Cybersecurity News Headline Updated on 19 June 2020 – Zoom; IoT At Risk; Fake LinkedIn Identities; Phony Job New Attack Vector, and more

The headline on 19 June 2020

Zoom Will Make End-to-End Encryption Available to Everyone. Zoom now says that it will provide end-to-end encryption (E2EE) for all users. Previously, the company had planned to provide the feature only to paying users. The feature will be off by default; meeting administrators must enable it when setting up each meeting. The feature is opt-in because it may not work with every piece of technology. Non-paying users must provide a piece of identifying information to have the feature enabled. A beta of the feature will begin next month.

Note: Be aware of the impacts of enabling E2EE before enabling it to make sure that users will be able to participate in your meeting. Zoom’s white paper on their E2EE implantation [github.com: zoom-e2e-whitepaper (PDF)] documents meeting UI changes as well as key management and verification. UI changes include: participants cannot join before the host, participants must run the official Zoom client; browsers, legacy Zoom enabled devices and PSTN dial-ins are disabled.

Read more in:

Ripple20 Vulnerabilities Affect Millions of IoT Devices. Researchers from JSOF, an Israeli security company, have discovered a group of vulnerabilities that affect millions of Internet of Things (IoT) devices. Ripple20 is “a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc.” At least four of the flaws have CVSS base scored over 9.0. In March, Treck issued an updated version of the library that addresses the flaws. However, tracking down all vulnerable devices is difficult at best, and there are likely situations in which devices cannot be patched at all.

Note:

  • This flaw will keep us busy for the foreseeable future. The Treck IP Stack is used in millions of devices made by an unknown number of manufacturers. As an end user, you likely have no idea that this IP stack is used in your equipment. Identifying these devices and patching them will take years.
  • Cisco, Intel and HP/Samsung have issued alerts around their products that are or may be at risk. This isn’t just an obscure IoT device risk issue, though it is a huge issue there. There are 19 CVEs; in order to mitigate or patch, discovery of vulnerable devices with the Treck stack is key. Some discovery and Network Access Control vendors have released scripts and signatures to detect use of the vulnerable stack. Treck recommends reviewing those CVEs and if you have questions about a device, contact them via email at security@treck.com.

Read more in:

Hackers Used Fake LinkedIn Identities and Phony Job To Infiltrate European Defense Companies. Hackers on LinkedIn pretended to be corporate recruiters on LinkedIn working for US defense contractors. They sent phony job offers to employees at European defense companies and managed to gain access to systems at two of those companies in late 2019. The hackers sent documents that contained malicious code through LinkedIn’s private messaging feature.

Read more in:

Microsoft Releases Out-of-Cycle Windows 10 Cumulative Update to Address Printing Problems. On Tuesday, June 16, Microsoft released cumulative updates for Windows 10 that address an issue introduced by updates released the week before. Users reported that after installing the June 9 updates, they were unable to print. The optional, out-of-cycle cumulative updates will not install automatically. Microsoft recommends that only users who have experienced printer problems with the earlier updates install the new updates.

Note: Put this in the “if it isn’t broken don’t fix it” category. Deploy this fix to systems only if they are experiencing printer problems after last week’s update. You may not discover those problems until workers return on-site and attempt to print.

Read more in:

Adobe Releases Out-of-Cycle Updates to Fix 18 Critical Flaws. Adobe has released out-of-cycle updates to address 18 critical vulnerabilities in six products. Five of the vulnerabilities are in Illustrator, and another five are in After Effects. The other patches address flaws in Premiere Pro, Premiere Rush, Audition, and campaign Classic. Adobe patched four critical vulnerabilities in Flash Player a week ago.

Read more in:

US House Subcommittee Hearing on Financial Sector Cyberattacks. Witnesses told the US House Subcommittee on National Security, International Development, and Monetary Policy that the US financial sector experienced a 238 percent increase in cyberattacks during the first five months of 2020. VMware’s head of cybersecurity strategy Tom Kellerman noted that 90 percent of US financial sector employees are working from home, which makes their systems more vulnerable to attacks.

Read more in:

Senator Asks DNI Why the Intelligence Community Has Not Adopted Stronger Cybersecurity Practices. US Senator Ron Wyden (D-Oregon) has asked the Director of National Intelligence (DNI) why the intelligence community has not followed a CISA directive “to implement multi-factor authentication to protect their .gov domain names”; why its DMARC implementation is lagging; why the Intelligence community’s classified computer network for top secret information does not use multi-factor authentication; and whether they intend to adopt IG’s cybersecurity recommendations. Wyden appended a redacted version of a 2017 CIA WikiLeaks Task Force report, which found “day-to-day security practices had become woefully lax.” Users were sharing admin passwords; there were no controls for using removable USB drives; and they did not use network segmentation to limit access to tools.

Note:

  • Implementing broad changes while still meeting mission objectives takes leadership and support from the top, particularly if delivered as an unfunded mandate, and particularly for culture-changing initiatives such as security awareness and corresponding culture changes. If management doesn’t “walk the talk” the staff won’t either. The security measures suggested, such as DMARC, MFA and USB Security, are worth consideration irrespective of your business sector.
  • Some form of strong authentication is now mandatory for most applications in most enterprises, let alone for privileged users in intelligence agencies. It is ironic that sharing of IDs and passwords remains common among administrative users, those users where “accountability” is the primary control. Most enterprises, let alone intelligence agencies, should be using Privileged Access Management systems (the Israelis offer a very good one.) It was through abuse of administrative privileges that Edward Snowden was able to ravage NSA systems.

Read more in:

T-Mobile Outage Resolved. A T-Mobile network outage on Monday, June 15, caused problems across the US. Federal Communications Chairperson Ajit Pai called the incident “unacceptable” and said, “the FCC is launching an investigation.” The problems are believed to stem from network configuration changes gone awry. Rumors that the issue was due to a distributed denial-of-service (DDoS) attack were refuted. The issue was resolved by 1am ET on Tuesday, June 16.

Read more in:

Netgear Router Vulnerability. A vulnerability in Netgear routers could be exploited to bypass the authentication process and gain access to other devices on the network. The flaw lies in the web server component in the firmware used in 79 Netgear router models. Netgear says it is working on a fix.

Note:

  • The flaw is in the web server used to manage the router. The only mitigation is to limit access to that service to trusted systems. Make sure internet-based management is disabled, if possible, implement firewall rules to restrict which systems can manage the devices, and consider changing the admin password so systems with cached or stored credentials cannot connect easily. Netgear hopes to release updated firmware by the end of June.
  • The cost of the first repair that one makes will be high; subsequent ones much lower. Therefore, enterprises will repair; SOHO users may find it cheaper and easier to replace.

Read more in:

NSA is Piloting Secure DNS for DIB. The US National Security Agency (NSA) is piloting a secure DNS service for some of its defense industrial base (DIB) companies. Anne Neuberger, the NSA’s Director of Cybersecurity, noted that the pilot is based on NSA analysis that found “using secure DNS would reduce the ability for 92 percent of malware attacks both from command and control perspective deploying malware on a given network.” Neuberger said that the results of the pilot, which has been running for about six weeks, “have been very, very successful.”

Note: The article is a bit short on details, but this appears not to be another attempt to revive DNSSEC. Instead, it likely refers to a filtered DNS services (sometimes called DNS Firewalling) like that offered by companies like Threatstop and OpenDNS/Cisco. This type of service has been shown to be effective and easy and cheap to deploy. Having them specifically “tuned” for this user base could indeed be a good way to better protect participating companies.

Read more in:

Amazon Web Services Mitigated a 2.3 Tbps DDoS Attack in February. Amazon Web Services (AWS) Shield service disclosed that it fended off a massive distributed denial-of-service (DDoS) attack earlier this year. The incident is described in the AWS Shield Threat Landscape Report – Q1 2020. The report does not identify the customer but does note that (the attack lasted three days and had a volume of 2.3 Tbps.

Read more in:

Akamai Resolved 1.44 Tbps DDoS Against Website. Akamai said it resolved a 1.44 Tbps / 385 million packets per second distributed denial-of-service (DoS) attack against an unnamed website earlier this month. The attack is the largest Akamai has seen. The attack lasted 90 minutes.

Note: During the T-Mobile outage, there was unfounded speculation that a DDoS attack may have caused the outages. Many people don’t understand that large DDoS attacks have become a “new normal” for internet service providers. This story, as well as the AWS DDoS story, show how companies have learned to deal with these “new normal” attacks.

Read more in: Unnamed Web Host Hit with DDoS Attack

Cognizant Discloses What Information Ransomware Operators Stole. Cognizant Technology Solutions has disclosed additional details about the Maze ransomware infection it experienced in April 2020. The ransomware operators appear to have stolen information related to corporate credit cards as well as some personnel records.

Read more in:

The headline on 17 June 2020

Australian Beverage Company Falls Prey to Ransomware. Australian beverage company Lion has acknowledged that a ransomware attack last week was responsible for “a partial IT system outage,” and that the company “immediately shut down key systems as a precaution.”

Note:

  • Lion is attempting to rebuild rather than pay the ransomware and believes no sensitive data were impacted or exfiltrated. Recovery has necessitated stopping beverage production, just as restrictions are being loosened and Australians are slowly returning to pubs, restaurants, and clubs.
  • “Ransomware” attacks have become so routine that every enterprise must have a plan for resisting and mitigating such attacks. While “shutting down key systems” may be part of such a plan, it should be planned rather than ad hoc.

Read more in:

Knoxville Ransomware Attack: More Details. The city of Knoxville, Tennessee, was hit with a ransomware attack last week. The attack prevented police from responding to non-emergency car accidents and forced court sessions to be rescheduled. Knox County systems did not appear to be affected, but connectivity between the networks has been cut off until the issue is resolved. Local news reports say that the hackers have contacted the city to demand a ransom to be paid. There is no word on whether or not the city intends to pay.

Read more in: Knoxville Ransomware Attack Leads to IT Network Shutdown

Honda Resumes Production After Ransomware Attack. A Honda spokesperson said the company has resumed production at plants in the US, Turkey, India, Brazil, and other countries. Some Honda call centers and certain online functions were still affected by the attack. Honda’s computer network was infected with ransomware earlier this month.

Read more in: Honda resumes production at plants hit by a suspected cyber attack

Outages Across the US Blamed on Network Configuration Changes. Numerous service outages across the US on Monday, June 15, affected mobile providers, ISPs, streaming services, social media platforms, and games. While there has been some speculation that the problems were the result of a massive distributed denial-of-service (DDoS) attack, a tweet from Cloudflare CEO Matthew Prince said the cascading failures were caused by “T-Mobile … making some changes to their network configurations … [that] went badly.”

Note:

  • Once again, I’ll skew old here: just over 30 years ago, a botched ATT switch upgrade took down around half of ATT’s network for almost 8 hours. That was 4 years before the first browser came out, but it was a serious interruption to the major path of “online” orders of the day. Good reminder about backup plans for employee connectivity during current and future work at home. Cellular data service is not immune to outages either, but most mobile phones can be used as hot spots for backup purposes. Lance Spitzner of SANS has blogged security guidelines for personal hotspots at www.sans.org: Security Awareness for iPhone Personal Hotspot feature.
  • Routing configuration mistakes have a much more dramatic impact and take longer to rectify than they once did. When I started telecommuting full time, a mentor and seasoned telecommuter wisely advised me to have both a backup computer and a backup network connection such as a cellular hotspot. He also advised me to keep both updated and operational as you never know when they’ll be pressed into service. Today, I would add QOS, no data cap, and minimum bandwidth to that list.

Read more in:

South African Bank Must Reissue 12 Million Payment Cards After Breach. South Africa’s Postbank will reissue more than 12 million payment cards to its customers following a December 2018 breach. The bank’s 32-character master encryption key, which is used to generate keys for customers’ payment cards, was stolen. Between March and December 2019, thieves accessed Postbank accounts and conducted more than $3.2 million in fraudulent transactions. The issue affects not only payment cards, but also cards issued to people for receiving government benefits.

Note:

  • This is a good story of not only why we protect master encryption keys but also why the separation of duties is paramount. Also, master keys and the people who can access them need to be updated periodically to prevent fraud. Lastly, store the keys on dedicated resources designed to protect them.
  • Just replacing the cards will cost Postbank $60M; the total cost of the failures that enabled this insider attack will likely be twice that. The failure was in access control of high privilege administrators in what should also require two-person control under onerous change control, tracking, and auditing. That extraordinary level of control over encryption keys is key to the value of encryption and the cost of doing so is invariably a small fraction of the cost of compromise.
  • Encryption keys are more likely to be compromised when they are used. The keys that are used routinely should be changed routinely.

Read more in: South African bank to replace 12m cards after employees stole the master key

June’s Windows 10 Cumulative Update Causes Problems. Users have been reporting that Microsoft’s latest cumulative update for Windows 10 has caused problems with their networked printers. Users have also been reporting that they have been unable to launch some applications after installing the update.

Read more in:

Citizen Lab and Amnesty International: Spyware Campaign Targeted Indian Human Rights Activists. A joint report from Citizen Lab and Amnesty International describes a spyware scheme that targeted human rights defenders in India. The nine individuals, who are lawyers, activists, and journalists, were targeted with spear-phishing emails crafted to install malware that tracked their communications. Three of the nine people are also believed to have been targeted by NSO’s Pegasus spyware.

Read more in:

D-Link Router Vulnerabilities. Researchers at Palo Alto Networks Unit 42 global threat intelligence team have found six vulnerabilities on D-Link routers. The flaws affect the DIR-865L model of D-Link routers, a model used for home networks. The researchers found the vulnerabilities in late February 2020. D-Link released a beta patch in late May but noted that support for the routers ended in February 2016. D-Link is urging users to replace outdated devices.

Note:

  • It is a sad truth of IoT security that, too often, the upgrade path to fix a security vulnerability involves a dumpster. These devices still function well and may have a few years of life left in them. There are reports of being able to install open-source firmware on these devices, but doing so will involve opening the device and soldering a connection to the board. Maybe a good lesson to be learned from buying highly proprietary products.
  • The DIR-865L was D-Link’s first router to support 802.11ac released in June of 2012. While D-Link provides instructions for installing the updated beta firmware, the better fix is to replace these devices with current routers that have an active support and newer technology and security options.

Read more in:

Cybersecurity Bills Introduced in US Senate. US Senator Gary D. Peters (D-Michigan) has introduced two bills aimed at improving the country’s cybersecurity defenses. The Continuity of the Economy Act would direct the White House to “develop a plan to ensure essential functions of the economy can continue operating in the event of a cyberattack.” The bill grew out of a recommendation made by the Cyber Solarium Commission. The National Guard Cybersecurity Interoperability Act of 2020 would help ensure that the National Guard could provide remote cybersecurity support in the event of a cyber incident.

Read more in: Two Bills to Bolster Cyber Defenses Introduced in the Senate

Data From Multiple Dating Apps Exposed. Researchers found 845 gigabytes of data from several dating apps in misconfigured AWS buckets. The researchers who found the unprotected data noticed similarities between the apps that suggested they had a common developer. They reached out to one of the apps, which “quickly replied, asking for additional details about the breach.” The researchers sent a link to the unsecured AWS bucket for that particular app; that same day, buckets for all the affected apps were locked down. The exposed data include photos, audio recordings, and screenshots of private chats.

Note: It may seem like an odd comparison, but all online teleconferencing applications are similar to dating apps – lots of sensitive information needing to (or at least wanting to) be shared, much of it stored and almost all of it stored on cloud storage services that are often misconfigured. This item is a good reminder that we need to remind admins and employees of the security guidelines for online teleconferencing.

Read more in: