Cybersecurity News Headline Updated on 06 June 2020 – Ransomware at US Military Contractor, NASA Contractor, and UCSF; Foreign Hackers Targeting US Presidential Campaigns, and more

The headline on 06 June 2020

Maze Ransomware Hits US Military Subcontractor Westech. The operators of Maze ransomware have hit Westech, a US military subcontractor that is involved in maintenance for the US’s Minuteman III nuclear missile program. Hackers appear to have stolen sensitive nuclear missile data from Westech and have begun leaking the files online.

Note: Maze operators continue to publish exfiltrated data in an attempt to get income irrespective of system recovery plans. Additionally, Maze operators maintain a web site of those who refuse to cooperate with their demands for payment, further complicating the recovery decision process.

Read more in:

DoppelPaymer Ransomware Operators Claim to Have Hit NASA Contractor. The operators behind the DoppelPaymer ransomware say they have infected the network of DMI, a managed IT and cybersecurity services firm. DMI customers include Fortune 100 companies and government agencies. The hackers appear to have obtained NASA-related files from DMI’s network and posted some on a dark web portal.

Read more in:

Netwalker Ransomware Operators Claim to Have Hit University of California, San Francisco Systems. Operators of the Netwalker ransomware have recently been targeting colleges and universities in the US and threatening to publish stolen data if the ransom is not paid. The group has launched attacks against Michigan State University, Columbia College of Chicago, and most recently, they say they have launched a successful attack against systems at the University of California, San Francisco (UCSF). Researchers at UCSF are running “antibody testing and clinical trials for possible coronavirus treatments,” according to Bloomberg Law.

Read more in:

Foreign Hackers Targeting US Presidential Campaigns. Google’s Threat Analysis group (TAG) says that hackers believed to be acting on behalf of China and Iran have targeted the US presidential campaigns of candidates in both major political parties. The attackers targeted campaign staff with spearphishing emails.

Read more in:

Large Scale WordPress Attack Campaign. Between May 29 and May 31, attackers tried to steal configuration files from more than 1.3 million WordPress websites. The attackers exploited known vulnerabilities in unpatched WordPress plugins and themes. Researchers at WordFence detected and blocked more than 130 million attempted attacks targeting the sites.

Note: WordPress continues to be a popular target for exploitation. Mitigate the risks by ensuring that you’ve enabled WordPress core auto-updates. If you don’t have a plugin that watches and updates plugins and themes automatically, you can enable those updates by adding a filter as per the WordPress Automatic Updates configuration page (wordpress.org: Configuring Automatic Background Updates). WordPress 5.5, when released, makes this easier to enable. Also, even with automatic updates, monitor your site to ensure it is updated and secure.

Read more in:

Zoom Explains Why End-to-End Encryption is for Paying Customers Only. Zoom says that its end-to-end encryption will be available to paying customers only because it will be easier for the company to comply with FBI requests for access to communications data. A Zoom spokesperson said “We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”

Note:

  • Zoom first has to get end-to-end encryption working before we spend much time on whether it should be part of a free offering. Other teleconferencing apps that do include end-to-end encryption on free services get revenue by collecting user information as part of offerings to advertisers – a major privacy issue. Others don’t offer it for free either, or only upon submission of a request to support. Businesses evaluating competing offerings should make overall security management tools and security of the application software (especially the client-side agents) more highly weighted criteria than end-to-end encryption for this kind of application.
  • When considering end-to-end encryption for video conferencing, understand both your data protection requirements and what the given solution provides. Know what and where content is not encrypted. For example, voice traffic over the PSTN is not encrypted until it reaches the entry point for the service. Also, understand who is managing the keys and who can access them. Lastly, look at any tradeoffs of using end-to-end encryption. The key exchange process may disable or impede functions you utilize, such as joining before the meeting host. Beyond encryption, make sure that you also have the other meeting security settings properly configured.

Read more in:

Zoom Addresses Two Remote Code Execution Flaws. Zoom has addressed two vulnerabilities that could be exploited to execute code remotely. Cisco Talos researchers detected the flaws earlier this year. They say that Zoom’s mitigations fixed one of the flaws in May and partially addressed the other in a server-side update, but “Cisco Talos believes it still requires a fix on the client-side to completely resolve the security risk,” according to a Talos Intelligence blog.

Note: These flaws only affect earlier 4.x versions of Zoom. Current 5.x versions are not affected. You should be using the most recent 5.x version. If you are holding back because of virtual camera support, Zoom added virtual camera support back in recent 5.x versions. It was removed in late 4.x and early 5.x versions. Virtual camera support will allow the use of tools like Manycam to pre-process video.

Read more in:

Large Number of Exchange Servers Remain Unpatched Against Critical Flaw. According to Rapid7 Research’s 2020: Q1 Threat Report, as many as 350,000 Microsoft Exchange Servers remain unpatched against a critical privilege elevation flaw. Microsoft released a patch for the vulnerability in February 2020. The flaw exists in the Exchange Control Panel component, which uses a static cryptographic key that is identical on every installation.

Note:

  • The patch has been out since February and the CISA CERT put out an alert in March about exploitation of CVE-2020-0688, but three months later 82% of Exchange servers are unpatched, according to Rapid7 scanning! This may indicate delayed server patching since Coronavirus shutdowns hit – an important warning sign to check all patch levels immediately.
  • Several of today’s reports involve “patches.” Unfortunately, the cost of using these popular but porous products includes the hidden cost of routine patching or accepting the risk of not doing so. Only you know which is the efficient strategy for your enterprise but for most it will be patching.

Read more in:

Kaspersky: Chinese APT Group’s USBCulprit Malware Targets Air-Gapped Systems. Malware dubbed USBCulprit targets air-gapped devices. USBCulprit is being used by a Chinese advanced persistent threat (APT) group, known as Cycldek, that has been attempting to steal government and state secrets from Southeast Asian countries since 2013. Kaspersky says that USBCulprit has been used in attacks on systems in Vietnam, Thailand, and Laos.

Read more in:

Cisco Semi-Annual IOS and IOS XE Software Security Advisory Bundled Publication. Cisco has released updates to address four critical vulnerabilities affecting equipment that use Cisco IOS and IOS XE software. The updates are part of Cisco’s June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes a total of 23 advisories addressing 25 vulnerabilities in IOS and IOS XE software.

Note: This, and the Cisco Nexus vulnerability item, are another reminder that patch processes need to be extended to, and actually prioritized for, critical network security and operational appliances. The CVE-2020-0688 item indicates patching levels overall may have declined with the forced work at home status of employees.

Read more in:

Cisco Releases Fix for Nexus Switch Flaw. Cisco has released a fix for a high severity vulnerability in its Nexus switches running NX-OS software. The flaw lies in the network stack and could be exploited to bypass network access controls or cause denial-of-service conditions.

Read more in:

Users Urged to Patch SAP Adaptive Server Enterprise Software. Researchers at Trustwave have found several vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software. Two of the vulnerabilities are rated critical; they could be exploited to remotely execute code and manipulate system data. They were addressed in SAP’s May update; users who have not patched their systems are advised to apply the patches as soon as possible.

Read more in:

Mozilla Updates Firefox to Version 77, then to 77.0.1. On Tuesday, June 2, Mozilla released Firefox 77, which includes fixes for eight security issues. Five of the vulnerabilities are designated high impact; of those, three could be exploited to allow remote code execution. On Wednesday, June 3, Mozilla updated Firefox to version 77.0.1 in which it “disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way.”

Note:

  • DNS over HTTPS remains a hot topic. The original DNS protocol was designed to be very low latency and require minimum resources. No surprise that servers are having a hard time keeping up with requests once TLS and HTTP overhead is added.
  • One of the concerns is not overloading the DNS over HTTPS (DOH) providers. DOH can be enabled and a provider selected in the Firefox preferences under network settings. For enterprises, the current version of ESR is 68.9.0, also released June 2.

Read more in:

The headline on 03 June 2020

Judge: Capital One Must Provide Lawyers With a Copy of Digital Forensic Breach Report. A US federal judge in Virginia has ordered Capital One to provide a copy of a forensic report regarding a data breach to attorneys who are suing the company on behalf of affected customers. The Capital One breach, which was disclosed last year, affected payment card application data for more than 100 million people.

Note:

  • After a breach, first, hire experienced and competent legal counsel; let them hire and supervise the investigators. Any report of the investigators should be “attorney work product,” so labeled, and arguably privileged. While transparency is desirable, litigation may increase transparency, and courts are entitled to all evidence, one does not want one’s legitimate efforts used against one.
  • Understanding data protection and disclosure restrictions, particularly around security audits, assessments, and reports, is key before the engagement begins. When taking legal action, be certain that the case, for or against, doesn’t depend on disclosing the very documents you wish to keep private. Sometimes a redacted document can be offered as a compromise, particularly when protecting information with regulatory-driven or mandatory protections such as PII, HIPAA, and CUI; even so, your legal and information management teams should validate your assumptions upfront.

Read more in:

Highly Customized Spear Phishing Attacks. Researchers have detected targeted attacks that appear to be aimed at stealing credentials for industrial control systems (ICS) equipment and software suppliers. Researchers detected attacks targeting organizations in Germany, Japan, the UK, and Italy. The attacks employ steganography and messages customized to match the language used by the targets. Also, one of several PowerShell scripts used in the attacks contains a deliberate error; the error message it returns serves as the decryption key for the data hidden in the steganographic image.

Note:

  • This attack leverages multiple techniques to avoid detection and analysis, including a deliberate PowerShell script “error” as well as downloading components from legitimate Internet sites. Segmentation or isolation is an important mitigation for control systems. Direct internet access, inbound or outbound, should not be available by default. Also, make sure that credentials are unique for your control system so that credentials captured elsewhere are ineffective.
  • All industrial control systems connected to the public networks must employ strong authentication to resist fraudulent reuse of compromised credentials.

Read more in:

Open Source Software Supply Chain Attack: Octopus Scanner Malware Infected 26 GitHub-hosted Projects. In early March 2020, GitHub’s Security Incident Response Team learned that some repositories were serving open-source projects that had been infected with malware known as Octopus Scanner. The malware is a backdoor that was crafted to infect NetBeans projects. A GitHub report describes the attack from detection through remediation.

Note: Kudos to GitHub for being so open with this incident and for sharing their report. It is through sharing that we as an industry can learn how to improve our processes and responses.

Read more in:

CISA Cyber Essentials Toolkit. The US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) has released the first of six planned Cyber Essentials Toolkit modules, “Essential Element: Yourself, the Leader.” This module “focuses on the role of leadership in forging a culture of cyber readiness in their organization with an emphasis on strategy and investment.”

Note: As a new or seasoned CISO, this reference provides an easy-to-read list of essential actions and supporting resources which will aid in getting a handle on your current cyber readiness and starting to assess your corresponding risks. Future toolkits will focus on awareness, protection, access controls, backups, and business continuity.

Read more in:

REvil Ransomware Operators Publish Data Stolen from Elexon. Ransomware operators behind last month’s attack on systems at the UK’s Elexon have published data stolen from the company. The documents posted online include employee passport information and an insurance policy application. Elexon runs the balancing and settlement code for the UK’s electricity markets.

Note:

  • The new modus operandi for ransomware is to extensively compromise systems and exfiltrate information well before encrypting the data. Also, ransomware operators are starting to include brute force attacks, reducing reliance on social engineering. Knowing where your data is housed and the value of those repositories is essential to assessing the impact of exposure and to use a risk-based approach to the application of security protections.
  • A reminder that under GDPR a ransomware attack can be considered a data breach as, in effect, you have lost control of that personal data entrusted to your organization. If GDPR applies to your organization, review your Incident Response processes for ransomware attacks to ensure they include an assessment of what personal data has been affected and whether you need to report the breach to your Supervisory Authority.

Read more in:

Georgia (US) Bureau of Investigation Found No Evidence of Hacking in Voter Registration System. An investigation into allegations of hacking targeting the US state of Georgia’s voter registration system found “no evidence of damage to (the Secretary of State’s office) network or computers, and no evidence of theft, damage, or loss of data.” The Georgia Bureau of Investigation recently released the case files from the closed investigation.

Read more in:

Daniel’s Hosting Database Leaked Online. A database leaked online contains email addresses, associated passwords, and other sensitive information belonging to “owners and users of several thousand darknet domains.” The database was taken from Daniel’s Hosting.

Read more in:

Apple Releases Updates to Fix Memory Consumption Issue. Less than a week after a round of comprehensive security updates, Apple has released updates to iOS, iPadOS, watchOS, tvOS, and macOS to correct a memory consumption issue that could allow an application to execute arbitrary code with kernel privileges (CVE-2020-9859). The issue has been addressed through improved memory handling.

Note: Due to code reuse across products, the vulnerability had to be corrected in multiple places and while the severity rating has not yet been published, timely deployment of the updates is warranted. Note that this fix also closes the vulnerability used by the Unc0ver jailbreak.

Read more in:

Prison Sentence for Former Employee Who Sabotaged Network. A man who worked as a system administrator for an Atlanta, Georgia-based construction industry firm has been sentenced to 18 months in prison for sabotaging the company’s computer network after his departure. Charles E. Taylor resigned from his position in July 2018; a month later, he logged into the company’s network without authorization, changed router passwords, and shut down a central command server. Taylor was convicted of computer fraud earlier this year. Taylor was also ordered to pay more than US $800,000 in restitution.

Note: Timely disabling of accounts and changing of shared credentials is key when staff separate, particularly system and network administrators. Monitoring the use of disabled accounts as well as privileged accounts, including those with domain or device administration rights, is important in detecting this type of threat. Also, make sure that remote administration of network and boundary control devices requires the use of a secure entry point – not only to prevent unauthorized user modification but also to protect devices from direct exploitation of vulnerabilities.
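The two detections the note above calls for (use of an account that should have been disabled at separation, and an administrative login to a network device that did not come through the designated secure entry point) can be expressed as a small rule set over authentication logs. The following is an added example written for this digest, not code from any of the reports it summarizes. The log lines are constructed in sshd's syslog format, the account names and the jump-host address 10.20.30.5 are assumed, and the external addresses are RFC 5737 documentation ranges.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (sshd syslog format); hosts, users and
# addresses are invented for this example.
SAMPLE_LOGS = """\
Aug 14 02:11:07 core-rtr1 sshd[4412]: Accepted password for netadmin from 10.20.30.5 port 51234 ssh2
Aug 14 02:12:41 core-rtr1 sshd[4419]: Accepted password for ctaylor from 203.0.113.77 port 40022 ssh2
Aug 14 02:13:02 core-rtr1 sshd[4421]: Failed password for ctaylor from 203.0.113.77 port 40023 ssh2
Aug 14 02:15:55 cmd-srv1 sshd[9001]: Accepted publickey for netadmin from 198.51.100.9 port 33011 ssh2
Aug 14 08:30:10 cmd-srv1 sshd[9020]: Accepted publickey for jdoe from 10.20.30.5 port 33020 ssh2
"""

# Assumed inputs from the offboarding process and the device-administration policy.
DISABLED_ACCOUNTS = {"ctaylor"}            # accounts disabled at separation
PRIVILEGED_ACCOUNTS = {"netadmin", "root"}  # device/domain administration rights
SECURE_ENTRY_POINTS = {"10.20.30.5"}       # the only source allowed to administer devices

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    timestamp: str
    host: str
    user: str
    source: str
    result: str


def parse_line(line):
    """Return the fields of one sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, disabled=DISABLED_ACCOUNTS, privileged=PRIVILEGED_ACCOUNTS,
           entry_points=SECURE_ENTRY_POINTS):
    """Apply both rules to every parsable line and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        fields = (ev["ts"], ev["host"], ev["user"], ev["src"], ev["result"])
        # Rule 1: any attempt, successful or not, to use a disabled account.
        # A failed attempt still shows that the old credential is being tried.
        if ev["user"] in disabled:
            alerts.append(Alert("disabled-account-use", *fields))
        # Rule 2: a privileged login that succeeded from anywhere other than the
        # secure entry point, i.e. direct remote administration of a device.
        if (ev["user"] in privileged and ev["result"] == "Accepted"
                and ev["src"] not in entry_points):
            alerts.append(Alert("privileged-login-bypassing-entry-point", *fields))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.rule}: {a.user} from {a.source} on {a.host} ({a.result}) at {a.timestamp}")
```

On the constructed lines this raises three alerts: two for the disabled account (one accepted, one failed) and one for the privileged account logging in to the command server from an address that is not the jump host; the privileged login that did come through 10.20.30.5 is left alone. The disabled-account list is the piece that depends on the offboarding process being timely, which is the note's main point.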

Read more in:

Nipissing First Nation Computers Targeted by Ransomware. Computers belonging to Nipissing First Nation (NFN) administration in Canada were infected with ransomware last month. The incident was detected on May 8 and affected every department, “result[ing] in communications disruptions that [they] are still working to overcome.”

Read more in: