department, “result[ing] in communications disruptions that [they] are still working to overcome.”
Read more in: